CN112311722B - Access control method, device, equipment and computer readable storage medium - Google Patents
- Publication number: CN112311722B (application CN201910682149.5A)
- Authority: CN (China)
- Prior art keywords: domain name, response message, DNS server, name address, access request
- Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications (CPC, all under H04L, transmission of digital information)
- H04L63/20: network architectures or protocols for managing network security; network security policies in general
- H04L61/4511: network directories; name-to-address mapping using standardised directory access protocols, using the domain name system [DNS]
- H04L63/1408: detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/306: supporting lawful interception, monitoring or retaining of communications; intercepting packet switched data communications, e.g. Web, Internet or IMS communications
- H04L67/02: protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/60: scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Abstract
The invention discloses an access control method, an access control device, access control equipment and a computer readable storage medium, relates to the technical field of communication, and aims to solve the problem that an existing scheme cannot monitor websites adopting an HTTPS protocol for encryption transmission. The method comprises the following steps: acquiring a second response message sent to the first DNS server by the second DNS server, wherein the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server; and under the condition that the first domain name address is illegal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises the second domain name address which is a false domain name address. The embodiment of the invention can realize monitoring of the website adopting the HTTPS protocol for encryption transmission, thereby improving the security of data access.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an access control method, apparatus, device, and computer readable storage medium.
Background
The scheme currently adopted by domain name control systems (flow control systems) to block illegal domain names is as follows: network link data is tapped by optical splitting and reassembled, the HTTP (HyperText Transfer Protocol) packets of client accesses on the link are restored, and the flow control system blocks the domain names in those HTTP packets that hit a blacklist. The flow control system then sends a TCP (Transmission Control Protocol) Reset message to the client and to the target website respectively, interrupting the TCP connection between them.
Because unencrypted information such as the domain name accessed by the client and the port (the HOST header), the redirect URL (Uniform Resource Locator) in the Referer field, and so on, is available in plaintext in an HTTP packet, the flow control system in the above scheme can match the HOST information against an existing blacklist and cut off the client's access.
With the rapid growth of internet companies and finance companies, the number of websites encrypted with HTTPS (Hypertext Transfer Protocol Secure) is increasing. HTTPS provides encryption, tamper resistance, identity authentication and similar capabilities, which greatly benefits client privacy. However, because all transmitted content is encrypted, the client's access URL and the content of GET and POST requests cannot be obtained; the domain name accessed by the client therefore cannot be matched against the flow control system's blacklist, and a TCP Reset message cannot be sent to block the client's illegal access.
Therefore, a solution for monitoring websites using HTTPS protocol for encrypted transmission needs to be proposed.
Disclosure of Invention
The embodiment of the invention provides an access control method, an access control device, access control equipment and a computer readable storage medium, which are used to solve the problem that the existing scheme cannot monitor websites that use the HTTPS protocol for encrypted transmission.
In a first aspect, an embodiment of the present invention provides an access control method, applied to a first DNS server, including:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
Wherein the second DNS server includes at least two domain name system servers, and each domain name system server has a different priority;
the sending the access request to the second DNS server includes:
and sequentially sending the access request to the at least two domain name system servers in order of priority from high to low.
Wherein after the receiving the access request of the client, the method further comprises:
under the condition that the access request can be subjected to domain name resolution and a first domain name corresponding to the access request is stored, resolving the domain name access request to obtain the first domain name address;
determining whether the first domain name address is legal;
and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
Wherein, in the case that the first domain name address is determined to be legal, the method further comprises:
and sending the domain name query result to the client.
In a second aspect, an embodiment of the present invention provides an access control method, which is applied to a flow control system, including:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
Wherein the sending, according to the second response message, the first response message to the first DNS server or the client includes:
resolving the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
In a third aspect, an embodiment of the present invention provides an access control method, applied to a client, including:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message includes a second domain name address, which is a false domain name address.
In a fourth aspect, an embodiment of the present invention provides an access control apparatus, applied to a first DNS server, including: a processor and a transceiver; wherein the transceiver is configured to:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
In a fifth aspect, an embodiment of the present invention provides an access control device, applied to a flow control system, including: a processor and a transceiver; wherein the transceiver is configured to:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
In a sixth aspect, an embodiment of the present invention provides an access control apparatus, applied to a client, including: a processor and a transceiver; wherein the transceiver is configured to:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message includes a second domain name address, which is a false domain name address.
In a seventh aspect, an embodiment of the present invention provides a communication device, including: a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor;
the processor is configured to read a program in the memory to implement the steps in the method according to the first aspect; or to implement the steps in the method as described in the second aspect; or to implement the steps in the method as described in the third aspect.
In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method according to the first aspect; or to implement the steps in the method as described in the second aspect; or to implement the steps in the method as described in the third aspect.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, the access request is sent to the second DNS server. The flow control system intercepts the messages between the first DNS server and the second DNS server and generates a first response message, which comprises a false domain name address in place of the domain name address obtained by the second DNS server for the access request. According to the embodiment of the invention, the access traffic of users querying external domain name servers is restored by monitoring DNS traffic; the DNS packets that hit an illegal domain name are screened out, a DNS packet carrying the false domain name address is sent to the local domain name server or the client, and the illegal domain name accessed by the user is thereby resolved to an IP address that the user cannot reach or that does not exist. The user cannot complete correct resolution of that domain name and cannot access the target website, so websites using the HTTPS protocol for encrypted transmission are monitored and the security of data access is effectively improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
FIG. 1 is a first flowchart of an access control method provided by an embodiment of the present invention;
FIG. 2 is a second flowchart of an access control method according to an embodiment of the present invention;
FIG. 3 is a third flowchart of an access control method according to an embodiment of the present invention;
FIG. 4 is a fourth flowchart of an access control method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a domain name resolution process according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a blocking process according to an embodiment of the present invention;
FIG. 7 is a first block diagram of an access control apparatus according to an embodiment of the present invention;
FIG. 8 is a second block diagram of an access control apparatus according to an embodiment of the present invention;
FIG. 9 is a third block diagram of an access control apparatus according to an embodiment of the present invention;
FIG. 10 is a first block diagram of a communication device according to an embodiment of the present invention;
FIG. 11 is a second block diagram of a communication device according to an embodiment of the present invention;
FIG. 12 is a third block diagram of a communication device according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As described above, the approach of restoring HTTP messages can only monitor websites accessed over the HTTP protocol; websites that use the HTTPS protocol for encrypted transmission cannot be monitored. Before a user accesses a website, the DNS resolution service must resolve the domain name into an IP address, so the embodiment of the invention provides a scheme that restores and monitors DNS packets, thereby monitoring access to encrypted HTTPS sites. Specific implementations are described in detail below in connection with various embodiments.
Referring to fig. 1, fig. 1 is a flowchart of an access control method provided by an embodiment of the present invention, applied to a first DNS (Domain Name System) server. As shown in fig. 1, the method includes the following steps:
When the client needs to visit the website, a visit request for the target website is initiated. Accordingly, the first DNS server receives an access request from the client.
Upon receiving the access request, the first DNS server determines whether it is configured for local resolution. If local resolution is configured, that is, if domain name resolution can be performed on the access request and the first domain name corresponding to the access request is stored, the access request is resolved to obtain the first domain name address. Whether the first domain name address is legal can then be determined by querying a locally configured blacklist. If the first domain name address is determined to be illegal, the domain name query result, which comprises the first domain name address, is discarded. If the first domain name address is legal, the domain name query result is sent to the client and the user is allowed to access the target website.
If local resolution is not configured, or the first domain name address is not stored, the first DNS server sends the access request to the second DNS server.
In an embodiment of the present invention, the second DNS server includes at least two domain name system servers, and each domain name system server has a different priority. Then, specifically, the sending the access request to the second DNS server includes: and sequentially sending the access requests to the at least two domain name system servers according to the order of the priority from high to low.
For example, the second DNS server may include a root domain name server, an authoritative domain name server, a top-level domain name server, etc., and the priority is from high to low.
Thus, the first DNS server may send the access request to the root domain name server, the authoritative domain name server and the top-level domain name server in order of priority from high to low. Typically, the queried server (for example the root domain name server) sends a response message to the first DNS server indicating whether the access request was successfully resolved; if resolution succeeded, the resolved domain name address is included in the response message. In the embodiment of the present invention, however, the flow control system listens to the DNS messages between the first DNS server and the second DNS server. When the response message of the second DNS server indicates that the access request was successfully resolved, the flow control system intercepts the response message and judges whether the resolution result of the second DNS server is legal. If it is not, the flow control system can prevent the response message of the second DNS server from being delivered to the first DNS server. If the result is legal, or the response message indicates that resolution was not successful, the flow control system does not block the response message of the second DNS server.
Therefore, in the embodiment of the present invention, when the first DNS server receives no response message from any of the second DNS servers, or receives a response message from one of the second DNS servers indicating that resolution was not successful, it need not send the access request to another second DNS server.
The second domain name address may be regarded as a false domain name address: an address that is not the true result of resolving the domain name in the access request. In this way, the client may be prevented from accessing the target website.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, the access request is sent to the second DNS server. The flow control system intercepts messages between the first DNS server and the second DNS server and generates a first response message, wherein the first response message comprises a false domain name address corresponding to the domain name address obtained by the second DNS server according to the access request. Because the second domain name address returned by the flow control system is a false domain name address, the user cannot access the true domain name address, and therefore, by monitoring and restoring the DNS traffic, the website adopting the HTTPS protocol for encryption transmission can be monitored, and the safety of data access can be improved.
Referring to fig. 2, fig. 2 is a flowchart of an access control method according to an embodiment of the present invention, applied to a flow control system. As shown in fig. 2, the method includes the following steps:
The second response message includes a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
In the embodiment of the invention, the flow control system monitors the DNS messages between the first DNS server and the second DNS server. When the response message of the second DNS server indicates that the access request was successfully resolved, the flow control system intercepts the response message and judges whether the resolution result of the second DNS server is legal. If it is not, the response message of the second DNS server is prevented from being delivered to the first DNS server. If the result is legal, or the response message indicates that resolution was not successful, the flow control system does not block the response message of the second DNS server.
The second domain name address may be regarded as a false domain name address: an address that is not the true result of resolving the domain name in the access request. In this way, the client may be prevented from accessing the target website.
Specifically, in this step, the flow control system parses the second response message to obtain the first domain name address. And then, filling the second domain name address into a response field of the second response message to obtain the first response message, and sending the first response message to the first DNS server or the client.
Referring to fig. 3, fig. 3 is a flowchart of an access control method provided by an embodiment of the present invention, applied to a client, as shown in fig. 3, including the following steps:
The second domain name address may be regarded as a false domain name address: an address that is not the true result of resolving the domain name in the access request. In this way, the client may be prevented from accessing the target website.
According to the first response message, the client cannot access the target website which is expected to be accessed.
Referring to fig. 4, fig. 4 is a flowchart of an access control method according to an embodiment of the present invention, including the following steps:
step 401, a client initiates a website access request.
Step 404, the local DNS server determines whether the domain name address to be accessed is cached. If so, go to step 405; if not, the local DNS server sends a query request to an external (off-network) DNS server (including a root domain name server, an authoritative domain name server, a top-level domain name server, etc.) and goes to step 406.
When a user accesses a target website, the user must first obtain the IP address and port of the website through Domain Name System (DNS) resolution, and then send data to that IP address and port to request access. The domain name resolution flow is shown in fig. 5.
