Computer Science, 2025, Vol. 52, Issue (6A): 240900140-8. doi: 10.11896/jsjkx.240900140

• Information Security •

Analysis of DNS Threats and the Challenges of DNS Security

YU Yiming (1), CHEN Yuanzhi (1), LANG Jun (2)

  1. The Third Research Institute of the Ministry of Public Security, Shanghai 200030, China
  2. Network Security Bureau of the Ministry of Public Security, Beijing 100010, China
  • Online: 2025-06-16 Published: 2025-06-12
  • About author: YU Yiming, born in 1998, master, research assistant. His main research interests include Web applications, cybersecurity, threat intelligence, and AI large models.

Abstract: With the widespread adoption and growing complexity of the Internet, the domain name system (DNS), a core component of global network communications, faces intensifying challenges in security, privacy, and performance. Starting from an analysis of prevalent DNS attacks, this paper examines the threat landscape of the DNS protocols and the system itself, and explains the current inadequacies and flaws of the DNS protocol from four aspects: integrity, confidentiality, availability, and authenticity. The issues DNS currently faces are summarized using an expanded framework of information security essentials. The prevalent enhancements and protective measures for DNS are then introduced, with a focus on existing research in three primary areas: protocol reinforcement, intrusion detection system augmentation, and system strengthening. These efforts are summarized and evaluated for their respective strengths and limitations. Finally, future research directions are proposed, emphasizing decentralization, and a pivotal construction area, the traffic data retention project, is highlighted, offering insights and prospects for the future development of DNS security technologies.

Key words: Domain name system, DNS security threats, DNS security protection, DNS privacy and security

CLC Number: TP393