CN101895591B - Method and domain name server for increasing robustness of credible Internet domain name service

Publication number: CN101895591B
Authority: CN (China)
Legal status: Expired - Fee Related
Application number: CN2010102377574A
Other languages: Chinese (zh)
Other versions: CN101895591A
Inventors: 刘枫, 何大中, 李为民, 刘芳, 雷振明
Current assignee: Beijing University of Posts and Telecommunications
Original assignee: Beijing University of Posts and Telecommunications
Application filed by Beijing University of Posts and Telecommunications; priority to CN2010102377574A; published as CN101895591A; application granted and published as CN101895591B; legal status: Expired - Fee Related.

Abstract

The invention provides a method and a domain name server for increasing the robustness of credible Internet domain name service. The domain name server obtains the operational state of each associated domain name server in real time; when an associated domain name server is operating normally, the corresponding domain name information is cached under the timeout (TTL) mechanism and the corresponding source domain name server is recorded; when an associated domain name server has failed, all domain name information that has the failed server as its source is stored permanently. In addition, a credibility evaluation mechanism is introduced: the credibility of each domain name server is evaluated against a domain name server credibility white list. With the method and domain name server of the invention, when an associated domain name server fails, the local domain name server keeps as much domain name information cached as possible and answers client domain name queries from that cache during the period in which the associated server is not responding, thus keeping the domain name server usable during that period as far as possible and increasing the robustness and credibility of credible Internet domain name service.

Description

Method and name server for improving the robustness of credible Internet domain name service
Technical field
The present invention relates to the technical field of computer networks, and in particular to a method and a name server for improving the robustness of credible Internet domain name service.
Background technology
In today's society the Internet has become one of the most important information infrastructures; society's dependence on the Internet keeps growing, and the requirements for a safe and reliable Internet and for the credibility of Internet applications and information are becoming ever stronger.
The fragility and untrustworthiness of the current Internet show up in every link of network design, implementation and operational management, and the frequently erupting Internet security incidents are the concrete manifestation of this fragility. The consequence of the Internet's untrustworthiness is that governments and the public show great concern about its application prospects, people lack the confidence to move key applications wholesale onto the Internet, and the deep application of the Internet is greatly limited, seriously restricting the development of the Internet and the realization of its great potential. At the same time, the security problems of the Internet also affect the healthy development of the national economy and even threaten social stability and national security. Although the existing Internet has undergone costly repairs at every layer of the network architecture, huge hidden security risks remain. Therefore, credible Internet security and network services have become key technologies for building a highly credible Internet.
The Domain Name System (DNS) is used to name computers and network services organized into a domain hierarchy. The availability of the domain name system affects the availability of many other Internet applications, for example SMTP, SIP, POP3, IMAP, SSH and so on; the robustness of the domain name system is therefore critical to the Internet.
In recent years a number of denial-of-service attacks against the domain name system have taken place on the Internet, for example: in 2002 the root name server of www.ripe.net was attacked and could not provide service to the outside world normally; in 2002 the Ultra name server was attacked; in 2004 Akamai's name servers received an attack on name servers from a botnet; most recently, in 2009, the incident in which MPC software paralysed telecommunications name servers happened precisely because the domain name service provider DNSPod had received a denial-of-service attack against its name servers; and so on. These attacks, which target all kinds of Internet applications, caused damage of varying degree and corresponding economic loss.
It can be seen that domain name service occupies a critical position in the present network application structure. Likewise, improving the robustness of credible Internet domain name service and reducing the impact of accidents and attacks on domain name service is of the utmost importance.
At present, some research and methods for strengthening the reliability of domain name service have been proposed. Because the domain name service is structured in layers and classes, there are far fewer high-level name servers than low-level ones, which creates a hidden risk for the robustness of the high-level name servers; some research therefore proposes using IP anycast technology to increase the redundancy of high-level name servers. However, this solution requires investing in a large number of additional name servers and routing devices and incurs additional overhead; smaller domains cannot bear such an investment, so its ease of use is not strong. Other research hopes to strengthen the reliability of domain name service by adopting DNSSEC between the clients and servers of the domain name system, which can effectively prevent attacks on domain name service availability such as domain name poisoning; however, adopting this scheme requires thoroughly changing the existing domain name system structure, and it is not easy to implement.
Summary of the invention
The invention provides a method and a name server for improving the robustness of credible Internet domain name service, so as to improve the robustness and availability of credible Internet domain name service.
A method for improving the robustness of credible Internet domain name service provided by the invention comprises:
Setting in advance a maximum response time threshold RT_max and a domain name time-to-live TTL;
Caching, in a local name server, domain name information, source name server information and a name server credibility white list, wherein:
Each domain name information entry comprises the parameters: domain name, time-to-live of the domain name, source name server of the domain name and credibility of the domain name;
Each source name server information entry comprises the parameters: network address of the source name server, reference count and credibility;
The name server credibility white list is used to store the credibility configuration of name servers;
The method further comprises:
The local name server periodically sends a domain name query request to each associated name server; if a response from the associated name server is received within RT_max, the associated name server is judged to be working normally; if no response is received within RT_max, the associated name server is judged to have failed;
If the associated name server is judged to be working normally, the following operations are performed on the cached domain name information: the domain name corresponding to the response is cached, its time-to-live is set to TTL, the source name server of the domain name is determined and recorded, and the credibility of the domain name is set equal to the credibility of that source name server; and the following operation is performed on the cached source name server information: the reference count of that source name server is increased by 1;
If the associated name server is judged to have failed, all domain name information entries whose source name server is the failed associated name server are retained permanently, and the time-to-live timers of all those entries are paused; timing of the time-to-live of those entries resumes only when the failed associated name server is working normally again;
When a domain name query request is received from a client, the local name server responds to the request on the basis of the cached domain name information; the response includes the credibility of the queried domain name, and the client decides whether to use the domain name information on the basis of that credibility;
If the local name server cannot respond to the client's domain name query request from the locally cached domain name information, it obtains the domain name information queried by the client by querying other name servers and performs the following operations on the cached domain name information: the domain name obtained by the query is cached, its time-to-live is set to TTL, and the source name server of the domain name is determined and recorded; the cached source name server information is searched for that source name server; if it exists, the reference count of that source name server is increased by 1 and the credibility of the domain name is set equal to the credibility of that source name server; if it does not exist, the credibility of that source name server is looked up in the name server credibility white list, the source name server is added to the cached source name server information with its reference count set to 1, and the credibility of the newly added source name server and of the domain name information are both set equal to the credibility obtained from the lookup.
The method may further comprise:
The local name server times the time-to-live of each domain name information entry;
When the time-to-live timer of a domain name information entry expires, the expired entry is deleted from the cached domain name information, and in the cached source name server information the reference count of the source name server corresponding to the expired entry is decreased by 1; a source name server whose reference count falls to 0 is deleted from the cached source name server information.
In the method, the source name server of a domain name information entry may be determined as follows:
If the local name server is responsible for forwarding domain name query requests and responses for an associated name server, then when caching domain name information that comes from a superior name server, the local name server determines that superior name server to be the source name server of the domain name information;
If the local name server obtains the default name server of the domain name information by querying an associated name server for the name server record, and then obtains the domain name information by querying that default name server, then that default name server is determined to be the source name server of the domain name information;
If the local name server is itself the authoritative name server or the default name server of the domain name information, then the local name server is determined to be the source name server of the domain name information.
The method may further set in advance a maximum non-response count N;
When the local name server periodically sends domain name queries to each associated name server, the method further comprises: if no response from an associated name server is received within RT_max, one non-response is recorded for that associated name server; when the number of non-responses of the associated name server reaches N, the associated name server is judged to have failed.
A name server for improving the robustness of credible Internet domain name service provided by the invention comprises: an associated name server sensing module, a local domain name cache module, an associated name server cache module and a credibility white list cache module;
The local domain name cache module is used to cache domain name information, each entry of which comprises the parameters: domain name, time-to-live of the domain name, source name server of the domain name and credibility of the domain name;
The associated name server cache module is used to cache source name server information, each entry of which comprises the parameters: network address of the source name server, reference count and credibility;
The credibility white list cache module is used to cache the name server credibility white list, which stores the credibility configuration of name servers;
The associated name server sensing module is used to periodically send a domain name query request to each associated name server; when a response from an associated name server is received within the preset maximum response time threshold RT_max, it judges that the associated name server is working normally, sends the domain name information in the response to the local domain name cache module, determines the source name server of that domain name information, and notifies the local domain name cache module and the associated name server cache module of that source name server; when no response from the associated name server is received within RT_max, it judges that the associated name server has failed and notifies the local domain name cache module and the associated name server cache module of that judgement;
The local domain name cache module is used to perform the corresponding operation according to the result of that judgement: when the result is that the associated name server is working normally, it performs the following operations on the cached domain name information: caches the domain name corresponding to the response, sets the time-to-live of the domain name to the preset TTL, records the source name server of the domain name, queries the associated name server cache module for the credibility of that source name server, and sets the credibility of the domain name equal to the credibility of the source name server; when the result is that the associated name server has failed, it performs the following operations on the cached domain name information: retains permanently all domain name information entries whose source name server is the failed associated name server, pauses the time-to-live timers of all those entries, and resumes timing their time-to-live only when the failed associated name server is working normally again;
The associated name server cache module is used, when the result of the judgement is that the associated name server is working normally, to increase the reference count of that source name server by 1 according to the notification from the associated name server sensing module;
When a domain name query request is received from a client, the local domain name cache module is further used to respond to the request on the basis of the cached domain name information; the response includes the credibility of the queried domain name, and the client decides whether to use the domain name information on the basis of that credibility;
When the local name server cannot respond to the client's domain name query request from the locally cached domain name information, the associated name server sensing module is further used to obtain the domain name information queried by the client by querying other name servers, send the obtained domain name information to the local domain name cache module, determine the source name server of that domain name information, and notify the local domain name cache module and the associated name server cache module of that source name server;
The associated name server cache module is used to search the cached source name server information for the source name server notified by the associated name server sensing module; if it exists, the reference count of that source name server is increased by 1; if it does not exist, the credibility white list cache module is queried to obtain the credibility of that source name server, the source name server is added to the cached source name server information with its reference count set to 1, and the credibility of the newly added source name server is set equal to the credibility obtained from the query;
The local domain name cache module is further used to perform the following operations on the cached domain name information for the domain name information obtained by the query of the associated name server sensing module: cache the domain name obtained by the query, set its time-to-live to TTL, record the source name server of the domain name, and set the credibility of the domain name equal to the credibility of that source name server.
The local domain name cache module may further be used to time the time-to-live of each domain name information entry; when the time-to-live timer of an entry expires, it deletes the expired entry from the cached domain name information and notifies the associated name server cache module of the source name server of that domain name;
The associated name server cache module is further used, according to that notification from the local domain name cache module, to decrease by 1 the reference count of the source name server corresponding to the expired entry in the cached source name server information, and to delete from the cached source name server information any source name server whose reference count falls to 0.
The associated name server sensing module may be used to perform the following operations when determining the source name server of domain name information:
If the name server is responsible for forwarding domain name query requests and responses for an associated name server, then when caching domain name information that comes from a superior name server, that superior name server is determined to be the source name server of the domain name information;
If the name server obtains the default name server of the domain name information by querying an associated name server for the name server record, and then obtains the domain name information by querying that default name server, then that default name server is determined to be the source name server of the domain name information;
If the name server is itself the authoritative name server or the default name server of the domain name information, then the name server is determined to be the source name server of the domain name information.
The associated name server sensing module, when periodically sending domain name query requests to each associated name server and not receiving a response from an associated name server within RT_max, is further used to record the number of non-responses of that associated name server, and to judge that the associated name server has failed when the number of non-responses reaches the preset maximum non-response count N.
It can be seen from the above technical scheme that the method and name server for improving the robustness of credible Internet domain name service provided by the invention can keep as much domain name information cached as possible while some servers in the domain name system are failing, erroneous, or attacked and paralysed, and can use the cached domain name information to answer client domain name queries during the period of paralysis, thereby preserving as far as possible the ability of the name server to continue providing service and improving the robustness and availability of credible Internet domain name service.
Moreover, in the improved technical scheme that the invention provides for raising the credibility of credible Internet domain name service, by configuring a name server credibility white list and matching name servers against it, the credibility of domain name information and name servers in the domain name system can be evaluated and recorded, and domain name information can be distinguished by credibility, thereby improving the credibility of domain name service.
In addition, the invention requires no new hardware investment, works well on the existing DNS framework and does not require redesigning the domain name system, so it is easy to implement.
Description of drawings
Fig. 1 is a schematic flow chart of a local name server responding to a client query in a preferred embodiment of the invention;
Fig. 2 is a schematic diagram of the system architecture of the invention for improving the robustness of credible Internet domain name service;
Fig. 3 is a schematic diagram of the workflow of the associated server sensing module in a preferred embodiment of the invention.
Embodiment
For making the object of the invention, technical scheme and advantage clearer, below with reference to the accompanying drawing embodiment that develops simultaneously, the present invention is done further explain.
In the existing IP network; The thought that its domain name system mechanism mainly is based on distributed storage, replys, the relevance between the name server is not strong, when domain name system breaks down or be under attack; Name server can't be learned the ruuning situation of other servers, robustness a little less than.If on existing domain name system framework basis, increase the technological means that some improve robustness, just can when domain name system is under attack, farthest save as the ability that the client provides service, and ensure the robustness and the availability of domain name service.
Main thought of the present invention is: the operation conditions of being known related name server by local domain name server in real time; And domain-name information is taked corresponding local cache behavior according to the operation conditions of related name server; Particularly: when related name server is in proper working order; According to the corresponding domain-name information of timeout mechanism buffer memory, when related domain name fails, forever preserve corresponding domain-name information.Adopt technical scheme provided by the present invention or to be attacked and paralysis period in related name server failover, mistake; Make local domain name server buffer memory domain-name information farthest; And the domain-name information that uses institute's buffer memory is replied the inquiry of the domain name of paralysis period client; Thereby keep name server as much as possible in the availability of paralysis period, improve the robustness of credible Internet domain name service.
On the basis of above-mentioned main thought; The present invention further introduces the confidence level Evaluation Mechanism; Name server confidence level white list according to being disposed is estimated the confidence level of name server, and with the confidence level of name server as with the confidence level of this name server, when the inquiry of the domain name of customer in response end as the domain-name information in source; The confidence level of this domain name is sent to client in the lump; Thereby make client can know the confidence level of domain-name information, and whether use this domain-name information, further improved the confidence level of credible Internet domain name service according to the confidence level decision of domain-name information.
Among the present invention, related name server is meant: the set in the source of all domain-name informations in the local domain name server.According to the difference of confidence level, related name server can be divided into believable related name server and incredible related name server again.Local domain name server is meant the name server of embodiment of the present invention technical scheme.
Based on above-mentioned main thought, the present invention proposes a kind of method that improves credible Internet domain name service robustness, this method is provided with maximum response time threshold value RT in advance MaxWith the life span TTL of domain name, and in local domain name server the buffer memory domain-name information with the source domain name server information, wherein:
Each bar domain-name information can comprise parameter: the source name server of the life span of domain name, domain name, domain name and the confidence level of domain name; Except above-mentioned parameter, can also comprise other relevant parameters, like A, NS, CNAME record etc., these other parameter is not an emphasis of the present invention, repeats no more at this.
Each bar source domain name server information can comprise parameter: the network address of source name server, quote number of times and confidence level.
Method provided by the invention is further comprising the steps of:
Local domain name server regularly sends the inquiry of the domain name request to each related name server, if at RT MaxIn received related name server response, then judge should the association name server in proper working order; If at RT MaxIn do not receive related name server response, then judging should association domain name fails;
If judge that related name server is in proper working order; Operation below then in the domain-name information of institute's buffer memory, carrying out: the domain name that buffer memory is should response corresponding, the life span of this domain name be set to TTL, definite and write down the source name server of this domain name, the confidence level of this domain name is set to equal the confidence level of this source name server, and in the source domain name server information of institute's buffer memory, operate below the execution: the source of the name server of will originating is quoted number of times and is added 1;
If judge related domain name fails; Then will forever preserve as all domain-name informations of source name server with the related name server of this inefficacy; And to the life span time out of said all domain-name informations; Related name server until this inefficacy is in proper working order, continues the life span of said all domain-name informations is carried out timing.
Because after the related domain name fails of a domain-name information; This domain-name information just can not obtain from this association name server once more; Therefore; The present invention has taked the mode of permanent preservation for the domain-name information of the related name server of inefficacy to the source; Thereby technical scheme provided by the present invention can or be attacked and paralysis period makes local domain name server buffer memory domain-name information farthest in related name server failover, mistake, and use the domain-name information of institute's buffer memory to reply the inquiry of the domain name of paralysis period client; Thereby keep name server as much as possible in the availability of paralysis period, improve the robustness of credible Internet domain name service.
When receiving the inquiry of the domain name request of client; Local domain name server responds this inquiry of the domain name request according to the domain-name information of institute's buffer memory; In response, can comprise by the confidence level of nslookup, whether client can use this domain-name information according to the confidence level decision of domain name.
On the basis of the above method, a credibility evaluation mechanism can further be introduced, yielding a preferred embodiment of the present invention. Specifically, the local domain name server further caches a name server credibility whitelist, which holds the credibility configuration of name servers;
If the local domain name server cannot respond to the client's domain name query request from the locally cached domain name information, the method may further include:
The local domain name server obtains the domain name information queried by the client by querying other name servers, and performs the following operations in the cached domain name information: cache the domain name obtained by the query, set the time to live of this domain name to TTL, and determine and record the source name server of this domain name; query whether this source name server already exists in the cached source name server information; if it exists, add 1 to the reference count of this source name server and set the credibility of this domain name equal to the credibility of this source name server; if it does not exist, look up the credibility of the source name server in the name server credibility whitelist, add the source name server to the cached source name server information, set the reference count of the newly added source name server to 1, and set the credibility of the newly added source name server and the credibility of this domain name information equal to the credibility obtained from the lookup. Here, when the name server credibility whitelist contains no credibility for this source name server, a default value can be used as the credibility of this source name server.
Here, the locally cached domain name information is all domain name information known locally to the local domain name server, and comprises two parts: on the one hand, domain name information cached according to the method of the present invention; on the other hand, the local authoritative zones configured on the local domain name server. A local authoritative zone refers to domain name information configured before the local domain name server starts operating, indicating that in the domain name system a certain server is the default name server of that domain. All information about such a domain name is ultimately obtained from the default server of that domain. In the domain name system, every domain name has a default name server; when other servers cannot respond, they look up the default server responsible for that domain through the domain's name server records (NS records), and obtain the information directly by sending a query to the default server.
Fig. 1 is a schematic flow chart of the local domain name server responding to a client query in the above preferred embodiment of the present invention. Referring to Fig. 1, the flow comprises:
In step 101, the local domain name server receives a domain name query request from a client.
In step 102, the local domain name server checks whether the domain name information queried by the client is cached; if so, it proceeds to step 103, responds to the client's query with the cached domain name information, and ends the flow; if not, it proceeds to step 104.
In step 104, the local domain name server sends the domain name query to other name servers.
In step 105, the local domain name server writes the domain name information obtained by the query into the locally cached domain name information.
In step 106, the local domain name server checks whether the source name server information of this domain name information is cached locally; if so, in step 107 it adds 1 to the reference count of this source name server, records the credibility, and ends the flow; if not, it proceeds to step 108.
In step 108, a new entry is created in the cached source name server information, and the relevant information of this source name server is recorded in it.
This completes the flow shown in Fig. 1.
In the present invention, the local domain name server can run a timer on the time to live of each piece of domain name information; when the time to live of a piece of domain name information expires, the expired domain name information is deleted from the cached domain name information, and in the cached source name server information the reference count of the source name server corresponding to the expired domain name information is reduced by 1; any source name server whose reference count falls to 0 is deleted from the cached source name server information.
In the present invention, the source name server of a piece of domain name information can be determined as follows:
If the local domain name server is only responsible for forwarding domain name query requests to, and responses from, the associated name servers, then when caching domain name information that comes from an upstream name server, the local domain name server determines that upstream name server to be the source name server of this domain name information;
If the local domain name server obtains the default name server of this domain name information by querying the name server record (NS) from the associated name servers, and then obtains the domain name information by querying that default name server, then the default name server is determined to be the source name server of this domain name information;
If the local domain name server is itself the authoritative domain name server or the default name server of this domain name information, then the local domain name server is determined to be the source name server of this domain name information.
On the basis of the technical scheme provided by the present invention, a maximum no-response count N can further be set in advance; the method may further include, when the local domain name server periodically sends a domain name query to each associated name server: if no response from the associated name server is received within RT_max, record that the associated name server has failed to respond once, and when the number of non-responses of the associated name server reaches N, judge that the associated name server has failed. Thus, if an associated name server fails, the local domain name server will detect this within at most N times the maximum response time RT_max and can take appropriate measures.
The above describes in detail the method for improving the robustness of a credible Internet domain name service provided by the present invention; the name server for improving the robustness of a credible Internet domain name service provided by the present invention, and a system using this name server, are described in detail below.
Fig. 2 is a schematic diagram of the system architecture for improving the robustness of a credible Internet domain name service according to the present invention. The entities in Fig. 2 comprise: several associated name servers, the Internet, a local domain name server and several clients; wherein the local domain name server is connected to the several associated name servers through the Internet, and is responsible for responding to the domain name query requests of the several clients connected to it.
The local domain name server in the system architecture shown in Fig. 2 is the entity implementing the technical scheme of the present invention. This local domain name server comprises at least: an associated name server detection module, a local domain name cache module and an associated name server cache module; it may further comprise a credibility whitelist cache module. Each module of the local domain name server is described in detail below.
In a preferred embodiment of the present invention, the operations performed by each module are as follows:
The local domain name cache module is used to cache domain name information, each piece of which comprises the parameters: domain name, time to live of the domain name, source name server of the domain name, and credibility of the domain name;
The associated name server cache module is used to cache source name server information, each piece of which comprises the parameters: network address of the source name server, reference count, and credibility;
The associated name server detection module is used to periodically send domain name query requests to each associated name server; when a response from an associated name server is received within the preset maximum response time threshold RT_max, it judges that the associated name server is working normally, sends the domain name information in the response to the local domain name cache module, determines the source name server of this domain name information, and notifies the local domain name cache module and the associated name server cache module of this source name server; when no response from the associated name server is received within RT_max, it judges that the associated name server has failed, and notifies the local domain name cache module and the associated name server cache module of the judgement result;
The local domain name cache module is used to perform the corresponding operation according to the judgement result; when the judgement result is that the associated name server is working normally, it performs the following operations in the cached domain name information: cache the domain name corresponding to the response, set the time to live of this domain name to the preset time to live TTL, record the source name server of this domain name, query the credibility of this source name server from the associated name server cache module, and set the credibility of this domain name equal to the credibility of this source name server; when the judgement result is that the associated name server has failed, it performs the following operations in the cached domain name information: permanently retain all domain name information whose source name server is the failed associated name server, and suspend the time to live timers of all this domain name information until the failed associated name server is working normally again, whereupon the time to live timers of all this domain name information resume;
The associated name server cache module is used, when the judgement result is that the associated name server is working normally, to add 1 to the reference count of the source name server notified by the associated name server detection module.
When a domain name query request from a client is received, the local domain name cache module is further used to respond to the domain name query request according to the cached domain name information; the response includes the credibility of the queried domain name, and the client decides whether to use this domain name information according to the credibility of the domain name.
When the name server further comprises a credibility whitelist cache module, this module can be used to cache the name server credibility whitelist, which holds the credibility configuration of name servers. When the local domain name server cannot respond to the client's domain name query request from the locally cached domain name information, the functions of the other modules need to be extended accordingly; specifically:
The associated name server detection module is further used to obtain the domain name information queried by the client by querying other name servers, send the domain name information obtained by the query to the local domain name cache module, determine the source name server of this domain name information, and notify the local domain name cache module and the associated name server cache module of this source name server;
The associated name server cache module is further used to query, according to the source name server notified by the associated name server detection module, whether said source name server exists in the cached source name server information; if it exists, add 1 to the reference count of this source name server; if it does not exist, query the credibility whitelist cache module to obtain the credibility of this source name server, add said source name server to the cached source name server information, set the reference count of the newly added source name server to 1, and set the credibility of the newly added source name server equal to the credibility obtained from the query; here, when the name server credibility whitelist contains no credibility for this source name server, a default value can be used as its credibility;
The local domain name cache module is further used to perform the following operations in the cached domain name information according to the domain name information obtained by the query of the associated name server detection module: cache the domain name obtained by the query, set the time to live of the domain name to TTL, record the source name server of this domain name, and set the credibility of this domain name equal to the credibility of this source name server.
On the basis of the above preferred embodiment, the local domain name cache module can be further used to run a timer on the time to live of each piece of domain name information, and when the time to live of a piece of domain name information expires, to delete the expired domain name information from the cached domain name information and notify the associated name server cache module of the source name server of this domain name;
At this point, the associated name server cache module is further used, according to the notification of the local domain name cache module, to reduce by 1 the reference count of the source name server corresponding to the expired domain name information in the cached source name server information, and to delete from the cached source name server information any source name server whose reference count falls to 0.
In the name server provided by the present invention, the associated name server detection module performs the following operations when determining the source name server of domain name information:
If this name server is responsible for forwarding domain name query requests to, and responses from, the associated name servers, then when caching domain name information that comes from an upstream name server, it determines that upstream name server to be the source name server of this domain name information;
If this name server obtains the default name server of the domain name information by querying the name server record from the associated name servers, and then obtains the domain name information by querying that default name server, then the default name server is determined to be the source name server of this domain name information;
If this name server is itself the authoritative domain name server or the default name server of this domain name information, then this name server is determined to be the source name server of this domain name information.
Preferably, when the associated name server detection module periodically sends domain name query requests to each associated name server and receives no response from an associated name server within RT_max, it can further record the number of non-responses of that associated name server, and when the number of non-responses reaches the preset maximum no-response count N, judge that the associated name server has failed. Thus, if an associated name server fails, the local domain name server will detect this within at most N times the maximum response time RT_max and can take appropriate measures. Preferably, N can be set to 3; the workflow of the associated name server detection module of the present invention is described below through a preferred embodiment.
Fig. 3 is a schematic workflow diagram of the associated name server detection module in a preferred embodiment of the present invention. Referring to Fig. 3:
In step 301, the associated name server detection module sends domain name query requests at regular intervals to all trusted associated name servers in the associated name server cache module.
In step 302, the associated name server detection module judges whether no response has been received from an associated name server within the maximum response time three times in a row; if so, it proceeds to step 303; otherwise, it proceeds to step 304.
In step 303, the local domain name information cache module is scanned, the time to live timers of all domain name information whose source is this associated name server are stopped, and this domain name information is permanently retained.
In step 304, the local domain name information cache module is scanned, it is confirmed that the domain name information whose source is this associated name server is not permanently retained, and the time to live of the domain name information whose source is this trusted associated name server continues to count down.
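A simplified model of the method described above (client query handling, source name server reference counting, the credibility whitelist, TTL timing with suspension on failure) together with the detection module workflow of Fig. 3, added here as an example and not taken from the patent. The values of RT_max, TTL, N and the default credibility, the server addresses and the whitelist contents are all constructed for illustration; the lookup of other name servers is replaced by a caller-supplied function.

```python
"""Simplified model of the local domain name server described above (added example, not the
patent's own code): cached domain names carry a source name server and a credibility value,
sources carry reference counts, TTL timers freeze while a source is judged failed, and failure
is declared after N consecutive probes with no reply within RT_max. All values are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

RT_MAX = 2.0               # maximum response time threshold, seconds (constructed value)
TTL = 60.0                 # preset time to live for cached domain names (constructed value)
N_MAX_NO_RESPONSE = 3      # the patent's preferred N: consecutive non-responses before failure
DEFAULT_CREDIBILITY = 0.5  # used for sources absent from the whitelist (assumed value)


@dataclass
class DomainEntry:
    name: str
    address: str
    ttl_remaining: float
    source: str               # network address of the source name server
    credibility: float


@dataclass
class SourceEntry:
    address: str
    refcount: int
    credibility: float
    no_response: int = 0      # consecutive probes without a reply within RT_MAX
    failed: bool = False      # True freezes the TTL of every entry sourced from this server


class LocalNameServer:
    def __init__(self, whitelist: Dict[str, float]):
        self.whitelist = dict(whitelist)            # name server credibility whitelist
        self.domains: Dict[str, DomainEntry] = {}   # cached domain name information
        self.sources: Dict[str, SourceEntry] = {}   # cached source name server information

    def _reference_source(self, src: str) -> SourceEntry:
        # Steps 106-108: bump an existing source's reference count, or add a new source
        # with reference count 1 and credibility from the whitelist (or the default).
        entry = self.sources.get(src)
        if entry is None:
            entry = SourceEntry(src, 0, self.whitelist.get(src, DEFAULT_CREDIBILITY))
            self.sources[src] = entry
        entry.refcount += 1
        return entry

    def cache_domain(self, name: str, address: str, src: str) -> DomainEntry:
        # Step 105: store an answer with TTL, its source, and the source's credibility.
        if name in self.domains:
            self._remove_domain(name)   # re-caching releases the old source reference
        source = self._reference_source(src)
        entry = DomainEntry(name, address, TTL, src, source.credibility)
        self.domains[name] = entry
        return entry

    def _remove_domain(self, name: str) -> None:
        # Decrement the source's reference count; a source that reaches 0 is deleted.
        entry = self.domains.pop(name)
        source = self.sources[entry.source]
        source.refcount -= 1
        if source.refcount == 0:
            del self.sources[entry.source]

    def resolve(self, name: str, lookup: Callable[[str], Optional[Tuple[str, str]]]
                ) -> Optional[Tuple[str, float]]:
        # Steps 101-108: answer from the cache, otherwise query another server via `lookup`
        # (returns (address, source) or None); the reply carries the domain's credibility.
        entry = self.domains.get(name)
        if entry is None:
            result = lookup(name)
            if result is None:
                return None
            entry = self.cache_domain(name, result[0], result[1])
        return entry.address, entry.credibility

    def tick(self, elapsed: float) -> None:
        # TTL timing (steps 303-304): entries from a failed source are kept with their
        # TTL frozen; the others count down and expire when they reach zero.
        for name in list(self.domains):
            entry = self.domains[name]
            if self.sources[entry.source].failed:
                continue
            entry.ttl_remaining -= elapsed
            if entry.ttl_remaining <= 0:
                self._remove_domain(name)

    def probe(self, src: str, response_time: Optional[float],
              answer: Optional[Tuple[str, str]] = None) -> bool:
        # One periodic probe (steps 301-302). `response_time` is None when no reply arrived;
        # `answer` is (name, address) from a reply. Returns True if the server is working.
        source = self.sources[src]
        if response_time is not None and response_time <= RT_MAX:
            source.no_response = 0
            source.failed = False           # recovery: the frozen TTL timers resume
            if answer is not None:
                self.cache_domain(answer[0], answer[1], src)
            return True
        source.no_response += 1
        if source.no_response >= N_MAX_NO_RESPONSE:
            source.failed = True            # judged failed within at most N * RT_MAX
        return not source.failed
```

A reply that arrives later than RT_MAX is counted as a non-response, so three slow or missing replies in a row freeze every entry sourced from that server until a timely reply is seen again.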
As can be seen from the above embodiments, the method and name server for improving the robustness of a credible Internet domain name service provided by the present invention can, during periods when some servers in the domain name system fail, malfunction, or are attacked and paralysed, cache domain name information to the greatest extent and use the cached domain name information to answer client domain name queries during the paralysis, thereby preserving to the greatest extent the ability of the name server to keep providing service and improving the robustness and availability of the credible Internet domain name service.
Moreover, in the improved technical scheme provided by the present invention for raising the credibility of the credible Internet domain name service, by configuring a name server credibility whitelist and matching name servers against it, the credibility of domain name information and name servers in the domain name system can be evaluated and recorded, and domain name information can be differentiated by credibility, thereby raising the credibility of the domain name service.
In addition, the present invention requires no new hardware investment, works well on the existing DNS architecture without redesigning the domain name system, and is therefore easy to implement.
The above are merely preferred embodiments of the present invention and are not intended to limit the present invention; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims (6)

1. A method for improving the robustness of a credible Internet domain name service, characterized in that:
a maximum response time threshold RT_max and a domain name time to live TTL are set in advance;
domain name information, source name server information and a name server credibility whitelist are cached in a local domain name server, wherein:
each piece of domain name information comprises the parameters: domain name, time to live of the domain name, source name server of the domain name, and credibility of the domain name;
each piece of source name server information comprises the parameters: network address of the source name server, reference count, and credibility;
the name server credibility whitelist holds the credibility configuration of name servers;
the method further comprises:
the local domain name server periodically sends a domain name query request to each associated name server; if a response from the associated name server is received within RT_max, it judges that said associated name server is working normally; if no response from the associated name server is received within RT_max, it judges that said associated name server has failed;
if the associated name server is judged to be working normally, the following operations are performed in the cached domain name information: cache the domain name corresponding to said response, set the time to live of the domain name to TTL, determine and record the source name server of the domain name, and set the credibility of the domain name equal to the credibility of said source name server; and the following operation is performed in the cached source name server information: add 1 to the reference count of said source name server;
if the associated name server is judged to have failed, all domain name information whose source name server is the failed associated name server is permanently retained, and the time to live timers of all said domain name information are suspended until the failed associated name server is working normally again, whereupon the time to live timers of all said domain name information resume;
when a domain name query request from a client is received, the local domain name server responds to the domain name query request based on the cached domain name information; said response includes the credibility of the queried domain name, and the client decides whether to use the domain name information based on the credibility of the domain name;
if the local domain name server cannot respond to the client's domain name query request from the locally cached domain name information, it obtains the domain name information queried by said client by querying other name servers, and performs the following operations in the cached domain name information: cache the domain name obtained by the query, set the time to live of the domain name to TTL, and determine and record the source name server of the domain name; query whether said source name server exists in the cached source name server information; if it exists, add 1 to the reference count of said source name server and set the credibility of the domain name equal to the credibility of said source name server; if it does not exist, look up the credibility of said source name server in the name server credibility whitelist, add said source name server to the cached source name server information, set the reference count of said newly added source name server to 1, and set the credibility of said newly added source name server and the credibility of the domain name information equal to the credibility obtained from the lookup;
wherein the source name server of domain name information is determined as follows:
if the local domain name server is responsible for forwarding domain name query requests to, and responses from, the associated name servers, then when caching domain name information that comes from an upstream name server, the local domain name server determines said upstream name server to be the source name server of the domain name information;
if the local domain name server obtains the default name server of the domain name information by querying the name server record from the associated name servers, and then obtains the domain name information by querying said default name server, then said default name server is determined to be the source name server of the domain name information;
if the local domain name server is itself the authoritative domain name server or the default name server of the domain name information, then said local domain name server is determined to be the source name server of the domain name information.
2. The method according to claim 1, characterized in that the method further comprises:
the local domain name server runs a timer on the time to live of each piece of domain name information;
when the time to live of a piece of domain name information expires, said expired domain name information is deleted from the cached domain name information, and in the cached source name server information the reference count of the source name server corresponding to said expired domain name information is reduced by 1; any source name server whose reference count falls to 0 is deleted from the cached source name server information.
3. The method according to claim 1 or 2, characterized in that:
a maximum no-response count N is further set in advance;
when the local domain name server periodically sends a domain name query to each associated name server, the method further comprises: if no response from the associated name server is received within RT_max, recording that said associated name server has failed to respond once, and when the number of non-responses of said associated name server equals N, judging that said associated name server has failed.
4. A name server for improving the robustness of a credible Internet domain name service, characterized in that it comprises: an associated name server detection module, a local domain name cache module, an associated name server cache module and a credibility whitelist cache module;
said local domain name cache module is used to cache domain name information, each piece of which comprises the parameters: domain name, time to live of the domain name, source name server of the domain name, and credibility of the domain name;
said associated name server cache module is used to cache source name server information, each piece of which comprises the parameters: network address of the source name server, reference count, and credibility;
said credibility whitelist cache module is used to cache a name server credibility whitelist, which holds the credibility configuration of name servers;
said associated name server detection module is used to periodically send domain name query requests to each associated name server; when a response from an associated name server is received within the preset maximum response time threshold RT_max, it judges that said associated name server is working normally, sends the domain name information in said response to the local domain name cache module, determines the source name server of the domain name information, and notifies the local domain name cache module and the associated name server cache module of said source name server; when no response from the associated name server is received within RT_max, it judges that said associated name server has failed, and notifies the local domain name cache module and the associated name server cache module of the result of said judgement;
said local domain name cache module is used to perform the corresponding operation according to the result of said judgement; when the result of said judgement is that the associated name server is working normally, it performs the following operations in the cached domain name information: cache the domain name corresponding to said response, set the time to live of the domain name to the preset time to live TTL, record the source name server of the domain name, query the credibility of said source name server from said associated name server cache module, and set the credibility of the domain name equal to the credibility of said source name server; when the result of said judgement is that the associated name server has failed, it performs the following operations in the cached domain name information: permanently retain all domain name information whose source name server is the failed associated name server, and suspend the time to live timers of all said domain name information until the failed associated name server is working normally again, whereupon the time to live timers of all said domain name information resume;
said associated name server cache module is used, when the result of said judgement is that the associated name server is working normally, to add 1 to the reference count of said source name server according to the notification of the associated name server detection module;
when a domain name query request from a client is received, said local domain name cache module is also used to respond to the domain name query request based on the cached domain name information; said response includes the credibility of the queried domain name, and the client decides whether to use the domain name information based on the credibility of the domain name;
when the local domain name server cannot respond to the client's domain name query request from the locally cached domain name information, said associated name server detection module is also used to obtain the domain name information queried by said client by querying other name servers, send the domain name information obtained by the query to the local domain name cache module, determine the source name server of the domain name information, and notify the local domain name cache module and the associated name server cache module of said source name server;
said associated name server cache module is used to query, according to the source name server notified by the associated name server detection module, whether said source name server exists in the cached source name server information; if it exists, add 1 to the reference count of said source name server; if it does not exist, query said credibility whitelist cache module to obtain the credibility of said source name server, add said source name server to the cached source name server information, set the reference count of said newly added source name server to 1, and set the credibility of said newly added source name server equal to the credibility obtained from the query;
said local domain name cache module is also used to perform the following operations in the cached domain name information according to the domain name information obtained by the query of the associated name server detection module: cache the domain name obtained by the query, set the time to live of the domain name to TTL, record the source name server of the domain name, and set the credibility of the domain name equal to the credibility of said source name server;
wherein said associated name server detection module performs the following operations when determining the source name server of domain name information:
if the name server is responsible for forwarding domain name query requests to, and responses from, the associated name servers, then when caching domain name information that comes from an upstream name server, it determines said upstream name server to be the source name server of the domain name information;
if the name server obtains the default name server of the domain name information by querying the name server record from the associated name servers, and then obtains the domain name information by querying said default name server, then said default name server is determined to be the source name server of the domain name information;
if the name server is itself the authoritative domain name server or the default name server of the domain name information, then the name server is determined to be the source name server of the domain name information.
5. name server according to claim 4 is characterized in that:
Said home domain name cache module is further used for the life span of each bar domain-name information is carried out timing; When the life span timing of domain-name information is overtime; Be used for the overtime domain-name information of the domain-name information said life span timing of deletion, and notify said related domain name server buffer module the source name server of domain name from institute's buffer memory;
Said related domain name server buffer module is further used for the notice according to said home domain name cache module; The number of times of quoting of the source name server that domain-name information that said life span timing is overtime is corresponding in the source domain name server information of institute's buffer memory subtracts 1, and will quote number of times and be reduced to 0 source name server and from the source domain name server information of institute's buffer memory, delete.
6. according to claim 4 or 5 described name servers, it is characterized in that:
Said related name server sensing module is regularly sending inquiry of the domain name request and at RT to each related name server MaxIn when not receiving the response of related name server, be further used for writing down the number of times that related name server does not response, when the number of times that does not response reaches the maximum dont answer times N that is provided with in advance, judge said related domain name fails.
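The TTL expiry, source-server reference counting and RT_Max / N non-response judgement of claims 5 and 6, worked through as an added Python example (not code from the patent). The class, method and field names are assumptions, the sample data is constructed, and resetting the miss count on a timely reply is one reading of "number of times the related name server does not respond".

```python
# Added example (not the patent's code): a local domain name cache whose entries carry
# a TTL and a source name server, a reference-counted cache of source name servers,
# and the RT_Max / N failure judgement of claim 6. Names are assumptions.
from dataclasses import dataclass

@dataclass
class Record:
    value: str          # cached answer, e.g. an A record
    source: str         # source name server the answer was learned from
    expires_at: float   # absolute time at which the TTL runs out

class RobustCache:
    def __init__(self, rt_max: float, max_no_answer: int):
        self.rt_max = rt_max                # RT_Max: longest wait for a probe reply
        self.max_no_answer = max_no_answer  # N: misses before a server is judged failed
        self.records = {}   # local domain name cache: name -> Record
        self.refcount = {}  # related name server cache: source -> reference count
        self.misses = {}    # unanswered probes per source (reset on a timely reply)

    def insert(self, name, value, source, ttl, now):
        """Cache an answer and count one more reference to its source server."""
        old = self.records.get(name)
        if old is not None:
            self._release(old.source)   # replacing an entry drops its old reference
        self.records[name] = Record(value, source, now + ttl)
        self.refcount[source] = self.refcount.get(source, 0) + 1

    def expire(self, now):
        """Delete records whose TTL timed out; notify the source server cache of each."""
        expired = [n for n, r in self.records.items() if r.expires_at <= now]
        for name in expired:
            self._release(self.records.pop(name).source)
        return expired

    def _release(self, source):
        """Decrement a source server's reference count; evict it when it reaches 0."""
        self.refcount[source] -= 1
        if self.refcount[source] == 0:
            del self.refcount[source]
            self.misses.pop(source, None)

    def probe_result(self, source, rtt):
        """Record one periodic probe; rtt is None when no reply arrived at all.
        Returns True once N probes went unanswered within RT_Max (server judged failed)."""
        if rtt is not None and rtt <= self.rt_max:
            self.misses[source] = 0
            return False
        self.misses[source] = self.misses.get(source, 0) + 1
        return self.misses[source] >= self.max_no_answer
```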

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2010102377574A CN101895591B (en) 2010-07-23 2010-07-23 Method and domain name server for increasing robustness of credible Internet domain name service

Publications (2)

Publication Number Publication Date
CN101895591A CN101895591A (en) 2010-11-24
CN101895591B true CN101895591B (en) 2012-10-31

Family

ID=43104656

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102137174B (en) * 2010-12-29 2013-10-09 华为技术有限公司 Method for caching of domain name system, authorized domain name server and cache domain name server
CN104935683A (en) * 2015-06-29 2015-09-23 北京经天科技有限公司 Buffer processing method and device for domain name resolution
CN106610975A (en) * 2015-10-21 2017-05-03 北京国双科技有限公司 Method and device for updating configuration list of cache server
CN106899701B (en) * 2015-12-17 2020-08-25 阿里巴巴集团控股有限公司 Domain name query method and device
CN109347996A (en) * 2018-12-10 2019-02-15 中共中央办公厅电子科技学院 A kind of DNS domain name acquisition system and method
CN109905388B (en) * 2019-02-20 2021-12-07 中国互联网络信息中心 Domain name credit processing method and system based on block chain
CN111092966B (en) * 2019-12-30 2022-04-26 中国联合网络通信集团有限公司 Domain name system, domain name access method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6016512A (en) * 1997-11-20 2000-01-18 Telcordia Technologies, Inc. Enhanced domain name service using a most frequently used domain names table and a validity code table
CN101567888A (en) * 2008-12-29 2009-10-28 郭世泽 Safety protection method of network feedback host computer
CN101572701A (en) * 2009-02-10 2009-11-04 中科正阳信息安全技术有限公司 Security gateway system for resisting DDoS attack for DNS service

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7984493B2 (en) * 2005-07-22 2011-07-19 Alcatel-Lucent DNS based enforcement for confinement and detection of network malicious activities
US7593935B2 (en) * 2006-10-19 2009-09-22 Paxfire Methods and systems for node ranking based on DNS session data

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Li Weimin et al. Alleviating the impact of DNS DDoS attacks. Second International Conference on Networks Security, Wireless Communications and Trusted Computing, 2010, pp. 240-243. *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106027516A (en) * 2016-05-17 2016-10-12 中国互联网络信息中心 Domain name service security event evaluation method and system
CN106027516B (en) * 2016-05-17 2019-06-14 中国互联网络信息中心 A kind of domain name service security incident evaluation method and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20121031

Termination date: 20140723

EXPY Termination of patent right or utility model