DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain
Abstract
:1. Introduction
- We propose a DNS caching system based on a consortium blockchain, which can archive up to 100% accuracy through the immutable mechanism of the consortium blockchain and our designed credibility management system and eliminate the non-real time caused by expired caches through the synchronization mechanism of the consortium blockchain.
- We propose a new encrypted DNS protocol called DoK, which is fast, reliable, and secure. In our experiments, the transmission time of this protocol is about a quarter of that of the widely used encrypted DNS protocols DoT and DoH. The DoK protocol is designed to be compatible with the existing DNS system and can replace DoT and DoH in traditional DNS systems.
- By introducing the DoK protocol into the caching system, valuable nodes in the DNS caching system, namely name servers, can be protected from DoS attacks.
2. Related Work
2.1. Defects of the Existing DNS Caching System
- The accuracy of the cache is difficult to guarantee, and it is easy to be polluted [4].
- It is difficult to ensure the real-time performance of the cache. When authoritative name servers update the corresponding records, it cannot be guaranteed that the cache will be updated immediately.
- Valuable nodes in the network are not protected. Name servers store valuable data, making them the primary target of attackers. Attackers can use DNS flood attacks to attack name servers, causing them to be paralyzed.
2.2. Application of Blockchain Technology in DNS Caching Systems
2.3. Current Research Status on Encrypted DNS Protocols
2.4. Performance Bottleneck of DoT and DoH
3. DNS Caching Systems Based on Consortium Blockchains
3.1. Architecture of the Caching System
3.2. Maintenance of the Consortium Blockchain
- positively incentivizes credibility because when a node’s cache is error free for a long time, it indicates that the node is reliable.
- K positively incentivizes credibility because when a node is willing to maintain more cache, it means that the node is willing to take on more responsibility, and its credibility should be higher.
- M negatively incentivizes credibility because when a node maintains only a small amount of cache but accesses a large amount of cache maintained by other nodes, it indicates that the node is not willing to take on more responsibility but wants to use more resources, and its credibility should be lower.
- negatively incentivizes credibility because when a node’s cache expires, it indicates that the node is unreliable.
3.3. Security and Performance Analysis of the Caching System
4. The DoK Protocol
4.1. The Format of the DoK Message
- Transaction ID (16 bits): This field is used to match the response with the request sent from the client side. Matching is carried out by this field as the server copies the 16-bit value of identification in the response message so the client device can match the queries with the corresponding response received from the server side.
- Flags (16 bits): This field is used to identify certain attributes of the current message, and its specific structure is shown in Figure 6b, which we will discuss shortly.
- Questions (16 bits): This field specifies the number of questions in the Queries section of the message.
- Answers RRs (16 bits): This field specifies the count of answer records in the Answers section of the message. This section has a value of 0 in query messages, and is available only in response messages.
- Authority RRs (16 bits): This field gives the count of the resource records in the Authoritative Name Servers section of the message. It gives information that comprises domain names about one or more authoritative servers. This section has a value of 0 in query messages, and is available only in response messages.
- Additional RRs (16 bits): This field holds the number of Additional Records, which are used to keep additional information to help the resolver. This section has a value of 0 in query messages, and is available only in response messages.
- Queries (variable length): This field contains the queries made by the client. The number of queries is specified in the Questions field.
- Answers (variable length): This field contains the server’s answers to the queries made by the client, which is available only in response messages. The number of answers is specified in the Answers RRs field.
- Authoritative Name Servers (variable length): This field contains the domain names of the authoritative servers that are responsible for managing a specific domain name. The number of authoritative servers is specified in the Authority RRs field.
- Additional Records (variable length): This field contains additional information that can be used to help the resolver. The number of additional records is specified in the Additional RRs field.
- Client Public Key (variable length): This field contains the public key of the client, which is available only in query messages.
- QR (Query/Response, 1 bit): This subfield is used to indicate whether the message is a query or a response. A value of 0 indicates a query message, while a value of 1 indicates a response message.
- Opcode (2 bits): This subfield defines the type of query carried by the message. This value is repeated in the response. It can have three possible values: 0 for a standard query, 1 for an inverse query that finds the domain name from the IP address, and 2 for a server status request.
- AA (Authoritative Answer, 1 bit): When set to 1, it indicates that the name server is authoritative. It is only used in response messages.
- VF (Verify, 1 bit): This subfield is usually 0. When set to 1, it indicates that the server has been subjected to a DoS attack and requires source authentication from the client. The source authentication process is simple; when the client receives the request, it initiates a three-way handshake to establish a TCP connection. If the connection is successful, the source authentication is passed; otherwise, it fails. For zombie networks that like to send brute force packets, source authentication requests can easily be ignored, resulting in their IP addresses being blacklisted.
- RD (Recursion Desired, 1 bit): When set to 1, it indicates that the server is expected to perform a recursive query. When set to 0, it indicates that the server is expected to perform an iterative query.
- RA (Recursion Available, 1 bit): This subfield indicates whether recursive queries are available. It only appears in response messages, and a value of 1 indicates that the server supports recursive queries.
- CID (Certificate Identity, 4 bits): This subfield is used to identify the ID of the current temporary certificate. The DoK protocol requires the server to issue a temporary certificate to establish a connection. We will discuss the workflow and the usage of temporary certificates in Section 4.2.
- UC (Update Certificate, 1 bit): When set to 1, it indicates that the server requires the client to update the temporary certificate. This subfield is always 0 in query messages.
- Rcode (4 bits): This subfield is used to denote whether the query was answered successfully or not. There are several values of rcode, each with their error status.
- –
- A value of 0 indicates no error.
- –
- A value of 1 indicates that there is a problem with the format specification.
- –
- A value of 2 indicates a server failure.
- –
- A value of 3 refers to a name error, which implies that the name given by the query does not exist in the domain.
- –
- A value of 4 indicates that the request type is not supported by the server.
- –
- A value of 5 refers to the non-execution of queries by the server due to policy reasons.
4.2. The Workflow of the DoK Protocol
- Step 1
- The client sends the message to the server.
- 1.1
- The client first checks whether the temporary certificate and the client’s own public and private key pairs are expired. If they are expired, the client requests a new temporary certificate from the server or generates its own public and private key pairs.
- 1.2
- The client appends its public key to the message, which is the “Client Public Key” field in Figure 6a.
- 1.3
- The client encrypts the entire message with the server public key in the temporary certificate.
- 1.4
- The encrypted message is sent to the server.
- 1.5
- The client waits for the ACK response from the server. If the ACK response is not received for a long time, the timeout retransmission mechanism is triggered and the client resends the message to the server.
- Step 2
- The server receives the message and responds to the client.
- 2.1
- The server first checks whether a corresponding connection has been created based on the sender’s IP address, port number, and conv number. If not, a new connection is created.
- 2.2
- The server responds with an ACK to indicate that it has received the message from the client.
- 2.3
- The server decrypts the message with its own private key to obtain the record to be queried and the client’s public key.
- 2.4
- The server queries the corresponding record.
- 2.5
- The server encrypts the query result with the client’s public key.
- 2.6
- The encrypted message is sent to the client.
- 2.7
- The server waits for the ACK response from the client. If the ACK response is not received for a long time, the timeout retransmission mechanism is triggered and the server resends the message to the client.
- Step 3
- The client receives the response.
- 3.1
- The client responds with an ACK to indicate that it has received the message from the server.
- 3.2
- The client decrypts the message with its own private key to obtain the desired query result.
- 3.3
- The client closes the connection.
- 3.4
- When the server receives the ACK message from the client, it also closes the connection. The entire communication process is completed at this point.
4.3. Security and Performance Analysis of the DoK Protocol
5. Experiments
5.1. Implementation
5.2. Experimental Environment
- The services were deployed on Amazon Web Services (AWS) Lightsail. Unless otherwise specified, the server has the following technical specifications:
- –
- Operating system: Ubuntu 20.04.6 LTS (Focal Fossa)
- –
- RAM: 512 MB
- –
- Swap: 2 GB
- –
- CPU: 1 vCPU, x86_64
- –
- SSD: 20 GB
- –
- Location: Oregon, Zone A (us-west-2a)
- The client device was a MacBook Air. Unless otherwise specified, the client has the following technical specifications:
- –
- Operating system: macOS 13.3 (Ventura)
- –
- RAM: 16 GB
- –
- Swap: 1 GB
- –
- CPU: Apple M1, 8 cores, aarch64
- –
- SSD: 512 GB
- –
- Location: Shaanxi, China
- –
- Network: Wifi, China Unicom
