CN105530327B - A DNS key information processing method and system

Publication number: CN105530327B
Application number: CN201410583420.7A
Priority: CN201410583420.7A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN105530327A
Prior art keywords: data, dns, queue, key message, record
Inventors: 刘俊, 张则梁, 王逐尘, 景晓军, 沈智杰, 唐新民
Current assignee: SURFILTER NETWORK TECHNOLOGY Co Ltd
Original assignee: SURFILTER NETWORK TECHNOLOGY Co Ltd

Abstract

The present invention provides a DNS key information processing method involving an acquisition module, a protocol identification module, a DNS decoder module, an output module, a transmission module and a convergence center node server. The method comprises the following steps: S1, acquiring network data in real time; S2, identifying DNS response data in the network data; S3, computing statistics on the DNS response data while decoding it and generating key information data; S4, storing the key information data; S5, generating the corresponding files; S6, sending the files; S7, deduplicating and compressing the files and storing them. By collecting and analyzing DNS data, the corresponding key information is extracted from the raw data according to the different DNS data types and stored record by record, which preserves as much of the information as possible. More complete and more varied original records are obtained from the DNS response data; only the raw data is stored, without analysis, so that a third party can obtain data of the required types as needed, mine it in depth and compute multi-dimensional statistics.

Description

A DNS key information processing method and system
Technical field
The present invention relates to the field of Internet communication, and more specifically to a DNS key information processing method and system.
Background
DNS (the Domain Name System) is a critically important piece of Internet infrastructure. Its main function is to translate between domain names and IP addresses; Internet-based web services, e-mail services and routing services all depend on DNS directly or indirectly. With the rapid growth of the online population and the move of broadband networks to optical fiber, Internet service data has grown explosively, and DNS produces massive volumes of traffic logs.
To ensure the quality of their customers' Internet access, the major operators have each built their own regional DNS networks. A DNS network consists of several DNS nodes, and the core of each node is a DNS server cluster that answers users' DNS queries. At present, to keep track of the day-to-day operation of a DNS network, the existing approaches are either to derive various statistical indicators by analyzing DNS traffic or to analyze a sample of the traffic. These approaches are used because DNS traffic is so large that recording a complete log of user behavior is extremely difficult. Statistical indicators, however, are relatively fixed and cannot be mined further, while sampling loses a large amount of valid data, so the analysis loses accuracy.
Summary of the invention
The technical problem to be solved by the present invention is to overcome the above defects of the prior art by providing a DNS key information processing method and system. By collecting and analyzing DNS data, the corresponding key information is extracted from the raw data according to the different DNS data types and stored record by record, which preserves as much of the information as possible. More complete and more varied original records are obtained from the DNS response data; only the raw data is stored, without analysis, so that a third party can obtain data of the required types as needed, mine it in depth and compute multi-dimensional statistics.
The technical solution adopted by the present invention to solve this technical problem is to provide a DNS key information processing method involving an acquisition module, a protocol identification module, a DNS decoder module, an output module, a transmission module and a convergence center node server.
The method comprises the following steps:
S1, the acquisition module acquires network data in real time and sends the network data to the protocol identification module;
S2, the protocol identification module identifies DNS response data in the network data and sends the DNS response data to the DNS decoder module;
S3, the DNS decoder module computes statistics on the DNS response data and sends the statistics file to the output module, and at the same time decodes the DNS response data and generates the corresponding key information data in the DNS response data according to the different query types;
S4, the DNS decoder module stores the key information data in the in-memory queue corresponding to its query type;
S5, the output module reads the key information data from the in-memory queue, generates the corresponding files from the key information data and the statistics file, and sends the files to the in-memory file system directory;
S6, the transmission module sends the files in the in-memory file system directory to the convergence center node server;
S7, the convergence center node server deduplicates and compresses the files at a preset time period and stores the deduplicated and compressed files.
Preferably, step S3 further comprises the following steps:
S31, obtaining the questions in the DNS response data and parsing the questions;
S32, determining whether the number of questions is zero; if the result is not zero, continuing to parse the questions; if the result is zero, proceeding to step S33;
S33, obtaining the answers in the DNS response data and parsing the corresponding RDATA according to the query type;
S34, determining whether the number of answers is zero; if the result is not zero, continuing to parse the answers; if the result is zero, proceeding to step S35;
S35, generating the key information data from the parsing result.
Preferably, the query types include query type A, query type MX and query type NS; the generated key information data includes A record data, MX record data and NS record data corresponding to the query types.
Preferably, the A record data includes client IP, domain name, domain name CNAME and domain name IP;
the MX record data includes domain name, mail server domain name and mail server IP;
the NS record data includes name server name and name server IP.
Preferably, the in-memory queues include queue one, queue two, queue three and queue four;
step S4 further comprises the following steps:
storing the A record data in both queue one and queue two;
storing the MX record data in queue three;
storing the NS record data in queue four.
Preferably, step S5 further comprises the following steps:
the output module reads the A record data in queue one and determines whether the domain name or domain name IP in the A record data matches a specified domain name or specified domain name IP; if it does not match, the next A record is read; if it matches, a monitoring file is generated from the A record data and sent to the in-memory file system directory;
the output module reads the A record data in queue two, generates an A record file from it and sends the file to the in-memory file system directory;
the output module reads the MX record data in queue three, generates an MX record file from it and sends the file to the in-memory file system directory;
the output module reads the NS record data in queue four, generates an NS record file from it and sends the file to the in-memory file system directory.
Preferably, the deduplication in step S7 uses a Judy array algorithm.
The present invention also provides a DNS key information processing system comprising an acquisition module, a protocol identification module, a DNS decoder module, an output module, a transmission module and a convergence center node server; it further comprises in-memory queues and an in-memory file system directory.
The acquisition module, the protocol identification module, the DNS decoder module, the in-memory queues, the output module, the in-memory file system directory, the transmission module and the convergence center node server are connected in sequence.
The acquisition module is used to acquire network data in real time and send the network data to the protocol identification module.
The protocol identification module is used to identify DNS response data in the network data and send the DNS response data to the DNS decoder module.
The DNS decoder module is used to compute statistics on the DNS response data and send the statistics file to the transmission module; it is also used to decode the DNS response data and generate the corresponding key information data in the DNS response data according to the different query types; and it is also used to store the key information data in the in-memory queue corresponding to its query type.
The in-memory queues are used to store the key information data of the corresponding query types.
The output module is used to read the key information data from the in-memory queues, generate the corresponding files from the key information data and the statistics file, and send the files to the in-memory file system directory.
The in-memory file system directory is used to store the files.
The transmission module is used to send the files in the in-memory file system directory to the convergence center node server.
The convergence center node server is used to deduplicate and compress the network data at a preset time period and to store the deduplicated and compressed network data.
Preferably, the DNS decoder module is also used to obtain the questions in the DNS response data, to parse the questions and to determine whether the number of questions is zero;
it is also used to obtain the answers in the DNS response data and parse the corresponding RDATA according to the query type, to determine whether the number of answers is zero, and to generate the key information data from the parsing result.
Preferably, the query types include query type A, query type MX and query type NS; the generated key information data includes A record data, MX record data and NS record data corresponding to the query types.
The A record data includes client IP, domain name, domain name CNAME and domain name IP; the MX record data includes domain name, mail server domain name and mail server IP; the NS record data includes name server name and name server IP.
The in-memory queues include queue one, queue two, queue three and queue four; the A record data is stored in both queue one and queue two; the MX record data is stored in queue three; the NS record data is stored in queue four.
The output module is also used to read the A record data in queue one and, according to whether the domain name or domain name IP in the A record data matches a specified domain name or specified domain name IP, to generate a monitoring file from the A record data and send it to the in-memory file system directory.
The output module is also used to read the A record data in queue two, generate an A record file from it and send the file to the in-memory file system directory.
The output module is also used to read the MX record data in queue three, generate an MX record file from it and send the file to the in-memory file system directory.
The output module is also used to read the NS record data in queue four, generate an NS record file from it and send the file to the in-memory file system directory.
Implementing the present invention has the following beneficial effects: by collecting and analyzing DNS data, the corresponding key information is extracted from the raw data according to the different DNS data types and stored record by record, which preserves as much of the information as possible. More complete and more varied original records are obtained from the DNS response data; only the raw data is stored, without analysis, so that a third party can obtain data of the required types as needed, mine it in depth and compute multi-dimensional statistics.
Brief description of the drawings
The present invention is further described below with reference to the accompanying drawings and embodiments, in which:
Fig. 1 is a flow chart of one embodiment of the DNS key information processing method of the present invention;
Fig. 2 is a flow chart of one embodiment of the DNS parsing in Fig. 1;
Fig. 3 is a block diagram of one embodiment of the DNS key information processing system of the present invention.
Detailed description of the embodiments
In the prior art, statistical indicators are relatively fixed and cannot be mined further, while sampling loses a large amount of valid data so that the analysis loses accuracy. To address these problems, the present invention provides a DNS key information processing method and system (DNS being the common English abbreviation for the domain name resolution system). By collecting and analyzing DNS data, the corresponding key information is extracted from the raw data according to the different DNS data types and stored record by record, which preserves as much of the information as possible. More complete and more varied original records are obtained from the DNS response data; only the raw data is stored, without analysis, so that a third party can obtain data of the required types as needed, mine it in depth and compute multi-dimensional statistics.
For a clearer understanding of the technical features, objects and effects of the present invention, specific embodiments of the invention are now described in detail with reference to the drawings.
As shown in Fig. 1, which is a flow chart of one embodiment of the DNS key information processing method of the present invention, the present invention provides a DNS key information processing method involving an acquisition module 10, a protocol identification module 20, a DNS decoder module 30, an output module 40, a transmission module 50 and a convergence center node server 60.
The method comprises the following steps:
S1, multiple DNS acquisition nodes gather network data to a central node, and the acquisition module 10 simultaneously acquires the network data therein in real time and sends it to the protocol identification module 20. The acquisition approach of this embodiment obtains network data more comprehensively, so that the network information is more complete and its types richer.
S2, the protocol identification module 20 identifies DNS response data in the network data and sends the DNS response data to the DNS decoder module 30;
S3, the DNS decoder module 30 computes statistics on the DNS response data and sends the statistics file to the output module 40, and at the same time decodes the DNS response data and generates the corresponding key information data in the DNS response data according to the different query types;
In this embodiment, the query types include query type A, query type MX and query type NS; the generated key information data includes A record data, MX record data and NS record data corresponding to the query types. The A record data includes client IP, domain name, domain name CNAME (domain name alias), domain name IP and so on; the MX record data includes domain name, mail server domain name, mail server IP and so on; the NS record data includes name server name, name server IP and so on.
S4, the DNS decoder module 30 stores the key information data in the in-memory queue corresponding to its query type. The parsed data is placed in different shared-memory queues according to request type. The data is placed in shared-memory queues rather than written directly to files so that the I/O (input/output) operations of the output module 40 do not affect the efficiency of the real-time acquisition module.
In this embodiment, the in-memory queues include queue one, queue two, queue three and queue four. The A record data is stored in both queue one and queue two; the MX record data is stored in queue three; the NS record data is stored in queue four.
S5, the output module 40 reads the key information data from the in-memory queues, generates the corresponding files from the key information data and the statistics file, and sends the files to the in-memory file system directory;
In this embodiment, the output module 40 reads the A record data in queue one and determines whether the domain name or domain name IP in the A record data matches a specified domain name or specified domain name IP; if it does not match, the next A record is read; if it matches, a monitoring file is generated from the A record data and sent to the in-memory file system directory;
the output module 40 reads the A record data in queue two, generates an A record file from it and sends the file to the in-memory file system directory;
the output module 40 reads the MX record data in queue three, generates an MX record file from it and sends the file to the in-memory file system directory;
the output module 40 reads the NS record data in queue four, generates an NS record file from it and sends the file to the in-memory file system directory.
S6, the transmission module 50 sends the files in the in-memory file system directory to the convergence center node server 60;
S7, the convergence center node server 60 deduplicates and compresses the files at a preset time period and stores the deduplicated and compressed files.
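The queue fan-out of steps S4 and S5 can be sketched as follows. This is an added example, not code from the patent: the record field names, the exact-match watchlist, the tab-separated line layout and the choice to drop (and count) records when a queue is full, so that slow output never blocks capture, are all assumptions.

```python
import queue

class QueueRouter:
    """Step S4: fan decoded records out to four bounded in-memory queues."""

    def __init__(self, maxsize=10000):
        self.q1 = queue.Queue(maxsize)   # A records for the monitoring output
        self.q2 = queue.Queue(maxsize)   # A records for the full A record file
        self.q3 = queue.Queue(maxsize)   # MX records
        self.q4 = queue.Queue(maxsize)   # NS records
        self.dropped = 0                 # records lost because a queue was full

    def _put(self, q, rec):
        # Never block the decoder: if the output side is slow, count the loss
        # so the gap is visible in the statistics (assumed policy).
        try:
            q.put_nowait(rec)
        except queue.Full:
            self.dropped += 1

    def route(self, rec):
        kind = rec["type"]
        if kind == "A":
            self._put(self.q1, rec)      # same record goes to both queues
            self._put(self.q2, rec)
        elif kind == "MX":
            self._put(self.q3, rec)
        elif kind == "NS":
            self._put(self.q4, rec)
        # other record types are not key information and are ignored

def drain(q):
    """Remove and return everything currently in the queue."""
    items = []
    while True:
        try:
            items.append(q.get_nowait())
        except queue.Empty:
            return items

def monitoring_lines(router, watch_domains, watch_ips):
    """Step S5, queue one: keep only A records that match the watchlist."""
    lines = []
    for rec in drain(router.q1):
        domain = rec["domain"].lower().rstrip(".")
        if domain in watch_domains or rec["ip"] in watch_ips:
            lines.append("\t".join(
                [rec["client_ip"], domain, rec.get("cname") or "", rec["ip"]]))
    return lines

# Constructed sample records (documentation addresses and example domains).
SAMPLE_RECORDS = [
    {"type": "A", "client_ip": "198.51.100.7", "domain": "www.example.com",
     "cname": "edge.example.net", "ip": "192.0.2.10"},
    {"type": "A", "client_ip": "198.51.100.8", "domain": "Watched.Example.org.",
     "cname": None, "ip": "192.0.2.99"},
    {"type": "MX", "domain": "example.com", "mail_server": "mail.example.com"},
    {"type": "NS", "name_server": "ns1.example.com"},
]

if __name__ == "__main__":
    router = QueueRouter()
    for record in SAMPLE_RECORDS:
        router.route(record)
    print(monitoring_lines(router, {"watched.example.org"}, set()))
```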
Further, as shown in Fig. 2, which is a flow chart of one embodiment of the DNS parsing in Fig. 1, step S3 further comprises the following steps:
S31, obtaining the questions in the DNS response data and parsing the questions;
S32, determining whether the number of questions is zero; if the result is not zero, continuing to parse the questions; if the result is zero, proceeding to step S33;
S33, obtaining the answers in the DNS response data and parsing the corresponding RDATA according to the query type;
S34, determining whether the number of answers is zero; if the result is not zero, continuing to parse the answers; if the result is zero, proceeding to step S35;
S35, generating the key information data from the parsing results of the questions and the answers.
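Steps S31 to S35 correspond to walking the question and answer sections of a DNS response. The decoder below is an added example, not the patent's code: the record field names are assumptions, the sample packet is constructed, and mail server and name server IPs (which would come from other records) are not resolved. It bounds every read and limits compression-pointer jumps, since a passive decoder parses untrusted packets.

```python
import ipaddress
import struct

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_MX = 1, 2, 5, 15

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumps, resume = [], 0, None
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if resume is None:
                resume = off + 2                   # caller continues after first pointer
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumps += 1
            if jumps > 64:                         # crafted packets can point in a loop
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        off += 1
        if length == 0:
            return ".".join(labels), (resume if resume is not None else off)
        if off + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length

def decode_response(msg, client_ip):
    """Return the key information records found in one DNS response."""
    if len(msg) < 12:
        raise ValueError("short header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: a query, not a response")
    off, qname = 12, None
    while qdcount:                                 # S31/S32: parse until none remain
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        off += 4                                   # skip QTYPE and QCLASS
        qname = qname if qname is not None else name
        qdcount -= 1
    records, cname = [], None
    while ancount:                                 # S33/S34: parse until none remain
        owner, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated answer header")
        rtype, _cls, _ttl, rdlen = struct.unpack("!2HIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise ValueError("RDATA runs past end of message")
        if rtype == TYPE_CNAME:                    # remember the alias for later A records
            cname, _ = read_name(msg, off)
        elif rtype == TYPE_A and rdlen == 4:
            records.append({"type": "A", "client_ip": client_ip, "domain": qname,
                            "cname": cname,
                            "ip": str(ipaddress.IPv4Address(msg[off:off + 4]))})
        elif rtype == TYPE_MX and rdlen >= 3:      # 2-byte preference, then exchange name
            exchange, _ = read_name(msg, off + 2)
            records.append({"type": "MX", "domain": owner, "mail_server": exchange})
        elif rtype == TYPE_NS:
            server, _ = read_name(msg, off)
            records.append({"type": "NS", "name_server": server})
        off += rdlen
        ancount -= 1
    return records                                 # S35

def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"

def build_sample():
    """Constructed response: www.example.com -> CNAME edge.example.net -> 192.0.2.10."""
    hdr = struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    question = encode_name("www.example.com") + struct.pack("!2H", TYPE_A, 1)
    target = encode_name("edge.example.net")
    rr1 = b"\xc0\x0c" + struct.pack("!2HIH", TYPE_CNAME, 1, 60, len(target)) + target
    target_off = len(hdr) + len(question) + 2 + 10  # where the CNAME RDATA starts
    rr2 = (struct.pack("!H", 0xC000 | target_off)
           + struct.pack("!2HIH", TYPE_A, 1, 60, 4) + bytes([192, 0, 2, 10]))
    return hdr + question + rr1 + rr2

if __name__ == "__main__":
    print(decode_response(build_sample(), "198.51.100.7"))
```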
Further, as shown in Figs. 1 and 2, the deduplication in step S7 uses a Judy array algorithm. The principle is as follows: the DNS data is inserted into a two-level Judy array keyed by domain name and IP. The first-level key is the domain name together with the record type (A record and so on), separated by a tab; the second-level key is the IP; the leaf nodes are the deduplicated result. The Judy array is an efficient data structure, a variant of the trie (word lookup tree), and is logically a 256-ary tree. It uses a wider, shallower digital tree to optimize time efficiency, which reduces the number of indirections needed to reach a given key and avoids the time cost of potential processor cache fills, and it provides key-value access. Compared with other associative data structures, Judy divides subtrees according to key length, so the balance of the tree need not be considered as the problem grows, whereas rebalancing a conventional tree as the problem grows is very difficult. In addition, standard Judy uses more than 20 different dynamically compressed node types at each level, so that nodes stay in the computer's cache as far as possible; this raises the cache hit rate and reduces the number of memory accesses, which speeds up operation. Because it is efficient and uses little memory, it is widely used for processing large data sets. After the data is deduplicated with Judy, it is written to file in lexicographic order, which fits well with the compression approach of the zlib library (a function library that provides data compression). Tests show that compressing with zlib after Judy array deduplication gives a compression ratio more than twice that obtained after deduplication with an ordinary algorithm.
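The two-level keying, lexicographic output and zlib compression described above can be sketched as follows. This is an added example, not the patent's code: a Python dict of sets stands in for the Judy array (with an explicit sort replacing Judy's ordered traversal), and the case folding of domain names, the line layout and the sample records are assumptions.

```python
import zlib
from collections import defaultdict

def dedup_records(records):
    """Deduplicate (domain, record_type, ip) tuples and return sorted lines.

    Level 1 key: "domain<TAB>type". Level 2 key: IP. A record seen any number
    of times within the period survives exactly once.
    """
    index = defaultdict(set)
    for domain, rtype, ip in records:
        # DNS names compare case-insensitively; fold case and drop the
        # trailing root dot so equivalent spellings collapse (assumption).
        key = f"{domain.lower().rstrip('.')}\t{rtype}"
        index[key].add(ip)
    lines = []
    for key in sorted(index):                # lexicographic order, level 1
        for ip in sorted(index[key]):        # lexicographic order, level 2
            lines.append(f"{key}\t{ip}")
    return lines

def compress_period(records, level=9):
    """Deduplicate one period's records and compress the sorted output."""
    lines = dedup_records(records)
    blob = zlib.compress("\n".join(lines).encode("utf-8"), level)
    return lines, blob

def size_report(records):
    """Sizes a reader can compare: raw input versus deduplicated output."""
    raw = "\n".join(f"{d}\t{t}\t{ip}" for d, t, ip in records).encode("utf-8")
    lines, blob = compress_period(records)
    return {
        "raw_lines": len(records),
        "unique_lines": len(lines),
        "raw_compressed_bytes": len(zlib.compress(raw, 9)),
        "dedup_compressed_bytes": len(blob),
    }

# Constructed sample: one period's A records as seen at the aggregation node.
SAMPLE = [
    ("www.example.com", "A", "192.0.2.10"),
    ("WWW.example.com.", "A", "192.0.2.10"),   # same record, different spelling
    ("www.example.com", "A", "192.0.2.11"),
    ("mail.example.com", "A", "192.0.2.25"),
    ("www.example.com", "A", "192.0.2.10"),    # exact duplicate
    ("api.example.net", "A", "198.51.100.4"),
]

if __name__ == "__main__":
    for line in dedup_records(SAMPLE):
        print(line)
    print(size_report(SAMPLE))
```

Sorting places records that share a domain next to each other, so the repeated prefixes fall inside zlib's matching window.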
As shown in Fig. 3, which is a block diagram of one embodiment of the DNS key information processing system of the present invention, the present invention provides a DNS key information processing system comprising an acquisition module 10, a protocol identification module 20, a DNS decoder module 30, an output module 40, a transmission module 50 and a convergence center node server 60; it further comprises in-memory queues and an in-memory file system directory.
The acquisition module 10, the protocol identification module 20, the DNS decoder module 30, the in-memory queues, the output module 40, the in-memory file system directory, the transmission module 50 and the convergence center node server 60 are connected in sequence.
The acquisition module 10 is used to acquire network data in real time and send the network data to the protocol identification module 20.
The protocol identification module 20 is used to identify DNS response data in the network data and send the DNS response data to the DNS decoder module 30.
The DNS decoder module 30 is used to compute statistics on the DNS response data and send the statistics file to the transmission module 50; it is also used to decode the DNS response data and generate the corresponding key information data in the DNS response data according to the different query types; and it is also used to store the key information data in the in-memory queue corresponding to its query type.
The in-memory queues are used to store the key information data of the corresponding query types.
The output module 40 is used to read the key information data from the in-memory queues, generate the corresponding files from the key information data and the statistics file, and send the files to the in-memory file system directory.
The in-memory file system directory is used to store the files.
The transmission module 50 is used to send the files in the in-memory file system directory to the convergence center node server 60.
The convergence center node server 60 is used to deduplicate and compress the network data at a preset time period and to store the deduplicated and compressed network data.
Further, as shown in Fig. 3, the DNS decoder module 30 is also used to obtain the questions in the DNS response data, to parse the questions and to determine whether the number of questions is zero;
it is also used to obtain the answers in the DNS response data and parse the corresponding RDATA according to the query type, to determine whether the number of answers is zero, and to generate the key information data from the parsing result.
Further, as shown in Fig. 3, the query types include query type A, query type MX and query type NS; the generated key information data includes A record data, MX record data and NS record data corresponding to the query types.
The A record data includes client IP, domain name, domain name CNAME and domain name IP; the MX record data includes domain name, mail server domain name and mail server IP; the NS record data includes name server name and name server IP.
The in-memory queues include queue one, queue two, queue three and queue four; the A record data is stored in both queue one and queue two; the MX record data is stored in queue three; the NS record data is stored in queue four.
The output module 40 is also used to read the A record data in queue one and, according to whether the domain name or domain name IP in the A record data matches a specified domain name or specified domain name IP, to generate a monitoring file from the A record data and send it to the in-memory file system directory.
The output module 40 is also used to read the A record data in queue two, generate an A record file from it and send the file to the in-memory file system directory.
The output module 40 is also used to read the MX record data in queue three, generate an MX record file from it and send the file to the in-memory file system directory.
The output module 40 is also used to read the NS record data in queue four, generate an NS record file from it and send the file to the in-memory file system directory.
The embodiments of the present invention have been described above with reference to the drawings, but the invention is not limited to the specific embodiments described. These embodiments are illustrative rather than restrictive. Under the teaching of the present invention, those of ordinary skill in the art can devise many other forms without departing from the purpose of the invention and the scope protected by the claims, and all of these fall within the protection of the present invention.

Claims (10)

1. A DNS key information processing method, characterized in that it involves an acquisition module (10), a protocol identification module (20), a DNS decoder module (30), an output module (40), a transmission module (50) and a convergence center node server (60), and comprises the following steps:
S1, the acquisition module (10) acquires network data in real time and sends the network data to the protocol identification module (20);
S2, the protocol identification module (20) identifies DNS response data in the network data and sends the DNS response data to the DNS decoder module (30);
S3, the DNS decoder module (30) computes statistics on the DNS response data and sends the statistics file to the output module (40), and at the same time decodes the DNS response data and generates the corresponding key information data in the DNS response data according to the different query types;
S4, the DNS decoder module (30) stores the key information data in the in-memory queue corresponding to its query type;
S5, the output module (40) reads the key information data from the in-memory queue, generates the corresponding files from the key information data and the statistics file, and sends the corresponding files to the in-memory file system directory;
S6, the transmission module (50) sends the corresponding files in the in-memory file system directory to the convergence center node server (60);
S7, the convergence center node server (60) deduplicates and compresses the files at a preset time period and stores the deduplicated and compressed corresponding files.
2. The DNS key information processing method according to claim 1, characterized in that step S3 further comprises the following steps:
S31, obtaining the questions in the DNS response data and parsing the questions;
S32, determining whether the number of questions is zero; if the result is not zero, continuing to parse the questions; if the result is zero, proceeding to step S33;
S33, obtaining the answers in the DNS response data and parsing the corresponding RDATA according to the query type;
S34, determining whether the number of answers is zero; if the result is not zero, continuing to parse the answers; if the result is zero, proceeding to step S35;
S35, generating the key information data from the parsing result.
3. The DNS key information processing method according to any one of claims 1 to 2, characterized in that the query types include query type A, query type MX and query type NS; the generated key information data includes A record data, MX record data and NS record data corresponding to the query types.
4. The DNS key information processing method according to claim 3, characterized in that
the A record data includes client IP, domain name, domain name CNAME and domain name IP;
the MX record data includes domain name, mail server domain name and mail server IP;
the NS record data includes name server name and name server IP.
5. The DNS key information processing method according to claim 4, characterized in that the in-memory queues include queue one, queue two, queue three and queue four;
step S4 further comprises the following steps:
storing the A record data in both queue one and queue two;
storing the MX record data in queue three;
storing the NS record data in queue four.
6. The DNS key information processing method according to claim 5, characterized in that step S5 further comprises the following steps:
the output module (40) reads the A record data in queue one and determines whether the domain name or domain name IP in the A record data matches a specified domain name or specified domain name IP; if it does not match, the next A record is read; if it matches, a monitoring file is generated from the A record data and sent to the in-memory file system directory;
the output module (40) reads the A record data in queue two, generates an A record file from it and sends the file to the in-memory file system directory;
the output module (40) reads the MX record data in queue three, generates an MX record file from it and sends the file to the in-memory file system directory;
the output module (40) reads the NS record data in queue four, generates an NS record file from it and sends the file to the in-memory file system directory.
7. The DNS key information processing method according to claim 1, characterized in that the deduplication in step S7 uses a Judy array algorithm.
8. A DNS key message processing system, characterized in that it includes an acquisition module (10), a protocol identification module (20), a DNS decoder module (30), an output module (40), a transmission module (50) and a convergence center node server (60); it further includes a memory queue and a memory file system catalogue;
The acquisition module (10), the protocol identification module (20), the DNS decoder module (30), the memory queue, the output module (40), the memory file system catalogue, the transmission module (50) and the convergence center node server (60) are connected in sequence;
The acquisition module (10) is used to acquire network data in real time and send the network data to the protocol identification module (20);
The protocol identification module (20) is used to analyze DNS reply data from the network data, and send the DNS reply data to the DNS decoder module (30);
The DNS decoder module (30) is used to carry out data statistics on the DNS reply data and send a statistics file to the transmission module (50); it is also used to decode the DNS reply data and generate, according to different query types, the corresponding key message data in the DNS reply data; it is also used to store the key message data into the corresponding memory queue according to the corresponding query type;
The memory queue is used to store the key message data of the corresponding query type;
The output module (40) is used to read the key message data in the memory queue, generate corresponding files from the key message data and the statistics file, and at the same time send the corresponding files to the memory file system catalogue;
The memory file system catalogue is used to store the corresponding files;
The transmission module (50) is used to send the corresponding files in the memory file system catalogue to the convergence center node server (60);
The convergence center node server (60) is used to carry out duplicate removal and compression on the network data at a preset time period, and to store the deduplicated and compressed network data.
9. The DNS key message processing system according to claim 8, characterized in that the DNS decoder module (30) is also used to obtain the questions in the DNS reply data, parse the questions and judge whether the number of questions is zero;
It is also used to obtain the answers in the DNS reply data and parse the corresponding RDATA data according to the query type; to judge whether the number of answers is zero; and to generate the key message data from the parsing result.
10. The DNS key message processing system according to claim 8, characterized in that the query type includes query type A, query type MX and query type NS; the generated key message data include A record data, MX record data and NS record data corresponding to the query type;
The A record data include client IP, domain name, domain name CNAME and domain name IP; the MX record data include domain name, mail server domain name and mail server IP; the NS record data include name server title and name server IP;
The memory queue includes queue one, queue two, queue three and queue four; the A record data are stored into the queue one and the queue two simultaneously; the MX record data are stored into the queue three; the NS record data are stored into the queue four;
The output module (40) is also used to read the A record data in the queue one and, according to whether the domain name or the domain name IP in the A record data matches a designated domain name or a designated domain name IP, to generate a monitoring file from the A record data and send it to the memory file system catalogue;
The output module (40) is also used to read the A record data in the queue two, generate an A record file from the A record data and send it to the memory file system catalogue;
The output module (40) is also used to read the MX record data in the queue three, generate an MX record file from the MX record data and send it to the memory file system catalogue;
The output module (40) is also used to read the NS record data in the queue four, generate an NS record file from the NS record data and send it to the memory file system catalogue.
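The decode-and-queue behaviour of claims 5, 6, 9 and 10, as an added Python sketch that is not code from the patent: it decodes a DNS reply (including name compression), applies the zero-question and zero-answer checks, stores A, MX and NS record data in queues one to four, and runs the designated-domain check on queue one. The names `read_name`, `decode_reply` and `monitor_hits` are hypothetical and `SAMPLE` is a constructed reply; it assumes one question per message, that replies with zero questions or answers are skipped, and that mail server and name server IPs come from A records carried in the same reply.

```python
import socket, struct
A, NS, CNAME, MX = 1, 2, 5, 15  # DNS RR type codes
# Constructed reply: www.example.com A -> CNAME cdn.example.net -> 192.0.2.10
SAMPLE = (b"\x12\x34\x81\x80\x00\x01\x00\x02\x00\x00\x00\x00\x03www\x07example\x03com\x00"
          b"\x00\x01\x00\x01\xc0\x0c\x00\x05\x00\x01\x00\x00\x01\x2c\x00\x11\x03cdn\x07example"
          b"\x03net\x00\xc0\x2d\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x0a")

def read_name(msg, off, hops=0):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while (n := msg[off]):
        if (n & 0xC0) == 0xC0:  # a compression pointer ends the name
            if hops > 16:
                raise ValueError("compression pointer loop")
            tail = read_name(msg, ((n & 0x3F) << 8) | msg[off + 1], hops + 1)[0]
            return ".".join(labels + [tail]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def decode_reply(msg, client_ip, q):
    """Parse one DNS reply; store key records in memory queues q[1]..q[4]."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000 or qd == 0 or an == 0:  # not a reply, or empty
        return False
    qname, off = read_name(msg, 12)  # assumption: one question per message
    qtype, off = struct.unpack("!H", msg[off:off + 2])[0], off + 4
    cname, ips, glue, hosts = "", [], {}, []
    for i in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rd, off = off + 10, off + 10 + rdlen
        if rtype == A and rdlen == 4:
            ip = socket.inet_ntoa(msg[rd:rd + 4])
            glue.setdefault(owner, ip)  # lets MX/NS targets resolve to an IP
            ips += [ip] if i < an else []
        elif i < an and rtype == CNAME:
            cname = read_name(msg, rd)[0]
        elif i < an and rtype == qtype and rtype in (MX, NS):
            hosts.append(read_name(msg, rd + 2 * (rtype == MX))[0])
    recs = {A: [(client_ip, qname, cname, ip) for ip in ips],
            MX: [(qname, h, glue.get(h)) for h in hosts],
            NS: [(h, glue.get(h)) for h in hosts]}.get(qtype, [])
    for n in {A: (1, 2), MX: (3,), NS: (4,)}.get(qtype, ()):
        q[n].extend(recs)  # A records land in both queue one and queue two
    return True

def monitor_hits(queue_one, names, ips):
    """Output-module check on queue one: designated domain name or IP."""
    return [r for r in queue_one if r[1] in names or r[3] in ips]
```

Queue two keeps every A record for the full A record file, while queue one is only filtered, so the monitoring file can be produced without scanning the bulk output.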
CN201410583420.7A 2014-10-27 2014-10-27 A kind of DNS key message processing method and system Active CN105530327B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410583420.7A CN105530327B (en) 2014-10-27 2014-10-27 A kind of DNS key message processing method and system

Publications (2)

Publication Number Publication Date
CN105530327A CN105530327A (en) 2016-04-27
CN105530327B true CN105530327B (en) 2018-12-11

Family

ID=55772300

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410583420.7A Active CN105530327B (en) 2014-10-27 2014-10-27 A kind of DNS key message processing method and system

Country Status (1)

Country Link
CN (1) CN105530327B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111917899B (en) * 2020-07-28 2022-05-17 平安科技(深圳)有限公司 Domain name compression method and related product thereof
CN112019652B (en) * 2020-08-27 2023-01-24 北京亚鸿世纪科技发展有限公司 Method and device for judging IPV6 address field
CN113572854B (en) * 2021-08-10 2023-11-14 北京无线电测量研究所 Data transmission method and system based on Kafka component

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008001021A1 (en) * 2006-06-30 2008-01-03 France Telecom Method and device for managing the configuring of equipment of a network
CN101739424A (en) * 2008-11-13 2010-06-16 中国科学院计算机网络信息中心 Method and system for converting and storing keyword and resource record of keyword
CN102184196A (en) * 2011-04-21 2011-09-14 中国电子信息产业集团有限公司第六研究所 Petition integrated management information system
CN103399908A (en) * 2013-07-30 2013-11-20 北京北纬通信科技股份有限公司 Method and system for fetching business data

Also Published As

Publication number Publication date
CN105530327A (en) 2016-04-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant