Mitigating the risks of using DNS-over-TLS (DoT) and DNS-over-HTTPS (DoH)


DoH and DoT security

Do you control your DNS traffic? Organisations invest a great deal of time, money and effort in protecting their networks. One area that often does not get enough attention, however, is DNS.

For a good overview of the threats that arrive over DNS, see the presentation from the Infosecurity conference.

Research finding: 31% of the ransomware families examined use DNS to exchange keys.

The problem is a big one. According to the Palo Alto Networks Unit 42 research team, almost 85% of malware uses DNS to establish a command-and-control channel, which lets attackers plant malware on your network and exfiltrate data with ease. Since its inception, DNS traffic has been unencrypted and therefore easy for an NGFW's security mechanisms to analyse.

New DNS protocols have now appeared that aim to make DNS communication private. They are actively backed by the leading browser vendors and other software vendors, so encrypted DNS traffic will soon start to grow on corporate networks. Encrypted DNS traffic that your tools cannot properly analyse and resolve creates a security risk for the company. One such threat is the cryptolocker that uses DNS to exchange its encryption keys. Attackers now demand ransoms of several million dollars to restore access to your data; Garmin, for example, reportedly paid $10 million.

When properly configured, an NGFW can block DoT outright or bring it under inspection, and can be used to block DoH, so that all DNS traffic on your network can be analysed.

What is encrypted DNS?

What is DNS

The Domain Name System (DNS) resolves human-readable domain names (for example, www.paloaltonetworks.com) to IP addresses (for example, 34.107.151.202). When a user types a domain name into a web browser, the browser sends a DNS query to a DNS server asking for the IP address associated with that domain name. In response, the DNS server returns the IP address, which the browser then uses.

DNS queries and responses are sent across the network in clear, unencrypted text, which leaves them open to eavesdropping and to a forged reply that redirects the browser to a malicious server. Encrypting DNS makes it hard to track or alter DNS requests in transit. Encrypting DNS requests and responses protects against man-in-the-middle attacks while performing the same function as the ordinary plaintext DNS (Domain Name System) protocol.

Over the past few years, two DNS encryption protocols have been introduced:

  1. DNS-over-HTTPS (DoH)

  2. DNS-over-TLS (DoT)

These protocols have one thing in common: they deliberately hide DNS requests from any interception... including from the organisation's own security staff. Both rely on TLS (Transport Layer Security) to set up an encrypted connection between the client issuing the queries and the server resolving them, over a port not normally used for DNS traffic.

Keeping DNS queries private is the big attraction of these protocols. For the security staff who have to monitor network traffic and detect and block malicious connections, however, they create problems. Because the two protocols differ in how they are implemented, the analysis methods differ between DoH and DoT.

DNS over HTTPS (DoH)

(Figure: DNS inside HTTPS)

DoH uses the well-known HTTPS port 443, and its RFC states outright that the intent is to "mingle DoH traffic with other HTTPS traffic on the same connection" and "make DNS traffic analysis more difficult", thereby getting around corporate controls (RFC 8484, section 8.1). The DoH protocol uses TLS encryption and the request syntax provided by the common HTTPS and HTTP/2 standards, carrying DNS requests and responses on top of ordinary HTTP requests.

Risks associated with DoH

If you cannot tell ordinary HTTPS traffic apart from DoH requests, applications inside your organisation can (and will) bypass your local DNS settings by redirecting requests to third-party servers that answer DoH requests, sidestepping any monitoring and thereby destroying your ability to control DNS traffic. Ideally, you should control DoH by means of HTTPS decryption.

Google and Mozilla have implemented DoH in recent versions of their browsers, and both companies are working toward using DoH by default for all DNS requests. Microsoft also plans to integrate DoH into its operating systems. The bad news is that it is not only reputable software companies but attackers too who have started using DoH as a way to bypass conventional corporate firewall mechanisms. (See, for example, the articles "PsiXBot now uses Google DoH", "PsiXBot continues to evolve with updated DNS infrastructure" and "Godlua backdoor analysis".) Either way, both benign and malicious DoH traffic will go unseen, leaving the organisation blind to malicious use of DoH as a malware command-and-control (C2) channel and to the theft of sensitive data.

Ensuring visibility and control over DoH traffic

As the best solution for controlling DoH, we recommend configuring the NGFW to decrypt HTTPS traffic and to block DoH traffic (application name: dns-over-https).

First, make sure the NGFW is configured for HTTPS decryption, following the decryption best-practices guide.

Second, create a rule for the "dns-over-https" application traffic as shown below:

(Figure: Palo Alto Networks NGFW rule blocking DNS-over-HTTPS)

As an interim alternative (if your organisation has not yet fully deployed HTTPS decryption), the NGFW can be configured to apply the "deny" action to the "dns-over-https" App-ID, but the effect will be limited to blocking certain well-known DoH servers by their domain names; without HTTPS decryption, DoH traffic cannot be fully inspected (see Applipedia from Palo Alto Networks and search for "dns-over-https").
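To make the two DoH request forms of RFC 8484 and the inspection point described above concrete, here is an added example in Python, written for this page and not code from the article or from Palo Alto Networks. The resolver name dns.example.net, the /dns-query path and the HttpRequest record are assumptions standing in for what a decryption proxy would hand to a policy engine. The block builds a wire-format DNS query, encodes it in both the GET (`?dns=` base64url) and POST (`application/dns-message`) forms, and then classifies decrypted HTTP requests as DoH or not by their payload rather than by hostname, which is why the same check still works against a DoH endpoint that App-ID has never catalogued.

```python
"""RFC 8484 DNS-over-HTTPS: encode a query the way a DoH client does, then
recognise such requests in HTTP traffic that an NGFW has already decrypted.
Added example for this page; names and hosts are illustrative assumptions."""
import base64
import binascii
import struct
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, urlsplit

DNS_MESSAGE = "application/dns-message"  # media type fixed by RFC 8484 section 6


@dataclass
class HttpRequest:
    """What a decrypting proxy hands to policy (hypothetical record shape)."""
    method: str
    host: str
    path: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def encode_qname(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = 1) -> bytes:
    """One-question DNS query. RFC 8484 section 4.1 says GET clients SHOULD
    use ID 0 so identical queries give identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # class IN


def decode_qname(msg: bytes, offset: int = 12) -> str:
    """Read the first question name (questions carry no compression pointers)."""
    labels = []
    while True:
        n = msg[offset]
        offset += 1
        if n == 0:
            return ".".join(labels)
        if n & 0xC0:
            raise ValueError("unexpected compression pointer")
        chunk = msg[offset:offset + n]
        if len(chunk) != n:
            raise ValueError("truncated name")
        labels.append(chunk.decode("ascii"))
        offset += n


def doh_get_url(resolver: str, query: bytes, path: str = "/dns-query") -> str:
    """GET form: base64url of the wire message with padding stripped (section 6)."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}{path}?dns={b64}"


def doh_post(resolver: str, query: bytes, path: str = "/dns-query") -> HttpRequest:
    """POST form: the raw wire message is the body, typed as application/dns-message."""
    return HttpRequest("POST", resolver, path,
                       {"Content-Type": DNS_MESSAGE, "Accept": DNS_MESSAGE}, query)


def _first_question(raw: bytes) -> Optional[str]:
    """Name from the first question of a wire message, or None if not parseable."""
    try:
        _txid, _flags, qdcount = struct.unpack_from("!HHH", raw)
        if qdcount == 0:
            return None
        return decode_qname(raw)
    except (ValueError, IndexError, struct.error):
        return None


def classify_doh(req: HttpRequest) -> Optional[str]:
    """Return the queried name if this decrypted request carries a DoH query in
    either RFC 8484 form, else None. The /dns-query path is only a convention,
    so the decision rests on the payload, not on path or host."""
    headers = {k.lower(): v for k, v in req.headers.items()}
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if req.method == "POST" and ctype == DNS_MESSAGE:
        return _first_question(req.body)
    if req.method == "GET":
        for value in parse_qs(urlsplit(req.path).query).get("dns", []):
            try:  # restore the padding base64url-without-padding removed
                raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
            except (ValueError, binascii.Error):
                continue
            name = _first_question(raw)
            if name is not None:
                return name
    return None


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url("dns.example.net", q))
    print(classify_doh(HttpRequest("GET", "dns.example.net", urlsplit(doh_get_url("dns.example.net", q)).path + "?" + urlsplit(doh_get_url("dns.example.net", q)).query)))
    print(classify_doh(doh_post("dns.example.net", build_query("c2.example.org", 16))))
```

The GET encoding of a www.example.com A query reproduces the `dns=` value RFC 8484 uses in its own request examples, which is a quick sanity check that the wire format and base64url handling are right. On the detection side, note what the classifier does not rely on: the Accept header, the `/dns-query` path, or a known resolver name; it decodes the payload and accepts only something that parses as a DNS message with at least one question, so a `dns=` parameter on an unrelated web application is not a false positive.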

DNS over TLS (DoT)

(Figure: DNS inside TLS)

Whereas DoH traffic tends to blend in with other traffic on the same port, DoT instead uses a dedicated port reserved for that purpose alone, and even explicitly forbids that same port from carrying unencrypted DNS traffic (RFC 7858, section 3.1).

The DoT protocol uses TLS to encrypt otherwise standard DNS protocol queries, with the traffic using the well-known port 853 (RFC 7858, section 6). DoT was designed to make it easy for organisations either to block traffic on that port, or to accept the traffic but enable decryption on that port.

Risks associated with DoT

Google has implemented DoT in its Android 9 Pie and later clients, with the default set to use DoT automatically whenever it is available. If you have assessed the risks and are ready to use DoT at the organisational level, your network administrators will need to explicitly allow outbound traffic on port 853 through the perimeter for this new protocol.

Ensuring visibility and control over DoT traffic

As best practice for controlling DoT, we recommend either of the following, depending on your organisation's needs:

  • Configure the NGFW to decrypt all traffic with destination port 853. Once decrypted, DoT shows up as the DNS application, to which you can apply any action: logging, Palo Alto Networks DNS Security to control DGA domains, or the existing DNS Sinkholing and anti-spyware.

  • Alternatively, have the App-ID engine block "dns-over-tls" traffic on port 853 entirely. This is normally blocked by default, so no action is needed (unless you have explicitly allowed the "dns-over-tls" application or port 853 traffic).
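As an added example, written for this page and not the article's or Palo Alto Networks' code, the following Python shows what the first option above yields once the TLS layer is stripped from a port 853 connection, and the egress decision the second option implies. The Flow record, the verdict strings and the sample byte streams are constructed here and stand in for the firewall's real session table and for a decrypted TCP/853 connection; the framing and transaction-matching logic follow RFC 7858 sections 3.3 and 3.4.

```python
"""RFC 7858 DNS-over-TLS from the inspection side: an egress policy for
TCP/853 and demultiplexing of a decrypted DoT connection into DNS messages.
Added example for this page; the policy model and sample data are constructed."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

DOT_PORT = 853  # well-known port, RFC 7858 section 6


@dataclass(frozen=True)
class Flow:
    """Hypothetical session record: source, destination, protocol, dest port."""
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


def evaluate_flow(flow: Flow, allowed_resolvers: frozenset, decrypt: bool) -> str:
    """Verdict for a new outbound flow (verdict names are this example's own).
    "continue": not DoT, leave it to the other rules.
    "decrypt":  TCP/853 with decryption in place, so queries reach DNS controls.
    "allow"/"deny": no decryption, so only explicitly allowed resolvers may use
    853, which RFC 7858 section 3.1 reserves for DoT alone."""
    if flow.proto != "tcp" or flow.dport != DOT_PORT:
        return "continue"
    if decrypt:
        return "decrypt"
    return "allow" if flow.dst in allowed_resolvers else "deny"


def split_dot_stream(buf: bytes) -> Tuple[List[bytes], bytes]:
    """Cut a decrypted DoT byte stream into whole DNS messages.
    RFC 7858 section 3.3 keeps the DNS-over-TCP framing: a two-octet
    big-endian length precedes every message. An incomplete tail is returned
    so the caller can prepend it to the next TLS record's payload."""
    msgs: List[bytes] = []
    pos = 0
    while pos + 2 <= len(buf):
        (length,) = struct.unpack_from("!H", buf, pos)
        if length < 12:
            raise ValueError("framed length shorter than a DNS header")
        if pos + 2 + length > len(buf):
            break  # message not fully received yet
        msgs.append(buf[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs, buf[pos:]


def dns_header(msg: bytes) -> Tuple[int, bool, int]:
    """(transaction ID, is_response, RCODE) from the 12-byte DNS header."""
    txid, flags = struct.unpack_from("!HH", msg)
    return txid, bool(flags & 0x8000), flags & 0x000F


def match_transactions(client_msgs: List[bytes], server_msgs: List[bytes]):
    """Pair queries with responses by transaction ID. RFC 7858 section 3.4
    allows pipelining and out-of-order responses on one connection, so
    position in the stream means nothing; a response whose ID matches no
    outstanding query is an anomaly worth logging."""
    queries: Dict[int, bytes] = {}
    for m in client_msgs:
        txid, is_response, _ = dns_header(m)
        if not is_response:
            queries[txid] = m
    rcodes: Dict[int, int] = {}
    orphans: List[bytes] = []
    for m in server_msgs:
        txid, is_response, rcode = dns_header(m)
        if is_response and txid in queries:
            rcodes[txid] = rcode
        else:
            orphans.append(m)
    return queries, rcodes, orphans


def summarize_connection(client: bytes, server: bytes) -> dict:
    """One decrypted DoT connection, both directions, reduced to what a
    DNS-layer control (logging, sinkholing, DGA checks) would act on."""
    cmsgs, ctail = split_dot_stream(client)
    smsgs, stail = split_dot_stream(server)
    queries, rcodes, orphans = match_transactions(cmsgs, smsgs)
    return {
        "transactions": [(txid, rcodes.get(txid)) for txid in queries],  # None = unanswered
        "orphan_responses": len(orphans),
        "pending_bytes": (len(ctail), len(stail)),
    }


# --- constructed sample data, not captured traffic -------------------------
_QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"  # example.com, type A, class IN


def _msg(txid: int, flags: int) -> bytes:
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + _QUESTION


def _frame(msg: bytes) -> bytes:
    return struct.pack("!H", len(msg)) + msg


# Two pipelined queries; the server answers the second first (NOERROR), then
# the first (NXDOMAIN), and the capture ends part-way through a third message.
SAMPLE_CLIENT = _frame(_msg(0x1234, 0x0100)) + _frame(_msg(0xABCD, 0x0100))
SAMPLE_SERVER = (_frame(_msg(0xABCD, 0x8180)) + _frame(_msg(0x1234, 0x8183))
                 + b"\x00\x1e" + b"\x00" * 10)

if __name__ == "__main__":
    print(evaluate_flow(Flow("10.0.0.5", "203.0.113.53", "tcp", 853), frozenset(), decrypt=False))
    print(summarize_connection(SAMPLE_CLIENT, SAMPLE_SERVER))
```

Two things the sample is built to exercise: the out-of-order answer, which is matched to its query by ID rather than by arrival order, and the unfinished third message, which is held back as pending bytes instead of being mis-parsed as a DNS header. Both matter in practice, because a DoT client keeps one long-lived connection open and a decryption point sees its traffic as a stream of TLS records, not as neatly bounded datagrams.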

Source: www.habr.com
