CN106453399A - Method and system for domain name resolution service of user-oriented privacy protection - Google Patents
Method and system for domain name resolution service of user-oriented privacy protection Download PDFInfo
- Publication number
- CN106453399A CN106453399A CN201611032442.XA CN201611032442A CN106453399A CN 106453399 A CN106453399 A CN 106453399A CN 201611032442 A CN201611032442 A CN 201611032442A CN 106453399 A CN106453399 A CN 106453399A
- Authority
- CN
- China
- Prior art keywords
- domain name
- server
- secret protection
- user
- hidden
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention proposes a method and system for domain name resolution service of user-oriented privacy protection. The method comprises the following steps of acquiring an original domain name to be accessed, which is inputted by a user; combining a domain name of a privacy protection server and the original domain name to form a first hidden domain name; and carrying out an access operation by the privacy protection server. The domain name resolution service proposed by the invention can effectively prevent various privacy disclosure risks of the user; and the existing other DNS (Domain Name Servers) are not modified, and therefore, the domain name resolution service has the advantage of low deployment cost; the domain name resolution service is transparent for the user, whether the domain name resolution service is used or not can be determined according to the own specific situation, and the domain name resolution service does not have any enforceablility, and therefore, the domain name resolution service has the advantage of flexible deployment.
Description
Technical field
The present invention relates to computer realm, more particularly, to a kind of domain name resolution service method of user oriented secret protection and
System.
Background technology
Domain name service (DNS) is the infrastructure service of the Internet, for realizing domain name to the positioning of host IP address.For mutual
For on-line customer, almost all of network behavior is required for being found by DNS and positions corresponding Internet resources.Therefore,
DNS contains the abundant sensitive information being related to user's internet access behavior.However, DNS, at the beginning of design, does not consider wherein
Potential privacy leakage problem, leads to the disparate networks privacy currently carried out by DNS to be excavated and more drills with network monitoring behavior
Stronger so that DNS privacy leakage risk increasingly highlights, start to become the hot issue of industry extensive concern.
According to existing DNS Protocol, the resolving of the DNS query request that user side is initiated is as shown in Figure 1.First, use
The request of this DNS query is sent to recursion server set in advance (step at family end (the specifically DNS resolver of user side)
Rapid 1);After recursion server receives this request, first check for whether there is corresponding resource record in local cache, if existing,
Directly this record is returned to user's (step 5), otherwise the request of this DNS query can be issued authoritys at different levels by recursion server successively
Server (step 2-4), until obtaining the authoritative response with regard to the request of this DNS query.Finally, recursion server should by this authority
Answer loading caching, and return to user's (step 5).
By above-mentioned resolving it is found that each DNS query for user is asked, it is required for by recursion service
Receiving corresponding response message, in other words, recursion server is able to record that all DNS query solicited messages of user to device;
Likewise, asking for each DNS query that user sends, recursion server (not considering caching factor) is required for being forwarded
To authoritative servers at different levels to obtain authoritative response accordingly, in other words, authoritative servers at different levels also can obtain accordingly
Substantial amounts of DNS query solicited message.Therefore, recursion server and authoritative server at different levels can easily grasp DNS query
Solicited message, therefrom realizes pry and the mining analysis of user privacy information.On the other hand, due to the request analysis of current DNS
Process is substantially the plaintext transmission based on udp protocol, and this also leads to the whole DNS request resolving can be easily by third party
Implement the network monitoring based on communication link.
Content of the invention
The purpose of the present invention is achieved through the following technical solutions.
The present invention proposes a kind of domain name resolution service method of user oriented secret protection, and it comprises the following steps:
Obtain the original domain name that will access of user input;
The domain name of secret protection server and described original domain name are combined into the first hidden domain name;
Conducted interviews operation by described secret protection server.
Wherein, the described domain name by secret protection server and described original domain name be combined into the first hidden domain name it
Before, also include:First domain name is set for secret protection server, described first domain name is the domain of described secret protection server
Name.
Wherein, the described domain name by secret protection server and described original domain name are combined into the first hidden domain name and specifically wrap
Include:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix.
Wherein, described being conducted interviews by described secret protection server operates inclusion:
Described first hidden domain name is transmitted to by described secret protection server by recursion server;
After described secret protection server parses the described first hidden domain name, obtain the original domain name that user's request accesses;
Access described original domain name place authoritative server.
Wherein, described by described secret protection server conduct interviews operation also include:
Described secret protection server obtains the access result of described authoritative server, and dark text form is returned accessing result
Back to described recursion server;
Described recursion server returns to the user of request by accessing result;
By the first encryption key, described access result is decrypted, obtains final analysis result.
