Alert Regarding Published Reports of Attacks on the Domain Name System

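LOS ANGELES, 15 February 2019: The Internet Corporation for Assigned Names and Numbers (ICANN) announced today that it is aware of several recently published public reports of malicious activity targeting the Domain Name System (DNS). We understand that the ICANN organization's systems have not been attacked, and we are working with relevant community members to investigate the reports of attacks against top-level domains (TLDs). For reports on this matter, see the following resources: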

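ICANN believes that all members of the domain name industry, including registries, registrars, resellers, and other related parties, should immediately take proactive precautions, including implementing security best practices, to protect their systems, their customers' systems, and the information reachable through the DNS.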

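We believe that DNS industry practitioners have already adopted robust security practices in their businesses. Even so, everyone can still go through the following security checklist.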

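  • Ensure that security patches for all systems have been reviewed and applied;
  • Review log files for unauthorized access to systems, paying particular attention to administrator access;
  • Review internal controls over administrator ("root") access;
  • Verify the integrity of every DNS record, and the change history of those records;
  • Use sufficiently complex passwords, in particular by increasing password length;
  • Ensure that passwords are not shared with other users;
  • Ensure that passwords are never stored or transmitted in clear text;
  • Enforce regular and periodic password changes;
  • Enforce a password lockout policy;
  • Ensure that DNS root zone records are all DNSSEC signed, and that your DNS resolvers are able to perform DNSSEC validation;
  • Ideally, ensure that all systems use multi-factor authentication, especially for administrator access; and
  • Ideally, ensure that your email domain has a DMARC policy with SPF and/or DKIM, and that you enforce such policies published by other domains on your own email system.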
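
An added example for the checklist item on verifying DNS record integrity and change history (not part of ICANN's announcement and not ICANN code): it compares a current record snapshot with a trusted baseline and reports every changed record set that has no matching approved change. The zone data, host names, addresses and the change-log format are constructed assumptions.

```python
# Added example (not ICANN code): diff a DNS record snapshot against a trusted
# baseline and report changed RRsets that lack an approved change record.
# Zone names, addresses and the change-log format are constructed samples.
from collections import defaultdict

BASELINE = """
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
www.example.test. 300 IN A 192.0.2.10
mail.example.test. 300 IN A 192.0.2.25
"""
CURRENT = """
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns1.unknown-host.test.
www.example.test. 300 IN A 192.0.2.10
mail.example.test. 300 IN A 198.51.100.7
"""
# Approved changes: (owner, type) -> the full rdata set that was signed off.
CHANGE_LOG = {("mail.example.test", "A"): {"198.51.100.7"}}

def parse_records(text):
    """Parse 'owner TTL class type rdata' lines into {(owner, type): {rdata}}."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):   # skip blanks and comment lines
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets[(owner.lower().rstrip("."), rtype.upper())].add(rdata)
    return rrsets

def unapproved_changes(baseline, current, change_log):
    """Return (owner, type, old, new) for each changed RRset not in the log."""
    findings = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key, set()), current.get(key, set())
        if old == new or change_log.get(key) == new:
            continue   # unchanged, or the new value matches an approved change
        findings.append((key[0], key[1], sorted(old), sorted(new)))
    return findings

if __name__ == "__main__":
    for owner, rtype, old, new in unapproved_changes(
            parse_records(BASELINE), parse_records(CURRENT), CHANGE_LOG):
        print(f"UNAPPROVED {rtype} change on {owner}: {old} -> {new}")
```

In the sample, the mail host's address change is suppressed because it matches the change log, while the swapped name server is reported for review.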

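The Security and Stability Advisory Committee (SSAC) has also previously published security best-practice advice and information on this type of threat: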

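ICANN is committed to being a reliable partner to the multistakeholder community and to engaging actively and collaboratively to ensure the security, stability, and resiliency of the Internet's global identifier systems. To learn more about ICANN's role in maintaining the security, stability, and resiliency of the Internet's identifier systems, visit: https://www.icann.org/octo-ssr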

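The ICANN community will continue to discuss this critical topic during the upcoming ICANN64 meeting in Kobe. In addition, the ICANN organization can offer advice on security best practices; please send email to: globalsupport@icann.org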

About ICANN

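ICANN's mission is to ensure a stable, secure, and unified global Internet. To find another person's information on the Internet, you have to type an address into your computer or other device, either a name or a string of numbers. That address must be unique so that computers can identify each other. ICANN coordinates these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation, and its community members are located all over the world.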

