CAREER: Debugging the Fragmented DNS Infrastructure at Scale

职业：大规模调试分散的 DNS 基础设施

• 批准号: 2047476
• 负责人: Zhou Li
• 金额: $ 52.74万
• 依托单位: University of California-Irvine
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2021
• 资助国家: 美国
• 起止时间: 2021-06-01 至 2026-05-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2047476&HistoricalAwards=false
• 关键词: CAREER; Debugging; Fragmented; DNS; Infrastructure

Domain Name System (DNS) is one of the most critical Internet infrastructures. It underpins nearly every Internet activity, translating user-friendly names like www.google.com to computer-friendly IP addresses. Though designed as a highly reliable infrastructure in its blueprint, DNS failures are not rare, sometimes even leading to the network outage of a country. Debugging DNS failures is undoubtedly important but also challenging. Though DNS can be seen as a distributed system, it is open-ended and fragmented, containing numerous service providers and being interfered by powerful network adversaries. Though the basic logic of DNS is conceptually simple, its implementation is highly customized on the client-side devices and DNS bugs can be caused by the complex interactions between code and non-code resources. These unique settings make DNS failures and bugs complex and difficult to be diagnosed.This project is to develop novel platforms, techniques, and tools to enable holistic debugging for the DNS Infrastructure. This work is organized through two research thrusts: debugging DNS failures at the network layer, and debugging client-side DNS bugs at the software layer. For the first thrust, a comprehensive reference to the real-world DNS failures and bugs are to be created first by mining the public text with DMiner, a tool powered by Natural Language Processing (NLP) techniques. To reproduce a DNS failure, a new measurement platform, DTrap+, will be developed with innovative usage of peer-to-peer proxies to crowd-source the debugging tasks. To enable cross-layer and adversary-resilient debugging for DNS, DTrace, an end-to-end tracing framework for DNS, and DARTrace, a secured tracing protocol, will be developed. The second thrust focuses on the DNS bugs embedded in the Internet of Things (IoT) devices. The DNS implementations will be extracted from the IoT firmware with DFirm, a tool powered by symbolic execution and library matching. The DNS bugs will be uncovered by DScope, a tool enforcing multi-component analysis on the DNS implementations.The proposed project will have significant societal impacts in the following aspects. First, ensuring reliable network services for the Internet users is one core mission of the Internet community. By enabling effective fault discovery and root-cause analysis of DNS services and clients, this project makes an important contribution to this mission. Second, through a set of educational tasks, this project will democratize DNS and the general network debugging for students, researchers, industry partners, and the public. Third, this project will prioritize research opportunities for the underrepresented population through programs like UCI ASPIRE and OC STEM.The data, code, and knowledge base developed under this project will be released at dns-debug.github.io.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

域名系统（DNS）是最重要的互联网基础设施之一。它支持几乎每一个互联网活动，将用户友好的名称，如www.google.com转换为计算机友好的IP地址。虽然DNS在其蓝图中被设计为高度可靠的基础设施，但DNS故障并不罕见，有时甚至导致一个国家的网络中断。DNS故障无疑是重要的，但也具有挑战性。虽然DNS可以被看作是一个分布式系统，但它是开放的和分散的，包含众多的服务提供商，并受到强大的网络对手的干扰。虽然DNS的基本逻辑在概念上很简单，但其实现在客户端设备上是高度定制的，并且DNS错误可能由代码和非代码资源之间的复杂交互引起。这些独特的设置使DNS故障和错误变得复杂且难以诊断。本项目旨在开发新的平台，技术和工具，以实现DNS基础设施的整体调试。这项工作是通过两个研究重点组织的：在网络层调试DNS故障，并在软件层调试客户端DNS错误。对于第一个推力，首先通过使用DMiner（一种由自然语言处理（NLP）技术支持的工具）挖掘公共文本来创建对真实世界DNS故障和错误的全面参考。为了重现DNS故障，将开发一个新的测量平台DTrap+，创新地使用点对点代理来众包调试任务。为了实现DNS的跨层和对抗性恢复调试，将开发用于DNS的端到端跟踪框架DTrace和安全跟踪协议DARTrace。第二个重点是物联网（IoT）设备中嵌入的DNS错误。DNS实现将使用DMirm从物联网固件中提取，DMirm是一种由符号执行和库匹配提供支持的工具。DScope是一个对DNS实现进行多组件分析的工具，它将揭示DNS漏洞。该项目将在以下方面产生重大的社会影响。首先，确保为互联网用户提供可靠的网络服务是互联网界的核心使命之一。通过对DNS服务和客户端进行有效的故障发现和根本原因分析，该项目为这一使命做出了重要贡献。其次，通过一系列教育任务，该项目将使DNS和一般网络调试民主化，供学生、研究人员、行业合作伙伴和公众使用。第三，该项目将通过UCI ASPIRE和OC STEM等项目优先考虑代表性不足的人群的研究机会。在该项目下开发的数据，代码和知识库将在dns-debug.github.io上发布。该奖项反映了NSF的法定使命，并通过使用基金会的智力价值和更广泛的影响审查标准进行评估而被认为值得支持。

项目成果

Ghost Domain Reloaded: Vulnerable Links in Domain Name Delegation and Revocation

• DOI: 10.14722/ndss.2023.23005
• 发表时间: 2023
• 期刊: Proceedings 2023 Network and Distributed System Security Symposium
• 作者: Xiang Li;Baojun Liu;Xuesong Bai;Mingming Zhang;Qifan Zhang;Zhou Li;Haixin Duan;Qi Li

A Comprehensive Study of DNS Operational Issues by Mining DNS Forums

• DOI: 10.1109/access.2022.3215753
• 发表时间: 2022
• 期刊: IEEE Access
• 影响因子: 3.9
• 作者: Xianran Liao;Jiacen Xu;Qifan Zhang;Zhou Li

A Comprehensive Measurement-based Investigation of DNS Hijacking

• DOI: 10.1109/srds53918.2021.00029
• 发表时间: 2021-09
• 期刊: 2021 40th International Symposium on Reliable Distributed Systems (SRDS)
• 作者: Rebekah Houser;Shuai Hao;Zhou Li;Daiping Liu;Chase Cotton;Haining Wang