Abstract: The domain name system (DNS) provides a mapping service between memorable names and numerical Internet protocol addresses, and it is a critical infrastructure of the Internet. The authenticity of DNS resolution results is crucial for ensuring the accessibility of Internet services. Hundreds of supplementary protocol specifications have been proposed to compensate for the security flaws of DNS. However, DNS security incidents still occur frequently. Although DNS is a distributed system, for a given domain name only the authorized authoritative servers can resolve it. Other servers must obtain the resolution result through a recursive or iterative resolving procedure, which renders DNS vulnerable to various attacks, such as DNS cache poisoning and distributed denial of service (DDoS) attacks. This paper proposes a novel decentralized architecture for a DNS data plane, called Blockzone. First, Blockzone uses novel mechanisms, including on-chain authorization and off-chain storage, to implement a decentralized and trustworthy DNS data plane. Second, in contrast to the hierarchical authentication and recursive query of traditional DNS, Blockzone implements a decentralized operation model. This model significantly increases the efficiency of domain name resolution and verification and enhances the security of DNS against DDoS and cache poisoning attacks. In addition, Blockzone is fully compatible with the traditional DNS implementation and can be incrementally deployed as a plug-in service of DNS without changing the DNS protocol or system architecture. The Blockzone scheme can also be generalized to address security issues in other areas, such as the Internet of Things and edge computing.
Funding: This research was supported by the National Natural Science Foundation of China (Grant No. 61976064), the Project of National Defense Science and Technology Innovation Zone (Grant No. 18-H863-01-ZT-005-027-02), the Equipment Pre-Research Key Laboratory Fund Project (61421030203), and the Zhijiang International Young Talent Scheme (2019).

Abstract: The rapid development of blockchain technology has provided new ideas for network security research, and blockchain-based network security enhancement solutions are attracting widespread attention. This paper proposes an Internet domain name verification method based on blockchain. The authenticity of DNS (Domain Name System) resolution results is crucial for ensuring the accessibility of Internet services. Due to the lack of adequate security mechanisms, it has always been a challenge to verify the authenticity of Internet domain name resolution results. Although the solution represented by DNSSEC (Domain Name System Security Extensions) can theoretically solve the domain name verification problem, it has not been widely deployed on a global scale due to political, economic, and technical constraints. We argue that the root cause of this problem lies in the significant centralization of the DNS system. This centralized feature not only reduces the efficiency of domain name verification but also carries the hidden risks of a single point of failure and unilateral control. Internet users may disappear from the Internet as a result of fake, subverted, or misconfigured domain name resolution. This paper presents a decentralized DNS cache verification method, which uses a consortium blockchain in place of the root domain name server to verify the authenticity of a domain name. Compared with DNSSEC's domain name verification process, the verification efficiency of this method is increased by 30%, and there is no single point of failure or unilateral control risk. In addition, this solution is incrementally deployable, and even if it is deployed on a small number of content delivery network servers, satisfactory results can be obtained.
Funding: This work was supported by the National Natural Science Foundation of China (Grant Nos. 61976064, U20B2046), the National Defence Science and Technology Key Laboratory Fund (61421190306), the Guangdong Province Universities and Colleges Pearl River Scholar Funded Scheme (2019), and the National Key Research and Development Plan (Grant No. 2018YFB1800702).

Abstract: As one of the most important Internet infrastructures, the domain name system (DNS) is vulnerable to various attacks, and the issue of DNS security has received critical attention. However, most existing DNS security enhancements have encountered great difficulties in the process of adoption. The main reason is that these enhancement measures usually focus on the server side and thus require changes to the existing DNS protocol or architecture, while modifying the Internet infrastructure is inherently hard. Noting that the range of domain names frequently visited by a single user is much smaller than the entire domain name space, in this paper we propose the idea of a personal DNS agent (P-DNS), which migrates DNS security from servers to user terminals and can be applied without changing the current DNS infrastructure. P-DNS takes advantage of static and dynamic redundancy to enhance DNS security. Specifically, in the static redundancy phase, P-DNS improves resolution efficiency by using resolution results cached in LDAP, while in the dynamic redundancy stage, P-DNS improves the reliability of resolution results by querying multiple recursive name servers (RNSs). Simulation results show that the proposed architecture can effectively improve DNS security performance and greatly reduce the additional delay caused by redundancy.
Funding: Supported by the National Key R&D Program of China under Grant 2018YFA0701600.