Computer Science ›› 2025, Vol. 52 ›› Issue (6A): 240900140-8. doi: 10.11896/jsjkx.240900140

• Information Security •

Analysis of DNS Threats and the Challenges of DNS Security

YU Yiming1, CHEN Yuanzhi1, LANG Jun2

  1 The Third Research Institute of the Ministry of Public Security, Shanghai 200030, China
  2 Network Security Bureau of the Ministry of Public Security, Beijing 100010, China
  • Online: 2025-06-16 Published: 2025-06-12
  • Corresponding author: YU Yiming (724378735@qq.com)
  • About author: YU Yiming, born in 1998, master, research assistant. His main research interests include Web applications, cybersecurity, threat intelligence, and AI large models.

Abstract: With the widespread adoption and growing complexity of the Internet, the Domain Name System (DNS), a core component of global network communications, faces intensifying challenges in security, privacy, and performance. Starting from common DNS attacks, this paper analyzes the threat surface of the DNS protocol and of the system itself, describes the protocol's current shortcomings and flaws from four aspects (integrity, confidentiality, availability, and authenticity), and summarizes the problems DNS currently faces based on an expanded framework of information security essentials. It then introduces the mainstream DNS enhancement and protection measures, discussing existing research in three areas (protocol enhancement, intrusion detection system enhancement, and system enhancement) and summarizing and evaluating their strengths and limitations. Finally, it proposes decentralization as a future research direction and traffic data retention engineering as a key area for future construction, providing a reference for the future development of DNS security technologies.

Key words: Domain name system, DNS security threats, DNS security protection, DNS privacy and security

CLC Number:

  • TP393