DNS Cache Resources Sharing Model Based Blockchain

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI
10.1109/ACCESS.2020.2966428, IEEE Access
DNSTSM: DNS Cache Resources Trusted

Sharing Model Based on Consortium
Blockchain
ZHONG YU1, DONG XUE1, JIULUN FAN1, CHANG GUO1
School of Communication and Information Engineering, Xi’an University of Posts and Telecommunications, Xi’an 710071, China
1
Corresponding author: Dong Xue (e-mail: dongxue@stu.xupt.edu.cn).

This work was supported in part by the National key research and development plan under Grant 2017YFC0803805, and in part by
the Shaanxi Provincial Key Research and Development Program of China under Grant 2018ZDCXL-GY-04-01.
ABSTRACT The inseparable internet requirements and the endless stream of cyber-attacks have led to
strong demand for trusted IP addresses. However, the existing collaborative DNS security schemes have the
defects of low credibility and imperfect incentive mechanism. Enlightened by the Consortium blockchain
technology, we propose a novel DNS Cache Resources Trusted Sharing Model, which can improve the
credibility of DNS resolution results by establishing a complete chain of trust. Firstly, the consortium
blockchain is introduced as the carrier of the peer-to-peer network to reduce the impact of illegal access and
complicity tampering on the DNS cache credibility; Secondly, the evaluation index of the node credibility
in the DNS cache sharing model is proposed, and the trust-based incentive mechanism is designed to reduce
the impact of free-riding behavior and on the trusted performance of the system. The two indicators of node
abnormal behavior similarity and roundtrip time between nodes are used to comprehensively evaluate the
degree of recommendation of the node and serve as the basis for dynamic scheduling; Finally, we use the
stochastic distributed decentralized storage mechanism to solve the problem of low efficiency in the
consortium blockchain. The simulation results show that the model has certain advantages in ensuring the
credibility of domain name resolution results, and maintains the ideal efficiency while ensuring trust.
INDEX TERMS Blockchain, Consortium blockchain, DNS security, Sharing Model
I. INTRODUCTION the payload and analyzing its authenticity based on the

