Search Results (5)

The Domain Name System (DNS) is a key part of the Internet, and it is used for global domain name resolution. However, it has security risks due to its centralized or semi-centralized design and reliance on a few root servers. To improve DNS security and long-term stability, this study proposes the consensus roots system, a blockchain-based distributed domain architecture. The system uses a 1 + N master-subchain structure to solve the problem of trust and data synchronization across blockchains. The master chain acts as a relay and uses Hyperledger Fabric, a consortium blockchain platform, to support semi-centralized cross-chain communication. Subchains are local blockchains that need to connect with the master chain. To ensure safe and reliable transactions, the system uses a staged-proposal atomic swap method on the master chain. Compared to prior approaches, this work introduces a cross-chain architecture that enables more efficient trust synchronization, reducing latency and improving scalability without compromising security. Full article

The Domain Name System (DNS) is a fundamental component of the internet, responsible for resolving domain names into IP addresses. DNS servers are typically categorized into four types: recursive resolvers, root name servers, Top-Level Domain (TLD) name servers, and authoritative name servers. The latter three types of servers store actual records, while recursive resolvers do not store any real data and are only responsible for querying the other three types of servers and responding to clients. Recursive resolvers typically maintain a caching system to speed up response times, but these caching systems have the drawbacks of a low real-time performance, a poor accuracy, and many security and privacy issues. In this paper, we propose a caching system based on a consortium blockchain, namely DNS-BC, which uses the synchronization mechanism of the consortium blockchain to achieve a high real-time performance, uses the immutable mechanism of the consortium blockchain and our designed credibility management system to achieve up to a 100% accuracy, and has been combined with encrypted transmission protocols to solve common security and privacy issues. At the same time, this caching system can greatly reduce the traffic that name servers need to handle, thereby protecting them from Denial-of-Service (DoS) attacks. To further accelerate the data transmission speed, we have designed a new encrypted DNS protocol called DNS over KCP (DoK). The DoK protocol is based on the KCP protocol, which is a fast and reliable transmission protocol, and its latency can reach one-third of that of TCP when the network environment deteriorates. In our experiments, the transmission time of this protocol is about a quarter of that of the widely used encrypted protocols DNS over TLS (DoT) and DNS over HTTPS (DoH). Full article

The root zone is located at the top level of the DNS system’s hierarchical structure and serves as the entry point for all domain name resolutions. The accuracy of the root zone file determines whether domain names can be resolved correctly. To solve the problems of single-source distrust and inaccurate data in the use of root zone files, this paper utilizes multi-source root zone files to build an accurate, real-time, and highly trustworthy root zone file through the validation of data accuracy and integrity. First, we propose a weighted voting statistical verification method. We select top-level domain name records with the highest confidence from the multi-source root zone data, thereby improving data accuracy. Second, through a dynamic cyclic construction process, we achieve dynamic monitoring of root zone file version changes, effectively ensuring the real-time nature of root zone data. Finally, we adopt a DNSSEC verification mechanism to address the issue of unreliable transmission paths for actively probed root zone data, ensuring data integrity by verifying the signed top-level domain name records and their ZSK, KSK keys. In addition, through the analysis of experimental data, we find that the main reason for the inaccuracy and unreliability of the root zone file is the delay in updating and synchronizing the file. We also discover the presence of redundant KSK keys in some of the source root zone data, which led to failure in the DNSSEC validation chain. The high-trust root zone file constructed in this paper provides data support for research on the root-side resolution anomaly detection and localization application of root zone files and has wide-ranging practical value. Full article

The operation of today’s Internet can only be achieved with the domain name system (DNS), and the essential part of the DNS is the root servers. Adding anycast mirrors has been used to maintain the security of root servers, but many problems accompany this technique. In this paper, we used 36198 probe points deployed worldwide to probe 1160 root mirror sites and analyzed the data with root mirrors’ identification and localization (RMIL). RMIL is a method to identify and locate root mirrors. It contains probing and analyzing the network services ID (NSID) and traceroute data to identify and locate root mirror sites. Using this method, 821 (70.78% of the total) sites were accurately identified and located, and city-level localization was achieved for 281 other sites. Finally, the identification results were used in the service area analysis. The analysis contained multiple dimensions: locations, autonomous system numbers (ASN), internet service providers (ISP), and IPV4 prefixes. As such, we helped identify and locate root mirror sites more precisely and discover which ones have a greater service area in different dimensions. Full article

The root server is at the top of the domain name hierarchical structure. To improve root service performance, each root deploys anycast nodes worldwide. What is the actual service performance of these nodes after deployment? We analyze the service performance of the root anycast nodes deployed in China based on the active measurement data detected by the VPs of different ISPs in different geographical locations. From the analysis, we find that the resolution performance of the roots with anycast nodes deployed in China is higher than that of roots without deployment. However, users of different operators have significant differences in accessing the root servers, such as parsing time, hitting anycast nodes, and most anycast nodes only providing services for one operator, limiting the service scope and reducing the service performance. The analysis results can help the root management and introduction institutions master the actual service status of the root servers, which can be used to optimize the performance of the existing root anycast nodes and provide a basis for deploying new root anycast nodes in the next step. Finally, we find that 67 top-level domain names are hijacked on the resolution path based on the measured data. Full article