CN103916490A - DNS tamper-proof method and device - Google Patents

Publication number: CN103916490A
Application number: CN201410133605.8A
Authority: CN (China)
Legal status: Granted
Other languages: Chinese (zh)
Other versions: CN103916490B
Inventor: 曾加良
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Network Technology Shenzhen Co Ltd
Prior art keywords: dns server, address, server address, legal, dns
Classification: Data Exchanges In Wide-Area Networks

Abstract

The invention discloses a DNS tamper-proof method and device. In the method, the DNS data sent by intranet equipment within the network traffic is received and parsed on a gateway, and a DNS server address and domain name data are extracted from the DNS data; whether the extracted DNS server address is a legal address is judged according to a first preset rule; if it is not, the extracted DNS server address is discarded and a legal DNS server address is obtained according to a second preset rule; the domain name data is sent to the legal DNS server address to obtain the IP address corresponding to the domain name data; and the obtained IP address corresponding to the domain name data is returned to the intranet equipment. The DNS tamper-proof method and device avoid the network security problem in which, when the DNS server address configured on intranet equipment has been tampered into a malicious DNS IP address, a normal web address is resolved to a phishing website or to a host controlled by hackers.

Description

Domain name system (DNS) tamper-resistant method and device
Technical field
The present invention relates to the field of mobile communication, and in particular to a domain name system (DNS) tamper-resistant method and device.
Background technology
In computer communication networks there is a one-to-one or many-to-one mapping between domain names (Domain Name, DN) and Internet Protocol (IP) addresses. Users normally access computers on the network by easily remembered domain names, but computers must use IP addresses to communicate with each other. A service system that translates domain names into IP addresses for users therefore has to exist in the communication network; this service system is called the domain name system (Domain Name System, DNS). A host that provides this translation service for users is called a DNS server, and the process of translating a domain name into an IP address is called DNS resolution or address resolution.
Take a user visiting Baidu (www.baidu.com) over the Internet as an example: when the operating system receives the user's browse request, it first sends a query message to the DNS server asking for the IP address corresponding to www.baidu.com. When the operating system receives the response packet from the DNS server, it first parses out the IP address corresponding to www.baidu.com and then communicates with that IP address, so the user can access www.baidu.com normally. During network communication, however, hackers often tamper with the DNS server address configured on the client, replacing it with the address of a malicious DNS server, so that a normal web address is resolved to a phishing website or to a host under hacker control in order to defraud users of money or steal their private data. This causes serious network security problems and brings the risk of economic loss and information leakage to enterprises, governments and individuals.
To address the above drawback, the approach taken by the prior art is to install a security protection product on the client (intranet equipment); this product judges whether the DNS server address configured on the client is legal and corrects an illegal DNS server address. This approach has the following defects: a security protection product must be installed on every client, which within an enterprise makes deployment and management laborious and very inefficient; and some security protection products (for example certain security software) run only on Windows and offer no protection to the many clients running Linux.
The above content only serves to aid understanding of the technical solution of the present invention and does not constitute an admission that it is prior art.
Summary of the invention
The main purpose of the present invention is to provide a domain name system (DNS) tamper-resistant method and device, intended to avoid the network security problem that arises when the DNS server address configured on intranet equipment has been tampered into a malicious DNS IP address and a normal web address is resolved to a phishing website or to a host under hacker control.
The invention provides a domain name system (DNS) tamper-resistant method comprising:
receiving and parsing, on a gateway, the DNS data in the network traffic sent by intranet equipment, and extracting a DNS server address and domain name data from the DNS data;
the gateway judging, according to a first preset rule, whether the extracted DNS server address is a legal address;
if the extracted DNS server address is not a legal address, the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to a second preset rule;
the gateway sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet equipment.
Preferably, the step of the gateway judging according to the first preset rule whether the extracted DNS server address is a legal address comprises:
the gateway judging whether the extracted DNS server address is in a preset malicious DNS server address library;
if the extracted DNS server address is in the preset malicious DNS server address library, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is not in the preset malicious DNS server address library, the gateway determining that the extracted DNS server address is a legal address.
Preferably, the step of obtaining a legal DNS server address according to the second preset rule comprises:
obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
Preferably, after the step of receiving and parsing on the gateway the DNS data in the network traffic sent by the intranet equipment and extracting the DNS server address and domain name data from the DNS data, the method further comprises: the gateway extracting the IP address of the intranet equipment from the DNS data;
and the step of the gateway judging according to the first preset rule whether the extracted DNS server address is a legal address comprises:
the gateway obtaining the network area to which the IP address of the intranet equipment belongs, and obtaining the DNS server address corresponding to the IP address of the intranet equipment according to a preset mapping between network areas and DNS server addresses;
the gateway judging whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment;
if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet equipment, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment, the gateway determining that the extracted DNS server address is a legal address.
Preferably, the step of obtaining a legal DNS server address according to the second preset rule comprises:
using the obtained DNS server address corresponding to the IP address of the intranet equipment as the legal DNS server address.
Preferably, before, after or at the same time as the step of the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to the second preset rule, the method further comprises:
the gateway issuing warning information.
The present invention also provides a domain name system (DNS) tamper-resistant device. The device comprises a gateway, and the gateway comprises:
a receiving and parsing module, for receiving and parsing the DNS data in the network traffic sent by intranet equipment and extracting a DNS server address and domain name data from the DNS data;
a judging module, for judging according to a first preset rule whether the extracted DNS server address is a legal address;
a processing module, for discarding the extracted DNS server address when it is not a legal address and obtaining a legal DNS server address according to a second preset rule;
a transceiver module, for sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet equipment.
Preferably, the judging module comprises a first judging unit for judging whether the extracted DNS server address is in a preset malicious DNS server address library; if the extracted DNS server address is in the preset malicious DNS server address library, the first judging unit determines that the extracted DNS server address is not a legal address, and if it is not in the library, determines that the extracted DNS server address is a legal address.
Preferably, the processing module comprises a first processing unit for, when the judgment result of the first judging unit is that the extracted DNS server address is not a legal address, obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
Preferably, the receiving and parsing module is also for extracting the IP address of the intranet equipment from the DNS data;
and the judging module comprises a second judging unit for obtaining the network area to which the IP address of the intranet equipment belongs and obtaining the DNS server address corresponding to the IP address of the intranet equipment according to a preset mapping between network areas and DNS server addresses; if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet equipment, the second judging unit determines that the extracted DNS server address is not a legal address, and if they are identical, determines that the extracted DNS server address is a legal address.
Preferably, the processing module comprises a second processing unit for, when the judgment result of the second judging unit is that the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet equipment, using the obtained DNS server address corresponding to the IP address of the intranet equipment as the legal DNS server address.
Preferably, the gateway further comprises an alarm module for issuing warning information when the judgment result of the judging module is that the extracted DNS server address is not a legal address.
With the present invention, the DNS data in the network traffic sent by intranet equipment is received and parsed on the gateway, and the DNS server address and domain name data are extracted from the DNS data; the gateway judges according to the first preset rule whether the extracted DNS server address is a legal address; if it is not, the gateway discards the extracted DNS server address and obtains a legal DNS server address according to the second preset rule; the gateway sends the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returns the obtained IP address to the intranet equipment. This avoids the network security problem that arises when the DNS server address configured on intranet equipment has been tampered into a malicious DNS IP address and a normal web address is resolved to a phishing website or to a host under hacker control.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a first embodiment of the domain name system (DNS) tamper-resistant method of the present invention;
Fig. 2 is a schematic flow chart of one embodiment of step S20 in Fig. 1;
Fig. 3 is a schematic flow chart of another embodiment of step S20 in Fig. 1;
Fig. 4 is a schematic flow chart of a second embodiment of the domain name system (DNS) tamper-resistant method of the present invention;
Fig. 5 is a schematic structural diagram of a first embodiment of the domain name system (DNS) tamper-resistant device of the present invention;
Fig. 6 is a schematic structural diagram of a second embodiment of the domain name system (DNS) tamper-resistant device of the present invention.
The realization of the object of the invention, its functional characteristics and its advantages are further described below with reference to the accompanying drawings in connection with the embodiments.
Embodiment
It should be understood that the specific embodiments described herein are only intended to explain the present invention and not to limit it.
Referring to Fig. 1, which is a schematic flow chart of a first embodiment of the domain name system (DNS) tamper-resistant method of the present invention, the method comprises:
S10: on a gateway, receive and parse the DNS data in the network traffic sent by intranet equipment, and extract the DNS server address and domain name data from the DNS data.
In step S10 the gateway receives and parses the DNS data in the network traffic sent by intranet equipment; the gateway may receive the DNS data in the network traffic sent by one or more pieces of intranet equipment. The gateway parses the DNS data in the network traffic according to the DNS protocol as specified in the RFC in order to extract the DNS server address and the domain name data; for example, the extracted DNS server address is 8.8.8.8 and the domain name data is baidu.com. The IP address of the intranet equipment may also be extracted from the DNS data.
S20: the gateway judges according to a first preset rule whether the extracted DNS server address is a legal address; if the extracted DNS server address is not a legal address, step S30 is performed; if the extracted DNS server address is a legal address, step S40 is performed.
In step S20 the gateway judges according to the first preset rule whether the extracted DNS server address is a legal address.
Specifically, in one embodiment, step S20 comprises (as shown in Fig. 2):
S21: the gateway judges whether the extracted DNS server address is in a preset malicious DNS server address library; if it is, step S22 is performed; if it is not, step S23 is performed.
The preset malicious DNS server address library may be preset by the administrator; for example, the administrator adds the DNS server addresses considered malicious under the actual conditions to the malicious DNS server address library, and the administrator can update the library. An example of a malicious DNS server address contained in the preset malicious DNS server address library is 8.80.8.80.
S22: the gateway determines that the extracted DNS server address is not a legal address.
S23: the gateway determines that the extracted DNS server address is a legal address.
In another embodiment, step S20 comprises (as shown in Fig. 3):
S24: the gateway obtains the network area to which the IP address of the intranet equipment belongs, and obtains the DNS server address corresponding to the IP address of the intranet equipment according to a preset mapping between network areas and DNS server addresses.
In step S24 the gateway obtains the network area to which the IP address of the intranet equipment belongs; for example, the network area to which the IP address of the intranet equipment belongs is found to be region one.
The preset mapping between network areas and DNS server addresses may be set by the administrator according to the actual conditions; an example of the preset mapping between network areas and DNS server addresses is shown in Table 1.
Table 1:
Network area    DNS server address
Region one      1.1.1.1
Region two      2.2.2.2
Region three    8.8.8.8
......          ......
If the network area to which the IP address of the intranet equipment belongs is region two, it follows from the preset mapping between network areas and DNS server addresses that the DNS server address corresponding to the IP address of the intranet equipment is 2.2.2.2.
S25: the gateway judges whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment; if they differ, step S26 is performed; if they are identical, step S27 is performed.
In step S25 the gateway judges whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment. If the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet equipment is 8.8.8.8, the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment; if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet equipment is 2.2.2.2, the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet equipment.
S26: the gateway determines that the extracted DNS server address is not a legal address.
S27: the gateway determines that the extracted DNS server address is a legal address.
S30: the gateway discards the extracted DNS server address and obtains a legal DNS server address according to a second preset rule, then performs step S40.
In step S30 the gateway provides a proxy function (tamper resistance): when the extracted DNS server address is not a legal address, the gateway discards it and does not send the domain name data extracted from the intranet equipment to the extracted DNS server address for resolution of the domain name to an IP address.
Specifically, in one embodiment, obtaining a legal DNS server address according to the second preset rule in step S30 comprises: obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
The preset mapping between malicious DNS server addresses and legal DNS server addresses may be preset by the administrator. For example, the administrator associates the malicious DNS server address 8.80.8.80 with the legal DNS server address 8.8.8.8 according to the actual conditions; then, when the extracted DNS server address is 8.80.8.80, the legal DNS server address obtained for the extracted DNS server address 8.80.8.80 is 8.8.8.8.
The gateway's default mapping between malicious DNS server addresses and legal DNS server addresses is set automatically by the gateway. For example, the gateway associates the malicious DNS server address 9.90.9.90 with the legal DNS server address 9.9.9.9 according to the actual conditions; then, when the extracted DNS server address is 9.90.9.90, the legal DNS server address obtained for the extracted DNS server address 9.90.9.90 is 9.9.9.9.
Specifically, in another embodiment, obtaining a legal DNS server address according to the second preset rule in step S30 comprises: using the DNS server address corresponding to the IP address of the intranet equipment obtained in step S24 as the legal DNS server address.
For example, if the DNS server address corresponding to the IP address of the intranet equipment obtained in step S24 is 2.2.2.2, the DNS server address 2.2.2.2 is used as the legal DNS server address.
S40: the gateway sends the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returns the obtained IP address corresponding to the domain name data to the intranet equipment.
In step S40 the gateway sends the domain name data to the legal DNS server address; for example, the domain name data baidu.com is sent to the legal DNS server address 8.8.8.8, and the DNS server at address 8.8.8.8 resolves baidu.com and produces the corresponding IP address, for example 222.234.23.12 as the IP address to which baidu.com resolves. Also in step S40, the obtained IP address corresponding to the domain name data is returned to the intranet equipment; for example, the IP address 222.234.23.12 is returned to the intranet equipment, which then initiates its access request to the IP address 222.234.23.12. In a specific implementation of step S40, after the gateway sends the domain name data to the legal DNS server address, the legal DNS server generates a corresponding packet from the domain name data; this packet contains the IP address corresponding to the domain name data and other data. The legal DNS server sends the generated packet to the gateway, the gateway receives the packet and returns it to the intranet equipment, and the intranet equipment initiates the corresponding access request according to the received packet.
Referring to Fig. 4, which is a schematic flow chart of a second embodiment of the domain name system (DNS) tamper-resistant method of the present invention.
Based on the flow chart of the first embodiment of the domain name system (DNS) tamper-resistant method described above, before, after or at the same time as step S30, the method further comprises:
S50: the gateway issues warning information.
In step S50, when the gateway finds that the DNS server address of the intranet equipment is illegal (for example, when the DNS server address configured on the intranet equipment has been maliciously tampered with by a hacker), it issues warning information. The warning information may be a text message or an audible signal; specifically, the warning information can be sent to the administrator by means such as SMS or e-mail.
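As an added example (not the patent's or Sangfor's code), the following Python models steps S10, S20, S30 and S50 for a single query: it decodes the queried name from a constructed DNS message, applies the first preset rule in both embodiments (the malicious address library of Fig. 2 and the network-area mapping of Fig. 3 and Table 1), picks the legal DNS server under the second preset rule and produces the step S50 warning. The subnets standing in for regions one to three, the client addresses and the query message are assumptions, and the forwarding of step S40 is omitted so the code runs offline.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional

# Fig. 2, first preset rule: administrator-maintained malicious address library.
MALICIOUS_DNS = {"8.80.8.80", "9.90.9.90"}
# Second preset rule: malicious -> legal mappings (user preset, then gateway default).
USER_PRESET_MAP = {"8.80.8.80": "8.8.8.8"}
GATEWAY_DEFAULT_MAP = {"9.90.9.90": "9.9.9.9"}
# Fig. 3 / Table 1: network area -> DNS server. The subnets standing in for the
# regions are assumptions; the patent only names the regions.
AREA_DNS = [
    (ipaddress.ip_network("10.1.0.0/16"), "1.1.1.1"),  # region one
    (ipaddress.ip_network("10.2.0.0/16"), "2.2.2.2"),  # region two
    (ipaddress.ip_network("10.3.0.0/16"), "8.8.8.8"),  # region three
]


@dataclass
class Decision:
    legal: bool           # outcome of step S20
    resolver: str         # server the gateway will actually query in step S40
    alert: Optional[str]  # warning information of step S50, if any


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard A/IN query for `name` with RD set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def parse_qname(msg: bytes) -> str:
    """Step S10: decode the QNAME of the first question (RFC 1035 section 4.1.2).
    Question names are plain labels, so a compression pointer is rejected, and a
    truncated message raises ValueError instead of reading past the end."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:  # header, QDCOUNT
        raise ValueError("no DNS question to parse")
    pos, labels = 12, []
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        if pos + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def area_dns_for(client_ip: str) -> Optional[str]:
    """Step S24: Table 1 lookup of the DNS server assigned to the client's area."""
    addr = ipaddress.ip_address(client_ip)
    for net, dns in AREA_DNS:
        if addr in net:
            return dns
    return None


def decide(client_ip: str, dns_server: str, rule: str = "blacklist") -> Decision:
    """Steps S20, S30 and S50 for one query. `dns_server` is the destination the
    intranet host addressed the query to, i.e. its configured resolver.
    rule="blacklist" follows Fig. 2; rule="area" follows Fig. 3."""
    if rule == "blacklist":
        if dns_server not in MALICIOUS_DNS:                       # S21 -> S23
            return Decision(True, dns_server, None)
        legal = USER_PRESET_MAP.get(dns_server) or GATEWAY_DEFAULT_MAP.get(dns_server)
        if legal is None:  # the patent defines no behaviour for this case
            raise ValueError(f"no legal DNS server mapped for {dns_server}")
    elif rule == "area":
        legal = area_dns_for(client_ip)                           # S24
        if legal is None:
            raise ValueError(f"{client_ip} is in no configured network area")
        if dns_server == legal:                                   # S25 -> S27
            return Decision(True, dns_server, None)
    else:
        raise ValueError(f"unknown rule {rule!r}")
    # S22/S26 reached: S30 discards the extracted address (it is never queried)
    # and S50 raises the warning; the legal server replaces it for step S40.
    alert = (f"DNS server {dns_server} configured on {client_ip} is not legal; "
             f"query redirected to {legal}")
    return Decision(False, legal, alert)


def handle_query(client_ip: str, dns_server: str, msg: bytes, rule: str = "blacklist") -> tuple:
    """S10 followed by the decision: (domain, resolver to use, alert or None)."""
    domain = parse_qname(msg)
    d = decide(client_ip, dns_server, rule)
    return domain, d.resolver, d.alert
```

Calling handle_query("10.2.0.5", "8.80.8.80", build_query("baidu.com")) yields the domain baidu.com, the resolver 8.8.8.8 and a warning, matching the 8.80.8.80 to 8.8.8.8 example in step S30.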
Referring to Fig. 5, which is a schematic structural diagram of a first embodiment of the domain name system (DNS) tamper-resistant device of the present invention, the device comprises a gateway 100, and the gateway 100 comprises a receiving and parsing module 10, a judging module 20 connected to the receiving and parsing module 10, a processing module 30 connected to the judging module 20, and a transceiver module 40 connected to the processing module 30; the judging module 20 is also connected to the transceiver module 40. In this device:
the receiving and parsing module 10 is for receiving and parsing the DNS data in the network traffic sent by intranet equipment and extracting the DNS server address and domain name data from the DNS data;
the judging module 20 is for judging according to a first preset rule whether the extracted DNS server address is a legal address;
the processing module 30 is for discarding the extracted DNS server address when it is not a legal address and obtaining a legal DNS server address according to a second preset rule;
the transceiver module 40 is for sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet equipment.
The receiving and parsing module 10 receives and parses the DNS data in the network traffic sent by intranet equipment, and may receive the DNS data in the network traffic sent by one or more pieces of intranet equipment. The receiving and parsing module 10 parses the DNS data in the network traffic according to the DNS protocol as specified in the RFC in order to extract the DNS server address and the domain name data; for example, the extracted DNS server address is 8.8.8.8 and the domain name data is baidu.com. The receiving and parsing module 10 may also extract the IP address of the intranet equipment from the DNS data.
In one embodiment the judging module 20 comprises a first judging unit for judging whether the extracted DNS server address is in a preset malicious DNS server address library; if the extracted DNS server address is in the preset malicious DNS server address library, the first judging unit determines that the extracted DNS server address is not a legal address, and if it is not in the library, determines that the extracted DNS server address is a legal address.
The preset malicious DNS server address library may be preset by the administrator; for example, the administrator adds the DNS server addresses considered malicious under the actual conditions to the malicious DNS server address library, and the administrator can update the library. An example of a malicious DNS server address contained in the preset malicious DNS server address library is 8.80.8.80.
The processing module 30 provides a proxy function (tamper resistance): when the extracted DNS server address is not a legal address, the processing module 30 discards it, and the domain name data extracted from the intranet equipment is not sent through the transceiver module 40 to the extracted DNS server address for resolution of the domain name to an IP address.
In one embodiment the processing module 30 comprises a first processing unit for, when the judgment result of the first judging unit is that the extracted DNS server address is not a legal address, obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
The preset mapping between malicious DNS server addresses and legal DNS server addresses may be preset by the administrator. For example, the administrator associates the malicious DNS server address 8.80.8.80 with the legal DNS server address 8.8.8.8 according to the actual conditions; then, when the extracted DNS server address is 8.80.8.80, the legal DNS server address obtained for the extracted DNS server address 8.80.8.80 is 8.8.8.8.
The gateway's default mapping between malicious DNS server addresses and legal DNS server addresses is set automatically by the gateway. For example, the gateway associates the malicious DNS server address 9.90.9.90 with the legal DNS server address 9.9.9.9 according to the actual conditions; then, when the extracted DNS server address is 9.90.9.90, the legal DNS server address obtained for the extracted DNS server address 9.90.9.90 is 9.9.9.9.
In another embodiment, this reception parsing module 10 is also for the IP address from described DNS extracting data Intranet equipment, this judge module 20 comprises the second judging unit, this second judging unit is for obtaining the affiliated network area, IP address of this Intranet equipment, and obtain the dns server address corresponding to IP address of this Intranet equipment according to default network area and the mapping relations of dns server address, if the dns server address that the dns server address extracting is corresponding from the IP address of Intranet equipment is different, the dns server address of determining this extraction is not legal address, if the dns server address that the dns server address of this extraction is corresponding with the IP address of Intranet equipment is identical, the dns server address of determining this extraction is legal address.
This second judging unit obtains the network area under the IP address of this Intranet equipment, as the network area getting under the IP address of this Intranet equipment is region one.
The network area that this is default and the mapping relations of dns server address can be set according to actual conditions by keeper, and the network area that this is default and the mapping relations of dns server address are as shown in above-mentioned table one.If the network area under the IP address of Intranet equipment is region two, from the mapping relations of this default network area and dns server address, can learn that the dns server address corresponding to IP address of this Intranet equipment is 2.2.2.2.
The second judging unit judges whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device. If the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet device is 8.8.8.8, the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device; if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet device is 2.2.2.2, the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device.
In another embodiment, the processing module 30 comprises a second processing unit. When the judgment result of the second judging unit is that the extracted DNS server address is not identical to the DNS server address corresponding to the IP address of the intranet device, the second processing unit uses the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address. For example, if the DNS server address that the second judging unit obtained for the IP address of the intranet device is 2.2.2.2, the DNS server address 2.2.2.2 is used as the legal DNS server address.
The transceiver module 40 sends the domain name data to the legal DNS server address. For example, it sends the domain name data baidu.com to the legal DNS server address 8.8.8.8; the DNS server at address 8.8.8.8 resolves baidu.com and generates the corresponding IP address, for example the IP address to which baidu.com resolves is 222.234.23.12. The transceiver module 40 also returns the obtained IP address corresponding to the domain name data to the intranet device, for example by returning IP address 222.234.23.12 to the intranet device, and the intranet device then initiates an access request according to this IP address 222.234.23.12. In a specific implementation, after the transceiver module 40 sends the domain name data to the legal DNS server address, the legal DNS server generates a corresponding packet from the domain name data; this packet contains the IP address corresponding to the domain name data together with other data. The legal DNS server sends the generated packet to the gateway, the transceiver module of the gateway receives the packet and returns it to the intranet device, and the intranet device initiates the corresponding access request according to the packet it received.
Referring to Fig. 6, Fig. 6 is a schematic structural diagram of the second embodiment of the domain name system (DNS) tamper-proof device of the present invention.
Based on the first embodiment of the DNS tamper-proof device described above, the gateway 100 further comprises an alarm module 50 connected to the judging module 20. When the judgment result of the judging module 20 is that the extracted DNS server address is not a legal address, the alarm module 50 issues a warning. When the gateway finds that the DNS server address of an intranet device is illegal (for example, when the DNS server address configured on the intranet device has been maliciously tampered with by a hacker), the alarm module 50 issues a warning. The warning can be a text message or an audible signal; specifically, the warning can be sent to the administrator by SMS, e-mail or similar means.
The foregoing are only preferred embodiments of the present invention and do not limit the scope of the claims of the present invention; any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (12)

1. A domain name system (DNS) tamper-proof method, characterized in that the method comprises:
receiving and parsing, on a gateway, the DNS data in the network traffic sent by an intranet device, and extracting a DNS server address and domain name data from the DNS data;
the gateway judging, according to a first preset rule, whether the extracted DNS server address is a legal address;
if the extracted DNS server address is not a legal address, the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to a second preset rule;
the gateway sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet device.
2. The method according to claim 1, characterized in that the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address comprises:
the gateway judging whether the extracted DNS server address is in a preset malicious DNS server address store;
if the extracted DNS server address is in the preset malicious DNS server address store, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is not in the preset malicious DNS server address store, the gateway determining that the extracted DNS server address is a legal address.
3. The method according to claim 2, characterized in that the step of obtaining a legal DNS server address according to the second preset rule comprises:
obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
4. The method according to claim 1, characterized in that, after the step of receiving and parsing on the gateway the DNS data in the network traffic sent by the intranet device and extracting the DNS server address and domain name data from the DNS data, the method further comprises: the gateway extracting the IP address of the intranet device from the DNS data;
and the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address comprises:
the gateway obtaining the network area to which the IP address of the intranet device belongs, and obtaining the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network areas and DNS server addresses;
the gateway judging whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device;
if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is a legal address.
5. The method according to claim 4, characterized in that the step of obtaining a legal DNS server address according to the second preset rule comprises:
using the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address.
6. The method according to claim 1, characterized in that, before, after or at the same time as the step in which the gateway discards the extracted DNS server address and obtains a legal DNS server address according to the second preset rule, the method further comprises:
the gateway issuing a warning.
7. A domain name system (DNS) tamper-proof device, characterized in that the device comprises a gateway, and the gateway comprises:
a receiving and parsing module, configured to receive and parse the DNS data in the network traffic sent by an intranet device, and to extract a DNS server address and domain name data from the DNS data;
a judging module, configured to judge, according to a first preset rule, whether the extracted DNS server address is a legal address;
a processing module, configured to discard the extracted DNS server address when the extracted DNS server address is not a legal address, and to obtain a legal DNS server address according to a second preset rule;
a transceiver module, configured to send the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and to return the obtained IP address corresponding to the domain name data to the intranet device.
8. The device according to claim 7, characterized in that the judging module comprises a first judging unit, the first judging unit being configured to judge whether the extracted DNS server address is in a preset malicious DNS server address store, to determine that the extracted DNS server address is not a legal address if the extracted DNS server address is in the preset malicious DNS server address store, and to determine that the extracted DNS server address is a legal address if the extracted DNS server address is not in the preset malicious DNS server address store.
9. The device according to claim 8, characterized in that the processing module comprises a first processing unit, configured, when the judgment result of the first judging unit is that the extracted DNS server address is not a legal address, to obtain the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
10. The device according to claim 7, characterized in that the receiving and parsing module is further configured to extract the IP address of the intranet device from the DNS data;
and the judging module comprises a second judging unit, configured to obtain the network area to which the IP address of the intranet device belongs, to obtain the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network areas and DNS server addresses, to determine that the extracted DNS server address is not a legal address if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, and to determine that the extracted DNS server address is a legal address if the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device.
11. The device according to claim 10, characterized in that the processing module comprises a second processing unit, configured, when the judgment result of the second judging unit is that the extracted DNS server address is not identical to the DNS server address corresponding to the IP address of the intranet device, to use the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address.
12. The device according to claim 7, characterized in that the gateway further comprises an alarm module, configured to issue a warning when the judgment result of the judging module is that the extracted DNS server address is not a legal address.
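The gateway logic of the description above and of claims 1 to 6, as an added Python example that is not the patent's own code: it parses the question name out of a DNS query in wire format, applies both variants of the first preset rule (the preset malicious-address store of claim 2 and the network-area mapping of claim 4), picks the legal DNS server with the matching second preset rule (claims 3 and 5), records a warning (claim 6) and forwards the domain name to the chosen server. The extracted "DNS server address" is the destination address of the client's query, which the caller passes in. The subnets standing in for "region one" and "region two", the fake upstream resolver and the sample packet are assumptions constructed for this example; the IP values are the ones the page itself uses.

```python
# Added example (not the patent's own code): gateway-side DNS tamper check
# modelled on the description and claims 1-6. Subnets, the fake upstream
# resolver and the sample packet are constructed for illustration.
import ipaddress
import struct

# First preset rule, variant A (claim 2): preset store of malicious DNS server addresses.
MALICIOUS_DNS_SERVERS = {"9.90.9.90"}
# Second preset rule, variant A (claim 3): malicious -> legal address mapping,
# using the page's own example pair 9.90.9.90 -> 9.9.9.9.
MALICIOUS_TO_LEGAL = {"9.90.9.90": "9.9.9.9"}
# First/second preset rule, variant B (claims 4 and 5): network area -> expected
# DNS server address. The subnets are assumptions; the page only names the regions.
AREA_TO_DNS = {
    ipaddress.ip_network("10.1.0.0/16"): "8.8.8.8",   # region one
    ipaddress.ip_network("10.2.0.0/16"): "2.2.2.2",   # region two
}


def extract_domain(dns_payload: bytes) -> str:
    """Pull the question name out of a DNS query in wire format (RFC 1035)."""
    if len(dns_payload) < 12:
        raise ValueError("truncated DNS header")
    flags, qdcount = struct.unpack("!HH", dns_payload[2:6])
    if flags & 0x8000 or qdcount == 0:
        raise ValueError("not a query with a question section")
    pos, labels = 12, []
    while True:
        if pos >= len(dns_payload):
            raise ValueError("truncated question name")
        length = dns_payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in a question name")
        labels.append(dns_payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal A/IN query for `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def judge_by_blocklist(dns_server: str):
    """Claims 2-3: illegal iff the address is in the malicious store; the
    replacement comes from the malicious -> legal mapping."""
    if dns_server in MALICIOUS_DNS_SERVERS:
        return False, MALICIOUS_TO_LEGAL.get(dns_server)
    return True, dns_server


def judge_by_area(client_ip: str, dns_server: str):
    """Claims 4-5: illegal iff the address differs from the one mapped to the
    client's network area; the mapped address is the replacement. A client in
    no known area is treated as unverifiable (assumption, not from the page)."""
    addr = ipaddress.ip_address(client_ip)
    expected = next((d for net, d in AREA_TO_DNS.items() if addr in net), None)
    if expected is None:
        return False, None
    return expected == dns_server, expected


def handle_query(client_ip, dns_server, payload, resolve, rule="blocklist", alerts=None):
    """Run one query through the gateway: judge, swap the resolver if needed,
    forward via resolve(resolver_ip, domain) and return what the client gets."""
    domain = extract_domain(payload)
    legal, resolver = (judge_by_blocklist(dns_server) if rule == "blocklist"
                       else judge_by_area(client_ip, dns_server))
    if not legal:
        if alerts is not None:        # claim 6: warn the administrator
            alerts.append(f"client {client_ip} used illegal DNS server {dns_server}")
        if resolver is None:
            raise ValueError(f"no legal DNS server known for {dns_server}")
    answer = resolve(resolver, domain)
    return {"domain": domain, "legal": legal, "resolver": resolver, "answer": answer}


# Constructed stand-in for the upstream resolvers, keyed by (resolver, domain).
FAKE_UPSTREAM = {
    ("8.8.8.8", "baidu.com"): "222.234.23.12",
    ("9.9.9.9", "baidu.com"): "222.234.23.12",
    ("2.2.2.2", "baidu.com"): "222.234.23.12",
}


def fake_resolve(resolver_ip: str, domain: str) -> str:
    return FAKE_UPSTREAM[(resolver_ip, domain)]


if __name__ == "__main__":
    alerts = []
    q = build_query("baidu.com")
    print(handle_query("10.1.0.5", "9.90.9.90", q, fake_resolve, "blocklist", alerts))
    print(handle_query("10.2.0.5", "8.8.8.8", q, fake_resolve, "area", alerts))
    print(alerts)
```

In a real gateway the `resolve` callback would send the query to the chosen server and return its response; here a lookup table stands in so the example runs offline. The parser deliberately rejects compression pointers inside the question name and truncated names, since a gateway that forwards on behalf of clients should not accept malformed queries it cannot fully interpret.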
CN201410133605.8A 2014-04-03 2014-04-03 DNS tamper-proof method and device Active CN103916490B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410133605.8A CN103916490B (en) 2014-04-03 2014-04-03 DNS tamper-proof method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410133605.8A CN103916490B (en) 2014-04-03 2014-04-03 DNS tamper-proof method and device

Publications (2)

Publication Number Publication Date
CN103916490A true CN103916490A (en) 2014-07-09
CN103916490B CN103916490B (en) 2017-05-24

Family

ID=51041886

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410133605.8A Active CN103916490B (en) 2014-04-03 2014-04-03 DNS tamper-proof method and device

Country Status (1)

Country Link
CN (1) CN103916490B (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105262722A (en) * 2015-09-07 2016-01-20 深信服网络科技(深圳)有限公司 Terminal malicious traffic rule updating method, cloud server and security gateway
CN105610812A (en) * 2015-12-24 2016-05-25 北京奇虎科技有限公司 Method and device for preventing hijacking of webpage
CN105979020A (en) * 2015-03-12 2016-09-28 通用汽车有限责任公司 Enhancing dns availability
CN106161347A (en) * 2015-03-30 2016-11-23 中兴通讯股份有限公司 The control method of network security and device
CN106302384A (en) * 2016-07-25 2017-01-04 中国联合网络通信集团有限公司 DNS message processing method and device
CN106612239A (en) * 2015-10-22 2017-05-03 中国电信股份有限公司 A DNS query flow control method, device and system
CN106657422A (en) * 2015-10-30 2017-05-10 北京国双科技有限公司 Method, apparatus and system for crawling website page
CN106713309A (en) * 2016-12-21 2017-05-24 北京奇虎科技有限公司 Method and apparatus for reducing DNS hijacking risk
CN108924165A (en) * 2018-08-24 2018-11-30 北京和利时工业软件有限公司 A kind of Intranet remote access method and its device and Intranet gateway
CN110247897A (en) * 2019-05-20 2019-09-17 中国平安财产保险股份有限公司 A kind of system login method, equipment, gateway and computer readable storage medium
CN112565092A (en) * 2019-09-10 2021-03-26 阿自倍尔株式会社 Determining apparatus and determining method
CN114039799A (en) * 2021-12-10 2022-02-11 国网福建省电力有限公司 Network security protection system and method

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102244613A (en) * 2011-08-11 2011-11-16 深信服网络科技(深圳)有限公司 DNS (domain name system)-based multilink traffic balancing method, gateway and network
CN102685074A (en) * 2011-03-14 2012-09-19 国基电子(上海)有限公司 Anti-phishing network communication system and method
CN102761500A (en) * 2011-04-26 2012-10-31 国基电子(上海)有限公司 Gateway and method for phishing defense
CN103269389A (en) * 2013-06-03 2013-08-28 北京奇虎科技有限公司 Method and device for detecting and repairing malicious DNS setting
US8578166B2 (en) * 2007-08-06 2013-11-05 Morgamon SA System and method for authentication, data transfer, and protection against phishing

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8578166B2 (en) * 2007-08-06 2013-11-05 Morgamon SA System and method for authentication, data transfer, and protection against phishing
CN102685074A (en) * 2011-03-14 2012-09-19 国基电子(上海)有限公司 Anti-phishing network communication system and method
CN102761500A (en) * 2011-04-26 2012-10-31 国基电子(上海)有限公司 Gateway and method for phishing defense
CN102244613A (en) * 2011-08-11 2011-11-16 深信服网络科技(深圳)有限公司 DNS (domain name system)-based multilink traffic balancing method, gateway and network
CN103269389A (en) * 2013-06-03 2013-08-28 北京奇虎科技有限公司 Method and device for detecting and repairing malicious DNS setting

Cited By (17)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105979020A (en) * 2015-03-12 2016-09-28 通用汽车有限责任公司 Enhancing dns availability
CN105979020B (en) * 2015-03-12 2020-02-18 通用汽车有限责任公司 Method and device for improving DNS availability
CN106161347A (en) * 2015-03-30 2016-11-23 中兴通讯股份有限公司 The control method of network security and device
CN105262722A (en) * 2015-09-07 2016-01-20 深信服网络科技(深圳)有限公司 Terminal malicious traffic rule updating method, cloud server and security gateway
CN106612239A (en) * 2015-10-22 2017-05-03 中国电信股份有限公司 A DNS query flow control method, device and system
CN106657422A (en) * 2015-10-30 2017-05-10 北京国双科技有限公司 Method, apparatus and system for crawling website page
CN105610812B (en) * 2015-12-24 2019-12-06 北京奇虎科技有限公司 Method and device for preventing webpage from being hijacked
CN105610812A (en) * 2015-12-24 2016-05-25 北京奇虎科技有限公司 Method and device for preventing hijacking of webpage
CN106302384A (en) * 2016-07-25 2017-01-04 中国联合网络通信集团有限公司 DNS message processing method and device
CN106713309A (en) * 2016-12-21 2017-05-24 北京奇虎科技有限公司 Method and apparatus for reducing DNS hijacking risk
CN108924165A (en) * 2018-08-24 2018-11-30 北京和利时工业软件有限公司 A kind of Intranet remote access method and its device and Intranet gateway
CN110247897A (en) * 2019-05-20 2019-09-17 中国平安财产保险股份有限公司 A kind of system login method, equipment, gateway and computer readable storage medium
CN110247897B (en) * 2019-05-20 2023-04-07 中国平安财产保险股份有限公司 System login method, device, gateway and computer readable storage medium
CN112565092A (en) * 2019-09-10 2021-03-26 阿自倍尔株式会社 Determining apparatus and determining method
CN112565092B (en) * 2019-09-10 2023-02-28 阿自倍尔株式会社 Determining apparatus and determining method
CN114039799A (en) * 2021-12-10 2022-02-11 国网福建省电力有限公司 Network security protection system and method
CN114039799B (en) * 2021-12-10 2023-11-17 国网福建省电力有限公司 Network security protection system and method

Also Published As

Publication number Publication date
CN103916490B (en) 2017-05-24

Similar Documents

Publication Publication Date Title
CN103916490A (en) DNS tamper-proof method and device
WO2016006520A1 (en) Detection device, detection method and detection program
CN102685074B (en) Anti-phishing network communication system and method
CN109672680B (en) Cross-domain login method
CN104811449A (en) Base collision attack detecting method and system
CN108063833B (en) HTTP DNS analysis message processing method and device
CN104168339A (en) Method and device for preventing domain name from being intercepted
US8572366B1 (en) Authenticating clients
CN104410622A (en) Safety authentication method, client side and system for logging in Web system
CN105025025A (en) Cloud-platform-based domain name active detecting method and system
CN108156270B (en) Domain name request processing method and device
JP2015225500A (en) Authentication information theft detection method, authentication information theft detection device, and program
KR101996471B1 (en) Network Securing Device and Securing method Using The Same
CN104935551A (en) Webpage tampering protecting device and method thereof
CN111314381A (en) Safety isolation gateway
CN105530251A (en) Method and device for identifying phishing website
CN106790073B (en) Blocking method and device for malicious attack of Web server and firewall
CN112311722B (en) Access control method, device, equipment and computer readable storage medium
CN102223422A (en) Domain name system (DNS) message processing method and network safety equipment
CN103312724A (en) Domain name system (DNS) request authentication method and device
US8724506B2 (en) Detecting double attachment between a wired network and at least one wireless network
WO2019047693A1 (en) Method and device for carrying out wifi network security monitoring
US20230254281A1 (en) Local network device connection control
CN101771529A (en) Terminal apparatus, relay apparatus, processing method, recording medium, and data signal
CN103001928A (en) Communication method of terminals interconnected among different networks

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200611

Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer

Patentee after: SANGFOR TECHNOLOGIES Inc.

Address before: 518000 Nanshan Science and Technology Pioneering service center, No. 1 Qilin Road, Guangdong, Shenzhen 418, 419,

Patentee before: Shenxin network technology (Shenzhen) Co.,Ltd.

TR01 Transfer of patent right