NXNSAttack: an attack affecting all DNS resolvers

A group of researchers from Tel Aviv University and the Interdisciplinary Center in Herzliya (Israel) has developed a new attack method, NXNSAttack (PDF), which allows any DNS resolver to be used as a traffic amplifier. It provides an amplification factor of up to 1621 times in the number of packets (for each request sent to the resolver, up to 1621 requests can be sent to the victim's server) and up to 163 times in traffic.

The problem stems from features of the protocol and affects all DNS servers that support recursive query processing, including BIND (CVE-2020-8616), Knot (CVE-2020-12667), PowerDNS (CVE-2020-10995), Windows DNS Server and Unbound (CVE-2020-12662), as well as the public DNS services of Google, Cloudflare, Amazon, Quad9, ICANN and other companies. The fix was coordinated with the DNS server developers, who released updates at the same time to fix the vulnerability in their products. Protection against the attack is implemented in the releases Unbound 1.10.1, Knot Resolver 5.1.1, PowerDNS Recursor 4.3.1, 4.2.2, 4.1.16, and BIND 9.11.19, 9.14.12, 9.16.3.

The attack is based on the attacker using requests that refer to a large number of previously unseen fictitious NS records, to which name resolution is delegated, but without supplying glue records with the IP addresses of the NS servers in the response. For example, the attacker sends a query to resolve the name sd1.attacker.com while controlling the DNS server responsible for the attacker.com domain. In reply to the resolver's request, the attacker's DNS server returns a response that delegates resolution of sd1.attacker.com to the victim's DNS server by listing NS records in the response without giving the IP addresses of those NS servers. Since the named NS server has not been encountered before and its IP address is not specified, the resolver tries to determine the IP address of the NS server by sending a query to the victim's DNS server, which serves the target domain (victim.com).

The problem is that the attacker can respond with a huge list of non-repeating NS servers whose names are fictitious subdomains of the victim (fake-1.victim.com, fake-2.victim.com, ... fake-1000.victim.com). The resolver will try to send a request to the victim's DNS server, but will receive a response that the domain was not found, after which it will try to resolve the next NS server in the list, and so on until it has tried all the NS records listed by the attacker. Accordingly, for a single attacker request the resolver sends a huge number of requests to resolve NS hosts. Since the NS server names are generated randomly and refer to non-existent subdomains, they are not served from the cache, and each request from the attacker results in a flurry of requests to the DNS server serving the victim's domain.

The researchers studied how exposed public DNS resolvers are to the problem and determined that when queries are sent to the CloudFlare resolver (1.1.1.1), the number of packets can be amplified (PAF, Packet Amplification Factor) by 48 times, Google (8.8.8.8) - 30 times, FreeDNS (37.235.1.174) - 50 times, OpenDNS (208.67.222.222) - 32 times. More notable figures are observed for Level3 (209.244.0.3) - 273 times, Quad9 (9.9.9.9) - 415 times, SafeDNS (195.46.39.39) - 274 times, Verisign (64.6.64.6) - 202 times, Ultra (156.154.71.1) - 405 times, Comodo Secure (8.26.56.26) - 435 times, DNS.Watch (84.200.69.80) - 486 times, and Norton ConnectSafe (199.85.126.10) - 569 times. For servers based on BIND 9.12.3, because requests are issued in parallel, the amplification level can reach 1000. In Knot Resolver 5.1.0 the amplification level is roughly several tens of times (24-48), since NS names are resolved sequentially and resolution is bounded by an internal limit on the number of name resolution steps allowed for a single request.

There are two main defense strategies. For systems with DNSSEC, it is proposed to use RFC-8198 to prevent the DNS cache from being bypassed, which happens because the requests are sent with random names. The essence of the method is to generate negative responses without contacting the authoritative DNS servers, using range checking via DNSSEC. A simpler approach is to limit the number of names that can be resolved while processing a single delegated request, but this method may cause problems with some existing configurations, because the limits are not defined in the protocol.
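
The first defense above, as an added example that is not from the original article or from any resolver's code base: a Python model of RFC 8198 negative answers, in which one cached NSEC range answers every later non-existent name without another query to the authoritative server. The zone contents, the NSEC chain and all function names are constructed for illustration; signature validation and the wildcard proof are left out.

```python
# Constructed sample zone for the article's victim.com example: its NSEC
# chain as (owner, next) pairs. The last record wraps back to the zone apex.
ZONE = "victim.com"
NSEC_CHAIN = [("victim.com", "mail.victim.com"),
              ("mail.victim.com", "www.victim.com"),
              ("www.victim.com", "victim.com")]

def canon(name):
    """RFC 4034 section 6.1 sort key: lowercased labels, rightmost first."""
    return [l.encode() for l in reversed(name.lower().rstrip(".").split("."))]

def in_zone(name, zone=ZONE):
    k, z = canon(name), canon(zone)
    return k[:len(z)] == z

def covers(nsec, qname):
    """True if the NSEC (owner, next) pair proves qname does not exist."""
    owner, nxt, q = canon(nsec[0]), canon(nsec[1]), canon(qname)
    if not in_zone(qname):
        return False
    if owner < nxt:                  # ordinary gap between two existing names
        return owner < q < nxt
    return q > owner                 # last NSEC: gap runs to the end of the zone

def authoritative_lookup(qname):
    """Stand-in for the victim's server: the NSEC proving NXDOMAIN, if any."""
    return next((n for n in NSEC_CHAIN if covers(n, qname)), None)

def resolve_ns_names(ns_names, aggressive=True):
    """Count the queries that reach the authoritative server while a resolver
    chases the glueless NS names of one referral."""
    cache, upstream = [], 0
    for name in ns_names:
        if aggressive and any(covers(n, name) for n in cache):
            continue                 # RFC 8198: NXDOMAIN synthesized from cache
        upstream += 1
        nsec = authoritative_lookup(name)
        if nsec is not None:
            cache.append(nsec)       # remember the proven-empty range
    return upstream

# Constructed referral: 1000 non-existent NS names, as in the text above.
REFERRAL = [f"fake-{i}.victim.com" for i in range(1, 1001)]

if __name__ == "__main__":
    print("without RFC 8198:", resolve_ns_names(REFERRAL, aggressive=False))
    print("with RFC 8198:   ", resolve_ns_names(REFERRAL))
```

With the cache in use, the number of upstream queries is bounded by the number of gaps in the zone's NSEC chain rather than by the number of names in the referral.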

Source: opennet.ru