CN103685168B - A query request service method for a DNS recursive server - Google Patents
Publication number: CN103685168B (application CN201210328266.XA)
Authority: CN (China)
Prior art keywords: query request, trusted, data packet, response data, server
Legal status: Active
Landscapes: Data Exchanges In Wide-Area Networks; Computer And Data Communications
Abstract
The invention discloses a query request service method for a DNS recursive server and belongs to the field of network technology. The method comprises the steps of: 1) dividing the cache of the DNS recursive server into a trusted cache and an untrusted cache; 2) after the recursive server receives a query request, looking in the trusted cache for a matching resource record; if one exists, returning the matching resource record to the querying client; if not, sending the query to an authoritative server; 3) the recursive server monitoring the response packet arrival rate for this query; 4) if the response packet arrival rate exceeds the trust threshold, the recursive server placing the response packets for this query in the untrusted cache; if it does not exceed the trust threshold, the recursive server sending the query to the authoritative server again, returning the DNS resource record obtained to the querying client and adding it to the trusted cache. The invention reduces the probability of cache poisoning while preserving query efficiency.
Description
Technical field
The present invention relates to a query request service method for a DNS recursive server and belongs to the technical field of computer networks.
Background art
The principal entities of the Internet Domain Name System (DNS) are recursive servers, which provide the recursive resolution (query) service, and authoritative servers, which provide authoritative answers. The query process is shown in Figure 1 and proceeds as follows:
1) when an end user wants to reach www.sina.com, a DNS query message is sent to the recursive server;
2) if the recursive server's cache holds no information about this domain name at all (assume it has neither the address of the com authoritative server nor the address of the sina.com authoritative server), the recursive server must first query a root server to learn the address of the com authoritative server;
3) the recursive server then sends a query to the com authoritative server and learns the address of the sina.com authoritative server;
4) by continuing to query the sina.com authoritative server, the recursive server finally learns the address of www.sina.com;
5) the recursive server returns the resource record obtained to the client and stores that record in its cache.
When another end user asks this recursive server for www.sina.com, the recursive server finds a matching resource record in its cache and can respond immediately, and the end user can reach the corresponding network resource through that address information.
In the query process above, after the recursive server has sent a query message to any authoritative server, if a forged response packet reaches the recursive server before the genuine response arrives, and that forged packet matches the UDP source port and the transaction ID of the query packet the recursive server sent out, the recursive server caches a wrong authoritative resource record. This is cache poisoning: every subsequent user who queries that domain name is directed to a wrong or malicious site.
How to recognise and avoid caching untrusted or forged response messages, so as to reduce as far as possible the probability of cache poisoning on a DNS recursive server, is a technical problem that urgently needs to be solved.
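The race just described only succeeds when a forged packet guesses the query's transaction ID (and, if the resolver randomises it, the UDP source port) before the genuine answer lands. The following added example, which is not part of the patent, puts numbers on that condition: it computes the probability that a burst of n forged responses contains at least one match, inverts the formula to give the burst size an attacker needs, and simulates one race with a pseudo-random attacker. The 16-bit ID is standard DNS; the ephemeral port range, the fixed port used when randomisation is off, the function names and the packet counts are assumptions made for the illustration. The burst size it produces is exactly the kind of abnormal per-query response volume that the arrival-rate monitor in the method below keys on.

```python
"""Added example (not part of the patent): the matching condition of the
poisoning race described above.

A forged response is accepted only if it arrives before the genuine one and
carries the 16-bit transaction ID and the UDP source port of the outstanding
query. Given the number of forged packets an attacker delivers in that window,
the functions below give the probability that at least one matches, invert
that formula, and simulate one race. The 16-bit ID is standard DNS; the port
range, the fixed port and the packet counts are assumptions."""
import math
import random

TXID_SPACE = 1 << 16               # DNS transaction ID width: 16 bits
PORT_LOW, PORT_HIGH = 1024, 65535  # assumed ephemeral source-port range
PORT_SPACE = PORT_HIGH - PORT_LOW + 1
FIXED_PORT = 53                    # assumed fixed source port when not randomised (known to attacker)


def search_space(randomised_port: bool) -> int:
    """Number of values a forged packet must guess: txid alone, or txid and port."""
    return TXID_SPACE * (PORT_SPACE if randomised_port else 1)


def match_probability(forged_packets: int, randomised_port: bool) -> float:
    """P(at least one of n independent uniform guesses is right) = 1 - (1 - 1/S)^n."""
    return 1.0 - (1.0 - 1.0 / search_space(randomised_port)) ** forged_packets


def forged_packets_for(target: float, randomised_port: bool) -> int:
    """Smallest n with match_probability(n) >= target (inverse of the formula above)."""
    s = search_space(randomised_port)
    return math.ceil(math.log1p(-target) / math.log1p(-1.0 / s))


def simulate_race(forged_packets: int, randomised_port: bool, seed: int = 1) -> dict:
    """Play one race: the resolver picks an ID (and port), the attacker guesses n times.
    Any match would poison an unprotected cache."""
    rng = random.Random(seed)
    txid = rng.randrange(TXID_SPACE)
    port = rng.randrange(PORT_LOW, PORT_HIGH + 1) if randomised_port else FIXED_PORT
    matches = 0
    for _ in range(forged_packets):
        guess_id = rng.randrange(TXID_SPACE)
        guess_port = rng.randrange(PORT_LOW, PORT_HIGH + 1) if randomised_port else port
        if guess_id == txid and guess_port == port:
            matches += 1
    return {"forged_sent": forged_packets, "matches": matches, "poisoned": matches > 0}


if __name__ == "__main__":
    for randomised in (False, True):
        n = forged_packets_for(0.5, randomised)
        print(f"randomised port={randomised}: {n} forged packets for a 50% chance")
    print(simulate_race(200_000, randomised_port=False))
```

With only the transaction ID to guess, a 50% chance of poisoning costs the attacker on the order of 45,000 forged packets per query; with the port randomised over the assumed range it rises into the billions. Either way the attacker's traffic is a dense burst of responses to one question, which is the signal the arrival-rate threshold in the method below detects.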
Summary of the invention
In view of the problems in the prior art, the object of the present invention is to provide a query request service method for a DNS recursive server. The invention proposes dividing the cache of the DNS recursive server into two parts: a trusted cache and an untrusted cache. The trusted cache holds the correct DNS resource records obtained by normal queries; the untrusted cache holds resource records whose responses the recursive server has come to doubt by monitoring DNS traffic. The trusted cache is used according to the caching rules a recursive server normally applies, whereas data in the untrusted cache must never be used directly to answer clients. Only when the monitoring result falls back below the trust threshold chosen by the recursive server does the server re-issue the query for the resource records held in the untrusted cache and add the corresponding response to the trusted cache.
The technical scheme of the invention is as follows:
A query request service method for a DNS recursive server, comprising the steps of:
1) dividing the cache of the DNS recursive server into a trusted cache and an untrusted cache, wherein the trusted cache stores trusted DNS resource records and the untrusted cache stores the DNS resource records corresponding to suspicious query requests;
2) after the recursive server receives a query request, looking in the trusted cache for a matching resource record; if one exists, returning it to the querying client; if not, sending the query to an authoritative server;
3) the recursive server monitoring the response packet arrival rate for this query, where the response packet arrival rate is the number of response packets received for the same query within a set time window;
4) if the response packet arrival rate for this query exceeds a preset trust threshold, the recursive server placing the response packets for this query in the untrusted cache; if it does not exceed the preset trust threshold, the recursive server sending the query to the authoritative server again, returning the DNS resource record obtained to the querying client, and adding it to the trusted cache as a trusted DNS resource record.
Further, if the response packet arrival rate for this query exceeds the preset trust threshold and the recursive server receives from another client a second query request identical to this one, and the response packet arrival rate for that second query does not exceed the preset trust threshold, the recursive server sends the query to the authoritative server on behalf of the second query.
Further, if the response packet arrival rate for a query exceeds the preset trust threshold, the recursive server determines the cache poisoning attack source from the destination IP address of the query message it sent for that query.
Further, the recursive server monitors the response packet arrival rate of query requests in real time.
The invention has the following characteristics:
1) untrusted resource records are isolated by partitioning the cache;
2) when the response packet arrival rate for the same query is too high, the recursive server concludes that a cache poisoning attack is taking place and judges the responses received to be untrusted;
3) by re-verifying the resource records in the untrusted cache and filling the results into the trusted cache, the recursive server still obtains the efficiency gain of caching.
Compared with the prior art, the positive effects of the invention are: by partitioning the cache into a trusted area and an untrusted area, untrusted resource records are isolated; the recursive server thereby avoids caching untrusted or forged response messages, the probability of cache poisoning on the recursive server is reduced, and the efficiency of query processing is preserved.
Brief description of the drawings
Figure 1 is the flow chart of the existing DNS query process;
Figure 2 is the flow chart of the method of the invention.
Detailed description of the invention
In the present invention the processing flow of the recursive server is as shown in Figure 2.
1) After the recursive server receives a query request, it first looks in the trusted cache for a matching resource record. The recursive server wants to answer from the trusted cache first, returning a matching response to the user as early as possible and so improving lookup efficiency (when no attack is detected, all results obtained by querying are saved in the trusted cache, e.g. in the Figure 1 example the address of the com authoritative server, the address of the sina.com authoritative server and the address of www.sina.com; once an attack is detected, the response messages received are stored in the suspect area instead). If there is no match, the recursive server sends the query to an authoritative server; when the response packet arrival rate for this query exceeds the preset threshold, the cache is considered to be under a poisoning attack, and the poisoning source is taken to be the destination IP address of the query message the recursive server sent. For instance, when the cache poisoning attack source sends the recursive server a query for a name such as xxx.yyy.cn, the recursive server finds no corresponding resource record in the trusted cache and immediately starts a query to the authoritative server, whose main function is to maintain DNS data. The "response packet arrival rate" is obtained by counting the response packets received for the same query within a certain time.
2) To poison this recursive server, the attack source sends a large batch of forged response messages to the recursive server, hoping to match the UDP port number and the transaction ID of the DNS query message the recursive server sent to the authoritative server.
3) The recursive server judges the untrustworthiness of the response by the response packet arrival rate for the same query: once the arrival rate exceeds the preset threshold, the recursive server places the matching response messages it receives in the untrusted cache (to present the technical solution clearly, the invention uses the response packet arrival rate of the same query to judge untrustworthiness, but other decision rules may also be supported).
4) If the recursive server now receives query requests from other clients for the name whose cache entry is being poisoned, and the responses corresponding to those requests have fallen back below the trust threshold, the recursive server does not use the data in the untrusted cache but starts a new query to the authoritative server and answers with its result.
5) Once the response packet arrival rate for this query falls back below the trust threshold, the recursive server considers the attack to be over, starts the query process again and adds the resource record in the response to the trusted area, so that subsequent queries can be answered quickly. For example: given query messages 1 and 2, if query 1 sees a large number of forged responses and query 2 still sees a large number of forged responses, the recursive server treats both query 1 and query 2 as forged queries used to poison the cache and does not answer them. If, however, the responses corresponding to the two queries are below the trust threshold, the recursive server treats this as a normal query, sends the query to the authoritative server, and adds the resource record in the response to the trusted area so that subsequent queries can be answered quickly.
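The technical scheme (steps 1 to 4 with the three "further" refinements) and the detailed description above describe the same processing flow. The following added example, written for this page and not the patent's own code, models that flow end to end so the cache partitioning, the arrival-rate threshold, the quarantine during a flood, the re-query after the rate drops and the attack-source record (claim 3) can be exercised on a constructed timeline. Everything not in the patent is an assumption: the threshold of five responses per one-second window, the `AUTH_SERVER` map, the addresses, the class and function names, the choice to count every response carrying the pending question (matching or not) towards the rate, and the `run_scenario()` timeline in which a 40-packet forgery burst is followed by a clean re-query.

```python
"""Added example, not the patent's own code: a runnable model of the recursive
server described in the technical scheme and detailed description above. It keeps a
trusted and an untrusted cache, counts responses per outstanding query in a sliding
window (the "response packet arrival rate"), quarantines responses while that count
exceeds the trust threshold, re-queries upstream once the rate has dropped, and logs
the destination IP of the outgoing query as the suspected source (claim 3). Threshold,
window, addresses and the packet timeline in run_scenario() are constructed."""
from collections import deque, namedtuple
from dataclasses import dataclass, field
import random

TRUST_THRESHOLD = 5   # assumed: more than 5 responses per window for one query is abnormal
WINDOW_SECONDS = 1.0  # assumed counting window
AUTH_SERVER = {"example.test": "198.51.100.53"}  # constructed authoritative address
# Incoming response: arrival time, question name, transaction ID, UDP port addressed to, answer
Response = namedtuple("Response", "t qname txid dport rdata")

@dataclass
class PendingQuery:
    txid: int
    sport: int   # random UDP source port of the outgoing query
    dst_ip: str  # authoritative server the query was sent to
    arrivals: deque = field(default_factory=deque)  # timestamps of responses seen

class RecursiveServer:
    def __init__(self, threshold=TRUST_THRESHOLD, window=WINDOW_SECONDS, seed=7):
        self.threshold, self.window = threshold, window
        self.rng = random.Random(seed)  # deterministic ID/port choice for the demo
        self.trusted = {}               # qname -> rdata, the only data served to clients
        self.untrusted = {}             # qname -> quarantined rdata, never served
        self.pending = {}               # qname -> PendingQuery
        self.suspected_sources = set()
        self.upstream_queries = 0

    def _send_upstream(self, qname):
        """Step 2: query the authoritative server with a fresh ID and source port."""
        self.pending[qname] = PendingQuery(txid=self.rng.randrange(1 << 16),
                                           sport=self.rng.randrange(1024, 65536),
                                           dst_ip=AUTH_SERVER[qname.split(".", 1)[1]])
        self.upstream_queries += 1

    def _rate(self, pq, now):
        """Step 3: responses for this query seen inside the last window."""
        while pq.arrivals and now - pq.arrivals[0] > self.window:
            pq.arrivals.popleft()
        return len(pq.arrivals)

    def client_query(self, qname, now):
        """Answer from the trusted cache, otherwise query (or re-query) upstream."""
        if qname in self.trusted:
            return ("hit", self.trusted[qname])
        pq = self.pending.get(qname)
        if pq is None:
            self._send_upstream(qname)
        elif qname in self.untrusted and self._rate(pq, now) <= self.threshold:
            # The flood on this name has subsided (step 5): query again rather
            # than serve the quarantined data (claim 2).
            self._send_upstream(qname)
        return ("miss", None)

    def receive_response(self, r):
        """Steps 3 and 4 for one incoming response packet."""
        pq = self.pending.get(r.qname)
        if pq is None:
            return "ignored"       # nothing outstanding for this name
        pq.arrivals.append(r.t)    # every response for the name counts, matching or not
        if self._rate(pq, r.t) > self.threshold:
            # Under flood even a response matching ID and port is quarantined, and
            # the address the query was sent to is recorded as the attack source.
            self.untrusted.setdefault(r.qname, []).append(r.rdata)
            self.suspected_sources.add(pq.dst_ip)
            return "quarantined"
        if r.txid != pq.txid or r.dport != pq.sport:
            return "mismatch"      # ordinary DNS check: not an answer to our query
        self.trusted[r.qname] = r.rdata
        del self.pending[r.qname]
        return "trusted"

def run_scenario():
    """Constructed timeline: a forged-response flood, then a clean re-query."""
    srv, name = RecursiveServer(), "www.example.test"
    srv.client_query(name, now=0.0)
    pq, outcomes = srv.pending[name], []
    for i in range(40):  # 40 forgeries in 40 ms; the 25th guesses ID and port right
        hit = i == 24
        outcomes.append(srv.receive_response(Response(
            0.001 * (i + 1), name, pq.txid if hit else (pq.txid + 1 + i) % 65536,
            pq.sport if hit else 1024 + i, "203.0.113.66")))
    # The genuine answer arrives while the burst is still inside the window.
    outcomes.append(srv.receive_response(Response(0.06, name, pq.txid, pq.sport, "192.0.2.10")))
    after_flood = {"trusted": dict(srv.trusted), "quarantined": len(srv.untrusted[name]),
                   "sources": set(srv.suspected_sources)}
    during = srv.client_query(name, now=0.061)  # still flooded: no re-query
    later = srv.client_query(name, now=2.0)     # rate has dropped: re-query
    pq2 = srv.pending[name]
    final = srv.receive_response(Response(2.05, name, pq2.txid, pq2.sport, "192.0.2.10"))
    return {"outcomes": outcomes, "after_flood": after_flood, "during": during, "later": later,
            "final": final, "answer": srv.client_query(name, 2.1), "upstream_queries": srv.upstream_queries}
```

In the scenario the forged packet that does guess the transaction ID and port correctly is quarantined rather than cached, because by the time it arrives the per-query response count has already crossed the threshold; the genuine answer that follows inside the same window is quarantined too, and only the re-query two seconds later, when the rate has fallen back, populates the trusted cache. Two points a deployment should keep in mind: the entry in `suspected_sources` is, as claim 3 states, the destination address of the resolver's own query, i.e. the address the forged packets impersonate, so it identifies which upstream conversation was targeted rather than the attacker's real origin; and the method is a complement to, not a substitute for, randomising the transaction ID and source port, which is what makes the attacker's burst large enough to be visible as a rate anomaly in the first place.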
Claims (4)
1. A query request service method for a DNS recursive server, comprising the steps of:
1) dividing the cache of the DNS recursive server into a trusted cache and an untrusted cache, wherein the trusted cache stores trusted DNS resource records and the untrusted cache stores the DNS resource records corresponding to suspicious query requests;
2) after the recursive server receives a query request, looking in the trusted cache for a matching resource record; if one exists, returning it to the querying client; if not, sending the query to an authoritative server;
3) the recursive server monitoring the response packet arrival rate for this query, where the response packet arrival rate is the number of response packets received for the same query within a set time window;
4) if the response packet arrival rate for this query exceeds a preset trust threshold, the recursive server placing the response packets for this query in the untrusted cache; if it does not exceed the preset trust threshold, the recursive server sending the query to the authoritative server again, returning the DNS resource record obtained to the querying client, and adding it to the trusted cache as a trusted DNS resource record.
2. The method of claim 1, characterised in that, if while the response packet arrival rate for this query exceeds the preset trust threshold the recursive server receives from another client a second query request identical to this one, and the response packet arrival rate for the second query does not exceed the preset trust threshold, the recursive server sends the query to the authoritative server on behalf of the second query.
3. The method of claim 1, characterised in that, if the response packet arrival rate for a query exceeds the preset trust threshold, the recursive server determines the cache poisoning attack source from the destination IP address of the query message it sent for that query.
4. The method of claim 1, characterised in that the recursive server monitors the response packet arrival rate of query requests in real time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210328266.XA CN103685168B (en) | 2012-09-07 | 2012-09-07 | A query request service method for a DNS recursive server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103685168A CN103685168A (en) | 2014-03-26 |
CN103685168B true CN103685168B (en) | 2016-12-07 |
Family
ID=50321500
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210328266.XA Active CN103685168B (en) | A query request service method for a DNS recursive server | 2012-09-07 | 2012-09-07 |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104144165A (en) * | 2014-08-11 | 2014-11-12 | 互联网域名系统北京市工程研究中心有限公司 | Caching method and system for resisting DNS dead domain attacks |
CN105245630B (en) * | 2015-09-25 | 2019-04-23 | 互联网域名系统北京市工程研究中心有限公司 | The method and device of identification and defence DNS SERVFAIL attack |
EP3151520B1 (en) * | 2015-10-02 | 2020-03-18 | Efficient IP SAS | Quarantining an internet protocol address |
CN105939337B (en) * | 2016-03-09 | 2019-08-06 | 杭州迪普科技股份有限公司 | The means of defence and device that DNS cache is poisoned |
CN105827599A (en) * | 2016-03-11 | 2016-08-03 | 中国互联网络信息中心 | Cache infection detection method and apparatus based on deep analysis on DNS message |
CN108494891A (en) * | 2018-02-28 | 2018-09-04 | 网宿科技股份有限公司 | A kind of domain name analytic method, server and system |
CN112543215A (en) * | 2019-09-23 | 2021-03-23 | 北京国双科技有限公司 | Access request processing method, system, device, storage medium and electronic equipment |
CN111698345B (en) * | 2020-06-10 | 2022-09-20 | 山东伏羲智库互联网研究院 | Domain name query method, recursive server and storage medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101741847A (en) * | 2009-12-22 | 2010-06-16 | 北京锐安科技有限公司 | Detecting method of DDOS (distributed denial of service) attacks |
JP2011049745A (en) * | 2009-08-26 | 2011-03-10 | Toshiba Corp | Device for defending dns cache poisoning attack |
CN102035809A (en) * | 2009-09-29 | 2011-04-27 | 成都市华为赛门铁克科技有限公司 | Method, equipment and system for defending cache poison |
CN102404318A (en) * | 2011-10-31 | 2012-04-04 | 杭州迪普科技有限公司 | Method and device for prevention of DNS (Domain Name Server) cathe attack |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007058732A2 (en) * | 2005-11-10 | 2007-05-24 | Markmonitor Inc. | B2c authentication system and methods |
JPWO2008084729A1 (en) * | 2006-12-28 | 2010-04-30 | 日本電気株式会社 | Application chain virus and DNS attack source detection device, method and program thereof |
CN101431449B (en) * | 2008-11-04 | 2011-05-04 | 中国科学院计算技术研究所 | Network flux cleaning system |
CN101505218B (en) * | 2009-03-18 | 2012-04-18 | 杭州华三通信技术有限公司 | Detection method and apparatus for attack packet |
CN102624750B (en) * | 2012-04-22 | 2016-08-03 | 吴兴利 | Resist the method and system that DNS recurrence is attacked |
Also Published As
Publication number | Publication date |
---|---|
CN103685168A (en) | 2014-03-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20210209. Patentee before: Computer Network Information Center, Chinese Academy of Sciences (100190 No. 4, South 4th Street, Zhongguancun, Haidian District, Beijing). Patentee after: CHINA INTERNET NETWORK INFORMATION CENTER (100190 room 506, building 2, courtyard 4, South 4th Street, Zhongguancun, Haidian District, Beijing) |