At present, Domain Name System (DNS), as one of the auxiliary information [6]. The Domain Name Cross
essential protocol in the Internet, maintains the interactive Referencing (DoX) [7] use the peer-to-peer network domain
mapping relationship between the Domain Name System name cross-referencing technology to detect cache poisoning
and the IP address space. However, there are two inherent attacks. With this approach, Recursive Servers are linked to
vulnerabilities in this network protocol, DNS resolvers trust each other through P2P (peer-to-peer) connections and allow
the response received after sending out queries, and users them to share a single piece of data called a verification
usually trust the host-address mapping provided by the cache (vCache). The correct rate of the solution to improve
DNS. Those vulnerabilities are easily exploited by the resolution results depends on the trust between the nodes,
malicious attackers who can insert a fake IP address in the but the solution inevitably risks the free ride and malicious
Recursive Server cache [1], [2]. DNS cache poisoning is collusion between the nodes. HARD-DNS [8] employs
often used as a primary source for developing more serious arbitration techniques between peers to increase tolerance for
secondary threats, such as phishing [3], masquerading cache poisoning but has similar problems as DoX. CoDNS [9]
servers for middleman (MITM) attacks [4], malware groups nodes that trust each other to assist each other's
injection, and denial of service [5]. queries when local domain name resolution fails, but its
In order to improve the credibility of the domain name security is weak because individual resolver error results can
resolution results, the researchers proposed a forgery easily be propagated throughout the peer-to-peer network.
detection mechanism for DNS cache poisoning attacks. This Although ConfiDNS [10] improves the security of CoDNS,
mechanism filters out forged DNS responses by examining their security mechanisms are not sensitive to Kaminsky's
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI
Z. Yu et al.: DNS Cache Resources Trusted Sharing Model (DNSTSM) Based on Consortium Blockchain
DNS cache poisoning attacks. H. Sun et al. [11] proposed the in the alliance. Network access is generally accessed
DepenDNS protocol, but Alfardan et al. [12] found that it through the gateway nodes of the member institutions, and
was weaker against DNS spoofing attacks. the consensus process is controlled by pre-selected nodes.
After studying the existing advanced solutions, we found The public can consult and trade, and a consortium license
that they did not consider the system may be subject to is required to verify the transaction or issue a smart contract.
internal attacks, and there is room for improvement in the Therefore, to a limited extent, only authorized nodes and
ability to resist cache poisoning attacks. To deal with these users can participate in the execution of transactions and
problems, we propose a DNS Cache Resources Trusted smart contracts, and any anonymous node or unauthorized
Sharing Model based on consortium blockchain to achieve user is denied service. With the advent of the FISCO BCOS
high credibility of domain name resolution results. The main [15], Ethereum Quorum [16], and Hyperledger Fabric [17],
contributions are as follows: consortium blockchain has become very popular and has
1) We propose to introduce the consortium blockchain into attracted more interest and investment in the world.
the peer-to-peer network collaboration system for forgery
detection, and design an identity-based access control system B. OVERVIEW OF APPLICATIONS OF BLOCKCHAIN IN
to eliminate potential threats caused by untrusted nodes. At TRUSTED SHARING MODEL
the same time, the model is divided according to the access In this section, we focus on several strategies to build a
interest of the consortium members, which improves the trusted sharing model based blockchain and point out their
reuse rate of the cached data. differences with our trusted sharing model for DNS caching.
2) We propose a method for calculating the credibility of Zhang et al. [18] proposed a distributed data security
DNS resolution nodes, which can evaluate the behavior of sharing and storage system solution for vehicle self-
malicious or later subverted nodes, and avoid them from organizing network. In DSSCB, when the vehicle node
further affecting the system. Moreover, based on the level of uploads the collected data, the integrity and security of the
credibility, a dynamic scheduling mechanism is implemented data can be guaranteed by digital signature technology, and
to motivate nodes to perform their own security upgrades. the data coin is used to motivate the vehicle participating in
3) We design a Stochastic Distributed Decentralized the data sharing. This solution effectively improves the
Storage Algorithm (SDDSA) to group members in the same VANET identity validity and message reliability issues.
federation, which provided conditions for further However, the data coins incentive method in this solution
implementing the multi-channel coroutine processing scheme does not bring intuitive benefits to sharers. In our solution,
of DNS cache resources so that the DNSTSM system trusted sharers can obtain safe, and efficient service.
satisfies the domain name resolution scenario for low latency Li et al. [19] proposed Meta-key, a data-sharing
and high-reliability requirements. mechanism that enables users to share their encrypted data
The structure of this paper is as follows: The second part under a blockchain-based distributed storage architecture.
introduces the consortium blockchain technology and the For the blockchain expansion problem, the scheme only
related research progress of the current blockchain in the extracts and stores some metadata, and the data and
sharing model field. In the third part, we introduce our metadata are encrypted by the data owner. The solution
trusted sharing model. The fourth part analyzes security and enables lightweight, secure storage and easy key
performance. We give the conclusion in the fifth part. management. We also use lightweight data storage, but our
solution validates the data before it is stored.
II. RELATED WORK Yang et al. [20] proposed a Differentially Private Data
In this section, we present a brief review of the consortium Sharing scheme based on the blockchain. The solution
blockchain technology and applications of blockchain in builds different cloud servers into a cloud federation for
Trusted Sharing Model (TSM). interoperability and collaboration, and enables privacy
owners to control the anonymization process and enhance
A. CONSORTIUM BLOCKCHAIN TECHNOLOGY service security through a privacy technology. The effect of
The consortium blockchain is only open to specific the privacy control of the data is achieved, but the
organizational groups, and it is a blockchain that requires management of the cloud server in the alliance is lacking.
registration permission [13]. The consortium blockchain is Unlike this approach, our shared model provides control
limited to the participation of consortium members, and the over the management of model members.
read and write permissions on the blockchain and the The current work on the blockchain in the DNS is mainly
participation accounting rights are specified according to focused on decentralizing the centralized authoritative
the consortium rules [14]. The consortium blockchain is domain name servers [21], [22], [23], [24]. However, our
composed of one supernode and several common nodes. In proposed DNSTSM is more concerned with the incremental
addition to the functions of common nodes, the supernode improvement of the existing DNS infrastructure, and the
also has the functions of implementing member credibility of resolution results is improved by the way that
management, authority management, and data monitoring peer-to-peer networks share trusted DNS cache resources.
FIGURE 1. DNSTSM network architecture diagram.
III. DNS CACHE RESOURCES TRUSTED SHARING

MODEL BASED ON CONSORTIUM BLOCKCHAIN
A. OVERALL FRAMEWORK AND THREAT MODEL FIGURE 2. The overall function module of DNSTSM.
The network structure of the solution is shown in Fig.1. TABLE 1. Threat model.
This solution is to maintain a set of validated A Records
between recursive servers in a peer-to-peer network, and to Membership management DNS security
isolate possible threats from trusted networks, ensuring the Cache
Permission out of bounds
tampering
credibility of users' domain name resolution results. Internal
Malicious logout Collusion attack
Fig.2 presents an overview of the function module of the
Free-riding
proposed DNS Cache Resources Trusted Sharing Model
Identity Cache
(DNSTSM), which is categorized into three parts, i.e. data Illegal
forgery poisoning
acquisition module, data storage module, service module. External access to
Evidence
In the data acquisition module section, we designed a set of the network
stealing
cache validation mechanisms. When the response returned
by the local Recursive Server is inconsistent with the
1) Collusion attack refers to the process of multiple
cached information in the cached federation or the domain
retransmission recursive servers jointly pointing the
name is resolved for the first time, the DNS Validator
resolution request to the same wrong IP address under
responds to the Multi-DNS Recursive Servers Lookup.
malicious control so that the forged IP is valid and written
Alert Manager is activated when Cache Validation Manager
into the Blockchain database. 2) Hitchhiking, in this article,
detects inconsistent resolution information to list it as high-
refers to the use of the system to obtain the credible results
risk domain name information. In the data storage module
of its own needs, but as a forwarding party, it does not
section, a peer-to-peer network consisting of different
maintain and upgrade its security.
recursive servers maintains a set of A records stored in
blockchain mode, and a Stochastic Distributed
B. CONSTRUCTION OF DNS CACHE RESOURCES
Decentralized Storage Scheme is designed to improve the TRUSTED SHARING MODEL
read and write efficiency of the system. In the service Member organization structure in DNSTSM network is
module section, the Dynamic Scheduling Mechanism shown in Fig.3. DNSTSM is established between recursive
provides an efficient way to assign forwarding Recursive servers with the same theme of interest. Depending on the
Server to all Recursive Servers. The Time-To-Live Scheme region, entities in the DNSTSM can be divided into several
maintains the real-time and effectiveness of the cached data organizations; depending on the service function, the
in the Blockchain Database. The credit manager is designed entities in the DNSTSM can be divided into the local
for credibility-based incentives to calculate the credibility recursive server and the forwarder recursive server. The
of each node and invoke the Dynamic Scheduling local recursive server is responsible for the functions of the
Mechanism to reward trusted nodes. traditional recursive server, and send the request to the
The threat model of our solution is constructed from the forwarder recursive server under the same model network
perspective of the attacker's possible attack methods. As when the poison alarm is triggered. The forwarder recursive
shown in Table 1, the security threats involved include server provides additional resolution services for the local
threats to member management and threats to DNS security. recursive server.
Under this threat model, our solution is effective. It should This section describes: DNSTSM member role
be specially stated that: assignment, DNSTSM member management.
TABLE 2. Entities correspond to roles in the DNSTSM.
Entity Roles in DNSTSM Description

Recursive Server (local) Client The direct operator of the blockchain
Peer (endorser) Simulated execution
Peer (committer) Verify the transaction
Recursive Server (local/fowarder)
Orderer Sort and package transaction
CA Verify identity information
FIGURE 4. Flowchart of certificate issuance in DNSTSM.
FIGURE 3. Member organization structure in DNSTSM network. 2) DNSTSM MEMBER MANAGEMENT

Credibility is strongly related to identity authentication.
1) DNSTSM MEMBER ROLE ASSIGNMENT DNSTSM is established on the permissioned blockchain
As shown in Table 2, in the P2P network built by and only allows authorized members to participate in data
DNSTSM, two types of recursive servers have five maintenance. It uses the Membership Service Provider
different logical roles. (MSP) to implement member authentication. MSP abstracts
There are five logical roles in the DNSTSM: 1. Client: certificate issuance, user authentication, background
The client uses the SDK to communicate with the encryption mechanisms, and protocols. The MSP's
DNSTSM network. It obtains a valid identity certificate certificate is issued based on a trusted third-party
from the CA and joins the application channel in the organization, the Certification Authority (CA), which
network. 2. Peer (Endorser): Responsible for checking and issues the certificate after confirming the identity of the
endorsing the proposal of the transaction, calculating the applicant. The Root Certificate is a self-signed certificate,
execution result of the transaction. 3. Peer (Committer): and a new certificate can be signed with the private key of
Responsible for rechecking the legality before accepting the the Root CA Certificate to form a tree structure. The digital
certificate issuance process is shown in Fig.4. Here the
transaction result, accepting the modification of the legal
node signature uses the Elliptic Curve Digital Signature
transaction reconciliation ledger, and writing to the
Algorithm (ECDSA), and the digest is generated using
blockchain structure 4. Orderer: Is the blockchain identity
SHA-256. A certificate signed by the private key of the
of the members of the sorting service in the cache sharing Root CA Certificate can also issue new certificates. When
consortium member. It does two things: first, receiving and the new certificates serve as intermediate certificates, these
sorting the transactions by rules. Second, the completed intermediate certificates form a list that meets the X.509
transactions are packaged into blocks at regular intervals. 5. standard. Members in the list are called intermediate CAs,
CA: A CA server cluster is formed by some nodes elected and intermediate CAs can also Issue a new certificate with
in the DNSTSM network, responsible for managing the own private key. Issuing a certificate is a Trust
certificates of all recursive servers in the DNSTSM endorsement process that forms a Chain of Trust from the
network, and providing standard PKI services, including root CA certificate to the end-user certificate. The data
registration and unregister. structure of membership information is shown in Table 3.
TABLE 3. Membership Data Structure. 1) DESCRIPTION AND MEASUREMENT OF

