SaTC: CORE: Small: Understanding Practical Deployment Considerations for Decentralized, Encrypted DNS

SaTC：核心：小型：了解去中心化加密 DNS 的实际部署注意事项

• 批准号: 2155128
• 负责人: Nicholas Feamster
• 金额: $ 50万
• 依托单位: University of Chicago
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2022
• 资助国家: 美国
• 起止时间: 2022-08-01 至 2025-07-31
• 项目状态: 未结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2155128&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Understanding; Practical

The Domain Name System (DNS) is the Internet protocol and system that maps human-readable names to Internet protocol addresses; it is central to every Internet activity, from web browsing to video streaming. Despite the central role of the DNS in essentially all Internet communications, until recently it has been unencrypted, which has introduced significant privacy risks and vulnerabilities. In recent years, technology to encrypt DNS queries and responses includes transmitting DNS queries and responses. This project is studying the performance and privacy properties of existing encrypted DNS protocols such as DoH and DoT, towards the ultimate goal of deploying applications and systems that use these new protocols to improve user privacy and provide users satisfactory performance. The Internet is rapidly moving towards encrypted DNS protocols, with encrypted DNS now either available or enabled by default in many standard Internet browsers and Internet-connected embedded devices. Yet, there is relatively little knowledge or agreement about the performance and privacy characteristics of such protocols. This project builds on the early work in this area to develop comprehensive techniques for evaluating both the performance and privacy of new network applications, systems, and architectures that rely on encrypted DNS protocols. The research will contribute to the larger body of knowledge on both DNS performance and privacy, and the available performance and evaluation frameworks for evaluating encrypted DNS protocols will be released to the community to allow others to continue to build on these results.The first theme of this project seeks to understand the performance implications of existing encrypted DNS protocols and architectures, on DNS lookup time, as well as on the performance of popular Internet applications whose performance depends on the DNS, particularly for metrics such as web page load time. Understanding why (and when) encrypted DNS outperforms unencrypted DNS---as well as when it does not---will ultimately shed light on how to best architect DNS resolution to ensure both confidentiality and good performance. The second theme of this project recognizes that encrypting DNS need not imply centralization. Distributing a client's DNS queries across multiple recursive resolvers may improve reliability, privacy, and even performance, although such improvements will ultimately require the design of appropriate strategies for distributing these queries. This theme explores the prospect of re-decentralizing the DNS. Third, the project is coalescing various approaches to DNS privacy---from DNS encryption to previous work on oblivious DNS (ODNS)---into a coherent architectural framework. This theme explores how and where DNS privacy extensions could be deployed (e.g., in a local DNS resolver, in a web browser) to both preserve user privacy and preserve a seamless user experience.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

域名系统（DNS）是将人类可读的名称映射到互联网协议地址的互联网协议和系统；它是所有互联网活动的核心，从网页浏览到视频流。尽管DNS在基本上所有的互联网通信中都扮演着核心角色，但直到最近它还没有加密，这带来了重大的隐私风险和漏洞。近年来，对DNS查询和响应进行加密的技术主要包括传输DNS查询和响应。该项目正在研究现有加密DNS协议（如DoH和DoT）的性能和隐私属性，最终目标是部署使用这些新协议的应用程序和系统，以改善用户隐私并为用户提供满意的性能。Internet正迅速向加密DNS协议发展，加密DNS现在在许多标准Internet浏览器和连接Internet的嵌入式设备中可用或默认启用。然而，对于这些协议的性能和隐私特征，人们的认识和共识相对较少。该项目建立在该领域早期工作的基础上，开发全面的技术来评估依赖加密DNS协议的新网络应用程序、系统和体系结构的性能和隐私性。该研究将为DNS性能和隐私方面的更大知识体系做出贡献，并且将向社区发布用于评估加密DNS协议的可用性能和评估框架，以允许其他人继续在这些结果的基础上进行构建。该项目的第一个主题旨在了解现有加密DNS协议和架构对DNS查找时间的性能影响，以及对性能依赖于DNS的流行互联网应用程序的性能影响，特别是对网页加载时间等指标的影响。理解加密DNS为何（以及何时）优于未加密DNS——以及何时优于未加密DNS——将最终阐明如何最好地构建DNS解析，以确保保密性和良好的性能。这个项目的第二个主题认识到加密DNS并不意味着集中化。跨多个递归解析器分布客户机的DNS查询可以提高可靠性、隐私性甚至性能，尽管这种改进最终需要设计适当的策略来分发这些查询。本主题探讨了DNS重新去中心化的前景。第三，该项目正在将各种DNS隐私方法（从DNS加密到之前对遗忘DNS （ODNS）的研究）合并到一个一致的体系结构框架中。本主题探讨了如何以及在哪里可以部署DNS隐私扩展（例如，在本地DNS解析器中，在web浏览器中），以保护用户隐私并保持无缝的用户体验。该奖项反映了美国国家科学基金会的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。