CN114726566A - Website filtering method, device and node - Google Patents


Info

Publication number
CN114726566A
Authority
CN
China
Prior art keywords
domain name
request message
target
node
information
Legal status
Pending
Application number
CN202110005422.8A
Other languages
Chinese (zh)
Inventor
谢进柳
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN202110005422.8A
Publication of CN114726566A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a website filtering method, a device and a node. The method comprises the following steps: a first node receives a DNS query request message sent by a terminal, wherein the DNS query request message carries a target domain name; if the domain name cache table of the first node does not comprise the target domain name, the first node sends a domain name information query message to a second node in the cluster, wherein the domain name cache table comprises domain names and the security information of those domain names, and the domain name information query message carries the target domain name; the first node receives a domain name information query response message sent by the second node, wherein the response message comprises the target domain name and its domain name security information; and the first node determines, according to the domain name security information, whether to perform access limitation on the access request message for the World Wide Web (WEB) server sent by the terminal. Because the decision to limit the terminal's access request to the WEB server is made according to whether the target domain name is safe rather than according to the server address, the filtering granularity of website access is finer and the filtering accuracy is improved.

Description

Website filtering method, device and node
Technical Field
The embodiment of the invention relates to the technical field of information security, in particular to a website filtering method, a website filtering device and a node.
Background
With the popularization of the internet, information security has become very important. At present, network access behavior can be monitored and examined by firewalls, routers and other network access control devices; unsafe websites such as phishing, pornographic, violent, gambling and malware-hosting websites are filtered and access to them is blocked, which provides a safety protection mechanism for users of the internet.
At present, Internet security processing usually performs network filtering according to the Internet Protocol address (IP). If several websites are deployed on the same server and one of them has a security problem, the IP of that server is placed on a blacklist, so the other, secure websites on the same server can no longer be accessed either. That is, the existing network filtering method is inaccurate as a way of deciding whether website access is safe.
Disclosure of Invention
The embodiment of the invention provides a website filtering method, a website filtering device and a website filtering node, and aims to solve the problem that the intercepting mode of website access in the prior art is poor in accuracy.
In order to solve the problems, the invention is realized as follows:
in a first aspect, an embodiment of the present invention provides a website filtering method, which is applied to a first node, and the method includes:
receiving a Domain Name System (DNS) query request message sent by a terminal, wherein the DNS query request message carries a target domain name;
if the domain name cache table of the first node does not comprise the target domain name, sending a domain name information query message to a second node in the cluster, wherein the domain name cache table comprises the domain name and safety information of the domain name, and the domain name information query message carries the target domain name;
receiving a domain name information query response message sent by the second node, wherein the domain name information query response message carries the target domain name and domain name safety information;
and determining, according to the domain name safety information, whether to perform access limitation on the access request message for the World Wide Web (WEB) server sent by the terminal.
In a second aspect, an embodiment of the present invention further provides a website filtering apparatus, applied to a first node, including:
the first receiving module is used for receiving a domain name system DNS query request message sent by a terminal, wherein the DNS query request message carries a target domain name;
a sending module, configured to send a domain name information query message to a second node in the cluster if the domain name cache table of the first node does not include the target domain name, where the domain name cache table includes a domain name and security information of the domain name, and the domain name information query message carries the target domain name;
a second receiving module, configured to receive a domain name information query response message sent by the second node, where the domain name information query response message carries the target domain name and domain name security information;
and a determining module, configured to determine, according to the domain name safety information, whether to perform access limitation on the access request message for the World Wide Web (WEB) server sent by the terminal.
In a third aspect, an embodiment of the present invention further provides a terminal, including: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor; the processor is configured to read the program in the memory to implement the steps of the method according to the first aspect.
In a fourth aspect, the embodiment of the present invention further provides a readable storage medium for storing a program, where the program, when executed by a processor, implements the steps in the method according to the foregoing first aspect.
In the embodiment of the invention, whether the access restriction is carried out on the access request message which is sent by the terminal and is used for the WEB server is determined according to the safety of the target domain name, so that the filtering granularity of website access is finer, and the filtering accuracy is improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive exercise.
FIG. 1 is a schematic flow chart illustrating a website filtering method according to an embodiment of the present invention;
FIG. 2 is a second flowchart illustrating a web address filtering method according to an embodiment of the present invention;
FIG. 3 is a third schematic flowchart illustrating a website filtering method according to an embodiment of the present invention;
FIG. 4a is a schematic diagram of a relationship among a terminal, a cluster, and a server according to an embodiment of the present invention;
FIG. 4b is a fourth flowchart illustrating a website filtering method according to an embodiment of the present invention;
FIG. 4c is a diagram of a cache table and a connection tracking table according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a website filtering apparatus provided in the present invention;
FIG. 6 is a schematic structural diagram of a first node provided in the implementation of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first," "second," and the like in the embodiments of the present invention are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Further, as used herein, "and/or" means at least one of the connected objects; e.g., "A and/or B and/or C" covers 7 cases: A alone, B alone, C alone, A and B, B and C, A and C, and A, B and C together.
Referring to fig. 1, fig. 1 is a schematic flow chart of a website filtering method according to an embodiment of the present invention. The website filtering method shown in fig. 1 is applied to a first node, and may specifically include the following steps:
step 101, receiving a DNS query request message sent by a terminal, where the DNS query request message carries a target domain name.
The first node may be a management node or a common node in a redis cluster. The redis cluster may be formed by routers and similar devices in network environments such as hotels, business offices and parks, and includes management nodes and common nodes. A management node is connected to the internet and may be an exit gateway device; a common node is not connected to the internet, is locally networked with the management node through a Virtual Local Area Network (VLAN), and may be an Access Point (AP) device supporting wireless fidelity (WiFi).
The terminal is provided with a browser; when a user accesses a website through the browser, the terminal sends a Domain Name System (DNS) request message to the first node. The terminal may be a mobile phone, a tablet personal computer, a laptop computer, a Personal Digital Assistant (PDA), a Mobile Internet Device (MID), a wearable device, or a vehicle-mounted device. The network side device may be a base station, an Access and Mobility Management Function (AMF), a relay, an access point, or another network element.
The first node may resolve the DNS query request message to obtain the target domain name.
Step 102, if the domain name cache table of the first node does not include the target domain name, sending a domain name information query message to a second node in the cluster, where the domain name cache table includes a domain name and security information of the domain name, and the domain name information query message carries the target domain name.
And querying a domain name cache table in the first node according to the target domain name, wherein the domain name cache table comprises the domain name and the safety information of the domain name, and determining whether the domain name is safe according to the safety information of the domain name.
And if the domain name cache table does not comprise the target domain name, sending a domain name information query message to a second node in the cluster, wherein the second node is one or more nodes except the first node in the cluster.
In this step, the first node may also forward the DNS query request message to the WEB server when sending the domain name information query message to the second node in the cluster.
Step 103, receiving a domain name information query response message sent by the second node, where the domain name information query response message carries the target domain name and the domain name security information.
The second node queries based on the domain name information query message to obtain domain name safety information of the target domain name, and sends a domain name information query response message carrying the target domain name and the domain name safety information to the first node.
Step 104, determining, according to the domain name safety information, whether to perform access limitation on the access request message for the World Wide Web (WEB) server sent by the terminal.
The access request message is a message that the terminal sends to the first node and that the first node must forward to the World Wide Web (WEB) server; it may be understood as a Hypertext Transfer Protocol Secure (HTTPS) message. After receiving the access request message from the terminal, the first node may decide according to the domain name security information whether to restrict it. For example, if the domain name security information shows that the target domain name is not secure, the first node restricts the access request message: the type field in the access request message is modified to 0xff, and after receiving the modified message the WEB server actively closes the connection with the terminal, which achieves the access restriction.
By adopting the method, if a plurality of websites are deployed on the same server, because each website has different domain names, even if one website in the plurality of websites has a security problem, other websites without the security problem can still be normally accessed.
In this embodiment, a first node receives a DNS query request message sent by a terminal, where the DNS query request message carries a target domain name; if the domain name cache table of the first node does not comprise the target domain name, the first node sends a domain name information query message to a second node in the cluster, wherein the domain name cache table comprises domain names and their safety information, and the domain name information query message carries the target domain name; the first node receives a domain name information query response message from the second node, which comprises the target domain name and its domain name safety information; and the first node determines, according to the domain name safety information, whether to perform access limitation on the access request message for the World Wide Web (WEB) server sent by the terminal. Because the decision to limit the terminal's access request to the WEB server depends on whether the target domain name itself is safe, the filtering granularity of website access is finer and the filtering accuracy is improved.
In an embodiment of the present invention, as shown in fig. 2, after receiving a domain name system DNS query request message sent by a terminal in step 101, and before receiving a domain name information query response message sent by the second node in step 103, the method further includes:
and 105, sending the DNS query request message to a DNS server, and receiving a DNS query response message sent by the DNS server, where the DNS query response message carries a destination IP and a destination port corresponding to the target domain name.
The first node sends the received DNS query request message to a DNS server, the DNS server determines an Internet Protocol Address (IP) and a port corresponding to a target domain name, namely a target IP and a target port, according to the target domain name, and carries the target IP and the target port in a DNS query response message to send the DNS query response message to the first node.
And step 106, if the domain name cache table of the first node does not include the target domain name, storing the target domain name and default security information into the domain name cache table.
The default security information may be secure or non-secure, or unknown, and may be set according to a time condition, where the default security information is domain name security information of the target domain name.
Step 107, storing a connection relationship and a connection state into a connection relationship table, where the connection relationship includes a source IP and a source port that send the DNS query request message, the destination IP, and the destination port, and the connection state is a storage address of the target domain name in the domain name cache table.
The connection relation may also include a five-tuple, i.e. including the source IP, the source port, the destination IP, the destination port and the transport layer protocol.
In the foregoing, the domain name cache table and the connection relation table are stored in the first node, so that for each group of source IP and source port, the destination IP and the destination port, the storage address of the domain name can be obtained through the connection relation table, so as to obtain domain name security information corresponding to the domain name from the domain name cache table, and determine whether the domain name is secure according to the domain name security information.
The domain name cache table consists of M (e.g., M = 65536) buckets, each of which can hold N (N > 1) hash values, and the storage address may consist of the bucket number and the position number within the bucket. When the number of entries in a bucket exceeds its capacity, new entries overwrite the oldest ones, so a bucket never holds more than N hash values. The connection tracking table stores all connection records, and the reserved status bits of each connection record hold the position of the domain name in the cache table, so that the blacklist or whitelist status of the domain name can be determined from the connection record.
In the above embodiment, when the domain name security information of the target domain name is unknown, the target domain name and the default security information are stored in the domain name cache table, and the connection relationship and the connection state are stored in the connection relationship table, so that after an access request message sent by the terminal is subsequently received, the domain name security information of the target domain name is obtained through the domain name cache table and the connection relationship table, and thus whether the target domain name is secure or not is determined.
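The two tables described above, modelled as an added example (this is not code from the patent or from the applicant): a domain name cache table of M buckets with N slots each, addressed by (bucket number, slot number) and overwritten oldest-first when a bucket is full, and a connection tracking table keyed by the five-tuple whose state field holds that storage address. The hash function, the table sizes in the sample run, and the check that a storage address still points at the domain it was recorded for are assumptions added here; the patent names none of them.

```python
import hashlib

# Added example, not the patent's code. Models the domain name cache table
# (M buckets x N slots, storage address = (bucket, slot), oldest slot overwritten
# when a bucket is full) and the connection tracking table (five-tuple -> storage
# address). Hash function, sizes and the stale-slot check are assumptions.

UNKNOWN, WHITE, BLACK = "unknown", "white", "black"   # domain name security information


def domain_hash(domain: str) -> int:
    """64-bit hash of the normalised domain name (blake2b is an assumption)."""
    digest = hashlib.blake2b(domain.lower().rstrip(".").encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big")


class DomainCacheTable:
    """M buckets x N slots; each slot holds [domain hash, security info] or None."""

    def __init__(self, m: int = 65536, n: int = 4):
        self.m, self.n = m, n
        self.slots = [[None] * n for _ in range(m)]
        self.victim = [0] * m      # per bucket: next slot to overwrite once the bucket is full

    def find(self, domain: str):
        h = domain_hash(domain)
        b = h % self.m
        for i, slot in enumerate(self.slots[b]):
            if slot is not None and slot[0] == h:
                return (b, i)
        return None

    def insert(self, domain: str, security: str = UNKNOWN):
        """Store the domain (default security info UNKNOWN) and return its storage address."""
        addr = self.find(domain)
        if addr is not None:
            return addr
        h = domain_hash(domain)
        b = h % self.m
        bucket = self.slots[b]
        for i, slot in enumerate(bucket):
            if slot is None:
                bucket[i] = [h, security]
                return (b, i)
        i = self.victim[b]          # bucket full: the new entry overwrites the oldest slot
        self.victim[b] = (i + 1) % self.n
        bucket[i] = [h, security]
        return (b, i)

    def update(self, addr, security: str) -> None:
        """Step 108: replace the default security info with the value from a query response."""
        self.slots[addr[0]][addr[1]][1] = security

    def security_at(self, addr, expected_hash: int) -> str:
        """Read the security info at a storage address; an overwritten slot reads as UNKNOWN."""
        slot = self.slots[addr[0]][addr[1]]
        if slot is None or slot[0] != expected_hash:
            return UNKNOWN         # slot was reused for another domain since the connection was recorded
        return slot[1]


class ConnectionTable:
    """Connection tracking table: five-tuple -> (storage address, domain hash)."""

    def __init__(self):
        self.records = {}

    def record(self, five_tuple, domain: str, addr) -> None:
        # The patent keeps only the storage address in the reserved status bits;
        # storing the domain hash next to it is an added consistency check.
        self.records[five_tuple] = (addr, domain_hash(domain))

    def lookup(self, five_tuple):
        return self.records.get(five_tuple)


def classify_flow(conns: ConnectionTable, cache: DomainCacheTable, five_tuple) -> str:
    """Step 1041: map an access request's five-tuple to its domain's security info."""
    rec = conns.lookup(five_tuple)
    if rec is None:
        return UNKNOWN
    addr, h = rec
    return cache.security_at(addr, h)


def decide(security: str) -> str:
    """Step 1042: restrict the access request when the security info is the target (black) value."""
    return "restrict" if security == BLACK else "pass"


if __name__ == "__main__":
    # Constructed sample: a single bucket of two slots so the overwrite path is exercised.
    cache, conns = DomainCacheTable(m=1, n=2), ConnectionTable()
    addr_bad = cache.insert("bad.example")            # stored with default UNKNOWN
    cache.update(addr_bad, BLACK)                     # a peer node answered "black"
    flow = ("10.0.0.5", 51000, "203.0.113.10", 443, "tcp")
    conns.record(flow, "bad.example", addr_bad)
    print(decide(classify_flow(conns, cache, flow)))  # restrict
```

The stale-slot check matters because the overwrite rule reuses slot positions: once a bucket is full, a connection record whose status bits still point at an overwritten slot would otherwise read another domain's security information. Returning UNKNOWN for such a record leaves the decision to the default rather than misclassifying the flow.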
In this embodiment, as shown in fig. 3, after receiving the domain name information query response message sent by the second node in step 103, before determining whether to perform access restriction on an access request message to a WEB server sent by the terminal according to the domain name security information in step 104, the method further includes:
step 108, updating the default security information by using the domain name security information;
correspondingly, step 104, determining whether to perform access limitation on the access request message to the WEB server sent by the terminal according to the domain name security information, includes:
step 1041, determining the domain name security information according to the domain name cache table, the connection relation table and the access request message sent by the terminal;
step 1042, if the domain name security information is the target information, performing access restriction on the access request message to the WEB server sent by the terminal.
In this embodiment, the default security information is updated according to the domain name information query response message sent by the second node, that is, the domain name security information in the domain name information query response message is used to update the default security information.
Correspondingly, in the subsequent steps the domain name safety information can be determined from the domain name cache table, the connection relation table and the access request message sent by the terminal, and access is limited for the terminal's access request message to the WEB server when the domain name safety information is the target information. Filtering is therefore performed per domain name (that is, per website), which improves the filtering accuracy. The target information may be black or white: black means the target domain name is unsafe and white means it is safe; the target information may also be any other value that indicates whether the domain name is safe or unsafe, which is not limited here.
If the domain name security information is the target information, the traditional approach of discarding the packet or constructing a TCP FIN packet is not used; instead the flow itself is modified, for example the type field of the HTTPS message is set to 0xff, so that the browser or the server actively disconnects. Compared with simply dropping packets, this reduces retransmitted packets in the network; compared with constructing a TCP FIN packet, the first node does not have to do the extra work of constructing and sending packets for interception, which lowers the load on the node's CPU (Central Processing Unit) and makes the interception function of the first node lighter.
In the above, in step 1041, determining the domain name security information according to the domain name cache table, the connection relation table, and the access request message sent by the terminal includes:
receiving an access request message to a WEB server, wherein the access request message carries the source IP, the source port, the destination IP and the destination port;
acquiring the storage address from the connection relation table according to the access request message;
and acquiring the domain name safety information from the domain name cache table according to the storage address.
Specifically, the access request message is a message that the terminal sends to the first node and that the first node must forward to the WEB server; it may be understood as a Hypertext Transfer Protocol Secure (HTTPS) message. The storage address corresponding to the source IP, source port, destination IP and destination port carried in the access request is looked up in the connection relation table, and the corresponding domain name safety information is then read from the domain name cache table at that storage address.
Further, if the domain name security information is target information, performing access restriction on an access request message to a WEB server sent by the terminal, including:
if the domain name safety information is the target information, modifying the content type in the access request message into a target type to obtain a target access request message;
and sending the target access request message to the WEB server, so that the WEB server is disconnected from the terminal after receiving the target access request message.
After receiving the access request message from the terminal, the first node may decide according to the domain name security information whether to restrict it. For example, if the domain name security information shows that the target domain name is not secure, the first node restricts the access request message: instead of discarding the packet, it changes a type field (e.g., the content-type field) in the access request message to 0xff, and after receiving the modified message the WEB server actively closes the connection with the terminal, which achieves the access restriction.
In an embodiment of the present invention, after receiving a domain name system DNS query request message sent by a terminal in step 101, before determining whether to perform access restriction on an access request message to a WEB server sent by the terminal according to the domain name security information in step 104, the method further includes:
sending the DNS query request message to a DNS server, and receiving a DNS query response message sent by the DNS server, wherein the DNS query response message carries a destination IP and a destination port corresponding to the target domain name;
if the domain name cache table of the first node comprises the target domain name, acquiring a storage address corresponding to the target domain name in the domain name cache table;
storing a connection relation and a connection state into a connection relation table, wherein the connection relation comprises the source IP and source port that sent the DNS query request message together with the destination IP and destination port, and the connection state is the storage address of the target domain name in the domain name cache table;
and sending the DNS query response message to the terminal.
In this embodiment, if the domain name cache table of the first node includes the target domain name, the domain name information query message is not sent to the second node, but the connection relationship and the connection state are stored in the connection relationship table, where the connection state is a storage address of the target domain name in the domain name cache table, and the DNS query response message is sent to the terminal.
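The message sequence of steps 101 to 108, including the cache-hit path just described, as an added in-process simulation (this is not code from the patent or the applicant). A terminal, a first node (a common node), a second node (the management node holding the feature library) and a DNS server are all modelled as Python objects; the message formats, node names, addresses and feature-library contents are constructed for the example, and the cache is a plain dictionary rather than the bucketed table.

```python
# Added example, not the patent's code. Simulates steps 101-108 in-process: a
# terminal's DNS query reaches a first node, which resolves it, stores default
# security info on a cache miss, asks a second node in the cluster, updates the
# default from the answer, records the connection relation, and later decides on
# the access request. All names, addresses and feature data are constructed.

UNKNOWN, WHITE, BLACK = "unknown", "white", "black"


class DnsServer:
    def __init__(self, zone):
        self.zone = zone              # domain -> (destination IP, destination port), constructed

    def resolve(self, domain):
        return {"type": "dns_query_response", "domain": domain, "dst": self.zone[domain]}


class Node:
    def __init__(self, name, feature_library=None):
        self.name = name
        self.cache = dict(feature_library or {})   # domain name cache table: domain -> security info
        self.connections = {}    # connection relation table: (src ip, src port, dst ip, dst port) -> domain
        self.peers = []          # other nodes in the cluster
        self.trace = []

    def handle_domain_info_query(self, msg):
        """Second-node side of steps 102/103: answer from the local table (UNKNOWN if absent)."""
        return {"type": "domain_info_response", "domain": msg["domain"],
                "security": self.cache.get(msg["domain"], UNKNOWN)}

    def handle_dns_query(self, src_ip, src_port, domain, dns):
        """First-node side of steps 101-108, triggered by the terminal's DNS query."""
        response = dns.resolve(domain)                               # step 105
        if domain in self.cache:
            self.trace.append(f"{self.name}: {domain} in cache, no cluster query")
        else:
            self.cache[domain] = UNKNOWN                             # step 106: default security info
            for peer in self.peers:                                  # step 102: query a second node
                answer = peer.handle_domain_info_query({"type": "domain_info_query", "domain": domain})
                self.trace.append(f"{self.name}: {peer.name} says {domain} is {answer['security']}")
                if answer["security"] != UNKNOWN:
                    self.cache[domain] = answer["security"]          # step 108: update the default
                    break
        # step 107: bind the connection relation to the domain. The patent keys on the
        # source port of the DNS query; this example follows that assumption.
        self.connections[(src_ip, src_port) + response["dst"]] = domain
        return response                                              # forwarded to the terminal

    def handle_access_request(self, four_tuple):
        """Steps 1041/1042: decide on an access request (HTTPS message) by its four-tuple."""
        domain = self.connections.get(four_tuple)
        security = self.cache.get(domain, UNKNOWN) if domain else UNKNOWN
        return "restrict" if security == BLACK else "pass"


def run_scenario():
    # Constructed cluster: two sites share one server IP, so IP-based filtering would
    # block both, while domain-based filtering restricts only the black one.
    dns = DnsServer({"phish.example": ("203.0.113.10", 443),
                     "news.example": ("203.0.113.10", 443),
                     "new.example": ("203.0.113.20", 443)})
    mgmt = Node("mgmt", {"phish.example": BLACK, "news.example": WHITE})
    ap = Node("ap-1")
    ap.peers.append(mgmt)

    flows = {}
    for port, domain in ((51000, "phish.example"), (51001, "news.example"), (51002, "new.example")):
        resp = ap.handle_dns_query("10.0.0.5", port, domain, dns)
        flows[domain] = ("10.0.0.5", port) + resp["dst"]

    decisions = {d: ap.handle_access_request(ft) for d, ft in flows.items()}
    decisions["untracked"] = ap.handle_access_request(("10.0.0.9", 40000, "203.0.113.10", 443))
    return decisions, dict(ap.cache), ap.trace


if __name__ == "__main__":
    decisions, cache, trace = run_scenario()
    print("\n".join(trace))
    print(decisions)
```

A domain neither node knows stays at the default UNKNOWN and is passed, and an access request with no connection record is likewise passed, so the default is fail-open; a deployment that wants fail-closed behaviour would change the default or the decision rule. Note also that, in practice, the UDP source port of a DNS query differs from the TCP source port of the later HTTPS connection, which is why the embodiment that records the connection relation from the terminal's hello message rather than from the DNS query is the more robust way to bind a flow to its domain name.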
Further, when the first node forwards a hello message sent by the terminal to the WEB server and then receives a certificate request message sent by the WEB server, the first node extracts the target domain name and queries a local policy cache (i.e., the domain name cache table), which temporarily stores the blacklist or whitelist status of recently visited domain names. If the target domain name is not found in the policy cache, the first node stores it in the local policy cache with the status set to unknown and updates the connection attribute (namely the storage address of the target domain name in the domain name cache table); if the target domain name is found in the local policy cache, only the connection attribute is updated. The certificate request message (i.e., the Certificate message) itself is passed through. When an HTTPS message following the Certificate message reaches the first node, the first node locates the connection record in the connection tracking table by the five-tuple of ports, IP addresses and protocol of the HTTPS message, reads the connection attribute (status value) of that record to obtain the position of the target domain name in the domain name cache table, looks up the blacklist or whitelist status of the target domain name there, and thereby determines the status of the connection.
That is, after receiving the domain name system DNS query request message sent by the terminal, and before receiving the domain name information query response message sent by the second node, the method further includes:
sending the DNS query request message to a DNS server, and receiving a DNS query response message sent by the DNS server, wherein the DNS query response message carries a destination Internet protocol address IP and a destination port corresponding to the target domain name;
receiving a hello message sent by the terminal, and sending the hello message to the WEB server;
receiving a certificate request message sent by the WEB server, wherein the certificate request message carries the target domain name;
if the domain name cache table of the first node does not comprise the target domain name, storing the target domain name and default safety information into the domain name cache table;
storing a connection relation and a connection state into a connection relation table, wherein the connection relation comprises a source IP and a source port for sending the hello message, the destination IP and the destination port, and the connection state is a storage address of the target domain name in the domain name cache table;
and sending the certificate request message to the terminal.
As described above, the hello message may be a client-hello message, and the certificate request message may be a Certificate message.
For ease of understanding, an example is described below.
Fig. 4a is a schematic diagram illustrating the connection relationship between a terminal, a cluster, and the Internet according to an embodiment of the present invention.
Routers in network environments such as hotels, business offices and parks are classified into management nodes and common nodes. A management node is connected to the Internet and can be the exit gateway device. A common node is not connected to the Internet directly; it is locally networked with the management node through a VLAN and can be an AP device supporting Wi-Fi. The management node interacts with a feature library server (which can be understood as a DNS server) to acquire feature library data (which can be understood as domain name security information), writes that data into the cluster, and stores it. The common nodes act as the interception points for traffic and also store the feature library data. The feature library data consists of white (allowed) domain names and black (blocked) domain names.
Fig. 4b is a schematic flow chart of the website filtering method provided in the embodiment of the present invention. Reference numerals 1-9 in the diagram denote steps executed inside the first node: numeral 1 denotes extracting the domain name (from the DNS request), numeral 2 denotes querying the cache, numeral 3 denotes passing the traffic through unmodified, numeral 4 denotes updating the cache, numeral 5 denotes extracting the domain name (from the Certificate message), numeral 6 denotes querying the cache, numeral 7 denotes recording in the connection the storage location of the corresponding domain name and passing the traffic through unmodified, numeral 8 denotes reading from the connection the storage address of the corresponding domain name and determining the black and white status of the domain name, and numeral 9 denotes passing the traffic through or modifying it.
The browser (i.e., the terminal) sends a DNS request message to the common node or the management node (i.e., the first node). The first node extracts the domain name from the DNS request message and queries the local policy cache (i.e., the domain name cache table), which temporarily stores the black and white status of recently accessed domain names. If the domain name is not found in the local policy cache, the first node sends a domain name black and white query message (namely the domain name information query message) to the other nodes of the local Redis cluster (namely the second node), and at the same time forwards the DNS request message to the DNS server.
When the domain name information query response message is returned, the common node or the management node updates the domain name cache table. When the Certificate message reaches the common node or the management node, the node extracts the domain name and queries the local policy cache, which temporarily stores the black and white status of recently accessed domain names. If the domain name is not found in the policy cache, the node stores it in the cache with its black and white status set to unknown and updates the connection attribute; if the domain name is found in the cache, only the connection attribute is updated. The Certificate message is passed through at the same time. When an HTTPS message following the Certificate message reaches the common node or the management node, the node locates the connection record in the connection tracking table by the five-tuple of the HTTPS message (ports, IP addresses and protocol), obtains the status value of the connection record, which gives the position of the domain name in the cache table, then looks up the black and white status of the domain name in the cache table, and thereby determines the black and white status of the connection.
When the node determines that the connection is black, the packet is not discarded; instead the TYPE field of the HTTPS message is modified to 0xff. The server or browser that receives the modified traffic actively closes the connection.
Fig. 4c is a diagram of the cache table and the connection tracking table.
The cache table stores the black and white information of queried domain names. It consists of M buckets (e.g., M = 65536), each of which can hold N (N > 1) hash values. When a bucket is full, new entries overwrite the oldest ones, so that a bucket never holds more than N hash values. The connection tracking table holds all connection records, and the location of the domain name in the cache table is stored in the reserved status bits of the connection record. Thus the black and white status of the domain name can be determined from the connection alone.
The first step: when the node receives the returned domain name black and white query response message, it stores the domain name and its black and white information at the corresponding position in the cache table, where the position consists of the bucket number and the position number within the bucket.
The second step: the node receives the Certificate message, extracts the domain name from it and queries the local policy cache. If the domain name is not found in the policy cache, the node stores it in the cache with its black and white status set to unknown and updates the connection status attribute; if the domain name is found in the cache, only the connection status attribute is updated.
The third step: when an HTTPS message following the Certificate message reaches the common node or the management node, the node locates the connection record in the connection tracking table by the five-tuple of the HTTPS message (ports, IP addresses and protocol), obtains the status value of the connection record, which gives the position of the domain name in the cache table, then looks up the black and white status of the domain name in the cache table, and thereby determines the black and white status of the connection.
The website filtering method has the following characteristics:
The first node sends a domain name query request message to the local Redis cluster at the same time as it forwards the DNS query request message;
The black and white status of a connection is determined through the combination of a cache table and a connection tracking table. The domain name cache table stores the black and white information of queried domain names using a hash map. The reserved status bits of the connection record store the location of the domain name in the cache table.
When the first node receives the returned domain name black and white query response message, it stores the domain name and its black and white information at the corresponding position in the cache table, where the position consists of the bucket number and the position number within the bucket.
After receiving the Certificate message, the first node extracts the domain name and queries the domain name cache table. If the target domain name is not found in the domain name cache table, the first node stores it in the cache with its black and white status set to unknown and updates the connection status attribute; if the target domain name is found in the domain name cache table, only the connection status attribute is updated.
When an HTTPS message following the Certificate message reaches the common node or the management node, the node locates the connection record in the connection tracking table by the five-tuple of the HTTPS message (ports, IP addresses and protocol), obtains the status value of the connection record, which gives the position of the domain name in the cache table, then looks up the black and white status of the domain name in the cache table, and thereby determines the black and white status of the connection.
When the first node determines that the connection is black, it does not use the conventional approach of discarding the packets or constructing TCP FIN packets; instead it modifies the traffic, for example by setting the TYPE field of the HTTPS message to 0xff, so that the browser or the server actively closes the connection. Compared with simply dropping packets, this reduces retransmitted packets in the network; compared with constructing TCP FIN packets, the node does not need the extra work of building and sending packets solely for interception, which lowers the CPU load on the node and makes the interception function lighter.
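The three steps above and the characteristics just listed, as an added Python model written for this page (not the patent's or the applicant's implementation) of the domain name cache table, the connection tracking table and the release-or-modify decision. Assumptions: SHA-256 is used as the domain hash (the patent names none), the connection key is the five-tuple (protocol, source IP, source port, destination IP, destination port), the bucket sizes M = 64 and N = 4 are constructed values, and the connection record additionally keeps the domain hash so that a cache slot reused by another domain is detected, a check the patent does not describe.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Black-and-white status values as used in the description.
UNKNOWN, WHITE, BLACK = "unknown", "white", "black"
# Storage address of a domain in the cache table: (bucket number, position in bucket).
Address = Tuple[int, int]
# Connection tracking key: protocol, source IP, source port, destination IP, destination port.
FiveTuple = Tuple[str, str, int, str, int]


@dataclass
class CacheEntry:
    domain_hash: bytes
    status: str


class DomainCacheTable:
    """M buckets, each holding at most N hash values; a full bucket overwrites its oldest slot."""

    def __init__(self, m: int = 64, n: int = 4) -> None:  # constructed sizes; the patent cites M = 65536
        self.m, self.n = m, n
        self.buckets: List[List[CacheEntry]] = [[] for _ in range(m)]
        self.victim: List[int] = [0] * m  # next slot to overwrite in each full bucket (FIFO order)

    @staticmethod
    def domain_hash(domain: str) -> bytes:
        # Assumption: SHA-256 of the lower-cased name; the patent does not name the hash function.
        return hashlib.sha256(domain.strip().lower().encode()).digest()

    def _bucket_no(self, h: bytes) -> int:
        return int.from_bytes(h[:4], "big") % self.m

    def find(self, domain: str) -> Optional[Address]:
        h = self.domain_hash(domain)
        b = self._bucket_no(h)
        for pos, entry in enumerate(self.buckets[b]):
            if entry.domain_hash == h:
                return (b, pos)
        return None

    def store(self, domain: str, status: str) -> Address:
        """Insert or update a domain and return its storage address (bucket, position)."""
        addr = self.find(domain)
        if addr is not None:               # already cached: update black/white in place
            self.buckets[addr[0]][addr[1]].status = status
            return addr
        h = self.domain_hash(domain)
        b = self._bucket_no(h)
        bucket = self.buckets[b]
        if len(bucket) < self.n:           # free slot in the bucket
            bucket.append(CacheEntry(h, status))
            return (b, len(bucket) - 1)
        pos = self.victim[b]               # bucket full: new overwrites old, in place
        bucket[pos] = CacheEntry(h, status)
        self.victim[b] = (pos + 1) % self.n
        return (b, pos)


@dataclass
class ConnRecord:
    address: Address      # the "connection status attribute" of the description
    domain_hash: bytes    # added check, not in the patent: detects a reused cache slot


class FilterNode:
    """The first node: cache table plus connection tracking table plus release/modify decision."""

    def __init__(self, m: int = 64, n: int = 4) -> None:
        self.cache = DomainCacheTable(m, n)
        self.conns: Dict[FiveTuple, ConnRecord] = {}

    def on_domain_info_response(self, domain: str, status: str) -> Address:
        """First step: the cluster answered; store the domain and its black/white at (bucket, position)."""
        return self.cache.store(domain, status)

    def on_certificate(self, key: FiveTuple, domain: str) -> Address:
        """Second step: on a cache miss store the domain as unknown; always update the connection record."""
        addr = self.cache.find(domain)
        if addr is None:
            addr = self.cache.store(domain, UNKNOWN)
        self.conns[key] = ConnRecord(addr, self.cache.domain_hash(domain))
        return addr

    def classify_connection(self, key: FiveTuple) -> str:
        """Third step: five-tuple -> connection record -> storage address -> black/white of the domain."""
        rec = self.conns.get(key)
        if rec is None:
            return UNKNOWN
        entry = self.cache.buckets[rec.address[0]][rec.address[1]]
        if entry.domain_hash != rec.domain_hash:  # slot was overwritten by another domain
            return UNKNOWN
        return entry.status

    def filter_record(self, key: FiveTuple, tls_record: bytes) -> bytes:
        """Release the traffic unchanged, or for a black connection set the TLS record type byte to 0xff."""
        if self.classify_connection(key) == BLACK:
            return b"\xff" + tls_record[1:]
        return tls_record
```

The domain-hash check in `classify_connection` matters because a bucket that overflows reuses a slot in place; without it a connection whose domain was evicted would inherit the black and white status of whatever domain now occupies that slot.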
The invention makes full use of the intelligent routers or gateway devices already present in environments such as hotels, enterprise offices and parks, and integrates the security function into them, so that filtering no longer has to be concentrated at the exit gateway and the processing capacity required of the exit gateway is reduced. Moreover, no feature server needs to be deployed near the source, so an enterprise can obtain the security service quickly and conveniently and filter and control the Internet access of its staff.
The method and the device filter HTTPS websites by domain name, which is finer-grained than filtering by IP address. If several websites are deployed on the same server and one of them has a security problem while the others do not, access to the problematic website can be intercepted precisely while access to the other websites proceeds normally.
Referring to fig. 5, fig. 5 is a structural diagram of a website filtering device according to an embodiment of the present invention. As shown in fig. 5, the website filtering apparatus 500, applied to the first node, includes:
a first receiving module 501, configured to receive a domain name system DNS query request message sent by a terminal, where the DNS query request message carries a target domain name;
a first sending module 502, configured to send a domain name information query message to a second node in the cluster if the domain name cache table of the first node does not include the target domain name, where the domain name cache table includes a domain name and security information of the domain name, and the domain name information query message carries the target domain name;
a second receiving module 503, configured to receive a domain name information query response message sent by the second node, where the domain name information query response message carries the target domain name and domain name security information;
a determining module 504, configured to determine whether to perform access restriction on an access request message to a WEB server sent by the terminal according to the domain name security information.
Further, the website filtering apparatus 500 further includes:
a second sending module, configured to send the DNS query request message to a DNS server;
a third receiving module, configured to receive a DNS query response message sent by the DNS server, where the DNS query response message carries a destination internet protocol address IP and a destination port corresponding to the target domain name;
a first storage module, configured to store the target domain name and default security information in a domain name cache table if the domain name cache table of the first node does not include the target domain name;
a second storage module, configured to store a connection relation and a connection state in a connection relation table, where the connection relation includes the source IP and source port that sent the DNS query request message, the destination IP and the destination port, and the connection state is the storage address of the target domain name in the domain name cache table.
Further, the website filtering apparatus 500 further includes:
the updating module is used for updating the default safety information by utilizing the domain name safety information;
the determining module 504 includes:
a first determining submodule, configured to determine the domain name security information according to the domain name cache table, the connection relation table, and the access request message sent by the terminal;
a restriction submodule, configured to restrict access for the access request message to the WEB server sent by the terminal if the domain name security information is the target information.
Further, the first determining sub-module includes:
a receiving unit, configured to receive an access request message to a WEB server sent by the terminal, where the access request message carries the source IP, the source port, the destination IP, and the destination port;
a first obtaining unit, configured to obtain the storage address from the connection relation table according to the access request message;
a second obtaining unit, configured to obtain the domain name security information from the domain name cache table according to the storage address.
Further, the restriction submodule includes:
a third obtaining unit, configured to modify a content type in the access request message to a target type if the domain name security information is the target information, and obtain a target access request message;
a sending unit, configured to send the target access request message to the WEB server, so that the WEB server disconnects from the terminal after receiving the target access request message.
Further, the website filtering apparatus 500 further includes:
the second sending module is used for sending the DNS query request message to a DNS server;
a third receiving module, configured to receive a DNS query response message sent by the DNS server, where the DNS query response message carries a destination IP and a destination port corresponding to the target domain name;
an obtaining module, configured to obtain a storage address corresponding to the target domain name in a domain name cache table if the domain name cache table of the first node includes the target domain name;
a second storage module, configured to store a connection relationship and a connection state in a connection relationship table, where the connection relationship includes a source IP and a source port that send the DNS query request message, the destination IP, and the destination port, and the connection state is a storage address of the target domain name in the domain name cache table;
a third sending module, configured to send the DNS query response message to the terminal.
Further, the website filtering apparatus 500 further includes:
the second sending module is used for sending the DNS query request message to a DNS server;
a third receiving module, configured to receive a DNS query response message sent by the DNS server, where the DNS query response message carries a destination internet protocol address IP and a destination port corresponding to the target domain name;
a fourth receiving module, configured to receive a hello message sent by the terminal;
a fourth sending module, configured to send the hello message to the WEB server;
a fifth receiving module, configured to receive a certificate request message sent by the WEB server, where the certificate request message carries the target domain name;
a first storage module, configured to store the target domain name and default security information in a domain name cache table if the domain name cache table of the first node does not include the target domain name;
a second storage module, configured to store a connection relationship and a connection state in a connection relationship table, where the connection relationship includes a source IP and a source port that send the hello message, the destination IP, and the destination port, and the connection state is a storage address of the target domain name in the domain name cache table;
a fifth sending module, configured to send the certificate request message to the terminal.
The website filtering apparatus 500 can implement the processes of the embodiments of the method of fig. 1-3 and achieve the same advantageous effects, and therefore, in order to avoid repetition, the detailed description thereof is omitted here.
The embodiment of the invention also provides the first node. Referring to fig. 6, the first node may include a processor 901, a memory 902, and a program 9021 stored in the memory 902 and capable of running on the processor 901, where when the program 9021 is executed by the processor 901, any step in the method embodiments corresponding to fig. 1 to fig. 3 may be implemented and the same beneficial effect may be achieved, and details are not repeated here.
Those skilled in the art will appreciate that all or part of the steps of the method according to the above embodiments may be implemented by hardware associated with program instructions, and the program may be stored in a readable medium. An embodiment of the present invention further provides a readable storage medium, where a computer program is stored on the readable storage medium, and when the computer program is executed by a processor, any step in the method embodiments corresponding to fig. 1 to 3 may be implemented, and the same technical effect may be achieved, and in order to avoid repetition, details are not repeated here.
The storage medium may be a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk.
While the foregoing is directed to the preferred embodiment of the present invention, it will be understood by those skilled in the art that various changes and modifications may be made without departing from the spirit and scope of the invention as defined in the appended claims.

Claims (10)

1. A website filtering method is applied to a first node, and is characterized by comprising the following steps:
receiving a Domain Name System (DNS) query request message sent by a terminal, wherein the DNS query request message carries a target domain name;
if the domain name cache table of the first node does not comprise the target domain name, sending a domain name information query message to a second node in the cluster, wherein the domain name cache table comprises the domain name and safety information of the domain name, and the domain name information query message carries the target domain name;
receiving a domain name information query response message sent by the second node, wherein the domain name information query response message carries the target domain name and domain name safety information;
and determining, according to the domain name security information, whether to perform access limitation on an access request message sent by the terminal to a World Wide Web (WWW) server.
2. The method according to claim 1, further comprising, after receiving the domain name system DNS query request message sent by the terminal and before receiving the domain name information query response message sent by the second node:
sending the DNS query request message to a DNS server, and receiving a DNS query response message sent by the DNS server, wherein the DNS query response message carries a destination Internet protocol address IP and a destination port corresponding to the target domain name;
if the domain name cache table of the first node does not comprise the target domain name, storing the target domain name and default safety information into the domain name cache table;
storing a connection relation and a connection state into a connection relation table, wherein the connection relation comprises a source IP and a source port which send the DNS query request message, the destination IP and the destination port, and the connection state is a storage address of the target domain name in the domain name cache table.
3. The method according to claim 2, wherein after the receiving the domain name information query response message sent by the second node, and before the determining whether to perform access restriction on the access request message to the WEB server sent by the terminal according to the domain name security information, further comprising:
updating the default security information by using the domain name security information;
the determining whether to perform access limitation on the access request message to the WEB server sent by the terminal according to the domain name security information includes:
determining the domain name safety information according to the domain name cache table, the connection relation table and the access request message sent by the terminal;
and if the domain name safety information is the target information, performing access limitation on an access request message sent by the terminal to the WEB server.
4. The method according to claim 3, wherein the determining the domain name security information according to the domain name cache table, the connection relation table, and the access request message sent by the terminal comprises:
receiving an access request message to a WEB server, wherein the access request message carries the source IP, the source port, the destination IP and the destination port;
acquiring the storage address from the connection relation table according to the access request message;
and acquiring the domain name safety information from the domain name cache table according to the storage address.
5. The method according to claim 4, wherein if the domain name security information is target information, performing access restriction on an access request message to a WEB server sent by the terminal, includes:
if the domain name safety information is the target information, modifying the content type in the access request message into a target type to obtain a target access request message;
and sending the target access request message to the WEB server, so that the WEB server is disconnected from the terminal after receiving the target access request message.
6. The method according to claim 1, further comprising, after receiving the domain name system DNS query request message sent by the terminal and before the determining whether to perform access restriction on the access request message to the WEB server sent by the terminal according to the domain name security information:
sending the DNS query request message to a DNS server, and receiving a DNS query response message sent by the DNS server, wherein the DNS query response message carries a target IP and a target port corresponding to the target domain name;
if the domain name cache table of the first node comprises the target domain name, acquiring a storage address corresponding to the target domain name in the domain name cache table;
storing a connection relation and a connection state into a connection relation table, wherein the connection relation comprises a source IP and a source port which send the DNS query request message, the destination IP and the destination port, and the connection state is a storage address of the target domain name in the domain name cache table;
and sending the DNS inquiry response message to the terminal.
7. The method according to claim 1, further comprising, after receiving the domain name system DNS query request message sent by the terminal and before receiving the domain name information query response message sent by the second node:
sending the DNS query request message to a DNS server, and receiving a DNS query response message sent by the DNS server, wherein the DNS query response message carries a destination Internet protocol address IP and a destination port corresponding to the target domain name;
receiving a hello message sent by the terminal, and sending the hello message to the WEB server;
receiving a certificate request message sent by the WEB server, wherein the certificate request message carries the target domain name;
if the domain name cache table of the first node does not comprise the target domain name, storing the target domain name and default safety information into the domain name cache table;
storing a connection relation and a connection state into a connection relation table, wherein the connection relation comprises a source IP and a source port for sending the hello message, the destination IP and the destination port, and the connection state is a storage address of the target domain name in the domain name cache table;
and sending the certificate request message to the terminal.
8. A website filtering apparatus applied to a first node, comprising:
the first receiving module is used for receiving a domain name system DNS query request message sent by a terminal, wherein the DNS query request message carries a target domain name;
a sending module, configured to send a domain name information query message to a second node in the cluster if the domain name cache table of the first node does not include the target domain name, where the domain name cache table includes a domain name and security information of the domain name, and the domain name information query message carries the target domain name;
a second receiving module, configured to receive a domain name information query response message sent by the second node, where the domain name information query response message carries the target domain name and domain name security information;
and a determining module, configured to determine, according to the domain name security information, whether to perform access limitation on an access request message sent by the terminal to a World Wide Web (WWW) server.
9. A node, comprising: a transceiver, a memory, a processor, and a program stored on the memory and executable on the processor; the processor is configured to read a program in a memory to implement the steps in the website filtering method according to any one of claims 1 to 7.
10. A readable storage medium storing a program, wherein the program, when executed by a processor, implements the steps of the website filtering method according to any one of claims 1 to 7.
CN202110005422.8A 2021-01-05 2021-01-05 Website filtering method, device and node Pending CN114726566A (en)


Publications (1)

Publication Number Publication Date
CN114726566A true CN114726566A (en) 2022-07-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination