CN107070957A - An SDN-based method for preventing DNS spoofing - Google Patents

Info

Publication number: CN107070957A
Authority: CN (China)
Prior art keywords: dns, response, sdn, packet, spoofing
Legal status: Pending
Application number: CN201710463558.7A
Other languages: Chinese (zh)
Inventors: 秦开宇, 唐勇, 杨挺, 衡鹏, 吴绍炜
Current assignee: Chengdu Ott For Communication Co Ltd; University of Electronic Science and Technology of China
Original assignee: Chengdu Ott For Communication Co Ltd; University of Electronic Science and Technology of China
Priority date: 2017-06-19
Filing date: 2017-06-19
Publication date: 2017-08-18
Application filed by Chengdu Ott For Communication Co Ltd and University of Electronic Science and Technology of China
Priority to CN201710463558.7A
Publication of CN107070957A
Current legal status: pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The invention discloses an SDN-based method for preventing DNS spoofing. An SDN system is deployed and an IP address white list is created for the UDP port 53 of the SDN controller. The physical port on which a DNS response arrives is checked: if it is not the port through which the originally configured DNS server is reached, i.e. the source IP address lies outside the white list, the response is discarded. In addition, the response message is parsed to determine whether it carries authority and additional section records; if it carries neither, the response is discarded. This effectively solves the problem of a user reaching a DNS server implanted into the network and accepting that server's response.

Description

An SDN-based method for preventing DNS spoofing
Technical field
The invention belongs to the technical field of preventing DNS spoofing, and in particular relates to an SDN-based method for preventing DNS spoofing.
Background
SDN originated in the Stanford University campus project called Clean Slate. It is an innovative network architecture whose core idea is to separate the forwarding plane from the control plane: a centralized controller configures and manages a variety of network devices through standard interfaces, so that network management becomes more centralized and more fine-grained.
A DNS server consists of a domain name resolver and a name server. A name server holds the domain names and corresponding IP addresses of all hosts in the network and converts domain names to IP addresses. A domain name must correspond to an IP address, whereas an IP address does not necessarily have a domain name. The domain name system uses a hierarchical organization similar to a directory tree. A name server is the server side of a client/server model and comes in two main forms, the master server and the forwarding server. The process of mapping a domain name to an IP address is called "domain name resolution".
Two DNS spoofing techniques are common: the insider attack and the sequence number attack. In the insider attack, a hacker who has taken control of a DNS server modifies the contents of its domain database and assigns a false IP address to a specific domain name; when a client queries that domain name, it receives the forged IP. In the sequence number attack, a disguised DNS server sends a response datagram to the client before the real DNS server does; the sequence number (ID) in that datagram is identical to the ID in the request the client sent to the real DNS server, so the client accepts the false datagram and discards the genuine one that arrives later. This is DNS ID sequence number spoofing: the IP address given for the domain name in the false datagram is one set by the attacker, and the client is led by that IP to a website the attacker specifies.
Summary of the invention
The object of the invention is to provide, in view of the above deficiencies of the prior art, an SDN-based method for preventing DNS spoofing, so as to solve the problem of a user erroneously reaching a DNS server implanted into the network and accepting that server's response.
To achieve the above object, the invention adopts the following technical scheme:
An SDN-based method for preventing DNS spoofing, comprising
Step S1: set up an SDN in which the forwarding plane and the control plane are separated;
Step S2: in the SDN, obtain from the configuration information of the DNS server the corresponding physical port of the SDN switch, thereby confirming the network location of the DNS server;
Step S3: establish on the SDN controller a trusted port for accessing the DNS server;
Step S4: when a DNS packet sent by a host reaches an interface of the SDN switch and the switch fails to match the packet against a flow table entry, send the Layer 2 frame of the DNS packet to the SDN controller;
Step S5: when the SDN controller receives two response packets, DNS spoofing is present in the DNS traffic; compare the identification (ID) fields in the DNS response messages of the two response packets;
Step S6: if the IDs of the two DNS response messages are identical, parse the authority and additional section records of both messages; a DNS response message with neither authority nor additional section records is a spoofed message, so discard that response packet and forward the response packet that carries authority and additional section records;
Step S7: if the IDs of the two DNS response messages differ, filter them using the IP address white list established for the trusted port: discard the DNS response message whose address is not in the white list and forward the one whose address is in the white list.
Preferably, the trusted port in step S3 is the UDP port 53 used on the SDN controller to access the DNS server.
Preferably, for one domain name query the DNS server responds with exactly one data response packet, and that packet contains at least one answer record.
Preferably, the spoofed message contains only one answer record and no authority or additional section records.
The SDN-based method for preventing DNS spoofing provided by the invention has the following beneficial effects:
The invention deploys an SDN system and creates an IP address white list for the UDP port 53 of the SDN controller. The physical port on which a response arrives is checked: if it is not the port through which the originally configured DNS server is reached, i.e. the source IP address lies outside the white list, the response is discarded. In addition, the response message is parsed to determine whether it carries authority and additional section records; if it carries neither, the response is discarded. This effectively solves the problem of a user reaching a DNS server implanted into the network and accepting that server's response.
Brief description of the drawings
Fig. 1 is a flow chart of the SDN-based method for preventing DNS spoofing.
Fig. 2 is a schematic block diagram of the SDN-based method for preventing DNS spoofing.
Detailed description of the embodiments
Embodiments of the invention are described below so that those skilled in the art can understand the invention. It should be apparent that the invention is not limited to the scope of these embodiments; for those skilled in the art, as long as a variation falls within the spirit and scope of the invention as defined by the appended claims, the variation is obvious, and all innovations that make use of the inventive concept are within the scope of protection.
According to one embodiment of the application, as shown in Figs. 1-2, the SDN-based method for preventing DNS spoofing of this scheme proceeds as follows.
An SDN in which the forwarding plane and the control plane are separated is set up.
In the SDN, the corresponding physical port of the SDN switch is obtained from the configuration information of the DNS server, thereby confirming the network location of the DNS server.
A trusted port through which the DNS server may be accessed is established on the SDN controller; the trusted port is the UDP port 53 used on the SDN controller to access the DNS server.
When a DNS packet sent by a host reaches an interface of the SDN switch and the switch fails to match the packet against a flow table entry, the Layer 2 frame of the DNS packet is sent to the SDN controller.
When the SDN controller receives two response packets, DNS spoofing is present, and the two response packets are judged: one is the response packet sent by the attacker, the other is the genuine DNS response packet. Normally a DNS server does not send a client multiple response packets with different results for a single domain name query; even when a domain name corresponds to several IP addresses, the DNS server returns them to the client in a single response packet, which then simply contains several answer records. That is, for one domain name query the DNS server returns exactly one data response packet, and that packet contains at least one answer record.
The SDN controller parses and compares the ID fields in the DNS response messages of the two received response packets; if the IDs of the two DNS response messages are identical, it parses the authority and additional section records of both messages.
A DNS spoofing response packet is constructed more simply than a genuine response packet: it typically contains only one answer record and no authority or additional section records. This is because the attacker, to ensure the spoof succeeds, must get the forged response to the client before the genuine response arrives and must therefore minimize the time needed to build it, whereas a legitimate, correct response packet is comparatively complex, containing not only several answer records but also authority and additional section records. The spoofed response packet can therefore be identified by this difference and discarded.
Of the two response packets whose DNS message IDs are identical, the authority and additional section records are parsed and checked; if one DNS response message is found to contain neither authority nor additional section records, it is judged to be the spoofed message, the other is judged to be the correct DNS response message, and the correct one is forwarded.
If the IDs of the two DNS response messages differ, filtering is performed using the IP address white list established for the UDP port 53 trusted port: responses from outside the white list are discarded and the correct DNS response message is forwarded.
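The decision logic of steps S5 to S7, as an added worked example that is not part of the patent or of its applicants' implementation. It assumes a controller that already receives DNS responses via packet-in (steps S1 to S4) and knows the switch ingress port of each one; the white list contents, the DNS header values and all function and constant names are constructed for illustration:

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Step S3 trusted port: (SDN switch physical port, DNS server IP) pairs that the
# controller learned from the DNS server configuration (step S2).
# The values are constructed for this example.
TRUSTED_RESOLVERS = {(3, "10.0.0.53")}


@dataclass(frozen=True)
class DnsResponse:
    """Header fields of one DNS response plus where it entered the switch."""
    ident: int      # transaction ID (the "identification field" of step S5)
    ancount: int    # answer records
    nscount: int    # authority-section records
    arcount: int    # additional-section records
    in_port: int    # physical port of the SDN switch the datagram arrived on
    src_ip: str     # IPv4 source address of the UDP/53 datagram


def parse_dns_response(payload: bytes, in_port: int, src_ip: str) -> DnsResponse:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1).

    Only the header is needed for steps S5-S7: the ID and the record counts.
    Queries (QR bit clear) are rejected because the rules apply to responses.
    """
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, _qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a DNS response")
    return DnsResponse(ident, ancount, nscount, arcount, in_port, src_ip)


def has_authority_or_additional(r: DnsResponse) -> bool:
    """Step S6 test: the genuine response carries authority/additional records;
    the spoof the patent describes carries one answer record and nothing else."""
    return r.nscount > 0 or r.arcount > 0


def is_trusted(r: DnsResponse) -> bool:
    """Step S7 test: the response must arrive on the trusted port from a
    white-listed DNS server address."""
    return (r.in_port, r.src_ip) in TRUSTED_RESOLVERS


def arbitrate(a: DnsResponse, b: DnsResponse) -> Optional[DnsResponse]:
    """Steps S5-S7: two responses reached the controller for one query.

    Returns the response to forward, or None when the rule does not single out
    exactly one response. The patent does not cover that case; dropping both
    is this example's choice.
    """
    if a.ident == b.ident:
        # S6: same ID, decide by the presence of authority/additional records
        keep = [r for r in (a, b) if has_authority_or_additional(r)]
    else:
        # S7: different IDs, decide by the trusted-port IP white list
        keep = [r for r in (a, b) if is_trusted(r)]
    return keep[0] if len(keep) == 1 else None


def sample_header(ident: int, ancount: int, nscount: int, arcount: int) -> bytes:
    """Constructed DNS response header: flags 0x8180 = QR, RD, RA; one question."""
    return struct.pack("!6H", ident, 0x8180, 1, ancount, nscount, arcount)


# Constructed traffic. The real server (trusted port 3) answers with two answer
# records plus one authority and one additional record; the forged replies enter
# on port 7 from an address outside the white list and carry a single answer.
LEGIT = parse_dns_response(sample_header(0x1234, 2, 1, 1), in_port=3, src_ip="10.0.0.53")
SPOOF_SAME_ID = parse_dns_response(sample_header(0x1234, 1, 0, 0), in_port=7, src_ip="10.0.0.99")
SPOOF_OTHER_ID = parse_dns_response(sample_header(0x5678, 1, 0, 0), in_port=7, src_ip="10.0.0.99")

if __name__ == "__main__":
    print("S6 keeps the genuine response:", arbitrate(SPOOF_SAME_ID, LEGIT) is LEGIT)
    print("S7 keeps the genuine response:", arbitrate(SPOOF_OTHER_ID, LEGIT) is LEGIT)
```

The S6 rule inspects only the record counts in the header, so it rests entirely on the structural difference the patent describes (one answer record, no authority or additional records) and does not validate the records themselves; the S7 white list is consulted only when the two IDs differ. A deployment would pair the trusted (port, address) set with the flow rules pushed in step S3, so that the controller sees the ingress port directly from the packet-in metadata rather than from a hard-coded constant.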
The inventive concept is ingenious. By deploying an SDN system and creating an IP address white list for the UDP port 53 of the SDN controller, the physical port on which a response arrives is checked: if it is not the port through which the originally configured DNS server is reached, i.e. the source IP address lies outside the white list, the response is discarded. In addition, the response message is parsed to determine whether it carries authority and additional section records; if it carries neither, the response is discarded. This effectively solves the problem of a user reaching a DNS server implanted into the network and accepting that server's response, and the method is highly practical and suitable for wide adoption.
Although the embodiments of the invention have been described in detail with reference to the accompanying drawings, this should not be construed as limiting the scope of protection of the patent. Within the scope described by the claims, modifications and variations made by those skilled in the art without inventive effort still fall within the scope of protection of the patent.

Claims (4)

1. An SDN-based method for preventing DNS spoofing, characterized in that it comprises
Step S1: setting up an SDN in which the forwarding plane and the control plane are separated;
Step S2: in the SDN, obtaining from the configuration information of the DNS server the corresponding physical port of the SDN switch, thereby confirming the network location of the DNS server;
Step S3: establishing on the SDN controller a trusted port for accessing the DNS server;
Step S4: when a DNS packet sent by a host reaches an interface of the SDN switch and the switch fails to match the packet against a flow table entry, sending the Layer 2 frame of the DNS packet to the SDN controller;
Step S5: when the SDN controller receives two response packets, DNS spoofing is present in the DNS traffic; comparing the identification (ID) fields in the DNS response messages of the two response packets;
Step S6: if the IDs of the two DNS response messages are identical, parsing the authority and additional section records of both messages; a DNS response message with neither authority nor additional section records is a spoofed message, so discarding that response packet and forwarding the response packet that carries authority and additional section records;
Step S7: if the IDs of the two DNS response messages differ, filtering them using the IP address white list established for the trusted port: discarding the DNS response message whose address is not in the white list and forwarding the one whose address is in the white list.
2. The SDN-based method for preventing DNS spoofing according to claim 1, characterized in that the trusted port in step S3 is the UDP port 53 used on the SDN controller to access the DNS server.
3. The SDN-based method for preventing DNS spoofing according to claim 1, characterized in that, for one domain name query, the DNS server responds with exactly one data response packet, and that packet contains at least one answer record.
4. The SDN-based method for preventing DNS spoofing according to claim 1, characterized in that the spoofed message contains only one answer record and no authority or additional section records.
Priority Applications (1)

Application Number   Priority Date   Filing Date   Title
CN201710463558.7A (CN107070957A)   2017-06-19   2017-06-19   An SDN-based method for preventing DNS spoofing (pending)

Publications (1)

Publication Number   Publication Date
CN107070957A   2017-08-18

Family ID: 59595434

Country Status (1)

Country   Link
CN (1)   CN107070957A

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
CN109361676A (en) *   2018-11-01   2019-02-19   天津睿邦安通技术有限公司   DNS hijacking defence method, apparatus and system based on a firewall system
US11438151B2 (en)   2019-04-03   2022-09-06   Cisco Technology, Inc.   Enriching local cryptoprocessor queries with SDN augmented information

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number   Priority date   Publication date   Assignee   Title
US20030110274A1 (en) *   2001-08-30   2003-06-12   Riverhead Networks Inc.   Protecting against distributed denial of service attacks
US20120303808A1 (en) *   2011-05-24   2012-11-29   Palo Alto Networks, Inc.   Using DNS communications to filter domain names
CN104618351A (en) *   2015-01-15   2015-05-13   中国科学院信息工程研究所   Method for identifying DNS spoofing attack packets and detecting DNS spoofing attacks
CN105119930A (en) *   2015-09-09   2015-12-02   南京理工大学   Malicious website protection method based on the OpenFlow protocol

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
N. M. Sahri: "Protecting DNS services from IP spoofing - SDN collaborative authentication approach", Proceedings of CFI '16, the 11th International Conference on Future Internet Technologies *
Yehuda Afek: "Network Anti-Spoofing with SDN Data plane", IEEE INFOCOM 2017 - IEEE Conference on Computer Communications *
孔政: "Principles of DNS spoofing and a defence scheme", Computer Engineering (计算机工程) *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination