DNS Security Guide

Whatever a company does, DNS security should be an important part of its security plan. Name services, which resolve host names to IP addresses, are used by virtually every application and service on the network.

If an attacker gains control of an organization's DNS, they can easily:

  • give themselves control over shared resources
  • redirect incoming email as well as web requests and authentication attempts
  • create and validate SSL/TLS certificates

This guide looks at DNS security from two angles:

  1. Performing continuous monitoring and control of DNS
  2. How new DNS protocols such as DNSSEC, DoH and DoT can help protect the integrity and confidentiality of transmitted DNS requests

What is DNS security?

The concept of DNS security includes two important components:

  1. Ensuring the overall integrity and availability of the DNS services that resolve host names to IP addresses
  2. Monitoring DNS activity to identify possible security issues anywhere on your network

Why is DNS vulnerable to attack?

DNS technology was created in the early days of the internet, long before anyone began to think about network security. DNS operates without authentication or encryption, blindly processing requests from any user.

Because of this, there are many ways to deceive a user and falsify information about where the resolution of names to IP addresses actually takes place.

DNS security: issues and components

DNS security consists of several basic components, each of which must be considered to ensure complete protection:

  • Hardening server security and management procedures: raise the level of server security and create a standard commissioning template
  • Protocol improvements: deploy DNSSEC, DoT or DoH
  • Analytics and reporting: add the DNS event log to your SIEM system for additional context when investigating incidents
  • Cyber intelligence and threat detection: subscribe to an active threat intelligence feed
  • Automation: create as many scripts as possible to automate processes

The high-level components above are just the tip of the DNS security iceberg. In the next section, we dive into more specific use cases and the best practices you need to know about.

DNS attacks

  • DNS spoofing or cache poisoning: exploiting a system vulnerability to manipulate the DNS cache and redirect users elsewhere
  • DNS tunneling: mainly used to bypass protections on remote connections
  • DNS hijacking: redirecting normal DNS traffic to a different target DNS server by changing the domain registrar
  • NXDOMAIN attack: carrying out a DDoS attack on an authoritative DNS server by sending illegitimate domain queries to obtain a forced response
  • Phantom domain: causes the DNS resolver to wait for a response from non-existent domains, which leads to poor performance
  • Random subdomain attack: compromised hosts and botnets launch a DDoS attack on a valid domain, but concentrate their fire on fake subdomains to force the DNS server to look up records and override the service
  • Domain lock-up: sending numerous spam responses to block DNS server resources
  • Botnet attack from subscriber equipment: a collection of computers, modems, routers and other devices that concentrate computing power on a specific website to overload it with traffic requests
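A detection-side view of two of the attacks listed above, as an added example that is not part of the original guide: it groups resolver log lines by client and parent domain and flags bursts of unique names that mostly fail (random subdomain / NXDOMAIN pattern) or that carry high-entropy labels (a common tunneling indicator). The log format, thresholds, addresses and domains are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: "<client> <qname> <rcode>"
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 www.example.com NOERROR
10.0.0.5 api.example.com NOERROR
10.0.0.5 cdn.example.com NOERROR
10.0.0.9 qzx1k.shop.test NXDOMAIN
10.0.0.9 p0wv7.shop.test NXDOMAIN
10.0.0.9 m3nd8.shop.test NXDOMAIN
10.0.0.9 a9fj2.shop.test NXDOMAIN
10.0.0.9 k2lr5.shop.test NXDOMAIN
10.0.0.7 a1b2c3d4e5f6g7h8.tun.test NOERROR
10.0.0.7 i9j0k1l2m3n4o5p6.tun.test NOERROR
10.0.0.7 q7r8s9t0u1v2w3x4.tun.test NOERROR
10.0.0.7 y5z6a7b8c9d0e1f2.tun.test NOERROR
10.0.0.7 g3h4i5j6k7l8m9n0.tun.test NOERROR
"""

def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    return -sum(label.count(c) / len(label) * math.log2(label.count(c) / len(label))
                for c in set(label))

def analyse(log, min_queries=5, min_unique=0.8, min_nx=0.8, min_entropy=3.0):
    """Group queries by (client, parent domain) and flag the two patterns."""
    stats = defaultdict(lambda: {"n": 0, "nx": 0, "labels": set()})
    for line in log.strip().splitlines():
        client, qname, rcode = line.split()
        labels = qname.rstrip(".").split(".")
        s = stats[(client, ".".join(labels[-2:]))]  # naive parent: last two labels
        s["n"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["labels"].add(labels[0])
    alerts = {}
    for key, s in stats.items():
        if s["n"] < min_queries or len(s["labels"]) / s["n"] < min_unique:
            continue  # too few queries, or mostly repeated names
        mean_h = sum(map(entropy, s["labels"])) / len(s["labels"])
        if s["nx"] / s["n"] >= min_nx:
            alerts[key] = "random-subdomain / NXDOMAIN flood"
        elif mean_h >= min_entropy:
            alerts[key] = "possible DNS tunneling"
    return alerts
```

In production the parent domain should come from the Public Suffix List rather than the last two labels, and the counts should be computed per time window.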

DNS attacks

Attacks that use DNS in some way to attack other systems (that is, changing DNS records is not the end goal):

  • Fast-Flux
  • Single Flux networks
  • Double Flux networks
  • DNS tunneling

DNS attacks

Attacks that result in the IP address needed by the attacker being returned from the DNS server:

  • DNS spoofing or cache poisoning
  • DNS hijacking

What is DNSSEC?

DNSSEC (Domain Name System Security Extensions) is used to validate DNS records without needing to know general information about each individual DNS request.

DNSSEC uses digital signature keys (PKIs) to verify whether the results of a domain name query came from a valid source.
Implementing DNSSEC is not only an industry best practice, it is also effective at avoiding most DNS attacks.

How DNSSEC works

DNSSEC works similarly to TLS/HTTPS, using public and private key pairs to digitally sign DNS records. A general overview of the process:

  1. DNS records are signed with a public-private key pair
  2. Responses to DNSSEC queries contain the requested record as well as the signature and the public key
  3. The public key is then used to compare the authenticity of the record and the signature
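The three steps above carried through for a single A record, as an added example that is not from the original guide: the signed data follows the RFC 4034 layout (RRSIG fields, then the record in canonical wire form) with RSA/SHA-256 (algorithm 8). The key is a constructed, insecure demo key built from two Mersenne primes so the code runs offline with the standard library; the names, addresses, timestamps and key tag are placeholders.

```python
import hashlib
import struct

# Constructed demo key built from two Mersenne primes so the example runs offline.
# It is NOT a secure key; real zones use keys generated by their signer.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)
K = (N.bit_length() + 7) // 8              # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def wire_name(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def a_record(owner, ttl, ip):
    """One A record as it is signed: owner|type|class|TTL|rdlength|rdata."""
    rdata = bytes(int(octet) for octet in ip.split("."))
    return wire_name(owner) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata

def rrsig_fields(owner, signer, ttl, expiration, inception, key_tag):
    """RRSIG RDATA without the signature: type covered A, algorithm 8."""
    labels = len(owner.rstrip(".").split("."))
    return struct.pack("!HBBIIIH", 1, 8, labels, ttl, expiration, inception,
                       key_tag) + wire_name(signer)

def encode(data):
    """PKCS#1 v1.5 signature encoding of SHA-256(data), padded to K bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t

def sign(fields, rr):                 # step 1, zone side: needs private exponent D
    return pow(int.from_bytes(encode(fields + rr), "big"), D, N)

def verify(fields, rr, signature):    # step 3, resolver side: only public (N, E)
    return pow(signature, E, N).to_bytes(K, "big") == encode(fields + rr)

# Constructed placeholder values for the demonstration.
FIELDS = rrsig_fields("www.example.com", "example.com", 300, 1735689600, 1733097600, 12345)
GENUINE = a_record("www.example.com", 300, "192.0.2.10")
FORGED = a_record("www.example.com", 300, "203.0.113.66")
SIGNATURE = sign(FIELDS, GENUINE)     # step 2: travels with the record and the key
```

`verify(FIELDS, GENUINE, SIGNATURE)` succeeds, while the same signature presented with `FORGED` fails, which is how a validating resolver rejects a spoofed answer.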

DNS and DNSSEC security

DNSSEC is a tool for checking the integrity of DNS queries. It does not affect DNS privacy. In other words, DNSSEC can give you confidence that the response to your DNS query has not been tampered with, but any attacker can see those results as they are sent to you.

DoT - DNS over TLS

Transport Layer Security (TLS) is a cryptographic protocol for protecting information transmitted over a network connection. Once a secure TLS connection is established between the client and the server, the transmitted data is encrypted and no intermediary can see it.

TLS is most commonly used as part of HTTPS (SSL) in your web browser, because requests are sent to secure HTTP servers.

DNS-over-TLS (DNS over TLS, DoT) uses the TLS protocol to encrypt the UDP traffic of regular DNS requests.
Encrypting these otherwise plain-text requests helps protect the users or applications making them from several attacks.

  • MitM, or "man in the middle": without encryption, an intermediate system between the client and the authoritative DNS server could send false or malicious information to the client in response to a request.
  • Spying and tracking: without encrypted requests, it is easy for intermediate systems to see which sites a particular user or application is accessing. Although DNS alone will not reveal the specific page visited on a website, knowing the requested domains is enough to build a profile of a system or an individual.

Source: University of California Irvine

DoH - DNS over HTTPS

DNS-over-HTTPS (DNS over HTTPS, DoH) is an experimental protocol promoted jointly by Mozilla and Google. Its goals are similar to those of the DoT protocol: improving people's privacy on the internet by encrypting DNS requests and responses.

Standard DNS queries are sent over UDP. Requests and responses can be tracked using tools such as Wireshark. DoT encrypts these requests, but they are still identifiable as fairly distinct UDP traffic on the network.

DoH takes a different approach and sends encrypted host name resolution requests over an HTTPS connection, which looks like any other web request on the network.

This difference has very important implications both for system administrators and for the future of name resolution.

  1. DNS filtering is a common way to filter web traffic to protect users from phishing attacks, sites that distribute malware, or other potentially harmful internet activity on a corporate network. The DoH protocol bypasses these filters, potentially exposing users and the network to greater risk.
  2. In the current name resolution model, every device on the network more or less receives DNS queries from the same location (a specified DNS server). DoH, and in particular Firefox's implementation of it, shows that this may change in the future. Each application on a computer may get data from different DNS sources, making troubleshooting, security and risk modeling much more difficult.

Source: www.varonis.com/blog/what-is-powershell

What is the difference between DNS over TLS and DNS over HTTPS?

Let's start with DNS over TLS (DoT). The main point here is that the original DNS protocol is not changed, but simply transmitted securely over a protected channel. DoH, on the other hand, puts DNS into HTTP format before making requests.
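The difference described above, shown on one query, as an added example that is not from the original guide: the same DNS wire-format message is framed once the way it is written into a DoT session (RFC 7858) and once as the DoH GET and POST requests of RFC 8484. The host `doh.example` is a constructed placeholder, and the HTTP requests are shown as HTTP/1.1 text for readability; neither function opens a connection.

```python
import base64
import struct

def build_query(name, qtype=1, txid=0):
    """Plain DNS wire-format query: 12-byte header (RD set, one question) + question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN

def frame_dot(msg):
    """DoT (RFC 7858): the unchanged DNS message with the 2-byte length prefix
    used for DNS over TCP; these bytes are written into a TLS session (port 853)."""
    return struct.pack("!H", len(msg)) + msg

def frame_doh_get(msg, host, path="/dns-query"):
    """DoH (RFC 8484) GET: the message is base64url-encoded, unpadded, in ?dns=."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return (f"GET {path}?dns={encoded} HTTP/1.1\r\n"
            f"Host: {host}\r\nAccept: application/dns-message\r\n\r\n").encode("ascii")

def frame_doh_post(msg, host, path="/dns-query"):
    """DoH (RFC 8484) POST: the raw DNS message is the HTTP body."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/dns-message\r\n"
            "Accept: application/dns-message\r\n"
            f"Content-Length: {len(msg)}\r\n\r\n")
    return head.encode("ascii") + msg

QUERY = build_query("www.example.com")          # the same bytes feed both transports
DOT_BYTES = frame_dot(QUERY)
DOH_GET = frame_doh_get(QUERY, "doh.example")   # doh.example is a constructed host
DOH_POST = frame_doh_post(QUERY, "doh.example")
```

For monitoring, the practical consequence is that DoT stays recognisable by its dedicated port, while the DoH request is only distinguishable from other HTTPS traffic by content that is inside the TLS session.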

DNS monitoring alerts

The ability to effectively monitor DNS traffic on your network for suspicious anomalies is critical for early detection of a breach. Using a tool such as Varonis Edge will give you the ability to stay on top of all the important metrics and create profiles for every account on your network. You can configure alerts to be generated as a result of a combination of actions occurring over a specific period of time.

Monitoring DNS changes, account locations, first-time use of and access to sensitive data, and after-hours activity are just a few of the metrics that can be correlated to build a broader detection picture.

Source: www.habr.com
