CCRI: Medium: DNS, Identity, and Internet Naming for Experimentation and Research (DIINER)

CCRI：媒介：用于实验和研究的 DNS、身份和互联网命名 (DINER)

• 批准号: 1925737
• 负责人: John Heidemann
• 金额: $ 145.84万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1925737&HistoricalAwards=false
• 关键词: CCRI; Medium; DNS; Identity; Internet

Naming and identification in the Internet is essential to find websites (e.g. www.nsf.gov) and other services. The Domain Name System (DNS), Identity, and Internet Naming for Experimentation and Research (DIINER) project proposes to accelerate research on Internet naming, identification, and the DNS by providing research infrastructure, data, and community building. The project will provide (1) a testbed and tools to allow experimentation on DNS data and to support gradual transition of new approaches from research into experimental use and ultimately to operation. (2) The project will provide data about how DNS is used and how the DNS system and servers perform, in the context of a framework for privacy-sensitive anonymization and controlled data sharing. The DIINER project will also work to (3) foster a collaborative research community by tightening the feedback loop between the creativity and perspectives of academia and the knowledge and real-world problems and data of operation of critical infrastructure, holding workshops about these topics and about these tools and new research methods. The DIINER project builds on the University of Southern California (USC) Information Sciences Institute (ISI) experiences both running operational DNS services such as B-Root and working with the research community to share data and provide research infrastructure. The anticipated outcome of DIINER is scientific progress on how to carry out research on Internet naming, identity, and DNS; improvements to the performance, reliability, security, and privacy of how Internet naming, identity, and DNS are done today; and support of education and research at the USC and in the community.The Internet's DNS most commonly maps names to addresses (e.g. www.nsf.gov to 128.150.4.107), and its use has grown to include applications like anti-spam and Content Delivery Networks. With DNSSEC (Domain Name System Security Extensions), DNS protects data integrity and can ground trust systems, X.509 communications and Certificate Authorities. But Internet naming, identification, and DNS face many challenges. Security has changed as the Internet has moved from a low-risk academic experiment to a trillion-dollar marketplace, bringing threats from organized crime and nation states. DNS has also gathered great inertia, with a huge, change-resistant installed base, from millions of home routers to sophisticated commercial clusters. Its identification as "critical infrastructure" adds both technical and political inertia. These requirements compound technical challenges, such as minimizing latency, and often leave the research community distant from operational reality, without the data and infrastructure they need to make credible contributions.The DIINER project proposes to meet these challenges and reverse DNS ossification by enabling new research in Internet naming and trust, and easing transition from research to operational deployment, while preserving stability. Its goal is to unite isolated researchers by growing an Internet naming and identification community around DIINER, a new shared research infrastructure providing: (1) parallel DNS resolution evaluation (PRE) to support safe testing of experiments within live, real-world deployed DNS, and (2) live instrumentation and measurement to share real-world DNS query and performance data, with responsibility supported by technical and legal methods. Today researchers are under-supported, with only limited DNS data available, often long after collection and with limited ability to share, and no support exists for real-world experiments at scale. USC ISI is uniquely prepared to lead this effort with operational responsibility for the B-Root DNS server, long-term involvement in networking research and graduate education, and independence from commercial interests. The DIINER approach spans the DNS ecosystem, from end-computers (stub resolvers), to organization-level recursive resolvers, and to authoritative DNS servers. The proposed infrastructure will integrate with B-Root, second-level-domain authoritative resolvers, and with a recursive resolver. Stakeholders include end users, Internet services providers (ISPs), and other kinds of service providers, from operators of public DNS services, to commercial DNS providers. The DIINER project will release tools it develops as open source, augmenting research-infrastructure-as-service with third-party deployments.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Internet中的命名和标识对于找到网站（例如www.nsf.gov）和其他服务至关重要。域名系统（DNS），身份和互联网命名进行实验和研究（Diiner）项目提议通过提供研究基础架构，数据和社区建设来加速有关互联网命名，标识和DNS的研究。 该项目将提供（1）测试床和工具，以允许对DNS数据进行实验，并支持从研究到实验用途和最终运营的新方法的逐步过渡。 （2）该项目将在对隐私敏感的匿名化和受控数据共享的框架下，提供有关DNS的使用方式以及DNS系统和服务器的性能的数据。 Diiner项目还将通过（3）促进一个协作研究社区，通过收紧学术界的创造力和观点之间的反馈循环，知识和现实世界中的问题以及关键基础设施的操作数据，举办有关这些主题以及这些工具和新研究方法的研讨会。 Diiner项目基于南加州大学（USC）信息科学研究所（ISI）经验，既经营运营DNS服务，例如B-root，又与研究社区合作共享数据并提供研究基础架构。 Diiner的预期结果是如何进行有关互联网命名，身份和DNS的研究的科学进步。今天如何完成互联网命名，身份和DNS的性能，可靠性，安全性和隐私的改善；以及在南加州大学和社区中对教育和研究的支持。互联网的DNS最常见的地址映射名称（例如www.nsf.gov到128.150.4.107），其用途已增长以包括诸如反垃圾邮件和内容交付网络之类的应用程序。 使用DNSSEC（域名系统安全扩展），DNS可以保护数据完整性，并可以基于信任系统，X.509通信和证书授权。 但是互联网命名，标识和DNS面临许多挑战。随着互联网已从低风险的学术实验转变为一个万亿美元的市场，安全性发生了变化，从而带来了有组织犯罪和民族国家的威胁。 DNS还聚集了伟大的惯性，具有巨大的，耐药的安装基础，从数百万的家庭路由器到精致的商业群集。 它作为“关键基础设施”的认同增加了技术和政治惯性。 这些要求加剧了技术挑战，例如最大程度地减少潜伏期，并且经常使研究社区与运营现实相距甚远，而没有数据和基础设施来做出可靠的贡献。Diiner项目建议通过在互联网命名和信任和从研究中促进工作到运营的稳定性来满足这些挑战，并反向DNS骨化，并在互联网命名和信任方面进行新的研究。 它的目标是通过在Diiner周围建立互联网命名和识别社区来团结孤立的研究人员，这是一个新的共享研究基础架构提供：（1）并行DNS分辨率评估（PRE），以支持对实时，现实世界中部署的DNS内实验实验的安全测试，并根据现实仪表和法律责任与现实的DNS和责任DNS和责任数据，并与责任和责任数据和责任。 如今，研究人员的支持不足，只有有限的DNS数据可用，通常是在收集到有限的共享能力，并且不存在对实际实验的支持。 南加州大学ISI是为了领导这项工作，以对B-Root DNS服务器的运营责任，长期参与网络研究和研究生教育以及与商业利益的独立性。 Diiner方法跨越了DNS生态系统，从最终计算机（存根解析器）到组织级递归解析器，再到权威的DNS服务器。 拟议的基础设施将与B根，第二域权威解析器以及递归解析器集成。 利益相关者包括最终用户，互联网服务提供商（ISP）和其他类型的服务提供商，从公共DNS服务运营商到商业DNS提供商。 Diiner项目将发布其开发的工具，通过第三方部署来扩大研究基础设施，以服务为服务。该奖项反映了NSF的法定任务，并认为值得通过基金会的知识分子的智力优点和更广泛的影响来通过评估来获得支持。

项目成果

Old but Gold: Prospecting TCP to Engineer and Live Monitor DNS Anycast

老而黄金：勘探 TCP 来设计和实时监控 DNS 选播

• 发表时间: 2022
• 期刊: Passive and Active Measurement Conference"
• 作者: Moura, Giovane C.;Heidemann, John;Hardaker, Wes;Charnsethikul, Pithayuth;Bulten, Jeroen;Ceron, João M.;Hesselman, Cristian
• 通讯作者: Hesselman, Cristian

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS

TsuNAME：利用 DDoS DNS 的错误配置和漏洞

• DOI: 10.1145/3487552.3487824
• 发表时间: 2021
• 期刊: ACM Internet Measurements Conference
• 作者: Moura, Giovane C.;Castro, Sebastian;Heidemann, John;Hardaker, Wes
• 通讯作者: Hardaker, Wes

Do You Really Like Me? Anycast Latency and Root DNS Popularity

你真的喜欢我吗？

• 发表时间: 2021
• 期刊: Workshop on DNS and Internet Naming Research Directions
• 作者: Heidemann, John;Moura, Giovane C.;Hardaker, Wes
• 通讯作者: Hardaker, Wes

Institutional privacy risks in sharing DNS data

共享 DNS 数据的机构隐私风险

• DOI: 10.1145/3472305.3472324
• 发表时间: 2021
• 期刊: Proceedings of the Applied Networking Research Workshop (ANRW
• 作者: Imana, Basileal;Korolova, Aleksandra;Heidemann, John
• 通讯作者: Heidemann, John

Anycast Agility: Network Playbooks to Fight DDoS

Anycast Agility：对抗 DDoS 的网络手册

• 发表时间: 2022
• 期刊: 31st USENIX Security Symposium
• 作者: Rizvi, A S;Bertholdo, Leandro;Ceron, João;Heidemann, John
• 通讯作者: Heidemann, John