Abstract (English)
In recent years, network technology has evolved rapidly, and personal computers and mobile devices have become ubiquitous. DNS queries underpin every website visit, whether users arrive through keyword searches or by typing a URL directly. However, the internet harbors numerous information security concerns, with fraudulent content from scams and phishing websites proliferating. Network attacks take many forms, such as DNS denial-of-service attacks, man-in-the-middle attacks, impersonation, reflection/amplification attacks, botnets, malware, and data breaches. Among these, Denial of Service (DoS) attacks are the most common and among the easiest to carry out: massive, intensive request floods overwhelm servers until they fail and cease operation, with wide-ranging impact. Furthermore, the stability and availability of DNS response data are important indicators when measuring DNS performance.
In light of this, this paper proposes a blockchain-based decentralized Domain Name System (DNS). With blockchain technology, DNS records are no longer managed and maintained by a single DNS server but are stored in smart contracts, ensuring immutability and reducing the DNS cache poisoning attacks seen in traditional environments. Against the currently rampant DDoS attacks, the system better withstands attacks targeting DNS, improving availability and overall system efficiency. It is also designed to allow users to contribute their own DNS records. For telecommunications providers, maintaining their DNS is crucial, so we implement a reward mechanism to increase users' willingness to help establish a secure DNS environment. Additionally, DNS records carry a time-based validity period, and abnormal IP addresses can be revoked, further improving the flexibility of data security.
Moreover, to improve performance, this thesis adopts BBS+ signatures for identity and data verification. This short signature scheme, proposed by Boneh, Boyen, and Shacham, signs multiple messages while producing a single digital signature. BBS+ signatures are lightweight in both key size and signature size, reducing on-chain and off-chain resource consumption.
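As an added illustration (not code from the thesis), the following Python model captures the record-store behaviour the abstract describes: user-contributed records with a time-based validity period, revocation of abnormal IP addresses by the record owner or a provider authority, and a per-contribution reward counter. The contract interface, the `authority` role and the sample values are assumptions; BBS+ verification of contributors is left out.

```python
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class DnsRecord:
    name: str          # fully qualified domain name, e.g. "example.com"
    ip: str            # address the name resolves to
    owner: str         # identity of the user who contributed the record
    expires_at: float  # Unix time after which the record is no longer served
    revoked: bool = False


class DnsRegistry:
    """Hypothetical model of the on-chain record store: records are append-only,
    carry a validity period, can be revoked by their owner or the authority,
    and each contribution earns the contributor one reward unit."""

    def __init__(self, authority: str) -> None:
        self.authority = authority          # e.g. the telecom provider's account
        self.records: list[DnsRecord] = []  # never deleted, mirroring chain immutability
        self.rewards: dict[str, int] = {}

    def register(self, contributor: str, name: str, ip: str,
                 ttl_seconds: int, now: Optional[float] = None) -> DnsRecord:
        now = time.time() if now is None else now
        rec = DnsRecord(name, ip, contributor, now + ttl_seconds)
        self.records.append(rec)
        self.rewards[contributor] = self.rewards.get(contributor, 0) + 1
        return rec

    def revoke(self, caller: str, name: str, ip: str) -> int:
        """Mark every live (name, ip) pair revoked; return how many were hit."""
        hit = 0
        for rec in self.records:
            if rec.name == name and rec.ip == ip and not rec.revoked:
                if caller not in (self.authority, rec.owner):
                    raise PermissionError(f"{caller} may not revoke {name}")
                rec.revoked = True
                hit += 1
        return hit

    def resolve(self, name: str, now: Optional[float] = None) -> list[str]:
        """Return only addresses that are unexpired and not revoked."""
        now = time.time() if now is None else now
        return [rec.ip for rec in self.records
                if rec.name == name and not rec.revoked and rec.expires_at > now]
```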