CN103916490B - DNS tamper-proof method and device - Google Patents
Publication number: CN103916490B (application CN201410133605.8A)
Authority: CN (China)
Legal status: Active
Abstract
The invention discloses a DNS tamper-proof method and device. The method includes the following steps: DNS data sent by an intranet device in the network traffic is received and parsed on a gateway, and a DNS server address and domain name data are extracted from the DNS data; whether the extracted DNS server address is a legitimate address is judged according to a first preset rule; if it is not, the extracted DNS server address is discarded and a legitimate DNS server address is obtained according to a second preset rule; the domain name data is sent to the legitimate DNS server address to obtain the IP address corresponding to the domain name data; and the obtained IP address corresponding to the domain name data is returned to the intranet device. By adopting the DNS tamper-proof method and device, the network security problem caused when the DNS server address on an intranet device is tampered into a malicious DNS IP address, so that a normal URL is resolved to a phishing website or to a host controlled by hackers, is avoided.
Description
Technical field
The present invention relates to the field of mobile communication, and in particular to a Domain Name System (DNS) tamper-resistant method and device.
Background art
In computer communication networks there is a one-to-one or many-to-one mapping between domain names (Domain Name, DN) and Internet Protocol (IP) addresses. Users usually access computers on the network by easy-to-remember domain names, but computers must communicate with each other using IP addresses. The communication network therefore needs a service system that converts domain names to IP addresses for the user; this service system is called the Domain Name System (DNS). A host that provides this conversion service is called a DNS server. The process of converting a domain name to an IP address is called DNS resolution or address resolution.
Take a user accessing Baidu (www.baidu.com) over the Internet as an example: after the operating system receives the user's browse request, it first sends a query message to the DNS server to query the IP address corresponding to www.baidu.com. After the operating system receives the response packet from the DNS server, it first parses out the IP address corresponding to www.baidu.com and then communicates over the network with that IP address, so that the user can access www.baidu.com normally. However, during network communication hackers often tamper with the DNS server address set on the client so that it becomes a malicious DNS server address, with the result that a normal URL is resolved to a phishing website or to a host controlled by the hacker, in order to defraud the user of money or steal the user's private data; this triggers serious network security problems and brings economic loss and information leakage risks to enterprises, governments or individuals.
To solve the above drawback, the approach used in the prior art is to install a security protection product on the client (intranet device); the security protection product judges whether the DNS server address set on the client is legitimate and corrects an illegitimate DNS server address. This approach has the following defects: a security protection product must be installed on every client, so in an enterprise the workload of deploying and managing them is very troublesome and the efficiency is very low; moreover, some security protection products (such as a certain security software) run only on Windows and provide no protection for the many clients that run on Linux.
The above content is only intended to assist in understanding the technical solution of the present invention and does not represent an admission that the above content is prior art.
Summary of the invention
The main object of the present invention is to provide a Domain Name System (DNS) tamper-resistant method and device, which are intended to avoid the network security problem caused when the DNS server address set on an intranet device is tampered into a malicious DNS IP address, so that a normal URL is resolved to a phishing website or to a host controlled by hackers.
The present invention provides a DNS tamper-resistant method, which includes:
receiving and parsing, on a gateway, the DNS data in the network traffic sent by an intranet device, and extracting a DNS server address and domain name data from the DNS data;
the gateway judging, according to a first preset rule, whether the extracted DNS server address is a legitimate address;
if the extracted DNS server address is not a legitimate address, the gateway discarding the extracted DNS server address and obtaining a legitimate DNS server address according to a second preset rule;
the gateway sending the domain name data to the legitimate DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet device.
Preferably, the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legitimate address includes:
the gateway judging whether the extracted DNS server address is in a preset malicious DNS server address library;
if the extracted DNS server address is in the preset malicious DNS server address library, the gateway determining that the extracted DNS server address is not a legitimate address;
if the extracted DNS server address is not in the preset malicious DNS server address library, the gateway determining that the extracted DNS server address is a legitimate address.
Preferably, the step of obtaining a legitimate DNS server address according to the second preset rule includes:
obtaining the legitimate DNS server address corresponding to the extracted DNS server address according to a mapping between malicious DNS server addresses and legitimate DNS server addresses preset by the user, or according to a mapping between malicious DNS server addresses and legitimate DNS server addresses set by default on the gateway.
Preferably, after the step of receiving and parsing, on the gateway, the DNS data in the network traffic sent by the intranet device and extracting the DNS server address and domain name data from the DNS data, the method further includes: the gateway extracting the IP address of the intranet device from the DNS data;
and the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legitimate address includes:
the gateway obtaining the network area to which the IP address of the intranet device belongs, and obtaining the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network areas and DNS server addresses;
the gateway judging whether the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device;
if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is not a legitimate address;
if the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is a legitimate address.
Preferably, the step of obtaining a legitimate DNS server address according to the second preset rule includes:
using the obtained DNS server address corresponding to the IP address of the intranet device as the legitimate DNS server address.
Preferably, before, after or at the same time as the step of the gateway discarding the extracted DNS server address and obtaining a legitimate DNS server address according to the second preset rule, the method further includes:
the gateway issuing an alarm message.
The present invention further provides a DNS tamper-resistant device. The device includes a gateway, and the gateway includes:
a receiving and parsing module, configured to receive and parse the DNS data in the network traffic sent by an intranet device and to extract a DNS server address and domain name data from the DNS data;
a judging module, configured to judge, according to a first preset rule, whether the extracted DNS server address is a legitimate address;
a processing module, configured to, when the extracted DNS server address is not a legitimate address, discard the extracted DNS server address and obtain a legitimate DNS server address according to a second preset rule;
a transceiver module, configured to send the domain name data to the legitimate DNS server address to obtain the IP address corresponding to the domain name data, and to return the obtained IP address corresponding to the domain name data to the intranet device.
Preferably, the judging module includes a first judging unit, configured to judge whether the extracted DNS server address is in a preset malicious DNS server address library; if the extracted DNS server address is in the preset malicious DNS server address library, it determines that the extracted DNS server address is not a legitimate address, and if the extracted DNS server address is not in the preset malicious DNS server address library, it determines that the extracted DNS server address is a legitimate address.
Preferably, the processing module includes a first processing unit, configured to, when the judgment result of the first judging unit is that the extracted DNS server address is not a legitimate address, obtain the legitimate DNS server address corresponding to the extracted DNS server address according to a mapping between malicious DNS server addresses and legitimate DNS server addresses preset by the user, or according to a mapping between malicious DNS server addresses and legitimate DNS server addresses set by default on the gateway.
Preferably, the receiving and parsing module is further configured to extract the IP address of the intranet device from the DNS data;
and the judging module includes a second judging unit, configured to obtain the network area to which the IP address of the intranet device belongs, obtain the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network areas and DNS server addresses, determine that the extracted DNS server address is not a legitimate address if it differs from the DNS server address corresponding to the IP address of the intranet device, and determine that the extracted DNS server address is a legitimate address if it is the same as the DNS server address corresponding to the IP address of the intranet device.
Preferably, the processing module includes a second processing unit, configured to, when the judgment result of the second judging unit is that the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, use the obtained DNS server address corresponding to the IP address of the intranet device as the legitimate DNS server address.
Preferably, the gateway further includes an alarm module, configured to issue an alarm message when the judgment result of the judging module is that the extracted DNS server address is not a legitimate address.
With the present invention, the DNS data in the network traffic sent by an intranet device is received and parsed on the gateway, and a DNS server address and domain name data are extracted from the DNS data; the gateway judges, according to a first preset rule, whether the extracted DNS server address is a legitimate address; if it is not, the gateway discards the extracted DNS server address and obtains a legitimate DNS server address according to a second preset rule; the gateway sends the domain name data to the legitimate DNS server address to obtain the IP address corresponding to the domain name data, and returns the obtained IP address corresponding to the domain name data to the intranet device. This avoids the network security problem caused when the DNS server address set on an intranet device is tampered into a malicious DNS IP address, so that a normal URL is resolved to a phishing website or to a host controlled by hackers.
Brief description of the drawings
Fig. 1 is a flow chart of a first embodiment of the DNS tamper-resistant method of the present invention;
Fig. 2 is a flow chart of one embodiment of step S20 in Fig. 1;
Fig. 3 is a flow chart of another embodiment of step S20 in Fig. 1;
Fig. 4 is a flow chart of a second embodiment of the DNS tamper-resistant method of the present invention;
Fig. 5 is a structural diagram of a first embodiment of the DNS tamper-resistant device of the present invention;
Fig. 6 is a structural diagram of a second embodiment of the DNS tamper-resistant device of the present invention.
The realization of the object, the functional features and the advantages of the present invention will be further described with reference to the drawings in conjunction with the embodiments.
Detailed description of the embodiments
It should be understood that the specific embodiments described herein are merely illustrative of the present invention and are not intended to limit it.
Referring to Fig. 1, Fig. 1 is a flow chart of a first embodiment of the DNS tamper-resistant method of the present invention. The method includes:
S10: the DNS data in the network traffic sent by an intranet device is received and parsed on the gateway, and a DNS server address and domain name data are extracted from the DNS data.
In step S10 the gateway receives and parses the DNS data in the network traffic sent by the intranet device; the gateway may receive the DNS data in the network traffic sent by one or more intranet devices. The gateway parses the DNS data in the network traffic according to the DNS protocol defined in the RFCs to extract the DNS server address and the domain name data; for example, the extracted DNS server address is 8.8.8.8 and the domain name data is baidu.com. Further, the IP address of the intranet device may also be extracted from the DNS data.
S20: the gateway judges, according to a first preset rule, whether the extracted DNS server address is a legitimate address; if the extracted DNS server address is not a legitimate address, step S30 is performed; if the extracted DNS server address is a legitimate address, step S40 is performed.
In step S20 the gateway judges, according to the first preset rule, whether the extracted DNS server address is a legitimate address.
Specifically, in one embodiment, step S20 includes (as shown in Fig. 2):
S21: the gateway judges whether the extracted DNS server address is in a preset malicious DNS server address library; if the extracted DNS server address is in the preset malicious DNS server address library, step S22 is performed; if the extracted DNS server address is not in the preset malicious DNS server address library, step S23 is performed.
The preset malicious DNS server address library can be preset by the administrator; for example, the administrator adds the addresses considered to be malicious DNS server addresses to the malicious DNS server address library according to the actual situation, and the malicious DNS server address library can be updated by the administrator. A malicious DNS server address contained in the preset malicious DNS server address library is, for example, 8.80.8.80.
S22: the gateway determines that the extracted DNS server address is not a legitimate address.
S23: the gateway determines that the extracted DNS server address is a legitimate address.
In another embodiment, step S20 includes (as shown in Fig. 3):
S24: the gateway obtains the network area to which the IP address of the intranet device belongs, and obtains the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network areas and DNS server addresses.
In step S24 the gateway obtains the network area to which the IP address of the intranet device belongs; for example, the network area to which the IP address of the intranet device belongs is obtained as region one.
The preset mapping between network areas and DNS server addresses can be set by the administrator according to the actual situation; the preset mapping between network areas and DNS server addresses is as shown in Table 1.
Table 1:
Network area | DNS server address |
Region one | 1.1.1.1 |
Region two | 2.2.2.2 |
Region three | 8.8.8.8 |
…… | …… |
For example, when the network area to which the IP address of the intranet device belongs is region two, it can be learnt from the preset mapping between network areas and DNS server addresses that the DNS server address corresponding to the IP address of the intranet device is 2.2.2.2.
S25: the gateway judges whether the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device; if the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, step S26 is performed; if the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device, step S27 is performed.
In step S25 it is judged whether the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device. For example, if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet device is 8.8.8.8, the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device; if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet device is 2.2.2.2, the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device.
S26: the gateway determines that the extracted DNS server address is not a legitimate address.
S27: the gateway determines that the extracted DNS server address is a legitimate address.
S30: the gateway discards the extracted DNS server address, obtains a legitimate DNS server address according to a second preset rule, and then performs step S40.
In step S30 the gateway provides a proxy function (tamper resistance): the gateway discards the extracted DNS server address, that is, when the extracted DNS server address is not a legitimate address it is discarded, and the domain name data extracted from the intranet device's traffic is not sent to the extracted DNS server address for resolution of the domain name data to an IP address.
Specifically, in one embodiment, obtaining a legitimate DNS server address according to the second preset rule in step S30 includes: obtaining the legitimate DNS server address corresponding to the extracted DNS server address according to a mapping between malicious DNS server addresses and legitimate DNS server addresses preset by the user, or according to a mapping between malicious DNS server addresses and legitimate DNS server addresses set by default on the gateway.
The preset mapping between malicious DNS server addresses and legitimate DNS server addresses can be set in advance by the administrator. For example, the administrator maps the malicious DNS server address 8.80.8.80 to the legitimate DNS server address 8.8.8.8 according to the actual situation; then, when the extracted DNS server address is 8.80.8.80, the legitimate DNS server address corresponding to the extracted DNS server address 8.80.8.80 is obtained as 8.8.8.8.
The gateway's default mapping between malicious DNS server addresses and legitimate DNS server addresses is set automatically by the gateway. For example, the gateway maps the malicious DNS server address 9.90.9.90 to the legitimate DNS server address 9.9.9.9 according to the actual situation; then, when the extracted DNS server address is 9.90.9.90, the legitimate DNS server address corresponding to the extracted DNS server address 9.90.9.90 is obtained as 9.9.9.9.
Specifically, in another embodiment, obtaining a legitimate DNS server address according to the second preset rule in step S30 includes: using the DNS server address corresponding to the IP address of the intranet device obtained in step S24 as the legitimate DNS server address.
For example, if the DNS server address corresponding to the IP address of the intranet device obtained in step S24 is 2.2.2.2, the DNS server address 2.2.2.2 is used as the legitimate DNS server address.
S40: the gateway sends the domain name data to the legitimate DNS server address to obtain the IP address corresponding to the domain name data, and returns the obtained IP address corresponding to the domain name data to the intranet device.
In step S40 the gateway sends the domain name data to the legitimate DNS server address; for example, the domain name data baidu.com is sent to the legitimate DNS server address 8.8.8.8, the DNS server whose address is 8.8.8.8 resolves baidu.com and generates the corresponding IP address, for example the IP address that baidu.com resolves to is 222.234.23.12. In step S40 the obtained IP address corresponding to the domain name data is also returned to the intranet device; for example, the IP address 222.234.23.12 is returned to the intranet device, and the intranet device then initiates an access request according to the IP address 222.234.23.12. In a specific implementation, in step S40, after the gateway sends the domain name data to the legitimate DNS server address, the legitimate DNS server generates a corresponding data packet according to the domain name data, the data packet including the IP address corresponding to the domain name data and other data; the legitimate DNS server sends the generated data packet to the gateway, the gateway receives the data packet and returns it to the intranet device, and the intranet device initiates the corresponding access request according to the received data packet.
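Steps S10 to S40 above, using the address-library embodiment of S20 (S21 to S23) and the mapping embodiment of S30, as an added Python example; this is not code from the patent. It assumes that the "extracted DNS server address" is the destination IP of the intranet device's UDP datagram, that the address library and both mappings are in-memory structures, and that the DNS query is a constructed RFC 1035 wire-format message. The names (MALICIOUS_DNS_SERVERS, gateway_decide, Decision, and so on) are the example's own, and 203.0.113.53 is a constructed library entry with no mapped replacement, added to exercise that path.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Preset malicious DNS server address library (step S21): the patent's two example
# addresses plus one constructed entry (203.0.113.53) that has no legitimate
# counterpart in either mapping, so the "nothing to redirect to" path is visible.
MALICIOUS_DNS_SERVERS = {"8.80.8.80", "9.90.9.90", "203.0.113.53"}

# Second preset rule (step S30): the administrator's preset mapping is consulted
# first, then the gateway's default mapping.
USER_PRESET_MAPPING = {"8.80.8.80": "8.8.8.8"}
GATEWAY_DEFAULT_MAPPING = {"9.90.9.90": "9.9.9.9"}


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a standard recursive A/IN query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(message: bytes) -> str:
    """Step S10: extract the queried domain name from the question section.

    A question name is sent uncompressed, so only plain labels are accepted;
    a compression pointer or a truncated message is rejected rather than guessed at.
    """
    if len(message) < 12:
        raise ValueError("DNS header truncated")
    qdcount = struct.unpack("!H", message[4:6])[0]
    if qdcount == 0:
        raise ValueError("message carries no question")
    labels, pos = [], 12
    while True:
        if pos >= len(message):
            raise ValueError("question name truncated")
        length = message[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        if length > 63 or pos + length > len(message):
            raise ValueError("bad label length")
        labels.append(message[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def is_legal_by_library(dns_server: str) -> bool:
    """First preset rule, address-library embodiment (S21-S23)."""
    return dns_server not in MALICIOUS_DNS_SERVERS


def legal_server_by_mapping(dns_server: str) -> Optional[str]:
    """Second preset rule, mapping embodiment (S30): user preset first, then gateway default."""
    if dns_server in USER_PRESET_MAPPING:
        return USER_PRESET_MAPPING[dns_server]
    return GATEWAY_DEFAULT_MAPPING.get(dns_server)


@dataclass
class Decision:
    qname: str
    forward_to: Optional[str]  # server the query goes to in S40; None = dropped, nothing sent
    tampered: bool
    alarm: Optional[str]       # step S50 message text, if any


def gateway_decide(client_ip: str, dst_dns_server: str, message: bytes) -> Decision:
    """Steps S10-S30 plus the S50 alarm text for one DNS query seen at the gateway.

    Assumption: dst_dns_server is the destination IP of the client's datagram,
    which is taken to be what the patent's parsing step yields as the extracted address.
    """
    qname = parse_qname(message)
    if is_legal_by_library(dst_dns_server):
        return Decision(qname, dst_dns_server, False, None)
    legal = legal_server_by_mapping(dst_dns_server)
    alarm = (f"DNS server address {dst_dns_server} set on intranet device {client_ip} "
             f"is in the malicious address library; query for {qname} "
             + (f"redirected to {legal}" if legal else "dropped, no legitimate server mapped"))
    return Decision(qname, legal, True, alarm)


if __name__ == "__main__":
    for server in ("8.8.8.8", "8.80.8.80", "9.90.9.90", "203.0.113.53"):
        print(gateway_decide("10.0.0.5", server, build_query("baidu.com")))
```

One deployment detail the patent leaves open: a client whose resolver was pointed at 8.80.8.80 expects the reply from 8.80.8.80, and a stub resolver normally discards answers whose source address does not match the server it queried. A gateway that forwards to 8.8.8.8 and simply returns the packet therefore also has to present the reply as coming from the address the client used; that address rewriting is not described in the patent and is not part of this example.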
Referring to Fig. 4, Fig. 4 is a flow chart of a second embodiment of the DNS tamper-resistant method of the present invention.
Based on the flow chart of the first embodiment of the DNS tamper-resistant method above, before, after or at the same time as step S30, the method further includes:
S50: the gateway issues an alarm message.
In step S50, when the gateway finds that the DNS server address of the intranet device is illegitimate (for example, when the DNS server address set on the intranet device has been tampered with by hackers), it issues an alarm message. The alarm message can be a text message or a voice message; specifically, the alarm message can be sent to the administrator by means such as SMS or e-mail.
Referring to Fig. 5, Fig. 5 is a structural diagram of a first embodiment of the DNS tamper-resistant device of the present invention. The device includes a gateway 100, and the gateway 100 includes: a receiving and parsing module 10, a judging module 20 connected to the receiving and parsing module 10, a processing module 30 connected to the judging module 20, and a transceiver module 40 connected to the processing module 30; the judging module 20 is also connected to the transceiver module 40, wherein:
the receiving and parsing module 10 is configured to receive and parse the DNS data in the network traffic sent by an intranet device and to extract a DNS server address and domain name data from the DNS data;
the judging module 20 is configured to judge, according to a first preset rule, whether the extracted DNS server address is a legitimate address;
the processing module 30 is configured to, when the extracted DNS server address is not a legitimate address, discard the extracted DNS server address and obtain a legitimate DNS server address according to a second preset rule;
the transceiver module 40 is configured to send the domain name data to the legitimate DNS server address to obtain the IP address corresponding to the domain name data, and to return the obtained IP address corresponding to the domain name data to the intranet device.
The receiving and parsing module 10 receives and parses the DNS data in the network traffic sent by the intranet device; the receiving and parsing module 10 may receive the DNS data in the network traffic sent by one or more intranet devices. The receiving and parsing module 10 parses the DNS data in the network traffic according to the DNS protocol defined in the RFCs to extract the DNS server address and the domain name data; for example, the extracted DNS server address is 8.8.8.8 and the domain name data is baidu.com. Further, the receiving and parsing module 10 may also extract the IP address of the intranet device from the DNS data.
In one embodiment, the judging module 20 includes a first judging unit, configured to judge whether the extracted DNS server address is in a preset malicious DNS server address library; if the extracted DNS server address is in the preset malicious DNS server address library, it determines that the extracted DNS server address is not a legitimate address, and if the extracted DNS server address is not in the preset malicious DNS server address library, it determines that the extracted DNS server address is a legitimate address.
The preset malicious DNS server address library can be preset by the administrator; for example, the administrator adds the addresses considered to be malicious DNS server addresses to the malicious DNS server address library according to the actual situation, and the malicious DNS server address library can be updated by the administrator. A malicious DNS server address contained in the preset malicious DNS server address library is, for example, 8.80.8.80.
The processing module 30 provides a proxy function (tamper resistance): when the extracted DNS server address is not a legitimate address, the processing module 30 discards it, and the domain name data extracted from the intranet device's traffic is not sent by the transceiver module 40 to the extracted DNS server address for resolution of the domain name data to an IP address.
In one embodiment, the processing module 30 includes a first processing unit, configured to, when the judgment result of the first judging unit is that the extracted DNS server address is not a legitimate address, obtain the legitimate DNS server address corresponding to the extracted DNS server address according to a mapping between malicious DNS server addresses and legitimate DNS server addresses preset by the user, or according to a mapping between malicious DNS server addresses and legitimate DNS server addresses set by default on the gateway.
The preset mapping between malicious DNS server addresses and legitimate DNS server addresses can be set in advance by the administrator. For example, the administrator maps the malicious DNS server address 8.80.8.80 to the legitimate DNS server address 8.8.8.8 according to the actual situation; then, when the extracted DNS server address is 8.80.8.80, the legitimate DNS server address corresponding to the extracted DNS server address 8.80.8.80 is obtained as 8.8.8.8.
The gateway's default mapping between malicious DNS server addresses and legitimate DNS server addresses is set automatically by the gateway. For example, the gateway maps the malicious DNS server address 9.90.9.90 to the legitimate DNS server address 9.9.9.9 according to the actual situation; then, when the extracted DNS server address is 9.90.9.90, the legitimate DNS server address corresponding to the extracted DNS server address 9.90.9.90 is obtained as 9.9.9.9.
In another embodiment, the receiving and parsing module 10 is further configured to extract the IP address of the intranet device from the DNS data; the judging module 20 includes a second judging unit, configured to obtain the network area to which the IP address of the intranet device belongs, obtain the DNS server address corresponding to the IP address of the intranet device according to a preset mapping between network areas and DNS server addresses, determine that the extracted DNS server address is not a legitimate address if it differs from the DNS server address corresponding to the IP address of the intranet device, and determine that the extracted DNS server address is a legitimate address if it is the same as the DNS server address corresponding to the IP address of the intranet device.
The second judging unit obtains the network area to which the IP address of the intranet device belongs; for example, the network area to which the IP address of the intranet device belongs is obtained as region one.
The preset mapping between network areas and DNS server addresses can be set by the administrator according to the actual situation; the preset mapping between network areas and DNS server addresses is as shown in Table 1 above. For example, when the network area to which the IP address of the intranet device belongs is region two, it can be learnt from the preset mapping between network areas and DNS server addresses that the DNS server address corresponding to the IP address of the intranet device is 2.2.2.2.
The second judging unit judges whether the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device. For example, if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet device is 8.8.8.8, the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device; if the extracted DNS server address is 8.8.8.8 and the DNS server address corresponding to the IP address of the intranet device is 2.2.2.2, the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device.
In another embodiment, the processing module 30 includes a second processing unit, configured to, when the judgment result of the second judging unit is that the extracted DNS server address differs from the DNS server address corresponding to the IP address of the intranet device, use the obtained DNS server address corresponding to the IP address of the intranet device as the legitimate DNS server address; for example, if the DNS server address corresponding to the IP address of the intranet device obtained by the second judging unit is 2.2.2.2, the DNS server address 2.2.2.2 is used as the legitimate DNS server address.
The transceiver module 40 sends the domain name data to the legal DNS server address. For example, the domain name data baidu.com is sent to the legal DNS server address 8.8.8.8; the DNS server at address 8.8.8.8 resolves baidu.com and generates the corresponding IP address, for example resolving baidu.com to 222.234.23.12. The transceiver module 40 also returns the obtained IP address corresponding to the domain name data to the intranet device, for example returning IP address 222.234.23.12 to the intranet device, which then initiates an access request according to IP address 222.234.23.12. In a specific implementation, after the transceiver module 40 sends the domain name data to the legal DNS server address, the legal DNS server generates a corresponding packet according to the domain name data; the packet includes the IP address corresponding to the domain name data and other data. The legal DNS server sends the generated packet to the gateway, the transceiver module of the gateway receives the packet and returns it to the intranet device, and the intranet device initiates the corresponding access request according to the received packet.
Referring to Fig. 6, Fig. 6 is a structural schematic diagram of the second embodiment of the domain name system DNS tamper resistant device of the present invention.
Based on the first embodiment of the domain name system DNS tamper resistant device described above, the gateway 100 also includes an alarm module 50 connected to the judge module 20; the alarm module 50 is used to issue warning information when the judged result of the judge module 20 is that the extracted DNS server address is not a legal address. That is, when the gateway finds that the DNS server address of the intranet device is illegal (for example, when the DNS server address set on the intranet device has been tampered with by hackers), warning information is issued by the alarm module 50. The warning information may be text information or acoustic information; specifically, the warning information may be sent to the administrator by means such as short message or e-mail.
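The gateway decision path described in the embodiments above (region lookup, comparison with the mapped legal server, the blacklist variant of the first judging unit, fallback to the legal server, and the alarm module) can be written out as follows. This is an added example, not code from the patent or its assignee. The region-to-DNS table stands in for "table one", which is not reproduced on the page; the client prefixes, the malicious address base entry 192.0.2.53 (documentation range) and the offline fake resolver are all constructed for this example.

```python
"""Gateway decision logic for the first and second preset rules (added example).

The region-to-DNS table stands in for the patent's "table one", which is not on
the page; client prefixes, the malicious base entry and the fake resolver answers
are constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Preset network region -> legal DNS server address (values from the description).
REGION_TO_DNS: Dict[str, str] = {"region one": "8.8.8.8", "region two": "2.2.2.2"}

# Client address prefix -> network region (assumption: the page does not say how a
# client IP is mapped to a region).
PREFIX_TO_REGION = {
    ipaddress.ip_network("10.1.0.0/16"): "region one",
    ipaddress.ip_network("10.2.0.0/16"): "region two",
}

# Preset malicious DNS server address base mapped to legal servers (claims 2 and 3).
# 192.0.2.53 is a documentation-range placeholder, not a real resolver.
MALICIOUS_TO_LEGAL: Dict[str, str] = {"192.0.2.53": "8.8.8.8"}


@dataclass
class Verdict:
    extracted_server: str   # DNS server address taken from the client's packet
    legal: bool             # result of the first preset rule
    legal_server: str       # server the gateway will actually forward the query to
    reason: str


def region_of(client_ip: str) -> Optional[str]:
    """Network region the intranet device's IP address belongs to, or None."""
    addr = ipaddress.ip_address(client_ip)
    for net, region in PREFIX_TO_REGION.items():
        if addr in net:
            return region
    return None


def judge_by_region(client_ip: str, dns_server: str) -> Verdict:
    """Second judging unit (claim 1): the legal server is the one mapped to the client's region."""
    region = region_of(client_ip)
    if region is None:
        # Assumption: clients outside every configured prefix are rejected outright.
        raise ValueError(f"no network region configured for client {client_ip}")
    expected = REGION_TO_DNS[region]
    if dns_server == expected:
        return Verdict(dns_server, True, expected, f"matches legal server for {region}")
    return Verdict(dns_server, False, expected, f"{region} expects {expected}")


def judge_by_blacklist(dns_server: str) -> Verdict:
    """First judging unit (claims 2, 3): a blacklist hit is replaced by its mapped legal server."""
    mapped = MALICIOUS_TO_LEGAL.get(dns_server)
    if mapped is None:
        return Verdict(dns_server, True, dns_server, "not in malicious address base")
    return Verdict(dns_server, False, mapped, "in malicious address base")


def alarm_message(verdict: Verdict, client_ip: str) -> Optional[str]:
    """Alarm module (claims 5 and 10): warning text only when the extracted address is not legal."""
    if verdict.legal:
        return None
    return (f"DNS tamper alert: client {client_ip} queried {verdict.extracted_server} "
            f"({verdict.reason}); redirected to {verdict.legal_server}")


def handle_query(client_ip: str, dns_server: str, domain: str,
                 resolve: Callable[[str, str], str], rule: str = "region"
                 ) -> Tuple[Verdict, str, Optional[str]]:
    """Full gateway path: judge, choose the server, resolve there, return (verdict, ip, alert)."""
    verdict = (judge_by_region(client_ip, dns_server) if rule == "region"
               else judge_by_blacklist(dns_server))
    ip = resolve(verdict.legal_server, domain)  # the query only ever goes to the legal server
    return verdict, ip, alarm_message(verdict, client_ip)


# Constructed stand-in for the real resolvers so the example runs offline.
FAKE_ANSWERS = {("8.8.8.8", "baidu.com"): "222.234.23.12",
                ("2.2.2.2", "baidu.com"): "222.234.23.12"}


def fake_resolve(server: str, domain: str) -> str:
    return FAKE_ANSWERS[(server, domain)]


if __name__ == "__main__":
    for client, server in (("10.1.0.5", "8.8.8.8"), ("10.2.0.9", "8.8.8.8")):
        verdict, ip, alert = handle_query(client, server, "baidu.com", fake_resolve)
        print(client, server, "->", verdict.legal_server, ip, alert or "ok")
```

Note that the extracted address is never used as a destination once the verdict is "not legal": the gateway resolves at `legal_server` and hands only that answer back, which is what makes the tampered client setting harmless rather than merely logged.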
The foregoing is only the preferred embodiments of the present invention and does not thereby limit the scope of the claims of the invention; every equivalent structure or equivalent flow conversion made using the content of the description and accompanying drawings of the invention, or used directly or indirectly in other related technical fields, is likewise included in the scope of patent protection of the invention.
Claims (10)
1. A domain name system DNS tamper resistant method, characterised in that the method includes:
receiving and parsing, on a gateway, the DNS data in the network traffic sent by an intranet device, extracting a DNS server address and domain name data from the DNS data, and extracting the IP address of the intranet device;
the gateway judging, according to a first preset rule, whether the extracted DNS server address is a legal address;
if the extracted DNS server address is not a legal address, the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to a second preset rule;
the gateway sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet device;
wherein the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address includes:
the gateway obtaining the network region to which the IP address of the intranet device belongs, and obtaining the DNS server address corresponding to the IP address of the intranet device according to a mapping between preset network regions and DNS server addresses;
the gateway judging whether the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device;
if the extracted DNS server address is different from the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device, the gateway determining that the extracted DNS server address is a legal address.
2. The method according to claim 1, characterised in that the step of the gateway judging, according to the first preset rule, whether the extracted DNS server address is a legal address includes:
the gateway judging whether the extracted DNS server address is in a preset malicious DNS server address base;
if the extracted DNS server address is in the preset malicious DNS server address base, the gateway determining that the extracted DNS server address is not a legal address;
if the extracted DNS server address is not in the preset malicious DNS server address base, the gateway determining that the extracted DNS server address is a legal address.
3. The method according to claim 2, characterised in that the step of obtaining a legal DNS server address according to the second preset rule includes:
obtaining the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to a gateway-default mapping between malicious DNS server addresses and legal DNS server addresses.
4. The method according to claim 1, characterised in that the step of obtaining a legal DNS server address according to the second preset rule includes:
taking the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address.
5. The method according to claim 1, characterised in that before, after or simultaneously with the step of the gateway discarding the extracted DNS server address and obtaining a legal DNS server address according to the second preset rule, the method also includes:
the gateway issuing warning information.
6. A domain name system DNS tamper resistant device, characterised in that the device includes a gateway, and the gateway includes:
a receiving and parsing module, for receiving and parsing the DNS data in the network traffic sent by an intranet device, extracting a DNS server address and domain name data from the DNS data, and extracting the IP address of the intranet device;
a judge module, for judging, according to a first preset rule, whether the extracted DNS server address is a legal address;
a processing module, for discarding the extracted DNS server address when the extracted DNS server address is not a legal address, and obtaining a legal DNS server address according to a second preset rule;
a transceiver module, for sending the domain name data to the legal DNS server address to obtain the IP address corresponding to the domain name data, and returning the obtained IP address corresponding to the domain name data to the intranet device;
wherein the judge module includes a second judging unit, for obtaining the network region to which the IP address of the intranet device belongs, obtaining the DNS server address corresponding to the IP address of the intranet device according to a mapping between preset network regions and DNS server addresses, determining that the extracted DNS server address is not a legal address if the extracted DNS server address is different from the DNS server address corresponding to the IP address of the intranet device, and determining that the extracted DNS server address is a legal address if the extracted DNS server address is the same as the DNS server address corresponding to the IP address of the intranet device.
7. The device according to claim 6, characterised in that the judge module includes a first judging unit, the first judging unit being used to judge whether the extracted DNS server address is in a preset malicious DNS server address base, to determine that the extracted DNS server address is not a legal address if the extracted DNS server address is in the preset malicious DNS server address base, and to determine that the extracted DNS server address is a legal address if the extracted DNS server address is not in the preset malicious DNS server address base.
8. The device according to claim 7, characterised in that the processing module includes a first processing unit, for obtaining, when the judged result of the first judging unit is that the extracted DNS server address is not a legal address, the legal DNS server address corresponding to the extracted DNS server address according to a user-preset mapping between malicious DNS server addresses and legal DNS server addresses, or according to a gateway-default mapping between malicious DNS server addresses and legal DNS server addresses.
9. The device according to claim 6, characterised in that the processing module includes a second processing unit, for taking the obtained DNS server address corresponding to the IP address of the intranet device as the legal DNS server address when the judged result of the second judging unit is that the extracted DNS server address is different from the DNS server address corresponding to the IP address of the intranet device.
10. The device according to claim 6, characterised in that the gateway also includes an alarm module, for issuing warning information when the judged result of the judge module is that the extracted DNS server address is not a legal address.
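Claim 1 and claim 6 both begin with the gateway receiving the DNS data, parsing it and extracting the domain name data, and end with the answer from the legal server being relayed back to the intranet device. The example below, added here and not part of the patent, shows the DNS wire-format handling (RFC 1035 header, question section, compression pointers and an A-record answer) those steps require, plus the relay check a gateway should make: the answer it hands back must carry the client's own transaction ID and question. Packets are constructed inline; the domain baidu.com and the address 222.234.23.12 are the values the description uses.

```python
"""Minimal DNS wire-format parsing for the gateway's receive-and-parse step (added example).

Implements RFC 1035 header, question and A-record answer handling so the gateway can
extract the queried domain name data and check that the answer it relays back to the
intranet device matches the client's own query. All packets here are constructed.
"""
import ipaddress
import struct

QTYPE_A, QCLASS_IN = 1, 1
HEADER = struct.Struct("!HHHHHH")   # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    """Dotted name -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(pkt: bytes, off: int):
    """Return (name, offset after the name), following compression pointers with a hop limit."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            if not jumped:
                end = off + 2                          # caller resumes after the 2-byte pointer
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = ((length & 0x3F) << 8) | pkt[off + 1]
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        if off + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length


def build_query(qname: str, txid: int, qtype: int = QTYPE_A) -> bytes:
    """Client query as the intranet device would send it: RD set, one question."""
    return (HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(qname)
            + struct.pack("!HH", qtype, QCLASS_IN))


def parse_query(pkt: bytes):
    """Gateway step: extract (txid, domain name data, qtype) from a client query."""
    if len(pkt) < HEADER.size:
        raise ValueError("short packet")
    txid, flags, qdcount, _, _, _ = HEADER.unpack_from(pkt)
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    qname, off = decode_name(pkt, HEADER.size)
    qtype, _ = struct.unpack_from("!HH", pkt, off)
    return txid, qname, qtype


def build_a_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """What the legal server answers: echoed txid and question, one A record (owner via 0xC00C)."""
    txid, _, _ = parse_query(query)
    _, qend = decode_name(query, HEADER.size)
    question = query[HEADER.size:qend + 4]
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
              + ipaddress.IPv4Address(ip).packed)
    return HEADER.pack(txid, 0x8180, 1, 1, 0, 0) + question + answer


def parse_a_response(pkt: bytes):
    """Return (txid, qname, [(owner, ipv4), ...]) for the A records in an answer."""
    txid, flags, _, ancount, _, _ = HEADER.unpack_from(pkt)
    if not flags & 0x8000:
        raise ValueError("not a response")
    qname, off = decode_name(pkt, HEADER.size)
    off += 4                                           # skip qtype/qclass
    answers = []
    for _ in range(ancount):
        owner, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((owner, str(ipaddress.IPv4Address(pkt[off:off + 4]))))
        off += rdlen
    return txid, qname, answers


def response_matches_query(query: bytes, response: bytes) -> bool:
    """Relay guard: only hand back an answer whose txid and question match the client's query."""
    qid, qname, _ = parse_query(query)
    rid, rname, _ = parse_a_response(response)
    return qid == rid and qname.lower() == rname.lower()
```

The gateway in the patent substitutes the destination server but keeps the client's query; `response_matches_query` is the corresponding check on the way back, so that a stray or mismatched answer is never delivered to the intranet device as if it were the reply to its query.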
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410133605.8A CN103916490B (en) | 2014-04-03 | 2014-04-03 | DNS tamper-proof method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103916490A CN103916490A (en) | 2014-07-09 |
CN103916490B true CN103916490B (en) | 2017-05-24 |
Family
ID=51041886
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410133605.8A Active CN103916490B (en) | 2014-04-03 | 2014-04-03 | DNS tamper-proof method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103916490B (en) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9912634B2 (en) * | 2015-03-12 | 2018-03-06 | General Motors Llc | Enhancing DNS availability |
CN106161347A (en) * | 2015-03-30 | 2016-11-23 | 中兴通讯股份有限公司 | The control method of network security and device |
CN105262722B (en) * | 2015-09-07 | 2018-09-21 | 深信服网络科技(深圳)有限公司 | Terminal malicious traffic stream rule update method, cloud server and security gateway |
CN106612239B (en) * | 2015-10-22 | 2020-03-20 | 中国电信股份有限公司 | DNS query flow control method, equipment and system |
CN106657422B (en) * | 2015-10-30 | 2020-02-21 | 北京国双科技有限公司 | Method, device and system for crawling website page and storage medium |
CN105610812B (en) * | 2015-12-24 | 2019-12-06 | 北京奇虎科技有限公司 | Method and device for preventing webpage from being hijacked |
CN106302384A (en) * | 2016-07-25 | 2017-01-04 | 中国联合网络通信集团有限公司 | DNS message processing method and device |
CN106713309A (en) * | 2016-12-21 | 2017-05-24 | 北京奇虎科技有限公司 | Method and apparatus for reducing DNS hijacking risk |
CN108924165A (en) * | 2018-08-24 | 2018-11-30 | 北京和利时工业软件有限公司 | A kind of Intranet remote access method and its device and Intranet gateway |
CN110247897B (en) * | 2019-05-20 | 2023-04-07 | 中国平安财产保险股份有限公司 | System login method, device, gateway and computer readable storage medium |
JP7376288B2 (en) * | 2019-09-10 | 2023-11-08 | アズビル株式会社 | Specific device and method |
CN114039799B (en) * | 2021-12-10 | 2023-11-17 | 国网福建省电力有限公司 | Network security protection system and method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102244613A (en) * | 2011-08-11 | 2011-11-16 | 深信服网络科技(深圳)有限公司 | DNS (domain name system)-based multilink traffic balancing method, gateway and network |
CN102685074A (en) * | 2011-03-14 | 2012-09-19 | 国基电子(上海)有限公司 | Anti-phishing network communication system and method |
CN102761500A (en) * | 2011-04-26 | 2012-10-31 | 国基电子(上海)有限公司 | Gateway and method for phishing defense |
CN103269389A (en) * | 2013-06-03 | 2013-08-28 | 北京奇虎科技有限公司 | Method and device for detecting and repairing malicious DNS setting |
US8578166B2 (en) * | 2007-08-06 | 2013-11-05 | Morgamon SA | System and method for authentication, data transfer, and protection against phishing |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 20200611; Address after: Nanshan District Xueyuan Road in Shenzhen city of Guangdong province 518000 No. 1001 Nanshan Chi Park building A1 layer; Patentee after: SANGFOR TECHNOLOGIES Inc.; Address before: 518000 Nanshan Science and Technology Pioneering service center, No. 1 Qilin Road, Guangdong, Shenzhen 418, 419; Patentee before: Shenxin network technology (Shenzhen) Co.,Ltd. |