Me: Last time I finally sent TLS away; this time ...
DNS: (Popping up suddenly) This is definitely my special session! Hello everyone, my name is DNS (Domain Name System). I was born in 1987. Before I was born, computer scientists used a hosts.txt file to map host names to their IP addresses, but as the number of hosts on the Internet grew, the hosts file became more and more bloated and less and less friendly to users, so I was born! (The hosts file still survives in every operating system, though; a historical relic.)
I mainly work over UDP/IP. In essence I am a distributed public database that stores, for every site, the mapping between its domain name and its IP address, held as RRsets (resource record sets); the domain name and its corresponding IP address form a mapping ...
Me: D! N! S! Why do you have a habit of interrupting people? And you don't need to rattle on here; I've already let you out twice!
DNS: No, I won't leave this time, because: 1. you laughed at me, saying that I foolishly work over unreliable, connectionless UDP so that the GFW can exploit me easily; 2. I have a brother you haven't mentioned, and today I must introduce him to you. Let's see whether our DNS family is really as weak as you think!
Me: On the first point, I think what I said was fair: you work over unreliable UDP with no security mechanism at all, which is really silly :)
DNS: Have you ever wondered why I work mainly over UDP?
Me: It's simple: connection-oriented TCP has to go through a complex process of setting up and tearing down connections, establishing a logical "leased line" (a virtual circuit, or simply a connection) to guarantee reliable data transmission, while UDP has none of these steps; it just sends, and whatever arrives, arrives. And you, lazy ghost, didn't want to bother with TCP's tedious steps, so you chose UDP ...
DNS: Shut up! I'm not lazy! Did you ever think that TCP's complicated connection setup and teardown consumes a considerable amount of resources? Did you ever think that every resolver (the domain name resolution server that talks to clients) and every name server (the authoritative server that stores the RRsets and talks to resolvers) faces a huge number of queries every day? Have you thought about it? Resolving a domain name is a very short exchange; if TCP were used, connection setup and teardown would take far longer than the query itself.
Me: ...... If TCP were used, every server involved would burn through compute resources like crazy, and in 1987 a server's computing power couldn't even match today's PC; add the time for connection setup and teardown and the user experience would become terrible while server maintenance costs went up ... OK, I get it. Sorry, DNS.
DNS: Good, now you understand. Speaking of which, the fact that I have no security mechanism is also largely down to performance. But my creators really were too careless: I am an extremely critical part of the Internet, and having no security mechanism at all is hard to justify, so this time I've brought my brother DNSSEC along.
Me: DNSSEC? DNS Security Extensions (Domain Name System Security Extensions)?
DNSSEC: That's me. I was born in 1999, but so far I haven't been deployed at scale. Lazy humans, your procrastination is a serious disease!
Me: (Sweating) Haha, yes. But last time I mentioned here a few ideas for countering attacks on DNS; how many of them have you implemented?
DNSSEC: Let me see ... I added an authentication mechanism, there is an end-to-end integrity check, I don't encrypt, and I don't work over TCP ...
Me: You added authentication? That renders the GFW's forged query results useless, but without encryption you still can't stop genuine query results from being tampered with ...
DNSSEC: Wrong, I can stop genuine query results from being tampered with!
Me: How so?
DNSSEC: The point is that I implement an "end-to-end integrity check". Have you heard of digital signatures? I use the digital signature mechanism to verify integrity, which guarantees that the query results the server returns have not been tampered with.
Me: I don't know what "end-to-end" means.
DNSSEC: "End-to-end" is the counterpart of "hop-to-hop". Hop-to-hop refers to this mechanism: in a computer network, when a router P receives a packet (message) M, P can determine that M really came from a legitimate peer router Q, and that M has neither been tampered with nor is an old message replayed by an attacker (I'll introduce replay attacks later). P and Q are routers responsible for storing and forwarding, acting as springboards for the information, hence "hop-to-hop" (literally "springboard to springboard").
End-to-end, on the other hand, means that the client itself can confirm that the packets it receives come from the target server, have not been tampered with and are not replays. Since the client and the target server are both endpoints of the communication, this is called "end-to-end".
Me: I see. I've seen digital signatures and hash values used for file integrity checks, but they can be used for query results too?
DNSSEC: Of course they can! My authentication mechanism is also implemented with digital signatures; the GFW cannot produce a valid digital signature! That includes dynamic cache updates: I can use the same mechanism to prevent cache poisoning!
Me: Sounds good, but can you deal with a rogue ISP's DNS hijacking?
DNSSEC: That ... I can't handle, because DNS is a public distributed database ...
Me: "Public" means there's no access restriction: anyone can read and change the data, right? Well, that's not surprising. But if the server itself is unreliable, then no other security mechanism helps.
DNSSEC: That's not true! Having no access restriction, so that anyone can read and change the data, is not the issue! I mean that I can tell whether a server's cache has been poisoned by verifying the digital signatures on the RRsets in the cache, but this assumes the server has been running for a while! The first time I run, I have nothing to check the signatures against yet!
Me: It seems you're far from perfect ...
DNSSEC: There is no perfection in this world!
Me: I know, but why don't you encrypt? With you, the GFW can't play its forgery and tampering tricks, but it still knows what content the user requested!
DNSSEC: I can't help it; my designers gave up encryption for performance reasons, and didn't have me work over TCP either.
Me: You really ought to get a good makeover! I thought the DNS family, with its dubious reputation, finally had an exception, but you're all cut from the same cloth! OK, the DNS family has used up its chances; go back to the Application Layer Studio!
TLS: Shall I tell you about my brother DTLS next time?
Me: Sorry, no! Next time is the IP session!
(IP: Finally you remembered me; I'm touched!)
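What DNSSEC calls the end-to-end integrity check, as an added example that is not part of the original post: a toy zone signs an RRset with Ed25519 from the Go standard library (DNSSEC algorithm 15), a validating client checks the signature against a trust anchor it already holds, and an address swapped by a hop in the middle fails the check. The RRset, Zone and Validate names and the simplified canonical form are this example's assumptions, not real DNS library code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"sort"
	"strings"
)

// RRset is the record set DNS described above: owner name, type and the
// record data. DNSSEC signs the whole set, not individual packets.
type RRset struct {
	Name string
	Type string
	Data []string
}

// canonical puts the set into a fixed form (lower-cased name, sorted data) so
// signer and verifier sign the same bytes; a simplified stand-in for RFC 4034.
func (r RRset) canonical() []byte {
	d := append([]string(nil), r.Data...)
	sort.Strings(d)
	return []byte(strings.ToLower(r.Name) + "\x00" + r.Type + "\x00" + strings.Join(d, "\x00"))
}

// Zone stands in for the authoritative name server holding the private key.
type Zone struct{ priv ed25519.PrivateKey }

func NewZone() Zone { _, p, _ := ed25519.GenerateKey(rand.Reader); return Zone{p} }
func (z Zone) PublicKey() ed25519.PublicKey { return z.priv.Public().(ed25519.PublicKey) }

// Sign plays the role of the RRSIG record that accompanies the RRset.
func (z Zone) Sign(r RRset) []byte { return ed25519.Sign(z.priv, r.canonical()) }

// Validate is the end-to-end check: the client verifies against a trust anchor
// (the zone key it must already hold, the "first run" problem DNSSEC admits
// above) rather than trusting whichever resolver or hop handed it the answer.
func Validate(anchor ed25519.PublicKey, r RRset, sig []byte) bool {
	return ed25519.Verify(anchor, r.canonical(), sig)
}

func main() {
	zone := NewZone()
	rr := RRset{Name: "example.com.", Type: "A", Data: []string{"192.0.2.10", "192.0.2.11"}}
	sig := zone.Sign(rr)
	fmt.Println("genuine answer validates:", Validate(zone.PublicKey(), rr, sig))
	// A hop in the middle (poisoned cache, rogue resolver) swaps in another address:
	forged := RRset{Name: rr.Name, Type: rr.Type, Data: []string{"192.0.2.10", "198.51.100.99"}}
	fmt.Println("tampered answer validates:", Validate(zone.PublicKey(), forged, sig))
}
```

Nothing here hides the queried name or the answer from an observer on the path: the signature catches forgery and tampering, which is exactly the gap the dialogue points out about missing encryption.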
The principle of SSL/TLS and how the Internet works (5): DNS and his brother