目前针对DNS服务器的恶意攻击频发,如DNS缓存投毒攻击,而DNS安全拓展协议(DNSSEC)在大规模部署时仍面临许多难题.本文提出一种简单易部署的,具有入侵容忍能力的主动防御架构——拟态DNS(Mimic DNS,M-DNS)—保证DNS安全.该架构由选调器和包含多个异构DNS服务器的服务器池组成.首先选调器动态选取若干服务器并行处理请求,然后对各服务器的处理结果采用投票机制决定最终的有效响应.实验仿真表明,相比当前传统架构,M-DNS可以降低缓存投毒攻击成功率约10个数量级.%A simple and practical approach is required immediately to safeguard the Domain Name System (DNS) because there are increasing attacks on DNS (such as DNS cache poisoning) and various problems when deploying Domain Name System Security Extensions (DNSSEC) on a large scale.In this paper,we present Mimic DNS (M-DNS),a nonintrusive,tolerant and proactive security architecture,to deal with it.M-DNS is comprised of a scheduler and a server pool which consists of several heterogeneous DNS servers.The scheduler dynamically schedules the DNS servers to handle the requests in parallel and adopts the vote results from the majority of the servers to determine valid responses.Simulation results demonstrate that compared with current traditional frameworks,approximating 10 orders of magnitude reduction in cache poisoning attack probability is acquired when employing M-DNS.
展开▼
