Research Article

DNS communication protocol with consideration of networking privacy

  • ZHANG Haikuo,
  • LU Zhonghua,
  • CHEN Wenyu,
  • CHEN Liandong,
  • ZUO Peng,
  • WANG Jue,
  • XU Yanzhi
  • 1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China;
    2. University of Chinese Academy of Sciences, Beijing 100049, China;
    3. China Internet Network Information Center, Beijing 100190, China;
    4. State Grid Hebei Electric Power Company, Shijiazhuang 050022, China;
    5. Beijing National Science Civilization Light Technology Co., Ltd., Beijing 100190, China
ZHANG Haikuo, Ph.D. candidate; research interest: computer system architecture; e-mail: zhanghaikuo@cnnic.cn

Received date: 2018-12-24

  Revised date: 2019-03-07

  Online published: 2019-05-06

Funding

Key Program of the National Natural Science Foundation of China (91530324); National Key Research and Development Program of China (2017YFB0202302)

Abstract

The domain name system (DNS) is an essential Internet service that maps domain names to IP addresses and is one of the Internet's most important addressing services. It is an open and interconnected platform and an important entry point for Internet access. Domain name privacy protection has been one of the hot issues in DNS security research in recent years. This paper proposes the DNS data encryption algorithm (DNSDEA), a method that encrypts the DNS queries and responses exchanged between the client and the DNS server over the user datagram protocol (UDP) in order to protect user privacy. The method integrates a PKI encryption scheme with the DNS protocol. It solves the problem of domain name privacy protection, is compatible with the traditional DNS system, and maintains the simple and efficient technical characteristics of DNS. Compared with current DNS encryption methods, DNSDEA increases the granularity of task parallelism in DNS lookups, reduces the latency of encrypted DNS queries, and improves concurrent DNS query handling. Finally, at the technical level, some suggestions are offered for subsequent research on communication encryption applications and on the performance of secure DNS resolution.

Cite this article

ZHANG Haikuo, LU Zhonghua, CHEN Wenyu, CHEN Liandong, ZUO Peng, WANG Jue, XU Yanzhi. DNS communication protocol with consideration of networking privacy[J]. Science & Technology Review, 2019, 37(8): 97-103. DOI: 10.3981/j.issn.1000-7857.2019.08.011
