CN106453399A - Method and system for domain name resolution service of user-oriented privacy protection - Google Patents

Method and system for domain name resolution service of user-oriented privacy protection Download PDF

Info

Publication number
CN106453399A
CN106453399A CN201611032442.XA CN201611032442A CN106453399A CN 106453399 A CN106453399 A CN 106453399A CN 201611032442 A CN201611032442 A CN 201611032442A CN 106453399 A CN106453399 A CN 106453399A
Authority
CN
China
Prior art keywords
domain name
server
secret protection
user
hidden
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201611032442.XA
Other languages
Chinese (zh)
Other versions
CN106453399B (en
Inventor
李晓东
尉迟学彪
耿光刚
延志伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Internet Network Information Center
Original Assignee
China Internet Network Information Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by China Internet Network Information Center filed Critical China Internet Network Information Center
Priority to CN201611032442.XA priority Critical patent/CN106453399B/en
Publication of CN106453399A publication Critical patent/CN106453399A/en
Application granted granted Critical
Publication of CN106453399B publication Critical patent/CN106453399B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention proposes a method and system for domain name resolution service of user-oriented privacy protection. The method comprises the following steps of acquiring an original domain name to be accessed, which is inputted by a user; combining a domain name of a privacy protection server and the original domain name to form a first hidden domain name; and carrying out an access operation by the privacy protection server. The domain name resolution service proposed by the invention can effectively prevent various privacy disclosure risks of the user; and the existing other DNS (Domain Name Servers) are not modified, and therefore, the domain name resolution service has the advantage of low deployment cost; the domain name resolution service is transparent for the user, whether the domain name resolution service is used or not can be determined according to the own specific situation, and the domain name resolution service does not have any enforceablility, and therefore, the domain name resolution service has the advantage of flexible deployment.

Description

A kind of domain name resolution service method and system of user oriented secret protection
Technical field
The present invention relates to computer realm, more particularly, to a kind of domain name resolution service method of user oriented secret protection and System.
Background technology
Domain name service (DNS) is the infrastructure service of the Internet, for realizing domain name to the positioning of host IP address.For mutual For on-line customer, almost all of network behavior is required for being found by DNS and positions corresponding Internet resources.Therefore, DNS contains the abundant sensitive information being related to user's internet access behavior.However, DNS, at the beginning of design, does not consider wherein Potential privacy leakage problem, leads to the disparate networks privacy currently carried out by DNS to be excavated and more drills with network monitoring behavior Stronger so that DNS privacy leakage risk increasingly highlights, start to become the hot issue of industry extensive concern.
According to existing DNS Protocol, the resolving of the DNS query request that user side is initiated is as shown in Figure 1.First, use The request of this DNS query is sent to recursion server set in advance (step at family end (the specifically DNS resolver of user side) Rapid 1);After recursion server receives this request, first check for whether there is corresponding resource record in local cache, if existing, Directly this record is returned to user's (step 5), otherwise the request of this DNS query can be issued authoritys at different levels by recursion server successively Server (step 2-4), until obtaining the authoritative response with regard to the request of this DNS query.Finally, recursion server should by this authority Answer loading caching, and return to user's (step 5).
By above-mentioned resolving it is found that each DNS query for user is asked, it is required for by recursion service Receiving corresponding response message, in other words, recursion server is able to record that all DNS query solicited messages of user to device; Likewise, asking for each DNS query that user sends, recursion server (not considering caching factor) is required for being forwarded To authoritative servers at different levels to obtain authoritative response accordingly, in other words, authoritative servers at different levels also can obtain accordingly Substantial amounts of DNS query solicited message.Therefore, recursion server and authoritative server at different levels can easily grasp DNS query Solicited message, therefrom realizes pry and the mining analysis of user privacy information.On the other hand, due to the request analysis of current DNS Process is substantially the plaintext transmission based on udp protocol, and this also leads to the whole DNS request resolving can be easily by third party Implement the network monitoring based on communication link.
Content of the invention
The purpose of the present invention is achieved through the following technical solutions.
The present invention proposes a kind of domain name resolution service method of user oriented secret protection, and it comprises the following steps:
Obtain the original domain name that will access of user input;
The domain name of secret protection server and described original domain name are combined into the first hidden domain name;
Conducted interviews operation by described secret protection server.
Wherein, the described domain name by secret protection server and described original domain name be combined into the first hidden domain name it Before, also include:First domain name is set for secret protection server, described first domain name is the domain of described secret protection server Name.
Wherein, the described domain name by secret protection server and described original domain name are combined into the first hidden domain name and specifically wrap Include:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix.
Wherein, described being conducted interviews by described secret protection server operates inclusion:
Described first hidden domain name is transmitted to by described secret protection server by recursion server;
After described secret protection server parses the described first hidden domain name, obtain the original domain name that user's request accesses;
Access described original domain name place authoritative server.
Wherein, described by described secret protection server conduct interviews operation also include:
Described secret protection server obtains the access result of described authoritative server, and dark text form is returned accessing result Back to described recursion server;
Described recursion server returns to the user of request by accessing result;
By the first encryption key, described access result is decrypted, obtains final analysis result.
The invention allows for a kind of domain name resolution service system of user oriented secret protection, it includes:
User access device, it is used for input for the original domain name that will access;
Recursion server, for the information of transmission between described user access device and secret protection server;
Secret protection server, it is used for transmitting information between described recursion server and authoritative server;
Authoritative server, it is used for storing the data that described user access device will access.
Wherein, described user access device is additionally operable to:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix;
Described first hidden domain name is passed to described recursion server.
Wherein, described secret protection server is additionally operable to:Parse the described first hidden domain name, obtain what user's request accessed Original domain name.
It is an advantage of the current invention that:
Domain name resolution service proposed by the invention can effectively prevent the various privacy leakage risks that user is faced;
Domain name resolution service proposed by the invention, compared with existing domain name resolution service, increase only secret protection clothes Other existing dns servers are not made an amendment, therefore have the advantages that lower deployment cost is low by business device assembly;
Domain name resolution service proposed by the invention is transparent for a user, and can be according to the concrete feelings of itself Condition decides whether to use, and does not have any mandatory, therefore has the advantages that flexible deployment.
Brief description
By reading the detailed description of hereafter preferred implementation, various other advantages and benefit are common for this area Technical staff will be clear from understanding.Accompanying drawing is only used for illustrating the purpose of preferred implementation, and is not considered as to the present invention Restriction.And in whole accompanying drawing, it is denoted by the same reference numerals identical part.In the accompanying drawings:
Accompanying drawing 1 shows DNS query request analysis procedure chart in prior art;
Accompanying drawing 2 shows the stream of the domain name resolution service method of the user oriented secret protection according to embodiment of the present invention Cheng Tu;
Accompanying drawing 3 shows the mistake of the domain name resolution service method of the user oriented secret protection according to embodiment of the present invention Cheng Tu;
Accompanying drawing 4 shows the domain name resolution service system frame of the user oriented secret protection according to embodiment of the present invention Figure.
Specific embodiment
It is more fully described the illustrative embodiments of the disclosure below with reference to accompanying drawings.Although showing this public affairs in accompanying drawing The illustrative embodiments opened are it being understood, however, that may be realized in various forms the disclosure and the reality that should not illustrated here The mode of applying is limited.On the contrary, these embodiments are provided to be able to be best understood from the disclosure, and can be by this public affairs What the scope opened was complete conveys to those skilled in the art.
As shown in Fig. 2 according to the embodiment of the present invention, a kind of domain name resolution service of user oriented secret protection is proposed Method, it comprises the following steps:
Obtain the original domain name that will access of user input;
The domain name of secret protection server and described original domain name are combined into the first hidden domain name;
Conducted interviews operation by described secret protection server.
Wherein, the described domain name by secret protection server and described original domain name be combined into the first hidden domain name it Before, also include:First domain name is set for secret protection server, described first domain name is the domain of described secret protection server Name.
Wherein, the described domain name by secret protection server and described original domain name are combined into the first hidden domain name and specifically wrap Include:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix.
Wherein, described being conducted interviews by described secret protection server operates inclusion:
Described first hidden domain name is transmitted to by described secret protection server by recursion server;
After described secret protection server parses the described first hidden domain name, obtain the original domain name that user's request accesses;
Access described original domain name place authoritative server.
Wherein, described by described secret protection server conduct interviews operation also include:
Described secret protection server obtains the access result of described authoritative server, and dark text form is returned accessing result Back to described recursion server;
Described recursion server returns to the user of request by accessing result;
By the first encryption key, described access result is decrypted, obtains final analysis result.
As shown in figure 3, user is before issuing recursion server by inquiry of the domain name request, first by certain secret protection Original domain name (such as " www.example.cn ") is converted into dark text (it is assumed that being changed into after encryption by the key that server is provided " e5sdn49imw "), and using the domain name (such as " privacy.cn ") of this secret protection server as suffix, thus being combined into One hidden domain name (i.e. " e5sdn49imw.privacy.cn ") (step is 1.);Recursion server receives to this hidden domain name After inquiry request, secret protection server (step is 2.) will be forwarded it to by existing dns resolution flow process;Secret protection services Device is deciphered original domain name therein and is carried out traditional domain name resolution process to it, but is returned analysis result with dark text form again Back to recursion server (step 3. -5.), recursion server the most at last this result return to user.
According to existing domain name service framework it is found that recursion server connects user and authoritative server due to being in Hub site, have the reception power to DNS data and transmission route, therefore recursion server is for the nothing of DNS data simultaneously Hiding transmitting-receiving is the immediate cause leading to privacy of user disclosure risk.Therefore, domain name resolution service proposed by the invention increases Secret protection server this significant components.User by inquiry of the domain name request issue recursion server before, first by Original domain name is converted into dark text, and the domain name with this secret protection server by the key that certain secret protection server is provided As suffix, thus being combined into a hidden domain name;After recursion server receives the inquiry request to this hidden domain name for the user, will Secret protection server is forwarded it to by existing dns resolution flow process;Secret protection server deciphers original domain name therein And traditional domain name resolution process is carried out to it, but again analysis result is returned to by recursion server, recurrence with dark text form Server the most at last this result return to user;End user is decrypted to this result by key, obtains final parsing Result.
As can be seen that the arbitrary communication link server in above-mentioned whole domain name resolution process, it is right all to will be unable to realize Obtain while IP address and looked into original domain name, such that it is able to effectively avoid previously mentioned every kind of DNS privacy to let out Divulge a secret danger, and existing dns server is not changed, this domain name resolution service that therefore present invention intends proposing has pole High effectiveness and availability.
As shown in figure 4, the invention allows for a kind of domain name resolution service system of user oriented secret protection, its bag Include:
User access device, it is used for input for the original domain name that will access;
Recursion server, for the information of transmission between described user access device and secret protection server;
Secret protection server, it is used for transmitting information between described recursion server and authoritative server;
Authoritative server, it is used for storing the data that described user access device will access.
Wherein, described user access device is additionally operable to:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix;
Described first hidden domain name is passed to described recursion server.
Wherein, described secret protection server is additionally operable to:Parse the described first hidden domain name, obtain what user's request accessed Original domain name.
The above, the only present invention preferably specific embodiment, but protection scope of the present invention is not limited thereto, Any those familiar with the art the invention discloses technical scope in, the change or replacement that can readily occur in, All should be included within the scope of the present invention.Therefore, protection scope of the present invention should be with the protection model of described claim Enclose and be defined.

Claims (8)

1. a kind of domain name resolution service method of user oriented secret protection, it comprises the following steps:
Obtain the original domain name that will access of user input;
The domain name of secret protection server and described original domain name are combined into the first hidden domain name;
Conducted interviews operation by described secret protection server.
2. the method for claim 1, wherein in the described domain name by secret protection server and described original domain name group Before synthesizing the first hidden domain name, also include:First domain name is set for secret protection server, described first domain name is described hidden The domain name of private protection server.
3. method as claimed in claim 2, the wherein said domain name by secret protection server is combined with described original domain name The first hidden domain name is become to specifically include:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix.
4. the method for claim 1, wherein said being conducted interviews by described secret protection server operates inclusion:
Described first hidden domain name is transmitted to by described secret protection server by recursion server;
After described secret protection server parses the described first hidden domain name, obtain the original domain name that user's request accesses;
Access described original domain name place authoritative server.
5. method as claimed in claim 4, wherein said by described secret protection server conduct interviews operation also include:
Described secret protection server obtains the access result of described authoritative server, and dark text form returns to accessing result Described recursion server;
Described recursion server returns to the user of request by accessing result;
By the first encryption key, described access result is decrypted, obtains final analysis result.
6. a kind of domain name resolution service system of user oriented secret protection, it includes:
User access device, it is used for input for the original domain name that will access;
Recursion server, for the information of transmission between described user access device and secret protection server;
Secret protection server, it is used for transmitting information between described recursion server and authoritative server;
Authoritative server, it is used for storing the data that described user access device will access.
7. system as claimed in claim 6, wherein said user access device is additionally operable to:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix;
Described first hidden domain name is passed to described recursion server.
8. system as claimed in claim 7, wherein said secret protection server is additionally operable to:Parse the described first hidden domain Name, obtains the original domain name that user's request accesses.
CN201611032442.XA 2016-11-16 2016-11-16 A kind of domain name resolution service method and system of user oriented secret protection Active CN106453399B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201611032442.XA CN106453399B (en) 2016-11-16 2016-11-16 A kind of domain name resolution service method and system of user oriented secret protection

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611032442.XA CN106453399B (en) 2016-11-16 2016-11-16 A kind of domain name resolution service method and system of user oriented secret protection

Publications (2)

Publication Number Publication Date
CN106453399A true CN106453399A (en) 2017-02-22
CN106453399B CN106453399B (en) 2019-06-14

