Securing the internet’s backbone: A blockchain-based and incentive-driven architecture for DNS cache poisoning defense

IF 4.4 2区 计算机科学 Q1 COMPUTER SCIENCE, HARDWARE & ARCHITECTURE Computer Networks Pub Date : 2024-09-12 DOI:10.1016/j.comnet.2024.110777
Yufan Fu , Xiaodong Lee , Jiuqi Wei , Ying Li , Botao Peng
{"title":"Securing the internet’s backbone: A blockchain-based and incentive-driven architecture for DNS cache poisoning defense","authors":"Yufan Fu ,&nbsp;Xiaodong Lee ,&nbsp;Jiuqi Wei ,&nbsp;Ying Li ,&nbsp;Botao Peng","doi":"10.1016/j.comnet.2024.110777","DOIUrl":null,"url":null,"abstract":"<div><p>Domain Name System (DNS) is the backbone of the Internet infrastructure, converting human-friendly domain names into machine-processable IP addresses. However, DNS remains vulnerable to various security threats, such as cache poisoning attacks, where malicious attackers inject false information into DNS resolvers’ caches. Although efforts have been made to enhance DNS against such vulnerabilities, existing countermeasures often fall short in one or more areas: they may offer limited resistance to the collusion attack, introduce significant overhead, or require complex implementation that hinders widespread adoption. To address these challenges, this paper introduces TI-DNS+, a trusted and incentivized blockchain-based DNS resolution architecture for cache poisoning defense. TI-DNS+ introduces a <em>Verification Cache</em> exploiting blockchain ledger’s immutable nature to detect and correct forged DNS responses. The architecture also incorporates a multi-resolver <em>Query Vote</em> mechanism, enhancing the ledger’s credibility by validating each record modification through a stake-weighted algorithm. This algorithm selects resolvers as validators based on their stake proportion. To promote well-behaved participation, TI-DNS+ also implements a novel stake-based incentive mechanism that optimizes the generation and distribution of stake rewards. This ensures that incentives align with participants’ contributions, achieving incentive compatibility, fairness, and efficiency. Moreover, TI-DNS+ possesses high practicability as it requires only resolver-side modifications to current DNS. Finally, through comprehensive prototyping and experimental evaluations, the results demonstrate that our solution effectively mitigates DNS cache poisoning. Compared to competitors, our solution improves attack resistance by 1-3 orders of magnitude, while also reducing resolution latency by 5% to 68%.</p></div>","PeriodicalId":50637,"journal":{"name":"Computer Networks","volume":"254 ","pages":"Article 110777"},"PeriodicalIF":4.4000,"publicationDate":"2024-09-12","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computer Networks","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S1389128624006091","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, HARDWARE & ARCHITECTURE","Score":null,"Total":0}
引用次数: 0

Abstract

Domain Name System (DNS) is the backbone of the Internet infrastructure, converting human-friendly domain names into machine-processable IP addresses. However, DNS remains vulnerable to various security threats, such as cache poisoning attacks, where malicious attackers inject false information into DNS resolvers’ caches. Although efforts have been made to enhance DNS against such vulnerabilities, existing countermeasures often fall short in one or more areas: they may offer limited resistance to the collusion attack, introduce significant overhead, or require complex implementation that hinders widespread adoption. To address these challenges, this paper introduces TI-DNS+, a trusted and incentivized blockchain-based DNS resolution architecture for cache poisoning defense. TI-DNS+ introduces a Verification Cache exploiting blockchain ledger’s immutable nature to detect and correct forged DNS responses. The architecture also incorporates a multi-resolver Query Vote mechanism, enhancing the ledger’s credibility by validating each record modification through a stake-weighted algorithm. This algorithm selects resolvers as validators based on their stake proportion. To promote well-behaved participation, TI-DNS+ also implements a novel stake-based incentive mechanism that optimizes the generation and distribution of stake rewards. This ensures that incentives align with participants’ contributions, achieving incentive compatibility, fairness, and efficiency. Moreover, TI-DNS+ possesses high practicability as it requires only resolver-side modifications to current DNS. Finally, through comprehensive prototyping and experimental evaluations, the results demonstrate that our solution effectively mitigates DNS cache poisoning. Compared to competitors, our solution improves attack resistance by 1-3 orders of magnitude, while also reducing resolution latency by 5% to 68%.

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
确保互联网骨干网的安全:基于区块链的 DNS 缓存中毒防御激励驱动架构
域名系统(DNS)是互联网基础设施的支柱,它将人类友好的域名转换为机器可处理的 IP 地址。然而,DNS 仍然容易受到各种安全威胁的影响,例如缓存中毒攻击,恶意攻击者会在 DNS 解析器的缓存中注入虚假信息。尽管人们一直在努力增强 DNS 的能力,以抵御此类漏洞,但现有的应对措施往往在一个或多个方面存在不足:它们对串通攻击的抵御能力有限,引入了大量开销,或者需要复杂的实施,从而阻碍了广泛应用。为了应对这些挑战,本文介绍了 TI-DNS+,一种基于区块链的可信和激励的 DNS 解析架构,用于缓存中毒防御。TI-DNS+ 引入了验证缓存,利用区块链账本的不可变性来检测和纠正伪造的 DNS 响应。该架构还采用了多解析器查询投票机制,通过利害关系加权算法验证每条记录的修改,从而提高分类账的可信度。该算法根据解析器的股权比例选择解析器作为验证者。为促进行为规范的参与,TI-DNS+ 还实施了一种新颖的基于股权的激励机制,优化了股权奖励的生成和分配。这确保了激励与参与者的贡献相一致,实现了激励的兼容性、公平性和高效性。此外,TI-DNS+ 还具有很高的实用性,因为它只需要对当前的 DNS 进行解析器方面的修改。最后,通过全面的原型设计和实验评估,结果表明我们的解决方案能有效缓解 DNS 缓存中毒问题。与竞争对手相比,我们的解决方案将抗攻击能力提高了 1-3 个数量级,同时还将解析延迟降低了 5%-68%。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
Computer Networks
Computer Networks 工程技术-电信学
CiteScore
10.80
自引率
3.60%
发文量
434
审稿时长
8.6 months
期刊介绍: Computer Networks is an international, archival journal providing a publication vehicle for complete coverage of all topics of interest to those involved in the computer communications networking area. The audience includes researchers, managers and operators of networks as well as designers and implementors. The Editorial Board will consider any material for publication that is of interest to those groups.
期刊最新文献
Performance modeling and comparison of URLLC and eMBB coexistence strategies in 5G new radio systems Integrating Unmanned Aerial Vehicles (UAVs) with Vehicular Ad-hoc NETworks (VANETs): Architectures, applications, opportunities Deep reinforcement learning for autonomous SideLink radio resource management in platoon-based C-V2X networks: An overview Robust and energy-efficient RPL optimization algorithm with scalable deep reinforcement learning for IIoT Privacy-preserving local clustering coefficient query on structured encrypted graphs
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1