CCRI: Medium: DNS, Identity, and Internet Naming for Experimentation and Research (DIINER)

CCRI：媒介：用于实验和研究的 DNS、身份和互联网命名 (DINER)

• 批准号: 1925737
• 负责人: John Heidemann
• 金额: $ 145.84万
• 依托单位: University of Southern California
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2019
• 资助国家: 美国
• 起止时间: 2019-10-01 至 2024-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1925737&HistoricalAwards=false
• 关键词: CCRI; Medium; DNS; Identity; Internet

Naming and identification in the Internet is essential to find websites (e.g. www.nsf.gov) and other services. The Domain Name System (DNS), Identity, and Internet Naming for Experimentation and Research (DIINER) project proposes to accelerate research on Internet naming, identification, and the DNS by providing research infrastructure, data, and community building. The project will provide (1) a testbed and tools to allow experimentation on DNS data and to support gradual transition of new approaches from research into experimental use and ultimately to operation. (2) The project will provide data about how DNS is used and how the DNS system and servers perform, in the context of a framework for privacy-sensitive anonymization and controlled data sharing. The DIINER project will also work to (3) foster a collaborative research community by tightening the feedback loop between the creativity and perspectives of academia and the knowledge and real-world problems and data of operation of critical infrastructure, holding workshops about these topics and about these tools and new research methods. The DIINER project builds on the University of Southern California (USC) Information Sciences Institute (ISI) experiences both running operational DNS services such as B-Root and working with the research community to share data and provide research infrastructure. The anticipated outcome of DIINER is scientific progress on how to carry out research on Internet naming, identity, and DNS; improvements to the performance, reliability, security, and privacy of how Internet naming, identity, and DNS are done today; and support of education and research at the USC and in the community.The Internet's DNS most commonly maps names to addresses (e.g. www.nsf.gov to 128.150.4.107), and its use has grown to include applications like anti-spam and Content Delivery Networks. With DNSSEC (Domain Name System Security Extensions), DNS protects data integrity and can ground trust systems, X.509 communications and Certificate Authorities. But Internet naming, identification, and DNS face many challenges. Security has changed as the Internet has moved from a low-risk academic experiment to a trillion-dollar marketplace, bringing threats from organized crime and nation states. DNS has also gathered great inertia, with a huge, change-resistant installed base, from millions of home routers to sophisticated commercial clusters. Its identification as "critical infrastructure" adds both technical and political inertia. These requirements compound technical challenges, such as minimizing latency, and often leave the research community distant from operational reality, without the data and infrastructure they need to make credible contributions.The DIINER project proposes to meet these challenges and reverse DNS ossification by enabling new research in Internet naming and trust, and easing transition from research to operational deployment, while preserving stability. Its goal is to unite isolated researchers by growing an Internet naming and identification community around DIINER, a new shared research infrastructure providing: (1) parallel DNS resolution evaluation (PRE) to support safe testing of experiments within live, real-world deployed DNS, and (2) live instrumentation and measurement to share real-world DNS query and performance data, with responsibility supported by technical and legal methods. Today researchers are under-supported, with only limited DNS data available, often long after collection and with limited ability to share, and no support exists for real-world experiments at scale. USC ISI is uniquely prepared to lead this effort with operational responsibility for the B-Root DNS server, long-term involvement in networking research and graduate education, and independence from commercial interests. The DIINER approach spans the DNS ecosystem, from end-computers (stub resolvers), to organization-level recursive resolvers, and to authoritative DNS servers. The proposed infrastructure will integrate with B-Root, second-level-domain authoritative resolvers, and with a recursive resolver. Stakeholders include end users, Internet services providers (ISPs), and other kinds of service providers, from operators of public DNS services, to commercial DNS providers. The DIINER project will release tools it develops as open source, augmenting research-infrastructure-as-service with third-party deployments.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

互联网上的命名和识别对于查找网站（例如www.nsf.gov）和其他服务至关重要。域名系统（DNS）、身份和互联网命名实验与研究（DIINER）项目建议通过提供研究基础设施、数据和社区建设来加速互联网命名、身份和DNS的研究。该项目将提供(1)一个测试平台和工具，允许对DNS数据进行实验，并支持新方法从研究逐步过渡到实验使用并最终投入运营。(2)该项目将在隐私敏感匿名化和受控数据共享框架的背景下，提供有关如何使用DNS以及DNS系统和服务器如何执行的数据。DIINER项目还将致力于(3)通过加强学术界的创造力和观点与知识、现实世界问题和关键基础设施运行数据之间的反馈循环，举办关于这些主题、这些工具和新研究方法的研讨会，促进合作研究社区。DIINER项目建立在南加州大学（USC）信息科学研究所（ISI）运行运营DNS服务（如B-Root）以及与研究社区合作共享数据和提供研究基础设施的经验基础上。DIINER的预期成果是在如何开展互联网命名、身份和DNS研究方面取得科学进展；改进当今互联网命名、身份和DNS的性能、可靠性、安全性和隐私性；以及对南加州大学和社区教育和研究的支持。互联网的DNS最常见的是将名称映射到地址（例如www.nsf.gov到128.150.4.107），它的使用已经发展到包括反垃圾邮件和内容交付网络等应用程序。通过DNSSEC（域名系统安全扩展），DNS保护数据完整性，并可以建立信任系统、X.509通信和证书颁发机构。但是Internet命名、识别和DNS面临许多挑战。随着互联网从一个低风险的学术实验变成一个价值数万亿美元的市场，安全已经发生了变化，带来了有组织犯罪和民族国家的威胁。DNS也积累了巨大的惯性，从数以百万计的家庭路由器到复杂的商业集群，它的安装基础庞大且不受变化的影响。将其定义为“关键基础设施”增加了技术和政治上的惰性。这些需求加剧了技术挑战，例如最小化延迟，并且经常使研究界远离实际操作，没有他们需要的数据和基础设施来做出可信的贡献。DIINER项目建议通过启用互联网命名和信任方面的新研究，以及在保持稳定性的同时简化从研究到运营部署的过渡，来应对这些挑战并逆转DNS僵化。DIINER是一种新的共享研究基础设施，它提供：(1)并行DNS解析评估（PRE），以支持在真实世界部署的实时DNS中进行实验的安全测试；(2)实时仪器和测量，以共享真实世界的DNS查询和性能数据，并提供技术和法律方法的支持。今天的研究人员缺乏支持，只有有限的DNS数据可用，通常在收集后很长时间，共享能力有限，并且没有大规模的现实世界实验支持。USC ISI是唯一准备领导这项工作的B-Root DNS服务器的运营责任，长期参与网络研究和研究生教育，并独立于商业利益。DIINER方法横跨DNS生态系统，从终端计算机（存根解析器）到组织级递归解析器，再到权威DNS服务器。提议的基础设施将与B-Root、二级域权威解析器和递归解析器集成。利益相关者包括最终用户、互联网服务提供商（isp）和其他类型的服务提供商，从公共DNS服务运营商到商业DNS提供商。DIINER项目将发布其开发的开源工具，通过第三方部署增强研究基础设施即服务。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Old but Gold: Prospecting TCP to Engineer and Live Monitor DNS Anycast

老而黄金：勘探 TCP 来设计和实时监控 DNS 选播

• 发表时间: 2022
• 期刊: Passive and Active Measurement Conference"
• 作者: Moura, Giovane C.;Heidemann, John;Hardaker, Wes;Charnsethikul, Pithayuth;Bulten, Jeroen;Ceron, João M.;Hesselman, Cristian
• 通讯作者: Hesselman, Cristian

Do You Really Like Me? Anycast Latency and Root DNS Popularity

你真的喜欢我吗？

• 发表时间: 2021
• 期刊: Workshop on DNS and Internet Naming Research Directions
• 作者: Heidemann, John;Moura, Giovane C.;Hardaker, Wes
• 通讯作者: Hardaker, Wes

TsuNAME: exploiting misconfiguration and vulnerability to DDoS DNS

TsuNAME：利用 DDoS DNS 的错误配置和漏洞

• DOI: 10.1145/3487552.3487824
• 发表时间: 2021
• 期刊: ACM Internet Measurements Conference
• 作者: Moura, Giovane C.;Castro, Sebastian;Heidemann, John;Hardaker, Wes
• 通讯作者: Hardaker, Wes

Anycast Agility: Network Playbooks to Fight DDoS

Anycast Agility：对抗 DDoS 的网络手册

• 发表时间: 2022
• 期刊: 31st USENIX Security Symposium
• 作者: Rizvi, A S;Bertholdo, Leandro;Ceron, João;Heidemann, John
• 通讯作者: Heidemann, John

Institutional privacy risks in sharing DNS data

共享 DNS 数据的机构隐私风险

• DOI: 10.1145/3472305.3472324
• 发表时间: 2021
• 期刊: Proceedings of the Applied Networking Research Workshop (ANRW
• 作者: Imana, Basileal;Korolova, Aleksandra;Heidemann, John
• 通讯作者: Heidemann, John