CREDIBILITY
Variables Types Description Definition 1 Credibility: Credibility refers to the definition
Membership ID, one-to-one of trust evaluation of target node based on its direct
id string
correspondence with ip interaction with peer node. Let the set of servers be
Adopted the public key A, d  A , and the credibility of d is calculated as follows:
cert x.509
certificate standard  q
1  e1 q , 0  q  1
pk pk.Key public key d cred   (1)
mspid string Subordinate to the MSP  1 ,q 1
The calculation formula of q is as follows, where the
The validity of the management certificate is managed interaction between the target node and the peer node is
by using a CRL (Certificate Revocation List) or an OCSP recorded as set B , and the abnormal result set of the server
(Online Certificate Status Protocol) in the PKI system of is detected as C , t p is the time attribute of q .
DNSTSM. DNSTSM member management includes t
 p.ln now
now  t p
registration and unregister. pB t
(a) Registration: Complete registration by applying to a q  1 (2)
higher-level CA. There are three types of registered  k
kB
certificates: ECert: issued to the user or node entity that In this paper, the transition parameter q is set as
provides the registration credentials, long-term valid; logarithmic decay with time, that is, the credibility is
communication certificate (TLSCert): TLS certificate is used affected by previous attacks, and the influence intensity
to secure the communication link and control access to the gradually decreases with time. In practical applications, it
network layer Access, you can verify the remote entity can be understood as a server with an abnormality,
identity, prevent eavesdropping; transaction certificate although the vulnerability is fixed, it still has a greater risk
(TCert): issued to the user, control the permissions of each of being attacked than a server without an abnormality.
transaction, generally for a transaction, short-term effective. Definition 2 Similarity of abnormal state: refers to the
(b) Unregister: A certificate that has been issued can be similarity degree of abnormal behaviors of nodes and other
revoked due to rights management or other reasons. The nodes in the network. In this paper, the similarity is solved
CRL is part of the shared cache and is used to track
by the method of cosine similarity. Suppose that the set of
revoked identities and certificates. It is shared by all CA
detection results of server attack degree is C , p  C , and
servers in the consortium, and non-CA servers do not have
the calculation formula of abnormal state similarity of d sim
access. There are several ways to unregister an issued
certificate: 1) Delete the intermediate CA certificate: delete is as follows:
n
the certificate in the intermediate certs directory, so that the
certificates issued by the intermediate CA certificate belong
p vi . pwi
(3)
d sim  i 1
to the invalid certificate. 2) Add CRL list: you can add an n n
intermediate CA certificate or a single certificate to the p
i 1
vi
2
p
i 1
wi
2
CRL list.
Definition 3 Roundtrip time ( RRT ): Round trip time
C. CREDIBILITY-BASED INCENTIVE MECHANISM refers to the time it takes for the remote name server to
In this section, we propose a credibility-based incentive respond to requests. The internal timer is started whenever
mechanism to address the behavior of rational users “free- the local server sends a query request to the remote name
riding” in cache-shared peer-to-peer networks. This server. Stops timing when it receives a response, recording
mechanism fine-grained regulate the traditional one-sided the time it takes for the remote name server to answer.
credibility scheme and uses dynamic programming to 2) DYNAMIC SCHEDULING MECHANISM
allocate node resources, while maximizing system The incentive mentioned in this section are reflected in the
credibility maintenance efficiency, also enable resource- dynamic scheduling mechanism. The dynamic scheduling
providing nodes to maximize rewards after sharing reliable mechanism is composed of a scheduling manager, which is
network resources, in order to encourage rational users in used to allocate a suitable upstream resolution server for the
the network to perform security maintenance and upgrade forwarding mechanism of the local resolution server. Based
of their own domain name servers. Ensure the credibility of on the credibility-based incentive mechanism, the dynamic
the resources in the network, and achieve the characteristics scheduling mechanism uses the credibility of nodes in the
of sharing the trusted resources in the true sense of the cached alliance network as the allocation criterion. The
sharing model. First, describe and measure the definition of selection of the upstream resolution server considers the
credibility, and then introduce the implementation scheme node anomaly state similarity and the comprehensive index
of the incentive mechanism based on node credibility.
of roundtrip time in the network. The higher the node
credibility, the greater the contribution to the total credibility
of the network, correspondingly, the higher the allocation behalf of the client. Instead of resolve only onetime,
priority, the mechanism encourages the node to share trusted DNSTSM duplicates the query and forwards them to
network resources for higher contribution. multiple recursive servers according to the Dynamic
Definition 4 Selection rate: The selection rate is a description Scheduling Mechanism. When the forwarder detects that
of the degree to which it can be selected to serve the target the request comes from other members of the consortium, it
node. The calculation formula is as follows: does not trigger the MDRSL. In addition, a domain name
a 1  dcred   b 1  d sim  +c 1  d rtt  often corresponds to multiple IP (i.e., dynamic DNS). For
d selection _ rate  (4)
  cred   sim   rrt 
hA
a 1  h  b 1  h  b 1  h how to return the appropriate IP for the user, in MDRSLM,
the IP selection is related to the recursive server to which
The initial value of d sim is 0, and a , b , and c are the user belongs. DNSTSM executes the following actions
constants. The selection coefficient is a comprehensive when a user's wants to resolve a domain name. The
consideration in terms of safety and performance. The higher proposed method does not change the packet length, so the
the similarity degree of the abnormal state, the smaller the packet length is the same as the original DNS packet length.
selection coefficient; the larger the RTT , the smaller the These actions are shown in Fig. 5.
selection coefficient. In the scheduling process, a basic (a) The application's request triggers DNSTSM to perform
threshold is firstly set. If the number of times that the server a regular domain name resolution to obtain IP data R ;
is selected as the upstream parsing server exceeds this (b) If a packet with the same TXID is received later, the
threshold, the server will be added to the frozen list, and the Alert Manager is triggered and R is left blank, and write the
server will not be selected in a dynamic allocation exception status record of this recursive server to the
mechanism cycle. After the cycle, the frozen list will be blacklist;
removed and initialized. The specific selection method is (c) DNSTSM searches the Blockchain Database for
based on the priority of credibility, and three parsing servers domain information and obtains the IP history value H . If
are selected as the upstream party according to the selection R  H and R is not empty, it can directly return the packet
coefficient. Since the credibility, the attack state similarity, where R is. Otherwise, proceed to the next step;
and roundtrip time are dynamically updated, the selection (d) DNSTSM converts the first and last letters of the name
factor changes, making the selection dynamic. tuple of the request packet question part to uppercase, as the
identifier forwarded by the consortium member, and
D. DNSTSM DATA ACQUISITION AND STORAGE forwards it to the t recursive servers assigned by the
1) DNSTSM DATA ACQUISITION member manager. And gets the response Li  i 1,2 ,..., t  ;
This section describes the method of collecting trusted data (e) If R  Li , return the packet where R is, and
in DNSTSM and the process of returning trusted data to the supplementary updates to this domain information are made
client. using R and RNS _ ID through the DNS Cache Manager;
(f) Based on R , the application will connect to the
trustworthy IP addresses.
Algorithm 1: SDDSA.
Input: Domain name X , Number of channels C
Output: Storage location N
Begin
H _ 32 ←Build a 32-bit hexadecimal number of X
base on CRC 32  X 
H _ 8 ←Convert a 32-bit hexadecimal number to an 8-
bit hexadecimal number base on two fold-and-fold
additions method with overflow
if C  255 then
FIGURE 5. Multi-DNS Recursive Servers Lookup Mechanism.
D ←Convert hexadecimal H _ 8 to decimal
According to the fact that it is difficult for an attacker to N ←Generates the storage location of X based on the
destroy multiple DNS servers using the same error data at operation D mod C
the same time, we propose a Multi-DNS Recursive Servers else
Lookup Mechanism (MDRSLM) to isolate the fake reply Exit Algorithm // organizations exceeded
packets. It consists of Cache Validation Manager, TTL endif
Manger, and Alert Manager. Typically, when a client End
program makes a domain name resolution request, the local
Recursive Server performs only one DNS resolution on
Submit Transaction; (3.b) Forward; (4) Sort the transactions

and construct the blocks; (5) Send Transaction block; (5.a)
Check transaction structure integrity, signature, repeat; (5.b)
Verify that the transaction complies with the Endorsement
Policy (VSCC); (5.c) Check that the version in the read set is
consistent with the ledger; (5.d) Perform legal transactions in
the block and update the account status.
IV. EXPERIMENTAL EVALUATION

Unless explicitly stated, in our experiments: (1) The node
runs on Fabric v1.1 and performs performance testing
through local login, (2) All nodes use a 2.0GHz 16-vCPU
virtual machine, using Ubuntu16.4 LTS system, with 12G
FIGURE 6. Cache confirmation flow in DNSTSM.
memory, (3) Use three ZooKeeper nodes, four Kafka brokers
2) DNSTSM DATA STORAGE and three Fabric orderers to run multi-channel orderer
This section accomplishes two tasks. The first is to assign the service on different virtual machines, (4) There are five peers,
channel address stored on the DNSTSM to the verified A which are composed of different recursive servers and all of
record, and the second is to store the verified A record on the which are CA endorsement nodes, (5) Signature uses the
matching blockchain. default 256-bit ECDSA policy.
A channel is a private "subnet" for communication
between two or more specific network members for A. PERFORMANCE TEST
transactions that require data confidentiality. In Fabric, In this section, we evaluate the performance of the proposal
establishing a channel is equivalent to establishing a sub- in terms of availability and efficiency. In addition, we
chain. However, because all peers in the same channel store estimate the effects of factors such as cache percent and the
and process the same data, this storage structure can affect number of members on system efficiency.
the read and write speed of Peer nodes when the amount of 1) AVAILABILITY
data is very large. This test is used to verify the normal domain name
The multi-channel (i.e., multi-chain) storage scheme can resolution capability of the system under the cache
improve the reading efficiency of system data. Based on the poisoning attack. Birthday attacks were launched on
multi-chain deployment structure, smart contracts running on traditional DNS servers and DNSTSM systems. The values
different chains access different data, improving the of the parameters are shown in Table 4. RT and NoF are
efficiency of parallel processing. Each organization has used to set the number of valid packets forged by the
members used as sorting service nodes to increase the attacker, and q is the number of requests for the same
throughput of the blockchain system by equally assigning domain name sent by the attacker in advance. In this case,
sorting tasks. the attacker only needs to guess one of them. RT takes 0.1s
We designed a Stochastic Distributed Decentralized to refer to "DNS Security", NoF takes 10000 and q takes
Storage Algorithm (SDDSA) to select storage locations. 100 is the empirical value. In this configuration, the attack
The usage scenarios of the algorithm include the selection effect can be made more obvious. The value of n is 2,
of the storage location when storing data and the which is the simplest case, and the lower limit of the
acquisition of the read address when reading data. When security scheme provided by the corresponding scheme.
storing or reading data, the position information is obtained According to the experimental results in Fig.7, the attack
by using two parameters of the converted domain name and success rate of the DNSTSM system is on the order of 10 11 ,
the number of channels (i.e., the initial number of while that of the HARD-DNS and DependDNS system is
members). The feature of the algorithm is to ensure the on the order of 10-9 . With the same number of server nodes,
uniform distribution of the storage location and the DNSTSM system has better anti-attack capability and
certainty of the storage location. stability than the HARD-DNS and DependDNS. The
After obtaining the storage location, the DNSTSM system results show that the model and method are effective. This
initiates the Blockchain-based DNS Caching Mechanism. As indicates that it is difficult for an attacker to cooperate with
Fig.6 shown, the caching process is as follows: (1) Send TX multiple DNS servers, and a single trial-and-error attack
Proposal (including write, delete, read); (1.a) Verify Proposal cannot produce a cumulative effect. When the alarm senses
signature; (1.b) Check if the Channel ACL is satisfied; (1.c) an abnormal response, the DNSTSM system can block the
Simulate execution of transactions and sign results (ESCC); attack chain by dynamically changing the forwarder to
(2) Reply to Proposal Response; (2.a) Verify signature; (2.b) achieve the high availability of the system.
Compare the results of multiple Endorsers; (2.c) Check if
enough Endorsement is collected; (3) Send Transaction; (3.a)
TABLE 4. Experimental parameter configuration. As shown in Fig.8, the average latency of DependDNS and
HARD-DNS queries is 128.93ms and 119.81ms, and the
Variables Value Description average latency of the DNSTSM domain name system is
Number of query requests for the 94.562ms. The DNSTSM mechanism gives a lower latency
q 100 same domain name sent by the
than the control group.
attacker in advance 100
Number of false attack packets that
NoF 10000
an attacker can send per second
RT 0.1s DNS query request reply time 90
Forwarding party recursive server
Response time (ms)

