Whatever a company does, security
If an attacker gains control of an organization's DNS, they can easily:
- grant themselves control over shared resources
- redirect incoming email, web requests and authentication attempts
- create and validate SSL/TLS certificates
This guide looks at DNS security from two angles:
- Continuous monitoring and control of DNS
- How newer DNS protocols such as DNSSEC, DoH and DoT can help protect the integrity and confidentiality of DNS requests in transit
What is DNS security?
The concept of DNS security has two important parts:
- Ensuring the overall integrity and availability of the DNS services that resolve hostnames to IP addresses
- Monitoring DNS activity to spot possible security problems anywhere in your network
Why is DNS vulnerable to attack?
DNS technology was created in the early days of the internet, long before anyone started thinking about network security. DNS works without authentication or encryption and blindly processes requests from any user.
As a result, there are many ways to deceive the user and to falsify information about where the resolution of names to IP addresses actually takes place.
DNS security: issues and components
DNS security consists of several basic components, each of which must be considered to achieve complete protection:
- Hardening server security and management procedures: raise the level of server protection and create a standard deployment template
- Protocol improvements: deploy DNSSEC, DoT or DoH
- Analytics and reporting: add the DNS event log to your SIEM system to get additional context when investigating incidents
- Cyber intelligence and threat detection: subscribe to an active threat intelligence feed
- Automation: create as many scripts as possible to automate processes
The high-level components above are only the tip of the DNS security iceberg. In the next section we go into more specific use cases and the best practices you need to know about.
DNS attacks
- DNS spoofing or cache poisoning: exploiting a system vulnerability to manipulate the DNS cache and redirect users to another location
- DNS tunneling: mainly used to bypass protections on remote connections
- DNS hijacking: redirects normal DNS traffic to a different target DNS server by changing the domain registrar
- NXDOMAIN attack: a DDoS attack on an authoritative DNS server, carried out by sending illegitimate domain queries to force a response
- Phantom domain: causes the DNS resolver to wait for a response from domains that do not exist, which degrades performance
- Random subdomain attack: compromised hosts and botnets launch a DDoS attack against a valid domain, but concentrate their fire on fake subdomains to force the DNS server to look up records and to take over the service
- Domain lock-up: sends a large number of spam responses to tie up DNS server resources
- Botnet attack from subscriber equipment: a collection of computers, modems, routers and other devices that concentrates computing power on a particular website to overload it with traffic requests
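As an added example that is not part of the original article, one way to spot the random subdomain and NXDOMAIN floods and the DNS tunneling listed above in resolver query logs. The log format, thresholds and sample lines are constructed for illustration, and the registered domain is assumed to be the last two labels of the name.

```python
import math
from collections import Counter, defaultdict

def entropy(s):
    """Shannon entropy of a label, in bits per character."""
    return -sum(n / len(s) * math.log2(n / len(s)) for n in Counter(s).values())

def base_domain(qname):
    # Assumption: the last two labels are the registered domain. Real
    # deployments should use the Public Suffix List for this step.
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def analyse(lines, min_queries=5, nx_ratio=0.8, long_label=30, min_entropy=3.5):
    """Return {domain: finding} for domains whose query pattern looks abusive."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "subs": set(), "odd": 0})
    for line in lines:
        _ts, _client, qname, _qtype, rcode = line.split()
        label = qname.lower().split(".")[0]          # leftmost label
        s = stats[base_domain(qname)]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["subs"].add(label)
        # Long, high-entropy labels are typical of data encoded into names.
        s["odd"] += len(label) >= long_label and entropy(label) >= min_entropy
    findings = {}
    for domain, s in stats.items():
        if s["total"] < min_queries:
            continue                                  # too little data to judge
        unique = len(s["subs"]) / s["total"]
        if s["nx"] / s["total"] >= nx_ratio and unique >= nx_ratio:
            findings[domain] = "random-subdomain / NXDOMAIN flood"
        elif s["odd"] / s["total"] >= 0.5:
            findings[domain] = "possible DNS tunneling"
    return findings

# Constructed sample log: "timestamp client qname qtype rcode".
HEX = "0123456789abcdef"
SAMPLE = (
    [f"2024-05-01T10:00:0{i} 10.0.0.7 {lab}.example.com A NXDOMAIN"
     for i, lab in enumerate(["qzx1", "a9fk", "m2lp", "zz81", "k0wd", "p3ty"])]
    + [f"2024-05-01T10:01:0{i} 10.0.0.9 {(HEX[i:] + HEX[:i]) * 2}.t.example.net TXT NOERROR"
       for i in range(6)]
    + [f"2024-05-01T10:02:0{i} 10.0.0.3 www.example.org A NOERROR" for i in range(6)]
)

if __name__ == "__main__":
    for domain, finding in analyse(SAMPLE).items():
        print(f"{domain}: {finding}")
```

The thresholds need tuning against a baseline of your own traffic, since CDNs and some security products also generate long or unique labels.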
Attacks using DNS
Attacks that use DNS in some way to attack other systems (that is, changing DNS records is not the end goal):
- Fast-Flux
- Single Flux Networks
- Double Flux Networks
- DNS tunneling
Attacks that alter DNS responses
Attacks that result in the DNS server returning the IP address the attacker needs:
- DNS spoofing or cache poisoning
- DNS hijacking
What is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is used to validate DNS records without needing to know general information about each individual DNS query.
DNSSEC uses digital signature keys (PKI) to confirm whether the results of a domain name query came from a valid source.
Deploying DNSSEC is not only an industry best practice, it is also effective at preventing most DNS attacks.
How DNSSEC works
DNSSEC works in a similar way to TLS/HTTPS, using public and private key pairs to digitally sign DNS records. A general overview of the process:
- DNS records are signed with the private key of a public/private key pair
- Responses to DNSSEC queries contain the requested record together with the signature and the public key
- The public key is then used to check the authenticity of the record against the signature
DNS and DNSSEC security
DNSSEC is a tool for checking the integrity of DNS queries. It does not affect DNS privacy. In other words, DNSSEC can give you confidence that the answer to your DNS query has not been tampered with, but any attacker can still see those results as they are sent to you.
DoT - DNS over TLS
Transport Layer Security (TLS) is a cryptographic protocol for protecting information transmitted over a network connection. Once a secure TLS connection has been established between the client and the server, the transmitted data is encrypted and no intermediary can see it.
DNS-over-TLS (DNS over TLS, DoT) uses the TLS protocol to encrypt the UDP traffic of ordinary DNS requests.
Encrypting these otherwise plaintext requests helps protect the users or applications making them from several attacks.
- MitM, or "man in the middle": without encryption, an intermediate system between the client and the authoritative DNS server can send false or harmful information to the client in response to a request.
- Espionage and tracking: without encrypted requests, it is easy for intermediate systems to see which sites a particular user or application is accessing. Although DNS alone will not reveal the specific page visited on a website, knowing the requested domains is enough to build a profile of a system or an individual.
DoH - DNS over HTTPS
DNS-over-HTTPS (DNS over HTTPS, DoH) is an experimental protocol promoted jointly by Mozilla and Google. Its goals are similar to those of DoT: improving people's privacy on the internet by encrypting DNS requests and responses.
Standard DNS queries are sent over UDP. Requests and responses can be tracked using tools such as
DoH takes a different approach and sends encrypted hostname resolution requests over an HTTPS connection, which looks like any other web request on the network.
This difference has very important implications both for system administrators and for the future of name resolution.
- DNS filtering is a common way of filtering web traffic to protect users from phishing attacks, sites that distribute malware, or other potentially harmful internet activity on a corporate network. The DoH protocol bypasses these filters, which can expose users and the network to greater risk.
- In the current name resolution model, every device on the network more or less gets its DNS answers from the same place (a specified DNS server). DoH, and in particular Firefox's implementation of it, shows that this may change in the future. Each application on a computer could obtain data from different DNS sources, which makes troubleshooting, security and risk modeling much harder.
What is the difference between DNS over TLS and DNS over HTTPS?
Let's start with DNS over TLS (DoT). The main point here is that the original DNS protocol is not changed; it is simply transmitted securely over a protected channel. DoH, on the other hand, puts DNS into HTTP format before making requests.
DNS monitoring alerts
The ability to effectively monitor DNS traffic on your network for suspicious anomalies is essential for detecting a breach early. Using a tool such as Varonis Edge will let you stay on top of all the important metrics and create profiles for every account on your network. You can configure alerts to be generated as a result of a combination of actions that occur within a specific period of time.
Monitoring DNS changes, account locations, first-time use of and access to sensitive data, and after-hours activity are just a few of the metrics that can be correlated to build a broader detection picture.
Source: www.habr.com