CN110247932A - A kind of detection system and method for realizing DNS service defence - Google Patents

A kind of detection system and method for realizing DNS service defence

Info

Publication number: CN110247932A
Application number: CN201910597175.8A
Authority: CN (China)
Other languages: Chinese (zh)
Prior art keywords: server, dns, result, parsing, ruling
Legal status: Pending
Inventors: 王立俊, 贺磊, 张若鸿, 孙萍
Applicant and current assignee: BEIJING RUNSTONE TECHNOLOGY Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/1441 Countermeasures against malicious traffic


Abstract

The invention discloses a detection system and method for DNS service defence. The system comprises: a plurality of heterogeneous DNS recursive resolution servers, which together form a server pool of equivalent heterogeneous executors; each executor can act as a recursive server or as an authoritative server, providing name resolution for local or public Internet domains; a DNS dispatch-and-arbitration server, which receives the resolution requests passed on by the resolution acceleration server and dispatches them to the executors, collects the resolution results of the dynamically chosen heterogeneous executors, selects the single most correct result according to a preset algorithm, and returns it to the resolution acceleration server; and a resolution acceleration server, which forwards resolution requests, receives the results returned by the DNS dispatch-and-arbitration server, stores the results returned by the dispatch-and-arbitration server, and can answer user requests directly with a cached resolution result, reducing the computational load on the dispatch-and-arbitration server.

Description

A kind of detection system and method for realizing DNS service defence
Technical field
The invention belongs to the field of computer technology, and in particular relates to a detection system and method for DNS service defence.
Background art
With the continuous development of basic communications in China, the traffic handled by DNS, the core infrastructure service software of the Internet, has grown rapidly. The Domain Name System translates domain names into IP addresses and is the gateway through which users enter the Internet. Because its protocol is open, its deployment is dispersed and its data volume is huge, it has always been one of the main targets of attack on the Internet. In recent years network attacks exploiting security vulnerabilities in the DNS protocol have occurred frequently; the losses caused are huge and seriously affect the security and stability of national network development.
Besides the common DNS denial-of-service attacks on the Internet, hijacking and tampering with domain name data are also important attack types. One form impersonates a domain name and uses phishing websites to invade citizens' privacy on a large scale, which has become an important means for criminals to carry out economic fraud and illegal propaganda. Another form uses the domain name system to carry out man-in-the-middle attacks, which can intercept the communications of any government website, e-mail service or business and social service, and can tamper with the data and software of sensitive industries such as control and scheduling, financial transactions and logistics, creating enormous cyberspace security risks.
Defects and problems faced by existing DNS recursive resolution systems:
(1) The DNS protocol itself has security vulnerabilities, and mainstream DNS resolution software is mostly open source, so defects in its code are more easily exposed;
(2) Because deployment is dispersed, a domain name security problem on any DNS server directly affects its users;
(3) Because of the complexity of its management and its high demands on network bandwidth, the DNS Security Extensions (DNSSEC) protocol is difficult to deploy in practice and readily introduces problems such as amplification attacks;
(4) Conventional domain name monitoring can compare resolution results before and after a change, but it is mostly applied to key domain names and is difficult to apply dynamically across the entire domain name space.
Summary of the invention
The technical problem to be solved by the invention is to provide a detection system and method for DNS service defence that overcome the above drawbacks of the prior art.
The technical solution adopted by the invention to solve the above technical problem is as follows:
A detection system for DNS service defence, comprising:
a plurality of heterogeneous DNS recursive resolution servers, which together form a server pool of equivalent heterogeneous executors;
each executor can act as a recursive server or as an authoritative server, providing name resolution for local or public network domains;
a DNS dispatch-and-arbitration server, which receives the resolution requests passed on by the resolution acceleration server and dispatches them to each executor;
it collects the resolution results of the dynamically chosen heterogeneous executors, selects the single most correct result according to a preset algorithm, and returns it to the resolution acceleration server;
a resolution acceleration server, which forwards resolution requests and receives the results returned by the DNS dispatch-and-arbitration server.
Preferably, each DNS recursive resolution server runs a different operating system, different DNS resolution software, or a different version of that software.
Preferably, the servers in the heterogeneous executor pool may all be online, or a portion may be held in reserve as standby and automatically substituted when a server providing service becomes abnormal.
Preferably, the resolution acceleration server sits at the front end of the whole system and acts as a cache. It has a two-layer working mode: it can respond quickly to user requests, reducing resolution latency and improving the user experience;
at the same time it reduces the workload of the dispatch-and-arbitration server by answering from cached data while that data is still within its lifetime.
Preferably, the detection system uses layer-3 switches to achieve resource isolation, placing user service traffic from outside and the dispatch-and-arbitration traffic of the internal arbitration in separate VLANs;
the resolution acceleration server and the DNS dispatch-and-arbitration server are connected in dual-link mode, and the DNS dispatch-and-arbitration server and the heterogeneous executor pool are connected by a private network or another trusted connection.
A detection method for DNS service defence, comprising:
building a server pool of heterogeneous executors from a plurality of heterogeneous DNS recursive resolution servers;
each executor can act as a recursive server or as an authoritative server, providing name resolution for local or public network domains;
receiving a domain name resolution request passed on by the resolution acceleration server;
according to the current online status of the servers in the heterogeneous executor pool, dynamically selecting M executors from the N executors and dispatching the request to each of them, where M <= N;
obtaining the results that the heterogeneous executors produce by local resolution or by external recursive query;
arbitrating the results returned by the M executors with the corresponding algorithm to produce a single final result, and returning it to the resolution acceleration server.
Preferably, the method further comprises:
the resolution acceleration server replying to the user terminal with the result returned by the dispatch-and-arbitration server, while retaining the result in its cache.
Preferably, the method further comprises periodically checking the state of each heterogeneous executor and continually adjusting the dispatch priority of every executor, according to the following basic principles:
an executor whose service is unreachable is removed entirely from the list of available executors; when a later detection cycle finds its service available again, it is put back into the available list;
an executor whose resolution result is not selected in arbitration has its use weight reduced;
an executor in normal state that has been dormant for a certain time because of its lower weight is woken up and takes part in scheduling again;
an executor that has been in use for a long time has its weight lowered after its effective period, to reduce its exposure time and its traffic load, ensuring balanced use of the executor pool.
Preferably, arbitrating with the corresponding algorithm to produce a single final result comprises the following algorithm:
when the results returned by the executors are inconsistent, the arbitration unit chooses the result that occurs most often; M is usually set to an odd number to ensure that one result wins at this stage;
when single results are compared, the result from the server with the higher weight is preferred;
when the executors have equal weights and the results they return all occur the same number of times, one result is chosen at random and returned.
Preferably, each DNS recursive resolution server runs a different operating system, different DNS resolution software, or a different version of that software.
After adopting the above scheme, the invention copes with several threats faced by the domain name system, including de-rooting risk (for example, a root name server deleting the .cn domain name records), blinding risk (for example, a root name server refusing to resolve domain name requests originating from China) and data tampering risk (for example, cache poisoning and domain name hijacking caused by unknown vulnerabilities and backdoors), and the system has carrier-grade domain name service capability and security assurance.
Other features and advantages of the invention will be set out in the following description, and in part will become apparent from the description or be learned by practising the invention. The objectives and other advantages of the invention can be realised and obtained by the structures particularly pointed out in the written description, the claims and the accompanying drawings.
Brief description of the drawings
The invention is described in detail below with reference to the accompanying drawings, so that the above advantages of the invention become clearer. In the drawings,
Fig. 1 is a schematic structural diagram of an embodiment of the detection system for DNS service defence of the invention.
Fig. 2 is a schematic flow diagram of an embodiment of the detection method for DNS service defence of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below with reference to the drawings and examples, so that the technical means by which the invention solves the technical problem and achieves its technical effect can be fully understood and implemented. It should be noted that, as long as no conflict arises, the embodiments of the invention and the features of each embodiment may be combined with one another, and the resulting technical solutions fall within the scope of the invention.
In addition, the steps shown in the flowchart of the drawings may be executed in a computer system such as a set of computer-executable instructions, and although a logical order is shown in the flowchart, in some cases the steps shown or described may be executed in an order different from the one given here.
As shown in Fig. 1, the invention aims to establish a DNS system with a simple structure that is easy to deploy and has active defence and fault-tolerance capability, improving the robustness of the system, avoiding the risk of a single point of failure, reducing the impact of tampering with recursive data, increasing the difficulty and cost of attacks on domain names, and resisting unknown vulnerabilities and software backdoors.
The invention deploys a plurality of heterogeneous DNS recursive resolution servers (or authoritative servers), a DNS dispatch-and-arbitration server and a resolution acceleration server, establishing a dynamic domain name arbitration system with the active-defence properties of security, redundancy and heterogeneity.
As shown in Fig. 1, a detection system for DNS service defence comprises:
a plurality of heterogeneous DNS recursive resolution servers, which together form a server pool of equivalent heterogeneous executors;
each executor can act as a recursive server or as an authoritative server, providing name resolution for local or public network domains;
a DNS dispatch-and-arbitration server, which receives the resolution requests passed on by the resolution acceleration server and dispatches them to each executor;
it collects the resolution results of the dynamically chosen heterogeneous executors, selects the single most correct result according to a preset algorithm, and returns it to the resolution acceleration server;
a resolution acceleration server, which forwards resolution requests and receives the results returned by the DNS dispatch-and-arbitration server.
The heterogeneous DNS recursive resolution servers may use different operating systems, different DNS resolution software or different versions of that software, forming an equivalent heterogeneous executor server pool.
The heterogeneous executors may act as recursive servers or as authoritative servers.
The servers in the pool may all be online, or a portion may be held in reserve as standby and automatically substituted when a server providing service becomes abnormal. The main function of the heterogeneous executors is to provide name resolution for local or public network domains; they are the data source of the whole system.
The DNS dispatch-and-arbitration server is the core component of the system and sits between the heterogeneous executors and the resolution acceleration server. On one hand it receives the resolution requests passed on by the accelerator and dispatches them to each executor; on the other hand it collects the resolution results of the dynamically chosen heterogeneous executors, selects the single most correct result according to a preset algorithm, and returns it to the accelerator. Its main functions are dynamic scheduling and result arbitration.
The resolution acceleration server sits at the front end of the whole system and acts as a cache. Its two-layer working mode lets it respond quickly to user requests, reducing resolution latency and improving the user experience. At the same time it reduces the workload of the dispatch-and-arbitration server by answering from cached data while that data is still within its lifetime. In addition, its high processing capacity and effective anti-attack mode protect the back-end components from network attacks.
In a preferred embodiment, the invention uses layer-3 switches to achieve resource isolation: user traffic from outside and the dispatch-and-arbitration traffic of the internal arbitration are placed in separate VLANs. Dual-link mode between the accelerator and the dispatch-and-arbitration server improves service capacity, and the dispatch-and-arbitration server and the executor pool are connected by a private network or another trusted connection.
As shown in Fig. 2, the workflow of the above system, that is, the detection method for DNS service defence, comprises:
building a server pool of heterogeneous executors from a plurality of heterogeneous DNS recursive resolution servers;
each executor can act as a recursive server or as an authoritative server, providing name resolution for local or public network domains;
receiving a domain name resolution request passed on by the resolution acceleration server;
according to the current online status of the servers in the heterogeneous executor pool, dynamically selecting M executors from the N executors and dispatching the request to each of them, where M <= N;
obtaining the results that the heterogeneous executors produce by local resolution or by external recursive query;
arbitrating the results returned by the M executors with the corresponding algorithm to produce a single final result, and returning it to the resolution acceleration server.
For example, in one embodiment the detailed process is as follows:
A user PC accesses the Baidu web page through a browser, entering the requested domain name www.baidu.com in the browser's URL bar. Suppose the user's PC runs an IPv4 protocol stack and has one DNS server address configured: 8.8.8.8. The system automatically sends the request to the DNS server at 8.8.8.8, which in this system is the resolution acceleration server. The request asks for the IPv4 address corresponding to www.baidu.com; this request type is called type A, and the request packet contains the following information:
;;QUESTION SECTION:
;www.baidu.com. IN A
If the resolution acceleration server has a resolution result for the domain name, it responds directly.
For example: many domain name records are stored in the cache of the resolution acceleration server. The system finds in the cache that the A records of the domain name www.baidu.com are 61.135.169.125 and 61.135.169.121, and returns to the user that the IPv4 addresses of www.baidu.com are these two IPs.
The following information is included:
If the resolution acceleration server has no result for the domain name, the request is passed transparently to the dispatch-and-arbitration server.
For example: the resolution acceleration server does not find the IPv4 address of www.baidu.com in its cache, so it goes on to ask the dispatch-and-arbitration server what the IPv4 address of www.baidu.com is.
The request is similar to the query initiated by the client and contains the following information:
;;QUESTION SECTION:
;www.baidu.com. IN A
The dispatch-and-arbitration server, according to the service state of the heterogeneous executors at that time, dynamically selects a certain number (M) of the N executors and dispatches the request to each of them.
For example, if the system resource pool contains 8 executors, the dispatch-and-arbitration server selects 3 of them and asks each for the IPv4 address of www.baidu.com.
The request is similar to the query initiated by the client and contains the following information:
;;QUESTION SECTION:
;www.baidu.com. IN A
The heterogeneous executors each resolve the name locally (authoritatively) or by external recursion and, once they have a resolution result, return it to the dispatch-and-arbitration server.
For example: after a heterogeneous executor receives the query request, it queries the Internet and, following the DNS working mechanism, eventually reaches the authoritative server of baidu.com, that is, it asks the DNS maintained by Baidu itself for the IPv4 address of www.baidu.com. A server for baidu.com replies to executor 1 and executor 2 that the addresses are 61.135.169.125 and 61.135.169.121, and executors 1 and 2 return this result to the dispatch-and-arbitration server: the IPv4 addresses of www.baidu.com are 61.135.169.125 and 61.135.169.121. Executor 3, for some reason (it may have been hijacked, or it may have reached a misconfigured Baidu server), obtains the result 1.2.3.4 and tells the dispatch-and-arbitration server that the IPv4 address of www.baidu.com is 1.2.3.4.
Information replied by executor 1 and executor 2:
Information replied by executor 3:
The dispatch-and-arbitration server arbitrates the results returned by the M executors with the corresponding algorithm, produces a single final result, and returns it to the resolution acceleration server.
For example: the dispatch-and-arbitration server receives 61.135.169.125 and 61.135.169.121 twice and 1.2.3.4 once; by the majority principle it selects 61.135.169.125 and 61.135.169.121 as the correct result and returns it to the accelerator.
The accelerator receives the reply;
the resolution acceleration server replies to the user terminal with the result returned by the dispatch-and-arbitration server, while retaining the result in its cache.
For example: the resolution acceleration server returns to the user PC the result that the IPv4 addresses of www.baidu.com are 61.135.169.125 and 61.135.169.121; after the user PC obtains the IP addresses, it picks one of the two and establishes an HTTP connection.
The reply received by the user:
In the DNS dispatch-and-arbitration server, for every query the dispatch-and-arbitration module dynamically chooses a preset number M of servers from the heterogeneous executor pool to forward the request to. The system periodically checks the state of each heterogeneous executor and continually adjusts the dispatch priority of every executor, according to the following basic principles:
an executor whose service is unreachable is removed entirely from the list of available executors; when a later detection cycle finds its service available again, it is put back into the available list;
an executor whose resolution result is not selected in arbitration has its use weight reduced;
an executor in normal state that has been dormant for a certain time because of its lower weight is woken up and takes part in scheduling again;
an executor that has been in use for a long time has its weight lowered after its effective period, to reduce its exposure time and its traffic load, ensuring balanced use of the executor pool.
The higher an executor's use weight, the more likely it is to be scheduled; executors with equal weight are chosen at random by the system.
Result arbitration is responsible for collecting the results returned by the M executors and selecting among them, finally determining the single most credible result and returning it to the accelerator. The dispatch-and-arbitration server handles different patterns of returned results with different algorithms:
Majority:
When the results returned by the executors are inconsistent, the arbitration unit chooses the result that occurs most often. M is usually set to an odd number to ensure that one result wins at this stage.
Weight:
During monitoring by the dynamic scheduling unit, the use weight of each executor is continually revised, and the weight also affects the probability that an executor's result is selected in arbitration. In the majority algorithm, a server whose resolution result is eliminated is more likely to have been attacked, so when single results are compared, the result from the server with the higher weight is preferred.
Random:
When the executors have equal weights and the results they return all occur the same number of times, one result is chosen at random and returned. For example, M servers return M different resolution results; this situation is common in a CDN environment, where the service servers sit in a load-balanced cluster and the authoritative server returns available servers at random to balance the load. The random selection of the arbitration unit preserves the original intent of the CDN.
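The scheduling principles, the three arbitration rules (majority, weight, random) and the 8-executor walk-through above, as one added model in Python. This is illustrative code written for this page, not the patent's or the applicant's implementation; the names Executor, Arbiter, pick_executors, arbitrate and rebalance, the weight-halving step and the dormancy and tenure thresholds are all assumptions of the example.

```python
"""Added example, not code from the patent or its applicant: a simplified
model of the dispatch-and-arbitration server described above. Class and
method names, the weight-halving demotion and the dormancy/tenure
thresholds are assumptions of this illustration."""
import random
from collections import Counter
from dataclasses import dataclass, field


@dataclass(eq=False)   # eq=False keeps identity hashing so executors can key a dict
class Executor:
    """One heterogeneous recursive resolver in the pool."""
    name: str
    weight: float = 1.0       # use weight: scheduling priority and arbitration tie-break
    reachable: bool = True    # set by the periodic state detection
    idle_rounds: int = 0      # dispatch rounds since last chosen (dormancy)
    served: int = 0           # dispatch rounds served since last demotion (exposure)


@dataclass
class Arbiter:
    """Dispatch-and-arbitration logic over a pool of N executors."""
    pool: list
    m: int = 3                # M executors per query, M <= N; odd so a majority can win
    min_weight: float = 0.1
    rng: random.Random = field(default_factory=random.Random)

    def health_check(self, executor, reachable):
        """Unreachable executors leave the available list entirely; a later
        detection cycle that finds them up again puts them back."""
        executor.reachable = reachable

    def available(self):
        return [e for e in self.pool if e.reachable]

    def pick_executors(self):
        """Dynamic scheduling: choose M of the N available executors, the
        higher the weight the likelier; equal weights are separated at random."""
        cands = self.available()
        if len(cands) < self.m:
            raise RuntimeError("fewer than M executors online")
        self.rng.shuffle(cands)                            # random order among equals
        cands.sort(key=lambda e: e.weight, reverse=True)   # stable sort keeps that order
        chosen = cands[: self.m]
        for e in self.pool:
            if e in chosen:
                e.idle_rounds, e.served = 0, e.served + 1
            else:
                e.idle_rounds += 1
        return chosen

    def arbitrate(self, answers):
        """answers maps each dispatched Executor to a frozenset of IPs.
        Majority first; on a frequency tie the heavier executor's answer;
        if the weights tie too (the CDN case) pick at random. Executors
        whose answer was eliminated are demoted."""
        counts = Counter(answers.values())
        top = max(counts.values())
        tied = [a for a, c in counts.items() if c == top]
        if len(tied) == 1:
            chosen = tied[0]                               # majority rule
        else:
            heaviest = {a: max(e.weight for e, r in answers.items() if r == a)
                        for a in tied}
            best = max(heaviest.values())
            leaders = [a for a in tied if heaviest[a] == best]
            chosen = leaders[0] if len(leaders) == 1 else self.rng.choice(leaders)
        for e, r in answers.items():
            if r != chosen:                                # eliminated in arbitration
                e.weight = max(self.min_weight, e.weight / 2)
        return chosen

    def rebalance(self, dormancy=5, max_tenure=20):
        """Periodic priority adjustment: wake healthy executors left dormant by
        a low weight, and demote long-serving ones to limit exposure and load."""
        for e in self.pool:
            if e.reachable and e.idle_rounds >= dormancy:
                e.weight, e.idle_rounds = max(e.weight, 1.0), 0
            if e.served >= max_tenure:
                e.weight, e.served = max(self.min_weight, e.weight / 2), 0


def baidu_example():
    """The page's walk-through: 8 executors, 3 dispatched, two report the
    addresses the page quotes and one (hijacked or misconfigured) reports
    1.2.3.4. Returns the arbitrated answer and the odd executor's new weight."""
    pool = [Executor(f"executor{i}") for i in range(1, 9)]
    arb = Arbiter(pool, m=3, rng=random.Random(7))
    e1, e2, e3 = arb.pick_executors()
    good = frozenset({"61.135.169.125", "61.135.169.121"})
    answers = {e1: good, e2: good, e3: frozenset({"1.2.3.4"})}
    return arb.arbitrate(answers), e3.weight


if __name__ == "__main__":
    print(baidu_example())   # (frozenset({'61.135.169.125', '61.135.169.121'}), 0.5)
```

The demoted executor keeps being scheduled with lower priority rather than being dropped, which matches the page's distinction between an unreachable executor (removed from the list) and one that merely lost an arbitration.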
After adopting the above scheme, the invention copes with several threats faced by the domain name system, including de-rooting risk (for example, a root name server deleting the .cn domain name records), blinding risk (for example, a root name server refusing to resolve domain name requests originating from China) and data tampering risk (for example, cache poisoning and domain name hijacking caused by unknown vulnerabilities and backdoors), and the system has carrier-grade domain name service capability and security assurance.
It should be noted that, for simplicity of description, the above method embodiments are expressed as a series of combinations of actions, but those skilled in the art should understand that the application is not limited by the order of actions described, because according to the application some steps may be performed in other orders or simultaneously. Secondly, those skilled in the art should also know that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the application.
Those skilled in the art should understand that the embodiments of the application may be provided as a method, a system or a computer program product. Therefore, the application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects.
Moreover, the application may take the form of a computer program product implemented on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM and optical memory) that contain computer-usable program code.
Finally, it should be noted that the foregoing is only a preferred embodiment of the invention and is not intended to limit it. Although the invention has been described in detail with reference to the foregoing embodiments, those skilled in the art may still modify the technical solutions described in the foregoing embodiments or replace some of their technical features with equivalents. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention shall be included within its scope of protection.

Claims (10)

1. a kind of detection system for realizing DNS service defence characterized by comprising
The DNS recursion resolution server of more isomeries, above-mentioned DNS recursion resolution server constitute an isomery of equal value together and hold The server pools of row body;
Above-mentioned execution body can be used as recursion server and can also be used as authorization server, for providing the domain name of local or public network Parsing;
DNS distributes ruling server, for receiving the analysis request for analytically server being accelerated to pass over and being distributed to each Execute body;
The parsing result that the isomery dynamically chosen executes body is collected, and most correctly by preset algorithm picks one As a result it returns to parsing and accelerates server;
Parsing accelerates server, for transmitting analysis request and receiving the result of DNS distribution ruling server transmitting.
2. the detection system according to claim 1 for realizing DNS service defence, which is characterized in that each DNS recursion resolution Different operating system, dns resolution software or different editions are installed respectively in server.
3. the detection system according to claim 1 or 2 for realizing DNS service defence, which is characterized in that the isomery executes Server in the server pools of body can also retain a part as standby, in the service of the business of offer with all on-line In the case that exception occurs in device, replaced automatically.
4. the detection system according to claim 1 for realizing DNS service defence, which is characterized in that the parsing accelerates clothes Business device is located at the front end of whole system, plays the role of cache, has two layers of operating mode, can be with quick response user Request reduces parsing time delay, promotes user's perception;
The work load that can reduce distribution ruling server simultaneously, carries out response by data cached in life cycle.
5. the detection system according to claim 1 for realizing DNS service defence, which is characterized in that the detection system base Resource isolation is realized in three-tier switch cooperation, and will be from external user traffic and the internal distribution ruling stream arbitrated Amount is limited in respectively in different VLAN;
Wherein, the parsing accelerates between server and DNS distribution ruling server using double on-link mode (OLM)s, the DNS distribution Ruling server and isomery, which execute, uses private network or connection type trusty between the server pools of body.
6. A detection method for realizing DNS service defence, characterized by comprising:
building a server pool of heterogeneous executors composed of multiple heterogeneous DNS recursive resolution servers;
each of the above executors may act as a recursive server and may also act as an authoritative server, providing resolution of local or public-network domain names;
receiving the domain name resolution request passed over from the resolution acceleration server;
according to the current online state of the servers in the heterogeneous executor pool, dynamically selecting M executors out of the N executors and distributing the request to each of them, where M <= N;
obtaining the results that the above heterogeneous executors produce by local resolution or by external recursive query;
according to the obtained results returned by the M executors, arbitrating with the corresponding algorithm, generating one final result, and returning it to the resolution acceleration server.
7. The detection method for realizing DNS service defence according to claim 6, characterized by further comprising:
the resolution acceleration server replies to the user terminal with the result returned by the distribution ruling, and at the same time retains the result in its cache.
8. The detection method for realizing DNS service defence according to claim 6, characterized by further comprising: periodically performing state detection on each heterogeneous executor and continuously adjusting the distribution priority of each executor, the basic principles including:
when an executor's service is unreachable, it is removed completely from the list of available executors; when a later detection cycle finds its service available again, it is placed back into the free list;
when an executor's resolution result is not selected after arbitration, its usage weight is reduced;
an executor in normal state that has been dormant for a certain time because of a lower weight is woken up and takes part in scheduling again;
an executor that has been in use for a long time also has its weight lowered after its effective time, so as to shorten the exposure duration of that executor and reduce its traffic load, ensuring balanced use of the executor pool.
9. The detection method for realizing DNS service defence according to claim 6, characterized in that arbitrating with the corresponding algorithm and generating one final result comprises:
when the results returned by the executors are inconsistent, the arbitration unit chooses the result that occurs most often; usually M is set to an odd number to guarantee that one result wins in this step;
when comparing single results, the result of the server with the higher weight is preferred;
when the executors' weights are identical and the returned results occur with equal frequency, one result is selected at random and returned.
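The scheduling step of claim 6, the priority adjustment rules of claim 8 and the arbitration rules of claim 9 are modelled together in the following Python block. It is an added example, not the patent's implementation or the applicant's code. The executor names (labels standing in for the heterogeneous software stacks), the initial weights, the threshold constants, the step sizes of each weight adjustment and the answers returned in each round are all constructed sample data; the claims state only the direction of each adjustment, so the step sizes are assumptions. M is set to 3, an odd number, as claim 9 recommends.

```python
"""Toy model of the mimic-defence DNS scheduling and arbitration of claims 6, 8 and 9.
Added example, not code from the patent; all names, weights, thresholds and
answers below are constructed sample data."""
import random
from collections import Counter
from dataclasses import dataclass

DEFAULT_WEIGHT = 10   # assumption: weight a freshly woken executor returns to
MIN_WEIGHT = 1
SLEEP_ROUNDS = 3      # assumption: idle rounds after which a low-weight executor is woken
MAX_EXPOSURE = 5      # assumption: consecutive scheduled rounds before a weight cut


@dataclass
class Executor:
    name: str
    weight: int = DEFAULT_WEIGHT
    online: bool = True
    idle_rounds: int = 0   # rounds since the executor was last scheduled
    exposure: int = 0      # consecutive rounds in which it was scheduled


def health_check(ex, reachable):
    """Claim 8, first rule: an unreachable executor leaves the available list
    entirely; a later detection cycle that finds it reachable puts it back."""
    ex.online = reachable


def select_executors(pool, m):
    """Claim 6: choose M of the N online executors (M <= N), highest weight first."""
    online = [e for e in pool if e.online]
    if m > len(online):
        raise ValueError("M must not exceed the number of online executors")
    return sorted(online, key=lambda e: (-e.weight, e.name))[:m]


def arbitrate(results, rng=random):
    """Claim 9: majority vote over (executor, answer) pairs; a frequency tie is
    broken in favour of the answer backed by the heaviest executor, and a
    remaining tie at random."""
    counts = Counter(ans for _, ans in results)
    top = max(counts.values())
    tied = [ans for ans, c in counts.items() if c == top]
    if len(tied) == 1:
        return tied[0]
    backing = {a: max(e.weight for e, ans in results if ans == a) for a in tied}
    heaviest = [a for a, w in backing.items() if w == max(backing.values())]
    if len(heaviest) == 1:
        return heaviest[0]
    return rng.choice(heaviest)


def adjust_weights(pool, results, winner):
    """Claim 8, remaining rules, applied once per resolution round."""
    scheduled = {e.name for e, _ in results}
    for ex, ans in results:
        ex.idle_rounds = 0
        ex.exposure += 1
        if ans != winner:                    # rule 2: losing answer -> lower weight
            ex.weight = max(MIN_WEIGHT, ex.weight - 3)
        if ex.exposure >= MAX_EXPOSURE:      # rule 4: long exposure -> lower weight
            ex.weight = max(MIN_WEIGHT, ex.weight - 1)
            ex.exposure = 0
    for ex in pool:
        if ex.online and ex.name not in scheduled:
            ex.exposure = 0
            ex.idle_rounds += 1
            if ex.idle_rounds >= SLEEP_ROUNDS and ex.weight < DEFAULT_WEIGHT:
                ex.weight = DEFAULT_WEIGHT   # rule 3: dormant executor is woken
                ex.idle_rounds = 0


def resolve_round(pool, answers, m=3, rng=random):
    """One round: schedule M executors, collect their answers (answers maps
    executor name -> constructed A-record answer), arbitrate, then adjust."""
    chosen = select_executors(pool, m)
    results = [(e, answers[e.name]) for e in chosen]
    winner = arbitrate(results, rng)
    adjust_weights(pool, results, winner)
    return winner, [e.name for e in chosen]


def demo(rounds=5):
    """Constructed scenario: five executors, one of which ("knot") keeps
    returning a deviating answer; addresses are RFC 5737 documentation ranges."""
    pool = [Executor(n) for n in ("bind", "unbound", "knot", "pdns", "nsd")]
    answers = {"bind": "192.0.2.10", "unbound": "192.0.2.10", "knot": "203.0.113.9",
               "pdns": "192.0.2.10", "nsd": "192.0.2.10"}
    trace = [resolve_round(pool, answers, m=3, rng=random.Random(0)) for _ in range(rounds)]
    return trace, {e.name: e.weight for e in pool}


if __name__ == "__main__":
    trace, weights = demo()
    for i, (winner, chosen) in enumerate(trace, 1):
        print(f"round {i}: scheduled {chosen} -> {winner}")
    print("final weights:", weights)
```

Running the demo shows the claimed behaviour: the deviating executor loses the vote in round 1 and has its weight cut, drops out of scheduling for a few rounds, is woken again once it has been idle for the configured period, and the two executors that were exposed for five consecutive rounds have their weights trimmed so the pool rotates.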
10. The detection method for realizing DNS service defence according to claim 6, characterized in that each DNS recursive resolution server has a different operating system, different DNS resolution software, or a different version of that software installed.
CN201910597175.8A 2019-07-04 2019-07-04 A kind of detection system and method for realizing DNS service defence Pending CN110247932A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910597175.8A CN110247932A (en) 2019-07-04 2019-07-04 A kind of detection system and method for realizing DNS service defence

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910597175.8A CN110247932A (en) 2019-07-04 2019-07-04 A kind of detection system and method for realizing DNS service defence

Publications (1)

Publication Number Publication Date
CN110247932A true CN110247932A (en) 2019-09-17

Family

ID=67890950

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910597175.8A Pending CN110247932A (en) 2019-07-04 2019-07-04 A kind of detection system and method for realizing DNS service defence

Country Status (1)

Country Link
CN (1) CN110247932A (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160277433A1 (en) * 2012-03-22 2016-09-22 Los Alamos National Security, Llc Non-harmful insertion of data mimicking computer network attacks
CN106878254A (en) * 2016-11-16 2017-06-20 国家数字交换系统工程技术研究中心 Improve the method and device of DNS securities of system
CN106961422A (en) * 2017-02-24 2017-07-18 中国人民解放军信息工程大学 The mimicry safety method and device of a kind of DNS recursion servers
CN108900654A (en) * 2018-08-04 2018-11-27 中国人民解放军战略支援部队信息工程大学 A kind of DNS dynamic dispatching method based on mimicry name server
CN109067737A (en) * 2018-07-28 2018-12-21 中国人民解放军战略支援部队信息工程大学 A kind of mimicry judgment device and method exported under asynchronous Keep-order requirements

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ZHENPENG WANG et al.: "Design and Implementation of an SDN-Enabled DNS Security Framework", China Communications *
王禛鹏 et al.: "A DNS framework design based on mimic security defence" (一种基于拟态安全防御的DNS框架设计), Acta Electronica Sinica *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371747A (en) * 2020-02-21 2020-07-03 中山大学 Method for preventing information leakage of domain name resolution server
CN112367289A (en) * 2020-09-11 2021-02-12 浙江大学 Mimicry WAF construction method
CN112367289B (en) * 2020-09-11 2021-08-06 浙江大学 Mimicry WAF construction method
CN112600859A (en) * 2021-01-08 2021-04-02 北京润通丰华科技有限公司 Anomaly detection processing method for mimicry DNS (Domain name System) defense system
CN112600859B (en) * 2021-01-08 2023-03-31 北京润通丰华科技有限公司 Anomaly detection processing method for mimicry DNS (Domain name System) defense system
CN113268728A (en) * 2021-05-31 2021-08-17 河南信大网御科技有限公司 Decision method and decision device based on mimicry camouflage strategy
CN113900817A (en) * 2021-10-15 2022-01-07 广州电力通信网络有限公司 Mirror image root server processing terminal processing method based on IPV6 energy industry
CN113900817B (en) * 2021-10-15 2022-09-13 广州电力通信网络有限公司 Mirror image root server processing terminal processing method based on IPV6 energy industry
CN114745356A (en) * 2022-03-29 2022-07-12 深信服科技股份有限公司 Domain name resolution method, device and equipment and readable storage medium
CN114745356B (en) * 2022-03-29 2024-02-23 深信服科技股份有限公司 Domain name resolution method, device, equipment and readable storage medium

Similar Documents

Publication Publication Date Title
CN110247932A (en) A kind of detection system and method for realizing DNS service defence
US10841324B2 (en) Method and system for uniquely identifying a user computer in real time using a plurality of processing parameters and servers
CN106068639B (en) The Transparent Proxy certification handled by DNS
US8447856B2 (en) Policy-managed DNS server for to control network traffic
US20240048579A1 (en) Identification of malicious domain campaigns using unsupervised clustering
WO2015149062A1 (en) System and method for predicting impending cyber security events using multi channel behavioral analysis in a distributed computing environment
US9264440B1 (en) Parallel detection of updates to a domain name system record system using a common filter
JP2015043204A (en) Detection of pattern co-occurring in dns
EP1877904A2 (en) Detecting unwanted electronic mail messages based on probabilistic analysis of referenced resources
Alenazi et al. Holistic model for http botnet detection based on dns traffic analysis
Futai et al. Hybrid detection and tracking of fast-flux botnet on domain name system traffic
EP3332533B1 (en) Parallel detection of updates to a domain name system record system using a common filter
CN106789868A (en) A kind of website user's Activity recognition and managing and control system
CN103916379A (en) CC attack identification method and system based on high frequency statistics
CN110233774B (en) Detection method, distributed detection method and system for Socks proxy server
Tatang et al. A study of newly observed hostnames and DNS tunneling in the wild
CN115190107B (en) Multi-subsystem management method based on extensive domain name, management terminal and readable storage medium
US20110219440A1 (en) Application-level denial-of-service attack protection
Tatang et al. Below the radar: spotting DNS tunnels in newly observed hostnames in the wild
CN111371917B (en) Domain name detection method and system
Singh et al. TI-16 DNS labeled dataset for detecting botnets
CN117439824B (en) AI-based smart city evaluation method, system, device and storage medium
Arjmandpanah‐Kalat et al. Design and performance analysis of an efficient single flow IP traceback technique in the AS level
Deri et al. Exploiting dns traffic to rank internet domains
Spring Large scale DNS traffic analysis of malicious Internet activity with a focus on evaluating the response time of blocking phishing sites

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190917