n 2
number
80
70
10
0
0 20 40 60 80 100
Cache percent (%)
FIGURE 9. The relationship between the proportion of the query in the
cache of the DNSTSM system and the average response time.
100
98 With SDDSA
Normal
96
Response time (ms)
94
FIGURE 7. Effect of different attack intensity on availability of existing
advanced methods and DNSTSM system. 92
90
88
8
6
4
2
0
0 3 6 9 12 15 18 21 24 27 30 33
Num
FIGURE 10. Comparison of average response time between the system
with SDDSA and without SDDSA.
Fig.9 shows that the DNSTSM system can bring
cumulative benefits. As the cached data increases, the cache
hit probability is increased to ensure the efficiency of the
service. We use the system with and without the SDDSA
FIGURE 8. Comparison of average response time between DNSTSM
algorithm as a control group to test the average response time
system and existing advanced methods. when all nodes perform domain name resolution at different
2) EFFICIENCY system sizes (number of nodes). As shown in Fig. 10, the
Compared with general domain name queries, DNSTSM system with the SDDSA algorithm has a lower average delay
requires multiple domain name servers and blockchain than the system without the SDDSA algorithm, and as the
databases at the same time, which adds additional latency. system size (number of nodes) increases, the delay of the
The delay mainly includes the user and data validator delay system with the SDDSA algorithm increases very low. These
Tcv , the data validator and the last response. The propagation characteristics show that the scheme we designed improves
delay between the forwarders is delayed by Tvf and the the system's ability to handle multitasking. Combining the
processing delay between the blockchain database Tb . The above two experiments, we can see that increasing the
data validator delay Tv , the forwarder's resolution delay T f . number of members in the consortium only brings a very
little delay, but the number of members is more conducive to
increasing the cache rate, which means that the overall chained block structure with a timestamp, and the subsequent
efficiency of the system has been improved. blocks record the hash of the previous block (prehash).
Therefore, the DNSTSM prototype system only needs to Changes to any block data are changed from the changed
add a small processing delay and network communication block to the last block. Moreover, any new legal block must
delay in the case of providing highly reliable and highly be generated through a consensus mechanism to agree on the
available services. At the same time, when sending requests final selected block. Ensure that data cannot be tampered
to DNSTSM systems at different stages (referring to from a storage perspective;
different levels of caching), the network communication Security of data transmission: Every message transmitted
delay can have an important impact on the average time of through Gossip is signed, so forged messages sent by
the actual domain name query. Different sizes (referring to Byzantine nodes are easily identifiable.
the number of members of the cache consortium) have less 2) COMPLETE MEMBERSHIP TRUST CHAIN
impact on response time, but scale effects can lead to more The certificate represents the abstraction of a member entity
cache rates. Therefore, the DNSTSM system should be in the consortium. In order to solve the problem of member
formed to a certain size in exchange for low latency. certificate authority management, there is a Member Service
System (MSP) in the DNSTSM. MSP is based on the
B. SECURITY ANALYSIS identity authentication framework PKI to achieve
In our scheme, by combining the identity authentication certification and management related to the certificate life
mechanism and consensus mechanism of the consortium cycle. The issuance of a certificate requires the CA to sign
blockchain, and designing the incentive mechanism the validity of the certificate. A higher-level CA can issue the
according to the technical characteristics of DNS resolution legitimacy of the CA, and the root CA realizes the basis of
service, we obtain a resolution service that is more secure trust by pre-distributing certificates.
and trusted than the traditional P2P network sharing model.
3) MOTIVATION FOR CREDIBILITY
In this section, we discuss the security of the program.
The credibility-based incentive mechanism serves as an
As shown in Table 5, we compare our scheme with
important part of ensuring the credibility level of DNSTSM,
existing advanced schemes from the perspective of Defend
stimulating the enthusiasm of members to maintain their own
against cache poisoning attacks and internal attacks. The key
server security performance, and maintaining the virtuous
factors that define internal attacks include: Avoid
circle of DNSTSM domain name resolution.
information disclosure, Identity management, Access control,
Avoid conspiracy. We take whether to resist Kaminsky 4) AVOID NODE FAILURE
attack and whether to address these four critical factors of Avoid single point of failure: In our solution, the consensus
internal attacks as the evaluation criteria in Table 5. The mechanism uses the Kafka message queuing system, and the
comparison results show that our solution has more sorting nodes are clustered by Kafka, which can effectively
advantages in terms of functions and features. avoid the single network failure and cause the entire network
to collapse;
1) COMPLETE DATA TRUST CHAIN
Node crash tolerance: Each node continuously extracts
Reliable data source: In our solution, we obtain reliable
blocks from other nodes in the channel. Since there is no
cached data source in the way of multi-recursive server
need for a fixed connection to maintain Gossip-based data
parsing, and ensure the credibility of the data from the source;
propagation, the process can reliably implement node crash
Security of data storage: The entire system obtains a copy
tolerance for shared ledgers.
of the complete database in the form of a sub-database. Each
copy is a chain of identical blocks, which stores the data in a
Table 5. Comparison of the security indicators of our solutions with dox, CoDNS,ConfiDNS, DepenDNS, and HARD-DNS
Defend against cache Avoid information Identity Access Avoid

poisoning attacks disclosure management control conspiracy
Dox High No No No No
CoDNS Medium No No No No
ConfiDNS Medium No No No No
DepenDNS Medium No No No No
HARD-DNS High Yes No No No
Ours High Yes Yes Yes Yes
V. CONCLUSION [13] Q. Feng, D. He, S. Zeadally, M. K. Khan, N. J. J. o. N. Kumar, and

In this paper, we proposed a novel consortium blockchain- C. Applications, "A survey on privacy protection in blockchain
system," vol. 126, pp. 45-58, 2018.
based DNS Cache Resources Trusted Sharing Model [14] D. Puthal, N. Malik, S. P. Mohanty, E. Kougianos, and G. Das,
(DNSTSM). By introducing the consortium blockchain into "Everything You Wanted to Know About the Blockchain: Its
the DNS system, a secure and trusted DNS cache is Promise, Components, Processes, and Problems," IEEE Consumer
Electronics Magazine, vol. 7, no. 4, pp. 6-14, 2018.
maintained and the risk of illegal access and collusion is [15] FISCO BCOS [Online]. Available: www.fisco-bcos.org/
reduced. DNSTSM includes a trust-based incentive [16] Quorum [Online]. Available: https://quorum.com/
mechanism that creates positive feedback of trust for model [17] Hyperledger Fabric [Online]. Available:
https://www.hyperledger.org/
members. We designed a Stochastic Distributed [18] X. Zhang and X. Chen, "Data Security Sharing and Storage Based on
Decentralized Storage Algorithm to improve system a Consortium Blockchain in a Vehicular Ad-hoc Network," IEEE
throughput and load balancing. The experimental results Access, vol. 7, pp. 58241-58254, 2019.
show that DNSTSM meets the good performance [19] D. Li, R. Du, Y. Fu, and M. H. Au, "Meta-Key: A Secure Data-
Sharing Protocol Under Blockchain-Based Decentralized Storage
requirements under the premise of ensuring the security of Architecture," IEEE Networking Letters, vol. 1, no. 1, pp. 30-33,
domain name resolution. All of these benefits are obtained 2019.
without changing any external server-side DNS [20] M. Yang, A. Margheri, R. Hu, and V. Sassone, "Differentially
Private Data Sharing in a Cloud Federation with Blockchain," IEEE
infrastructure, which allows DNSTSM to be incrementally Cloud Computing, vol. 5, no. 6, pp. 69-79, 2018.
deployed, requiring only the local server to join the [21] J. Liu, B. Li, L. Chen, M. Hou, F. Xiang, and P. Wang, "A Data
consortium network and a minimal proxy. Storage Method Based on Blockchain for Decentralization DNS," in
2018 IEEE Third International Conference on Data Science in
In the future, we will explore and design a decentralized Cyberspace (DSC), 2018, pp. 189-196.
root CA certificate mechanism for DNSTSM to improve the [22] X. Wang, K. Li, H. Li, Y. Li, and Z. Liang, "ConsortiumDNS: A
decentralization and fault tolerance of the identity Distributed Domain Name Service Based on Consortium Chain," in
2017 IEEE 19th International Conference on High Performance
authentication system. Computing and Communications; IEEE 15th International
Conference on Smart City; IEEE 3rd International Conference on
REFERENCES Data Science and Systems (HPCC/SmartCity/DSS), 2017, pp. 617-
[1] J. Trostle, B. V. Besien, and A. Pujari, "Protecting against DNS 620.
cache poisoning attacks," in 2010 6th IEEE Workshop on Secure [23] Namecoin [Online]. Available: https://namecoin.org/
Network Protocols, 2010, pp. 25-30. [24] M. Ali, J. Nelson, R. Shea, and M. J. Freedman, "Blockstack: A
[2] L. Fan, Y. Wang, X. Cheng, and J. Li, "Prevent DNS Cache global naming and storage system secured by blockchains," in 2016
Poisoning Using Security Proxy," in 2011 12th International Annual Technical Conference, 2016, pp. 181-194.
Conference on Parallel and Distributed Computing, Applications
and Technologies, 2011, pp. 387-393.
[3] L. Yuan, C.-C. Chen, P. Mohapatra, C.-N. Chuah, and K. Kant, "A
Proxy View of Quality of Domain Name Service, Poisoning Attacks
and Survival Strategies," ACM Trans. Internet Technol, vol. 12, no.
3, pp. 1-26, 2013.
[4] R. Chandramouli and S. Rose, "Challenges in securing the domain
name system," IEEE Security & Privacy, vol. 4, no. 1, pp. 84-87, ZHONG YU received the M.S. and Ph.D.
2006. degrees in electronic science and technology
[5] I. M. M. Dissanayake, "DNS Cache Poisoning: A Review on its from the Xi’an Jiaotong University, China, in
Technique and Countermeasures," in 2018 National Information 2000, and 2005, respectively. He is currently an
Technology Conference (NITC), 2018, pp. 1-6. Associate Professor with the Xi’an University of
[6] A. Herzberg and H. Shulman, "Antidotes for DNS Poisoning by Off- Posts and Telecommunications. His current
Path Adversaries," in 2012 Seventh International Conference on research interests include communication
Availability, Reliability and Security, 2012, pp. 262-267. technology and blockchain technology.
[7] L. Yuan, K. Kant, P. Mohapatra, and C. Chuah, "DoX: A Peer-to-
Peer Antidote for DNS Cache Poisoning Attacks," in 2006 IEEE
International Conference on Communications, 2006, vol. 5, pp.
2345-2350.
[8] C. Gutierrez, R. Krishnan, R. Sundaram, and F. Zhou, "HARD-DNS:
Highly-Available Redundantly-Distributed DNS," in 2010 -
MILCOM 2010 MILITARY COMMUNICATIONS CONFERENCE,
2010, pp. 1343-1348.
[9] K. Park, V. S. Pai, L. L. Peterson, and Z. Wang, "CoDNS:
Improving DNS Performance and Reliability via Cooperative DONG XUE received the B.S. degree in
Lookups," in OSDI, 2004, vol. 4, pp. 14-14. electronic information engineering from Luliang
[10] L. Poole and V. S. Pai, "ConfiDNS: Leveraging Scale and History to University, China, in 2016. He is currently
Improve DNS Security," in WORLDS, 2006, vol. 3, pp. 3-3. pursuing the M.S. degree in communication and
[11] H.-M. Sun, W.-H. Chang, S.-Y. Chang, and Y.-H. Lin, "DepenDNS: information system with Xi’an University of
Dependable mechanism against DNS cache poisoning," in Posts and Telecommunications, Xi’an, China.
International Conference on Cryptology and Network Security, 2009, His research interests include network security
pp. 174-188: Springer. and the blockchain technology.
[12] N. J. Alfardan and K. G. Paterson, "An Analysis of DepenDNS," in
International Conference on Information Security, 2010, vol. 6531,
pp. 31-38.
JIULUN FAN received the B.S. and M.S.

degrees in basic mathematics from the Shanxi
Normal University, China, in 1985, and 1988. He
received the Ph.D. degrees in signal and
information processing from the Xidian
University, China, in 1998. He is currently a
Professor with the Xi’an University of Posts and
Telecommunications. His current research
interests include information security and
network security.
CHANG GUO received the B.S. degree in

electronic information engineering from
Zhongyuan University of Technology, China, in
2017. He is currently pursuing the M.S. degree in
electronics and communication engineering with
Xi’an University of Posts and
Telecommunications, Xi’an, China. His research
interests include network security and the
blockchain technology.

DNS Cache Resources Sharing Model Based Blockchain

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DNS Cache Resources Sharing Model Based Blockchain

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

DNSTSM: DNS Cache Resources Trusted

Corresponding author: Dong Xue (e-mail: dongxue@stu.xupt.edu.cn).

INDEX TERMS Blockchain, Consortium blockchain, DNS security, Sharing Model

I. INTRODUCTION the payload and analyzing its authenticity based on the

FIGURE 1. DNSTSM network architecture diagram.

III. DNS CACHE RESOURCES TRUSTED SHARING

TABLE 2. Entities correspond to roles in the DNSTSM.

Entity Roles in DNSTSM Description

FIGURE 4. Flowchart of certificate issuance in DNSTSM.

FIGURE 3. Member organization structure in DNSTSM network. 2) DNSTSM MEMBER MANAGEMENT

TABLE 3. Membership Data Structure. 1) DESCRIPTION AND MEASUREMENT OF

Submit Transaction; (3.b) Forward; (4) Sort the transactions

IV. EXPERIMENTAL EVALUATION

Response time (ms)

Defend against cache Avoid information Identity Access Avoid

V. CONCLUSION [13] Q. Feng, D. He, S. Zeadally, M. K. Khan, N. J. J. o. N. Kumar, and

JIULUN FAN received the B.S. and M.S.

CHANG GUO received the B.S. degree in

You might also like