CN105681358A - Domain name hijacking detection method, device and system - Google Patents

Domain name hijacking detection method, device and system


Publication number
CN105681358A
Authority
CN
China
Prior art keywords
domain name
analysis result
trusted
domain
workspace server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610201605.6A
Other languages
Chinese (zh)
Inventor
刘士超
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201610201605.6A
Publication of CN105681358A


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The invention discloses a domain name hijacking detection method, device and system. The method comprises the following steps: obtaining a domain name set to be detected; for each domain name in the domain name set, sending the domain name to a plurality of work servers distributed in different regions for domain name resolution, and receiving the domain name resolution result returned by each work server; obtaining a trusted resolution result of the domain name; if the trusted resolution result of the domain name is obtained, comparing the domain name resolution result returned by each work server with the trusted resolution result; and judging, according to the comparison result, whether domain name hijacking exists in the region where each work server is located. The technical scheme gives an effective view of the domain name resolution status in multiple regions, correctly judges whether domain name hijacking exists in a given region, and plays a positive role in protecting the rights and interests of both Internet users and website operators.

Description

Method, device and system for detecting domain name hijacking
Technical field
The present invention relates to the field of information security, and in particular to a method, device and system for detecting domain name hijacking.
Background
Domain name hijacking means intercepting domain name resolution requests within the hijacked network range and analysing the requested domain name: requests outside the scope of examination are let through, while for the others a false or forged IP address is returned directly, or nothing is done so that the request gets no response. The effect is that a specific web address cannot be accessed, or that what is accessed is a false or forged address.
On the one hand, domain name hijacking may degrade the user's online experience: the user is led to a counterfeit website and cannot browse the web page normally, and when the domain name of a website with a large user base is hijacked the harmful effect keeps growing. On the other hand, the user may be lured into logging in or performing similar operations on the counterfeit website, leaking private data.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a method, device and system for detecting domain name hijacking that overcome the above problems or at least partially solve them.
According to one aspect of the present invention, a method for detecting domain name hijacking is provided, including:
Obtaining a domain name set to be detected;
For each domain name in the domain name set, sending the domain name to multiple workspace servers distributed in different regions for domain name resolution, and receiving the resolution result of the domain name returned by each workspace server;
Obtaining a trusted resolution result of the domain name;
If the trusted resolution result of the domain name is obtained, comparing the resolution result of the domain name returned by each workspace server with the trusted resolution result;
Judging, according to the result of the comparison, whether domain name hijacking exists in the region where each workspace server is located.
Optionally, judging according to the result of the comparison whether domain name hijacking exists in the region where each workspace server is located further includes:
If the resolution result returned by a workspace server is inconsistent with the trusted resolution result, determining that domain name hijacking exists in the region where that workspace server is located.
Optionally, judging according to the result of the comparison whether domain name hijacking exists in the region where each workspace server is located further includes:
If the resolution result returned by a workspace server is consistent with the trusted resolution result, determining that no domain name hijacking exists in the region where that workspace server is located.
Optionally, obtaining the trusted resolution result of the domain name includes:
Querying a local trusted domain name resolution list for the resolution result corresponding to the domain name;
Or,
Using a trusted server to initiate a resolution request for the domain name and obtaining the resolution result of the domain name.
Optionally, obtaining the domain name set to be detected includes:
Obtaining an initial domain name set;
Removing CNAME records from the initial domain name set and keeping A records, to obtain the domain name set to be detected.
Optionally, the method further includes:
Sending the resolution result returned by the workspace server corresponding to a region judged to have domain name hijacking to the carrier server of that region.
Optionally, the method further includes:
Comparing the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system;
If the number of workspace servers returning an identical resolution result is greater than or equal to a preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, correcting the prediction scheme system according to the identical resolution result.
Optionally, correcting the prediction scheme system according to the identical resolution result further includes:
Adding the identical resolution result to the prediction scheme system; or,
Replacing the corresponding IP address information in the prediction scheme system with the identical resolution result.
Optionally, if the trusted resolution result of the domain name is not obtained, the method further includes:
Comparing the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system;
If the number of workspace servers returning an identical resolution result is greater than or equal to a preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, correcting the prediction scheme system according to the identical resolution result; the correction includes: adding the identical resolution result to the prediction scheme system, or replacing the corresponding IP address information in the prediction scheme system with the identical resolution result.
Optionally, if the trusted resolution result of the domain name is not obtained, the method further includes:
Comparing the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system;
If the number of workspace servers returning an identical resolution result is less than the preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, determining that domain name hijacking exists in the region where the workspace servers returning the inconsistent resolution result are located.
According to another aspect of the present invention, a device for detecting domain name hijacking is provided, including:
A domain name acquisition unit, adapted to obtain a domain name set to be detected;
A transmit-receive unit, adapted to, for each domain name in the domain name set, send the domain name to multiple workspace servers distributed in different regions for domain name resolution, and receive the resolution result of the domain name returned by each workspace server;
A trusted result acquiring unit, adapted to obtain a trusted resolution result of the domain name;
A comparing unit, adapted to, when the trusted result acquiring unit obtains the trusted resolution result of the domain name, compare the resolution result of the domain name returned by each workspace server with the trusted resolution result, and judge according to the result of the comparison whether domain name hijacking exists in the region where each workspace server is located.
Optionally, the comparing unit is further adapted to determine, when the resolution result returned by a workspace server is inconsistent with the trusted resolution result, that domain name hijacking exists in the region where that workspace server is located.
Optionally, the comparing unit is further adapted to determine, when the resolution result returned by a workspace server is consistent with the trusted resolution result, that no domain name hijacking exists in the region where that workspace server is located.
Optionally, the trusted result acquiring unit is further adapted to query a local trusted domain name resolution list for the resolution result corresponding to the domain name; or to use a trusted server to initiate a resolution request for the domain name and obtain the resolution result of the domain name.
Optionally, the domain name acquisition unit is further adapted to obtain an initial domain name set, remove CNAME records from the initial domain name set and keep A records, to obtain the domain name set to be detected.
Optionally, the transmit-receive unit is further adapted to send the resolution result returned by the workspace server corresponding to a region judged to have domain name hijacking to the carrier server of that region.
Optionally, the device further includes:
A prediction scheme correction unit, adapted to compare the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system; if the number of workspace servers returning an identical resolution result is greater than or equal to a preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, the prediction scheme system is corrected according to the identical resolution result.
Optionally, the prediction scheme correction unit is further adapted to add the identical resolution result to the prediction scheme system, or to replace the corresponding IP address information in the prediction scheme system with the identical resolution result.
Optionally, the prediction scheme correction unit is further adapted to, when the trusted result acquiring unit does not obtain the trusted resolution result of the domain name, compare the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system; when the number of workspace servers returning an identical resolution result is greater than or equal to a preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, the prediction scheme system is corrected according to the identical resolution result;
The correction includes: adding the identical resolution result to the prediction scheme system, or replacing the corresponding IP address information in the prediction scheme system with the identical resolution result.
Optionally, the prediction scheme correction unit is further adapted to, when the trusted result acquiring unit does not obtain the trusted resolution result of the domain name, compare the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system; when the number of workspace servers returning an identical resolution result is less than the preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, it is determined that domain name hijacking exists in the region where the workspace servers returning the inconsistent resolution result are located.
According to another aspect of the present invention, a system for detecting domain name hijacking is provided, including: the device as described in any one of the above, and multiple workspace servers distributed in different regions.
Optionally, the multiple workspace servers are distributed in different regions, and each region has multiple workspace servers belonging to different carrier networks.
As can be seen from the above, in the technical solution of the present invention, each domain name in the obtained domain name set to be detected is sent to multiple workspace servers distributed in different regions for domain name resolution, and the resolution result of the domain name returned by each workspace server is compared with the obtained trusted resolution result of the domain name to judge whether domain name hijacking exists in the region where each workspace server is located. This technical solution gives an effective view of domain name resolution in multiple regions and correctly judges whether domain name hijacking exists in a given region, which has a positive effect on maintaining network security and protecting the rights and interests of both Internet users and website operators.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and practised according to the content of the description, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art on reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered as limiting the invention. Throughout the drawings, identical parts are denoted by the same reference symbols. In the drawings:
Fig. 1 shows a schematic flow chart of a method for detecting domain name hijacking according to an embodiment of the present invention;
Fig. 2 shows a schematic structural diagram of a device for detecting domain name hijacking according to an embodiment of the present invention; and
Fig. 3 shows a schematic structural diagram of a system for detecting domain name hijacking according to an embodiment of the present invention.
Detailed description of the invention
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure will be understood more thoroughly and its scope fully conveyed to those skilled in the art.
Fig. 1 shows a flow chart of a method for detecting domain name hijacking according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step S110: obtain a domain name set to be detected.
Step S120: for each domain name in the domain name set, send the domain name to multiple workspace servers distributed in different regions for domain name resolution, and receive the resolution result of the domain name returned by each workspace server.
Domain name resolution is a service that points a domain name to the IP of a web space, so that people can conveniently reach a website through its registered domain name. Because an IP address is a numeric address identifying a site on the network and is hard for users to remember, a domain name is used in place of the IP address to identify the site address. What the user actually accesses is still the website's IP address, so domain name resolution is needed to convert the domain name entered by the user into an IP address. Resolution is carried out by DNS (Domain Name System) servers.
In general, there are reliable domain name servers on the Internet, such as the commonly used 114DNS server (address 114.114.115.115) and Google's DNS server (address 8.8.8.8). In addition, because users connect to the Internet through a carrier's network, each carrier also provides its own DNS servers; since these are deployed in different places, their addresses may differ. For example, for Shenzhen, Guangdong Province (China Telecom) the preferred DNS server address is 202.96.128.86 and the backup DNS server address is 202.96.128.166, while for Guangzhou, Guangdong (China Telecom) the preferred DNS server address is 61.144.56.100 and the alternate DNS server address is 61.144.56.101. The DNS server addresses of different carriers in the same region may also differ: for example, for Guangzhou, Guangdong (China Railway Telecom) the preferred DNS server address is 61.235.70.98 and the backup DNS server address is 211.98.4.1.
Therefore, the multiple workspace servers deployed in each region can each send the domain name to the DNS servers of the local carriers for resolution and obtain the resolution result of the domain name. For example, workspace server A is responsible for accessing the network provided by Liaoning Mobile and resolves the domain name using the DNS server address provided by Liaoning Mobile; workspace server B is responsible for accessing the network provided by Liaoning Unicom and resolves the domain name using the DNS server address provided by Liaoning Unicom; and so on.
Step S130: obtain the trusted resolution result of the domain name.
Step S140: if the trusted resolution result of the domain name is obtained, compare the resolution result of the domain name returned by each workspace server with the trusted resolution result.
Step S150: judge, according to the result of the comparison, whether domain name hijacking exists in the region where each workspace server is located.
As can be seen, in the method shown in Fig. 1, each domain name in the obtained domain name set to be detected is sent to multiple workspace servers distributed in different regions for domain name resolution, and the resolution result of the domain name returned by each workspace server is compared with the obtained trusted resolution result of the domain name to judge whether domain name hijacking exists in the region where each workspace server is located. This technical solution gives an effective view of domain name resolution in multiple regions and correctly judges whether domain name hijacking exists in a given region, which has a positive effect on maintaining network security and protecting the rights and interests of both Internet users and website operators.
In one embodiment of the present invention, in the method shown in Fig. 1, judging according to the result of the comparison whether domain name hijacking exists in the region where each workspace server is located further includes: if the resolution result returned by a workspace server is inconsistent with the trusted resolution result, determining that domain name hijacking exists in the region where that workspace server is located.
For example, if the trusted resolution result is 1.2.3.4 (example only) but the resolution result returned by a workspace server is 4.3.2.1 (example only), it is determined that domain name hijacking exists in the region where that workspace server is located; more specifically, it is determined that domain name hijacking exists in the network of the carrier that this workspace server accesses (such as Shanghai Telecom, example only).
In one embodiment of the present invention, in the above method, judging according to the result of the comparison whether domain name hijacking exists in the region where each workspace server is located further includes: if the resolution result returned by a workspace server is consistent with the trusted resolution result, determining that no domain name hijacking exists in the region of that workspace server.
For example, if the trusted resolution result is 1.2.3.4 (example only) and the resolution result returned by a workspace server is also 1.2.3.4, it is determined that no domain name hijacking exists in the region of that workspace server; more specifically, it is determined that no domain name hijacking exists in the network of the carrier that this workspace server accesses (such as Heilongjiang Unicom, example only).
In one embodiment of the present invention, in the above method, obtaining the trusted resolution result of the domain name includes: querying a local trusted domain name resolution list for the resolution result corresponding to the domain name; or using a trusted server to initiate a resolution request for the domain name and obtaining the resolution result of the domain name.
As described above, because an IP address is a numeric address identifying a site on the network and is hard for users to remember, a domain name is used in place of the IP address to identify the site address, so IP addresses and domain names are essentially in correspondence. A trusted domain name resolution list can therefore be maintained and queried for the resolution result corresponding to a domain name. Alternatively, the domain name can be sent to a trusted DNS server such as DNSPod for resolution to obtain the trusted resolution result of the domain name.
In one embodiment of the present invention, in the above method, obtaining the domain name set to be detected includes: obtaining an initial domain name set; removing CNAME records from the initial domain name set and keeping A records, to obtain the domain name set to be detected.
An A record resolves a domain name to an IP address (A stands for Address, specifically a numeric IP address), whereas a CNAME record resolves a domain name to another domain name. In other words, a CNAME points several host names to an alias, which in effect is the same as pointing to an IP address, because the alias itself must have an A record. The domain name that is resolved to therefore has to be resolved once more, and it may itself be in the initial domain name set. If the domain name that a CNAME record resolves to is also in the initial domain name set, resolving the CNAME record merely wastes resources. In this embodiment, CNAME records are therefore removed from the initial domain name set and A records are kept.
In one embodiment of the present invention, the above method further includes: sending the resolution result returned by the workspace server corresponding to a region judged to have domain name hijacking to the carrier server of that region.
For example, if domain name hijacking is found by a workspace server that accesses a carrier's network (such as Henan Mobile, example only), the resolution result is reported to the carrier's server so that the carrier can discover and handle the domain name hijacking in time.
In one embodiment of the present invention, the above method further includes: comparing the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system; if the number of workspace servers returning an identical resolution result is greater than or equal to a preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, correcting the prediction scheme system according to the identical resolution result.
The prediction scheme system ensures that traffic is scheduled accurately when a machine room or machine fails, so it needs to record the correspondence between domain names and IP address information. Sometimes, however, a website changes, adds or deletes correspondences between domain names and IP address information and the prediction scheme system is not updated in time; the resolution result returned by a server is then inconsistent with the IP address information recorded for that domain name in the prediction scheme system. For example, the website IP address corresponding to the domain name abc.com (example only) is 1.2.3.4 (example only), but as the website grows it also uses the IP address 4.3.2.1 (example only), so the IP address information that abc.com can actually resolve to should be 1.2.3.4 and 4.3.2.1. Of course, because different regions use networks provided by different carriers, the speed of access to each IP address may differ, so the resolution results obtained from different DNS servers may differ. But if the prediction scheme system has not updated the IP address information recorded for abc.com in time, the resolution result 4.3.2.1 will be inconsistent with the IP address information 1.2.3.4 recorded in the prediction scheme system. If the resolution results returned by multiple workspace servers (for example 5 servers) all contain 4.3.2.1, this probably indicates not that domain name hijacking has occurred but that the prediction scheme system has not been updated in time.
A threshold can therefore be preset: when the number of workspace servers returning an identical resolution result is greater than or equal to the preset value, and that resolution result is inconsistent with the IP address information recorded in the prediction scheme system, the prediction scheme system is corrected. In the case above, the resolution result 4.3.2.1 can be added to the IP address information recorded for abc.com in the prediction scheme system.
In another embodiment of the present invention, in the above method, correcting the prediction scheme system according to the identical resolution result further includes: adding the identical resolution result to the prediction scheme system; or replacing the corresponding IP address information in the prediction scheme system with the identical resolution result. For example, if the IP address information in the prediction scheme system has been retired and none of the resolution results returned by the workspace servers contains the IP address information recorded in the prediction scheme system, the corresponding IP address information in the prediction scheme system can be replaced with the identical resolution result.
In one embodiment of the present invention, in the above method, if the trusted resolution result of the domain name is not obtained, the method further includes: comparing the resolution result of the domain name returned by each server with the IP address information recorded for the domain name in the prediction scheme system; if the number of workspace servers returning an identical resolution result is greater than or equal to a preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, correcting the prediction scheme system according to the identical resolution result; the correction includes: adding the identical resolution result to the prediction scheme system, or replacing the corresponding IP address information in the prediction scheme system with the identical resolution result.
This embodiment considers the extreme case in which the trusted resolution result of the domain name is not obtained (for example, the resolution request has to be initiated through a trusted server, but the network is abnormal); the prediction scheme system can then be used to judge whether domain name hijacking exists. As in the previous embodiment, a threshold can be preset: if the identical resolution result returned by a number of workspace servers that reaches or exceeds the threshold is not in the IP address information recorded in the prediction scheme system, that resolution result can be added to the prediction scheme system; if none of the resolution results returned by the workspace servers contains the IP address information recorded in the prediction scheme system, the corresponding IP address information in the prediction scheme system can be replaced with the identical resolution result. Likewise, if the number of workspace servers returning an identical resolution result is less than the preset value, and the identical resolution result is inconsistent with the IP address information recorded in the prediction scheme system, it is determined that domain name hijacking exists in the region where the workspace servers returning the inconsistent resolution result are located.
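The decision logic of steps S110 to S150 together with the prediction scheme fallback, as an added Python example that is not code from the patent. The `Probe` fields, the function names and the reading of "consistent" as "non-empty subset of the reference IPs" are assumptions; the sample data is constructed from the page's own example values.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    """One workspace server's resolution result (field names are assumptions)."""
    region: str          # region where the workspace server is deployed
    carrier: str         # carrier network whose DNS server it queried
    answers: frozenset   # A-record IPs returned for the domain name


def domains_to_detect(initial_records):
    """Step S110: drop CNAME records from the initial set, keep A records."""
    return sorted({name for name, rtype in initial_records if rtype == "A"})


def consistent(answers, reference):
    """Assumption: 'consistent' means a non-empty subset of the reference IPs."""
    return bool(answers) and answers <= reference


def evaluate(probes, trusted: Optional[frozenset], plan, threshold):
    """Return (hijacked, corrections) for one domain name.

    hijacked    -- set of (region, carrier) judged to have hijacking
    corrections -- list of ("add" | "replace", sorted IPs) proposed for the
                   prediction scheme system record `plan`
    """
    hijacked = set()
    if trusted is not None:
        # Steps S140/S150: compare each result with the trusted result.
        for p in probes:
            if not consistent(p.answers, trusted):
                hijacked.add((p.region, p.carrier))

    # Group workspace servers by the identical result they returned.
    groups = defaultdict(list)
    for p in probes:
        groups[p.answers].append(p)
    seen_ips = set().union(*(p.answers for p in probes))

    corrections = []
    for answers, group in groups.items():
        if consistent(answers, plan):
            continue
        if answers and len(group) >= threshold:
            # Enough servers agree: the plan record is treated as stale.
            # Replace it when no server returned any recorded IP, otherwise
            # add to it. An empty (no-response) result is never written.
            action = "add" if seen_ips & plan else "replace"
            corrections.append((action, sorted(answers)))
        elif trusted is None:
            # No trusted result: a result below the threshold (or an empty
            # one) that disagrees with the plan marks those regions hijacked.
            hijacked.update((p.region, p.carrier) for p in group)
    return hijacked, corrections


if __name__ == "__main__":
    # Constructed sample data using the page's example values.
    plan = {"1.2.3.4"}
    probes = [Probe("Shanghai", "Telecom", frozenset({"4.3.2.1"})),
              Probe("Heilongjiang", "Unicom", frozenset({"1.2.3.4"}))]
    print(evaluate(probes, frozenset({"1.2.3.4"}), plan, threshold=5))
    # Same probes with the trusted result unavailable: plan fallback is used.
    print(evaluate(probes, None, plan, threshold=5))
```

When a trusted result is available, the trusted comparison and the prediction scheme correction run independently here, so a result returned by at least `threshold` workspace servers can be both flagged and proposed as a correction; returning corrections as proposals rather than applying them leaves room for review.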
Fig. 2 shows a structural schematic diagram of a device for detecting domain hijacking according to an embodiment of the invention. As shown in Fig. 2, the device 200 for detecting domain hijacking includes:
Domain name acquiring unit 210, adapted to obtain the set of domains to be detected.
Transmit-receive unit 220, adapted to, for each domain name in the set of domains, send this domain name to multiple workspace servers distributed in different regions for domain name mapping, and receive the analysis result of this domain name returned by each workspace server.
Trusted result acquiring unit 230, adapted to obtain the trusted analysis result of this domain name.
Comparing unit 240, adapted to, when the trusted result acquiring unit 230 obtains the trusted analysis result of this domain name, compare the analysis result of this domain name returned by each workspace server with the trusted analysis result, and judge according to the comparison result whether domain hijacking exists in the region where each workspace server is located.
It can be seen that, in the device shown in Fig. 2, the units cooperate to send each domain name in the obtained set of domains to be detected to multiple workspace servers distributed in different regions for domain name mapping, compare the analysis result of this domain name returned by each workspace server with the obtained trusted analysis result of the domain name, and judge whether domain hijacking exists in the region where each workspace server is located. This technical scheme can effectively reveal the domain name mapping situation in multiple regions and correctly judge whether domain hijacking exists in a given region, which has a positive effect on maintaining network security and protecting the rights and interests of both Internet users and website operators.
In one embodiment of the invention, in the device shown in Fig. 2, the comparing unit is further adapted to determine, when the analysis result returned by a workspace server is inconsistent with the trusted analysis result, that domain hijacking exists in the region where this workspace server is located.
In one embodiment of the invention, in the above device, the comparing unit is further adapted to determine, when the analysis result returned by a workspace server is consistent with the trusted analysis result, that domain hijacking does not exist in the region of this workspace server.
In one embodiment of the invention, in the above device, the trusted result acquiring unit is further adapted to query the analysis result corresponding to this domain name from a local trusted domain name mapping list; or to use a trusted server to initiate an analysis request for this domain name and obtain the analysis result of this domain name.
In one embodiment of the invention, in the above device, the domain name acquiring unit is further adapted to obtain an initial set of domains, exclude CNAME records from the initial set of domains and retain A records, to obtain the set of domains to be detected.
In one embodiment of the invention, in the above device, the transmit-receive unit is further adapted to send the analysis result returned by the workspace server corresponding to a region judged to have domain hijacking to the carrier server of the respective region.
In one embodiment of the invention, the above device further includes: a prediction scheme correction unit, adapted to compare the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system; and, if the number of workspace servers returning an identical analysis result is greater than or equal to a preset value and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, to correct the prediction scheme system according to the identical analysis result.
In one embodiment of the invention, in the above device, the prediction scheme correction unit is further adapted to add the identical analysis result to the prediction scheme system, or to replace the corresponding IP address information in the prediction scheme system with the identical analysis result.
In one embodiment of the invention, in the above device, the prediction scheme correction unit is further adapted to, when the trusted result acquiring unit does not obtain the trusted analysis result of this domain name, compare the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system; and, when the number of workspace servers returning an identical analysis result is greater than or equal to a preset value and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, to correct the prediction scheme system according to the identical analysis result. The correction includes: adding the identical analysis result to the prediction scheme system, or replacing the corresponding IP address information in the prediction scheme system with the identical analysis result.
In one embodiment of the invention, in the above device, the prediction scheme correction unit is further adapted to, when the trusted result acquiring unit does not obtain the trusted analysis result of this domain name, compare the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system; and, when the number of workspace servers returning an identical analysis result is less than the preset value and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, to determine that domain hijacking exists in the region where the workspace servers returning the inconsistent analysis result are located.
It should be noted that the specific implementation of each of the above device embodiments is the same as that of the corresponding method embodiment described earlier, and is not repeated here.
Fig. 3 shows a structural schematic diagram of a system for detecting domain hijacking according to an embodiment of the invention. As shown in Fig. 3, the system 300 for detecting domain hijacking includes: the device 310 for detecting domain hijacking of any of the above embodiments, and multiple workspace servers 320 distributed in different regions.
In one embodiment of the invention, in the system shown in Fig. 3, the multiple workspace servers are distributed in different regions, and each region has multiple workspace servers belonging to different operator networks.
In summary, the technical scheme of the invention sends each domain name in the obtained set of domains to be detected to multiple workspace servers distributed in different regions for domain name mapping, compares the analysis result of this domain name returned by each workspace server with the obtained trusted analysis result of the domain name, and judges whether domain hijacking exists in the region where each workspace server is located. This technical scheme can effectively reveal the domain name mapping situation in multiple regions and correctly judge whether domain hijacking exists in a given region, which has a positive effect on maintaining network security and protecting the rights and interests of both Internet users and website operators.
It should be understood that the algorithms and displays provided herein are not inherently related to any particular computer, virtual device or other equipment. Various general-purpose devices may also be used with the teachings herein. From the description above, the structure required to construct such devices is apparent. Furthermore, the invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in various programming languages, and that the description above of a specific language is given to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is to be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail, so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, the method of the disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the equipment of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or equipment so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the device and system for detecting domain hijacking according to embodiments of the invention. The invention may also be implemented as an equipment or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals may be downloaded from an internet website, or provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprises" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of multiple such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words may be interpreted as names.
The invention discloses A1, a method for detecting domain hijacking, wherein the method includes:
Obtaining the set of domains to be detected;
For each domain name in the set of domains, sending this domain name to multiple workspace servers distributed in different regions for domain name mapping, and receiving the analysis result of this domain name returned by each workspace server;
Obtaining the trusted analysis result of this domain name;
If the trusted analysis result of this domain name is obtained, comparing the analysis result of this domain name returned by each workspace server with the trusted analysis result;
Judging, according to the comparison result, whether domain hijacking exists in the region where each workspace server is located.
A2, the method as described in A1, wherein judging, according to the comparison result, whether domain hijacking exists in the region where each workspace server is located further includes:
If the analysis result returned by a workspace server is inconsistent with the trusted analysis result, determining that domain hijacking exists in the region where this workspace server is located.
A3, the method as described in A1 or A2, wherein judging, according to the comparison result, whether domain hijacking exists in the region where each workspace server is located further includes:
If the analysis result returned by a workspace server is consistent with the trusted analysis result, determining that domain hijacking does not exist in the region where this workspace server is located.
A4, the method as described in any one of A1-A3, wherein obtaining the trusted analysis result of this domain name includes:
Querying the analysis result corresponding to this domain name from a local trusted domain name mapping list;
Or,
Using a trusted server to initiate an analysis request for this domain name, and obtaining the analysis result of this domain name.
A5, the method as described in any one of A1-A4, wherein obtaining the set of domains to be detected includes:
Obtaining an initial set of domains;
Excluding CNAME records from the initial set of domains and retaining A records, to obtain the set of domains to be detected.
A6, the method as described in any one of A1-A5, wherein the method further includes:
Sending the analysis result returned by the workspace server corresponding to a region judged to have domain hijacking to the carrier server of the respective region.
A7, the method as described in any one of A1-A6, wherein the method further includes:
Comparing the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system;
If the number of workspace servers returning an identical analysis result is greater than or equal to a preset value, and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, correcting the prediction scheme system according to the identical analysis result.
A8, the method as described in any one of A1-A7, wherein correcting the prediction scheme system according to the identical analysis result further includes:
Adding the identical analysis result to the prediction scheme system; or,
Replacing the corresponding IP address information in the prediction scheme system with the identical analysis result.
A9, the method as described in any one of A1-A8, wherein, if the trusted analysis result of this domain name is not obtained, the method further includes:
Comparing the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system;
If the number of workspace servers returning an identical analysis result is greater than or equal to a preset value, and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, correcting the prediction scheme system according to the identical analysis result; the correction includes: adding the identical analysis result to the prediction scheme system, or replacing the corresponding IP address information in the prediction scheme system with the identical analysis result.
A10, the method as described in any one of A1-A9, wherein, if the trusted analysis result of this domain name is not obtained, the method further includes:
Comparing the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system;
If the number of workspace servers returning an identical analysis result is less than the preset value, and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, determining that domain hijacking exists in the region where the workspace servers returning the inconsistent analysis result are located.
The invention also discloses B11, a device for detecting domain hijacking, wherein the device includes:
A domain name acquiring unit, adapted to obtain the set of domains to be detected;
A transmit-receive unit, adapted to, for each domain name in the set of domains, send this domain name to multiple workspace servers distributed in different regions for domain name mapping, and receive the analysis result of this domain name returned by each workspace server;
A trusted result acquiring unit, adapted to obtain the trusted analysis result of this domain name;
A comparing unit, adapted to, when the trusted result acquiring unit obtains the trusted analysis result of this domain name, compare the analysis result of this domain name returned by each workspace server with the trusted analysis result, and judge according to the comparison result whether domain hijacking exists in the region where each workspace server is located.
B12, the device as described in B11, wherein,
The comparing unit is further adapted to determine, when the analysis result returned by a workspace server is inconsistent with the trusted analysis result, that domain hijacking exists in the region where this workspace server is located.
B13, the device as described in B11 or B12, wherein,
The comparing unit is further adapted to determine, when the analysis result returned by a workspace server is consistent with the trusted analysis result, that domain hijacking does not exist in the region where this workspace server is located.
B14, the device as described in any one of B11-B13, wherein,
The trusted result acquiring unit is further adapted to query the analysis result corresponding to this domain name from a local trusted domain name mapping list; or to use a trusted server to initiate an analysis request for this domain name and obtain the analysis result of this domain name.
B15, the device as described in any one of B11-B14, wherein,
The domain name acquiring unit is further adapted to obtain an initial set of domains, exclude CNAME records from the initial set of domains and retain A records, to obtain the set of domains to be detected.
B16, the device as described in any one of B11-B15, wherein,
The transmit-receive unit is further adapted to send the analysis result returned by the workspace server corresponding to a region judged to have domain hijacking to the carrier server of the respective region.
B17, the device as described in any one of B11-B16, wherein the device further includes:
A prediction scheme correction unit, adapted to compare the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system; and, if the number of workspace servers returning an identical analysis result is greater than or equal to a preset value and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, to correct the prediction scheme system according to the identical analysis result.
B18, the device as described in any one of B11-B17, wherein,
The prediction scheme correction unit is further adapted to add the identical analysis result to the prediction scheme system, or to replace the corresponding IP address information in the prediction scheme system with the identical analysis result.
B19, the device as described in any one of B11-B18, wherein,
The prediction scheme correction unit is further adapted to, when the trusted result acquiring unit does not obtain the trusted analysis result of this domain name, compare the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system; and, when the number of workspace servers returning an identical analysis result is greater than or equal to a preset value and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, to correct the prediction scheme system according to the identical analysis result;
The correction includes: adding the identical analysis result to the prediction scheme system, or replacing the corresponding IP address information in the prediction scheme system with the identical analysis result.
B20, the device as described in any one of B11-B19, wherein,
The prediction scheme correction unit is further adapted to, when the trusted result acquiring unit does not obtain the trusted analysis result of this domain name, compare the analysis result of this domain name returned by each server with the IP address information recorded for this domain name in the prediction scheme system; and, when the number of workspace servers returning an identical analysis result is less than the preset value and the identical analysis result is inconsistent with the IP address information recorded in the prediction scheme system, to determine that domain hijacking exists in the region where the workspace servers returning the inconsistent analysis result are located.
The invention also discloses C21, a system for detecting domain hijacking, wherein the system includes: the device as described in any one of B11-B20, and multiple workspace servers distributed in different regions.
C22, the system as described in C20, wherein,
The multiple workspace servers are distributed in different regions, and each region has multiple workspace servers belonging to different operator networks.

Claims (10)

1. A method for detecting domain hijacking, wherein the method includes:
Obtaining the set of domains to be detected;
For each domain name in the set of domains, sending this domain name to multiple workspace servers distributed in different regions for domain name mapping, and receiving the analysis result of this domain name returned by each workspace server;
Obtaining the trusted analysis result of this domain name;
If the trusted analysis result of this domain name is obtained, comparing the analysis result of this domain name returned by each workspace server with the trusted analysis result;
Judging, according to the comparison result, whether domain hijacking exists in the region where each workspace server is located.
2. The method as claimed in claim 1, wherein judging, according to the comparison result, whether domain hijacking exists in the region where each workspace server is located further includes:
If the analysis result returned by a workspace server is inconsistent with the trusted analysis result, determining that domain hijacking exists in the region where this workspace server is located.
3. The method as claimed in claim 1 or 2, wherein judging, according to the comparison result, whether domain hijacking exists in the region where each workspace server is located further includes:
If the analysis result returned by a workspace server is consistent with the trusted analysis result, determining that domain hijacking does not exist in the region where this workspace server is located.
4. The method as claimed in any one of claims 1-3, wherein obtaining the trusted analysis result of this domain name includes:
Querying the analysis result corresponding to this domain name from a local trusted domain name mapping list;
Or,
Using a trusted server to initiate an analysis request for this domain name, and obtaining the analysis result of this domain name.
5. A device for detecting domain hijacking, wherein the device includes:
A domain name acquiring unit, adapted to obtain the set of domains to be detected;
A transmit-receive unit, adapted to, for each domain name in the set of domains, send this domain name to multiple workspace servers distributed in different regions for domain name mapping, and receive the analysis result of this domain name returned by each workspace server;
A trusted result acquiring unit, adapted to obtain the trusted analysis result of this domain name;
A comparing unit, adapted to, when the trusted result acquiring unit obtains the trusted analysis result of this domain name, compare the analysis result of this domain name returned by each workspace server with the trusted analysis result, and judge according to the comparison result whether domain hijacking exists in the region where each workspace server is located.
6. The device as claimed in claim 5, wherein,
The comparing unit is further adapted to determine, when the analysis result returned by a workspace server is inconsistent with the trusted analysis result, that domain hijacking exists in the region where this workspace server is located.
7. The device as claimed in claim 5 or 6, wherein,
The comparing unit is further adapted to determine, when the analysis result returned by a workspace server is consistent with the trusted analysis result, that domain hijacking does not exist in the region where this workspace server is located.
8. The device as claimed in any one of claims 5-7, wherein,
The trusted result acquiring unit is further adapted to query the analysis result corresponding to this domain name from a local trusted domain name mapping list; or to use a trusted server to initiate an analysis request for this domain name and obtain the analysis result of this domain name.
9. A system for detecting domain hijacking, wherein the system includes: the device as claimed in any one of claims 5-8, and multiple workspace servers distributed in different regions.
10. The system as claimed in claim 9, wherein,
The multiple workspace servers are distributed in different regions, and each region has multiple workspace servers belonging to different operator networks.
CN201610201605.6A 2016-03-31 2016-03-31 Domain name hijacking detection method, device and system Pending CN105681358A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610201605.6A CN105681358A (en) 2016-03-31 2016-03-31 Domain name hijacking detection method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610201605.6A CN105681358A (en) 2016-03-31 2016-03-31 Domain name hijacking detection method, device and system

Publications (1)

Publication Number Publication Date
CN105681358A true CN105681358A (en) 2016-06-15

Family

ID=56225768

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610201605.6A Pending CN105681358A (en) 2016-03-31 2016-03-31 Domain name hijacking detection method, device and system

Country Status (1)

Country Link
CN (1) CN105681358A (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107528817B (en) * 2016-06-22 2021-05-18 阿里巴巴(中国)有限公司 Domain name hijacking detection method and device
CN107528817A (en) * 2016-06-22 2017-12-29 广州市动景计算机科技有限公司 Domain name hijacking detection method and device
CN106657050A (en) * 2016-12-15 2017-05-10 迈普通信技术股份有限公司 Domain name resolution anomaly detection method, detection management server and gateway equipment
CN106790077B (en) * 2016-12-21 2020-05-26 北京奇虎科技有限公司 Method and device for detecting DNS full-flow hijacking risk
WO2018113732A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and apparatus for detecting dns full traffic hijack risk
CN106790077A (en) * 2016-12-21 2017-05-31 北京奇虎科技有限公司 Method and device for detecting DNS full-flow hijacking risk
CN106888280A (en) * 2017-03-29 2017-06-23 北京奇虎科技有限公司 DNS update method, apparatus and system
CN107135236A (en) * 2017-07-06 2017-09-05 广州优视网络科技有限公司 Method and system for detecting target domain name hijacking
CN108881146A (en) * 2017-12-28 2018-11-23 北京安天网络安全技术有限公司 Method, device, electronic equipment and storage medium for identifying domain name system hijacking
CN108282495A (en) * 2018-03-14 2018-07-13 北京奇艺世纪科技有限公司 DNS hijacking defense method and device
CN108650211A (en) * 2018-03-14 2018-10-12 北京奇艺世纪科技有限公司 DNS hijacking detection method and device
CN108282495B (en) * 2018-03-14 2021-10-15 北京奇艺世纪科技有限公司 DNS hijacking defense method and device
CN110572390A (en) * 2019-09-06 2019-12-13 深圳平安通信科技有限公司 Method, device, computer equipment and storage medium for detecting domain name hijacking
CN110855636A (en) * 2019-10-25 2020-02-28 武汉绿色网络信息服务有限责任公司 DNS hijacking detection method and device
CN113286016A (en) * 2021-07-20 2021-08-20 中国人民解放军国防科技大学 Method and device for analyzing service range of cache domain name system
CN113905017A (en) * 2021-10-14 2022-01-07 牙木科技股份有限公司 Domain name resolution caching method, DNS (Domain name Server) and computer readable storage medium

Similar Documents

Publication Publication Date Title
CN105681358A (en) Domain name hijacking detection method, device and system
CN107438079B (en) Method for detecting unknown abnormal behaviors of website
US9578040B2 (en) Packet receiving method, deep packet inspection device and system
US9270693B2 (en) Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes
US20090327487A1 (en) Method and system for discovering dns resolvers
CN110830458A (en) Domain name access method, system and equipment
AU2016247760A1 (en) Rule-based network-threat detection
CN104468860B (en) Method and device for identifying domain name resolution server danger
CN103561120A (en) Method and device for detecting suspicious DNS and method and system for processing suspicious DNS
CN111861140A (en) Service processing method, device, storage medium and electronic device
CN110572390A (en) Method, device, computer equipment and storage medium for detecting domain name hijacking
CN105245633A (en) Safe domain name system and fault handling method
CN108924005A (en) Network detecting method, network detection device, medium and equipment
US9282078B2 (en) Managing domain name abuse
CN106302862A (en) Method and system for collecting DNS recursive servers
CN105610993A (en) Method, device and system for domain name resolution
CN109729058B (en) Traffic hijacking analysis method and device
CN106411819A (en) Method and apparatus for recognizing proxy Internet protocol address
CN106790077B (en) Method and device for detecting DNS full-flow hijacking risk
CN106790071B (en) Method and device for detecting DNS full-flow hijacking risk
CN111371914A (en) IP library generation method, domain name resolution method, electronic device and readable storage medium
CN112769967B (en) Domain name resolution processing method and device and electronic equipment
CN105592173A (en) Method and system for preventing DNS (Domain Name System) cache from being polluted and local DNS server
CN110071936B (en) System and method for identifying proxy IP
WO2017007982A1 (en) Passive delegations and records

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20160615