CN107707569A - DNS request processing method and DNS systems - Google Patents

Publication number
CN107707569A
Authority
CN
China
Legal status
Pending
Application number
CN201711107626.2A
Other languages
Chinese (zh)
Inventor
毛帅
张永波
Current Assignee
Beijing Knownsec Information Technology Co Ltd
Original Assignee
Beijing Knownsec Information Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Abstract

The present invention provides a DNS request processing method and a DNS system. The method is applied to a DNS system and includes: obtaining a DNS request sent by a user terminal; parsing the DNS request to obtain a danger degree parameter of the DNS request; when the danger degree parameter is lower than a first preset threshold, returning to the user terminal the Internet IP address corresponding to the DNS request; and when the danger degree parameter is higher than the first preset threshold, treating the DNS request as a dangerous DNS request and returning a preset IP address to the user terminal. In this way, potentially dangerous network attacks are intercepted while DNS requests are being processed, which reduces the server or bandwidth resources that must be invested to withstand large-scale attacks, and the protection effect is good.

Description

DNS request processing method and DNS system
Technical field
The present invention relates to the technical field of network security, and in particular to a DNS request processing method and a DNS system.
Background
A CC (Challenge Collapsar) attack is a type of DDoS (Distributed Denial of Service) attack and a method commonly used by hackers. The attacker typically uses a large number of proxy servers or zombie machines to send a large volume of requests to a target server at the same time, exhausting the target server's resources or bandwidth and thereby preventing the target server from operating normally. Existing methods for countering large-scale CC attacks that exceed the target's own defensive capacity usually rely on stacking servers or adding bandwidth. The added resources sit idle when no attack is under way, which raises operating costs and wastes resources.
Summary of the invention
To overcome the above deficiencies of the prior art, an object of the present invention is to provide a DNS request processing method applied to a DNS system, the method including:
Obtaining a DNS request;
Parsing the DNS request to obtain a danger degree parameter of the DNS request;
When the danger degree parameter is lower than a first preset threshold, returning to the user terminal the Internet IP address corresponding to the DNS request;
When the danger degree parameter is higher than the first preset threshold, treating the DNS request as a dangerous DNS request and returning a preset IP address to the user terminal.
Optionally, in the above method, the DNS request includes the IP address of the user terminal that sent the DNS request, and the DNS system stores a whitelist and a blacklist in advance. Before the step of parsing the DNS request, the method further includes:
Querying whether the IP address of the user terminal that sent the DNS request is recorded in the whitelist or the blacklist;
When the IP address of the user terminal is recorded in the whitelist, responding to the DNS request and returning to the user terminal the Internet IP address corresponding to the DNS request;
When the IP address of the user terminal is recorded in the blacklist, returning a preset IP address to the user terminal;
When the user terminal is recorded in neither the whitelist nor the blacklist, performing the step of parsing the DNS request.
Optionally, in the above method, the DNS system stores danger degree judgment rules in advance, and the danger degree judgment rules include the danger values corresponding to different preset conditions. The step of parsing the DNS request to obtain the danger degree parameter of the DNS request includes:
Parsing the DNS request and, for each preset condition, determining whether the DNS request meets that preset condition; when the DNS request meets the preset condition, increasing the danger degree parameter of the DNS request by the corresponding danger value.
Optionally, in the above method, the step of determining, for each preset condition, whether the DNS request meets that preset condition and, when it does, increasing the danger degree parameter of the DNS request by the corresponding danger value includes:
Determining whether the DNS request contains a non-standard HTTP header and, if so, increasing the danger degree parameter of the DNS request by a first danger value;
Determining whether the access frequency, within a preset time, of the IP address that sent the DNS request exceeds a second preset threshold and, if so, increasing the danger degree parameter of the DNS request by a second danger value;
Determining whether the DNS request requests access to a preset URL and, if so, increasing the danger degree parameter of the DNS request by the second danger value;
Determining whether the DNS request requests concurrent access to the same file and, if so, increasing the danger degree parameter of the DNS request by the second danger value;
Determining whether the URL accessed by the DNS request is randomly generated and, if so, increasing the danger degree parameter of the DNS request by the first danger value;
Determining whether the user terminal that sent the DNS request uses a proxy IP and, if so, increasing the danger degree parameter of the DNS request by the second danger value;
Wherein the first danger value is greater than the second danger value.
Optionally, in the above method, the preset IP address returned to the user terminal is a loopback address, so that the access request of the user terminal points to the user terminal itself.
Optionally, in the above method, the DNS system communicates with a public DNS server, and the method further includes:
Setting an NS record for the domain name of a target website, so that the public DNS server sends DNS requests initiated for the domain name of the target website to the DNS system.
Optionally, in the above method, the DNS system supports the edns-client-subnet extension protocol and uses it to obtain, from the public DNS server, the IP address of the user terminal that sent the DNS request.
Optionally, in the above method, after the step of treating the DNS request as a dangerous DNS request and returning a preset IP address to the user terminal, the method further includes:
Recording the IP address of the user terminal in the blacklist.
Optionally, in the above method, after the step of treating the DNS request as a dangerous DNS request and returning a preset IP address to the user terminal, the method further includes:
Recording the number of dangerous DNS requests sent by the user terminal and, when the number of DNS requests sent by the user terminal exceeds a third preset threshold, recording the IP address of the user terminal in the blacklist.
Another object of the present invention is to provide a DNS system, including:
An acquisition module, configured to obtain a DNS request;
A parsing module, configured to parse the DNS request and obtain the danger degree parameter of the DNS request;
A first execution module, configured to return to the user terminal the Internet IP address corresponding to the DNS request when the danger degree parameter is lower than the first preset threshold;
A second execution module, configured to treat the DNS request as a dangerous DNS request and return a preset IP address to the user terminal when the danger degree parameter is higher than the first preset threshold.
Compared with the prior art, the present invention has the following beneficial effects:
The DNS request processing method and DNS system provided by the present invention identify, during DNS request resolution, DNS requests that may belong to a dangerous network attack; such requests are not answered normally, and a preset IP address is returned instead. In this way, potentially dangerous network attacks are intercepted while DNS requests are being processed, which reduces the server or bandwidth resources that must be invested to withstand large-scale attacks, and the protection effect is good.
Brief description of the drawings
To explain the technical solutions of the embodiments of the present invention more clearly, the drawings used in the embodiments are briefly described below. It should be understood that the following drawings show only certain embodiments of the present invention and should therefore not be regarded as limiting its scope; a person of ordinary skill in the art can derive other related drawings from them without creative effort.
Fig. 1 is a first schematic diagram of an application scenario of the DNS system provided by an embodiment of the present invention;
Fig. 2 is a second schematic diagram of an application scenario of the DNS system provided by an embodiment of the present invention;
Fig. 3 is a schematic flowchart of the steps of the DNS request processing method provided by an embodiment of the present invention;
Fig. 4 is a schematic diagram of the danger degree judgment rules provided by an embodiment of the present invention;
Fig. 5 is a schematic diagram of the DNS request processing apparatus provided by an embodiment of the present invention.
Reference numerals: 100 - DNS system; 111 - acquisition module; 112 - parsing module; 113 - first execution module; 114 - second execution module; 200 - user terminal; 300 - public DNS server; 400 - server of the target website.
Detailed description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The described embodiments are some, not all, of the embodiments of the present invention. The components of the embodiments generally described and illustrated in the drawings may be arranged and designed in a variety of configurations.
Therefore, the following detailed description of the embodiments provided in the drawings is not intended to limit the scope of the claimed invention, but merely represents selected embodiments. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present invention.
It should be noted that similar reference numerals and letters denote similar items in the following drawings; once an item is defined in one drawing, it need not be defined or explained again in subsequent drawings.
In the description of the present invention, it should be noted that the terms "first", "second", "third" and so on are used only to distinguish descriptions and are not to be understood as indicating or implying relative importance.
In the description of the present invention, it should also be noted that, unless otherwise expressly specified and limited, the terms "set", "install", "connected" and "connection" are to be understood broadly. For example, a connection may be fixed, detachable or integral; it may be mechanical or electrical; and it may be direct, indirect through an intermediary, or internal between two elements. A person of ordinary skill in the art can understand the specific meaning of these terms in the present invention according to the specific circumstances.
Referring to Fig. 1, Fig. 1 is a schematic diagram of an application scenario of the DNS system 100 provided by a preferred embodiment of the present invention. The DNS system 100 can communicate with a user terminal 200 and evaluates the DNS requests sent by the user terminal 200. When a DNS request may belong to a dangerous network attack (such as a CC attack), the DNS system does not respond to it, so that the user terminal 200 cannot reach the attacked target. When the DNS request does not belong to a dangerous network attack, the DNS system responds to it and returns the corresponding Internet IP address to the user terminal 200.
In one possible implementation of this embodiment, the DNS system 100 may be a public DNS system 100 that provides general-purpose CC attack protection.
In another possible implementation of this embodiment, the DNS system 100 may be a dedicated DNS system 100 that provides CC attack protection for the server 400 of a target website. Referring to Fig. 2, in this implementation the DNS system 100 can be connected to a public DNS server 300. For the domain name of the target website, an NS record is first set up between the public DNS server 300 and the DNS system 100 provided by this embodiment, so that the public DNS server 300 sends DNS requests initiated for the target domain name to the DNS system 100 of this implementation for resolution. In this way, dedicated protection is provided for the server 400 of the target website.
Referring to Fig. 3, Fig. 3 is a flowchart of a DNS request processing method applied to the DNS system 100 shown in Fig. 1. Each step of the method is described in detail below.
Step S110: obtain the DNS request sent by the user terminal 200.
In this embodiment, the DNS system 100 can receive the DNS request sent by the user terminal 200 directly and obtain the IP address of the user terminal 200. The DNS system 100 can also receive DNS requests through the public DNS server 300. In that case the DNS system 100 supports the edns-client-subnet extension protocol and uses it to obtain, from the public DNS server 300, the IP address of the user terminal 200 that sent the DNS request.
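The edns-client-subnet option used here normally carries a truncated client prefix rather than a full address, which matters when the result feeds an IP blacklist. The following parser is an added example, not code from the patent; it follows the RFC 7871 option layout, and the function names and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8             # edns-client-subnet option code (RFC 7871)
ADDRESS_BYTES = {1: 4, 2: 16}   # FAMILY 1 = IPv4, FAMILY 2 = IPv6


def parse_ecs_option(option: bytes):
    """Parse one EDNS option in wire format and return the client network."""
    if len(option) < 8:
        raise ValueError("too short for an edns-client-subnet option")
    # OPTION-CODE, OPTION-LENGTH, FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH
    code, length, family, source_len, _scope_len = struct.unpack("!HHHBB", option[:8])
    if code != ECS_OPTION_CODE:
        raise ValueError("not an edns-client-subnet option")
    if family not in ADDRESS_BYTES:
        raise ValueError("unknown address family")
    total = ADDRESS_BYTES[family]
    if source_len > total * 8:
        raise ValueError("source prefix longer than the address")
    address = option[8:]
    # ADDRESS is truncated to the bytes needed for SOURCE PREFIX-LENGTH bits.
    if length != 4 + len(address) or len(address) != (source_len + 7) // 8:
        raise ValueError("option length does not match the prefix length")
    padded = address + b"\x00" * (total - len(address))
    network_cls = ipaddress.IPv4Network if family == 1 else ipaddress.IPv6Network
    # strict=True rejects options whose bits beyond the prefix are not zero.
    return network_cls((padded, source_len), strict=True)


def clients_covered(network):
    """Number of addresses that one blacklist entry for this prefix would cover."""
    return network.num_addresses


# Constructed sample: the option a public resolver might attach for a client
# in 203.0.113.0/24 (code 8, length 7, family 1, source /24, scope 0).
SAMPLE_OPTION = bytes.fromhex("0008" "0007" "0001" "18" "00" "cb0071")
```

With a /24 prefix, a whitelist or blacklist entry derived from this option applies to every client behind that prefix, not to a single user terminal.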
Step S120: query whether the IP address of the user terminal 200 that sent the DNS request is recorded in the whitelist or the blacklist.
In this embodiment, the DNS system 100 stores a whitelist and a blacklist in advance. After receiving the DNS request, the DNS system 100 first determines whether the IP address of the user terminal 200 that sent the DNS request is recorded in the whitelist or the blacklist.
When the IP address of the user terminal 200 is recorded in the whitelist, the DNS request can be judged to be a normal DNS request that needs no protective handling; the DNS system 100 responds to the DNS request and proceeds to step S130.
When the IP address of the user terminal 200 is recorded in the blacklist, the DNS request can be judged to be a CC-attack DNS request that must be intercepted; the DNS system 100 does not respond to the DNS request and proceeds to step S140.
When the user terminal 200 is recorded in neither the whitelist nor the blacklist, the DNS system 100 needs to evaluate the request further and proceeds to step S150.
Step S130: respond to the DNS request and return to the user terminal 200 the Internet IP address corresponding to the DNS request.
Step S140: return a preset IP address to the user terminal 200.
In this embodiment, for a DNS request that may belong to a CC attack, the DNS system 100 does not respond normally and instead returns a preset address, so that the user terminal 200 that sent the DNS request cannot reach the attacked target. The preset address may be a blank address or a loopback address (127.0.0.1).
In this way, the method provided by this embodiment applies security protection at the point where DNS requests are resolved, so that CC attack traffic cannot reach the attacked target, and the target no longer needs to stack servers or add bandwidth to withstand large-scale CC attacks.
Step S150: parse the DNS request and obtain the danger degree parameter of the DNS request.
In this embodiment, if the IP address that sent the DNS request is in neither the whitelist nor the blacklist, the DNS system 100 parses the DNS request further.
Optionally, the DNS system 100 stores danger degree judgment rules in advance, and the danger degree judgment rules include the danger values corresponding to different preset conditions. The DNS system 100 parses the DNS request and, for each preset condition, determines whether the DNS request meets that preset condition; when it does, the danger degree parameter of the DNS request is increased by the corresponding danger value.
For example, the DNS system 100 may include the following correspondence between preset conditions and danger values:
Determine whether the DNS request contains a non-standard HTTP header; if so, increase the danger degree parameter of the DNS request by the first danger value.
Determine whether the access frequency, within a preset time, of the IP address that sent the DNS request exceeds the second preset threshold; if so, increase the danger degree parameter of the DNS request by the second danger value. The preset time may be 10 seconds.
Determine whether the DNS request requests access to a preset URL; if so, increase the danger degree parameter of the DNS request by the second danger value.
Determine whether the DNS request requests concurrent access to the same file; if so, increase the danger degree parameter of the DNS request by the second danger value.
Determine whether the URL accessed by the DNS request is randomly generated; if so, increase the danger degree parameter of the DNS request by the first danger value.
Determine whether the user terminal 200 that sent the DNS request uses a proxy IP; if so, increase the danger degree parameter of the DNS request by the second danger value.
The first danger value is greater than the second danger value; for example, referring to Fig. 4, the first danger value may be 10 and the second danger value may be 5.
After the danger degree parameter of the DNS request is obtained, the method proceeds to step S160.
Step S160: determine whether the danger degree parameter is greater than the first preset threshold.
When the danger degree parameter is lower than the first preset threshold, proceed to step S130.
When the danger degree parameter is higher than the first preset threshold, treat the DNS request as a dangerous DNS request and proceed to step S140.
Optionally, after treating the DNS request as a dangerous DNS request, the DNS server may record the IP address that sent the DNS request in the blacklist.
Optionally, after treating the DNS request as a dangerous DNS request, the DNS system 100 may record the number of dangerous DNS requests sent by the user terminal 200 and, when the number of DNS requests sent by the user terminal 200 exceeds the third preset threshold, record the IP address of the user terminal 200 in the blacklist.
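Steps S120 to S160 and the optional blacklisting step can be put together as follows. This is an added example, not code from the patent: the danger values 10 and 5, the 10-second window and 127.0.0.1 come from the description, while the three numeric thresholds, the class and function names, the per-condition flags and the sample addresses are assumptions, since the page does not specify them or say how each condition is detected.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

FIRST_DANGER_VALUE = 10    # example value the description gives with Fig. 4
SECOND_DANGER_VALUE = 5    # example value the description gives with Fig. 4
WINDOW_SECONDS = 10        # example "preset time" from the description
PRESET_IP = "127.0.0.1"    # loopback address returned for dangerous requests
# Assumed values: the page names these thresholds but gives no numbers.
FIRST_THRESHOLD = 10       # a score above this marks the request dangerous
SECOND_THRESHOLD = 20      # requests per window above this count as high frequency
THIRD_THRESHOLD = 2        # dangerous requests above this blacklist the client


@dataclass
class DnsRequest:
    client_ip: str
    qname: str
    timestamp: float
    # Preset conditions, supplied as flags because the page does not say how
    # each one is detected.
    nonstandard_http_header: bool = False
    preset_url: bool = False
    concurrent_same_file: bool = False
    random_url: bool = False
    proxy_ip: bool = False


def danger_score(req, requests_in_window):
    """Sum the danger values of every preset condition the request meets."""
    first = (req.nonstandard_http_header, req.random_url)
    second = (requests_in_window > SECOND_THRESHOLD, req.preset_url,
              req.concurrent_same_file, req.proxy_ip)
    return FIRST_DANGER_VALUE * sum(first) + SECOND_DANGER_VALUE * sum(second)


class DnsFilter:
    def __init__(self, zone, whitelist=(), blacklist=()):
        self.zone = dict(zone)                 # qname -> real IP address
        self.whitelist = set(whitelist)
        self.blacklist = set(blacklist)
        self._recent = defaultdict(deque)      # client IP -> timestamps in window
        self._dangerous = defaultdict(int)     # client IP -> dangerous request count

    def _requests_in_window(self, req):
        """Record this request and count the client's requests in the window."""
        window = self._recent[req.client_ip]
        window.append(req.timestamp)
        while window[0] <= req.timestamp - WINDOW_SECONDS:
            window.popleft()
        return len(window)

    def resolve(self, req):
        """Return the IP address to place in the answer (steps S120 to S160)."""
        if req.client_ip in self.whitelist:            # S120 -> S130
            return self.zone.get(req.qname)
        if req.client_ip in self.blacklist:            # S120 -> S140
            return PRESET_IP
        score = danger_score(req, self._requests_in_window(req))   # S150
        # The page leaves score == threshold undefined; it is answered normally here.
        if score > FIRST_THRESHOLD:                    # S160 -> S140
            self._dangerous[req.client_ip] += 1
            if self._dangerous[req.client_ip] > THIRD_THRESHOLD:
                self.blacklist.add(req.client_ip)
            return PRESET_IP
        return self.zone.get(req.qname)                # S160 -> S130


def demo():
    """Run constructed requests through the filter; names and addresses are made up."""
    name = "www.example.com"
    flt = DnsFilter({name: "198.51.100.10"}, whitelist={"203.0.113.5"})
    answers = [
        # Whitelisted client: answered even though two conditions are met.
        flt.resolve(DnsRequest("203.0.113.5", name, 0.0, random_url=True, proxy_ip=True)),
        # Unknown client behind a proxy: score 5, below the threshold.
        flt.resolve(DnsRequest("203.0.113.9", name, 0.0, proxy_ip=True)),
    ]
    # Unknown client scoring 15 three times: sinkholed, then blacklisted.
    for t in (1.0, 2.0, 3.0):
        answers.append(flt.resolve(
            DnsRequest("203.0.113.66", name, t, random_url=True, proxy_ip=True)))
    # The same client, now blacklisted, sends a clean request.
    answers.append(flt.resolve(DnsRequest("203.0.113.66", name, 4.0)))
    return answers
```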
Referring to Fig. 5, this embodiment also provides a DNS system 100, which includes an acquisition module 111, a parsing module 112, a first execution module 113 and a second execution module 114.
The acquisition module 111 is configured to obtain a DNS request.
In this embodiment, the acquisition module 111 can be used to perform step S110 shown in Fig. 3; for a detailed description of the acquisition module 111, refer to the description of step S110.
The parsing module 112 is configured to parse the DNS request and obtain the danger degree parameter of the DNS request.
In this embodiment, the parsing module 112 can be used to perform step S120 shown in Fig. 3; for a detailed description of the parsing module 112, refer to the description of step S120.
The first execution module 113 is configured to return to the user terminal 200 the Internet IP address corresponding to the DNS request when the danger degree parameter is lower than the first preset threshold.
In this embodiment, the first execution module 113 can be used to perform step S130 shown in Fig. 3; for a detailed description of the first execution module 113, refer to the description of step S130.
The second execution module 114 is configured to treat the DNS request as a dangerous DNS request and return a preset IP address to the user terminal 200 when the danger degree parameter is higher than the first preset threshold.
In this embodiment, the second execution module 114 can be used to perform step S140 shown in Fig. 3; for a detailed description of the second execution module 114, refer to the description of step S140.
In summary, the DNS request processing method and DNS system 100 provided by the present invention identify, during DNS request resolution, DNS requests that may belong to a dangerous network attack; such requests are not answered normally, and the preset IP address is returned instead. In this way, potentially dangerous network attacks are intercepted while DNS requests are being processed, which reduces the server or bandwidth resources that must be invested to withstand large-scale attacks, and the protection effect is good.
In the embodiments provided in this application, it should be understood that the disclosed apparatus and method may also be implemented in other ways. The apparatus embodiments described above are merely illustrative. For example, the flowcharts and block diagrams in the drawings show the possible architecture, functions and operations of apparatuses, methods and computer program products according to multiple embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code that contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the drawings. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functions involved. It should also be noted that each block in the block diagrams and/or flowcharts, and combinations of such blocks, can be implemented by a dedicated hardware-based system that performs the specified functions or actions, or by a combination of dedicated hardware and computer instructions.
In addition, the functional modules in the embodiments of the present invention may be integrated to form one independent part, may each exist separately, or two or more modules may be integrated to form one independent part.
If the functions are implemented as software functional modules and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of the present invention in essence, or the part that contributes to the prior art, or a part of the technical solution, may be embodied as a software product. The computer software product is stored in a storage medium and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods of the embodiments of the present invention. The storage medium includes any medium that can store program code, such as a USB flash disk, a removable hard disk, read-only memory (ROM, Read-Only Memory), random access memory (RAM, Random Access Memory), a magnetic disk or an optical disc.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between those entities or operations. Moreover, the terms "include", "comprise" and their variants are intended to be non-exclusive, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to the process, method, article or device. Without further limitation, an element qualified by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The above are only specific embodiments of the present invention, and the scope of protection of the present invention is not limited to them. Any change or replacement that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be defined by the scope of the claims.

Claims (10)

  1. A kind of 1. DNS request processing method, applied to DNS systems, it is characterised in that methods described includes:
    Obtain the DNS request that user terminal is sent;
    The DNS request is parsed, obtains the degree of danger parameter of the DNS request;
    When the degree of danger parameter is less than the first predetermined threshold value, fed back to the user terminal corresponding to the DNS request mutually Networking IP address;
    When the degree of danger parameter is higher than first predetermined threshold value, using the DNS request as dangerous DNS request, to this User terminal feeds back a preset IP address.
  2. 2. according to the method for claim 1, it is characterised in that the user that the DNS request includes sending the DNS request is whole The IP address at end;The DNS systems prestore white list and blacklist;The described pair of DNS request parses the step of it Before, methods described also includes:
    Whether the IP address that inquiry sends the user terminal of the DNS request has record in the white list or blacklist;
    When the IP address of the user terminal has record in the white list, the DNS request is responded, it is anti-to the user terminal Present web IP address corresponding to the DNS request;
    When the IP address of the user terminal has record in the blacklist, to the user terminal with feeding back the default IP Location;
    When the user terminal does not record in the white list and blacklist, then perform and the DNS request is solved The step of analysis.
  3. 3. method according to claim 1 or 2, it is characterised in that the DNS systems prestore degree of danger judgment rule, The degree of danger judgment rule includes dangerous values corresponding to different preparatory conditions;The described pair of DNS request parses, and obtains The step of degree of danger parameter of the DNS request, including:
    The DNS request is parsed, for each preparatory condition, judges whether the DNS request meets the preparatory condition, works as institute When stating DNS request and meeting the preparatory condition, corresponding dangerous values are increased to degree of danger parameter corresponding to the DNS request.
  4. The method according to claim 3, characterized in that the step of judging, for each preset condition, whether the DNS request meets the preset condition and, when it does, adding the corresponding danger value to the degree of danger parameter of the DNS request includes:
    Judging whether the DNS request includes a non-standard HTTP header and, if so, increasing the degree of danger parameter of the DNS request by a first danger value;
    Judging whether the access frequency, within a preset time, of the IP address sending the DNS request exceeds a second predetermined threshold and, if so, increasing the degree of danger parameter of the DNS request by a second danger value;
    Judging whether the DNS request requests access to a preset URL and, if so, increasing the degree of danger parameter of the DNS request by the second danger value;
    Judging whether the DNS request concurrently requests access to the same file and, if so, increasing the degree of danger parameter of the DNS request by the second danger value;
    Judging whether the URL address accessed by the DNS request is randomly generated and, if so, increasing the degree of danger parameter of the DNS request by the first danger value;
    Judging whether the user terminal sending the DNS request uses a proxy IP and, if so, increasing the degree of danger parameter of the DNS request by the second danger value;
    Wherein the first danger value is greater than the second danger value.
  5. The method according to claim 1 or 2, characterized in that the preset IP address fed back to the user terminal is a loopback address, so that the access request of the user terminal points to the user terminal itself.
  6. The method according to claim 1 or 2, characterized in that the DNS system communicates with a public DNS server, and the method further includes:
    Setting an NS record for the domain name of the target website, so that the public DNS server sends DNS requests initiated for the domain name of the target website to the DNS system.
  7. The method according to claim 6, characterized in that the DNS system supports the edns-client-subnet extension protocol, and the DNS system obtains from the public DNS server, via the edns-client-subnet extension protocol, the IP address of the user terminal that sent the DNS request.
  8. The method according to claim 2, characterized in that after the step of treating the DNS request as a dangerous DNS request and feeding back a preset IP address to the user terminal, the method further includes:
    Recording the IP address of the user terminal in the blacklist.
  9. The method according to claim 2, characterized in that after the step of treating the DNS request as a dangerous DNS request and feeding back a preset IP address to the user terminal, the method further includes:
    Recording the number of times the user terminal sends dangerous DNS requests and, when the number of DNS requests sent by the user terminal exceeds a third predetermined threshold, recording the IP address of the user terminal in the blacklist.
  10. A DNS system, characterized in that the DNS system includes:
    An acquisition module, configured to acquire a DNS request sent by a user terminal;
    A parsing module, configured to parse the DNS request and obtain the degree of danger parameter of the DNS request;
    A first execution module, configured to feed back to the user terminal the network IP address corresponding to the DNS request when the degree of danger parameter is less than the first predetermined threshold;
    A second execution module, configured to treat the DNS request as a dangerous DNS request and feed back a preset IP address to the user terminal when the degree of danger parameter is higher than the first predetermined threshold.
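The decision flow of claims 1 to 5 and 9 can be sketched as follows. This is an added example, not code from the patent: the class name, the observation keys, the numeric danger values and the thresholds are all assumptions, chosen only so that the first danger value is greater than the second as claim 4 requires.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

SINKHOLE = "127.0.0.1"               # claim 5: the preset address is a loopback address
FIRST_VALUE, SECOND_VALUE = 40, 15   # assumed weights; claim 4 only requires first > second
FIRST_THRESHOLD = 50                 # assumed "first predetermined threshold"
THIRD_THRESHOLD = 3                  # assumed "third predetermined threshold" (claim 9)

# (observation key, danger value) pairs mirroring the six conditions of claim 4.
# The keys are hypothetical names for signals computed elsewhere.
RULES = [
    ("nonstandard_http_header", FIRST_VALUE),
    ("rate_exceeded", SECOND_VALUE),
    ("preset_url", SECOND_VALUE),
    ("concurrent_same_file", SECOND_VALUE),
    ("random_url", FIRST_VALUE),
    ("proxy_ip", SECOND_VALUE),
]

@dataclass
class DnsGate:
    real_ip: str                                   # address of the protected site
    whitelist: set = field(default_factory=set)
    blacklist: set = field(default_factory=set)
    strikes: Counter = field(default_factory=Counter)

    def score(self, obs):
        """Claim 3: add the danger value of every preset condition the request meets."""
        return sum(value for key, value in RULES if obs.get(key))

    def answer(self, client_ip, obs):
        ip = str(ipaddress.ip_address(client_ip))  # raises ValueError on a malformed address
        if ip in self.whitelist:                   # claim 2: lists are consulted before scoring
            return self.real_ip
        if ip in self.blacklist:
            return SINKHOLE
        # Claim 1 leaves score == threshold undefined; here it counts as not dangerous.
        if self.score(obs) > FIRST_THRESHOLD:
            self.strikes[ip] += 1
            if self.strikes[ip] > THIRD_THRESHOLD:  # claim 9: blacklist repeat senders
                self.blacklist.add(ip)
            return SINKHOLE
        return self.real_ip
```

Once an address is in the blacklist it is answered with the loopback address without being scored again, so a deployment needs some expiry or review path for entries that were added by mistake.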
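Claim 7 relies on the edns-client-subnet option to learn who sent a query that arrives through a public DNS server. The following added example (not from the patent) parses that option from the RDATA of an OPT record using the RFC 7871 layout; the function name and the sample bytes are constructed for illustration.

```python
import ipaddress
import struct

ECS_OPTION_CODE = 8  # edns-client-subnet option code (RFC 7871)
FAMILIES = {1: (4, ipaddress.IPv4Network), 2: (16, ipaddress.IPv6Network)}

def parse_ecs(opt_rdata: bytes):
    """Return the client subnet carried in OPT RDATA, or None if no ECS option is present."""
    offset = 0
    while offset + 4 <= len(opt_rdata):
        code, length = struct.unpack_from("!HH", opt_rdata, offset)
        body = opt_rdata[offset + 4 : offset + 4 + length]
        if len(body) != length:
            raise ValueError("truncated EDNS option")
        offset += 4 + length
        if code != ECS_OPTION_CODE:
            continue                      # skip unrelated options such as cookies
        if length < 4:
            raise ValueError("ECS option too short")
        family, source_len, _scope_len = struct.unpack_from("!HBB", body)
        if family not in FAMILIES:
            raise ValueError("unknown address family")
        width, network_cls = FAMILIES[family]
        addr = body[4:]
        # The address is sent truncated to the octets covered by the source prefix.
        if source_len > width * 8 or len(addr) != (source_len + 7) // 8:
            raise ValueError("address length does not match prefix length")
        padded = addr + bytes(width - len(addr))
        # strict=True rejects non-zero bits beyond the prefix, which RFC 7871 forbids.
        return network_cls((padded, source_len), strict=True)
    return None

# Constructed sample: a cookie option (code 10) followed by ECS for 198.51.100.0/24
SAMPLE_RDATA = bytes.fromhex(
    "000a0008" "0102030405060708"         # option 10, length 8, opaque cookie bytes
    "00080007" "0001" "18" "00" "c63364"  # option 8, length 7, IPv4, /24, scope 0
)
```

Public resolvers usually send a truncated prefix such as a /24 rather than the full client address, so a blacklist keyed on this value covers a subnet, not a single terminal.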
CN201711107626.2A 2017-11-10 2017-11-10 DNS request processing method and DNS systems Pending CN107707569A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711107626.2A CN107707569A (en) 2017-11-10 2017-11-10 DNS request processing method and DNS systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201711107626.2A CN107707569A (en) 2017-11-10 2017-11-10 DNS request processing method and DNS systems

Publications (1)

Publication Number Publication Date
CN107707569A true CN107707569A (en) 2018-02-16

Family

ID=61179862

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201711107626.2A Pending CN107707569A (en) 2017-11-10 2017-11-10 DNS request processing method and DNS systems

Country Status (1)

Country Link
CN (1) CN107707569A (en)

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101834866A (en) * 2010-05-05 2010-09-15 北京来安科技有限公司 CC (Communication Center) attack protective method and system thereof
CN103152357A (en) * 2013-03-22 2013-06-12 北京网御星云信息技术有限公司 Defense method, device and system for DNS (Domain Name System) services
CN103581363A (en) * 2013-11-29 2014-02-12 杜跃进 Method and device for controlling baleful domain name and illegal access
CN103634315A (en) * 2013-11-29 2014-03-12 杜跃进 Front end control method and system of domain name server (DNS)
CN103957195A (en) * 2014-04-04 2014-07-30 上海聚流软件科技有限公司 DNS system and defense method and device for DNS attack
CN104468860A (en) * 2014-12-04 2015-03-25 北京奇虎科技有限公司 Method and device for recognizing risk of domain name resolution server
CN104506538A (en) * 2014-12-26 2015-04-08 北京奇虎科技有限公司 Machine learning type domain name system security defense method and device
CN106230861A (en) * 2016-09-07 2016-12-14 上海斐讯数据通信技术有限公司 A kind of router fire wall lower network access method and router
CN107124434A (en) * 2017-07-06 2017-09-01 中国互联网络信息中心 A kind of discovery method and system of DNS malicious attacks flow
CN108418780A (en) * 2017-02-10 2018-08-17 阿里巴巴集团控股有限公司 Filter method and device, system, the dns server of IP address

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108650244A (en) * 2018-04-24 2018-10-12 网宿科技股份有限公司 A kind of domain name analytic method, terminal and recurrence dns server
CN112202776A (en) * 2020-09-29 2021-01-08 中移(杭州)信息技术有限公司 Source station protection method and network equipment
CN113596186A (en) * 2021-06-24 2021-11-02 北京网瑞达科技有限公司 DNS access resolution method and system based on scene
CN113596186B (en) * 2021-06-24 2022-05-20 北京网瑞达科技有限公司 DNS access resolution method and system based on scene
CN114244593A (en) * 2021-12-08 2022-03-25 杭州安恒信息技术股份有限公司 DNS security defense method and system, electronic equipment and medium
CN114244593B (en) * 2021-12-08 2024-04-19 杭州安恒信息技术股份有限公司 DNS security defense method and system, electronic equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Room 311501, Unit 1, Building 5, Courtyard 1, Futong East Street, Chaoyang District, Beijing

Applicant after: Beijing Zhichuangyu Information Technology Co., Ltd.

Address before: Room 803, Jinwei Building, 55 Lanindichang South Road, Haidian District, Beijing

Applicant before: Beijing Knows Chuangyu Information Technology Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20180216