China Broadnet Mobile Network Co., Ltd. (中广电移动网络有限公司), Beijing 100020
YANG Tian-le (b. 1981), master's degree, senior technical title, currently a technical expert at 中广电移动网络通信有限公司, responsible for research into new network technologies for IP, transport and wireless networks.
CHEN Ying (b. 1981), master's degree, professor-level senior engineer, currently a technical expert at 中广电移动网络通信有限公司.
WANG Hai-tao (b. 1970), bachelor's degree, senior technical title, currently a technical expert at 中广电移动网络通信有限公司.
Accepted: 2023-10-19
Print publication date: 2023-08-30
YANG Tian-le, CHEN Ying, WANG Hai-tao. Mitigating DNS Cache Poisoning Through Cache Consistency Checking Method and Disaster Resolution System Optimization[J]. New Generation of Information Technology, 2023, 6(16): 30-36. DOI: 10.3969/j.issn.2096-6091.2023.16.006.
The Domain Name System (DNS) is a core component of the Internet, but because of its distributed and caching nature it is vulnerable to a range of attacks, cache poisoning in particular. The use of random source port numbers and random transaction IDs has reduced the probability of cache poisoning, but in recent years the appearance of DNS forwarder fragmentation attacks and side-channel attacks has pushed that probability up again. To counter these newly emerged cache poisoning techniques, this paper proposes the 3C (Cache Consistency Checking) method: it checks whether the DNS cache agrees with the result of an authoritative query to decide whether the cache has been poisoned, and once poisoning is detected it switches resolution to a disaster recovery resolution system. To speed up both the comparison and DNS queries, and to isolate the disaster recovery resolution system from the effects of cache poisoning, the paper uses a local top-level domain authoritative mirror query system. Experiments show that the 3C method detects cache poisoning accurately and that the local authoritative mirror query system greatly improves the efficiency of the 3C comparison. Compared with traditional DNS, DNS queries that integrate the 3C method and the local top-level domain authoritative mirror query system are faster, improving both DNS performance and security.
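The consistency check the abstract describes, as an added Python example that is not the paper's own code: a cached answer is served only if it matches the answer obtained from the local authoritative mirror; otherwise the entry is treated as poisoned, evicted, and the query is answered by the disaster recovery resolver instead. The `mirror_lookup` and `dr_lookup` callables, the record model, the strict set-equality comparison rule and the sample data are assumptions, not details taken from the paper.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, Tuple

Record = Tuple[str, str, str]            # (owner name, RR type, rdata)
RRSet = FrozenSet[Record]
Lookup = Callable[[str, str], Iterable[Record]]

def _key(name: str, rtype: str) -> Tuple[str, str]:
    # Owner names are case-insensitive (RFC 4343); a trailing dot is not significant here.
    return name.lower().rstrip("."), rtype.upper()

def normalize(records: Iterable[Record]) -> RRSet:
    # TTLs are deliberately excluded: a refreshed record has a new TTL but is not poisoned.
    return frozenset(_key(n, t) + (rdata,) for n, t, rdata in records)

@dataclass
class Verdict:
    consistent: bool
    answer: RRSet
    source: str  # "cache", "authoritative-mirror" or "disaster-recovery"

class Resolver3C:
    """Answers from cache only while the cache agrees with the authoritative mirror."""
    def __init__(self, cache: Dict[Tuple[str, str], Iterable[Record]],
                 mirror_lookup: Lookup, dr_lookup: Lookup) -> None:
        self.cache = {_key(*k): normalize(v) for k, v in cache.items()}
        self.mirror_lookup = mirror_lookup   # local authoritative mirror (assumed interface)
        self.dr_lookup = dr_lookup           # disaster recovery resolver (assumed interface)
        self.poisoned: set = set()           # keys whose cached answer failed the 3C check

    def resolve(self, qname: str, qtype: str) -> Verdict:
        key = _key(qname, qtype)
        authoritative = normalize(self.mirror_lookup(*key))
        cached = self.cache.get(key)
        if cached is None:                    # cache miss: fill from the mirror
            self.cache[key] = authoritative
            return Verdict(True, authoritative, "authoritative-mirror")
        if cached == authoritative:           # 3C passes: the cached answer is trustworthy
            return Verdict(True, cached, "cache")
        # 3C fails: record the poisoned entry, evict it, and fail over to the DR system
        self.poisoned.add(key)
        del self.cache[key]
        return Verdict(False, normalize(self.dr_lookup(*key)), "disaster-recovery")

def build_demo() -> Resolver3C:
    # Constructed sample data (RFC 5737 documentation addresses, .test TLD), not measurements.
    truth = {("example.test", "A"): [("example.test", "A", "192.0.2.10")],
             ("www.example.test", "A"): [("www.example.test", "A", "192.0.2.20")]}
    cache = {("example.test", "A"): [("example.test", "A", "198.51.100.66")],      # forged entry
             ("www.example.test", "A"): [("www.example.test", "A", "192.0.2.20")]}  # genuine entry
    return Resolver3C(cache, lambda n, t: truth[(n, t)], lambda n, t: truth[(n, t)])
```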