CN111314502B - Domain name deployment method and device based on domain name resolution system - Google Patents


Info

Publication number: CN111314502B
Authority: CN (China)
Prior art keywords: domain name, server, name resolution, resolution server, attack
Legal status: Active
Application number: CN202010155607.2A
Other languages: Chinese (zh)
Other versions: CN111314502A
Inventors: 梁素琴, 陈单江
Current Assignee: Wangsu Science and Technology Co Ltd
Original Assignee: Wangsu Science and Technology Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms


Abstract

The invention discloses a domain name deployment method and device based on a domain name resolution system, intended to solve the low resource utilization of the domain name deployment methods in the prior art. The method comprises: deploying a private domain name resolution server for each domain name in the domain name resolution system, and deploying a common domain name resolution server shared by two or more domain names. Deploying both a private and a common domain name resolution server for each domain name ensures the availability of domain name resolution without configuring a plurality of private domain name resolution servers per domain name, which reduces resource occupation and improves resource utilization. Moreover, even if one domain name is attacked and the resolution service of every domain name on that domain name's common domain name resolution server becomes unavailable, the other domain names can still be resolved through their own private domain name resolution servers, so the attack prevention effect is better.

Description

Domain name deployment method and device based on domain name resolution system
Technical Field
The invention relates to the technical field of network security, in particular to a domain name deployment method and device based on a domain name resolution system.
Background
In the field of network security, to improve the availability of domain name resolution, a plurality of dedicated domain name resolution servers are usually configured for a domain name at the same time, so that when one of the domain name resolution servers corresponding to the domain name is attacked and its resolution service becomes unavailable, the local domain name server can send resolution requests to the other standby domain name resolution servers, which then provide the resolution service.
However, although this approach improves the domain name's resistance to attack, when the domain name is not under attack many of the domain name resolution servers corresponding to it sit idle, so the resource utilization of domain name resolution is low and resources are seriously wasted.
In summary, there is a need for a domain name deployment method based on a domain name resolution system, so as to solve the technical problem of low resource utilization rate of the domain name deployment method in the prior art.
Disclosure of Invention
The invention provides a domain name deployment method and device based on a domain name resolution system, which are used for solving the technical problem of low resource utilization rate of a domain name deployment method in the prior art.
In a first aspect, the present invention provides a domain name deployment method based on a domain name resolution system, where the method includes:
deploying a private domain name resolution server corresponding to the domain name for any domain name in the domain name resolution system, and deploying a common domain name resolution server for two or more domain names in the domain name resolution system; wherein deploying a domain name resolution server for a domain name comprises authorizing the domain name authorization information of the domain name to that domain name resolution server.
In the invention, each domain name is provided with a private domain name resolution server and a common domain name resolution server to ensure the availability of domain name resolution, so no domain name needs a plurality of private domain name resolution servers, which reduces resource occupation and improves resource utilization. In addition, because the invention deploys a unique private domain name resolution server for each domain name and a common domain name resolution server for two or more domain names, even if a certain domain name is attacked in a short time and the domain name resolution service of every domain name on that domain name's common domain name resolution server becomes unavailable, the other domain names can still be resolved through their own private domain name resolution servers; the attack on the one domain name therefore does not affect the resolution of the other domain names, and the attack prevention effect is better.
In a possible implementation manner, the domain name resolution system is further provided with a central management device and at least one anti-attack server; the method further comprises the following steps: the central management equipment receives attack identification information reported by a first domain name resolution server, and if the first domain name resolution server is determined to be attacked according to the attack identification information, domain name authorization information on the first domain name resolution server is changed to the at least one anti-attack server.
In the implementation mode, the attack identification information is automatically reported by the first domain name resolution server, the attack pre-judgment is carried out on the first domain name resolution server based on the attack identification information, the attack can be identified in time, and when the first domain name resolution server is pre-judged to be attacked, the domain name resolution service can be continuously provided by the anti-attack server while the attacked first domain name resolution server is quickly isolated by changing the domain name authorization information on the first domain name resolution server to the anti-attack server, so that the availability of the domain name resolution service is improved.
In a possible implementation manner, the at least one anti-attack server includes a first anti-attack server and a preset common domain name resolution server; the step of changing the domain name authorization information on the first domain name resolution server to the at least one anti-attack server by the central management device includes: if the central management device determines that the first domain name resolution server is the common domain name resolution server, the central management device changes domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server, and changes domain name authorization information corresponding to other domain names on the first domain name resolution server to the preset common domain name resolution server.
In this implementation, when a certain domain name on the common domain name resolution server is attacked, the private domain name resolution servers of the other domain names can continue to provide resolution, relying on the local DNS server's retry mechanism, so that the availability of each domain name is ensured; and by changing the domain name authorization information of the domain names that are not attacked at the same time, the resolution efficiency of each domain name is also ensured.
In a possible implementation manner, the at least one attack-prevention server further includes a second attack-prevention server; the method further comprises the following steps: the central management equipment determines a private domain name resolution server of the attacked domain name; and the central management equipment changes the domain name authorization information corresponding to the attacked domain name on the private domain name resolution server to the second anti-attack server.
In this implementation, when a certain domain name on the common domain name resolution server is attacked, the domain name authorization information on that domain name's private domain name resolution server, which has not yet been attacked, is changed at the same time. This avoids the private domain name resolution server also being brought down when an attacker launches a large number of attacks against the domain name simultaneously, ensures the availability of the domain name on the private domain name resolution server, and improves the attack prevention capability.
In one possible implementation, the at least one attack-prevention server includes a first attack-prevention server; the step of changing the domain name authorization information on the first domain name resolution server to the at least one anti-attack server by the central management device includes: if the central management device determines that the first domain name resolution server is the private domain name resolution server of the attacked domain name, the central management device changes the domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server.
In the implementation manner, the first anti-attack server is arranged to receive the domain name authorization information of the attacked domain name, and a standby domain name resolution server is not arranged for each domain name, so that the deployment number of the domain name resolution servers can be reduced, and the utilization efficiency of resources is improved.
In a possible implementation manner, the at least one anti-attack server further includes a second anti-attack server and a preset common domain name resolution server; the central management equipment also determines a common domain name resolution server of the attacked domain name; and the central management equipment changes the domain name authorization information corresponding to the attacked domain name on the common domain name resolution server to the second anti-attack server, and changes the domain name authorization information corresponding to other domain names on the common domain name resolution server to the preset common domain name resolution server.
In the implementation mode, when the private domain name resolution server of a certain domain name is attacked, all domain name authorization information on the common domain name resolution server of the domain name is changed at the same time, so that the problem that the common domain name resolution server is attacked at the same time due to the fact that an attacker launches a large number of attacks to the domain name at the same time can be solved, the domain name resolution information on all the domain name resolution servers where the attacked domain name is located is changed in advance, the availability of each domain name is ensured, and the anti-attack capability is improved.
In a possible implementation manner, after the central management device changes the domain name authorization information on the first domain name resolution server to the at least one anti-attack server, if it is determined that the attack on the first domain name resolution server is released, the domain name authorization information on the anti-attack server is changed back to the first domain name resolution server.
In the implementation mode, the original domain name authorization information is migrated back after the attack on the first domain name resolution server is determined to be released, so that the domain name authorization information can be prevented from occupying the anti-attack server for a long time, the performance loss of the system is reduced, and the utilization efficiency of resources is improved.
In one possible implementation manner, the attack identification information is generated by the first domain name resolution server by: acquiring the access times of each domain name on the first domain name resolution server in the current time period, determining an attacked domain name on the first domain name resolution server according to the access times, and generating attack identification information according to the identifier of the attacked domain name; or, the attack identification information includes the number of times of access of each domain name on the first domain name resolution server in the current time period, and the attack identification information is used by the central management device to determine whether the first domain name resolution server is attacked.
In the implementation mode, the attack prejudgment process can be executed by the first domain name resolution server or by the central management equipment, and a user can set a corresponding executive party according to the actual scene requirement, so that the flexibility is better; and the attack judgment process is executed by using the first domain name resolution server, and the attack judgment is carried out without using the central management equipment, so that the working pressure of the central management equipment can be reduced, and the attack judgment process and the domain name change process are decoupled, thereby avoiding the interference of the attack judgment process on the normal execution of the domain name change process, and improving the accuracy and timeliness of the domain name change.
In one possible implementation, the first domain name resolution server determines the attacked domain name on the first domain name resolution server as follows: for any domain name on the first domain name resolution server, an access count increment is determined from the access count of the domain name in the current period and its access count in the previous period; if the increment is larger than a first preset threshold, the domain name is determined to be an attacked domain name, and if the increment is smaller than or equal to the first preset threshold, the domain name is determined not to be an attacked domain name.
In the implementation manner, by taking the domain name as the basic unit to perform attack judgment, whether each domain name on the first domain name resolution server is attacked or not can be judged, and the accuracy and comprehensiveness of the attack judgment result are improved.
In one possible implementation, the first domain name resolution server determines the attacked domain name on the first domain name resolution server as follows: the total number of accesses of all domain names on the first domain name resolution server in the current time period is counted; if the total is greater than a second preset threshold, the first domain name resolution server is determined to be attacked and the attacked domain name is determined from the access count of each domain name; if the total is less than or equal to the second preset threshold, the first domain name resolution server is determined not to be attacked and none of the domain names is an attacked domain name.
In this implementation, attack judgment on the first domain name resolution server is performed on the basis of the total access count, and the attacked domain name is identified only once the first domain name resolution server is determined to be attacked; this avoids examining each domain name when the server is not attacked, saves unnecessary operations, reduces resource consumption and improves the efficiency of attack judgment.
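The two attack pre-judgment methods above, written out as an added example that is not the patent's own code. The thresholds, the sample access counts and the rule used to pick the attacked domain from the per-domain counts in the total-count method (a domain that holds at least a given share of the total) are assumptions, since the page does not fix them.

```python
"""Attack pre-judgment on a domain name resolution server.

(a) per-domain increment: cur - prev > first preset threshold  -> attacked domain
(b) total count:          sum(cur) > second preset threshold   -> server attacked,
                          then identify the attacked domain(s) from per-domain counts.
Added illustration, not the patent's own code; thresholds and counts are constructed.
"""

FIRST_THRESHOLD = 10_000   # assumed: tolerated per-domain increase between periods
SECOND_THRESHOLD = 50_000  # assumed: tolerated total accesses per period on one server


def attacked_by_increment(prev_counts, cur_counts, first_threshold=FIRST_THRESHOLD):
    """Method (a): a domain is attacked if its access count grew by more than
    first_threshold since the previous period. Domains unseen before count as 0."""
    attacked = []
    for domain, cur in cur_counts.items():
        prev = prev_counts.get(domain, 0)
        if cur - prev > first_threshold:
            attacked.append(domain)
    return sorted(attacked)


def attacked_by_total(cur_counts, second_threshold=SECOND_THRESHOLD, share=0.5):
    """Method (b): per-domain identification runs only when the server total
    exceeds second_threshold. Returns (server_attacked, attacked_domains).
    The page leaves the per-domain rule open; here (assumed) a domain is
    attacked when it accounts for at least `share` of the total."""
    total = sum(cur_counts.values())
    if total <= second_threshold:
        return False, []            # not attacked: no per-domain work needed
    attacked = sorted(d for d, n in cur_counts.items() if n >= share * total)
    return True, attacked


def attack_identification_info(server_id, prev_counts, cur_counts):
    """Report the resolution server sends to the central management device.
    It carries the identifiers of attacked domains (server-side judgment) and
    the raw per-domain counts, so the central device can judge on its own."""
    return {
        "server": server_id,
        "attacked": attacked_by_increment(prev_counts, cur_counts),
        "access_counts": dict(cur_counts),
    }


# Constructed sample: two consecutive periods on common server 121 (Fig. 1),
# where test2 suddenly receives a flood of queries.
PREV = {"test1": 1_200, "test2": 1_500}
CUR = {"test1": 1_300, "test2": 60_000}

if __name__ == "__main__":
    print(attack_identification_info("121", PREV, CUR))
    print(attacked_by_total(CUR))
```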
In a second aspect, the present invention provides a domain name deployment apparatus based on a domain name resolution system, where the apparatus includes:
a private domain name resolution deployment module, configured to deploy a private domain name resolution server corresponding to the domain name for any domain name in the domain name resolution system;
a common domain name resolution deployment module, configured to deploy a common domain name resolution server for two or more domain names in the domain name resolution system;
where the private domain name resolution deployment module or the common domain name resolution deployment module deploys a domain name to a domain name resolution server by authorizing the domain name authorization information of the domain name to that domain name resolution server.
In a possible implementation manner, the domain name resolution system is further provided with a central management device and at least one anti-attack server; the center management device includes:
the receiving and sending module is used for receiving attack identification information reported by the first domain name resolution server;
a domain name authorization changing module, used for changing the domain name authorization information on the first domain name resolution server to the at least one anti-attack server if the first domain name resolution server is determined to be attacked according to the attack identification information.
In a possible implementation manner, the at least one anti-attack server includes a first anti-attack server and a preset common domain name resolution server; the domain name authorization changing module is specifically configured to: if the first domain name resolution server is determined to be the common domain name resolution server, changing domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server, and changing domain name authorization information corresponding to other domain names on the first domain name resolution server to the preset common domain name resolution server.
In a possible implementation manner, the at least one attack-prevention server further includes a second attack-prevention server; the domain name authorization changing module is further configured to determine the private domain name resolution server of the attacked domain name, and to change the domain name authorization information corresponding to the attacked domain name on that private domain name resolution server to the second anti-attack server.
In one possible implementation, the at least one attack-prevention server includes a first attack-prevention server; the domain name authorization changing module is specifically configured to: if the first domain name resolution server is determined to be the private domain name resolution server of the attacked domain name, changing domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server.
In a possible implementation manner, the at least one anti-attack server further includes a second anti-attack server and a preset common domain name resolution server; the domain name authorization changing module is further configured to determine the common domain name resolution server of the attacked domain name, to change the domain name authorization information corresponding to the attacked domain name on that common domain name resolution server to the second anti-attack server, and to change the domain name authorization information corresponding to the other domain names on that common domain name resolution server to the preset common domain name resolution server.
In a possible implementation manner, after the domain name authorization changing module changes the domain name authorization information on the first domain name resolution server to the first anti-attack server, the domain name authorization changing module is further configured to: and if the attack on the first domain name resolution server is determined to be released, changing the domain name authorization information on the anti-attack server back to the first domain name resolution server.
In one possible implementation manner, the attack identification information is generated by the first domain name resolution server, and the first domain name resolution server includes:
the acquisition module is used for acquiring the access times of each domain name on the first domain name resolution server in the current time period;
the determining module is used for determining the attacked domain name on the first domain name resolution server according to the access times;
the generating module is used for generating the attack identification information according to the identification of the attacked domain name;
or the attack identification information includes the number of times of access of each domain name on the first domain name resolution server in the current time period; the central management device further comprises an attack identification module, and the attack identification module is used for:
determining whether the first domain name resolution server is attacked according to the attack identification information.
In a possible implementation manner, the determining module is specifically configured to: for any domain name on the first domain name resolution server, determine an access count increment from the access count of the domain name in the current period and its access count in the previous period; if the increment is larger than a first preset threshold, determine that the domain name is an attacked domain name, and if the increment is smaller than or equal to the first preset threshold, determine that the domain name is not an attacked domain name.
In a possible implementation manner, the determining module is specifically configured to: count the total number of accesses of all domain names on the first domain name resolution server in the current time period; if the total is greater than a second preset threshold, determine that the first domain name resolution server is attacked and determine the attacked domain name from the access count of each domain name; if the total is less than or equal to the second preset threshold, determine that the first domain name resolution server is not attacked and that none of the domain names is an attacked domain name.
In a third aspect, an embodiment of the present invention provides a computing device including at least one processor and at least one memory, where the memory stores a computer program which, when executed by the processor, causes the processor to execute the attack prevention method according to any implementation of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program executable by a computing device which, when run on the computing device, causes the computing device to execute the anti-attack method according to any implementation of the first aspect.
These and other implementations of the invention will be more readily understood from the following description of the embodiments.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without inventive exercise.
Fig. 1 is a schematic diagram of a deployment architecture of a domain name resolution system according to an embodiment of the present invention;
fig. 2 is a schematic diagram of a system architecture of a domain name resolution system according to an embodiment of the present invention;
fig. 3 is a schematic flow chart corresponding to an attack prevention method provided in an embodiment of the present invention;
fig. 4 is a schematic flowchart of domain name resolution according to an embodiment of the present invention;
fig. 5 is a schematic overall flow chart corresponding to an attack prevention method provided in an embodiment of the present invention;
fig. 6 is an interaction flow diagram corresponding to an attack prevention method provided in an embodiment of the present invention;
fig. 7 is a schematic structural diagram of a deployment apparatus based on a domain name resolution system according to an embodiment of the present invention;
fig. 8 is a schematic structural diagram of a central management device according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of a domain name resolution server according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of a computing device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention will be described in further detail with reference to the accompanying drawings, and it is apparent that the described embodiments are only a part of the embodiments of the present invention, not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic diagram of a deployment architecture of a domain name resolution system according to an embodiment of the present invention, and as shown in fig. 1, when the deployment is performed, a corresponding private domain name resolution server may be deployed for each domain name in the domain name resolution system, and a corresponding common domain name resolution server may also be deployed for two or more domain names in the domain name resolution system, so as to ensure that each domain name is deployed with a corresponding private domain name resolution server and a common domain name resolution server. The deploying a domain name resolution server for a domain name may specifically refer to: and configuring the domain name authorization information of the domain name to a domain name resolution server. In this way, for any domain name in the domain name resolution system, the domain name authorization information of the domain name can be configured to the common domain name resolution server corresponding to the domain name and the private domain name resolution server corresponding to the domain name at the same time.
For example, as shown in fig. 1, the domain name resolution server 111 is a private domain name resolution server of domain name test1, the domain name resolution server 112 is a private domain name resolution server of domain name test2, and the domain name resolution server 113 is a private domain name resolution server of domain name test 3; the domain name resolution server 121 is a common domain name resolution server of the domain names test1 and test2, and the domain name resolution server 122 is a common domain name resolution server of the domain names test2 and test 3. In this way, the domain name registration node 110 can simultaneously allocate the domain name authority information of the domain name test1 to the private domain name resolution server 111 and the common domain name resolution server 121, simultaneously allocate the domain name authority information of the domain name test2 to the private domain name resolution server 112, the common domain name resolution server 121, and the common domain name resolution server 122, and simultaneously allocate the domain name authority information of the domain name test3 to the private domain name resolution server 113 and the common domain name resolution server 122.
In the prior art, a plurality of private domain name resolution servers are generally configured for each domain name in order to improve that domain name's attack resistance. In the embodiment of the invention, by contrast, a single private domain name resolution server is deployed for each domain name and a common domain name resolution server is deployed for two or more domain names. Even if a certain domain name is attacked and, for a short time, the resolution service of every domain name on that domain name's common domain name resolution server becomes unavailable, the other domain names can still be resolved through their own private domain name resolution servers, so an attack on one domain name does not affect the other domain names and the attack prevention effect is better. In addition, because every domain name is served by both a private and a common domain name resolution server, the availability of domain name resolution is ensured without equipping each domain name with a plurality of private domain name resolution servers; compared with the prior art, the anti-attack domain name resolution method and system therefore keep the anti-attack effect while reducing the amount of resources occupied and improving the utilization efficiency of the resources.
It should be noted that fig. 1 is only an exemplary illustration and does not limit the present disclosure, and in a specific implementation, each domain name may also be simultaneously deployed with a plurality of private domain name resolution servers, and each domain name may also be simultaneously deployed with a plurality of common domain name resolution servers, which is not limited specifically.
Based on the deployment architecture illustrated in fig. 1, fig. 2 is a system architecture schematic diagram of a domain name resolution system provided in an embodiment of the present invention. As shown in fig. 2, the system may further include a central management device 200 and at least one anti-attack server, such as the anti-attack server 131. The central management device 200 may be connected to any domain name resolution server and to any anti-attack server; for example, it may be connected to a domain name resolution server in a wired manner or to an anti-attack server in a wireless manner, which is not specifically limited.
In the embodiment of the present invention, the anti-attack server may be a private domain name resolution server on which no domain name has yet been configured, and which can later be configured with the domain name authorization information of a domain name according to an instruction of the domain name registration node 110; or it may be a preset common domain name resolution server on which no domain names have yet been configured, and which can later be configured with the domain name authorization information of a plurality of domain names at the same time according to an instruction of the domain name registration node 110. This is not specifically limited.
As an example, each domain name resolution server and each anti-attack server may further be connected to the client 300. When the client 300 needs to resolve a domain name, it sends a domain name resolution request carrying the domain name to be resolved to the corresponding domain name resolution server. After receiving the request, the domain name resolution server queries its internally stored correspondence between domain names and Internet Protocol (IP) addresses to obtain the IP address corresponding to the domain name to be resolved, and returns that IP address to the client 300, so that the client 300 can access the corresponding server using the IP address.
It should be noted that the central management device 200 and the attack prevention server shown in fig. 2 are only an exemplary illustration, and do not constitute a limitation to the present solution; in a specific implementation, the central management device 200 may be a single central management server, may also be multiple central management servers deployed according to a cluster, and may also be a process in the central management server, and accordingly, the anti-attack server may exist in a form of a single anti-attack server or a form of an anti-attack server cluster, which is not limited specifically.
Based on the system architecture illustrated in fig. 2, fig. 3 is a schematic flowchart corresponding to an anti-attack method provided in an embodiment of the present invention, where the method is applied to a central management device 200, and the method includes:
step 301, receiving attack identification information reported by a first domain name resolution server.
Here, the first domain name resolution server may be any domain name resolution server connected to the central management apparatus 200, such as the private domain name resolution server 111, the private domain name resolution server 112, or the private domain name resolution server 113, or may be the common domain name resolution server 121 or the common domain name resolution server 122, which is not limited specifically.
In specific implementation, there are two possibilities for the attack identification information:
Possibility one: the attack identification information indicates whether the first domain name resolution server is attacked.
In the embodiment of the invention, an attack identification component may be deployed in the first domain name resolution server. The component is embedded in the first domain name resolution server and can monitor the domain name resolution activity on that server in real time; it can also analyze that activity using a set attack rule to determine whether the first domain name resolution server is attacked. If the first domain name resolution server is determined to be attacked, attack identification information carrying the identifier of the attacked domain name may be generated and reported to the central management device 200; if it is determined not to be attacked, no processing is required.
In one example, the set attack rule requires that the request increment for a single domain name be less than or equal to a first preset threshold. In specific implementation, for any domain name, the attack identification component may count the number of access requests for resolving that domain name received by the first domain name resolution server in the current time period, and calculate the request increment of the domain name from that number and the number in the previous time period. If the request increment is greater than the first preset threshold, the domain name on the first domain name resolution server may be determined to be attacked; if it is less than or equal to the first preset threshold, the domain name may be determined not to be attacked.
In this example, by performing attack determination with the domain name as the basic unit, it can be determined whether each domain name on the first domain name resolution server is attacked, so that the accuracy and comprehensiveness of the attack determination result are improved.
In another example, the set attack rule further requires that the total number of requests for all domain names be less than or equal to a second preset threshold. In specific implementation, the attack identification component may count the total number of access requests for resolving any domain name received by the first domain name resolution server in the current time period and compare it with the second preset threshold. If the total exceeds the second preset threshold, the first domain name resolution server may be determined to be attacked, and attack identification may then be performed on each domain name based on the number of access requests for that domain name; if the total is less than or equal to the second preset threshold, the first domain name resolution server may be determined not to be attacked, and attack identification need not be performed on each domain name.
In this example, the attack determination on the first domain name resolution server is first made using the total number of access requests, and the attacked domain name is identified only after the server is determined to be attacked. This avoids examining each domain name when the first domain name resolution server is not attacked, saving unnecessary operations, reducing resource consumption, and improving the efficiency of the attack determination.
In another example, the set attack rule further requires that the number of requests for a single domain name be less than or equal to a third preset threshold. In specific implementation, for any domain name, the attack identification component may count the number of access requests for resolving that domain name received by the first domain name resolution server in the current time period and compare it with the third preset threshold. If the number of requests exceeds the third preset threshold, the domain name on the first domain name resolution server may be determined to be attacked; if it is less than or equal to the third preset threshold, the domain name may be determined not to be attacked.
In the above example, the preset thresholds (i.e. the first preset threshold, the second preset threshold, and the third preset threshold) may be set by a person skilled in the art according to experience, or may be set by a user according to actual service needs, which is not limited specifically.
Optionally, each preset threshold may be set according to the service capability of the first domain name resolution server; for example, a preset threshold may be set to the upper limit of the service capability of the first domain name resolution server, or slightly below that upper limit, so as to reduce false alarms and improve the accuracy of the attack determination. Taking the second preset threshold as an example, since the service capability of the first domain name resolution server can be estimated from the total number of requests it received in historical time periods, the second preset threshold may be set slightly smaller than the largest total number of requests received in any historical time period. The historical periods used for this estimate should be ones known to be free of attacks; a period that itself contained a flood would inflate the threshold and mask later attacks of the same size.
It should be noted that, in the embodiment of the present invention, the set attack rule may include any one or any multiple of the foregoing rules; moreover, the attack identification component can also support a user to modify the existing rules or self-define new rules according to actual service requirements so as to continuously update and set the attack rules and improve the accuracy of attack detection.
In specific implementation, if it is determined that the first domain name resolution server is attacked, the first domain name resolution server may further determine the attacked domain name from the deployed domain names, and then generate attack identification information according to the attacked domain name. The attack identification information may carry an identifier of the first domain name resolution server and an identifier of the attacked domain name. By carrying the identification of the attacked domain name in the attack identification information, the central management device can determine the attacked domain name in the first domain name resolution server conveniently, and the accuracy and flexibility of distributing the domain name authorization information of each domain name are improved.
As an example, the attack identification information may carry, in addition to the identity of the attacked domain name, the total number of requests and/or the request increment of the attacked domain name. In this way, after the central management device 200 receives the attack identification information, the secondary attack determination may be performed on the attacked domain name according to the total number of requests and/or the request increment of the attacked domain name, so as to avoid isolating the domain name that is not attacked under the condition that the determination of the first domain name resolution server is in error, and improve the accuracy of preventing the attack.
In this first possibility, the attack determination is performed by the domain name resolution server rather than by the central management device. This reduces the load on the central management device and decouples the attack determination process from the domain name change process, so that attack determination does not interfere with the normal execution of domain name changes, improving the accuracy and timeliness of the domain name change.
Possibility two: the attack identification information indicates the resolution situation of the first domain name resolution server for each domain name in the current time period.
In the embodiment of the present invention, the attack identification information reported by the first domain name resolution server may include, for each domain name the first domain name resolution server is responsible for, the number of access requests for resolving that domain name received in the current time period, where the first domain name resolution server may be responsible for resolving a single domain name or for resolving a plurality of (i.e. two or more) domain names at the same time. For example, if the current time period lasts 10 minutes, then, since the domain name resolution server 121 is responsible for resolving the domain names test1 and test2, the attack identification information reported by the domain name resolution server 121 may include the number of access requests for resolving test1 and the number of access requests for resolving test2 received by the domain name resolution server 121 in that 10-minute period.
In specific implementation, the attack identification information may be reported to the central management device 200 by the first domain name resolution server in a fixed period or in real time, or the central management device 200 may first send an acquisition request to the first domain name resolution server, and then the first domain name resolution server reports the attack identification information after receiving the acquisition request, which is not limited.
In this second possibility, the central management device performs the attack determination, so the determination can be made uniformly for every domain name resolution server and a domain name resolution server cannot forge the attack determination itself, which improves the accuracy of the attack determination. Note that the request counts are still supplied by the domain name resolution server; centralizing the determination does not by itself authenticate those counts.
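The three rules above (request increment per domain name, total requests per server, requests per domain name), the second threshold derived from historical totals, the report carrying the attacked domain name's counts, and the secondary determination on the central management device, as an added example in Python. This is not the patent's code; the server identifier, the per-period counters and the threshold values are constructed. The same identifier class can also run on the central management device for possibility two, fed with the counts reported each period.

```python
"""Attack identification over per-period request counters.

Added example, not the patent's code. The thresholds, period counters and
server identifier below are constructed; they illustrate the three rules of
the text (per-domain increment, per-server total, per-domain count) and the
report that the resolution server sends to the central management device.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AttackRules:
    first_threshold: int    # per-domain request increment between consecutive periods
    second_threshold: int   # total requests on the server in one period
    third_threshold: int    # per-domain requests in one period
    gate_on_total: bool = True  # apply per-domain rules only when the total rule fires


def threshold_from_history(history_totals, margin=0.9):
    """Second preset threshold derived from the server's service capability:
    slightly smaller than the largest per-period total seen historically."""
    return int(max(history_totals) * margin)


@dataclass
class AttackIdentifier:
    """The attack identification component embedded in one resolution server."""
    server_id: str
    rules: AttackRules
    previous: dict = field(default_factory=dict)   # domain -> count in the previous period

    def check_period(self, current):
        """Evaluate one period's counters {domain: request count}.

        Returns the attack identification information to report, or None when
        no domain name trips a per-domain rule (in which case no report is sent)."""
        total = sum(current.values())
        attacked = {}
        if total > self.rules.second_threshold or not self.rules.gate_on_total:
            for domain, count in current.items():
                increment = count - self.previous.get(domain, 0)
                if (increment > self.rules.first_threshold
                        or count > self.rules.third_threshold):
                    attacked[domain] = {"requests": count, "increment": increment}
        self.previous = dict(current)
        if not attacked:
            return None
        return {"server": self.server_id,
                "total_requests": total,
                "attacked_domains": attacked}


def central_secondary_check(report, rules):
    """Secondary determination on the central management device: re-apply the
    per-domain rules to the counts carried in the report, so that a domain is
    only isolated when its own numbers still exceed a threshold."""
    return sorted(d for d, v in report["attacked_domains"].items()
                  if v["increment"] > rules.first_threshold
                  or v["requests"] > rules.third_threshold)


def run_example():
    """Two consecutive 10-minute periods on server ips1 (constructed counts)."""
    rules = AttackRules(first_threshold=1000,
                        second_threshold=threshold_from_history([4000, 5200, 4800]),
                        third_threshold=3000)
    ident = AttackIdentifier("ips1", rules)
    quiet = ident.check_period({"test1.com": 1500, "test2.com": 1200})   # total 2700
    flood = ident.check_period({"test1.com": 4200, "test2.com": 1300})   # total 5500
    confirmed = central_secondary_check(flood, rules)
    return quiet, flood, confirmed


if __name__ == "__main__":
    print(run_example())
```

In the constructed run the first period stays below the total threshold of 4680 and produces no report; in the second period the total rule fires, test1.com is identified by both the increment rule (2700 over the previous period) and the per-domain rule (4200 requests), and the central device's secondary check confirms it. With gate_on_total set to False the per-domain rules are applied every period, which is the standalone form of the first and third rules.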
Step 302, determining whether the first domain name resolution server is attacked or not according to the attack identification information.
In a specific implementation, if the attack determination is performed in the first possible manner, after receiving the attack identification information, the central management device 200 may determine the attacked domain name resolution server and the attacked domain name directly according to the identifier of the attacked domain name resolution server and the identifier of the attacked domain name in the attack identification information. Correspondingly, if the attack judgment is performed in the second possible manner, after receiving the attack identification information, the central management device 200 may analyze the attack identification information by using a set attack rule to determine whether the first domain name resolution server is attacked, and determine an attacked domain name from the domain names deployed by the first domain name resolution server after determining that the first domain name resolution server is attacked.
Step 303, if it is determined that the first domain name resolution server is attacked, changing the domain name authorization information on the first domain name resolution server to an attack prevention server.
In the embodiment of the present application, the domain name registration node 110 is set up by the domain name registry of the Internet Corporation for Assigned Names and Numbers (ICANN) or of a country code top-level domain (ccTLD). It can manage each domain name in a designated domain name registration database and also manage the domain name authorization information of each domain name, for example obtaining the domain name authorization information of a certain domain name on a domain name resolution server, configuring certain domain name authorization information onto a domain name resolution server, or releasing certain domain name authorization information from a domain name resolution server.
In a specific implementation, if it is determined that the first domain name resolution server is attacked, the central management device 200 may send a domain name change request to the domain name registration node 110, where the domain name change request carries an identifier of the first domain name resolution server and an identifier of the attack-prevention server, and the domain name change request is used to instruct the domain name registration node 110 to change domain name authorization information on the first domain name resolution server. Thus, after the domain name registration node 110 receives the domain name change request, the domain name authorization information on the first domain name resolution server may be changed to the anti-attack server by modifying the domain name configuration information, for example, the domain name authorization information on the first domain name resolution server may be obtained first, then the domain name authorization information is configured to the anti-attack server, and finally the domain name authorization information is released from the first domain name resolution server, thereby realizing the change of the domain name authorization information.
For example, if the original domain name configuration information stored in the domain name registration node 110 is:
test1.com ns ns1.test1.com
ns1.test1.com in a ips1
tosec.org ns ns1.tosec.org
ns1.tosec.org in a ipsv1
then, according to the original domain name configuration information, the domain name authorization information of the domain name test1 is authorized to the first domain name resolution server ips1 in turn through the root domain name server com, the top level domain name server test1.com and the first level domain name server ns1.test1.com; the original domain name configuration information also configures an anti-attack server ipsv1, which is reached in turn through the root domain name server org, the top level domain name server tosec.org and the first level domain name server ns1.tosec.org.
In a specific implementation, if the first domain name resolution server ips1 detects that the request increment of the access requests for the domain name test1 in the current time period exceeds the first preset threshold, it may determine that test1 is attacked and report attack identification information carrying the identifier of the first domain name resolution server ips1 and the identifier of the attacked domain name test1 to the central management device 200. After receiving this attack identification information, the central management device 200 determines that test1 on ips1 is attacked, and may therefore modify the original domain name configuration information by scheduling the domain name registration node 110, so as to change the domain name authorization information of test1 to the attack prevention server ipsv1.
The modification may replace the original first level domain name server ns1.test1.com corresponding to the domain name test1 with the first level domain name server ns1.tosec.org corresponding to the attack-prevention server ipsv1, so that the modified domain name configuration information may be:
test1.com ns ns1.tosec.org
ns1.test1.com in a ips1
tosec.org ns ns1.tosec.org
ns1.tosec.org in a ipsv1
According to the modified domain name configuration information, the original domain name resolution server ips1 holding the domain name authorization information of the domain name test1 is isolated, and the domain name authorization information of test1 is authorized to the attack prevention server ipsv1 through the top level domain name server test1.com and the first level domain name server ns1.tosec.org. In this way, as soon as the domain name resolution server ips1 is determined to be attacked, the domain name authorization information on ips1 is changed to the attack prevention server ipsv1, which continues to provide domain name resolution service for test1, so that the domain name resolution service has high availability and strong attack prevention capability. Note that the record ns1.test1.com in a ips1 remains in the configuration; it is simply no longer referenced by any NS record of test1.com.
In the embodiment of the present invention, the first domain name resolution server may be a private domain name resolution server or a common domain name resolution server. If it is a common domain name resolution server, the central management device 200 may change the domain name authorization information of the attacked domain name on the first domain name resolution server to the first anti-attack server, and may also change the domain name authorization information of the other domain names on the first domain name resolution server to a preset common domain name resolution server. Thus, when a certain domain name on the common domain name resolution server is attacked, the private domain name resolution servers of the other domain names can still provide resolution normally, relying on the retry mechanism of the local DNS server (the recursive resolver, which tries another server in the NS set when one fails to answer), so that the availability of every domain name is ensured; and changing the domain name authorization information of the domain names that are not attacked at the same time also ensures the resolution efficiency of each domain name.
For example, the central management device 200 may further determine the private domain name resolution server of the attacked domain name and change the domain name authorization information of the attacked domain name on that private domain name resolution server to the second anti-attack server. Thus, when a certain domain name on the common domain name resolution server is attacked, the domain name authorization information on the not-yet-attacked private domain name resolution server is changed at the same time, which avoids the private domain name resolution server also being overwhelmed when an attacker attacks a large number of domain names simultaneously, ensures the availability of the domain name on the private domain name resolution server, and improves the anti-attack capability.
Or, if it is determined that the first domain name resolution server is a private domain name resolution server of the attacked domain name, the central management device 200 may change the domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server. Therefore, the first anti-attack server is arranged to receive the domain name authorization information of the attacked domain name, and a standby domain name resolution server is not arranged for each domain name, so that the deployment number of the domain name resolution servers can be reduced, and the utilization efficiency of resources is improved.
For example, the central management device 200 may further determine a common domain name resolution server of the attacked domain name, change the domain name authorization information corresponding to the attacked domain name on the common domain name resolution server to the second anti-attack server, and change the domain name authorization information corresponding to other domain names on the common domain name resolution server to the preset common domain name resolution server. Therefore, when a private domain name resolution server of a certain domain name is attacked, all domain name authorization information on the common domain name resolution server of the domain name is changed at the same time, the problem that the common domain name resolution server is attacked at the same time due to the fact that an attacker attacks the domain name in a large amount at the same time can be solved, domain name resolution information on all domain name resolution servers where the attacked domain name is located is changed in advance, the availability of each domain name is guaranteed, and the anti-attack capability is improved.
Based on the above, fig. 4 is a corresponding overall flowchart schematic diagram of an anti-attack method provided in an embodiment of the present invention, where the method is applied to the central management device 200, and the method includes:
step 401, receiving attack identification information reported by a first domain name resolution server.
Step 402, determining whether the first domain name resolution server is attacked or not according to the attack identification information, if so, executing step 403, and if not, periodically executing step 401.
Step 403, determining whether the first domain name resolution server is a private domain name resolution server of the attacked domain name, if yes, executing step 404, and if not, executing step 407.
Step 404, changing the domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server.
Step 405, determine the common domain name resolution server of the attacked domain name.
Step 406, changing the domain name authorization information corresponding to the attacked domain name on the common domain name resolution server to a second anti-attack server, and simultaneously changing the domain name authorization information corresponding to other domain names on the common domain name resolution server to a preset common domain name resolution server.
Step 407, determining whether the first domain name resolution server is a common domain name resolution server of the attacked domain name, if yes, executing step 408, and if not, executing step 411.
Step 408, changing the domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server, and changing the domain name authorization information corresponding to other domain names on the first domain name resolution server to a preset common domain name resolution server.
Step 409, determine the private domain name resolution server of the attacked domain name.
Step 410, changing the domain name authorization information corresponding to the attacked domain name on the private domain name resolution server to the second anti-attack server.
Step 411, a system error has occurred: raise an alarm.
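The branch logic of steps 403 to 411, together with the step 303 change of obtaining the authorization information, configuring it on the target server and only then releasing it from the source, as an added example in Python. This is not the patent's code. The server identifiers ips1, ips2, ipsc1, ipsc2, ipsv1 and ipsv2 mirror the roles in the patent's examples (private, common, preset common and anti-attack servers); the NS host names and the 192.0.2.x addresses (a documentation-only range) are constructed placeholders, and the rendering of the registration node's configuration in the "name ns host" / "host in a ip" form used on this page is an assumption about that format.

```python
"""Domain name change logic of the central management device (Fig. 4).

Added example, not the patent's code. Server identifiers follow the roles in
the patent's examples (ips*: private, ipsc*: common, ipsv*: anti-attack); the
NS host names and the 192.0.2.x addresses (a documentation-only range) are
constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Server:
    sid: str       # identifier the central management device uses
    ns_name: str   # NS host name that the registration node delegates to
    ip: str        # address the NS host name resolves to


@dataclass
class Deployment:
    servers: dict                 # sid -> Server
    private: dict                 # domain -> sid of its private resolution server
    common: dict                  # domain -> sid of its common resolution server
    first_anti: str               # first anti-attack server
    second_anti: str              # second anti-attack server
    preset_common: str            # preset common resolution server
    authority: dict = field(init=False)   # domain -> sids holding its authorization info

    def __post_init__(self):
        self.authority = {d: {self.private[d], self.common[d]} for d in self.private}

    def domains_on(self, sid):
        return sorted(d for d, holders in self.authority.items() if sid in holders)

    def move(self, domain, src, dst, log):
        """Step 303 change: configure the authorization information on dst
        first, then release it from src, so the domain never has zero holders."""
        if src not in self.authority[domain]:
            raise ValueError(f"{src} does not hold {domain}")
        self.authority[domain].add(dst)
        self.authority[domain].discard(src)
        log.append((domain, src, dst))

    def handle_attack(self, first_server, attacked):
        """Steps 403-411 for an attacked domain reported by first_server.
        Returns the list of (domain, from, to) changes in the order applied."""
        log = []

        def others(sid):
            return [d for d in self.domains_on(sid) if d != attacked]

        if self.private.get(attacked) == first_server:                  # 403
            self.move(attacked, first_server, self.first_anti, log)       # 404
            cs = self.common[attacked]                                    # 405
            self.move(attacked, cs, self.second_anti, log)                # 406
            for d in others(cs):
                self.move(d, cs, self.preset_common, log)
        elif self.common.get(attacked) == first_server:                 # 407
            self.move(attacked, first_server, self.first_anti, log)       # 408
            for d in others(first_server):
                self.move(d, first_server, self.preset_common, log)
            self.move(attacked, self.private[attacked], self.second_anti, log)  # 409-410
        else:                                                             # 411
            raise RuntimeError(
                f"system error: {first_server} is neither the private nor the "
                f"common resolution server of {attacked}")
        return log

    def config_lines(self):
        """Registration node configuration in the 'name ns host' / 'host in a ip'
        form of the text, derived from the current holders."""
        lines = [f"{d} ns {self.servers[s].ns_name}"
                 for d in sorted(self.authority) for s in sorted(self.authority[d])]
        lines += [f"{s.ns_name} in a {s.ip}" for s in self.servers.values()]
        return lines


def example_deployment():
    """Fig. 1 style layout: test1/test2 with private servers ips1/ips2 and
    the shared common server ipsc1 (constructed addresses)."""
    servers = [
        Server("ips1", "ns1.test1.com", "192.0.2.11"),
        Server("ips2", "ns1.test2.com", "192.0.2.12"),
        Server("ipsc1", "dns5.tosec1.org", "192.0.2.21"),
        Server("ipsc2", "dns5.tosec2.org", "192.0.2.22"),
        Server("ipsv1", "ns1.tosec.org", "192.0.2.31"),
        Server("ipsv2", "ns2.tosec.org", "192.0.2.32"),
    ]
    return Deployment({s.sid: s for s in servers},
                      private={"test1.com": "ips1", "test2.com": "ips2"},
                      common={"test1.com": "ipsc1", "test2.com": "ipsc1"},
                      first_anti="ipsv1", second_anti="ipsv2", preset_common="ipsc2")


if __name__ == "__main__":
    dep = example_deployment()
    for change in dep.handle_attack("ipsc1", "test1.com"):
        print("change %s: %s -> %s" % change)
    print("\n".join(dep.config_lines()))
```

Whichever server reports the attack, both branches end in the same state: the attacked domain name is held only by the two anti-attack servers, the other domain names of the shared common server are moved to the preset common server, and the attacked server holds nothing. The branches differ only in which anti-attack server receives the private and which the common delegation, exactly as in the two cases described above. Because each move configures the target before releasing the source, the NS set of a domain name always contains at least one server that holds its authorization information, which is what lets the local DNS server's retry mechanism bridge the change.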
For ease of understanding, a specific example is listed below, in which the original domain name configuration information stored in the domain name registration node 110 is:
test1.com ns ns1.test1.com
ns1.test1.com in a ips1
test1.com ns dns5.tosec.org
test2.com ns ns1.test2.com
ns1.test2.com in a ips2
test2.com ns dns5.tosec.org
……
testn.com ns ns1.testn.com
ns1.testn.com in a ipsn
testn.com ns dns5.tosec.org
tosec.org ns ns1.tosec.org
tosec.org ns ns2.tosec.org
ns1.tosec.org in a ipsv1
ns2.tosec.org in a ipsv2
dns5.tosec.org ns dns5.tosec1.org
dns5.tosec1.org in a ipsc1
dns5.tosec2.org in a ipsc2
Then, as can be seen from the original domain name configuration information, for any domain name (such as test1), the domain name authorization information of test1 is authorized to the private domain name resolution server ips1 and to the common domain name server dns5.tosec.org in turn through the root domain name server com, the top level domain name server test1.com and the first level domain name server ns1.test1.com, and further to the common domain name resolution server ipsc1 through the common domain name server dns5.tosec.org and the domain name server dns5.tosec1.org. The original domain name configuration information also configures an attack prevention server ipsv1, an attack prevention server ipsv2 and a preset common domain name resolution server ipsc2, where ipsv1 is reached in turn through the root domain name server org, the top level domain name server tosec.org and the first level domain name server ns1.tosec.org, and ipsv2 is reached in turn through the root domain name server org, the top level domain name server tosec.org and the first level domain name server ns2.tosec.org.
In a specific implementation, after receiving the attack identification information sent by the first domain name resolution server, the central management device 200 may first determine whether the first domain name resolution server is the private domain name resolution server or the common domain name resolution server of the attacked domain name, and then modify the original domain name configuration information by scheduling the domain name registration node 110 so as to execute the corresponding change operation. For example, when the attacked domain name is test1 and the first domain name resolution server is ips1, which is the private domain name resolution server of test1, the central management device 200 may change the domain name authorization information of test1 on ips1 to the first attack-prevention server ipsv1, change the domain name authorization information of test1 on the common domain name resolution server ipsc1 of test1 to the second attack-prevention server ipsv2, and at the same time change the domain name authorization information of the other domain names test2 to testn on the common domain name resolution server ipsc1 to the preset common domain name resolution server ipsc2.
Correspondingly, if the first domain name resolution server is ipsc1, which is the common domain name resolution server of the attacked domain name test1, the central management device 200 may change the domain name authorization information of test1 on ipsc1 to the first anti-attack server ipsv1, change the domain name authorization information of the other domain names test2 to testn on ipsc1 to the preset common domain name resolution server ipsc2, and change the domain name authorization information of test1 on the private domain name resolution server ips1 of test1 to the second anti-attack server ipsv2.
Taking the first domain name resolution server as ipsc1 as an example, the original domain name configuration information may be modified by scheduling the domain name registration node 110, and the modification may be performed in such a manner that the original first-level domain name server ns1.test1.com corresponding to the domain name test1 is scheduled as the first-level domain name server ns1.tosec. org corresponding to the attack-prevention server ipsv1, and the common domain name server dns5.tosec. org corresponding to the domain name test1 is scheduled as the first-level domain name server ns2.tosec. org corresponding to the attack-prevention server ipsv2, or may also be performed in such a manner that the common domain name server dns5.tosec1.org corresponding to another domain name is scheduled as the first-level domain name server dns5.tosec2.org corresponding to the preset common domain name resolution server ipsc 2.
Thus, the modified domain name configuration information may be:
test1.com ns ns1.tosec.org
test1.com ns ns2.tosec.org
ns1.test1.com in a ips1
test1.com ns dns5.tosec.org
test2.com ns ns1.test2.com
ns1.test2.com in a ips2
test2.com ns dns5.tosec.org
……
testn.com ns ns1.testn.com
ns1.testn.com in a ipsn
testn.com ns dns5.tosec.org
tosec.org ns ns1.tosec.org
tosec.org ns ns2.tosec.org
ns1.tosec.org in a ipsv1
ns2.tosec.org in a ipsv2
dns5.tosec.org ns dns5.tosec2.org
dns5.tosec1.org in a ipsc1
dns5.tosec2.org in a ipsc2
According to the modified domain name configuration information, the original private domain name resolution server ips1, which stored the domain name authorization information of the domain name test1, is isolated, and the domain name authorization information of the domain name test1 on the original private domain name resolution server ips1 is authorized to the attack-prevention server ipsv1 through the top-level domain name server test1.com and the first-level domain name server ns1.tosec.org. Accordingly, the original common domain name resolution server ipsc1, which stored domain name authorization information of the domain name test1, is isolated: the domain name authorization information of the domain name test1 on the original common domain name resolution server ipsc1 is authorized to the attack-prevention server ipsv2 through the top-level domain name server test1.com and the first-level domain name server ns2.tosec.org, and the domain name authorization information of the other domain names test2 to testn on the original common domain name resolution server ipsc1 is authorized to the preset common domain name resolution server ipsc2 through the top-level domain name servers test2.com to testn.com, the first-level domain name server dns5.tosec.org and the second-level domain name server dns5.tosec2.org.
In this way, by changing all domain name authorization information on the shared domain name resolution server ipsc1 and the private domain name resolution server ips1 when it is determined in advance that the shared domain name resolution server ipsc1 is attacked, the domain name resolution system can continue to provide a better domain name resolution service for each domain name, and the domain name resolution service has enough available space and strong attack prevention capability.
Based on the modified configuration information, fig. 5 is a schematic flowchart of domain name resolution provided in the embodiment of the present invention, and as shown in fig. 5, the process includes:
In step 501, the client 300 sends a domain name resolution request to the local domain name server, where the domain name resolution request carries an identifier of the domain name test1.
Step 502, after receiving the domain name resolution request, the local domain name server queries its local cache. If a Domain Name System (DNS) record corresponding to the domain name test1 exists in the local cache, it directly returns a query result to the client 300, the query result carrying the DNS record corresponding to the domain name test1; if no DNS record corresponding to the domain name test1 exists in the local cache, it sends a domain name resolution request to the root domain name server.
As shown in fig. 5, in this example, there is no DNS record corresponding to the domain name test1 in the local cache, so the local domain name server may send a domain name resolution request to the root domain name server com, where the domain name resolution request carries an identifier of the domain name test1.
In step 503, the root domain name server com records the addresses of the top level domain name servers corresponding to the domain name test1, so that the root domain name server com returns the IP address of the top level domain name server test1.com corresponding to the domain name test1 to the local domain name server after receiving the domain name resolution request.
In step 504, after receiving the IP address of the top-level domain name server test1.com, the local domain name server sends a domain name resolution request to the top-level domain name server test1.com through the IP address, where the domain name resolution request carries an identifier of the domain name test1.
Step 505, after receiving the domain name resolution request, the top-level domain name server test1.com queries its local cache, and if the local cache has a DNS record corresponding to the domain name test1, returns a query result to the local domain name server to be returned to the client 300 via the local domain name server, where the query result carries the DNS record corresponding to the domain name test1; correspondingly, if the DNS record corresponding to the domain name test1 does not exist in the local cache, the IP address of the next-level domain name server is returned to the local domain name server.
As shown in fig. 5, in this example, the DNS record corresponding to the domain name test1 does not exist in the local cache of the top-level domain name server test1.com, so the top-level domain name server test1.com sends the IP address of the next-level domain name server ns1.tosec.org to the local domain name server.
In step 506, after receiving the IP address of the next-level domain name server ns1.tosec.org, the local domain name server sends a domain name resolution request to the next-level domain name server ns1.tosec.org through the IP address, where the domain name resolution request carries the identifier of the domain name test1.
Step 507, after receiving the domain name resolution request, the next-level domain name server ns1.tosec.org queries its local cache, and if a DNS record corresponding to the domain name test1 exists in the local cache, returns a query result to the local domain name server to be returned to the client 300 via the local domain name server, where the query result carries the DNS record corresponding to the domain name test1; correspondingly, if the DNS record corresponding to the domain name test1 does not exist in the local cache, the IP address of the next-level domain name server is returned to the local domain name server.
As shown in fig. 5, in this example, the DNS record corresponding to the domain name test1 does not exist in the local cache of the next-level domain name server ns1.tosec.org, and therefore the next-level domain name server ns1.tosec.org sends the IP address of the attack-prevention server ipsv1 to the local domain name server.
Step 508, after receiving the IP address of the attack prevention server ipsv1, the local domain name server sends a domain name resolution request to the ipsv1 through the IP address, where the domain name resolution request carries the identifier of the domain name test1.
In step 509, the attack-prevention server ipsv1 stores a DNS record corresponding to the domain name test1 (that is, domain name authorization information of the domain name test1), and after receiving a domain name resolution request sent by the local domain name server, since the local cache stores the DNS record corresponding to the domain name test1, the attack-prevention server ipsv1 may query the DNS record corresponding to the domain name test1 to determine each server corresponding to the domain name test1, and then select the server closest to the local domain name server, and return the IP address of the closest server to the local domain name server.
In step 510, the local domain name server sends the domain name resolution result to the client 300, where the domain name resolution result carries the IP address of the nearest server.
In addition, the local domain name server also stores the IP address of the nearest server corresponding to the domain name test1 in the local cache, so that the IP address of the nearest server corresponding to the domain name test1 is directly obtained from the local cache after the next request for accessing the domain name test1 is received.
In step 511, after receiving the domain name resolution result, the client 300 sends a data request to the IP address of the nearest server corresponding to the domain name test1.
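The modified configuration listed above can be checked mechanically: does every delegation chain for test1.com now end at an attack-prevention server, which hops does the local domain name server of fig. 5 take, and which of the original servers no longer appear in any chain? The following Python is an added example written for this page, not code from the patent or from the applicant; it copies the record list as given (with the "……" row stood in for by a constructed test3.com), treats the "ns" and "in a" rows as NS and A records, and follows the delegations.

```python
from collections import defaultdict

# Constructed copy of the modified domain name configuration listed in the embodiment.
# Record format, as on the page: "<name> ns <target>" delegates <name> to the name
# server <target>; "<name> in a <address>" gives the address of a name server.
# The "……" row of the page is replaced by one concrete domain, test3.com.
MODIFIED_CONFIG = """
test1.com ns ns1.tosec.org
test1.com ns ns2.tosec.org
ns1.test1.com in a ips1
test1.com ns dns5.tosec.org
test2.com ns ns1.test2.com
ns1.test2.com in a ips2
test2.com ns dns5.tosec.org
test3.com ns ns1.test3.com
ns1.test3.com in a ips3
test3.com ns dns5.tosec.org
tosec.org ns ns1.tosec.org
tosec.org ns ns2.tosec.org
ns1.tosec.org in a ipsv1
ns2.tosec.org in a ipsv2
dns5.tosec.org ns dns5.tosec2.org
dns5.tosec1.org in a ipsc1
dns5.tosec2.org in a ipsc2
"""


def parse_config(text):
    """Split the configuration into NS delegations and A (address) records."""
    ns, a = defaultdict(list), defaultdict(list)
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[1] == "ns":
            ns[parts[0]].append(parts[2])
        elif len(parts) == 4 and parts[1:3] == ["in", "a"]:
            a[parts[0]].append(parts[3])
        else:
            raise ValueError(f"unrecognised record: {line!r}")
    return ns, a


def authoritative_addresses(name, ns, a, path=()):
    """Every server address a resolver can end up at for `name`, following all NS
    delegations to the bottom. `path` guards against delegation loops."""
    if name in path:
        return []
    if name in a:
        return list(a[name])
    addresses = []
    for target in ns.get(name, []):
        addresses.extend(authoritative_addresses(target, ns, a, path + (name,)))
    return addresses


def resolution_path(name, ns, a):
    """Hops the local domain name server of fig. 5 takes when it follows the first
    NS record at every level: zone -> next-level name server -> ... -> address."""
    hops = [name]
    while name not in a:
        targets = ns.get(name, [])
        if not targets or targets[0] in hops:
            raise LookupError(f"no usable delegation for {name}")
        name = targets[0]
        hops.append(name)
    hops.append(a[name][0])
    return hops


def isolated_servers(ns, a):
    """Addresses that still have an A record but are reachable from no delegated
    zone, i.e. the servers the change has taken out of every resolution path."""
    known = {addr for addrs in a.values() for addr in addrs}
    referenced = {addr for zone in ns for addr in authoritative_addresses(zone, ns, a)}
    return sorted(known - referenced)


if __name__ == "__main__":
    ns, a = parse_config(MODIFIED_CONFIG)
    print("test1.com ->", authoritative_addresses("test1.com", ns, a))
    print("fig. 5 path:", " -> ".join(resolution_path("test1.com", ns, a)))
    print("isolated:", isolated_servers(ns, a))
```

Run against the listed records, the first-NS path for test1.com is test1.com, ns1.tosec.org, ipsv1, exactly the hops of steps 503 to 509, and neither ips1 nor ipsc1 is reachable from any zone. One detail worth noticing is that the record `test1.com ns dns5.tosec.org` is still present in the list, so the full set of delegations for test1.com also leads, via dns5.tosec2.org, to the preset common server ipsc2.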
In the embodiment of the invention, the attack identification information is automatically reported by the first domain name resolution server, the attack pre-judgment is carried out on the first domain name resolution server based on the attack identification information, the attack can be identified in time, and when the first domain name resolution server is pre-judged to be attacked, the domain name resolution service can be continuously provided by the anti-attack server while the attacked first domain name resolution server is quickly isolated by changing the domain name authorization information on the first domain name resolution server to the anti-attack server, so that the availability of the domain name resolution service is improved.
Fig. 6 is a schematic diagram of an overall interaction flow corresponding to an attack prevention method provided in an embodiment of the present invention, where the method includes:
step 601, the first domain name resolution server obtains the access number of each domain name in the current time period.
Step 602, the first domain name resolution server analyzes the access number of each domain name by using a preset attack rule, and determines whether the first domain name resolution server is attacked in the current time period, if not, step 603 is executed, and if yes, step 604 is executed.
Step 603, no processing is performed.
Step 604, the first domain name resolution server sends attack identification information to the central management device, where the attack identification information carries an identifier of the attacked domain name.
Step 605, the central management device generates a change instruction according to the attacked domain name and the first domain name resolution server; the change instruction is used for indicating that the domain name authorization information corresponding to the attacked domain name on the first domain name resolution server is changed to the first anti-attack server.
Step 606, the central management device sends a change instruction to the domain name registration node.
Step 607, after receiving the change instruction, the domain name registration node modifies the domain name configuration information, and the modified domain name configuration information is used to change the domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server.
In one example, the change instruction further indicates the following. If the first domain name resolution server is a common domain name resolution server of the attacked domain name, the domain name registration node is instructed to change the domain name authorization information corresponding to other domain names on the first domain name resolution server to a preset common domain name resolution server, and at the same time to change the domain name authorization information corresponding to the attacked domain name on the private domain name resolution server of the attacked domain name to a second anti-attack server. If the first domain name resolution server is the private domain name resolution server of the attacked domain name, the domain name registration node is instructed to change the domain name authorization information corresponding to the attacked domain name on the common domain name resolution server of the attacked domain name to a second anti-attack server, and at the same time to change the domain name authorization information corresponding to other domain names on that common domain name resolution server to a preset common domain name resolution server.
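The two cases of the change instruction are easiest to see as a small planner that turns (attacked domain, reporting server) into a list of authorization moves and then applies them to a model of who holds which domain. This Python is an added example written for this page, not the patent's or the applicant's code; the deployment (ips1 to ips3 private, ipsc1 common for all three), the anti-attack servers ipsv1 and ipsv2 and the preset common server ipsc2 are the names used in the embodiment, and the data layout is a constructed assumption. It also includes the reverse step for when the attack is released.

```python
from dataclasses import dataclass


@dataclass
class Deployment:
    """Which servers hold each domain's authorization information (constructed model)."""
    private: dict   # domain -> its private domain name resolution server
    common: dict    # common domain name resolution server -> domains it serves

    def common_server_of(self, domain):
        for server, domains in self.common.items():
            if domain in domains:
                return server
        raise KeyError(f"{domain} has no common domain name resolution server")


def plan_change_instruction(dep, attacked, first_server, ipsv1, ipsv2, preset_common):
    """Return the change instruction as (server, domain, new_authority) triples.
    The reporting (first) server hands the attacked domain to the first anti-attack
    server, the attacked domain's other server hands it to the second one, and all
    other domains on the common server move to the preset common server."""
    private_srv = dep.private[attacked]
    common_srv = dep.common_server_of(attacked)
    if first_server == private_srv:
        on_private, on_common = ipsv1, ipsv2
    elif first_server == common_srv:
        on_private, on_common = ipsv2, ipsv1
    else:
        raise ValueError(f"{first_server} does not serve {attacked}")
    changes = [(private_srv, attacked, on_private), (common_srv, attacked, on_common)]
    changes += [(common_srv, other, preset_common)
                for other in dep.common[common_srv] if other != attacked]
    return changes


def initial_state(dep):
    """domain -> list of servers currently holding its authorization information."""
    return {d: [srv, dep.common_server_of(d)] for d, srv in dep.private.items()}


def apply_changes(state, changes):
    """Apply each move; a move names the server it leaves and the server it goes to."""
    new = {d: list(servers) for d, servers in state.items()}
    for old_server, domain, new_server in changes:
        new[domain][new[domain].index(old_server)] = new_server
    return new


def revert_changes(state, changes):
    """When the attack is released, move every authorization back where it came from."""
    return apply_changes(state, [(new, d, old) for old, d, new in changes])


def holdings(state, server):
    """Domains whose authorization information a server still holds."""
    return sorted(d for d, servers in state.items() if server in servers)


# Constructed deployment: three domains, one private server each, one shared common server.
DEPLOYMENT = Deployment(
    private={"test1": "ips1", "test2": "ips2", "test3": "ips3"},
    common={"ipsc1": ["test1", "test2", "test3"]},
)

if __name__ == "__main__":
    plan = plan_change_instruction(DEPLOYMENT, "test1", "ipsc1", "ipsv1", "ipsv2", "ipsc2")
    after = apply_changes(initial_state(DEPLOYMENT), plan)
    for move in plan:
        print("change:", move)
    print("ipsc1 now holds:", holdings(after, "ipsc1"), "ips1 now holds:", holdings(after, "ips1"))
```

After applying the plan for test1 reported by ipsc1, neither ips1 nor ipsc1 holds any domain, test1 is served by ipsv1 and ipsv2, and test2 and test3 keep their private servers and gain ipsc2 as their common server; `revert_changes` restores the starting state, which is the release step of the method.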
In the embodiment of the present invention, the central management device receives the attack identification information reported by the first domain name resolution server, determines whether the first domain name resolution server is attacked or not according to the attack identification information, and changes the domain name authorization information on the first domain name resolution server to the anti-attack server if it is determined that the first domain name resolution server is attacked. In the embodiment of the invention, the attack identification information is automatically reported by the first domain name resolution server, the attack pre-judgment is carried out on the first domain name resolution server based on the attack identification information, the attack can be identified in time, and when the first domain name resolution server is pre-judged to be attacked, the domain name resolution service can be continuously provided by the anti-attack server while the attacked first domain name resolution server is quickly isolated by changing the domain name authorization information on the first domain name resolution server to the anti-attack server, so that the availability of the domain name resolution service is improved.
For the above method flow, the embodiment of the present invention also provides an anti-attack device; the specific content of the device can be implemented with reference to the method.
Fig. 7 is a schematic structural diagram of a domain name deployment apparatus based on a domain name resolution system according to an embodiment of the present invention, including:
a private domain name resolution deployment module 701, configured to deploy a private domain name resolution server corresponding to the domain name for any domain name in the domain name resolution system;
a common domain name resolution deployment module 702, configured to deploy a common domain name resolution server for two or more domain names in the domain name resolution system;
the private domain name resolution deployment module 701 or the common domain name resolution deployment module 702 deploys the domain name to the domain name resolution server in the following manner: authorizing the domain name authorization information of the domain name to the domain name resolution server.
In a possible implementation manner, the domain name resolution system is further provided with a central management device and at least one anti-attack server; fig. 8 is a schematic structural diagram of a central management device according to an embodiment of the present invention, where the central management device includes:
a transceiver module 801, configured to receive attack identification information reported by a first domain name resolution server;
a domain name authorization changing module 802, configured to change the domain name authorization information on the first domain name resolution server to the at least one anti-attack server if it is determined that the first domain name resolution server is attacked according to the attack identification information.
In a possible implementation manner, the at least one anti-attack server includes a first anti-attack server and a preset common domain name resolution server;
the domain name authorization changing module 802 is specifically configured to:
if the first domain name resolution server is determined to be the common domain name resolution server, changing domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server, and changing domain name authorization information corresponding to other domain names on the first domain name resolution server to the preset common domain name resolution server.
In a possible implementation manner, the at least one attack-prevention server further includes a second attack-prevention server;
the domain name authority changing module 802 is further configured to:
determining a private domain name resolution server of the attacked domain name, and changing domain name authorization information corresponding to the attacked domain name on the private domain name resolution server to the second anti-attack server.
In one possible implementation, the at least one attack-prevention server includes a first attack-prevention server;
the domain name authorization changing module 802 is specifically configured to:
if the first domain name resolution server is determined to be the private domain name resolution server of the attacked domain name, changing domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server.
In a possible implementation manner, the at least one anti-attack server further includes a second anti-attack server and a preset common domain name resolution server;
the domain name authority changing module 802 is further configured to:
determining a common domain name resolution server of the attacked domain name, changing domain name authorization information corresponding to the attacked domain name on the common domain name resolution server to the second anti-attack server, and changing domain name authorization information corresponding to other domain names on the common domain name resolution server to the preset common domain name resolution server.
In a possible implementation manner, after the domain name authorization changing module 802 changes the domain name authorization information on the first domain name resolution server to the first anti-attack server, the domain name authorization changing module is further configured to:
if it is determined that the attack on the first domain name resolution server has been released, changing the domain name authorization information on the anti-attack server back to the first domain name resolution server.
In a possible implementation manner, the attack identification information is generated by the first domain name resolution server, and fig. 9 is a schematic structural diagram of a central management device according to an embodiment of the present invention, where the first domain name resolution server includes:
an obtaining module 901, configured to obtain the number of times that each domain name on the first domain name resolution server accesses in the current time period;
a determining module 902, configured to determine, according to the access times, an attacked domain name on the first domain name resolution server;
a generating module 903, configured to generate the attack identification information according to the identifier of the attacked domain name;
alternatively, the attack identification information includes the number of times each domain name on the first domain name resolution server is accessed in the current time period;
the central management device further comprises an attack identification module 803, and the attack identification module 803 is configured to:
determining whether the first domain name resolution server is attacked or not according to the attack identification information.
In a possible implementation manner, the determining module 902 is specifically configured to:
for any domain name on the first domain name resolution server, determining an access count increment according to the access count of the domain name in the current period and the access count of the domain name in the previous period; if the access count increment is larger than a first preset threshold value, determining that the domain name is an attacked domain name, and if the access count increment is smaller than or equal to the first preset threshold value, determining that the domain name is not an attacked domain name.
In a possible implementation manner, the determining module 902 is specifically configured to:
counting the total number of times of access of each domain name on the first domain name resolution server in the current time period, if the total number of times of access is greater than a second preset threshold value, determining that the first domain name resolution server is attacked, and determining the attacked domain name according to the number of times of access of each domain name; if the total number of access times is less than or equal to the second preset threshold, it is determined that the first domain name resolution server is not attacked, and the attacked domain name does not exist in each domain name.
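The two decision rules of the determining module 902 (per-domain access increment against a first threshold; server-wide total against a second threshold) and the report assembled by the generating module 903 are shown below as an added Python example written for this page, not code from the patent or the applicant. The access counts and both threshold values are constructed; the embodiment does not fix them. One assumption is labelled in the code: when only the total-count rule fires, the attacked domain is taken to be the one with the largest count, since the page says only that it is determined "according to the number of times of access of each domain name".

```python
from collections import Counter

# Constructed access statistics: queries per domain seen by the first domain name
# resolution server in the previous and the current time period.
PREVIOUS_PERIOD = {"test1": 1_000, "test2": 900, "test3": 950}
CURRENT_PERIOD = {"test1": 60_000, "test2": 950, "test3": 900}

# Constructed thresholds; the embodiment leaves their values to the operator.
INCREMENT_THRESHOLD = 5_000   # first preset threshold (per-domain increment)
TOTAL_THRESHOLD = 50_000      # second preset threshold (server-wide total)


def count_accesses(queried_domains):
    """Step 601: per-domain access count for one period from the domains queried."""
    return dict(Counter(queried_domains))


def attacked_by_increment(current, previous, threshold):
    """Rule 1: a domain whose access count grew by more than the first preset
    threshold since the previous period is treated as attacked."""
    return sorted(d for d, n in current.items() if n - previous.get(d, 0) > threshold)


def attacked_by_total(current, threshold):
    """Rule 2: if the server's total accesses exceed the second preset threshold the
    server is attacked. Which domain is attacked is derived from the per-domain
    counts; this example assumes the domain with the largest count."""
    if not current or sum(current.values()) <= threshold:
        return []
    return [max(current, key=current.get)]


def build_attack_identification(server, current, previous,
                                inc_threshold=INCREMENT_THRESHOLD,
                                total_threshold=TOTAL_THRESHOLD):
    """Steps 602 to 604: apply both rules; return None when there is nothing to
    report (step 603), otherwise the attack identification information that the
    first domain name resolution server sends to the central management device."""
    attacked = sorted(set(attacked_by_increment(current, previous, inc_threshold))
                      | set(attacked_by_total(current, total_threshold)))
    if not attacked:
        return None
    return {
        "server": server,
        "attacked_domains": attacked,          # identifiers of the attacked domain names
        "access_counts": dict(current),        # lets the central device re-check the rules
    }


if __name__ == "__main__":
    print(build_attack_identification("ipsc1", CURRENT_PERIOD, PREVIOUS_PERIOD))
    print(build_attack_identification("ipsc1", PREVIOUS_PERIOD, PREVIOUS_PERIOD))
```

With the constructed numbers both rules point at test1 (its count grew by 59,000 and the server total of 61,850 is above the second threshold), so the report names it once; a period whose counts match the previous one produces no report. Carrying the raw counts in the report corresponds to the alternative in which the central management device's attack identification module 803 makes the determination itself.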
From the above, it can be seen that in the above embodiment of the present invention, a private domain name resolution server corresponding to the domain name is deployed for any domain name in the domain name resolution system, and a common domain name resolution server is deployed for two or more domain names in the domain name resolution system, where deploying a domain name resolution server for a domain name comprises authorizing the domain name authorization information of the domain name to that domain name resolution server. In the invention, each domain name is provided with a private domain name resolution server and a common domain name resolution server to ensure the availability of domain name resolution, and no domain name needs to be provided with several private domain name resolution servers, which reduces resource occupation and improves resource utilization efficiency. In addition, because the invention deploys both a unique private domain name resolution server for each domain name and a common domain name resolution server for two or more domain names, even if a certain domain name is attacked for a short time and the domain name resolution service of every domain name on the common domain name resolution server of that domain name becomes unavailable, the other domain names can still obtain domain name resolution service through their own private domain name resolution servers, so the attack on that domain name does not affect the resolution of the other domain names, and the anti-attack effect is better.
Based on the same inventive concept, an embodiment of the present invention further provides a computing device, as shown in fig. 10, including at least one processor 1001 and a memory 1002 connected to the at least one processor, where a specific connection medium between the processor 1001 and the memory 1002 is not limited in the embodiment of the present invention, and the processor 1001 and the memory 1002 in fig. 10 are connected through a bus as an example. The bus may be divided into an address bus, a data bus, a control bus, etc.
In the embodiment of the present invention, the memory 1002 stores instructions executable by the at least one processor 1001, and the at least one processor 1001, by executing the instructions stored in the memory 1002, may perform the steps included in the foregoing domain name resolution system-based deployment method.
The processor 1001 is the control center of the computing device, and may connect various parts of the computing device by using various interfaces and lines, and implement data processing by running or executing the instructions stored in the memory 1002 and calling the data stored in the memory 1002. Optionally, the processor 1001 may include one or more processing units, and the processor 1001 may integrate an application processor and a modem processor, where the application processor mainly handles the operating system, the user interface, application programs and the like, and the modem processor mainly handles issued instructions. It will be appreciated that the modem processor described above need not be integrated into the processor 1001. In some embodiments, the processor 1001 and the memory 1002 may be implemented on the same chip; in other embodiments, they may be implemented on separate chips.
The processor 1001 may be a general-purpose processor, such as a Central Processing Unit (CPU), a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof, configured to implement or perform the methods, steps, and logic blocks disclosed in the embodiments of the present invention. A general purpose processor may be a microprocessor or any conventional processor or the like. The steps of the method disclosed in connection with the domain name resolution system-based deployment embodiment may be directly embodied as being performed by a hardware processor, or may be performed by a combination of hardware and software modules in the processor.
The memory 1002, as a non-volatile computer-readable storage medium, may be used to store non-volatile software programs, non-volatile computer-executable programs, and modules. The memory 1002 may include at least one type of storage medium, for example a flash memory, a hard disk, a multimedia card, a card-type memory, a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Programmable Read Only Memory (PROM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a magnetic memory, a magnetic disk, an optical disk, and so on. The memory 1002 may also be any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 1002 of embodiments of the present invention may also be circuitry or any other device capable of performing a storage function to store program instructions and/or data.
Based on the same inventive concept, the embodiment of the present invention further provides a computer-readable storage medium, which stores a computer program executable by a computing device, and when the program runs on the computing device, the computer program causes the computing device to execute any of the above-mentioned anti-attack methods.
It should be apparent to those skilled in the art that embodiments of the present invention may be provided as a method, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present invention without departing from the spirit and scope of the invention. Thus, if such modifications and variations of the present invention fall within the scope of the claims of the present invention and their equivalents, the present invention is also intended to include such modifications and variations.

Claims (12)

1. A domain name deployment method based on a domain name resolution system is characterized by comprising the following steps:
deploying a private domain name resolution server corresponding to the domain name for any domain name in the domain name resolution system;
deploying a common domain name resolution server for two or more domain names in the domain name resolution system;
wherein, deploying a domain name resolution server for the domain name comprises: authorizing domain name authorization information of the domain name to the domain name resolution server;
the domain name resolution system is also provided with a central management device and at least one anti-attack server; the method further comprises the following steps:
the central management equipment receives attack identification information reported by a first domain name resolution server;
if the central management equipment determines that the first domain name resolution server is attacked according to the attack identification information, the central management equipment changes the domain name authorization information on the first domain name resolution server to the at least one anti-attack server.
2. The method according to claim 1, wherein the at least one anti-attack server comprises a first anti-attack server and a preset common domain name resolution server;
the step of changing the domain name authorization information on the first domain name resolution server to the at least one anti-attack server by the central management device includes:
if the central management device determines that the first domain name resolution server is the common domain name resolution server, the central management device changes domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server, and changes domain name authorization information corresponding to other domain names on the first domain name resolution server to the preset common domain name resolution server.
3. The method of claim 2, wherein the at least one anti-attack server further comprises a second anti-attack server; the method further comprises the following steps:
the central management device determines the private domain name resolution server of the attacked domain name;
and the central management device changes the domain name authorization information corresponding to the attacked domain name on that private domain name resolution server to the second anti-attack server.
4. The method according to any one of claims 1 to 3, wherein the at least one anti-attack server comprises a first anti-attack server;
the step of changing the domain name authorization information on the first domain name resolution server to the at least one anti-attack server by the central management device includes:
if the central management device determines that the first domain name resolution server is the private domain name resolution server of the attacked domain name, the central management device changes the domain name authorization information corresponding to the attacked domain name on the first domain name resolution server to the first anti-attack server.
5. The method according to claim 4, wherein the at least one anti-attack server further comprises a second anti-attack server and a preset common domain name resolution server; the method further comprises the following steps:
the central management device determines the common domain name resolution server of the attacked domain name;
and the central management device changes the domain name authorization information corresponding to the attacked domain name on that common domain name resolution server to the second anti-attack server, and changes the domain name authorization information corresponding to the other domain names on that common domain name resolution server to the preset common domain name resolution server.
6. The method according to any one of claims 1 to 3, wherein after the central management device changes the domain name authorization information on the first domain name resolution server to the at least one anti-attack server, the method further comprises:
and if the central management device determines that the attack on the first domain name resolution server has been lifted, the domain name authorization information on the anti-attack server is changed back to the first domain name resolution server.
7. The method according to any one of claims 1 to 3, wherein
the attack identification information is generated by the first domain name resolution server in the following way:
acquiring the number of accesses to each domain name on the first domain name resolution server in the current time period, determining an attacked domain name on the first domain name resolution server according to those access counts, and generating the attack identification information from the identifier of the attacked domain name;
or, the attack identification information includes the number of accesses to each domain name on the first domain name resolution server in the current time period, and is used by the central management device to determine whether the first domain name resolution server is under attack.
8. The method of claim 7, wherein the first domain name resolution server determines the attacked domain name on the first domain name resolution server by:
for any domain name on the first domain name resolution server, determining an access count increment from the number of accesses to the domain name in the current period and the number of accesses to the domain name in the previous period; if the access count increment is larger than a first preset threshold, determining that the domain name is an attacked domain name, and if the access count increment is smaller than or equal to the first preset threshold, determining that the domain name is not an attacked domain name.
9. The method of claim 7, wherein the first domain name resolution server determines the attacked domain name on the first domain name resolution server by:
counting the total number of accesses to all domain names on the first domain name resolution server in the current time period;
if the total number of accesses is greater than a second preset threshold, determining that the first domain name resolution server is under attack and determining the attacked domain name according to the number of accesses to each domain name; if the total number of accesses is less than or equal to the second preset threshold, determining that the first domain name resolution server is not under attack and that none of the domain names is an attacked domain name.
10. A domain name deployment device based on a domain name resolution system is characterized in that the device comprises:
a private domain name resolution deployment module, configured to deploy a private domain name resolution server corresponding to the domain name for any domain name in the domain name resolution system;
a common domain name resolution deployment module, configured to deploy a common domain name resolution server for two or more domain names in the domain name resolution system;
the private domain name resolution deployment module or the common domain name resolution deployment module deploys the domain name to the domain name resolution server in the following way: authorizing domain name authorization information of the domain name to the domain name resolution server;
the domain name resolution system is also provided with a central management device and at least one anti-attack server; the center management device includes:
the receiving and sending module is used for receiving attack identification information reported by the first domain name resolution server;
and the domain name authorization changing module is used for changing the domain name authorization information on the first domain name resolution server to the at least one anti-attack server if the first domain name resolution server is determined to be attacked according to the attack identification information.
11. A computing device comprising at least one processor and at least one memory, wherein the memory stores a computer program that, when executed by the processor, causes the processor to perform the method of any of claims 1 to 9.
12. A computer-readable storage medium storing a computer program executable by a computing device, the program, when run on the computing device, causing the computing device to perform the method of any of claims 1 to 9.
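The claims above describe a detect-then-re-delegate procedure: a resolution server reports per-domain query counts (claims 7 to 9), the central management device decides which domain is under attack, moves that domain's authorization to an anti-attack server while pushing the server's other domains to a preset common server (claims 2 to 5), and later moves everything back (claim 6). The following Python model of that procedure is an added illustration, not code from the patent or its assignee. Server names, domain names, counts and the two thresholds are constructed; picking the highest-count domain in the total-count check is this example's own assumption, since claim 9 does not say how the attacked domain is selected.

```python
"""Added model of the central management device's logic: attacked-domain
detection (claims 7 to 9) and delegation failover and rollback (claims 2 to 6).
Server names, domain names, counts and thresholds below are constructed for
this illustration and do not come from the patent."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRIVATE, COMMON, ANTI = "private", "common", "anti"


@dataclass
class ResolutionServer:
    name: str
    kind: str                                             # PRIVATE, COMMON or ANTI
    auth: Dict[str, str] = field(default_factory=dict)    # domain -> authorization info it holds
    prev: Dict[str, int] = field(default_factory=dict)    # per-domain access count, previous period
    curr: Dict[str, int] = field(default_factory=dict)    # per-domain access count, current period


def attacked_by_increment(srv: ResolutionServer, threshold: int) -> List[str]:
    """Claim 8: a domain is attacked when (current - previous) count exceeds the first threshold."""
    return sorted(d for d, n in srv.curr.items() if n - srv.prev.get(d, 0) > threshold)


def attacked_by_total(srv: ResolutionServer, threshold: int) -> List[str]:
    """Claim 9: the server is attacked when the summed count exceeds the second threshold.
    The claim does not say how the attacked domain is picked from the per-domain counts;
    choosing the domain with the highest count is this example's assumption."""
    if sum(srv.curr.values()) <= threshold:
        return []
    return [max(srv.curr, key=srv.curr.get)]


class CentralManager:
    def __init__(self, servers, first_anti, second_anti, preset_common):
        self.servers = {s.name: s for s in servers}        # private and common resolution servers only
        self.first_anti, self.second_anti, self.preset_common = first_anti, second_anti, preset_common
        self.journal: Dict[str, List[Tuple[str, ResolutionServer, ResolutionServer]]] = {}

    def _move(self, incident, domain, src, dst):
        """Re-delegate one domain and record the move so it can be undone (claim 6)."""
        dst.auth[domain] = src.auth.pop(domain)
        self.journal.setdefault(incident, []).append((domain, src, dst))

    def _holder(self, domain, kind) -> Optional[ResolutionServer]:
        return next((s for s in self.servers.values() if s.kind == kind and domain in s.auth), None)

    def handle_report(self, name: str, attacked: List[str]) -> None:
        """Claims 2 to 5: move authorization away from the attacked server and from
        the other server that also serves the attacked domain."""
        srv = self.servers[name]
        if srv.kind == COMMON:
            for d in list(srv.auth):                                   # claim 2
                self._move(name, d, srv, self.first_anti if d in attacked else self.preset_common)
            for d in attacked:                                         # claim 3
                priv = self._holder(d, PRIVATE)
                if priv:
                    self._move(name, d, priv, self.second_anti)
        else:
            for d in attacked:                                         # claim 4
                self._move(name, d, srv, self.first_anti)
                common = self._holder(d, COMMON)                       # claim 5
                if common:
                    for other in list(common.auth):
                        self._move(name, other, common,
                                   self.second_anti if other == d else self.preset_common)

    def release(self, name: str) -> None:
        """Claim 6: the attack is over, so undo every move of that incident in reverse order."""
        for d, src, dst in reversed(self.journal.pop(name, [])):
            src.auth[d] = dst.auth.pop(d)


def snapshot(servers) -> Dict[str, List[str]]:
    return {s.name: sorted(s.auth) for s in servers}


def demo() -> dict:
    """Constructed scenario: a.example and b.example share common server c-1 and each
    also has its own private server; a.example's query count jumps in the current period."""
    p_a = ResolutionServer("p-a", PRIVATE, {"a.example": "NS-a"})
    p_b = ResolutionServer("p-b", PRIVATE, {"b.example": "NS-b"})
    c1 = ResolutionServer("c-1", COMMON, {"a.example": "NS-a", "b.example": "NS-b"},
                          prev={"a.example": 100, "b.example": 120},
                          curr={"a.example": 5100, "b.example": 130})
    mgr = CentralManager([p_a, p_b, c1],
                         first_anti=ResolutionServer("anti-1", ANTI),
                         second_anti=ResolutionServer("anti-2", ANTI),
                         preset_common=ResolutionServer("preset-common", COMMON))
    everything = [p_a, p_b, c1, mgr.first_anti, mgr.second_anti, mgr.preset_common]
    attacked = attacked_by_increment(c1, threshold=1000)
    mgr.handle_report("c-1", attacked)
    after_failover = snapshot(everything)
    mgr.release("c-1")
    return {"attacked": attacked, "by_total": attacked_by_total(c1, threshold=5000),
            "after_failover": after_failover, "after_release": snapshot(everything)}


if __name__ == "__main__":
    print(demo())
```

In the scenario, the report comes from the common server, so claim 2 sends a.example to the first anti-attack server and b.example to the preset common server, and claim 3 then pulls a.example off its private server onto the second anti-attack server; the journal is what makes the claim 6 rollback exact. The journal is keyed by the reporting server because the claims tie the rollback to the attack on that server being lifted; whether the secondary server's moves are rolled back at the same moment is not stated in the claims and is this model's choice.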
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010155607.2A CN111314502B (en) 2020-03-09 2020-03-09 Domain name deployment method and device based on domain name resolution system
Publications (2)

Publication Number Publication Date
CN111314502A CN111314502A (en) 2020-06-19
CN111314502B true CN111314502B (en) 2022-02-18

Family

ID=71149631
Country Status (1)

Country Link
CN (1) CN111314502B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112054941B (en) * 2020-09-07 2023-03-24 平安科技(深圳)有限公司 Automatic testing method, device and equipment for private domain name and storage medium
CN115604227B (en) * 2022-11-16 2023-04-04 神州数码融信云技术服务有限公司 Communication control method and apparatus, communication system, and computer-readable storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103501358A (en) * 2013-09-18 2014-01-08 北京蓝汛通信技术有限责任公司 Domain name hosting management method and device
CN105072211A (en) * 2015-08-12 2015-11-18 网宿科技股份有限公司 Domain name deployment system and domain name deployment method based on DNS (Domain Name Server)
CN108471458A (en) * 2018-07-10 2018-08-31 北京云枢网络科技有限公司 authoritative DNS service providing method and system

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR100470493B1 (en) * 2001-06-01 2005-02-07 니트젠테크놀러지스 주식회사 Method for the Service resolving special domain name
CN107222492A (en) * 2017-06-23 2017-09-29 网宿科技股份有限公司 A kind of DNS anti-attack methods, equipment and system
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant