Comprehensive Review of Application Progress of Blockchain in Domain Name System Security

doi:10.3778/j.issn.1002-8331.2405-0302

Abstract

Abstract: As one of the core architectures of the Internet, the domain name system (DNS) faces issues such as insufficient credibility and weak security protection. Blockchain, with its mechanism of data storage that is multi-centered or decentralized, and difficult to tamper with by synchronizing, sharing, and replicating data across multiple points, has become an important solution to enhance the credibility and security of DNS. However, there is currently a lack of comprehensive research on blockchain DNS, and there is an urgent need to review related studies to promote the application of blockchain in DNS, a core architecture of the Internet, thereby enhancing the overall security of the Internet infrastructure. The analysis begins from two perspectives: protocols and architecture, identifying the main security issues existing in DNS and categorizing DNS threats into traffic redirection attacks and denial of service attacks. Then, it examines the limitations of mainstream protective measures and reviews the relevant research on blockchain in DNS, summarizing the system workflow, and evaluates current solutions in terms of system complexity and security. Finally, it proposes several key issues that need to be addressed in building a mature and reliable blockchain DNS and presents future research directions.

Key words: domain name system (DNS), blockchain, distributed denial of service, cache poisoning, cyberspace security

摘要： 域名系统（domain name system, DNS）作为互联网的核心架构之一，面临可信度不足、安全保护薄弱等问题，而区块链通过多点同步、共享、复制数据提供了一种多中心或去中心，以及难以篡改的数据存储机制，已经成为提高DNS可信度和安全性的重要解决方案。然而，当前缺乏对区块链DNS相关文献的全面调研，亟需对相关研究进行综述，以推动区块链在DNS这一互联网的核心架构中的应用，进而提升互联网架构整体安全性。从协议和架构两个角度分析DNS现存的主要安全问题，将DNS威胁划分为重定向流量攻击和拒绝服务攻击；分析了主流防护措施的局限性，梳理了区块链在DNS中的相关研究，概述系统工作流程，从系统复杂度和安全性方面评价了当前方案；提出构建成熟可靠的区块链DNS需要解决的几个关键问题并给出未来研究方向。

关键词: 域名系统（DNS）, 区块链, 分布式拒绝服务攻击, 缓存中毒, 网络空间安全

JI Jie, YUE Pengfei, LI Leixiao, DU Jinze, LIN Hao, GAO Haoyu. Comprehensive Review of Application Progress of Blockchain in Domain Name System Security[J]. Computer Engineering and Applications, 2024, 60(21): 73-88.

姬婕, 岳鹏飞, 李雷孝, 杜金泽, 林浩, 高昊昱. 区块链在域名系统安全中的应用进展综述[J]. 计算机工程与应用, 2024, 60(21): 73-88.

