Frontiers of Data and Computing ›› 2021, Vol. 3 ›› Issue (3): 75-85.

doi: 10.11871/jfdc.issn.2096-742X.2021.03.007

• Special Issue: Communication and Security of Network • Previous Articles     Next Articles

Multi-Resolver-Based Privacy Protection Mechanism for Domain Names

WU Yiming1,2,*(),WANG Wei1(),YAN Zhiwei3(),WANG Yang1()   

  1. 1. Computer Network Information Center, Chinese Academy of Sciences, Beijing 100190, China
    2. University of Chinese Academy of Sciences, Beijing 100049, China
    3. China Internet Network Information Center, Beijing 100190, China
  • Received:2021-03-04 Online:2021-06-20 Published:2021-07-09
  • Contact: WU Yiming E-mail:wuyiming@cnic.cn;wangwei@cnic.cn;yanzhiwei@cnnic.cn;wangyang@cnic.cn

Abstract:

[Objective] As an important infrastructure of the Internet, the DNS system was not initially designed with protocol security in mind, and DNS queries and responses are transmitted in plaintext, making it vulnerable to eavesdropping and traffic analysis. With evolution of the Internet, DNS security and privacy concerns have received increasing attention, variants of extended DNS encryption protocols have emerged to address the data protection issue during transmission. However, these DNS encryption transfer protocols fail to prevent the collection of user privacy by DNS recursive resolvers. Instead, the implementation and deployment of those protocols accelerate the centralization of the DNS resolution system, leading to increasingly serious privacy issues on the DNS server side. [Methods] The multi-resolver mechanism studied in this paper achieves centralization mitigation and DNS server-side user privacy protection by dispersing user query requests to multiple candidate DNS resolvers. By studying the selection strategy which is the core issue of the mechanism, this paper proposes an improved round robin selection method, which ensures a fixed relationship among domain-name resolvers by maintaining a query record table on the client side, reduces the amount of information about user browsing activities exposed to each individual resolver, and avoids a particular resolver from obtaining a user's entire web browsing history. In addition, a weighted round robin approach based on resolver ping latency is used as a further improved scheme to optimize the domain name resolution latency of the multi-resolver mechanism in order to strike a balance between privacy decentralization protection and performance.[Results] The experiments show that the improved round robin approach can effectively achieve the design goal of maximizing the dispersion of user's domain name resolution requests among the candidate resolvers, and the weighted round robin approach based on ping delay achieves significant performance improvement at the cost of a reduced dispersion effect. [Conclusions] Through the comparison of different selection strategies, the improved round robin method and the weighted round robin method proposed in this paper have shown advantages in the decentralization effect and resolution performance, respectively. The multi-resolver mechanism proposed in this paper provides a feasible solution to solve the privacy and centralization problems of the current DNS.

Key words: DNS, privacy protection, DNS over HTTPS