The invention allows for a kind of domain name resolution service system of user oriented secret protection, it includes:
User access device, it is used for input for the original domain name that will access;
Recursion server, for the information of transmission between described user access device and secret protection server;
Secret protection server, it is used for transmitting information between described recursion server and authoritative server;
Authoritative server, it is used for storing the data that described user access device will access.
Wherein, described user access device is additionally operable to:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix;
Described first hidden domain name is passed to described recursion server.
Wherein, described secret protection server is additionally operable to:Parse the described first hidden domain name, obtain what user's request accessed
Original domain name.
It is an advantage of the current invention that:
Domain name resolution service proposed by the invention can effectively prevent the various privacy leakage risks that user is faced;
Domain name resolution service proposed by the invention, compared with existing domain name resolution service, increase only secret protection clothes
Other existing dns servers are not made an amendment, therefore have the advantages that lower deployment cost is low by business device assembly;
Domain name resolution service proposed by the invention is transparent for a user, and can be according to the concrete feelings of itself
Condition decides whether to use, and does not have any mandatory, therefore has the advantages that flexible deployment.
Brief description
By reading the detailed description of hereafter preferred implementation, various other advantages and benefit are common for this area
Technical staff will be clear from understanding.Accompanying drawing is only used for illustrating the purpose of preferred implementation, and is not considered as to the present invention
Restriction.And in whole accompanying drawing, it is denoted by the same reference numerals identical part.In the accompanying drawings:
Accompanying drawing 1 shows DNS query request analysis procedure chart in prior art;
Accompanying drawing 2 shows the stream of the domain name resolution service method of the user oriented secret protection according to embodiment of the present invention
Cheng Tu;
Accompanying drawing 3 shows the mistake of the domain name resolution service method of the user oriented secret protection according to embodiment of the present invention
Cheng Tu;
Accompanying drawing 4 shows the domain name resolution service system frame of the user oriented secret protection according to embodiment of the present invention
Figure.
Specific embodiment
It is more fully described the illustrative embodiments of the disclosure below with reference to accompanying drawings.Although showing this public affairs in accompanying drawing
The illustrative embodiments opened are it being understood, however, that may be realized in various forms the disclosure and the reality that should not illustrated here
The mode of applying is limited.On the contrary, these embodiments are provided to be able to be best understood from the disclosure, and can be by this public affairs
What the scope opened was complete conveys to those skilled in the art.
As shown in Fig. 2 according to the embodiment of the present invention, a kind of domain name resolution service of user oriented secret protection is proposed
Method, it comprises the following steps:
Obtain the original domain name that will access of user input;
The domain name of secret protection server and described original domain name are combined into the first hidden domain name;
Conducted interviews operation by described secret protection server.
Wherein, the described domain name by secret protection server and described original domain name be combined into the first hidden domain name it
Before, also include:First domain name is set for secret protection server, described first domain name is the domain of described secret protection server
Name.
Wherein, the described domain name by secret protection server and described original domain name are combined into the first hidden domain name and specifically wrap
Include:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix.
Wherein, described being conducted interviews by described secret protection server operates inclusion:
Described first hidden domain name is transmitted to by described secret protection server by recursion server;
After described secret protection server parses the described first hidden domain name, obtain the original domain name that user's request accesses;
Access described original domain name place authoritative server.
Wherein, described by described secret protection server conduct interviews operation also include:
Described secret protection server obtains the access result of described authoritative server, and dark text form is returned accessing result
Back to described recursion server;
Described recursion server returns to the user of request by accessing result;
By the first encryption key, described access result is decrypted, obtains final analysis result.
As shown in figure 3, user is before issuing recursion server by inquiry of the domain name request, first by certain secret protection
Original domain name (such as " www.example.cn ") is converted into dark text (it is assumed that being changed into after encryption by the key that server is provided
" e5sdn49imw "), and using the domain name (such as " privacy.cn ") of this secret protection server as suffix, thus being combined into
One hidden domain name (i.e. " e5sdn49imw.privacy.cn ") (step is 1.);Recursion server receives to this hidden domain name
After inquiry request, secret protection server (step is 2.) will be forwarded it to by existing dns resolution flow process;Secret protection services
Device is deciphered original domain name therein and is carried out traditional domain name resolution process to it, but is returned analysis result with dark text form again
Back to recursion server (step 3. -5.), recursion server the most at last this result return to user.
According to existing domain name service framework it is found that recursion server connects user and authoritative server due to being in
Hub site, have the reception power to DNS data and transmission route, therefore recursion server is for the nothing of DNS data simultaneously
Hiding transmitting-receiving is the immediate cause leading to privacy of user disclosure risk.Therefore, domain name resolution service proposed by the invention increases
Secret protection server this significant components.User by inquiry of the domain name request issue recursion server before, first by
Original domain name is converted into dark text, and the domain name with this secret protection server by the key that certain secret protection server is provided
As suffix, thus being combined into a hidden domain name;After recursion server receives the inquiry request to this hidden domain name for the user, will
Secret protection server is forwarded it to by existing dns resolution flow process;Secret protection server deciphers original domain name therein
And traditional domain name resolution process is carried out to it, but again analysis result is returned to by recursion server, recurrence with dark text form
Server the most at last this result return to user;End user is decrypted to this result by key, obtains final parsing
Result.
As can be seen that the arbitrary communication link server in above-mentioned whole domain name resolution process, it is right all to will be unable to realize
Obtain while IP address and looked into original domain name, such that it is able to effectively avoid previously mentioned every kind of DNS privacy to let out
Divulge a secret danger, and existing dns server is not changed, this domain name resolution service that therefore present invention intends proposing has pole
High effectiveness and availability.
As shown in figure 4, the invention allows for a kind of domain name resolution service system of user oriented secret protection, its bag
Include:
User access device, it is used for input for the original domain name that will access;
Recursion server, for the information of transmission between described user access device and secret protection server;
Secret protection server, it is used for transmitting information between described recursion server and authoritative server;
Authoritative server, it is used for storing the data that described user access device will access.
Wherein, described user access device is additionally operable to:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix;
Described first hidden domain name is passed to described recursion server.
Wherein, described secret protection server is additionally operable to:Parse the described first hidden domain name, obtain what user's request accessed
Original domain name.
The above, the only present invention preferably specific embodiment, but protection scope of the present invention is not limited thereto,
Any those familiar with the art the invention discloses technical scope in, the change or replacement that can readily occur in,
All should be included within the scope of the present invention.Therefore, protection scope of the present invention should be with the protection model of described claim
Enclose and be defined.
Claims (8)
1. a kind of domain name resolution service method of user oriented secret protection, it comprises the following steps:
Obtain the original domain name that will access of user input;
The domain name of secret protection server and described original domain name are combined into the first hidden domain name;
Conducted interviews operation by described secret protection server.
2. the method for claim 1, wherein in the described domain name by secret protection server and described original domain name group
Before synthesizing the first hidden domain name, also include:First domain name is set for secret protection server, described first domain name is described hidden
The domain name of private protection server.
3. method as claimed in claim 2, the wherein said domain name by secret protection server is combined with described original domain name
The first hidden domain name is become to specifically include:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix.
4. the method for claim 1, wherein said being conducted interviews by described secret protection server operates inclusion:
Described first hidden domain name is transmitted to by described secret protection server by recursion server;
After described secret protection server parses the described first hidden domain name, obtain the original domain name that user's request accesses;
Access described original domain name place authoritative server.
5. method as claimed in claim 4, wherein said by described secret protection server conduct interviews operation also include:
Described secret protection server obtains the access result of described authoritative server, and dark text form returns to accessing result
Described recursion server;
Described recursion server returns to the user of request by accessing result;
By the first encryption key, described access result is decrypted, obtains final analysis result.
6. a kind of domain name resolution service system of user oriented secret protection, it includes:
User access device, it is used for input for the original domain name that will access;
Recursion server, for the information of transmission between described user access device and secret protection server;
Secret protection server, it is used for transmitting information between described recursion server and authoritative server;
Authoritative server, it is used for storing the data that described user access device will access.
7. system as claimed in claim 6, wherein said user access device is additionally operable to:
Using the first encryption key, described original domain name is encrypted and obtains the first dark text;
Described first domain name is added to described first dark text and obtains the first hidden domain name as suffix;
Described first hidden domain name is passed to described recursion server.
8. system as claimed in claim 7, wherein said secret protection server is additionally operable to:Parse the described first hidden domain
Name, obtains the original domain name that user's request accesses.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611032442.XA CN106453399B (en) | 2016-11-16 | 2016-11-16 | A kind of domain name resolution service method and system of user oriented secret protection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201611032442.XA CN106453399B (en) | 2016-11-16 | 2016-11-16 | A kind of domain name resolution service method and system of user oriented secret protection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106453399A true CN106453399A (en) | 2017-02-22 |
CN106453399B CN106453399B (en) | 2019-06-14 |
Family
ID=58220912
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201611032442.XA Active CN106453399B (en) | 2016-11-16 | 2016-11-16 | A kind of domain name resolution service method and system of user oriented secret protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106453399B (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105338128A (en) * | 2015-09-25 | 2016-02-17 | 互联网域名系统北京市工程研究中心有限公司 | Domain name resolution method and device |
CN113014561A (en) * | 2021-02-18 | 2021-06-22 | 支付宝(杭州)信息技术有限公司 | Privacy protection method and device for DNS request message |
CN114157713A (en) * | 2021-10-09 | 2022-03-08 | 北京邮电大学 | Method and system for capturing hidden service flow |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120017078A1 (en) * | 2010-07-13 | 2012-01-19 | Computer Associates Think, Inc. | Perimeter encryption method and system |
CN102780711A (en) * | 2011-05-09 | 2012-11-14 | 腾讯科技(深圳)有限公司 | Method, device and system for accessing application data of SNS (Social Network Site) |
CN103391272A (en) * | 2012-05-08 | 2013-11-13 | 深圳市腾讯计算机系统有限公司 | Method and system for detecting false attack sources |
CN105491110A (en) * | 2015-11-23 | 2016-04-13 | 北京天地互连信息技术有限公司 | Root server extension method and network based on hypertext transfer protocol (HTTP) or hypertext transfer protocol over secure socket layer (HTTPS) |
CN105991604A (en) * | 2015-02-27 | 2016-10-05 | 中兴通讯股份有限公司 | Method and device for preventing form domain name hijacking |
-
2016
- 2016-11-16 CN CN201611032442.XA patent/CN106453399B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20120017078A1 (en) * | 2010-07-13 | 2012-01-19 | Computer Associates Think, Inc. | Perimeter encryption method and system |
CN102780711A (en) * | 2011-05-09 | 2012-11-14 | 腾讯科技(深圳)有限公司 | Method, device and system for accessing application data of SNS (Social Network Site) |
CN103391272A (en) * | 2012-05-08 | 2013-11-13 | 深圳市腾讯计算机系统有限公司 | Method and system for detecting false attack sources |
CN105991604A (en) * | 2015-02-27 | 2016-10-05 | 中兴通讯股份有限公司 | Method and device for preventing form domain name hijacking |
CN105491110A (en) * | 2015-11-23 | 2016-04-13 | 北京天地互连信息技术有限公司 | Root server extension method and network based on hypertext transfer protocol (HTTP) or hypertext transfer protocol over secure socket layer (HTTPS) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105338128A (en) * | 2015-09-25 | 2016-02-17 | 互联网域名系统北京市工程研究中心有限公司 | Domain name resolution method and device |
CN105338128B (en) * | 2015-09-25 | 2018-09-25 | 互联网域名系统北京市工程研究中心有限公司 | Domain name analytic method and domain name mapping device |
CN113014561A (en) * | 2021-02-18 | 2021-06-22 | 支付宝(杭州)信息技术有限公司 | Privacy protection method and device for DNS request message |
CN113014561B (en) * | 2021-02-18 | 2022-09-06 | 支付宝(杭州)信息技术有限公司 | Privacy protection method and device for DNS request message |
CN114157713A (en) * | 2021-10-09 | 2022-03-08 | 北京邮电大学 | Method and system for capturing hidden service flow |
Also Published As
Publication number | Publication date |
---|---|
CN106453399B (en) | 2019-06-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9894041B2 (en) | Secure domain name resolution in computer networks | |
US9794215B2 (en) | Private tunnel network | |
CN114884822B (en) | Virtual network authentication service | |
JP5587732B2 (en) | Computer-implemented method, computer program, and system for managing access to a domain name service (DNS) database | |
US6557037B1 (en) | System and method for easing communications between devices connected respectively to public networks such as the internet and to private networks by facilitating resolution of human-readable addresses | |
EP2245837B1 (en) | Dynamic DNS system for private networks | |
TW201012155A (en) | Secure resource name resolution using a cache | |
US10341286B2 (en) | Methods and systems for updating domain name service (DNS) resource records | |
US10848479B2 (en) | Enabling encrypted communications between a user and a third party hosting service via a proxy server | |
CN110401641B (en) | User authentication method and device and electronic equipment | |
US20130124685A1 (en) | Distributing overlay network ingress information | |
US20120278854A1 (en) | System and method for device addressing | |
CN109862130B (en) | Method, device, equipment and computer medium for accessing IPv4 external link | |
CN107528865A (en) | The method for down loading and system of file | |
CN105981009A (en) | Caching of encrypted content | |
DeKok | The network access identifier | |
CN104348838B (en) | A kind of document file management system and method | |
CN1820264B (en) | System and method for name resolution | |
CN106453399A (en) | Method and system for domain name resolution service of user-oriented privacy protection | |
US10965651B2 (en) | Secure domain name system to support a private communication service | |
US10057300B2 (en) | Selective access control to mobile IP network | |
CN108418906A (en) | A kind of domain name analytic method and system | |
US9906503B1 (en) | Notifying a registrant if communications between a user and a third party hosting service are not secure | |
CN108183896A (en) | Page acquisition methods, device and the electronic equipment of browser | |
CN110266715B (en) | Remote access method, device, equipment and computer readable storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |