CN112769769A - DNS alias resolution method and system

Info

Publication number: CN112769769A
Authority: CN (China)
Prior art keywords: domain name, alias, dns, authorization information, pointing
Legal status: Granted
Application number: CN202011547390.6A
Other languages: Chinese (zh)
Other versions: CN112769769B (en)
Inventor: 龚道彪
Current Assignee: Netgen Nanjing Network Center Co ltd
Original Assignee: Netgen Nanjing Network Center Co ltd
Events: application filed by Netgen Nanjing Network Center Co ltd; priority to CN202011547390.6A; publication of CN112769769A; application granted; publication of CN112769769B; legal status active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection

Abstract

The invention discloses a DNS alias resolution method and system. The method comprises the following steps: receiving a resolution request for a first domain name and, when it is determined that the first domain name has an alias pointing to a target domain name, querying the authorization information of the domain name the alias points to; and determining whether the authorization information contains an authority setting for the first domain name, and determining the resolution response for the first domain name according to that authority setting. The invention classifies and processes CNAME records according to their different authorizations, protects legitimate domain names from attack, and reduces the risk of illegal alias pointing.

Description

DNS alias resolution method and system
Technical Field
The invention relates to the technical field of computer network communication, and in particular to a DNS alias resolution method and a DNS alias resolution system.
Background
The DNS (Domain Name System) provides an important service on the Internet: it bridges the world of human-readable names and the underlying world of binary protocol addresses. It acts as a distributed database that maps domain names and IP addresses to each other, so that people can use the Internet without remembering the machine-readable IP address strings; the process of finally obtaining the IP address corresponding to a domain name is called domain name resolution. DNS is an open protocol established in 1987. It transmits query requests in clear text, little consideration was given to security and policy restrictions in the early days of the Internet, and the resource record types it can be queried for mainly comprise A, AAAA, NS, MX, PTR, CNAME and SOA records, among others.
Among these, CNAME (Canonical Name) records allow multiple names to be mapped to the same server. For example, when one server provides both WWW and MAIL services, the server's name may be "services.example.com". To let users reach the WWW and MAIL services separately, two aliases are set for the server, such as "www.example.com" and "mail.example.com". When the server's IP address changes, the domain names "www.example.com" and "mail.example.com" need not be changed individually; only the A or AAAA record of "services.example.com" is updated, and the alias domain names automatically follow to the new IP address. This improves operation and maintenance efficiency and is also a technique that CDNs (Content Delivery Networks) rely on.
However, existing DNS allows a CNAME record to point to any domain name, so a malicious domain name administrator can at any time point the CNAME record of their own domain name at any other legitimate domain name. When the malicious administrator's domain name serves illegal or malicious content, the legitimate domain name and its IP address risk being identified as a malicious domain name and a dangerous IP, and the legitimate domain name is exposed to the risk of passive attack. Yet in the existing DNS architecture the legitimate domain name's administrator cannot actively prevent this at the DNS level and can only handle possible attacks passively.
Disclosure of Invention
The invention aims to provide a DNS alias resolution method and system that solve the technical problems of the prior art, namely that CNAME records can point to any domain name, which introduces uncontrollable risk, and that legitimate domain names are exposed to passive attack.
To solve the above technical problem, the DNS alias resolution method according to the present invention includes the following steps:
receiving a resolution request for a first domain name and, when it is determined that the first domain name has an alias pointing to a target domain name, querying the authorization information of the domain name the alias points to;
and determining whether the authorization information contains an authority setting for the first domain name, and determining the resolution response for the first domain name according to that authority setting.
As a further improvement of the above DNS alias resolution method of the present invention, when the first domain name is within the pointing range allowed by the domain name the alias points to, the IP address of that domain name is queried and returned; when the first domain name is outside that pointing range, error information is returned.
As a further improvement of the DNS alias resolution method, the recursive DNS server responds to the resolution query for the first domain name and restricts the querying terminal from obtaining a resolution result for an illegal pointing of the first domain name.
As a further improvement of the DNS alias resolution method of the present invention, if the local query for the authorization information fails, the authorization information is queried from the authoritative DNS server corresponding to the domain name the alias points to.
As a further improvement of the above DNS alias resolution method of the present invention, the authorization information is stored in the form of a TXT record.
As a further improvement of the above DNS alias resolution method of the present invention, the administrator of the domain name the alias points to sets the authorization information according to management requirements.
To solve the above technical problem, a DNS alias resolution system according to the present invention includes:
a query unit, configured to receive the resolution request for a first domain name and, when it is determined that the first domain name has an alias pointing to a target domain name, to query the authorization information of the domain name the alias points to;
and a processing unit, configured to determine whether the authorization information contains an authority setting for the first domain name and to determine the resolution response for the first domain name according to that authority setting.
As a further improvement of the above DNS alias resolution system of the present invention, when the first domain name is within the pointing range allowed by the domain name the alias points to, the processing unit queries and returns the IP address of that domain name; when the first domain name is outside that pointing range, it returns error information.
As a further improvement of the above DNS alias resolution system of the present invention, in the query unit, if the local query for the authorization information fails, the authorization information is queried from the authoritative DNS server corresponding to the domain name the alias points to.
As a further improvement of the above DNS alias resolution system of the present invention, the authorization information is stored in the form of TXT records.
Compared with the prior art, the method and system have the advantage that, during recursive resolution, an authorization query is performed for the authority of the resolved first domain name in order to decide whether to respond with the resolution of the domain name the alias points to. The invention classifies and processes CNAME records according to their different authorizations, protects legitimate domain names from attack, and reduces the risk of illegal alias pointing.
Other features and advantages of the present invention will become more apparent from the detailed description of the embodiments of the present invention when taken in conjunction with the accompanying drawings.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments described in the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart of a DNS alias resolution method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of an implementation architecture of recursive query according to an embodiment of the present invention.
Fig. 3 is a diagram illustrating a DNS alias resolution system according to an embodiment of the present invention.
Detailed Description
The present invention will be described in detail below with reference to the embodiments shown in the drawings. These embodiments are not intended to limit the present invention, and variations in structure, method, or function that may be effected by one of ordinary skill in the art based on these embodiments are within the scope of the present invention.
It should be noted that the same reference numbers or symbols may be used in different embodiments, but these do not represent an absolute relationship in structure or function. Further, the references to "first" and "second" in the embodiments do not represent an absolutely distinct relationship in structure or function, and these are merely for convenience of description.
Fig. 1 is a flowchart of a DNS alias resolution method according to an embodiment of the present invention. The DNS alias resolution method specifically comprises the following steps:
Step S1: receive a resolution request for the first domain name and, when it is determined that the first domain name has an alias pointing to a target domain name, query the authorization information of the domain name the alias points to. As shown in Fig. 2, when the querying terminal initiates access to the first domain name, it must, in order to reach the server behind that name, query the IP address corresponding to the first domain name, that is, the A or AAAA record of the first domain name. The terminal usually first checks whether it holds a cached record and, if not, sends the query to its recursive DNS server, so the recursive DNS server can be regarded as an intermediate link in the access path between the querying terminal and the accessed server. In the prior art, however, the recursive DNS server acts only as a neutral relay for queries and does not actively intervene in the access behaviour between the querying terminal and the accessed server. In this embodiment, when the recursive DNS server receives a resolution query for the first domain name, for example www.example.com, it first attempts a local query in its own cache; if that fails, it queries the authoritative DNS servers: starting from the root name servers it locates the top-level domain name server (for example the com top-level domain server), then from that top-level server it locates the second-level domain name server (for www.example.com, the example.com server), which is the lowest-level authoritative DNS server, and queries it to obtain the corresponding IP address.
If, however, the first domain name has been given an alias, the record obtained is a CNAME record rather than an A/AAAA record, and a further query is needed for the alias target named in the CNAME record in order to finally obtain the IP address to be accessed. Specifically, the query for the alias target's IP address may be attempted locally first and, if that fails, started from the root name servers until the lowest-level authoritative DNS server is reached and the corresponding IP address is returned.
As described above, the matching relationship between the first domain name and the domain name its alias points to is determined by querying the CNAME record of the first domain name, and the content of that CNAME record is configured by the administrator of the first domain name, according to their service needs, in the lowest-level authoritative DNS server following the usual operating procedure. The problem is that the CNAME record is configured independently of the administrator of the domain name the alias points to. Especially when the first domain name and the alias target do not belong to the same administrator, the administrator of the alias target is placed in a passive position, in particular if the administrator of the first domain name set the CNAME record for purposes other than normal use, such as providing illegal or malicious information.
Therefore, to prevent malicious use of the domain name the alias points to (i.e., the alias target), when the first domain name is resolved and the query shows that an alias target exists, the A/AAAA record of the alias target is not queried directly; the authorization information of the alias target is queried first. Preferably the authorization information is a TXT record. A TXT record is a descriptive record type defined for a domain name in the DNS protocol, so this embodiment can reuse the TXT record mechanism directly without adding a new record format, which improves compatibility; this is described in detail below. In further embodiments, when the recursive DNS server queries the authorization information after determining the alias target of the first domain name, it queries locally first and caches the corresponding TXT record locally. Preferably the TXT record also carries a time-to-live value; when the TXT record is deleted after its time-to-live expires, a pre-fetch program is further arranged to query the corresponding authoritative DNS server and cache the result. If the local query for the authorization information fails, the authorization information (that is, the TXT record) is queried from the authoritative DNS server corresponding to the alias target. In particular, a query for the alias target's A/AAAA record can be initiated at the same time, because both queries follow the same path from the root name servers down to the lowest-level authoritative DNS server; this reduces the repeated-query time when the resolution result is returned in the authorized case and improves resolution efficiency.
Step S2: determine whether the authorization information contains an authority setting for the first domain name, and determine the resolution response for the first domain name according to that setting. In this embodiment, once the recursive DNS server has obtained the authorization information of the alias target in step S1, it determines the authority of the first domain name from that information and, when responding to the resolution query for the first domain name, answers according to that authority, thereby restricting the querying terminal from obtaining a resolution result for an illegal pointing of the first domain name. In other words, the functional role of the recursive DNS server is extended: it takes on an enforcement role, the pointing of an illegal domain name is blocked directly, and an attack on the accessed server is cut off at its source, the lookup of the access address.
It should be noted that the authorization information, carried in TXT record format, is set by the administrator of the alias target according to management requirements. For example, a white list may be set that lists the first domain names allowed to resolve, in which case only first domain names on the white list can be resolved to the IP address of the corresponding alias target; or a black list may be set that lists the first domain names prohibited from resolving, in which case only first domain names outside the black list can be resolved to the IP address of the alias target. The TXT record is configured in the authoritative DNS server corresponding to the alias target, where recursive DNS servers on the public network can query and obtain it. Thus, while the administrator of the first domain name holds the right to set the CNAME record, the administrator of the alias target holds the right to set the TXT record, and for a given matching pair of first domain name and alias target the TXT record takes priority over the CNAME record, which guarantees the initiative of the alias target's administrator.
In a specific embodiment, when authorization information is carried in a TXT record, it is embedded according to a uniform standard so that the TXT record can be recognised compatibly by querying devices across the whole network. The content format of the TXT record may be "v=cpf1 domain:<domain>,<domain>... -all", meaning that the listed first domain names are authorized to perform CNAME resolution and all other first domain names are not. Here "v=cpf1" denotes version cpf1, where cpf is an abbreviation of CNAME Policy Framework, and cpf1 in particular may be used to mark the white list mechanism. For example, pointer.com configures authorization information for CNAME as follows: pointer.com IN TXT "v=cpf1 domain:example.com -all". When the recursive DNS server queries this TXT record, only sub-domain names under example.com are allowed to use sub-domain names of pointer.com as the target of a CNAME-type record. An example CNAME configuration for www.example.com is: www.example.com. IN CNAME www.pointer.com. Assuming the malicious domain name www.evil.com is not authorized by pointer.com, the malicious configuration is: www.evil.com IN CNAME www.pointer.com. During recursive DNS resolution, when resolving www.evil.com returns a CNAME-type record, the TXT record of pointer.com, the superior domain of the target www.pointer.com, is resolved, the cpf1 configuration is found, the allowed domain name is example.com, and evil.com is not in the allowed white list; the resolver therefore judges the CNAME resolution unauthorized and returns a response with response code NXDOMAIN for the resolution of www.evil.com.
In further embodiments, "v=cpf2 domain:<domain>,<domain>... -all" may be used to set a black list mechanism, where cpf2 marks the black list mechanism and the domain names in the record are the first domain names prohibited from resolving. In a preferred embodiment, fuzzy matching of domain names in the authorization information may also be supported; for example, wildcards such as "$" may be supported in the configured authorization information, with different wildcard types expressing character strings of different ranges, so that one domain name expression can cover several domain names. When a recursive DNS server that supports fuzzy matching receives a TXT record carrying a fuzzy-matching flag, it uses a fuzzy-matching routine to determine the set of domain names configured in the TXT record; this is particularly suited to groups of similar malicious domain names in a black list mechanism.
Therefore, in this embodiment, during recursive resolution the recursive DNS server resolves the CNAME record of the first domain name to determine the alias target and then, instead of directly querying the IP address of the alias target, queries the TXT record of the alias target's superior domain name (e.g., pointer.com for www.pointer.com) to determine whether that superior domain has configured authorization for the first domain name. It should be noted that the TXT record need not be configured on the superior domain of a specific name; it may also be configured directly on the specific name, for example as a direct matching relationship between www.example.com and www.pointer.com, so when querying the TXT record the alias target itself may also be used directly to locate the TXT record. If the first domain name and the alias target do not form a legal alias pointing, no IP address needs to be returned to the querying terminal; correspondingly, if the authorization information of the alias target was found locally, the IP address of the alias target need not be queried at all and the recursive query to the authoritative DNS servers is skipped entirely. An error message, such as an NXDOMAIN response, may then be returned to the querying terminal to inform it that the first domain name is an illegal access domain name.
Conversely, if the first domain name and the alias target form a legal alias pointing relationship, the queried IP address of the alias target is returned to the querying terminal: a local query is performed first and, if it fails, recursive queries are issued to each level of authoritative DNS server until the final IP address is found, which is then returned to the querying terminal via the recursive DNS server.
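As an added example (not the patent's own code), the following Python models the recursive-resolver-side check described in steps S1 and S2: the cpf1/cpf2 TXT format, the superior-domain lookup and the NXDOMAIN answer for an unauthorized pointing come from the page, while the in-memory zone data, the "*" wildcard syntax and the default-allow behaviour when no cpf record is published are assumptions of this example.

```python
"""Recursive-resolver check of CNAME Policy Framework (cpf) TXT records.

Added example, not code from the patent.  Format from the page:
  "v=cpf1 domain:<domain>,<domain>... -all"  white list (cpf1)
  "v=cpf2 domain:<domain>,<domain>... -all"  black list (cpf2)
Assumptions: the zone data below is constructed; "*" is used as the wildcard
(the page leaves the wildcard syntax open); a target with no cpf record keeps
legacy behaviour (allowed).
"""
from __future__ import annotations

from dataclasses import dataclass
from fnmatch import fnmatchcase

# Constructed stand-in for the authoritative servers / resolver cache:
# (owner name, record type) -> rdata list.  Not real data.
ZONE = {
    ("www.example.com.", "CNAME"): ["www.pointer.com."],
    ("www.evil.com.", "CNAME"): ["www.pointer.com."],
    ("app.evil.com.", "CNAME"): ["cdn.pointer.com."],
    ("www.partner.net.", "CNAME"): ["cdn.pointer.com."],
    ("www.pointer.com.", "A"): ["203.0.113.10"],
    ("cdn.pointer.com.", "A"): ["203.0.113.20"],
    ("www.plain.org.", "A"): ["203.0.113.30"],
    # White list published by pointer.com's administrator (page example):
    # only names under example.com may CNAME to names under pointer.com.
    ("pointer.com.", "TXT"): ["v=cpf1 domain:example.com -all"],
    # Direct per-name record (also allowed by the page) using a black list;
    # the "*" wildcard is an assumption of this example.
    ("cdn.pointer.com.", "TXT"): ["v=cpf2 domain:*.evil.com -all"],
}


def _lookup(name: str, rtype: str) -> list[str]:
    return ZONE.get((name.lower(), rtype), [])


@dataclass(frozen=True)
class CpfPolicy:
    version: str             # "cpf1" = white list, "cpf2" = black list
    domains: tuple[str, ...]  # listed first domain names (or wildcard patterns)


def parse_cpf(txt: str) -> CpfPolicy | None:
    """Parse "v=cpf1 domain:a.com,b.org -all"; return None for a non-cpf TXT."""
    tokens = txt.split()
    if not tokens or tokens[0] not in ("v=cpf1", "v=cpf2"):
        return None
    if tokens[-1] != "-all":
        return None
    domains: list[str] = []
    for tok in tokens[1:-1]:
        if not tok.startswith("domain:"):
            return None      # unknown mechanism: treat the record as malformed
        domains += [d.strip(".").lower()
                    for d in tok[len("domain:"):].split(",") if d]
    return CpfPolicy(tokens[0][2:], tuple(domains))


def _name_matches(first_domain: str, entry: str) -> bool:
    """A first domain name matches an entry if it equals it or is a sub-domain
    of it; entries containing "*" are matched shell-style (assumption)."""
    name = first_domain.rstrip(".").lower()
    if "*" in entry:
        return fnmatchcase(name, entry)
    return name == entry or name.endswith("." + entry)


def find_policy(target: str) -> CpfPolicy | None:
    """Look for a cpf TXT record on the CNAME target itself, then on each
    superior domain (pointer.com for www.pointer.com, as on the page)."""
    labels = target.rstrip(".").split(".")
    while len(labels) >= 2:                    # stop before bare TLDs
        for txt in _lookup(".".join(labels) + ".", "TXT"):
            policy = parse_cpf(txt)
            if policy is not None:
                return policy
        labels = labels[1:]
    return None


def is_authorized(first_domain: str, policy: CpfPolicy | None) -> bool:
    if policy is None:
        return True          # assumption: no cpf record -> legacy behaviour
    listed = any(_name_matches(first_domain, d) for d in policy.domains)
    return listed if policy.version == "cpf1" else not listed


def resolve(first_domain: str) -> tuple[str, list[str]]:
    """Steps S1/S2: follow the CNAME, check authorization before fetching the
    target's A record, and answer NXDOMAIN for an unauthorized pointing."""
    name = first_domain if first_domain.endswith(".") else first_domain + "."
    cnames = _lookup(name, "CNAME")
    if not cnames:
        addrs = _lookup(name, "A")
        return ("NOERROR", addrs) if addrs else ("NXDOMAIN", [])
    target = cnames[0]
    if not is_authorized(name, find_policy(target)):
        return ("NXDOMAIN", [])   # the target's A/AAAA is never queried
    return ("NOERROR", _lookup(target, "A"))
```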
Fig. 3 is a schematic diagram of a DNS alias resolution system according to an embodiment of the present invention. The DNS alias resolution system specifically includes a query unit U1 and a processing unit U2. The query unit U1 queries, when it is determined that the corresponding alias points to the domain name in the resolution process of the first domain name, authorization information of the alias pointing to the domain name, which is configured by an administrator of the alias pointing to the domain name and is used for preventing malicious alias pointing, and the authorization information may be stored in the corresponding authoritative DNS server, or the recursive DNS server may query the authoritative DNS server and cache the authoritative DNS server locally. The processing unit U2 determines whether to perform further processing on the resolution of the first domain name based on the authorization information obtained by the querying unit U1, and if the authorization information contains the pointing authorization of the first domain name, the corresponding IP address can be returned to the querying terminal, so that the querying terminal can normally access the access server corresponding to the IP address. On the contrary, if the authorization information does not include the pointing authorization of the first domain name, it indicates that the first domain name does not get the agreement that the alias points to the domain name manager when the CNAME record configuration that the associated alias points to the domain name is configured, so the query terminal may reject the resolution request of the query terminal through the recursive DNS server, and the query terminal may not implement initiating access to the corresponding server.
And the query unit U1 is configured to receive resolution of the first domain name, and query, when it is determined that the alias of the first domain name points to the domain name, authorization information that the alias points to the domain name. When the query unit U1 performs the resolution of the first domain name, it first queries the corresponding resource record locally, and if there is no corresponding resource record locally, it further initiates a query to the authoritative DNS server, and the architecture of the recursive query is not described again, which is a basic query function. For the first domain name to which the alias is set, the resource record obtained by the direct resolution of the first domain name is a CNAME record to determine what the alias pointed to by the first domain name points to the domain name. When the corresponding alias is obtained and points to the domain name, whether the authority obtained based on the first domain name can analyze the IP address of the alias pointing to the domain name or not is judged, if so, the corresponding resource record of the alias pointing to the domain name is inquired from the local, and when the local inquiry fails, the inquiry is further initiated to the authoritative DNS server until the corresponding IP address is finally obtained. If the exceeding authority is not analyzed, returning the corresponding error information of the query terminal. Therefore, when determining that the alias to the first domain name points to the domain name, it is determined whether the corresponding first domain name is included in the authority range configured by the alias pointing to the domain name by querying the authorization information. 
The corresponding authorization information can be stored locally or on a corresponding authoritative DNS server in a TXT record form, and when the authorization information is inquired, the operation can be carried out according to a DNS protocol for inquiring the TXT record, so that the compatibility of the whole system is improved, and the generation of new record types is avoided. Specifically, the query may be preferentially started locally, and if the local query of the authorization information fails, the authorization information is queried from the authoritative DNS server corresponding to the alias pointing to the domain name. It should be noted that the query alias points to the independent a/AAAA record and TXT record of the domain name, and the query may also be performed at the same time, so as to reduce the time required for re-query when returning the corresponding IP address under authorization. The setting of the content of the authorization information is determined by the manager of the domain name pointed by the alias, namely the manager of the domain name pointed by the alias sets the authorization information according to the management requirement, specifically, the manager of the domain name pointed by the alias flexibly sets the authorization range according to the capability of preventing and controlling malicious attacks or the determined cooperative domain name range, limits the analysis range of the CNAME, and effectively excludes the malicious domain name binding.
And the processing unit U2 is configured to determine whether the authorization information has the authority setting of the first domain name, and determine an analysis response of the first domain name according to the authority setting of the first domain name. The obtained authorization information may be a white list mechanism, that is, a range determined to the first domain name that can be legally resolved, or a black list mechanism, that is, a range determined to the illegal first domain name that is prohibited from being resolved. The authorization information exists in a form of TXT record, and can be identified according to a corresponding TXT record format, so that a corresponding domain name list is extracted. Further, when the first domain name is in a pointing range of the corresponding alias pointing to the domain name, inquiring the IP address return of the alias pointing to the domain name; and when the first domain name exceeds the pointing range of the domain name pointed by the corresponding alias, returning error information, such as NXDOMAIN information.
In this embodiment, when the processing unit U2 resolves a domain name associated with an alias through the authorization information, it resolves only the domain names within the authorized range rather than responding to every domain name; for an illegitimate domain name outside the authorized range it directly returns an error. An attacker who never learns the IP address of the target server therefore cannot launch attacks that depend on knowing it. Specifically, the recursive DNS server answers the resolution query for the first domain name while restricting the querying terminal from obtaining the resolution result to which the first domain name illegitimately points.
In further embodiments, a second domain name that has no associated alias may also be provided with similar authorization information, which can likewise block the source of an illegitimate attack to some extent. The administrator of the second domain name may define the range of access terminals allowed to reach the corresponding server by configuring the TXT record, for example with an IP address range for the access terminals. In the prior art, when an access terminal sends a resolution query for the second domain name to the recursive DNS server, the server returns the IP address of the second domain name to the terminal, which can then access the corresponding server without restriction. With the authorization mechanism, the recursive DNS server no longer returns the IP address of the second domain name unconditionally. It first queries the authorization information for the second domain name, locally first and then from the corresponding authoritative DNS server if the local query fails, determines the set of access terminals within the authorized range of the second domain name, and tells only those terminals the IP address of the second domain name; a terminal outside the authorized range never learns the address and cannot reach the corresponding server. For the administrator of the second domain name this is a more efficient and proactive way of blocking attacks than filtering at the server side, since the attacking side has no locatable target at all. The restriction is enforced at the recursive server, so it holds only for terminals whose queries pass through a recursive server that applies the authorization information.
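The following is an added example of the resolver-side logic described in the two passages above (the CNAME-owner check and the client-range check for a name without an alias); it is not code from the patent or its assignee. The patent fixes no wire format for the TXT record, so the `v=cname-auth1; mode=...; names=...; clients=...` syntax, the zone data and every domain name and address below are assumptions constructed for the example; the local cache and the authoritative server are both stood in for by one dictionary, and the A/AAAA and TXT records of the target are fetched in the same step, as the text suggests.

```python
"""Recursive-resolver enforcement of TXT-published CNAME authorization.

Added example, not the patent's own code. TXT format, names and addresses
are assumptions; a real resolver would issue DNS queries instead of reading
the ZONES dictionary.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field

NXDOMAIN = "NXDOMAIN"

# Constructed zone data standing in for the local cache / authoritative answers.
# Assumed TXT syntax:
#   "v=cname-auth1; mode=allow|deny; names=a.example.,*.b.example."  (CNAME owners)
#   "v=cname-auth1; clients=203.0.113.0/24,2001:db8::/32"           (client ranges)
ZONES = {
    "www.tenant.example.":    {"CNAME": "edge.cdn.example."},
    "evil.attacker.example.": {"CNAME": "edge.cdn.example."},
    "edge.cdn.example.": {
        "A": ["192.0.2.10"],
        "AAAA": ["2001:db8::10"],
        "TXT": ["v=cname-auth1; mode=allow; names=www.tenant.example.,*.partner.example."],
    },
    # 'second domain name' case: no alias, only a client-range restriction
    "intranet.corp.example.": {
        "A": ["192.0.2.50"],
        "TXT": ["v=cname-auth1; clients=203.0.113.0/24"],
    },
    "open.example.": {"A": ["192.0.2.99"]},   # no policy published at all
}


@dataclass
class Authorization:
    mode: str = "allow"                          # "allow" = whitelist, "deny" = blacklist
    names: list = field(default_factory=list)    # fnmatch patterns of permitted/forbidden owners
    clients: list = field(default_factory=list)  # ip_network objects allowed to learn the address


def parse_authorization(txt_records):
    """Return the policy carried by the first TXT record tagged v=cname-auth1, else None."""
    for txt in txt_records:
        fields = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
        if fields.get("v") != "cname-auth1":
            continue
        mode = fields.get("mode", "allow").lower()
        if mode not in ("allow", "deny"):
            raise ValueError(f"unknown mode {mode!r}")
        names = [n.strip().lower() for n in fields.get("names", "").split(",") if n.strip()]
        clients = [ipaddress.ip_network(c.strip()) for c in fields.get("clients", "").split(",") if c.strip()]
        return Authorization(mode=mode, names=names, clients=clients)
    return None


def name_authorized(auth, qname):
    """Whitelist: qname must match a listed pattern. Blacklist: it must not."""
    listed = any(fnmatch.fnmatchcase(qname.lower(), pat) for pat in auth.names)
    return listed if auth.mode == "allow" else not listed


def client_authorized(auth, client_ip):
    """Client scoping; an empty client list means no restriction."""
    if not auth.clients:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in auth.clients)


def resolve(qname, client_ip, zones=ZONES):
    """Answer qname for client_ip as the recursive server would.

    Returns the list of A/AAAA strings, or NXDOMAIN when the name is unknown
    or the published authorization excludes this owner or this client.
    Single CNAME hop only (a simplification of this example).
    """
    qname = qname.lower()
    rrsets = zones.get(qname)
    if rrsets is None:
        return NXDOMAIN
    target = rrsets.get("CNAME")
    if target is None:
        # No alias: only the client-range rule of the name itself applies.
        auth = parse_authorization(rrsets.get("TXT", []))
        if auth is not None and not client_authorized(auth, client_ip):
            return NXDOMAIN
        return rrsets.get("A", []) + rrsets.get("AAAA", [])
    # Alias: fetch the target's A/AAAA and TXT together, then check the owner.
    target_rrs = zones.get(target.lower())
    if target_rrs is None:
        return NXDOMAIN
    auth = parse_authorization(target_rrs.get("TXT", []))
    if auth is None:
        # Design choice of this example: no policy published means ordinary CNAME behaviour.
        return target_rrs.get("A", []) + target_rrs.get("AAAA", [])
    if not name_authorized(auth, qname) or not client_authorized(auth, client_ip):
        return NXDOMAIN     # owner outside the target's authorized range, or client not allowed
    return target_rrs.get("A", []) + target_rrs.get("AAAA", [])


if __name__ == "__main__":
    for name in ("www.tenant.example.", "evil.attacker.example.", "intranet.corp.example."):
        print(name, resolve(name, "198.51.100.1"))
```

The legitimate owner `www.tenant.example.` receives the target's addresses, the unlisted `evil.attacker.example.` receives NXDOMAIN even though it carries an identical CNAME, and `intranet.corp.example.` answers only clients inside 203.0.113.0/24. Wildcard entries such as `*.partner.example.` let the target administrator authorize a whole cooperating zone without enumerating names.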
The specific embodiment of the DNS alias resolution system may refer to that of the DNS alias resolution method, and the DNS alias resolution method may likewise refer to the relevant contents of the DNS alias resolution system.
In connection with the technical solutions disclosed in the present application, the invention may be embodied directly as hardware, as a software module executed by a control unit, or as a combination of the two; that is, one or more steps and/or combinations of steps may correspond to software modules of a computer program flow or to hardware modules, for example an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any suitable combination of these. For convenience of description the above apparatus is described as divided into modules by function; of course, when implementing the present application the functions of the modules may be realized in one or more pieces of software and/or hardware.
From the above description of the embodiments, it is clear to those skilled in the art that the present application can also be implemented by software plus the necessary general-purpose hardware platform. On this understanding, the technical solutions of the present application, or the part of them that contributes to the prior art, may also be embodied as a software product. The software may be executed by one or more micro-control units of any type, depending on the desired configuration, including but not limited to a microcontroller, a DSP (Digital Signal Processor), or any combination thereof. The software is stored in a memory, such as a volatile memory (e.g., random access memory), a non-volatile memory (e.g., read-only memory, flash memory), or any combination thereof.
In summary, during recursive resolution the present invention performs an authorization query on the authority of the first domain name being resolved, to determine whether to answer with the resolution of the domain name the alias points to. The invention thereby classifies and handles CNAME records according to different authorizations, protects legitimate domain names from attack, and reduces the risk of illegitimate alias pointing.
It should be understood that although the present description refers to embodiments, not every embodiment contains only a single technical solution; the description is organized this way for clarity only, and those skilled in the art should take the description as a whole, since the technical solutions in the embodiments can be appropriately combined to form other embodiments understood by those skilled in the art.
The above-listed detailed description is only a specific description of a possible embodiment of the present invention, and they are not intended to limit the scope of the present invention, and equivalent embodiments or modifications made without departing from the technical spirit of the present invention should be included in the scope of the present invention.

Claims (10)

1. A DNS alias resolution method, characterized by comprising the following steps:
receiving a resolution request for a first domain name and, when it is determined that the first domain name has an alias pointing to a target domain name, querying the authorization information of that target domain name;
determining whether the authorization information contains an authority setting for the first domain name, and determining the resolution response for the first domain name according to that authority setting.
2. The DNS alias resolution method according to claim 1, wherein when the first domain name is within the pointing range of the corresponding target domain name, the IP address of the target domain name is queried and returned; and when the first domain name is outside the pointing range of the corresponding target domain name, error information is returned.
3. The DNS alias resolution method according to claim 1, wherein, in responding to the resolution query for the first domain name, the recursive DNS server restricts the querying terminal from obtaining the resolution result to which the first domain name illegitimately points.
4. The DNS alias resolution method according to claim 1, wherein, if the local query for the authorization information fails, the authorization information is queried from the authoritative DNS server corresponding to the target domain name.
5. The DNS alias resolution method according to claim 1 or 4, wherein the authorization information is stored in a TXT record.
6. The DNS alias resolution method according to claim 1, wherein the administrator of the target domain name sets the authorization information according to management requirements.
7. A DNS alias resolution system, comprising:
a query unit for receiving a resolution request for a first domain name and, when it is determined that the first domain name has an alias pointing to a target domain name, querying the authorization information of that target domain name;
and a processing unit for determining whether the authorization information contains an authority setting for the first domain name, and determining the resolution response for the first domain name according to that authority setting.
8. The DNS alias resolution system according to claim 7, wherein the processing unit queries and returns the IP address of the target domain name when the first domain name is within the pointing range of the corresponding target domain name, and returns error information when the first domain name is outside the pointing range of the corresponding target domain name.
9. The DNS alias resolution system according to claim 7, wherein, in the query unit, if the local query for the authorization information fails, the authoritative DNS server corresponding to the target domain name is queried for the authorization information.
10. The DNS alias resolution system according to claim 7 or 9, wherein the authorization information is stored in the form of TXT records.
Priority Application (1)

Application Number Priority Date Filing Date Title
CN202011547390.6A 2020-12-24 2020-12-24 DNS alias resolution method and system (granted as CN112769769B, Active)

Publications (2)

Publication Number Publication Date
CN112769769A true CN112769769A (en) 2021-05-07
CN112769769B CN112769769B (en) 2022-11-11

Family

ID=75694022


Country Status (1)

Country Link
CN (1) CN112769769B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113315853A (en) * 2021-05-26 2021-08-27 杭州安恒信息技术股份有限公司 Cloud protection node scheduling method, system and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561120A (en) * 2013-10-08 2014-02-05 北京奇虎科技有限公司 Method and device for detecting suspicious DNS and method and system for processing suspicious DNS
US20150281168A1 (en) * 2014-04-01 2015-10-01 Cloudflare, Inc. Domain name system cname record management
CN105681491A (en) * 2016-04-08 2016-06-15 网宿科技股份有限公司 DNS (Domain Name Resolution) acceleration method, system and device





Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant