CN111818029A - Domain name request processing method and device - Google Patents


Publication number: CN111818029A
Application number: CN202010601762.2A
Authority: CN (China)
Legal status: Granted; currently Active (as listed by Google Patents, which has not performed a legal analysis)
Other languages: Chinese (zh)
Other versions: CN111818029B (en)
Inventors: 谢俊峰, 候婉琪
Assignee (original and current): Guangxi University for Nationalities
Prior art keywords: domain name, request, hash value, level, server
Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00: Network arrangements, protocols or services for addressing or naming
    • H04L 61/45: Network directories; Name-to-address mapping
    • H04L 61/4505: Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511: Name-to-address mapping using domain name system [DNS]

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32: Means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3236: Message authentication using cryptographic hash functions


Abstract

The embodiment of the application provides a domain name request processing method and a device, wherein the method is applied to a first top-level domain name server in a domain name system based on a block chain, and comprises the following steps: when a first domain name request sent by a client is received, acquiring a first request hash value carried in the first domain name request, wherein the first request hash value is obtained by processing the client based on a hash algorithm and a first parameter; the first parameter comprises a random character string carried in the first domain name request, a target domain name and a timestamp for sending the first domain name request by the client; judging whether the first request hash value is smaller than a first preset threshold value or not; if the first request hash value is not smaller than a first preset threshold value, discarding the first domain name request; and if the first request hash value is smaller than a first preset threshold value, adding the first domain name request as a transaction to a local transaction pool. Based on the processing, the influence of the domain name system being attacked can be reduced to a certain extent, and the interruption of network service is avoided.

Description

Domain name request processing method and device
Technical Field
The present application relates to the field of computer network technologies, and in particular, to a method and an apparatus for processing a domain name request.
Background
A DNS (Domain Name System) is a distributed database, and a mapping relationship between a Domain Name and an IP address can be recorded in the DNS. In the related art, the DNS may include a root domain name server, a top level domain name server, and an authority domain name server. The root domain name server records a mapping relation between a top-level domain name and an IP (Internet Protocol) address, the top-level domain name server records a mapping relation between a second-level domain name and an IP address, and the authority domain name server records a mapping relation between a third-level, a fourth-level or a deeper-level domain name and the IP address.
In the related art, DNS offers little protection and is vulnerable to DoS (Denial of Service) attacks. For example, an attacker uses malicious clients to send a large number of malicious domain name requests to the root domain name server; the root domain name server may then be unable to respond to normal domain name requests, and network service may be interrupted.
Disclosure of Invention
The embodiments of the present application aim to provide a method and an apparatus for processing a domain name request, which can reduce the influence of a domain name system being attacked to a certain extent and avoid network service interruption. The specific technical scheme is as follows:
in a first aspect, to achieve the above object, an embodiment of the present application discloses a domain name request processing method, where the method is applied to a first top-level domain name server in a domain name system based on a block chain, and the method includes: when a first domain name request sent by a client is received, acquiring a first request hash value carried in the first domain name request, wherein the first request hash value is obtained by processing the client based on a hash algorithm and a first parameter; the first parameter comprises a random character string carried in the first domain name request, a target domain name and a timestamp of the first domain name request sent by the client; judging whether the first request hash value is smaller than a first preset threshold value or not; if the first request hash value is not smaller than the first preset threshold value, discarding the first domain name request; and if the first request hash value is smaller than the first preset threshold value, the first domain name request is used as a transaction and added to a local transaction pool.
Optionally, before the adding the first domain name request as a transaction to a local transaction pool, the method further includes: processing a first parameter carried in the first domain name request based on a Hash algorithm to obtain a Hash value to be matched; judging whether the hash value to be matched is consistent with the first request hash value or not; if the hash value to be matched is not consistent with the first request hash value, discarding the first domain name request; and if the hash value to be matched is consistent with the first request hash value, executing the step of adding the first domain name request as a transaction to a local transaction pool.
Optionally, before the adding the first domain name request as a transaction to a local transaction pool, the method further includes: decrypting a first digital signature carried in the first domain name request based on a first public key of a user logging in the client terminal carried in the first domain name request to obtain a decryption result; the first digital signature is obtained by encrypting a second parameter by the client based on a first private key corresponding to the first public key; the second parameter comprises the random string and the first request hash value; judging whether the decryption result is consistent with a second parameter carried in the first domain name request; if the decryption result is inconsistent with a second parameter carried in the first domain name request, discarding the first domain name request; and if the decryption result is consistent with a second parameter carried in the first domain name request, executing the step of adding the first domain name request as a transaction to a local transaction pool.
Optionally, when the first domain name request is a domain name registration request, the first parameter further includes a hash value of the target domain name and an internet protocol IP address corresponding to the target domain name; the second parameter further includes the target domain name, a hash value of the target domain name, an IP address corresponding to the target domain name, and the timestamp; when the first domain name request is a domain name updating request, the first parameter further comprises a hash value of the target domain name and an IP address corresponding to the target domain name after updating; the second parameter further comprises the target domain name, a hash value of the target domain name, an IP address corresponding to the updated target domain name and the timestamp; when the first domain name request is a domain name deletion request, the first parameter further comprises a hash value of the target domain name; the second parameter further comprises the target domain name, a hash value of the target domain name and the timestamp; when the first domain name request is a domain name transfer request, the first parameters further comprise a hash value of the target domain name and an IP address corresponding to the target domain name after transfer; the second parameter further comprises the target domain name, a hash value of the target domain name, an IP address corresponding to the target domain name after transfer and the timestamp; the domain name transfer request also carries a second public key of the transferred user of the target domain name.
Optionally, the adding the first domain name request as a transaction to a local transaction pool includes: judging whether the target domain name exists in a local domain name information table or not to obtain a target judgment result; the domain name information table is used for recording registered domain names; and adding the first domain name request as a transaction to a local transaction pool based on the target judgment result and the request type of the first domain name request.
Optionally, after the adding the first domain name request as a transaction to a local transaction pool, the method further includes: broadcasting the first domain name request to a third top-level domain name server, that is, every top-level domain name server in the domain name system other than the first top-level domain name server; and when a second domain name request broadcast by the third top-level domain name server is received, adding the second domain name request as a transaction to the local transaction pool.
Optionally, the method further includes: when the domain name server is determined to be the top-level domain name server used for generating the block currently based on the hash value of the last block in the current block chain, acquiring a preset number of domain name requests from the transaction pool, and generating the block as a first block based on the acquired domain name requests; and broadcasting and sending the first block to the third top-level domain name server, so as to determine whether to add the first block to a current block chain according to a judgment result of validity of each domain name request in the first block by the third top-level domain name server.
Optionally, the method further includes: when a second block broadcast by the third top-level domain name server is received, judging whether an illegal domain name request exists in the second block; if a suspicious domain name request judged illegal exists in the second block, sending a first challenge request message to a second top-level domain name server with the highest current credit value in the domain name system, wherein the first challenge request message carries the number of the second block and a second request hash value of the suspicious domain name request, so that the second top-level domain name server broadcasts a first challenge query message, carrying the number of the second block and the second request hash value, to a fourth top-level domain name server (every top-level domain name server in the domain name system other than the second top-level domain name server), and determines whether the suspicious domain name request is legal according to the judgment results on the legality of the suspicious domain name request returned by the fourth top-level domain name server.
Optionally, the method further includes: if a suspicious domain name request judged illegal exists in the second block and the first top-level domain name server is itself the top-level domain name server with the highest current credit value in the domain name system, broadcasting a second challenge query message to the third top-level domain name server, wherein the second challenge query message carries the number of the second block and the second request hash value; when the judgment results on the legality of the suspicious domain name request returned by each third top-level domain name server are received, determining the number of judgment results that indicate the suspicious domain name request is legal as a first number; if the ratio of the first number to a second number, the number of all received judgment results, is greater than a second preset threshold value, determining that the suspicious domain name request is legal; and if the ratio is not greater than the second preset threshold value, determining that the suspicious domain name request is illegal.
Optionally, after the determining that the suspicious domain name request is illegal, the method further includes: subtracting a first preset value from a credit value of a top-level domain name server which broadcasts and sends the second block; and broadcasting and sending a second question confirmation message which represents that the second block is illegal to the third top-level domain name server.
Optionally, the method further includes: if a first question confirmation message which is sent by the second top-level domain name server and indicates that the second block is illegal is received within a preset time length after the second block is received, deleting the second block; and subtracting a first preset value from the credit value of the top-level domain name server which broadcasts and sends the second block.
Optionally, the method further includes: and if a first question confirmation message which is sent by the second top-level domain name server and indicates that the second block is illegal is not received within the preset time length after the second block is received, adding the second block to the current block chain, and increasing the credit value of the top-level domain name server which broadcasts and sends the second block by a second preset value.
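The challenge, vote-ratio and credit rules of the preceding paragraphs, as one added example; this is example code written for this page, not the patent's implementation. Server names, credit values, the 0.5 ratio threshold, the penalty of 10 and reward of 2, and the names Network, TallyChallenge, Arbiter, SettleBlock and RunChallenge are assumptions; the judgments map stands in for the challenge query and reply messages, and the scenario in main is constructed, not taken from the page.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// Vote is one top-level domain name server's judgment on a suspicious request.
type Vote struct {
	Voter string
	Legal bool
}

// TallyChallenge applies the ratio rule: the request is legal only if the number
// of "legal" judgments divided by the number of all judgments received is greater
// than the second preset threshold. A ratio equal to the threshold is not enough.
func TallyChallenge(votes []Vote, ratioThreshold float64) (legal bool, ratio float64) {
	if len(votes) == 0 {
		return false, 0 // nothing returned: the request is not shown to be legal
	}
	first := 0 // the "first number" of the page
	for _, v := range votes {
		if v.Legal {
			first++
		}
	}
	ratio = float64(first) / float64(len(votes)) // first number / second number
	return ratio > ratioThreshold, ratio
}

var ErrUnknownProducer = errors.New("block producer has no credit entry")

// Network is one node's view of the credit values and the current block chain.
type Network struct {
	Credit  map[string]int
	Chain   []string // block numbers in chain order
	Penalty int      // the first preset value, subtracted for an illegal block
	Reward  int      // the second preset value, added for an accepted block
}

// Arbiter is the server with the highest current credit value, the one a
// challenger sends the first challenge request message to. Ties break by name
// so that every node picks the same arbiter (an assumption of this example).
func (n *Network) Arbiter() string {
	names := make([]string, 0, len(n.Credit))
	for name := range n.Credit {
		names = append(names, name)
	}
	sort.Slice(names, func(i, j int) bool {
		ci, cj := n.Credit[names[i]], n.Credit[names[j]]
		return ci > cj || (ci == cj && names[i] < names[j])
	})
	if len(names) == 0 {
		return ""
	}
	return names[0]
}

// SettleBlock applies the outcome for block blockID broadcast by producer: an
// illegal block is deleted and the producer loses Penalty; otherwise the block is
// appended to the chain and the producer gains Reward. A block that drew no
// confirmation of illegality within the preset time is settled the same way
// with confirmedIllegal=false.
func (n *Network) SettleBlock(producer, blockID string, confirmedIllegal bool) error {
	if _, ok := n.Credit[producer]; !ok {
		return ErrUnknownProducer
	}
	if confirmedIllegal {
		n.Credit[producer] -= n.Penalty
		return nil
	}
	n.Chain = append(n.Chain, blockID)
	n.Credit[producer] += n.Reward
	return nil
}

// RunChallenge plays out one challenge from the arbiter's point of view: it
// queries every other server for its judgment of the suspicious request,
// tallies the replies, and settles the block. judgments maps each server name
// to its local judgment and stands in for the query/reply messages.
func (n *Network) RunChallenge(producer, blockID string, judgments map[string]bool, ratioThreshold float64) (bool, error) {
	arbiter := n.Arbiter()
	var votes []Vote
	for name, j := range judgments {
		if name != arbiter { // the arbiter asks the others, not itself
			votes = append(votes, Vote{name, j})
		}
	}
	legal, _ := TallyChallenge(votes, ratioThreshold)
	return legal, n.SettleBlock(producer, blockID, !legal)
}

func main() {
	// Constructed scenario: tld-d broadcast block 42, tld-a found a suspicious
	// request in it, and the highest-credit server (tld-b) runs the challenge.
	n := &Network{
		Credit:  map[string]int{"tld-a": 40, "tld-b": 55, "tld-c": 55, "tld-d": 20, "tld-e": 35},
		Penalty: 10,
		Reward:  2,
	}
	judgments := map[string]bool{"tld-a": false, "tld-b": true, "tld-c": true, "tld-d": true, "tld-e": false}
	legal, err := n.RunChallenge("tld-d", "block-42", judgments, 0.5)
	fmt.Printf("arbiter=%s legal=%v err=%v credit[tld-d]=%d chain=%v\n",
		n.Arbiter(), legal, err, n.Credit["tld-d"], n.Chain)
}
```

In the constructed scenario the four non-arbiter replies split 2 to 2, a ratio of exactly 0.5; because the page's rule requires the ratio to be strictly greater than the threshold, the request is judged illegal, the block is not appended, and the producer loses the first preset value. The check for an unknown producer is an addition for robustness; the page does not discuss a block from a server with no credit entry.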
Optionally, the method further includes: receiving a domain name resolution request sent by an appointed domain name server, wherein the domain name resolution request carries a fifth domain name, a first domain name hash value of a second-level domain name corresponding to the fifth domain name and a second domain name hash value of a top-level domain name corresponding to the fifth domain name; judging whether the first domain name hash value exists in a local secondary domain name information table or not; the second-level domain name information table records a hash value of a second-level domain name registered by the domain name system; if the first domain name hash value exists in the secondary domain name information table, acquiring an IP address and a public key of a first authority domain name server which are recorded in the secondary domain name information table and correspond to the first domain name hash value, and a second digital signature obtained by encrypting the IP address of the first authority domain name server based on a third private key corresponding to a third public key of the second authority domain name server; and sending the IP address and the public key of the first authority domain name server and the second digital signature to the appointed domain name server so that the appointed domain name server carries out security verification on the received data based on the second digital signature, and sending a domain name resolution request carrying the fifth domain name to the first authority domain name server under the condition that the verification is passed.
Optionally, the method further includes: if the first domain name hash value does not exist in the second-level domain name information table, acquiring the IP address and public key of a fifth top-level domain name server, recorded in a local top-level domain name information table and corresponding to the second domain name hash value, and encrypting the IP address of the fifth top-level domain name server based on the third private key to obtain a third digital signature; the top-level domain name information table records a hash value of a top-level domain name registered by the domain name system; and sending the IP address and the public key of the fifth top-level domain name server and the third digital signature to the appointed domain name server, so that the appointed domain name server carries out security verification on the received data based on the third digital signature and, if the verification passes, sends a domain name resolution request carrying the fifth domain name to the fifth top-level domain name server.
In a second aspect, in order to achieve the above object, an embodiment of the present application discloses a domain name request processing apparatus, which is applied to a first top-level domain name server in a domain name system based on a block chain, and the apparatus includes: the first obtaining module is used for obtaining a first request hash value carried in a first domain name request when the first domain name request sent by a client is received, wherein the first request hash value is obtained by processing the client based on a hash algorithm and a first parameter; the first parameter comprises a random character string carried in the first domain name request, a target domain name and a timestamp of the first domain name request sent by the client; the first judgment module is used for judging whether the first request hash value is smaller than a first preset threshold value or not; a discarding module, configured to discard the first domain name request if the first request hash value is not less than the first preset threshold; and the first processing module is used for adding the first domain name request as a transaction to a local transaction pool if the first request hash value is smaller than the first preset threshold value.
On the other hand, in order to achieve the above object, an embodiment of the present application further discloses an electronic device, which includes a memory and a processor; the memory is used for storing a computer program; the processor is configured to implement the domain name request processing method according to the first aspect when executing the program stored in the memory.
On the other hand, in order to achieve the above object, an embodiment of the present application further discloses a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the domain name request processing method according to the first aspect.
On the other hand, in order to achieve the above object, an embodiment of the present application further discloses a computer program product containing instructions, which when run on a computer, causes the computer to execute the domain name request processing method according to the first aspect.
The embodiment of the application provides a domain name request processing method, which can be applied to a first top-level domain name server in a domain name system based on a block chain, and when a first domain name request sent by a client is received, a first request hash value carried in the first domain name request is obtained, wherein the first request hash value is obtained by processing the client based on a hash algorithm and a first parameter; the first parameter comprises a random character string carried in the first domain name request, a target domain name and a timestamp for sending the first domain name request by the client; judging whether the first request hash value is smaller than a first preset threshold value or not; if the first request hash value is not smaller than a first preset threshold value, discarding the first domain name request; and if the first request hash value is smaller than a first preset threshold value, adding the first domain name request as a transaction to a local transaction pool.
With this processing, a malicious client that wants to mount an attack must make many hash attempts before the request hash value computed from the random character string falls below the first preset threshold value. This increases the cost of a malicious attack and reduces the number of malicious domain name requests the domain name system processes, so the influence of the domain name system being attacked can be reduced to a certain extent and network service interruption is avoided.
Of course, not all advantages described above need to be achieved at the same time in the practice of any one product or method of the present application.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a domain name request processing method according to an embodiment of the present application;
fig. 2 is a flowchart of another domain name request processing method according to an embodiment of the present application;
fig. 3 is a flowchart of another domain name request processing method according to an embodiment of the present application;
fig. 4 is a flowchart of another domain name request processing method according to an embodiment of the present application;
fig. 5 is a flowchart of another domain name request processing method according to an embodiment of the present application;
fig. 6 is a flowchart of domain name resolution provided in an embodiment of the present application;
FIG. 7 is an architecture diagram of a networking provided by an embodiment of the present application;
fig. 8 is a block diagram of a domain name request processing apparatus according to an embodiment of the present application;
fig. 9 is a block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
In order to reduce the influence of a domain name system being attacked and avoid network service interruption, an embodiment of the present application provides a domain name request processing method, which may be applied to a first top-level domain name server in a domain name system based on a block chain, and referring to fig. 1, the method may include the following steps:
S101: when a first domain name request sent by a client is received, a first request hash value carried in the first domain name request is obtained.
The first request hash value is obtained by processing the client based on a hash algorithm and a first parameter; the first parameter comprises a random character string carried in the first domain name request, the target domain name and a timestamp of the first domain name request sent by the client.
S102: and judging whether the first request hash value is smaller than a first preset threshold value, if not, executing S103, and if so, executing S104.
S103: the first domain name request is discarded.
S104: the first domain name request is added as a transaction to a local transaction pool.
Therefore, a malicious client that wants to mount an attack must make many hash attempts before the request hash value computed from the random character string falls below the first preset threshold value; this increases the cost of a malicious attack, reduces the number of malicious domain name requests the domain name system processes, reduces the influence of the domain name system being attacked to a certain extent, and avoids interruption of network service.
In addition, the method of the embodiment of the application does not need to improve the client, only needs to add the block chain function to the top-level domain name server, and the improvement is transparent to the user side, so that the deployment cost and difficulty of the domain name system based on the block chain can be reduced.
The first top-level domain name server may be any top-level domain name server in a domain name system. In one embodiment, in order to further improve the security of the domain name system, the top-level domain name server included in the domain name system based on the blockchain may be a country-level top-level domain name server, and the country-level top-level domain name server is a top-level domain name server for maintaining country-level top-level domain names.
The country-level top-level domain name server is used as a node in the domain name system, so that the reliability and stability of the domain name system based on the block chain can be improved, and the transaction processing capacity of the domain name system is greatly improved.
In one embodiment, when a normal client sends a domain name request, a random string may be generated, and a hash value (which may be referred to as a request hash value) corresponding to the domain name request is obtained based on the generated random string, a target domain name, a timestamp for sending the domain name request, and a hash algorithm. If the request hash value is not less than the first preset threshold, in order to prevent the domain name request from being discarded, the client may regenerate the random character string, and obtain a new request hash value based on the newly generated random character string, the target domain name, the timestamp for sending the domain name request, and the hash algorithm, and so on, until the obtained request hash value is less than the first preset threshold, and further, the client may send the domain name request carrying the latest obtained request hash value to the domain name system.
The target domain name is a domain name requested to be processed by the first domain name request, for example, if the first domain name request is a domain name registration request, the target domain name is a domain name requested to be registered by the client; the first domain name request is a domain name updating request, and the target domain name is a domain name requested to be updated by the client; the first domain name request is a domain name deleting request, and the target domain name is a domain name which is requested to be deleted by the client; and if the first domain name request is a domain name transfer request, the target domain name is the domain name requested to be transferred by the client.
In one embodiment, to further improve the security of the domain name system, referring to fig. 2, before step S104, the method may further include the steps of:
S105: the first parameter carried in the first domain name request is processed based on a hash algorithm to obtain a hash value to be matched.
S106: judging whether the hash value to be matched is consistent with the first request hash value or not; if not, S103 is executed, and if yes, S104 is executed.
In this embodiment of the application, when sending the first domain name request, the client may process the first parameter according to a hash algorithm to obtain a corresponding hash value, and the hash value is carried in the first domain name request.
In order to prevent the first parameter carried in the first domain name request from being maliciously tampered, after the first domain name request is received, the first top-level domain name server may perform hash processing on the first parameter carried in the first domain name request to obtain a corresponding hash value (i.e., a hash value to be matched).
Further, the first top-level domain name server compares the hash value to be matched with the first request hash value. If the two are inconsistent, the first parameter carried in the first domain name request was tampered with in transit, and the first domain name request can be discarded directly; if they are consistent, the first parameter was not tampered with in transit, and the first domain name request can be added to the local transaction pool.
It can be understood that, if the first parameter includes multiple parameters, the client may splice the multiple parameters according to a preset sequence, and perform hash operation on the splicing result to obtain a corresponding hash value (i.e., a first request hash value); correspondingly, the first top-level domain name server may also splice a plurality of corresponding parameters carried in the first domain name request according to the preset sequence, and perform hash operation on the splicing result to obtain a corresponding hash value (i.e., a hash value to be matched).
In one embodiment, in order to further improve the security of the domain name system, on the basis of fig. 2, referring to fig. 3, before step S104, the method may further include the following steps:
S107: decrypting the first digital signature carried in the first domain name request based on the first public key of the user logged in to the client, which is also carried in the first domain name request, to obtain a decryption result.
S108: judging whether the decryption result is consistent with a second parameter carried in the first domain name request; if not, S103 is executed, and if so, S104 is executed.
The first digital signature is obtained by encrypting a second parameter carried in the first domain name request by the client based on a first private key corresponding to the first public key; the second parameter may include a random string and the first request hash value.
In this embodiment of the application, when sending the first domain name request, the client may encrypt the second parameter based on its own private key (i.e., the first private key), obtain a corresponding digital signature, and carry the digital signature in the first domain name request.
In order to prevent the second parameter carried in the first domain name request from being maliciously tampered, after the first domain name request is received, the first top-level domain name server may decrypt the digital signature (i.e., the first digital signature) carried in the first domain name request based on a public key (i.e., the first public key) corresponding to the first private key carried in the first domain name request, so as to obtain a decryption result.
Furthermore, whether the decryption result is consistent with the second parameter carried in the first domain name request can be compared. If not, the second parameter carried in the first domain name request was maliciously tampered with during transmission, and the first domain name request can therefore be discarded directly; if so, the second parameter carried in the first domain name request was not tampered with during transmission, and the first domain name request can be added to the local transaction pool.
In one embodiment, when the first domain name request is a domain name registration request, the first parameter further includes a hash value of the target domain name and an IP address corresponding to the target domain name; the second parameter further includes the target domain name, the hash value of the target domain name, the IP address corresponding to the target domain name, and the timestamp.
When the first domain name request is a domain name updating request, the first parameter further comprises a hash value of the target domain name and an IP address corresponding to the updated target domain name; the second parameter further includes a target domain name, a hash value of the target domain name, an IP address and a timestamp corresponding to the updated target domain name.
When the first domain name request is a domain name deletion request, the first parameter further comprises a hash value of the target domain name; the second parameters also include the target domain name, a hash value of the target domain name, and a timestamp.
When the first domain name request is a domain name transfer request, the first parameters further comprise a hash value of the target domain name and an IP address corresponding to the transferred target domain name; the second parameter also comprises a target domain name, a hash value of the target domain name, an IP address corresponding to the target domain name after transfer and a timestamp; the domain name transfer request also carries a second public key of the transferred user of the target domain name.
In this embodiment of the present application, for different types of first domain name requests, the corresponding first preset thresholds may be the same or different. For example, the first preset threshold corresponding to the domain name registration request may be smaller than the first preset threshold corresponding to the domain name update request; the first preset threshold corresponding to the domain name registration request may be smaller than the first preset threshold corresponding to the domain name deletion request; the first preset threshold corresponding to the domain name registration request may be smaller than the first preset threshold corresponding to the domain name transfer request.
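The two-layer check described above (S105/S106 hash-to-be-matched comparison, then S107/S108 signature verification over the second parameter), worked through for a domain name registration request. This is an added example, not code from the patent: the field splice order, the separator, the threshold value and the use of Ed25519 in place of the unspecified public-key algorithm are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
)

// firstPresetThreshold is an assumed value; the page leaves the threshold to
// the operator. A 32-byte request hash must compare below it (big-endian).
var firstPresetThreshold = [32]byte{0x20} // remaining bytes are zero

// RegistrationRequest carries the fields the page lists for a domain name
// registration request (the exact field layout is an assumption).
type RegistrationRequest struct {
	Domain      string
	DomainHash  string   // hex SHA-256 of Domain
	IP          string
	Timestamp   int64
	Nonce       string   // the random string
	RequestHash [32]byte // first request hash, computed over the first parameter
	PublicKey   ed25519.PublicKey
	Signature   []byte // first digital signature over the second parameter
}

// firstParameter splices the first-parameter fields in the preset order
// (order and separator assumed): domain hash, IP, timestamp, random string.
func firstParameter(r *RegistrationRequest) []byte {
	return []byte(r.DomainHash + "|" + r.IP + "|" +
		strconv.FormatInt(r.Timestamp, 10) + "|" + r.Nonce)
}

// secondParameter splices the second parameter: random string, first request
// hash, target domain name, its hash, IP address and timestamp.
func secondParameter(r *RegistrationRequest) []byte {
	return []byte(r.Nonce + "|" + hex.EncodeToString(r.RequestHash[:]) + "|" +
		r.Domain + "|" + r.DomainHash + "|" + r.IP + "|" +
		strconv.FormatInt(r.Timestamp, 10))
}

func belowThreshold(h [32]byte) bool {
	return bytes.Compare(h[:], firstPresetThreshold[:]) < 0
}

// GenerateClientKey returns the registrant's key pair (the first private key).
func GenerateClientKey() ed25519.PrivateKey {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}

// BuildRegistration is the client side: vary the random string until the first
// request hash is below the threshold, then sign the second parameter.
func BuildRegistration(domain, ip string, ts int64, priv ed25519.PrivateKey) *RegistrationRequest {
	dh := sha256.Sum256([]byte(domain))
	r := &RegistrationRequest{Domain: domain, DomainHash: hex.EncodeToString(dh[:]),
		IP: ip, Timestamp: ts, PublicKey: priv.Public().(ed25519.PublicKey)}
	for i := 0; ; i++ {
		r.Nonce = "nonce-" + strconv.Itoa(i)
		r.RequestHash = sha256.Sum256(firstParameter(r))
		if belowThreshold(r.RequestHash) {
			break
		}
	}
	r.Signature = ed25519.Sign(priv, secondParameter(r))
	return r
}

// VerifyRegistration is the top-level server side: recompute the hash to be
// matched and compare it with the first request hash (S105/S106), check the
// threshold, then verify the signature over the second parameter (S107/S108).
func VerifyRegistration(r *RegistrationRequest) error {
	if sha256.Sum256(firstParameter(r)) != r.RequestHash {
		return errors.New("hash to be matched differs from first request hash: first parameter tampered")
	}
	if !belowThreshold(r.RequestHash) {
		return errors.New("first request hash is not below the first preset threshold")
	}
	if !ed25519.Verify(r.PublicKey, secondParameter(r), r.Signature) {
		return errors.New("first digital signature does not verify: second parameter tampered")
	}
	return nil
}

func main() {
	priv := GenerateClientKey()
	req := BuildRegistration("example.test", "192.0.2.10", 1700000000, priv) // constructed sample
	fmt.Println("valid request:", VerifyRegistration(req))
	req.IP = "192.0.2.99" // in-transit tampering of the first parameter
	fmt.Println("tampered IP:", VerifyRegistration(req))
}
```

Note that these checks bind the request to whichever public key it carries; tying that key to the registrant is what the public key recorded in the domain name information table (see the block-processing description later on this page) is for.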
In one embodiment, on the basis of fig. 3, referring to fig. 4, step S104 may include the steps of:
S1041: judging whether the target domain name exists in the local domain name information table to obtain a target judgment result.
S1042: based on the target judgment result and the request type of the first domain name request, adding the first domain name request to the local transaction pool as a transaction.
The domain name information table is used for recording the registered domain names.
In this embodiment of the application, the target determination result may be that a target domain name exists in the local domain name information table, or that the target domain name does not exist in the local domain name information table. The request type of the first domain name request may be a domain name registration request, a domain name update request, a domain name deletion request, or a domain name transfer request.
If the first domain name request is a domain name registration request and the target determination result is that no target domain name exists in the local domain name information table, indicating that the current target domain name is not registered, at this time, the first domain name request may be added to a local transaction pool as a transaction. In addition, if the first domain name request is a domain name registration request and the target determination result is that a target domain name exists in the local domain name information table, at this time, the target domain name cannot be repeatedly registered, and the first domain name request may be discarded.
If the first domain name request is a domain name updating request and the target judgment result is that the target domain name exists in the local domain name information table, the target domain name can be updated, and at this time, the first domain name request can be used as a transaction and added to a local transaction pool. Similarly, if the first domain name request is a domain name deletion request and the target determination result is that the target domain name exists in the local domain name information table, it indicates that the target domain name can be deleted, and at this time, the first domain name request may be added to the local transaction pool as a transaction. If the first domain name request is a domain name transfer request and the target judgment result is that a target domain name exists in the local domain name information table, indicating that the target domain name can be transferred, at this time, the first domain name request can be used as a transaction and added to a local transaction pool.
On the contrary, if the first domain name request is a domain name update request and the target determination result is that the target domain name does not exist in the local domain name information table, it indicates that the current target domain name is not registered, at this time, the target domain name cannot be updated, and the first domain name request may be discarded. Similarly, if the first domain name request is a domain name deletion request and the target determination result is that the target domain name does not exist in the local domain name information table, it indicates that the current target domain name is not registered, and at this time, the target domain name cannot be deleted, and the first domain name request may be discarded. If the first domain name request is a domain name transfer request and the target judgment result is that no target domain name exists in the local domain name information table, it indicates that the current target domain name is not registered, at this time, the target domain name cannot be transferred, and the first domain name request can be discarded.
In one embodiment, on the basis of fig. 1, referring to fig. 5, after step S104, the method may further include the steps of:
S109: broadcasting and sending the first domain name request to a third top-level domain name server, that is, a top-level domain name server in the domain name system other than the first top-level domain name server.
S1010: when a second domain name request broadcast by the third top-level domain name server is received, adding the second domain name request to the local transaction pool as a transaction.
In the embodiment of the present application, each top-level domain name server in the domain name system may maintain a transaction pool, and the transaction pool is used for storing the received domain name request. In order to ensure that the domain name requests stored in the transaction pools of the top-level domain name servers are consistent, after the first domain name request is added to the local transaction pool as a transaction, the first top-level domain name server may broadcast and send the first domain name request to other top-level domain name servers (i.e., a third top-level domain name server). Accordingly, the third top-level domain name server may add the first domain name request to a transaction pool local to the third top-level domain name server.
Similarly, when the third top-level domain name server receives a domain name request (i.e., a second domain name request) sent by the client and adds the second domain name request to the local transaction pool, the third top-level domain name server may also send the second domain name request to the first top-level domain name server, and correspondingly, the first top-level domain name server may also add the second domain name request to the local transaction pool.
In one embodiment, the corresponding block may be further generated based on a domain name request in the transaction pool and added to the block chain, and the method may further include the following steps:
Step one: when the first top-level domain name server determines, based on the hash value of the last block in the current block chain, that it is the top-level domain name server currently used for generating a block, acquiring a preset number of domain name requests from the transaction pool and generating a block based on the acquired domain name requests to serve as the first block.
Wherein the preset number may be determined by a technician based on experience and network status between top-level domain name servers. The preset number may be larger if the network state between the top-level domain name servers is better, and the preset number may be smaller if the network state between the top-level domain name servers is worse.
In this embodiment of the present application, when a preset period is reached, one top-level domain name server may be determined from the top-level domain name servers, and is used to generate a block.
In one embodiment, a corresponding number may be set for each top-level domain name server in the domain name system, and each top-level domain name server may determine, according to the number, the top-level domain name server currently used for generating the block. For example, the domain name system includes m top-level domain name servers, and the serial numbers of the top-level domain name servers are 0, 1, 2, …, m-1, respectively. Each top-level domain name server may determine the top-level domain name server currently used to generate the block by equation (1).
N = h mod m    (1)
Where N represents the number of the top-level domain name server currently used to generate the block, h represents the hash value of the last block in the current block chain, and mod represents the remainder operation. Based on the above processing, since the block chains in each top-level domain name server are consistent, the top-level domain name servers determined by each top-level domain name server and currently used for generating the block are also consistent.
A block may contain two parts, a block header and the transactions, and the transactions in the block may be stored in a Merkle tree structure. The root of the Merkle tree is recorded in the block header as a summary of all transactions in the block. The block header may also include the number of the block, the block timestamp, the hash value of the parent block of the block, and the hash value of the block. The block timestamp indicates the generation time of the block. The parent block of a block is the previous block in the block chain.
The first block in the block chain may be referred to as the genesis block; its number may be 0, and the numbers of the blocks created after it are incremented by 1 in creation order. The hash value of a block may be calculated by a hash algorithm over the block number, the block timestamp, the hash value of the parent block, and the root of the Merkle tree. Since the genesis block is the first block, it has no parent block, and no parent block hash value is present in its block header.
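The block layout and the producer selection of equation (1), worked through end to end: assemble a block from the request hashes taken from the transaction pool, record the Merkle root and block hash in the header, then derive N = h mod m from the last block's hash. This is an added example, not the patent's code; the hash field splice, the hex encoding, and pairing an odd Merkle leaf with itself are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
	"strconv"
)

// Block carries the header fields named on the page plus the transactions
// (domain name requests, represented here by their request hashes).
type Block struct {
	Number       uint64
	Timestamp    int64
	ParentHash   string // empty for the genesis block, which has no parent
	MerkleRoot   string
	Hash         string
	Transactions []string
}

// merkleRoot reduces the transaction list pairwise with SHA-256. An odd leaf
// is paired with itself (assumption; the page does not say how odd counts are handled).
func merkleRoot(txs []string) string {
	if len(txs) == 0 {
		return hex.EncodeToString(sha256.New().Sum(nil)) // hash of empty input
	}
	level := make([][]byte, 0, len(txs))
	for _, tx := range txs {
		h := sha256.Sum256([]byte(tx))
		level = append(level, h[:])
	}
	for len(level) > 1 {
		if len(level)%2 == 1 {
			level = append(level, level[len(level)-1])
		}
		next := make([][]byte, 0, len(level)/2)
		for i := 0; i < len(level); i += 2 {
			h := sha256.Sum256(append(append([]byte{}, level[i]...), level[i+1]...))
			next = append(next, h[:])
		}
		level = next
	}
	return hex.EncodeToString(level[0])
}

// blockHash follows the page: a hash over block number, block timestamp,
// parent block hash and Merkle root (splice order assumed).
func blockHash(b *Block) string {
	h := sha256.Sum256([]byte(strconv.FormatUint(b.Number, 10) + "|" +
		strconv.FormatInt(b.Timestamp, 10) + "|" + b.ParentHash + "|" + b.MerkleRoot))
	return hex.EncodeToString(h[:])
}

// NewBlock assembles and hashes a block on top of parent (nil for the genesis block).
func NewBlock(parent *Block, ts int64, txs []string) *Block {
	b := &Block{Timestamp: ts, Transactions: txs}
	if parent != nil {
		b.Number = parent.Number + 1
		b.ParentHash = parent.Hash
	}
	b.MerkleRoot = merkleRoot(txs)
	b.Hash = blockHash(b)
	return b
}

// ProducerNumber implements equation (1): N = h mod m, with h the hash of the
// last block interpreted as an unsigned big-endian integer. Because every
// server holds the same chain, every server computes the same N.
func ProducerNumber(lastBlockHash string, m int) int {
	raw, err := hex.DecodeString(lastBlockHash)
	if err != nil {
		panic(err)
	}
	h := new(big.Int).SetBytes(raw)
	return int(new(big.Int).Mod(h, big.NewInt(int64(m))).Int64())
}

func main() {
	// constructed sample: request hashes pulled from the transaction pool
	genesis := NewBlock(nil, 1700000000, []string{"reqhash-a", "reqhash-b", "reqhash-c"})
	next := NewBlock(genesis, 1700000060, []string{"reqhash-d"})
	fmt.Printf("block %d parent=%s\n", next.Number, next.ParentHash[:16])
	fmt.Println("producer for the next block among 7 servers:", ProducerNumber(next.Hash, 7))
}
```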
In an embodiment of the present application, generating the genesis block may include: after the block chain based domain name system starts running, each top-level domain name server in the domain name system may generate a domain name registration request, which may carry: a third request hash value of the domain name registration request, the hash value of the domain name of the top-level domain name server, the country-level top-level domain name maintained by the top-level domain name server, the IP address of the top-level domain name server, a timestamp, a random character string, the public key of the top-level domain name server, and a fourth digital signature.
The third request hash value may be obtained by processing the hash value of the domain name of the top-level domain name server, the country-level top-level domain name maintained by the top-level domain name server, the IP address of the top-level domain name server, the timestamp, and the random character string by using a hash algorithm, and is smaller than the first preset threshold.
Further, the top-level domain name server may broadcast the generated domain name registration request to the other top-level domain name servers. Correspondingly, it also receives the domain name registration requests sent by the other top-level domain name servers; it can then sort the domain name registration requests generated by all top-level domain name servers according to the numbers of the corresponding top-level domain name servers and package the sorted result into the genesis block. The timestamp in the genesis block may be the time at which the domain name system started running. With this processing, the genesis blocks generated by all top-level domain name servers in the domain name system are guaranteed to be identical.
When the first top-level domain name server determines that it is the top-level domain name server currently used for generating the block, it may obtain a preset number of domain name requests from the local transaction pool and generate the block (i.e., the first block) based on the obtained domain name requests.
Step two: and broadcasting and sending the first block to a third top-level domain name server so as to determine whether to add the first block to the current block chain according to the judgment result of the validity of each domain name request in the first block by the third top-level domain name server.
After the first block is generated, in order to determine the reliability of the generated first block, the first top-level domain name server may broadcast and send the first block to the third top-level domain name server, and further, the third top-level domain name server may respectively determine whether each domain name request in the first block is legal, and based on the determination result, the first top-level domain name server may determine whether to add the first block to the current block chain.
For example, if most top-level domain name servers determine that the domain name requests in the first block are legitimate, the first block may be determined to be legitimate and added to the block chain; otherwise, the first block may be determined to be illegitimate and discarded.
In one embodiment, the method may further comprise the steps of:
step 1: and when a second block broadcast by a third top-level domain name server is received, judging whether an illegal domain name request exists in the second block.
Step 2: if an illegal suspicious domain name request exists in the second block, sending a first challenge request message to a second top-level domain name server with the highest current credit value in the domain name system, so that the second top-level domain name server sends a first challenge query message to a fourth top-level domain name server except the second top-level domain name server in the domain name system in a broadcasting manner, and determining whether the suspicious domain name request is legal or not according to a judgment result which is returned by the fourth top-level domain name server and aims at the legality of the suspicious domain name request.
Wherein, the first challenge request message carries: the number of the second block and a second request hash value of the suspicious domain name request; the first challenge query message carries the number of the second block and the second request hash value.
It will be appreciated that at this point, the suspicious domain name request is only a domain name request that the first top-level domain name server itself has determined to be illegal.
The credit value for the top level domain name server may indicate the reliability and security of the top level domain name server. When the domain name system just starts to operate, each top-level domain name server can be set to have the same initial credit value, and subsequently, the credit value of each top-level domain name server can be updated in the operation process of the domain name system.
In the embodiment of the present application, when the third top-level domain name server generates a block (i.e., a second block), the third top-level domain name server may also send the second block to the first top-level domain name server. Further, the first top-level domain name server may determine whether there is an illegal domain name request in the second block.
For example, for each domain name request in the second block, the first top-level domain name server may query whether a domain name request consistent with the domain name request exists in the local transaction pool; if so, the domain name request may be determined to be legitimate, and if not, the domain name request may be determined to be illegitimate.
In one embodiment, when the first top-level domain name server determines that there is an illegal domain name request (i.e., a suspicious domain name request) in the second block, the first top-level domain name server may send a challenge request message (i.e., a first challenge request message) for the suspicious domain name request to the second top-level domain name server.
Furthermore, the second top-level domain name server may broadcast a challenge query packet (i.e., the first challenge query packet) for the suspicious domain name request to a top-level domain name server (i.e., a fourth top-level domain name server) other than the second top-level domain name server in the domain name system, and determine whether the suspicious domain name request is legal according to a determination result of validity of the suspicious domain name request returned by the fourth top-level domain name server. Specifically, reference may be made to the processing step of determining whether the second block is legal or not with respect to the first top-level domain name server in the subsequent embodiments.
In one embodiment, the method may further comprise the steps of:
Step one: if an illegal suspicious domain name request exists in the second block and the first top-level domain name server is the top-level domain name server with the highest current credit value in the domain name system, sending a second challenge query message to the third top-level domain name server in a broadcast manner.
Step two: when receiving the judgment results for the legality of the suspicious domain name request returned by each third top-level domain name server, determining the number of judgment results indicating that the suspicious domain name request is legal as the first number.
Step three: if the ratio of the first number to the second number, the second number being the number of all received judgment results, is greater than a second preset threshold, determining that the suspicious domain name request is legal.
Step four: if the ratio of the first number to the second number is not greater than the second preset threshold, determining that the suspicious domain name request is illegal.
Wherein, the second challenge query message carries: a number of the second block and a second request hash value. The second preset threshold may be set by a technician according to experience and business requirements, for example, the second preset threshold may be 0.5, or may also be 0.6, but is not limited thereto.
In this embodiment of the present application, if the first top-level domain name server is a top-level domain name server with the highest current credit value in the domain name system, the first top-level domain name server may directly broadcast and send a challenge query packet (i.e., a second challenge query packet) for the suspicious domain name request to the third top-level domain name server.
Furthermore, the third top-level domain name server may respectively determine whether the suspicious domain name request is legal, obtain a corresponding determination result, and send the determination result to the first top-level domain name server. The determination result may be represented by a flag, for example, a flag of 1 may indicate that the suspicious domain name request is illegal, and a flag of 0 may indicate that the suspicious domain name request is legal.
In one implementation, the third top-level domain name server may send a challenge response packet carrying the determination result to the first top-level domain name server. The challenge response message may also carry the number of the second block and a second request hash value.
After obtaining the determination results sent by the third top-level domain name server, the first top-level domain name server may determine the number of determination results (i.e., a first number) indicating that the suspicious domain name request is legitimate, and may further calculate a ratio of the first number to the number of all received determination results (i.e., a second number).
If the ratio is greater than the second preset threshold, it indicates that most top-level domain name servers determine that the suspicious domain name request is legal, and therefore, the first top-level domain name server can determine that the suspicious domain name request is legal. If the ratio is not greater than the second predetermined threshold, it indicates that most top-level domain name servers determine that the suspicious domain name request is not legitimate, and therefore, the first top-level domain name server may determine that the suspicious domain name request is illegitimate.
In one embodiment, after determining that the suspicious domain name request is not legitimate, the method may further comprise the steps of: subtracting a first preset value from the credit value of the top-level domain name server that broadcast the second block; and broadcasting a second challenge confirmation message indicating that the second block is illegal to the third top-level domain name server.
The first preset value may be set by a technician according to experience and business requirements.
In this embodiment, if the suspicious domain name request is illegal, it indicates that the reliability of the top-level domain name server broadcasting the second block is low, and therefore, the credit value of the top-level domain name server broadcasting the second block may be subtracted by the first preset value.
In addition, the first top-level domain name server may also broadcast and send a second challenge confirmation message to the third top-level domain name server to notify that the second block of the third top-level domain name server is illegal. Accordingly, the third top-level domain name server may delete the second block locally, and the third top-level domain name server may also subtract the first preset value from the credit value of the top-level domain name server broadcasting the second block.
In one embodiment, the method may further comprise the steps of: if a first question confirmation message which is sent by a second top-level domain name server and indicates that the second block is illegal is received within the preset time length after the second block is received, deleting the second block; and subtracting the first preset value from the credit value of the top-level domain name server broadcasting the second block.
In this embodiment of the application, if the first top-level domain name server receives the first challenge acknowledgement packet within the preset time after receiving the second block, which indicates that the second top-level domain name server determines that the second block is illegal, the first top-level domain name server may delete the second block locally, and subtract the first preset value from the credit value of the top-level domain name server that broadcasts and sends the second block.
In one embodiment, the method may further comprise the steps of:
If the first challenge confirmation message sent by the second top-level domain name server and indicating that the second block is illegal is not received within the preset time length after the second block is received, adding the second block to the current block chain and increasing the credit value of the top-level domain name server that broadcast the second block by a second preset value.
If the first challenge confirmation message is not received within the preset time after the second block is received, the proportion of top-level domain name servers judging the suspicious domain name request to be legal was large enough that the second top-level domain name server determined the second block to be legal, so the second block can be added to the current block chain. Meanwhile, the credit value of the top-level domain name server that broadcast the second block can be increased by a second preset value. The second preset value may be set by a technician according to experience and business requirements, and may be the same as or different from the first preset value.
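The challenge procedure above, from flagging a request that is missing from the local transaction pool, through the first-number/second-number vote over challenge responses, to the credit adjustment. This is an added example, not the patent's code; keying the pool by request hash and treating an empty set of responses as illegal are assumptions.

```go
package main

import "fmt"

// Determination flags as the page defines them: 1 = illegal, 0 = legal.
const (
	FlagLegal   = 0
	FlagIllegal = 1
)

// ChallengeResponse is the content of a challenge response message: the
// number of the challenged block, the second request hash of the suspicious
// domain name request, and the responding server's determination flag.
type ChallengeResponse struct {
	BlockNumber uint64
	RequestHash string
	Flag        int
}

// TransactionPool is the local pool keyed by request hash (key choice assumed).
type TransactionPool map[string]bool

// FindSuspicious applies the check in the text: a request in a received block
// with no consistent entry in the local transaction pool is treated as illegal
// (suspicious) and is what the challenge request message is raised for.
func FindSuspicious(pool TransactionPool, blockRequests []string) []string {
	var suspicious []string
	for _, h := range blockRequests {
		if !pool[h] {
			suspicious = append(suspicious, h)
		}
	}
	return suspicious
}

// SuspiciousIsLegal applies steps two to four: the first number counts
// responses whose flag says legal, the second number counts all responses
// received for this block number and request hash, and the request is legal
// only when first/second is strictly greater than the second preset
// threshold. A ratio exactly equal to the threshold is "not greater", so
// illegal. With no responses at all the request is treated as illegal
// (an assumption; the page does not cover that case).
func SuspiciousIsLegal(resps []ChallengeResponse, blockNumber uint64, requestHash string, secondPresetThreshold float64) bool {
	first, second := 0, 0
	for _, r := range resps {
		if r.BlockNumber != blockNumber || r.RequestHash != requestHash {
			continue // response to a different challenge; not counted
		}
		second++
		if r.Flag == FlagLegal {
			first++
		}
	}
	if second == 0 {
		return false
	}
	return float64(first)/float64(second) > secondPresetThreshold
}

// Credits holds each top-level domain name server's credit value.
type Credits map[string]int

// SettleSecondBlock applies the credit rules: an illegal block costs its
// producer the first preset value and is dropped; a block whose suspicious
// request was found legal is kept and its producer gains the second preset value.
func SettleSecondBlock(c Credits, producer string, legal bool, firstPreset, secondPreset int) (keepBlock bool) {
	if legal {
		c[producer] += secondPreset
		return true
	}
	c[producer] -= firstPreset
	return false
}

func main() {
	// constructed sample: a received second block carries one request the local pool never saw
	pool := TransactionPool{"h1": true, "h2": true}
	suspicious := FindSuspicious(pool, []string{"h1", "h2", "h3"})
	fmt.Println("suspicious requests:", suspicious)
	resps := []ChallengeResponse{
		{7, "h3", FlagLegal}, {7, "h3", FlagLegal}, {7, "h3", FlagLegal},
		{7, "h3", FlagIllegal}, {7, "h3", FlagIllegal},
	}
	legal := SuspiciousIsLegal(resps, 7, "h3", 0.5) // 3/5 > 0.5
	credits := Credits{"server-b": 100}
	fmt.Println("keep block:", SettleSecondBlock(credits, "server-b", legal, 10, 5), "credits:", credits)
}
```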
In one embodiment, after adding a block to the current block chain, the local domain name information table may also be updated based on the domain name request in the block.
In one implementation, a top-level domain name information table and a second-level domain name information table may be locally maintained, where the second-level domain name information table records related information of a second-level domain name registered by a domain name system; the top-level domain name information table records the related information of the top-level domain name registered by the domain name system.
For example, for a domain name registration request in a block, the request hash value, the domain name, the hash value of the domain name, the IP address, the timestamp and the public key carried in the domain name registration request, together with the hash value of the block, may be recorded in the corresponding domain name information table. For a domain name update request in the block, the block hash value, request hash value, IP address and timestamp recorded for the domain name carried in the domain name update request may be updated in the corresponding domain name information table. For a domain name deletion request in the block, the information recorded for the domain name carried in the domain name deletion request can be deleted from the corresponding domain name information table. For a domain name transfer request in the block, the block hash value, request hash value, IP address, timestamp and public key recorded for the domain name carried in the domain name transfer request may be updated in the corresponding domain name information table.
In one embodiment, referring to fig. 6, the method may further comprise the steps of:
s601: receiving a domain name resolution request sent by a specified domain name server.
The domain name resolution request carries a fifth domain name, a first domain name hash value of a second-level domain name corresponding to the fifth domain name and a second domain name hash value of a top-level domain name corresponding to the fifth domain name. The specified domain name server may be a local domain name server corresponding to the client sending the domain name resolution request.
In this embodiment of the present application, when the client needs to access the fifth domain name, the client may send a domain name resolution request to the local domain name server. Furthermore, the local domain name server can query a local cache, and if the IP address corresponding to the fifth domain name is cached, the IP address can be directly returned to the client; if the IP address corresponding to the fifth domain name is not cached, a domain name resolution request may be sent to a top-level domain name server in the domain name system.
S602: judging whether a first domain name hash value exists in a local secondary domain name information table or not; if yes, executing S603-S604; if not, S605-S606 are performed.
The second-level domain name information table records a hash value of the second-level domain name registered by the domain name system.
S603: acquiring the IP address and the public key of the first authority domain name server recorded in the second-level domain name information table for the first domain name hash value, and acquiring a second digital signature obtained by encrypting the IP address of the first authority domain name server based on a third private key corresponding to a third public key of the second authority domain name server.
S604: sending the IP address and the public key of the first authority domain name server and the second digital signature to the specified domain name server, so that the specified domain name server performs security verification on the received data based on the second digital signature and, if the verification passes, sends a domain name resolution request carrying the fifth domain name to the first authority domain name server.
In this embodiment of the present application, if the first domain name hash value exists in the local second-level domain name information table, the fifth domain name was registered by the user through the domain name system of this application. The first top-level domain name server may then process the IP address of the first authority domain name server corresponding to the first domain name hash value with its own private key (i.e., the third private key) to obtain the second digital signature, and send the IP address and the public key of the first authority domain name server together with the second digital signature to the specified domain name server.
The specified domain name server can then decrypt the second digital signature with the third public key of the first top-level domain name server; if the decryption result is consistent with the received IP address of the first authority domain name server, the verification passes, and the specified domain name server may send a domain name resolution request carrying the fifth domain name to the first authority domain name server.
Similarly, after receiving the domain name resolution request, the first authority domain name server may encrypt the IP address corresponding to the fifth domain name based on its own public key to obtain a fifth digital signature, and send the IP address corresponding to the fifth domain name and the fifth digital signature to the specified domain name server.
The specified domain name server may then decrypt the received fifth digital signature with the public key of the first authority domain name server; if the decryption result is consistent with the received IP address corresponding to the fifth domain name, the verification passes, and the specified domain name server may send the IP address received from the first authority domain name server to the client.
S605: acquiring the IP address and the public key of the fifth top-level domain name server recorded in the local top-level domain name information table for the second domain name hash value, and encrypting the IP address of the fifth top-level domain name server based on the third private key to obtain a third digital signature.
S606: sending the IP address and the public key of the fifth top-level domain name server and the third digital signature to the specified domain name server, so that the specified domain name server performs security verification on the received data based on the third digital signature and, if the verification passes, sends a domain name resolution request carrying the fifth domain name to the fifth top-level domain name server.
The top-level domain name information table records a hash value of the top-level domain name registered by the domain name system.
In this embodiment of the present application, if the first domain name hash value does not exist in the local second-level domain name information table, the fifth domain name was not registered by the user through the domain name system of this application, but under the top-level domain name corresponding to the fifth domain name.
Therefore, the fifth top-level domain name server corresponding to the second domain name hash value can be determined from the local top-level domain name information table; the fifth top-level domain name server is the top-level domain name server that maintains the top-level domain name corresponding to the fifth domain name.
The first top-level domain name server may send to the specified domain name server the IP address and the public key of the fifth top-level domain name server, together with a third digital signature obtained by encrypting the IP address of the fifth top-level domain name server with its own private key (i.e., the third private key).
The specified domain name server may then decrypt the third digital signature with the third public key of the first top-level domain name server; if the decryption result is consistent with the received IP address of the fifth top-level domain name server, the verification passes, and the specified domain name server may send a domain name resolution request carrying the fifth domain name to the fifth top-level domain name server.
Similarly, after receiving the domain name resolution request, the fifth top-level domain name server may look up the IP address of the authority domain name server that maintains the second-level domain name of the fifth domain name (referred to as the second authority domain name server), encrypt that IP address with its own private key to obtain a sixth digital signature, and send the IP address of the second authority domain name server and the sixth digital signature to the specified domain name server.
The specified domain name server may then decrypt the received sixth digital signature with the public key of the fifth top-level domain name server; if the decryption result is consistent with the received IP address of the second authority domain name server, the verification passes, and the specified domain name server may send a domain name resolution request carrying the fifth domain name to the second authority domain name server.
Similarly, after receiving the domain name resolution request, the second authority domain name server may send the IP address corresponding to the fifth domain name to the specified domain name server, which then forwards the IP address received from the second authority domain name server to the client.
Referring to fig. 7, fig. 7 is an architecture diagram of a network according to an embodiment of the present application.
The network of fig. 7 may include a client, a local domain name server, an authority domain name server and a blockchain network. The blockchain network represents a blockchain-based domain name system and may include a plurality of top-level domain name servers, specifically: the ".cn" domain name server represents the country-level top-level domain name server of China, the ".us" domain name server that of the United States, the ".ru" domain name server that of Russia, the ".jp" domain name server that of Japan, and the ".uk" domain name server that of the United Kingdom.
When the client needs to access the domain name, the client can send a domain name resolution request carrying the domain name to the local domain name server. Furthermore, the local domain name server can query a local cache, and if the IP address corresponding to the domain name is cached, the IP address can be directly returned to the client; if the IP address corresponding to the domain name is not cached, a domain name resolution request may be sent to a top level domain name server in the blockchain network.
Based on steps S601-S606 above, the top-level domain name server in the blockchain network may send the determined IP address of the authority domain name server to the local domain name server. The local domain name server may then send a domain name resolution request to the authority domain name server, which queries the IP address corresponding to the domain name and returns it to the local domain name server. The local domain name server then sends the IP address received from the authority domain name server to the client.
Referring to fig. 8, fig. 8 is a structural diagram of a domain name request processing apparatus according to an embodiment of the present application. The apparatus is applied to a first top-level domain name server in a blockchain-based domain name system and includes:
a first obtaining module 801, configured to obtain, when a first domain name request sent by a client is received, a first request hash value carried in the first domain name request, where the first request hash value is obtained by the client by processing a first parameter with a hash algorithm; the first parameter comprises a random character string carried in the first domain name request, a target domain name, and the timestamp at which the client sent the first domain name request; a first determining module 802, configured to determine whether the first request hash value is smaller than a first preset threshold; a discarding module 803, configured to discard the first domain name request if the first request hash value is not smaller than the first preset threshold; and a first processing module 804, configured to add the first domain name request as a transaction to a local transaction pool if the first request hash value is smaller than the first preset threshold.
Optionally, the apparatus further comprises a second processing module, configured to process the first parameter carried in the first domain name request with the hash algorithm to obtain a hash value to be matched; determine whether the hash value to be matched is consistent with the first request hash value; discard the first domain name request if the two are not consistent; and, if they are consistent, execute the step of adding the first domain name request as a transaction to the local transaction pool.
Optionally, the apparatus further comprises a third processing module, configured to decrypt a first digital signature carried in the first domain name request with the first public key of the user logged in at the client, which is also carried in the first domain name request, to obtain a decryption result; the first digital signature is obtained by the client by encrypting a second parameter with a first private key corresponding to the first public key, and the second parameter comprises the random string and the first request hash value; determine whether the decryption result is consistent with the second parameter carried in the first domain name request; discard the first domain name request if they are not consistent; and, if they are consistent, execute the step of adding the first domain name request as a transaction to the local transaction pool.
Optionally, when the first domain name request is a domain name registration request, the first parameter further includes a hash value of the target domain name and an internet protocol IP address corresponding to the target domain name; the second parameter also comprises a target domain name, a hash value of the target domain name, an IP address corresponding to the target domain name and a timestamp; when the first domain name request is a domain name updating request, the first parameter further comprises a hash value of the target domain name and an IP address corresponding to the updated target domain name; the second parameter also comprises a target domain name, a hash value of the target domain name, an IP address corresponding to the updated target domain name and a timestamp; when the first domain name request is a domain name deletion request, the first parameter further comprises a hash value of the target domain name; the second parameter also comprises a target domain name, a hash value of the target domain name and a timestamp; when the first domain name request is a domain name transfer request, the first parameters further comprise a hash value of the target domain name and an IP address corresponding to the transferred target domain name; the second parameter also comprises a target domain name, a hash value of the target domain name, an IP address corresponding to the target domain name after transfer and a timestamp; the domain name transfer request also carries a second public key of the transferred user of the target domain name.
Optionally, the third processing module is specifically configured to determine whether the target domain name exists in a local domain name information table, obtaining a target determination result, where the domain name information table records registered domain names; and to add the first domain name request as a transaction to the local transaction pool based on the target determination result and the request type of the first domain name request.
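The following Python is an added example, not code from the patent or its applicant. It models two of the procedures described on this page together: the admission checks that modules 801-804 and the second and third processing modules apply to an incoming domain name request (request hash below the first preset threshold, recomputed hash equal to the carried one, signature over the second parameter valid under the carried public key), and the signed next-hop answer of steps S601-S606 with its verification by the specified domain name server. The patent does not name a signature scheme; a textbook RSA on a fixed, insecure toy modulus stands in for it because it matches the text's "encrypt with the private key, decrypt with the public key and compare" phrasing. The threshold value, the field layout of the first and second parameters, the table structure and all sample addresses are assumptions.

```python
import hashlib
import math
import secrets
import time

# ---- toy RSA (hypothetical helper; insecure: fixed Mersenne-prime modulus) ----
_P, _Q = (1 << 89) - 1, (1 << 107) - 1          # both prime, so no prime search is needed
_N, _PHI = _P * _Q, (_P - 1) * (_Q - 1)


def keygen():
    """Per-user exponent pair on the shared toy modulus: ((n, e), (n, d))."""
    while True:
        e = secrets.randbits(64) | 1
        if math.gcd(e, _PHI) == 1:
            return (_N, e), (_N, pow(e, -1, _PHI))


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % _N


def sign(priv, data: bytes) -> int:
    """'Encrypt' the digest with the private key, as the patent text phrases signing."""
    n, d = priv
    return pow(_digest_int(data), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    """'Decrypt' with the public key and compare with the digest of the received data."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


# ---- client request construction and server-side admission (modules 801-804 etc.) ----
# First preset threshold (assumed value): the hash must start with two zero hex digits,
# so a client spends roughly 256 hash trials per request.
THRESHOLD = int("00" + "f" * 62, 16)


def domain_hash(domain: str) -> str:
    return hashlib.sha256(domain.encode()).hexdigest()


def request_hash(nonce: str, domain: str, ts: int, ip: str) -> str:
    """First request hash value over the first parameter of a registration request
    (random string, target domain, timestamp, domain hash, IP; layout assumed)."""
    first_param = f"{nonce}|{domain}|{ts}|{domain_hash(domain)}|{ip}".encode()
    return hashlib.sha256(first_param).hexdigest()


def second_parameter(req: dict) -> bytes:
    """Second parameter of a registration request: the bytes the client signs."""
    return (f"{req['nonce']}|{req['req_hash']}|{req['domain']}|{req['domain_hash']}|"
            f"{req['ip']}|{req['ts']}").encode()


def build_registration(priv, pub, domain: str, ip: str, threshold: int = THRESHOLD) -> dict:
    """Client: search nonces until the request hash is below the threshold, then sign."""
    ts = int(time.time())
    while True:
        nonce = secrets.token_hex(8)
        h = request_hash(nonce, domain, ts, ip)
        if int(h, 16) < threshold:
            break
    req = {"type": "register", "nonce": nonce, "domain": domain, "domain_hash": domain_hash(domain),
           "ip": ip, "ts": ts, "req_hash": h, "pub": pub}
    req["sig"] = sign(priv, second_parameter(req))
    return req


def admit(req: dict, pool: list, threshold: int = THRESHOLD) -> str:
    """Server: the three checks in the order the page gives them; cheapest first."""
    if int(req["req_hash"], 16) >= threshold:                       # modules 802/803
        return "discarded: hash not below threshold"
    if request_hash(req["nonce"], req["domain"], req["ts"], req["ip"]) != req["req_hash"]:
        return "discarded: hash value to be matched differs"        # second processing module
    if not verify(req["pub"], second_parameter(req), req["sig"]):
        return "discarded: signature invalid"                      # third processing module
    pool.append(req)                                               # module 804
    return "accepted"


# ---- S601-S606: signed next-hop answer from the first top-level domain name server ----
def next_hop(server: dict, second_level_hash: str, top_level_hash: str):
    """Return (ip, public key, signature over ip) of the server the resolver should ask next."""
    if second_level_hash in server["secondary_table"]:            # S602 yes -> S603/S604
        ip, pub = server["secondary_table"][second_level_hash]
    elif top_level_hash in server["top_level_table"]:             # S602 no  -> S605/S606
        ip, pub = server["top_level_table"][top_level_hash]
    else:
        return None                                               # case not described in the text
    return ip, pub, sign(server["priv"], ip.encode())


def verify_next_hop(top_level_pub, answer) -> bool:
    """Specified (local) server: check the signature with the top-level server's public key."""
    ip, _next_pub, sig = answer
    return verify(top_level_pub, ip.encode(), sig)
```

The admission function returns a reason string rather than raising, so a server loop can count discards per reason; the same structure also makes the ordering visible: an attacker who cannot meet the hash threshold never causes a signature verification, which is the rate-limiting effect the threshold is there for.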
Optionally, the apparatus further comprises a domain name request broadcasting module, configured to broadcast the first domain name request to a third top-level domain name server except the third top-level domain name server in the domain name system; and a first adding module, configured to add a second domain name request as a transaction to the local transaction pool when the second domain name request broadcast by the third top-level domain name server is received.
Optionally, the apparatus further comprises a generation module, configured to, when it is determined based on the hash value of the last block in the current blockchain that this server is the top-level domain name server currently responsible for generating a block, acquire a preset number of domain name requests from the transaction pool and generate a block, as a first block, from the acquired domain name requests; and a block broadcasting module, configured to broadcast the first block to the third top-level domain name server, so that whether the first block is added to the current blockchain is determined according to the third top-level domain name server's judgment of the legality of each domain name request in the first block.
Optionally, the apparatus further comprises a fourth processing module, configured to judge, when a second block broadcast by the third top-level domain name server is received, whether an illegal suspicious domain name request exists in the second block, and, if so, to send a first challenge request message to the second top-level domain name server with the highest current credit value in the domain name system. The first challenge request message carries the number of the second block and the second request hash value of the suspicious domain name request, so that the second top-level domain name server broadcasts a first challenge query message carrying the number of the second block and the second request hash value to a fourth top-level domain name server in the domain name system other than the second top-level domain name server, and determines whether the suspicious domain name request is legal according to the judgment result on the legality of the suspicious domain name request returned by the fourth top-level domain name server.
Optionally, the apparatus further comprises a fifth processing module, configured to, if an illegal suspicious domain name request exists in the second block and this server is the top-level domain name server with the highest current credit value in the domain name system, broadcast a second challenge query message carrying the number of the second block and the second request hash value to the third top-level domain name server; when the judgment results on the legality of the suspicious domain name request returned by the respective third top-level domain name servers are received, determine the number of judgment results indicating that the suspicious domain name request is legal as a first number; if the ratio of the first number to a second number, the total number of judgment results received, is greater than a second preset threshold, determine that the suspicious domain name request is legal; and if that ratio is not greater than the second preset threshold, determine that the suspicious domain name request is illegal.
Optionally, the apparatus further comprises a first credit value updating module, configured to subtract a first preset value from the credit value of the top-level domain name server that broadcast the second block; and a message broadcasting module, configured to broadcast a second challenge confirmation message indicating that the second block is illegal to the third top-level domain name server.
Optionally, the apparatus further comprises a deleting module, configured to delete the second block if a first challenge confirmation message, sent by the second top-level domain name server and indicating that the second block is illegal, is received within a preset time after the second block is received; and a second credit value updating module, configured to subtract the first preset value from the credit value of the top-level domain name server that broadcast the second block.
Optionally, the apparatus further comprises a second adding module, configured to add the second block to the current blockchain and increase the credit value of the top-level domain name server that broadcast the second block by a second preset value if no first challenge confirmation message, sent by the second top-level domain name server and indicating that the second block is illegal, is received within the preset time after the second block is received.
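An added example (not from the patent or its applicant) of the challenge flow in the fourth and fifth processing modules and the credit-value modules: choosing the highest-credit server as coordinator, tallying the legality judgments against the second preset threshold, penalising the block producer when the request is found illegal, and the delete-or-add decision once the preset waiting time has elapsed. The numeric values of the thresholds and credit adjustments, the tie-breaking among equal credit values, the message layout and the local legality predicate are assumptions.

```python
SECOND_PRESET_THRESHOLD = 0.5   # assumed value: more than half must judge the request legal
FIRST_PRESET_VALUE = 10         # assumed credit penalty for broadcasting an illegal block
SECOND_PRESET_VALUE = 5         # assumed credit reward for a block that survives the wait


def highest_credit_server(credits: dict) -> str:
    """Server that receives the first challenge request message (ties: first in dict order;
    the page does not say how ties are broken)."""
    return max(credits, key=credits.get)


def find_suspicious(block: dict, is_legal) -> list:
    """Fourth processing module: (block number, request hash) pairs this server cannot
    accept, to be sent as first challenge request messages. `is_legal` is any local
    predicate over a request; the page leaves the criterion to the receiving server."""
    return [(block["number"], req["request_hash"])
            for req in block["requests"] if not is_legal(req)]


def judge_suspicious_request(verdicts: list) -> bool:
    """Fifth processing module: legal iff first number / second number > threshold."""
    first_number = sum(1 for legal in verdicts if legal)
    second_number = len(verdicts)
    if second_number == 0:
        return False                 # no judgment received: treat as illegal (assumption)
    return first_number / second_number > SECOND_PRESET_THRESHOLD


def coordinate_challenge(credits: dict, producer: str, block_number: int,
                         request_hash: str, verdicts: list):
    """Highest-credit server after its challenge query: on an illegal verdict, apply the
    first credit value update and return the challenge confirmation message to broadcast;
    on a legal verdict return None (nothing is broadcast)."""
    if judge_suspicious_request(verdicts):
        return None
    credits[producer] -= FIRST_PRESET_VALUE
    return {"type": "challenge_confirmation", "block_number": block_number,
            "request_hash": request_hash, "illegal": True}


def settle_block(chain: list, credits: dict, block: dict, producer: str,
                 confirmation_received: bool) -> str:
    """Deleting / second adding modules on every other server once the preset waiting
    time has passed: a received confirmation deletes the block and penalises the
    producer, otherwise the block joins the chain and the producer is rewarded."""
    if confirmation_received:
        credits[producer] -= FIRST_PRESET_VALUE
        return "deleted"
    chain.append(block)
    credits[producer] += SECOND_PRESET_VALUE
    return "added"
```

Each server keeps its own copy of the credit table, so the coordinator and the receiving servers each subtract the first preset value exactly once for the same illegal block; the waiting time itself is modelled only as the boolean `confirmation_received`, which a real node would set from a timer started when the block arrived.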
Optionally, the apparatus further comprises a receiving module, configured to receive a domain name resolution request sent by a specified domain name server, where the domain name resolution request carries a fifth domain name, a first domain name hash value of the second-level domain name corresponding to the fifth domain name, and a second domain name hash value of the top-level domain name corresponding to the fifth domain name; a second judgment module, configured to judge whether the first domain name hash value exists in the local second-level domain name information table, where the second-level domain name information table records the hash values of the second-level domain names registered through the domain name system; a second acquisition module, configured to acquire, if the first domain name hash value exists in the second-level domain name information table, the IP address and the public key of the first authority domain name server recorded in that table for the first domain name hash value, and to acquire a second digital signature obtained by encrypting the IP address of the first authority domain name server with a third private key corresponding to the first top-level domain name server's own third public key; and a first sending module, configured to send the IP address and the public key of the first authority domain name server and the second digital signature to the specified domain name server, so that the specified domain name server performs security verification on the received data based on the second digital signature and, if the verification passes, sends a domain name resolution request carrying the fifth domain name to the first authority domain name server.
Optionally, the apparatus further comprises a third acquisition module, configured to acquire, if the first domain name hash value does not exist in the second-level domain name information table, the IP address and the public key of the fifth top-level domain name server recorded in the local top-level domain name information table for the second domain name hash value, and to acquire a third digital signature obtained by encrypting the IP address of the fifth top-level domain name server with the third private key, where the top-level domain name information table records the hash values of the top-level domain names registered through the domain name system; and a second sending module, configured to send the IP address and the public key of the fifth top-level domain name server and the third digital signature to the specified domain name server, so that the specified domain name server performs security verification on the received data based on the third digital signature and, if the verification passes, sends a domain name resolution request carrying the fifth domain name to the fifth top-level domain name server.
An embodiment of the present application further provides an electronic device, as shown in fig. 9, including a memory 901 and a processor 902; a memory 901 for storing a computer program; the processor 902 is configured to implement the domain name request processing method provided in the embodiment of the present application when executing the program stored in the memory 901. It should be noted that other implementation manners of the domain name request processing method are the same as those of the foregoing method embodiment, and are not described herein again. The electronic device may be provided with a communication interface for realizing communication between the electronic device and another device.
The processor, the communication interface, and the memory are configured to communicate with each other through a communication bus, where the communication bus may be a Peripheral Component Interconnect (PCI) bus or an Extended Industry Standard Architecture (EISA) bus. The communication bus may be divided into an address bus, a data bus, a control bus, etc. The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor. The Processor may be a general-purpose Processor, and includes a Central Processing Unit (CPU), a Network Processor (NP), and the like; the device can also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component.
In another embodiment provided by the present application, a computer-readable storage medium is further provided, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of any of the above domain name request processing methods.
In yet another embodiment provided by the present application, there is also provided a computer program product containing instructions which, when run on a computer, cause the computer to perform any of the above-described domain name request processing methods.
In the above embodiments, the implementation may be wholly or partially realized by software, hardware, firmware, or any combination thereof. When implemented in software, it may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions which, when loaded and executed on a computer, cause the processes or functions described in accordance with the embodiments of the application to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) connection. The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or data center, that incorporates one or more available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the apparatus, the electronic device, the computer-readable storage medium, and the computer program product embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and for the relevant points, reference may be made to the partial description of the method embodiments.
The above description is only for the preferred embodiment of the present application and is not intended to limit the scope of the present application. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application are included in the protection scope of the present application.

Claims (15)

1. A domain name request processing method, applied to a first top-level domain name server in a blockchain-based domain name system, the method comprising the following steps:
when a first domain name request sent by a client is received, acquiring a first request hash value carried in the first domain name request, wherein the first request hash value is obtained by the client by processing a first parameter with a hash algorithm; the first parameter comprises a random character string carried in the first domain name request, a target domain name, and a timestamp at which the client sent the first domain name request;
judging whether the first request hash value is smaller than a first preset threshold value or not;
if the first request hash value is not smaller than the first preset threshold value, discarding the first domain name request;
and if the first request hash value is smaller than the first preset threshold value, adding the first domain name request as a transaction to a local transaction pool.
2. The method of claim 1, wherein prior to said adding the first domain name request as a transaction to a local transaction pool, the method further comprises:
processing the first parameter carried in the first domain name request with the hash algorithm to obtain a hash value to be matched;
judging whether the hash value to be matched is consistent with the first request hash value or not;
if the hash value to be matched is not consistent with the first request hash value, discarding the first domain name request;
and if the hash value to be matched is consistent with the first request hash value, executing the step of adding the first domain name request as a transaction to a local transaction pool.
3. The method of claim 2, wherein prior to the adding the first domain name request as a transaction to a local transaction pool, the method further comprises:
decrypting a first digital signature carried in the first domain name request based on a first public key of a user logging in the client terminal carried in the first domain name request to obtain a decryption result; the first digital signature is obtained by encrypting a second parameter by the client based on a first private key corresponding to the first public key; the second parameter comprises the random string and the first request hash value;
judging whether the decryption result is consistent with a second parameter carried in the first domain name request;
if the decryption result is inconsistent with a second parameter carried in the first domain name request, discarding the first domain name request;
and if the decryption result is consistent with a second parameter carried in the first domain name request, executing the step of adding the first domain name request as a transaction to a local transaction pool.
4. The method according to claim 3, wherein when the first domain name request is a domain name registration request, the first parameter further includes a hash value of the target domain name, and an internet protocol IP address corresponding to the target domain name; the second parameter further includes the target domain name, a hash value of the target domain name, an IP address corresponding to the target domain name, and the timestamp;
when the first domain name request is a domain name updating request, the first parameter further comprises a hash value of the target domain name and an IP address corresponding to the target domain name after updating; the second parameter further comprises the target domain name, a hash value of the target domain name, an IP address corresponding to the updated target domain name and the timestamp;
when the first domain name request is a domain name deletion request, the first parameter further comprises a hash value of the target domain name; the second parameter further comprises the target domain name, a hash value of the target domain name and the timestamp;
when the first domain name request is a domain name transfer request, the first parameters further comprise a hash value of the target domain name and an IP address corresponding to the target domain name after transfer; the second parameter further comprises the target domain name, a hash value of the target domain name, an IP address corresponding to the target domain name after transfer and the timestamp; the domain name transfer request also carries a second public key of the transferred user of the target domain name.
5. The method of claim 3, wherein adding the first domain name request as a transaction to a local transaction pool comprises:
judging whether the target domain name exists in a local domain name information table or not to obtain a target judgment result; the domain name information table is used for recording registered domain names;
and adding the first domain name request as a transaction to a local transaction pool based on the target judgment result and the request type of the first domain name request.
6. The method of claim 1, wherein, after adding the first domain name request as a transaction to the local transaction pool, the method further comprises:
broadcasting the first domain name request to the third top-level domain name servers, the third top-level domain name servers being the top-level domain name servers in the domain name system other than the first top-level domain name server;
and, when a second domain name request broadcast by one of the third top-level domain name servers is received, adding the second domain name request as a transaction to the local transaction pool.
7. The method of claim 6, further comprising:
when the first top-level domain name server is determined, based on the hash value of the last block in the current block chain, to be the top-level domain name server that currently generates a block, acquiring a preset number of domain name requests from the transaction pool and generating a block, as a first block, from the acquired domain name requests;
and broadcasting the first block to the third top-level domain name servers, so that each third top-level domain name server determines whether to add the first block to its current block chain according to its own determination of the validity of each domain name request in the first block.
8. The method of claim 7, further comprising:
when a second block broadcast by a third top-level domain name server is received, determining whether the second block contains a suspicious domain name request that is illegal;
if the second block contains such a suspicious domain name request, sending a first challenge request message to the second top-level domain name server, the second top-level domain name server being the top-level domain name server with the highest current credit value in the domain name system, the first challenge request message carrying the number of the second block and a second request hash value of the suspicious domain name request, so that the second top-level domain name server broadcasts a first challenge query message carrying the number of the second block and the second request hash value to the fourth top-level domain name servers, the fourth top-level domain name servers being the top-level domain name servers in the domain name system other than the second top-level domain name server, and determines whether the suspicious domain name request is legal according to the determination results on the legality of the suspicious domain name request returned by the fourth top-level domain name servers.
9. The method of claim 8, further comprising:
if the second block contains a suspicious domain name request that is illegal and the first top-level domain name server is itself the top-level domain name server with the highest current credit value in the domain name system, broadcasting a second challenge query message carrying the number of the second block and the second request hash value to the third top-level domain name servers;
when the determination results on the legality of the suspicious domain name request returned by the respective third top-level domain name servers are received, determining the number of determination results indicating that the suspicious domain name request is legal as a first number;
if the ratio of the first number to a second number, the second number being the total number of determination results received, is greater than a second preset threshold, determining that the suspicious domain name request is legal;
and if that ratio is not greater than the second preset threshold, determining that the suspicious domain name request is illegal.
10. The method of claim 9, wherein, after determining that the suspicious domain name request is illegal, the method further comprises:
subtracting a first preset value from the credit value of the top-level domain name server that broadcast the second block;
and broadcasting a second challenge confirmation message, indicating that the second block is illegal, to the third top-level domain name servers.
11. The method of claim 8, further comprising:
if a first challenge confirmation message, sent by the second top-level domain name server and indicating that the second block is illegal, is received within a preset time after the second block is received, deleting the second block;
and subtracting a first preset value from the credit value of the top-level domain name server that broadcast the second block.
12. The method of claim 8, further comprising:
if no first challenge confirmation message, sent by the second top-level domain name server and indicating that the second block is illegal, is received within the preset time after the second block is received, adding the second block to the current block chain and increasing the credit value of the top-level domain name server that broadcast the second block by a second preset value.
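Claims 7 to 12 as one added Go example (not the patent's own code). It derives the block producer from the last block's hash, lets the highest-credit server collect verdicts and apply the strict "greater than" rule of claim 9, and settles a received block per claims 10 to 12. The modulo rule for the producer, the ID tie-break for the arbiter, failing closed when no verdict arrives, and the in-memory `judge` callback that stands in for the broadcast challenge query and the reply messages are assumptions; the claims state only that the producer depends on the hash and that the challenge goes to the highest-credit server.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Node is one top-level domain name server as seen in the local credit table.
type Node struct {
	ID     string
	Credit int
}

// Network is one node's view of the system; every node keeps the same view.
type Network struct {
	Nodes         []*Node
	Chain         []int   // numbers of the blocks appended to the current chain
	VoteThreshold float64 // the second preset threshold of claim 9
	Penalty       int     // the first preset value of claims 10 and 11
	Reward        int     // the second preset value of claim 12
}

// Producer picks the block producer from the hash of the last block. Claim 7
// only says "based on the hash"; reducing its first 8 bytes modulo the node
// count is the assumed rule, and it needs every node to hold the same list.
func (n *Network) Producer(lastBlockHash []byte) *Node {
	return n.Nodes[binary.BigEndian.Uint64(lastBlockHash[:8])%uint64(len(n.Nodes))]
}

// HighestCredit is the node a challenger addresses (claim 8). Ties are broken
// by ID (assumed) so that every node picks the same arbiter.
func (n *Network) HighestCredit() *Node {
	best := n.Nodes[0]
	for _, p := range n.Nodes[1:] {
		if p.Credit > best.Credit || (p.Credit == best.Credit && p.ID < best.ID) {
			best = p
		}
	}
	return best
}

// Tally is claim 9: legal only if the share of "legal" verdicts is strictly
// greater than the threshold, so a share that exactly meets it is illegal.
func Tally(verdicts []bool, threshold float64) bool {
	legal := 0
	for _, v := range verdicts {
		if v {
			legal++
		}
	}
	return len(verdicts) > 0 && float64(legal)/float64(len(verdicts)) > threshold
}

// Arbitrate is claims 8 and 9 from the arbiter's side: the highest-credit node
// queries every other node about (blockNo, reqHash) and tallies the verdicts.
// judge stands in for each peer's local legality check and its reply message.
func (n *Network) Arbitrate(blockNo int, reqHash string, judge func(*Node, int, string) bool) (*Node, bool) {
	arbiter := n.HighestCredit()
	var verdicts []bool
	for _, p := range n.Nodes {
		if p != arbiter {
			verdicts = append(verdicts, judge(p, blockNo, reqHash))
		}
	}
	return arbiter, Tally(verdicts, n.VoteThreshold)
}

// Settle is the receiving node's side of claims 10 to 12: a confirmation that
// the block is illegal, arriving within the preset time, drops the block and
// penalises its producer; otherwise the block is appended and the producer rewarded.
func (n *Network) Settle(blockNo int, producer *Node, confirmedIllegal bool) {
	if confirmedIllegal {
		producer.Credit -= n.Penalty
		return
	}
	n.Chain = append(n.Chain, blockNo)
	producer.Credit += n.Reward
}

func main() {
	net := &Network{VoteThreshold: 0.5, Penalty: 10, Reward: 1}
	for _, id := range []string{"tld-a", "tld-b", "tld-c", "tld-d"} {
		net.Nodes = append(net.Nodes, &Node{ID: id, Credit: 100})
	}
	last := sha256.Sum256([]byte("block-41")) // constructed stand-in for the last block
	producer := net.Producer(last[:])
	// Only tld-d vouches for the request, so 1 of 3 peers says legal: illegal.
	arbiter, legal := net.Arbitrate(42, "c0ffee", func(p *Node, _ int, _ string) bool { return p.ID == "tld-d" })
	net.Settle(42, producer, !legal)
	fmt.Println("producer", producer.ID, "arbiter", arbiter.ID, "legal", legal, "credit", producer.Credit, "chain", net.Chain)
}
```

Because the penalty of claims 10 and 11 is applied by every node that receives the confirmation while the reward of claim 12 is applied by every node that times out, the credit values only stay consistent if the confirmation reaches all nodes within the preset time; a node that misses it rewards the producer the others just penalised, and from then on may pick a different arbiter.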
13. The method of claim 1, further comprising:
receiving a domain name resolution request sent by a designated domain name server, the domain name resolution request carrying a fifth domain name, a first domain name hash value of the second-level domain name corresponding to the fifth domain name, and a second domain name hash value of the top-level domain name corresponding to the fifth domain name;
determining whether the first domain name hash value exists in a local second-level domain name information table, the second-level domain name information table recording the hash values of the second-level domain names registered in the domain name system;
if the first domain name hash value exists in the second-level domain name information table, acquiring the IP address and the public key of a first authoritative domain name server recorded in the second-level domain name information table in correspondence with the first domain name hash value, and a second digital signature obtained by encrypting the IP address of the first authoritative domain name server with a third private key corresponding to a third public key of the second authoritative domain name server;
and sending the IP address and the public key of the first authoritative domain name server and the second digital signature to the designated domain name server, so that the designated domain name server verifies the received data against the second digital signature and, if the verification passes, sends a domain name resolution request carrying the fifth domain name to the first authoritative domain name server.
14. The method of claim 13, further comprising:
if the first domain name hash value does not exist in the second-level domain name information table, acquiring the IP address and the public key of a fifth top-level domain name server recorded in a local top-level domain name information table in correspondence with the second domain name hash value, and encrypting the IP address of the fifth top-level domain name server with the third private key to obtain a third digital signature, the top-level domain name information table recording the hash values of the top-level domain names registered in the domain name system;
and sending the IP address and the public key of the fifth top-level domain name server and the third digital signature to the designated domain name server, so that the designated domain name server verifies the received data against the third digital signature and, if the verification passes, sends a domain name resolution request carrying the fifth domain name to the fifth top-level domain name server.
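The signed referral of claims 13 and 14, as an added Go example (not the patent's own code; the claims do not name a signature scheme, so Ed25519 stands in). The requesting server hashes the second-level and top-level names of the fifth domain name, the top-level server looks the hashes up in its two tables, signs the answer with the private key behind its published public key, and the requester verifies before following the referral. One deliberate widening over the claims, which sign only the IP address: the signed data here also binds the referral level, the hash that was queried and the returned public key, so that a valid signature cannot be reattached to another name or paired with a substituted key. Type names, table layout and the `\x00` separator are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Referral levels: claim 13 hands off to an authoritative server from the
// second-level table, claim 14 to a top-level server from the top-level table.
const (
	Authority = "authority"
	TLD       = "tld"
)

type record struct {
	ip  string
	pub ed25519.PublicKey
}

// Referral is what the top-level server returns: the next hop's IP address and
// public key plus the digital signature (field names assumed).
type Referral struct {
	Level  string
	IP     string
	PubKey ed25519.PublicKey
	Sig    []byte
}

// TopLevelServer holds both information tables, keyed by name hash, and the
// key pair behind the third public key of claims 13 and 14.
type TopLevelServer struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	tables map[string]map[string]record
}

func NewTopLevelServer() *TopLevelServer {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return &TopLevelServer{priv: priv, Pub: pub,
		tables: map[string]map[string]record{Authority: {}, TLD: {}}}
}

// Add records the next hop for a second-level name (Authority) or a top-level name (TLD).
func (s *TopLevelServer) Add(level, name, ip string, pub ed25519.PublicKey) {
	s.tables[level][hashName(name)] = record{ip, pub}
}

// hashName is the domain name hash value (SHA-256 over the lower-cased name, assumed).
func hashName(name string) string {
	h := sha256.Sum256([]byte(strings.ToLower(strings.Trim(name, "."))))
	return hex.EncodeToString(h[:])
}

// labels derives the second-level and top-level names that the requesting
// server hashes for the fifth domain name.
func labels(fqdn string) (sld, tld string) {
	parts := strings.Split(strings.ToLower(strings.Trim(fqdn, ".")), ".")
	tld = parts[len(parts)-1]
	sld = tld
	if len(parts) > 1 {
		sld = parts[len(parts)-2] + "." + tld
	}
	return sld, tld
}

// signedBytes is the data under the signature: level, queried hash, IP and
// the returned key, NUL-separated, rather than the IP alone as in the claims.
func signedBytes(level, queried, ip string, pub ed25519.PublicKey) []byte {
	return []byte(strings.Join([]string{level, queried, ip, hex.EncodeToString(pub)}, "\x00"))
}

// Resolve answers the request carrying the fifth domain name and both hashes:
// the second-level table first (claim 13), then the top-level table (claim 14).
func (s *TopLevelServer) Resolve(fqdn, sldHash, tldHash string) (Referral, error) {
	for _, q := range []struct{ level, hash string }{{Authority, sldHash}, {TLD, tldHash}} {
		if r, ok := s.tables[q.level][q.hash]; ok {
			sig := ed25519.Sign(s.priv, signedBytes(q.level, q.hash, r.ip, r.pub))
			return Referral{Level: q.level, IP: r.ip, PubKey: r.pub, Sig: sig}, nil
		}
	}
	return Referral{}, errors.New("no referral for " + fqdn)
}

// VerifyReferral is the requesting server's security verification, using the
// top-level server's public key it already holds and the hashes it sent.
func VerifyReferral(serverPub ed25519.PublicKey, sldHash, tldHash string, ref Referral) bool {
	queried := sldHash
	if ref.Level == TLD {
		queried = tldHash
	} else if ref.Level != Authority {
		return false
	}
	return ed25519.Verify(serverPub, signedBytes(ref.Level, queried, ref.IP, ref.PubKey), ref.Sig)
}
```

The verification only means something if the requester obtained `Pub` out of band beforehand; a public key sent alongside the referral would authenticate nothing. The returned `PubKey` of the next hop is what the requester will use to check the next answer in the chain, which is why it is worth covering with this signature.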
15. A domain name request processing apparatus, applied to a first top-level domain name server in a block chain based domain name system, the apparatus comprising:
a first obtaining module, configured to obtain, when a first domain name request sent by a client is received, a first request hash value carried in the first domain name request, the first request hash value being computed by the client with a hash algorithm over a first parameter, the first parameter comprising a random character string carried in the first domain name request, a target domain name, and the timestamp at which the client sent the first domain name request;
a first determination module, configured to determine whether the first request hash value is smaller than a first preset threshold;
a discarding module, configured to discard the first domain name request if the first request hash value is not smaller than the first preset threshold;
and a first processing module, configured to add the first domain name request as a transaction to a local transaction pool if the first request hash value is smaller than the first preset threshold.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010601762.2A CN111818029B (en) 2020-06-28 2020-06-28 Domain name request processing method and device

Publications (2)

Publication Number Publication Date
CN111818029A true CN111818029A (en) 2020-10-23
CN111818029B CN111818029B (en) 2022-06-03

Family

ID=72856376

Country Status (1)

Country Link
CN (1) CN111818029B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112995354A (en) * 2021-02-08 2021-06-18 中国电子信息产业集团有限公司第六研究所 Domain name resolution record reconstruction method and domain name resolution method
CN113014455A (en) * 2021-03-15 2021-06-22 读书郎教育科技有限公司 Method for monitoring network request frequency

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018191882A1 (en) * 2017-04-19 2018-10-25 北京大学深圳研究生院 Domain name resolution system based on block chain
KR101946196B1 (en) * 2018-03-26 2019-02-08 그래프 블록체인 리미티드 Control system for controlling private block-chain system
CN110032895A (en) * 2019-04-22 2019-07-19 湖南快乐阳光互动娱乐传媒有限公司 Request processing method, processing unit and requests verification method, verifying device
CN111066046A (en) * 2019-04-26 2020-04-24 阿里巴巴集团控股有限公司 Replay attack resistant authentication protocol

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
DMITRY BAGAY: "Blockchain-based DNS building", Elsevier *
LEI Kai et al.: "Research on a pan-centralized blockchain DNS architecture for cross-domain trust" (面向跨域可信的泛中心化区块链DNS架构研究), Chinese Journal of Network and Information Security (网络与信息安全学报) *

Also Published As

Publication number Publication date
CN111818029B (en) 2022-06-03

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant