SaTC: CORE: Small: Understanding Practical Deployment Considerations for Decentralized, Encrypted DNS

SaTC：核心：小型：了解去中心化加密 DNS 的实际部署注意事项

• 批准号: 2155128
• 负责人: Nicholas Feamster
• 金额: $ 50万
• 依托单位: University of Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-08-01 至 2025-07-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2155128&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Understanding; Practical

The Domain Name System (DNS) is the Internet protocol and system that maps human-readable names to Internet protocol addresses; it is central to every Internet activity, from web browsing to video streaming. Despite the central role of the DNS in essentially all Internet communications, until recently it has been unencrypted, which has introduced significant privacy risks and vulnerabilities. In recent years, technology to encrypt DNS queries and responses includes transmitting DNS queries and responses. This project is studying the performance and privacy properties of existing encrypted DNS protocols such as DoH and DoT, towards the ultimate goal of deploying applications and systems that use these new protocols to improve user privacy and provide users satisfactory performance. The Internet is rapidly moving towards encrypted DNS protocols, with encrypted DNS now either available or enabled by default in many standard Internet browsers and Internet-connected embedded devices. Yet, there is relatively little knowledge or agreement about the performance and privacy characteristics of such protocols. This project builds on the early work in this area to develop comprehensive techniques for evaluating both the performance and privacy of new network applications, systems, and architectures that rely on encrypted DNS protocols. The research will contribute to the larger body of knowledge on both DNS performance and privacy, and the available performance and evaluation frameworks for evaluating encrypted DNS protocols will be released to the community to allow others to continue to build on these results.The first theme of this project seeks to understand the performance implications of existing encrypted DNS protocols and architectures, on DNS lookup time, as well as on the performance of popular Internet applications whose performance depends on the DNS, particularly for metrics such as web page load time. Understanding why (and when) encrypted DNS outperforms unencrypted DNS---as well as when it does not---will ultimately shed light on how to best architect DNS resolution to ensure both confidentiality and good performance. The second theme of this project recognizes that encrypting DNS need not imply centralization. Distributing a client's DNS queries across multiple recursive resolvers may improve reliability, privacy, and even performance, although such improvements will ultimately require the design of appropriate strategies for distributing these queries. This theme explores the prospect of re-decentralizing the DNS. Third, the project is coalescing various approaches to DNS privacy---from DNS encryption to previous work on oblivious DNS (ODNS)---into a coherent architectural framework. This theme explores how and where DNS privacy extensions could be deployed (e.g., in a local DNS resolver, in a web browser) to both preserve user privacy and preserve a seamless user experience.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

域名系统（DNS）是将人类可读名称映射到Internet协议地址的Internet协议和系统；从Web浏览到视频流媒体，它都是每个Internet活动的核心。尽管DNS在本质上是所有互联网通信中的核心作用，但直到最近它都没有加密，这引入了很大的隐私风险和脆弱性。近年来，加密DNS查询和响应的技术包括传输DNS查询和响应。该项目正在研究现有的加密DNS协议（例如DOH和DOT）的性能和隐私属性，以部署使用这些新协议来改善用户隐私并为用户提供令人满意的性能的应用程序和系统的最终目标。 Internet正在迅速朝着加密的DNS协议迈进，现在使用加密的DNS可用或默认在许多标准的Internet浏览器和与Internet连接的嵌入式设备中启用。 但是，关于此类协议的绩效和隐私特征的知识或一致性相对较少。 该项目建立在该领域的早期工作的基础上，以开发全面的技术，以评估依赖加密DNS协议的新网络应用程序，系统和体系结构的性能和隐私。 The research will contribute to the larger body of knowledge on both DNS performance and privacy, and the available performance and evaluation frameworks for evaluating encrypted DNS protocols will be released to the community to allow others to continue to build on these results.The first theme of this project seeks to understand the performance implications of existing encrypted DNS protocols and architectures, on DNS lookup time, as well as on the performance of popular Internet applications whose performance depends on the DNS，特别是对于诸如网页加载时间之类的指标。 了解为什么（以及何时）加密的DNS优于未加密的DNS-以及何时不限制DNS，最终将阐明如何最好地确保建筑师DNS解决方案以确保机密性和良好的性能。该项目的第二个主题认识到加密DNS不必暗示集中化。在多个递归解析器上分发客户的DNS查询可能会提高可靠性，隐私甚至性能，尽管此类改进最终将需要设计适当的策略来分发这些查询。该主题探讨了重新将DNS进行重新居中的前景。 第三，该项目是将各种DNS隐私的方法融合在一起 - 从DNS加密到先前关于Obsovious DNS（ODN）的工作 - 到连贯的建筑框架。 This theme explores how and where DNS privacy extensions could be deployed (e.g., in a local DNS resolver, in a web browser) to both preserve user privacy and preserve a seamless user experience.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.