DNSpooq - seven new vulnerabilities in dnsmasq

Specialists from JSOF research labs have reported seven new vulnerabilities in the DNS/DHCP server dnsmasq. The dnsmasq server is very popular and is used by default in many Linux distributions, as well as in network devices from Cisco, Ubiquiti and others. The DNSpooq vulnerabilities include DNS cache poisoning and remote code execution. The vulnerabilities are fixed in dnsmasq 2.83.

In 2008, the well-known security researcher Dan Kaminsky discovered and disclosed a fundamental flaw in the Internet's DNS mechanism. Kaminsky proved that attackers could spoof domain addresses and steal data. This has since become known as the "Kaminsky Attack".

DNS has been considered an insecure protocol for decades, although it is supposed to guarantee a certain level of integrity. It is for this reason that it is still heavily relied upon. At the same time, mechanisms were developed to improve the security of the original DNS protocol. These mechanisms include HTTPS, HSTS, DNSSEC and other initiatives. However, even with all these mechanisms in place, DNS hijacking is still a dangerous attack in 2021. Much of the Internet still relies on DNS in the same way it did in 2008, and is exposed to the same kind of attacks.

DNSpooq cache poisoning vulnerabilities: CVE-2020-25686, CVE-2020-25684, CVE-2020-25685. These vulnerabilities are similar to the SAD DNS attack recently reported by researchers from the University of California and Tsinghua University. The SAD DNS and DNSpooq vulnerabilities can also be combined to make attacks even easier. Additional attacks with unclear consequences have also been reported through joint efforts of universities (Poison Over Troubled Forwarders, etc.).
The vulnerabilities work by reducing entropy. Because a weak hash is used to identify DNS requests, and because of the way a request is matched to a response, entropy can be greatly reduced so that only ~19 bits need to be guessed, which makes cache poisoning feasible. The way dnsmasq processes CNAME records allows a chain of CNAME records to be spoofed, effectively poisoning up to 9 DNS records at a time.

Buffer overflow vulnerabilities: CVE-2020-25687, CVE-2020-25683, CVE-2020-25682, CVE-2020-25681. All 4 of these vulnerabilities are in the code that implements DNSSEC and only show up when DNSSEC validation is enabled in the settings.
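The two conditions above (a release older than 2.83, and DNSSEC validation switched on) can be checked per host. The following is an added example, not code from JSOF or the dnsmasq project: it assumes the banner format printed by `dnsmasq --version` and the `dnssec` keyword in the configuration file, uses constructed sample inputs, and looks only at the upstream version number, so a distribution package with backported fixes will still be flagged.

```python
import re

FIXED = (2, 83)  # first fixed release, per the article
CACHE_POISONING = ["CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686"]
DNSSEC_OVERFLOWS = ["CVE-2020-25681", "CVE-2020-25682",
                    "CVE-2020-25683", "CVE-2020-25687"]

# Constructed sample inputs (not taken from a real host).
SAMPLE_BANNER = "Dnsmasq version 2.80  Copyright (c) 2000-2018 Simon Kelley"
SAMPLE_CONF = "port=53\n#dnssec\ncache-size=1000\ndnssec  # validate answers\n"


def is_fixed(banner):
    """True if the `dnsmasq --version` banner reports 2.83 or later."""
    m = re.search(r"[Dd]nsmasq version (\d+)\.(\d+)(rc|test)?", banner)
    if not m:
        raise ValueError("no dnsmasq version found in banner")
    version = (int(m.group(1)), int(m.group(2)))
    # Conservative assumption: a 2.83 pre-release build is treated as unfixed.
    if version == FIXED and m.group(3):
        return False
    return version >= FIXED


def dnssec_enabled(conf_text):
    """True if an uncommented `dnssec` line appears in the config text."""
    for raw in conf_text.splitlines():
        if raw.split("#", 1)[0].strip() == "dnssec":
            return True
    return False


def exposure(banner, conf_text):
    """Return the DNSpooq CVEs that apply to this version and configuration."""
    if is_fixed(banner):
        return []
    cves = list(CACHE_POISONING)
    if dnssec_enabled(conf_text):
        # The four buffer overflows are reachable only with DNSSEC validation.
        cves += DNSSEC_OVERFLOWS
    return cves


if __name__ == "__main__":
    for cve in exposure(SAMPLE_BANNER, SAMPLE_CONF):
        print(cve)
```

The check reads a single configuration text; settings passed on the command line or pulled in from other configuration files are not seen by it.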

Source: linux.org.ru