In general, the local DNS server 501 first checks whether it holds the IP address of the domain name to be accessed; if so, it responds to the user directly. Otherwise, the local DNS server makes recursive queries in turn to the authoritative domain name server 502, the root domain name server 503 and the top-level domain name server 504 until the query is completed, and returns the query result to the user.
The local DNS server is typically the operator's internal domain name server, whereas the authoritative domain name server, the root domain name server and the top-level domain name server are external or overseas domain name servers, so an ordinary user's query must cross operator networks.
However, in the embodiment of the present invention, the messages returned to the local DNS server 501 by the authoritative domain name server 502, the root domain name server 503, and the top-level domain name server 504 are monitored. When the domain name obtained by analysis is detected to be illegal, the message is required to be blocked.
Fig. 6 is a schematic diagram of a blocking process according to an embodiment of the invention. For users querying the local DNS server, DNS blacklist matching can be used to block resolution requests for illegal domain names. For users querying external domain name servers, monitoring can only be performed on the links. In the embodiment of the invention, the monitoring steps of the flow control system are as follows:
(1) For resolution by users querying the local DNS server, blocking is performed by blacklist matching, so that the user cannot obtain the IP address of the domain name.
(2) For users querying non-local DNS servers, that portion of the user's (inter-network) access traffic is restored and the DNS packets are filtered out of it.
The flow control system 505 screens out the DNS packets that hit an illegal domain name. It then sends a forged DNS packet to the local DNS server or to the user, resolving the illegal domain name accessed by the user to an IP address that the user cannot reach or that does not exist.
Because the user cannot complete correct resolution of the illegal domain name, the user cannot access the target website, and blocking is achieved.
As previously described, the flow control system needs to send a false DNS response to the client or to the local DNS server. Since DNS packets use UDP (User Datagram Protocol), as long as the flow control system's response arrives before the response of the external domain name server, the client or the local DNS server accepts the flow control system's DNS response and ignores any later DNS response to the same query.
In the embodiment of the invention, DNS messages, whether request messages or response messages returned by a DNS server, use a uniform format. A request message consists of a Header and a Question section. The Header includes fields such as the request ID (identification), the request type and the recursion-desired flag; the Question section includes fields such as the queried domain name, type and class. A response message contains, in addition to the Header and Question, three sections of identical format, Answer, Authority and Additional, where an Answer record includes fields such as the domain name, type code, time to live (TTL), resource data length and resource data (the IP address).
To forge a DNS response packet, take for example the original query packet [id=0x6123 A? www.ict.ac.cn], i.e. a query for the IP address corresponding to www.ict.ac.cn. The correct response packet is [id=0x6123 IN A www.ict.ac.cn 159.226.97.70], i.e. the response that the IP address corresponding to www.ict.ac.cn is 159.226.97.70. A forged (tampered) packet is [id=0x6123 IN A www.ict.ac.cn 1.1.1.1], so the user's query for www.ict.ac.cn returns the address 1.1.1.1; the user does not obtain the real IP address and cannot access www.ict.ac.cn.
According to the scheme provided by the embodiment of the invention, DNS traffic can be used for restoring and monitoring, and the traffic accessed by the user of the HTTPS protocol can be blocked, so that the defect that the original traffic monitoring method can only monitor the traffic of the HTTP protocol but can not monitor the encrypted HTTPS traffic is overcome, and the safety of data access is improved.
As shown in fig. 7, the access control device of the embodiment of the present invention is applied to a first DNS server, and includes: a processor 701 and a transceiver 702.
The transceiver 702 is configured to: receive an access request from a client; send the access request to a second DNS server when domain name resolution cannot be performed on the access request or a first domain name address corresponding to the access request is not stored; receive a first response message sent by a flow control system; and send the first response message to the client, wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
Optionally, the second DNS server includes at least two domain name system servers, each with a different priority; the transceiver 702 is configured to send the access request to the at least two domain name system servers in turn, in order of priority from high to low.
Optionally, the processor 701 is configured to: when domain name resolution can be performed on the access request and a first domain name corresponding to the access request is stored, resolve the access request to obtain the first domain name address; determine whether the first domain name address is legal; and discard a domain name query result when the first domain name address is determined to be illegal, wherein the domain name query result includes the first domain name address.
Optionally, the transceiver 702 is configured to send the domain name query result to the client.
For the working principle of the device according to the embodiment of the invention, reference may be made to the description of the method embodiment.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, it sends the access request to the second DNS server. The flow control system intercepts the messages between the first DNS server and the second DNS server and generates a first response message, which includes a false domain name address corresponding to the domain name address obtained by the second DNS server for the access request. Because the second domain name address returned by the flow control system is a false domain name address, the user cannot reach the true domain name address; therefore, by monitoring and restoring DNS traffic, websites that use the HTTPS protocol for encrypted transmission can be monitored as well, and the safety of data access is improved.
As shown in fig. 8, an access control device according to an embodiment of the present invention is applied to a flow control system and includes: a processor 801 and a transceiver 802.
The transceiver 802 is configured to: acquire a second response message sent by a second DNS server to a first DNS server, wherein the second response message includes a first domain name address obtained by the second DNS server by resolving the access request sent by the first DNS server; and, when the first domain name address is not legal, send a first response message to the first DNS server or the client according to the second response message, wherein the first response message includes a second domain name address, which is a false domain name address.
Optionally, the transceiver 802 is further configured to: parse the second response message to obtain the first domain name address; fill a second domain name address into the response field of the second response message to obtain the first response message; and send the first response message to the first DNS server or the client.
For the working principle of the device according to the embodiment of the invention, reference may be made to the description of the method embodiment.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, it sends the access request to the second DNS server. The flow control system intercepts the messages between the first DNS server and the second DNS server and generates a first response message, which includes a false domain name address corresponding to the domain name address obtained by the second DNS server for the access request. Because the second domain name address returned by the flow control system is a false domain name address, the user cannot reach the true domain name address; therefore, by monitoring and restoring DNS traffic, websites that use the HTTPS protocol for encrypted transmission can be monitored as well, and the safety of data access is improved.
As shown in fig. 9, an access control device according to an embodiment of the present invention is applied to a client, and includes: a processor 901 and a transceiver 902.
The transceiver 902 is configured to: send an access request to a first DNS server; and receive a first response message sent by the first DNS server or the flow control system, wherein the first response message includes a second domain name address, which is a false domain name address.
For the working principle of the device according to the embodiment of the invention, reference may be made to the description of the method embodiment.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, it sends the access request to the second DNS server. The flow control system intercepts the messages between the first DNS server and the second DNS server and generates a first response message, which includes a false domain name address corresponding to the domain name address obtained by the second DNS server for the access request. Because the second domain name address returned by the flow control system is a false domain name address, the user cannot reach the true domain name address; therefore, by monitoring and restoring DNS traffic, websites that use the HTTPS protocol for encrypted transmission can be monitored as well, and the safety of data access is improved.
As shown in fig. 10, the communication device of the embodiment of the present invention is applied to a first DNS server, and includes: processor 1000, for reading the program in memory 1020, performs the following processes:
A transceiver 1010 for receiving and transmitting data under the control of the processor 1000.
In fig. 10, the bus architecture may comprise any number of interconnected buses and bridges, linking together one or more processors, represented by the processor 1000, and various memory circuits, represented by the memory 1020. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface. The transceiver 1010 may comprise a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 may store data used by the processor 1000 in performing operations.
The second DNS server comprises at least two domain name system servers, each with a different priority; the processor 1000 is further configured to read the computer program and perform the following step:
sending the access request to the at least two domain name system servers in turn, in order of priority from high to low, via the transceiver 1010.
The processor 1000 is further configured to read the computer program and perform the following steps:
when domain name resolution can be performed on the access request and a first domain name corresponding to the access request is stored, resolving the access request to obtain the first domain name address;
determining whether the first domain name address is legal;
and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
The processor 1000 is further configured to read the computer program and perform the following steps:
the domain name query results are sent to the client via transceiver 1010.
The communication device provided in the embodiment of the present invention may execute the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein.
As shown in fig. 11, a communication device according to an embodiment of the present invention is applied to a flow control system and includes: a processor 1100, configured to read the program in the memory 1120 and perform the following procedures: acquiring, through the transceiver 1111, a second response message sent by the second DNS server to the first DNS server, where the second response message includes a first domain name address obtained by the second DNS server by resolving the access request sent by the first DNS server; and, when the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message includes a second domain name address, which is a false domain name address.
A transceiver 1111 for receiving and transmitting data under the control of the processor 1100.
In fig. 11, the bus architecture may comprise any number of interconnected buses and bridges, linking together one or more processors, represented by the processor 1100, and various memory circuits, represented by the memory 1120. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface. The transceiver 1111 may comprise a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1120 may store data used by the processor 1100 in performing operations.
The processor 1100 is further configured to read the computer program and perform the following steps:
parsing the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
The communication device provided in the embodiment of the present invention may execute the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein.
As shown in fig. 12, a communication device according to an embodiment of the present invention is applied to a client and includes: a processor 1200, configured to read the program in the memory 1220 and perform the following process:
sending an access request to a first DNS server through the transceiver 1210; and receiving a first response message sent by the first DNS server or the flow control system, where the first response message includes a second domain name address, which is a false domain name address.
A transceiver 1210 for receiving and transmitting data under the control of the processor 1200.
In fig. 12, the bus architecture may comprise any number of interconnected buses and bridges, linking together one or more processors, represented by the processor 1200, and various memory circuits, represented by the memory 1220. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and are therefore not described further herein. The bus interface provides an interface. The transceiver 1210 may comprise a number of elements, i.e. a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The client interface 1230 may also be an interface capable of connecting, externally or internally, the devices required by different client devices, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The processor 1200 is responsible for managing the bus architecture and general processing, and the memory 1220 may store data used by the processor 1200 in performing operations.
The communication device provided in the embodiment of the present invention may execute the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein.
Furthermore, a computer-readable storage medium of an embodiment of the present invention stores a computer program executable by a processor to implement the steps of:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
Wherein the second DNS server includes at least two domain name system servers, and each domain name system server has a different priority;
the sending the access request to the second DNS server includes:
sending the access request to the at least two domain name system servers in turn, in order of priority from high to low.
Wherein after the receiving the access request of the client, the method further comprises:
when domain name resolution can be performed on the access request and a first domain name corresponding to the access request is stored, resolving the access request to obtain the first domain name address;
determining whether the first domain name address is legal;
and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
Wherein, in the case that the first domain name address is determined to be legal, the method further comprises:
and sending the domain name query result to the client.
Furthermore, a computer-readable storage medium of an embodiment of the present invention stores a computer program executable by a processor to implement the steps of:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
The sending a first response message to the first DNS server or the client according to the second response message includes:
parsing the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
Furthermore, a computer-readable storage medium of an embodiment of the present invention stores a computer program executable by a processor to implement the steps of:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message includes a second domain name address, which is a false domain name address.
In the several embodiments provided in this application, it should be understood that the disclosed methods and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may be physically included separately, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The above integrated units implemented in the form of software functional units may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or various other media capable of storing program code.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.
Claims (11)
1. An access control method applied to a flow control system, comprising:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
under the condition that the first domain name address is illegal, a first response message is sent to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address;
the sending a first response message to the first DNS server or the client according to the second response message includes:
parsing the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
2. An access control method applied to a first domain name system (DNS) server, comprising:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
the first response message is sent under the condition that the flow control system determines that a first domain name address corresponding to the access request is illegal, and the first response message comprises a second domain name address which is a false domain name address; the first response message is obtained by filling a second domain name address into a response field of the second response message by the flow control system; the second response message is sent to the first DNS server by the second DNS server, and the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
3. The method of claim 2, wherein the second DNS server comprises at least two domain name system servers, and each domain name system server has a different priority;
The sending the access request to the second DNS server includes:
sending the access request to the at least two domain name system servers in turn, in order of priority from high to low.
4. The method of claim 2, wherein after the receiving the access request of the client, the method further comprises:
under the condition that the access request can be subjected to domain name resolution and a first domain name corresponding to the access request is stored, the access request is resolved to obtain the first domain name address;
and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
5. The method of claim 4, wherein in the event that the first domain name address is determined to be legitimate, the method further comprises:
and sending the domain name query result to the client.
6. An access control method applied to a client, comprising:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message comprises a second domain name address, wherein the second domain name address is a false domain name address;
the first response message is sent under the condition that the flow control system determines that a first domain name address corresponding to the access request is illegal, and the first response message is obtained by filling a second domain name address into a response field of the second response message by the flow control system; the second response message is sent to the first DNS server by the second DNS server, and the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
7. An access control apparatus applied to a first DNS server, comprising: a processor and a transceiver; wherein the transceiver is configured to:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
wherein the first response message includes a second domain name address, the second domain name address being a false domain name address; the first response message is obtained by the flow control system filling a second domain name address into the response field of the second response message; the second response message is sent to the first DNS server by the second DNS server, and the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
8. An access control device applied to a flow control system, comprising: a processor and a transceiver; wherein the transceiver is configured to:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
under the condition that the first domain name address is illegal, a first response message is sent to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address;
The sending a first response message to the first DNS server or the client according to the second response message includes:
parsing the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
9. An access control apparatus, applied to a client, comprising: a processor and a transceiver; wherein the transceiver is configured to:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message comprises a second domain name address, wherein the second domain name address is a false domain name address; the first response message is sent under the condition that the flow control system determines that a first domain name address corresponding to the access request is illegal, the first response message is obtained by filling a second domain name address into a response field of a second response message by the flow control system, the second response message is sent to a first DNS server by a second DNS server, and the second response message comprises the first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
10. A communication device, comprising: a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor; characterized in that
the processor is configured to read the program in the memory to implement the steps of the method of claim 1; or to implement the steps of the method according to any one of claims 2 to 5; or to implement the steps of the method of claim 6.
11. A computer readable storage medium storing a computer program which, when executed by a processor, performs the steps of the method according to claim 1; or the steps of the method according to any one of claims 2 to 5; or the steps of the method according to claim 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910682149.5A CN112311722B (en) | 2019-07-26 | 2019-07-26 | Access control method, device, equipment and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112311722A CN112311722A (en) | 2021-02-02 |
CN112311722B true CN112311722B (en) | 2023-05-09 |
Family
ID=74328806
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113206785B (en) * | 2021-05-28 | 2023-01-10 | 深圳市中科明望通信软件有限公司 | Network request method and device, terminal equipment and storage medium |
CN115396516A (en) * | 2022-08-26 | 2022-11-25 | 中国建设银行股份有限公司 | Access request processing method, device, equipment and storage medium |
CN115720174B (en) * | 2022-11-30 | 2023-05-23 | 广西壮族自治区信息中心 | Blacklist exception setting method, device, equipment and storage medium |
Family Cites Families (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6074781B2 (en) * | 2012-12-26 | 2017-02-08 | Huawei Technologies Co., Ltd. | Method and apparatus for preventing unauthorized service access |
CN104219200B (en) * | 2013-05-30 | 2017-10-17 | 杭州迪普科技股份有限公司 | A kind of apparatus and method for taking precautions against DNS cache attack |
CN106534141A (en) * | 2016-11-22 | 2017-03-22 | 汉柏科技有限公司 | Method and system for preventing domain name server from being attacked and firewall |
CN109246256A (en) * | 2017-07-10 | 2019-01-18 | 中国电信股份有限公司 | Domain name analytic method and system, credit domain name system server |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |
GR01 | Patent grant | |