Family

ID=58220912

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611032442.XA Active CN106453399B (en) 2016-11-16 2016-11-16 A kind of domain name resolution service method and system of user oriented secret protection

Country Status (1)

Country Link
CN (1) CN106453399B (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105338128A (en) * 2015-09-25 2016-02-17 互联网域名系统北京市工程研究中心有限公司 Domain name resolution method and device
CN113014561A (en) * 2021-02-18 2021-06-22 支付宝(杭州)信息技术有限公司 Privacy protection method and device for DNS request message
CN114157713A (en) * 2021-10-09 2022-03-08 北京邮电大学 Method and system for capturing hidden service flow

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120017078A1 (en) * 2010-07-13 2012-01-19 Computer Associates Think, Inc. Perimeter encryption method and system
CN102780711A (en) * 2011-05-09 2012-11-14 腾讯科技(深圳)有限公司 Method, device and system for accessing application data of SNS (Social Network Site)
CN103391272A (en) * 2012-05-08 2013-11-13 深圳市腾讯计算机系统有限公司 Method and system for detecting false attack sources
CN105491110A (en) * 2015-11-23 2016-04-13 北京天地互连信息技术有限公司 Root server extension method and network based on hypertext transfer protocol (HTTP) or hypertext transfer protocol over secure socket layer (HTTPS)
CN105991604A (en) * 2015-02-27 2016-10-05 中兴通讯股份有限公司 Method and device for preventing form domain name hijacking

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120017078A1 (en) * 2010-07-13 2012-01-19 Computer Associates Think, Inc. Perimeter encryption method and system
CN102780711A (en) * 2011-05-09 2012-11-14 腾讯科技(深圳)有限公司 Method, device and system for accessing application data of SNS (Social Network Site)
CN103391272A (en) * 2012-05-08 2013-11-13 深圳市腾讯计算机系统有限公司 Method and system for detecting false attack sources
CN105991604A (en) * 2015-02-27 2016-10-05 中兴通讯股份有限公司 Method and device for preventing form domain name hijacking
CN105491110A (en) * 2015-11-23 2016-04-13 北京天地互连信息技术有限公司 Root server extension method and network based on hypertext transfer protocol (HTTP) or hypertext transfer protocol over secure socket layer (HTTPS)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105338128A (en) * 2015-09-25 2016-02-17 互联网域名系统北京市工程研究中心有限公司 Domain name resolution method and device
CN105338128B (en) * 2015-09-25 2018-09-25 互联网域名系统北京市工程研究中心有限公司 Domain name analytic method and domain name mapping device
CN113014561A (en) * 2021-02-18 2021-06-22 支付宝(杭州)信息技术有限公司 Privacy protection method and device for DNS request message
CN113014561B (en) * 2021-02-18 2022-09-06 支付宝(杭州)信息技术有限公司 Privacy protection method and device for DNS request message
CN114157713A (en) * 2021-10-09 2022-03-08 北京邮电大学 Method and system for capturing hidden service flow

Also Published As

Publication number Publication date
CN106453399B (en) 2019-06-14

Similar Documents

Publication Publication Date Title
US9894041B2 (en) Secure domain name resolution in computer networks
US9794215B2 (en) Private tunnel network
CN114884822B (en) Virtual network authentication service
JP5587732B2 (en) Computer-implemented method, computer program, and system for managing access to a domain name service (DNS) database
US6557037B1 (en) System and method for easing communications between devices connected respectively to public networks such as the internet and to private networks by facilitating resolution of human-readable addresses
EP2245837B1 (en) Dynamic DNS system for private networks
TW201012155A (en) Secure resource name resolution using a cache
US10341286B2 (en) Methods and systems for updating domain name service (DNS) resource records
US10848479B2 (en) Enabling encrypted communications between a user and a third party hosting service via a proxy server
CN110401641B (en) User authentication method and device and electronic equipment
US20130124685A1 (en) Distributing overlay network ingress information
US20120278854A1 (en) System and method for device addressing
CN109862130B (en) Method, device, equipment and computer medium for accessing IPv4 external link
CN107528865A (en) The method for down loading and system of file
CN105981009A (en) Caching of encrypted content
DeKok The network access identifier
CN104348838B (en) A kind of document file management system and method
CN1820264B (en) System and method for name resolution
CN106453399A (en) Method and system for domain name resolution service of user-oriented privacy protection
US10965651B2 (en) Secure domain name system to support a private communication service
US10057300B2 (en) Selective access control to mobile IP network
CN108418906A (en) A kind of domain name analytic method and system
US9906503B1 (en) Notifying a registrant if communications between a user and a third party hosting service are not secure
CN108183896A (en) Page acquisition methods, device and the electronic equipment of browser
CN110266715B (en) Remote access method, device, equipment and computer readable storage medium

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant