Page 54 | Kim et al. J Surveill Secur Saf 2020;1:34-60 | http://dx.doi.org/10.20517/jsss.2020.14
keys. However, TSIG has one practical problem: it requires the keys to be exchanged manually. A solution to the
key distribution problem is TSIG using CGA. TSIG-CGA provides an automated way to negotiate
a shared secret key, with authentication of the host via IPv6's cryptographically generated address (CGA) algorithm.
(2) DNS-Based Authentication of Named Entities (DANE) [71-73]: DANE takes advantage of the source
of trust provided by DNSSEC to authenticate transport layer security (TLS) certificates. DNSSEC verifies
the integrity and origin of DNS data, and DANE publishes certificate associations in the DNS hierarchy
through TLSA records, so that this DNSSEC-protected data becomes a trust anchor for TLS. Specifically, DANE
uses the DNSSEC chain of trust to authenticate the X.509 certificates used for TLS and, because it relies
on the DNSSEC infrastructure, it provides both authentication and data integrity. DANE allows domain owners
to issue their certificates without CAs. Using the DNS hierarchy as a single trust anchor instead of the many
existing CAs, DANE greatly reduces the attack surface. DANE addresses the issues related to the vulnerability
of CAs through a new DNS resource record type, TLSA, signed with DNSSEC. As a result, DANE gives TLS clients
better control over certificate validation. A DANE-aware client only gains this assurance when the TLSA RRset
has actually been DNSSEC-validated; an unsigned or unvalidated TLSA record provides no protection.
(3) DNS-over-HTTPS (DoH) [74]: DoH is a standard web protocol for sending DNS traffic over HTTPS. DoH
was developed to address the fundamental DNS privacy problem of unencrypted communication between users
and DNS resolvers. As shown in the previous section, without a trusted DNS resolver, the confidentiality and
integrity of DNS queries cannot be guaranteed. In DoH, DNS queries and responses are protected by the security
mechanisms of HTTPS. Moreover, DNS traffic is not directly observable on the network because DoH uses the
same port 443 as ordinary HTTPS traffic. Additionally, DoH can be offered by existing DNS servers through a
built-in web server. Starting with Mozilla Firefox and Google Chrome in 2018, most major web browsers support
or plan to support DoH. Despite this, DoH has some drawbacks. First, because DNS traffic is encrypted, it is
difficult to track and analyze; mitigation systems that detect DNS attacks by analyzing DNS data will fail to
function. Second, DoH presupposes a trusted DNS resolver. Each web browser is paired with a trusted open DNS
resolver (for example, Firefox with Cloudflare and Chrome with Google Public DNS). However, this centralizes
traffic in a few DNS resolvers, with corresponding privacy and performance concerns. Finally, it is difficult
to ensure transparency in the DNS operations of these enterprises.
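The TLSA matching step that item (2) describes, as an added example that is not code from the paper or from any DANE library. It parses a TLSA record in zone-file presentation format, derives the certificate association data for each selector (full certificate or SubjectPublicKeyInfo) and matching type (exact, SHA-256, SHA-512), and reports whether the usage field still requires ordinary PKIX chain validation. The minimal DER walker, the `der()` encoder and the certificate returned by `constructed_cert()` are assumptions made for this example: the certificate is structurally valid DER but cryptographically meaningless, and the function and variable names are hypothetical. The example assumes the TLSA RRset has already been DNSSEC-validated.

```python
"""Match a TLS certificate against a DANE TLSA record (RFC 6698 semantics).

Added example, not code from the paper or from any DANE library. It assumes
the caller already holds the DER certificate and has DNSSEC-validated the
TLSA RRset; only the matching step is shown. The certificate built by
constructed_cert() is structurally valid DER but otherwise meaningless.
"""
import hashlib

USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}  # RFC 6698 2.1.1
SELECTORS = {0: "full certificate", 1: "SubjectPublicKeyInfo"}     # 2.1.2
MATCHING = {0: None, 1: "sha256", 2: "sha512"}                     # 2.1.3


def parse_tlsa(presentation: str):
    """Parse 'usage selector matching hexdata' as written in a zone file."""
    parts = presentation.split()
    if len(parts) < 4:
        raise ValueError("TLSA record needs four fields")
    usage, selector, matching = (int(p) for p in parts[:3])
    if usage not in USAGES or selector not in SELECTORS or matching not in MATCHING:
        raise ValueError("unsupported TLSA field value")
    return usage, selector, matching, bytes.fromhex("".join(parts[3:]))


def _tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: low bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of a DER Certificate.

    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
        signature, issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    _, tbs, _ = _tlv(cert_der, 0)            # Certificate -> tbsCertificate
    _, pos, tbs_end = _tlv(cert_der, tbs)    # first element of tbsCertificate
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # explicit [0] version is present
        pos = end
    for _ in range(5):                       # serial, signature, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    tag, _, end = _tlv(cert_der, pos)
    if tag != 0x30 or end > tbs_end:
        raise ValueError("malformed certificate")
    return cert_der[pos:end]


def association_data(cert_der: bytes, selector: int, matching: int) -> bytes:
    """Certificate association data for a (selector, matching type) pair."""
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    algo = MATCHING[matching]
    return subject if algo is None else hashlib.new(algo, subject).digest()


def tlsa_matches(record: str, cert_der: bytes) -> tuple[bool, bool]:
    """Return (matches, pkix_chain_still_required).

    Usages 0 and 2 describe a trust anchor, so the caller passes each chain
    certificate in turn; usages 1 and 3 describe the end-entity certificate.
    Usages 0/1 constrain normal PKIX validation; usages 2/3 replace it, so a
    match there must not be followed by CA checks the zone owner never intended.
    """
    usage, selector, matching, data = parse_tlsa(record)
    return association_data(cert_der, selector, matching) == data, usage in (0, 1)


def tlsa_record_for(cert_der: bytes, usage=3, selector=1, matching=1) -> str:
    """Presentation text a zone operator would publish for this certificate."""
    return f"{usage} {selector} {matching} {association_data(cert_der, selector, matching).hex()}"


def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed test certificate."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def constructed_cert() -> bytes:
    """Structurally valid but meaningless DER certificate (constructed data)."""
    ec_oid = der(0x06, bytes.fromhex("2a8648ce3d0201"))                 # id-ecPublicKey
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))   # ecdsa-with-SHA256
    spki = der(0x30, der(0x30, ec_oid) + der(0x03, b"\x00\x04" + b"\xab" * 64))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + der(0x30, b"") + der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
              + der(0x30, b"") + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + b"\x00" * 70))
```

A record of the form `3 1 1 <sha256>` (DANE-EE, SPKI, SHA-256) is the usual operational choice because it keeps matching across certificate renewals that reuse the key pair, whereas a full-certificate hash (`3 0 1`) breaks as soon as any byte of the certificate, including the signature, changes. The second return value matters in practice: a client that matches a usage 3 record and then still rejects the connection because no public CA signed the certificate has not implemented DANE.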
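The DoH exchange described in item (3), as an added example that is not code from the paper or from any DoH client or resolver. It builds a DNS wire-format query, encodes it the way an RFC 8484 client sends it in the GET form (`?dns=` base64url without padding) and decodes it again on the server side, shows the 2-byte length framing that DNS over TCP and TLS use (the transport that the T-DNS discussion in the next subsection builds on), and parses a response to extract A records while following name-compression pointers. No network is used: the resolver name `dns.example`, the function names and the response produced by `constructed_response()` are constructed for this example.

```python
"""DNS-over-HTTPS (RFC 8484) request construction and response parsing.

Added example, not code from the paper or from any DoH implementation.
No network is used; the response in the test is constructed locally.
"""
import base64
import struct

QTYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Encode 'www.example.com' as length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A) -> bytes:
    """Wire-format query. RFC 8484 recommends ID 0 so HTTP caches can hit."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def doh_get_url(resolver: str, query: bytes) -> str:
    """GET form: base64url without '=' padding, as RFC 8484 section 6 requires."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"https://{resolver}/dns-query?dns={b64}"


def doh_decode_param(param: str) -> bytes:
    """Server side of the GET form: restore padding and decode."""
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


def tcp_frame(message: bytes) -> bytes:
    """DNS over TCP/TLS prefixes each message with its 16-bit length (RFC 1035)."""
    if len(message) > 0xFFFF:
        raise ValueError("message too large for one TCP frame")
    return struct.pack("!H", len(message)) + message


def decode_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Decode a name at pos, following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, pos
    for _ in range(128):                     # bound the walk so a pointer loop cannot hang us
        ln = msg[pos]
        if (ln & 0xC0) == 0xC0:              # two-byte pointer to an earlier name
            if not jumped:
                end = pos + 2
            pos, jumped = ((ln & 0x3F) << 8) | msg[pos + 1], True
            continue
        pos += 1
        if ln == 0:
            return ".".join(labels), (end if jumped else pos)
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    raise ValueError("name too long or pointer loop")


def parse_a_answers(msg: bytes) -> list[tuple[str, int, str]]:
    """Return (owner, ttl, ipv4) for each A record in the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    pos = 12
    for _ in range(qd):                      # skip the echoed question(s)
        _, pos = decode_name(msg, pos)
        pos += 4
    out = []
    for _ in range(an):
        owner, pos = decode_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        rdata, pos = msg[pos:pos + rdlen], pos + rdlen
        if (rtype, rclass, rdlen) == (QTYPE_A, CLASS_IN, 4):
            out.append((owner, ttl, ".".join(str(b) for b in rdata)))
    return out


def constructed_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Answer a query the way a resolver would (constructed test data)."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1 RD=1 RA=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, ttl, 4)
    return header + query[12:] + rr + bytes(int(o) for o in ip.split("."))
```

The POST form sends the same bytes as the request body with `Content-Type: application/dns-message`; either way the message on the wire is the ordinary DNS packet, which is why existing servers can add DoH by fronting the resolver with a web server. Because the request travels inside an HTTPS connection on port 443, a network monitor that classifies DNS by port 53 sees nothing, which is exactly the detection drawback the text describes; the framing function shows that DNS over TCP/TLS keeps the same packet format too, only with a length prefix so that responses larger than a UDP datagram can be carried.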
5.2.3 Advanced DNS with additional secure functions
According to the DNSSEC deployment tracking system SecSpider [75], the number of DNSSEC-enabled zones
is currently approximately 3.3 million. It appears that the full deployment of DNSSEC will take considerable
time despite many efforts. Thus, additional security functions for DNS are required. The following are
methods for improving DNS security.
(1) DNS Proxy Server (DPS) and BIND [76]: a new approach that detects cache poisoning attacks and then sends
an additional request for the same DNS resource record through a local proxy for the BIND caching server.
This defensive system makes cache poisoning attacks more difficult.
(2) T-DNS [77]: DNS uses connectionless UDP as its standard transport. However, because UDP is poorly
secured, DNS is subject to attacks such as spoofing and flooding. T-DNS uses TCP and
TLS to provide DNS security. T-DNS protects DNS data with TLS encryption over TCP, reduces
the impact of DoS attacks because a connection must be established before a query is answered, and overcomes
the limitations of UDP's response size. Compared to the existing UDP-based protocol, DNS over TLS provides
better privacy, supports large payloads, and mitigates spoofing and reflection DDoS attacks. However, the
fundamental problems of TCP, namely latency and resource requirements, remain.
(3) S-DNS [78]: A security solution to prevent DNS cache poisoning and spoofing attacks. Based on
predictability measures and timing analysis, S-DNS mitigates man-in-the-middle attacks in the DNS
hierarchy. The protocol decreases the probability of a successful attack and provides a simple
security mechanism with lightweight computation and overhead.
(4) Response Rate Limiting [43]: A defense mechanism to reduce the impact of DNS amplification attacks