Abstract
[Objective] As an important piece of Internet infrastructure, the DNS system was not initially designed with protocol security in mind, and DNS queries and responses are transmitted in plaintext, making them vulnerable to eavesdropping and traffic analysis. With the evolution of the Internet, DNS security and privacy concerns have received increasing attention, and several extended DNS encryption protocols have emerged to protect data in transit. However, these encrypted DNS transport protocols do not prevent DNS recursive resolvers from collecting private user data. Instead, the way these protocols are implemented and deployed accelerates the centralization of the DNS resolution system, leading to increasingly serious privacy issues on the DNS server side. [Methods] The multi-resolver mechanism studied in this paper mitigates centralization and protects user privacy on the DNS server side by dispersing user query requests across multiple candidate DNS resolvers. By studying the selection strategy, which is the core issue of the mechanism, this paper proposes an improved round robin selection method. The method maintains a query record table on the client side to keep a fixed relationship between each domain name and its resolver, reduces the amount of information about user browsing activity exposed to each individual resolver, and prevents any single resolver from obtaining a user's entire web browsing history. In addition, a weighted round robin approach based on resolver ping latency is used as a further improvement to optimize the domain name resolution latency of the multi-resolver mechanism, in order to strike a balance between privacy protection through dispersion and performance. [Results] The experiments show that the improved round robin approach effectively achieves the design goal of the multi-resolver mechanism, dispersing users' domain name resolution requests among the candidate resolvers to the greatest extent, and that the weighted round robin approach based on ping latency achieves a significant performance improvement at the cost of a reduced dispersion effect. [Conclusions] A comparison of different selection strategies shows that the improved round robin method and the weighted round robin method proposed in this paper have clear advantages in dispersion effect and resolution performance, respectively. The multi-resolver mechanism based on the methods in this paper provides a feasible solution to the privacy and centralization problems of the current DNS.
Authors
WU Yiming (吴一铭); WANG Wei (王伟); YAN Zhiwei (延志伟); WANG Yang (汪洋)
Affiliations: Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China; University of Chinese Academy of Sciences, Beijing 100049, China; China Internet Network Information Center, Beijing 100190, China
Source
Frontiers of Data & Computing (《数据与计算发展前沿》)
CSCD
2021, Issue 3, pp. 75-85 (11 pages)
Funding
Beijing Nova Program (No. Z191100001119113).