网络与信息安全学报 (Oct 2024)
Measurement and evaluation for privacy benefits of deploying encrypted DNS protocol between recursive and authoritative servers
Abstract
The encrypted DNS protocol was originally designed to protect DNS communication privacy between users and recursive resolvers (the user-recursive side), and encrypted DNS communication on that side has since been widely deployed. DNS communication between recursive resolvers and authoritative servers (the recursive-authoritative side), however, still faced significant privacy threats. To address this issue, the Internet Engineering Task Force (IETF) officially released RFC 9539 in February 2024, which uses the encrypted DNS protocol to protect DNS communication privacy on the recursive-authoritative side. Focusing on the privacy benefits of deploying the encrypted DNS protocol on the recursive-authoritative side, a method to evaluate the privacy benefit of a domain name was proposed. The method defined three levels of privacy benefit by analyzing the number of domain names hosted by the authoritative servers of the target domain name. Combined with the zone files of 1058 top-level domains, the privacy benefit level was determined for 2.43 million popular domain names and 40 thousand sensitive domain names. The results showed that over 90% of domain names could achieve privacy protection through the deployment of encrypted DNS on the recursive-authoritative side. However, 6.28% of sensitive domain names could not benefit from such deployment, and some popular domain names also gained no privacy benefit. Compared to large domain hosting providers, smaller providers could offer higher privacy benefits for domain names. Administrators were advised not to deploy domains on authoritative servers that host only a single domain name, since doing so significantly compromises the privacy protection effectiveness of encrypted DNS deployment on the recursive-authoritative side.
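The measurement idea above, as an added illustration that is not the paper's own code: NS records from zone-file-style text are indexed per authoritative server, and a target domain is graded by how many other domains its servers host. The three-level scale used here (0 = every authoritative server hosts only this domain, 1 = only some servers are shared, 2 = every server is shared) and the sample records are assumptions, not the paper's definitions or data.

```python
from collections import defaultdict

# Constructed zone-file-style NS records (owner IN NS target); not real data.
SAMPLE_NS_RECORDS = """
example-bank.test.   IN NS ns1.example-bank.test.
example-bank.test.   IN NS ns2.example-bank.test.
shop-a.test.         IN NS ns1.bighoster.test.
shop-a.test.         IN NS ns2.bighoster.test.
shop-b.test.         IN NS ns1.bighoster.test.
shop-b.test.         IN NS ns2.bighoster.test.
clinic.test.         IN NS ns1.bighoster.test.
clinic.test.         IN NS ns1.clinic.test.
"""


def parse_ns_records(text):
    """Build {nameserver: set(hosted domains)} from 'owner IN NS target' lines."""
    hosted = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[-2].upper() == "NS":
            owner = parts[0].lower().rstrip(".")
            nameserver = parts[-1].lower().rstrip(".")
            hosted[nameserver].add(owner)
    return hosted


def privacy_benefit_level(domain, hosted):
    """Assumed three-level scale (hypothetical thresholds, not the paper's).

    A passive observer on the recursive-authoritative path still sees which
    authoritative server is contacted; if that server hosts only one domain,
    the queried name is inferable even when the query itself is encrypted.
    """
    domain = domain.lower().rstrip(".")
    servers = [ns for ns, domains in hosted.items() if domain in domains]
    if not servers:
        raise KeyError(f"no NS records found for {domain}")
    shared = sum(1 for ns in servers if len(hosted[ns]) > 1)
    if shared == 0:
        return 0          # every server is single-domain: no benefit
    if shared < len(servers):
        return 1          # partial: a query may still hit a single-domain server
    return 2              # all servers shared: the name is hidden in the crowd


def classify_all(hosted):
    """Grade every domain that appears in the index."""
    domains = {d for ds in hosted.values() for d in ds}
    return {d: privacy_benefit_level(d, hosted) for d in sorted(domains)}
```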