CN103561121B - Method and device for analyzing DNS and browser - Google Patents

Info

Publication number
CN103561121B
Authority
CN
China
Prior art keywords
address
dns server
dns
domain name
server address
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201310473254.0A
Other languages
Chinese (zh)
Other versions
CN103561121A (en
Inventor
吴亮
任寰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
360 Digital Security Technology Group Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201310473254.0A priority Critical patent/CN103561121B/en
Publication of CN103561121A publication Critical patent/CN103561121A/en
Publication of CN103561121B publication Critical patent/CN103561121B/en

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a DNS resolution method. The method comprises: when the browser side detects a DNS resolution error for a first webpage, resetting the original DNS server address of the current terminal to a designated DNS server address; sending a DNS resolution request for the first webpage, which includes the domain name of the first webpage, to the designated DNS server address, the designated DNS server resolving one or more IP addresses corresponding to the domain name of the first webpage according to the request; receiving the IP addresses returned by the designated DNS server; and, when the returned IP addresses are verified to be legitimate, extracting the legitimate IP addresses. The method greatly increases the probability of successful DNS resolution and improves the user experience.

Description

DNS resolution method, device, and browser
Technical field
The present invention relates to the technical field of browsers, and in particular to a DNS resolution method, a DNS resolution device, and a browser.
Background
In Internet applications, domain names and IP (Internet Protocol) addresses are indispensable, because people must use a website's domain name and IP address to find and log in to the website. In the prior art, DNS (Domain Name System, also referred to as a domain name server) is used to look up domain names and IP addresses. DNS resolves domain names and assigns domain name addresses and IP addresses to hosts on the Internet. That is, when a user asks DNS to resolve a domain name address, the system automatically converts the domain name address into an IP address. In practice, any domain name has at least one DNS server that resolves it, and commonly at least two. Because DNS servers can be tried in rotation, when resolution on the first one fails the second one is tried. As long as one DNS server resolves normally, normal use of the domain name is not affected.
For example, the Chrome browser uses the getaddrinfo function to perform DNS resolution. This function resolves a domain name to a host address in a protocol-independent way. Its function prototype is:
When getaddrinfo is used, the caller sets the domain name to resolve (hostname) and the service name or port (service), and configures the addrinfo parameter (hints). On success the function returns 0 and fills in the result parameter, completing the resolution; on failure it returns the corresponding error code.
In DNS resolution, however, the DNS server list is generally made up of servers set on the local machine, set by the LAN administrator, provided by the operator, and so on. The browser cannot access the Internet when any of the following three situations occurs:
1) The DNS server is set incorrectly;
2) The DNS server cannot be reached;
3) The DNS server cannot complete the resolution of a particular domain name.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a DNS resolution method, a corresponding DNS resolution device, and a browser that overcome the above problems or at least partly solve them.
According to one aspect of the present invention, a DNS resolution method is provided, including:
when the browser side detects a DNS resolution error for a first webpage, resetting the original DNS server address of the current terminal to a designated DNS server address;
sending a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage, and the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
receiving the one or more IP addresses returned by the designated DNS server;
when the one or more IP addresses returned by the designated DNS server are verified to be legitimate, extracting the legitimate IP addresses.
Optionally, the step of resetting the original DNS server address of the current terminal to the designated DNS server address includes:
matching the address of the original DNS server of the current terminal against the DNS server addresses in a preset DNS server address whitelist;
when the match succeeds, resetting the original DNS server address to the default DNS server address;
when the match fails, resetting the original DNS server address to a DNS server address in the DNS server address whitelist.
Optionally, the step of extracting the legitimate IP addresses when the one or more IP addresses returned by the designated DNS server are verified to be legitimate includes:
matching the one or more IP addresses against a preset IP address whitelist;
when a match succeeds, extracting the matched IP addresses;
and/or,
matching the one or more IP addresses against a preset IP address blacklist;
when a match succeeds, extracting the IP addresses other than the matched IP addresses.
Optionally, after the step of extracting the legitimate IP addresses when the one or more IP addresses returned by the designated DNS server are verified to be legitimate, the method further includes:
generating or updating a legitimate IP address mapping table using the legitimate IP addresses and their corresponding domain names.
Optionally, the method further includes:
when a load request for a second webpage is received, extracting the domain name from the load request;
matching the domain name from the load request against the domain names in the legitimate IP address mapping table;
when the match succeeds, extracting the legitimate IP address corresponding to the domain name.
Optionally, the method further includes:
receiving a domain name and its corresponding IP address sent by the server side;
updating the legitimate IP address mapping table using the domain name and its corresponding IP address.
Optionally, after the step of extracting the legitimate IP addresses when the one or more IP addresses returned by the designated DNS server are verified to be legitimate, the method further includes:
matching the DNS server address of the current terminal against the DNS server addresses in a preset DNS server address blacklist;
when the match succeeds, resetting the DNS server address of the current terminal to the designated DNS server address.
Optionally, the method further includes:
storing the designated DNS server address in the DNS cache.
Optionally, the method further includes:
when the current terminal uses a DHCP service, obtaining the DNS server address of the peripheral device that provides the DHCP service;
matching the DNS server address of the peripheral device against the DNS server addresses in the DNS server address blacklist;
when the match succeeds, resetting the DNS server address of the peripheral device to the designated DNS server address.
Optionally, the method further includes:
uploading the legitimate IP address and its corresponding domain name, the user ID of the current user, and the terminal identifier of the current terminal to the server side corresponding to the browser side.
Optionally, the method further includes:
when a load request for a third webpage is received, obtaining from the server side corresponding to the browser side, according to the load request, the legitimate IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal, and the domain name of the third webpage.
According to another aspect of the present invention, a DNS resolution device is provided, including:
a first DNS server address reset module, adapted to reset the original DNS server address of the current terminal to a designated DNS server address when the browser side detects a DNS resolution error for a first webpage;
a DNS resolution request module, adapted to send a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage, and the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
an IP address receiving module, adapted to receive the one or more IP addresses returned by the designated DNS server;
a first IP address extraction module, adapted to extract the legitimate IP addresses when the one or more IP addresses returned by the designated DNS server are verified to be legitimate.
Optionally, the DNS server address reset module is further adapted to:
match the address of the original DNS server of the current terminal against the DNS server addresses in a preset DNS server address whitelist;
when the match succeeds, reset the original DNS server address to the default DNS server address;
when the match fails, reset the original DNS server address to a DNS server address in the DNS server address whitelist.
Optionally, the legitimate IP address extraction module is further adapted to:
match the one or more IP addresses against a preset IP address whitelist;
when a match succeeds, extract the matched IP addresses;
and/or,
match the one or more IP addresses against a preset IP address blacklist;
when a match succeeds, extract the IP addresses other than the matched IP addresses.
Optionally, the device further includes:
a legitimate IP address mapping table management module, adapted to generate or update a legitimate IP address mapping table using the legitimate IP addresses and their corresponding domain names.
Optionally, the device further includes:
a domain name extraction module, adapted to extract the domain name from the load request when a load request for a second webpage is received;
a domain name matching module, adapted to match the domain name from the load request against the domain names in the legitimate IP address mapping table;
a second IP address extraction module, adapted to extract the legitimate IP address corresponding to the domain name when the match succeeds.
Optionally, the device further includes:
a domain name and IP address receiving module, adapted to receive a domain name and its corresponding IP address sent by the server side;
a legitimate IP address mapping table update module, adapted to update the legitimate IP address mapping table using the domain name and its corresponding IP address.
Optionally, the device further includes:
a DNS server address blacklist matching module, adapted to match the DNS server address of the current terminal against the DNS server addresses in a preset DNS server address blacklist;
a second DNS server address reset module, adapted to reset the DNS server address of the current terminal to the designated DNS server address when the match succeeds.
Optionally, the device further includes:
a DNS server address storing module, adapted to store the designated DNS server address in the DNS cache.
Optionally, the device further includes:
a DNS server address acquisition module, adapted to obtain the DNS server address of the peripheral device that provides the DHCP service when the current terminal uses a DHCP service;
a DNS server address blacklist matching module, adapted to match the DNS server address of the peripheral device against the DNS server addresses in the DNS server address blacklist;
a third DNS server address reset module, adapted to reset the DNS server address of the peripheral device to the designated DNS server address when the match succeeds.
Optionally, the device further includes:
an information upload module, adapted to upload the legitimate IP address and its corresponding domain name, the user ID of the current user, and the terminal identifier of the current terminal to the server side corresponding to the browser side.
Optionally, the device further includes:
an IP address acquisition module, adapted to obtain from the server side corresponding to the browser side, according to the load request and when a load request for a third webpage is received, the legitimate IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal, and the domain name of the third webpage.
According to another aspect of the present invention, a browser is provided, including:
a first DNS server address reset module, adapted to reset the original DNS server address of the current terminal to a designated DNS server address when the browser side detects a DNS resolution error for a first webpage;
a DNS resolution request module, adapted to send a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage, and the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
an IP address receiving module, adapted to receive the one or more IP addresses returned by the designated DNS server;
a first IP address extraction module, adapted to extract the legitimate IP addresses when the one or more IP addresses returned by the designated DNS server are verified to be legitimate.
When DNS resolution fails, in particular when the DNS server is temporarily unreachable, the present invention performs a second resolution against the designated DNS server to complete DNS resolution, which greatly increases the chance of successful DNS resolution and improves the user experience.
The present invention can store IP addresses that have passed the legitimacy check in a local cache on the browser side or on the server side, and load the webpage directly with the cached IP address when the user browses the webpage again, avoiding another DNS resolution, reducing the operating burden on the server, and improving the efficiency of webpage access.
By resetting a malicious DNS server address on the current terminal to the designated DNS server address, the present invention can effectively curb tampering with the client's DNS server address and reduce the network access risks, such as phishing and privacy theft, that wrongdoers bring to users by tampering with DNS server addresses, thereby improving the security of the user's Internet access.
The present invention can store IP addresses that have passed the legitimacy check, together with the terminal identifier, in the user's personal information on the server side, and obtain the corresponding IP address directly from the server side to load the webpage when the user browses it again, avoiding another DNS resolution, reducing the operating burden on the server, and improving the efficiency of webpage access. In addition, associating IP addresses according to the terminal identifier gives webpage access a higher success rate.
Moreover, because the IP addresses being accessed have undergone security identification, security is further improved.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be understood more clearly and implemented according to the content of the description, and in order that the above and other objects, features and advantages of the present invention may be more apparent, specific embodiments of the present invention are set out below.
Description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the present invention. Throughout the drawings, the same reference symbols denote the same parts. In the drawings:
Fig. 1 shows a flow chart of the steps of embodiment 1 of a DNS resolution method according to an embodiment of the present invention;
Fig. 2 shows a flow chart of the steps of embodiment 2 of a DNS resolution method according to an embodiment of the present invention;
Fig. 3 shows a flow chart of the steps of embodiment 3 of a DNS resolution method according to an embodiment of the present invention;
Fig. 4 shows a flow chart of the steps of embodiment 4 of a DNS resolution method according to an embodiment of the present invention; and
Fig. 5 shows an embodiment of a DNS resolution device according to an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be realized in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
To help those skilled in the art better understand the present application, the technology related to the Domain Name System (DNS) is explained below.
The Domain Name System (DNS) is a distributed database used by TCP (Transmission Control Protocol)/IP applications; it provides translation information between host names and IP addresses. Generally, network users communicate with the DNS server over UDP (User Datagram Protocol), and the server listens on port 53 and returns the relevant information the user needs.
DNS is divided into a Client and a Server. The Client plays the role of asking, that is, it asks the Server for the real IP address of a Domain Name, and the Server must answer with the real IP address of that Domain Name. Generally, the local DNS first checks its own information store; if its own information store has no real IP address for the Domain Name, it queries the DNS server configured on that DNS. After obtaining the real IP address of the Domain Name in this way, it stores the real IP address corresponding to the Domain Name and answers the client.
A DNS server records the name data under the domain it belongs to according to its authorized zones (Zone). This name data includes the subdomain names and host names under the domain. Each DNS name server has a cache (Cache). The main purpose of the cache is to record the names the name server has looked up and their corresponding IP addresses, so that the next time another client queries this server for the same name, the server does not need to look on other hosts; it can find the corresponding name record directly in the cache and return it to the client, which speeds up the client's name queries.
For example, when a DNS client queries a designated DNS server for a host name on the Internet, the DNS server looks for the name specified by the user in its information store. If the name is not there, the server checks whether its own cache holds a record for the name. If a corresponding name record is found, the DNS server returns the corresponding IP address directly to the client. If the name server cannot find the name in its data records and the cache has no corresponding name record either, the server queries other name servers for the requested name.
As another example, when a DNS client queries a designated DNS server for a host name on the Internet and the DNS server cannot find the name specified by the user in its data records, it turns to its cache to see whether the data is there. When the cache does not have it either, it asks the nearest name server to help find the IP address of the name. The other server performs the query with the same actions and, once the query succeeds, replies to the source server that originally requested the query. After receiving the result from the other DNS server, the source DNS server first records the queried host name and the corresponding IP address in its cache and finally returns the query result to the client.
Referring to Fig. 1, a flow chart of the steps of embodiment 1 of a DNS resolution method according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 101: when the browser side detects a DNS resolution error for a first webpage, reset the original DNS server address of the current terminal to a designated DNS server address.
In an implementation, the browser detects that the getaddrinfo function returns an error, which indicates a DNS resolution error. The error may specifically include:
1) The DNS server is set incorrectly;
2) The DNS server cannot be reached;
3) The DNS server cannot complete the resolution of a particular domain name.
It should be noted that the current terminal may be the device on which the browser runs; relative to the server, this device may be called the client. The original DNS server address may be the DNS server address configured on the current terminal. The designated DNS server address may be the address of a public DNS server that has passed checks for security, practicality and the like, for example the DNS server address "8.8.8.8" provided by one company, the DNS server address "114.114.114.114" provided by another company, and so on.
In a preferred embodiment of the present invention, step 101 may specifically include the following sub-steps:
Sub-step S11: match the address of the original DNS server of the current terminal against the DNS server addresses in a preset DNS server address whitelist;
Sub-step S12: when the match succeeds, reset the original DNS server address to the default DNS server address;
Sub-step S13: when the match fails, reset the original DNS server address to a DNS server address in the DNS server address whitelist.
In practical applications, the DNS server address whitelist may record the designated DNS server addresses. When the original DNS server address is one of the designated DNS server addresses stored in the DNS server address whitelist, the DNS server address has not been tampered with, and the original DNS server address of the current terminal may be reset to the default DNS server address. When the original DNS server address is not one of the designated DNS server addresses stored in the whitelist, the DNS server address has been tampered with and may be a malicious DNS server address, so the original DNS server address of the current terminal may be reset to a designated DNS server address, for example by resetting in order, resetting at random, and so on.
Step 102: send a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage; the designated DNS server is used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage.
In practical applications, the browser side may generate the DNS resolution request, which may include the domain name of the first webpage. When there is one designated DNS server, the DNS resolution request may be sent directly to that designated DNS server. When there are multiple designated DNS servers, the DNS resolution request may be sent to them asynchronously and concurrently through the I/O completion port mechanism.
On the Internet, what finally determines the location of the host serving a webpage is not the domain name, nor the computer's MAC address, but the IP address. The DNS service, also called the domain name service or domain name resolution service, provides the conversion between domain names and IP addresses; it can also be described as a correspondence (mapping). A DNS server generally holds a mapping table of domain names and IP addresses, so that whether the user enters a server name (equivalent to a domain name) or a server's IP address, it can be converted promptly and the corresponding server found. The service provided by a DNS server converts host names and domain names into IP addresses.
Connections between computers on a network are made through the unique IP address each computer has on the network, so a resolution step is needed between the address a user can easily remember and the IP address a computer can recognize. The DNS server plays this key role of address resolution.
Domain name resolution is divided into forward resolution and reverse resolution. Forward resolution is the process of translating a domain name into the corresponding IP address; it applies when a website's domain name is entered in the browser address bar. Reverse resolution is the process of converting an IP address into the corresponding domain name. Reverse resolution is not needed when accessing a website, even if what is entered in the browser address bar is the website server's IP address, because Internet hosts are located by IP address in the first place; it is needed only when multiple domain names are mapped to the same IP address. In addition, reverse resolution is often used by background programs, where the user does not see it.
Besides forward and reverse resolution, there is also a kind of resolution called the "recursive query". Its basic meaning is that when the correspondence between a domain name and an IP address cannot be found on one DNS server, the query automatically moves on to another DNS server. The other DNS server that the recursion reaches is usually the root DNS server of the corresponding domain. An Internet service provider offering Internet domain name resolution cannot, whether for performance or for security, have only one DNS server; instead it has one or two root DNS servers (two root DNS servers are usually mirrors of each other) with many sub DNS servers configured beneath them to balance the load (each sub DNS server copies its query information from the root DNS server). The root DNS server generally does not accept direct queries from users and accepts only recursive queries from the sub DNS servers, to guarantee the availability of the whole domain name server system.
When a user accesses a website, after the website address (which includes the domain name) has been entered, a preferred sub DNS server first attempts the resolution. If the IP address of the website is found in its mapping table of domain names and IP addresses, the website can be accessed immediately. If the current sub DNS server does not have the IP address for the domain name, it automatically forwards the query to the root DNS server. If the domain name belongs to the corresponding domain name service provider, the root DNS server can certainly return the corresponding domain name/IP address; if the website being accessed is not under that domain name service provider's domain names, the query is forwarded to the name server of the corresponding domain name service provider.
Step 103: receive the one or more IP addresses returned by the designated DNS server.
The Internet contains different network environments, such as telecom, Netcom, and the education network. So that DNS resolution can be provided across different network environments for websites on telecom, Netcom, and education network servers, letting telecom users access telecom servers, Netcom users access Netcom servers, and education network users access education network servers, and thus achieving interconnection, the name server of a domain name service provider usually sets multiple IP addresses for use in different network environments. In addition, to guard against failures such as downtime, the name server of the domain name service provider may also be given standby IP addresses. In practical applications, DNS round-robin (a load-balancing technique) can be used to map one domain name to multiple IP addresses.
Step 104: when the one or more IP addresses returned by the designated DNS server are verified to be legitimate, extract the legitimate IP addresses.
It should be noted that a legitimate IP address may be an IP address at which the webpage can be accessed normally.
In a preferred embodiment of the present invention, step 104 may specifically include the following sub-steps:
Sub-step S21: match the one or more IP addresses against a preset IP address whitelist;
Sub-step S22: when a match succeeds, extract the matched IP addresses;
and/or,
Sub-step S23: match the one or more IP addresses against a preset IP address blacklist;
Sub-step S24: when a match succeeds, extract the IP addresses other than the matched IP addresses.
Not every IP address can be accessed normally in every network environment; for example, there may be high access latency, access timeouts, or connection failures. A fault in the domain name service provider's name server, among other situations, can also leave an IP address unusable for normal access. For this reason, an IP address whitelist may be set to record the IP addresses that can be used normally in the different network environments, and an IP address blacklist may be set to record the IP addresses that cannot be used normally in the different network environments. The IP address whitelist and the IP address blacklist may be used separately or together; the embodiments of the present invention place no limitation on this.
After a legitimate IP address has been extracted, it can be accessed to load the first webpage.
When DNS resolution fails, in particular when the DNS server is temporarily unreachable, the present invention performs a second resolution against the designated DNS server to complete DNS resolution, which greatly increases the chance of successful DNS resolution and improves the user experience.
To make those skilled in the art more fully understand the application, carry out in a Chrome browser presented below preset Dns server address handover operation example come illustrate the present invention carrying out practically process.
(1), the domain name mapping of the first webpage is asked using getaddrinfo functions to original dns server;
(2), when parsing failure, the dns server request specified to carries out the secondary parsing of the first webpage, specifically DnsQuery API can be used(One general-purpose interface that name server is called by BIND analysis programs storehouse, the program Support carrys out nslookup server using some inquiry operation codes.)To complete.Wherein, the parameter for parsing is done, specific example can be with It is as follows:
Wherein, PVOID pExtra can be used for configuring the dns server specified, and specifically, can adopt dns server Address white list completes parsing.
Referring to Fig. 2, a flow chart of the steps of embodiment 2 of a DNS resolution method according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 201: when the browser side detects a DNS resolution error for the first webpage, reset the original DNS server address of the current terminal to the specified DNS server address;
Step 202: send a DNS resolution request for the first webpage to the specified DNS server address, the DNS resolution request including the domain name of the first webpage; the specified DNS server is used to resolve, according to the DNS resolution request, the one or more IP addresses corresponding to the domain name of the first webpage;
Step 203: receive the one or more IP addresses returned by the specified DNS server;
Step 204: when the one or more IP addresses returned by the specified DNS server are verified to be legal, extract the legal IP addresses;
Step 205: generate or update a legitimate IP address mapping table using the legal IP address and its corresponding domain name;
In the embodiment of the present invention, the result of the verification (i.e. the legal IP address and its corresponding domain name) can be cached locally and used directly the next time DNS resolution is performed for that webpage.
When a verification result is cached locally for the first time, a new legitimate IP address mapping table is generated; when a verification result is cached locally again, the existing legitimate IP address mapping table is updated.
Step 206: receive a domain name and its corresponding IP address sent by the server side;
With the embodiment of the present invention, the DNS resolution service provided by the server side corresponding to the browser side can collect the legal IP addresses of webpages such as hot, popular and commonly used ones, and then send them to the browser side.
Step 207: update the legitimate IP address mapping table using the domain name and its corresponding IP address;
The browser side can use the domain name and its corresponding IP address sent by the server side to supplement the legitimate IP address mapping table.
Step 208: when a load request for a second webpage is received, extract the domain name in the load request;
It should be noted that the load request for the second webpage can be a load request other than the load request for the first webpage, and the second webpage can be the same as or different from the first webpage. Similarly, the load request for the second webpage can include the domain name of the second webpage.
Step 209: match the domain name in the load request against the domain names in the legitimate IP address mapping table;
Step 210: when the match succeeds, extract the legal IP address corresponding to the domain name.
The extracted domain name of the second webpage is matched against the domain names in the legitimate IP address mapping table. A successful match shows that the IP address of the second webpage has already passed a legitimacy verification (performed either by the browser side or by the server side corresponding to the browser side), so the second webpage can be loaded directly using the IP address recorded in the legitimate IP address mapping table.
The present invention can store IP addresses that have passed legitimacy verification in a local cache on the browser side or on the server side, and load the webpage directly using the IP address in the cache when the user browses the webpage again. This avoids performing DNS resolution again, reduces the operating burden on the server and improves the efficiency of webpage access.
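The flow of steps 201 to 210, together with the whitelist/blacklist check of sub-steps S21 to S24, can be sketched as follows. This is an added example, not code from the patent; the function and class names, the CIDR form of the lists and the injectable resolver callables are assumptions made so that the logic runs offline, and all addresses in the demo are constructed documentation addresses.

```python
import ipaddress
import socket


def system_resolver(domain):
    """Step (1): resolve through the terminal's original DNS using getaddrinfo."""
    infos = socket.getaddrinfo(domain, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _matches(ip, networks):
    """True if ip lies inside any listed network (ValueError if ip is malformed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def filter_legal(ips, whitelist=None, blacklist=None):
    """Sub-steps S21-S24: keep whitelist hits and/or drop blacklist hits.

    Either list may be omitted, mirroring the 'and/or' in the text.
    Answers that are not valid IP literals are discarded.
    """
    allow = None if whitelist is None else [ipaddress.ip_network(n) for n in whitelist]
    deny = [ipaddress.ip_network(n) for n in (blacklist or [])]
    legal = []
    for ip in ips:
        try:
            if allow is not None and not _matches(ip, allow):
                continue
            if _matches(ip, deny):
                continue
        except ValueError:
            continue
        legal.append(ip)
    return legal


class LegalIPTable:
    """Legitimate IP address mapping table (steps 205, 207, 209, 210)."""

    def __init__(self):
        self._entries = {}

    def update(self, domain, ips):
        # First call for a domain generates the entry, later calls merge into it.
        if not ips:
            return
        known = self._entries.setdefault(domain.lower(), [])
        known.extend(ip for ip in ips if ip not in known)

    def lookup(self, domain):
        return list(self._entries.get(domain.lower(), []))


def resolve_for_load(domain, table, original, specified,
                     whitelist=None, blacklist=None):
    """Return (ips, source) for a page load.

    original / specified are callables taking a domain and returning a list
    of IP strings, raising OSError on failure (socket.gaierror is an OSError).
    """
    cached = table.lookup(domain)             # steps 208-210
    if cached:
        return cached, "table"
    try:
        answers = original(domain)            # normal resolution
        if answers:
            return answers, "original"
    except OSError:
        pass                                  # resolution error detected (step 201)
    try:
        answers = specified(domain)           # steps 202-203
    except OSError:
        answers = []
    legal = filter_legal(answers, whitelist, blacklist)   # step 204
    table.update(domain, legal)               # step 205
    return legal, "specified"


if __name__ == "__main__":
    def failing(domain):                      # constructed: original DNS is down
        raise OSError("resolution failed")

    def fallback(domain):                     # constructed answers from the specified DNS
        return ["203.0.113.10", "198.51.100.7", "not-an-ip"]

    table = LegalIPTable()
    print(resolve_for_load("example.test", table, failing, fallback,
                           whitelist=["203.0.113.0/24", "198.51.100.0/24"],
                           blacklist=["198.51.100.7"]))
    print(resolve_for_load("example.test", table, failing, failing))
```

Only answers obtained through the secondary resolution pass through the legality check and enter the table; answers from the original DNS server are returned as received, as in the flow described above.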
Referring to Fig. 3, a flow chart of the steps of embodiment 3 of a DNS resolution method according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 301: when the browser side detects a DNS resolution error for the first webpage, reset the original DNS server address of the current terminal to the specified DNS server address;
Step 302: send a DNS resolution request for the first webpage to the specified DNS server address, the DNS resolution request including the domain name of the first webpage; the specified DNS server is used to resolve, according to the DNS resolution request, the one or more IP addresses corresponding to the domain name of the first webpage;
Step 303: receive the one or more IP addresses returned by the specified DNS server;
Step 304: when the one or more IP addresses returned by the specified DNS server are verified to be legal, extract the legal IP addresses;
Step 305: match the DNS server address of the current terminal against the DNS server addresses in a preset DNS server address blacklist;
In practice, attackers often tamper with the DNS server address configured on the client, changing it to a malicious DNS server address. Through the malicious DNS server, attackers can resolve a normal web address to a phishing website or to a host under their control, in order to defraud users of their property or steal their private information.
The DNS server address blacklist can be a list of malicious DNS server addresses collected in advance. For example, it can be a set of illegal DNS server addresses collected in advance by a security vendor; the list collected in advance can be a malicious DNS server address list already held in the client database, or a malicious DNS server address list downloaded from a website into the client database.
Step 306: when the match succeeds, reset the DNS server address of the current terminal to the specified DNS server address;
If the match succeeds, the client's DNS server address is a malicious DNS server address, and the malicious DNS server address is changed to the specified DNS server address, for example by modifying the registry key value so that it points to a legal DNS server address. If the match fails, the DNS server address is let through and the corresponding website can be accessed.
Step 307: store the specified DNS server address in the DNS cache;
Restarting the DNS cache (the DNS client service) is equivalent to updating the DNS cache, so that the specified DNS server address is stored in the DNS cache.
If a malicious DNS server address is stored in the DNS cache, it can be updated to the specified DNS server address. The DNS cache temporarily holds the DNS server address after the first resolution; when the user makes another request, DNS can obtain the DNS server address directly from the DNS cache, which improves domain name query efficiency.
Specifically, when the next DNS resolution request arrives, a corresponding function can be called to query whether the DNS server address corresponding to the DNS resolution request is in the local cache. If it is found, the resolution data, which is stored encrypted, is decrypted and returned to the user; if it is not found, a resolution request is made to the DNS server. Because it is harder for a malicious program to attack memory than to attack a file, placing the cache in memory meets the response requirements of cached DNS resolution while avoiding attacks on the cache by malicious programs.
Step 308: when the current terminal uses the DHCP service, obtain the DNS server address of the peripheral device that provides the DHCP service;
At present, peripheral devices that provide the DHCP (Dynamic Host Configuration Protocol) service are increasingly common. The peripheral devices providing the DHCP service referred to in the embodiment of the present invention include but are not limited to routers (including but not limited to wireless routers, intelligent flow-control routers, dynamic rate-limiting routers, virtual routers and broadband routers) and gateways. A router can perform functions such as addressing, route selection, segmentation/reassembly, store-and-forward and packet filtering. More and more homes and enterprises use routers to interconnect their networks. However, a large number of users still configure their routers with the default user name and password provided by the manufacturer, which is a security vulnerability. An attacker can then easily tamper with any setting on the router, including the DNS setting, so every client connected to a router whose settings have been tampered with is at risk. In practice, attackers often change the DNS server address configured on the router to a malicious DNS server address, so that the malicious DNS server resolves normal web addresses to a phishing website or to a host under the attacker's control, in order to defraud users of their property or steal their private information.
In a specific implementation, whether the client uses the DHCP service can be determined by obtaining the network interface ID in the client's registry. Because the registry records the exact DHCP server IP address, this approach determines accurately whether the client uses the DHCP service. For example, the value of HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\EnableDHCP in the client's registry can be read to check whether the DHCP service is used on the network interface. Normally, a value of 1 in EnableDHCP indicates that the DHCP service is used on the network interface, which means the client's DNS configuration was obtained from the DHCP service.
In addition, whether the client uses the DHCP service can be determined by obtaining the DNS server address that the network equipment vendor provides for the peripheral device with the DHCP function. Taking a router as an example of such a device, the default DNS server address of the routers supplied by some manufacturers is 192.168.0.1 or 192.168.1.1, etc. Checking the router's default DNS server address can therefore also determine whether the client uses the DHCP service.
Furthermore, whether the client uses the DHCP service can be determined by obtaining the IP address pointed to by the client's gateway.
In a preferred embodiment of the present invention, step 308 can specifically include the following sub-steps:
Sub-step S31: when the current terminal uses the DHCP service, obtain from the registry of the current terminal the IP address of the peripheral device providing the DHCP service;
In practice, the IP address of the peripheral device providing the DHCP service can be read from HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID}\DhcpServer in the registry.
Sub-step S32: establish a network connection between the current terminal and the IP address of the peripheral device, and obtain the model of the peripheral device providing the DHCP service from the HTTP header data in the packet returned over the connection;
In practice, a connection can be made to the IP address of the peripheral device providing the DHCP service (for example: http://RouterIP), and the packet returned from that address is received. The returned packet includes HTTP header data, and the HTTP header data includes the model of the peripheral device with the DHCP function. Taking a TP-LINK R860 router as an example, the HTTP header data of the returned packet includes: WWW-Authenticate: Basic realm="TP-LINK Router R860", from which the model of the router can be obtained.
Sub-step S33: using the IP address and model of the peripheral device, access the DHCP configuration page of the peripheral device and obtain the DNS server address of the peripheral device from the configuration page.
Using the obtained IP address of the network access device providing the DHCP service and the model of the peripheral device providing the DHCP service, together with the corresponding user name and password, the DHCP configuration page of the peripheral device providing the DHCP service can be accessed. For example, for a TP-LINK router the user name and password are both admin, and the DHCP configuration page accessed is http://192.168.1.1/userRpm/LanDhcpServerRpm.htm, from which the DNS IP address of the router can be obtained.
Step 309: match the DNS server address of the peripheral device against the DNS server addresses in the DNS server address blacklist;
In the embodiment of the present invention, the DNS server address of the peripheral device needs to undergo a legitimacy check; specifically, it can be matched against malicious DNS server addresses using the DNS server address blacklist.
Step 310: when the match succeeds, reset the DNS server address of the peripheral device to the specified DNS server address.
Specifically, the specified DNS server address can be sent to the peripheral device providing the DHCP service; in response, the peripheral device changes its DNS server address to the specified DNS server address. The specified DNS server address can be built into specific data before it is sent. More specifically, because the configuration pages for the DNS server address differ between the peripheral devices produced by different manufacturers, the specified DNS server address needs to be built into data that matches the device (for example, its configuration page). That data is then sent to the peripheral device providing the DHCP service, and after receiving it the network access device providing the DHCP service automatically changes the malicious DNS server address to the specified DNS server address.
Taking a router as an example, this modification can take the form of a change made through a webpage. Specifically, the client submits the configuration page through the browser; after the router receives the configuration page, the processor in the router runs the software that configures and manages the router and automatically changes the malicious DNS server address to a legal DNS server address.
Taking a TP-LINK router as an example, the specified router DNS server address is sent to: http://192.168.1.1/userRpm/LanDhcpServerRpm.htm?dhcpserver=1&ip1=192.168.1.100&ip2=192.168.1.199&Lease=120&gateway=0.0.0.0&domain=&dnsserver=101.226.4.6&dnsserver2=8.8.8.8&Submit=%B1%A3+%B4%E6, so that the DNS server address configured on the router is changed and restored to normal.
By resetting the malicious DNS server address of the current terminal to the specified DNS server address, the present invention can effectively curb tampering with the client's DNS server address and reduce the network access risks, such as phishing and theft of private information, that attackers bring to users by tampering with DNS server addresses, thereby improving the security of users' Internet access.
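The decision logic of steps 305 to 310 can be expressed as an audit over the interface values named above. This is an added example, not code from the patent: the function names and the action records are hypothetical, the input dictionary stands in for the registry values EnableDHCP and DhcpServer from the text plus the Windows values NameServer and DhcpNameServer (assumed here, with a static NameServer taking precedence over the leased one), and the blacklist entries and specified DNS address are constructed.

```python
import ipaddress


def split_servers(value):
    """Split a registry-style DNS list ("a b" or "a,b") into addresses."""
    return (value or "").replace(",", " ").split()


def blacklisted(servers, blacklist):
    """Return the servers that fall inside any blacklist entry (address or CIDR)."""
    nets = [ipaddress.ip_network(entry) for entry in blacklist]
    hits = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue  # not an IP literal, nothing to match
        if any(addr in net for net in nets):
            hits.append(server)
    return hits


def audit_dns_settings(iface, device_dns, blacklist, specified_dns):
    """Plan the resets described in steps 305-310.

    iface       dict of interface values (EnableDHCP, DhcpServer,
                NameServer, DhcpNameServer)
    device_dns  DNS servers configured on the DHCP device, or None if
                they could not be read
    Returns a list of action records; an empty list means nothing matched.
    """
    static = split_servers(iface.get("NameServer"))
    leased = split_servers(iface.get("DhcpNameServer"))
    terminal, source = (static, "static") if static else (leased, "dhcp")

    actions = []
    bad = blacklisted(terminal, blacklist)            # step 305
    if bad:                                           # step 306
        actions.append({"target": "terminal", "source": source,
                        "bad": bad, "reset_to": specified_dns})

    # Steps 308-310 apply only when the interface really uses DHCP.
    uses_dhcp = iface.get("EnableDHCP") == 1 and bool(iface.get("DhcpServer"))
    if uses_dhcp and device_dns:
        bad = blacklisted(device_dns, blacklist)      # step 309
        if bad:                                       # step 310
            actions.append({"target": "peripheral",
                            "device": iface["DhcpServer"],
                            "bad": bad, "reset_to": specified_dns})
    return actions


# Constructed sample data (documentation address ranges, not real indicators).
SAMPLE_BLACKLIST = ["203.0.113.0/24"]
SAMPLE_SPECIFIED_DNS = "198.51.100.53"
SAMPLE_IFACE = {
    "EnableDHCP": 1,
    "DhcpServer": "192.168.1.1",
    "NameServer": "",
    "DhcpNameServer": "203.0.113.53 192.168.1.1",
}

if __name__ == "__main__":
    for action in audit_dns_settings(SAMPLE_IFACE, ["203.0.113.53", "8.8.8.8"],
                                     SAMPLE_BLACKLIST, SAMPLE_SPECIFIED_DNS):
        print(action)
```

When the terminal action reports the source as dhcp, the bad address came from the device's lease, so the peripheral action is the one that protects the other clients on the same network.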
Referring to Fig. 4, a flow chart of the steps of embodiment 4 of a DNS resolution method according to an embodiment of the present invention is shown, which may specifically include the following steps:
Step 401: when the browser side detects a DNS resolution error for the first webpage, reset the original DNS server address of the current terminal to the specified DNS server address;
Step 402: send a DNS resolution request for the first webpage to the specified DNS server address, the DNS resolution request including the domain name of the first webpage; the specified DNS server is used to resolve, according to the DNS resolution request, the one or more IP addresses corresponding to the domain name of the first webpage;
Step 403: receive the one or more IP addresses returned by the specified DNS server;
Step 404: when the one or more IP addresses returned by the specified DNS server are verified to be legal, extract the legal IP addresses;
Step 405: upload the legal IP address and its corresponding domain name, the user ID of the current user and the terminal identifier of the current terminal to the server side corresponding to the browser side;
In the embodiment of the present invention, the legal IP address and its corresponding domain name can be bound together with the terminal identifier of the current terminal and then uploaded with the personal information of the browser user, so that on the specified device the user can automatically call up the resolution result for IP address resolution.
Specifically, the terminal identifier can have different meanings in different application scenarios. For example, for ordinary wired Internet access, the terminal identifier can be the terminal device number (such as the device number of a computer) + static IP address; for a WIFI (wireless network communication technology) scenario, the terminal identifier can be the terminal device number (such as the device number of a mobile phone, PAD or similar device) + the device number of the WIFI access device + static IP address, and so on.
Step 406: when a load request for a third webpage is received, obtain from the server side corresponding to the browser side, according to the load request, the legal IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal and the indicated domain name of the third webpage.
It should be noted that the load request for the third webpage can be a load request other than the load request for the first webpage, and the third webpage can be the same as or different from the first webpage.
Similarly, the load request for the third webpage can include the domain name of the third webpage. Specifically, the browser side can request the legal IP address from the server side, the request including the user ID of the current user, the terminal identifier of the current terminal and the indicated domain name of the corresponding third webpage; the server side looks up, according to the request, the legal IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal and the indicated domain name of the corresponding third webpage, and then sends it to the browser side.
When the browser side obtains the legal IP address, it can access the legal IP address and load the third webpage.
The present invention can store IP addresses that have passed legitimacy verification, together with the terminal identifier, in the user's personal information on the server side; when the user browses the webpage again, the corresponding IP address is obtained directly from the server side to load the webpage, which avoids performing DNS resolution again, reduces the operating burden on the server and improves the efficiency of webpage access. In addition, associating IP addresses with the terminal identifier gives webpage access a higher success rate.
It should be noted that, for brevity, the method embodiments are described as a series of combined actions, but those skilled in the art should understand that the application is not limited by the described order of actions, because according to the application some steps can be performed in another order or simultaneously. Those skilled in the art should also understand that the embodiments described in the specification are preferred embodiments, and the actions involved are not necessarily required by the application.
Referring to Fig. 5, an embodiment of a DNS resolution device according to an embodiment of the present invention is shown, which may specifically include the following modules:
A first DNS server address reset module 501, adapted to reset the original DNS server address of the current terminal to the specified DNS server address when the browser side detects a DNS resolution error for the first webpage;
A DNS resolution request module 502, adapted to send a DNS resolution request for the first webpage to the specified DNS server address, the DNS resolution request including the domain name of the first webpage; the specified DNS server is used to resolve, according to the DNS resolution request, the one or more IP addresses corresponding to the domain name of the first webpage;
An IP address receiving module 503, adapted to receive the one or more IP addresses returned by the specified DNS server;
A first IP address extraction module 504, adapted to extract the legal IP addresses when the one or more IP addresses returned by the specified DNS server are verified to be legal.
In a preferred embodiment of the present invention, the DNS server address reset module can be further adapted to:
match the address of the original DNS server of the current terminal against the DNS server addresses in a preset DNS server address whitelist;
when the match succeeds, reset the original DNS server address to the default DNS server address;
when the match fails, reset the original DNS server address to a DNS server address in the DNS server address whitelist.
In a preferred embodiment of the present invention, the legitimate IP address extraction module can be further adapted to:
match the one or more IP addresses against a preset IP address whitelist;
when the match succeeds, extract the IP addresses that matched;
and/or,
match the one or more IP addresses against a preset IP address blacklist;
when the match succeeds, extract the IP addresses other than those that matched.
In a preferred embodiment of the present invention, the device can further include the following module:
A legitimate IP address mapping table management module, adapted to generate or update a legitimate IP address mapping table using the legal IP address and its corresponding domain name.
In a preferred embodiment of the present invention, the device can further include the following modules:
A domain name extraction module, adapted to extract the domain name in the load request when a load request for a second webpage is received;
A domain name matching module, adapted to match the domain name in the load request against the domain names in the legitimate IP address mapping table;
A second IP address extraction module, adapted to extract the legal IP address corresponding to the domain name when the match succeeds.
In a preferred embodiment of the present invention, the device can further include the following modules:
A domain name and IP address receiving module, adapted to receive a domain name and its corresponding IP address sent by the server side;
A legitimate IP address mapping table update module, adapted to update the legitimate IP address mapping table using the domain name and its corresponding IP address.
In a preferred embodiment of the present invention, the device can further include the following modules:
A DNS server address blacklist matching module, adapted to match the DNS server address of the current terminal against the DNS server addresses in a preset DNS server address blacklist;
A second DNS server address reset module, adapted to reset the DNS server address of the current terminal to the specified DNS server address when the match succeeds.
In a preferred embodiment of the present invention, the device can further include the following module:
A DNS server address storing module, adapted to store the specified DNS server address in the DNS cache.
In a preferred embodiment of the present invention, the device can further include the following modules:
A DNS server address acquisition module, adapted to obtain the DNS server address of the peripheral device providing the DHCP service when the current terminal uses the DHCP service;
A DNS server address blacklist matching module, adapted to match the DNS server address of the peripheral device against the DNS server addresses in the DNS server address blacklist;
A third DNS server address reset module, adapted to reset the DNS server address of the peripheral device to the specified DNS server address when the match succeeds.
In a preferred embodiment of the present invention, the device can further include the following module:
An information upload module, adapted to upload the legal IP address and its corresponding domain name, the user ID of the current user and the terminal identifier of the current terminal to the server side corresponding to the browser side.
In a preferred embodiment of the present invention, the device can further include the following module:
An IP address acquisition module, adapted to obtain from the server side corresponding to the browser side, according to the load request when a load request for a third webpage is received, the legal IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal and the indicated domain name of the third webpage.
Because the device embodiment is basically similar to the method embodiments, it is described relatively briefly; for relevant details, refer to the description of the method embodiments.
The invention also discloses a browser, which may specifically include the following modules:
A first DNS server address reset module, adapted to reset the original DNS server address of the current terminal to the specified DNS server address when the browser side detects a DNS resolution error for the first webpage;
A DNS resolution request module, adapted to send a DNS resolution request for the first webpage to the specified DNS server address, the DNS resolution request including the domain name of the first webpage; the specified DNS server is used to resolve, according to the DNS resolution request, the one or more IP addresses corresponding to the domain name of the first webpage;
An IP address receiving module, adapted to receive the one or more IP addresses returned by the specified DNS server;
A first IP address extraction module, adapted to extract the legal IP addresses when the one or more IP addresses returned by the specified DNS server are verified to be legal.
In a preferred embodiment of the present invention, the DNS server address reset module can be further adapted to:
match the address of the original DNS server of the current terminal against the DNS server addresses in a preset DNS server address whitelist;
when the match succeeds, reset the original DNS server address to the default DNS server address;
when the match fails, reset the original DNS server address to a DNS server address in the DNS server address whitelist.
In a preferred embodiment of the present invention, the legitimate IP address extraction module can be further adapted to:
match the one or more IP addresses against a preset IP address whitelist;
when the match succeeds, extract the IP addresses that matched;
and/or,
match the one or more IP addresses against a preset IP address blacklist;
when the match succeeds, extract the IP addresses other than those that matched.
In a preferred embodiment of the present invention, the browser can further include the following module:
A legitimate IP address mapping table management module, adapted to generate or update a legitimate IP address mapping table using the legal IP address and its corresponding domain name.
In a preferred embodiment of the present invention, the browser can further include the following modules:
A domain name extraction module, adapted to extract the domain name in the load request when a load request for a second webpage is received;
A domain name matching module, adapted to match the domain name in the load request against the domain names in the legitimate IP address mapping table;
A second IP address extraction module, adapted to extract the legal IP address corresponding to the domain name when the match succeeds.
In a preferred embodiment of the present invention, the browser can further include the following modules:
A domain name and IP address receiving module, adapted to receive a domain name and its corresponding IP address sent by the server side;
A legitimate IP address mapping table update module, adapted to update the legitimate IP address mapping table using the domain name and its corresponding IP address.
In a preferred embodiment of the present invention, the browser can further include the following modules:
A DNS server address blacklist matching module, adapted to match the DNS server address of the current terminal against the DNS server addresses in a preset DNS server address blacklist;
A second DNS server address reset module, adapted to reset the DNS server address of the current terminal to the specified DNS server address when the match succeeds.
In a preferred embodiment of the present invention, the browser can further include the following module:
A DNS server address storing module, adapted to store the specified DNS server address in the DNS cache.
In a preferred embodiment of the present invention, the browser can further include the following modules:
A DNS server address acquisition module, adapted to obtain the DNS server address of the peripheral device providing the DHCP service when the current terminal uses the DHCP service;
A DNS server address blacklist matching module, adapted to match the DNS server address of the peripheral device against the DNS server addresses in the DNS server address blacklist;
A third DNS server address reset module, adapted to reset the DNS server address of the peripheral device to the specified DNS server address when the match succeeds.
In a preferred embodiment of the present invention, the browser can further include the following module:
An information upload module, adapted to upload the legal IP address and its corresponding domain name, the user ID of the current user and the terminal identifier of the current terminal to the server side corresponding to the browser side.
In a preferred embodiment of the present invention, the browser can further include the following module:
An IP address acquisition module, adapted to obtain from the server side corresponding to the browser side, according to the load request when a load request for a third webpage is received, the legal IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal and the indicated domain name of the third webpage.
Because the browser embodiment is basically similar to the method embodiments, it is described relatively briefly; for relevant details, refer to the description of the method embodiments.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the description of a specific language above is given to disclose the best mode of the invention.
Numerous specific details are set forth in the description provided herein. It should be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures, and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into that detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and may furthermore be divided into a plurality of sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract, and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract, and drawings) may be replaced by an alternative feature serving the same, equivalent, or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the DNS resolution device according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, and third does not indicate any order. These words may be interpreted as names.
The invention discloses A1. A DNS resolution method, comprising:
when the browser side detects a DNS resolution error for a first webpage, resetting the original DNS server address of the current terminal to a designated DNS server address;
sending a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage; the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
receiving the one or more IP addresses returned by the designated DNS server;
when the one or more IP addresses returned by the designated DNS server are verified to be legitimate, extracting the legitimate IP address.
A2. The method of A1, wherein the step of resetting the original DNS server address of the current terminal to the designated DNS server address comprises:
matching the address of the original DNS server of the current terminal against a preset DNS server address whitelist;
when the match succeeds, resetting the original DNS server address to a default DNS server address;
when the match fails, resetting the original DNS server address to a DNS server address in the DNS server address whitelist.
A3. The method of A1, wherein the step of extracting the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate comprises:
matching the one or more IP addresses against a preset IP address whitelist;
when the match succeeds, extracting the IP addresses that matched;
and/or,
matching the one or more IP addresses against a preset IP address blacklist;
when the match succeeds, extracting the IP addresses other than those that matched.
A4. The method of A1, further comprising, after the step of extracting the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate:
generating or updating a legitimate IP address mapping table using the legitimate IP address and its corresponding domain name.
A5. The method of A4, further comprising:
when a loading request for a second webpage is received, extracting the domain name in the loading request;
matching the domain name in the loading request against the legitimate IP address mapping table;
when the match succeeds, extracting the legitimate IP address corresponding to the domain name.
A6. The method of A4, further comprising:
receiving a domain name and its corresponding IP address sent by the server side;
updating the legitimate IP address mapping table using the domain name and its corresponding IP address.
A7. The method of A1, A2, A3 or A4, further comprising, after the step of extracting the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate:
matching the DNS server address of the current terminal against a preset DNS server address blacklist;
when the match succeeds, resetting the DNS server address of the current terminal to the designated DNS server address.
A8. The method of A7, further comprising:
storing the designated DNS server address in the DNS cache.
A9. The method of A7, further comprising:
when the current terminal uses a DHCP service, obtaining the DNS server address of the peripheral device that provides the DHCP service;
matching the DNS server address of the peripheral device against the DNS server address blacklist;
when the match succeeds, resetting the DNS server address of the peripheral device to the designated DNS server address.
A10. The method of A1 or A3, further comprising:
uploading the legitimate IP address and its corresponding domain name, the user ID of the current user, and the terminal identifier of the current terminal to the server side corresponding to the browser side.
A11. The method of A10, further comprising:
when a loading request for a third webpage is received, obtaining, according to the loading request and from the server side corresponding to the browser side, the legitimate IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal, and the domain name of the indicated third webpage.
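The following sketch is an added illustration, not code from the patent, of the fallback flow in A1 to A5 and the blacklist check in A7: it picks the designated server, filters the returned addresses, and records the survivors in the legitimate IP address mapping table. The function names, the use of CIDR ranges in the lists, the rule that an address must pass both lists when both are supplied, the injected `query` callable, and every address shown are assumptions; the sample values are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data from documentation address ranges; none of it is from the patent.
DEFAULT_DNS = "192.0.2.53"                             # "default" DNS server (A2)
DNS_WHITELIST = ["192.0.2.54", "192.0.2.53"]           # DNS server address whitelist (A2)
DNS_BLACKLIST = ["203.0.113.66"]                       # DNS server address blacklist (A7)
IP_WHITELIST = ["198.51.100.0/24", "2001:db8:1::/48"]  # IP address whitelist (A3)
IP_BLACKLIST = ["198.51.100.200", "203.0.113.0/24"]    # IP address blacklist (A3)


def _listed(addr, entries):
    """True if addr falls in any entry; a bare address is a single-host network."""
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


def choose_designated_dns(original_dns):
    """A2: whitelist hit -> default server; miss -> a server from the whitelist."""
    if _listed(ipaddress.ip_address(original_dns), DNS_WHITELIST):
        return DEFAULT_DNS
    return DNS_WHITELIST[0]


def enforce_dns_blacklist(current_dns):
    """A7: replace a blacklisted terminal DNS server, otherwise keep it."""
    if _listed(ipaddress.ip_address(current_dns), DNS_BLACKLIST):
        return choose_designated_dns(current_dns)
    return current_dns


def extract_legitimate_ips(returned, whitelist=None, blacklist=None):
    """A3: keep whitelist hits and/or drop blacklist hits.

    Assumption: when both lists are given, an address must pass both.
    """
    if whitelist is None and blacklist is None:
        raise ValueError("at least one of whitelist/blacklist is required")
    legit = []
    for raw in returned:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # a malformed answer is never treated as legitimate
        if whitelist is not None and not _listed(addr, whitelist):
            continue
        if blacklist is not None and _listed(addr, blacklist):
            continue
        if str(addr) not in legit:
            legit.append(str(addr))
    return legit


class FallbackResolver:
    """A1 flow plus the legitimate IP address mapping table of A4/A5."""

    def __init__(self, query):
        self.query = query  # callable(server, domain) -> list of IP strings
        self.table = {}     # domain -> legitimate IP addresses (A4)

    @staticmethod
    def _key(domain):
        return domain.strip().rstrip(".").lower()

    def on_resolution_error(self, domain, original_dns):
        """A1: switch server, re-query, verify, and record what survives."""
        server = choose_designated_dns(original_dns)
        answers = self.query(server, domain)
        legit = extract_legitimate_ips(answers, IP_WHITELIST, IP_BLACKLIST)
        if legit:  # never cache an empty or fully rejected answer
            self.table[self._key(domain)] = legit
        return server, legit

    def lookup(self, domain):
        """A5: serve a later loading request from the mapping table."""
        return self.table.get(self._key(domain), [])


def fake_query(server, domain):
    """Constructed stand-in for the designated server's answer (no network I/O)."""
    answers = {
        "www.example.com": ["198.51.100.10", "198.51.100.200",
                            "203.0.113.5", "not-an-ip"],
        "bad.example.net": ["203.0.113.9"],
    }
    return answers.get(domain.rstrip(".").lower(), [])


if __name__ == "__main__":
    resolver = FallbackResolver(fake_query)
    print(resolver.on_resolution_error("WWW.Example.com.", "10.0.0.1"))
    print(resolver.lookup("www.example.com"))
```

Only addresses that survive verification reach the mapping table, so a rejected answer for one domain cannot be served to a later loading request.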
The invention also discloses B12. A DNS resolution device, comprising:
a first DNS server address reset module, adapted to reset the original DNS server address of the current terminal to a designated DNS server address when the browser side detects a DNS resolution error for a first webpage;
a DNS resolution request module, adapted to send a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage; the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
an IP address receiving module, adapted to receive the one or more IP addresses returned by the designated DNS server;
a first IP address extraction module, adapted to extract the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate.
B13. The device of B12, wherein the DNS server address reset module is further adapted to:
match the address of the original DNS server of the current terminal against a preset DNS server address whitelist;
when the match succeeds, reset the original DNS server address to a default DNS server address;
when the match fails, reset the original DNS server address to a DNS server address in the DNS server address whitelist.
B14. The device of B12, wherein the legitimate IP address extraction module is further adapted to:
match the one or more IP addresses against a preset IP address whitelist;
when the match succeeds, extract the IP addresses that matched;
and/or,
match the one or more IP addresses against a preset IP address blacklist;
when the match succeeds, extract the IP addresses other than those that matched.
B15. The device of B12, further comprising:
a legitimate IP address mapping table management module, adapted to generate or update a legitimate IP address mapping table using the legitimate IP address and its corresponding domain name.
B16. The device of B15, further comprising:
a domain name extraction module, adapted to extract the domain name in a loading request when the loading request for a second webpage is received;
a domain name matching module, adapted to match the domain name in the loading request against the legitimate IP address mapping table;
a second IP address extraction module, adapted to extract the legitimate IP address corresponding to the domain name when the match succeeds.
B17. The device of B15, further comprising:
a domain name and IP address receiving module, adapted to receive a domain name and its corresponding IP address sent by the server side;
a legitimate IP address mapping table update module, adapted to update the legitimate IP address mapping table using the domain name and its corresponding IP address.
B18. The device of B12, B13, B14 or B15, further comprising:
a DNS server address blacklist matching module, adapted to match the DNS server address of the current terminal against a preset DNS server address blacklist;
a second DNS server address reset module, adapted to reset the DNS server address of the current terminal to the designated DNS server address when the match succeeds.
B19. The device of B18, further comprising:
a DNS server address storage module, adapted to store the designated DNS server address in the DNS cache.
B20. The device of B18, further comprising:
a DNS server address acquisition module, adapted to obtain, when the current terminal uses a DHCP service, the DNS server address of the peripheral device that provides the DHCP service;
a DNS server address blacklist matching module, adapted to match the DNS server address of the peripheral device against the DNS server address blacklist;
a third DNS server address reset module, adapted to reset the DNS server address of the peripheral device to the designated DNS server address when the match succeeds.
B21. The device of B12 or B14, further comprising:
an information upload module, adapted to upload the legitimate IP address and its corresponding domain name, the user ID of the current user, and the terminal identifier of the current terminal to the server side corresponding to the browser side.
B22. The device of B21, further comprising:
an IP address acquisition module, adapted to obtain, upon receiving a loading request for a third webpage and according to that loading request, from the server side corresponding to the browser side, the legitimate IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal, and the domain name of the indicated third webpage.
The invention also discloses C23. A browser, comprising the DNS resolution device of any one of B12 to B22.

Claims (21)

1. A DNS resolution method, comprising:
when the browser side detects a DNS resolution error for a first webpage, resetting the original DNS server address of the current terminal to a designated DNS server address;
sending a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage; the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
receiving the one or more IP addresses returned by the designated DNS server;
when the one or more IP addresses returned by the designated DNS server are verified to be legitimate, extracting the legitimate IP address;
matching the DNS server address of the current terminal against a preset DNS server address blacklist;
when the match succeeds, resetting the DNS server address of the current terminal to the designated DNS server address.
2. The method of claim 1, characterized in that the step of resetting the original DNS server address of the current terminal to the designated DNS server address comprises:
matching the address of the original DNS server of the current terminal against a preset DNS server address whitelist;
when the match succeeds, resetting the original DNS server address to a default DNS server address;
when the match fails, resetting the original DNS server address to a DNS server address in the DNS server address whitelist.
3. The method of claim 1, characterized in that the step of extracting the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate comprises:
matching the one or more IP addresses against a preset IP address whitelist;
when the match succeeds, extracting the IP addresses that matched;
and/or,
matching the one or more IP addresses against a preset IP address blacklist;
when the match succeeds, extracting the IP addresses other than those that matched.
4. The method of claim 1, characterized in that, after the step of extracting the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate, the method further comprises:
generating or updating a legitimate IP address mapping table using the legitimate IP address and its corresponding domain name.
5. The method of claim 4, characterized by further comprising:
when a loading request for a second webpage is received, extracting the domain name in the loading request;
matching the domain name in the loading request against the legitimate IP address mapping table;
when the match succeeds, extracting the legitimate IP address corresponding to the domain name.
6. The method of claim 4, characterized by further comprising:
receiving a domain name and its corresponding IP address sent by the server side;
updating the legitimate IP address mapping table using the domain name and its corresponding IP address.
7. The method of claim 1, 2, 3 or 4, characterized by further comprising:
storing the designated DNS server address in the DNS cache.
8. The method of claim 1, 2, 3 or 4, characterized by further comprising:
when the current terminal uses a DHCP service, obtaining the DNS server address of the peripheral device that provides the DHCP service;
matching the DNS server address of the peripheral device against the DNS server address blacklist;
when the match succeeds, resetting the DNS server address of the peripheral device to the designated DNS server address.
9. The method of claim 1 or 3, characterized by further comprising:
uploading the legitimate IP address and its corresponding domain name, the user ID of the current user, and the terminal identifier of the current terminal to the server side corresponding to the browser side.
10. The method of claim 9, characterized by further comprising:
when a loading request for a third webpage is received, obtaining, according to the loading request and from the server side corresponding to the browser side, the legitimate IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal, and the domain name of the indicated third webpage.
11. A DNS resolution device, comprising:
a first DNS server address reset module, adapted to reset the original DNS server address of the current terminal to a designated DNS server address when the browser side detects a DNS resolution error for a first webpage;
a DNS resolution request module, adapted to send a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage; the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
an IP address receiving module, adapted to receive the one or more IP addresses returned by the designated DNS server;
a first IP address extraction module, adapted to extract the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate;
a DNS server address blacklist matching module, adapted to match the DNS server address of the current terminal against a preset DNS server address blacklist;
a second DNS server address reset module, adapted to reset the DNS server address of the current terminal to the designated DNS server address when the match succeeds.
12. The device of claim 11, characterized in that the DNS server address reset module is further adapted to:
match the address of the original DNS server of the current terminal against a preset DNS server address whitelist;
when the match succeeds, reset the original DNS server address to a default DNS server address;
when the match fails, reset the original DNS server address to a DNS server address in the DNS server address whitelist.
13. The device of claim 11, characterized in that the legitimate IP address extraction module is further adapted to:
match the one or more IP addresses against a preset IP address whitelist;
when the match succeeds, extract the IP addresses that matched;
and/or,
match the one or more IP addresses against a preset IP address blacklist;
when the match succeeds, extract the IP addresses other than those that matched.
14. The device of claim 11, characterized by further comprising:
a legitimate IP address mapping table management module, adapted to generate or update a legitimate IP address mapping table using the legitimate IP address and its corresponding domain name.
15. The device of claim 14, characterized by further comprising:
a domain name extraction module, adapted to extract the domain name in a loading request when the loading request for a second webpage is received;
a domain name matching module, adapted to match the domain name in the loading request against the legitimate IP address mapping table;
a second IP address extraction module, adapted to extract the legitimate IP address corresponding to the domain name when the match succeeds.
16. The device of claim 14, characterized by further comprising:
a domain name and IP address receiving module, adapted to receive a domain name and its corresponding IP address sent by the server side;
a legitimate IP address mapping table update module, adapted to update the legitimate IP address mapping table using the domain name and its corresponding IP address.
17. The device of claim 11, 12, 13 or 14, characterized by further comprising:
a DNS server address storage module, adapted to store the designated DNS server address in the DNS cache.
18. The device of claim 11, 12, 13 or 14, characterized by further comprising:
a DNS server address acquisition module, adapted to obtain, when the current terminal uses a DHCP service, the DNS server address of the peripheral device that provides the DHCP service;
a DNS server address blacklist matching module, adapted to match the DNS server address of the peripheral device against the DNS server address blacklist;
a third DNS server address reset module, adapted to reset the DNS server address of the peripheral device to the designated DNS server address when the match succeeds.
19. The device of claim 11 or 13, characterized by further comprising:
an information upload module, adapted to upload the legitimate IP address and its corresponding domain name, the user ID of the current user, and the terminal identifier of the current terminal to the server side corresponding to the browser side.
20. The device of claim 19, characterized by further comprising:
an IP address acquisition module, adapted to obtain, upon receiving a loading request for a third webpage and according to that loading request, from the server side corresponding to the browser side, the legitimate IP address corresponding to the user ID of the current user, the terminal identifier of the current terminal, and the domain name of the indicated third webpage.
21. A browser, comprising:
a first DNS server address reset module, adapted to reset the original DNS server address of the current terminal to a designated DNS server address when the browser side detects a DNS resolution error for a first webpage;
a DNS resolution request module, adapted to send a DNS resolution request for the first webpage to the designated DNS server address, the DNS resolution request including the domain name of the first webpage; the designated DNS server being used to resolve, according to the DNS resolution request, one or more IP addresses corresponding to the domain name of the first webpage;
an IP address receiving module, adapted to receive the one or more IP addresses returned by the designated DNS server;
a first IP address extraction module, adapted to extract the legitimate IP address when the one or more IP addresses returned by the designated DNS server are verified to be legitimate;
a DNS server address blacklist matching module, adapted to match the DNS server address of the current terminal against a preset DNS server address blacklist;
a second DNS server address reset module, adapted to reset the DNS server address of the current terminal to the designated DNS server address when the match succeeds.
CN201310473254.0A 2013-10-11 2013-10-11 Method and device for analyzing DNS and browser Active CN103561121B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310473254.0A CN103561121B (en) 2013-10-11 2013-10-11 Method and device for analyzing DNS and browser

Publications (2)

Publication Number Publication Date
CN103561121A CN103561121A (en) 2014-02-05
CN103561121B true CN103561121B (en) 2017-04-12

Family

ID=50015271

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201310473254.0A Active CN103561121B (en) 2013-10-11 2013-10-11 Method and device for analyzing DNS and browser

Country Status (1)

Country Link
CN (1) CN103561121B (en)

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103841220A (en) * 2014-02-18 2014-06-04 北京奇虎科技有限公司 Method and device for detecting safety of router through terminal
CN104065762A (en) * 2014-05-30 2014-09-24 小米科技有限责任公司 Method and device for detecting hijacking of DNS (Domain Name Server)
CN104168339A (en) * 2014-06-30 2014-11-26 汉柏科技有限公司 Method and device for preventing domain name from being intercepted
CN104683330A (en) * 2015-02-06 2015-06-03 广州酷狗计算机科技有限公司 Domain name hijacking resisting method and device
CN106210155B (en) * 2015-04-29 2019-12-20 腾讯科技(深圳)有限公司 Method and device for connecting application server
CN106302842B (en) * 2015-05-21 2020-02-18 阿里巴巴集团控股有限公司 Domain name resolution method, device and system
WO2017016458A1 (en) * 2015-07-24 2017-02-02 北京奇虎科技有限公司 Application internal page processing method and device
CN107516044A (en) * 2016-06-15 2017-12-26 阿里巴巴集团控股有限公司 A kind of recognition methods, device and system
CN106257895A (en) * 2016-07-06 2016-12-28 陶德龙 The method and device of network addressing
CN106790747A (en) * 2016-12-13 2017-05-31 北京网瑞达科技有限公司 A kind of method of the secondary recursion resolution of domain name system DNS
CN106453436B (en) * 2016-12-21 2019-05-31 北京奇虎科技有限公司 A kind of detection method and device of network security
CN106713309A (en) * 2016-12-21 2017-05-24 北京奇虎科技有限公司 Method and apparatus for reducing DNS hijacking risk
CN106506727B (en) * 2016-12-28 2019-04-12 北京奇艺世纪科技有限公司 A kind of method and system for the local domain name system positioning domain name mapping mistake
CN106603748A (en) * 2016-12-30 2017-04-26 深圳市万普拉斯科技有限公司 Terminal networking method and terminal
CN107302602B (en) * 2017-05-18 2020-10-02 北京星选科技有限公司 Information transmission method and device
CN107124483A (en) * 2017-06-26 2017-09-01 广州市百果园信息技术有限公司 Domain name analytic method and server
CN108040040A (en) * 2017-11-30 2018-05-15 北京锐安科技有限公司 A kind of automation analysis method and device of application protocol message
CN108040124B (en) * 2017-12-27 2020-11-03 奇安信科技集团股份有限公司 Method and device for controlling mobile terminal application based on DNS-Over-HTTP protocol
CN108848076B (en) * 2018-05-31 2020-09-25 上海连尚网络科技有限公司 Method and equipment for detecting DNS hijacking through user equipment
CN109561165A (en) * 2018-11-01 2019-04-02 Oppo广东移动通信有限公司 Domain name system configuration method and relevant apparatus
CN109743402B (en) * 2019-01-31 2020-07-07 深圳云合科技有限公司 Processing method, transmission method, receiver and answering machine of answering information
CN110191200A (en) * 2019-04-16 2019-08-30 北京奇艺世纪科技有限公司 Network Access Method, device, electronic equipment and computer-readable medium
CN110247999B (en) * 2019-07-11 2022-05-06 广东美的制冷设备有限公司 Domain name resolution method, domain name resolution device, household appliance and storage medium
CN114765605B (en) * 2020-12-30 2023-09-08 花瓣云科技有限公司 Resource access method and terminal equipment
CN117278542A (en) * 2020-12-30 2023-12-22 花瓣云科技有限公司 Resource access method and terminal equipment
CN114844858A (en) * 2022-04-13 2022-08-02 山东浪潮超高清视频产业有限公司 Method for obtaining domain name address by multiple networks
CN116389404B (en) * 2023-06-06 2023-08-29 阿里云计算有限公司 Domain name resolution method, device and equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1879391A (en) * 2003-11-04 2006-12-13 多特沃尔斯有限公司 Resolution of domain names
CN101610222A (en) * 2009-07-20 2009-12-23 中兴通讯股份有限公司 Client-based server selection method and device
CN102340554A (en) * 2011-09-29 2012-02-01 奇智软件(北京)有限公司 Optimal application server selection method and device for domain name system (DNS)
CN103327135A (en) * 2013-06-27 2013-09-25 贝壳网际(北京)安全技术有限公司 Domain name resolution method, device and client

Also Published As

Publication number Publication date
CN103561121A (en) 2014-02-05

Similar Documents

Publication Publication Date Title
CN103561121B (en) Method and device for analyzing DNS and browser
CN108270882B (en) Domain name resolution method and device, storage medium and electronic device
CN103269389B (en) Check and repair the method and apparatus that malice DNS arranges
US11606388B2 (en) Method for minimizing the risk and exposure duration of improper or hijacked DNS records
CN104506510B (en) Method and device for equipment authentication and authentication service system
EP2933986B1 (en) Computer-implemented method and computer program product for processing named entity queries using a cached functionality in a domain name system
CN104333567B (en) It is the web cachings serviced using safety
CN108141747A (en) For remotely providing the method and apparatus of profile in a communications system
US20080077425A1 (en) System, method and computer program product for identifying, configuring and accessing a device on a network
US20120290724A1 (en) System and method for network redirection
CN104702714B (en) DNS security querying method and device
CN105210330A (en) Methods and systems for processing a dns request
CN101764808B (en) Authentication processing method and system for automatic login as well as server
CN104468487A (en) Communication authentication method and device and terminal device
CN102783119A (en) Access control method and system, and access terminal
US20170171147A1 (en) Method and electronic device for implementing domain name system
CN103581351B (en) The method and apparatus of network access
CN106685949A (en) Container access method, container access device and container access system
CN104994077A (en) Wireless local area network access equipment identity marking method and device
CN107613037A (en) A kind of domain name reorientation method and system
CN105939347A (en) Method and device for defending domain name attack
CN104662871A (en) Method and device for securely accessing a web service
CN111064804A (en) Network access method and device
CN104468619A (en) Method and gateway for achieving dual-stack web authentication
CN106603556A (en) Single sign-on method, device and system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20210514

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: Beijing Hongteng Intelligent Technology Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.

CP01 Change in the name or title of a patent holder

Address after: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee after: 360 Digital Security Technology Group Co.,Ltd.

Address before: 100016 1773, 15 / F, 17 / F, building 3, No.10, Jiuxianqiao Road, Chaoyang District, Beijing

Patentee before: Beijing Hongteng Intelligent Technology Co.,Ltd.