| With the development of Internet,the security of network infrastructure and basic services are becoming increasingly important, as they are the basis of other network services and applications. As a link of Internet, the security of DNS directly determines that of the entire network, so it is crucial to protect the DNS.At its inception, DNS was not designed to be a secure protocol. Because of its vulnerability, DNS faces many threats from a variety of aspects. So this paper first concisely introduced the system structure and the working principle of DNS. Then detailed analysis of existing vulnerability in DNS system was given from aspects of design, implementation and operation respectively. Attacks are also introduced according to the corresponding vulnerability.In the view of the analysis of vulnerability, a deep, multi-level, all-round defense system model was proposed. The model, aiming at enhancing the survivability of DNS, exerted the technology of fault tolerance and intrusion tolerance. The fault tolerance system is composed of three components: vulnerability detection, configuration error detection and failure restoration. Meanwhile according to the intrusion tolerance system, we present three methods to detect DNS spoofing attack, and then three techniques are given to identify the bogus packets or the right ones. Two original attack tracing methods are also proposed.On the basis of DNS security model, we accomplished a DNS security platform-DNSSPF, which adopts hierarchy and modularity thinking and is composed of three layers and six modules. The special kind of structure make the entire system is of strong cohesion and low coupling feature. Last but not least, through the experimental test of the proposed model, we certified the correctness and validity of our core concept to DNS protection. |
PDF Full Text Request