DNS is one of the most important basic infrastructures of the Internet; attacks on it will prevent the Internet from working properly. Therefore, its security is receiving great concern. This paper analyzes the principles of both traditional and novel (Kaminsky) DNS cache poisoning, presents attack samples and describes the whole attack process in detail. After verifying the potential harm of DNS cache poisoning, the paper proposes several defense strategies.
The Domain Name System (DNS) is a core component of the Internet, but because of its distributed and caching nature, DNS is vulnerable to various attacks, especially cache poisoning. With the use of random source ports and random transaction IDs, the probability of cache poisoning has been reduced, but in recent years, with the emergence of fragmentation-reassembly attacks on DNS forwarders and of side-channel attacks, the probability of cache poisoning has tended to rise again. To counter these newly emerged cache poisoning techniques, this paper proposes the 3C (Cache Consistency Checking) method, which determines whether DNS cache poisoning has occurred by checking whether the DNS cache is consistent with the authoritative query result, and switches to a disaster-recovery resolution system once poisoning is detected. At the same time, to speed up both the comparison and DNS queries, and to isolate the disaster-recovery resolution system from the effects of cache poisoning, this paper uses a local authoritative mirror query system for top-level domains. Experiments show that the 3C method can accurately detect cache poisoning, and that the local authoritative mirror query system greatly improves the comparison efficiency of 3C. Compared with traditional DNS, DNS queries that integrate the 3C method and the local top-level-domain authoritative mirror query system are faster, improving both the performance and the security of DNS.
The Domain Name System (DNS) suffers from vulnerabilities that are exploited to launch cache poisoning attacks. Inspired by biodiversity, we design and implement a non-intrusive and tolerant secure architecture, Multi-DNS (MDNS), to deal with them. MDNS consists of a Scheduling Proxy and a DNS server pool containing heterogeneous DNS implementations. The Scheduling Proxy dynamically schedules m DNSs to provide service in parallel and adopts the vote of the majority of DNSs to decide which replies are valid. Benefiting from the centralized control of software-defined networking (SDN), we implement a proof of concept of the architecture. Evaluation results demonstrate the validity and availability of MDNS and its intrusion/fault tolerance, while the average delay can be kept within 0.3 s.
DNS (domain name system), as an important basic service facility of the network, is a necessary link for terminals to access the Internet. In recent years, more and more attacks attempt to lead users to malicious servers through the DNS system, posing a serious threat to Internet security. Preventing and mitigating access to malicious domain names or IPs, such as phishing sites, spam, ransomware and pornographic sites, is of great practical significance to both operators and network regulators. This paper explains the working principle of RPZ (response policy zones), builds an RPZ security protection system for DNS, then configures the relevant core software, and finally verifies through experiments the protective effect of the system against malicious domain names and IPs.
The domain name system (DNS), as one of the core architectures of the Internet, faces problems such as insufficient trustworthiness and weak security protection, while blockchain, by synchronizing, sharing and replicating data across multiple nodes, provides a multi-centered or decentralized and tamper-resistant data storage mechanism, and has become an important solution for improving the trustworthiness and security of DNS. However, there is currently no comprehensive survey of the literature on blockchain-based DNS, and a review of the related research is urgently needed to promote the application of blockchain to DNS, a core architecture of the Internet, and thereby improve the overall security of the Internet architecture. This paper analyzes the main existing security problems of DNS from the perspectives of protocol and architecture and classifies DNS threats into traffic redirection attacks and denial-of-service attacks; it analyzes the limitations of mainstream protection measures, reviews the related research on blockchain in DNS, outlines system workflows, and evaluates current schemes in terms of system complexity and security; finally, it proposes several key problems that must be solved to build a mature and reliable blockchain DNS and gives future research directions.
Funding: partly supported by the National Key Research and Development Program of China (No. 2016YFB0800100, 2016YFB0800101), the National Natural Science Fund for Creative Research Groups Project (No. 61521003) and the National Natural Science Fund for Youth Fund Project (No. 61602509).