Whatever a company does, DNS security should be an integral part of its security plan. Name services, which resolve hostnames to IP addresses, are used by nearly every application and service on the network.
If an attacker gains control of an organization's DNS, they can easily:
- Transfer control of resources in the public domain
- Redirect inbound email, web requests, and authentication attempts
- Generate and validate SSL/TLS certificates
This guide covers DNS security from two angles:
- Continuous monitoring and control of DNS
- How new DNS protocols such as DNSSEC, DoH, and DoT help protect the integrity and confidentiality of DNS queries in transit
What Is DNS Security?
DNS security has two important parts:
- Ensuring the overall integrity and availability of the DNS services that resolve hostnames to IP addresses
- Monitoring DNS activity to identify potential security issues anywhere on the network
Why Is DNS Vulnerable to Attack?
DNS technology was created in the early days of the internet, long before anyone was thinking about network security. DNS works without authentication or encryption and blindly processes requests from users.
As a result, there are many ways to deceive users and falsify information about where name-to-IP-address resolution actually takes place.
DNS Security Issues and Components
DNS security consists of several key components, each of which must be considered to ensure complete protection.
- Hardening servers and management procedures: harden server security and create a standard commissioning template
- Protocol enhancements: implement DNSSEC, DoT, or DoH
- Analytics and reporting: add DNS event logs to your SIEM system for additional context when investigating incidents
- Cyber intelligence and threat detection: subscribe to an active threat intelligence feed
- Automation: write as many scripts as possible to automate processes
The high-level components above are only the tip of the iceberg of DNS security. The next sections take a closer look at the more specific use cases and best practices you need to know.
DNS Attacks
- DNS spoofing or cache poisoning: exploits a system vulnerability to take control of the DNS cache and redirect users to a different destination
- DNS tunneling: mainly used to bypass protections for remote connections
- DNS hijacking: redirects normal DNS traffic to a different target DNS server by changing the domain registrar
- NXDOMAIN attack: carries out a DDoS attack against an authoritative DNS server by sending illegitimate domain requests to force a response
- : DNS- (DNS resolver) ,
- : DDoS- , , DNS-
- : - DNS-
- - : , , , -
DNS
Attacks that use DNS in some way to attack other systems (that is, changing DNS records is not the end goal):
- Fast flux
- Single-flux networks
- Double-flux networks
- DNS tunneling
Attacks on DNS
Attacks that cause the DNS server to return the IP address the attacker wants:
- DNS spoofing or cache poisoning
- DNS hijacking
What Is DNSSEC?
DNSSEC (Domain Name System Security Extensions) is used to validate DNS records without needing to know general information about each specific DNS request.
DNSSEC uses digital signature keys (PKI) to verify whether the result of a domain name query comes from a valid source.
Implementing DNSSEC is not only an industry best practice; it also effectively prevents most DNS attacks.
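How DNSSEC Works
DNSSEC works similarly to TLS/HTTPS, using public and private key pairs to digitally sign DNS records. A general overview of the process:
- DNS records are signed with the private key of a public/private key pair
- A DNSSEC response contains the requested record, the signature, and the public key
- The public key is then used to compare the record against the signature and confirm its authenticity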
DNS and DNSSEC Security
DNSSEC is a tool for checking the integrity of DNS queries. It does not affect DNS confidentiality. In other words, DNSSEC gives you confidence that the answer to a DNS query has not been forged, but an attacker can still see those results as they are transmitted.
DoT: DNS over TLS
Transport Layer Security (TLS) is a cryptographic protocol for protecting information sent over a network connection. Once a secure TLS connection is established between client and server, the transmitted data is encrypted and intermediaries cannot see it.
TLS is most commonly used as part of HTTPS (SSL) in web browsers, where requests are sent to secure HTTP servers.
DNS over TLS (DoT) uses the TLS protocol to encrypt the UDP traffic of ordinary DNS requests.
Encrypting these otherwise plaintext requests helps protect the users or applications making them from several attacks:
- MitM, or man-in-the-middle: without encryption, an intermediate system between the client and the trusted DNS server can send false or dangerous information to the client in response to a request.
- Spying and tracking: without encrypted requests, an intermediate system can easily see which sites a particular user or application is accessing. DNS alone does not reveal the specific pages visited on a site, but simple knowledge of the requested domains is enough to build a profile of a system or individual.
Source: University of California, Irvine
DoH: DNS over HTTPS
DNS over HTTPS (DoH) is an experimental protocol promoted jointly by Mozilla and Google. Its goal is to strengthen the privacy of people on the internet by encrypting DNS requests and responses. It is similar to DoT.
Standard DNS queries are sent over UDP. Requests and responses can be traced with tools such as Wireshark. DoT encrypts these requests, but they are still identifiable as fairly distinct UDP traffic on the network.
DoH takes a different approach, sending encrypted hostname resolution requests over an HTTPS connection so that they look like any other web request on the network.
This difference has very important implications for both system administrators and the future of name resolution:
- DNS filtering is a common way to filter web traffic in order to protect users from phishing attacks, malware-distributing sites, and other potentially harmful internet activity on a corporate network. DoH bypasses these filters, potentially exposing users and the network to greater risk.
- In the current model of name resolution, every device on a network has its DNS requests answered, more or less, from the same place (a designated DNS server). DoH, and Firefox's implementation of it in particular, shows that this may change in the future. If each application on a computer can get data from different DNS sources, troubleshooting, security, and risk modeling become much more difficult.
Source: www.varonis.com/blog/what-is-powershell
What Is the Difference Between DNS over TLS and DNS over HTTPS?
Let's start with DNS over TLS (DoT). The key point here is that the original DNS protocol is unchanged and is simply transmitted over a secure channel. DoH, by contrast, puts DNS into HTTP format before making the request.
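The difference described above, as an added example that is not part of the original article: one DNS query framed for DoT as RFC 7858 specifies (a two-byte length prefix inside a TLS stream on port 853) and for DoH as RFC 8484 specifies (an HTTP GET or POST). The resolver name `doh.example.net` and the path `/dns-query` are placeholder assumptions.

```python
import base64
import struct


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in RFC 1035 wire format (qtype 1 = A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame_dot(message: bytes) -> bytes:
    """DoT: the DNS message is unchanged; only a 2-byte length prefix is added
    before it is written to the TLS stream (RFC 7858, port 853)."""
    return struct.pack("!H", len(message)) + message


def frame_doh_get(message: bytes, path: str = "/dns-query") -> str:
    """DoH GET: the message becomes an unpadded base64url `dns` parameter."""
    param = base64.urlsafe_b64encode(message).rstrip(b"=").decode("ascii")
    return f"GET {path}?dns={param} HTTP/1.1"


def frame_doh_post(message: bytes, host: str = "doh.example.net",
                   path: str = "/dns-query") -> bytes:
    """DoH POST: the message is the HTTP body, typed application/dns-message."""
    head = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"  # placeholder resolver name (assumption)
        "Content-Type: application/dns-message\r\n"
        "Accept: application/dns-message\r\n"
        f"Content-Length: {len(message)}\r\n\r\n"
    )
    return head.encode("ascii") + message


if __name__ == "__main__":
    query = build_query("example.com")  # txid 0, as RFC 8484 recommends for caching
    print("DoT frame:", frame_dot(query).hex())
    print("DoH GET  :", frame_doh_get(query))
    print("DoH POST :", frame_doh_post(query)[:60], "...")
```

On the wire the DoT form is recognizable by its dedicated port, while the DoH form is an ordinary HTTPS request, which is why DNS filtering and monitoring treat the two differently.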
DNS Monitoring Alerts
The ability to effectively monitor DNS traffic on your network for suspicious anomalies is important for detecting a breach early. Tools such as Varonis Edge let you keep track of all the important metrics and build a profile for every account on the network. You can customize alert generation based on a combination of actions occurring within a specific period of time.
Monitoring DNS changes, account location, first-time use of and access to sensitive data, and after-hours activity are some of the metrics that can be correlated to provide a full detection picture.
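A sketch of time-windowed DNS alerting over resolver logs, added here as an example; it is not Varonis Edge logic or code from the original article. The log format, the sample lines, and every threshold are constructed assumptions. It flags two patterns tied to the attacks listed earlier: a burst of NXDOMAIN answers from one client, and unusually long query labels, a common tunneling heuristic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <client IP> <query name> <response code>"
SAMPLE_LOG = (
    ["2024-05-01T09:00:%02d 10.0.0.5 www.example.com NOERROR" % s for s in range(5)]
    + ["2024-05-01T09:01:%02d 10.0.0.9 x%d.shop.example.net NXDOMAIN" % (s, s)
       for s in range(30)]
    + ["2024-05-01T09:02:%02d 10.0.0.7 %s.t.example.org NOERROR" % (s, "a1b2c3d4e5" * 5)
       for s in range(3)]
)


def detect(lines, window=timedelta(minutes=5), nx_min=20, nx_ratio=0.8, label_len=40):
    """Return sorted (client, reason) alerts; thresholds are illustrative."""
    per_client = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = line.split()
        per_client[client].append((datetime.fromisoformat(ts), qname.lower(), rcode))

    alerts = set()
    for client, events in per_client.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end, (ts, qname, _rcode) in enumerate(events):
            while ts - events[start][0] > window:
                start += 1
            recent = events[start:end + 1]
            nx = sum(1 for event in recent if event[2] == "NXDOMAIN")
            # Many failed lookups in a short period from one client
            if nx >= nx_min and nx / len(recent) >= nx_ratio:
                alerts.add((client, "nxdomain-burst"))
            # Data-carrying labels tend to approach the 63-byte label limit
            if max(len(label) for label in qname.split(".")) >= label_len:
                alerts.add((client, "long-label"))
    return sorted(alerts)


if __name__ == "__main__":
    for client, reason in detect(SAMPLE_LOG):
        print(client, reason)
```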