CN117376305A - Domain Name System (DNS) protection method and device and DNS server - Google Patents


Info

Publication number
CN117376305A
Authority
CN
China
Prior art keywords
domain name
data
block
link node
name data
Legal status
Pending
Application number
CN202311385247.5A
Other languages
Chinese (zh)
Inventor
韦佳明
张允江
管纪伟
韩伟
Current Assignee
Tianyi Safety Technology Co Ltd
Original Assignee
Tianyi Safety Technology Co Ltd

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/30Managing network names, e.g. use of aliases or nicknames
    • H04L61/3015Name registration, generation or assignment
    • H04L61/3025Domain name generation or assignment
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a protection method and device for a Domain Name System (DNS) and a DNS server. The method comprises the following steps: determining an initial encryption signature according to the DNS server address and the first domain name data, and constructing link node data based on the initial encryption signature and the first domain name data; after the link node data have been written on-chain in a block, acquiring the second domain name data from the link nodes of the block in real time at a preset interval, and determining a current encryption signature for each link node according to the second domain name data and the DNS server address; comparing the current encryption signature of each link node in the block with the initial encryption signature in the link node data stored by the block, selecting abnormal link nodes from the link nodes of the block according to the comparison result, and taking the abnormal link nodes offline. Chained encryption signatures raise the cost of tampering and reduce the probability that domain name data are falsified, and real-time monitoring of tampering behaviour improves both the monitoring efficiency and the security of the domain name data.

Description

Domain Name System (DNS) protection method and device and DNS server
Technical Field
The present invention relates to the field of mobile communications technologies, and in particular to a method and an apparatus for protecting a Domain Name System (DNS), and to a DNS server.
Background
In a computer communications network there is a mapping between a domain name (DN) and an Internet Protocol (IP) address. When a user accesses a website, the user normally needs only the website's domain name and does not need to know the IP address that the lower layers of the computer use for communication. A service system in the communication network is therefore needed that translates domain names to IP addresses for users; this service system is called the Domain Name System (DNS). A host that provides such translation services to users is called a DNS server.
However, in actual network communication a hacker may tamper with the domain name data stored in the DNS server, that is, the correspondence between a domain name and an IP address, so that a legitimate website is resolved to a phishing website or to a host controlled by the hacker. The user then suffers information leakage and financial loss, which is a significant network security problem.
Disclosure of Invention
The invention provides a protection method and device for a Domain Name System (DNS) and a DNS server, which are used for solving the network security problems of user information leakage, property loss and the like caused by malicious tampering of domain name data in the domain name system in the prior art.
In a first aspect, an embodiment of the present invention provides a DNS protection method, including:
determining an initial encryption signature corresponding to each first domain name data according to a DNS server address and a plurality of first domain name data, and constructing link node data based on the initial encryption signature and the first domain name data;
after the plurality of link node data have been written on-chain in at least one block, acquiring second domain name data from each link node of the at least one block in real time at a preset interval, and determining a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address;
and comparing the current encryption signature corresponding to each link node in any block with the initial encryption signature in the link node data stored by that block, selecting abnormal link nodes from the plurality of link nodes of the block according to the comparison result, and taking the abnormal link nodes offline.
In this DNS protection method, chained signing is performed over the DNS server address and the locally cached first domain name data, and the resulting link node data are written on-chain in the blockchain. Because the chained signatures and the tamper-resistance of the blockchain together raise the cost of tampering, the probability that domain name data are falsified is reduced and their security is improved. In addition, a current encryption signature is determined from the second domain name data obtained in real time from the on-chain link nodes, and whether the domain name data stored in a link node have changed is judged from the consistency of the current and initial encryption signatures. This realizes real-time monitoring of tampering behaviour, improves monitoring efficiency, reduces the probability of user information leakage and financial loss caused by network security holes, and further improves the security of the domain name system.
In an alternative embodiment, the determining the initial cryptographic signature corresponding to each first domain name data according to the DNS server address of the domain name system and the plurality of first domain name data includes:
for any one of the plurality of first domain name data, the initial encrypted signature corresponding to the first domain name data is determined by:
determining an encryption key according to the position of the first domain name data within the plurality of first domain name data and the DNS server address;
and performing an encryption operation on the sum of first encryption data and second encryption data, and taking the result as the initial encryption signature, where the first encryption data are obtained by performing an encryption operation on the encryption key and the second encryption data are obtained by performing an encryption operation on the first domain name data.
In this method, the encryption key for each first domain name data is determined from that data's position in the set and the DNS server address, and the encryption key and the first domain name data are put through the encryption operation to obtain the initial encryption signatures. Signing in this way increases the cost of falsifying domain name data, which reduces the probability of falsification and improves the security of the domain name data.
In an alternative embodiment, determining the encryption key according to the position of the first domain name data and the DNS server address includes:
if the first domain name data is the first domain name data in the plurality of first domain name data, the DNS server address is used as the encryption key;
and if the first domain name data is non-first domain name data in the plurality of first domain name data, taking an initial encryption signature corresponding to the previous first domain name data adjacent to the first domain name data as the encryption key.
According to the method, the encryption key is determined in a chained mode, namely, the initial encryption signature corresponding to the former first domain name data is used as the encryption key corresponding to the latter first domain name data, so that chained encryption signature processing is realized, the probability of tampering of the domain name data is reduced, and the reliability and safety of the domain name data are improved.
In an alternative embodiment, the selecting an abnormal link node among the plurality of link nodes of the block according to the comparison result includes:
selecting, according to the comparison result, a link node whose current encryption signature is inconsistent with its initial encryption signature as the abnormal link node.
In this method, whether the domain name data stored in a link node have been tampered with is determined by comparing the current encryption signature with the initial encryption signature: if the two are inconsistent, the domain name data in that link node have been tampered with and the link node is marked as abnormal. This reduces the probability that the DNS server resolves a domain name sent by a client to a wrong IP address on the basis of tampered domain name data, causing network security problems such as user information leakage, and improves the security and reliability of the domain name system.
In an optional implementation manner, after the abnormal link node is selected from the plurality of link nodes of the block according to the comparison result, before the abnormal link node is offline, the method further includes:
taking the ratio of the number of the abnormal link nodes to the total number of the link nodes in the block as the safety coefficient of the block;
comparing the safety coefficient with a preset coefficient threshold value, and determining that the safety coefficient is smaller than the preset coefficient threshold value.
In this method a preset coefficient threshold is set; when the security coefficient is smaller than the threshold, the abnormal link nodes are taken offline so that the tampered link data stored in them are not used. This improves the accuracy of domain name resolution, further improves the security of the domain name system, and protects the user's information security.
In an optional implementation manner, after selecting an abnormal link node from the plurality of link nodes of the block according to the comparison result, the method further includes:
taking the ratio of the number of the abnormal link nodes to the total number of the link nodes in the block as the safety coefficient of the block;
and comparing the safety coefficient with a preset coefficient threshold, and if the safety coefficient is not smaller than the preset coefficient threshold, updating each link node in the block according to the link node data.
In this method, when the security coefficient is not smaller than the preset coefficient threshold, that is, when the block contains too many abnormal link nodes, the block is reset or updated, which guarantees the security and availability of the domain name system.
In an optional embodiment, after constructing the link node data and before the plurality of link node data are written on-chain in at least one block, the method further includes:
backing up the node information of all current link nodes in any block.
In this method, before the link node data are written on-chain, the node data of the link nodes already present in the block are backed up; once the backup operation has confirmed that the system is working normally, the link node data are written on-chain. This ensures the accuracy and consistency of the on-chain write and improves the reliability of the system.
In a second aspect, an embodiment of the present invention provides a DNS protection device, including:
a first data processing module, configured to determine an initial encryption signature corresponding to each first domain name data according to a DNS server address and a plurality of first domain name data, and to construct link node data based on the initial encryption signature and the first domain name data;
a second data processing module, configured to acquire second domain name data from each link node of at least one block in real time at a preset interval after the plurality of link node data have been written on-chain in the at least one block, and to determine a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address;
and a link node processing module, configured to compare the current encryption signature corresponding to each link node in any block with the initial encryption signature in the link node data it has stored, to select abnormal link nodes from the plurality of link nodes of the block according to the comparison result, and to take the abnormal link nodes offline.
In an alternative embodiment, the first data processing module is specifically configured to:
For any one of the plurality of first domain name data, the initial encrypted signature corresponding to the first domain name data is determined by:
determining an encryption key according to the position of the first domain name data within the plurality of first domain name data and the DNS server address;
and carrying out encryption operation on the sum of the first encryption data and the second encryption data, and taking the result of the encryption operation as the initial encryption signature, wherein the first encryption data is obtained by carrying out encryption operation on the encryption key, and the second encryption data is obtained by carrying out encryption operation on the first domain name data.
In an alternative embodiment, the first data processing module is specifically configured to:
if the first domain name data is the first domain name data in the plurality of first domain name data, the DNS server address is used as the encryption key;
and if the first domain name data is non-first domain name data in the plurality of first domain name data, taking an initial encryption signature corresponding to the previous first domain name data adjacent to the first domain name data as the encryption key.
In an alternative embodiment, the link node processing module is specifically configured to:
and selecting a link node with the inconsistent current encryption signature and the initial encryption signature as the abnormal link node according to the comparison result.
In an alternative embodiment, the apparatus further comprises a first security coefficient determination module;
the first safety coefficient judging module is used for taking the ratio of the number of the abnormal link nodes to the total number of the link nodes in the block as the safety coefficient of the block; comparing the safety coefficient with a preset coefficient threshold value, and determining that the safety coefficient is smaller than the preset coefficient threshold value.
In an alternative embodiment, the apparatus further comprises a second security coefficient determination module;
the second security coefficient determining module is configured to use a ratio of the number of the abnormal link nodes to the total number of the link nodes in the block as a security coefficient of the block; and comparing the safety coefficient with a preset coefficient threshold, and if the safety coefficient is not smaller than the preset coefficient threshold, updating each link node in the block according to the link node data.
In an alternative embodiment, the apparatus further comprises a node data backup module;
the node data backup module is used for carrying out backup processing on node information of all current link nodes in any block.
In a third aspect, an embodiment of the present invention provides a DNS server, including:
a memory for storing executable instructions;
a processor, configured to read and execute the executable instructions stored in the memory, so as to implement the steps of the DNS protection method according to any one of the embodiments of the first aspect.
In a fourth aspect, embodiments of the present invention provide a computer-readable storage medium storing computer instructions that, when run on a computer, cause the computer to perform the steps of the DNS protection method according to any of the embodiments of the first aspect.
The technical effects achievable by the DNS protection device of the second aspect, the server of the third aspect and the computer-readable storage medium of the fourth aspect correspond to those achievable by the first aspect and its various possible solutions, and are not repeated here.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments will be briefly described below, it will be apparent that the drawings in the following description are only some embodiments of the present invention, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of a DNS server capable of executing a DNS protection method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of link node data according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of a block enabling module and a block module according to an embodiment of the present invention;
Fig. 4 is a schematic block diagram of an embodiment of the present invention;
Fig. 5 is a schematic diagram of a block module after an on-chain write operation has completed according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a specific structure of a tamper monitoring module according to an embodiment of the present invention;
Fig. 7 is a complete flow diagram of a DNS protection method implemented by a DNS server according to an embodiment of the present invention;
Fig. 8 is a flow chart of a DNS protection method according to an embodiment of the present invention;
Fig. 9 is a schematic block diagram of a DNS protection device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of a DNS server according to an embodiment of the present invention;
Fig. 11 is a schematic diagram of a program product for implementing a DNS protection method according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention will be described in further detail below with reference to the accompanying drawings, and it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. The implementations described in the following exemplary examples do not represent all implementations consistent with the invention. Rather, they are merely examples of apparatus and methods consistent with aspects of the invention as detailed in the accompanying claims.
The embodiment of the invention provides a protection method and device for a Domain Name System (DNS) and a DNS server, which are used for reducing the probability of domain name data falsification, improving the safety and reliability of the domain name system and protecting the information safety of users.
The following describes the technical scheme in the embodiment of the present invention with reference to the accompanying drawings:
example 1
In order to reduce the probability of domain name data being tampered and improve the safety and reliability of a domain name system, the embodiment of the invention provides a DNS server which can be used for executing the DNS protection method provided by the embodiment of the invention.
Fig. 1 shows a schematic block diagram of the DNS server described above. As shown in Fig. 1, the DNS server 100 includes a transaction consensus module 101, a block enabling module 102, a tamper monitoring module 103 and a block module 104, where the block module 104 includes blocks 1 to m, m being a positive integer;
the transaction consensus module 101 is configured to determine an initial encryption signature corresponding to each first domain name data according to the DNS server address and the plurality of first domain name data, and construct link node data based on the initial encryption signature and the first domain name data.
In a specific implementation, the transaction consensus module 101 performs a data extraction operation on the DNS server 100, extracts the DNS server address and the cached first domain name data, and constructs an initial data set according to all the extracted first domain name data, where each first domain name data in the present application includes a domain name and an IP address corresponding to the domain name.
For example, assume that k pieces of first domain name data are extracted, k being a positive integer. The first domain name data d1 includes domain name 1 and IP address 1, where domain name 1 is www.example1.com and IP address 1 is 192.168.1.1; the first domain name data d2 includes domain name 2 and IP address 2, where domain name 2 is www.example2.com and IP address 2 is 192.168.1.2; and so on, that is, the first domain name data di may be represented as (www.examplei.com, 192.168.1.i), where www.examplei.com is the domain name and 192.168.1.i is the IP address to which it corresponds. The initial data set constructed is thus T(d1, …, di, …, dk).
In one or more embodiments, the DNS server address is an address of a DNS server corresponding to the local gateway. For example, the DNS server address may be IP0 = 1.1.1.0.
In an alternative embodiment, the transaction consensus module 101 may determine the initial cryptographic signature by:
for any one of the plurality of first domain name data, the initial cryptographic signature corresponding to the first domain name data is determined by:
determining an encryption key according to the position of the first domain name data within the plurality of first domain name data and the DNS server address;
and performing an encryption operation on the sum of first encryption data and second encryption data, and taking the result as the initial encryption signature, where the first encryption data are obtained by performing an encryption operation on the encryption key and the second encryption data are obtained by performing an encryption operation on the first domain name data.
In a specific implementation, after the transaction consensus module 101 has constructed the initial data set, it performs a chained signature (Signature) process on each first domain name data in the initial data set to obtain the initial encryption signature corresponding to each.
In an alternative embodiment, the encryption key may be determined by:
if the first domain name data is the first domain name data in the plurality of first domain name data, the DNS server address is used as an encryption key;
if the first domain name data is non-first domain name data in the plurality of first domain name data, an initial encryption signature corresponding to the previous first domain name data adjacent to the first domain name data is used as an encryption key.
In a specific implementation, the transaction consensus module 101 determines the position of the currently processed first domain name data in the initial data set. If it is the first element of the initial data set, the DNS server address is used directly as the encryption key; otherwise, the initial encryption signature of the first domain name data immediately preceding it in the initial data set is used as the encryption key.
In one or more embodiments, the SHA-256 (Secure Hash Algorithm 256) algorithm may be employed for the encryption operation.
Illustratively, let the initial data set be T(d1, …, di, …, dk) and the DNS server address be IP0. Taking the first domain name data d1 in the initial data set T as an example:
First, since d1 is the first element of the initial data set T, the DNS server address IP0 is used as the encryption key for d1, that is, key1 = IP0. Then the encryption key1 is put through the encryption operation to obtain the first encrypted data SHA256(key1), and the first domain name data d1 is put through the encryption operation to obtain the second encrypted data SHA256(d1). Finally, the sum of the first encrypted data SHA256(key1) and the second encrypted data SHA256(d1) is put through the encryption operation, which yields the initial encryption signature for d1: signature1 = SHA256(SHA256(key1) + SHA256(d1)).
Taking the first domain name data d2 in the initial data set T as an example:
Since d2 is the second element of the initial data set T rather than the first, and d1 is the element preceding it, the initial encryption signature of d1 is used as the encryption key for d2, that is, key2 = signature1. Then key2 is put through the encryption operation to obtain the first encrypted data SHA256(key2), and d2 is put through the encryption operation to obtain the second encrypted data SHA256(d2). Finally, the sum SHA256(key2) + SHA256(d2) is put through the encryption operation, which yields the initial encryption signature for d2: signature2 = SHA256(SHA256(key2) + SHA256(d2)).
The initial encryption signatures of the other first domain name data in the initial data set T are determined in the same way and are not described further.
In this manner the transaction consensus module 101 determines an initial encryption signature for each first domain name data in the initial data set T, that is, T(d1, …, di, …, dk) corresponds one-to-one to (signature1, …, signaturei, …, signaturek).
In one or more embodiments, after the initial encryption signature determination is completed, the first domain name data in the initial data set and the initial encryption signature corresponding to the first domain name data are combined to obtain a plurality of link node data, where the number of link node data is equal to the number of first domain name data.
Illustratively, given an initial data set T (d 1, …, di, …, dk) and the initial encryption signatures (signature 1, …, signature i, …, signature k), the plurality of link node data are respectively: n1 (d 1, key 1, signature 1), n2 (d 2, key 2, signature 2), …, nk (dk, key k, signature k);
fig. 2 shows a schematic diagram of the structure of link node data. As shown in fig. 2, the link node data n1 includes first domain name data d1, an encryption key 1, and an initial encryption signature 1; the link node data n2 includes first domain name data d2, an encryption key 2, and an initial encryption signature 2, wherein the encryption key 2=the initial encryption signature 1; the link node data n3 includes first domain name data d3, an encryption key 3, and an initial encryption signature 3, wherein the encryption key 3=the initial encryption signature 2; and so on.
In particular implementations, the transaction consensus module 101 constructs the determined plurality of link node data as a link node data set N (n1, …, ni, …, nk) and transmits the link node data set N (n1, …, ni, …, nk) to the block enabling module 102.
In this method, the encryption key is determined in a chained manner: the initial encryption signature corresponding to the previous first domain name data is used as the encryption key corresponding to the next first domain name data, and the encryption operation is performed on that encryption key together with the first domain name data to obtain the plurality of initial encryption signatures. That is, the chained encryption signature increases the cost of tampering with domain name data, so that the probability of tampering is reduced and the reliability and security of the domain name data are improved.
A block enabling module 102, configured to perform an uplink operation on the plurality of link node data in at least one block.
In a specific implementation, after the block enabling module 102 receives the link node data set transmitted by the transaction consensus module 101, each link node data in the link node data set is subjected to an uplink operation in the block module 104, and a secondary commit policy is introduced into the uplink process to ensure the accuracy and consistency of the uplink.
In one or more embodiments, the number of blocks in the block module 104 is an odd number. For example, the block module 104 may include 1 block, 5 blocks, or other odd blocks, which is not limited in this embodiment of the present invention.
In an alternative embodiment, the block enabling module 102 is further configured to:
for any block, performing backup processing on the node information of all current link nodes in the block.
Fig. 3 shows a schematic diagram of a specific structure of the block enabling module 102 and the block module 104. As shown in fig. 3, the block enabling module 102 includes a coordination center, and each block in the block module 104 includes a state pool, that is, block 1 includes a state pool P1, block 2 includes a state pool P2, …, and block m includes a state pool Pm;
in one or more embodiments, a secondary commit policy is used to perform a link node data uplink, where the secondary commit policy divides the uplink process into two phases of pre-commit and formal commit, and the specific implementation manner is as follows:
(1) Pre-commit:
in a specific implementation, after the block enabling module 102 receives the link node data set, a data backup instruction and the link node data set are issued to all blocks (block 1-block m) in the block module 104;
All blocks (block 1-block m) in the block module 104 respond to the data backup instruction by backing up the node information of all their current link nodes to their own state pools and reserving positions for the link node data to be uplinked. When any block in the block module 104 detects that its node information has been stored in its state pool, it sends a first acknowledgement message to the coordination center of the block enabling module 102;
take block 2 in fig. 3 as an example for illustration:
for example, assume that 2 link nodes already exist in block 2 before the link node data set is received, i.e., as shown in fig. 4, link node 20 and link node 21 already exist in block 2. After block 2 receives the data backup instruction and the link node data set, the node information of link node 20 and the node information of link node 21 are stored in the state pool P2, and at the same time link node 22 is created to reserve storage space for the link node data. When block 2 detects that 2 pieces of node information have been stored in the state pool P2, it determines that the node information storage is complete and sends a first acknowledgement message to the coordination center of the block enabling module 102.
In an implementation, if any block in the block module 104 encounters an abnormality while backing up node information, for example due to a network abnormality, the block does not send the first acknowledgement message to the coordination center of the block enabling module 102.
In one or more embodiments, if the number of first acknowledgement messages received by the coordination center of the block enabling module 102 within a preset threshold duration is equal to the number of blocks in the block module 104, the block enabling module 102 determines that the pre-commit is successful; if the number of first acknowledgement messages received by the coordination center of the block enabling module 102 within the preset threshold duration is not equal to the number of blocks in the block module 104, the block enabling module 102 determines that the pre-commit has failed.
It should be noted that, the preset threshold duration in the present application is an empirical value, and may be flexibly set according to an actual service requirement, for example, the preset threshold duration may be set to be 3ms.
In an implementation, if any block in the block module 104 encounters an abnormality while backing up node information, for example due to a network abnormality, the block sends a backup abnormality message to the coordination center of the block enabling module 102.
In one or more embodiments, if the messages received by the coordination center of the block enabling module 102 include only first acknowledgement messages, the block enabling module 102 determines that the pre-commit is successful; if the messages received by the coordination center of the block enabling module 102 include both first acknowledgement messages and a backup abnormality message, the block enabling module 102 determines that the pre-commit has failed.
(2) Formal commit:
in practice, if the pre-commit is successful, the block enabling module 102 sends an uplink instruction to all blocks (block 1-block m) in the block module 104; each block in the block module 104 responds to the uplink instruction by performing uplink processing on each link node data in the received link node data set in sequence, and sends a second acknowledgement message to the coordination center of the block enabling module 102 after all link node data have been uplinked; after receiving the second acknowledgement message, the coordination center of the block enabling module 102 can confirm that the block uplink is successful.
Take block 2 in fig. 4 as an example for illustration:
illustratively, if link node 20 and link node 21 already exist in block 2, and the link node data set is N (n1, …, ni, …, nk), then after receiving the uplink instruction, block 2 first creates link node 22 and uploads the link node data n1 in the link node data set N to link node 22; then creates link node 23 and uploads the link node data n2 in the link node data set N to link node 23; and so on, until all k link node data in the link node data set N have been uplinked, at which point block 2 sends a second acknowledgement message to the coordination center of the block enabling module 102.
In practice, if the pre-commit fails, the block enabling module 102 sends a rollback instruction to all blocks (block 1-block m) in the block module 104; each block in the block module 104 responds to the rollback instruction by resetting its link nodes according to the node information stored in its state pool, and sends a third acknowledgement message to the coordination center of the block enabling module 102 after the reset is complete; after the coordination center of the block enabling module 102 receives the third acknowledgement messages sent by all blocks, it can confirm that the uplink of the block module 104 failed and the rollback succeeded, and it re-uplinks the link node data through the secondary commit policy until the uplink succeeds.
In this method, before the link node data are uplinked into the blocks, the node data of the existing link nodes in each block are backed up; only after the backup operation has verified that the system is working normally are the link node data uplinked into the blocks, which ensures the accuracy and consistency of the uplink and improves the reliability of the system.
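The pre-commit, formal commit and rollback flow described above, as an added simulation that is not the patent's own code. The Block class, the state pool representation, the coordination-centre functions and the fault knobs (backup latency, backup abnormality) are constructed here; the 3 ms threshold duration is the example value from the text.

```python
"""Secondary commit policy: pre-commit (backup to state pools, first
acknowledgements within a threshold duration), then either formal commit
(uplink instruction, second acknowledgements) or rollback (third
acknowledgements).  Constructed example, not the patent's implementation."""
import copy
from dataclasses import dataclass, field

THRESHOLD_MS = 3  # preset threshold duration for receiving first acknowledgements


@dataclass
class Block:
    """One block of the block module: its current link nodes, a state pool
    holding the backup, and two constructed fault knobs."""
    name: str
    nodes: list = field(default_factory=list)       # link node data already uplinked
    state_pool: list = field(default_factory=list)  # backup of current node information
    backup_latency_ms: int = 1                      # when the first acknowledgement arrives
    backup_abnormal: bool = False                   # e.g. network abnormality during backup

    def backup(self):
        """Pre-commit step.  Returns the latency of the first acknowledgement,
        or None when the block is abnormal and sends no acknowledgement.  An
        abnormal block keeps whatever its state pool held before."""
        if self.backup_abnormal:
            return None
        self.state_pool = copy.deepcopy(self.nodes)
        return self.backup_latency_ms

    def uplink(self, link_node_set):
        """Formal commit: append each link node data in order, then acknowledge."""
        for link_node in link_node_set:
            self.nodes.append(copy.deepcopy(link_node))
        return True  # second acknowledgement

    def rollback(self):
        """Reset the link nodes from the state pool backup, then acknowledge."""
        self.nodes = copy.deepcopy(self.state_pool)
        return True  # third acknowledgement


def pre_commit(blocks):
    """Coordination centre: count first acknowledgements that arrive within the
    threshold duration; pre-commit succeeds only if every block acknowledged."""
    acks_in_time = 0
    for block in blocks:
        latency = block.backup()
        if latency is not None and latency <= THRESHOLD_MS:
            acks_in_time += 1
    return acks_in_time == len(blocks)


def secondary_commit(blocks, link_node_set):
    """One round of the policy: 'uplinked' when every block acknowledged the
    uplink instruction, 'rolled_back' when pre-commit failed and every block
    acknowledged the rollback instruction."""
    if pre_commit(blocks):
        acks = [block.uplink(link_node_set) for block in blocks]
        return "uplinked" if all(acks) else "uplink_incomplete"
    acks = [block.rollback() for block in blocks]
    return "rolled_back" if all(acks) else "rollback_incomplete"


def commit_until_success(blocks, link_node_set, clear_faults, max_rounds=5):
    """Re-uplink through the secondary commit policy until the uplink succeeds.
    `clear_faults` is a constructed hook standing in for the network recovering."""
    outcomes = []
    for _ in range(max_rounds):
        outcome = secondary_commit(blocks, link_node_set)
        outcomes.append(outcome)
        if outcome == "uplinked":
            break
        clear_faults(blocks)
    return outcomes


def demo():
    """Constructed scenario: 3 blocks (an odd number), block 2 already holds two
    link nodes, block 3 suffers a backup abnormality in the first round.
    Returns the per-round outcomes and the node count of each block."""
    link_node_set = [{"data": "d1", "signature": "sig1"},
                     {"data": "d2", "signature": "sig2"}]
    blocks = [
        Block("block1"),
        Block("block2", nodes=[{"data": "old1", "signature": "s"},
                               {"data": "old2", "signature": "t"}]),
        Block("block3", backup_abnormal=True),
    ]

    def clear_faults(blocks):
        for block in blocks:
            block.backup_abnormal = False

    outcomes = commit_until_success(blocks, link_node_set, clear_faults)
    return outcomes, [len(block.nodes) for block in blocks]


if __name__ == "__main__":
    print(demo())  # (['rolled_back', 'uplinked'], [2, 4, 2])
```

The rollback of a block whose backup never completed restores whatever its state pool held previously, so in a real deployment the state pool must be known to be current before the rollback instruction is issued.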
Fig. 5 shows a schematic diagram of the block module 104 after the uplink operation is complete. As shown in fig. 5, k link nodes (link node 10 to link node 1(k-1)) are generated in block 1, wherein the link node data n1 is stored in link node 10, the link node data n2 is stored in link node 11, …, and the link node data nk is stored in link node 1(k-1).
Similarly, k link nodes (link node 20 to link node 2(k-1)) are also generated in block 2, wherein link node 20 stores the link node data n1, link node 21 stores the link node data n2, …, and link node 2(k-1) stores the link node data nk. The other blocks follow the same pattern.
The same link node data are stored in different blocks, so that the purpose of redundancy setting is achieved, and the high reliability of the DNS server is ensured by using the redundancy setting.
After the uplink operation is performed on the plurality of link node data in at least one block, the tamper listening module 103 is configured to:
and acquiring second domain name data in each link node of at least one block in real time based on the preset duration, and determining a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address.
Fig. 6 shows a schematic structural diagram of the tamper listening module 103. As shown in fig. 6, the tamper listening module 103 includes a plurality of probes 1031 (probe 1 to probe m) and a listening processing unit 1032, wherein the plurality of probes 1031 are disposed on the corresponding blocks in sequence, i.e., probe 1 is disposed on block 1, probe 2 is disposed on block 2, …, probe m is disposed on block m, and the output ends of the plurality of probes 1031 (probe 1 to probe m) are connected to the listening processing unit 1032.
In a specific implementation, the plurality of probes 1031 (probe 1 to probe m) each monitor their corresponding block according to the preset duration; specifically, each probe monitors the data stored in each link node of its block in sequence and transmits the monitored data, i.e., the second domain name data, to the listening processing unit 1032.
Taking probe 2 and block 2 of fig. 6 as an example:
illustratively, probe 2 first monitors link node 20 in block 2 to obtain the second domain name data a21 stored in link node 20; then it monitors link node 21 to obtain the second domain name data a22 stored in link node 21; and so on, until the last link node 2(k-1) is monitored and the second domain name data a2k stored in link node 2(k-1) is obtained.
In one or more embodiments, the probes (probe 1 to probe m) in the embodiments of the present invention may be self-timed listening probes, where the self-timed interval is the preset duration.
It should be noted that, in the embodiment of the present invention, the preset duration is an empirical value, and may be flexibly set according to an actual service requirement, for example, the preset duration may be set to be 6h.
In a specific implementation, after receiving the second domain name data from any block, the listening processing unit 1032 determines a current encryption signature corresponding to each link node in the block according to the second domain name data and the DNS server address, where a determination manner of the current encryption signature may refer to a calculation manner of the initial encryption signature, which is not described herein.
Take block 2 in fig. 6 as an example for illustration:
illustratively, the encryption key corresponding to the second domain name data a21 is: key21 = DNS server address IP0, the current encrypted signature corresponding to the second domain name data a21 is: signature 21=sha256 (sha256 (key 21) +sha256 (a 21));
the encryption key corresponding to the second domain name data a22 is: key 22=signature 21, and the current encrypted signature corresponding to the second domain name data a22 is: signature 22=sha256 (sha256 (key 22) +sha256 (a 22));
and so on, until the encryption key corresponding to the second domain name data a2k is determined as: key 2k=signature 2(k-1), and the current encryption signature corresponding to the second domain name data a2k is: signature 2k=sha256 (sha256 (key 2k) +sha256 (a 2k)).
After determining the current encryption signature, the tamper listening module 103 is further configured to:
for any one block, compare the current encryption signature corresponding to each link node in the block with the initial encryption signature in the link node data stored in the block, select an abnormal link node from the plurality of link nodes of the block according to the comparison result, and take the abnormal link node offline.
In one or more embodiments, the present invention may employ a secondary (repeated) comparison method when comparing the current encryption signature with the initial encryption signature.
In an alternative embodiment, tamper listening module 103 selects an abnormal link node according to the following:
and selecting a link node with the comparison result that the current encryption signature is inconsistent with the initial encryption signature as an abnormal link node.
In one or more embodiments, a link node whose comparison result is that the current cryptographic signature and the initial cryptographic signature agree is taken as a normal link node.
Illustratively, assume that the initial encrypted signature stored in link node 20 of block 2 is: signature 1= "1033C30AE28488FF7497D61D2 DA 1DA50AB480824186a24019D6736126870FB01";
the current encryption signature corresponding to link node 20, as determined by the tamper listening module 103, is: signature 21= "1033C30AE28488FF7497D61D2FB1DA50AB480824186a24019D6736126870FBF9";
since the current encryption signature 21 is not consistent with the initial encryption signature 1, link node 20 is regarded as an abnormal link node.
Illustratively, assume that the initial encrypted signature stored in link node 21 of block 2 is: signature 2= "1033C30AE28488FF7497D61D2 DA 1 AB 50AB480824186a24019D6736126870FB88";
the current encryption signature corresponding to link node 21, as determined by the tamper listening module 103, is: signature 22= "1033C30AE28488FF7497D61D2 DA 1DA50AB480824186a24019D6736126870FB88";
since the current encryption signature 22 is identical to the initial encryption signature 2, link node 21 is regarded as a normal link node.
According to this method, whether the domain name data stored in a link node has been tampered with is determined by comparing the current encryption signature with the initial encryption signature: if the current encryption signature is not consistent with the initial encryption signature, the domain name data in the link node is tampered domain name data and the link node is set as an abnormal link node. This reduces the probability that the DNS server resolves a domain name sent by a client to an erroneous IP address according to tampered domain name data, which would cause network security problems such as user information leakage, and thus improves the security and reliability of the domain name system.
In an alternative embodiment, the tamper listening module 103 is further configured to:
take the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the safety coefficient of the block; compare the safety coefficient with a preset coefficient threshold, and if the safety coefficient is determined to be smaller than the preset coefficient threshold, take the abnormal link node offline.
In one or more embodiments, if the number of abnormal link nodes is 0, it is indicated that the DNS has not been tampered with.
Illustratively, assume that the total number of link nodes in block 2 is num(node2)=k and the number of abnormal link nodes in block 2 is tmp2=j; then the safety coefficient of block 2 is:
safe2=tmp2/num(node2)=j/k.
for example, assume that the preset coefficient threshold is threshold=30% and the total number of link nodes in block 2 is num(node2)=10, where only link node 20 is monitored to be an abnormal link node; then the safety coefficient of block 2 is safe2=10%. Since the safety coefficient safe2=10% is smaller than the preset coefficient threshold threshold=30%, link node 20 is taken offline to ensure the normal availability of the DNS.
In one or more embodiments, the preset coefficient threshold in the embodiments of the present invention is an empirical value, and may be flexibly set according to actual service requirements. For example, the preset coefficient threshold value may be set to 30%.
According to this method, a preset coefficient threshold is set, and when the safety coefficient is smaller than the preset coefficient threshold, the abnormal link node is taken offline, so that the tampered link data stored in the abnormal link node is prevented from being used; this improves the accuracy of domain name resolution, further improves the security of the domain name system, and safeguards the information security of users.
In an alternative embodiment, the tamper listening module 103 is further configured to:
taking the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the safety coefficient of the block; and comparing the safety coefficient with a preset coefficient threshold, and if the safety coefficient is not smaller than the preset coefficient threshold, updating each link node in the block according to the link node data.
For example, assume that the preset coefficient threshold is threshold=30% and the total number of link nodes in block 2 is num(node2)=10, where link nodes 20, 21, 24, and 25 are all monitored to be abnormal link nodes; then the safety coefficient of block 2 is safe2=40%. Since the safety coefficient safe2=40% of block 2 is greater than the preset coefficient threshold threshold=30%, the data stored in the link nodes of block 2 is taken offline and re-uplinked to update block 2.
According to this method, a preset coefficient threshold is set, and when the safety coefficient is not smaller than the preset coefficient threshold, that is, when there are too many abnormal link nodes in the block, the block is reset or updated, so that the security and availability of the domain name system are guaranteed.
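The chained signature construction of the transaction consensus module, the probe-side recomputation and comparison of the tamper listening module, and the safety coefficient decision described above, as one added example that is not the patent's code. Assumptions: SHA256 is applied to UTF-8 text, the "+" in SHA256(SHA256(key)+SHA256(d)) is concatenation of the two hex digests, and the 30% threshold is the example value from the text; the `chain_from_stored` variant is an addition for comparison, not something the text describes.

```python
"""Chained SHA256 signatures over cached domain name data, recomputation from
probed data, and the safety coefficient decision.  Constructed example."""
import hashlib

PRESET_COEFFICIENT_THRESHOLD = 0.30  # example value from the text


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def encryption_signature(key, domain_data):
    """signature = SHA256(SHA256(key) + SHA256(d)); '+' taken as concatenation
    of the hex digests (assumption)."""
    return sha256_hex(sha256_hex(key) + sha256_hex(domain_data))


def build_link_nodes(server_address, first_domain_data):
    """Transaction consensus module: key_1 = IP0, key_i = signature_{i-1};
    returns link node data n_i = (d_i, key_i, signature_i)."""
    link_nodes = []
    key = server_address
    for d in first_domain_data:
        signature = encryption_signature(key, d)
        link_nodes.append({"data": d, "key": key, "signature": signature})
        key = signature
    return link_nodes


def find_abnormal_nodes(server_address, stored_nodes, second_domain_data,
                        chain_from_stored=False):
    """Tamper listening: recompute the current signature of each link node from
    the probed second domain name data and compare it with the stored initial
    signature.  By default the next key is the current signature just computed,
    as in the text, so one mismatch at node i also makes every later node
    mismatch.  With chain_from_stored=True (added variant) the next key is the
    stored initial signature, which keeps the mismatch local to the tampered
    node.  Returns the indices of abnormal link nodes."""
    abnormal = []
    key = server_address
    for idx, (node, observed) in enumerate(zip(stored_nodes, second_domain_data)):
        current = encryption_signature(key, observed)
        if current != node["signature"]:
            abnormal.append(idx)
        key = node["signature"] if chain_from_stored else current
    return abnormal


def safety_coefficient(abnormal_count, total_nodes):
    """safe = number of abnormal link nodes / total number of link nodes."""
    return abnormal_count / total_nodes


def decide_action(abnormal, total_nodes, threshold=PRESET_COEFFICIENT_THRESHOLD):
    """No abnormal nodes: not tampered.  Coefficient below the threshold: take
    the abnormal nodes offline.  Otherwise: update every node in the block."""
    if not abnormal:
        return "not_tampered"
    if safety_coefficient(len(abnormal), total_nodes) < threshold:
        return "offline_abnormal_nodes"
    return "update_block"


def demo():
    """Constructed scenario: 10 cached records are chained, then a probe later
    observes that link node 20 (index 0) holds a different address."""
    ip0 = "198.51.100.10"  # constructed DNS server address
    records = [f"host{i}.example.net A 203.0.113.{i}" for i in range(10)]
    nodes = build_link_nodes(ip0, records)
    observed = list(records)
    observed[0] = "host0.example.net A 192.0.2.99"  # tampered domain name data
    cascade = find_abnormal_nodes(ip0, nodes, observed)
    local = find_abnormal_nodes(ip0, nodes, observed, chain_from_stored=True)
    return cascade, local, decide_action(local, len(nodes))


if __name__ == "__main__":
    print(demo())  # ([0, 1, ..., 9], [0], 'offline_abnormal_nodes')
```

Because the only key material is the DNS server address, the chain is an integrity check rather than a keyed authentication: its value rests on the stored initial signatures being kept apart from the data they cover.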
For the DNS server in fig. 1, fig. 7 shows a complete flow diagram of a protection method for implementing DNS by using the DNS server according to the embodiment of the present invention, as shown in fig. 7, including the following steps:
step S701, the transaction consensus module 101 performs a data extraction operation on the DNS server 100 to obtain a DNS server address and a plurality of first domain name data;
step S702, the transaction consensus module 101 identifies whether the current first domain name data is the first in order; if so, step S703 is executed, otherwise step S704 is executed;
step S703, the transaction consensus module 101 uses the DNS server address as an encryption key;
step S704, the transaction consensus module 101 uses the initial encryption signature corresponding to the previous first domain name data adjacent to the current first domain name data as an encryption key;
step S705, the transaction consensus module 101 performs encryption operation on the encryption key to obtain first encrypted data, performs encryption operation on the first domain name data to obtain second encrypted data, and performs encryption operation on the sum of the first encrypted data and the second encrypted data to obtain an initial encrypted signature corresponding to the first domain name data;
step S706, the transaction consensus module 101 confirms whether the processing of all the first domain name data has been completed, if yes, step S707 is executed, otherwise step S702 is executed;
Step S707, the transaction consensus module 101 combines the first domain name data and the initial encrypted signature corresponding to the first domain name data to obtain a plurality of link node data, and transmits the link node data to the block enabling module 102;
step S708, the block enabling module 102 issues a data backup command and a link node data set to all the blocks in the block module 104;
step S709, all blocks in the block module 104 respond to the data backup instruction, back up the node information of all their current link nodes, and send a first acknowledgement message to the block enabling module 102 after the backup is complete;
step S710, the block enabling module 102 determines whether a first acknowledgement message of all blocks is received, if yes, step S711 is executed, otherwise, step S712 is executed;
step S711, the block enabling module 102 sends an uplink instruction to all the blocks in the block module 104, so that the blocks perform the uplink operation of the link node data;
step S712, the block enabling module 102 sends a rollback instruction to all the blocks in the block module 104 to make the blocks rollback;
step S713, the tamper monitoring module 103 acquires, in real time, second domain name data in each link node of all blocks in the block module 104 based on a preset duration, and determines a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address;
step S714, the tamper listening module 103 compares the current encryption signature corresponding to each link node in the block with the initial encryption signature in the link node data stored in the block; if they are inconsistent, S715 is executed, otherwise S716 is executed;
step S715, the tamper monitoring module 103 identifies the link node as an abnormal link node, and counts the number;
step S716, the tamper monitoring module 103 identifies the link node as a normal link node;
step S717, the tamper monitoring module 103 calculates the ratio of the number of abnormal link nodes to the total number of link nodes in the block, to obtain the security coefficient of the block;
step S718, the tamper monitoring module 103 determines whether the security coefficient is smaller than a preset coefficient threshold, if yes, S719 is executed, otherwise S720 is executed;
step S719, the tamper listening module 103 takes the abnormal link node offline;
step S720, the tamper listening module 103 updates each link node in the block according to the link node data.
In this DNS protection method, a chained signature is computed from the DNS server address and the locally cached first domain name data, and the resulting link node data are uplinked into the blockchain. Performing the encryption in a chained-signature manner and relying on the tamper-resistance of the blockchain raises the cost of tampering, reduces the probability that the domain name data are tampered with, and improves the security of the domain name data. In addition, the current encryption signature is determined from the second domain name data obtained in real time from the uplinked nodes of the blockchain, and whether the domain name data stored in the current link node has changed is judged from the consistency of the current encryption signature with the initial encryption signature. This realizes real-time monitoring of tampering behaviour, improves monitoring efficiency, reduces the probability of problems such as user information leakage and property loss caused by network security vulnerabilities, and further improves the security of the domain name system.
Example Two
Based on the same conception, the embodiment of the invention also provides a protection method of the DNS, which is applied to the DNS server, and because the method is the method in the DNS server in the embodiment of the invention, and the principle of solving the problem of the method is similar to that of the system, the implementation of the method can be referred to the implementation of the DNS server, and the repetition is omitted.
For the DNS server in fig. 1, fig. 8 shows a flowchart of a protection method for implementing DNS by using the DNS server according to the embodiment of the present invention, where as shown in fig. 8, the method includes the following steps:
step S801, determining an initial encryption signature corresponding to each first domain name data according to a DNS server address and a plurality of first domain name data, and constructing link node data based on the initial encryption signature and the first domain name data;
step S802, after uplink operation is carried out on a plurality of link node data in at least one block, acquiring second domain name data in each link node of the at least one block in real time based on preset duration, and determining a current encryption signature corresponding to each link node according to the second domain name data and a DNS server address;
step S803, for any block, comparing the current encryption signature corresponding to each link node in the block with the initial encryption signature in the link node data stored in the block, selecting an abnormal link node from the plurality of link nodes of the block according to the comparison result, and taking the abnormal link node offline.
In an alternative embodiment, determining an initial cryptographic signature corresponding to each first domain name data from a domain name system DNS server address and the plurality of first domain name data includes:
for any one of the plurality of first domain name data, the initial cryptographic signature corresponding to the first domain name data is determined by:
determining an encryption key based on the position of the first domain name data among the plurality of first domain name data and on the DNS server address;
and carrying out encryption operation on the sum of the first encryption data and the second encryption data, and taking the result of the encryption operation as an initial encryption signature, wherein the first encryption data is obtained by carrying out encryption operation on an encryption key, and the second encryption data is obtained by carrying out encryption operation on the first domain name data.
In an alternative embodiment, determining the encryption key based on the position of the first domain name data and on the DNS server address includes:
if the first domain name data is the first domain name data in the plurality of first domain name data, the DNS server address is used as an encryption key;
if the first domain name data is non-first domain name data in the plurality of first domain name data, an initial encryption signature corresponding to the previous first domain name data adjacent to the first domain name data is used as an encryption key.
In an alternative embodiment, selecting an abnormal link node among the plurality of link nodes of the block according to the comparison result includes:
and selecting a link node with the comparison result that the current encryption signature is inconsistent with the initial encryption signature as an abnormal link node.
In an alternative embodiment, after selecting the abnormal link node from the plurality of link nodes of the block according to the comparison result, before dropping the abnormal link node, the method further includes:
taking the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the safety coefficient of the block;
and comparing the safety coefficient with a preset coefficient threshold value, and determining that the safety coefficient is smaller than the preset coefficient threshold value.
In an alternative embodiment, after selecting an abnormal link node among the plurality of link nodes of the block according to the comparison result, the method further includes:
taking the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the safety coefficient of the block;
and comparing the safety coefficient with a preset coefficient threshold, and if the safety coefficient is not smaller than the preset coefficient threshold, updating each link node in the block according to the link node data.
In an alternative embodiment, after constructing the link node data, before the uplink operation is performed on the plurality of link node data in at least one block, the method further includes:
and carrying out backup processing on node information of all current link nodes in the block aiming at any block.
Example Three
Based on the same conception, the embodiment of the present invention provides a protection device for implementing DNS, and since the device is a device in the method of the embodiment of the present invention and the principle of the device for solving the problem is similar to that of the method, the implementation of the device may refer to the implementation of the method, and the repetition is omitted.
As shown in fig. 9, the above device includes the following modules:
a first data processing module 901, configured to determine an initial encryption signature corresponding to each first domain name data according to the DNS server address and the plurality of first domain name data, and construct link node data based on the initial encryption signature and the first domain name data;
The second data processing module 902 is configured to obtain, in real time, second domain name data in each link node of at least one block based on a preset duration after performing a uplink operation on the plurality of link node data in the at least one block, and determine a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address;
The link node processing module 903 is configured to compare, for any block, a current encryption signature corresponding to each link node in the block with an initial encryption signature in link node data stored in the block, select an abnormal link node from a plurality of link nodes in the block according to a comparison result, and drop the abnormal link node.
In an alternative embodiment, the first data processing module 901 is specifically configured to:
for any one of the plurality of first domain name data, the initial cryptographic signature corresponding to the first domain name data is determined by:
determining an encryption key based on the position of the first domain name data among the plurality of first domain name data and on the DNS server address;
and carrying out encryption operation on the sum of the first encryption data and the second encryption data, and taking the result of the encryption operation as an initial encryption signature, wherein the first encryption data is obtained by carrying out encryption operation on an encryption key, and the second encryption data is obtained by carrying out encryption operation on the first domain name data.
In an alternative embodiment, the first data processing module 901 is specifically configured to:
if the first domain name data is the earliest one among the plurality of first domain name data, the DNS server address is used as the encryption key;
otherwise, the initial encryption signature corresponding to the immediately preceding first domain name data is used as the encryption key.
In an alternative embodiment, the link node processing module 903 is specifically configured to:
and selecting a link node with the comparison result that the current encryption signature is inconsistent with the initial encryption signature as an abnormal link node.
In an alternative embodiment, the apparatus further includes a first security coefficient determination module;
the first security coefficient determination module is configured to take the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the security coefficient of the block, compare the security coefficient with a preset coefficient threshold, and determine that the security coefficient is smaller than the preset coefficient threshold.
In an alternative embodiment, the apparatus further comprises a second security coefficient determination module;
the second security coefficient determination module is configured to take the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the security coefficient of the block, compare the security coefficient with a preset coefficient threshold, and, if the security coefficient is not smaller than the preset coefficient threshold, update each link node in the block according to the stored link node data.
In an alternative embodiment, the apparatus further includes a node data backup module;
the node data backup module is configured to back up, for any block, the node information of all current link nodes in that block.
Example IV
Based on the same conception, the embodiment of the present invention also provides a DNS server. Since this DNS server is the DNS server used in the method of the embodiment of the present invention, and the principle by which it solves the problem is similar to that of the method, the implementation of the DNS server may refer to the implementation of the method, and repeated description is omitted.
A DNS server 100 according to this embodiment of the present invention is described below with reference to fig. 10. The DNS server 100 shown in fig. 10 is merely an example, and should not impose any limitation on the functions and usage scope of the embodiments of the present invention.
As shown in fig. 10, DNS server 100 may be in the form of a general purpose computing device, which may be an embedded network device, for example. Components of DNS server 100 may include, but are not limited to: the at least one processor 101, the at least one memory 102 storing instructions executable by the processor 101, and a bus 103 connecting the various system components, including the memory 102 and the processor 101, the processor 101 being a processor of a smart device.
In one possible implementation, the processor 101 implements the following steps by executing executable instructions:
determining an initial encryption signature corresponding to each first domain name data according to the DNS server address and the plurality of first domain name data, and constructing link node data based on the initial encryption signature and the first domain name data;
after an uplink operation is carried out on the plurality of link node data in at least one block, acquiring second domain name data in each link node of the at least one block in real time based on a preset duration, and determining a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address;
for any one block, comparing the current encryption signature corresponding to each link node in the block with the initial encryption signature in the link node data stored by the block, selecting an abnormal link node from the plurality of link nodes of the block according to the comparison result, and dropping the abnormal link node.
In an alternative embodiment, processor 101 is specifically configured to:
for any one of the plurality of first domain name data, the initial cryptographic signature corresponding to the first domain name data is determined by:
determining an encryption key based on the position of the first domain name data within the plurality of first domain name data and on the DNS server address;
performing an encryption operation on the sum of the first encryption data and the second encryption data, and taking the result of the encryption operation as the initial encryption signature, where the first encryption data is obtained by performing the encryption operation on the encryption key, and the second encryption data is obtained by performing the encryption operation on the first domain name data.
In an alternative embodiment, processor 101 is specifically configured to:
if the first domain name data is the earliest one among the plurality of first domain name data, the DNS server address is used as the encryption key;
otherwise, the initial encryption signature corresponding to the immediately preceding first domain name data is used as the encryption key.
In an alternative embodiment, processor 101 is specifically configured to:
and selecting a link node with the comparison result that the current encryption signature is inconsistent with the initial encryption signature as an abnormal link node.
In an alternative embodiment, the processor 101 is further configured to:
taking the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the safety coefficient of the block; and comparing the safety coefficient with a preset coefficient threshold value, and determining that the safety coefficient is smaller than the preset coefficient threshold value.
In an alternative embodiment, the processor 101 is further configured to:
taking the ratio of the number of abnormal link nodes to the total number of link nodes in the block as the safety coefficient of the block; and comparing the safety coefficient with a preset coefficient threshold, and if the safety coefficient is not smaller than the preset coefficient threshold, updating each link node in the block according to the link node data.
In an alternative embodiment, the processor 101 is further configured to:
backing up, for any block, the node information of all current link nodes in that block.
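The chained-signature check that Examples III and IV (and claims 1-7) describe, as an added Python illustration that is not the patent's own code. It assumes, because the patent leaves them open, that the "encryption operation" is SHA-256, that the "sum" of the two encryption data is their concatenation, and that each current signature is recomputed with the stored initial signature of the preceding node as its key, so a mismatch localises to the altered node; the server address and records are constructed sample input.

```python
# Added example (not the patent's own code): chained-signature integrity check
# for DNS records stored as link nodes in a block, per Examples III/IV and
# claims 1-7. Assumed (the patent does not fix them): SHA-256 as the
# "encryption operation", concatenation as the "sum" of the two encryption
# data, and the stored initial signature of node i-1 as the key when the
# current signature of node i is recomputed.
from __future__ import annotations

import hashlib
from dataclasses import dataclass


def enc(data: bytes) -> bytes:
    """Stand-in for the patent's unspecified 'encryption operation' (assumed)."""
    return hashlib.sha256(data).digest()


def make_signature(domain_data: bytes, key: bytes) -> bytes:
    """E(E(key) || E(domain_data)): first encryption data is E(key), second is
    E(domain data); their 'sum' (concatenation here) is encrypted once more."""
    first = enc(key)
    second = enc(domain_data)
    return enc(first + second)


@dataclass(frozen=True)
class LinkNode:
    domain_data: bytes        # first domain name data recorded at uplink time
    initial_signature: bytes  # stored in the block next to the data


def build_block(server_addr: bytes, records: list[bytes]) -> list[LinkNode]:
    """Claims 2-3: the earliest record is keyed with the DNS server address,
    every later record with the initial signature of the record before it."""
    nodes, key = [], server_addr
    for rec in records:
        sig = make_signature(rec, key)
        nodes.append(LinkNode(rec, sig))
        key = sig  # chain: this signature keys the next record
    return nodes


def find_abnormal(server_addr: bytes, nodes: list[LinkNode],
                  current: list[bytes]) -> list[int]:
    """Claim 4: recompute each node's signature from its current (second)
    domain name data and flag indices whose result differs from the stored one.
    Keying with the *stored* previous signature (assumed) keeps a single altered
    record from flagging every node after it."""
    abnormal = []
    for i, (node, data) in enumerate(zip(nodes, current)):
        key = server_addr if i == 0 else nodes[i - 1].initial_signature
        if make_signature(data, key) != node.initial_signature:
            abnormal.append(i)
    return abnormal


def safety_coefficient(abnormal: list[int], nodes: list[LinkNode]) -> float:
    """Claims 5-6: ratio of abnormal link nodes to all link nodes in the block."""
    return len(abnormal) / len(nodes) if nodes else 0.0


def protect_block(server_addr: bytes, nodes: list[LinkNode],
                  current: list[bytes], threshold: float):
    """Returns (action, surviving domain data). Below the threshold only the
    abnormal nodes are dropped (claim 5); otherwise every node is rewritten
    from the link node data kept in the block (claim 6, backed up per claim 7)."""
    abnormal = find_abnormal(server_addr, nodes, current)
    if safety_coefficient(abnormal, nodes) < threshold:
        kept = [d for i, d in enumerate(current) if i not in abnormal]
        return "drop", kept
    return "restore", [n.domain_data for n in nodes]


# Constructed sample input: RFC 5737 documentation addresses, not real hosts.
SERVER_ADDR = b"192.0.2.53"
RECORDS = [
    b"www.example.com A 192.0.2.10",
    b"mail.example.com A 192.0.2.20",
    b"api.example.com A 192.0.2.30",
    b"cdn.example.com A 192.0.2.40",
]

if __name__ == "__main__":
    block = build_block(SERVER_ADDR, RECORDS)
    tampered = list(RECORDS)  # one record altered after uplink: 1 of 4 = 0.25
    tampered[1] = b"mail.example.com A 198.51.100.99"
    print(find_abnormal(SERVER_ADDR, block, tampered))          # [1]
    print(protect_block(SERVER_ADDR, block, tampered, 0.5)[0])  # drop
```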
Bus 103 represents one or more of several types of bus structures, including a memory bus or memory controller, a peripheral bus, a processor, and a local bus using any of a variety of bus architectures.
Memory 102 may include readable media in the form of volatile memory, such as Random Access Memory (RAM) 1021 and/or cache memory 1022, and may further include Read Only Memory (ROM) 1023.
Memory 102 may also include program/utility 1025 having a set (at least one) of program modules 1024, such program modules 1024 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each or some combination of which may include an implementation of a network environment.
DNS server 100 may also communicate with one or more external devices 104 (e.g., keyboard, pointing device, etc.), one or more devices that enable a user to interact with DNS server 100, and/or any device (e.g., router, modem, etc.) that enables DNS server 100 to communicate with one or more other computing devices. Such communication may occur through an input/output (I/O) interface 105. Also, DNS server 100 may also communicate with one or more networks, such as a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet, through network adapter 106. As shown, network adapter 106 communicates with other modules of DNS server 100 via bus 103. It should be appreciated that although not shown, other hardware and/or software modules may be used in connection with DNS server 100, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, data backup storage systems, and the like.
Example V
In some possible embodiments, the aspects of the present invention may also be implemented in the form of a program product, which includes program code for causing a DNS server to execute the steps of the modules of the DNS protection method according to the various exemplary embodiments of the present disclosure described in the "exemplary method" section above, when the program product is run on a terminal device; for example: determining an initial encryption signature corresponding to each first domain name data from a DNS server address and a plurality of first domain name data, and constructing link node data based on the initial encryption signature and the first domain name data; after an uplink operation is carried out on the plurality of link node data in at least one block, acquiring second domain name data in each link node of the at least one block in real time based on a preset duration, and determining a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address; and, for any one block, comparing the current encryption signature corresponding to each link node in the block with the initial encryption signature in the link node data stored by the block, selecting an abnormal link node from the plurality of link nodes of the block according to the comparison result, and dropping the abnormal link node.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. The readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium would include the following: an electrical connection having one or more wires, a portable disk, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), optical fiber, portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
As shown in fig. 11, a program product 110 for implementing a DNS protection method according to an embodiment of the present invention is described, which may employ a portable compact disc read-only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present invention is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The readable signal medium may include a data signal propagated in baseband or as part of a carrier wave with readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations of the present invention may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
It should be noted that while several modules or sub-modules of the system are mentioned in the detailed description above, such partitioning is merely exemplary and not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present invention. Conversely, the features and functions of one module described above may be further divided into a plurality of modules to be embodied.
Furthermore, while the operations of the various modules of the inventive system are depicted in a particular order in the drawings, this is not required to either imply that the operations must be performed in that particular order or that all of the illustrated operations be performed to achieve desirable results. Additionally or alternatively, certain operations may be omitted, multiple operations combined into one operation execution, and/or one operation decomposed into multiple operation executions.
The present application is described above with reference to block diagrams and/or flowchart illustrations of methods, apparatus (systems) and/or computer program products according to embodiments of the application. It will be understood that one block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, and/or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer and/or other programmable data processing apparatus, create means for implementing the functions/acts specified in the block diagrams and/or flowchart block or blocks.
Accordingly, the present application may also be embodied in hardware and/or in software (including firmware, resident software, micro-code, etc.). Still further, the present application may take the form of a computer program product on a computer-usable or computer-readable storage medium having computer-usable or computer-readable program code embodied in the medium for use by or in connection with an instruction execution system. In the context of this application, a computer-usable or computer-readable medium may be any medium that can contain, store, communicate, propagate, or transport the program for use by or in connection with the instruction execution system, apparatus, or device.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (10)

1. A method for protecting domain name system DNS, comprising:
determining an initial encryption signature corresponding to each first domain name data according to a DNS server address and a plurality of first domain name data, and constructing link node data based on the initial encryption signature and the first domain name data;
After uplink operation is carried out on the plurality of link node data in at least one block, acquiring second domain name data in each link node of the at least one block in real time based on preset time length, and determining a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address;
and, for any block, comparing the current encryption signature corresponding to each link node in the block with the initial encryption signature in the link node data stored by the block, selecting an abnormal link node from a plurality of link nodes of the block according to the comparison result, and dropping the abnormal link node.
2. The method of claim 1, wherein determining an initial cryptographic signature for each first domain name data based on a domain name system DNS server address and the plurality of first domain name data comprises:
for any one of the plurality of first domain name data, the initial encrypted signature corresponding to the first domain name data is determined by:
determining an encryption key based on the position of the first domain name data within the plurality of first domain name data and on the DNS server address;
and carrying out an encryption operation on the sum of the first encryption data and the second encryption data, and taking the result of the encryption operation as the initial encryption signature, wherein the first encryption data is obtained by carrying out the encryption operation on the encryption key, and the second encryption data is obtained by carrying out the encryption operation on the first domain name data.
3. The method of claim 2, wherein the determining an encryption key based on the position of the first domain name data and on the DNS server address comprises:
if the first domain name data is the earliest one among the plurality of first domain name data, using the DNS server address as the encryption key;
and if the first domain name data is not the earliest one among the plurality of first domain name data, taking the initial encryption signature corresponding to the immediately preceding first domain name data as the encryption key.
4. The method of claim 1, wherein selecting an abnormal link node among the plurality of link nodes of the block according to the comparison result comprises:
and selecting a link node with the inconsistent current encryption signature and the initial encryption signature as the abnormal link node according to the comparison result.
5. The method of claim 1, wherein after selecting an abnormal link node among the plurality of link nodes of the block according to the comparison result, and before dropping the abnormal link node, the method further comprises:
taking the ratio of the number of the abnormal link nodes to the total number of the link nodes in the block as the safety coefficient of the block;
comparing the safety coefficient with a preset coefficient threshold value, and determining that the safety coefficient is smaller than the preset coefficient threshold value.
6. The method of claim 1, wherein after selecting an abnormal link node among the plurality of link nodes of the block according to the comparison result, further comprising:
taking the ratio of the number of the abnormal link nodes to the total number of the link nodes in the block as the safety coefficient of the block;
and comparing the safety coefficient with a preset coefficient threshold, and if the safety coefficient is not smaller than the preset coefficient threshold, updating each link node in the block according to the link node data.
7. The method of any of claims 1-6, wherein after the constructing the link node data, and before the uplink operation of the plurality of link node data in at least one block, the method further comprises:
backing up, for any block, the node information of all current link nodes in that block.
8. A domain name system DNS protection device, comprising:
a first data processing module, configured to determine an initial encryption signature corresponding to each first domain name data according to a DNS server address and a plurality of first domain name data, and construct link node data based on the initial encryption signature and the first domain name data;
The second data processing module is used for acquiring second domain name data in each link node of at least one block in real time based on preset duration after the uplink operation of the plurality of link node data in the at least one block, and determining a current encryption signature corresponding to each link node according to the second domain name data and the DNS server address;
the link node processing module is used for comparing, for any block, the current encryption signature corresponding to each link node in the block with the initial encryption signature in the link node data stored by the block itself, selecting an abnormal link node from a plurality of link nodes of the block according to the comparison result, and dropping the abnormal link node.
9. A domain name system DNS server, comprising:
a memory for storing executable instructions;
a processor for reading and executing executable instructions stored in said memory to implement the steps of the domain name system DNS protection method according to any of the claims 1-7.
10. A computer readable storage medium storing computer instructions which, when run on a computer, cause the computer to perform the steps of the domain name system DNS protection method according to any of the claims 1-7.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311385247.5A CN117376305A (en) 2023-10-24 2023-10-24 Domain Name System (DNS) protection method and device and DNS server

Publications (1)

Publication Number Publication Date
CN117376305A true CN117376305A (en) 2024-01-09

Family

ID=89392442

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311385247.5A Pending CN117376305A (en) 2023-10-24 2023-10-24 Domain Name System (DNS) protection method and device and DNS server

Country Status (1)

Country Link
CN (1) CN117376305A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination