CN107769957A - Domain name system (DNS) failure cause analysis method and device - Google Patents

Publication number: CN107769957A
Authority: CN (China)
Prior art keywords: dns, bag, exception, packet, unit
Legal status: Granted (Active)
Application number: CN201710766110.2A
Other languages: Chinese (zh)
Other versions: CN107769957B (en)
Inventor: 符立佳, 苗辉
Current Assignee: Guizhou Baishan cloud Polytron Technologies Inc
Original Assignee: Guizhou White Cloud Technology Co Ltd
Application filed by: Guizhou White Cloud Technology Co Ltd
Priority: CN201710766110.2A
Publications: CN107769957A (application), CN107769957B (granted)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0677 Localisation of faults
    • H04L41/0631 Management of faults, events, alarms or notifications using root cause analysis; using analysis of correlation between notifications, alarms or events based on decision criteria, e.g. hierarchy, tree or time analysis
    • H04L41/069 Management of faults, events, alarms or notifications using logs of notifications; Post-processing of notifications
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/06 Generation of reports
    • H04L43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The invention provides a domain name system (DNS) failure cause analysis method and device, relating to the field of computer networks. It solves the problems of low efficiency, high labor cost and poor accuracy caused by capturing packets and determining faults manually. The method includes: monitoring a DNS process; when the DNS process exits abnormally, starting packet capture and capturing the abnormal request packet; and comparing the abnormal request packet with a standard normal data packet to determine the problem service unit in the abnormal request packet. The technical solution provided by the invention is applicable to DNS software development and achieves automatic and accurate fault localization by the system.

Description

Domain name system (DNS) failure cause analysis method and device
Technical field
The present invention relates to the field of computer networks, and more particularly to a domain name system (DNS) failure cause analysis method and device.
Background
As the entry point for Internet access, DNS resolution plays a vital role in network access. To improve network service quality and availability, many companies and organizations currently choose to develop their own DNS software or to carry out secondary development on open-source DNS software so that it meets special requirements. During self-development and secondary development, if not all DNS protocol specifications and technical features are understood, there is a great risk of failures in which a suspected abnormal request message causes the program to exit abnormally. Because of insufficient foresight about the problem, the program is then likely to have no core dump or detailed error log prepared, which makes it very difficult to locate the abnormal packet and confirm the failure cause.
Existing fault localization is typically done by manual capture and judgment, and has the following defects:
a) Abnormal messages are captured and the cause is confirmed manually, which is inefficient and has a high labor cost;
b) The failure time is determined manually and packet capture is stopped manually, and the range of abnormal request packets is then confirmed from the alarm time of monitoring. Accuracy is poor, often at the minute level, which affects localization efficiency, and the captured packet file can be very large, which affects subsequent filtering.
Summary of the invention
The present invention aims to solve the problems described above.
According to a first aspect of the invention, a DNS failure cause analysis method is provided, including:
monitoring a DNS process;
when the DNS process exits abnormally, starting packet capture and capturing the abnormal request packet;
comparing the abnormal request packet with a standard normal data packet, and determining the problem service unit in the abnormal request packet.
Preferably, the step of comparing the abnormal request packet with the standard normal data packet and determining the problem service unit in the abnormal request packet includes:
(1) obtaining each minimal service unit in the abnormal request packet;
(2) selecting one minimal service unit in the abnormal request packet and using it to replace the corresponding minimal service unit in the standard normal data packet, obtaining a recombined request packet;
(3) sending the recombined request packet to the DNS software;
(4) when the DNS software exits after receiving the recombined request packet, determining that the minimal service unit selected in step (2) is a problem service unit;
(5) repeating steps (1)-(4) until all minimal service units in the abnormal request packet have been traversed;
(6) analyzing the at least one problem service unit determined, and obtaining the unique feature rule of the abnormal packet, which uniquely matches the abnormal request packet.
Preferably, the step of monitoring the domain name system (DNS) process includes:
monitoring whether a DNS process exit occurs;
when a DNS process exit is detected:
filtering the operation log, and/or
filtering the system log and/or the error log;
when filtering the operation log finds an abnormal operation, and/or
when filtering the system log and/or the error log finds error information indicating an abnormal DNS process exit,
determining that an abnormal DNS process exit has occurred.
Preferably, the step of starting packet capture and capturing the abnormal request packet when the DNS process exits abnormally includes:
capturing data packets, the data packets including request packets and response packets;
filtering the system log and the error log to obtain the first time, i.e. the time of the error information logged when the DNS process exited;
analyzing the request messages before the first time and screening out the suspected abnormal request messages;
sending the suspected abnormal request messages to the DNS process that exited abnormally, and checking whether each data packet in the suspected abnormal request messages causes the DNS process to exit abnormally;
marking each data packet that causes the DNS process to exit abnormally as an abnormal request packet.
Preferably, the step of analyzing the request messages before the first time and screening out the suspected abnormal request messages includes:
when the last request message before the first time is the first message before the first time that has only a request packet and no response packet, extracting that request message as the suspected abnormal request message;
when the first request message that has only a request packet and no response packet occurs after the first time, extracting the last N request messages before the first time and the earliest N request messages that have only a request packet and no response packet as suspected abnormal request messages, where N is a positive integer;
when no error information exists and the first time cannot be determined, extracting the earliest N request messages without a response message as suspected abnormal request messages;
when no error information exists, the first time cannot be determined, and no request message with only a request packet and no response packet exists, obtaining the second time, at which local resolution failed, and extracting the N request packets after the second time as suspected abnormal request messages.
Preferably, before the step of capturing data packets, the method further includes:
obtaining from a central server the list of DNS servers that have currently started packet capture;
when the number of name server (NS) records corresponding to the DNS servers that have started packet capture exceeds a preset packet capture threshold, not starting packet capture on this DNS server;
when the number of name server (NS) records corresponding to the DNS servers that have started packet capture does not exceed the preset packet capture threshold, starting packet capture on this DNS server and notifying the central server that this DNS server has started packet capture, prompting the central server to update the list of DNS servers that have started packet capture.
Preferably, after the step of capturing data packets, the method further includes:
at every preset verification period, sending a request to this DNS server to confirm whether a resolution result can be obtained normally;
when the resolution result can be obtained normally, determining that the DNS process has not exited abnormally again, and continuing packet capture;
when the resolution result cannot be obtained normally, determining that the DNS process has exited abnormally again, and starting the analysis to obtain the suspected abnormal request messages.
Preferably, after the step of comparing the abnormal request packet with the standard normal data packet and determining the problem service unit in the abnormal request packet, the method further includes:
sending an analysis report, the analysis report carrying at least any one or more of the following items of information:
the abnormal request packet, the problem service unit, the DNS software version in which the abnormality occurred, the version difference document (changelog), and the unique feature rule of the abnormal packet.
Preferably, after the step of comparing the abnormal request packet with the standard normal data packet and determining the problem service unit in the abnormal request packet, the method further includes:
intercepting request packets that match the unique feature rule of the abnormal packet.
According to another aspect of the present invention, a DNS failure cause analysis device is also provided, including:
a process monitoring module, configured to monitor a DNS process;
a packet capture module, configured to start packet capture and capture the abnormal request packet when the DNS process exits abnormally;
a fault analysis and localization module, configured to compare the abnormal request packet with a standard normal data packet and determine the problem service unit in the abnormal request packet.
Preferably, the fault analysis and localization module includes:
a packet splitting unit, configured to obtain each minimal service unit in the abnormal request packet;
a recombination unit, configured to select one minimal service unit in the abnormal request packet and use it to replace the corresponding minimal service unit in the standard normal data packet, obtaining a recombined request packet;
a request packet sending unit, configured to send the recombined request packet to the DNS software;
an abnormality determination unit, configured to determine, when the DNS software exits after receiving the recombined request packet, that the minimal service unit selected by the recombination unit is a problem service unit;
a rule generation unit, configured to control the packet splitting unit, the recombination unit, the request packet sending unit and the abnormality determination unit to repeat the detection of problem service units until all minimal service units in the abnormal request packet have been traversed, and to analyze the at least one problem service unit determined to obtain the unique feature rule of the abnormal packet, which uniquely matches the abnormal request packet.
Preferably, the process monitoring module includes:
an exit monitoring unit, configured to monitor whether a DNS process exit occurs;
a log analysis unit, configured to, when a DNS process exit is detected:
filter the operation log, and/or
filter the system log and/or the error log;
an abnormality determination unit, configured to, when filtering the operation log finds an abnormal operation, and/or
when filtering the system log and/or the error log finds error information indicating an abnormal DNS process exit,
determine that an abnormal DNS process exit has occurred.
Preferably, the packet capture module includes:
a first capture unit, configured to capture data packets, the data packets including request packets and response packets;
an error information parsing unit, configured to filter the system log and the error log to obtain the first time, i.e. the time of the error information logged when the DNS process exited;
a suspected abnormal request message filtering unit, configured to analyze the request messages before the first time and screen out the suspected abnormal request messages;
an abnormality verification unit, configured to send the suspected abnormal request messages to the DNS process that exited abnormally and check whether each data packet in the suspected abnormal request messages causes the DNS process to exit abnormally;
an abnormal request packet determination unit, configured to mark each data packet that causes the DNS process to exit abnormally as an abnormal request packet.
The invention provides a DNS failure cause analysis method and device. The DNS process is monitored; when the DNS process is found to have exited abnormally, the abnormal request packet that caused the abnormal exit is captured first, and the minimal service unit that causes the abnormality is then located within the abnormal request packet. This achieves automatic and accurate fault localization by the system and solves the problems of low efficiency, high labor cost and poor accuracy caused by capturing packets and determining faults manually.
Other features and advantages of the invention will become apparent from the following description of exemplary embodiments with reference to the drawings.
Brief description of the drawings
The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the invention. In the drawings, like reference numerals denote like elements. The drawings described below show some, but not all, embodiments of the invention. Those of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 schematically illustrates the flow of a DNS failure cause analysis method provided by embodiment one of the invention;
Fig. 2 schematically illustrates the structure of a DNS failure cause analysis device provided by embodiment two of the invention;
Fig. 3 schematically illustrates the structure of the fault analysis and localization module 203 in Fig. 2;
Fig. 4 schematically illustrates the structure of the process monitoring module 201 in Fig. 2;
Fig. 5 schematically illustrates the structure of the packet capture module 202 in Fig. 2.
Detailed description of the embodiments
To make the purpose, technical solutions and advantages of the embodiments of the invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings of the embodiments. The described embodiments are obviously some, but not all, embodiments of the invention. All other embodiments obtained by those of ordinary skill in the art from the embodiments of the invention without creative effort fall within the scope of protection of the invention. It should be noted that, where they do not conflict, the embodiments in this application and the features in the embodiments may be combined with one another.
Existing fault localization is typically done by manual capture and judgment, and has the following defects:
a) Abnormal messages are captured and the cause is confirmed manually, which is inefficient and has a high labor cost;
b) The failure time is determined manually and packet capture is stopped manually, and the range of abnormal request packets is then confirmed from the alarm time of monitoring. Accuracy is poor, often at the minute level, which affects localization efficiency, and the captured packet file can be very large, which affects subsequent filtering.
To solve the above problems, embodiments of the invention provide a DNS failure cause analysis method and device. The DNS process is monitored; when the DNS process is found to have exited abnormally, the abnormal request packet that caused the abnormal exit is captured first, and the minimal service unit that causes the abnormality is then located within the abnormal request packet. This achieves automatic and accurate fault localization by the system and solves the problems of low efficiency, high labor cost and poor accuracy caused by capturing packets and determining faults manually.
Embodiment one of the invention is described first, with reference to the drawings.
This embodiment of the invention provides a DNS failure cause analysis method. The flow for automatically discovering and locating DNS failures with this method is shown in Fig. 1 and includes:
Step 101: monitor the domain name system (DNS) process.
This step specifically includes:
1. Monitor whether a DNS process exit occurs;
2. When a DNS process exit is detected:
filter the operation log, and/or
filter the system log and/or the error log;
3. When filtering the operation log finds an abnormal operation, and/or
when filtering the system log and/or the error log finds error information indicating an abnormal DNS process exit,
determine that an abnormal DNS process exit has occurred.
Abnormal operations mainly include restart, stop, killing the process and similar operations.
Step 102: when the DNS process exits abnormally, start packet capture and capture the abnormal request packet.
This step specifically includes:
1. Capture data packets, the data packets including request packets and response packets;
2. Filter the system log and the error log to obtain the first time, i.e. the time of the error information logged when the DNS process exited;
3. Analyze the request messages before the first time and screen out the suspected abnormal request messages.
Specifically, when the last request message before the first time is the first message before the first time that has only a request packet and no response packet, extract that request message as the suspected abnormal request message;
when the first request message that has only a request packet and no response packet occurs after the first time, extract the last N request messages before the first time and the earliest N request messages that have only a request packet and no response packet as suspected abnormal request messages, where N is a positive integer;
when no error information exists and the first time cannot be determined, extract the earliest N request messages without a response message as suspected abnormal request messages;
when no error information exists, the first time cannot be determined, and no request message with only a request packet and no response packet exists, obtain the second time, at which local resolution failed, and extract the N request packets after the second time as suspected abnormal request messages.
4. Send the suspected abnormal request messages to the DNS process that exited abnormally, and check whether each data packet in the suspected abnormal request messages causes the DNS process to exit abnormally;
5. Mark each data packet that causes the DNS process to exit abnormally as an abnormal request packet.
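The screening rules of item 3 above, written out over a small capture as an added example that is not part of the patent text. The Pkt record, the pairing of requests to responses by (client, transaction ID), the fall-through for cases the text does not spell out, and the sample capture are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Pkt:
    ts: float          # capture timestamp in seconds
    client: str        # address of the querying client
    txid: int          # DNS transaction ID
    is_response: bool  # False = request packet, True = response packet


def select_suspects(packets: List[Pkt], first_time: Optional[float] = None,
                    second_time: Optional[float] = None, n: int = 2) -> List[Pkt]:
    """Return the suspected abnormal request messages from a capture.

    first_time  -- time of the error information logged at process exit, if any
    second_time -- time at which local resolution failed, if known
    """
    requests = sorted((p for p in packets if not p.is_response), key=lambda p: p.ts)
    answered = {(p.client, p.txid) for p in packets if p.is_response}
    # Requests that have only a request packet and no response packet.
    unanswered = [p for p in requests if (p.client, p.txid) not in answered]

    if first_time is None:
        if unanswered:
            # No error information: earliest N requests without a response.
            return unanswered[:n]
        if second_time is None:
            return []
        # Nothing unanswered either: N requests after the local resolution failure.
        return [p for p in requests if p.ts > second_time][:n]

    before = [p for p in requests if p.ts < first_time]
    if before and unanswered and unanswered[0] == before[-1]:
        # The last request before the error is also the first unanswered one.
        return [before[-1]]

    # First unanswered request lies after the error time (or, as an assumption
    # of this example, any other mismatch): widen to the last N requests before
    # the error plus the earliest N unanswered requests, without duplicates.
    return list(dict.fromkeys(before[-n:] + unanswered[:n]))


def txids(pkts: List[Pkt]) -> List[int]:
    return [p.txid for p in pkts]


# Constructed sample capture: two answered queries, then one with no response.
CAPTURE = [
    Pkt(10.000, "192.0.2.10", 0x1A01, False), Pkt(10.001, "192.0.2.10", 0x1A01, True),
    Pkt(10.200, "192.0.2.11", 0x2B02, False), Pkt(10.201, "192.0.2.11", 0x2B02, True),
    Pkt(10.500, "192.0.2.12", 0x3C03, False),
]

if __name__ == "__main__":
    for label, kwargs in [("error logged at 10.6", {"first_time": 10.6}),
                          ("error logged at 10.4", {"first_time": 10.4}),
                          ("no error information", {})]:
        print(label, [hex(t) for t in txids(select_suspects(CAPTURE, **kwargs))])
```

Each returned request still has to be replayed against the DNS process (items 4 and 5) before it is marked as an abnormal request packet; the screening only narrows the replay set.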
Preferably, before the packet capture operation, the working status of the DNS servers in the current network can first be confirmed; when too many DNS servers are performing fault detection packet capture, packet capture is temporarily not performed on this DNS server, to safeguard normal services. Specifically:
1. Obtain from the central server the list of DNS servers that have currently started packet capture.
2. When the number of name server (NS) records corresponding to the DNS servers that have started packet capture exceeds a preset packet capture threshold, do not start packet capture on this DNS server. The packet capture threshold can be set according to network load.
3. When the number of name server (NS) records corresponding to the DNS servers that have started packet capture does not exceed the preset packet capture threshold, start packet capture on this DNS server and notify the central server that this DNS server has started packet capture, prompting the central server to update the list of DNS servers that have started packet capture.
Preferably, after packet capture starts, the working state of the DNS server on which the abnormal DNS process exit occurred can also continue to be checked in parallel, and whether packet capture needs to continue is decided from the check result. Specifically:
1. At every preset verification period, send a request to this DNS server to confirm whether a resolution result can be obtained normally;
2. When the resolution result can be obtained normally, determine that the DNS process has not exited abnormally again, and continue packet capture;
3. When the resolution result cannot be obtained normally, determine that the DNS process has exited abnormally again, and start the analysis to obtain the suspected abnormal request messages.
Step 103: compare the abnormal request packet with the standard normal data packet, and determine the problem service unit in the abnormal request packet.
This step specifically includes:
(1) obtain each minimal service unit in the abnormal request packet;
(2) select one minimal service unit in the abnormal request packet and use it to replace the corresponding minimal service unit in the standard normal data packet, obtaining a recombined request packet;
(3) send the recombined request packet to the DNS software;
(4) when the DNS software exits after receiving the recombined request packet, determine that the minimal service unit selected in step (2) is a problem service unit;
(5) repeat steps (1)-(4) until all minimal service units in the abnormal request packet have been traversed;
(6) analyze the at least one problem service unit determined, and obtain the unique feature rule of the abnormal packet, which uniquely matches the abnormal request packet.
Step 104: send an analysis report.
In this embodiment of the invention, the analysis report carries at least any one or more of the following items of information:
the abnormal request packet, the problem service unit, the DNS software version in which the abnormality occurred, the version difference document (changelog), and the unique feature rule of the abnormal packet.
According to the unique feature rule of the abnormal packet, request packets that match the rule can be filtered out and intercepted, which effectively prevents new abnormalities from occurring.
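The substitution loop of step 103 and the interception rule it yields, as an added example that is not part of the patent text. Treating each header field and each question field of a single-question query as one minimal service unit is an assumption of this example, and toy_dns_exits is a constructed stand-in for "send the packet to the DNS software under test and observe whether the process exits".

```python
import struct
from typing import Callable, Dict, List

HEADER_FIELDS = ("id", "flags", "qdcount", "ancount", "nscount", "arcount")


def build_query(txid: int, name: str, qtype: int, qclass: int = 1,
                flags: int = 0x0100) -> bytes:
    """Build a single-question DNS query (used only to make sample input)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return (struct.pack("!6H", txid, flags, 1, 0, 0, 0) + qname + b"\x00"
            + struct.pack("!2H", qtype, qclass))


def split_units(pkt: bytes) -> Dict[str, bytes]:
    """Split a single-question query into ordered minimal units (assumed granularity)."""
    if len(pkt) < 12:
        raise ValueError("shorter than a DNS header")
    units = {n: pkt[2 * i:2 * i + 2] for i, n in enumerate(HEADER_FIELDS)}
    pos = 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[pos]
        if length & 0xC0:
            raise ValueError("compressed or extended label not handled here")
        pos += 1 + length
        if length == 0:
            break
    if pos + 4 > len(pkt):
        raise ValueError("truncated question section")
    units["qname"] = pkt[12:pos]
    units["qtype"] = pkt[pos:pos + 2]
    units["qclass"] = pkt[pos + 2:pos + 4]
    units["trailer"] = pkt[pos + 4:]  # anything after the question, e.g. additional records
    return units


def locate_problem_units(abnormal: bytes, baseline: bytes,
                         exits: Callable[[bytes], bool]) -> List[str]:
    """Substitute one unit of the abnormal packet at a time into the baseline."""
    bad, base = split_units(abnormal), split_units(baseline)
    problems = []
    for name, value in bad.items():
        if value == base[name]:
            continue  # recombined packet would equal the known-good baseline
        trial = dict(base)
        trial[name] = value
        if exits(b"".join(trial.values())):  # dict order is wire order
            problems.append(name)
    return problems


def feature_rule(abnormal: bytes, problems: List[str]) -> Dict[str, bytes]:
    units = split_units(abnormal)
    return {name: units[name] for name in problems}


def matches_rule(pkt: bytes, rule: Dict[str, bytes]) -> bool:
    """True when every problem unit in the rule appears unchanged in pkt."""
    try:
        units = split_units(pkt)
    except ValueError:
        return False  # this rule only describes packets the splitter can parse
    return bool(rule) and all(units[k] == v for k, v in rule.items())


def toy_dns_exits(pkt: bytes) -> bool:
    # Constructed stand-in for the software under test: it "exits" on one
    # arbitrary private-use QTYPE value chosen for this example.
    return split_units(pkt)["qtype"] == b"\xff\x01"


# Constructed sample packets.
BASELINE = build_query(0x0001, "www.example.com", 1)
ABNORMAL = build_query(0x04D2, "a.example.test", 0xFF01, flags=0x0120)
PROBLEMS = locate_problem_units(ABNORMAL, BASELINE, toy_dns_exits)
RULE = feature_rule(ABNORMAL, PROBLEMS)

if __name__ == "__main__":
    print("problem units:", PROBLEMS)
    print("rule:", {k: v.hex() for k, v in RULE.items()})
```

Substituting one unit at a time finds faults that a single field triggers on its own; a fault that needs two fields together would return no problem units and needs pairwise substitution, which the patent text does not describe.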
Embodiment two of the invention is described below with reference to the drawings.
This embodiment of the invention provides a domain name system failure cause analysis device, whose structure is shown in Fig. 2 and includes:
a process monitoring module 201, configured to monitor a DNS process;
a packet capture module 202, configured to start packet capture and capture the abnormal request packet when the DNS process exits abnormally;
a fault analysis and localization module 203, configured to compare the abnormal request packet with a standard normal data packet and determine the problem service unit in the abnormal request packet.
Preferably, the structure of the fault analysis and localization module 203 is shown in Fig. 3 and includes:
a packet splitting unit 301, configured to obtain each minimal service unit in the abnormal request packet;
a recombination unit 302, configured to select one minimal service unit in the abnormal request packet and use it to replace the corresponding minimal service unit in the standard normal data packet, obtaining a recombined request packet;
a request packet sending unit 303, configured to send the recombined request packet to the DNS software;
an abnormality determination unit 304, configured to determine, when the DNS software exits after receiving the recombined request packet, that the minimal service unit selected by the recombination unit is a problem service unit;
a rule generation unit 305, configured to control the packet splitting unit, the recombination unit, the request packet sending unit and the abnormality determination unit to repeat the detection of problem service units until all minimal service units in the abnormal request packet have been traversed, and to analyze the at least one problem service unit determined to obtain the unique feature rule of the abnormal packet, which uniquely matches the abnormal request packet.
Preferably, the structure of the process monitoring module 201 is shown in Fig. 4 and includes:
an exit monitoring unit 401, configured to monitor whether a DNS process exit occurs;
a log analysis unit 402, configured to, when a DNS process exit is detected:
filter the operation log, and/or
filter the system log and/or the error log;
an abnormality determination unit 403, configured to, when filtering the operation log finds an abnormal operation, and/or
when filtering the system log and/or the error log finds error information indicating an abnormal DNS process exit,
determine that an abnormal DNS process exit has occurred.
Preferably, the structure of the packet capture module 202 is shown in Fig. 5 and includes:
a first capture unit 501, configured to capture data packets, the data packets including request packets and response packets;
an error information parsing unit 502, configured to filter the system log and the error log to obtain the first time, i.e. the time of the error information logged when the DNS process exited;
a suspected abnormal request message filtering unit 503, configured to analyze the request messages before the first time and screen out the suspected abnormal request messages;
an abnormality verification unit 504, configured to send the suspected abnormal request messages to the DNS process that exited abnormally and check whether each data packet in the suspected abnormal request messages causes the DNS process to exit abnormally;
an abnormal request packet determination unit 505, configured to mark each data packet that causes the DNS process to exit abnormally as an abnormal request packet.
Embodiment three of the invention is described below with reference to the drawings.
This embodiment of the invention provides a DNS failure cause analysis method that determines whether the DNS software has exited abnormally because of a suspected abnormal DNS request message. After an abnormal process exit is found, a packet capture program is started automatically while DNS availability is probed, and the failure cause is found automatically by an exhaustive method, providing a basis for subsequent emergency handling that discards the abnormal packet and for localization of the failure cause. It can reduce the abnormal packet confirmation time by 90% and the cause localization time by more than 95%.
The flow of fault localization in this embodiment of the invention is as follows:
1. Determine that a DNS abnormality has occurred and that the conditions for packet capture analysis are met:
i. Monitoring finds that the DNS process has exited, and the monitoring program triggers the packet capture determination;
ii. Perform the packet capture condition determination: confirm whether the DNS process exit is abnormal; if it is an abnormal exit, continue the determination; if it is determined to be a normal exit, no further packet capture condition determination or packet capture is performed. The determination method is:
a. Filter the operation log; if there is an abnormal operation, such as restart, stop or killing the process, the exit is regarded as a normal exit; otherwise continue the determination;
b. Filter the system log and the error log; if the specified error information for an abnormal process exit is present, the exit is regarded as abnormal and the determination continues to the next step; otherwise it is regarded as a normal exit;
iii. Determine the number of DNS servers that have currently started packet capture; if the DNS servers corresponding to more NSs than the packet capture threshold have already started packet capture, the next packet capture operation is not continued; if the packet capture threshold has not been reached, the next step of capturing suspected abnormal messages is performed. The packet capture threshold may be set to half of the number of NSs.
a. Before starting packet capture, each DNS server queries the central server for the proportion of DNS servers that have already started packet capture;
b. If the proportion is confirmed not to exceed half, the packet capture step continues and a message is sent to the central server stating that this DNS server has started the packet capture step;
c. The central server updates the list of DNS servers that have started the packet capture step and calculates the new proportion.
2. Capture suspected abnormal messages:
i. Start the packet capture program, capture request packets and response packets (UDP and TCP) on the bind service port, and retain the most recent 3 min of capture results;
ii. At every preset verification period (for example 1 millisecond), send a request to this DNS server to confirm whether a resolution result can be obtained normally. If the resolution result can be obtained, the process on this machine has not exited abnormally again, and packet capture continues; if resolution fails, the process on this machine has exited abnormally again, so packet capture stops and the suspected abnormal request message analysis is performed;
iii. Filter the system log and the error log to obtain the first time, i.e. the time of the error information logged at exit. In the captured data packets, confirm whether the last request message before this first time is the first message that has only a request packet and no response packet; if so, this message is regarded as the suspected abnormal request message; if no data packet matches, continue confirming;
iv. If error information exists but the first message found that has only a request packet and no response packet does not match the error information (no message with only a request packet and no response packet exists before the first time), obtain the last N messages before the first time (messages just before and after the first time at which the error occurred are more likely to contain the suspected abnormal request message) and the earliest N request messages without a response message, and regard them as suspected abnormal request messages; if no data packet matches, continue confirming;
V. if there is no error information, then by earliest N number of request message without response packet voice, regard as doubtful Exception request message;
Vi. the request message if there is no error information and without response message, then obtain local parsing failure when Between, it is doubtful exception request message in last N number of request bag of parsing Time To Failure.The parsing Time To Failure is to solve twice The interval time of analysis, when in the absence of error information, there is the possibility of doubtful exception request message in parsing Time To Failure It is larger.
Wherein, N is positive integer, is experience Configuration Values.
3rd, exception request bag is confirmed:
I. the entire packet of doubtful exception request message and crawl, including request bag and response bag are obtained;
Ii. the DNS for being sent to institute's subject to confirmation by giving out a contract for a project program by the packet of doubtful exception request message successively is soft Part (being probably the different old versions of multiple DNS softwares for being distributed in different platform or same DNS softwares), and sentence Whether fixed each packet can influence the DNS processes of online service, cause DNS process exceptions to exit, if can cause exception Exit, then it is exception request bag to confirm this packet, and obtain all DNS software versions exits situation;If it will not lead Cause process exception to exit, then continue in next step;The packet typically sent is request bag.
Iii. obtain crawl packet in all request messages, by program of giving out a contract for a project by doubtful exception request message successively The DNS softwares of institute's subject to confirmation are sent to, and judge whether each packet can influence the DNS software anomalys of online service and move back Go out, if can cause to exit, it is exception request bag to confirm this packet, and obtain all DNS software versions exits feelings The changelog of condition and DNS software versions;If will not cause process exception to exit, send a warning message to keeper, carry Abnormal data bag can not be obtained, it is necessary to manpower intervention by showing.
4th, confirmation request bag causes the reason for abnormal:
I. exception request bag is obtained;
Ii. log-on data package-restructuring program, the information of each minimal service unit of exception request bag is obtained, and one by one Corresponding informance in standard normal data packet is replaced;Restructuring request bag after replacement is sent to DNS softwares, judgement is No that DNS process exceptions can be caused to exit, minimal service unit corresponding to the restructuring request bag that can cause to exit extremely is problem Business unit, recording-related information;If all normal, send a warning message to keeper, send abnormal data bag, carry Abnormal cause can not be obtained, it is necessary to manpower intervention by showing.
Minimal service unit includes the different types of message information in packet, includes but is not limited to:IP, request domain Name, record type, flags, protocol information, edns0, DNSSEC etc..That is, can be according to the angular divisions minimum industry of above- mentioned information Business unit.
Iii. the request bag in exception request bag and normal data parcel, the packet locally captured are subjected to feature point Analysis, analyze can unique match into abnormal data bag abnormal bag unique features rule;Normal data parcel is daily accumulation The packet content that can normally handle.
5th, analysis report is sent:
At least carried in analysis report any or any multinomial in following information:
Abnormal data bag, problem business unit, the DNS software versions that exception occurs and changelog, abnormal bag are unique special Sign rule.
Analysis report can report the system unit for being exclusively used in recording failure analysis result, can also be transmitted directly to manage Member, to send alarm to keeper, keeper is reminded to carry out failture evacuation.
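The suspect-selection branches of step 2 (iii to vi) can be written as one triage function over a capture. The following is an added example, not code from the patent; the `Request` record, `select_suspects`, and the sample captures are constructed for illustration, and step vi is read here as "the last N requests up to the resolution failure time".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    ts: float        # capture timestamp in seconds
    qid: int         # DNS message ID (unique in these constructed captures)
    answered: bool   # True when a matching response packet was captured


def select_suspects(capture: List[Request],
                    first_error_ts: Optional[float],
                    parse_failure_ts: Optional[float],
                    n: int) -> Tuple[str, List[Request]]:
    """Return (branch applied, suspected abnormal requests) per steps 2.iii-2.vi."""
    if n < 1:
        raise ValueError("N must be a positive integer")
    reqs = sorted(capture, key=lambda r: r.ts)
    unanswered = [r for r in reqs if not r.answered]

    if first_error_ts is not None:
        before = [r for r in reqs if r.ts <= first_error_ts]
        # 2.iii: the last request before the logged error is also the first
        # request that never received a response -> a single suspect.
        if before and unanswered and before[-1] == unanswered[0]:
            return "iii", [before[-1]]
        # 2.iv: error logged, but the capture does not line up with it ->
        # last N requests before the error plus the earliest N unanswered.
        merged = before[-n:] + unanswered[:n]
        return "iv", list(dict.fromkeys(merged))   # de-duplicate, keep order

    # 2.v: no error information -> earliest N unanswered requests.
    if unanswered:
        return "v", unanswered[:n]

    # 2.vi: no error information and every request was answered -> fall back
    # to the last N requests up to the local resolution-failure time.
    if parse_failure_ts is None:
        return "none", []
    before = [r for r in reqs if r.ts <= parse_failure_ts]
    return "vi", before[-n:]


def demo() -> Dict[str, Tuple[str, List[Request]]]:
    """Exercise all four branches on small constructed captures."""
    r = Request
    return {
        "iii": select_suspects(
            [r(1.0, 11, True), r(2.0, 12, True), r(3.0, 13, False)], 3.2, None, 2),
        "iv": select_suspects(
            [r(1.0, 21, True), r(2.0, 22, False), r(3.0, 23, True)], 3.5, None, 2),
        "v": select_suspects(
            [r(1.0, 31, True), r(2.0, 32, False), r(3.0, 33, False)], None, None, 1),
        "vi": select_suspects(
            [r(1.0, 41, True), r(2.0, 42, True), r(3.0, 43, True)], None, 2.5, 2),
    }


if __name__ == "__main__":
    for name, (branch, suspects) in demo().items():
        print(name, branch, [s.qid for s in suspects])
```

Whatever the branch, the returned list is only a candidate set: step 3 still has to replay each candidate against a test instance before it is confirmed as the abnormal request packet.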
The embodiments of the invention provide a DNS failure cause analysis method and device. The DNS process is monitored; when the DNS process is found to have exited abnormally, the abnormal request packet that caused the abnormal exit is captured first, and then the minimal service unit that causes the exception is further located within the abnormal request packet. This achieves automatic and accurate fault localization by the system and solves the problems of low efficiency, high labor cost, and poor accuracy caused by manual capture and manual failure judgment. It reduces the abnormal packet confirmation time by 90% and the localization time by 95%.
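The unit-by-unit substitution of step 4 and the derivation of a unique feature rule can be sketched as follows. This is an added example, not code from the patent: packets are modelled as dictionaries with one key per minimal service unit, all sample values are constructed, and `simulated_dns_exits` is a hypothetical stand-in (with an invented trigger condition) for replaying a recombined packet against an isolated test instance of the DNS software and checking whether the process exited.

```python
from typing import Callable, Dict, List, Optional

Packet = Dict[str, object]   # one entry per minimal service unit

# Constructed sample data: a standard normal packet, the captured abnormal
# request, and a small set of packets known to be handled normally.
BASELINE: Packet = {"src_ip": "192.0.2.10", "qname": "www.example.com.",
                    "qtype": "A", "flags": 0x0100, "protocol": "udp",
                    "edns0": None, "dnssec_ok": False}
ABNORMAL: Packet = {"src_ip": "198.51.100.7", "qname": "x.example.net.",
                    "qtype": "TXT", "flags": 0x0100, "protocol": "udp",
                    "edns0": {"udp_size": 4096, "options": [65001]},
                    "dnssec_ok": True}
NORMAL_CORPUS: List[Packet] = [
    BASELINE,
    {"src_ip": "203.0.113.5", "qname": "mail.example.org.", "qtype": "TXT",
     "flags": 0x0100, "protocol": "udp",
     "edns0": {"udp_size": 1232, "options": []}, "dnssec_ok": True},
]


def simulated_dns_exits(pkt: Packet) -> bool:
    """Hypothetical oracle: True if the test instance exited on this packet.
    The trigger (EDNS0 option code 65001) is invented for the example."""
    edns = pkt["edns0"]
    return bool(edns) and 65001 in edns["options"]


def locate_problem_units(abnormal: Packet, baseline: Packet,
                         exits: Callable[[Packet], bool]) -> List[str]:
    """Substitute one unit at a time into the baseline and replay it."""
    problem = []
    for unit, value in abnormal.items():
        if baseline.get(unit) == value:
            continue   # recombined packet would equal the baseline itself
        recombined = dict(baseline)
        recombined[unit] = value
        if exits(recombined):
            problem.append(unit)
    return problem


def rule_matches(rule: Packet, pkt: Packet) -> bool:
    return all(pkt.get(unit) == value for unit, value in rule.items())


def build_rule(abnormal: Packet, units: List[str],
               normal_corpus: List[Packet]) -> Optional[Packet]:
    """Feature rule from the problem units; rejected if it is not unique,
    that is, if it would also match a packet that is handled normally."""
    rule = {unit: abnormal[unit] for unit in units}
    if any(rule_matches(rule, p) for p in normal_corpus):
        return None
    return rule


def analyse(abnormal: Packet, baseline: Packet, normal_corpus: List[Packet],
            exits: Callable[[Packet], bool]) -> Dict[str, object]:
    units = locate_problem_units(abnormal, baseline, exits)
    if not units:
        # No single unit reproduces the exit (for instance, two units must
        # combine): the flow raises an alarm for manual intervention.
        return {"status": "manual", "problem_units": [], "rule": None}
    return {"status": "located", "problem_units": units,
            "rule": build_rule(abnormal, units, normal_corpus)}


if __name__ == "__main__":
    print(analyse(ABNORMAL, BASELINE, NORMAL_CORPUS, simulated_dns_exits))
```

The `manual` result is the case the flow handles by alerting the administrator: single-unit substitution cannot isolate an exit that depends on two units being present together.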
The descriptions above can be implemented individually or combined in various ways, and these variants all fall within the protection scope of the present invention.
Finally, it should be noted that the above embodiments merely illustrate the technical solutions of the present invention and do not limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that they may still modify the technical solutions described in the foregoing embodiments, or make equivalent substitutions for some of the technical features, and that such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (13)

  1. A domain name system failure cause analysis method, characterized by comprising:
    monitoring the domain name system (DNS) process;
    when the DNS process exits abnormally, starting packet capture and capturing the abnormal request packet;
    comparing the abnormal request packet with a standard normal packet, and determining the problem service unit in the abnormal request packet.
  2. The domain name system failure cause analysis method according to claim 1, characterized in that the step of comparing the abnormal request packet with the standard normal packet and determining the problem service unit in the abnormal request packet comprises:
    (1) obtaining each minimal service unit in the abnormal request packet;
    (2) selecting one minimal service unit in the abnormal request packet and substituting it for the corresponding minimal service unit in the standard normal packet, obtaining a recombined request packet;
    (3) sending the recombined request packet to the DNS software;
    (4) when the DNS software exits after receiving the recombined request packet, determining that the minimal service unit selected in step (2) is a problem service unit;
    (5) repeating steps (1)-(4) until all minimal service units in the abnormal request packet have been traversed;
    (6) analyzing the at least one determined problem service unit to obtain an abnormal-packet unique feature rule that uniquely matches the abnormal request packet.
  3. The domain name system failure cause analysis method according to claim 1, characterized in that the step of monitoring the DNS process comprises:
    monitoring whether a DNS process exit occurs;
    when a DNS process exit is detected:
    filtering the operation log, and/or
    filtering the system log and/or the error log;
    when filtering the operation log finds an abnormal operation, and/or
    when filtering the system log and/or the error log finds error information indicating that the DNS process exited abnormally,
    determining that an abnormal exit of the DNS process has occurred.
  4. The domain name system failure cause analysis method according to claim 1, characterized in that the step of starting packet capture and capturing the abnormal request packet when the DNS process exits abnormally comprises:
    capturing packets, the packets including request packets and response packets;
    filtering the system log and the error log to obtain the first time of the error information produced when the DNS process exited;
    analyzing the request messages before the first time and screening out the suspected abnormal request messages;
    sending the suspected abnormal request messages to the DNS process that exited abnormally, and detecting whether each packet in the suspected abnormal request messages causes the DNS process to exit abnormally;
    marking a packet that causes the DNS process to exit abnormally as the abnormal request packet.
  5. The domain name system failure cause analysis method according to claim 4, characterized in that the step of analyzing the request messages before the first time and screening out the suspected abnormal request messages comprises:
    when the last request message before the first time is the first message before the first time that has only a request packet and no response packet, extracting that request message as the suspected abnormal request message;
    when the first request message that has only a request packet and no response packet is after the first time, extracting respectively the last N request messages before the first time and the earliest N request messages that have only a request packet and no response packet as suspected abnormal request messages, N being a positive integer;
    when no error information exists and the first time cannot be determined, extracting the earliest N request messages that have no response message as suspected abnormal request messages;
    when no error information exists, the first time cannot be determined, and no request message exists that has only a request packet and no response packet, obtaining a second time of local resolution failure and extracting the N request packets after the second time as suspected abnormal request messages.
  6. The domain name system failure cause analysis method according to claim 4, characterized in that, before the step of capturing packets, the method further comprises:
    obtaining from the central server the list of DNS servers that have currently enabled packet capture;
    when the number of name server records (NS) corresponding to the DNS servers that have enabled packet capture exceeds the preset packet capture threshold, not starting the packet capture operation of this DNS server;
    when the number of name server records (NS) corresponding to the DNS servers that have enabled packet capture does not exceed the preset packet capture threshold, starting the packet capture operation of this DNS server and notifying the central server that this DNS server has enabled packet capture, prompting the central server to update the list of DNS servers that have enabled packet capture.
  7. The domain name system failure cause analysis method according to claim 4, characterized in that, after the step of capturing packets, the method further comprises:
    at every preset verification period, sending a request to this DNS server and confirming whether a resolution result is obtained normally;
    when a resolution result can be obtained normally, determining that the DNS process has not exited abnormally again, and continuing packet capture;
    when a resolution result cannot be obtained normally, determining that the DNS process has exited abnormally again, and starting the analysis to obtain the suspected abnormal request messages.
  8. The domain name system failure cause analysis method according to claim 2, characterized in that, after the step of comparing the abnormal request packet with the standard normal packet and determining the problem service unit in the abnormal request packet, the method further comprises:
    sending an analysis report, the analysis report carrying at least any one or more of the following items of information:
    the abnormal request packet, the problem service unit, the DNS software version in which the exception occurs and the version difference file changelog, and the abnormal-packet unique feature rule.
  9. The domain name system failure cause analysis method according to claim 2, characterized in that, after the step of comparing the abnormal request packet with the standard normal packet and determining the problem service unit in the abnormal request packet, the method further comprises:
    intercepting request packets that match the abnormal-packet unique feature rule.
  10. A domain name system failure cause analysis device, characterized by comprising:
    a process monitoring module, for monitoring the DNS process;
    a packet capture module, for starting packet capture and capturing the abnormal request packet when the DNS process exits abnormally;
    a failure analysis and localization module, for comparing the abnormal request packet with a standard normal packet and determining the problem service unit in the abnormal request packet.
  11. The domain name system failure cause analysis device according to claim 10, characterized in that the failure analysis and localization module comprises:
    a packet splitting unit, for obtaining each minimal service unit in the abnormal request packet;
    a recombination unit, for selecting one minimal service unit in the abnormal request packet and substituting it for the corresponding minimal service unit in the standard normal packet, obtaining a recombined request packet;
    a request packet sending unit, for sending the recombined request packet to the DNS software;
    an abnormality determination unit, for determining, when the DNS software exits after receiving the recombined request packet, that the minimal service unit selected by the recombination unit is a problem service unit;
    a rule generating unit, for controlling the packet splitting unit, the recombination unit, the request packet sending unit, and the abnormality determination unit to repeat the detection of problem service units until all minimal service units in the abnormal request packet have been traversed, and for analyzing the at least one determined problem service unit to obtain an abnormal-packet unique feature rule that uniquely matches the abnormal request packet.
  12. The domain name system failure cause analysis device according to claim 10, characterized in that the process monitoring module comprises:
    an exit monitoring unit, for monitoring whether a DNS process exit occurs;
    a log analysis unit, for, when a DNS process exit is detected:
    filtering the operation log, and/or
    filtering the system log and/or the error log;
    an abnormality determination unit, for, when filtering the operation log finds an abnormal operation, and/or
    when filtering the system log and/or the error log finds error information indicating that the DNS process exited abnormally,
    determining that an abnormal exit of the DNS process has occurred.
  13. The domain name system failure cause analysis device according to claim 10, characterized in that the packet capture module comprises:
    a first capture unit, for capturing packets, the packets including request packets and response packets;
    an error information parsing unit, for filtering the system log and the error log to obtain the first time of the error information produced when the DNS process exited;
    a suspected abnormal request message filtering unit, for analyzing the request messages before the first time and screening out the suspected abnormal request messages;
    an abnormality verification unit, for sending the suspected abnormal request messages to the DNS process that exited abnormally and detecting whether each packet in the suspected abnormal request messages causes the DNS process to exit abnormally;
    an abnormal request packet determination unit, for marking a packet that causes the DNS process to exit abnormally as the abnormal request packet.
CN201710766110.2A 2017-08-30 2017-08-30 A kind of domain name system failure cause analysis method and device Active CN107769957B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710766110.2A CN107769957B (en) 2017-08-30 2017-08-30 A kind of domain name system failure cause analysis method and device

Publications (2)

Publication Number Publication Date
CN107769957A true CN107769957A (en) 2018-03-06
CN107769957B CN107769957B (en) 2018-07-06

Family

ID=61265906

Country Status (1)

Country Link
CN (1) CN107769957B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: 100015 5 floor, block E, 201 IT tower, electronic city, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee after: Guizhou Baishan cloud Polytron Technologies Inc

Address before: 100015 5 floor, block E, 201 IT tower, electronic city, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: Guizhou white cloud Technology Co., Ltd.