| 摘要: |
| 域名系统权威服务器的可用性对于网络服务的正常运行至关重要,权威服务器不可用会直接导致域名不可用,影响用户访问网站、发送电子邮件等正常网络活动。俄乌冲突爆发后,域名系统的服务可用性受到了地缘政治的影响,导致以.ru为代表的俄罗斯相关域名的服务运营被迫迁往本国基础设施。然而,目前还没有公开研究全面分析中国域名权威服务器的配置和部署情况,缺少对中国重点域名权威服务器的可用性风险评估研究。面对断网停服等全球网络空间安全威胁,迫切需要对国家网络空间重点领域域名开展态势感知。本文从政府、教育、企业三个领域着手收集整理了中国重点领域的域名作为数据集,然后对上述重点领域域名进行了全面的态势测量,包括基础设施静态属性测量、基础设施共享测量、权威服务器部署方式测量、无效权威服务器测量、基础设施境外依赖度测量和顶级域名境外依赖度测量,从配置有效性、部署方式、地区依赖三方面进行数据分析,揭示了基础设施托管域名过多形成单点瓶颈、权威服务器无法提供权威响应、IPv6网络中无法解析中国重点域名的风险更高的情况,研究还发现部分中国域名的权威服务器完全依赖于境外基础设施,存在潜在的安全隐患。本文从统合评价分析的角度,提出了量化的中国重点域名权威服务器可用性风险评分指标。最后基于总体风险的分析,提出了中国重点域名的管理建议,以强化中国重点领域域名的健康运营。 |
| 关键词: 域名系统 权威域名服务器 网络测量 依赖度 风险评估 |
| DOI:10.19363/J.cnki.cn10-1380/tn.2025.11.01 |
| 投稿时间:2024-03-05修订日期:2024-05-06 |
| 基金项目:本课题得到中关村实验室“十四五”重点研究计划项目(No.2022YFB3105000),泉城实验室重点项目(No.QCLZD 202304-2),山东省实验室项目(No.SYS202201)资助。 |
|
| Measurement and Analysis of Service Status for Key Domain Authoritative Nameservers in China |
| NIE Leyao,LI Chenglong,DONG Cong,SONG Guanglei,ZHANG Hui,FAN Linna,YANG Jiahai |
| Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China;Zhongguancun Laboratory, Beijing 100094, China;Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China;Zhongguancun Laboratory, Beijing 100094, China;Quan Cheng Laboratory, Jinan 250215, China;Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China;Quan Cheng Laboratory, Jinan 250215, China;College of Information and Communication, National University of Defense Technology, Wuhan 430019, China |
| Abstract: |
| In the context of rapid Internet development, the availability of Domain Name System (DNS) authoritative servers is essential for the normal functioning of network services. The unavailability of these servers directly results in domain inaccessibility, impairing users' ability to access websites, send emails, and engage in other routine online activities. Following the outbreak of the Russo-Ukrainian War, the availability of DNS services has been affected by geopolitical dynamics, necessitating the migration of services associated with Russian domains, particularly those ending in .ru, to domestic infrastructures. However, to date, there is no comprehensive public research that analytically examines the configuration and deployment of authoritative DNS servers for Chinese domains, nor studies that assess the availability risks associated with these servers. In response to global cybersecurity threats, such as service disruptions and complete network outages, there is an urgent need to conduct situational awareness for domain names within critical national cyberspace sectors. This paper initiates its study by compiling a dataset of domain names from the government, educational, and business sectors in China. We proceed to conduct a comprehensive situational assessment of these domains, measuring static infrastructure attributes, infrastructure sharing, authoritative server deployment methods, inactive authoritative servers, dependencies on foreign infrastructure, and top-level domain dependencies on foreign elements. The study undertakes a three-fold data analysis encompassing configuration efficacy, deployment modalities, and regional dependencies to highlight the risks associated with infrastructure hosting bottlenecks, authoritative servers' failure to provide responses, and higher risks of unresolved key Chinese domain names in IPv6 networks. It also uncovers that some Chinese domain authoritative servers are entirely reliant on foreign infrastructures, presenting potential security vulnerabilities. From an integrated evaluation perspective, this paper proposes quantified risk scoring metrics for the availability of authoritative servers for China's key domain names. Finally, based on a comprehensive risk analysis, management recommendations are suggested to enhance the robust operation of domain names in China's key sectors. |
| Key words: domain name system authoritative server network measurement overseas dependency risk assessment |
