
Research On DNS Security Extension And Scalable Distributed DNS

Posted on: 2022-02-22
Degree: Master
Type: Thesis
Country: China
Candidate: Y X Li
GTID: 2518306524984379
Subject: Master of Engineering

Abstract/Summary:
The DNS (Domain Name System) is a basic service of the Internet that translates domain names into IP addresses. The DNS was originally designed to operate in a trusted environment, but today's Internet environment is complex, which has exposed the vulnerabilities of the DNS protocol. This thesis therefore summarizes the security problems of the DNS system, which fall into two categories: one is the security vulnerability of the DNS protocol; the other is the risk of abuse of power caused by the extremely centralized structure of the DNS system. In response to these problems, this thesis proposes, and implements in simulation, a DNS security extension system with a forensic analysis extension and a scalable distributed DNS system. The research work and results of this thesis are mainly as follows:

1) The security challenges faced by the DNS system are analyzed. The technical evolution of the DNS system in response to these challenges is sorted out, including the security extension technology of the traditional DNS system and the new distributed DNS system architecture designs. The probability that an attacker successfully carries out a cache poisoning attack against a traditional DNS system is analyzed quantitatively.

2) The problems in the promotion and application of DNS security extensions are analyzed, and the necessity of enhancing the forensic analysis function in DNSSEC deployments is pointed out. A DNSSEC system scheme with a forensic analysis extension is proposed. The scheme is realized in a simulated environment, which covers the deployment of the DNSSEC system and the extraction of abnormal data.

3) A scalable distributed DNS system that combines Hyperledger Fabric and IPFS (InterPlanetary File System) technology is proposed. In particular, the domain names that are important to the organization are recorded permanently and securely in Hyperledger in the form of transactions, realizing domain name management on the chain. The domain names of institutions, teams, and individuals within the organization are called extended domain names; they use distributed storage to realize off-chain domain name management. The thesis implements in simulation a DNS system that combines on-chain domain names with off-chain extended domain names, and describes the domain name registration and domain name resolution processes for both types of domain names.

4) To ensure the security of the extended domain names, the content of the extended domain name data file and the CID (Content-ID) off the chain are digitally signed, and a trust chain is established for signature verification. The thesis gives the trust chain process and the data structures stored on and off the chain. Finally, the scalable distributed DNS system including the chain-of-trust mechanism is implemented in simulation, and the feasibility of the whole scheme is demonstrated through functional testing.
Keywords/Search Tags: DNSSEC, forensic analysis, distributed DNS, Scalability, IPFS