CN106713309A - Method and apparatus for reducing DNS hijacking risk - Google Patents

Method and apparatus for reducing DNS hijacking risk

Info

Publication number: CN106713309A
Authority: CN (China)
Prior art keywords: dns server, configuration information, dynamic configuration, server address, state
Legal status: Pending (assumed by Google Patents; not a legal conclusion)
Application number: CN201611192329.8A
Other languages: Chinese (zh)
Inventors: 刘天, 张建新, 高永岗
Current assignee: Beijing Qihoo Technology Co Ltd
Original assignee: Beijing Qihoo Technology Co Ltd

Events:
    • Application filed by Beijing Qihoo Technology Co Ltd
    • Priority to CN201611192329.8A
    • Publication of CN106713309A
    • Priority to PCT/CN2017/117689 (published as WO2018113727A1)
    • Legal status: Pending (current)

Classifications

    • H04L61/4511 (H04L Transmission of digital information; H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/45 Network directories, name-to-address mapping): name-to-address mapping using standardised directory access protocols, using the domain name system [DNS]
    • H04L63/1466 (H04L63/00 Network architectures or protocols for network security; H04L63/14 Detecting or protecting against malicious traffic; H04L63/1441 Countermeasures against malicious traffic): active attacks involving interception, injection, modification or spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H04L61/5014 (H04L61/50 Address allocation; H04L61/5007 Internet protocol [IP] addresses): IP address allocation using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Abstract

The invention provides a method and apparatus for reducing DNS hijacking risk. The method comprises: sending a dynamic configuration request to a DHCP (Dynamic Host Configuration Protocol) device in a local area network; receiving the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary DNS (Domain Name System) server address; switching from a dynamic-configuration networking state to a static networking state, where the dynamic-configuration networking state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static networking state is the state of accessing the network according to static secure configuration information whose primary DNS server address is a target wide area network (WAN) DNS server address; and accessing the network based on the secure configuration information.

Description

Method and apparatus for reducing DNS hijacking risk
Technical field
The present invention relates to the field of electronic technology, and in particular to a method and apparatus for reducing DNS hijacking risk.
Background art
A common form of LAN DNS (Domain Name System) hijacking works as follows: an attacker sets up a rogue DNS server with malicious behaviour inside the LAN, compromises the LAN's DHCP (Dynamic Host Configuration Protocol) device, and changes the DNS server address that the DHCP device hands out to UEs (user equipment) to the address of the rogue DNS server. A UE that joins the network using the configuration dynamically assigned by DHCP is then connected to the rogue DNS server and is exposed to hijacking.
Summary of the invention
In view of the above problems, the present invention provides a method and apparatus for reducing DNS hijacking risk that overcome, or at least partly solve, the problem described above.
In a first aspect, the invention provides a method for reducing DNS hijacking risk, including:
sending a dynamic configuration request to the DHCP device in the LAN;
receiving the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary DNS server address;
switching from the dynamic-configuration networking state to the static networking state, where the dynamic-configuration networking state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static networking state is the state of accessing the network according to static secure configuration information whose primary DNS server address is a target WAN DNS server address;
accessing the network based on the secure configuration information.
Optionally, before switching from the dynamic-configuration networking state to the static networking state, the method further includes:
when the primary DNS server address in the dynamic configuration information is a LAN address, judging whether the gateway address in the dynamic configuration information is the same as the primary DNS server address in the dynamic configuration information;
when the gateway address and the primary DNS server address in the dynamic configuration information differ, determining that a LAN DNS hijacking risk exists and performing the step of switching from the dynamic-configuration networking state to the static networking state.
Optionally, after switching from the dynamic-configuration networking state to the static networking state, the method further includes:
obtaining the target WAN DNS server address;
setting the target WAN DNS server address as the primary DNS server address in the secure configuration information.
Optionally, obtaining the target WAN DNS server address includes:
detecting the network connectivity of one or more WAN DNS servers;
setting the address of the WAN DNS server with the best network connectivity as the target WAN DNS server address.
Optionally, after switching from the dynamic-configuration networking state to the static networking state, the method further includes:
extracting the primary DNS server address or the secondary DNS server address from the dynamic configuration information;
setting the primary DNS server address or secondary DNS server address from the dynamic configuration information as the secondary DNS server address in the secure configuration information.
In a second aspect, the invention provides an apparatus for reducing DNS hijacking risk, including:
a dynamic configuration request module, for sending a dynamic configuration request to the DHCP device in the LAN;
a receiving module, for receiving the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary DNS server address;
a switching module, for switching from the dynamic-configuration networking state to the static networking state, where the dynamic-configuration networking state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static networking state is the state of accessing the network according to static secure configuration information whose primary DNS server address is a target WAN DNS server address;
an access module, for accessing the network based on the secure configuration information.
Optionally, the apparatus further includes:
a judging module, for judging, before the switch from the dynamic-configuration networking state to the static networking state and when the primary DNS server address in the dynamic configuration information is a LAN address, whether the gateway address in the dynamic configuration information is the same as the primary DNS server address in the dynamic configuration information;
a first determining module, for determining, when the gateway address and the primary DNS server address in the dynamic configuration information differ, that a LAN DNS hijacking risk exists, and for notifying the switching module to switch from the dynamic-configuration networking state to the static networking state.
Optionally, the apparatus further includes:
an acquisition module, for obtaining the target WAN DNS server address after the switch from the dynamic-configuration networking state to the static networking state;
a second determining module, for setting the target WAN DNS server address as the primary DNS server address in the secure configuration information.
Optionally, the acquisition module is used to detect the network connectivity of one or more WAN DNS servers and to set the address of the WAN DNS server with the best network connectivity as the target WAN DNS server address.
Optionally, the apparatus further includes:
an extraction module, for extracting the primary DNS server address or the secondary DNS server address from the dynamic configuration information after the switch from the dynamic-configuration networking state to the static networking state;
a third determining module, for setting the primary DNS server address or secondary DNS server address from the dynamic configuration information as the secondary DNS server address in the secure configuration information.
The technical solution provided in the embodiments of the present application has at least the following technical effects or advantages:
In the technical solution of the embodiments, a dynamic configuration request is first sent to the DHCP device in the LAN and the dynamic configuration information returned by the DHCP device, which includes a primary DNS server address, is received; the UE then switches from the dynamic-configuration networking state to the static networking state. The static networking state is the state of accessing the network according to static secure configuration information, and the primary DNS server address of the secure configuration information is a target WAN DNS server address. Because hijacking a WAN DNS server is generally much harder than hijacking a LAN DNS server, and because after a hijack the operators of a WAN DNS server can detect the anomaly promptly and repair it quickly, accessing a WAN DNS server carries a lower hijacking risk and higher security than accessing the LAN DNS server. The invention thereby reduces the risk of DNS hijacking.
The above is only an overview of the technical solution of the present invention. In order that the technical means of the invention may be understood more clearly and practised according to the contents of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings the same parts are denoted by the same reference numerals. In the drawings:
Fig. 1 is a flowchart of the method for reducing DNS hijacking risk in an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of the apparatus for reducing DNS hijacking risk in an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present disclosure are described more fully below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited to the embodiments set forth here. Rather, these embodiments are provided so that the disclosure is understood more thoroughly and its scope is conveyed fully to those skilled in the art.
An embodiment of the present invention provides a method and apparatus for reducing DNS hijacking risk. Fig. 1 is the flowchart of the method for reducing DNS hijacking risk in an embodiment of the invention; the method includes:
S101: send a dynamic configuration request to the DHCP (Dynamic Host Configuration Protocol) device in the LAN;
S102: receive the dynamic configuration information returned by the DHCP device;
S103: switch from the dynamic-configuration networking state to the static networking state, where the dynamic-configuration networking state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static networking state is the state of accessing the network according to static secure configuration information whose primary DNS server address is a target WAN DNS server address;
S104: access the network based on the secure configuration information.
Specifically, when a UE needs to join a LAN it can send a dynamic configuration request to the DHCP (Dynamic Host Configuration Protocol) device in that LAN, asking the DHCP device to configure dynamic configuration information for it. After receiving the request, the DHCP device assembles dynamic configuration information for the UE according to its dynamic configuration policy and returns it to the UE, which receives it in S102.
In the embodiments of the invention the dynamic configuration information includes a primary DNS server address. In a specific implementation the dynamic configuration information further includes a gateway address, an IP (Internet Protocol) address, a subnet mask and a secondary DNS server address.
Next, because at this point it cannot be confirmed whether DNS hijacking has occurred in the LAN, in S103 the UE switches its networking state from the dynamic-configuration state to the static state.
Specifically, the UE in the embodiments of the invention has two networking states: the dynamic-configuration networking state and the static networking state. In a specific implementation other networking states may also exist; the invention is not particularly limited in this respect. The dynamic-configuration networking state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on it. In other words, in the dynamic-configuration networking state the UE uses the IP address and subnet mask in the dynamic configuration information, the gateway indicated by the gateway address in the dynamic configuration information, and the primary DNS server indicated by the primary DNS server address in the dynamic configuration information (or the secondary DNS server indicated by the secondary DNS server address). The static networking state is the state of accessing the network according to static secure configuration information. The secure configuration information in the implementation of the invention includes at least a primary DNS server address, and that primary DNS server address is the address of a target WAN DNS server that is known to be safe. The secure configuration information may of course further include an IP address, subnet mask, gateway address and secondary DNS server address; the invention is not particularly limited in this respect.
Next, in S104, the UE accesses the network based on the secure configuration information, so that when it needs a DNS server it contacts the WAN DNS server rather than the LAN DNS server.
Because hijacking a WAN DNS server is generally much harder, and because after a hijack the operators of a WAN DNS server can detect the anomaly promptly and repair it quickly, accessing a WAN DNS server carries a lower hijacking risk and higher security than accessing the LAN DNS server. The invention thereby reduces the risk of DNS hijacking.
As an optional implementation, before S103 of the embodiment of the invention the method may further include:
when the primary DNS server address in the dynamic configuration information is a LAN address, judging whether the gateway address in the dynamic configuration information is the same as the primary DNS server address in the dynamic configuration information;
when the gateway address and the primary DNS server address in the dynamic configuration information differ, determining that a LAN DNS hijacking risk exists and performing the step of switching from the dynamic-configuration networking state to the static networking state.
Specifically, the UE obtains the primary DNS server address from the dynamic configuration information and judges whether it is a LAN address. This is done by checking whether the primary DNS address in the dynamic configuration information falls in what the patent calls the Class A, Class B or Class C interval: 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255 and 192.168.0.0 to 192.168.255.255 respectively (these are the RFC 1918 private address ranges). If the primary DNS server address in the dynamic configuration information lies in any of these three intervals it is a LAN address; if it lies in none of them it is not a LAN address.
Further, when the primary DNS server address configured by the DHCP device is a LAN address, the gateway address configured by the DHCP device is normally the same as the primary DNS server address, for example both 192.168.1.1. So when the primary DNS server address in the dynamic configuration information is a LAN address and the gateway address in the dynamic configuration information equals the primary DNS server address, the current LAN DNS server is considered normal and the probability of hijacking is low. Conversely, when the primary DNS server address in the dynamic configuration information is a LAN address but the gateway address differs from it, the primary DNS server in the LAN is anomalous and may have been hijacked. Hence, in this embodiment of the invention, when the gateway address and the primary DNS server address in the dynamic configuration information differ, the UE determines that a LAN DNS hijacking risk currently exists.
Further, when the UE determines that a LAN DNS hijacking risk exists it may output a prompt to the user, for example by displaying the text "the current local area network is at risk" or by playing a warning tone, so that the user can deal with the LAN DNS hijacking risk in time.
After determining that a LAN DNS hijacking risk exists, continuing to access the network in the dynamic-configuration networking state could lead to property loss for the user, theft of private information and similar harm, so at this point the UE performs S103: it switches from the dynamic-configuration networking state to the static networking state and accesses the network according to the secure configuration information.
It can be seen from the above that when the primary DNS server address in the dynamic configuration information is a LAN address, the safety of the LAN is checked by judging whether the gateway address in the dynamic configuration information equals the primary DNS server address, and a LAN DNS hijacking risk is determined when they differ; this achieves the technical effect of detecting DNS hijacking risk within the LAN. At the same time, switching to the static networking state only when a LAN DNS hijacking risk is determined avoids the high power consumption and slow networking that would result from the UE accessing a WAN DNS server all the time.
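The pre-switch check described above (S101 to S103 plus the optional LAN-address and gateway comparison), as an added example that is not the patent's own code: it classifies the DHCP-assigned primary DNS address against the three intervals the patent lists, compares it with the gateway, and returns the S103 decision. The field names, the `DynamicConfig` record and the sample leases are constructed for illustration. The heuristic also flags any LAN whose DHCP server hands out a resolver separate from the gateway, which is a common legitimate configuration, so the example reports the reason alongside the verdict rather than acting on it silently.

```python
"""Added example of the patent's LAN DNS hijacking heuristic.

Not the patent's own code; field names, sample addresses and the DynamicConfig
record are assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The three ranges the patent calls the "Class A/B/C intervals" (the RFC 1918
# private ranges). An address inside any of them is treated as a LAN address.
LAN_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)


@dataclass(frozen=True)
class DynamicConfig:
    """The dynamic configuration information the DHCP device returns (S102)."""
    ip_address: str
    subnet_mask: str
    gateway: str
    primary_dns: str
    secondary_dns: Optional[str] = None


def is_lan_address(addr: str) -> bool:
    """True if addr falls in one of the patent's three LAN intervals."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def lan_dns_hijack_risk(cfg: DynamicConfig) -> Tuple[bool, str]:
    """The optional check performed before S103.

    Returns (risk, reason). Risk is asserted only when the DHCP-assigned primary
    DNS server is a LAN address that differs from the gateway; a WAN resolver
    handed out by DHCP is outside the scope of the patent's heuristic.
    """
    if not is_lan_address(cfg.primary_dns):
        return False, "primary DNS is not a LAN address; heuristic does not apply"
    if ipaddress.ip_address(cfg.primary_dns) == ipaddress.ip_address(cfg.gateway):
        return False, "primary DNS equals the gateway; LAN DNS looks normal"
    return True, (f"primary DNS {cfg.primary_dns} is a LAN address but differs "
                  f"from gateway {cfg.gateway}")


def choose_networking_state(cfg: DynamicConfig) -> str:
    """S103 decision: stay in the dynamic state unless the check flags a risk."""
    risk, _ = lan_dns_hijack_risk(cfg)
    return "static" if risk else "dynamic"


# Constructed sample leases (not captured network data).
NORMAL_LEASE = DynamicConfig("192.168.1.23", "255.255.255.0",
                             "192.168.1.1", "192.168.1.1", "8.8.8.8")
SUSPECT_LEASE = DynamicConfig("192.168.1.23", "255.255.255.0",
                              "192.168.1.1", "192.168.1.77")
WAN_DNS_LEASE = DynamicConfig("10.0.5.4", "255.255.0.0",
                              "10.0.0.1", "1.1.1.1")

if __name__ == "__main__":
    for name, lease in (("normal", NORMAL_LEASE), ("suspect", SUSPECT_LEASE),
                        ("wan-dns", WAN_DNS_LEASE)):
        risk, reason = lan_dns_hijack_risk(lease)
        print(f"{name}: risk={risk} -> {choose_networking_state(lease)} ({reason})")
```

The 172.16.0.0/12 prefix covers exactly 172.16.0.0 to 172.31.255.255, so 172.32.0.1 is correctly treated as a WAN address. Addresses the patent does not list, such as link-local 169.254.0.0/16, are deliberately not classified as LAN addresses here.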
In the embodiments of the invention the secure configuration information may be default information stored in advance. For example, a safe default IP address, subnet mask, gateway address, primary DNS server address (that is, the target WAN DNS server address) and secondary DNS server address are stored in advance as the secure configuration information, and after the switch to the static networking state the stored secure configuration information is read. Alternatively, the secure configuration information may be generated from user input: for example, when the user learns from the prompt that the current LAN carries a DNS hijacking risk, the user enters a safe IP address, subnet mask, gateway address, primary DNS server address (the target WAN DNS server address) and secondary DNS server address, and the UE generates the secure configuration information from the entered values. Alternatively, the secure configuration information may be generated according to the actual situation after the switch to the static networking state.
Further, in combination with any of the above embodiments, as an optional embodiment, after switching from the dynamic-configuration networking state to the static networking state the method may further include:
obtaining the target WAN DNS server address;
using the target WAN DNS server address as the primary DNS server address in the secure configuration information.
Specifically, after switching to the static networking state the UE obtains the target WAN DNS server address. The target WAN DNS server may be any one of the one or more WAN DNS servers currently reachable, in which case the UE takes the address of any one of them as the target WAN DNS server address. Alternatively, to avoid a WAN DNS server that cannot be reached or that responds slowly, the UE may use the geographical positions of the WAN DNS servers and take the address of the one nearest to it as the target WAN DNS server address. Alternatively, the target WAN DNS server address may be obtained by the following procedure:
detecting the network connectivity of one or more WAN DNS servers;
setting the address of the WAN DNS server with the best network connectivity as the target WAN DNS server address.
Specifically, the UE measures the network connectivity of one or more WAN DNS servers. Network connectivity in the embodiments of the invention represents how well the UE can reach a WAN DNS server and may cover whether the WAN DNS server is reachable, the time taken to reach it, its bandwidth, its load, its geographical position and so on; the invention is not particularly limited in this respect.
The UE measures whether each WAN DNS server is reachable, the access time, bandwidth, load, geographical position and so on, and derives the network connectivity of each WAN DNS server from these measurements.
In a specific implementation there are various ways to obtain the network connectivity of each WAN DNS server, and those of ordinary skill in the art may choose according to the actual situation; the invention is not particularly limited.
For example, a weight is set in advance for each parameter type of the WAN DNS servers, a weighted value is computed from the parameters of each WAN DNS server, and that weighted value is taken as the server's network connectivity. As an example, suppose the parameter types the UE measures are reachability, access time and geographical distance, with a weight of 0.5 for reachability, -0.3 for access time and -0.2 for geographical distance. Measuring the first WAN DNS server shows that it cannot be reached, the connection times out (assume a timeout of 3 minutes, with the timeout counted as the access time) and the geographical distance is 10 km. Measuring the second WAN DNS server shows that it can be reached, the connection takes 0.5 minutes and the geographical distance is 8 km. The weighted value of the first WAN DNS server is then 0*0.5 - 0.3*3 - 0.2*10 = -2.9 and that of the second is 1*0.5 - 0.3*0.5 - 0.2*8 = -1.25. The weighted value of the second WAN DNS server is greater than that of the first, so the second WAN DNS server has the better network connectivity.
Next, in the embodiments of the invention the UE takes the address of the WAN DNS server with the best measured network connectivity as the target WAN DNS server address.
As described above, using the address of the WAN DNS server with the best network connectivity among the one or more WAN DNS servers as the target WAN DNS server address lets the UE reach the best-connected WAN DNS server, and so reduces the probability of failing to connect to a WAN DNS server or connecting slowly.
Further, after obtaining the target WAN DNS server address the UE uses it as the primary DNS server address in the secure configuration information, so that when it accesses the primary DNS server based on the secure configuration information it contacts the WAN DNS server rather than the LAN DNS server that carries a hijacking risk.
Because hijacking a WAN DNS server is generally much harder, and because after a hijack the operators of a WAN DNS server can detect the anomaly promptly and repair it quickly, accessing a WAN DNS server carries a lower hijacking risk and higher security than accessing the LAN DNS server. The invention thereby reduces the risk of DNS hijacking.
Further, the secure configuration information in the embodiments of the invention also includes a secondary DNS server address, for which there are likewise several possibilities. As with the primary DNS server address, the secondary DNS server address may be default information stored in advance or an address entered by the user. Alternatively, after switching to the static networking state the UE sets the address of the WAN DNS server with the best network connectivity as the primary DNS server address of the secure configuration information and the address of the WAN DNS server whose network connectivity is second only to the target's as the secondary DNS server address. Alternatively, after switching from the dynamic-configuration networking state to the static networking state the method may further include:
extracting the primary DNS server address or the secondary DNS server address from the dynamic configuration information;
setting the primary DNS server address or secondary DNS server address from the dynamic configuration information as the secondary DNS server address in the secure configuration information.
Specifically, another way to determine the secondary DNS server address in the secure configuration information is for the UE, after switching to the static networking state, to extract the primary or secondary DNS server address from the dynamic configuration information and set the extracted address as the secondary DNS server address of the secure configuration information.
Further, in a specific implementation the primary DNS server in the LAN is generally more reliable than the secondary DNS server, and faults in it are more readily discovered and corrected in time, so setting the primary DNS server address from the dynamic configuration information as the secondary DNS server address in the secure configuration information is the preferred choice.
In addition, for the IP address, subnet mask, gateway address and so on in the secure configuration information, the IP address, subnet mask and gateway address from the dynamic configuration information may be used directly; the invention is not particularly limited.
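The weighted connectivity selection worked above and the assembly of the secure configuration information that follows it, as an added example that is not the patent's own code: it scores each WAN DNS server with the patent's weights (0.5 for reachability, -0.3 per minute of access time with a 3 minute timeout charged to unreachable servers, -0.2 per km), ranks them, and builds the static configuration with the best-connected server as primary and either the second-best WAN server or, following the page's preferred choice, the DHCP-assigned primary DNS as secondary. The probe results, the documentation-range resolver addresses and the field names are constructed assumptions. Two practitioner caveats are built in: with the page's weights an unreachable server at 10 km scores -2.9, above a reachable one at 30 km (-5.56), so the configuration builder filters on reachability before ranking; and the "dynamic" fallback keeps the suspect LAN resolver as secondary, which means a WAN resolver outage sends queries back to it.

```python
"""Added example: weighted WAN DNS selection and secure configuration assembly.

Not the patent's own code; probe values, resolver addresses and field names are
constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Weights per parameter type, as in the patent's worked example.
WEIGHTS: Dict[str, float] = {"reachable": 0.5, "access_minutes": -0.3, "distance_km": -0.2}
TIMEOUT_MINUTES = 3.0  # an unreachable server is charged the full timeout


@dataclass(frozen=True)
class WanDnsProbe:
    """Constructed measurement of one WAN DNS server (not real probe data)."""
    address: str
    reachable: bool
    access_minutes: Optional[float]  # None when the probe timed out
    distance_km: float


def connectivity_score(p: WanDnsProbe, weights: Dict[str, float] = WEIGHTS) -> float:
    """Weighted value the patent uses as 'network connectivity'; higher is better."""
    params = {
        "reachable": 1.0 if p.reachable else 0.0,
        "access_minutes": TIMEOUT_MINUTES if p.access_minutes is None else p.access_minutes,
        "distance_km": p.distance_km,
    }
    return sum(weights[k] * v for k, v in params.items())


def rank_wan_dns(probes: List[WanDnsProbe]) -> List[WanDnsProbe]:
    """Best-connected first, using the raw weighted value only."""
    return sorted(probes, key=connectivity_score, reverse=True)


def build_secure_config(dynamic: Dict[str, str], probes: List[WanDnsProbe],
                        secondary_from: str = "wan") -> Dict[str, str]:
    """Assemble the static secure configuration information.

    Only reachable servers are ranked, because the raw weights can place an
    unreachable server above a reachable but distant one. primary_dns is the
    best-connected reachable WAN server. secondary_from selects the fallback:
    "wan" takes the second-best WAN server; "dynamic" follows the page's
    preferred choice and reuses the DHCP-assigned primary DNS (the suspect
    LAN resolver), so a WAN outage falls back to it.
    """
    ranked = rank_wan_dns([p for p in probes if p.reachable])
    if not ranked:
        raise RuntimeError("no reachable WAN DNS server; cannot build secure config")
    if secondary_from == "dynamic":
        secondary = dynamic["primary_dns"]
    elif len(ranked) > 1:
        secondary = ranked[1].address
    else:
        secondary = ranked[0].address
    # IP address, subnet mask and gateway are reused from the dynamic configuration.
    return {
        "ip_address": dynamic["ip_address"],
        "subnet_mask": dynamic["subnet_mask"],
        "gateway": dynamic["gateway"],
        "primary_dns": ranked[0].address,
        "secondary_dns": secondary,
    }


# The two servers from the patent's example plus a third, reachable but far away.
PROBES = [
    WanDnsProbe("203.0.113.53", reachable=False, access_minutes=None, distance_km=10.0),
    WanDnsProbe("198.51.100.53", reachable=True, access_minutes=0.5, distance_km=8.0),
    WanDnsProbe("192.0.2.53", reachable=True, access_minutes=0.2, distance_km=30.0),
]
# Constructed DHCP lease whose primary DNS failed the gateway comparison.
DYNAMIC = {"ip_address": "192.168.1.23", "subnet_mask": "255.255.255.0",
           "gateway": "192.168.1.1", "primary_dns": "192.168.1.77"}

if __name__ == "__main__":
    for p in rank_wan_dns(PROBES):
        print(f"{p.address}: score={connectivity_score(p):.2f}")
    print(build_secure_config(DYNAMIC, PROBES))
    print(build_secure_config(DYNAMIC, PROBES, secondary_from="dynamic"))
```

Running the block reproduces the patent's figures of -2.9 and -1.25 for the first two servers and shows the distant third server at -5.56, which is why the reachability filter in `build_secure_config` matters before the raw ranking is trusted.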
Based on the same inventive concept as the method for reducing DNS hijacking risk in the foregoing embodiment, a second aspect of the present invention also provides a device for reducing DNS hijacking risk which, as shown in Fig. 2, includes:
a dynamic configuration request module 101, configured to send a dynamic configuration request to a dynamic host configuration protocol (DHCP) device in the LAN;
a receiving module 102, configured to receive the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary domain name system (DNS) server address;
a handover module 103, configured to switch from the dynamic-configuration network-access state to the static network-access state, where the dynamic-configuration network-access state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on the dynamic configuration information, and the static network-access state is the state of accessing the network according to static security configuration information; the primary DNS server address of the security configuration information is the target wide area network DNS server address;
an access module 104, configured to access the network based on the security configuration information.
Further, the device in the embodiment of the present invention also includes:
a judging module, configured to judge, before the switch from the dynamic-configuration network-access state to the static network-access state and when the primary DNS server address in the dynamic configuration information is a LAN address, whether the gateway address in the dynamic configuration information is consistent with the primary DNS server address in the dynamic configuration information;
a first determining module, configured to determine, when the gateway address and the primary DNS server address in the dynamic configuration information are inconsistent, that a LAN DNS hijacking risk exists, and to notify the handover module to switch from the dynamic-configuration network-access state to the static network-access state.
Further, the device in the embodiment of the present invention also includes:
an acquisition module, configured to acquire the target wide area network DNS server address after the switch from the dynamic-configuration network-access state to the static network-access state;
a second determining module, configured to determine the target wide area network DNS server address as the primary DNS server address in the security configuration information.
Here the acquisition module is configured to detect the network connectivity of one or more wide area network DNS servers, and to determine the address of the wide area network DNS server with the best network connectivity as the target wide area network DNS server address.
Further, the device in the embodiment of the present invention also includes:
an extraction module, configured to extract the primary DNS server address or the standby DNS server address from the dynamic configuration information after the switch from the dynamic-configuration network-access state to the static network-access state;
a third determining module, configured to determine the primary DNS server address or the standby DNS server address in the dynamic configuration information as the standby DNS server address in the security configuration information.
The various variations and specific examples of the method for reducing DNS hijacking risk in the embodiment of Fig. 1 above apply equally to the device for reducing DNS hijacking risk of this embodiment. From the foregoing detailed description of the method for reducing DNS hijacking risk, those skilled in the art can clearly understand how the device for reducing DNS hijacking risk of this embodiment is implemented, so for brevity of the specification it is not described in detail here.
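The following is an added example and is not code from the patent or from the applicant; it models, end to end, the decision the description and the device modules above lay out: the judging module's check of the DHCP-supplied gateway against a LAN-addressed primary DNS, the switch to the static network-access state, the selection of the target wide area network DNS server by measured connectivity, and the choice of the standby DNS server (the dynamic configuration's primary DNS, its standby DNS, or the runner-up WAN server). The type and function names, the meaning of "LAN address" (RFC 1918 ranges plus link-local), the plain-UDP connectivity probe, and all sample addresses and latencies are assumptions constructed for this illustration.

```python
# Added example, not code from the patent: a model of the decision logic in the
# description, from the DHCP-supplied configuration to the static security
# configuration. Type and function names, addresses and latencies are constructed.
import ipaddress
import socket
import struct
import time
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

@dataclass
class DynamicConfig:            # subset of what the LAN DHCP device hands out
    ip: str
    netmask: str
    gateway: str
    primary_dns: str
    standby_dns: Optional[str] = None

@dataclass
class SecurityConfig:           # static configuration for the static network-access state
    ip: str
    netmask: str
    gateway: str
    primary_dns: str            # target WAN DNS server address
    standby_dns: Optional[str]

# Assumption: "LAN address" means the RFC 1918 private ranges plus link-local.
_LAN_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

def is_lan_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _LAN_NETS)

def lan_dns_hijack_risk(cfg: DynamicConfig) -> bool:
    """Judging module: a LAN-addressed primary DNS should be the gateway itself;
    any other LAN host is treated as a LAN DNS hijacking risk."""
    if not is_lan_address(cfg.primary_dns):
        return False            # a WAN resolver was offered: this check does not apply
    return cfg.primary_dns != cfg.gateway

Probe = Callable[[str], Optional[float]]    # server -> latency in ms, None if unreachable

def probe_dns_latency(server: str, qname: str = "example.com", timeout: float = 1.0) -> Optional[float]:
    """Real connectivity probe (assumption: plain UDP DNS on port 53): one A query,
    returns the round-trip time in ms, or None on timeout, error or mismatched id."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)      # id, RD set, 1 question
    question = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)                   # QTYPE A, QCLASS IN
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            t0 = time.perf_counter()
            s.sendto(header + question, (server, 53))
            data, _ = s.recvfrom(512)
    except OSError:
        return None
    if len(data) < 12 or data[:2] != header[:2]:
        return None
    return (time.perf_counter() - t0) * 1000.0

def pick_target_wan_dns(candidates: Iterable[str], probe: Probe) -> Tuple[str, Optional[str]]:
    """Acquisition module: rank WAN DNS servers by measured connectivity and return
    (best, runner-up); runner-up is None when only one server is reachable."""
    ranked = sorted((lat, addr) for addr in candidates
                    if (lat := probe(addr)) is not None)
    if not ranked:
        raise RuntimeError("no WAN DNS server reachable")
    return ranked[0][1], (ranked[1][1] if len(ranked) > 1 else None)

def build_security_config(dyn: DynamicConfig, wan_candidates: Iterable[str], probe: Probe,
                          standby_from: str = "dynamic_primary") -> SecurityConfig:
    """Second/third determining modules: primary DNS = best WAN server; the standby is
    the dynamic config's primary DNS (the text's preferred choice), its standby DNS,
    or the runner-up WAN server. IP, mask and gateway are reused from the dynamic config."""
    target, runner_up = pick_target_wan_dns(wan_candidates, probe)
    standby = {"dynamic_primary": dyn.primary_dns, "dynamic_standby": dyn.standby_dns,
               "wan_runner_up": runner_up}[standby_from]
    return SecurityConfig(dyn.ip, dyn.netmask, dyn.gateway, target, standby)

def choose_access_state(dyn: DynamicConfig, wan_candidates: Iterable[str], probe: Probe):
    """Handover decision: ('static', SecurityConfig) when a LAN DNS hijacking risk is
    found, otherwise ('dynamic', None) and the DHCP-supplied settings stay in use."""
    if lan_dns_hijack_risk(dyn):
        return "static", build_security_config(dyn, wan_candidates, probe)
    return "dynamic", None

# Constructed sample input so the example runs offline: a DHCP offer whose primary
# DNS is a LAN host other than the gateway, and WAN candidates (RFC 5737
# documentation addresses) with made-up latencies in place of a real probe.
SAMPLE_RISKY = DynamicConfig("192.168.1.23", "255.255.255.0", "192.168.1.1", "192.168.1.77")
SAMPLE_OK = DynamicConfig("192.168.1.23", "255.255.255.0", "192.168.1.1", "192.168.1.1")
SAMPLE_WAN_CANDIDATES = ["203.0.113.1", "203.0.113.2", "203.0.113.3"]
SAMPLE_LATENCY_MS = {"203.0.113.1": 40.0, "203.0.113.2": 12.0, "203.0.113.3": None}

def sample_probe(server: str) -> Optional[float]:
    return SAMPLE_LATENCY_MS.get(server)
```

Calling `choose_access_state(SAMPLE_RISKY, SAMPLE_WAN_CANDIDATES, sample_probe)` yields the static state with the best WAN server as primary DNS and the DHCP-supplied primary DNS kept as standby, while `SAMPLE_OK` stays in the dynamic state; to rank real resolvers, pass `probe_dns_latency` instead of `sample_probe`. Note that the check only fires when the offered primary DNS is a LAN address, so a hijack that hands out a WAN-addressed rogue resolver is outside what this particular test detects.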
The technical solution provided in the embodiment of the present application has at least the following technical effects or advantages:
In the technical solution of the embodiment of the present invention, a dynamic configuration request is first sent to the DHCP device in the LAN, and the dynamic configuration information returned by the DHCP device is received; the dynamic configuration information includes a primary DNS server address. The dynamic-configuration network-access state is then switched to the static network-access state. The static network-access state is the state of accessing the network according to static security configuration information, and the primary DNS server address of the security configuration information is the target wide area network DNS server address. Because hijacking a wide area network DNS server is generally very difficult, and because after a hijack occurs the operators of the wide area network DNS server can discover the anomaly in time and repair it quickly, accessing a wide area network DNS server carries a lower risk of hijacking, and higher security, than accessing a LAN DNS server. The present invention thereby reduces the risk of DNS hijacking.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used with the teaching herein. As described above, the structure required to construct such systems is obvious. Moreover, the present invention is not directed to any particular programming language. It should be understood that various programming languages may be used to implement the content of the invention described herein, and the description of a specific language above is given to disclose the best mode of the invention.
In the specification provided herein, numerous specific details are set forth. It should be appreciated, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be appreciated that, in order to simplify the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof. However, this method of disclosure should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the devices of an embodiment may be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, an equivalent or a similar purpose.
Furthermore, although some embodiments described herein include some features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments, as will be appreciated by those skilled in the art. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the gateway, proxy server and system according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and computer program product) for performing some or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may have the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any ordering; these words may be interpreted as names.
The invention discloses A1, a method for reducing DNS hijacking risk, characterized by including:
sending a dynamic configuration request to a dynamic host configuration protocol (DHCP) device in a LAN;
receiving the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary domain name system (DNS) server address;
switching from a dynamic-configuration network-access state to a static network-access state, where the dynamic-configuration network-access state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on the dynamic configuration information, and the static network-access state is the state of accessing the network according to static security configuration information; the primary DNS server address of the security configuration information is a target wide area network DNS server address;
accessing the network based on the security configuration information.
A2. The method according to A1, characterized in that, before switching from the dynamic-configuration network-access state to the static network-access state, it further includes:
when the primary DNS server address in the dynamic configuration information is a LAN address, judging whether the gateway address in the dynamic configuration information is consistent with the primary DNS server address in the dynamic configuration information;
when the gateway address and the primary DNS server address in the dynamic configuration information are inconsistent, determining that a LAN DNS hijacking risk exists, and performing the step of switching from the dynamic-configuration network-access state to the static network-access state.
A3. The method according to A1 or A2, characterized in that, after switching from the dynamic-configuration network-access state to the static network-access state, it further includes:
acquiring the target wide area network DNS server address;
determining the target wide area network DNS server address as the primary DNS server address in the security configuration information.
A4. The method according to A3, characterized in that acquiring the target wide area network DNS server address includes:
detecting the network connectivity of one or more wide area network DNS servers;
determining the address of the wide area network DNS server with the best network connectivity as the target wide area network DNS server address.
A5. The method according to A1 or A2, characterized in that, after switching from the dynamic-configuration network-access state to the static network-access state, it further includes:
extracting the primary DNS server address or the standby DNS server address from the dynamic configuration information;
determining the primary DNS server address or the standby DNS server address in the dynamic configuration information as the standby DNS server address in the security configuration information.
B6. A device for reducing DNS hijacking risk, characterized by including:
a dynamic configuration request module, configured to send a dynamic configuration request to a dynamic host configuration protocol (DHCP) device in a LAN;
a receiving module, configured to receive the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary domain name system (DNS) server address;
a handover module, configured to switch from a dynamic-configuration network-access state to a static network-access state, where the dynamic-configuration network-access state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on the dynamic configuration information, and the static network-access state is the state of accessing the network according to static security configuration information; the primary DNS server address of the security configuration information is a target wide area network DNS server address;
an access module, configured to access the network based on the security configuration information.
B7. The device according to B6, characterized in that the device further includes:
a judging module, configured to judge, before the switch from the dynamic-configuration network-access state to the static network-access state and when the primary DNS server address in the dynamic configuration information is a LAN address, whether the gateway address in the dynamic configuration information is consistent with the primary DNS server address in the dynamic configuration information;
a first determining module, configured to determine, when the gateway address and the primary DNS server address in the dynamic configuration information are inconsistent, that a LAN DNS hijacking risk exists, and to notify the handover module to switch from the dynamic-configuration network-access state to the static network-access state.
B8. The device according to B6 or B7, characterized in that the device further includes:
an acquisition module, configured to acquire the target wide area network DNS server address after the switch from the dynamic-configuration network-access state to the static network-access state;
a second determining module, configured to determine the target wide area network DNS server address as the primary DNS server address in the security configuration information.
B9. The device according to B8, characterized in that the acquisition module is configured to detect the network connectivity of one or more wide area network DNS servers, and to determine the address of the wide area network DNS server with the best network connectivity as the target wide area network DNS server address.
B10. The device according to B6 or B7, characterized in that the device further includes:
an extraction module, configured to extract the primary DNS server address or the standby DNS server address from the dynamic configuration information after the switch from the dynamic-configuration network-access state to the static network-access state;
a third determining module, configured to determine the primary DNS server address or the standby DNS server address in the dynamic configuration information as the standby DNS server address in the security configuration information.

Claims (10)

1. A method for reducing DNS hijacking risk, characterized by including:
sending a dynamic configuration request to a dynamic host configuration protocol (DHCP) device in a LAN;
receiving the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary domain name system (DNS) server address;
switching from a dynamic-configuration network-access state to a static network-access state, where the dynamic-configuration network-access state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on the dynamic configuration information, and the static network-access state is the state of accessing the network according to static security configuration information; the primary DNS server address of the security configuration information is a target wide area network DNS server address;
accessing the network based on the security configuration information.
2. The method of claim 1, characterized in that, before switching from the dynamic-configuration network-access state to the static network-access state, it further includes:
when the primary DNS server address in the dynamic configuration information is a LAN address, judging whether the gateway address in the dynamic configuration information is consistent with the primary DNS server address in the dynamic configuration information;
when the gateway address and the primary DNS server address in the dynamic configuration information are inconsistent, determining that a LAN DNS hijacking risk exists, and performing the step of switching from the dynamic-configuration network-access state to the static network-access state.
3. The method of claim 1 or 2, characterized in that, after switching from the dynamic-configuration network-access state to the static network-access state, it further includes:
acquiring the target wide area network DNS server address;
determining the target wide area network DNS server address as the primary DNS server address in the security configuration information.
4. The method of claim 3, characterized in that acquiring the target wide area network DNS server address includes:
detecting the network connectivity of one or more wide area network DNS servers;
determining the address of the wide area network DNS server with the best network connectivity as the target wide area network DNS server address.
5. The method of claim 1 or 2, characterized in that, after switching from the dynamic-configuration network-access state to the static network-access state, it further includes:
extracting the primary DNS server address or the standby DNS server address from the dynamic configuration information;
determining the primary DNS server address or the standby DNS server address in the dynamic configuration information as the standby DNS server address in the security configuration information.
6. A device for reducing DNS hijacking risk, characterized by including:
a dynamic configuration request module, configured to send a dynamic configuration request to a dynamic host configuration protocol (DHCP) device in a LAN;
a receiving module, configured to receive the dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary domain name system (DNS) server address;
a handover module, configured to switch from a dynamic-configuration network-access state to a static network-access state, where the dynamic-configuration network-access state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on the dynamic configuration information, and the static network-access state is the state of accessing the network according to static security configuration information; the primary DNS server address of the security configuration information is a target wide area network DNS server address;
an access module, configured to access the network based on the security configuration information.
7. The device of claim 6, characterized in that the device further includes:
a judging module, configured to judge, before the switch from the dynamic-configuration network-access state to the static network-access state and when the primary DNS server address in the dynamic configuration information is a LAN address, whether the gateway address in the dynamic configuration information is consistent with the primary DNS server address in the dynamic configuration information;
a first determining module, configured to determine, when the gateway address and the primary DNS server address in the dynamic configuration information are inconsistent, that a LAN DNS hijacking risk exists, and to notify the handover module to switch from the dynamic-configuration network-access state to the static network-access state.
8. The device of claim 6 or 7, characterized in that the device further includes:
an acquisition module, configured to acquire the target wide area network DNS server address after the switch from the dynamic-configuration network-access state to the static network-access state;
a second determining module, configured to determine the target wide area network DNS server address as the primary DNS server address in the security configuration information.
9. The device of claim 8, characterized in that the acquisition module is configured to detect the network connectivity of one or more wide area network DNS servers, and to determine the address of the wide area network DNS server with the best network connectivity as the target wide area network DNS server address.
10. The device of claim 6 or 7, characterized in that the device further includes:
an extraction module, configured to extract the primary DNS server address or the standby DNS server address from the dynamic configuration information after the switch from the dynamic-configuration network-access state to the static network-access state;
a third determining module, configured to determine the primary DNS server address or the standby DNS server address in the dynamic configuration information as the standby DNS server address in the security configuration information.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201611192329.8A CN106713309A (en) 2016-12-21 2016-12-21 Method and apparatus for reducing DNS hijacking risk
PCT/CN2017/117689 WO2018113727A1 (en) 2016-12-21 2017-12-21 Method and apparatus for reducing the risk of dns hijacking

Publications (1)

Publication Number Publication Date
CN106713309A true CN106713309A (en) 2017-05-24

Family

ID=58938530

Country Status (2)

Country Link
CN (1) CN106713309A (en)
WO (1) WO2018113727A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018113727A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and apparatus for reducing the risk of dns hijacking
WO2018113729A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and apparatus for detecting local area network dns hijacking
WO2018113731A1 (en) * 2016-12-21 2018-06-28 北京奇虎科技有限公司 Method and device for reducing risk of dns hijacking

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040083306A1 (en) * 2002-10-24 2004-04-29 International Business Machines Corporation Method and apparatus for maintaining internet domain name data
CN103561121A (en) * 2013-10-11 2014-02-05 北京奇虎科技有限公司 Method and device for analyzing DNS and browser
CN103916490A (en) * 2014-04-03 2014-07-09 深信服网络科技(深圳)有限公司 DNS tamper-proof method and device
CN104468866A (en) * 2014-12-26 2015-03-25 陈晨 Fast roaming method for multi-gateway terminal in wireless local area network
CN105142243A (en) * 2015-08-14 2015-12-09 江苏轩博电子科技有限公司 Intelligent double-channel broadband gateway and working method of intelligent broadband gateway

Also Published As

Publication number Publication date
WO2018113727A1 (en) 2018-06-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20170524