Design and Implementation of a DNS Distribution and Configuration Probing System
Abstract
With the rapid development of the Internet and the continual appearance of new network applications, people's lives and work have become ever more convenient. However, the network security incidents that have broken out frequently in recent years have also caused enormous losses. As one of the Internet's key pieces of infrastructure, DNS occupies a pivotal position with respect to security: it directly affects the security and operating efficiency of the whole Internet, so research into the performance and security of the DNS system is especially important.
     This thesis first presents in detail the theoretical background needed for DNS research, then analyses the main reasons DNS is vulnerable to attack: design flaws in the DNS protocol itself, implementation vulnerabilities in DNS software, and operational and configuration errors on DNS servers; it focuses on the impact of server operation and configuration errors on DNS security. It then proposes a model for DNS distribution and configuration probing, whose goal is to detect the distribution of DNS servers and common configuration errors. For distribution probing, the thesis combines the theory of the ICMP and IP protocols to guide network path probing, and uses the latest QQ Chunzhen (纯真) IP database to geolocate DNS authoritative name servers. For configuration-error probing, guided by the DNS protocol specification and the relevant RFCs, the thesis studies and summarises configuration rules for the three most important types of DNS resource records, which provide the theoretical standard for the design and implementation of the configuration-error probing subsystem.
     Then, building on the DNS distribution and configuration probing model, the thesis designs and implements a DNS distribution and configuration probing system. The system follows a modular design and is divided into two functional modules, DNS configuration probing and DNS distribution probing, responsible respectively for probing the resource-record configuration and the deployment of DNS servers. Finally, measurement and analysis of heavily used domain name servers at home and abroad shows that configuration errors are widespread; the comparison also shows that domestic (Chinese) domain name servers carry considerably more latent risks than foreign ones.
With the fast development of the Internet and the constant appearance of various network applications, people's lives and work have become more and more convenient. However, the network security incidents that have erupted repeatedly in recent years have also brought huge losses. DNS is one of the most important pieces of Internet infrastructure. Its security plays an important role and directly affects the security and efficiency of the whole Internet. Therefore, it is particularly important to pay more attention to DNS performance and security research.
     So this thesis first introduces in detail the basic theory necessary for DNS research, and then analyses the major reasons why DNS is easy to attack. These reasons are design flaws of the DNS protocol, DNS software vulnerabilities, and operation and configuration errors of DNS servers. In particular, this thesis analyses the effect of the third reason on the reduction of DNS security, and then proposes a model for probing DNS distribution and configuration, which aims at detecting the distribution of DNS servers and common configuration errors. The distribution probing subsystem is composed of a network router prober, based on the theory of ICMP and IP, and a prober for the location of DNS authoritative name servers, which uses the actual data from the latest QQ Chunzhen IP database. In the configuration-error probing subsystem, under the guidance of the DNS protocol specification and the relevant RFC documents, the configuration specification developed in this thesis, which covers the three most important resource records, provides the theoretical standard for the configuration-error probing subsystem.
     Secondly, based on the model of the DNS distribution and configuration prober, this thesis designs and implements a DNS distribution and configuration probing system. It adopts a modular design and is composed of a DNS configuration-error detection module, responsible for detecting errors in resource-record configuration, and a DNS distribution module, responsible for detecting errors in name server distribution. Finally, through measurement and analysis of the most popular domestic DNS servers, many configuration errors were found, and in comparison with DNS servers in developed countries, domestic servers were found to have more configuration errors.
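The configuration-error checks the abstract describes, as an added example that is not the thesis's own code: an offline checker applying rules from RFC 1912 and RFC 2182 (NS or MX pointing at a CNAME, missing glue, lame delegation, SOA serial mismatch, too few name servers) to a constructed set of resource records. The zone names, records and serials are constructed, and since the abstract does not name the three record types the thesis covers, the choice of NS, SOA and MX here is an assumption.

```python
"""Offline checker for common DNS misconfigurations (rules from RFC 1912 and RFC 2182)."""
from collections import defaultdict

def check_zone(zone, records, serials):
    """Return (rule, detail) findings for `zone`. `records` is a list of
    (owner, type, rdata) tuples; `serials` maps each NS hostname that answered
    authoritatively to the SOA serial it reported."""
    idx = defaultdict(list)  # (owner, type) -> [rdata], so no network is needed
    for owner, rtype, rdata in records:
        idx[(owner.lower(), rtype)].append(rdata)
    zone = zone.lower()
    findings = []
    ns_hosts = [ns.lower() for ns in idx.get((zone, "NS"), [])]
    # RFC 2182: a zone should have at least two name servers
    if len(ns_hosts) < 2:
        findings.append(("ns-count", f"{zone} has {len(ns_hosts)} NS record(s)"))
    for ns in ns_hosts:
        # RFC 1912: NS and MX targets must be hostnames, never CNAMEs
        if idx.get((ns, "CNAME")):
            findings.append(("ns-is-cname", ns))
        # an in-bailiwick name server needs a glue A record or it cannot be reached
        if ns.endswith("." + zone) and not idx.get((ns, "A")):
            findings.append(("missing-glue", ns))
        # lame delegation: a listed server that does not answer authoritatively
        if ns not in serials:
            findings.append(("lame-delegation", ns))
    # SOA serial should agree across authoritative servers, else secondaries are stale
    if len(set(serials.values())) > 1:
        findings.append(("serial-mismatch", str(sorted(set(serials.values())))))
    for mx in idx.get((zone, "MX"), []):
        host = mx.split()[-1].lower()  # rdata is "<preference> <exchange>"
        if idx.get((host, "CNAME")):
            findings.append(("mx-is-cname", host))
    return findings

# Constructed sample records for a fictitious zone; not real measurement data.
SAMPLE_RECORDS = [
    ("example.test", "NS", "ns1.example.test"),
    ("example.test", "NS", "ns2.example.test"),
    ("example.test", "NS", "dns.provider.test"),
    ("ns1.example.test", "A", "192.0.2.10"),
    ("ns2.example.test", "CNAME", "ns1.example.test"),
    ("example.test", "MX", "10 mail.example.test"),
    ("mail.example.test", "CNAME", "www.example.test"),
]
# Constructed SOA serials as reported by the servers that answered authoritatively.
SAMPLE_SERIALS = {"ns1.example.test": 2010010101, "dns.provider.test": 2010010100}
if __name__ == "__main__":
    for rule, detail in check_zone("example.test", SAMPLE_RECORDS, SAMPLE_SERIALS):
        print(f"{rule}: {detail}")
```

In a live probe the records and serials would come from queries to the listed servers; the checks themselves stay the same.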