5.3. Results and Analysis
5.4. Discussion of the Experiments
6. Conclusions
Author Contributions
Funding
Institutional Review Board Statement
Informed Consent Statement
Data Availability Statement
Conflicts of Interest
Abbreviations
AA | Authoritative Answer |
ACK | ACKnowledgment |
AWS | Amazon Web Services |
BNS | Blockstack Naming Service |
CA | Certificate Authority |
CDN | Content Delivery Network |
CID | Certificate Identity |
CRUD | Create, Read, Update, and Delete |
CV | Coefficient of Variation |
DNS | Domain Name System |
DNSDEA | DNS Data Encryption Algorithm |
DNSSEC | Domain Name System Security Extensions |
DOAJ | Directory of Open Access Journals |
DoH | DNS over HTTPS |
DoK | DNS over KCP |
DoQ | DNS over QUIC |
DoS | Denial-of-Service |
DoT | DNS over TLS |
ENS | Ethereum Name Service |
LD | Linear Dichroism |
MA | Monolithic Architecture |
MDPI | Multidisciplinary Digital Publishing Institute |
NC | Node and Client |
PoS | Proof-of-Stake |
PoW | Proof-of-Work |
QR | Query/Response |
QUIC | Quick UDP Internet Connections |
RA | Recursion Available |
RD | Recursion Desired |
RSD | Relative Standard Deviation |
RTO | Retransmission Time Out |
RTT | Round-Trip Time |
SOA | Service-Oriented Architecture |
TLA | Three Letter Acronym |
TLD | Top-Level Domain |
UC | Update Certificate |
VF | Verify |
References
- Chandramouli, R.; Rose, S. Challenges in securing the domain name system. IEEE Secur. Priv. 2006, 4, 84–87. [Google Scholar] [CrossRef]
- Mahjabin, T.; Xiao, Y.; Li, T.; Chen, C.L.P. Load Distributed and Benign-Bot Mitigation Methods for IoT DNS Flood Attacks. IEEE Internet Things J. 2020, 7, 986–1000. [Google Scholar] [CrossRef]
- Sanjay; Rajendran, B.; Shetty D., P. DNS Amplification & DNS Tunneling Attacks Simulation, Detection and Mitigation Approaches. In Proceedings of the International Conference on Inventive Computation Technologies (ICICT), Coimbatore, India, 26–28 February 2020; pp. 230–236. [Google Scholar]
- Dissanayake, I.M.M. DNS Cache Poisoning: A Review on its Technique and Countermeasures. In Proceedings of the National Information Technology Conference (NITC), Colombo, Sri Lanka, 2–4 October 2018; pp. 1–6. [Google Scholar]
- Jin, Y.; Tomoishi, M.; Matsuura, S. Detection of Hijacked Authoritative DNS Servers by Name Resolution Traffic Classification. In Proceedings of the IEEE International Conference on Big Data (Big Data), Los Angeles, CA, USA, 9–12 December 2019; pp. 6084–6085. [Google Scholar]
- Zhao, F.; Hori, Y.; Sakurai, K. Analysis of Privacy Disclosure in DNS Query. In Proceedings of the International Conference on Multimedia and Ubiquitous Engineering (MUE), Seoul, Republic of Korea, 26–28 April 2007; pp. 952–957. [Google Scholar]
- Zubaydi, H.D.; Varga, P.; Molnár, S. Leveraging Blockchain Technology for Ensuring Security and Privacy Aspects in Internet of Things: A Systematic Literature Review. Sensors 2023, 23, 788. [Google Scholar] [CrossRef] [PubMed]
- Yu, Z.; Xue, D.; Fan, J.; Guo, C. DNSTSM: DNS Cache Resources Trusted Sharing Model Based on Consortium Blockchain. IEEE Access 2020, 8, 13640–13650. [Google Scholar] [CrossRef]
- Chen, W.; Yang, X.; Zhang, H.; Xu, Y.; Pang, Z. Big Data Architecture for Scalable and Trustful DNS based on Sharded DAG Blockchain. J. Signal Process. Syst. 2021, 93, 753–768. [Google Scholar] [CrossRef]
- Choncholas, J.; Bhardwaj, K.; Gavrilovska, A. The Performance Argument for Blockchain-based Edge DNS Caching. In Proceedings of the IEEE/ACM Symposium on Edge Computing (SEC), San Jose, CA, USA, 14–17 December 2021; pp. 312–318. [Google Scholar]
- Austin, H.; Kevin, B.; Paul, S.; Holland, J.; Feamster, N. Comparing the Effects of DNS, DoT, and DoH on Web Performance. In Proceedings of the Web Conference, Taipei, Taiwan, 20–24 April 2020; pp. 562–572. [Google Scholar]
- Lu, S.; Pei, J.; Zhao, R.; Yu, X.; Zhang, X.; Li, J.; Yang, G. CCIO: A Cross-Chain Interoperability Approach for Consortium Blockchains Based on Oracle. Sensors 2023, 23, 1864. [Google Scholar] [CrossRef] [PubMed]
- KCP. Available online: https://github.com/skywind3000/kcp (accessed on 26 June 2023).
- Liu, Y.; Zhang, Y.; Zhu, S.; Chi, C. A Comparative Study of Blockchain-Based DNS Design. In Proceedings of the 2019 2nd International Conference on Blockchain Technology and Applications, Xi’an, China, 9–11 December 2019; pp. 86–92. [Google Scholar]
- Namecoin. Available online: https://www.namecoin.org/ (accessed on 26 June 2023).
