CN103916490B - DNS tamper-proof method and device - Google Patents

DNS tamper-proof method and device

Info

Publication number: CN103916490B
Authority: CN (China)
Application number: CN201410133605.8A
Other languages: Chinese (zh)
Other versions: CN103916490A
Inventor: 曾加良
Current assignee: Sangfor Technologies Co Ltd
Original assignee: Sangfor Network Technology Shenzhen Co Ltd
Legal status: Active
Classification: Data Exchanges In Wide-Area Networks

Events: application filed by Sangfor Network Technology Shenzhen Co Ltd; priority to CN201410133605.8A; publication of CN103916490A; application granted; publication of CN103916490B.

Abstract

The invention discloses a DNS tamper-proof method and device. The method includes the following steps: DNS data sent by intranet equipment in network traffic is received and parsed on a gateway, and a DNS server address and domain name data are extracted from the DNS data; whether the extracted DNS server address is a legal address is judged according to a first preset rule; if it is not, the extracted DNS server address is discarded and a legal DNS server address is obtained according to a second preset rule; the domain name data is sent to the legal DNS server address to obtain the IP address corresponding to the domain name data; and the obtained IP address corresponding to the domain name data is returned to the intranet equipment. The DNS tamper-proof method and device avoid the network security problem that arises when the DNS server address on intranet equipment is tampered into a malicious DNS IP address and a legitimate domain name is resolved to a phishing website or a host controlled by hackers.

Description

Domain name system (DNS) tamper-resistant method and device
Technical field
The present invention relates to the field of mobile communication, and in particular to a domain name system (DNS) tamper-resistant method and device.
Background technology
In computer communication networks there is a one-to-one or many-to-one mapping between domain names (Domain Name, DN) and Internet Protocol (IP) addresses. Users usually access the network with easy-to-remember domain names, but computers must communicate with each other using IP addresses. A communication network therefore needs a service system that converts domain names to IP addresses for users; this service system is called the domain name system (Domain Name System, DNS). A host that provides this conversion service is called a DNS server, and the process of converting a domain name to an IP address is called DNS resolution or address resolution.
Take a user accessing Baidu (www.baidu.com) over the Internet as an example. After the operating system receives the user's browse request, it first sends a query message to the DNS server asking for the IP address corresponding to www.baidu.com. After the operating system receives the DNS server's response packet, it parses out the IP address corresponding to www.baidu.com and then communicates with that IP address, so the user can access www.baidu.com normally. However, during network communication hackers frequently tamper with the DNS server address configured on the client, replacing it with a malicious DNS server address, so that legitimate domain names are resolved to phishing websites or to hosts controlled by the hacker, in order to defraud users of money or steal their private information. This causes serious network security problems and brings economic loss and information leakage risk to enterprises, governments and individuals.
In the prior art, the above defect is addressed as follows: a security protection product is installed on the client (intranet equipment); the security protection product judges whether the DNS server address configured on the client is legal and corrects illegal DNS server addresses. This approach has the following defects: a security protection product must be installed on every client, so in an enterprise the workload of deployment and management is very troublesome and efficiency is very low; and some security protection products (such as certain security software) run only on Windows and provide no protection for the many clients running Linux.
The above is only intended to help understand the technical solution of the present invention and does not constitute an admission that the above is prior art.
Summary of the invention
The main object of the present invention is to provide a domain name system (DNS) tamper-resistant method and device, so as to avoid the network security problem that arises when the DNS server address configured on intranet equipment is tampered into a malicious DNS IP address and legitimate domain names are resolved to phishing websites or hosts controlled by hackers.
The present invention provides a DNS tamper-resistant method, which includes:
receiving and parsing, on a gateway, the DNS data in the network traffic sent by intranet equipment, and extracting a DNS server address and domain name data from the DNS data;
the gateway judging, according to a first preset rule, whether the extracted DNS server address is a legal address;
if the extracted DNS server address is not a legal address, the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to a second preset rule;
the gateway sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet equipment.
Preferably, the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address includes:
the gateway judging whether the extracted DNS server address is in a preset malicious DNS server address base;
if the extracted DNS server address is in the preset malicious DNS server address base, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is not in the preset malicious DNS server address base, the gateway determining that the extracted DNS server address is a legal address.
Preferably, the step of obtaining a legal DNS server address according to the second preset rule includes:
obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
Preferably, after the step of receiving and parsing on the gateway the DNS data in the network traffic sent by the intranet equipment and extracting the DNS server address and domain name data from the DNS data, the method further includes: the gateway extracting the IP address of the intranet equipment from the DNS data;
and the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address includes:
the gateway obtaining the network area to which the IP address of the intranet equipment belongs, and obtaining the DNS server address corresponding to the IP address of the intranet equipment according to a preset mapping between network areas and DNS server addresses;
the gateway judging whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment;
if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet equipment, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment, the gateway determining that the extracted DNS server address is a legal address.
Preferably, the step of obtaining a legal DNS server address according to the second preset rule includes:
using the obtained DNS server address corresponding to the IP address of the intranet equipment as the legal DNS server address.
Preferably, before, after or at the same time as the step of the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to the second preset rule, the method further includes:
the gateway issuing a warning message.
The present invention also provides a DNS tamper-resistant device, which includes a gateway, and the gateway includes:
a receiving and parsing module, configured to receive and parse the DNS data in the network traffic sent by intranet equipment and to extract a DNS server address and domain name data from the DNS data;
a judging module, configured to judge, according to a first preset rule, whether the extracted DNS server address is a legal address;
a processing module, configured to discard the extracted DNS server address when it is not a legal address and to obtain a legal DNS server address according to a second preset rule;
a transceiver module, configured to send the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and to return the obtained IP address corresponding to the domain name data to the intranet equipment.
Preferably, the judging module includes a first judging unit, configured to judge whether the extracted DNS server address is in a preset malicious DNS server address base; if it is, the first judging unit determines that the extracted DNS server address is not a legal address, and if it is not, the first judging unit determines that the extracted DNS server address is a legal address.
Preferably, the processing module includes a first processing unit, configured, when the first judging unit determines that the extracted DNS server address is not a legal address, to obtain the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
Preferably, the receiving and parsing module is further configured to extract the IP address of the intranet equipment from the DNS data;
and the judging module includes a second judging unit, configured to obtain the network area to which the IP address of the intranet equipment belongs, to obtain the DNS server address corresponding to that IP address according to a preset mapping between network areas and DNS server addresses, to determine that the extracted DNS server address is not a legal address if it differs from the DNS server address corresponding to the IP address of the intranet equipment, and to determine that the extracted DNS server address is a legal address if the two are identical.
Preferably, the processing module includes a second processing unit, configured, when the second judging unit determines that the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet equipment, to use the obtained DNS server address corresponding to the IP address of the intranet equipment as the legal DNS server address.
Preferably, the gateway further includes an alarm module, configured to issue a warning message when the judging module determines that the extracted DNS server address is not a legal address.
With the present invention, the gateway receives and parses the DNS data in the network traffic sent by intranet equipment and extracts the DNS server address and domain name data from the DNS data; the gateway judges, according to the first preset rule, whether the extracted DNS server address is a legal address; if it is not, the gateway discards the extracted DNS server address and obtains a legal DNS server address according to the second preset rule; the gateway sends the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data and returns the obtained IP address to the intranet equipment. This avoids the network security problem that arises when the DNS server address configured on intranet equipment is tampered into a malicious DNS IP address and legitimate domain names are resolved to phishing websites or hosts controlled by hackers.
Brief description of the drawings
Fig. 1 is a schematic flow chart of a first embodiment of the DNS tamper-resistant method of the present invention;
Fig. 2 is a schematic flow chart of an embodiment of step S20 in Fig. 1;
Fig. 3 is a schematic flow chart of another embodiment of step S20 in Fig. 1;
Fig. 4 is a schematic flow chart of a second embodiment of the DNS tamper-resistant method of the present invention;
Fig. 5 is a schematic structural diagram of a first embodiment of the DNS tamper-resistant device of the present invention;
Fig. 6 is a schematic structural diagram of a second embodiment of the DNS tamper-resistant device of the present invention.
The realization of the objects, functional features and advantages of the present invention will be further described with reference to the drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a schematic flow chart of a first embodiment of the DNS tamper-resistant method of the present invention. The method includes:
S10: the gateway receives and parses the DNS data in the network traffic sent by intranet equipment, and extracts a DNS server address and domain name data from the DNS data.
In step S10, the gateway receives and parses the DNS data in the network traffic sent by intranet equipment; the gateway can receive the DNS data in the network traffic sent by one or more intranet devices. The gateway parses the DNS data in the network traffic according to the DNS protocol RFC to extract the DNS server address and the domain name data; for example, the extracted DNS server address is 8.8.8.8 and the domain name data is baidu.com. Further, the IP address of the intranet equipment can also be extracted from the DNS data.
S20: the gateway judges, according to a first preset rule, whether the extracted DNS server address is a legal address; if the extracted DNS server address is not a legal address, step S30 is performed; if it is a legal address, step S40 is performed.
In step S20, the gateway judges, according to the first preset rule, whether the extracted DNS server address is a legal address.
Specifically, in one embodiment, step S20 includes (as shown in Fig. 2):
S21: the gateway judges whether the extracted DNS server address is in a preset malicious DNS server address base; if it is, step S22 is performed; if it is not, step S23 is performed.
The preset malicious DNS server address base can be set in advance by the administrator; for example, the administrator adds the addresses considered to be malicious DNS server addresses to the malicious DNS server address base according to actual conditions, and the base can be updated by the administrator. An example of a malicious DNS server address contained in the preset malicious DNS server address base is 8.80.8.80.
S22: the gateway determines that the extracted DNS server address is not a legal address.
S23: the gateway determines that the extracted DNS server address is a legal address.
In another embodiment, step S20 includes (as shown in Fig. 3):
S24: the gateway obtains the network area to which the IP address of the intranet equipment belongs, and obtains the DNS server address corresponding to the IP address of the intranet equipment according to a preset mapping between network areas and DNS server addresses.
In step S24, the gateway obtains the network area to which the IP address of the intranet equipment belongs; for example, it finds that the network area to which the IP address of the intranet equipment belongs is region 1.
The preset mapping between network areas and DNS server addresses can be set by the administrator according to actual conditions; an example of this mapping is shown in Table 1.
Table 1:
Network area    DNS server address
Region 1        1.1.1.1
Region 2        2.2.2.2
Region 3        8.8.8.8
...             ...
For example, when the network area to which the IP address of the intranet equipment belongs is region 2, the DNS server address corresponding to the IP address of the intranet equipment can be read from the preset mapping between network areas and DNS server addresses as 2.2.2.2.
S25: the gateway judges whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment; if they differ, step S26 is performed; if they are identical, step S27 is performed.
In step S25, the gateway judges whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet equipment. For example, if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet equipment is 8.8.8.8, the two are identical; if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet equipment is 2.2.2.2, the two differ.
S26: the gateway determines that the extracted DNS server address is not a legal address.
S27: the gateway determines that the extracted DNS server address is a legal address.
S30: the gateway discards the extracted DNS server address and obtains a legal DNS server address according to a second preset rule, and then performs step S40.
In step S30, the gateway provides a proxy (tamper-resistant) function: when the extracted DNS server address is not a legal address, the gateway discards it rather than sending the domain name data extracted from the intranet equipment to the extracted DNS server address for resolution to an IP address.
Specifically, in one embodiment, obtaining a legal DNS server address according to the second preset rule in step S30 includes: obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
The preset mapping between malicious DNS server addresses and legal DNS server addresses can be set in advance by the administrator. For example, if the administrator maps the malicious DNS server address 8.80.8.80 to the legal DNS server address 8.8.8.8 according to actual conditions, then when the extracted DNS server address is 8.80.8.80, the legal DNS server address obtained for the extracted address 8.80.8.80 is 8.8.8.8.
The gateway's default mapping between malicious DNS server addresses and legal DNS server addresses is set automatically by the gateway. For example, if the gateway maps the malicious DNS server address 9.90.9.90 to the legal DNS server address 9.9.9.9 according to actual conditions, then when the extracted DNS server address is 9.90.9.90, the legal DNS server address obtained for the extracted address 9.90.9.90 is 9.9.9.9.
Specifically, in another embodiment, obtaining a legal DNS server address according to the second preset rule in step S30 includes: using the DNS server address corresponding to the IP address of the intranet equipment obtained in step S24 as the legal DNS server address.
For example, if the DNS server address corresponding to the IP address of the intranet equipment obtained in step S24 is 2.2.2.2, then DNS server address 2.2.2.2 is used as the legal DNS server address.
S40: the gateway sends the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returns the obtained IP address corresponding to the domain name data to the intranet equipment.
In step S40, the gateway sends the domain name data to the legal DNS server address; for example, the domain name data baidu.com is sent to the legal DNS server address 8.8.8.8, and the DNS server at address 8.8.8.8 resolves baidu.com and produces the corresponding IP address, for example 222.234.23.12. In step S40 the gateway also returns the obtained IP address corresponding to the domain name data to the intranet equipment; for example, the IP address 222.234.23.12 is returned to the intranet equipment, and the intranet equipment then initiates an access request according to the IP address 222.234.23.12. In a specific implementation, after the gateway sends the domain name data to the legal DNS server address in step S40, the legal DNS server generates a corresponding packet from the domain name data, the packet containing the IP address corresponding to the domain name data together with other data; the legal DNS server sends the generated packet to the gateway, the gateway receives the packet and returns it to the intranet equipment, and the intranet equipment initiates the corresponding access request according to the received packet.
Referring to Fig. 4, Fig. 4 is a schematic flow chart of a second embodiment of the DNS tamper-resistant method of the present invention.
Based on the flow chart of the first embodiment of the DNS tamper-resistant method described above, before, after or at the same time as step S30, the method further includes:
S50: the gateway issues a warning message.
In step S50, when the gateway finds that the DNS server address of the intranet equipment is illegal (for example, when the DNS server address configured on the intranet equipment has been tampered with by a hacker), it issues a warning message. The warning message can be a text message or an audio message; specifically, the warning message can be sent to the administrator by SMS, e-mail or similar means.
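The gateway decision logic of steps S10 to S50, as an added Python example that is not code from the patent or from Sangfor: it parses the queried name out of a constructed DNS query packet, applies both variants of the first rule (the malicious address base, and the network-area mapping of Table 1) and the matching variants of the second rule, and reports whether a warning should be raised. The malicious address base, the mappings, the network prefixes assigned to the regions and the sample packet are assumed test values, and dropping a query when no legal server can be determined is an assumption the patent does not address.

```python
"""Gateway DNS tamper-proof decision logic (added example, not the patent's code).
Addresses, the malicious address base, the mappings, the region prefixes and
the sample query packet are constructed test values."""
import ipaddress
import struct
from typing import Optional

# First rule, variant A (S21-S23): administrator-maintained malicious address base.
MALICIOUS_DNS = {"8.80.8.80", "9.90.9.90"}
# Second rule, variant A (S30): malicious -> legal mapping; the user preset is
# consulted first, then the gateway default.
USER_MAPPING = {"8.80.8.80": "8.8.8.8"}
DEFAULT_MAPPING = {"9.90.9.90": "9.9.9.9"}
# Variant B (S24-S27): network area -> expected DNS server, as in Table 1.
# The region prefixes are assumed; the patent only names the regions.
AREA_DNS = {
    ipaddress.ip_network("10.1.0.0/16"): "1.1.1.1",  # region 1
    ipaddress.ip_network("10.2.0.0/16"): "2.2.2.2",  # region 2
    ipaddress.ip_network("10.3.0.0/16"): "8.8.8.8",  # region 3
}


def parse_qname(payload: bytes) -> str:
    """S10: extract the queried domain name from a DNS query in RFC 1035 wire format."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", payload[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = payload[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is not valid in a question name
            raise ValueError("compressed label in question section")
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels).lower()


def legal_by_address_base(dns_server: str) -> bool:
    """S21-S23: the address is legal unless it is listed in the malicious address base."""
    return dns_server not in MALICIOUS_DNS


def expected_for_client(client_ip: str) -> Optional[str]:
    """S24: look up the DNS server the client's network area is supposed to use."""
    addr = ipaddress.ip_address(client_ip)
    for net, server in AREA_DNS.items():
        if addr in net:
            return server
    return None


def remap_malicious(dns_server: str) -> Optional[str]:
    """S30 variant A: user-preset mapping first, then the gateway default mapping."""
    return USER_MAPPING.get(dns_server) or DEFAULT_MAPPING.get(dns_server)


def decide(client_ip: str, dns_server: str, payload: bytes, mode: str = "address_base") -> dict:
    """Return where the gateway forwards the query and whether S50 should raise a warning."""
    qname = parse_qname(payload)
    if mode == "address_base":
        legal = legal_by_address_base(dns_server)
        forward_to = dns_server if legal else remap_malicious(dns_server)
    elif mode == "area":
        expected = expected_for_client(client_ip)
        legal = expected is not None and dns_server == expected
        forward_to = expected  # S30 variant B: the area's server is the legal server
    else:
        raise ValueError("unknown mode")
    if forward_to is None:
        # Assumption: with no legal server known, drop rather than forward to an untrusted resolver.
        return {"qname": qname, "forward_to": None, "action": "drop", "alert": True}
    action = "forward" if legal else "redirect"
    return {"qname": qname, "forward_to": forward_to, "action": action, "alert": not legal}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a minimal standard A query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


if __name__ == "__main__":
    q = build_query("baidu.com")
    print(decide("10.1.0.5", "8.80.8.80", q))             # redirected to 8.8.8.8, alert raised
    print(decide("10.2.0.7", "8.8.8.8", q, mode="area"))   # redirected to 2.2.2.2, alert raised
```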
Reference picture 5, Fig. 5 is the first embodiment structural representation of domain name system DNS tamper resistant device of the present invention, the device Including gateway 100, the gateway 100 includes:Reception parsing module 10, the judge module 20 being connected with the reception parsing module 10, The processing module 30 being connected with the judge module 20, the transceiver module 40 being connected with the processing module 30, the judge module 20 is also It is connected with the transceiver module 40, wherein:
The reception parsing module 10, for receiving and parsing through the DNS data in the network traffics that Intranet equipment is sended over, And dns server address and domain name data are extracted from the DNS data;
The judge module 20, whether the dns server address for judging the extraction according to the first preset rules is legal Address;
When the processing module 30 for the dns server address in the extraction is not legal address, the extraction is abandoned Dns server address, and obtain a legal dns server address according to the second preset rules;
The transceiver module 40, for the domain name data to be sent into the legal dns server address, to obtain the domain name number According to corresponding IP address;And the corresponding IP address of the domain name data for obtaining is returned into the Intranet equipment.
The reception parsing module 10 receives and parses through the DNS data in the network traffics that Intranet equipment is sended over, and this connects Receive the DNS data that parsing module 10 can be received in the network traffics that one or more Intranet equipment are sended over;The reception is parsed According to RFC DNS Protocol at module 10, the DNS data in parsing network traffics, to extract dns server address and domain name number According to the dns server address for such as extracting is 8.8.8.8, and domain name data is:baidu.com.Further, reception parsing mould Block 10 can also extract the IP address of Intranet equipment in the DNS data.
In one embodiment, the judge module 20 includes the first judging unit, and first judging unit is carried for judgement The dns server address for taking whether in default malicious DNS server address base, if the dns server address of the extraction exists In default malicious DNS server address base, it is determined that the dns server address of the extraction is not legal address, if the extraction Dns server address not in default malicious DNS server address base, it is determined that the dns server address of the extraction is Legal address.
The default malicious DNS server address base can be preset by keeper, and such as keeper is according to actual conditions It is construed as malicious DNS server address to be added in malicious DNS server address base, the malicious DNS server address base Can be updated by keeper.The malicious DNS server address that the default malicious DNS server address base includes is such as: 8.80.8.80。
The processing module 30 provides agent functionality(It is anti-tamper), dns server address of the processing module 30 in the extraction When being not legal address, abandoned, without the domain name data extracted from Intranet equipment is sent by transceiver module 40 Domain name data to the parsing of IP address is carried out in the dns server address of the extraction.
In one embodiment, the processing module 30 includes first processing units, the first processing units be used for this When the judged result of one judging unit is that the dns server address for extracting not is legal address, the malice DNS according to user preset The mapping relations of server address and legal dns server address, or the malicious DNS server address given tacit consent to according to gateway with close The mapping relations of method dns server address, obtain the corresponding legal dns server address of dns server address of the extraction.
The default malicious DNS server address can be advance by keeper with the mapping relations of legal dns server address Setting, such as keeper are according to actual conditions by malicious DNS server address 8.80.8.80 and legal dns server address 8.8.8.8 correspondence is carried out, then when the dns server address of the extraction is 8.80.8.80, obtains the dns server of the extraction 8.80.8.80 corresponding legal dns server address in address is 8.8.8.8.
The malicious DNS server address of gateway acquiescence is automatic by gateway with the mapping relations of legal dns server address Set, such as gateway according to actual conditions by malicious DNS server address 9.90.9.90 and legal dns server address 9.9.9.9 Correspondence is carried out, then when the dns server address of the extraction is 9.90.9.90, obtains the dns server address of the extraction 9.90.9.90 corresponding legal dns server address is 9.9.9.9.
In another embodiment, the reception parsing module 10 is additionally operable to extract Intranet equipment from the DNS data IP address;The judge module 20 includes the second judging unit, and second judging unit is used to obtain the IP address of the Intranet equipment Affiliated network area, and obtain the Intranet equipment according to the mapping relations of default network area and dns server address The corresponding dns server address of IP address, if the dns server address for extracting DNS clothes corresponding with the IP address of Intranet equipment Business device address is different, it is determined that the dns server address of the extraction is not legal address, if the dns server address of the extraction Dns server address corresponding with the IP address of Intranet equipment is identical, it is determined that the dns server address of the extraction is legally Location.
Second judging unit obtains the network area belonging to the IP address of the Intranet equipment, such as gets the Intranet equipment IP address belonging to network area be region one.
The default network area can be set by keeper with the mapping relations of dns server address according to actual conditions, The mapping relations of the default network area and dns server address are as shown in above-mentioned table one.Such as when the IP address of Intranet equipment Affiliated network area is region two, then can be learnt from the mapping relations of the default network area with dns server address The corresponding dns server address of IP address of the Intranet equipment is 2.2.2.2.
Second judging unit judges whether the dns server address of the extraction is corresponding with the IP address of Intranet equipment Dns server address is identical, and the dns server address for such as extracting is 8.8.8.8, the corresponding DNS clothes of IP address of Intranet equipment Business device address is 8.8.8.8, then illustrate the dns server address DNS service corresponding with the IP address of Intranet equipment of the extraction Device address is identical;Dns server address as extracted is 8.8.8.8, the corresponding dns server address of IP address of Intranet equipment It is 2.2.2.2, then illustrates the dns server address dns server address corresponding with the IP address of Intranet equipment of the extraction not Together.
In another embodiment, the processing module 30 includes a second processing unit. When the judging result of the second judging unit is that the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, the second processing unit takes the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address. For example, if the DNS server address corresponding to the IP address of the intranet device obtained by the second judging unit is 2.2.2.2, then DNS server address 2.2.2.2 is taken as the legal DNS server address.
The transceiver module 40 sends the domain name data to the legal DNS server address. For example, it sends the domain name data baidu.com to the legal DNS server address 8.8.8.8; the DNS server whose address is 8.8.8.8 resolves baidu.com and generates the corresponding IP address, such as resolving baidu.com to the IP address 222.234.23.12. The transceiver module 40 also returns the obtained IP address corresponding to the domain name data to the intranet device, for example returning the IP address 222.234.23.12 to the intranet device, and the intranet device then initiates its access request according to the IP address 222.234.23.12. In a specific implementation, after the transceiver module 40 sends the domain name data to the legal DNS server address, the legal DNS server generates a corresponding packet according to the domain name data; the packet includes the IP address corresponding to the domain name data together with other data. The legal DNS server sends the generated packet to the gateway, the transceiver module of the gateway receives the packet and returns it to the intranet device, and the intranet device initiates the corresponding access request according to the received packet.
Referring to Fig. 6, Fig. 6 is a structural diagram of the second embodiment of the domain name system DNS tamper-proof device of the present invention.
Based on the first embodiment of the above domain name system DNS tamper-proof device, the gateway 100 further includes an alarm module 50 connected to the judging module 20. The alarm module 50 issues warning information when the judging result of the judging module 20 is that the extracted DNS server address is not a legal address. That is, when the gateway finds that the DNS server address of the intranet device is illegal (for example, when the DNS server address configured on the intranet device has been tampered with by hackers), warning information is issued by the alarm module 50. The warning information can be text information or acoustic information; specifically, the warning information can be sent to the administrator by means such as SMS message or e-mail.
The foregoing is only the preferred embodiments of the present invention and does not thereby limit the scope of the claims of the invention. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the invention, or any direct or indirect use in other related technical fields, is likewise included within the scope of patent protection of the invention.

Claims (10)

1. A domain name system DNS tamper-proof method, characterized in that the method includes:
receiving and parsing, on a gateway, the DNS data in the network traffic sent by an intranet device, extracting a DNS server address and domain name data from the DNS data, and extracting the IP address of the intranet device;
the gateway judging, according to a first preset rule, whether the extracted DNS server address is a legal address;
if the extracted DNS server address is not a legal address, the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to a second preset rule;
the gateway sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet device;
wherein the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address includes:
the gateway obtaining the network region to which the IP address of the intranet device belongs, and obtaining the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network regions and DNS server addresses;
the gateway judging whether the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device;
if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is a legal address.
2. The method according to claim 1, characterized in that the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address includes:
the gateway judging whether the extracted DNS server address is in a preset malicious DNS server address base;
if the extracted DNS server address is in the preset malicious DNS server address base, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is not in the preset malicious DNS server address base, the gateway determining that the extracted DNS server address is a legal address.
3. The method according to claim 2, characterized in that the step of obtaining a legal DNS server address according to the second preset rule includes:
obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
4. The method according to claim 1, characterized in that the step of obtaining a legal DNS server address according to the second preset rule includes:
taking the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address.
5. The method according to claim 1, characterized in that, before, after or simultaneously with the step of the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to the second preset rule, the method further includes:
the gateway issuing warning information.
6. A domain name system DNS tamper-proof device, characterized in that the device includes a gateway, the gateway including:
a reception parsing module, for receiving and parsing the DNS data in the network traffic sent by an intranet device, extracting a DNS server address and domain name data from the DNS data, and extracting the IP address of the intranet device;
a judging module, for judging, according to a first preset rule, whether the extracted DNS server address is a legal address;
a processing module, for discarding the extracted DNS server address when the extracted DNS server address is not a legal address, and obtaining a legal DNS server address according to a second preset rule;
a transceiver module, for sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet device;
wherein the judging module includes a second judging unit, for obtaining the network region to which the IP address of the intranet device belongs, obtaining the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network regions and DNS server addresses, determining that the extracted DNS server address is not a legal address if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, and determining that the extracted DNS server address is a legal address if the extracted DNS server address is identical to the DNS server address corresponding to the IP address of the intranet device.
7. The device according to claim 6, characterized in that the judging module includes a first judging unit, for judging whether the extracted DNS server address is in a preset malicious DNS server address base, determining that the extracted DNS server address is not a legal address if it is in the preset malicious DNS server address base, and determining that the extracted DNS server address is a legal address if it is not in the preset malicious DNS server address base.
8. The device according to claim 7, characterized in that the processing module includes a first processing unit, for obtaining, when the judging result of the first judging unit is that the extracted DNS server address is not a legal address, the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to the gateway's default mapping between malicious DNS server addresses and legal DNS server addresses.
9. The device according to claim 6, characterized in that the processing module includes a second processing unit, for taking, when the judging result of the second judging unit is that the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address.
10. The device according to claim 6, characterized in that the gateway further includes an alarm module, for issuing warning information when the judging result of the judging module is that the extracted DNS server address is not a legal address.
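As an added example (not the patent's own code), the following Python models the gateway-side judging and processing logic of the embodiment above and of claims 1 to 4 and 6 to 10: it pulls the queried domain out of a DNS query in RFC 1035 wire format, compares the DNS server address the client used against the region mapping (Table 1 style) and the malicious address base, and returns the legal DNS server to forward to plus whether the alarm module should fire. The networks, addresses and mappings are constructed, and checking the malicious base first and the region mapping second is a generalization; the claims present the two rules as alternatives.

```python
import ipaddress
from dataclasses import dataclass

# Constructed Table 1 style mapping of network regions to legal DNS servers.
REGION_DNS = {
    ipaddress.ip_network("10.1.0.0/16"): "8.8.8.8",  # region one (constructed)
    ipaddress.ip_network("10.2.0.0/16"): "2.2.2.2",  # region two (constructed)
}
MALICIOUS_DNS = {"203.0.113.66"}                      # constructed malicious base
MALICIOUS_TO_LEGAL = {"203.0.113.66": "2.2.2.2"}     # claim 3 style mapping (constructed)


def parse_qname(payload: bytes) -> str:
    """Extract the queried domain from a DNS query packet (RFC 1035 wire format).
    The QNAME of a query is a plain label sequence, so no compression handling is needed."""
    labels = []
    pos = 12  # skip the fixed 12-byte DNS header
    while True:
        length = payload[pos]
        if length == 0:
            break
        pos += 1
        labels.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_query(domain: str) -> bytes:
    """Construct a minimal DNS A query for `domain` (constructed sample input)."""
    header = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in domain.split("."))
    return header + qname + b"\x00" + b"\x00\x01\x00\x01"  # QTYPE A, QCLASS IN


@dataclass
class Decision:
    domain: str      # domain name data to forward to the legal DNS server
    legal_dns: str   # DNS server address the transceiver module should use
    tampered: bool   # True: extracted address was illegal, alarm module fires


def region_dns_for(client_ip: str):
    """Second judging unit: DNS server address mapped to the client's network region."""
    ip = ipaddress.ip_address(client_ip)
    return next((dns for net, dns in REGION_DNS.items() if ip in net), None)


def judge(client_ip: str, dns_server_ip: str, payload: bytes) -> Decision:
    """Apply the first preset rule(s) and, on failure, the second preset rule."""
    domain = parse_qname(payload)
    if dns_server_ip in MALICIOUS_DNS:                       # claim 2 / first judging unit
        legal = MALICIOUS_TO_LEGAL.get(dns_server_ip) or region_dns_for(client_ip)
        return Decision(domain, legal, True)                 # claim 3 / first processing unit
    expected = region_dns_for(client_ip)                     # claim 1 / second judging unit
    if expected is not None and dns_server_ip != expected:
        return Decision(domain, expected, True)              # claim 4 / second processing unit
    return Decision(domain, dns_server_ip, False)            # legal address: forward as-is
```

A client outside every configured region is treated as legal here because the patent does not specify that case; a deployment would want an explicit default.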
CN201410133605.8A 2014-04-03 2014-04-03 DNS tamper-proof method and device Active CN103916490B (en)


Publications (2)

Publication Number Publication Date
CN103916490A CN103916490A (en) 2014-07-09
CN103916490B true CN103916490B (en) 2017-05-24



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200611

Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer

Patentee after: SANGFOR TECHNOLOGIES Inc.

Address before: 518000 Nanshan Science and Technology Pioneering service center, No. 1 Qilin Road, Guangdong, Shenzhen 418, 419,

Patentee before: Shenxin network technology (Shenzhen) Co.,Ltd.