Pros and cons: DNS over HTTPS

We look at the arguments around DNS over HTTPS, a protocol that has recently become a bone of contention between internet service providers and browser developers.

Photo: Steve Halama

The essence of the disagreement

In recent months the major tech media and topical platforms (Habr included) have written a lot about the DNS over HTTPS (DoH) protocol. DoH encrypts the queries sent to a DNS server and the answers it returns, which hides from anyone on the network path which hostnames a user is resolving. From those publications one can conclude that the new protocol (approved by the IETF in 2018) has split the IT community into two camps.

One camp believes the new protocol will improve the security of the internet and is already building it into its applications and services. The other is convinced the technology makes the work of system administrators considerably harder. Below we go through the arguments of both sides.

How DoH works

Before getting into why ISPs and other market participants are for or against DNS over HTTPS, let's briefly look at how it works.

With DoH, the DNS query (the request to resolve a name to an IP address) is carried inside ordinary HTTPS traffic. It goes to an HTTPS server that exposes a DoH endpoint; the server decodes the DNS message, resolves it and returns the answer in the HTTPS response. Here is the example GET request from RFC 8484 (Section 4.1.1), in which the DNS message in wire format is base64url-encoded, without padding, into the dns query parameter:

   :method = GET
   :scheme = https
   :authority = dnsserver.example.net
   :path = /dns-query?
           dns=AAABAAABAAAAAAAAAWE-NjJjaGFyYWN0ZXJsYWJl
           bC1tYWtlcy1iYXNlNjR1cmwtZGlzdGluY3QtZnJvbS1z
           dGFuZGFyZC1iYXNlNjQHZXhhbXBsZQNjb20AAAEAAQ
   accept = application/dns-message

So DNS traffic is wrapped in HTTPS. Client and server talk over the usual port 443, which means that to an observer on the path (an ISP, a corporate network monitor) the queries are indistinguishable from any other HTTPS traffic to that server, and the names being resolved are no longer visible in cleartext. Two caveats worth keeping in mind: the operator of the DoH resolver still sees every query, and the hostname can still leak through the unencrypted TLS SNI of the connection the client opens right after resolving it.

Why the objections?

Opponents of DNS over HTTPS argue that the new protocol will reduce the security of connections. According to Paul Vixie, one of the developers of DNS, it will make it much harder for system administrators to block potentially dangerous sites, and ordinary users will lose the ability to configure parental controls in their browsers.

Paul's view is shared by UK internet providers. The country's law obliges them to block resources with prohibited content, but DoH support in browsers makes the job of filtering that traffic harder. Critics of the new protocol also include the UK's Government Communications Headquarters (GCHQ) and the Internet Watch Foundation (IWF), which maintains the register of blocked resources.


Experts also note that DNS over HTTPS can itself become a cybersecurity threat. In early July, information security researchers at Netlab discovered the first malware to use the new protocol in carrying out DDoS attacks, Godlua. The malware used DoH to fetch text (TXT) records and extract the URL of its command-and-control server from them.

The encrypted DoH requests went unnoticed by antivirus software. Information security experts fear that, after Godlua, other malware will appear that is invisible to passive DNS monitoring.
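The blind spot described above can be narrowed from the network side even without decrypting anything. The following is an added example, not code from the article or from Netlab's Godlua write-up: a small detector that correlates a passive DNS log with a connection log and flags, first, TLS sessions whose SNI names a known DoH resolver and, second, outbound connections to addresses that no DNS answer seen by the monitor had delivered to that client beforehand, which is exactly what a host resolving names over DoH (or using hard-coded addresses) looks like from the resolver's vantage point. Both log formats and all log lines are constructed for the example; the resolver hostnames are real public DoH endpoints, but the list and the internal address prefix are placeholders an operator would maintain.

```python
"""Added example, not from the article or from Netlab's Godlua write-up: a
detector for hosts whose name resolution bypasses passive DNS monitoring.

Assumptions: the two log formats are invented for this example; the DoH
resolver names are real public endpoints but the list is a placeholder an
operator would maintain; every log line below is constructed sample data."""
from collections import defaultdict

# Assumed list of DoH resolver hostnames to match against TLS SNI.
KNOWN_DOH_SNI = {"dns.google", "cloudflare-dns.com", "mozilla.cloudflare-dns.com"}

# Assumption: RFC 1918 space used by this network; connections there are not scored.
INTERNAL_PREFIXES = ("10.",)

# Constructed passive DNS log: (ts, client, qname, answer_ip)
DNS_LOG = [
    (100, "10.0.0.5", "example.com", "93.184.216.34"),
    (105, "10.0.0.5", "cloudflare-dns.com", "104.16.248.249"),
    (140, "10.0.0.9", "www.example.net", "198.51.100.20"),  # answered only after the connection
]

# Constructed connection log: (ts, client, dst_ip, dst_port, sni)
CONN_LOG = [
    (101, "10.0.0.5", "93.184.216.34", 443, "example.com"),
    (106, "10.0.0.5", "104.16.248.249", 443, "cloudflare-dns.com"),
    (130, "10.0.0.5", "203.0.113.7", 443, ""),               # no DNS answer ever produced this IP
    (131, "10.0.0.9", "198.51.100.20", 443, "www.example.net"),
    (132, "10.0.0.9", "10.0.0.1", 443, ""),                   # internal, skipped
]


def detect_doh_bypass(dns_log, conn_log, known_doh=KNOWN_DOH_SNI, internal=INTERNAL_PREFIXES):
    """Return findings as (ts, client, kind, detail) tuples in connection order.

    kind == "doh-resolver":   TLS session whose SNI is on the DoH resolver list.
    kind == "no-passive-dns": connection to an external address that no DNS
                              answer seen by the monitor had given that client
                              before the connection was opened.
    """
    answers = defaultdict(list)  # client -> [(ts, ip)] from passive DNS
    for ts, client, _qname, ip in dns_log:
        answers[client].append((ts, ip))

    findings = []
    for ts, client, dst, _port, sni in sorted(conn_log):
        if sni in known_doh:
            findings.append((ts, client, "doh-resolver", sni))
            continue
        if dst.startswith(internal):
            continue
        # Only answers delivered before the connection count; a later answer
        # for the same address does not explain how the client knew it.
        seen_before = any(a_ts <= ts and ip == dst for a_ts, ip in answers[client])
        if not seen_before:
            findings.append((ts, client, "no-passive-dns", dst))
    return findings


if __name__ == "__main__":
    for finding in detect_doh_bypass(DNS_LOG, CONN_LOG):
        print(*finding)
```

On the sample data this reports the session to cloudflare-dns.com and the two connections whose destination addresses never appeared in a prior DNS answer for that client. In production the second heuristic needs allowlists for IP-literal connections, CDN addresses learned from an earlier (expired) answer, hosts-file entries and hosts that legitimately use another resolver; it only works when the same monitor sees both the DNS answers and the connections.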

But not everyone is against it

APNIC engineer Geoff Huston defended DNS over HTTPS on his blog. In his view, the new protocol will make it easier to counter attacks on DNS, which have become much more frequent, a trend confirmed by the January report of the cybersecurity company FireEye. Large IT companies have also backed the development of the protocol.

Google began testing DoH at the beginning of last year, and last month the company released the general-availability version of its DoH service. Google hopes it will improve the protection of personal data on the network and guard against MITM attacks.

Another browser developer, Mozilla, has supported DNS over HTTPS since last summer and is actively promoting the new technology in the IT community. For this, the Internet Services Providers Association (ISPA) even nominated Mozilla for its Internet Villain of the Year award. In response, company representatives remarked that they were puzzled by the reluctance of telecom operators to modernise their outdated internet infrastructure.

Photo: TETrebbien

Major media outlets and some other ISPs came out in support of Mozilla. In particular, British Telecom believes the new protocol will not interfere with content filtering and will improve the security of UK users. Under public pressure the ISPA had to withdraw the "villain" nomination.

Cloud providers such as Cloudflare are also pushing the rollout of DNS over HTTPS and already offer DNS services based on the new protocol. A full list of browsers and clients that support DoH is available on GitHub.

In any case, it is too early to speak of an end to the conflict between the two camps. IT experts predict that if DNS over HTTPS is destined to become part of the standard internet technology stack, it will take more than a decade.


Source: www.habr.com
