CN112311722B - Access control method, device, equipment and computer readable storage medium - Google Patents


Info

Publication number
CN112311722B
CN112311722B
Authority
CN
China
Prior art keywords
domain name
response message
dns server
name address
access request
Legal status
Active
Application number
CN201910682149.5A
Other languages
Chinese (zh)
Other versions
CN112311722A (en)
Inventor
安宁宇
胡入祯
邵妍
戴晶
刘阳
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN201910682149.5A
Publication of CN112311722A
Application granted
Publication of CN112311722B
Legal status: Active

Classifications

All within section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):
    • H04L63/20 Network architectures or network communication protocols for network security: managing network security; network security policies in general
    • H04L61/4511 Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS]
    • H04L63/1408 Network security: detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/306 Network security: supporting lawful interception, monitoring or retaining of communications; intercepting packet switched data communications, e.g. Web, Internet or IMS communications
    • H04L67/02 Network services or applications: protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/60 Network services: scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Abstract

The invention discloses an access control method, an access control device, access control equipment and a computer readable storage medium, relates to the technical field of communication, and aims to solve the problem that an existing scheme cannot monitor websites adopting an HTTPS protocol for encryption transmission. The method comprises the following steps: acquiring a second response message sent to the first DNS server by the second DNS server, wherein the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server; and under the condition that the first domain name address is illegal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises the second domain name address which is a false domain name address. The embodiment of the invention can realize monitoring of the website adopting the HTTPS protocol for encryption transmission, thereby improving the security of data access.

Description

Access control method, device, equipment and computer readable storage medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an access control method, apparatus, device, and computer readable storage medium.
Background
The scheme currently used by domain name management and control systems (flow control systems) to block illegal domain names is as follows. Traffic on a network link is tapped by optical splitting (bypass) and reconstructed; the HTTP (HyperText Transfer Protocol) packets of client accesses on the link are restored, and the flow control system blocks those domain names in the HTTP packets that hit a blacklist. To do so, the flow control system sends a TCP (Transmission Control Protocol) Reset message to the client and to the target website respectively, interrupting the TCP connection between them.
Because the HTTP packet carries unencrypted information, including the domain name and port accessed by the client (the Host header), the Referer field, the URL (Uniform Resource Locator) and so on, the flow control system in the above scheme can match the Host information against the existing blacklist and thereby cut off the client's access.
With the widespread adoption of HTTPS by internet companies and financial companies, the number of websites encrypted with HTTPS (Hypertext Transfer Protocol Secure) keeps increasing. HTTPS provides encryption, tamper resistance and identity authentication, which is very beneficial for protecting the privacy of clients. However, because all content is transmitted encrypted, the URL accessed by the client and the content of its GET and POST requests cannot be obtained; the domain name accessed by the client therefore cannot be matched against the blacklist of the flow control system, and no TCP Reset message can be sent to block the client's illegal access.
Therefore, a solution for monitoring websites using HTTPS protocol for encrypted transmission needs to be proposed.
Disclosure of Invention
The embodiment of the invention provides an access control method, an access control device, access control equipment and a computer readable storage medium, which are used for solving the problem that the existing scheme can not monitor websites adopting an HTTPS protocol for encrypted transmission.
In a first aspect, an embodiment of the present invention provides an access control method, applied to a first DNS server, including:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
Wherein the second DNS server includes at least two domain name system servers, and each domain name system server has a different priority;
the sending the access request to the second DNS server includes:
sending the access request to the at least two domain name system servers in turn, in order of priority from high to low.
Wherein after the receiving the access request of the client, the method further comprises:
under the condition that domain name resolution can be performed on the access request and the first domain name address corresponding to the access request is stored, resolving the access request to obtain the first domain name address;
determining whether the first domain name address is legal;
and discarding the domain name query result if the first domain name address is determined to be illegal, wherein the domain name query result includes the first domain name address.
Wherein, in the case that the first domain name address is determined to be legal, the method further comprises:
sending the domain name query result to the client.
In a second aspect, an embodiment of the present invention provides an access control method, which is applied to a flow control system, including:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
and, if the first domain name address is illegal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message includes a second domain name address which is a false domain name address.
Wherein the sending, according to the second response message, the first response message to the first DNS server or the client includes:
resolving the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending the first response message to the first DNS server or the client.
In a third aspect, an embodiment of the present invention provides an access control method, applied to a client, including:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message includes a second domain name address, which is a false domain name address.
In a fourth aspect, an embodiment of the present invention provides an access control apparatus, applied to a first DNS server, including: a processor and a transceiver; wherein the transceiver is configured to:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
In a fifth aspect, an embodiment of the present invention provides an access control device, applied to a flow control system, including: a processor and a transceiver; wherein the transceiver is configured to:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
In a sixth aspect, an embodiment of the present invention provides an access control apparatus, applied to a client, including: a processor and a transceiver; wherein the transceiver is configured to:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message includes a second domain name address, which is a false domain name address.
In a seventh aspect, an embodiment of the present invention provides a communication device, including: a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor;
the processor is configured to read a program in the memory to implement the steps in the method according to the first aspect; or to implement the steps in the method as described in the second aspect; or to implement the steps in the method as described in the third aspect.
In an eighth aspect, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method according to the first aspect; or to implement the steps in the method as described in the second aspect; or to implement the steps in the method as described in the third aspect.
In the embodiment of the invention, when the first DNS server cannot resolve the access request or does not store the domain name address corresponding to it, it forwards the access request to the second DNS server. The flow control system intercepts the messages between the first and second DNS servers and generates a first response message that carries a false domain name address in place of the address the second DNS server obtained for the access request. In other words, the embodiment monitors DNS traffic to reconstruct the traffic of users who query external domain name servers, screens out the DNS packets that hit an illegal domain name, and sends a DNS packet carrying the false address to the local domain name server or the client, so that the illegal domain name the user accessed resolves to an IP address that the user cannot reach or that does not exist. The user cannot correctly resolve the domain name and cannot reach the target website; websites that use HTTPS for encrypted transmission are thus monitored, and the security of data access is effectively improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings that are needed in the description of the embodiments of the present invention will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort to a person of ordinary skill in the art.
FIG. 1 is one of the flowcharts of an access control method provided by an embodiment of the present invention;
FIG. 2 is a second flowchart of an access control method according to an embodiment of the present invention;
FIG. 3 is a third flowchart of an access control method according to an embodiment of the present invention;
FIG. 4 is a fourth flowchart of an access control method according to an embodiment of the present invention;
FIG. 5 is a schematic diagram of a domain name resolution process according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a blocking process according to an embodiment of the present invention;
fig. 7 is a block diagram of an access control apparatus according to an embodiment of the present invention;
FIG. 8 is a second block diagram of an access control device according to an embodiment of the present invention;
FIG. 9 is a third block diagram of an access control device according to an embodiment of the present invention;
fig. 10 is a block diagram of a communication device according to an embodiment of the present invention;
FIG. 11 is a second block diagram of a communication device according to an embodiment of the present invention;
fig. 12 is a third block diagram of the communication device according to the embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As described above, the approach of reconstructing HTTP messages can only monitor users' access to websites that use HTTP; websites that use HTTPS for encrypted transmission cannot be monitored. Before a user can access a website, a DNS resolution service must resolve the domain name into an IP address, so the embodiment of the invention proposes a scheme that reconstructs and monitors DNS packets, thereby achieving monitoring of encrypted HTTPS traffic. Specific implementations are described in detail below in connection with various embodiments.
Referring to fig. 1, fig. 1 is a flowchart of an access control method provided by an embodiment of the present invention, applied to a first DNS (Domain Name System) server; as shown in fig. 1, it includes the following steps:
step 101, receiving an access request of a client.
When the client needs to visit the website, a visit request for the target website is initiated. Accordingly, the first DNS server receives an access request from the client.
Step 102, when domain name resolution cannot be performed on the access request or a first domain name address corresponding to the access request is not stored, sending the access request to a second DNS server.
Upon receiving the access request, the first DNS server determines whether it is configured for local resolution. If it is, that is, if domain name resolution can be performed on the access request and the first domain name address corresponding to the access request is stored, the access request is resolved to obtain the first domain name address. Whether the first domain name address is legal can then be determined by querying a locally configured blacklist. If the first domain name address is determined to be illegal, the domain name query result, which includes the first domain name address, is discarded. If it is legal, the domain name query result is sent to the client and the user is allowed to access the target website.
If the configuration is not locally resolved or the first domain name address is not stored, the first DNS server sends the access request to the second DNS server.
In an embodiment of the present invention, the second DNS server includes at least two domain name system servers, each with a different priority. Sending the access request to the second DNS server then specifically means sending the access request to the at least two domain name system servers in turn, in order of priority from high to low.
For example, the second DNS server may include the root name servers, the top-level domain name servers and the authoritative name servers, with priority in that order from high to low (a recursive resolver queries the root first and reaches the authoritative server last).
Thus, the first DNS server may send the access request to the root, top-level and authoritative name servers in that order of priority. Normally, the queried server returns a response message to the first DNS server indicating whether the access request was resolved successfully; if so, the response message carries the resolved domain name address. In the embodiment of the present invention, however, the flow control system listens to the DNS messages between the first DNS server and the second DNS server. When the response message of the second DNS server indicates that the access request was resolved successfully, the flow control system intercepts it and judges whether the resolution result is legal. If it is not, the flow control system can prevent the response message of the second DNS server from reaching the first DNS server. If it is legal, or the response message indicates that resolution failed, the flow control system does not block the response message of the second DNS server.
Therefore, in the embodiment of the present invention, when the first DNS server receives no response message from a second DNS server, or receives a response message indicating that resolution failed, it does not need to send the access request on to another second DNS server.
Step 103, receiving a first response message sent by the flow control system. Wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
The second domain name address is a false domain name address, that is, an address that is not the true result of resolving the domain name in the access request. In this way the client is prevented from accessing the target website.
Step 104, sending the first response message to the client.
In the embodiment of the invention, when the first DNS server cannot resolve the access request or does not store the domain name address corresponding to it, it sends the access request to the second DNS server. The flow control system intercepts the messages between the first DNS server and the second DNS server and generates a first response message carrying a false domain name address in place of the address that the second DNS server obtained for the access request. Because the second domain name address returned by the flow control system is false, the user cannot reach the true domain name address; by monitoring and reconstructing DNS traffic, websites that use HTTPS for encrypted transmission can therefore be monitored and the security of data access improved.
Referring to fig. 2, fig. 2 is a flowchart of an access control method according to an embodiment of the present invention, which is applied to a flow control system; as shown in fig. 2, it includes the following steps:
step 201, a second response message sent to the first DNS server by the second DNS server is obtained.
The second response message includes a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
In the embodiment of the invention, the flow control system monitors the DNS message between the first DNS server and the second DNS server. When the response message of the second DNS server indicates that the access request is successfully resolved, the flow control system intercepts the response message and judges whether the resolution result of the second DNS server is legal or not. If not, the response message of the second DNS server is prevented from being sent to the first DNS server. If the legal or response message indicates that the resolution is not successful, the flow control system does not block the response message of the second DNS server.
Step 202, sending a first response message to the first DNS server or the client according to the second response message under the condition that the first domain name address is determined to be illegal, where the first response message includes a second domain name address, and the second domain name address is a false domain name address.
The second domain name address is a false domain name address, that is, an address that is not the true result of resolving the domain name in the access request. In this way the client is prevented from accessing the target website.
Specifically, in this step, the flow control system parses the second response message to obtain the first domain name address. And then, filling the second domain name address into a response field of the second response message to obtain the first response message, and sending the first response message to the first DNS server or the client.
In the embodiment of the invention, when the first DNS server cannot resolve the access request or does not store the domain name address corresponding to it, it sends the access request to the second DNS server. The flow control system intercepts the messages between the first DNS server and the second DNS server and generates a first response message carrying a false domain name address in place of the address that the second DNS server obtained for the access request. Because the second domain name address returned by the flow control system is false, the user cannot reach the true domain name address; by monitoring and reconstructing DNS traffic, websites that use HTTPS for encrypted transmission can therefore be monitored and the security of data access improved.
Referring to fig. 3, fig. 3 is a flowchart of an access control method provided by an embodiment of the present invention, applied to a client, as shown in fig. 3, including the following steps:
step 301, an access request is sent to a first DNS server.
Step 302, receiving a first response message sent by the first DNS server or the flow control system. The first response message includes a second domain name address, which is a false domain name address.
The second domain name address is a false domain name address, that is, an address that is not the true result of resolving the domain name in the access request. In this way the client is prevented from accessing the target website.
According to the first response message, the client cannot access the target website which is expected to be accessed.
In the embodiment of the invention, when the first DNS server cannot resolve the access request or does not store the domain name address corresponding to it, it sends the access request to the second DNS server. The flow control system intercepts the messages between the first DNS server and the second DNS server and generates a first response message carrying a false domain name address in place of the address that the second DNS server obtained for the access request. Because the second domain name address returned by the flow control system is false, the user cannot reach the true domain name address; by monitoring and reconstructing DNS traffic, websites that use HTTPS for encrypted transmission can therefore be monitored and the security of data access improved.
Referring to fig. 4, fig. 4 is a flowchart of an access control method according to an embodiment of the present invention, including the following steps:
step 401, a client initiates a website access request.
Step 402, the local DNS server checks whether it is configured for local resolution. If yes, go to step 403; otherwise go to step 406.
Step 403, the local DNS server performs domain name resolution to obtain a domain name address to be accessed.
Step 404, the local DNS server determines whether the domain name address to be accessed is cached. If so, go to step 405; if not, the local DNS server sends a query request to an off-network DNS server (root, top-level or authoritative name servers, etc.) and the flow jumps to step 406.
Step 405, the local DNS server determines whether the domain name address to be accessed hits the domain name blacklist. If yes, it discards the user's DNS query result and the flow goes to step 409; if not, the flow goes to step 410.
Step 406, the local DNS server accesses the off-network DNS server to recursively query for domain name resolution.
Step 407, the DPI (Deep Packet Inspection) system taps the user's query traffic and reconstructs the DNS packets.
Step 408, the flow control system compares whether the domain name in the DNS resolution hits the blacklist. If yes, it returns a forged DNS data message to the user and the flow goes to step 409; if not, domain name resolution proceeds normally and the flow goes to step 410.
Step 409, the user cannot access the destination website, and the process ends.
Step 410, returning the domain name query result of the user, enabling the user to normally access the target website, and ending the flow.
When a user accesses a target website, the user first obtains the IP address of the website through domain name system (DNS) resolution and then sends data to that IP address and the service port to request access. The domain name resolution flow is shown in fig. 5.
In general, the local DNS server 501 first checks whether it holds the IP address of the domain name to be accessed; if so, it responds to the user directly. Otherwise it performs recursive queries, in turn, to the root domain name server 503, the top-level domain name server 504 and the authoritative domain name server 502, and returns the query result to the user once the query completes.
The local DNS server is usually the operator's internal domain name server, while the authoritative, root and top-level domain name servers are external (often overseas) domain name servers, so an ordinary user's query has to cross operator networks.
However, in the embodiment of the present invention, the messages returned to the local DNS server 501 by the authoritative domain name server 502, the root domain name server 503, and the top-level domain name server 504 are monitored. When the domain name obtained by analysis is detected to be illegal, the message is required to be blocked.
Fig. 6 is a schematic diagram of a plugging process according to an embodiment of the invention. For the user to access the local DNS server, a DNS blacklist matching mode can be adopted to block the DNS resolution request of the illegal domain name. For users accessing external domain name servers, monitoring can only be performed on links. In the embodiment of the invention, the monitoring steps of the flow control system are as follows:
(1) For resolution by users accessing the local DNS server, blocking can be performed by blacklist matching, so that the user is prevented from obtaining the IP address of the domain name.
(2) For users accessing non-local DNS servers, that portion of the user's (inter-network) access traffic can be restored and the DNS access packets filtered out.
The flow control system 505 matches the DNS packets against the domain name list. For hits, the flow control system sends forged DNS packets to the local DNS server or to the ordinary user, resolving the illegal domain name accessed by the user to an IP address that the user cannot reach or that does not exist.
Because the user cannot obtain a correct resolution of the offending domain name, the user cannot reach the target website, and the block is complete.
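The blacklist match in step 408 and in step (1) above is, in practice, a match on DNS labels rather than a plain string comparison: a listed domain should also cover its subdomains, while a name that merely ends in the same characters (for instance "notbad.example" against "bad.example") must not match, and query names arrive in mixed case or with a trailing dot. The following Python is an added example, not code from the patent or its applicant; the blocklist entries and query names are constructed for illustration.

```python
"""Domain blocklist matching by DNS label (added example, not patent code).

A query name hits the list if it equals an entry or is a subdomain of one.
Matching walks the label suffixes of the query name, so "www.bad.example"
hits "bad.example" while "notbad.example" does not. Entries are constructed.
"""


def normalize(name):
    """Canonical form: trimmed, trailing dot removed, lower-case."""
    return name.strip().rstrip(".").lower()


class DomainBlocklist:
    def __init__(self, entries):
        # Normalise once at load time so lookups are a set membership test.
        self.entries = {normalize(e) for e in entries if normalize(e)}

    def matches(self, qname):
        """Return the blocklist entry hit by qname, or None if it resolves normally."""
        labels = normalize(qname).split(".")
        # Walk from the full name to ever shorter suffixes: a.b.c -> b.c -> c
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.entries:
                return candidate
        return None


# Constructed sample list; ".example" is a reserved TLD, so nothing real is named.
BLOCKLIST = DomainBlocklist(["bad.example", "Tracker.Example.net."])


def classify(qnames):
    """Map each query name to the action step 408 would take."""
    return {q: ("block" if BLOCKLIST.matches(q) else "resolve") for q in qnames}


if __name__ == "__main__":
    for name, action in classify(["www.bad.example", "notbad.example", "good.example"]).items():
        print(f"{name:>20}: {action}")
```

Pre-normalising the entries keeps each lookup at one set probe per label, which matters when the matcher sits in the resolution path of every query.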
As described above, the flow control system needs to send a false DNS response to the client or the local DNS server. Since DNS packets use the UDP (User Datagram Protocol), as long as the flow control system's response arrives before the response from the external domain name server, the client or the local DNS server accepts the flow control system's DNS response and does not accept a later DNS response for that query.
In the embodiment of the invention, the DNS data message, whether the request message or the response message returned by the DNS server, uses a uniform format. The request message consists of a Header and a Question section. The Header includes fields such as the request ID (identification), the request type, and whether recursion is desired; the Question section includes fields such as the queried domain name, protocol type and query class. The response message, in addition to the Header and Question, includes three sections with the same format, i.e., Answer (response section), Authority (authority section) and Additional (additional section). The Answer section includes fields such as the domain name, protocol type code, lifetime (TTL), resource data length and resource data (the IP address).
To forge a DNS response packet, take for example the original query packet [id=0x6123 A? www.ict.ac.cn], i.e. a query for the IP address corresponding to the website "www.ict.ac.cn". The correct response packet is [id=0x6123 IN A www.ict.ac.cn 159.226.97.70], i.e. the response stating that the IP address corresponding to "www.ict.ac.cn" is "159.226.97.70". If the packet is forged, the tampered packet is [id=0x6123 IN A www.ict.ac.cn 1.1.1.1], i.e. the user's query for "www.ict.ac.cn" returns the address "1.1.1.1"; the user cannot obtain the real IP address and cannot access "www.ict.ac.cn".
According to the scheme provided by the embodiment of the invention, DNS traffic can be restored and monitored, and traffic from users accessing sites over the HTTPS protocol can be blocked. This overcomes the defect that the original traffic monitoring method can only monitor HTTP traffic and cannot monitor encrypted HTTPS traffic, and improves the security of data access.
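The Header/Question/Answer layout and the UDP race described in the preceding paragraphs have a visible side effect that a resolver operator can monitor for: two responses to the same transaction ID and question that carry different A records, of which the resolver will have accepted only the first. The following Python is an added example, not code from the patent or its applicant; it builds its own constructed sample packets (reusing the 0x6123 ID, the name and the two addresses quoted in the text, plus one unrelated constructed query), parses them with only the standard library, and reports transactions whose answers disagree.

```python
"""Parse DNS wire-format messages and flag conflicting responses.

Added example, not patent code. Implements the Header / Question / Answer
layout from the text and the detection signal the UDP race leaves behind:
more than one distinct A answer for one (transaction ID, question name).
All packets below are constructed in-line; nothing is sent on the network.
"""
import struct
from collections import defaultdict


def encode_name(name):
    """Encode 'www.ict.ac.cn' as length-prefixed DNS labels."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def decode_name(data, off):
    """Decode a possibly compressed name at offset; return (name, offset after it)."""
    labels, end, jumped, jumps = [], off, False, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            jumps += 1
            if jumps > 8:                               # guard against pointer loops
                raise ValueError("too many compression pointers")
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                           # bytes consumed in this record
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def build_a_response(tid, name, ip, ttl=300):
    """Construct a minimal A-record response (constructed sample, one question, one answer)."""
    header = struct.pack("!HHHHHH", tid, 0x8180, 1, 1, 0, 0)    # QR=1, RD=1, RA=1, rcode 0
    question = encode_name(name) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to offset 12
    return header + question + answer


def parse_message(data):
    """Parse Header, Question and Answer sections into a dict."""
    tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append({"name": name, "type": qtype, "class": qclass})
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl, "data": value})
    return {"id": tid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


def find_conflicting_responses(packets):
    """Return [(id, qname, [distinct A answers])] for transactions with disagreeing answers.

    A resolver keeps the first acceptable response, so a second, different
    response for the same transaction is the footprint of an injected reply
    (or of a misbehaving upstream) and is worth alerting on.
    """
    seen = defaultdict(list)
    for pkt in packets:
        msg = parse_message(pkt)
        if not msg["is_response"] or not msg["questions"]:
            continue
        key = (msg["id"], msg["questions"][0]["name"])
        for a in msg["answers"]:
            if a["type"] == 1 and a["data"] not in seen[key]:
                seen[key].append(a["data"])
    return [(tid, name, ips) for (tid, name), ips in seen.items() if len(ips) > 1]


# Constructed samples using the ID, name and addresses quoted in the text.
SAMPLE_PACKETS = [
    build_a_response(0x6123, "www.ict.ac.cn", "1.1.1.1", ttl=60),   # arrives first, accepted
    build_a_response(0x6123, "www.ict.ac.cn", "159.226.97.70"),     # genuine answer, arrives later
    build_a_response(0x7001, "example.invalid", "192.0.2.10"),       # unrelated, single reply
]

if __name__ == "__main__":
    for tid, name, ips in find_conflicting_responses(SAMPLE_PACKETS):
        print(f"conflicting answers for id=0x{tid:04x} {name}: {ips}")
```

On a real capture the same grouping key (transaction ID plus question name) should also include the source port and the client address, otherwise retries that legitimately reuse an ID would be reported as conflicts.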
As shown in fig. 7, the access control device of the embodiment of the present invention is applied to a first DNS server, and includes: a processor 701 and a transceiver 702.
Wherein the transceiver 702 is configured to: receiving an access request of a client; sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored; receiving a first response message sent by a flow control system; sending the first response message to the client; wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
Optionally, the second DNS server includes at least two domain name system servers, and each domain name system server has a different priority; the transceiver 702 is configured to: and sequentially sending the access requests to the at least two domain name system servers according to the order of the priority from high to low.
Optionally, the processor 701 is configured to, when the domain name resolution can be performed on the access request and a first domain name corresponding to the access request is stored, resolve the domain name access request to obtain the first domain name address; determining whether the first domain name address is legal; and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
Optionally, the transceiver 702 is configured to send the domain name query result to the client.
The working principle of the device according to the embodiment of the invention can be referred to the description of the embodiment of the method.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, the access request is sent to the second DNS server. The flow control system intercepts messages between the first DNS server and the second DNS server and generates a first response message, wherein the first response message comprises a false domain name address corresponding to the domain name address obtained by the second DNS server according to the access request. Because the second domain name address returned by the flow control system is a false domain name address, the user cannot access the true domain name address, and therefore, by monitoring and restoring the DNS traffic, the website adopting the HTTPS protocol for encryption transmission can be monitored, and the safety of data access can be improved.
As shown in fig. 8, an access control device according to an embodiment of the present invention is applied to a flow control system, and includes: a processor 801 and a transceiver 802.
Wherein, the transceiver 802 is configured to: acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server; and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
Optionally, the transceiver 802 is further configured to parse the second response message to obtain the first domain name address; filling a second domain name address into a response field of the second response message to obtain the first response message; and sending a first response message to the first DNS server or the client.
The working principle of the device according to the embodiment of the invention can be referred to the description of the embodiment of the method.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, the access request is sent to the second DNS server. The flow control system intercepts messages between the first DNS server and the second DNS server and generates a first response message, wherein the first response message comprises a false domain name address corresponding to the domain name address obtained by the second DNS server according to the access request. Because the second domain name address returned by the flow control system is a false domain name address, the user cannot access the true domain name address, and therefore, by monitoring and restoring the DNS traffic, the website adopting the HTTPS protocol for encryption transmission can be monitored, and the safety of data access can be improved.
As shown in fig. 9, an access control device according to an embodiment of the present invention is applied to a client, and includes: a processor 901 and a transceiver 902.
Wherein, the transceiver 902 is configured to: acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server; and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
The working principle of the device according to the embodiment of the invention can be referred to the description of the embodiment of the method.
In the embodiment of the invention, when the first DNS server cannot perform domain name resolution on the access request or does not store the domain name address corresponding to the access request, the access request is sent to the second DNS server. The flow control system intercepts messages between the first DNS server and the second DNS server and generates a first response message, wherein the first response message comprises a false domain name address corresponding to the domain name address obtained by the second DNS server according to the access request. Because the second domain name address returned by the flow control system is a false domain name address, the user cannot access the true domain name address, and therefore, by monitoring and restoring the DNS traffic, the website adopting the HTTPS protocol for encryption transmission can be monitored, and the safety of data access can be improved.
As shown in fig. 10, the communication device of the embodiment of the present invention is applied to a first DNS server, and includes: a processor 1000, which reads the program in a memory 1020 and performs the following processes: receiving, through a transceiver 1010, an access request of a client; sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored; receiving a first response message sent by a flow control system; sending the first response message to the client; wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
A transceiver 1010 for receiving and transmitting data under the control of the processor 1000.
In fig. 10, the bus architecture may comprise any number of interconnected buses and bridges; specifically, one or more processors represented by the processor 1000 and various memory circuits represented by the memory 1020 are linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and therefore are not described further herein. The bus interface provides an interface. The transceiver 1010 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1000 is responsible for managing the bus architecture and general processing, and the memory 1020 may store data used by the processor 1000 in performing operations.
The second DNS server comprises at least two domain name system servers, and each domain name system server has different priorities; the processor 1000 is further configured to read the computer program and perform the following steps:
the access requests are sent to the at least two domain name system servers sequentially in order of priority from high to low via transceiver 1010.
The processor 1000 is further configured to read the computer program and perform the following steps:
under the condition that the access request can be subjected to domain name resolution and a first domain name corresponding to the access request is stored, resolving the domain name access request to obtain the first domain name address;
determining whether the first domain name address is legal;
and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
The processor 1000 is further configured to read the computer program and perform the following steps:
the domain name query results are sent to the client via transceiver 1010.
The communication device provided in the embodiment of the present invention may execute the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein.
As shown in fig. 11, a communication device according to an embodiment of the present invention is applied to a flow control system, and includes: a processor 1100, which reads the program in a memory 1120 and performs the following procedures: acquiring, through a transceiver 1111, a second response message sent to the first DNS server by the second DNS server, where the second response message includes a first domain name address obtained by the second DNS server by resolving the access request sent by the first DNS server; and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
A transceiver 1111 for receiving and transmitting data under the control of the processor 1100.
In fig. 11, the bus architecture may comprise any number of interconnected buses and bridges; specifically, one or more processors represented by the processor 1100 and various memory circuits represented by the memory 1120 are linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and therefore are not described further herein. The bus interface provides an interface. The transceiver 1111 may be a number of elements, including a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. The processor 1100 is responsible for managing the bus architecture and general processing, and the memory 1120 may store data used by the processor 1100 in performing operations.
The processor 1000 is further configured to read the computer program and perform the following steps:
resolving the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
The communication device provided in the embodiment of the present invention may execute the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein.
As shown in fig. 12, a communication device according to an embodiment of the present invention is applied to a client, and includes: a processor 1200, which reads the program in a memory 1220 and performs the following process:
sending an access request to a first DNS server through transceiver 1210; receiving a first response message sent by the first DNS server or the flow control system; the first response message includes a second domain name address, which is a false domain name address.
A transceiver 1210 for receiving and transmitting data under the control of the processor 1200.
In fig. 12, the bus architecture may comprise any number of interconnected buses and bridges; specifically, one or more processors represented by the processor 1200 and various memory circuits represented by the memory 1220 are linked together. The bus architecture may also link together various other circuits such as peripheral devices, voltage regulators and power management circuits, which are well known in the art and therefore are not described further herein. The bus interface provides an interface. The transceiver 1210 may be a number of elements, i.e. it includes a transmitter and a receiver, providing a means for communicating with various other apparatus over a transmission medium. For different client devices, the client interface 1230 may also be an interface to the external devices they require, including but not limited to a keypad, display, speaker, microphone, joystick, etc.
The processor 1200 is responsible for managing the bus architecture and general processing, and the memory 1220 may store data used by the processor 1200 in performing operations.
The communication device provided in the embodiment of the present invention may execute the above method embodiment, and its implementation principle and technical effects are similar, and this embodiment will not be described herein.
Furthermore, a computer-readable storage medium of an embodiment of the present invention stores a computer program executable by a processor to implement the steps of:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
wherein the first response message includes a second domain name address, and the second domain name address is a false domain name address.
Wherein the second DNS server includes at least two domain name system servers, and each domain name system server has a different priority;
the sending the access request to the second DNS server includes:
and sequentially sending the access requests to the at least two domain name system servers according to the order of the priority from high to low.
Wherein after the receiving the access request of the client, the method further comprises:
under the condition that the access request can be subjected to domain name resolution and a first domain name corresponding to the access request is stored, resolving the domain name access request to obtain the first domain name address;
determining whether the first domain name address is legal;
and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
Wherein, in the case that the first domain name address is determined to be legal, the method further comprises:
and sending the domain name query result to the client.
Furthermore, a computer-readable storage medium of an embodiment of the present invention stores a computer program executable by a processor to implement the steps of:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
and under the condition that the first domain name address is not legal, sending a first response message to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address.
The sending a first response message to the first DNS server or the client according to the second response message includes:
Resolving the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
Furthermore, a computer-readable storage medium of an embodiment of the present invention stores a computer program executable by a processor to implement the steps of:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message includes a second domain name address, which is a false domain name address.
In the several embodiments provided in this application, it should be understood that the disclosed methods and apparatus may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may be physically included separately, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform part of the steps of the transceiving method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program code.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (11)

1. An access control method applied to a flow control system, comprising:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
under the condition that the first domain name address is illegal, a first response message is sent to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address;
the sending a first response message to the first DNS server or the client according to the second response message includes:
resolving the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
2. An access control method applied to a first domain name system DNS server, comprising:
Receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
the first response message is sent under the condition that the flow control system determines that a first domain name address corresponding to the access request is illegal, and the first response message comprises a second domain name address which is a false domain name address; the first response message is obtained by filling a second domain name address into a response field of the second response message by the flow control system; the second response message is sent to the first DNS server by the second DNS server, and the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
3. The method of claim 2, wherein the second DNS server comprises at least two domain name system servers, and each domain name system server has a different priority;
The sending the access request to the second DNS server includes:
and sequentially sending the access requests to the at least two domain name system servers according to the order of the priority from high to low.
4. The method of claim 2, wherein after the receiving the access request of the client, the method further comprises:
under the condition that the access request can be subjected to domain name resolution and a first domain name corresponding to the access request is stored, the access request is resolved to obtain the first domain name address;
and discarding a domain name query result under the condition that the first domain name address is determined to be illegal, wherein the domain name query result comprises the first domain name address.
5. The method of claim 4, wherein in the event that the first domain name address is determined to be legitimate, the method further comprises:
and sending the domain name query result to the client.
6. An access control method applied to a client, comprising:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
The first response message comprises a second domain name address, wherein the second domain name address is a false domain name address;
the first response message is sent under the condition that the flow control system determines that a first domain name address corresponding to the access request is illegal, and the first response message is obtained by filling a second domain name address into a response field of the second response message by the flow control system; the second response message is sent to the first DNS server by the second DNS server, and the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
7. An access control apparatus applied to a first DNS server, comprising: a processor and a transceiver; wherein the transceiver is configured to:
receiving an access request of a client;
sending the access request to a second DNS server under the condition that domain name resolution cannot be carried out on the access request or a first domain name address corresponding to the access request is not stored;
receiving a first response message sent by a flow control system;
sending the first response message to the client;
Wherein the first response message includes a second domain name address, the second domain name address being a false domain name address; the first response message is obtained by filling a second domain name address into a response field of the second response message by the flow control system; the second response message is sent to the first DNS server by the second DNS server, and the second response message comprises a first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
8. An access control device applied to a flow control system, comprising: a processor and a transceiver; wherein the transceiver is configured to:
acquiring a second response message sent to a first DNS server by a second DNS server, wherein the second response message comprises a first domain name address which is obtained by the second DNS server according to the access request sent by the first DNS server;
under the condition that the first domain name address is illegal, a first response message is sent to the first DNS server or the client according to the second response message, wherein the first response message comprises a second domain name address which is a false domain name address;
The sending a first response message to the first DNS server or the client according to the second response message includes:
resolving the second response message to obtain the first domain name address;
filling a second domain name address into a response field of the second response message to obtain the first response message;
and sending a first response message to the first DNS server or the client.
9. An access control apparatus, applied to a client, comprising: a processor and a transceiver; wherein the transceiver is configured to:
sending an access request to a first DNS server;
receiving a first response message sent by the first DNS server or the flow control system;
the first response message comprises a second domain name address, wherein the second domain name address is a false domain name address; the first response message is sent under the condition that the flow control system determines that a first domain name address corresponding to the access request is illegal, the first response message is obtained by filling a second domain name address into a response field of a second response message by the flow control system, the second response message is sent to a first DNS server by a second DNS server, and the second response message comprises the first domain name address obtained by the second DNS server according to the access request sent by the first DNS server.
10. A communication device, comprising: a transceiver, a memory, a processor, and a computer program stored on the memory and executable on the processor; characterized in that:
the processor for reading a program in a memory to implement the steps in the method of claim 1; or to carry out the steps of the method according to any one of claims 2 to 5; or to implement the steps in the method as claimed in claim 6.
11. A computer readable storage medium storing a computer program, which when executed by a processor performs the steps of the method according to claim 1; or to carry out the steps of the method according to any one of claims 2 to 5; or to implement the steps in the method as claimed in claim 6.
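The resolve, check and rewrite step of claims 8 and 9, carried out as an added Python example that is not part of the patent: it parses a (constructed) second response message, checks each A-record address against an assumed blocklist, and fills the sinkhole address (the "false domain name address", assumed placeholder 10.255.255.1) into the response field to produce the first response message, leaving the transaction ID and question untouched so the first DNS server still accepts it.

```python
import ipaddress
import struct

SINKHOLE_IP = "10.255.255.1"   # assumed placeholder for the "false domain name address"
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed blocklist (TEST-NET-3)

def is_illegal(ip):
    """Policy hook: True if the resolved address must not reach the client."""
    return any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETS)

def _skip_name(msg, off):
    """Return the offset just past a DNS name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte pointer terminates the name
            return off + 2
        if length == 0:                # root label terminates the name
            return off + 1
        off += 1 + length

def a_records(msg):
    """Yield (rdata_offset, dotted_ip) for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                           # fixed 12-byte header
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4 # skip QTYPE and QCLASS
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rdlen == 4:  # TYPE A, IPv4 address
            yield off, str(ipaddress.IPv4Address(msg[off:off + 4]))
        off += rdlen

def rewrite_response(msg, policy=is_illegal, sinkhole=SINKHOLE_IP):
    """Second response -> first response: overwrite illegal A RDATA with the sinkhole address."""
    out = bytearray(msg)
    fake = ipaddress.IPv4Address(sinkhole).packed
    for off, ip in a_records(msg):
        if policy(ip):
            out[off:off + 4] = fake
    return bytes(out)

def build_response(name, ip, txid=0x1234):
    """Constructed sample 'second response message' with one question and one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, QD=1, AN=1
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return header + question + answer
```

A legal address passes through byte-for-byte; only the 4-byte RDATA of an illegal answer changes, so message length and checksums computed downstream stay consistent.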

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910682149.5A CN112311722B (en) 2019-07-26 2019-07-26 Access control method, device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201910682149.5A CN112311722B (en) 2019-07-26 2019-07-26 Access control method, device, equipment and computer readable storage medium

Publications (2)

Publication Number Publication Date
CN112311722A CN112311722A (en) 2021-02-02
CN112311722B true CN112311722B (en) 2023-05-09

Family

ID=74328806

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910682149.5A Active CN112311722B (en) 2019-07-26 2019-07-26 Access control method, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN112311722B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113206785B (en) * 2021-05-28 2023-01-10 深圳市中科明望通信软件有限公司 Network request method and device, terminal equipment and storage medium
CN115396516A (en) * 2022-08-26 2022-11-25 中国建设银行股份有限公司 Access request processing method, device, equipment and storage medium
CN115720174B (en) * 2022-11-30 2023-05-23 广西壮族自治区信息中心 Blacklist exception setting method, device, equipment and storage medium

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6074781B2 (en) * 2012-12-26 2017-02-08 Huawei Technologies Co., Ltd. Method and apparatus for preventing unauthorized service access
CN104219200B (en) * 2013-05-30 2017-10-17 杭州迪普科技股份有限公司 Apparatus and method for defending against DNS cache attacks
CN106534141A (en) * 2016-11-22 2017-03-22 汉柏科技有限公司 Method and system for preventing domain name server from being attacked and firewall
CN109246256A (en) * 2017-07-10 2019-01-18 中国电信股份有限公司 Domain name resolution method and system, and trusted domain name system server

Also Published As

Publication number Publication date
CN112311722A (en) 2021-02-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant