
Study And Improvement Of A Specific Open-source Implementation For DNS

Posted on: 2011-06-20
Degree: Master
Type: Thesis
Country: China
Candidate: J Tian
GTID: 2178360308952384
Subject: Computer system architecture

Abstract/Summary:
The Domain Name System (DNS) is a core technology of the Internet, providing the resolution service that maps between domain names and IP addresses. Human-readable domain names give Internet users a convenient way to access the network, and domain name resolution has become an essential prerequisite for the smooth functioning of most Internet applications and services. However, since the origin of DNS, many performance and security flaws in the system have been exposed, and several classes of related network attacks have become classic cases in the history of network security because of their great destructive power and wide scope of influence. They not only bring instability to the Internet but also pose a serious threat to current networks in the context of the information society and national security. This thesis studies the implementation of an open-source DNS server with the aim of improving its efficiency and strengthening DNS security.

First, the standard DNS protocols are analyzed as the theoretical basis for further study of an open-source DNS implementation. Unbound, a representative DNS server, is chosen as the object of study, and its implementation principles, domain name resolution mechanism and workflow are analyzed, together with its software architecture and technical features. Using several measurement tools, the domain name hash algorithm in the implementation is selected as the optimization target: a single hash over the complete domain name is adopted in place of an iterative hash over each label. The feasibility of the optimization is verified by code tests in a simulated environment, and the results show that the sampled peak performance is improved. Its possible influence on collision performance is also analyzed.

On the other hand, to study DNS security, the DNSSEC protocols are analyzed in depth, along with the DNS attacks that have become common in recent years. Particular attention is paid to the DNS cache poisoning attack: its working principle is specified, and the advantages and disadvantages of the various defenses against it are compared comprehensively. On this basis, a LAN-oriented solution for checking DNS packet validity is proposed as a more active defense strategy. In this solution, a reverse-direction checking algorithm is designed that requires no modification to the DNS protocols while checking packet validity more effectively. For practical deployment, further improvements are made to the original algorithm model, including a new addressing scheme and a new negotiation and alarm mechanism between client and server. Its use in different scenarios is also analyzed, providing a theoretical basis for validating its feasibility.
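The two hashing strategies the abstract contrasts for the domain name lookup key, as an added example that is not code from the thesis or from Unbound: label-by-label hashing with the running value chained through each call, beside a single hash over the whole canonical name. FNV-1a is an assumed stand-in hash function and the sample names are constructed.

```python
# Added example, not code from the thesis or Unbound: contrasts hashing a DNS
# name label by label (chaining the running value through each call) with one
# hash over the whole canonical name. FNV-1a is an assumed stand-in hash.
FNV_OFFSET = 0xCBF29CE484222325
FNV_PRIME = 0x100000001B3
MASK64 = (1 << 64) - 1

def fnv1a(data: bytes, seed: int = FNV_OFFSET) -> int:
    """64-bit FNV-1a over data, starting from seed so calls can be chained."""
    h = seed
    for b in data:
        h = ((h ^ b) * FNV_PRIME) & MASK64
    return h

def canonical_labels(name: str) -> list:
    """Lowercase the name and split it into labels (DNS names are case-insensitive)."""
    name = name.strip(".").lower()
    return [l.encode("ascii") for l in name.split(".")] if name else []

def hash_per_label(name: str):
    """Iterative scheme: one hash call per label, previous value fed in as seed.
    Returns (hash value, number of hash calls)."""
    h, calls = FNV_OFFSET, 0
    for label in canonical_labels(name):
        h = fnv1a(bytes([len(label)]) + label, h)  # length byte keeps a.bc != ab.c
        calls += 1
    return h, calls

def hash_whole_name(name: str):
    """Optimised scheme: build the canonical wire-style name once, hash it once."""
    wire = b"".join(bytes([len(l)]) + l for l in canonical_labels(name))
    return fnv1a(wire), 1

def collisions(names, hash_fn) -> int:
    """Number of extra distinct names sharing a hash value under hash_fn."""
    buckets = {}
    for n in names:
        buckets.setdefault(hash_fn(n)[0], set()).add(n.strip(".").lower())
    return sum(len(s) - 1 for s in buckets.values())

# Constructed sample names (not from the thesis); mixed case exercises canonicalisation.
SAMPLE_NAMES = ["WWW.Example.COM.", "www.example.com", "mail.example.com",
                "a.bc.example.com", "ab.c.example.com", "example.org"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(n, hash_per_label(n), hash_whole_name(n))
    print("collisions:", collisions(SAMPLE_NAMES, hash_whole_name))
```

Because FNV-1a consumes its input byte by byte, the two schemes return the same value here and differ only in the number of hash calls. A hash that mixes input in fixed-size blocks would give different values per scheme, which is why the collision behaviour of a whole-name hash has to be checked separately.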
Keywords/Search Tags: Domain Name System, Domain Name System Security, Open-source DNS, Cache Poisoning, Reverse-direction Checking Algorithm, Packet Validity Check