[Read Together at Zangjing Pavilion] (76)__ "White Paper on the Development of "DNS+""

Author: Liang Zhuo Song Linjian Chen Jian Liu Zhihui Liu Baojun Guo Feng Ma Chendi Ma Yong Sun Junzhe Shen Jianwei Ji Yenan Sun Wanyue Zhang Jianguang Li Xianda Zhang Xiaojun Zhao Hua

Release time: 2023-10-31

Number of chapters: 6

1. Basic knowledge

1.1 DNS

  DNS is the abbreviation of Domain Name System. It is a system that converts domain names into IP addresses: it maps a domain name (such as example.com) to the corresponding IP address (such as 192.0.2.1), which is what domain name resolution means. Users access a website through its domain name, and DNS is responsible for converting that domain name into the corresponding IP address.

  The Domain Name System (DNS) was proposed 40 years ago. During this period, the scale, technology and applications of the Internet have undergone tremendous changes; the public, foundational role of DNS in Internet-of-Everything convergence services has steadily strengthened; and the technical means of network identification services, of which DNS is the representative, have kept developing, trending towards technological integration, platform inclusiveness and diversified governance. In this context, Alibaba Cloud invited experts in the fields of technology, product services and governance to discuss and propose "DNS+", a broad network ecosystem concept based on the DNS system that encompasses a variety of network identification services.

  From the perspective of network architecture, DNS is a network communication protocol and a basic network component that provides domain name and IP lookup for network connections; its defining characteristic is that it is centered on network connections. The emergence of the mobile Internet and cloud computing brought new application scenarios and higher requirements for DNS. DNS no longer serves only network connections, but centers on application creation and deployment, including mobile Internet applications, cloud computing products and cloud-native applications. At this stage, large-scale cloud computing platforms provide DNS services with higher elasticity and high availability, and DNS has evolved from a basic network function into PaaS/SaaS services that can be integrated through APIs.

  Currently, the Internet has become a critical information infrastructure of the digital economy, like water and electricity. The Domain Name System (DNS) is the forgotten cornerstone of the Internet, and almost all applications rely on its stability and security. Unfortunately, as the Achilles heel of the Internet, DNS is often the target of attacks, and domain name resources are frequently the target of malicious attacks and abuse by illegal industries. Many kinds of malicious network attacks and domain name attacks are carried out with the help of domain names and DNS, the risk of abuse and fraud keeps expanding, and more and more people are paying attention to and participating in cyberspace security and governance. DNS is also the trust anchor for various security mechanisms such as public key certificates. This involves both global domain name, IP and infrastructure resource management policies, and regional, platform-based domain name system security research and governance. DNS has become an important part of a country's critical information infrastructure, and its importance in cyberspace security and governance has become increasingly prominent.

  With the long-term evolution and development of the Internet, DNS has become more secure, and the functions and trust it carries have far exceeded the original intentions of the Internet's pioneering designers. Especially in the era of cloud computing, "DNS+" means more opportunities and greater responsibilities; "the network is in a different domain, but the risks are the same." A secure cyberspace community with a shared future requires governments, industries and academia in all countries to collaborate and work together.

  According to the "China Hybrid Cloud User Development Survey Report" released by the China Academy of Information and Communications Technology in July 2022, the construction of enterprise IT infrastructure has entered a new stage of "multi-cloud + traditional IDC" integration. As the first hop of application access, DNS needs to solve the global interconnection and unified scheduling of IT resources in heterogeneous environments such as "public cloud + private cloud + traditional IDC". DNS has begun to focus on the integration and unified management of digital assets, and on digital asset management for IT in service integration scenarios.

  Therefore, in this context, the pan-IP addressing and resolution system based on the DNS system will continue to integrate and develop in the three fields of new technologies, new business formats, and new governance, and will be deeply integrated with today's vigorous digitalization, entering the "DNS+" era. DNS is the core and starting point, integrating and spreading towards the three ecological dimensions of new technology, new business formats and new governance, and developing new topics, functions and roles. Specifically, "DNS+" embodies distinctive characteristics in three aspects: new technology, new business, and new governance.

1.2 DNS+

  DNS+ is a new protocol that expands the functions of DNS; it is an enhanced version of the DNS service. It adds more security functions, performance optimizations and management functions to the traditional DNS service, and can provide greater security, performance and reliability. DNS+ can support more encryption and digital signature functions, so it can more effectively prevent DNS spoofing attacks and man-in-the-middle attacks. In addition, DNS+ can provide more DNS record types, such as TLSA records, which can make web applications more secure.

  In short, DNS+ is a safe and reliable Internet infrastructure that can ensure the privacy and security of Internet users.

  • In terms of new technologies, "DNS+" and new digital technologies represented by cloud computing are integrated and innovative.
  • In terms of new business formats, "DNS+" integrates into and serves thousands of industries and assists the digitalization process.
  • In terms of new governance, "DNS+" infrastructure security research and governance will promote orderly and high-quality development.

2. "DNS+" Current Situation and Development

(1) Scale and high-quality development

The continued growth of mobile Internet traffic and terminal network scale, as well as the large-scale deployment of IPv6, provide more momentum for the scale of DNS.

In terms of DNS security function expansion, DNSSEC support, encrypted DNS deployment, and the promotion of new DNS technologies are all continuing to improve.

From quantity to quality, the development prospects of the DNS industry are promising.

(2) Platformization and security guarantee

DNS domain name resolution services show a trend of platformization and centralization.

Features of platform-based DNS (technical characteristics and capability reference):

Flexible deployment
  Technical characteristics: Traditionally, DNS is maintained by large centralized server clusters. However, this centralized deployment has problems such as single points of failure and high operation and maintenance costs. To solve these problems, elastic deployment of DNS is increasingly widely adopted. Elastic deployment of DNS can be carried out on various cloud infrastructures; to make better use of the cloud, the traditional DNS system has to undergo a cloud-native transformation.
  Capability reference: Launch a new DNS server in minutes

Tenant isolation
  Technical characteristics: Traditional public domain name resolution services have no concept of tenants; everyone shares one domain name space. Nowadays, with the growing complexity of networks and application scenarios, private domain resolution services are more and more widely demanded. Especially with the rise of cloud services, tenant private domain name resolution based on VPC networks has become an essential capability for cloud vendors.
  Capability reference: Support tens of millions of VPCs; private namespaces

Intelligent scheduling
  Technical characteristics: Intelligent scheduling differs from the static configuration of traditional DNS. With the rapid development of the Internet, authoritative DNS faces more and more demand for intelligent scheduling strategies covering traffic allocation, disaster recovery and optimization of access quality. Platform-based DNS can better sense terminals and provide accurate and fast scheduling for different user terminals.
  Capability reference: Strategies can be based on weight, access delay, geographical location, availability, load, etc.

Integration capability
  Technical characteristics: OpenAPI (Application Programming Interface) is an interface standard used to describe the interaction between different software systems, usually used to build web services, microservices, etc. The DNS system opens its resolution configuration management capabilities to users through OpenAPI, so that users can integrate domain name resolution into their own IT resource management platforms more flexibly and efficiently according to their own needs.
  Capability reference: Rich resolution and management API; multi-language SDKs, easy to integrate

High concurrency
  Technical characteristics: The platform-based DNS system carries a large number of Internet domain name resolutions. Faced with large volumes of business requests that frequently change domain names, it is particularly important for the DNS system to have high-concurrency resolution configuration management capabilities. Taking cost into account, platform-based DNS systems should also scale horizontally, so that IT resource deployment can be adjusted at any time according to the amount of concurrency.
  Capability reference: Million-level horizontal scalability

Data latency
  Technical characteristics: Platform DNS nodes are distributed in regions around the world, and resolution configuration must take effect in a timely manner: after a user completes a resolution configuration, it needs to be synchronized promptly to DNS nodes around the world, with support for high-throughput synchronization in high-concurrency configuration scenarios.
  Capability reference: Global synchronization in seconds

Intelligent operation and maintenance
  Technical characteristics: To ensure the timeliness and stability of resolution, more intelligent means are needed to quickly locate and recover from system problems. With the help of a data collection platform, an intelligent analysis platform, a service scheduling platform and other technical systems, fault points in the DNS cluster can be discovered within seconds and services can be automatically isolated and self-healed, so that upper-layer services do not perceive the abnormality.
  Capability reference: Major faults can be discovered in one minute, located in five minutes, and repaired in ten minutes

Security and high availability
  Technical characteristics: For security and high availability, platform DNS relies on the basic capabilities of cloud security and high availability, including anti-DDoS, load balancing, Anycast IP, and software and hardware components. At the same time, cloud platform companies provide higher-quality full-link software development and testing, as well as heterogeneous deployment requirements and processes, to help ensure the security and stability of platform-based DNS.
  Capability reference: Multi-region, supporting heterogeneous deployment of two or more DNS core software implementations

As enterprise IT infrastructure enters the multi-cloud + traditional IDC stage, cloud platform DNS will also be integrated with traditional IDC.

The security and stability of platform-based domain name resolution services have undergone more stringent tests.

Establishing a safe and stable DNS system is a necessary guarantee for digital development.

(3) Multi-business integration and innovative development

DNS directly or indirectly participates in the composition, analysis and resource storage of emerging identity applications, providing momentum for the integration and innovation of multiple Internet identity formats.

With the advent of the fourth industrial revolution, China has seized the strategic opportunity of Internet development and built an industrial Internet identifier resolution system.

New Internet applications use DNS as a bridge to seamlessly connect DNS data and application data.

Different from directly using DNS to store application information, there is another type that uses DNS indirectly to connect services and business entrances of new identification applications.

(4) Technology inclusiveness and ecological co-construction

Meet high-quality development and take into account the specific requirements of enterprises for cost reduction and efficiency improvement.

Unified industry standards should be established to improve reuse and enhance social service benefits.

A unified emergency strategy should be established to improve service response and governance channels.

3. "DNS +" industry-university-research dynamics

(1) China's "DNS+" construction and development

Commercial cryptographic algorithms have been initially promoted and applied in some parts of China's domain name system.

The construction of the industrial Internet identifier resolution system has developed rapidly, forming a nationwide industrial Internet identifier resolution infrastructure.

In the evolution of the national Internet, the development from web2 to web3 has become unstoppable, and decentralized name services continue to develop.

(2) Digital transformation practice

1. Integration of [multi-cloud + traditional IDC]

Phase 1: DNS + traditional IDC

Phase 2: DNS + cloud computing

Phase 3: DNS + multi-cloud and traditional IDC integration

    Issues regarding enterprise domain name resolution security are mainly divided into three categories:

Denial of service attack:

  Since domain name resolution is the first hop for clients accessing enterprise IT applications, the DNS system that resolves domain names for enterprise IT applications is often targeted by attackers. Attacks include layer 4 network attacks against service IP addresses, random domain name query attacks against specific domain name suffixes, and various protocol-level attacks against the DNS system (such as cache poisoning, amplification attacks and reflection attacks). Their goal is to make the DNS system unavailable or its access abnormal, thereby making enterprise applications unavailable or abnormal.

Domain name hijacking:

  Clients accessing enterprise IT applications are scattered around the world, and their DNS resolution goes through different network service providers and DNS service providers. When a client performs domain name resolution, the DNS system serving that client frequently has its resolution results modified, diverting the client's application traffic to a non-existent IP address or to another illegitimate IP address, so that the client cannot access the enterprise's applications normally.

Malicious domain names:

  As enterprise digital transformation advances, an enterprise's office, testing and production processes will almost always involve access to external third-party services, and those services are generally reached through a publicly resolvable public domain name. The public domain name must therefore be resolved to obtain the service IP address. Attackers often use various means to make the domain names used by corporate office machines, test machines and production machines resolve to a malicious IP address. The malicious services behind such an address take many forms, including viruses, Trojans, phishing and remote control, and their goal is to induce terminals to connect, thereby illegally accessing corporate networks and resources, damaging corporate systems, and defrauding corporate staff, causing losses to corporate systems, personnel and property.

  Therefore, a set of security protection solutions is needed against denial of service attacks, domain name hijacking and malicious domain name abuse, providing mainly the following three capabilities:

  Denial of service attack protection capabilities

  Traffic-based attacks: can withstand TB-level DDoS traffic attacks and random domain name attacks of hundreds of millions of QPS against a single domain name

  Protocol attacks: Can effectively defend against various protocol layer attacks against DNS, including DNS malformed packet attacks, DNS random domain name query attacks, cache poisoning, amplification attacks, reflection attacks, etc.

  The ability to detect and prevent domain name hijacking: provides hijacking monitoring and alarming for corporate domain names across network environments in regions around the world, and provides upgrades to the client's domain name access process so that hijacking of domain name resolution is prevented.

  The ability to detect and block malicious domain name access: provides enterprise clients with the ability to discover malicious domain names when resolving third-party public domain names, and provides blocking on the DNS resolution side for malicious domain names, stopping enterprise clients from resolving malicious third-party public domain names and thereby from accessing malicious applications.
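The hijacking-monitoring and malicious-domain-blocking capabilities described above, as an added example that is not part of the white paper or this post: a multi-vantage-point comparison of resolution results against the published address set, plus a label-aligned suffix blocklist of the kind a resolver-side block would apply. The probe observations and the blocklist are constructed sample data; the record layout and verdict names are my own assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

@dataclass
class Observation:
    region: str        # where the probe ran (constructed sample data)
    resolver: str      # resolver the probe queried
    rcode: str         # "NOERROR", "NXDOMAIN", "SERVFAIL" or "TIMEOUT"
    answers: Set[str]  # A records returned (empty if none)

def classify(obs: Observation, expected: Set[str]) -> str:
    """Verdict for one vantage point, compared with the published address set."""
    if obs.rcode in ("SERVFAIL", "TIMEOUT"):
        return "unavailable"            # resolution failed outright
    if obs.rcode == "NXDOMAIN" or not obs.answers:
        return "suppressed"             # name answered with nothing: possible takedown or blocking
    if obs.answers <= expected:
        return "ok"                     # every returned address is one we publish
    return "hijacked"                   # at least one address outside the published set

def monitor(expected: Set[str], observations: List[Observation]) -> Dict[str, List[str]]:
    """Group every non-ok vantage point by verdict so an alert can be raised per category."""
    report: Dict[str, List[str]] = {}
    for obs in observations:
        verdict = classify(obs, expected)
        if verdict != "ok":
            report.setdefault(verdict, []).append(f"{obs.region}/{obs.resolver}")
    return report

def is_blocked(qname: str, blocked_suffixes: Set[str]) -> bool:
    """Label-aligned suffix match: 'bad.example' blocks 'x.bad.example' but not 'notbad.example'."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocked_suffixes for i in range(len(labels)))

# Constructed sample data: the enterprise publishes two addresses for its portal.
EXPECTED = {"203.0.113.10", "203.0.113.11"}
OBSERVATIONS = [
    Observation("cn-hangzhou", "resolver-a", "NOERROR", {"203.0.113.10"}),
    Observation("eu-central", "resolver-b", "NOERROR", {"203.0.113.11", "203.0.113.10"}),
    Observation("us-east", "isp-resolver-c", "NOERROR", {"198.51.100.77"}),  # wrong address
    Observation("ap-south", "isp-resolver-d", "NXDOMAIN", set()),             # name vanished
    Observation("sa-east", "resolver-e", "TIMEOUT", set()),
]
BLOCKED = {"malware.test", "phish.example"}

if __name__ == "__main__":
    print(monitor(EXPECTED, OBSERVATIONS))
    for name in ("cdn.malware.test", "notmalware.test", "phish.example.", "portal.example"):
        print(name, is_blocked(name, BLOCKED))
```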

(3) Safety research results

  A DNS cache poisoning attack exploits weaknesses in the caching mechanism of domain name servers: by sending specially crafted malicious requests it deceives the server into storing false information in its cache. When other users query the same content, the server returns the tampered, incorrect result, redirecting the user to a malicious website or server controlled by the attacker.

  In 2008, Dan Kaminsky presented an efficient domain name cache poisoning attack that could poison a specific domain name within 10 seconds, which attracted the attention of Internet vendors worldwide. To strengthen the security of the DNS protocol, the Internet community introduced defenses such as source port randomization and 0x20 case randomization of the query name. In theory, if a domain name server fully implements these measures, the probability of an attacker succeeding in a cache poisoning attack is extremely low (1/2^32), which makes real-world cache poisoning nearly impossible.
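To make the 1/2^32 figure concrete, here is an added example (not code from the white paper or this post) of the resolver-side checks behind it: the 16-bit transaction ID plus a randomized 16-bit source port give 32 bits an off-path forger must guess, and 0x20 case randomization adds one bit per letter of the query name, because a 0x20-aware resolver compares the echoed name case-sensitively. The packet fields are modelled as plain dictionaries; treating the port space as a full 16 bits is a simplifying upper bound.

```python
import random

def encode_0x20(qname: str, rng: random.Random) -> str:
    """Apply 0x20 case randomization to a query name.
    Only letters carry case, so digits, hyphens and dots add no entropy."""
    return "".join(
        (ch.upper() if rng.getrandbits(1) else ch.lower()) if ch.isalpha() else ch
        for ch in qname
    )

def accept_response(sent: dict, received: dict) -> bool:
    """Resolver-side check: accept a response only if every randomized field
    comes back unchanged. The name comparison is deliberately case-sensitive
    (ordinary DNS name matching is not), which is what turns 0x20 into a check."""
    return (
        received["txid"] == sent["txid"]
        and received["dst_port"] == sent["src_port"]
        and received["qname"] == sent["qname"]
    )

def guess_bits(qname: str, port_randomized: bool, use_0x20: bool) -> int:
    """Bits an off-path forger must guess for a forged answer to be accepted."""
    bits = 16                                   # 16-bit transaction ID, always present
    if port_randomized:
        bits += 16                              # ~2^16 source ports (upper bound)
    if use_0x20:
        bits += sum(1 for c in qname if c.isalpha())   # one bit per letter
    return bits

def single_guess_probability(bits: int) -> float:
    """Probability that one forged packet matches all randomized fields."""
    return 1.0 / (1 << bits)

if __name__ == "__main__":
    rng = random.Random(2023)                   # fixed seed so the run is reproducible
    name = "www.example.com"
    sent = {"txid": rng.getrandbits(16), "src_port": rng.randint(1024, 65535),
            "qname": encode_0x20(name, rng)}
    genuine = {"txid": sent["txid"], "dst_port": sent["src_port"], "qname": sent["qname"]}
    wrong_case = dict(genuine, qname=name)      # same name, but the 0x20 pattern not echoed
    print(sent["qname"], accept_response(sent, genuine), accept_response(sent, wrong_case))
    for port, x20 in ((False, False), (True, False), (True, True)):
        b = guess_bits(name, port, x20)
        print(f"port_randomized={port} 0x20={x20}: {b} bits, p={single_guess_probability(b):.3e}")
```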

  However, security research in recent years has given the security community a more comprehensive and in-depth understanding of the domain name system attack surface. The domain name system security threat model has also been significantly expanded and extended. Specifically, the main roles in the domain name resolution interaction process include: client (Stub Resolver), domain name forwarder (DNS Forwarder), recursive domain name server (DNS Recursive Resolver), and authoritative name server (Authoritative Nameserver). Judging from the latest research results, attackers can appear on various intermediate links in domain name resolution.

Important finding 1: Side channels introduced by the underlying implementation of the operating system can be used to carry out efficient cache poisoning attacks

Important finding 2: Domain name forwarders have become a weak link in the resolution chain, and related security risks continue to emerge

Important finding 3: Using domain name cache poisoning to affect higher-level network services has become a hot topic

2. Domain name authorization security threats

  The domain name system can be thought of as a distributed database, and the domain name resolution interaction process can be thought of as the process of querying and retrieving the distributed database from the client.

  To achieve good scalability, the domain name system adopts a hierarchical authorization (delegation) structure, that is, each domain name server is responsible only for the domain names it manages. However, this authorization mechanism carries potential security risks. In the conventional resolution process, when the recursive resolver has no record in its cache, it sends queries in turn to the root server, the top-level domain server and the second-level domain server to obtain the response. In theory, to keep record content consistent across a large-scale distributed database, parent and child domains should hold the same authorization records. In practice, however, because of complex factors such as network configuration management, the authorization records in parent and child domains are often inconsistent; research shows that conflicts between parent and child domain authorization records are quite common.

Important finding 1: Inconsistencies in domain name authorization records can cause important domain names to be covertly hijacked by attackers

Important finding 2: Improper handling of authorization records by domain name software can result in malicious domain names being unable to be revoked

  The domain name authorization mechanism has given rise to a new type of security risk, the Ghost Domain. Domain name deletion and domain revocation are effective means for the security community to deal with cybercrime, achieved by modifying the authorization record of the domain in the zone file of the top-level domain. However, this process contains a potential ambiguity: when the recursive resolver updates cached resource records, should the parent domain's authority or the child domain's authority prevail? The existing RFC specifications require the recursive server to give higher priority to the resource records returned by the child domain. This allows an attacker to keep manipulating the recursive server's cache even after the domain name has been deleted, so that the malicious domain name remains resolvable. This security flaw is called the Ghost Domain Attack.

  The ghost domain vulnerability was first disclosed in 2012 and was included in the US National Vulnerability Database and in the FCC's 2012 security best practices report. However, research published at the NDSS conference in 2023 again revealed two types of ghost domain vulnerabilities, exploiting flaws in how recursive servers manage cached resource records so that they still preferentially trust and adopt malicious records returned by attackers.
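The parent-versus-child ambiguity described above, as an added simulation that is not code from the white paper or the papers it cites: a toy recursive resolver caches a delegation, the parent (TLD) zone revokes it, and the child's authoritative server keeps answering with its own NS records. The "child-preferred" resolver lets those answers renew the cached delegation indefinitely; the hardened variant (my own simplification of the published mitigations) never lets child-side NS records extend the lifetime the parent granted, so the delegation is re-checked at the parent and the revocation takes effect. Zone names, TTLs and query timings are constructed.

```python
TTL = 3600  # constructed TTL in seconds for both parent and child records

class ParentZone:
    """TLD zone file: a delegation exists until the registry revokes it."""
    def __init__(self, delegations):
        self.delegations = dict(delegations)        # zone -> set of NS names
    def lookup(self, zone):
        ns = self.delegations.get(zone)
        return (set(ns), TTL) if ns is not None else None
    def revoke(self, zone):
        self.delegations.pop(zone, None)

class ChildAuth:
    """The child's authoritative server, still under the attacker's control
    after revocation, answering every query with its own NS set."""
    def __init__(self, ns):
        self.ns = set(ns)
    def answer(self):
        return (set(self.ns), TTL)

class Resolver:
    def __init__(self, parent, child, child_preferred):
        self.parent, self.child, self.child_preferred = parent, child, child_preferred
        self.cache = {}  # zone -> {"ns", "expires", "parent_expires"}

    def resolve(self, zone, now):
        entry = self.cache.get(zone)
        if entry is None or now >= entry["expires"]:
            deleg = self.parent.lookup(zone)        # walk down from the parent again
            if deleg is None:
                self.cache.pop(zone, None)          # revoked: nothing to resolve
                return None
            ns, ttl = deleg
            entry = {"ns": ns, "expires": now + ttl, "parent_expires": now + ttl}
            self.cache[zone] = entry
        ns, ttl = self.child.answer()               # child answer carries NS records too
        if self.child_preferred:
            # Ghost-domain behaviour: child NS records overwrite the cached
            # delegation and push its expiry forward on every query.
            entry["ns"], entry["expires"] = ns, now + ttl
        else:
            # Hardened: child records may not outlive the parent's delegation.
            entry["expires"] = min(now + ttl, entry["parent_expires"])
        return entry["ns"]

def simulate(child_preferred):
    """Return {query_time: NS set or None} for a domain revoked at t=60 and
    queried every half-TTL until ten TTLs after the revocation."""
    zone, ns = "malicious.example", {"ns1.malicious.example"}
    resolver = Resolver(ParentZone({zone: ns}), ChildAuth(ns), child_preferred)
    resolver.resolve(zone, now=0)                   # populate the cache before takedown
    resolver.parent.revoke(zone)
    return {t: resolver.resolve(zone, t) for t in range(60, 10 * TTL, TTL // 2)}

if __name__ == "__main__":
    for mode, flag in (("child-preferred", True), ("hardened", False)):
        res = simulate(flag)
        alive = [t for t, v in res.items() if v is not None]
        print(f"{mode}: still resolvable at {len(alive)}/{len(res)} query times, last {max(alive, default=None)}")
```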

Important finding three: The security risk of subdomain hijacking is common, and the security impact has indirectly affected web applications.

(4) Technical standards work

(5) Governance-related progress

4. Thoughts after reading

  The emergence of the mobile Internet and cloud computing brought new application scenarios and higher requirements for DNS. DNS no longer serves only network connections, but centers on application creation and deployment, including mobile Internet applications, cloud computing products and cloud-native applications. At this stage, large-scale cloud computing platforms provide DNS services with higher elasticity and high availability, and DNS has evolved from a basic network function into PaaS/SaaS services that can be integrated through APIs. Almost all applications depend on its stability and security.

  The pan-IP addressing and resolution system based on the DNS system will continue to develop integratedly in the three fields of new technologies, new business formats, and new governance. It will be deeply integrated with today's vigorous digitalization and enter the "DNS+" era.

  DNS+ adds more security functions, performance optimizations and management functions on top of traditional DNS services, and can provide greater security and reliability.

  When I was reading this article, it happened to be November 12th, around 5 pm, when Alibaba collapsed, DingTalk collapsed, and Taobao collapsed... All kinds of negative news exploded. Although it only took more than an hour, engineers immediately fixed the fault. However, as a work that represents top technology and apps, the fact that several series crashed at the same time shows that it was not an accidental sporadic fault. Failure to judge and handle non-accidental large-scale failures before they occur indicates that there is some kind of loophole, either in management or technology, or a social event that cannot be handled by a few of us. The social situation is different, and technical requirements must keep up accordingly, rather than staying in traditional concepts and technical thinking. Technical maintenance personnel should pay more attention to the internal working principles and structural mechanisms of the system, rather than just testing the external performance. The specific technical implementation will continue to change and evolve with network technology, security and stability and other needs. For example, with the popularity of cloud computing and cloud services, a large amount of Internet traffic passes through the cloud platform for domain name resolution. As a key middle layer, the cloud platform plays an important role in routing user requests to the corresponding service instances. Cyber attacks against cloud platform domain name resolution services continue to occur, and the scale and complexity of the cloud platform have also increased the challenges of domain name resolution security. The cloud platform is composed of multiple distributed components and services, involving multiple domain name resolution points and network levels, which increases the attack surface and potential security vulnerabilities.

  A secure community with a shared future in cyberspace requires the joint collaboration and efforts of governments, industries and academia in all countries.

Origin blog.csdn.net/weixin_69553582/article/details/134356762