
    A Survey of Security Technologies for DNS Recursive Resolution Services: Risks, Protection, and Measurement

    DNS Recursive Resolution Service Security: Threats, Defenses, and Measurements

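    • Abstract: In the Domain Name System (DNS), the DNS recursive resolution service removes the complex interaction between users and upstream DNS servers such as the root name servers, so that Internet users can conveniently resolve domain names worldwide through a local DNS server. As the first gateway that communicates directly with users, the DNS recursive resolution process has become an important target of attacks on Internet infrastructure. Because DNS recursive resolution services are vast in scale and deployed in many different ways, existing DNS security extension mechanisms suffer from complex deployment and poor compatibility on recursive resolvers; yet research on and summaries of methods for measuring the deployment of security protection mechanisms are still lacking, as is a systematic and comprehensive assessment of the security risks of DNS recursive resolution services. In response, this paper divides the security risks of DNS recursive resolution services into 5 major categories, summarizes the current state and latest research results on security threats to DNS recursive resolution services, DNS security extension mechanisms, and the assessment and measurement of security risks of DNS recursive resolution services, and looks ahead to potential research directions for security monitoring and governance of DNS recursive resolution services.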

       

      Abstract: The Domain Name System (DNS) recursive resolving service acts as a bridge between users and upstream DNS authoritative servers, enabling users to conveniently resolve domain names through local DNS servers. However, as the first gateway for communication with users, DNS recursive resolving services have become a significant target for attacks on Internet infrastructure. Given the vast scale and variety of DNS recursive service deployments, current DNS security enhancements struggle with implementation complexity and compatibility issues. Despite its importance, there is a noticeable lack of research focused on the deployment of security protection mechanisms for DNS recursive services, as well as the comprehensive assessment of the associated security threats. To bridge this gap, we categorize the security risks associated with DNS recursive services into five main types: cache poisoning, DNS hijacking, direct attacks on recursive servers, leveraging recursive servers to target other servers, and exploiting software vulnerabilities. Additionally, we provide a summary of the latest research on DNS recursive service security threats and DNS security enhancement mechanisms. Our review also summarizes measurement methods for assessing the security risks. Finally, we analyze the current state of DNS recursive service security and offer insights into future research directions for improving the security monitoring and governance of DNS recursive services.

       
