Cite this article:
  • Li Baiyang, Zhu Yujia, Liu Qingyun, Sun Yong, Zhang Yuedong, Guo Li. Encrypted DNS: Protocols, Research Status and Future Prospects [J]. Journal of Cyber Security, accepted.


Views: 2683   Downloads: 232
Encrypted DNS: Protocols, Research Status and Future Prospects
Li Baiyang1, Zhu Yujia1, Liu Qingyun1, Sun Yong1, Zhang Yuedong2, Guo Li1
(1. Institute of Information Engineering, Chinese Academy of Sciences; 2. CNCERT/CC, National Computer Network and Security Management Center)
Abstract:
The Domain Name System (DNS) provides name resolution and is one of the Internet's critical infrastructures; if name resolution is attacked, the vast majority of network applications are severely affected. The DNS protocol, however, is vulnerable by its original design and cannot guarantee user privacy or transport security. Encrypted DNS protects user privacy by encrypting DNS query and response messages; it has developed rapidly in recent years and has attracted wide attention in China and abroad. To give a full picture of the state of encrypted DNS and to explore its impact on the name resolution ecosystem, this paper surveys research on encrypted DNS. It first outlines the standardization and development of encrypted DNS protocols and compares five of them, DNSCrypt, DNS-over-TLS (DoT), DNS-over-DTLS (DoD), DNS-over-QUIC (DoQ) and DNS-over-HTTPS (DoH), in terms of protocol design, protocol maturity and applicability. It then surveys the research status of encrypted DNS in depth, analysing its deployment, performance and security as well as its impact on other services, and summarizes the progress in each area. Finally, building on current research and taking the perspective of optimizing encrypted DNS, it discusses future technical trends and research directions in three areas, performance optimization, security enhancement, and service selection and management, as a reference for follow-up research.
Keywords: DNS security; encrypted DNS; network measurement; transport protocol
DOI:10.19363/J.cnki.cn10-1380/tn.2023.08.36
Received: 2021-07-14; Revised: 2021-10-29
Funding:
Encrypted DNS: Protocol, Research Status and Future Prospects
Li Baiyang1, Zhu Yujia1, Liu Qingyun1, Sun Yong1, Zhang Yuedong2, Guo Li1
(1.Institute of Information Engineering, Chinese Academy of Sciences;2.CNCERT/CC)
Abstract:
The Domain Name System (DNS), which maps human-readable names to Internet resources, is one of the most important infrastructure components of the Internet: almost every activity on the Internet starts with a DNS query. Despite this critical role, DNS cannot guarantee transport security or user privacy because of vulnerabilities inherent in its original design. Encrypted DNS, which protects user privacy by encrypting DNS messages, has developed rapidly in recent years and attracted extensive attention, and using encrypted DNS instead of plaintext DNS on the client side has become a noticeable trend. Encrypted DNS is gradually changing the DNS ecosystem, so analysing its impact on that ecosystem is both necessary and important. To fully understand the development of encrypted DNS and its impact on the DNS ecosystem, we survey the state of encrypted DNS, concentrating on active research topics. We first introduce the protocol implementations of encrypted DNS and summarize the state of development of each protocol in detail. The five major protocols, DNSCrypt, DNS-over-TLS (DoT), DNS-over-DTLS (DoD), DNS-over-QUIC (DoQ) and DNS-over-HTTPS (DoH), have attracted the most attention; we compare them in terms of design, usability and maturity. We then analyse the focused research areas of encrypted DNS in depth. Current research can be grouped into four areas: adoption, performance, security, and the impact on other Internet applications and services. We summarize the progress in each area, which together demonstrates the availability of encrypted DNS. Finally, based on current work, we discuss future trends and important open issues of encrypted DNS from the perspective of system optimization, and propose feasible future directions in performance improvement, security enhancement, selection mechanisms and service management. These proposals could serve as a reference for further research.
Key words: DNS security; encrypted DNS; network measurement; protocol
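As an added illustration (this code is not from the paper nor from any of the protocol implementations it surveys), the Python below builds one DNS query in RFC 1035 wire format and frames it the way DoT/DoQ, DoH GET and DoH POST clients put it on the wire. It makes the point of the protocol comparison concrete: the DNS message itself is byte-for-byte the same across transports, so the privacy gain comes entirely from the encrypted stub-to-resolver channel, and transport-specific rules such as the DoH (SHOULD) and DoQ (MUST) convention of a zero DNS ID exist for caching and stream multiplexing, not for confidentiality. The resolver URL `https://doh.example/dns-query` is an assumption for the example. DNSCrypt and DoD are not shown: DNSCrypt uses its own certificate and padding scheme, and DoD carries each message in a DTLS datagram without a length prefix.

```python
"""Added example (not code from the paper): build one DNS query and frame it the
way the transports compared in this survey put it on the wire. Runs offline with
only the standard library; nothing is sent. Framing rules used:
  - DNS wire format: RFC 1035 section 4.1
  - DoT (RFC 7858) and DoQ (RFC 9250): 2-octet big-endian length prefix per message
  - DoH (RFC 8484): GET ?dns=<unpadded base64url> or POST application/dns-message
  - DoH (SHOULD) and DoQ (MUST): DNS message ID set to 0
The resolver URL below is an assumption for the example, not a real endpoint.
"""
import base64
import struct

TYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """RFC 1035 label encoding: length-prefixed labels terminated by a zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """12-octet header (QDCOUNT=1, RD=1) followed by a single question section.
    The same byte string goes over UDP/53, DoT, DoH or DoQ: the encrypted
    transports wrap it, they do not change it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def frame_stream(msg: bytes) -> bytes:
    """DoT / DoQ framing (also plain DNS-over-TCP): 2-octet length, then the message."""
    if len(msg) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return struct.pack("!H", len(msg)) + msg


def doh_get_url(msg: bytes, template: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: base64url with '=' padding stripped, in the 'dns' parameter."""
    if msg[:2] != b"\x00\x00":
        raise ValueError("set the DNS ID to 0 for DoH so identical queries cache identically")
    token = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{template}?dns={token}"


def doh_post(msg: bytes) -> dict:
    """RFC 8484 POST form: raw wire-format body with the DNS media type."""
    return {
        "method": "POST",
        "headers": {"Content-Type": "application/dns-message",
                    "Accept": "application/dns-message"},
        "body": msg,
    }


def decode_doh_get(url: str) -> bytes:
    """Inverse of doh_get_url: restore padding, then base64url-decode the 'dns' value."""
    token = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def parse_query(msg: bytes) -> tuple:
    """Decode (ID, qname, qtype) from a wire-format query; used to check round trips."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, off = [], 12
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not expected in a question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, ".".join(labels), qtype


if __name__ == "__main__":
    q = build_query("example.com")
    print("wire query     :", q.hex())
    print("DoT/DoQ framed :", frame_stream(q).hex())
    print("DoH GET        :", doh_get_url(q))
    print("DoH POST       :", doh_post(q)["headers"])
    print("round trip     :", parse_query(decode_doh_get(doh_get_url(q))))
```

The DoT and DoQ framing is identical at this level (RFC 9250 reuses the 2-octet length field and additionally requires one query per QUIC stream with ID 0); the difference that matters for the survey's performance and security comparisons lies in the transport underneath, not in the DNS payload.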