Measurement and evaluation for privacy benefits of deploying encrypted DNS protocol between recursive and authoritative servers (递归-权威侧部署加密DNS协议的隐私收益评估方法及测量分析)


Authors: DUAN Liying (段丽莹), LI Ruixuan (李瑞烜), LIU Ximeng (刘西蒙), SHAO Jun (邵俊), LIU Baojun (刘保君)

Affiliations: [1] College of Computer and Data Science, Fuzhou University, Fuzhou 350108, Fujian, China; [2] Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China; [3] School of Computer Science and Technology, Zhejiang Gongshang University, Hangzhou 310018, Zhejiang, China

Source: Chinese Journal of Network and Information Security (网络与信息安全学报), 2024, No. 5, pp. 71-80 (10 pages)

Funding: National Key Research and Development Program of China, Young Scientists Project (2023YFB3105600).

Abstract: Encrypted DNS protocols were originally designed to protect the privacy of DNS traffic between users and recursive resolvers (the user-recursive side), and they are now widely deployed there. DNS traffic between recursive resolvers and authoritative servers (the recursive-authoritative side), however, still faces substantial privacy threats. After a four-year standardization process, the Internet Engineering Task Force (IETF) published RFC 9539 in February 2024, which applies encrypted DNS to protect the privacy of recursive-authoritative DNS traffic. Focusing on the privacy benefit of deploying encrypted DNS on the recursive-authoritative side, this paper proposes a method for evaluating the privacy benefit of individual Internet domain names. The method defines three levels of privacy benefit based on the number of domain names hosted by the target domain's authoritative servers: the fewer other domains share those servers, the more the identity of the contacted server alone reveals about the query, even when the query itself is encrypted. Combining the zone files of 1,058 top-level domains, the privacy benefit level is determined for 2.43 million popular domain names and 40 thousand sensitive domain names. The results show that over 90% of domain names gain privacy protection from encrypted DNS on the recursive-authoritative side, but 6.28% of sensitive domain names cannot benefit from it, and some highly popular domain names also obtain insufficient privacy benefit. Compared with large domain hosting providers, small providers offer a higher privacy benefit for the domains they host. Deploying a domain on an authoritative server that hosts only that single domain greatly undermines the privacy protection of recursive-authoritative encrypted DNS; administrators are advised to re-examine their domain hosting arrangements.
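The evaluation idea above, applied to a constructed zone-file excerpt, as an added example (this is illustrative code, not the paper's own tooling). It parses NS records, maps each authoritative nameserver to the domains delegated to it, and grades each domain by the size of the set of domains an observer would have to choose among. Two things are assumptions of this example rather than the paper's definitions: the worst-case rule (a domain is graded by the least-shared server in its NS set, since a resolver may contact any of them) and the numeric threshold `FULL_BENEFIT_MIN_DOMAINS` separating "partial" from "full". All zone data is made up.

```python
"""Added example, not the paper's code: grade the privacy benefit a domain gets from
encrypted recursive-to-authoritative DNS (RFC 9539) using zone-file NS records."""
from collections import defaultdict
from typing import Dict, Set, Tuple

# Constructed zone-file excerpt in presentation format; not real registry data.
ZONE_FILE = """\
; bank.example sits alone on a single-tenant provider
bank.example.    172800 IN NS ns1.solo-hoster.example.
bank.example.    172800 IN NS ns2.solo-hoster.example.
shop.example.    172800 IN NS ns1.bighost.example.
shop.example.    172800 IN NS ns2.bighost.example.
news.example.    172800 IN NS ns1.bighost.example.
news.example.    172800 IN NS ns2.bighost.example.
mail.example.    172800 IN NS ns1.bighost.example.
mail.example.    172800 IN NS ns2.bighost.example.
video.example.   172800 IN NS ns1.bighost.example.
video.example.   172800 IN NS ns2.bighost.example.
clinic.example.  172800 IN NS ns1.smallhost.example.
clinic.example.  172800 IN NS ns2.smallhost.example.
forum.example.   172800 IN NS ns1.smallhost.example.
forum.example.          IN NS ns2.smallhost.example.
; blog.example mixes a shared server with a private one
blog.example.    172800 IN NS ns1.bighost.example.
blog.example.    172800 IN NS ns1.personal.example.
shop.example.    172800 IN A  192.0.2.10   ; non-NS records are ignored
"""

# Assumed threshold (not from the paper): a domain whose every authoritative server
# is shared with at least this many domains is treated as fully hidden.
FULL_BENEFIT_MIN_DOMAINS = 3


def parse_ns_records(zone_text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (domains hosted per nameserver, nameservers per domain) from NS records.

    Tolerates an optional TTL field and ';' comments; every non-NS record is skipped.
    """
    hosted_by: Dict[str, Set[str]] = defaultdict(set)
    servers_of: Dict[str, Set[str]] = defaultdict(set)
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()
        if "IN" not in fields:
            continue
        i = fields.index("IN")  # class; TTL may or may not precede it
        if i == 0 or len(fields) < i + 3 or fields[i + 1].upper() != "NS":
            continue
        owner = fields[0].lower().rstrip(".")
        ns = fields[i + 2].lower().rstrip(".")
        hosted_by[ns].add(owner)
        servers_of[owner].add(ns)
    return hosted_by, servers_of


def anonymity_set(domain: str, hosted_by: Dict[str, Set[str]],
                  servers_of: Dict[str, Set[str]]) -> int:
    """Worst-case number of domains an on-path observer must choose among.

    A resolver may contact any server in the NS set, so the least-shared server
    bounds what encryption hides (conservative rule assumed by this example).
    """
    if domain not in servers_of:
        raise KeyError(f"no NS records for {domain}")
    return min(len(hosted_by[ns]) for ns in servers_of[domain])


def benefit_level(domain: str, hosted_by: Dict[str, Set[str]],
                  servers_of: Dict[str, Set[str]]) -> str:
    """Three grades: 'none' (a single-tenant server), 'partial', or 'full'."""
    n = anonymity_set(domain, hosted_by, servers_of)
    if n <= 1:
        return "none"
    if n < FULL_BENEFIT_MIN_DOMAINS:
        return "partial"
    return "full"


def classify_zone(zone_text: str) -> Dict[str, str]:
    """Grade every delegated domain in the zone text."""
    hosted_by, servers_of = parse_ns_records(zone_text)
    return {d: benefit_level(d, hosted_by, servers_of) for d in sorted(servers_of)}


def share_without_benefit(levels: Dict[str, str]) -> float:
    """Fraction of graded domains that gain nothing from encrypting the query."""
    if not levels:
        return 0.0
    return sum(1 for lvl in levels.values() if lvl == "none") / len(levels)


if __name__ == "__main__":
    levels = classify_zone(ZONE_FILE)
    for domain, level in levels.items():
        print(f"{domain:16} {level}")
    print(f"no benefit: {share_without_benefit(levels):.1%}")
```

Note how `blog.example` is graded "none" even though one of its servers is heavily shared: a single private nameserver in the NS set is enough to give the destination away, which is the practical form of the paper's warning against single-domain authoritative servers.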

Keywords: domain name system; encrypted DNS; privacy protection; Internet measurement

Classification: TP393 [Automation and Computer Technology / Computer Application Technology]

 
