Computer Engineering and Applications ›› 2024, Vol. 60 ›› Issue (21): 73-88. DOI: 10.3778/j.issn.1002-8331.2405-0302
JI Jie, YUE Pengfei, LI Leixiao, DU Jinze, LIN Hao, GAO Haoyu
Online: 2024-11-01
Published: 2024-10-25
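Abstract: The Domain Name System (DNS), one of the core components of the Internet architecture, suffers from insufficient trustworthiness and weak security protection. Blockchain, by synchronizing, sharing and replicating data across multiple nodes, provides a multi-centered or decentralized, tamper-resistant data storage mechanism, and has become an important approach to improving the trustworthiness and security of DNS. However, a comprehensive survey of the literature on blockchain-based DNS is currently lacking, and a review of the related research is needed to promote the application of blockchain in DNS, a core part of the Internet architecture, and thereby improve the overall security of the Internet architecture. This paper analyzes the main existing security problems of DNS from the two perspectives of protocol and architecture, and classifies DNS threats into traffic-redirection attacks and denial-of-service attacks. It analyzes the limitations of mainstream protection measures, reviews the research on blockchain in DNS, outlines the system workflows, and evaluates current schemes in terms of system complexity and security. Finally, it identifies several key problems that must be solved to build a mature and reliable blockchain DNS and gives future research directions.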
JI Jie, YUE Pengfei, LI Leixiao, DU Jinze, LIN Hao, GAO Haoyu. Comprehensive Review of Application Progress of Blockchain in Domain Name System Security[J]. Computer Engineering and Applications, 2024, 60(21): 73-88.