{"title":"基于客户端的递归DNS服务器分离DNSSEC验证机制","authors":"Yong Jin, M. Tomoishi, N. Yamai","doi":"10.1109/ICTC.2018.8539727","DOIUrl":null,"url":null,"abstract":"DNSSEC has been proposed to provide data origin authentication and data integrity between recursive DNS server and authoritative zone server. Although DNSSEC is an effective countermeasure to DNS cache poisoning attack, it still has low deployment rate in the Internet due to the significant workload increase on recursive DNS servers. Moreover, current DNSSEC operation does not cover end clients and the recursive DNS server separation has not been considered so that end users do not intend to use free and powerful public recursive DNS servers due to security concerns. In this paper, we propose a client based DNSSEC validation mechanism with recursive DNS server separation based on query types. DNSSEC related record types such as RRSIG, DNSKEY, DS, etc. will be forwarded to a trusted internal recursive DNS server while normal record types such as A, AAAA, MX, etc. will be forwarded to public recursive DNS server, and eventually, DNSSEC validation will be performed on end clients. Consequently, not only end clients can obtain the benefit of DNSSEC but also the workload increase of internal recursive DNS servers can be mitigated. We implemented a prototype system and evaluated the features on a local experimental network. Based on the results, we confirmed that the prototype system worked effectively and it is possible to prevent end clients from DNS cache poisoning attacks by the proposed mechanism.","PeriodicalId":417962,"journal":{"name":"2018 International Conference on Information and Communication Technology Convergence (ICTC)","volume":"30 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2018-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"2","resultStr":"{\"title\":\"A Client Based DNSSEC Validation Mechanism with Recursive DNS Server Separation\",\"authors\":\"Yong Jin, M. Tomoishi, N. Yamai\",\"doi\":\"10.1109/ICTC.2018.8539727\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"DNSSEC has been proposed to provide data origin authentication and data integrity between recursive DNS server and authoritative zone server. Although DNSSEC is an effective countermeasure to DNS cache poisoning attack, it still has low deployment rate in the Internet due to the significant workload increase on recursive DNS servers. Moreover, current DNSSEC operation does not cover end clients and the recursive DNS server separation has not been considered so that end users do not intend to use free and powerful public recursive DNS servers due to security concerns. In this paper, we propose a client based DNSSEC validation mechanism with recursive DNS server separation based on query types. DNSSEC related record types such as RRSIG, DNSKEY, DS, etc. will be forwarded to a trusted internal recursive DNS server while normal record types such as A, AAAA, MX, etc. will be forwarded to public recursive DNS server, and eventually, DNSSEC validation will be performed on end clients. Consequently, not only end clients can obtain the benefit of DNSSEC but also the workload increase of internal recursive DNS servers can be mitigated. We implemented a prototype system and evaluated the features on a local experimental network. Based on the results, we confirmed that the prototype system worked effectively and it is possible to prevent end clients from DNS cache poisoning attacks by the proposed mechanism.\",\"PeriodicalId\":417962,\"journal\":{\"name\":\"2018 International Conference on Information and Communication Technology Convergence (ICTC)\",\"volume\":\"30 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2018-10-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"2\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2018 International Conference on Information and Communication Technology Convergence (ICTC)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICTC.2018.8539727\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 International Conference on Information and Communication Technology Convergence (ICTC)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICTC.2018.8539727","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
A Client Based DNSSEC Validation Mechanism with Recursive DNS Server Separation
DNSSEC has been proposed to provide data origin authentication and data integrity between recursive DNS server and authoritative zone server. Although DNSSEC is an effective countermeasure to DNS cache poisoning attack, it still has low deployment rate in the Internet due to the significant workload increase on recursive DNS servers. Moreover, current DNSSEC operation does not cover end clients and the recursive DNS server separation has not been considered so that end users do not intend to use free and powerful public recursive DNS servers due to security concerns. In this paper, we propose a client based DNSSEC validation mechanism with recursive DNS server separation based on query types. DNSSEC related record types such as RRSIG, DNSKEY, DS, etc. will be forwarded to a trusted internal recursive DNS server while normal record types such as A, AAAA, MX, etc. will be forwarded to public recursive DNS server, and eventually, DNSSEC validation will be performed on end clients. Consequently, not only end clients can obtain the benefit of DNSSEC but also the workload increase of internal recursive DNS servers can be mitigated. We implemented a prototype system and evaluated the features on a local experimental network. Based on the results, we confirmed that the prototype system worked effectively and it is possible to prevent end clients from DNS cache poisoning attacks by the proposed mechanism.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
