CN110581842A - DNS request processing method and server - Google Patents


Info

Publication number: CN110581842A
Authority: CN (China)
Prior art keywords: domain name, requested, dns request, dns, state
Legal status: Granted (Google's assumption, not a legal conclusion)
Application number: CN201910763346.XA
Other languages: Chinese (zh)
Other versions: CN110581842B (en)
Inventors: 赵效存, 刘红燕
Current assignee: Wangsu Science and Technology Co Ltd
Original assignee: Wangsu Science and Technology Co Ltd

Events:
Application filed by Wangsu Science and Technology Co Ltd
Priority to CN201910763346.XA
Publication of CN110581842A
Application granted
Publication of CN110581842B
Legal status: Active


Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/45 Network directories; Name-to-address mapping > H04L61/4505 using standardised directories; using standardised directory access protocols > H04L61/4511 using domain name system [DNS]
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1408 by monitoring network traffic > H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/00 > H04L63/14 > H04L63/1408 by monitoring network traffic > H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/00 > H04L63/14 for detecting or protecting against malicious traffic > H04L63/1441 Countermeasures against malicious traffic

Abstract

The embodiments of the invention relate to the technical field of the Internet and disclose a DNS request processing method and a server. The DNS request processing method comprises the following steps: when a DNS request is received, if the DNS request falls within a preset statistical period, enter a determining step; the determining step comprises, while responding to the DNS request, increasing the request number of the domain name matched with the domain name to be requested in the DNS request according to a first preset mode, and, when the statistical period ends, determining the state of each domain name at least according to the request number of each domain name; and if the statistical period has already ended, responding to the DNS request according to the state of the domain name to be requested that was determined in the statistical period. According to the invention, the attacked domain name can be determined in advance, so that when the DNS server receives an attack on a fixed domain name, the attacked domain name is defended promptly and the responses for domain names that are not under attack are not affected.

Description

DNS request processing method and server
Technical Field
The embodiments of the invention relate to the technical field of the Internet, in particular to a DNS request processing method and a server.
Background
The Domain Name System (DNS) is a system that resolves a host domain name or e-mail address, which is convenient for people to remember, into an IP address that a computer can recognise; it is a distributed database in which the domain name entered by a user is converted into an IP address by a dedicated DNS server. A DNS server can judge whether it is under attack from the total number of requests received per unit of time, so that it can protect itself when attacked.
The inventors found that the prior art has at least the following problem: when the DNS server is attacked, it applies its protection, for example degrading or discarding requests, to all requests for the domain names it manages, which is likely to cause false positives and affect the responses to normal requests.
Disclosure of Invention
The embodiments of the present invention provide a method and a server for processing DNS requests, which can determine the attacked domain name in advance, so that when a DNS server receives an attack on a fixed domain name, the attacked domain name is defended promptly and the responses for domain names that are not under attack are not affected.
In order to solve the above technical problem, an embodiment of the present invention provides a method for processing a DNS request, which is applied to a server, and the method includes: when a DNS request is received, if the DNS request is in a preset statistical period, entering a determining step; the determining step comprises the steps of increasing the number of requests of domain names matched with domain names to be requested in the DNS request according to a first preset mode when responding to the DNS request; when the counting period is finished, determining the state of each domain name at least according to the request number of each domain name; and if the counting period is finished, responding to the DNS request according to the state of the domain name to be requested determined in the counting period.
An embodiment of the present invention further provides a server, including: at least one processor; and a memory communicatively coupled to the at least one processor; the memory stores instructions executable by the at least one processor, and the instructions are executed by the at least one processor to enable the at least one processor to execute the DNS request processing method.
Compared with the prior art, the method and the server have the following advantages: for each DNS request received in the statistical period, the request number of the domain name matched with the domain name to be requested is increased according to the first preset mode while the DNS request is responded to, and the state of each domain name is determined at least according to the request number of each domain name when the statistical period ends; that is, the attacked domain name is determined in advance, during the statistical period. Therefore, after the statistical period has ended, a received DNS request can be responded to according to the state, determined in the statistical period, of the domain name to be requested, so that when the DNS server receives an attack on a fixed domain name, the attacked domain name is defended promptly and the responses for domain names that are not under attack are not affected. At the same time, counting the request quantity of the domain names managed by the server is made easier.
In addition, responding to the DNS request according to the state of the domain name to be requested determined in the statistical period comprises: judging whether the domain name to be requested is in the attacked state; and when it is, responding to the DNS request according to a second preset mode. This embodiment provides a specific implementation of responding to a DNS request according to the state of the domain name to be requested determined within the statistical period.
In addition, when the request number of the domain name matched with the domain name to be requested is increased according to the first preset mode, the method further includes: increasing, according to the first preset mode, the request number of the domain name area to which that domain name belongs. After determining the state of each domain name at least according to its request number, the method further comprises: for each domain name area, if every domain name corresponding to the domain name area is in the normal state, determining the state of the domain name area at least according to the request number of the domain name area; when the domain name to be requested is judged to be in the normal state, judging whether the domain name area to which it belongs is in the attacked state; and if so, responding to the DNS request according to a third preset mode. In this embodiment, counting the request number of each domain name area is added to the statistical period, so that whether each domain name area is under a random domain name attack is determined in advance; after the statistical period ends, a domain name area under random domain name attack can be defended, which reduces the impact of the random domain name attack on normal domain names.
In addition, the determining step further includes: determining the state of the server according to the number of DNS requests received in the statistical period; and before responding to the DNS request according to the state of the domain name to be requested determined in the statistical period, the method further comprises: judging whether the server is in the attacked state; and only if the server is in the attacked state, proceeding to respond to the DNS request according to the state of the domain name to be requested determined in the statistical period. In this embodiment, determination of the server state is added to the statistical period, so that after the statistical period ends the attacked domain name is defended only when the server itself is in the attacked state; if the server is in the normal state, all DNS requests are responded to. That is, DNS requests are responded to as far as the server's capacity allows, which reduces the probability of mistakenly blocking normal requests.
In addition, before responding to the DNS request according to the state of the domain name to be requested determined in the statistical period, the method further includes: judging whether the domain name to be requested is in a preset domain name white list; if it is, proceeding to respond to the DNS request according to the state of the domain name to be requested determined in the statistical period; and if it is outside the domain name white list, refusing to respond to the DNS request. In this embodiment, a domain name white list is preset in the DNS server and DNS requests for domain names outside the white list are not responded to at all, which defends well against random domain name attacks.
In addition, responding to the DNS request according to the second preset mode includes: determining whether to respond to the DNS request according to the number of DNS requests for the domain name to be requested that have already been responded to. This embodiment provides a specific implementation of responding to the DNS request according to the second preset mode, so that the probability of mistakenly blocking normal requests for the attacked domain name is reduced to some extent and the impact on normal users is reduced.
In addition, responding to the DNS request according to the third preset mode includes: determining whether to respond to the DNS request according to the number of DNS requests already responded to for the domain name area to which the domain name to be requested belongs. This embodiment provides a specific implementation of responding to the DNS request according to the third preset mode, so that the probability of mistakenly blocking normal requests in a domain name area under random domain name attack is reduced to some extent and the impact on normal users is reduced.
In addition, increasing, when responding to the DNS request, the request number of the domain name matched with the domain name to be requested according to the first preset mode includes: when the domain name to be requested belongs to any one of the domain name areas managed by the server, responding to the DNS request and judging whether any of the domain names corresponding to that domain name area matches the domain name to be requested; if none matches, adding a target domain name matched with the domain name to be requested to the domain names corresponding to that domain name area and increasing the request number of the added target domain name according to the first preset mode; and if one matches, increasing the request number of that domain name according to the first preset mode. This embodiment provides a specific implementation of increasing, when responding to the DNS request, the request number of the domain name matched with the domain name to be requested according to the first preset mode.
In addition, determining the state of each domain name at least according to its request number comprises: for each domain name, determining the state of the domain name according to the request number of the domain name and the number of DNS requests received in the statistical period. This embodiment provides a specific implementation of determining the state of each domain name based at least on its request number.
In addition, increasing the request number of the domain name matched with the domain name to be requested according to the first preset mode specifically means: adding a preset value to the current request number of that domain name to obtain its increased request number. This embodiment provides a specific implementation of increasing the request number of the domain name matched with the domain name to be requested according to the first preset mode.
In addition, the initial request number of each domain name is equal.
Drawings
One or more embodiments are illustrated by way of example in the accompanying drawings; like reference numerals refer to similar elements throughout the figures, and the drawings are not to scale unless otherwise specified.
Fig. 1 is a detailed flowchart of a method for processing a DNS request according to a first embodiment of the present invention;
Fig. 2 is a schematic diagram of a domain name tree according to a first embodiment of the present invention;
Fig. 3 is a detailed flowchart of a method for processing a DNS request according to a second embodiment of the present invention;
Fig. 4 is a schematic diagram of a domain name tree according to a second embodiment of the present invention;
Fig. 5 is a detailed flowchart of a method for processing a DNS request according to a third embodiment of the present invention;
Fig. 6 is a detailed flowchart of a DNS request processing method according to a fourth embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, embodiments of the present invention will be described in detail below with reference to the accompanying drawings. However, it will be appreciated by those of ordinary skill in the art that numerous technical details are set forth in order to provide a better understanding of the present application in various embodiments of the present invention. However, the technical solution claimed in the present application can be implemented without these technical details and various changes and modifications based on the following embodiments.
The first embodiment of the present invention relates to a method for processing a DNS request, which is applied to a server, and the server may be a single DNS server or a clustered DNS server.
Fig. 1 shows a specific flow of the DNS request processing method according to the present embodiment.
Step 101, when receiving a DNS request, determining whether the DNS request is within a preset statistical period. If yes, entering a determination step 102; if not, go to step 103.
Specifically, a user may send a DNS request to the DNS server through an electronic device. A statistical period is set in the DNS server, that is, statistics are gathered once every preset length of time; when the DNS request is determined to fall within the statistical period, the determining step 102 is performed; otherwise the statistical period has ended and step 103 is entered. The duration of the statistical period may be set as required, for example 1 s, 3 s or 10 s.
The determining step 102 comprises the following sub-steps:
Substep 1021: when responding to the DNS request, increasing the request number of the domain name matched with the domain name to be requested in the DNS request according to a first preset mode.
Specifically, the domain name zones (ZONEs) managed by the DNS server are preset inside the DNS server, and generally each DNS server manages a plurality of domain name zones. Each domain name zone may correspond to domain names or to further domain name zones, which are referred to as sub domain name zones; a sub domain name zone may in turn correspond to domain names or domain name zones, so that the domain names corresponding to each domain name zone managed by the DNS server can be obtained.
When the statistical period starts, an initial request number is generally preset for each domain name; the initial request numbers may be equal or unequal, and this embodiment and the following ones take the case where every domain name's initial request number is equal and set to 0. For each DNS request received in the statistical period, the DNS server parses the DNS request, obtains the domain name to be requested, and judges whether it belongs to a domain name area managed by the server; if it belongs to any of the managed domain name areas, the server responds to the DNS request and, while doing so, increases the request number of the domain name matched with the domain name to be requested according to the first preset mode. Specifically, the DNS server first judges whether a domain name matched with the domain name to be requested exists among the domain names corresponding to the domain name area to which the domain name to be requested belongs; if not, a target domain name matched with the domain name to be requested is added to the domain names of that domain name area and its request number is increased according to the first preset mode; if so, the request number of the matching domain name is increased according to the first preset mode.
The first preset mode may be that the current request number of the domain name is added with a preset value to serve as the increased request number of the domain name, but is not limited thereto, and the first preset mode may also be that the current request number of the domain name is multiplied by the preset value to serve as the increased request number of the domain name; it should be noted that, in this embodiment and the following embodiments, the first preset manner is to add a preset value to the current request number of the domain name, where the preset value is 1, and the current request number is taken as the increased request number of the domain name.
In this embodiment, the manner of counting the number of requests of each domain name in the counting period may be a domain name tree, a list, and the like, and this example and the following embodiments all use the manner of counting the number of requests of each domain name in the counting period by using the domain name tree as an example to describe in detail, specifically as follows:
Firstly, an initial domain name tree is created according to the domain name areas managed by the DNS server and the domain names corresponding to them. For example, the DNS server manages 4 domain name areas, example1.com, example2.com, example3.com and example4.com; example1.com has several sub domain name areas, each of which in turn corresponds to its own domain names or further sub domain name areas, and the other domain name areas likewise correspond to their own domain names. The initial domain name tree therefore consists of a root node, one child node for each domain name area managed by the server, and, under each of those, a node for each corresponding sub domain name area and domain name.
Secondly, the domain name tree is filled in (perfected). For each DNS request received in the statistical period, the request is parsed to obtain the domain name to be requested, and it is judged whether that domain name is managed by the local DNS server. If so, the domain name area to which it belongs is found among the domain name areas managed by the DNS server, all leaf nodes under that domain name area are traversed, and it is judged whether a leaf node named by the host part of the domain name to be requested exists, that is, whether a domain name matched with the domain name to be requested exists under that domain name area; if it exists, the QC (request count) of the leaf node corresponding to that domain name is increased by 1. If no matching domain name exists in the domain name area, a leaf node is added under the domain name area; it corresponds to the target domain name matched with the domain name to be requested, which is the domain name to be requested itself, and its QC is set to 1. If the domain name to be requested is not managed by the DNS server, the DNS server does not resolve it; instead a leaf node named "/" is created and its QC is set to 1. It should be noted that if no domain name outside the management of the DNS server is received in the first statistical period, the "/" leaf node may never have been created; in subsequent statistical periods, when a domain name to be requested is judged not to be managed by the DNS server, it is first checked whether a "/" leaf node exists under the root node: if so, its QC is increased by 1; otherwise a "/" leaf node is added under the root node with its QC set to 1.
Substep 1022: at the end of the statistical period, determining the state of each domain name based at least on the request number of each domain name.
Specifically, when the statistical period is over, the QC of the leaf node corresponding to each domain name is read from the domain name tree and used as the QC of that domain name, so that the state of each domain name can be determined from its QC. The state of a domain name has two possible values: the attacked state and the normal state.
In one example, for each domain name, the queries per second (QPS) of the domain name are calculated from its QC and the duration of the statistical period; a threshold is preset in the DNS server, and when the QPS of the domain name is greater than the preset threshold the domain name is judged to be in the attacked state, while when its QPS is less than or equal to the preset threshold it is judged to be in the normal state.
In another example, for each domain name, the state of the domain name is determined from its QC and the number of DNS requests received in the statistical period; specifically, the ratio of the QC of the domain name to the number of received DNS requests is calculated, a threshold is preset in the DNS server, and when the ratio is greater than the preset threshold the domain name is judged to be in the attacked state, while when the ratio is less than or equal to the preset threshold it is judged to be in the normal state. The number of DNS requests received in the statistical period is determined as follows: while the domain name tree is being filled in, whenever the QC of a leaf node is increased by 1 the QC of the root node is also increased by 1, so that when the statistical period ends the QC of the root node is the number of DNS requests received by the DNS server in that period.
If the initial request number of each domain name is not 0, the state of the domain name must be determined by combining its initial request number with the request number counted for it in the statistical period.
Step 103, responding to the DNS request according to the state of the domain name to be requested determined in the statistical period.
Specifically, for a DNS request received after the statistical period has ended, the DNS server parses the request, obtains the domain name to be requested, and judges whether it is managed by the local DNS server; if so, it looks up the state of the domain name to be requested among the states of the domain names determined in the statistical period and responds to the DNS request according to that state. For example, if the domain name to be requested is in the attacked state the DNS request is not responded to, and if it is in the normal state the DNS request is responded to.
Compared with the prior art, the method has the following advantages: for each DNS request received in the statistical period, the request number of the domain name matched with the domain name to be requested is increased according to the first preset mode while the DNS request is responded to, and the state of each domain name is determined at least according to the request number of each domain name when the statistical period ends; that is, the attacked domain name is determined in advance, during the statistical period. Therefore, after the statistical period has ended, a received DNS request can be responded to according to the state, determined in the statistical period, of the domain name to be requested, so that when the DNS server receives an attack on a fixed domain name, the attacked domain name is defended promptly and the responses for domain names that are not under attack are not affected. At the same time, counting the request quantity of the domain names managed by the server is made easier.
The second embodiment of the present invention relates to a method for processing a DNS request. This embodiment is an improvement on the first embodiment, the main improvement being that determination of the state of each domain name area is added to the statistical period.
Fig. 3 shows a specific flow of the DNS request processing method according to the present embodiment.
Step 201, when receiving a DNS request, determining whether the DNS request is within a preset statistical period. If yes, enter into determining step 202; if not, go to step 203.
Specifically, step 201 is substantially the same as step 101 in the first embodiment, and is not described herein again.
The determining step 202 comprises the following sub-steps:
In the substep 2021, when responding to the DNS request, the number of requests for the domain name matching the domain name to be requested in the DNS request is increased according to the first preset mode, and the number of requests for the domain name region to which the domain name matching the domain name to be requested belongs is increased according to the first preset mode.
Specifically, this sub-step is substantially the same as sub-step 1021 in the first embodiment, the main differences being the following. When the statistical period starts, an initial request number is also set for each domain name area, and the initial request numbers of the domain name areas may be equal or unequal. In addition, whenever 1 is added to the request number of the domain name matched with the domain name to be requested, 1 is also added to the request number of the domain name area to which that domain name belongs. In this embodiment the request numbers of the domain name and of the domain name area are increased in the same manner, but the invention is not limited to this; they may also be increased in different manners, for example by different values.
Continuing with the example in the first embodiment, when the initial domain name tree is created the initial request number of the node corresponding to each domain name area is also set to 0; while the domain name tree is being filled in, whenever the QC of a leaf node is increased by 1 the QC of its parent node and of its ancestor nodes is increased by 1 at the same time, so that the QC of the node corresponding to each domain name area is counted as well.
For example, during a statistical period, the DNS server receives DNS requests for the following domain names (the number of requests after the domain name):
a1.son1.example1.com 200
a2.son1.example1.com 210
b1.son2.example1.com 220
c1.example1.com 230
d1.example2.com 240
e1.example3.com 250
f1.example4.com 260
f2.g2.example4.com 270
h1.example5.com 80
h2.example5.com 90
The resulting domain name tree at the end of the statistical period is shown in Fig. 4.
Sub-step 2022: when the statistical period ends, determining the state of each domain name at least according to the request count of each domain name.
Sub-step 2023: for each domain name area, if every domain name corresponding to that domain name area is in the normal state, determining the state of the domain name area at least according to the request count of the domain name area.
Specifically, when the statistical period ends, the QC of each leaf node is traversed starting from the lowest layer of the domain name tree, and the state of each leaf node is determined from its QC. If a leaf node is in the attacked state, its parent node and ancestor nodes are marked; if it is in the normal state, the next leaf node is examined, until the states of all leaf nodes in that layer have been determined. If the layer above is not the root node, the process is repeated: the QC of each node in the layer above is traversed and its state obtained, until the layer above is the root node, at which point the traversal ends. In this way the state of every node, that is, the state of every domain name area and of every domain name, is obtained. Among the nodes belonging to the same parent node, if any node is in the attacked state, the state of the parent node is not determined. In other words, a domain name area corresponds to several domain names; if any of those domain names is in the attacked state, the domain name area is being attacked through a fixed domain name and its state is not determined further. Otherwise, all domain names corresponding to the domain name area are in the normal state, and the state of the domain name area is determined at least according to its request count, that is, it is determined whether the domain name area is under a random domain name attack.
The state of a domain name area may be determined in either of the following two ways. First, the queries per second (QPS) of the domain name area is calculated from the QC of the domain name area and the duration of the statistical period; a threshold is preset in the DNS server, and when the QPS of the domain name area is greater than the preset threshold, the domain name area is determined to be in the attacked state, that is, under a random domain name attack; when the QPS of the domain name area is less than or equal to the preset threshold, the domain name area is determined to be in the normal state. Second, the state of the domain name area is determined from the QC of the domain name area and the total number of DNS requests received in the statistical period: the ratio of the QC of the domain name area to the number of received DNS requests is calculated, a threshold is preset in the DNS server, and when the ratio is greater than the preset threshold, the domain name area is determined to be in the attacked state, that is, under a random domain name attack; when the ratio is less than or equal to the preset threshold, the domain name area is determined to be in the normal state.
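As an added illustration (not code from the patent or from the applicant), the following Python builds the domain name tree of the example above, propagates each QC increment to the zone nodes as in sub-step 2021, and performs the bottom-up state determination of sub-steps 2022 and 2023 in both the QPS mode and the ratio mode. The 10 s period length and the thresholds are assumed values chosen for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, Optional

NORMAL, ATTACKED, UNDETERMINED = "normal", "attacked", "undetermined"

# Constructed sample data: the request counts listed in the description above.
REQUESTS = {
    "a1.son1.example1.com": 200, "a2.son1.example1.com": 210,
    "b1.son2.example1.com": 220, "c1.example1.com": 230,
    "d1.example2.com": 240, "e1.example3.com": 250,
    "f1.example4.com": 260, "f2.g2.example4.com": 270,
    "h1.example5.com": 80, "h2.example5.com": 90,
}
ZONES = ["example1.com", "example2.com", "example3.com", "example4.com", "example5.com"]


@dataclass
class Node:
    name: str
    qc: int = 0                                   # request count (QC) of this node
    children: Dict[str, "Node"] = field(default_factory=dict)
    state: Optional[str] = None


class DomainTree:
    """Root -> managed zones -> sub-labels; leaves are concrete domain names."""

    def __init__(self, zones, initial_qc=0):
        self.root = Node("")
        for z in zones:                           # initial QC of every zone node
            self.root.children[z] = Node(z, initial_qc)
        self.total = 0                            # all DNS requests in the period

    def _zone_of(self, name):
        for z in self.root.children:
            if name == z or name.endswith("." + z):
                return z
        return None

    def count(self, name, step=1):
        """Sub-step 2021: add `step` to the leaf and to every ancestor node."""
        zone = self._zone_of(name)
        if zone is None:
            return False                          # not a managed zone: not counted
        self.total += step
        node = self.root.children[zone]
        node.qc += step
        rest = name[: -len(zone) - 1] if name != zone else ""
        for label in reversed(rest.split(".")) if rest else []:
            node = node.children.setdefault(label, Node(f"{label}.{node.name}"))
            node.qc += step                       # QC+1 on parent and ancestors
        return True

    def evaluate(self, period_s, domain_qps, zone_qps=None, zone_ratio=None):
        """Sub-steps 2022/2023: bottom-up state determination.

        A leaf is attacked when its QPS exceeds `domain_qps`. An area whose
        leaves are all normal is judged by its own QPS (`zone_qps`) or by its
        share of all requests (`zone_ratio`); an area with an attacked leaf is
        marked UNDETERMINED (fixed-domain attack), and so are its ancestors.
        """
        def visit(node):
            if not node.children:                 # a leaf is a concrete domain name
                node.state = ATTACKED if node.qc / period_s > domain_qps else NORMAL
                return node.state == ATTACKED
            marked = False
            for child in node.children.values():
                marked = visit(child) or marked   # visit every child, keep the mark
            if marked:
                node.state = UNDETERMINED
                return True
            if zone_qps is not None and node.qc / period_s > zone_qps:
                node.state = ATTACKED
            elif zone_ratio is not None and self.total and node.qc / self.total > zone_ratio:
                node.state = ATTACKED
            else:
                node.state = NORMAL
            return False

        for zone in self.root.children.values():
            visit(zone)
        return {n.name: n.state for n in self._walk(self.root) if n is not self.root}

    def _walk(self, node) -> Iterator[Node]:
        yield node
        for child in node.children.values():
            yield from self._walk(child)


def build_example_tree():
    tree = DomainTree(ZONES)
    for name, n in REQUESTS.items():
        tree.count(name, n)                       # n requests of +1 each
    return tree


if __name__ == "__main__":
    t = build_example_tree()
    for name, state in sorted(t.evaluate(period_s=10, domain_qps=25, zone_qps=50).items()):
        print(f"{name:24s} {state}")
```

With these thresholds, f1.example4.com and f2.g2.example4.com exceed the domain QPS limit, so example4.com is marked and left undetermined, while example1.com, whose leaves are all normal, is judged under random domain name attack by its own QPS.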
Step 203 comprises the following sub-steps:
Sub-step 2031: determining whether the domain name to be requested is in the attacked state. If so, proceed to sub-step 2032; if not, proceed to sub-step 2033.
Specifically, the state of the domain name to be requested, as determined in the statistical period, is obtained; if the domain name to be requested is in the attacked state, sub-step 2032 is performed, and if it is in the normal state, sub-step 2033 is performed. In one example, domain names in the attacked state are marked during the statistical period, so that after the statistical period ends, whether a domain name is in the attacked state can be judged from whether it carries the mark.
Sub-step 2032: responding to the DNS request according to a second preset manner.
Specifically, if the domain name to be requested is in the attacked state, the DNS server is under a fixed domain name attack on that domain name, and the DNS request is responded to according to the second preset manner.
In one example, whether to respond to the DNS request is decided according to the number of DNS requests for the domain name to be requested that have already been responded to. Specifically, the DNS server may lower the service level of the domain name and respond to only a preset number of requests for it: it determines whether the number of already-responded DNS requests for the domain name to be requested has reached the preset number; if not, the current DNS request is responded to; if so, the DNS request is not responded to. In this way the probability of wrongly dropping a normal request for the attacked domain name is reduced to some extent, and the impact on normal users is reduced.
In another example, the DNS server may respond to only a preset percentage of the requests for the domain name. For example, with a preset percentage of fifty percent, when a DNS request for the domain name is received, a value of 0 or 1 is chosen at random; when the value is 1 the DNS request is responded to, and when the value is 0 it is not. This likewise reduces, to some extent, the probability of wrongly dropping a normal request for the attacked domain name, and reduces the impact on normal users.
Sub-step 2033: determining whether the domain name area to which the domain name to be requested belongs is in the attacked state. If so, proceed to sub-step 2034; if not, the process ends directly.
Specifically, the state of the domain name area to which the domain name to be requested belongs, as determined in the statistical period, is obtained; if that domain name area is in the attacked state, sub-step 2034 is performed, and if it is in the normal state, the DNS request is responded to directly. In one example, domain name areas in the attacked state are marked during the statistical period, so that after the statistical period ends, whether a domain name area is in the attacked state can be judged from whether it carries the mark.
Sub-step 2034: responding to the DNS request according to a third preset manner.
Specifically, if the domain name area to which the domain name to be requested belongs is in the attacked state, that domain name area is under a random domain name attack, and the DNS request is responded to according to the third preset manner.
In one example, whether to respond to the DNS request is decided according to the number of DNS requests, for the domain name area to which the domain name to be requested belongs, that have already been responded to. Specifically, the DNS server may lower the service level of the domain name area and respond to only a preset number of requests for names in it: it determines whether the number of already-responded DNS requests for the domain name area has reached the preset number; if not, the current DNS request is responded to; if so, the DNS request is not responded to. In this way the probability of wrongly dropping a normal request in a domain name area under random domain name attack is reduced to some extent, and the impact on normal users is reduced.
In another example, the DNS server may respond to only a preset percentage of the requests for the domain name area. For example, with a preset percentage of fifty percent, when a DNS request for the domain name area is received, a value of 0 or 1 is chosen at random; when the value is 1 the DNS request is responded to, and when the value is 0 it is not. This likewise reduces, to some extent, the probability of wrongly dropping a normal request in a domain name area under random domain name attack, and reduces the impact on normal users.
Compared with the first embodiment, the present embodiment additionally counts the requests of each domain name area within the statistical period, so as to determine in advance whether each domain name area is under a random domain name attack; after the statistical period ends, a domain name area under random domain name attack can then be guarded against, and the impact of the random domain name attack on normal domain names is reduced.
The third embodiment of the present invention relates to a method for processing a DNS request. The present embodiment is an improvement on the first embodiment, the main improvement being that the DNS request can be responded to in conjunction with the state of the DNS server.
Fig. 5 shows the specific flow of the DNS request processing method according to the present embodiment.
Step 301: when a DNS request is received, determining whether the DNS request falls within a preset statistical period. If so, proceed to determining step 302; if not, proceed to step 303.
Specifically, step 301 is substantially the same as step 101 in the first embodiment and is not repeated here.
Determining step 302 comprises the following sub-steps:
Sub-step 3021: when the DNS request is responded to, the request count of the domain name matching the domain name to be requested in the DNS request is increased in the first preset manner.
Specifically, sub-step 3021 is substantially the same as sub-step 1021 in the first embodiment and is not described again here.
Sub-step 3022: when the statistical period ends, determining the state of each domain name at least according to the request count of each domain name.
Specifically, sub-step 3022 is substantially the same as sub-step 1022 in the first embodiment and is not described again here.
Sub-step 3023: determining the state of the server according to the number of DNS requests received within the statistical period.
Specifically, the QPS of the DNS server is calculated from the number of DNS requests received in the statistical period and the duration of the statistical period; a threshold is preset in the DNS server, and when the QPS of the DNS server is greater than or equal to the threshold, the DNS server is determined to be in the attacked state; when the QPS of the DNS server is less than the threshold, the DNS server is determined to be in the normal state.
Step 303: determining whether the server is in the attacked state. If so, proceed to step 304; if not, the process ends directly.
Specifically, the state of the DNS server determined in the statistical period is obtained; if the DNS server is in the attacked state, step 304 is performed and the DNS request is responded to according to the state of the domain name to be requested determined in the statistical period; otherwise the DNS server is in the normal state, that is, it is not overloaded, and the DNS request can be responded to directly without determining whether the domain name to be requested is under attack.
Step 304: responding to the DNS request according to the state of the domain name to be requested determined in the statistical period.
Specifically, this step is substantially the same as step 103 in the first embodiment and is not repeated here.
Compared with the first embodiment, the present embodiment additionally determines the server state within the statistical period, so that after the statistical period ends, attacked domain names are guarded against only when the server is itself in the attacked state; when the server is in the normal state, all DNS requests are responded to. That is, DNS requests are responded to as far as the server's capacity allows, which reduces the probability of wrongly dropping normal requests. The present embodiment can also be applied as an improvement on the second embodiment, achieving the same technical effect.
The fourth embodiment of the present invention relates to a method for processing a DNS request. The present embodiment is an improvement on the first embodiment, the main improvement being that random domain name attacks are guarded against by means of a preset domain name white list.
Fig. 6 shows the specific flow of the DNS request processing method according to the present embodiment.
Step 401, step 402 and step 404 are substantially the same as steps 101 to 103 and are not described again here; the main difference is that step 403 and step 405 are added, as follows:
Step 403: determining whether the domain name to be requested is in a preset domain name white list. If so, proceed to step 404; if not, proceed to step 405.
Specifically, a domain name white list is preset in the DNS server, and before a DNS request is responded to, it is first determined whether the domain name to be requested in the DNS request is in the preset domain name white list; if so, step 404 is performed and the DNS request is responded to according to the state of the domain name to be requested determined in the statistical period; if not, step 405 is performed and responding to the DNS request is prohibited, that is, the DNS request is not responded to.
Step 405: refraining from responding to the DNS request.
It should be noted that, within the statistical period, the request count of each domain name may also be collected in combination with the domain name white list, excluding domain names outside the white list from the statistics.
In this embodiment, the domain name white list may be set according to the domain names and domain name areas resolved by the DNS server and updated dynamically, or the domain names that have been responded to normally within a preset time may be collected as the domain name white list.
Compared with the first embodiment, a domain name white list is preset in the DNS server and DNS requests for domain names outside the white list are simply not responded to, so that random domain name attacks can be guarded against more effectively. The present embodiment can also be applied as an improvement on the second or third embodiment, achieving the same technical effect.
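As an added example (not the patent's or the applicant's code), the following Python combines the post-period decisions of step 203 (sub-steps 2031 to 2034), steps 303 and 304 and steps 403 to 405 into one response policy. The state table, zone list, caps and percentage are constructed inputs, and the random-number source is injected so that the fifty-percent sampling can be exercised deterministically.

```python
import random
from typing import Callable, Dict, Iterable, Optional

NORMAL, ATTACKED, UNDETERMINED = "normal", "attacked", "undetermined"

# Constructed states "determined in the statistical period" for a few names and areas.
STATES = {
    "f1.example4.com": ATTACKED, "g2.example4.com": UNDETERMINED,
    "example4.com": UNDETERMINED, "example1.com": ATTACKED,
    "son1.example1.com": NORMAL, "c1.example1.com": NORMAL,
    "d1.example2.com": NORMAL, "example2.com": NORMAL,
}
ZONES = ["example1.com", "example2.com", "example3.com", "example4.com", "example5.com"]


class Responder:
    """Decides, for one DNS request after the statistical period, whether to answer."""

    def __init__(self, states: Dict[str, str], zones: Iterable[str], server_attacked: bool,
                 whitelist: Optional[Iterable[str]] = None,
                 domain_cap: Optional[int] = None, domain_pct: Optional[float] = None,
                 zone_cap: Optional[int] = None, zone_pct: Optional[float] = None,
                 rng: Callable[[], float] = random.random):
        self.states, self.zones = states, list(zones)
        self.server_attacked = server_attacked          # result of sub-step 3023
        self.whitelist = set(whitelist) if whitelist is not None else None
        self.domain_cap, self.domain_pct = domain_cap, domain_pct
        self.zone_cap, self.zone_pct = zone_cap, zone_pct
        self.rng = rng
        self.answered: Dict[str, int] = {}              # responded requests per key

    def _zone_of(self, name: str) -> Optional[str]:
        for z in self.zones:
            if name == z or name.endswith("." + z):
                return z
        return None

    def _whitelisted(self, name: str) -> bool:
        # The white list may hold whole domain names or whole domain name areas.
        return name in self.whitelist or self._zone_of(name) in self.whitelist

    def _limited(self, key: str, cap: Optional[int], pct: Optional[float]) -> bool:
        """Second/third preset manner: reduced service level for an attacked key."""
        if cap is not None:                             # answer only `cap` requests
            if self.answered.get(key, 0) >= cap:
                return False
            self.answered[key] = self.answered.get(key, 0) + 1
            return True
        if pct is not None:                             # answer a random `pct` share
            return self.rng() < pct
        return False

    def decide(self, name: str) -> bool:
        # Steps 403/405: names outside a configured white list are never answered.
        if self.whitelist is not None and not self._whitelisted(name):
            return False
        # Step 303: a server that is not overloaded answers everything.
        if not self.server_attacked:
            return True
        # Sub-steps 2031/2032: fixed-domain attack on this very name.
        if self.states.get(name) == ATTACKED:
            return self._limited(name, self.domain_cap, self.domain_pct)
        # Sub-steps 2033/2034: random-domain attack on the area the name belongs to.
        zone = self._zone_of(name)
        if zone is not None and self.states.get(zone) == ATTACKED:
            return self._limited(zone, self.zone_cap, self.zone_pct)
        return True                                     # normal name in a normal area


def demo() -> Dict[str, list]:
    """Runs constructed requests through two policies and returns the verdicts."""
    seq = iter([0.2, 0.8, 0.4])                         # fixed draws instead of random
    r = Responder(STATES, ZONES, server_attacked=True, domain_cap=2, zone_pct=0.5,
                  rng=lambda: next(seq))
    attacked_name = [r.decide("f1.example4.com") for _ in range(3)]
    attacked_zone = [r.decide("c1.example1.com") for _ in range(3)]
    calm = Responder(STATES, ZONES, server_attacked=False, whitelist=["example1.com"])
    return {"f1": attacked_name, "c1": attacked_zone,
            "calm": [calm.decide("c1.example1.com"), calm.decide("zzz.example2.com")]}


if __name__ == "__main__":
    print(demo())
```

Note that an area left undetermined because one of its names is under fixed domain name attack does not limit its other names; only that attacked name is capped.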
A fifth embodiment of the present invention relates to a server, which may be a single DNS server or a DNS server cluster.
The server includes: at least one processor; and a memory communicatively coupled to the at least one processor; wherein the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the method of processing a DNS request of any one of the first to fourth embodiments.
Where the memory and processor are connected by a bus, the bus may comprise any number of interconnected buses and bridges, the buses connecting together one or more of the various circuits of the processor and the memory. The bus may also connect various other circuits such as peripherals, voltage regulators, power management circuits, and the like, which are well known in the art, and therefore, will not be described any further herein. A bus interface provides an interface between the bus and the transceiver. The transceiver may be one element or a plurality of elements, such as a plurality of receivers and transmitters, providing a means for communicating with various other apparatus over a transmission medium. The data processed by the processor is transmitted over a wireless medium via an antenna, which further receives the data and transmits the data to the processor.
The processor is responsible for managing the bus and for general processing, and may also provide various functions including timing, peripheral interfaces, voltage regulation, power management and other control functions. The memory may be used to store data used by the processor in performing operations.
It will be understood by those of ordinary skill in the art that the foregoing embodiments are specific examples for carrying out the invention, and that various changes in form and details may be made therein without departing from the spirit and scope of the invention in practice.

Claims (12)

1. A DNS request processing method, applied to a server, the method comprising:
when a DNS request is received, if the DNS request is within a preset statistical period, entering a determining step;
the determining step comprising:
when the DNS request is responded to, increasing the request count of the domain name matching the domain name to be requested in the DNS request according to a first preset manner;
when the statistical period ends, determining the state of each domain name at least according to the request count of each domain name;
and if the statistical period has ended, responding to the DNS request according to the state of the domain name to be requested determined in the statistical period.
2. The method according to claim 1, wherein the responding to the DNS request according to the status of the domain name to be requested determined in the statistical period includes:
Judging whether the domain name to be requested is in an attacked state;
And responding to the DNS request according to a second preset mode when the domain name to be requested is judged to be in the attacked state.
3. The method according to claim 2, wherein, when the request count of the domain name matching the domain name to be requested in the DNS request is increased according to the first preset manner, the method further comprises:
increasing the request count of the domain name area to which the domain name matching the domain name to be requested belongs according to the first preset manner;
after the state of each domain name is determined at least according to the request count of each domain name, the method further comprises:
for each domain name area, if every domain name corresponding to the domain name area is in a normal state, determining the state of the domain name area at least according to the request count of the domain name area;
when the domain name to be requested is judged to be in a normal state, judging whether the domain name area to which the domain name to be requested belongs is in an attacked state;
and if the domain name area to which the domain name to be requested belongs is judged to be in an attacked state, responding to the DNS request according to a third preset manner.
4. The method according to claim 1, wherein the determining step further comprises:
determining the state of the server according to the number of DNS requests received in the statistical period;
and before responding to the DNS request according to the state of the domain name to be requested determined in the statistical period, the method further comprises:
judging whether the server is in an attacked state;
and if the server is in an attacked state, proceeding to respond to the DNS request according to the state of the domain name to be requested determined in the statistical period.
5. The method according to claim 1, wherein before responding to the DNS request according to the state of the domain name to be requested determined in the statistical period, the method further comprises:
judging whether the domain name to be requested is in a preset domain name white list;
if the domain name to be requested is in the domain name white list, proceeding to respond to the DNS request according to the state of the domain name to be requested determined in the statistical period;
and if the domain name to be requested is outside the domain name white list, prohibiting responding to the DNS request.
6. The method according to claim 2, wherein the responding to the DNS request according to the second preset manner includes:
And determining whether to respond to the DNS request according to the number of the responded DNS requests including the domain name to be requested.
7. The method according to claim 3, wherein the responding to the DNS request according to the third preset manner comprises:
And determining whether to respond to the DNS request according to the number of the DNS requests corresponding to the domain name area to which the responded domain name to be requested belongs.
8. The method according to claim 1, wherein the increasing, in response to the DNS request, the number of requests for the domain name that matches the domain name to be requested in the DNS request in a first preset manner includes:
When the domain name to be requested in the DNS request belongs to any one of domain name areas managed by the server, responding to the DNS request, and judging whether any one of the domain names corresponding to any one of the domain name areas is matched with the domain name to be requested;
If any domain name does not match with the domain name to be requested, adding a target domain name matched with the domain name to be requested in the domain name corresponding to any domain name region, and increasing the number of requests of the added target domain name according to the first preset mode;
And if any domain name is matched with the domain name to be requested, increasing the request number of the domain name according to the first preset mode.
9. The method according to claim 1, wherein determining the status of each domain name according to at least the number of requests for each domain name comprises:
and for each domain name, determining the state of the domain name according to the request number of the domain name and the number of the DNS requests received in the counting period.
10. The method for processing the DNS request according to claim 1, wherein the increasing the request count of the domain name matching the domain name to be requested in the DNS request according to a first preset manner specifically comprises:
And adding a preset numerical value to the current request number of the domain name matched with the domain name to be requested in the DNS request to serve as the increased request number of the domain name.
11. The method of claim 1, wherein the initial number of requests for each domain name is equal.
12. A server, comprising: at least one processor; and
a memory communicatively coupled to the at least one processor; wherein
the memory stores instructions executable by the at least one processor to enable the at least one processor to perform the DNS request processing method of any one of claims 1 to 11.
CN201910763346.XA 2019-08-19 2019-08-19 DNS request processing method and server Active CN110581842B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910763346.XA CN110581842B (en) 2019-08-19 2019-08-19 DNS request processing method and server

Publications (2)

Publication Number Publication Date
CN110581842A true CN110581842A (en) 2019-12-17
CN110581842B CN110581842B (en) 2022-07-19

Family

ID=68811137

Country Status (1)

Country Link
CN (1) CN110581842B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114401246A (en) * 2021-12-27 2022-04-26 中国电信股份有限公司 Method and device for accessing domain name

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant