CN107623693B - Domain name resolution protection method, device, system, computing equipment and storage medium - Google Patents

Domain name resolution protection method, device, system, computing equipment and storage medium

Info

Publication number: CN107623693B
Authority: CN (China)
Prior art keywords: domain name, name resolution, result, address, cloud
Legal status: Active
Application number: CN201710915052.5A
Other languages: Chinese (zh)
Other versions: CN107623693A (en)
Inventors: 李宜檑, 孙晓骏, 熊昱之, 高鹏
Current Assignee: 3600 Technology Group Co ltd
Original Assignee: Beijing Qihoo Technology Co Ltd
Application filed by Beijing Qihoo Technology Co Ltd with priority to CN201710915052.5A; published as CN107623693A, then granted and published as CN107623693B.

Abstract

The invention discloses a domain name resolution protection method, a device, a system, a computing device and a storage medium, wherein the method comprises the following steps: sending a domain name resolution request carrying domain name information to a DNS (domain name server) for resolution, and intercepting a domain name resolution result returned by the DNS; analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not; and if so, repairing the domain name resolution result and returning the repaired domain name resolution result. By intercepting the returned domain name resolution result, a barrier is constructed between the user and the DNS server, and the network security is guaranteed. The domain name resolution result is analyzed according to the local rule and/or the cloud searching and killing result, so that whether the domain name resolution result is hijacked or not can be judged more accurately, and the analysis efficiency is improved. And after the judgment, the domain name resolution result is repaired, and the returned correct domain name resolution result effectively protects the domain name resolution.

Description

Domain name resolution protection method, device, system, computing equipment and storage medium
Technical Field
The invention relates to the field of network security, in particular to a domain name resolution protection method, a domain name resolution protection device, a domain name resolution protection system, a computing device and a computer storage medium.
Background
The DNS (Domain Name System) is known as the translator of the network: a distributed database on the internet that maps domain names to IP addresses, and today a basic piece of internet infrastructure. The DNS server lets a user access the internet conveniently without having to remember the IP strings that a machine reads directly. The DNS server resolves a domain name into the language used by the machine (an IP address); its existence makes it convenient for users to access websites and provides them with a convenient network service.
With the continuing growth of networks, DNS has become essential network infrastructure. However, because DNS was designed for the early Internet, it pursued speed and efficiency and gave insufficient consideration to security: its protocol system is completely open, with no encryption, no authentication mechanism for access, and no verification of the various query requests, which makes DNS difficult to manage. At the same time, DNS servers are becoming larger and DNS systems are becoming weaker, all of which are reasons why DNS is vulnerable to attacks and hijacking. The security problem of DNS poses a great threat to users' online security. In fact, DNS has become a common means by which hackers and criminals attack users, and DNS hijacking is ubiquitous.
Therefore, a domain name resolution protection method is needed to ensure the security of the user accessing the network.
Disclosure of Invention
In view of the above, the present invention is proposed to provide a domain name resolution protection method and apparatus, a computing device, a computer storage medium, which overcome or at least partially solve the above problems.
According to an aspect of the present invention, there is provided a domain name resolution protection method, including:
sending a domain name resolution request carrying domain name information to a DNS (domain name server) for resolution, and intercepting a domain name resolution result returned by the DNS;
analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not;
and if so, repairing the domain name resolution result and returning the repaired domain name resolution result.
According to another aspect of the present invention, there is provided a domain name resolution guard, comprising:
the intercepting module is suitable for sending a domain name resolution request carrying domain name information to the DNS server for resolution and intercepting a domain name resolution result returned by the DNS server;
the analysis and judgment module is suitable for analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result and judging whether the domain name resolution result is hijacked data or not;
and the repairing module is adapted to repair the domain name resolution result if it is hijacked data and to return the repaired domain name resolution result.
According to another aspect of the present invention, a domain name resolution protection system is provided, which includes a cloud server and the domain name resolution protection apparatus.
According to yet another aspect of the present invention, there is provided a computing device comprising: the system comprises a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface complete mutual communication through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction enables the processor to execute the operation corresponding to the domain name resolution protection method.
According to another aspect of the present invention, a computer storage medium is provided, where at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform an operation corresponding to the domain name resolution protection method.
According to the domain name resolution protection method, the domain name resolution protection device, the domain name resolution protection system, the computing equipment and the storage medium, a domain name resolution request carrying domain name information is sent to a DNS (domain name server) for resolution, and a domain name resolution result returned by the DNS is intercepted; analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not; and if so, repairing the domain name resolution result and returning the repaired domain name resolution result. By intercepting the returned domain name resolution result, a barrier is constructed between the user and the DNS server, and the network security is guaranteed. The domain name resolution result is analyzed according to the local rule and/or the cloud searching and killing result, whether the domain name resolution result is hijacked or not can be judged timely and actively, the judgment is more accurate, and the analysis efficiency is improved. And after the judgment, the domain name resolution result is repaired, the returned correct domain name resolution result does not influence the normal use of the user while ensuring the network safety, and the domain name resolution is effectively protected.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 illustrates a flow diagram of a method of domain name resolution protection according to one embodiment of the invention;
FIG. 2 shows a flow diagram of a domain name resolution protection method according to another embodiment of the invention;
FIG. 3 illustrates a functional block diagram of a domain name resolution guard according to one embodiment of the present invention;
FIG. 4 illustrates a functional block diagram of a domain name resolution guard according to one embodiment of the present invention;
FIG. 5 illustrates a schematic structural diagram of a computing device, according to an embodiment of the invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Fig. 1 shows a flow diagram of a domain name resolution protection method according to one embodiment of the invention. As shown in fig. 1, the domain name resolution protection method specifically includes the following steps:
step S101, sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting a domain name resolution result returned by the DNS server.
After resolving the domain name resolution request, the DNS server returns the domain name resolution result directly; when the DNS is hijacked, the returned result may have been falsified, so the user's real request is not served. Therefore, the domain name resolution result returned by the DNS server needs to be intercepted, so that it can be analyzed and judged in the subsequent steps and a hijacked result is not returned.
Specifically, when the domain name resolution request carrying the domain name information is sent to the DNS server for resolution, the request function of the remote procedure call protocol may be hooked with a fake function, and the request is then sent to the DNS server for resolution. For example, based on Hook technology, a Fakefunc function is constructed to hook the request function of the original remote procedure call protocol, and a callback function is set to intercept the domain name resolution result returned by the DNS server, so that the result is not returned directly.
And S102, analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not.
After the driver intercepts the domain name resolution result, this embodiment passes it asynchronously to privilege level 3 (ring 3, user mode) for analysis. Different analysis strategies can be used for different operating system versions and different versions of the internet protocol, and a dedicated data structure can be defined according to the implementation conditions, so that the domain name resolution result is parsed to obtain the corresponding data, such as the IP address.
In the analysis, the domain name resolution result can be analyzed according to a local rule, that is, a rule formulated by the client, and/or according to the cloud searching and killing result produced by the cloud server, to judge whether the domain name resolution result is hijacked data. If so, step S103 is executed; otherwise the data is released without processing and step S104 is executed.
And step S103, if so, repairing the domain name resolution result.
When the domain name resolution result is judged to be hijacked data, it needs to be repaired. During repair, according to the region information carried in the preceding domain name resolution request, the cloud server screens its statistical big data on region information, domain name information and the like. Based on how normal users located in that region access the domain name information, the cloud server obtains and returns the corresponding white IP address, so that the white IP address corresponding to the region information is obtained: if normal users in a certain region A access a certain IP1 many times, IP1 is obtained. If a local white list of IP addresses exists locally, the white IP address can also be obtained from it according to the region information, domain name information, operator information and the like. The acquired white IP address is used to repair the domain name resolution result.
And step S104, returning a domain name resolution result.
And returning the repaired or non-hijacked domain name resolution result so as to access the corresponding page by using the domain name resolution result in the following.
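The four steps above, modelled end to end as an added Python example (not the patent's or Qihoo's code): the kernel hook on the RPC request function is replaced by a wrapper around a resolver callable, the judgment of step S102 is reduced to a single local black-list rule, and the DNS answers, black list, cloud access statistics and local white list are constructed sample data; every name and the "local list first" repair order are assumptions.

```python
# Added example (not the patent's code): steps S101-S104 of Fig. 1 in Python.
# The Fakefunc hook is modelled as a wrapper around a resolver callable; all
# data below is constructed and every identifier is an assumption.
from collections import Counter
from typing import Callable, Dict, Optional

# Constructed: answers returned by the (possibly hijacked) DNS server.
FAKE_DNS_ANSWERS: Dict[str, str] = {
    "example.com": "203.0.113.7",   # constructed: a hijacked answer
    "example.net": "198.51.100.5",  # constructed: a legitimate answer
}

def original_dns_request(domain: str) -> str:
    """Stands in for the original remote procedure call request function."""
    return FAKE_DNS_ANSWERS[domain]

# Constructed local rule: IP addresses known to be hijack destinations.
LOCAL_BLACK_IPS = {"203.0.113.7"}

# Constructed cloud statistics: (region, domain) -> how often normal users in
# that region reached each IP address for the domain.
CLOUD_ACCESS_STATS: Dict[tuple, Counter] = {
    ("area_a", "example.com"): Counter({"192.0.2.10": 57, "192.0.2.11": 3}),
}

# Constructed local IP address white list keyed by (region, domain, operator).
LOCAL_WHITE_IPS: Dict[tuple, str] = {
    ("area_a", "example.com", "op_x"): "192.0.2.10",
}

def is_hijacked(ip: str) -> bool:
    """S102 (local rule only): a black-listed IP in the result is hijacked data."""
    return ip in LOCAL_BLACK_IPS

def white_ip_from_cloud(region: str, domain: str) -> Optional[str]:
    """Cloud-side screening: the IP that normal users in `region` reach most often."""
    stats = CLOUD_ACCESS_STATS.get((region, domain))
    if not stats:
        return None
    ip, _count = stats.most_common(1)[0]
    return ip

def white_ip_from_local(region: str, domain: str, operator: str) -> Optional[str]:
    """Local white list lookup by region, domain and operator information."""
    return LOCAL_WHITE_IPS.get((region, domain, operator))

def repair(domain: str, region: str, operator: str) -> Optional[str]:
    """S103: obtain a white IP address; the local list is consulted first (assumption)."""
    return white_ip_from_local(region, domain, operator) or white_ip_from_cloud(region, domain)

def protected_resolve(domain: str, region: str, operator: str,
                      request: Callable[[str], str] = original_dns_request) -> dict:
    """S101-S104: the wrapper plays the role of the Fakefunc hook and its callback."""
    raw_ip = request(domain)                     # S101: send request, intercept result
    if not is_hijacked(raw_ip):                  # S102: analyse according to local rule
        return {"ip": raw_ip, "repaired": False}
    fixed_ip = repair(domain, region, operator)  # S103: repair with a white IP
    if fixed_ip is None:
        # Assumption: without a white IP the hijacked result is withheld, not returned.
        return {"ip": None, "repaired": False, "withheld": True}
    return {"ip": fixed_ip, "repaired": True}    # S104: return the repaired result

if __name__ == "__main__":
    for name in ("example.net", "example.com"):
        print(name, protected_resolve(name, "area_a", "op_x"))
```

The cloud statistics are reduced to a per-region counter so the "IP1 accessed many times in region A" rule becomes a `most_common(1)` lookup; a real deployment would also want the result withheld or logged when no white IP can be found, which the wrapper signals with the `withheld` flag.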
According to the domain name resolution protection method provided by the invention, a domain name resolution request carrying domain name information is sent to a DNS (domain name server) for resolution, and a domain name resolution result returned by the DNS is intercepted; analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not; and if so, repairing the domain name resolution result and returning the repaired domain name resolution result. By intercepting the returned domain name resolution result, a barrier is constructed between the user and the DNS server, and the network security is guaranteed. The domain name resolution result is analyzed according to the local rule and/or the cloud searching and killing result, whether the domain name resolution result is hijacked or not can be judged timely and actively, the judgment is more accurate, and the analysis efficiency is improved. And after the judgment, the domain name resolution result is repaired, the returned correct domain name resolution result does not influence the normal use of the user while ensuring the network safety, and the domain name resolution is effectively protected.
Fig. 2 shows a flow diagram of a domain name resolution protection method according to another embodiment of the invention. As shown in fig. 2, the domain name resolution protection method specifically includes the following steps:
step S201, sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting a domain name resolution result returned by the DNS server.
This step is described with reference to step S101 in the embodiment of fig. 1, and is not described herein again.
Step S202, judging whether the IP address included in the domain name resolution result belongs to a local IP address white list according to a local rule.
And judging whether the IP address included in the domain name resolution result belongs to a local IP address white list or not according to a local rule, if the IP address belongs to the local IP address white list, judging that the domain name resolution result is not hijacked data, directly releasing without processing, and executing the step S206. If the IP address does not belong to the local IP address white list, step S203 is executed.
Step S203, determining whether the IP address included in the domain name resolution result belongs to a local IP address blacklist according to a local rule.
And judging whether the IP address included in the domain name resolution result belongs to a local IP address blacklist or not according to the local rule, if the IP address belongs to the local IP address blacklist, judging that the domain name resolution result is hijacked data, and executing the step S205. If the IP address does not belong to the local IP address blacklist, step S204 needs to be continuously executed, and the domain name resolution result is further analyzed according to various cloud searching and killing results.
The execution sequence of step S202 and step S203 is not limited as above. The local IP address white list and/or the local IP address blacklist are required to be downloaded from the cloud server at regular time, and the local IP address white list and/or the local IP address blacklist are updated according to the cloud IP address white list and/or the cloud IP address blacklist so as to guarantee the comprehensiveness of data of the local IP address white list and/or the local IP address blacklist.
The cloud IP address white list can be built by sending domain name resolution requests, distributed across each data center, to one or more white DNS servers to obtain the corresponding white IP addresses, which are added to the cloud IP address white list. To expand the number of white IP addresses, the same domain name resolution request can be sent to several white DNS servers and the union of all resolution results taken. Alternatively, each white IP address (with its corresponding region information, operator information and the like) can be computed from instrumentation points in logs such as those of the web shield, and added to the cloud IP address white list.
The cloud IP address black list can be collected through a big data operation platform, and the collection includes valid black IP addresses for individual domain names as well as valid black IP addresses for all domain names.
And step S204, analyzing the domain name resolution result according to the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not.
The domain name resolution result is analyzed according to the local rule, and when the domain name resolution result cannot be judged whether to be hijacked data or not, the judgment can be carried out according to the cloud searching and killing result. The cloud searching and killing result is obtained by sending the domain name information, the IP address included in the domain name resolution result and the like to the cloud server so that the cloud server can perform cloud searching and killing processing according to the domain name information, the IP address and the like.
Because the local IP address white list and/or local IP address black list are not updated in real time, the cloud IP address white list and/or cloud IP address black list are more up to date and more comprehensive. The cloud server checks whether the IP address included in the domain name resolution result belongs to the cloud IP address white list; if it does, the cloud searching and killing result is that the domain name resolution result is not hijacked data. If the IP address does not belong to the cloud IP address white list, the cloud server checks whether it belongs to the cloud IP address black list; if it does, the cloud searching and killing result is that the domain name resolution result is hijacked data. Whether the domain name resolution result is hijacked data is then judged according to this cloud searching and killing result.
If the IP address belongs to neither the cloud IP address white list nor the cloud IP address black list, a domain name resolution request carrying the domain name information is further sent to a pre-configured DNS server belonging to a DNS server white list, and the secure IP address obtained by that resolution is acquired. A first page is downloaded according to the secure IP address; the first page is the page corresponding to the secure IP address and may be the main page of the website corresponding to the secure IP address. A network request is then made according to the IP address included in the domain name resolution result and the sender host information, and a second page is downloaded; the second page is the page corresponding to that IP address and may be the main page of the website corresponding to that IP address.
And comparing the first page with the second page, and obtaining a cloud searching and killing result according to the similarity comparison result of the pages.
When the first page and the second page are compared, each can be parsed to obtain its DOM tree, and the nodes of the two DOM trees are compared to obtain a similarity comparison result for the two pages. The similarity comparison result includes a difference value between the first page and the second page: if the difference value is larger than a preset threshold, such as 20%, the first page and the second page are considered dissimilar; otherwise they are considered similar. The first page and the second page may also be compared in other ways to obtain the page similarity comparison result, which is not limited here.
The cloud searching and killing result is obtained from the similarity comparison result of the two pages together with the HTTP status codes of the first page and the second page. If the HTTP status code of the second page is not 200, for example 404 or 503, the second page failed to be accessed and there is a high possibility that the domain name resolution result is hijacked data; the similarity comparison result is then examined further, and if the first page and the second page are not similar, the cloud searching and killing result is that the domain name resolution result is hijacked data. If the HTTP status code of the second page is 200, that is, the second page was accessed successfully, and the similarity comparison result is that the first page and the second page are similar, the cloud searching and killing result is that the domain name resolution result is not hijacked data. Alternatively, if the HTTP status code of the second page differs from that of the first page and the pages are not similar, the cloud searching and killing result is that the domain name resolution result is hijacked data; if the HTTP status code of the second page is the same as that of the first page and the pages are similar, the cloud searching and killing result is that the domain name resolution result is not hijacked data.
If the HTTP status code of the second page is not 200 but the similarity comparison result is that the pages are similar, or if the HTTP status code of the second page differs from that of the first page but the pages are similar, further checking is required to obtain a cloud searching and killing result on whether the domain name resolution result is hijacked data.
Because the types of the IP addresses are different, before downloading, the downloading rules of the first page and/or the second page can be preset according to the type of the IP addresses, so that the pages which are easier to compare can be downloaded when the first page and the second page are compared.
And judging whether the domain name resolution result is hijacked data or not according to the cloud searching and killing result. If so, go to step S205, otherwise, go to step S206 without processing.
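The judgment cascade of steps S202 to S204, as an added Python example that is not the patent's code: local white list, local black list, cloud white list, cloud black list, and finally the page comparison, with the difference value computed as one minus the similarity of the two pages' DOM node sequences. The lists, the pages and their HTTP status codes are constructed sample data, downloads are modelled as callables so it runs offline, and the status-code rules are combined in the conservative reading (anything similar but with a failed second page or mismatched codes goes to further checking); the 20% threshold is the one the description gives, every other name is an assumption.

```python
# Added example (not the patent's code): the S202-S204 cascade in Python.
# Lists, pages and status codes are constructed; page fetches are callables.
import difflib
from html.parser import HTMLParser
from typing import Callable, List, Tuple

NOT_HIJACKED, HIJACKED, FURTHER_CHECK = "not_hijacked", "hijacked", "further_check"

# Constructed local rule (S202/S203) and cloud lists (S204).
LOCAL_WHITE = {"192.0.2.10"}
LOCAL_BLACK = {"203.0.113.7"}
CLOUD_WHITE = {"192.0.2.10", "192.0.2.11"}
CLOUD_BLACK = {"203.0.113.7", "203.0.113.8"}

DIFF_THRESHOLD = 0.20  # preset threshold for the page difference value (20%)

Page = Tuple[int, str]  # (HTTP status code, HTML body)

class _NodeCollector(HTMLParser):
    """Flattens a page's DOM tree into its element names in document order."""
    def __init__(self) -> None:
        super().__init__()
        self.nodes: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.nodes.append(tag)

def dom_nodes(html: str) -> List[str]:
    parser = _NodeCollector()
    parser.feed(html)
    return parser.nodes

def page_difference(first_html: str, second_html: str) -> float:
    """Difference value: 1 minus the similarity ratio of the two DOM node sequences."""
    a, b = dom_nodes(first_html), dom_nodes(second_html)
    if not a and not b:
        return 0.0
    return 1.0 - difflib.SequenceMatcher(None, a, b).ratio()

def cloud_verdict(first: Page, second: Page) -> str:
    """Combine the similarity result with both HTTP status codes (conservative reading)."""
    first_status, first_html = first
    second_status, second_html = second
    similar = page_difference(first_html, second_html) <= DIFF_THRESHOLD
    if not similar:
        return HIJACKED        # dissimilar pages, whatever the status codes say
    if second_status == 200 and second_status == first_status:
        return NOT_HIJACKED    # second page reachable, codes agree, pages alike
    return FURTHER_CHECK       # pages alike but second page failed or codes differ

def judge(ip: str, domain: str,
          fetch_first: Callable[[str], Page],
          fetch_second: Callable[[str, str], Page]) -> Tuple[str, str]:
    """Returns (verdict, stage that decided it) for the IP in the intercepted result."""
    if ip in LOCAL_WHITE:
        return NOT_HIJACKED, "local_white"     # S202
    if ip in LOCAL_BLACK:
        return HIJACKED, "local_black"         # S203
    if ip in CLOUD_WHITE:
        return NOT_HIJACKED, "cloud_white"     # S204, cloud lists
    if ip in CLOUD_BLACK:
        return HIJACKED, "cloud_black"
    first = fetch_first(domain)        # page via a white-listed DNS server
    second = fetch_second(ip, domain)  # page from the IP in the intercepted result
    return cloud_verdict(first, second), "page_compare"

# Constructed pages: the genuine main page, a lightly edited copy, an unrelated page.
GENUINE_HTML = "<html><head><title>t</title></head><body><div><p>a</p><p>b</p></div></body></html>"
ALTERED_HTML = "<html><head><title>t</title></head><body><div><p>a</p><p>b</p><p>c</p></div></body></html>"
DIFFERENT_HTML = "<html><body><form><input><input><button></button></form></body></html>"

def fetch_first_sample(domain: str) -> Page:
    return (200, GENUINE_HTML)

def fetch_second_sample(ip: str, domain: str) -> Page:
    constructed = {
        "198.51.100.20": (200, ALTERED_HTML),    # small edit: still similar
        "198.51.100.21": (200, DIFFERENT_HTML),  # unrelated page
        "198.51.100.22": (404, GENUINE_HTML),    # failed, yet looks alike
    }
    return constructed.get(ip, (503, ""))

if __name__ == "__main__":
    for addr in ("192.0.2.10", "203.0.113.8", "198.51.100.20", "198.51.100.21", "198.51.100.22"):
        print(addr, judge(addr, "example.com", fetch_first_sample, fetch_second_sample))
```

Comparing element-name sequences rather than rendered text keeps the check cheap and insensitive to dynamic copy, which is why a genuine page with one extra paragraph stays under the 20% threshold while a login form served from a hijack address does not; an empty or unreachable second page yields a difference of 1.0 and is treated as dissimilar.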
Further, when the domain name resolution result is determined to be hijacked data through steps S202 to S204, the corresponding DNS server may also be checked; once external influencing factors have been ruled out and the server is determined to be a black DNS server, that black DNS server is blocked so that requests are not sent to it again.
Step S205, the domain name resolution result is repaired.
And step S206, returning the repaired domain name resolution result.
The above steps refer to the description of steps S103-S104 in the embodiment of fig. 1, and are not described again here.
It should be noted that steps S202 to S204 may be specifically executed by a first process, and step S205 is specifically executed by a second process. The first process and the second process are in an asynchronous processing mode, so that the concurrent processing speed can be improved during processing.
According to the domain name resolution protection method provided by the invention, after a domain name resolution result returned by the DNS server is intercepted, the domain name resolution result is analyzed in sequence according to local rules, cloud searching and killing results and the like, and whether the domain name resolution result is hijacked data or not is judged. Whether the domain name resolution result is hijacked or not can be judged timely and actively. And the judgment is firstly carried out locally, and the execution speed is high. If the local rule cannot be judged, judgment is carried out through the cloud searching and killing result, and the judgment accuracy is guaranteed. If the domain name resolution result is hijacked data, the domain name resolution result is repaired, the returned correct domain name resolution result after repair does not influence the normal use of the user while ensuring the network safety, and the domain name resolution is effectively protected.
FIG. 3 illustrates a functional block diagram of a domain name resolution guard, according to one embodiment of the invention. As shown in fig. 3, the domain name resolution guard includes the following modules:
the intercepting module 310 is adapted to send a domain name resolution request carrying domain name information to the DNS server for resolution, and intercept a domain name resolution result returned by the DNS server.
After resolving the domain name resolution request, the DNS server returns the domain name resolution result directly; when the DNS is hijacked, the returned result may have been falsified, so the user's real request is not served. Therefore, the intercepting module 310 is required to intercept the domain name resolution result returned by the DNS server, so that it can be analyzed and judged subsequently and a hijacked result is not returned.
When sending the domain name resolution request carrying the domain name information to the DNS server for resolution, the intercepting module 310 may hook the remote procedure call protocol request function using a fake function, and send the domain name resolution request carrying the domain name information to the DNS server for resolution. For example, the intercepting module 310 constructs a Fakefunc function to Hook off a request function of an original remote procedure call protocol based on the Hook technology, and sets a callback function to intercept a domain name resolution result returned by the DNS server, so as to avoid direct return of the domain name resolution result.
The analysis and determination module 320 is adapted to analyze the domain name resolution result according to the local rule and/or the cloud searching and killing result, and determine whether the domain name resolution result is hijacked data.
After the intercepting module 310 intercepts the domain name resolution result, this embodiment passes it asynchronously to privilege level 3 (ring 3, user mode) for analysis. The analysis and determination module 320 may use different analysis strategies for different operating system versions and different versions of the internet protocol, may define a dedicated data structure according to the implementation conditions, and parses the domain name resolution result to obtain the corresponding data, such as the IP address.
When the analysis determining module 320 performs the analysis, the domain name resolution result may be analyzed according to a local rule, i.e., a rule formulated by the client. The analysis and determination module 320 may further perform analysis according to a cloud searching and killing result executed by the cloud server, and determine whether the domain name resolution result is hijacked data. If the analyzing and determining module 320 determines that the domain name resolution result is hijacked data, the repairing module 330 is executed, otherwise, the data is released without processing.
The analysis and judgment module 320 includes a local judgment module 321 and/or a cloud searching and killing result obtaining module 322.
The local judgment module 321 is adapted to judge whether the IP address included in the domain name resolution result belongs to a local IP address white list and/or a local IP address black list; if the IP address belongs to a local IP address white list, judging that the domain name resolution result is not hijacked data; and if the IP address belongs to the local IP address blacklist, judging that the domain name resolution result is hijacked data.
The local determining module 321 determines, according to the local rule, whether the IP address included in the domain name resolution result belongs to the local IP address white list; if it does, the local determining module 321 determines that the domain name resolution result is not hijacked data and releases it directly without processing. If the IP address does not belong to the local IP address white list, the local determining module 321 determines, according to the local rule, whether the IP address belongs to the local IP address black list; if it does, the local determining module 321 determines that the domain name resolution result is hijacked data, and the repairing module 330 is executed. If the IP address does not belong to the local IP address black list either, the cloud searching and killing result obtaining module 322 may be executed next, and the domain name resolution result is analyzed according to the various cloud searching and killing results.
In the above, the execution sequence of the local determining module 321 first determining whether the IP address belongs to the local IP address white list or the IP address belongs to the local IP address black list is not limited.
Because the data of the local IP address white list and/or the local IP address black list needs to be updated according to the actual situation, the apparatus further includes a timing update module 340.
The timing updating module 340 is suitable for downloading a cloud IP address white list and/or a cloud IP address black list from a cloud server at regular time; and updating the local IP address white list and/or the local IP address black list according to the cloud IP address white list and/or the cloud IP address black list.
The timing updating module 340 downloads the cloud IP address white list and/or the cloud IP address blacklist from the cloud server at regular time, and updates the local IP address white list and/or the local IP address blacklist according to the cloud IP address white list and/or the cloud IP address blacklist, so as to ensure the comprehensiveness of the local IP address white list and/or the local IP address blacklist data.
The cloud server may send domain name resolution requests to one or more white DNS servers distributed across its data centers to obtain the corresponding white IP addresses, and add them to the cloud IP address white list. To expand the number of white IP addresses, the cloud server may also send the same domain name resolution request to several white DNS servers and take the union of all resolution results. Alternatively, the cloud server may compute each white IP address (together with its region information, operator information and the like) from instrumentation logs such as those of a web shield, and add these white IP addresses to the cloud IP address white list.
The cloud IP address blacklist can be collected through a big data operation platform and comprises the valid black IP addresses of all domain names.
The cloud searching and killing result obtaining module 322 is adapted to send the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud searching and killing processing according to the domain name information and/or the IP address to obtain a cloud searching and killing result; and judging whether the domain name resolution result is hijacked data or not according to the cloud searching and killing result.
The local determining module 321 may further hand over to the cloud searching and killing result obtaining module 322 to determine whether the domain name resolution result is hijacked data. The cloud searching and killing result obtaining module 322 sends the domain name information, the IP address included in the domain name resolution result, and the like to the cloud server, which performs cloud searching and killing processing according to them and returns a cloud searching and killing result. After obtaining the cloud searching and killing result, which states either that the domain name resolution result is hijacked data or that it is not, the cloud searching and killing result obtaining module 322 determines accordingly whether the domain name resolution result is hijacked data.
And the repairing module 330 is adapted to repair the domain name resolution result if the domain name resolution result is judged to be hijacked data, and return the repaired domain name resolution result.
When the analysis and determination module 320 determines that the domain name resolution result is hijacked data, the domain name resolution result needs to be repaired by the repair module 330. When the repair module 330 performs repair, the cloud server screens the big data of the domain name information according to the region information carried in the domain name resolution request. The cloud server may obtain and return the corresponding white IP address according to how normal users located in that region access the domain name information, so that the repair module 330 obtains the white IP address corresponding to the region information. For example, if normal users in that region accessing domain A have repeatedly been directed to a certain IP1, the repair module 330 acquires IP1. If a local IP address white list exists locally, the repair module 330 may also obtain the white IP address from it according to the region information, domain name information or operator information. The repairing module 330 repairs the domain name resolution result by using the obtained white IP address, and returns the repaired domain name resolution result.
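The decision path described above (local white/black list check, hand-off to the cloud when neither list matches, periodic merge of cloud lists into the local ones, and repair with a white IP chosen by region and operator) can be sketched in a few dozen lines. The block below is an added example and not code from the patent; the cloud IP list check of module 410 is modelled with the same class because it is the same list check run on cloud-held lists. All addresses, domains, regions, operator names and the `WHITE_IP_TABLE` contents are constructed for illustration.

```python
# Added example, not code from the patent: models the local judgement module 321,
# the timing update module 340, the cloud IP list check of module 410 and the
# repair module 330 as plain Python. All values below are constructed.
import ipaddress
from dataclasses import dataclass


@dataclass
class DnsResult:
    """A simplified intercepted resolution result (constructed, not the patent's data structure)."""
    domain: str
    ips: list          # answer section as dotted strings
    region: str        # region information carried with the request
    operator: str      # network operator (ISP) of the requester


class IpListRules:
    """White/black lists held as CIDR networks; used for both local and cloud lists."""

    def __init__(self, white, black):
        self.white = {ipaddress.ip_network(n) for n in white}
        self.black = {ipaddress.ip_network(n) for n in black}

    @staticmethod
    def _contains(nets, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def judge(self, result):
        """'clean' if every IP is white-listed, 'hijacked' if any IP is black-listed,
        'unknown' otherwise. The description leaves the white/black order open;
        the white list is checked first here."""
        verdict = "clean"
        for ip in result.ips:
            if self._contains(self.white, ip):
                continue
            if self._contains(self.black, ip):
                return "hijacked"
            verdict = "unknown"
        return verdict

    def update_from_cloud(self, cloud_white, cloud_black):
        """Timing update module 340: merge the downloaded cloud lists into the local ones."""
        self.white |= {ipaddress.ip_network(n) for n in cloud_white}
        self.black |= {ipaddress.ip_network(n) for n in cloud_black}


# Constructed white-IP table, standing in for what the cloud derives from the
# access statistics of normal users per region and operator.
WHITE_IP_TABLE = {
    ("example.test", "north", "isp-a"): "198.51.100.10",
    ("example.test", "south", "isp-a"): "198.51.100.20",
    ("example.test", None, None): "198.51.100.10",   # domain-wide fallback
}


def repair(result, table=WHITE_IP_TABLE):
    """Repair module 330: replace the answer with the white IP that best matches
    domain, region and operator, falling back to a domain-wide white IP."""
    for key in ((result.domain, result.region, result.operator),
                (result.domain, result.region, None),
                (result.domain, None, None)):
        if key in table:
            return DnsResult(result.domain, [table[key]], result.region, result.operator)
    raise LookupError(f"no white IP known for {result.domain}")


def protect(result, local_rules, cloud_judge):
    """Analysis/determination module 320 followed by repair module 330.

    cloud_judge stands for module 322 and is consulted only when the local
    rules cannot decide. Returns (verdict, result_to_return)."""
    verdict = local_rules.judge(result)
    if verdict == "unknown":
        verdict = cloud_judge(result)
    if verdict == "hijacked":
        return verdict, repair(result)
    # 'clean', or still 'unknown' after the cloud list check (the web page
    # comparison of module 420 is not modelled in this block): release as-is.
    return verdict, result


if __name__ == "__main__":
    local = IpListRules(white=["198.51.100.0/24"], black=["203.0.113.0/24"])
    cloud = IpListRules(white=["198.51.100.0/24"], black=["203.0.113.0/24", "192.0.2.0/24"])
    answer = DnsResult("example.test", ["192.0.2.7"], "south", "isp-a")
    print(local.judge(answer))                  # unknown: in neither local list
    print(protect(answer, local, cloud.judge))  # hijacked via the cloud list, repaired to 198.51.100.20
    local.update_from_cloud([], ["192.0.2.0/24"])
    print(local.judge(answer))                  # hijacked: local black list now carries 192.0.2.0/24
```

The lists are kept as networks rather than single addresses so that a cloud-published range covers every address in it; the order of the white and black checks is a policy choice the description leaves open, and `judge` documents the one it takes.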
The analysis and judgment module 320 is specifically executed by a first process, and the repair module 330 is executed by a second process. The first process and the second process are in an asynchronous processing mode.
According to the domain name resolution protection device provided by the invention, after a domain name resolution result returned by the DNS server is intercepted, the domain name resolution result is analyzed in sequence according to local rules, cloud searching and killing results and the like, and whether the domain name resolution result is hijacked data or not is judged. Whether the domain name resolution result is hijacked or not can thus be judged timely and actively. The judgment is first carried out locally, which is fast; if the local rules cannot decide, the judgment is made through the cloud searching and killing result, which guarantees accuracy. If the domain name resolution result is hijacked data, the domain name resolution result is repaired, and the correct domain name resolution result returned after repair ensures network safety without affecting the normal use of the user, so that the domain name resolution is effectively protected.
FIG. 4 illustrates a functional block diagram of a domain name resolution protection system according to one embodiment of the present invention. As shown in fig. 4, the domain name resolution protection system includes a cloud server 400 and the domain name resolution protection device 300 shown in fig. 3.
Wherein the cloud server 400 is adapted to: receiving the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device 300, performing cloud searching and killing processing according to the domain name information and/or the IP address, obtaining a cloud searching and killing result, and returning the cloud searching and killing result to the domain name resolution protection device 300.
The cloud server 400 includes a cloud IP searching and killing module 410 and a web searching and killing module 420.
The cloud IP searching and killing module 410 is adapted to determine whether the IP address included in the domain name resolution result belongs to a cloud IP address white list and/or a cloud IP address black list; if the IP address belongs to the cloud IP address white list, obtaining a cloud searching and killing result that the domain name resolution result is not hijacked data; and if the IP address belongs to the cloud IP address blacklist, obtaining a cloud searching and killing result of the hijacked data of the domain name resolution result.
Because the local IP address white list and/or the local IP address black list are not updated in real time, the cloud IP address white list and/or the cloud IP address black list are more up to date and more comprehensive. The cloud IP searching and killing module 410 first checks the IP address included in the domain name resolution result against the cloud IP address white list, and if the IP address belongs to the cloud IP address white list, the cloud IP searching and killing module 410 obtains a cloud searching and killing result that the domain name resolution result is not hijacked data. If the cloud IP searching and killing module 410 determines that the IP address does not belong to the cloud IP address white list, it determines whether the IP address belongs to the cloud IP address black list. If the IP address belongs to the cloud IP address blacklist, the cloud IP searching and killing module 410 obtains a cloud searching and killing result that the domain name resolution result is hijacked data. If the cloud IP searching and killing module 410 determines that the IP address belongs to neither the cloud IP address white list nor the cloud IP address black list, the web searching and killing module 420 is executed.
The web page searching and killing module 420 is adapted to send a domain name resolution request carrying domain name information to a pre-configured DNS server belonging to a DNS server white list, and obtain a secure IP address obtained by DNS resolution; downloading the first page according to the secure IP address; the first page is a page corresponding to the safe IP address; performing a network request according to the IP address and the sender host information included in the domain name resolution result, and downloading a second page; the second page is a page corresponding to the IP address; and comparing the first page with the second page, and obtaining a cloud searching and killing result according to the similarity comparison result of the pages.
The web page searching and killing module 420 sends the domain name resolution request carrying the domain name information to a pre-configured DNS server belonging to a DNS server white list, and obtains a secure IP address obtained by DNS resolution. The web page killing module 420 downloads the first page according to the secure IP address. The first page is a page corresponding to the secure IP address, and the page may be a main page of a website corresponding to the secure IP address. The web page searching and killing module 420 makes a network request according to the IP address and the sender host information included in the domain name resolution result, and downloads the second page. The second page is a page corresponding to the IP address, and the page may be a main page of a website corresponding to the IP address. The webpage searching and killing module 420 compares the first page with the second page, and obtains a cloud searching and killing result according to the similarity comparison result of the pages.
When the webpage searching and killing module 420 compares the first page with the second page, the first page and the second page may each be parsed to obtain their corresponding DOM trees. The web page searching and killing module 420 compares the two DOM trees node by node to obtain a similarity comparison result of the two pages. The similarity comparison result includes a difference value between the first page and the second page. If the difference value is greater than a preset threshold value, for example 20%, the web page searching and killing module 420 considers that the first page is not similar to the second page; otherwise, the web page searching and killing module 420 considers that the first page is similar to the second page. The web page searching and killing module 420 may also compare the first page with the second page in other manners to obtain a similarity comparison result, which is not limited herein.
The web page searching and killing module 420 considers both the similarity comparison result of the two pages and the Http status codes of the first page and the second page. If the Http status code of the second page is not 200 (for example 404 or 503), access to the second page has failed, and at this point there is a high possibility that the domain name resolution result is hijacked data; the web page searching and killing module 420 then further checks the similarity comparison result, and if it indicates that the first page and the second page are not similar, the module obtains a cloud searching and killing result that the domain name resolution result is hijacked data. If the Http status code of the second page is 200, that is, the second page is accessed successfully, and the similarity comparison result is that the first page is similar to the second page, the web page searching and killing module 420 obtains a cloud searching and killing result that the domain name resolution result is not hijacked data. Likewise, if the Http status code of the second page differs from that of the first page and the similarity comparison result indicates that the pages are not similar, the web page searching and killing module 420 obtains a cloud searching and killing result that the domain name resolution result is hijacked data; and if the Http status codes of the two pages are the same and the similarity comparison result indicates that the pages are similar, it obtains a cloud searching and killing result that the domain name resolution result is not hijacked data.
If the Http status code of the second page is not 200 but the similarity comparison result is that the first page is similar to the second page, or the Http status code of the second page differs from that of the first page but the similarity comparison result is that the first page is similar to the second page, the web page searching and killing module 420 checks further to obtain a cloud searching and killing result indicating whether the domain name resolution result is hijacked data.
Because IP addresses are of different types, the cloud server 400 further includes a download rule module 430. Before downloading, the download rule module 430 may preset the download rules of the first page and/or the second page according to the type of the IP address, so that the web page searching and killing module 420 downloads pages that are easier to compare.
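The page comparison and the status-code rules of module 420 above can be made concrete with the standard library alone. The block below is an added example, not code from the patent: it derives a per-node path multiset from each page's DOM, computes a difference value as the share of nodes present in only one page, applies the 20% threshold, and then combines the result with the two HTTP status codes exactly as the preceding paragraphs lay out. The two HTML pages, the status codes and the function names are constructed; the verdict for the one combination the description does not settle (both pages 200 alike but dissimilar) is labelled as an assumption in the code.

```python
# Added example, not code from the patent: node-by-node DOM comparison and the
# status-code rules of the web page searching and killing module 420, using only
# the standard library. HTML pages and status codes below are constructed.
from collections import Counter
from html.parser import HTMLParser


class _DomPaths(HTMLParser):
    """Records one path string per element, e.g. 'html/body/div/a', so two pages
    can be compared node by node without a third-party parser."""
    VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
            "link", "meta", "source", "track", "wbr"}

    def __init__(self):
        super().__init__()
        self.stack = []
        self.paths = Counter()

    def handle_starttag(self, tag, attrs):
        self.paths["/".join(self.stack + [tag])] += 1
        if tag not in self.VOID:          # void elements never get children
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.paths["/".join(self.stack + [tag])] += 1

    def handle_endtag(self, tag):
        if tag in self.stack:             # tolerate unclosed child elements
            while self.stack.pop() != tag:
                pass


def dom_paths(html):
    parser = _DomPaths()
    parser.feed(html)
    parser.close()
    return parser.paths


def difference_value(first_html, second_html):
    """Share of DOM nodes present in only one page: 0.0 identical, 1.0 disjoint."""
    a, b = dom_paths(first_html), dom_paths(second_html)
    union = sum((a | b).values())
    if union == 0:
        return 0.0
    return (sum((a - b).values()) + sum((b - a).values())) / union


def cloud_verdict(first_status, second_status, difference, threshold=0.20):
    """Combine the similarity result with both HTTP status codes as described
    for module 420. Returns 'hijacked', 'not hijacked' or 'further check'."""
    similar = difference <= threshold     # above the threshold means not similar
    suspicious_code = second_status != 200 or second_status != first_status
    if not similar and suspicious_code:
        return "hijacked"
    if similar and not suspicious_code:
        return "not hijacked"
    if similar and suspicious_code:
        return "further check"
    # Both pages answered 200 alike yet the DOMs differ: the description does not
    # settle this case; escalating to a further check is an assumption here.
    return "further check"


# Constructed sample pages: a genuine main page and a placeholder a wrong IP might serve.
GENUINE_PAGE = """<html><head><title>Example Site</title></head>
<body>
<div class="nav"><a href="/">Home</a><a href="/news">News</a><a href="/about">About</a></div>
<div class="content"><h1>Welcome</h1><p>First paragraph.</p><p>Second paragraph.</p><img src="logo.png"></div>
<div class="footer"><p>Copyright</p></div>
</body></html>"""

PARKED_PAGE = """<html><head><title>Site not found</title></head>
<body><h1>This domain is parked</h1>
<form><input type="text"><button>Search</button></form>
<ul><li>Link</li><li>Link</li></ul>
</body></html>"""

if __name__ == "__main__":
    d = difference_value(GENUINE_PAGE, PARKED_PAGE)
    print(f"difference {d:.2f} -> {cloud_verdict(200, 503, d)}")            # difference 0.82 -> hijacked
    print(cloud_verdict(200, 200, difference_value(GENUINE_PAGE, GENUINE_PAGE)))  # not hijacked
    print(cloud_verdict(200, 404, 0.0))                                      # further check
```

Comparing element paths rather than text makes the check robust to content that legitimately changes between fetches (headlines, timestamps) while still flagging a page whose structure has been replaced wholesale; the threshold is the 20% figure from the description and is a tunable parameter.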
The description of the domain name resolution protection device refers to the description of the embodiment in fig. 3, and is not repeated herein.
According to the domain name resolution protection system provided by the invention, a domain name resolution request carrying domain name information is sent to a DNS (domain name server) for resolution, and a domain name resolution result returned by the DNS is intercepted; analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not; and if so, repairing the domain name resolution result and returning the repaired domain name resolution result. By intercepting the returned domain name resolution result, a barrier is constructed between the user and the DNS server, and the network security is guaranteed. The domain name resolution result is analyzed according to the local rule and/or the cloud searching and killing result, whether the domain name resolution result is hijacked or not can be judged timely and actively, the judgment is more accurate, and the analysis efficiency is improved. And after the judgment, the domain name resolution result is repaired, the returned correct domain name resolution result does not influence the normal use of the user while ensuring the network safety, and the domain name resolution is effectively protected.
The application also provides a non-volatile computer storage medium, wherein the computer storage medium stores at least one executable instruction, and the computer executable instruction can execute the domain name resolution protection method in any method embodiment.
Fig. 5 is a schematic structural diagram of a computing device according to an embodiment of the present invention, and the specific embodiment of the present invention does not limit the specific implementation of the computing device.
As shown in fig. 5, the computing device may include: a processor 502, a communication interface 504, a memory 506, and a communication bus 508.
Wherein:
the processor 502, communication interface 504, and memory 506 communicate with one another via a communication bus 508.
The communication interface 504 is used for communicating with network elements of other devices, such as clients or other servers.
The processor 502 is configured to execute the program 510, and may specifically perform relevant steps in the above embodiments of the domain name resolution protection method.
In particular, program 510 may include program code that includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application specific integrated circuit (ASIC), or one or more integrated circuits configured to implement an embodiment of the present invention. The computing device includes one or more processors, which may be of the same type, such as one or more CPUs, or of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used for storing the program 510. The memory 506 may comprise high-speed RAM memory, and may also include non-volatile memory, such as at least one disk memory.
The program 510 may specifically be used to cause the processor 502 to perform the following operations:
in an optional implementation manner, the program 510 is configured to enable the processor 502 to send a domain name resolution request carrying domain name information to a DNS server for resolution, and intercept a domain name resolution result returned by the DNS server; analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not; and if so, repairing the domain name resolution result and returning the repaired domain name resolution result.
In an alternative embodiment, the program 510 is configured to enable the processor 502 to hook a remote procedure call protocol request function by using a fake function, and send a domain name resolution request carrying domain name information to a DNS server for resolution; and setting a callback function to intercept a domain name resolution result returned by the DNS.
In an alternative embodiment, program 510 is configured to cause processor 502 to pass the domain name resolution result to privilege level 3 for analysis in an asynchronous manner after the driver intercepts the domain name resolution result.
In an alternative embodiment, program 510 is configured to enable processor 502 to determine whether an IP address included in the domain name resolution result belongs to a local IP address white list and/or a local IP address black list; if the IP address belongs to a local IP address white list, judging that the domain name resolution result is not hijacked data; and if the IP address belongs to the local IP address blacklist, judging that the domain name resolution result is hijacked data.
In an alternative embodiment, the program 510 is configured to cause the processor 502 to periodically download a cloud IP address white list and/or a cloud IP address black list from a cloud server; and updating the local IP address white list and/or the local IP address black list according to the cloud IP address white list and/or the cloud IP address black list.
In an optional implementation manner, the program 510 is configured to enable the processor 502 to send the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud searching and killing processing according to the domain name information and/or the IP address to obtain a cloud searching and killing result; and judging whether the domain name resolution result is hijacked data or not according to the cloud searching and killing result.
In an alternative embodiment, the program 510 is configured to enable the processor 502 to determine whether the IP address included in the domain name resolution result belongs to a cloud IP address white list and/or a cloud IP address black list; if the IP address belongs to the cloud IP address white list, obtaining a cloud searching and killing result that the domain name resolution result is not hijacked data; and if the IP address belongs to the cloud IP address blacklist, obtaining a cloud searching and killing result of the hijacked data of the domain name resolution result.
In an optional implementation manner, the program 510 is configured to enable the processor 502 to send a domain name resolution request carrying domain name information to a preconfigured DNS server belonging to a DNS server white list, and obtain a secure IP address obtained by DNS resolution; downloading the first page according to the secure IP address; the first page is a page corresponding to the safe IP address; performing a network request according to the IP address and the sender host information included in the domain name resolution result, and downloading a second page; the second page is a page corresponding to the IP address; and comparing the first page with the second page, and obtaining a cloud searching and killing result according to the similarity comparison result of the pages.
In an alternative embodiment, the program 510 is configured to enable the processor 502 to obtain a similarity comparison result between the first page and the second page, and an Http status code of the first page and an Http status code of the second page; and obtaining a cloud searching and killing result according to the similarity comparison result, the Http state code of the first page and the Http state code of the second page.
In an alternative embodiment, the program 510 is configured to enable the processor 502 to obtain a cloud killing result that the domain name resolution result is the hijacked data if the Http status code of the second page is not 200 and the similarity comparison result is not similar.
In an alternative embodiment, the program 510 is configured to enable the processor 502 to obtain a cloud killing result that the domain name resolution result is hijacked data if the Http status code of the second page is different from the Http status code of the first page and the similarity comparison result is not similar.
In an alternative embodiment, the program 510 is configured to enable the processor 502 to preset the download rule of the first page and/or the second page according to the type of the IP address.
In an optional implementation manner, the program 510 is configured to enable the processor 502 to perform, by the first process, a step of analyzing the domain name resolution result according to the local rule and/or the cloud killing result, and determining whether the domain name resolution result is hijacked data; a step of repairing the domain name resolution result and returning the repaired domain name resolution result by the second process; the first process and the second process are in an asynchronous processing mode.
In an alternative embodiment, the program 510 is configured to enable the processor 502 to obtain a white IP address corresponding to the domain name information according to the domain name information carried in the domain name resolution request; and repairing the domain name resolution result by using the white IP address, and returning the repaired domain name resolution result.
For specific implementation of each step in the program 510, reference may be made to corresponding steps and corresponding descriptions in units in the foregoing domain name resolution protection embodiment, which are not described herein again. It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described devices and modules may refer to the corresponding process descriptions in the foregoing method embodiments, and are not described herein again.
According to the scheme provided by the embodiment, a domain name resolution request carrying domain name information is sent to a DNS (domain name server) for resolution, and a domain name resolution result returned by the DNS is intercepted; analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not; and if so, repairing the domain name resolution result and returning the repaired domain name resolution result. By intercepting the returned domain name resolution result, a barrier is constructed between the user and the DNS server, and the network security is guaranteed. The domain name resolution result is analyzed according to the local rule and/or the cloud searching and killing result, whether the domain name resolution result is hijacked or not can be judged timely and actively, the judgment is more accurate, and the analysis efficiency is improved. And after the judgment, the domain name resolution result is repaired, the returned correct domain name resolution result does not influence the normal use of the user while ensuring the network safety, and the domain name resolution is effectively protected.
The algorithms and displays presented herein are not inherently related to any particular computer, virtual machine, or other apparatus. Various general purpose systems may also be used with the teachings herein. The required structure for constructing such a system will be apparent from the description above. Moreover, the present invention is not directed to any particular programming language. It is appreciated that a variety of programming languages may be used to implement the teachings of the present invention as described herein, and any descriptions of specific languages are provided above to disclose the best mode of the invention.
In the description provided herein, numerous specific details are set forth. It is understood, however, that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure an understanding of this description.
Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. However, the disclosed method should not be interpreted as reflecting an intention that: that the invention as claimed requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the device in an embodiment may be adaptively changed and disposed in one or more devices different from the embodiment. The modules or units or components of the embodiments may be combined into one module or unit or component, and furthermore they may be divided into a plurality of sub-modules or sub-units or sub-components. All of the features disclosed in this specification (including any accompanying claims, abstract and drawings), and all of the processes or elements of any method or apparatus so disclosed, may be combined in any combination, except combinations where at least some of such features and/or processes or elements are mutually exclusive. Each feature disclosed in this specification (including any accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.
Furthermore, those skilled in the art will appreciate that while some embodiments described herein include some features included in other embodiments, rather than other features, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will appreciate that a microprocessor or Digital Signal Processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components in an apparatus for domain name resolution protection according to embodiments of the present invention. The present invention may also be embodied as apparatus or device programs (e.g., computer programs and computer program products) for performing a portion or all of the methods described herein. Such programs implementing the present invention may be stored on computer-readable media or may be in the form of one or more signals. Such a signal may be downloaded from an internet website or provided on a carrier signal or in any other form.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The usage of the words first, second and third, etcetera do not indicate any ordering. These words may be interpreted as names.

Claims (27)

1. A method of domain name resolution protection, comprising:
hooking a remote procedure call protocol request function by using a fake function, sending a domain name resolution request carrying domain name information to a DNS (domain name server) for resolution, and setting a callback function to intercept a domain name resolution result returned by the DNS;
analyzing the domain name resolution result according to a local rule and/or a cloud searching and killing result, and judging whether the domain name resolution result is hijacked data or not;
if so, repairing the domain name resolution result and returning the repaired domain name resolution result;
wherein the analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result further comprises:
after a driver intercepts the domain name resolution result, transmitting the domain name resolution result to privilege level 3 for analysis in an asynchronous mode;
and analyzing the domain name resolution result by using different analysis strategies according to different operating system versions and different versions of the internet protocol, and customizing a special data structure according to the implementation conditions to obtain corresponding data information, wherein the data information is the data used for judging whether the domain name resolution result is hijacked or not.
2. The method of claim 1, wherein the analyzing the domain name resolution result according to local rules and determining whether the domain name resolution result is hijacked data further comprises:
judging whether the IP address included in the domain name resolution result belongs to a local IP address white list and/or a local IP address black list;
if the IP address belongs to a white list of local IP addresses, judging that the domain name resolution result is not hijacked data;
and if the IP address belongs to a local IP address blacklist, judging that the domain name resolution result is hijacked data.
3. The method of claim 2, wherein the method further comprises:
downloading a cloud IP address white list and/or a cloud IP address black list from a cloud server at regular time;
and updating the local IP address white list and/or the local IP address black list according to the cloud IP address white list and/or the cloud IP address black list.
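The local rule of claims 2 and 3 is a list lookup: an address on the whitelist clears the result, an address on the blacklist marks it as hijacked, and the two lists are periodically replaced by lists downloaded from the cloud. The following Python is an added example written for this page, not code from the patent or from the applicant; it generalizes the claims slightly by accepting CIDR prefixes as list entries and by judging a whole answer set rather than a single address. The list contents, the cloud snapshot, the `Verdict` names and the `LocalIpRules` class are constructed for the example; addresses come from the RFC 5737 documentation ranges.

```python
"""Local IP whitelist/blacklist judgement (claim 2) and cloud list refresh (claim 3)."""
import ipaddress
from enum import Enum


class Verdict(Enum):
    CLEAN = "not hijacked"        # address matched the whitelist
    HIJACKED = "hijacked"         # address matched the blacklist
    UNKNOWN = "no local verdict"  # neither list matched; defer to the cloud check


def _parse_entries(entries):
    """Turn textual list entries into network objects, skipping malformed ones.

    Returns (networks, skipped) so the caller can log what the cloud sent.
    """
    networks, skipped = set(), []
    for entry in entries:
        try:
            networks.add(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            skipped.append(entry)
    return networks, skipped


class LocalIpRules:
    """Local IP whitelist and blacklist. Entries may be single addresses or
    CIDR prefixes (a generalization of the claims, which name IP addresses)."""

    def __init__(self, whitelist=(), blacklist=()):
        self.whitelist, _ = _parse_entries(whitelist)
        self.blacklist, _ = _parse_entries(blacklist)

    def judge_address(self, ip):
        """Claim 2 for one address. The blacklist is consulted first, so an
        address that somehow appears on both lists is treated as hijacked."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.blacklist):
            return Verdict.HIJACKED
        if any(addr in net for net in self.whitelist):
            return Verdict.CLEAN
        return Verdict.UNKNOWN

    def judge_resolution(self, answer_ips):
        """Claim 2 for a whole resolution result (possibly several A records):
        one blacklisted address makes the result hijacked; the result is clean
        only if every address is whitelisted; anything else stays unknown."""
        verdicts = [self.judge_address(ip) for ip in answer_ips]
        if not verdicts:
            return Verdict.UNKNOWN  # empty answer: nothing the lists can vouch for
        if Verdict.HIJACKED in verdicts:
            return Verdict.HIJACKED
        if all(v is Verdict.CLEAN for v in verdicts):
            return Verdict.CLEAN
        return Verdict.UNKNOWN

    def update_from_cloud(self, snapshot):
        """Claim 3: replace both local lists with the downloaded cloud lists.

        `snapshot` is the already-downloaded payload (a dict here; transport and
        its authentication are outside this example). Malformed entries are
        skipped rather than aborting the refresh, and are returned for logging.
        """
        new_white, bad_white = _parse_entries(snapshot.get("whitelist", []))
        new_black, bad_black = _parse_entries(snapshot.get("blacklist", []))
        self.whitelist, self.blacklist = new_white, new_black
        return bad_white + bad_black


# Constructed sample lists (RFC 5737 documentation ranges, not real hosts).
LOCAL_RULES = LocalIpRules(
    whitelist=["203.0.113.10", "198.51.100.0/24"],
    blacklist=["192.0.2.0/24"],
)

# Constructed cloud snapshot that adds one whitelist entry and carries one bad entry.
CLOUD_SNAPSHOT = {
    "whitelist": ["203.0.113.10", "203.0.113.11", "198.51.100.0/24"],
    "blacklist": ["192.0.2.0/24", "not-an-ip"],
}

if __name__ == "__main__":
    for ips in (["203.0.113.10"], ["192.0.2.44"], ["203.0.113.10", "203.0.113.11"]):
        print(ips, "->", LOCAL_RULES.judge_resolution(ips).value)
    print("skipped cloud entries:", LOCAL_RULES.update_from_cloud(CLOUD_SNAPSHOT))
    print(["203.0.113.10", "203.0.113.11"], "->",
          LOCAL_RULES.judge_resolution(["203.0.113.10", "203.0.113.11"]).value)
```

The tri-state result matters in practice: a resolution that matches neither list is not "clean", it is undecided, and is what the cloud searching and killing step of claims 4 to 9 exists for. Treating blacklist hits as authoritative over whitelist hits is a deliberate fail-safe choice, not something the claims specify.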
4. The method of claim 1, wherein the analyzing the domain name resolution result according to the cloud searching and killing result, and the determining whether the domain name resolution result is hijacked data further comprises:
sending the domain name information and/or the IP address included in the domain name resolution result to a cloud server for the cloud server to perform cloud searching and killing processing according to the domain name information and/or the IP address to obtain a cloud searching and killing result;
and judging whether the domain name resolution result is hijacked data or not according to the cloud searching and killing result.
5. The method of claim 4, wherein the cloud server performs cloud searching and killing processing according to the IP address, and obtaining the cloud searching and killing result further comprises:
judging whether the IP address included in the domain name resolution result belongs to a cloud IP address white list and/or a cloud IP address black list;
if the IP address belongs to a cloud IP address white list, obtaining a cloud searching and killing result that the domain name resolution result is not hijacked data;
and if the IP address belongs to the cloud IP address blacklist, obtaining a cloud searching and killing result that the domain name resolution result is hijacked data.
6. The method of claim 4, wherein the cloud server performs cloud searching and killing processing according to the domain name information and/or the IP address, and obtaining a cloud searching and killing result further comprises:
sending a domain name resolution request carrying the domain name information to a pre-configured DNS server belonging to a DNS server white list, and acquiring a safe IP address obtained by DNS resolution;
downloading a first page according to the safe IP address; the first page is a page corresponding to the safe IP address;
performing a network request according to the IP address and the sender host information included in the domain name resolution result, and downloading a second page; the second page is a page corresponding to the IP address;
and comparing the first page with the second page, and obtaining a cloud searching and killing result according to the similarity comparison result of the pages.
7. The method according to claim 6, wherein the comparing the first page with the second page, and the obtaining the cloud searching and killing result according to the similarity comparison result of the pages further comprises:
obtaining a similarity comparison result of the first page and the second page, an Http status code of the first page and an Http status code of the second page;
and obtaining a cloud searching and killing result according to the similarity comparison result, the Http status code of the first page and the Http status code of the second page.
8. The method of claim 7, wherein the obtaining a cloud searching and killing result according to the similarity comparison result, the Http status code of the first page and the Http status code of the second page further comprises:
if the Http status code of the second page is not 200 and the similarity comparison result is not similar, obtaining a cloud searching and killing result that the domain name resolution result is hijacked data.
9. The method of claim 7, wherein the obtaining a cloud searching and killing result according to the similarity comparison result, the Http status code of the first page and the Http status code of the second page further comprises:
if the Http status code of the second page is different from the Http status code of the first page and the similarity comparison result is not similar, obtaining a cloud searching and killing result that the domain name resolution result is hijacked data.
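Claims 6 to 9 describe a cloud-side check that fetches the same page twice, once through a trusted resolution and once through the suspect IP, then combines a page similarity comparison with the two Http status codes. The Python below is an added example for this page, not the patent's or the applicant's code; the downloads themselves are replaced by constructed `FetchedPage` values, and the similarity threshold (0.8), the text normalization and the `CloudVerdict` names are assumptions, since the claims fix none of them.

```python
"""Cloud web page check of claims 6-9: the page reached via the safe IP (first
page) is compared with the page reached via the suspect IP (second page)."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from enum import Enum

SIMILARITY_THRESHOLD = 0.8  # assumed for this example; the claims give no number


class CloudVerdict(Enum):
    HIJACKED = "hijacked"
    INCONCLUSIVE = "not decided by the page check"


@dataclass(frozen=True)
class FetchedPage:
    """What the cloud server keeps from each download: status code and body."""
    status: int
    body: str


def normalize_html(body):
    """Reduce a page to lower-case visible text so that scripts, styles, tags
    and whitespace differences do not dominate the comparison."""
    text = re.sub(r"<(script|style)\b.*?</\1>", " ", body, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", text)
    return re.sub(r"\s+", " ", text).strip().lower()


def page_similarity(first, second):
    """Similarity ratio in [0, 1] of the two pages' visible text."""
    return SequenceMatcher(None, normalize_html(first.body),
                           normalize_html(second.body)).ratio()


def cloud_verdict(first, second, threshold=SIMILARITY_THRESHOLD):
    """Apply claims 8 and 9 and return (verdict, reason).

    `first` was fetched via the safe IP, `second` via the suspect IP. Both
    rules require the pages to be dissimilar, so a similar pair is never
    reported as hijacked by this check.
    """
    if page_similarity(first, second) >= threshold:
        return CloudVerdict.INCONCLUSIVE, "pages similar"
    if second.status != 200:                                   # claim 8
        return CloudVerdict.HIJACKED, f"second page status {second.status} is not 200 and pages differ"
    if second.status != first.status:                          # claim 9
        return CloudVerdict.HIJACKED, f"status codes differ ({first.status} vs {second.status}) and pages differ"
    # Different content served with the same 200 status is outside both rules;
    # the IP list checks of claims 2-5 have to decide such cases.
    return CloudVerdict.INCONCLUSIVE, "pages differ but both returned 200"


# Constructed sample pages; no real site is involved.
SAFE_PAGE = FetchedPage(200, "<html><head><title>Example Shop</title>"
                             "<script>var a = 1;</script></head><body>"
                             "<h1>Welcome to Example Shop</h1>"
                             "<p>Sign in to see your orders.</p></body></html>")
SAME_PAGE_RESTYLED = FetchedPage(200, "<html>\n<head><title>Example Shop</title></head>\n<body>\n"
                                      "  <h1>Welcome   to Example Shop</h1>\n"
                                      "  <p>Sign in to see your orders.</p>\n</body>\n</html>")
ERROR_PAGE = FetchedPage(404, "<html><body><h1>Not Found</h1></body></html>")
PORTAL_PAGE = FetchedPage(200, "<html><body><h1>Search assistance</h1>"
                               "<p>The address you typed could not be found. "
                               "Try these sponsored results.</p></body></html>")
REDIRECT_PAGE = FetchedPage(301, "<html><body>Moved Permanently</body></html>")

if __name__ == "__main__":
    for label, second in (("restyled copy", SAME_PAGE_RESTYLED), ("404 page", ERROR_PAGE),
                          ("portal page", PORTAL_PAGE)):
        print(f"{label}: {cloud_verdict(SAFE_PAGE, second)}")
    print("safe side redirects, suspect serves 200:", cloud_verdict(REDIRECT_PAGE, PORTAL_PAGE))
```

The portal-page case shows the limit of these two rules: a substituted page that answers 200 just like the genuine site is dissimilar but triggers neither claim 8 nor claim 9, so the page check alone cannot condemn it. Comparing normalized visible text rather than raw HTML keeps a legitimate redesign or an injected analytics script from masquerading as a hijack.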
10. The method according to any one of claims 6-9, wherein the method further comprises:
presetting a downloading rule for the first page and/or the second page according to the type of the IP address.
11. The method according to any one of claims 1 to 9, wherein the step of analyzing the domain name resolution result according to the local rule and/or the cloud searching and killing result and judging whether the domain name resolution result is hijacked data is specifically executed by a first process;
the step of repairing the domain name resolution result and returning the repaired domain name resolution result is specifically executed by a second process;
wherein the first process and the second process are in an asynchronous processing mode.
12. The method according to any one of claims 1 to 9, wherein the repairing the domain name resolution result and returning the repaired domain name resolution result further comprises:
acquiring a white IP address corresponding to the region information according to the region information carried in the domain name resolution request;
and repairing the domain name resolution result by using the white IP address, and returning the repaired domain name resolution result.
13. A domain name resolution protection device, comprising:
the intercepting module is suitable for hooking a remote procedure call protocol request function by using a fake function, sending a domain name resolution request carrying domain name information to the DNS server for resolution, and setting a callback function to intercept a domain name resolution result returned by the DNS server;
the analysis and judgment module is suitable for analyzing the domain name resolution result according to local rules and/or a cloud searching and killing result and judging whether the domain name resolution result is hijacked data or not;
the repair module is suitable for repairing the domain name resolution result and returning the repaired domain name resolution result if the analysis and judgment module judges that the domain name resolution result is hijacked data;
wherein the analysis determination module is further adapted to:
after the driver intercepts the domain name resolution result, the domain name resolution result is transmitted to a privilege level 3 for analysis in an asynchronous mode;
and analyzing the domain name resolution result by using different analysis strategies according to different operating system versions and different versions of internet protocols and customizing a special data structure according to implementation conditions to obtain corresponding data information, wherein the data information is data for judging whether the domain name resolution result is hijacked or not.
14. The apparatus of claim 13, wherein the analysis determination module further comprises:
the local judgment module is suitable for judging whether the IP address included in the domain name resolution result belongs to a local IP address white list and/or a local IP address black list; if the IP address belongs to a white list of local IP addresses, judging that the domain name resolution result is not hijacked data; and if the IP address belongs to a local IP address blacklist, judging that the domain name resolution result is hijacked data.
15. The apparatus of claim 14, wherein the apparatus further comprises:
the timing updating module is suitable for downloading a cloud IP address white list and/or a cloud IP address black list from a cloud server at regular time; and updating the local IP address white list and/or the local IP address black list according to the cloud IP address white list and/or the cloud IP address black list.
16. The apparatus of any of claims 13-15, wherein the analysis determination module further comprises:
the cloud searching and killing result acquisition module is suitable for sending the domain name information and/or the IP address included in the domain name resolution result to a cloud server so that the cloud server can perform cloud searching and killing processing according to the domain name information and/or the IP address to acquire a cloud searching and killing result; and judging whether the domain name resolution result is hijacked data or not according to the cloud searching and killing result.
17. The apparatus according to any of claims 13-15, wherein the analysis determination module is specifically run by a first process;
the repair module is run by a second process;
wherein the first process and the second process are in an asynchronous processing mode.
18. The apparatus according to any one of claims 13-15, wherein the repair module is further adapted to:
acquiring a white IP address corresponding to the region information according to the region information carried in the domain name resolution request; and repairing the domain name resolution result by using the white IP address, and returning the repaired domain name resolution result.
19. A domain name resolution protection system, comprising: a cloud server and the domain name resolution protection device of any one of claims 13-18;
the cloud server is adapted to: receive the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device, perform cloud searching and killing processing according to the domain name information and/or the IP address, obtain a cloud searching and killing result, and return the cloud searching and killing result to the domain name resolution protection device.
20. The system of claim 19, wherein the cloud server comprises:
the cloud IP searching and killing module is suitable for judging whether the IP address included in the domain name resolution result belongs to a cloud IP address white list and/or a cloud IP address black list; if the IP address belongs to a cloud IP address white list, obtaining a cloud searching and killing result that the domain name resolution result is not hijacked data; and if the IP address belongs to the cloud IP address blacklist, obtaining a cloud searching and killing result that the domain name resolution result is hijacked data.
21. The system of claim 19, wherein the cloud server comprises:
the webpage searching and killing module is suitable for sending a domain name resolution request carrying the domain name information to a pre-configured DNS server belonging to a DNS server white list to acquire a safe IP address obtained by DNS resolution; downloading a first page according to the safe IP address; the first page is a page corresponding to the safe IP address; performing a network request according to the IP address and the sender host information included in the domain name resolution result, and downloading a second page; the second page is a page corresponding to the IP address; and comparing the first page with the second page, and obtaining a cloud searching and killing result according to the similarity comparison result of the pages.
22. The system of claim 21, wherein the webpage searching and killing module is further adapted to:
obtain a similarity comparison result of the first page and the second page, an Http status code of the first page and an Http status code of the second page; and obtain a cloud searching and killing result according to the similarity comparison result, the Http status code of the first page and the Http status code of the second page.
23. The system of claim 21, wherein the webpage searching and killing module is further adapted to:
if the Http status code of the second page is not 200 and the similarity comparison result is not similar, obtain a cloud searching and killing result that the domain name resolution result is hijacked data.
24. The system of claim 21, wherein the webpage searching and killing module is further adapted to:
if the Http status code of the second page is different from the Http status code of the first page and the similarity comparison result is not similar, obtain a cloud searching and killing result that the domain name resolution result is hijacked data.
25. The system of any of claims 21-24, wherein the cloud server further comprises:
the downloading rule module is suitable for presetting the downloading rule of the first page and/or the second page according to the type of the IP address.
26. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another through the communication bus;
the memory is used for storing at least one executable instruction, and the executable instruction causes the processor to execute the operation corresponding to the domain name resolution protection method according to any one of claims 1-12.
27. A computer storage medium having stored therein at least one executable instruction for causing a processor to perform operations corresponding to the domain name resolution protection method according to any one of claims 1-12.
Priority Applications (1)

Application Number                     Priority Date  Filing Date  Title                                                                                            Status
CN201710915052.5A (CN107623693B, en)   2017-09-30     2017-09-30   Domain name resolution protection method, device, system, computing equipment and storage medium  Active


Publications (2)

Publication Number   Publication Date
CN107623693A (en)    2018-01-23
CN107623693B (en)    2021-03-19  (this document)

Family ID: 61091821



Legal Events

Code  Title
PB01  Publication
SE01  Entry into force of request for substantive examination
GR01  Patent grant
TR01  Transfer of patent right
      Effective date of registration: 20220913
      Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000
      Patentee after: 3600 Technology Group Co.,Ltd.
      Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)
      Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.