References

[1] VAN DER TOORN O, MüLLER M, DICKINSON S, et al. Addressing the challenges of modern DNS a comprehensive tutorial[J]. Computer Science Review, 2022, 45(4): 100469-100506.
[2] RAJASEKARAN A S, AZEES M, ALTURJMAN F. A comprehensive survey on blockchain technology[J]. Sustainable Energy Technologies and Assessments, 2022, 52(4): 102039-102052.
[3] LIU Y, ZHANG Y W, ZHU S Y, et al. A comparative study of blockchain?based DNS design[C]//Proceedings of the 2019 2nd International Conference on Blockchain Technology and Applications, 2019: 86-92.
[4] AL-MASHHADI S, MANICKAM S. A brief review of blockchain-based DNS systems[J]. International Journal of Internet Technology and Secured Transactions, 2020, 10(4): 420-432.
[5] HU W H, AO M, SHI L, et al. Review of blockchain based DNS alternatives[J]. Chinese Journal of Network and Information Security, 2017, 3(3): 71-77.
[6] THEODER J, METHARATH B S, ALOUNEH S. Securing domain name systems with blockchain[C]//Proceedings of the 2023 Fourth International Conference on Intelligent Data Science Technologies and Applications (IDSTA), 2023: 48-53.
[7] BISIAUX J Y. DNS threats and mitigation strategies[J]. Network Security, 2014(7): 5-9.
[8] WEI L, HEIDEMANN J. Whac-A-Mole: six years of DNS spoofing[J]. arXiv:2011.12978, 2020.
[9] DAI T X, JEITNER P, SHULMAN H, et al. From IP to transport and beyond: cross-layer attacks against applications[C]//Proceedings of the 2021 ACM SIGCOMM Conference, 2021: 836-849.
[10] BERGER H, DVIR A Z, GEVA M. A wrinkle in time: a case study in DNS poisoning[J]. International Journal of Information Security, 2021, 20(3): 313-329.
[11] VISSERS T, BARRON T, VAN GOETHEM T, et al. The wolf of name street: Hijacking domains through their nameservers[C]//Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, 2017: 957-970.
[12] ALOWAISHEQ E, TANG S Y, WANG Z B, et al. Zombie awakening: stealthy hijacking of active domains through DNS hosting referral[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020: 1307-1322.
[13] HOUSER R, HAO S, LI Z, et al. A comprehensive measurement-based investigation of DNS hijacking[C]//Proceedings of the 2021 40th International Symposium on Reliable Distributed Systems (SRDS), 2021: 210-221.
[14] CONTI M, DRAGONI N, LESYK V. A survey of man in the middle attacks[J]. IEEE Communications Surveys & Tutorials, 2016, 18(3): 2027-2051.
[15] YLLI E, FEJZAJ J. Man in the middle: attack and protection[C]//Proceedings of the International Conference on Recent Trends and Applications in Computer Science and Information Technology (RTA-CSIT), 2021: 198-204.
[16] MOURA G C M, CASTRO S, HARDAKER W, et al. Clouding up the Internet: how centralized is DNS traffic becoming?[C]//Proceedings of the ACM Internet Measurement Conference, 2020: 42-49.
[17] ISMAIL S, HASSEN H R, JUST M, et al. A review of amplification-based distributed denial of service attacks and their mitigation[J]. Computers & Security, 2021, 109(8): 102380.
[18] ANAGNOSTOPOULOS M, KAMBOURAKIS G, KOPANOS P, et al. DNS amplification attack revisited[J]. Computers & Security, 2013, 39(11): 475-485.
[19] RAJENDRAN B. DNS amplification & DNS tunneling attacks simulation, detection and mitigation approaches[C]//Proceedings of the 2020 International Conference on Inventive Computation Technologies (ICICT), 2020: 230-236.
[20] ZHANG H K, YE J Y, HU W H, et al. Study on the latent state of Kaminskystyle DNS cache poisoning: modeling and empirical analysis[J]. Computers & Security, 2021, 110(11): 102445-102460.
[21] MAN K Y, QIAN Z Y, WANG Z J, et al. DNS cache poisoning attack reloaded: revolutions with side channels[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, 2020: 1337-1350.
[22] FENG X W, LI Q, SUN K, et al. Man-in-the-middle attacks without rogue AP: when WPAs meet ICMP redirects[C]//Proceedings of the 2023 IEEE Symposium on Security and Privacy (SP), 2023: 3162-3177.
[23] XU C X, ZHANG Y Y, SHI F, et al. Measuring the centrality of DNS infrastructure in the Wild[J]. Applied Sciences, 2023, 13(9): 5739.
[24] AFEK Y, BREMLERBARR A, SHAFIR L. NXNSAttack: recursive DNS inefficiencies and vulnerabilities[C]//Proceedings of the 29th USENIX Security Symposium (USENIX Security 20), 2020: 631-648.
[25] AFEK Y, BREMLERBARR A, STAJNROD S. NRDelegationAttack: complexity DDoS attack on DNS recursive resolvers[C]//Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23), 2023: 3187-3204.
[26] SOMMESE R, CLAFFY K, VAN RIJSWIJKDEIJ R, et al. Investigating the impact of DDoS attacks on DNS infrastructure[C]//Proceedings of the 22nd ACM Internet Measurement Conference, 2022: 51-64.
[27] YU Z, XUE D, FAN J L, et al. DNSTSM: DNS cache resources trusted sharing model based on consortium blockchain[J]. IEEE Access, 2020, 8: 13640-13650.
[28] HU N, YU T, ZHAO Y, et al. IDV: Internet domain name verification based on blockchain[J]. CMES-Computer Modeling in Engineering & Sciences, 2021, 129(1): 299-322.
[29] PENG G. CDN: content distribution network[J]. arXiv:cs/0411069, 2004.
[30] GAO T, DONG Q K. DNS-BC: fast, reliable and secure domain name system caching system based on a consortium blockchain[J]. Sensors, 2023, 23(14): 6366.
[31] BENSHOOF B, ROSEN A, BOURGEOIS A, et al. Distributed decentralized domain name service[C]//Proceedings of the 2016 IEEE International Parallel and Distributed Processing Symposium Workshops (IPDPSW), 2016: 1279-1287.
[32] DUAN X A, YAN Z W, GENG G G, et al. DNSLedger: decentralized and distributed name resolution for ubiquitous IoT[C]//Proceedings of the 2018 IEEE International Conference on Consumer Electronics (ICCE), 2018: 1-3.
[33] LIU W F, ZHANG Y, LIU L, et al. A secure domain name resolution and management architecture based on blockchain[C]//Proceedings of the 2020 IEEE Symposium on Computers and Communications (ISCC), 2020: 1-7.
[34] JI B F, HAN Y, LIU S W, et al. Several key technologies for 6G: challenges and opportunities[J]. IEEE Communications Standards Magazine, 2021, 5(2): 44-51.
[35] REID F, HARRIGAN M. An analysis of anonymity in the bitcoin system[M]. New York: Springer, 2013.
[36] ZHENG B, ZHU L, SHEN M, et al. Identifying the vulnerabilities of bitcoin anonymous mechanism based on address clustering[J]. Science China Information Sciences, 2020, 63: 1-15.
[37] ARENDS R, AUSTEIN R, LARSON M, et al. DNS security introduction and requirements: RFC4033[S]. 2005.
[38] LU C, LIU B, LI Z, et al. An end-to-end, large-scale measurement of DNS-over-encryption: how far have we come?[C]//Proceedings of the Internet Measurement Conference, 2019: 22-35.
[39] ADAMS C, LLOYD S. Understanding PKI: concepts, standards, and deployment considerations[M]. [S.l.]: Addison-Wesley Professional, 2003.
[40] 陈闻宇, 李晓东, 杨学, 等. 一种基于区块链的 DNSSEC 公钥验证机制[J]. 自动化学报, 2023, 49(4): 731-743.
CHEN W Y, LI X D, YANG X, et al. A blockchain-based DNSSEC public key verification scheme[J]. Acta Automatica Sinica, 2023, 49(4): 731-743.
[41] GOURLEY S, TEWARI H. Blockchain backed dnssec[C]//Proceedings of the International Conference on Business Information Systems. Cham: Springer International Publishing, 2018: 173-184.
[42] HARI A, LAKSHMAN T V. The internet blockchain: a distributed, tamper-resistant transaction framework for the internet[C]//Proceedings of the 15th ACM Workshop on Hot Topics in Networks, 2016: 204-210.
[43] DNSSEC deployment report[EB/OL].[2022-04-13]. http://rick.eng.br/dnssecstat/.
[44] HOUNSEL A, BORGOLTE K, SCHMITT P, et al. Comparing the effects of DNS, DoT, and DoH on web performance[C]//Proceedings of The Web Conference 2020, 2020: 562-572.
[45] KOSHY A M, YELLUR G, KAMMACHI H J, et al. An insight into encrypted DNS protocol: DNS over TLS[C]//Proceedings of the 2021 4th International Conference on Recent Developments in Control, Automation & Power Engineering (RDCAPE), 2021: 379-383.
[46] BANNAT WALA F, CAMPBELL S, KIRAN M. Insights into DoH: traffic classification for DNS over HTTPS in an encrypted network[C]//Proceedings of the 2023 on Systems and Network Telemetry and Analytics, 2023: 9-17.
[47] KOSEK M, SCHUMANN L, MARX R, et al. DNS privacy with speed? evaluating DNS over QUIC and its impact on Web performance[C]//Proceedings of the 22nd ACM Internet Measurement Conference, 2022: 44-50.
[48] JIN L, HAO S, HUANG Y, et al. DNSonChain: delegating privacy-preserved DNS resolution to blockchain[C]//Proceedings of the 2021 IEEE 29th International Conference on Network Protocols (ICNP), 2021: 1-11.
[49] CHEN W Y, YANG X, ZHANG H K, et al. Big data architecture for scalable and trustful DNS based on sharded DAG blockchain[J]. Journal of Signal Processing Systems, 2021, 93(4): 753-768.
[50] DANG H, DINH T, LOGHIN D, et al. Towards scaling blockchain systems via sharding[C]//Proceedings of the 2019 International Conference on Management of Data, 2019: 123-140.
[51] VAN RIJSWIJKDEIJ R, SPEROTTO A, PRAS A. DNSSEC and its potential for DDoS attacks: a comprehensive measurement study[C]//Proceedings of the 2014 Conference on Internet Measurement Conference, 2014: 449-460.
[52] STOICA I, MORRIS R, KARGER D, et al. Chord: a scalable peer-to-peer lookup service for Internet applications[J]. ACM SIGCOMM Computer Communication Review, 2001, 31(4): 149-160.
[53] COX R, MUTHITACHAROEN A, MORRIS R T. Serving DNS using a peer-to-peer lookup service[C]//Proceedings of the International Workshop on Peer-to-Peer Systems. Berlin, Heidelberg: Springer, 2002: 155-165.
[54] GUTIERREZ C, KRISHNAN R, SUNDARAM R, et al. HARD-DNS: highly-available redundantly-distributed DNS[C]//Proceedings of the 2010 Military Communications Conference, 2010: 1343-1348.
[55] SUN H M, ZHANG W X, ZHANG S Y, et al. DepenDNS: dependable mechanism against DNS cache poisoning[C]//Proceedings of the International Conference on Cryptology and Network Security. Berlin, Heidelberg: Springer, 2009: 174-188.
[56] HOANG N, LIN I, GHAVAMNIA S, et al. K-resolver: towards decentralizing encrypted DNS resolution[J]. arXiv:2001.08901, 2020.
[57] GUPTA A, CHAUDHARY B, DWIVEDI P. A comprehensive study on Namecoin[R]. 2022.
[58] ALI M, NELSON J, SHEA R, et al. Blockstack: a global naming and storage system secured by blockchains[C]//Proceedings of the 2016 USENIX Annual Technical Conference (USENIX ATC 16), 2016: 181-194.
[59] XIA P C, WANG H Y, YU Z, et al. Challenges in decentralized name management: the case of ENS[C]//Proceedings of the 22nd ACM Internet Measurement Conference, 2022: 65-82.
[60] CAO K Y, LIU Y F, MENG G J, et al. An overview on edge computing research[J]. IEEE Access, 2020, 8: 85714-85728.
[61] CHONCHOLAS J, BHARDWAJ K, GAVRILOVSKA A. The performance argument for blockchain-based edge DNS caching[C]//Proceedings of the 2021 IEEE/ACM Symposium on Edge Computing (SEC), 2021: 312-318.
[62] PALLADINO N, SANTANIELLO M, PALLADINO N, et al. IANA functions, ICANN, and the DNS war[M]//Legitimacy, power, and inequalities in the multistakeholder Internet governance: analyzing IANA transition, 2021: 43-61.
[63] ZHANG Y, LIU W F, XIA Z D, et al. Blockchain-based DNS root zone management decentralization for Internet of things[J]. Wireless Communications and Mobile Computing, 2021: 1-20.
[64] 庄天舒, 刘文峰, 李东. 基于区块链的DNS根域名解析体系[J]. 电信科学, 2018, 34(3): 17-22.
ZHUANG T S, LIU W F, LI D. DNS root domain name analysis system based on block chain[J]. Telecommunications Science, 2018, 34(3): 17-22.
[65] LIU Y, YU H S, WANG W Y, et al. A robust blockchain-based distribution master for distributing root zone data in DNS[J]. The Computer Journal, 2022, 65(11): 2880-2893.
[66] Handshake[EB/OL].[2023-10-26]. https://handshake.org/.
[67] HE G B, SU W, GAO S, et al. TD-Root: a trustworthy decentralized DNS root management architecture based on permissioned blockchain[J]. Future Generation Computer Systems, 2020, 102(1): 912-924.
[68] DOUCEUR J. The sybil attack[C]//Proceedings of the International Workshop on Peer-to-Peer Systems. Berlin, Heidelberg: Springer, 2002: 251-260.
[69] 雷凯, 束方兴, 黄磊, 等. 面向跨域可信的泛中心化区块链 DNS 架构研究[J]. 网络与信息安全学报, 2020, 6(2): 19-34.
LEI K, SHU F X, HUANG L, et al. Research on cross-domain trustable blockchain based decentralized DNS architecture[J]. Chinese Journal of Network and Information Security, 2020, 6(2): 19-34.
[70] HAN P P, YAN Z, DING W X, et al. A survey on cross-chain technologies[J]. Distributed Ledger Technologies: Research and Practice, 2023, 2(2): 1-30.
[71] LI Z C, GAO S, PENG Z, et al. B-DNS: a secure and efficient DNS based on the blockchain technology[J]. IEEE Transactions on Network Science and Engineering, 2021, 8(2): 1674-1686.
[72] LIU J Q, LI B, CHEN L Z, et al. A data storage method based on blockchain for decentralization DNS[C]//Proceedings of the 2018 IEEE Third International Conference on Data Science in Cyberspace (DSC), 2018: 189-196.
[73] MATSUOKA K, SUZUKI T. Blockchain and DHT based lookup system aiming for alternative DNS[C]//Proceedings of the 2020 2nd International Conference on Computer Communication and the Internet (ICCCI), 2020: 98-105.
[74] MAYMOUNKOV P, MAZIERES D. Kademlia: a peer-to-peer information system based on the XOR metric[C]//Proceedings of the International Workshop on Peer-to-Peer Systems. Berlin, Heidelberg: Springer, 2002: 53-65.
[75] LIU S Y, GUO S Y, HU Z W, et al. Domain name service mechanism based on master-slave chain[J]. Intelligent Automation & Soft Computing, 2022, 32(2): 951-962.
[76] 李妍星, 徐世中, 辛光. 具有可扩展性的区块链 DNS 系统设计[J]. 通信与信息技术, 2022(6): 22-29.
LI Y X, XU S Z, XIN G. Design of a scalable blockchain-based DNS system[J]. Communication & Information Technology, 2022(6): 22-29.
[77] DANIEL E, TSCHORSCH F. IPFS and friends: a qualitative comparison of next generation peer-to-peer data networks[J]. IEEE Communications Surveys & Tutorials, 2022, 24(1): 31-52.
[78] CAMENISCH J, STADLER M. Efficient group signature schemes for large groups[C]//Proceedings of the Annual International Cryptology Conference. Berlin, Heidelberg: Springer, 1997: 410-424.
[79] FUJISAKI E, SUZUKI K. Traceable ring signature[C]//Proceedings of the International Workshop on Public Key Cryptography. Berlin, Heidelberg: Springer, 2007: 181-200.
[80] YI X, PAULET R, BERTINO E, et al. Homomorphic encryption[M].[S.l.]: Springer International Publishing, 2014.
[81] 陈越, 郝增航, 魏江宏, 等. 支持陷门撤销和编辑次数限制的可编辑区块链[J]. 通信学报, 2023, 44(7): 100-113.
CHEN Y, HAO Z H, WEI J H, et al. Redactable blockchain supporting trapdoor revocation and limited number of redactions[J]. Journal on Communications, 2023, 44(7): 100-113.