Kim et al. J Surveill Secur Saf 2020;1:34-60 | http://dx.doi.org/10.20517/jsss.2020.14 | Page 57
Another factor is support for Certificate Transparency and Certification Authority Authorization (CAA)
records, which are techniques that compensate for weaknesses and defects in the PKI certificate system.
While all organizations provide Certificate Transparency, some do not offer CAA records. Regardless of
whether DoH or DoT is supported, this is judged as support for a security solution for certificates.
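Whether a published CAA record set actually restricts issuance can be checked offline with the RFC 8659 rules. The following Python is an added example, not code from the paper; the zone contents, the `caa` helper, and the CA names `ca1.example` and `ca2.example` are constructed for illustration.

```python
CRITICAL = 0x80  # issuer-critical flag bit (RFC 8659)
KNOWN = ("issue", "issuewild", "iodef")

def caa(flags, tag, value):
    """Build CAA RDATA (helper for the constructed sample data)."""
    return bytes([flags, len(tag)]) + tag.encode() + value.encode()

def parse_caa_rdata(rdata):
    """Decode CAA RDATA: flags (1 byte) | tag length (1 byte) | tag | value."""
    if len(rdata) < 2:
        raise ValueError("CAA RDATA too short")
    flags, tag_len = rdata[0], rdata[1]
    tag = rdata[2:2 + tag_len]
    if len(tag) != tag_len or not tag.isalnum():
        raise ValueError("malformed CAA tag")
    return flags, tag.decode("ascii").lower(), rdata[2 + tag_len:].decode("ascii")

def relevant_rrset(name, zone):
    """Climb from name toward the root; the first non-empty CAA RRset applies."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return [parse_caa_rdata(r) for r in rrset]
    return []

def may_issue(ca_domain, name, zone):
    """True if CAA permits ca_domain to issue for name ('*.' prefix = wildcard)."""
    wildcard = name.startswith("*.")
    records = relevant_rrset(name[2:] if wildcard else name, zone)
    # An unrecognized property with the critical bit set forbids issuance.
    if any(f & CRITICAL and t not in KNOWN for f, t, _ in records):
        return False
    issue = [v for _, t, v in records if t == "issue"]
    issuewild = [v for _, t, v in records if t == "issuewild"]
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True  # no restricting property, so CAA does not limit issuance
    # Value is "<issuer-domain>[; parameters]"; an empty issuer authorizes no CA.
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in applicable)

# Constructed sample zone (reserved example names, hypothetical CAs).
ZONE = {
    "example.com": [caa(0, "issue", "ca1.example"), caa(0, "issuewild", ";"),
                    caa(0, "iodef", "mailto:sec@example.com")],
    "locked.example.com": [caa(0, "issue", ";")],
    "future.example.com": [caa(128, "tbs", "unknown")],
}
```

A name with no CAA record anywhere on the path to the root, such as `example.org` in this sample, is unrestricted, which is why a missing CAA record leaves issuance open to any CA.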
Almost all providers support DoH and/or DoT, except for Oracle and Verisign. We expect support for
DoH/DoT to increase with time.
Finally, all providers offer TLS 1.2 for encrypted transmission, and Google, Cloudflare, and Quad9, which
support DoH, support up to the latest TLS 1.3. Therefore, these institutions are expected to provide more
stable DoH based on TLS 1.3 in the future.
6. DISCUSSION
This paper presents a survey of DNS security. The background of basic DNS and DNSSEC was described,
with an explanation for the motivation of DNSSEC. DNS is essential for proper operation of the Internet,
but it is still subject to a variety of attacks, due to its vulnerabilities, lack of widespread adoption of available
mitigation techniques, and limitations of those techniques. These vulnerabilities were described, and DNS
attacks were classified based on those vulnerabilities. Also, several methods suggested in the literature for
defending against such attacks were summarized.
This survey provides a novel and useful analysis to understand DNS and DNSSEC in terms of cybersecurity.
Specifically, the classification of DNS attacks supports understanding and analysis of future DNS attacks.
This paper provides the first DNS attack classification. The analysis of various mitigation systems also
provides indicators for future DNS developments. Promising alternatives to DNSSEC include DANE/TLSA
and DNS-over-HTTPS. Even lighter-weight approaches, suitable for deployment in the Internet of Things,
are needed as well.
DECLARATIONS
Authors’ contributions
Contributed to the design, survey, implementation, and analysis of the research and to the writing of the
manuscript: Kim TH, Reeves D
Availability of data and materials
Not applicable.
Financial support and sponsorship
Not applicable.
Conflicts of interest
Both authors declared that there are no conflicts of interest.
Ethical approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Copyright
© The Author(s) 2020.