CN104253875B - A DNS traffic analysis method - Google Patents
A DNS traffic analysis method
- Publication number: CN104253875B (application CN201310268521.0A)
- Authority: CN (China)
- Prior art keywords: domain name, dns, dns query, query domain, relationship
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
This application discloses a DNS traffic analysis method. The method first collects packet information from the network in real time and preprocesses the collected packet information to extract the required DNS traffic records; it then analyses the extracted DNS traffic records to obtain a DNS domain name-domain name relation set and a DNS domain name-IP relation set; finally, it performs a merge operation on the DNS domain name-domain name relation set and the DNS domain name-IP relation set to obtain a DNS domain name-IP relation resource table. The technical solution disclosed in this application reduces the complexity of DNS traffic analysis and gives a better understanding of DNS traffic conditions.
Description
Technical field
This application relates to the technical field of network traffic analysis, and in particular to a DNS traffic analysis method.
Background
DNS (Domain Name System) performs the conversion between hard-to-remember IP (Internet Protocol) addresses and easily remembered domain names. It is one of the most critical pieces of internet infrastructure: almost every information service running over an IP network locates its network resources through domain name access. Analysing DNS traffic therefore gives a good picture of the current state of the network.
With the rapid development of the internet, the number of users and applications has grown explosively, and internet traffic has increased sharply with it. The equipment of online telecom operators now produces terabytes or even petabytes of flow records every day, and the volume of the corresponding DNS records is also very large; handling data on this scale is a huge challenge.
Existing traffic analysis methods, whether implemented in software or in hardware, concentrate their DNS research on security and protection, on the performance of the DNS servers themselves, on configuration and similar topics. Their purpose is to find erroneous data in DNS queries; there is far less analysis of the network condition information contained in correct DNS data.
Summary of the invention
This application provides a DNS traffic analysis method intended to reduce the complexity of DNS traffic analysis and give a better understanding of DNS traffic conditions.
The DNS traffic analysis method provided by this application comprises:
A. collecting packet information from the network in real time;
B. preprocessing the collected packet information to extract the required DNS traffic records;
C. analysing the extracted DNS traffic records to obtain a DNS domain name-domain name relation set and a DNS domain name-IP relation set;
D. performing a merge operation on the DNS domain name-domain name relation set and the DNS domain name-IP relation set to obtain a DNS domain name-IP relation resource table.
Preferably, step C comprises:
for each DNS traffic record, obtaining the query domain name and the returned domain names in it, and forming one DNS domain name-domain name relation pair from the query domain name and each returned domain name; the DNS domain name-domain name relation pairs of all DNS traffic records form the DNS domain name-domain name relation set;
for each DNS traffic record, obtaining the query domain name and the server response IP addresses in it, and forming one DNS domain name-IP relation pair from the query domain name and each server response IP address; the DNS domain name-IP relation pairs of all DNS traffic records form the DNS domain name-IP relation set.
Preferably, step D comprises:
D1. performing a merge operation on the DNS domain name-domain name relation set to obtain a DNS domain name-domain name relation dictionary;
D2. performing a merge operation on the DNS domain name-IP relation set to obtain a DNS domain name-IP relation dictionary;
D3. integrating the DNS domain name-domain name relation dictionary and the DNS domain name-IP relation dictionary to obtain the DNS domain name-IP relation resource table.
Preferably, step D1 comprises:
D11. inputting the 1st DNS domain name-domain name relation pair of the DNS domain name-domain name relation set, denoted (A1, B1);
if A1 != B1, generating the domain name set C1 = {A1, B1};
otherwise, if A1 == B1, generating the domain name set C1 = {A1};
D12. inputting the i-th (i >= 2) DNS domain name-domain name relation pair of the DNS domain name-domain name relation set, denoted (Ai, Bi);
if Ai != Bi, comparing Ai and Bi respectively with the elements of the existing domain name sets:
a) if an existing domain name set Cm contains Ai and Cn contains Bi, and m == n, performing step D13;
b) if an existing domain name set Cm contains Ai and Cn contains Bi, and m != n, merging the existing domain name sets Cm and Cn: the elements of Cn are added to Cm and Cn is deleted;
c) if an existing domain name set Cm contains Ai and Bi is not contained in any existing domain name set, adding Bi to the set Cm; or, if an existing domain name set Cm contains Bi and Ai is not contained in any existing domain name set, adding Ai to the set Cm;
d) if neither Ai nor Bi is contained in any existing domain name set, generating the domain name set Ci = {Ai, Bi};
if Ai == Bi, comparing Ai with the elements of the existing domain name sets:
a) if Ai is not contained in any existing domain name set, generating the domain name set Ci = {Ai};
b) if Ai is contained in a domain name set Cm, performing step D13;
D13. repeating step D12 until all DNS domain name-domain name relation pairs of the DNS domain name-domain name relation set have been processed; all the resulting domain name sets form the DNS domain name-domain name relation dictionary.
Preferably, step D2 comprises:
D21. inputting the 1st DNS domain name-IP relation pair of the DNS domain name-IP relation set, and generating a new DNS domain name-IP set from the 1st DNS domain name-IP relation pair;
D22. inputting the i-th (i >= 2) DNS domain name-IP relation pair of the DNS domain name-IP relation set, and denoting the query domain name of the i-th DNS domain name-IP relation pair as Ai;
comparing Ai with the elements of the existing DNS domain name-IP sets:
a) if an existing DNS domain name-IP set Cm contains Ai, adding the server response IP address of the i-th DNS domain name-IP relation pair to Cm;
b) if Ai is not contained in any existing DNS domain name-IP set, generating a new DNS domain name-IP set from the i-th DNS domain name-IP relation pair;
D23. repeating step D22 until all DNS domain name-IP relation pairs of the DNS domain name-IP relation set have been processed; all the resulting DNS domain name-IP sets form the DNS domain name-IP relation dictionary.
Preferably, step D3 comprises:
D31. reading in the entire DNS domain name-IP relation dictionary and generating an empty DNS domain name-IP relation resource table;
D32. reading the DNS domain name-domain name relation dictionary row by row, and for each row read:
if none of the domain names in the row is present in the DNS domain name-IP relation dictionary, outputting the domain names to the DNS domain name-IP relation resource table in a predetermined format;
if at least one domain name in the row appears in the DNS domain name-IP relation dictionary, first outputting the domain names to the DNS domain name-IP relation resource table in the predetermined format, and then outputting all the corresponding server response IP addresses to the DNS domain name-IP relation resource table;
D33. repeating step D32 until every row of the DNS domain name-domain name relation dictionary has been processed, obtaining the DNS domain name-IP relation resource table.
As can be seen from the above technical solution, the DNS traffic analysis method provided by this application collects packet information from the network in real time, preprocesses it to extract the required DNS traffic records, analyses those records to obtain a DNS domain name-domain name relation set and a DNS domain name-IP relation set, and finally performs a merge operation on the two relation sets. This reduces the number of distinct domain names in the DNS traffic, makes DNS traffic analysis more targeted, and gives a better understanding of the overall current DNS traffic conditions.
Description of the drawings
Fig. 1 is a schematic diagram of the DNS traffic collection and analysis process of this application;
Fig. 2 is the sequence diagram of the DNS traffic analysis method of this application;
Fig. 3 is the flow diagram of the domain name merge operation that this application performs on DNS domain name-domain name relation pairs;
Fig. 4 is the flow diagram of the generation (or update) of the DNS domain name-IP relation resource table of this application.
Detailed description
To make the objects, technical solution and advantages of this application clearer, the application is described in further detail below with reference to the drawings and embodiments.
This application mainly uses a domain name merging algorithm to reduce the number of distinct domain names in DNS traffic, and thereby reduce the complexity of DNS traffic analysis.
Unlike traditional traffic analysis methods, this application focuses on and analyses the deeper relationships between three important items in DNS data: the query domain name, the returned domain name and the server response IP address. To some extent, fairly complicated mapping relations exist between these three items, such as one-to-one, one-to-many and many-to-one. For example, in practice one domain name usually has several aliases, and one server response IP address can also correspond to several domain names. This application therefore uses each query record to integrate the related domain names into one domain name set, namely the names that point to the same ISP (Internet Service Provider), such as xxx.cn, xxx.com.cn and xxx.com. For relevance analysis it is necessary to gather the domain names or IPs that point to the same ISP into one exclusive set. By analysing massive DNS traffic with the technical solution of this application, the relation set between DNS domain names and the corresponding domain name-IP relation set are obtained, and these relation sets give a better understanding of DNS traffic conditions.
Fig. 1 is a schematic diagram of the DNS traffic collection and analysis process of this application. The main steps of the process shown in Fig. 1 are as follows:
First, packet information is collected in real time from the carrier network by a packet collector and stored.
Then, DNS traffic preprocessing is performed on the collected packet information to extract the required DNS traffic records. For example, the fields of a DNS traffic record obtained after the usual DNS traffic preprocessing of packet information are shown in Table 1.
Field name | Example | Annotation |
---|---|---|
qsec | 1343527269 | Query time (seconds) |
qusec | 785887 | Query time (microseconds) |
intvlsec | 0 | Query-response interval (seconds) |
intvlusec | 3839 | Query-response interval (microseconds) |
clientIP | 0a124aea | User (client) IP |
serverIP | 70040cc8 | Server IP |
transID | 50857 | Uniquely identifies one query/response pair between client and server |
opCode | 0 | Query/response type (0 standard query, 1 inverse query, 2 server status request) |
isAA | 0 | Whether the response comes from an authoritative server |
isTC | 0 | Whether the response was truncated |
isRD | 1 | Whether recursion was requested |
isRA | 1 | Whether recursion is available |
rCode | 0 | Response error status (0 no error; 3 no such domain name; etc.) |
queryNum | 1 | Number of queries |
queryType | 1 | Query type (1 is A, IPv4; 28 is AAAA, IPv6) |
queryName | mobilelogin.sj.91.com | Query content |
resNum | 1 | Number of responses |
resType | 1 | Response type (5 is alias; 1 is IP; etc.) |
resName | mobilelogin.sj.91.com | Name being resolved; identical to the query content before resolution |
resData | 79cff2ef | Resolved content, after resolution |
resTTL | 18 | TTL of the response data |
Table 1
Because DNS traffic is very large, this application stores the massive DNS traffic files on HDFS (Hadoop Distributed File System), the distributed file system of the Hadoop distributed storage cluster, as data preparation for the DNS analysis operations of the next step.
Finally, DNS analysis is performed on the DNS traffic to obtain the DNS domain name-domain name relation set and the DNS domain name-IP relation set, and finally the DNS domain name-IP relation resource table. The DNS traffic analysis method of this application is described in detail below.
Fig. 2 is the sequence diagram of the DNS traffic analysis method of this application. Referring to Fig. 2, the method mainly comprises the following steps:
Action1: an MR (MapReduce) job filters the query domain name and the returned domain names out of the DNS source data (i.e. the DNS traffic) on HDFS, obtaining DNS domain name-domain name relation pairs.
Through this operation, a query domain name that has several returned domain names in the DNS traffic records is reduced to the output of several domain name-domain name relation pairs. For example, if a DNS traffic record has the query domain name www.taobao.com and three returned domain names, 11.taobao.com, 22.taobao.com and 33.taobao.com, the DNS domain name-domain name relation pairs output are (www.taobao.com, 11.taobao.com), (www.taobao.com, 22.taobao.com) and (www.taobao.com, 33.taobao.com).
Action2: an MR job filters the query domain name and the server response IP addresses out of the DNS source data on HDFS, obtaining DNS domain name-IP relation pairs.
As in Action1, after Action2 a query domain name that has several server response IP addresses in the DNS traffic records is reduced to the output of several domain name-IP relation pairs.
The operations in Action1 and Action2 can be implemented with Hadoop's MapReduce distributed programming framework, which processes massive DNS traffic quickly and in parallel and so greatly improves data processing capacity.
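As an added illustration (not code from the patent), the following Python mapper derives the Action1 and Action2 relation pairs from preprocessed records laid out like Table 1. It assumes a record carries a list of answers, each with resType, resName and resData, that resData of an A answer is the 8-hex-digit IPv4 form shown in Table 1 and that of a CNAME answer is a domain name, and that only records with rCode 0 are used; the sample records are constructed.

```python
"""Mapper logic for Action1/Action2 over preprocessed DNS flow records.
Assumptions (not stated in the patent): a record holds a list of answers,
each with resType/resName/resData; resData of an A answer is the 8-hex-digit
IPv4 form of Table 1 (79cff2ef), that of a CNAME answer is a domain name;
records whose rCode is not 0 (no error) are skipped."""

A_RECORD = 1        # resType 1: IP answer (Table 1)
CNAME_RECORD = 5    # resType 5: alias answer (Table 1)


def hex_ip_to_dotted(hex_ip):
    """Turn the 8-hex-digit IPv4 form of Table 1 into dotted decimal
    (70040cc8 -> 112.4.12.200). Malformed input raises ValueError."""
    if len(hex_ip) != 8:
        raise ValueError("expected 8 hex digits, got %r" % (hex_ip,))
    return ".".join(str(b) for b in bytes.fromhex(hex_ip))


def _norm(name):
    # DNS names are case-insensitive; drop the trailing dot so the same name
    # written two ways lands in the same domain name set later.
    return name.lower().rstrip(".")


def extract_pairs(record):
    """Return (domain_pairs, ip_pairs) for one DNS flow record.

    domain_pairs: (queryName, returned name) for every name in the answers.
                  A query answered only by its own name yields (q, q), which is
                  the A1 == B1 case that the merge step handles explicitly.
    ip_pairs:     (queryName, dotted server response IP) per A answer.
    """
    if record.get("rCode", 0) != 0:      # assumption: erroneous responses skipped
        return [], []
    q = _norm(record["queryName"])
    names, ips = set(), set()
    for ans in record["answers"]:
        names.add(_norm(ans["resName"]))
        if ans["resType"] == CNAME_RECORD:
            names.add(_norm(ans["resData"]))
        elif ans["resType"] == A_RECORD:
            ips.add(hex_ip_to_dotted(ans["resData"]))
    if not names:                        # empty answer section: keep the query itself
        names.add(q)
    return sorted((q, n) for n in names), sorted((q, ip) for ip in ips)


def mapper(records):
    """Emit Hadoop-streaming style lines 'kind<TAB>A<TAB>B' for both relation
    kinds; the reducers of Action1/Action2 would collect the DD and DI lines."""
    lines = []
    for rec in records:
        dpairs, ipairs = extract_pairs(rec)
        lines.extend("DD\t%s\t%s" % p for p in dpairs)
        lines.extend("DI\t%s\t%s" % p for p in ipairs)
    return lines


# Constructed sample input mirroring Table 1 and the www.taobao.com example.
SAMPLE_RECORDS = [
    {"queryName": "www.taobao.com", "rCode": 0, "answers": [
        {"resType": 5, "resName": "www.taobao.com", "resData": "11.taobao.com"},
        {"resType": 5, "resName": "11.taobao.com", "resData": "22.taobao.com"},
        {"resType": 1, "resName": "22.taobao.com", "resData": "79cff2ef"},
    ]},
    {"queryName": "mobilelogin.sj.91.com", "rCode": 0, "answers": [
        {"resType": 1, "resName": "mobilelogin.sj.91.com", "resData": "79cff2ef"},
    ]},
    {"queryName": "nosuch.example", "rCode": 3, "answers": []},
]

if __name__ == "__main__":
    for line in mapper(SAMPLE_RECORDS):
        print(line)
```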
Action3: a Hadoop shell command downloads the DNS domain name-domain name relation pairs from HDFS into a local working directory.
Action4: a Hadoop shell command downloads the DNS domain name-IP relation pairs from HDFS into a local working directory.
Action5: a merge operation is performed on the local DNS domain name-domain name relation pairs (see Fig. 3 and its description for details), and the result, the "DNS domain name-domain name relation dictionary", is stored in the specified local working directory.
Action6: a merge operation is performed on the local DNS domain name-IP relation pairs, and the result, the "DNS domain name-IP relation dictionary", is stored in the specified local working directory.
Action7: the local DNS domain name-domain name relation dictionary and DNS domain name-IP relation dictionary are integrated, and the DNS domain name-IP relation resource table finally obtained is stored in the specified local directory.
Fig. 3 is the flow diagram of the domain name merge operation that this application performs on DNS domain name-domain name relation pairs. Referring to Fig. 3, the input, processing and output of the domain name merge operation are first described as follows:
Input: N DNS domain name-domain name relation pairs (each comprising a query domain name and a returned domain name) + a DNS domain name-domain name relation dictionary.
Processing notes:
1) for the generation operation of the DNS domain name-domain name relation dictionary, the value of the input DNS domain name-domain name relation dictionary is Null;
2) for the update operation of the DNS domain name-domain name relation dictionary, the input DNS domain name-domain name relation dictionary is the one obtained last time.
Output: the DNS domain name-domain name relation dictionary.
The algorithm of the domain name merge operation shown in Fig. 3 proceeds as follows:
1) Input the 1st DNS domain name-domain name relation pair, denoted (A1, B1), where A1 is the query domain name and B1 is the returned domain name.
If the query domain name differs from the returned domain name, i.e. A1 != B1, the two domain names are merged into a new domain name set C1 = {A1, B1};
otherwise, i.e. A1 == B1, a new domain name set C1 = {A1} is formed from the single domain name.
2) Input the i-th (i >= 2) domain name pair (Ai, Bi).
If Ai != Bi, compare each of them with the elements of the existing domain name sets:
a) if an existing domain name set Cm contains Ai and Cn contains Bi, and m == n, do nothing;
b) if an existing domain name set Cm contains Ai and Cn contains Bi, and m != n, merge the two existing domain name sets Cm and Cn: the elements of Cn are added to Cm and Cn is deleted;
c) if an existing domain name set Cm contains Ai (or Bi), and Bi (or Ai) is not contained in any existing domain name set, add Bi (or Ai) to the set Cm;
d) if neither Ai nor Bi is contained in any existing domain name set, form a new domain name set {Ai, Bi}.
If Ai == Bi, compare Ai with the elements of the existing domain name sets:
a) if Ai is not contained in any existing domain name set, form a new domain name set {Ai};
b) if Ai is contained in a domain name set Cm, proceed to the next step.
3) Repeat step 2) until all domain name pairs have been processed, then output each merged domain name set. All the domain name sets together form the domain name dictionary.
The merge operation on DNS domain name-IP relation pairs required in Action6 above has the following input, processing and output:
Input: N DNS domain name-IP relation pairs (each comprising a query domain name and a server response IP address) + a DNS domain name-IP relation dictionary.
Processing notes:
1) for the generation operation of the DNS domain name-IP relation dictionary, the value of the input DNS domain name-IP relation dictionary is Null;
2) for the update operation of the DNS domain name-IP relation dictionary, the input DNS domain name-IP relation dictionary is the one obtained last time.
Output: the DNS domain name-IP relation dictionary.
The generation (or update) of the DNS domain name-IP relation dictionary proceeds as follows:
1) Starting from the first DNS domain name-IP relation pair, input the i-th DNS domain name-IP relation pair, for example (a.com, 192.168.0.1, 192.168.0.2);
a) if a.com is already present in the DNS domain name-IP relation dictionary, add 192.168.0.1 and 192.168.0.2 to the corresponding DNS domain name-IP set;
b) if a.com is not present in the DNS domain name-IP relation dictionary, add this record to the DNS domain name-IP relation dictionary as a new DNS domain name-IP set;
2) Once all DNS domain name-IP relation pairs have been processed, output the generated (or updated) DNS domain name-IP relation dictionary.
Fig. 4 is the flow diagram of the generation (or update) of the DNS domain name-IP relation resource table of this application, i.e. the flow diagram of Action7, the last key step of the DNS traffic analysis method shown in Fig. 2. The input, processing and output of Action7 are as follows:
Input: the DNS domain name-domain name relation dictionary + the DNS domain name-IP relation dictionary;
Output: the DNS domain name-IP relation resource table.
The generation (or update) of the DNS domain name-IP relation resource table shown in Fig. 4 proceeds as follows:
1) Read in the whole DNS domain name-IP relation dictionary and generate an empty DNS domain name-IP relation resource table;
2) Read the DNS domain name-domain name relation dictionary row by row, and for each row read:
a) if none of the domain names in the row is present in the DNS domain name-IP relation dictionary (i.e. not a single domain name of the row appears in the DNS domain name-IP relation dictionary), output the domain names to the DNS domain name-IP relation resource table in a certain format;
b) if at least one domain name in the row appears in the DNS domain name-IP relation dictionary, first output the domain names to the DNS domain name-IP relation resource table in that format, and then output all the corresponding server response IP addresses to the DNS domain name-IP relation resource table;
3) Repeat step 2) until every row of the DNS domain name-domain name relation dictionary has been processed, obtaining the final DNS domain name-IP relation resource table.
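Added example (not the patent's own code): a Python implementation of the domain name merge of Fig. 3 (steps D11 to D13, including the update operation that starts from a previous dictionary), the domain name-IP dictionary build of step D2, and the resource table generation of Fig. 4. The row and table formats are assumptions, since the patent leaves the output format open, and membership of a name in a set is tracked with a lookup dictionary instead of scanning every existing set.

```python
"""Domain merge (Fig. 3), domain-IP dictionary (D2) and resource table (Fig. 4).
Assumed formats: a dictionary row is a frozenset of names; the resource table
is a list of (sorted domain tuple, sorted IP tuple) rows."""
from collections import defaultdict


class DomainDictionary:
    """Disjoint sets of related domain names; each set is one row of the
    DNS domain name-domain name relation dictionary. `owner` maps a name to
    its set id so a membership test is O(1) rather than a scan of all sets."""

    def __init__(self, rows=None):
        self.sets = {}      # set id -> set of domain names
        self.owner = {}     # domain name -> set id
        self._next = 0
        for row in rows or []:   # update operation: start from the last dictionary
            self._new_set(row)

    def _new_set(self, domains):
        sid = self._next
        self._next += 1
        self.sets[sid] = set(domains)
        for d in domains:
            self.owner[d] = sid
        return sid

    def add_pair(self, a, b):
        """One step of D12 / Fig. 3 step 2) for the relation pair (Ai, Bi)."""
        m = self.owner.get(a)
        n = self.owner.get(b)
        if a == b:
            if m is None:                    # a) unknown name: new set {Ai}
                self._new_set([a])
            return                           # b) already in some Cm: nothing to do
        if m is not None and n is not None:
            if m != n:                       # b) two different sets: fold Cn into Cm
                for d in self.sets.pop(n):
                    self.owner[d] = m
                    self.sets[m].add(d)
            # a) m == n: both already in the same set, nothing to do
        elif m is not None:                  # c) only Ai known: add Bi to Cm
            self.sets[m].add(b)
            self.owner[b] = m
        elif n is not None:                  # c) only Bi known: add Ai to Cn
            self.sets[n].add(a)
            self.owner[a] = n
        else:                                # d) neither known: new set {Ai, Bi}
            self._new_set([a, b])

    def rows(self):
        return [frozenset(s) for s in self.sets.values()]


def merge_domain_pairs(pairs, existing=None):
    """D1: fold all (query name, returned name) pairs into the dictionary;
    `existing` is None for generation or the previous rows for an update."""
    d = DomainDictionary(existing)
    for a, b in pairs:
        d.add_pair(a, b)
    return d.rows()


def build_ip_dictionary(ip_pairs, existing=None):
    """D2: query name -> set of server response IPs, extended incrementally."""
    ipdict = defaultdict(set)
    for name, ips in (existing or {}).items():
        ipdict[name] |= set(ips)
    for name, ip in ip_pairs:
        ipdict[name].add(ip)   # a) known name: add the IP; b) unknown: new entry
    return dict(ipdict)


def build_resource_table(domain_rows, ip_dictionary):
    """D3 / Fig. 4: one table row per domain name set. Names without any IP
    in the dictionary still produce a row, with an empty IP tuple."""
    table = []
    for row in domain_rows:
        ips = set()
        for d in row:
            ips |= ip_dictionary.get(d, set())
        table.append((tuple(sorted(row)), tuple(sorted(ips))))
    return table
```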
In summary, the DNS traffic analysis method provided by this application collects packet information from the network in real time, preprocesses it to extract the required DNS traffic records, analyses those records to obtain the DNS domain name-domain name relation set and the DNS domain name-IP relation set, and finally merges the two relation sets. This reduces the number of distinct domain names in the DNS traffic, makes DNS traffic analysis more targeted, and gives a better understanding of the overall current DNS traffic conditions.
The foregoing is merely a preferred embodiment of this application and does not limit it; any modification, equivalent substitution or improvement made within the spirit and principles of this application shall be included within the scope of protection of this application.
Claims (6)
1. A DNS traffic analysis method, characterised in that it comprises:
A. collecting packet information from the network in real time;
B. preprocessing the collected packet information to extract the required DNS traffic records;
C. analysing the extracted DNS traffic records to obtain a DNS query domain name-returned domain name relation set and a DNS query domain name-IP relation set;
D. performing a merge operation on the DNS query domain name-returned domain name relation set and the DNS query domain name-IP relation set to obtain a DNS query domain name-IP relation resource table.
2. The method according to claim 1, characterised in that step C comprises:
for each DNS traffic record, obtaining the query domain name and the returned domain names in it, and forming one DNS query domain name-returned domain name relation pair from the query domain name and each returned domain name; the DNS query domain name-returned domain name relation pairs of all DNS traffic records form the DNS query domain name-returned domain name relation set;
for each DNS traffic record, obtaining the query domain name and the server response IP addresses in it, and forming one DNS query domain name-IP relation pair from the query domain name and each server response IP address; the DNS query domain name-IP relation pairs of all DNS traffic records form the DNS query domain name-IP relation set.
3. The method according to claim 1 or 2, characterised in that step D comprises:
D1. performing a merge operation on the DNS query domain name-returned domain name relation set to obtain a DNS query domain name-returned domain name relation dictionary;
D2. performing a merge operation on the DNS query domain name-IP relation set to obtain a DNS query domain name-IP relation dictionary;
D3. integrating the DNS query domain name-returned domain name relation dictionary and the DNS query domain name-IP relation dictionary to obtain the DNS query domain name-IP relation resource table.
4. The method according to claim 3, characterised in that step D1 comprises:
D11. inputting the 1st DNS query domain name-returned domain name relation pair of the DNS query domain name-returned domain name relation set, denoted (A1, B1);
if A1 ≠ B1, generating the domain name set C1 = {A1, B1};
otherwise, if A1 = B1, generating the domain name set C1 = {A1};
D12. inputting the i-th DNS query domain name-returned domain name relation pair of the DNS query domain name-returned domain name relation set, denoted (Ai, Bi), where i >= 2;
if Ai ≠ Bi, comparing Ai and Bi respectively with the elements of the existing domain name sets:
a) if an existing domain name set Cm contains Ai and Cn contains Bi, and m = n, performing step D13;
b) if an existing domain name set Cm contains Ai and Cn contains Bi, and m ≠ n, merging the existing domain name sets Cm and Cn: the elements of Cn are added to Cm and Cn is deleted;
c) if an existing domain name set Cm contains Ai and Bi is not contained in any existing domain name set, adding Bi to the set Cm; or, if an existing domain name set Cm contains Bi and Ai is not contained in any existing domain name set, adding Ai to the set Cm;
d) if neither Ai nor Bi is contained in any existing domain name set, generating the domain name set Ci = {Ai, Bi};
if Ai = Bi, comparing Ai with the elements of the existing domain name sets:
a) if Ai is not contained in any existing domain name set, generating the domain name set Ci = {Ai};
b) if Ai is contained in a domain name set Cm, performing step D13;
D13. repeating step D12 until all DNS query domain name-returned domain name relation pairs of the DNS query domain name-returned domain name relation set have been processed; all the resulting domain name sets form the DNS query domain name-returned domain name relation dictionary.
5. The method according to claim 3, characterised in that step D2 comprises:
D21. inputting the 1st DNS query domain name-IP relation pair of the DNS query domain name-IP relation set, and generating a new DNS query domain name-IP set from the 1st DNS query domain name-IP relation pair;
D22. inputting the i-th DNS query domain name-IP relation pair of the DNS query domain name-IP relation set, and denoting the query domain name of the i-th DNS query domain name-IP relation pair as Ai, where i >= 2;
comparing Ai with the elements of the existing DNS query domain name-IP sets:
a) if an existing DNS query domain name-IP set Cm contains Ai, adding the server response IP address of the i-th DNS query domain name-IP relation pair to Cm;
b) if Ai is not contained in any existing DNS query domain name-IP set, generating a new DNS query domain name-IP set from the i-th DNS query domain name-IP relation pair;
D23. repeating step D22 until all DNS query domain name-IP relation pairs of the DNS query domain name-IP relation set have been processed; all the resulting DNS query domain name-IP sets form the DNS query domain name-IP relation dictionary.
6. The method according to claim 3, characterised in that step D3 comprises:
D31. reading in the entire DNS query domain name-IP relation dictionary and generating an empty DNS query domain name-IP relation resource table;
D32. reading the DNS query domain name-returned domain name relation dictionary row by row, and for each row read:
if none of the query domain names in the row is present in the DNS query domain name-IP relation dictionary, outputting the query domain names to the DNS query domain name-IP relation resource table in a predetermined format;
if at least one query domain name in the row appears in the DNS query domain name-IP relation dictionary, first outputting the query domain names to the DNS query domain name-IP relation resource table in the predetermined format, and then outputting all the corresponding server response IP addresses to the DNS query domain name-IP relation resource table;
D33. repeating step D32 until every row of the DNS query domain name-returned domain name relation dictionary has been processed, obtaining the DNS query domain name-IP relation resource table.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310268521.0A CN104253875B (en) | 2013-06-28 | 2013-06-28 | A kind of DNS flow analysis methods |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104253875A CN104253875A (en) | 2014-12-31 |
CN104253875B true CN104253875B (en) | 2018-05-22 |
Family
ID=52188396
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310268521.0A Active CN104253875B (en) | 2013-06-28 | 2013-06-28 | A kind of DNS flow analysis methods |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104253875B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104639391A (en) * | 2015-01-04 | 2015-05-20 | 中国联合网络通信集团有限公司 | Method for generating network flow record and corresponding flow detection equipment |
CN106302850B (en) * | 2016-08-04 | 2019-07-26 | 北京迅达云成科技有限公司 | A kind of authority's DNS method for optimizing configuration and device |
CN108462675A (en) * | 2017-02-20 | 2018-08-28 | 沪江教育科技(上海)股份有限公司 | A kind of network accesses recognition methods and system |
CN111163184B (en) * | 2019-12-25 | 2022-07-01 | 杭州迪普科技股份有限公司 | Method and device for extracting message features |
CN112202739B (en) * | 2020-09-17 | 2021-12-14 | 腾讯科技(深圳)有限公司 | Flow monitoring method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101719847A (en) * | 2009-10-15 | 2010-06-02 | 上海寰雷信息技术有限公司 | High-performance monitoring method for DNS traffic |
CN102082836A (en) * | 2009-11-30 | 2011-06-01 | 中国移动通信集团四川有限公司 | DNS (Domain Name Server) safety monitoring system and method |
CN102549562A (en) * | 2009-04-07 | 2012-07-04 | 弗里塞恩公司 | Existent domain name DNS traffic capture and analysis |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9130990B2 (en) * | 2006-05-17 | 2015-09-08 | Orange | Server and method for managing domain names in a network using a zone file with a rule partitioning subdomains into subzones |
Application events
- 2013-06-28: CN201310268521.0A filed (CN), granted as CN104253875B, status Active
Non-Patent Citations (1)
Title |
---|
Kang Le, Research on botnet detection technology based on DNS data streams (基于DNS数据流的僵尸网络检测技术研究), China Master's Theses Full-text Database, Information Science and Technology series, 2012-05-15 (2012, No. 05), body text pp. 31-32 * |
Also Published As
Publication number | Publication date |
---|---|
CN104253875A (en) | 2014-12-31 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| CP03 | Change of name, title or address | Address after: 100142 No. 14, No. 45, North dewa Road, Haidian District, Beijing, 102; Patentee after: BEIJING HAOHAN DATA INFORMATION TECHNOLOGY CO., LTD.; Address before: No. 45 North dewa Road, Haidian District, Beijing; Patentee before: BEIJING KUANGUANG TELECOM HIGH-TECH DEVELOPMENT CO., LTD. |