Security issues in the DNS protocol
DNS is a distributed name resolution system that maps between domain names, IP addresses, mail service records and so on, built on caching and a tree-shaped hierarchy of delegated authority. However, DNS servers and resolvers exchange messages over the connectionless UDP protocol, so a recipient cannot confirm where the data came from or whether it was tampered with in transit. This is a major security risk and makes DNS servers a frequent target. The threats DNS currently faces include packet interception, transaction ID prediction, cache poisoning, distributed denial-of-service (DDoS) attacks, cache overflow attacks, invalid domain name attacks, insecure dynamic updates, and information leakage.
Currently, some non-DNSSEC security measures can alleviate part of the DNS security problem:
1) restrict zone data transfers;
2) restrict the addresses the service answers;
3) disable the recursive query function of the domain name server;
4) split DNS;
5) the TSIG mechanism.
However, these measures only partially alleviate some of the security problems of DNS. They do not authenticate the source of DNS message data or check its integrity, and so do not fundamentally resolve the security problems inside DNS itself.
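As an added illustration of item 5, the TSIG mechanism, and not code from the article: a simplified TSIG-style check in Python. The sender computes an HMAC-SHA256 over the request together with the key name, the signing time and an allowed clock-skew window (the TSIG "fudge"), and the receiving server fails closed with the TSIG error names BADKEY, BADSIG and BADTIME when the key is unknown, the MAC does not match, or the message is stale or replayed. The byte layout covered by the MAC is a simplification for illustration, not the RFC 8945 wire format; the key name `xfer-key.`, the shared secret, the request bytes and the timestamps are constructed for this example.

```python
import hashlib
import hmac
import time

FUDGE = 300  # allowed clock skew in seconds (the TSIG "fudge" value); constructed choice


def _covered_data(key_name, time_signed, message):
    """Bytes the MAC covers: key name, signing time, fudge and the DNS message itself.
    Simplified layout for illustration, not the RFC 8945 TSIG variable encoding."""
    return (key_name.lower().encode()
            + time_signed.to_bytes(6, "big")
            + FUDGE.to_bytes(2, "big")
            + message)


def tsig_sign(key_name, secret, message, time_signed=None):
    """Sender side: return (key name, time signed, MAC) to attach to the message."""
    t = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, _covered_data(key_name, t, message), hashlib.sha256).digest()
    return key_name, t, mac


def tsig_verify(keyring, message, key_name, time_signed, mac, now=None):
    """Receiver side: (True, "NOERROR") or (False, <TSIG error name>).
    Check order follows TSIG: unknown key, then MAC mismatch, then time outside the window."""
    secret = keyring.get(key_name.lower())
    if secret is None:
        return False, "BADKEY"
    expected = hmac.new(secret, _covered_data(key_name, time_signed, message), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):   # constant-time comparison
        return False, "BADSIG"
    t_now = int(time.time()) if now is None else now
    if abs(t_now - time_signed) > FUDGE:          # stale or replayed message
        return False, "BADTIME"
    return True, "NOERROR"


def demo():
    """Constructed sample: a secondary server asks the primary for a zone transfer."""
    keyring = {"xfer-key.": b"constructed-shared-secret"}   # server-side key store (constructed)
    request = b"AXFR example.com. IN"                        # constructed request bytes
    name, t, mac = tsig_sign("xfer-key.", keyring["xfer-key."], request, time_signed=1_700_000_000)
    return {
        "genuine": tsig_verify(keyring, request, name, t, mac, now=t + 10),
        "tampered": tsig_verify(keyring, b"AXFR example.org. IN", name, t, mac, now=t + 10),
        "replayed": tsig_verify(keyring, request, name, t, mac, now=t + 3600),
        "unknown key": tsig_verify(keyring, request, "other-key.", t, mac, now=t + 10),
    }


if __name__ == "__main__":
    for case, (ok, rcode) in demo().items():
        print(f"{case:12s} accepted={ok} {rcode}")
```

The shared secret only proves that the message came from a holder of that key and was not altered on the way; it says nothing about whether the zone data itself is authentic at its origin, which is the gap the article points to.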
DNS Security Extensions (DNSSEC)
The public key mechanism (asymmetric encryption algorithm) is a highly secure encryption technology whose advantages are convenient key management and the ability to provide functions such as digital signatures and identity authentication. A public/private key pair is generated first; the public key is published and the private key is kept by its owner. The typical example, RSA, is a block cipher system based on the difficulty of factoring large numbers: plaintext and ciphertext are integers between 0 and n-1 for some modulus n, and the operations are mainly modular arithmetic.
Figure: Public key encryption flowchart
The figure shows the main process of public key encryption. The sender encrypts the plaintext with the private key, and the receiver decrypts the ciphertext with the public key to recover the plaintext; data encrypted with one key of the pair can be decrypted only with the other key.
In terms of security, symmetric encryption algorithms are difficult to crack when long keys are used. In asymmetric algorithms such as RSA the public and private keys are built from a pair of large prime numbers, and recovering the plaintext from the public key and the ciphertext is as hard as factoring the product of two large primes, a problem that remains unsolved to this day. So for now, a hybrid encryption mechanism that combines an asymmetric algorithm with a symmetric algorithm is relatively safe.
In terms of execution efficiency, the time complexity of symmetric encryption algorithms is O(n) and the space complexity is O(n). In a hybrid scheme the asymmetric algorithm only needs to encrypt the key of the symmetric algorithm; for example, the DES algorithm uses a 64-bit pseudo-random number as its key, so that step has time and space complexity O(1). The time and space complexity of the hybrid algorithm therefore cannot exceed O(n). A hybrid encryption mechanism based on a symmetric and an asymmetric algorithm can thus improve the overall operational efficiency of DNSSEC while preserving its security.
DNSSEC has been published for many years, but it is still not widely deployed because implementing its public key technology is complex and places high demands on hardware. We therefore introduce into DNSSEC a hybrid encryption mechanism that combines the encryption and decryption efficiency of symmetric algorithms with the key management advantages of asymmetric algorithms, and study it in the articles below.
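As an added worked example for both the RSA description above and the hybrid scheme this section proposes, and not code from the article: a small Python program, standard library only, that generates a textbook RSA key pair (p, q, n = p*q, e, d with e*d = 1 mod phi(n)), signs a constructed DNS record with the private key and verifies it with the public key (the private-key-encrypt / public-key-decrypt flow of the figure), and then performs the hybrid step: a fresh random symmetric session key encrypts the data and only that key is wrapped with RSA. The symmetric cipher is a toy stand-in (SHA-256 counter-mode keystream with an HMAC tag) because the standard library has no AES; the raw modular exponentiation is textbook RSA without padding, whereas real DNSSEC RSASHA256 signatures use PKCS#1 v1.5 padding. The record `example.com. 3600 IN A 192.0.2.1` and all key sizes are constructed for this example.

```python
import hashlib
import hmac
import math
import secrets

E = 65537  # common RSA public exponent


def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:          # write n-1 = 2^r * d with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False      # witness found: n is composite
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Return ((n, e), (n, d)): public key and private key."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))


def rsa_sign(private, data):
    """Textbook RSA signature: SHA-256 digest raised to the private exponent (no padding)."""
    n, d = private
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")   # 256 bits, so h < n
    return pow(h, d, n)


def rsa_verify(public, data, sig):
    """Anyone holding the public key recovers the digest and compares it."""
    n, e = public
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


def _keystream(key, length):
    """Toy stream: SHA-256 over key || counter, concatenated (illustration only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def sym_encrypt(key, plaintext):
    """Toy symmetric cipher: keystream XOR, then HMAC tag (encrypt-then-MAC). Cost is O(n)."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key + nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("tag mismatch: ciphertext tampered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key + nonce, len(ct))))


def hybrid_encrypt(public, plaintext):
    """Hybrid step: the data goes through the symmetric cipher; RSA wraps only the 32-byte key (O(1))."""
    n, e = public
    session_key = secrets.token_bytes(32)                        # fresh key per message
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)      # 256-bit key < n
    return wrapped, sym_encrypt(session_key, plaintext)


def hybrid_decrypt(private, wrapped, blob):
    n, d = private
    session_key = pow(wrapped, d, n).to_bytes(32, "big")
    return sym_decrypt(session_key, blob)


def demo(bits=1024):
    """Returns (genuine record verifies, altered record verifies, hybrid round-trip ok)."""
    public, private = rsa_keygen(bits)
    record = b"example.com. 3600 IN A 192.0.2.1"          # constructed DNS record
    sig = rsa_sign(private, record)
    altered = b"example.com. 3600 IN A 192.0.2.99"        # constructed tampered record
    wrapped, blob = hybrid_encrypt(public, record)
    return (rsa_verify(public, record, sig),
            rsa_verify(public, altered, sig),
            hybrid_decrypt(private, wrapped, blob) == record)


if __name__ == "__main__":
    print(demo())   # expected: (True, False, True)
```

Standard DNSSEC uses only the signature half of this program (RRSIG records over RRsets) to give origin authentication and integrity; the hybrid half shows the mechanism the article proposes to add, where the per-message O(n) work stays in the symmetric cipher and the asymmetric operation touches only the short session key.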
For more information, see:
Analysis of DNSSEC based on public key technology
Analysis of DNSSEC based on a hybrid encryption mechanism