- Ali, M.; Nelson, J.; Shea, R.; Freedman, M.J. Blockstack: A global naming and storage system secured by blockchains. In Proceedings of the USENIX Annual Technical Conference, Denver, CO, USA, 22–24 June 2016; pp. 181–194. [Google Scholar]
- Ethereum Name Service. Available online: https://ens.domains/ (accessed on 26 June 2023).
- HandShake. Available online: https://handshake.org/ (accessed on 26 June 2023).
- Li, Z.; Gao, S.; Peng, Z.; Guo, S.; Yang, Y.; Xiao, B. B-DNS: A Secure and Efficient DNS Based on the Blockchain Technology. IEEE Trans. Netw. Sci. Eng. 2021, 8, 1674–1686. [Google Scholar] [CrossRef]
- Osterweil, E.; Fotouhi Tehrani, P.; Schmidt, T.C.; Wahlisch, M. From the Beginning: Key Transitions in the First 15 Years of DNSSEC. IEEE Trans. Netw. Serv. Manag. 2022, 19, 5265–5283. [Google Scholar] [CrossRef]
- Koshy, A.M.; Yellur, G.; Kammachi, H.J.; Isha, V.P.; Kumar, R.; Moharir, M.; Deepamala, N. An Insight into Encrypted DNS protocol: DNS over TLS. In Proceedings of the International Conference on Recent Developments in Control, Automation and Power Engineering, Noida, India, 7–8 October 2021; pp. 379–383. [Google Scholar]
- Hynek, K.; Vekshin, D.; Luxemburk, J.; Cejka, T.; Wasicek, A. Summary of DNS over HTTPS Abuse. IEEE Access 2022, 10, 54668–54680. [Google Scholar] [CrossRef]
- Kosek, M.; Schumann, L.; Marx, R.; Doan, T.V.; Bajpai, V. DNS Privacy with Speed? Evaluating DNS over QUIC and its Impact on Web Performance. In Proceedings of the ACM SIGCOMM Internet Measurement Conference, Nice, France, 25–27 October 2022; pp. 44–50. [Google Scholar]
- Zhang, H.; Lu, Z.; Chen, W. DNS communication protocol with consideration of networking privacy. Sci. Technol. Rev. 2019, 37, 97–103. [Google Scholar]
- Honar Pajooh, H.; Rashid, M.A.; Alam, F.; Demidenko, S. Experimental Performance Analysis of a Scalable Distributed Hyperledger Fabric for a Large-Scale IoT Testbed. Sensors 2022, 22, 4868. [Google Scholar] [CrossRef] [PubMed]
- Koppl, M.; Siroshtan, D.; Orgon, M.; Pocarovsky, S.; Bohacik, A.; Kuchar, K.; Holasova, E. Performance Comparison of ECDH and ECDSA. In Proceedings of the International Conference on Electronics, Communications and Information Technology (CECIT), Sanya, China, 27–29 December 2021; pp. 825–829. [Google Scholar]
- Dorri, A.; Jurdak, R.; Beheshti, A.; Barros, A. Towards Scalable Blockchains Using Service-Oriented Architectures. In Proceedings of the Service-Oriented Computing—ICSOC 2021 Workshops, Dubai, United Arab Emirates, 22–25 November 2021; pp. 351–362. [Google Scholar]
- Bind. Available online: https://www.isc.org/bind/ (accessed on 26 June 2023).
- Dnsmasq. Available online: https://thekelleys.org.uk/dnsmasq/doc.html (accessed on 26 June 2023).
Protocol | Average Query Time (ms) | Relative Standard Deviation 1 |
---|---|---|
DoT | 1045.522 | 21.916% |
DoH | 956.015 | 18.852% |
DoK | 249.545 | 35.784% |
Protocol | Average Query Time (ms) | Relative Standard Deviation 1 |
---|---|---|
DoT | 205.569 | 1.886% |
DoH | 205.492 | 1.835% |
DoK | 53.560 | 3.085% |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2023 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Gao, T.; Dong, Q. DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain. Sensors 2023, 23, 6366. https://doi.org/10.3390/s23146366
Gao T, Dong Q. DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain. Sensors. 2023; 23(14):6366. https://doi.org/10.3390/s23146366
Chicago/Turabian StyleGao, Tianfu, and Qingkuan Dong. 2023. "DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain" Sensors 23, no. 14: 6366. https://doi.org/10.3390/s23146366
APA StyleGao, T., & Dong, Q. (2023). DNS-BC: Fast, Reliable and Secure Domain Name System Caching System Based on a Consortium Blockchain. Sensors, 23(14), 6366. https://doi.org/10.3390/s23146366