Mitigating the risks of using DoH and DoT
Protection against DoH and DoT
Do you control your DNS traffic? Organisations invest a great deal of time, money and effort in protecting their networks. One area that is often not given enough attention, however, is DNS.
Overview of the risks introduced by DNS
Research finding: 31% of the ransomware classes analysed use DNS for key exchange.
The problem is a big one. According to the Palo Alto Networks Unit 42 research team, about 85% of malware uses DNS to establish a command-and-control channel, which lets attackers easily plant malware on your network and exfiltrate data. Since its inception, DNS traffic has been unencrypted and could be easily analysed by NGFW security mechanisms.
New DNS protocols have appeared that are intended to improve the privacy of DNS communication. They are actively supported by the leading browser vendors and other software vendors. Encrypted DNS traffic will soon begin to grow on corporate networks. Encrypted DNS traffic that is not properly analysed and resolved by your tools creates a security risk for the company. One example of such a threat is cryptolockers that use DNS to exchange encryption keys. Attackers now demand ransoms of several million dollars to restore access to your data; Garmin, for example, paid $10 million.
When properly configured, an NGFW can deny or protect the use of DNS-over-TLS (DoT) and can be used to block the use of DNS-over-HTTPS (DoH), so that all DNS traffic on your network can be analysed.
What is encrypted DNS?
What is DNS
The Domain Name System (DNS) resolves human-readable domain names (for example, the address
DNS queries and responses are sent across the network in cleartext, unencrypted, which makes them vulnerable to eavesdropping or to a response being tampered with to redirect the browser to malicious servers. DNS encryption makes it harder for DNS requests to be tracked or altered in transit. Encrypting DNS requests and responses protects you against man-in-the-middle attacks while performing the same function as the ordinary cleartext DNS (Domain Name System) protocol.
Over the past few years, two DNS encryption protocols have been introduced:
- DNS-over-HTTPS (DoH)
- DNS-over-TLS (DoT)
These protocols have one thing in common: they deliberately hide DNS requests from any interception... including from the organisation's own defenders. Fundamentally, both use TLS (Transport Layer Security) to establish an encrypted connection between the client issuing the queries and the server resolving the DNS queries, over a port not normally used for DNS traffic.
The privacy of DNS queries is a major plus of these protocols. However, they create problems for defenders who must monitor network traffic and detect and block malicious communication. Because the protocols differ in how they are implemented, the analysis methods will differ between DoH and DoT.
DNS over HTTPS (DoH)
DNS inside HTTPS
DoH uses the well-known HTTPS port 443, and the RFC states directly that the intention is to "mix DoH traffic with other HTTPS traffic on the same connection", to "make DNS traffic analysis difficult" and thereby bypass corporate controls. (
Risks associated with DoH
If you cannot distinguish ordinary HTTPS traffic from DoH requests, applications inside your organisation can (and do) bypass the local DNS settings by redirecting requests to third-party servers that answer DoH requests, evading any monitoring, in other words destroying your ability to control DNS traffic. Ideally, you should control DoH by using HTTPS decryption functions.
Ensuring visibility and control of DoH traffic
As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and block DoH traffic (application name: dns-over-https).
First, make sure the NGFW is configured for HTTPS decryption, according to
Second, create a rule for the "dns-over-https" application traffic as shown below:
Palo Alto Networks NGFW rule to block DNS-over-HTTPS
As a temporary alternative (if your organisation has not yet fully deployed HTTPS decryption), the NGFW can be configured to apply the "deny" action to the application ID "dns-over-https", but the effect will be limited to blocking certain well-known DoH servers by their domain name, so without HTTPS decryption, DoH traffic cannot be fully inspected (see
DNS over TLS (DoT)
DNS inside TLS
Whereas the DoH protocol usually mixes with other traffic on the same port, DoT instead uses a dedicated port reserved for that purpose alone, and even explicitly forbids that same port from being used by unencrypted DNS traffic (
The DoT protocol uses TLS to provide encryption that encapsulates the standard DNS protocol queries, with traffic using the well-known port 853 (
Risks associated with DoT
Google has implemented DoT in its client
Ensuring visibility and control of DoT traffic
As a best practice for controlling DoT, we recommend either of the following, depending on your organisation's requirements:
- Configure the NGFW to decrypt all traffic destined for port 853. Once the traffic is decrypted, DoT appears as the DNS application, to which you can apply any action, such as enabling the Palo Alto Networks DNS Security subscription to control DGA domains, or the existing DNS Sinkholing and anti-spyware protections.
- Alternatively, have the App-ID engine completely block "dns-over-tls" traffic on port 853. This is usually blocked by default, so no action is required (unless you explicitly allow the "dns-over-tls" application or port 853 traffic).
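To illustrate the two control points above (DoT on its dedicated port 853, and DoH that can be recognised without decryption only by well-known resolver names), the following Python is an added example, not code from the original article or from Palo Alto Networks: it classifies constructed flow records against an assumed corporate-resolver list and an assumed list of public DoH hostnames, flagging DNS that bypasses the organisation's resolvers.

```python
# Added example (not from the original article or Palo Alto Networks): classify
# egress flow records to spot DNS that bypasses the corporate resolver.
# All IPs, hostnames and flows below are constructed sample data / assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

CORP_RESOLVERS = {"10.0.0.53"}   # assumed internal DNS servers (constructed)
# Without TLS decryption, DoH can only be recognised by the resolver's name in
# the TLS SNI, which is the same limitation the article notes for App-ID alone.
KNOWN_DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}  # assumed list

@dataclass
class Flow:
    proto: str                  # "tcp" or "udp"
    dst_ip: str
    dst_port: int
    sni: Optional[str] = None   # TLS server name, if a ClientHello was observed

def classify(flow: Flow) -> str:
    """Return a label describing how the flow relates to DNS policy."""
    if flow.dst_port == 53:
        if flow.dst_ip in CORP_RESOLVERS:
            return "dns-plain-corporate"
        return "dns-plain-external"       # local resolver settings bypassed
    if flow.dst_port == 853 and flow.proto == "tcp":
        return "dot"                      # dedicated port: easy to block or decrypt
    if flow.dst_port == 443 and flow.sni and flow.sni.lower() in KNOWN_DOH_HOSTS:
        return "doh-known-resolver"       # best effort; full coverage needs decryption
    return "other"

def findings(flows: List[Flow]) -> List[Tuple[str, str]]:
    """Flows that warrant a block rule or a decrypt-and-inspect rule."""
    suspicious = {"dns-plain-external", "dot", "doh-known-resolver"}
    return [(f.dst_ip, classify(f)) for f in flows if classify(f) in suspicious]

SAMPLE_FLOWS = [  # constructed, using documentation address ranges
    Flow("udp", "10.0.0.53", 53),
    Flow("udp", "192.0.2.10", 53),
    Flow("tcp", "198.51.100.1", 853),
    Flow("tcp", "203.0.113.5", 443, sni="cloudflare-dns.com"),
    Flow("tcp", "203.0.113.6", 443, sni="www.example.com"),
]

if __name__ == "__main__":
    for ip, label in findings(SAMPLE_FLOWS):
        print(f"{ip:16} {label}")
```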
Source: www.habr.com