Summary of the Invention
Embodiments of the present invention provide a method and a device for detecting DNS full-traffic hijacking risk, which are used to improve the accuracy of detecting DNS full-traffic hijacking risk.
In a first aspect, the present invention provides a method for detecting DNS full-traffic hijacking risk, including:
Obtaining one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically wide area network (WAN) domain names;
Performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
Determining whether a local area network (LAN) address exists among the one or more target IP addresses;
When a LAN address exists among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijacking risk.
Optionally, when no LAN address exists among the one or more target IP addresses, the method further includes:
Determining whether identical addresses exist among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
When identical addresses exist among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
Optionally, the method further includes:
When no identical addresses exist among the one or more target IP addresses, determining that the UE has no DNS full-traffic hijacking risk.
Optionally, obtaining one or more target domain names used for detecting DNS full-traffic hijacking risk includes:
Reading the one or more target domain names that were received from a server corresponding to the UE and stored in the storage space of the UE; or
Determining, from multiple candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
Optionally, before DNS resolution is performed on the one or more target domain names, the method further includes:
Determining whether the UE has connected to a new wireless access point (AP);
When the UE has connected to a new AP, performing the step of performing DNS resolution on the one or more target domain names.
In a second aspect, the present invention provides a method for detecting DNS full-traffic hijacking risk, including:
Obtaining one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
Performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
Determining whether identical addresses exist among the one or more target IP addresses;
When identical addresses exist among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
Optionally, when no identical addresses exist among the one or more target IP addresses, the method further includes:
Determining whether a LAN address exists among the one or more target IP addresses, wherein the one or more target domain names are specifically WAN domain names;
When a LAN address exists among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
Optionally, the method further includes:
When no LAN address exists among the one or more target IP addresses, determining that the UE has no DNS full-traffic hijacking risk.
Optionally, obtaining one or more target domain names used for detecting DNS full-traffic hijacking risk includes:
Reading the one or more target domain names that were received from a server corresponding to the UE and stored in the storage space of the UE; or
Determining, from multiple candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
Optionally, before DNS resolution is performed on the one or more target domain names, the method further includes:
Determining whether the UE has connected to a new wireless access point (AP);
When the UE has connected to a new AP, performing the step of performing DNS resolution on the one or more target domain names.
In a third aspect, the present invention provides a method for detecting DNS full-traffic hijacking risk, including:
Obtaining one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
Performing DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
Determining whether a LAN address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
When a LAN address exists among the one or more target IP addresses, or identical addresses exist among the one or more target IP addresses, determining that the user equipment (UE) has a DNS full-traffic hijacking risk.
In a fourth aspect, the present invention provides a device for detecting DNS full-traffic hijacking risk, including:
An obtaining module, configured to obtain one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names;
A resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
A first judging module, configured to determine whether a LAN address exists among the one or more target IP addresses;
A first determining module, configured to determine, when a LAN address exists among the one or more target IP addresses, that the user equipment (UE) has a DNS full-traffic hijacking risk.
Optionally, when no LAN address exists among the one or more target IP addresses, the device further includes:
A second judging module, configured to determine whether identical addresses exist among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
A second determining module, configured to determine, when identical addresses exist among the one or more target IP addresses, that the UE has a DNS full-traffic hijacking risk.
Optionally, the device further includes:
A third determining module, configured to determine, when no identical addresses exist among the one or more target IP addresses, that the UE has no DNS full-traffic hijacking risk.
Optionally, the obtaining module is configured to read the one or more target domain names that were received from a server corresponding to the UE and stored in the storage space of the UE; or to determine, from multiple candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
Optionally, the device further includes:
A third judging module, configured to determine, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
When the UE has connected to a new AP, the resolution module is notified to perform DNS resolution on the one or more target domain names.
In a fifth aspect, the present invention provides a device for detecting DNS full-traffic hijacking risk, including:
An obtaining module, configured to obtain one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
A resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
A first judging module, configured to determine whether identical addresses exist among the one or more target IP addresses;
A first determining module, configured to determine, when identical addresses exist among the one or more target IP addresses, that the UE has a DNS full-traffic hijacking risk.
Optionally, when no identical addresses exist among the one or more target IP addresses, the device further includes:
A second judging module, configured to determine whether a LAN address exists among the one or more target IP addresses, wherein the one or more target domain names are specifically WAN domain names;
A second determining module, configured to determine, when a LAN address exists among the one or more target IP addresses, that the UE has a DNS full-traffic hijacking risk.
Optionally, the device further includes:
A third determining module, configured to determine, when no LAN address exists among the one or more target IP addresses, that the UE has no DNS full-traffic hijacking risk.
Optionally, the obtaining module is configured to read the one or more target domain names that were received from a server corresponding to the UE and stored in the storage space of the UE; or to determine, from multiple candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
Optionally, the device further includes:
A third judging module, configured to determine, before DNS resolution is performed on the one or more target domain names, whether the UE has connected to a new wireless access point (AP);
When the UE has connected to a new AP, the resolution module is notified to perform DNS resolution on the one or more target domain names.
In a sixth aspect, the present invention provides a device for detecting DNS full-traffic hijacking risk, including:
An obtaining module, configured to obtain one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
A resolution module, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
A judging module, configured to determine whether a LAN address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
A determining module, configured to determine, when a LAN address exists among the one or more target IP addresses or identical addresses exist among the one or more target IP addresses, that the user equipment (UE) has a DNS full-traffic hijacking risk.
The one or more technical solutions in the embodiments of the present application have at least one or more of the following technical effects:
In the technical solution of the embodiments of the present invention, one or more target domain names used for detecting DNS full-traffic hijacking risk are obtained, where the one or more target domain names are specifically WAN domain names. DNS resolution is then performed on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses, and it is then determined whether a LAN address exists among the one or more target IP addresses. Because the IP address corresponding to a target domain name is a WAN address, when a LAN address exists among the one or more target IP addresses, it is determined that the UE has a DNS full-traffic hijacking risk. Therefore, even if the target IP address resolved for a target domain name is not in a blacklist database, if the target IP address is a LAN address, this indicates that the network the UE is currently connected to may be subject to full-traffic hijacking, and it can be determined that the UE has a DNS full-traffic hijacking risk. The above technical solution thus improves the accuracy of detecting DNS full-traffic hijacking.
Further, because the technical solution of the embodiments of the present invention does not need to compare against a huge blacklist database, there is no need to store a blacklist database, which saves the device resources that storing the blacklist database would occupy.
Further, because the technical solution in the embodiments of the present invention can be performed by the UE without the participation of a server, it can prevent a malicious party who has hijacked DNS from monitoring the interaction between the UE and the server and thereby interfering with detection, or even sending the UE false information indicating that the network is secure.
Detailed Description
Embodiments of the present invention provide a method and a device for detecting DNS full-traffic hijacking risk, which are used to improve the accuracy of detecting DNS full-traffic hijacking risk.
To solve the above technical problem, the general idea of the technical solution provided by the present invention is as follows:
In the technical solution of the embodiments of the present invention, one or more target domain names used for detecting DNS full-traffic hijacking risk are obtained, and DNS resolution is performed on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses. Then, if the one or more target domain names are WAN domain names, it is determined whether a LAN address exists among the one or more target IP addresses, and if a LAN address exists, it is determined that the UE has a DNS full-traffic hijacking risk. Or, if the one or more target domain names are domain names whose known IP addresses are different from one another, it is determined whether identical addresses exist among the one or more target IP addresses, and if identical addresses exist, it is determined that the UE has a DNS full-traffic hijacking risk. Or, if the one or more target domain names are WAN domain names and their known IP addresses are different from one another, it is determined whether a LAN address exists among the one or more target IP addresses and whether identical addresses exist among them, and if a LAN address or identical addresses exist among the one or more target IP addresses, it is determined that the UE has a DNS full-traffic hijacking risk.
The technical solution of the present invention is described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the embodiments of the present application and the specific features in them are detailed descriptions of the technical solution of the present application rather than limitations on it, and that, where no conflict arises, the embodiments of the present application and the technical features in them may be combined with one another.
The term "and/or" herein merely describes an association between associated objects and indicates that three relationships are possible; for example, A and/or B can mean: A alone, both A and B, or B alone. In addition, the character "/" herein generally indicates an "or" relationship between the objects before and after it.
The first aspect of the present invention provides a method for detecting DNS full-traffic hijacking risk. Refer to Fig. 1, which is a flowchart of the first DNS full-traffic hijacking risk detection method in the embodiments of the present invention. The method includes:
S101: Obtain one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names;
S102: Perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S103: Determine whether a LAN address exists among the one or more target IP addresses;
S104: When a LAN address exists among the one or more target IP addresses, determine that the user equipment (UE) has a DNS full-traffic hijacking risk.
The one or more target domain names in the embodiments of the present invention are one test domain name or a group of test domain names used for detecting DNS full-traffic hijacking. In order to detect DNS full-traffic hijacking risk using this domain name or group of domain names, each target domain name in the embodiments of the present invention is specifically a WAN domain name. In a specific implementation, the UE may obtain the one or more target domain names when it needs to detect DNS full-traffic hijacking risk, or may obtain them in advance when detection is not yet needed; the present invention imposes no specific limitation.
The moment at which S102 to S104 are performed to detect DNS full-traffic hijacking may be any moment while the UE is powered on, or may recur at a predetermined interval, for example starting one detection every hour, or may be each moment at which the UE connects to a network. Alternatively, before S102, the method further includes:
Determining whether the UE has connected to a new wireless access point (AP);
When the UE has connected to a new AP, performing the step of performing DNS resolution on the one or more target domain names.
Specifically, in the embodiments of the present invention, there are two kinds of new AP (wireless access point, Access Point). Let T1 denote an arbitrary moment. In the first case, the UE was connected to a first AP before T1 and at T1 switched to a second AP different from the first AP; the second AP is then a new AP. In the second case, the UE was not connected to any AP before T1 and connected to a third AP at T1; the third AP is then a new AP.
For the first case, when the UE switches AP or AC (access controller, Access Control), it obtains the SSID (service set identifier, Service Set IDentifier) of the AP or AC connected to after the switch and the SSID of the AP or AC connected to before the switch. It then determines whether the SSID of the AP or AC connected to after the switch is the same as the SSID of the AP or AC connected to before the switch. If the two SSIDs differ, this indicates that the UE has connected to a new AP. At this point the UE cannot confirm whether the currently connected network, that is, the network where the new AP is located, has a DNS full-traffic hijacking risk, so S102 is performed and DNS full-traffic hijacking risk detection is started. In other words, when the UE switches to a new network, S102 to S104 are performed to detect the DNS full-traffic hijacking risk of the new network.
For the second case, when the UE goes from not being connected to any AP to being connected to an AP, the UE cannot confirm whether the currently connected network has a DNS full-traffic hijacking risk, so S102 is performed and DNS full-traffic hijacking risk detection is started. In other words, when the UE first connects to a network, S102 to S104 are performed to detect the DNS full-traffic hijacking risk of that network.
There are several ways to obtain the target domain names in S101; two of them are described below. Specifically, S101 in the embodiments of the present invention can be implemented by the following process:
Reading the one or more target domain names that were received from a server corresponding to the UE and stored in the storage space of the UE; or
Determining, from multiple candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
Specifically, the one or more target domain names obtained by the UE in the embodiments of the present invention may be delivered by the server, may be configured and selected by the UE itself, or some may be received from the server while others are configured by the UE itself. In a specific implementation, a person of ordinary skill in the art may choose according to actual needs; the present invention imposes no specific limitation.
Specifically, if the target domain names are delivered by the server, because the target domain names in the embodiments of the present invention are WAN domain names, the server selects one or more WAN domain names as target domain names and then delivers them to the UE at any moment. After receiving the one or more target domain names delivered by the server, the UE stores them in its own storage space, and reads the one or more target domain names from the storage space when it needs to obtain them.
For example, the server delivers data in the following JSON structure to the UE,
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores the ten target domain names in the storage space of the UE. When the target domain names need to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read from the storage space.
If the target domain names are configured by the UE itself, the UE determines, from multiple candidate domain names, one or more domain names that meet the preset condition as target domain names. Specifically, the candidate domain names may be domain names the UE has accessed in the past, domain names it is currently able to access, and so on; the present invention imposes no specific limitation. In the embodiments of the present invention, because the target domain names are WAN domain names, the preset condition is specifically that the domain name is a WAN domain name, and the UE selects one or more WAN domain names from the multiple candidate domain names as target domain names.
In a specific implementation, a person of ordinary skill in the art may, according to actual needs, choose either of the above two methods for obtaining target domain names, or combine the two; the present invention imposes no specific limitation.
After the one or more target domain names are obtained in S101, the UE performs DNS resolution on each domain name in S102 to obtain the IP address corresponding to each target domain name. In the embodiments of the present invention, the IP address obtained by DNS resolution of a target domain name is called a target IP address.
Next, in S103, it is determined whether a LAN address exists among all the target IP addresses. Specifically, the method for determining whether a target IP address is a LAN IP address is to determine whether the target IP address falls within any one of the ClassA, ClassB or ClassC intervals. The address range of the ClassA interval is 10.0.0.0 to 10.255.255.255, the address range of the ClassB interval is 172.16.0.0 to 172.31.255.255, and the address range of the ClassC interval is 192.168.0.0 to 192.168.255.255. If the target IP address falls within any one of the ClassA, ClassB or ClassC intervals, the target IP address is a LAN address; conversely, if the target IP address falls within none of the ClassA, ClassB and ClassC intervals, the target IP address is not a LAN address.
Because the target domain names in the embodiments of the present invention are WAN domain names, and under secure conditions the IP address corresponding to a WAN domain name is a WAN address, the presence of a LAN address among the one or more target IP addresses indicates that the AP or AC the UE is currently connected to may have been hijacked. Therefore, when a LAN address exists among the one or more target IP addresses, it is determined in S104 that the UE has DNS full-traffic hijacking.
As can be seen from the above description, because the IP address corresponding to a target domain name is a WAN address, when a LAN address exists among the one or more target IP addresses, it is determined that the UE has a DNS full-traffic hijacking risk. Therefore, even if the target IP address resolved for a target domain name is not in a blacklist database, it can still be determined that the UE has a DNS full-traffic hijacking risk. The technical solution in the embodiments of the present invention thus improves the accuracy of detecting DNS full-traffic hijacking.
Further, because the technical solution of the embodiments of the present invention does not need to compare against a huge blacklist database, there is no need to store a blacklist database on the electronic device or the server, which saves the device resources that storing the blacklist database would occupy.
In a specific implementation, S101 to S104 may all be performed by the UE; alternatively, the UE performs S101 to S102 and the server then performs S103 to S104, that is, after resolving the target IP addresses the UE reports them to the server, which performs the detection and determination. Where the UE performs S101 to S104 independently, the UE does not need the participation of the server when detecting DNS full-traffic hijacking, so the present invention further prevents a malicious party who has hijacked DNS from monitoring the interaction between the UE and the server and thereby interfering with detection, or even sending the UE false information indicating that the network is secure.
Further, as an optional embodiment, in order to further detect the risk of DNS full-traffic hijacking, when no LAN address exists among the one or more target IP addresses, the method may further include:
Determining whether identical addresses exist among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
When identical addresses exist among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
Specifically, in the embodiments of the present invention, the target domain names are not only WAN domain names; their known IP addresses also differ from one another. In other words, the target domain names are specifically WAN domain names that correspond to different IP addresses.
Therefore, if the target domain names are delivered by the server, the server, through resolution and verification, selects one or more WAN domain names whose corresponding IP addresses differ from one another as target domain names and delivers them to the UE, which stores them; then, when obtaining the target domain names, the UE reads from its storage space the one or more WAN domain names whose known IP addresses differ from one another.
For example, through resolution and verification, the server determines that the IP addresses corresponding to the ten WAN domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are all different. The ten domain names and the IP address corresponding to each domain name are shown in Table 1.
Table 1
Therefore, the server delivers data in the following JSON structure to the UE,
After receiving the data in the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores the ten target domain names in the storage space of the UE. When the target domain names need to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read from the storage space.
If the target domain names are determined by the UE, the preset condition is specifically that the domain name is a WAN domain name whose corresponding IP address differs from the others. DNS resolution is performed on the multiple candidate domain names to resolve the one or more IP addresses corresponding to each candidate domain name, and the candidate domain names whose set of identical IP addresses is empty and which are WAN domain names are then selected as target domain names.
In a specific implementation, the IP address that a malicious party returns to the UE may well be a WAN address. Therefore, in the embodiments of the present invention, when no LAN address exists among the one or more target IP addresses, it is further determined whether identical addresses exist among the one or more target IP addresses in order to detect the risk of DNS full-traffic hijacking.
When DNS full-traffic hijacking occurs, access to every domain name returns the same IP address to the UE. In addition, to avoid being discovered, a malicious party sometimes returns to the UE an IP address chosen at random from a group of IP addresses, all of which are IP addresses of servers the malicious party controls. Therefore, if identical addresses exist among the one or more target IP addresses, this indicates that the AP or AC the UE is currently connected to may have been hijacked. So, when no LAN address exists among the one or more target IP addresses but identical addresses do exist, it is determined that the UE has DNS full-traffic hijacking.
As an example, assume that the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. None of the 5 target IP addresses is a LAN address, but the 1st target IP address and the 5th target IP address are identical, so it is determined that identical addresses exist among the target IP addresses, and in turn that the UE has a DNS full-traffic hijacking risk.
As another example, assume that the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. None of the 5 target IP addresses is a LAN address, but the 1st target IP address and the 5th target IP address are identical, and the 2nd target IP address and the 4th target IP address are identical, so it is determined that identical addresses exist among the target IP addresses, and in turn that the UE has a DNS full-traffic hijacking risk.
As can be seen from the above description, when no LAN address exists among the target IP addresses resolved by the UE, it is further determined whether identical addresses exist among the target IP addresses, and if identical addresses exist, it is determined that the UE has DNS full-traffic hijacking. Thus, by determining whether a LAN address exists among the target IP addresses and, when no LAN address exists, further determining whether identical addresses exist among the target IP addresses in order to detect DNS full-traffic hijacking risk, the detection accuracy of the embodiments of the present invention is further improved.
Further, in combination with the above embodiment, the method in the embodiments of the present invention also includes:
When no identical addresses exist among the one or more target IP addresses, determining that the UE has no DNS full-traffic hijacking risk.
Specifically, when no identical addresses exist among the one or more target IP addresses, each target domain name is currently being resolved correctly to a different WAN IP address, so the likelihood that DNS full-traffic hijacking is occurring is low. Therefore, when no LAN address exists among the one or more target IP addresses and, further, no identical addresses exist either, it is determined that the UE has no DNS full-traffic hijacking risk.
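The new-AP trigger, S102 to S104 and the optional identical-address check described above can be sketched as follows. This is an added example, not code from the patent: the function names, the result format, the handling of unresolved names, the .example domain names and the pairing of domain names to addresses are assumptions constructed for illustration, while the LAN ranges and the five addresses of the identical-address sample are the ones given in the description.

```python
import ipaddress
import socket
from collections import defaultdict

# LAN ranges exactly as listed in the description (ClassA, ClassB, ClassC intervals).
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),      # 10.0.0.0 to 10.255.255.255
    ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 to 172.31.255.255
    ipaddress.ip_network("192.168.0.0/16"),  # 192.168.0.0 to 192.168.255.255
]


def is_lan_address(ip):
    """S103: True if the address falls in one of the three LAN intervals."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def is_new_ap(previous_ssid, current_ssid):
    """Trigger check before S102: first association, or SSID changed on a switch."""
    if current_ssid is None:          # not connected to any AP, nothing to test
        return False
    return previous_ssid is None or previous_ssid != current_ssid


def system_resolver(domain):
    """S102 through the OS resolver, i.e. the DNS server the current network assigned.
    Returns a sorted list of IPv4 strings, empty if resolution fails."""
    try:
        infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def detect_full_traffic_hijack(target_domains, resolve=system_resolver):
    """Run S102 to S104 plus the identical-address check on the target domains.

    target_domains must be WAN domain names whose known IP addresses all differ.
    Returns a dict with keys: risk (bool), reason, evidence, unresolved.
    """
    resolved = {d: resolve(d) for d in target_domains}
    # Assumption: a name that fails to resolve is reported, not counted as risk.
    unresolved = sorted(d for d, ips in resolved.items() if not ips)

    # S103/S104: any LAN address returned for a WAN domain name means risk.
    lan_hits = {}
    for domain, ips in resolved.items():
        hits = [ip for ip in ips if is_lan_address(ip)]
        if hits:
            lan_hits[domain] = hits
    if lan_hits:
        return {"risk": True, "reason": "lan_address",
                "evidence": lan_hits, "unresolved": unresolved}

    # Optional step: the same address returned for two different target domains.
    owners = defaultdict(set)
    for domain, ips in resolved.items():
        for ip in ips:
            owners[ip].add(domain)
    shared = {ip: sorted(ds) for ip, ds in owners.items() if len(ds) > 1}
    if shared:
        return {"risk": True, "reason": "identical_address",
                "evidence": shared, "unresolved": unresolved}

    return {"risk": False, "reason": "none", "evidence": {}, "unresolved": unresolved}


def table_resolver(table):
    """Offline stand-in for DNS resolution, backed by a constructed answer table."""
    return lambda domain: list(table.get(domain, []))


# Constructed answers. The five addresses in SAMPLE_IDENTICAL are those of the
# description's first identical-address example; the domain names are placeholders.
SAMPLE_IDENTICAL = {
    "shop.example": ["123.125.112.202"],
    "mail.example": ["220.181.12.208"],
    "pay.example": ["111.206.227.118"],
    "bank.example": ["110.76.19.33"],
    "search.example": ["123.125.112.202"],
}
SAMPLE_LAN = {**SAMPLE_IDENTICAL, "bank.example": ["192.168.1.1"]}
SAMPLE_CLEAN = {d: ips for d, ips in SAMPLE_IDENTICAL.items() if d != "search.example"}

if __name__ == "__main__":
    for name, table in [("identical", SAMPLE_IDENTICAL), ("lan", SAMPLE_LAN),
                        ("clean", SAMPLE_CLEAN)]:
        print(name, detect_full_traffic_hijack(list(table), table_resolver(table)))
```

With the default resolver the check queries whatever DNS server the current network handed out, which is the path the method is meant to test.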
The second aspect of the present invention provides another method for detecting DNS full-traffic hijacking risk. Refer to Fig. 2, which is a flowchart of the second DNS full-traffic hijacking risk detection method in the embodiments of the present invention. The method includes:
S201: Obtain one or more target domain names used for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
S202: Perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S203: Determine whether identical addresses exist among the one or more target IP addresses;
S204: When identical addresses exist among the one or more target IP addresses, determine that the UE has a DNS full-traffic hijacking risk.
In a specific implementation, the moment at which the second method for detecting DNS full-traffic hijacking risk is started in order to check network security is the same as the moment at which the first detection method is started, and is not repeated here. Among the above steps, S201 is similar to S101 and S202 is similar to S102; since S101 and S102 have been described in detail above, the points they have in common are not repeated in this embodiment.
S201 differs from S101 in that the target domain names in this embodiment are specifically domain names whose known IP addresses are different from one another. Therefore, if the target domain names are issued by the server, the server verifies by resolution, selects one or more domain names whose corresponding IP addresses are different, and issues them to the UE as target domain names. The UE stores them, and when obtaining the target domain names, the UE reads from its storage space the one or more target domain names whose known corresponding IP addresses are different.
For example, through resolution verification, the server determines that the IP addresses corresponding to the ten domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are all different, as shown in Table 1.
Therefore, the server issues data with the following JSON structure to the UE,
After receiving the data with the above JSON structure, the UE parses out the ten target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn, and stores the ten target domain names in the storage space of the UE. When the target domain names need to be obtained, the target domain names baifubao.com, mail.163.com, jd.com, suning.com, alipay.com, 95516.com, so.cn, ccb.com, icbc.com.cn and www.cmbc.com.cn are read from the storage space.
In addition, S201 also differs from S101 in that the target domain names in this embodiment are specifically domain names whose known IP addresses are different from one another. Therefore, if the target domain names are determined by the UE, the preset condition is specifically that the corresponding IP addresses are different: DNS resolution is performed on multiple candidate domain names to resolve the one or more IP addresses corresponding to each candidate domain name, and the candidate domain names whose set of identical IP addresses is empty are then selected as target domain names.
Next, in S203, it is judged whether identical addresses exist among the one or more target IP addresses. Specifically, when DNS full-traffic hijacking occurs, accessing any domain name returns the same IP address to the UE. Meanwhile, to avoid discovery, an attacker sometimes returns to the UE an IP address picked at random from a group of IP addresses, all of which are in fact IP addresses of servers controlled by the attacker. Therefore, if identical addresses exist among the one or more target IP addresses, the AP or AC that the UE has accessed may have been hijacked. So, when identical addresses exist among the one or more target IP addresses, it is determined in S204 that the UE is subject to DNS full-traffic hijacking.
For example, suppose the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The 1st target IP address and the 5th target IP address are identical, so it is determined that identical addresses exist among the target IP addresses, and hence that the UE is at risk of DNS full-traffic hijacking.
As another example, suppose the target IP addresses are 123.125.112.202, 110.76.19.33, 111.206.227.118, 110.76.19.33 and 123.125.112.202. The 1st target IP address and the 5th target IP address are identical, and the 2nd target IP address and the 4th target IP address are identical, so it is determined that identical addresses exist among the target IP addresses, and hence that the UE is at risk of DNS full-traffic hijacking.
As can be seen from the foregoing description, because the known IP addresses corresponding to the target domain names are different from one another, when identical addresses exist among the one or more target IP addresses, it is determined that the UE is at risk of DNS full-traffic hijacking. Therefore, even if the target IP addresses resolved for the target domain names are not in a blacklist database, it can still be determined that the UE is at risk of DNS full-traffic hijacking. The technical solution in the embodiment of the present invention thus improves the accuracy of detecting DNS full-traffic hijacking.
Further, because the technical solution of the embodiment of the present invention does not need to compare against a huge blacklist database, there is no need to store a blacklist database on the electronic device or the server, which saves the device resources that storing the blacklist data would occupy.
In a specific implementation, S201 to S204 may all be performed by the UE; alternatively, the UE performs S201 to S202 and the server then performs S203 to S204, that is, the UE reports the resolved target IP addresses to the server, which carries out the detection and judgment. When the UE performs S201 to S204 independently, the UE does not need the participation of the server when detecting DNS full-traffic hijacking, so the present invention further prevents an attacker who has hijacked DNS from monitoring the interaction between the UE and the server and thereby interfering with detection, or even sending the UE false information indicating that the network is secure.
Further, as an optional embodiment, in order to further detect the risk of DNS full-traffic hijacking, when no identical address exists among the one or more target IP addresses, the method may further include:
Judging whether a LAN address exists among the one or more target IP addresses, wherein the one or more target domain names are specifically wide area network (WAN) domain names;
When a LAN address exists among the one or more target IP addresses, determining that the UE is at risk of DNS full-traffic hijacking.
Specifically, in this embodiment, the target domain names are not only domain names whose known IP addresses are different from one another, but are also WAN domain names. In other words, the target domain names are specifically WAN domain names that correspond to different IP addresses.
Therefore, if the target domain names are issued by the server, the server verifies by resolution, selects one or more WAN domain names whose corresponding IP addresses are different, and issues them to the UE as target domain names. The UE stores them, and when obtaining the target domain names, the UE reads from its storage space the one or more target domain names whose known IP addresses are different and which are WAN domain names.
If the target domain names are determined by the UE, the preset condition is specifically WAN domain names whose corresponding IP addresses are different: DNS resolution is performed on multiple candidate domain names to resolve the one or more IP addresses corresponding to each candidate domain name, and the candidate domain names whose set of identical IP addresses is empty and which are WAN domain names are then selected as target domain names.
In a specific implementation, an attacker may happen to return to the UE target IP addresses that are all different, but a LAN address among those target IP addresses likewise exposes the hijacking. Therefore, in this embodiment, when no identical address exists among the one or more target IP addresses, it is further judged whether a LAN address exists among the one or more target IP addresses in order to detect DNS full-traffic hijacking risk.
The method for judging whether one or more target IP addresses are LAN IP addresses has been described in detail above, and is therefore not repeated here.
Because the target domain names in this embodiment are WAN domain names, and under secure conditions the IP address corresponding to a WAN domain name is a WAN address, the presence of a LAN address among the one or more target IP addresses indicates that the AP or AC that the UE has accessed may have been hijacked. So, when no identical address exists among the one or more target IP addresses but a LAN address exists, it is determined that the UE is subject to DNS full-traffic hijacking.
As can be seen from the foregoing description, when no identical address exists among the target IP addresses resolved by the UE, it is further judged whether a LAN address exists among the target IP addresses; if a LAN address exists, it is determined that the UE is subject to DNS full-traffic hijacking. Thus, by judging whether identical addresses exist among the target IP addresses and, when none exist, further judging whether a LAN address exists among them, the risk of DNS full-traffic hijacking is detected and the detection accuracy of the embodiment of the present invention is further improved.
Further, in combination with the above embodiment, the method in the embodiment of the present invention also includes:
When no LAN address exists among the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when no LAN address exists among the one or more target IP addresses, each target domain name has currently been resolved accurately to a different WAN IP address, so the likelihood that DNS full-traffic hijacking is occurring is low. Therefore, when no identical address exists among the one or more target IP addresses and, further, no LAN address exists either, it is determined that the UE is not at risk of DNS full-traffic hijacking.
A third aspect of the present invention provides another method for detecting DNS full-traffic hijacking risk. Refer to Fig. 3, which is a flow chart of the third method for detecting DNS full-traffic hijacking risk in an embodiment of the present invention. The method includes:
S301: Obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically wide area network (WAN) domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
S302: Perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
S303: Judge whether a LAN address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
S304: When a LAN address exists among the one or more target IP addresses, or identical addresses exist among the one or more target IP addresses, determine that the user equipment (UE) is at risk of DNS full-traffic hijacking.
In a specific implementation, the moment at which the third method for detecting DNS full-traffic hijacking risk is started in order to check network security is the same as the moment at which the first and second detection methods are started, and is not repeated here. Among the above steps, S301 is similar to S101 and S201, and S302 is similar to S102 and S202; since S101 and S102 have been described in detail above, the points they have in common are not repeated in this embodiment.
S301 differs from S101 in that the target domain names in this embodiment are specifically WAN domain names whose known IP addresses are different from one another. Therefore, if the target domain names are issued by the server, the server verifies by resolution, selects one or more WAN domain names whose corresponding IP addresses are different, and issues them to the UE as target domain names. The UE stores them, and when obtaining the target domain names, the UE reads from its storage space the one or more target domain names whose known IP addresses are different and which are WAN domain names.
If the target domain names are determined by the UE, the preset condition is specifically WAN domain names whose corresponding IP addresses are different: DNS resolution is performed on multiple candidate domain names to resolve the one or more IP addresses corresponding to each candidate domain name, and the candidate domain names whose set of identical IP addresses is empty and which are WAN domain names are then selected as target domain names.
Next, in S303, it is judged whether a LAN address exists among the one or more target IP addresses, and whether identical addresses exist. If a LAN address exists among the one or more target IP addresses, or identical addresses exist, the AP or AC that the UE has accessed may have been hijacked. So, when a LAN address exists among the one or more target IP addresses, or identical addresses exist, it is determined in S304 that the UE is subject to DNS full-traffic hijacking.
For example, suppose the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 110.76.19.33 and 123.125.112.202. All 5 target IP addresses are WAN addresses, but the 1st target IP address and the 5th target IP address are identical, so it is determined that the UE is at risk of DNS full-traffic hijacking.
As another example, suppose the target IP addresses are 123.125.112.202, 220.181.12.208, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The 5 target IP addresses are all different, but the 5th target IP address is a LAN address, so it is determined that the UE is at risk of DNS full-traffic hijacking.
As a further example, suppose the target IP addresses are 123.125.112.202, 123.125.112.202, 111.206.227.118, 175.25.168.40 and 192.168.1.1. The 5th target IP address is a LAN address, and the 1st target IP address and the 2nd target IP address are identical, so it is determined that the UE is at risk of DNS full-traffic hijacking.
As can be seen from the foregoing description, because the known target domain names correspond to different known IP addresses, and each known IP address is a WAN address, when a LAN address exists among the one or more target IP addresses, or identical target IP addresses exist, it is determined that the UE is at risk of DNS full-traffic hijacking. Therefore, even if the target IP addresses resolved for the target domain names are not in a blacklist database, it can still be determined that the UE is at risk of DNS full-traffic hijacking. The technical solution in the embodiment of the present invention thus improves the accuracy of detecting DNS full-traffic hijacking.
Further, because the technical solution of the embodiment of the present invention does not need to compare against a huge blacklist database, there is no need to store a blacklist database on the electronic device or the server, which saves the device resources that storing the blacklist data would occupy.
In a specific implementation, S301 to S304 may all be performed by the UE; alternatively, the UE performs S301 to S302 and the server then performs S303 to S304, that is, the UE reports the resolved target IP addresses to the server, which carries out the detection and judgment. When the UE performs S301 to S304 independently, the UE does not need the participation of the server when detecting DNS full-traffic hijacking, so the present invention further prevents an attacker who has hijacked DNS from monitoring the interaction between the UE and the server and thereby interfering with detection, or even sending the UE false information indicating that the network is secure.
Further, in combination with the above embodiment, the method in the embodiment of the present invention also includes:
When no LAN address exists among the one or more target IP addresses, and no identical address exists among the one or more target IP addresses, determining that the UE is not at risk of DNS full-traffic hijacking.
Specifically, when no LAN address exists among the one or more target IP addresses and no identical address exists, each target domain name has currently been resolved accurately to a different WAN IP address, so the likelihood that DNS full-traffic hijacking is occurring is low. Therefore, when no LAN address and no identical address exist among the one or more target IP addresses, it is determined that the UE is not at risk of DNS full-traffic hijacking.
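The S303/S304 decision and the UE-side selection of target domain names described above, as an added example that is not code from the patent. It works on already-resolved addresses so it runs offline; the `tN.example` names, the function names, the greedy selection order, and the reading of "LAN address" as the RFC 1918 private IPv4 ranges are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: "LAN address" is read as the RFC 1918 private IPv4 ranges.
LAN_NETWORKS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(addr):
    """True if addr falls inside one of the assumed LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def select_targets(candidates):
    """UE-side choice of target domain names from candidate domain names.

    candidates maps domain -> addresses obtained on a trusted network.
    A candidate is kept only if every address is a WAN address and none is
    shared with a candidate already kept (greedy, in input order), so the
    kept set has no identical addresses.
    """
    selected, used = [], set()
    for domain, addrs in candidates.items():
        addr_set = set(addrs)
        if not addr_set or any(is_lan(a) for a in addr_set):
            continue  # unresolved, or not a WAN domain name
        if addr_set & used:
            continue  # shares an address with an earlier target
        selected.append(domain)
        used |= addr_set
    return selected


def detect_risk(resolved):
    """S303/S304 over the (target_domain, target_ip) pairs produced by S302."""
    lan_hits = [(d, a) for d, a in resolved if is_lan(a)]
    by_ip = defaultdict(set)
    for domain, addr in resolved:
        # Normalise the textual form before comparing addresses.
        by_ip[str(ipaddress.ip_address(addr))].add(domain)
    shared = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}
    return {"at_risk": bool(lan_hits or shared),
            "lan": lan_hits, "shared": shared}


# Constructed domain names; the address lists are the three worked
# examples given in the text for S303/S304.
NAMES = ["t1.example", "t2.example", "t3.example", "t4.example", "t5.example"]
EXAMPLE_DUPLICATE = list(zip(NAMES, [
    "123.125.112.202", "220.181.12.208", "111.206.227.118",
    "110.76.19.33", "123.125.112.202"]))
EXAMPLE_LAN = list(zip(NAMES, [
    "123.125.112.202", "220.181.12.208", "111.206.227.118",
    "175.25.168.40", "192.168.1.1"]))
EXAMPLE_BOTH = list(zip(NAMES, [
    "123.125.112.202", "123.125.112.202", "111.206.227.118",
    "175.25.168.40", "192.168.1.1"]))

if __name__ == "__main__":
    for label, sample in (("duplicate", EXAMPLE_DUPLICATE),
                          ("lan", EXAMPLE_LAN),
                          ("both", EXAMPLE_BOTH)):
        print(label, detect_risk(sample))
```

Because two unrelated domain names can legitimately share an address (for instance behind the same CDN), the identical-address check is only meaningful for targets chosen, as the text requires, so that their known addresses differ.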
Based on the same inventive concept as the method for detecting DNS full-traffic hijacking risk in the first aspect, a fourth aspect of the present invention provides a first apparatus for detecting DNS full-traffic hijacking risk, as shown in Fig. 4, including:
An obtaining module 101, configured to obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names;
A parsing module 102, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
A first judging module 103, configured to judge whether a LAN address exists among the one or more target IP addresses;
A first determining module 104, configured to determine, when a LAN address exists among the one or more target IP addresses, that the user equipment (UE) is at risk of DNS full-traffic hijacking.
Further, for the case where no LAN address exists among the one or more target IP addresses, the apparatus in the embodiment of the present invention also includes:
A second judging module, configured to judge whether identical addresses exist among the one or more target IP addresses, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
A second determining module, configured to determine, when identical addresses exist among the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Further, the apparatus in the embodiment of the present invention also includes:
A third determining module, configured to determine, when no identical address exists among the one or more target IP addresses, that the UE is not at risk of DNS full-traffic hijacking.
Specifically, the obtaining module 101 is configured to read the one or more target domain names that were received from the server corresponding to the UE and stored in the storage space of the UE; or to determine, from multiple candidate domain names, one or more domain names meeting a preset condition as the one or more target domain names.
Further, the apparatus in the embodiment of the present invention also includes:
A third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has accessed a new wireless access point (AP);
When the UE has accessed a new AP, the parsing module is notified to perform DNS resolution on the one or more target domain names.
The variations and specific examples of the first method for detecting DNS full-traffic hijacking risk in the embodiment of Fig. 1 apply equally to the apparatus for detecting DNS full-traffic hijacking risk of this embodiment. From the foregoing detailed description of the detection method, those skilled in the art can clearly understand how the detection apparatus of this embodiment is implemented, so for brevity of the specification it is not described in detail here.
Based on the same inventive concept as the method for detecting DNS full-traffic hijacking risk in the second aspect, a fifth aspect of the present invention provides a second apparatus for detecting DNS full-traffic hijacking risk, as shown in Fig. 5, including:
An obtaining module 201, configured to obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names are different from one another;
A parsing module 202, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
A first judging module 203, configured to judge whether identical addresses exist among the one or more target IP addresses;
A first determining module 204, configured to determine, when identical addresses exist among the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Further, for the case where no identical address exists among the one or more target IP addresses, the apparatus in the embodiment of the present invention also includes:
A second judging module, configured to judge whether a LAN address exists among the one or more target IP addresses, wherein the one or more target domain names are specifically WAN domain names;
A second determining module, configured to determine, when a LAN address exists among the one or more target IP addresses, that the UE is at risk of DNS full-traffic hijacking.
Further, the apparatus in the embodiment of the present invention also includes:
A third determining module, configured to determine, when no LAN address exists among the one or more target IP addresses, that the UE is not at risk of DNS full-traffic hijacking.
Specifically, the obtaining module 201 is configured to read the one or more target domain names that were received from the server corresponding to the UE and stored in the storage space of the UE; or to determine, from multiple candidate domain names, one or more domain names meeting a preset condition as the one or more target domain names.
Further, the apparatus in the embodiment of the present invention also includes:
A third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has accessed a new wireless access point (AP);
When the UE has accessed a new AP, the parsing module is notified to perform DNS resolution on the one or more target domain names.
The variations and specific examples of the second method for detecting DNS full-traffic hijacking risk in the embodiment of Fig. 2 apply equally to the apparatus for detecting DNS full-traffic hijacking risk of this embodiment. From the foregoing detailed description of the detection method, those skilled in the art can clearly understand how the detection apparatus of this embodiment is implemented, so for brevity of the specification it is not described in detail here.
Based on the same inventive concept as the method for detecting DNS full-traffic hijacking risk in the third aspect, a sixth aspect of the present invention provides a third apparatus for detecting DNS full-traffic hijacking risk, as shown in Fig. 6, including:
An obtaining module 301, configured to obtain one or more target domain names for detecting Domain Name System (DNS) full-traffic hijacking risk, wherein the one or more target domain names are specifically WAN domain names, and the known Internet Protocol (IP) addresses corresponding to the one or more target domain names are different from one another;
A parsing module 302, configured to perform DNS resolution on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
A judging module 303, configured to judge whether a LAN address exists among the one or more target IP addresses, and whether identical addresses exist among the one or more target IP addresses;
A determining module 304, configured to determine, when a LAN address exists among the one or more target IP addresses, or identical addresses exist among the one or more target IP addresses, that the user equipment (UE) is at risk of DNS full-traffic hijacking.
The variations and specific examples of the third method for detecting DNS full-traffic hijacking risk in the embodiment of Fig. 3 apply equally to the apparatus for detecting DNS full-traffic hijacking risk of this embodiment. From the foregoing detailed description of the detection method, those skilled in the art can clearly understand how the detection apparatus of this embodiment is implemented, so for brevity of the specification it is not described in detail here.
The one or more technical solutions in the embodiments of the present application have at least the following one or more technical effects:
In the technical solution of the embodiment of the present invention, one or more target domain names for detecting DNS full-traffic hijacking risk are obtained, wherein the one or more target domain names are specifically WAN domain names. DNS resolution is then performed on the one or more target domain names to obtain the target IP address corresponding to each target domain name, thereby obtaining one or more target IP addresses, and it is then judged whether a LAN address exists among the one or more target IP addresses. Because the IP addresses corresponding to the target domain names are WAN addresses, when a LAN address exists among the one or more target IP addresses, it is determined that the UE is at risk of DNS full-traffic hijacking. Therefore, even if the target IP address resolved for a target domain name is not in a blacklist database, if the target IP address is a LAN address, the network the UE is currently connected to may be subject to full-traffic hijacking, and it can be determined that the UE is at risk of DNS full-traffic hijacking. The above technical solution thus improves the accuracy of detecting DNS full-traffic hijacking.
Further, because the technical solution of the embodiment of the present invention does not need to compare against a huge blacklist database, there is no need to store a blacklist database, which saves the device resources that storing the blacklist database would occupy.
Further, because the technical solution in the embodiment of the present invention can be performed by the UE without the participation of the server, it is possible to prevent an attacker who has hijacked DNS from monitoring the interaction between the UE and the server and thereby interfering with detection, or even sending the UE false information indicating that the network is secure.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system, or other device. Various general-purpose systems may also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Furthermore, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein may be implemented in a variety of programming languages, and that the descriptions of specific languages above are given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It will be understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof in the above description of exemplary embodiments of the invention. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components of an embodiment may be combined into one module or unit or component, and may furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the gateway, proxy server, or system according to embodiments of the present invention. The invention may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention may be stored on a computer-readable medium, or may take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, and third does not indicate any order; these words may be interpreted as names.
The invention discloses A1, a method for detecting DNS full-traffic hijacking risk, characterized by comprising:
obtaining one or more target domain names used to detect Domain Name System (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names differ from one another;
performing DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
judging whether an identical address exists among the one or more target IP addresses;
when an identical address exists among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
A2, the method according to A1, characterized in that, when no identical address exists among the one or more target IP addresses, the method further comprises:
judging whether a LAN address exists among the one or more target IP addresses, wherein the one or more target domain names are specifically wide area network (WAN) domain names;
when a LAN address exists among the one or more target IP addresses, determining that the UE has a DNS full-traffic hijacking risk.
A3, the method according to A2, characterized in that the method further comprises:
when no LAN address exists among the one or more target IP addresses, determining that the UE has no DNS full-traffic hijacking risk.
A4, the method according to any one of A1-A3, characterized in that obtaining the one or more target domain names used to detect DNS full-traffic hijacking risk comprises:
reading the one or more target domain names that were issued by a server corresponding to the UE, received, and stored in the storage space of the UE; or
determining, from a plurality of candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
A5, the method according to any one of A1-A3, characterized in that, before DNS resolution is performed on the one or more target domain names, the method further comprises:
judging whether the UE has accessed a new wireless access point (AP);
when the UE has accessed a new AP, performing the step of carrying out DNS resolution on the one or more target domain names.
B6, a device for detecting DNS full-traffic hijacking risk, characterized by comprising:
an obtaining module, configured to obtain one or more target domain names used to detect Domain Name System (DNS) full-traffic hijacking risk, wherein the known IP addresses corresponding to the one or more target domain names differ from one another;
a parsing module, configured to perform DNS resolution on the one or more target domain names to obtain the target Internet Protocol (IP) address corresponding to each target domain name, thereby obtaining one or more target IP addresses;
a first judging module, configured to judge whether an identical address exists among the one or more target IP addresses;
a first determining module, configured to determine, when an identical address exists among the one or more target IP addresses, that the UE has a DNS full-traffic hijacking risk.
B7, the device according to B6, characterized in that, when no identical address exists among the one or more target IP addresses, the device further comprises:
a second judging module, configured to judge whether a LAN address exists among the one or more target IP addresses, wherein the one or more target domain names are specifically wide area network (WAN) domain names;
a second determining module, configured to determine, when a LAN address exists among the one or more target IP addresses, that the UE has a DNS full-traffic hijacking risk.
B8, the device according to B7, characterized in that the device further comprises:
a third determining module, configured to determine, when no LAN address exists among the one or more target IP addresses, that the UE has no DNS full-traffic hijacking risk.
B9, the device according to any one of B6-B8, characterized in that the obtaining module is configured to read the one or more target domain names that were issued by a server corresponding to the UE, received, and stored in the storage space of the UE; or to determine, from a plurality of candidate domain names, one or more domain names that meet a preset condition as the one or more target domain names.
B10, the device according to any one of B6-B8, characterized in that the device further comprises:
a third judging module, configured to judge, before DNS resolution is performed on the one or more target domain names, whether the UE has accessed a new wireless access point (AP);
and, when the UE has accessed a new AP, to notify the parsing module to perform DNS resolution on the one or more target domain names.
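The decision sequence of A1 to A3, written out as an added example that is not part of the patent text. It assumes "LAN address" means the RFC 1918 private IPv4 ranges; the function names, the injectable `resolver` parameter and the reason strings are hypothetical.

```python
import ipaddress
import socket
from collections import defaultdict

# Assumption: "LAN address" means the RFC 1918 private IPv4 ranges.
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def resolve_ipv4(domain):
    """Resolve through the system resolver, i.e. the DNS path being checked."""
    infos = socket.getaddrinfo(domain, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def assess_hijack_risk(target_domains, resolver=resolve_ipv4):
    """Return (at_risk, reasons) for WAN domains whose known IPs all differ."""
    answers = {}
    for domain in target_domains:
        try:
            answers[domain] = resolver(domain)
        except OSError:  # failed lookup: nothing to compare for this domain
            answers[domain] = []

    reasons = []
    # A1: two target domains must never resolve to the same address.
    seen = defaultdict(set)
    for domain, addrs in answers.items():
        for addr in addrs:
            seen[addr].add(domain)
    for addr, domains in sorted(seen.items()):
        if len(domains) > 1:
            reasons.append(f"same address {addr} for {', '.join(sorted(domains))}")

    # A2: with no identical address, a WAN name must not map to a LAN address.
    if not reasons:
        for domain, addrs in sorted(answers.items()):
            for addr in addrs:
                ip = ipaddress.ip_address(addr)
                if any(ip in net for net in LAN_NETS):
                    reasons.append(f"LAN address {addr} for {domain}")

    # A3: neither condition met, so no risk is determined.
    return bool(reasons), reasons
```

Following A5, a caller would invoke `assess_hijack_risk` once after the UE joins a new AP, passing target domains chosen as in A4.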