CN112637340B - Domain name resolution system, monitoring method, cache cleaning method, device and medium - Google Patents


Info

Publication number: CN112637340B
Application number: CN202011532042.1A
Authority: CN (China)
Other versions: CN112637340A
Inventors: 黄友俊, 李星, 吴建平, 郝子剑
Current assignee: CERNET Corp
Original assignee: CERNET Corp
Legal status: Active

Classifications

    • H04L61/4511 Network directories; name-to-address mapping using standardised directory access protocols, using the domain name system [DNS]
    • G06F9/5022 Allocation of resources; mechanisms to release resources
    • G06F9/505 Allocation of resources to service a request, the resource being a machine (e.g. CPUs, servers, terminals), considering the load
    • H04L63/0823 Network security; authentication of entities using certificates
    • H04L63/1425 Network security; detecting malicious traffic by monitoring network traffic; traffic logging, e.g. anomaly detection
    • H04L63/1441 Network security; countermeasures against malicious traffic
    • H04L67/025 Protocols based on web technology (e.g. HTTP) for remote control or remote monitoring of applications
    • H04L67/1004 Distributed applications; accessing one among a plurality of replicated servers; server selection for load balancing
    • H04L67/1095 Distributed applications; replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L67/566 Provisioning of proxy services; grouping or aggregating service requests, e.g. for unified processing


Abstract

The present disclosure provides a domain name resolution system for IPv6, including a front-end server and a back-end server. The front-end server is provided with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container; the LVS + Keepalived high-availability load balancing system is used for receiving DNS requests, and the front-end Keepalived + Nginx high-availability load balancing container and the front-end Nginx reverse proxy container are used for forwarding them. A back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container are deployed on the back-end server; the back-end Keepalived + Nginx high-availability load balancing container forwards the DNS request, and the Unbound domain name resolution and DNS cache anti-poisoning container performs domain name resolution according to the DNS request and clears domain names that do not meet the conditions from its cache. The front-end server is also provided with a monitoring service system, which monitors the running state of the Unbound domain name resolution and DNS cache anti-poisoning container and adds or destroys such containers according to the running state.

Description

Domain name resolution system, monitoring method, cache cleaning method, device and medium
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a domain name resolution system, a monitoring method, a cache cleaning method, a device, and a medium.
Background
The information on the internet is vast, and much of it is hot-spot information that people care about; these hot spots represent the most-followed part of internet information. With the advancement of the national network information strategy, the development of IPv6 has been greatly promoted and more and more sites support IPv6 access. However, most domain name servers support IPv6 poorly, and users' experience of accessing IPv6-capable sites suffers because of domain name resolution server performance, network delay, single points of failure and the like.
Disclosure of Invention
In view of the above, the present disclosure provides a domain name resolution system, a monitoring method, a cache cleaning method, a device, and a medium.
One aspect of the present disclosure provides a domain name resolution system for IPv6, including at least one front-end server and at least one back-end server. The front-end server is provided with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container; the LVS + Keepalived high-availability load balancing system is used for receiving a DNS request and selecting a Real Server to process it according to a scheduling algorithm; the front-end Keepalived + Nginx high-availability load balancing container and the front-end Nginx reverse proxy container are used for forwarding the DNS request. A back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container are deployed on the back-end server; the back-end Keepalived + Nginx high-availability load balancing container is used for forwarding the DNS request, and the Unbound domain name resolution and DNS cache anti-poisoning container is used for performing domain name resolution according to the DNS request and clearing domain names that do not meet the conditions from the cache. The front-end server is also provided with a monitoring service system, which monitors the running state of the Unbound domain name resolution and DNS cache anti-poisoning container and adds or destroys such containers according to the running state.
According to the embodiment of the disclosure, the monitoring service system is further configured to monitor trigger events of the Unbound domain name resolution and DNS cache anti-poisoning container, where the trigger events include insufficient memory and/or a hung (unresponsive) Unbound process and/or illegal modification. When a trigger event is detected, the monitoring service system adds a new Unbound domain name resolution and DNS cache anti-poisoning container and destroys the Unbound domain name resolution and DNS cache anti-poisoning container on which the trigger event occurred.
According to the embodiment of the disclosure, the monitoring service system is further configured to monitor alarm events of the LVS + Keepalived high-availability load balancing system deployed on the front-end server, the front-end Keepalived + Nginx high-availability load balancing container, and the back-end Keepalived + Nginx high-availability load balancing container deployed on the back-end server, where the alarm events include heartbeat alarms and/or alarms based on a performance threshold and/or alarms based on statistical anomaly detection.
According to the embodiment of the disclosure, a Harbor-based private Docker registry supporting IPv6 access is also deployed on the front-end server. The private Docker registry stores the images of the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container and the Unbound domain name resolution and DNS cache anti-poisoning container, and each front-end server and each back-end server downloads images from it.
According to the embodiment of the disclosure, the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container and the Unbound domain name resolution and DNS cache anti-poisoning container are deployed using Docker virtualization technology.
According to the embodiment of the disclosure, the monitoring service system comprises an infrastructure automation (operation and maintenance) module, which adds or destroys the Unbound domain name resolution and DNS cache anti-poisoning container using infrastructure automation technology.
Another aspect of the present disclosure provides a monitoring method for the IPv6 domain name resolution system described above, including: configuring the initial number of Unbound domain name resolution and DNS cache anti-poisoning containers and the maximum and minimum performance thresholds of each such container; monitoring the running state of each container; obtaining the performance value of each container from its running state and sorting the performance values; if all performance values are greater than the maximum performance threshold and the number of DNS requests is increasing, increasing the number of Unbound domain name resolution and DNS cache anti-poisoning containers; and if the current number of containers is greater than the initial number, all performance values are below the maximum performance threshold, and the smallest performance value is below the minimum performance threshold, destroying the container with the smallest performance value.
Another aspect of the present disclosure provides a cache cleaning method for the IPv6 domain name resolution system described above, including: extracting the DNS cache list of an Unbound domain name resolution and DNS cache anti-poisoning container; judging, from the table of common domain names and their corresponding IP addresses, whether the IP address of a common domain name in the DNS cache list has changed; for the domain names other than the common ones, judging in turn whether the domain name supports the https protocol, whether the common name field of the SSL certificate is consistent with the domain name, whether the SSL certificate has expired, whether the SSL certificate is self-signed, whether the SSL certificate was issued by an internationally well-known certificate authority, and whether the NS records are empty; and clearing the domain names that do not meet the conditions according to the judgment results.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
Fig. 1 schematically shows a block diagram of a domain name resolution system for IPv6 according to an embodiment of the present disclosure;
Fig. 2 schematically shows a flow chart of a monitoring method for a domain name resolution system for IPv6 according to an embodiment of the present disclosure;
Fig. 3 schematically shows a flow chart of a cache cleaning method for an IPv6 domain name resolution system according to an embodiment of the present disclosure;
Fig. 4 schematically shows a flow diagram of a domain name resolution system deployment method for IPv6 according to an embodiment of the present disclosure;
Fig. 5 schematically shows a flow chart of a domain name resolution method for IPv6 according to an embodiment of the present disclosure;
Fig. 6 schematically shows a block diagram of an electronic device adapted to implement the above-described methods according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction should be interpreted in the sense one having ordinary skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B, A and C, B and C, and/or A, B and C, etc.). Where a convention analogous to "at least one of A, B or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include, but not be limited to, systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B and C together, etc.).
In order to optimize users' access to hot-spot information sites supporting IPv6, the speed of resolving a domain name's IPv6 address must be increased, which improves the experience of users querying hot-spot information sites. The embodiment of the disclosure provides a method for implementing a million-level high-concurrency IPv6 DNS cluster resolution technology based on IPv6 technology, Docker virtualization technology, Ansible automatic operation and maintenance technology, a host LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing system, a front-end Nginx reverse proxy system, a back-end Keepalived + Nginx high-availability load balancing system, a back-end Unbound domain name resolution and DNS cache anti-poisoning system, a private Docker registry and an Unbound container performance threshold monitoring server. It implements a high-availability, high-concurrency IPv6 DNS cluster resolution technology that improves the IPv6 address resolution speed of domain names and the experience of users accessing hot-spot information sites. The following detailed description is made with reference to the accompanying drawings.
Fig. 1 schematically shows a block diagram of a domain name resolution system for IPv6 according to an embodiment of the present disclosure.
As shown in Fig. 1, the domain name resolution system for IPv6 includes at least one front-end server and at least one back-end server.
Each front-end server is deployed with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container, and is configured as a Docker virtualization environment. Each front-end server is also provided with a monitoring service system. Each back-end server is provided with a back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container.
According to the embodiment of the disclosure, deploying the LVS + Keepalived high-availability load balancing system means that an LVS + Keepalived high-availability load balancing environment is established on the host of each front-end server and a virtual IPv6 address for the external service is provided. The LVS load balancer receives all inbound requests and determines, according to a scheduling algorithm, which Real Server processes each request; Keepalived implements high availability based on the VRRP protocol, avoiding a single point of failure, and provides the virtual IPv6 address of the external service.
According to the embodiment of the disclosure, the front-end Keepalived + Nginx high-availability load balancing container is deployed using Docker virtualization technology to form a front-end Keepalived + Nginx high-availability load balancing system, and the Keepalived + Nginx high-availability load balancing system of each front-end server can provide a virtual IPv6 address for the external service.
According to the embodiment of the disclosure, the front-end Nginx reverse proxy container is deployed using Docker virtualization technology to form a front-end Nginx reverse proxy system. The number of containers is determined by the actual application; for example, six front-end Nginx reverse proxy containers are deployed on each front-end server, and the six front-end Nginx reverse proxy containers deployed on each front-end server together form a front-end Nginx reverse proxy system container cluster.
According to the embodiment of the disclosure, the back-end Keepalived + Nginx high-availability load balancing container is deployed using Docker virtualization technology to form a back-end Keepalived + Nginx high-availability load balancing system, and the Keepalived + Nginx high-availability load balancing system of each back-end server can provide a virtual IPv6 address for the external service.
According to the embodiment of the disclosure, the Unbound domain name resolution and DNS cache anti-poisoning container is deployed using Docker virtualization technology to form an Unbound domain name resolution and DNS cache anti-poisoning system. The number of containers is determined by the actual application; for example, six Unbound domain name resolution and DNS cache anti-poisoning containers may be deployed, and all such containers of each back-end server together form the Unbound domain name resolution and DNS cache anti-poisoning system. When DNS request data arrive, the Unbound domain name resolution and DNS cache anti-poisoning container first queries its own cache records; if a record for the requested data exists in the cache, the cached result is returned directly to the user, and if not, the container resolves the name recursively starting from the DNS root servers until the final result for the DNS request data is obtained, and that result is returned to the user.
A DNS cache anti-poisoning cleaning program configured on the Unbound domain name resolution and DNS cache anti-poisoning container periodically extracts the Unbound DNS cache list. It first compares the common domain names against the table of their corresponding IP addresses to judge whether an IP address has changed; for the other domain names it judges in turn whether the domain name supports https, whether the common name field of the SSL certificate is consistent with the domain name, whether the SSL certificate has expired, whether the SSL certificate is self-signed, whether the SSL certificate was issued by an internationally well-known certificate authority, whether the NS records are empty, and conditions such as the domain name having been queried for ANY records; the domain names screened out of the cache as not meeting the conditions are cleaned automatically.
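The cache cleaning checks described in the summary and in the paragraph above, as an added example that is not part of the patent: a Python checker run over constructed cache records, where the table of common domains, the trusted-CA list, the sample names and the fixed "now" are all assumptions, and the verdict feeds the real `unbound-control flush <name>` subcommand. It goes one step beyond the text by also matching SAN names, since modern certificates carry the host name in the SAN extension rather than in the CN.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample data: the CA names, domains and addresses are illustrative only.
TRUSTED_CAS: Set[str] = {"DigiCert", "Let's Encrypt", "GlobalSign"}
# Comparison table of "common" domains and the IPv6 addresses the operator expects for them.
KNOWN_IPS: Dict[str, Set[str]] = {"www.example.edu": {"2001:db8::10", "2001:db8::11"},
                                  "mail.example.edu": {"2001:db8::12"}}
SAMPLE_NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)   # fixed "now" for the constructed data


@dataclass
class CertInfo:
    subject_cn: str
    issuer_org: str
    not_after: datetime
    self_signed: bool
    sans: Tuple[str, ...] = ()   # extension beyond the text: SAN names are matched too


@dataclass
class CacheEntry:
    domain: str
    ip: str
    has_https: bool = False
    cert: Optional[CertInfo] = None
    ns_records: Tuple[str, ...] = ()
    any_queried: bool = False    # the description also lists names looked up via ANY queries


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host name, honouring one left-most wildcard label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return pattern == host


def check_entry(e: CacheEntry, known: Dict[str, Set[str]], trusted: Set[str],
                now: datetime) -> List[str]:
    """Return the conditions the entry fails, in the order the description lists them."""
    reasons: List[str] = []
    if e.domain in known:
        # Common domains: only the IP-change comparison applies.
        if e.ip not in known[e.domain]:
            reasons.append("ip-changed")
        return reasons
    if not e.has_https or e.cert is None:
        return ["no-https"]      # the certificate checks need a certificate
    c = e.cert
    if not any(name_matches(n, e.domain) for n in (c.subject_cn,) + c.sans):
        reasons.append("cn-mismatch")
    if c.not_after <= now:
        reasons.append("expired")
    if c.self_signed:
        reasons.append("self-signed")
    if c.issuer_org not in trusted:
        reasons.append("untrusted-ca")
    if not e.ns_records:
        reasons.append("no-ns")
    if e.any_queried:
        reasons.append("any-query")
    return reasons


def plan_cleanup(entries: List[CacheEntry], known: Dict[str, Set[str]] = KNOWN_IPS,
                 trusted: Set[str] = TRUSTED_CAS,
                 now: Optional[datetime] = None) -> Dict[str, List[str]]:
    """Map each domain to flush to its failed conditions; entries that pass stay cached."""
    now = now or datetime.now(timezone.utc)
    plan: Dict[str, List[str]] = {}
    for e in entries:
        reasons = check_entry(e, known, trusted, now)
        if reasons:
            plan[e.domain] = reasons
    return plan


def flush_commands(plan: Dict[str, List[str]]) -> List[str]:
    """Removal step: 'unbound-control flush <name>' drops a name from the Unbound cache."""
    return [f"unbound-control flush {d}" for d in sorted(plan)]


def sample_entries() -> List[CacheEntry]:
    """Constructed cache records covering the pass case and each failure path."""
    good = CertInfo("*.example.org", "DigiCert", datetime(2022, 1, 1, tzinfo=timezone.utc), False)
    bad = CertInfo("other.test", "HomeBrewCA", datetime(2020, 1, 1, tzinfo=timezone.utc), True)
    return [
        CacheEntry("www.example.edu", "2001:db8::10"),                 # common, address unchanged
        CacheEntry("mail.example.edu", "2001:db8::99"),                # common, address changed
        CacheEntry("news.example.org", "2001:db8::20", True, good, ("ns1.example.org",)),
        CacheEntry("shady.test", "2001:db8::66", True, bad, ()),       # fails most checks
        CacheEntry("plain.test", "2001:db8::77", False, None, ("ns1.plain.test",)),
    ]
```

In a deployment the cache list would come from `unbound-control dump_cache` and the certificate fields from a TLS connection to each name; here both are replaced by the constructed records so the decision logic runs offline.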
According to the embodiment of the disclosure, the front-end server being further provided with a monitoring service system means that a monitoring server for tracking the real-time performance changes of the Unbound containers is established on the front-end server. The monitoring server monitors the real-time performance changes of all Unbound containers through an API (application programming interface) and uses an alarm-driven automatic operation and maintenance technology to respond in time. When users' DNS requests surge, the real-time performance readings of the Unbound containers rise; when the DNS request queue of an Unbound container grows suddenly, its domain name resolution speed drops. The monitoring server therefore sets a maximum predefined threshold and a minimum predefined threshold according to the factors that influence the resolution speed of an Unbound container, such as CPU utilization, memory usage, the memory failure counter, IO throughput, network error rate and the number of queued DNS requests of the Unbound domain name resolution system container. It obtains a real-time ranking of the real-time performance monitoring results of all Unbound containers using a quicksort algorithm. When the real-time performance monitoring results of the Unbound containers exceed the set maximum predefined threshold, it increases the number of Unbound containers using the Ansible automatic operation and maintenance technology, relieving the pressure on the Unbound container system in time. When the number of Unbound containers is greater than 12, the real-time performance monitoring results of all Unbound containers are below the set maximum predefined threshold, and the real-time performance monitoring result of the last-ranked Unbound container is below the set minimum predefined destruction threshold, it automatically releases the system resources of that Unbound container using the Ansible automatic operation and maintenance technology.
According to the embodiment of the disclosure, in the whole high-availability, high-concurrency IPv6 DNS domain name resolution system cluster, the DNS request data of all users are simply forwarded as they pass through the front-end host LVS + Keepalived high-availability load balancing system, the front-end Keepalived + Nginx high-availability load balancing system, the front-end Nginx reverse proxy system and the back-end Keepalived + Nginx high-availability load balancing system; these systems experience hardly any pressure or bottleneck, so the pressure of the whole cluster falls on the back-end Unbound domain name resolution system container cluster. The domain name resolution speed of the Unbound container cluster set up by this method therefore directly determines the performance of the whole domain name resolution system; optimizing the performance of the Unbound container cluster greatly improves the domain name resolution capability of the whole system.
According to an embodiment of the present disclosure, the monitoring service system is further configured to monitor trigger events of the Unbound domain name resolution and DNS cache anti-poisoning container, namely the events listed above: insufficient memory, a hung Unbound process, and illegal modification. Modifying deployed containers in production is not common practice, so a commit of changes to the container file system may represent "hacking". When one of the three trigger events occurs, the monitoring service system promptly handles the corresponding Unbound domain name resolution system container: a new container is started first, and then the Unbound container associated with the trigger event is destroyed. The monitoring service system comprises an infrastructure automation (operation and maintenance) module, which adds or destroys the Unbound domain name resolution and DNS cache anti-poisoning container using infrastructure automation technology.
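The threshold-based scaling and the trigger-event replacement described in the monitoring paragraphs above, as an added example that is not the patent's own code: the composite score weights, the container names and the simulated start/destroy operations are assumptions standing in for the real metrics API and the Ansible playbooks.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Trigger events named in the description; any of them causes the container to be replaced.
TRIGGER_EVENTS = {"insufficient-memory", "unbound-hung", "illegal-modification"}


@dataclass
class ContainerSample:
    """One real-time performance sample of an Unbound container (constructed metrics)."""
    name: str
    cpu: float            # utilisation, 0..1
    mem: float            # utilisation, 0..1
    mem_failures: int     # memory failure counter
    io_mbps: float        # IO throughput
    net_err_rate: float   # network error rate, 0..1
    queue_len: int        # pending DNS requests


@dataclass
class Policy:
    initial_count: int    # initial number of Unbound containers
    max_threshold: float  # maximum predefined (scale-out) threshold
    min_threshold: float  # minimum predefined (destruction) threshold


def performance_value(s: ContainerSample) -> float:
    """Composite load score in 0..1; the factors come from the text, the weights are an assumption."""
    return min(1.0, 0.3 * s.cpu + 0.2 * s.mem
               + 0.1 * min(s.mem_failures / 100, 1.0)
               + 0.1 * min(s.io_mbps / 1000, 1.0)
               + 0.1 * s.net_err_rate
               + 0.2 * min(s.queue_len / 10_000, 1.0))


def rank(samples: List[ContainerSample]) -> List[Tuple[float, str]]:
    """Real-time ranking, highest load first (sorted() stands in for the quicksort in the text)."""
    return sorted(((performance_value(s), s.name) for s in samples), reverse=True)


def scaling_decision(samples: List[ContainerSample], policy: Policy,
                     requests_increasing: bool) -> Tuple[str, Optional[str]]:
    """Return ('add', None), ('destroy', <name>) or ('hold', None) following the monitoring method."""
    ranked = rank(samples)
    values = [v for v, _ in ranked]
    if values and all(v > policy.max_threshold for v in values) and requests_increasing:
        return ("add", None)
    if (len(samples) > policy.initial_count
            and all(v < policy.max_threshold for v in values)
            and values[-1] < policy.min_threshold):
        return ("destroy", ranked[-1][1])   # the last-ranked container is the one released
    return ("hold", None)


class Fleet:
    """Simulated Unbound container set; start/destroy stand in for the Ansible playbooks."""

    def __init__(self, names: List[str]):
        self.names = list(names)
        self.log: List[str] = []
        self._seq = len(names)

    def start(self) -> str:
        self._seq += 1
        name = f"unbound-{self._seq}"
        self.names.append(name)
        self.log.append(f"start {name}")
        return name

    def destroy(self, name: str) -> None:
        self.names.remove(name)
        self.log.append(f"destroy {name}")

    def handle_trigger(self, victim: str, event: str) -> str:
        """Start the replacement first, then destroy the affected container, as the text orders it."""
        if event not in TRIGGER_EVENTS:
            raise ValueError(f"unknown trigger event: {event}")
        replacement = self.start()
        self.destroy(victim)
        return replacement

    def apply(self, decision: Tuple[str, Optional[str]]) -> None:
        """Carry out a scaling decision returned by scaling_decision()."""
        action, name = decision
        if action == "add":
            self.start()
        elif action == "destroy" and name is not None:
            self.destroy(name)
```

Because the replacement is started before the faulty container is destroyed, the number of serving containers never drops below the configured count during a trigger, which is the property the text relies on.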
According to the embodiment of the disclosure, the monitoring service system is further configured to monitor alarm events of the LVS + Keepalived high-availability load balancing system deployed on the front-end server, the front-end Keepalived + Nginx high-availability load balancing container, and the back-end Keepalived + Nginx high-availability load balancing container deployed on the back-end server, where the alarm events include heartbeat alarms and/or alarms based on performance thresholds and/or alarms based on statistical anomaly detection. A heartbeat alarm is raised when the high-availability system switches between the primary and standby systems. An alarm based on a performance threshold is raised when a metric value exceeds a predefined threshold. Alarms based on statistical anomaly detection may be raised when metric values change suddenly and deviate from the baseline. The monitoring service system can detect alarm events in time so that they are handled promptly, ensuring fast and normal operation of domain name resolution.
According to the embodiment of the disclosure, a Docker private warehouse based on a hardor and supporting IPv6 access is also deployed on the front-end server, the Docker private warehouse is used for storing images of a front-end Keeplived + Nginx Gao Keyong load balancing container, a front-end Nginx reverse proxy container rear-end Keeplaleved + Nginx Gao Keyong load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container, and each front-end server and each rear-end server downloads images from the Docker private warehouse. Each server node opens a request for downloading the mirror image based on the https mode, and the safety of the Docker private warehouse is improved.
By the domain name resolution system for IPv6 provided by the embodiment of the disclosure, the resolution speed of the domain name IPv6 address can be improved, single-point failure of the system is avoided, and the experience of a user for accessing a hot spot information site is improved.
Based on the same inventive concept, the embodiment of the disclosure also provides a monitoring method based on the above domain name resolution system for IPv 6.
Fig. 2 schematically shows a flowchart of a monitoring method for a domain name resolution system of IPv6 according to an embodiment of the present disclosure.
As shown in fig. 2, the method may include, for example, operations S201 to S205.
In operation S201, the initial number of Unbound domain name resolution and DNS cache anti-poisoning containers and the maximum and minimum performance thresholds of each Unbound domain name resolution and DNS cache anti-poisoning container are configured.
In operation S202, the running state of each Unbound domain name resolution and DNS cache anti-poisoning container is monitored.
In operation S203, the performance value of each Unbound domain name resolution and DNS cache anti-poisoning container is obtained from its running state, and the performance values of the Unbound domain name resolution and DNS cache anti-poisoning containers are sorted.
In operation S204, when all performance values are greater than the maximum performance threshold and the number of DNS requests is increasing, the number of Unbound domain name resolution and DNS cache anti-poisoning containers is increased.
In operation S205, when the current number of Unbound domain name resolution and DNS cache anti-poisoning containers is greater than the initial number, all performance values are smaller than the maximum performance threshold, and the minimum of all performance values is smaller than the minimum performance threshold, the Unbound domain name resolution and DNS cache anti-poisoning container with the minimum performance value is destroyed.
By the monitoring method of the embodiment of the present disclosure, containers can be added and destroyed in time, system resources are released, and the resolution speed of domain name resolution is improved.
Based on the same inventive concept, the embodiment of the present disclosure further provides a cache cleaning method based on the above domain name resolution system for IPv6.
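The scaling rules of operations S201 to S205 and the trigger-event handling described earlier (start a replacement first, destroy the suspect container second) are decision logic, so they can be written as pure functions and checked offline. The block below is an added example, not code from the patent: the per-container probes (performance value, memory, whether Unbound still answers, whether the container file system was modified) are passed in as constructed values, and the memory-headroom figure and the replacement naming scheme are assumptions. In a deployment those values would come from sources such as `docker stats`, `unbound-control status` and `docker diff`, which the patent does not name.

```python
# Added example, not code from the patent: the monitoring service's decisions from
# operations S201 to S205 and from the trigger-event handling, as pure functions.
# All probe values are constructed inputs; the memory-headroom threshold and the
# "-replacement" naming scheme are assumptions, not taken from the patent.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Container:
    name: str
    perf: float            # load-type performance value: higher means busier (assumed)
    mem_used_mb: float
    mem_limit_mb: float
    unbound_alive: bool    # False when the Unbound process no longer responds
    fs_changed: bool       # True when the container file system has been modified

@dataclass
class Policy:
    initial_count: int     # S201: initial number of Unbound containers
    max_perf: float        # S201: maximum performance threshold
    min_perf: float        # S201: minimum performance threshold
    mem_headroom_mb: float = 32.0   # assumed: less free memory than this is "insufficient"

Action = Tuple[str, Optional[str]]

def scaling_action(containers: List[Container], policy: Policy,
                   requests_increasing: bool) -> Action:
    """S203-S205: returns ("add", None), ("destroy", <name>) or ("hold", None)."""
    if not containers:
        return ("add", None)
    perf = sorted(c.perf for c in containers)            # S203: sort performance values
    # S204: every container is above the maximum threshold while load keeps growing
    if perf[0] > policy.max_perf and requests_increasing:
        return ("add", None)
    # S205: never shrink below the initial count; all below max and the weakest below min
    if (len(containers) > policy.initial_count
            and perf[-1] < policy.max_perf
            and perf[0] < policy.min_perf):
        weakest = min(containers, key=lambda c: c.perf)
        return ("destroy", weakest.name)
    return ("hold", None)   # between the thresholds nothing changes (hysteresis band)

def trigger_events(c: Container, policy: Policy) -> List[str]:
    """The three trigger events: insufficient memory, Unbound hung, illegal modification."""
    events: List[str] = []
    if c.mem_limit_mb - c.mem_used_mb < policy.mem_headroom_mb:
        events.append("insufficient_memory")
    if not c.unbound_alive:
        events.append("unbound_hung")
    if c.fs_changed:
        events.append("illegal_modification")
    return events

def replacement_plan(containers: List[Container], policy: Policy) -> List[Action]:
    """For each container with a trigger event: start a replacement first, destroy
    second, so resolution capacity never drops while the suspect container is removed."""
    plan: List[Action] = []
    for c in containers:
        if trigger_events(c, policy):
            plan.append(("start", c.name + "-replacement"))   # assumed naming scheme
            plan.append(("destroy", c.name))
    return plan
```

Two properties of the claimed rules are visible here: the scale-down branch can never take the pool below the configured initial count, and a pool whose values all sit between the two thresholds is left alone, which is the hysteresis that keeps the system from flapping.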
Fig. 3 schematically shows a flowchart of a cache cleaning method for an IPv6 domain name resolution system according to an embodiment of the present disclosure.
As shown in fig. 3, the method may include operations S301 to S303, for example.
In operation S301, the DNS cache list in the Unbound domain name resolution and DNS cache anti-poisoning container is extracted.
In operation S302, for the commonly used domain names, whether the IP address has changed is determined from the correspondence between domain name and IP address in the DNS cache list; then, for the other domain names besides the commonly used ones, it is judged in turn whether the domain name supports the HTTPS protocol, whether the common name field of the SSL certificate matches the domain name, whether the SSL certificate has expired, whether the SSL certificate is self-signed, whether the SSL certificate was issued by an internationally known certificate authority, and whether the NS record is empty.
In operation S303, the domain names that do not meet the conditions are removed according to the judgment results.
According to the embodiment of the present disclosure, a domain name is considered not to meet the conditions if its IP address has changed, or (for domain names other than the commonly used ones) it does not support the HTTPS protocol, or the common name field of its SSL certificate does not match the domain name, or its SSL certificate has expired, or its SSL certificate is self-signed, or its SSL certificate was not issued by an internationally known certificate authority, or its NS record is empty; such domain names are removed from the cache.
By the cache cleaning method of the embodiment of the present disclosure, domain names that do not meet the conditions can be cleared from the cache in time, system resources are released, and the resolution speed of domain name resolution is improved.
It should be noted that the method embodiments of the present disclosure correspond to the device embodiments of the present disclosure; their specific implementation details and technical effects are similar and are not repeated here.
The embodiment of the present disclosure also provides a method for deploying the domain name resolution system for IPv6.
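Operations S301 to S303 are a parse-evaluate-evict loop over the resolver's cache. The block below is an added example, not code from the patent: it parses a constructed excerpt in the text layout that `unbound-control dump_cache` prints, applies the checks listed above, and emits the `unbound-control flush` commands that would evict the failing names. The HTTPS/certificate and NS observations are constructed inputs rather than live lookups (a real implementation would connect to each cached name over TLS and query its NS records), and the "commonly used domain" baseline, the set of "known" CAs and the wildcard-CN matching rule are assumptions made here, not details the patent specifies.

```python
# Added example, not code from the patent: the cache-cleaning rules of operations
# S301 to S303 run over a constructed `unbound-control dump_cache` excerpt. TLS and
# NS observations are constructed inputs; the baseline of "commonly used" names and
# the notion of a "known CA" are modelled as caller-supplied data (assumptions).
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set

@dataclass
class TlsObservation:
    supports_https: bool
    cert_cn: Optional[str] = None
    not_after: Optional[datetime] = None
    self_signed: bool = False
    issuer_known_ca: bool = False

# Constructed sample in dump_cache layout: ";rrset" lines carry ttl/counts,
# resource records follow as tab-separated presentation-format lines.
SAMPLE_DUMP = """START_RRSET_CACHE
;rrset 3600 1 0 3 3
www.example.com.\t3600\tIN\tAAAA\t2001:db8::10
;rrset 300 1 0 3 3
shop.example.net.\t300\tIN\tA\t198.51.100.7
;rrset 60 1 0 3 3
bad.example.org.\t60\tIN\tA\t203.0.113.9
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
"""
NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)                 # constructed clock
BASELINE = {"www.example.com": {"2001:db8::10"}}                # constructed "commonly used" names
TLS_OBS = {                                                     # constructed TLS observations
    "shop.example.net": TlsObservation(True, "shop.example.net",
                                       datetime(2022, 6, 1, tzinfo=timezone.utc), False, True),
    "bad.example.org": TlsObservation(True, "*.other.org",
                                      datetime(2020, 6, 1, tzinfo=timezone.utc), True, False),
}
NS_RECORDS = {"shop.example.net": ["ns1.example.net."], "bad.example.org": []}

def parse_rrset_cache(dump: str) -> Dict[str, Dict[str, Set[str]]]:
    """S301: {owner: {rrtype: {rdata, ...}}} from the RRSET section of a cache dump."""
    cache: Dict[str, Dict[str, Set[str]]] = {}
    in_rrset = False
    for line in dump.splitlines():
        if line == "START_RRSET_CACHE":
            in_rrset = True
            continue
        if line == "END_RRSET_CACHE":
            break
        if not in_rrset or line.startswith(";"):
            continue
        fields = line.split("\t")
        if len(fields) < 5:
            continue
        owner, _ttl, _cls, rrtype, rdata = fields[:5]
        cache.setdefault(owner.rstrip("."), {}).setdefault(rrtype, set()).add(rdata)
    return cache

def cn_matches(cn: Optional[str], name: str) -> bool:
    """Exact match, or a single-label wildcard CN such as *.example.net (assumed rule)."""
    if cn is None:
        return False
    cn, name = cn.lower().rstrip("."), name.lower()
    if cn.startswith("*."):
        return "." in name and name.split(".", 1)[1] == cn[2:]
    return cn == name

def violations(name: str, entry: Dict[str, Set[str]], baseline: Dict[str, Set[str]],
               tls: Optional[TlsObservation], ns_records: Dict[str, List[str]],
               now: datetime) -> List[str]:
    """S302: reasons a cached name fails the checks; an empty list means keep it."""
    reasons: List[str] = []
    if name in baseline:   # commonly used domain: only the IP-change check applies
        current = entry.get("A", set()) | entry.get("AAAA", set())
        if current != baseline[name]:
            reasons.append("ip_changed")
        return reasons
    if tls is None or not tls.supports_https:
        reasons.append("no_https")
    else:
        if not cn_matches(tls.cert_cn, name):
            reasons.append("cn_mismatch")
        if tls.not_after is None or tls.not_after <= now:
            reasons.append("cert_expired")
        if tls.self_signed:
            reasons.append("self_signed")
        if not tls.issuer_known_ca:
            reasons.append("unknown_ca")
    if not ns_records.get(name):
        reasons.append("ns_empty")
    return reasons

def flush_commands(dump, baseline, tls_obs, ns_records, now) -> List[str]:
    """S303: the unbound-control commands that evict every failing name."""
    cmds: List[str] = []
    for name, entry in parse_rrset_cache(dump).items():
        if violations(name, entry, baseline, tls_obs.get(name), ns_records, now):
            cmds.append(f"unbound-control flush {name}")
    return cmds

def run_sample() -> List[str]:
    return flush_commands(SAMPLE_DUMP, BASELINE, TLS_OBS, NS_RECORDS, NOW)
```

`unbound-control flush <name>` removes the common record types for that owner name only; use `flush_zone` if every name below it should go as well. Note that these checks inspect the web properties of a cached name after the fact; they are the patent's heuristics and are separate from Unbound's own DNSSEC validation, which rejects forged answers before they enter the cache.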
Fig. 4 schematically shows a flowchart of a domain name resolution system deployment method for IPv6 according to an embodiment of the present disclosure.
As shown in fig. 4, the method may include operations S401 to S407, for example.
In operation S401, a Docker virtualization environment supporting IPv6 is deployed.
In operation S402, a private Docker registry is established so that the other servers can pull images from it.
In operation S403, a front-end Keepalived + Nginx high-availability load balancing image is created and pushed to the private Docker registry.
In operation S404, a front-end Nginx reverse proxy image is created and pushed to the private Docker registry.
In operation S405, a back-end Keepalived + Nginx high-availability load balancing image is created and pushed to the private Docker registry.
In operation S406, an Unbound domain name resolution and DNS cache anti-poisoning image is created and pushed to the private Docker registry.
In operation S407, the host LVS + Keepalived high-availability load balancing system, the front-end Keepalived + Nginx high-availability load balancing system, the front-end Nginx reverse proxy system, the back-end Keepalived + Nginx high-availability load balancing system, the back-end Unbound domain name resolution system, and a monitoring server for the performance thresholds of the Unbound containers are established.
Based on the above domain name resolution system for IPv6, the embodiment of the present disclosure further provides a domain name resolution method for IPv6.
Fig. 5 schematically shows a flowchart of a domain name resolution method of IPv6 according to an embodiment of the present disclosure.
As shown in fig. 5, the domain name resolution method for IPv6 includes operations S501 to S506.
In operation S501, a user sends DNS request data.
In operation S502, the host LVS + Keepalived high-availability load balancing system receives the user's DNS request data and forwards it to the front-end Keepalived + Nginx high-availability load balancing system.
In operation S503, the front-end Keepalived + Nginx high-availability load balancing system receives the DNS request data forwarded by the host LVS + Keepalived high-availability load balancing system and forwards it to the front-end Nginx reverse proxy system.
In operation S504, the front-end Nginx reverse proxy system receives the DNS request data forwarded by the front-end Keepalived + Nginx high-availability load balancing system and forwards it to the back-end Keepalived + Nginx high-availability load balancing system.
In operation S505, the back-end Keepalived + Nginx high-availability load balancing system receives the DNS request data forwarded by the front-end Nginx reverse proxy system and forwards it to the back-end Unbound domain name resolution system.
In operation S506, the back-end Unbound domain name resolution and DNS cache anti-poisoning system receives the DNS request data forwarded by the back-end Keepalived + Nginx high-availability load balancing system and first looks up the requested record in its local cache. If the record is present, the cached result is returned to the user directly; if not, the request is resolved recursively until a final result is obtained, and that result is then returned to the user.
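The forwarding chain of S502 to S505 relays raw DNS queries between Nginx instances, which Nginx can only do with its `stream` module (the HTTP proxy cannot carry DNS datagrams). The following is an added example of the front-end Nginx reverse proxy tier, not configuration from the patent; the listening socket, the back-end VIP address and the timeout values are assumptions.

```nginx
# Added example, not from the patent: front-end Nginx reverse proxy relaying DNS
# over UDP and TCP to the back-end Keepalived + Nginx tier over IPv6.
# [2001:db8:1::10] stands in for the back-end Keepalived VIP (assumed address).
stream {
    upstream backend_dns_lb {
        server [2001:db8:1::10]:53;
    }

    server {
        listen [::]:53 udp;      # DNS over UDP
        listen [::]:53;          # DNS over TCP (retries after truncated UDP answers)
        proxy_pass backend_dns_lb;
        proxy_timeout 5s;        # assumed: release idle UDP sessions quickly
        proxy_responses 1;       # one datagram back per query, so the session closes early
    }
}
```

Because each hop terminates the transport, Unbound sees the back-end proxy as the client: its `access-control` rules must permit that proxy's address, and any per-client rate limiting or query logging has to happen at the proxy rather than in Unbound. The same `stream` block, with the Unbound container addresses as the upstream, serves for the back-end Keepalived + Nginx tier in S505.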
Fig. 6 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. Processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include on-board memory for caching purposes. Processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic device 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM 602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 600 may also include an input/output (I/O) interface 605, which is likewise connected to the bus 604. The electronic device 600 may also include one or more of the following components connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a display such as a Cathode Ray Tube (CRT) or Liquid Crystal Display (LCD), and a speaker; a storage portion 608 including a hard disk and the like; and a communication portion 609 including a network interface card such as a LAN card or a modem. The communication portion 609 performs communication processing via a network such as the Internet. A drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is mounted on the drive 610 as necessary, so that a computer program read from it can be installed into the storage portion 608 as needed.
According to an embodiment of the present disclosure, the method flow according to an embodiment of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be embodied in the device/apparatus/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to an embodiment of the present disclosure, a computer-readable storage medium may include the ROM 602 and/or the RAM 603 and/or one or more memories other than the ROM 602 and RAM 603 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by those skilled in the art that various combinations and/or combinations of the features recited in the various embodiments of the disclosure and/or the claims may be made even if such combinations or combinations are not explicitly recited in the disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A domain name resolution system for IPv6, comprising: at least one front-end server and at least one back-end server;
the front-end server is provided with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container; the LVS + Keepalived high-availability load balancing system is used for receiving a DNS request and selecting a Real Server to process the DNS request according to a scheduling algorithm; the front-end Keepalived + Nginx high-availability load balancing container and the front-end Nginx reverse proxy container are used for forwarding the DNS request; wherein a Real Server is a real back-end host;
a back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container are deployed on the back-end server; the back-end Keepalived + Nginx high-availability load balancing container is used for forwarding the DNS request, and the Unbound domain name resolution and DNS cache anti-poisoning container is used for performing domain name resolution according to the DNS request and clearing domain names that do not meet the conditions from the cache;
the front-end server is further provided with a monitoring service system, which is used for monitoring the running state of the Unbound domain name resolution and DNS cache anti-poisoning containers and adding or destroying Unbound domain name resolution and DNS cache anti-poisoning containers according to the running state; wherein adding or destroying the Unbound domain name resolution and DNS cache anti-poisoning containers according to the running state comprises: obtaining the performance value of each Unbound domain name resolution and DNS cache anti-poisoning container from its running state, and sorting the performance values of the Unbound domain name resolution and DNS cache anti-poisoning containers; increasing the number of Unbound domain name resolution and DNS cache anti-poisoning containers when all performance values are greater than a maximum performance threshold and the number of DNS requests is increasing; and, when the current number of Unbound domain name resolution and DNS cache anti-poisoning containers is greater than the initial number, all performance values are smaller than the maximum performance threshold, and the minimum of all performance values is smaller than a minimum performance threshold, destroying the Unbound domain name resolution and DNS cache anti-poisoning container with the minimum performance value.
2. The domain name resolution system for IPv6 according to claim 1, wherein the monitoring service system is further configured to monitor trigger events of the Unbound domain name resolution and DNS cache anti-poisoning containers, where a trigger event comprises insufficient memory and/or the Unbound process hanging and/or the presence of an illegal modification;
when a trigger event is detected, the monitoring service system adds an Unbound domain name resolution and DNS cache anti-poisoning container and destroys the Unbound domain name resolution and DNS cache anti-poisoning container on which the trigger event occurred.
3. The domain name resolution system for IPv6 according to claim 1, wherein the monitoring service system is further configured to monitor alarm events of the LVS + Keepalived high-availability load balancing system deployed on the front-end server, the front-end Keepalived + Nginx high-availability load balancing container, and the back-end Keepalived + Nginx high-availability load balancing container deployed on the back-end server, the alarm events including heartbeat alarms and/or alarms based on performance thresholds and/or alarms based on statistical anomaly detection.
4. The domain name resolution system for IPv6 according to claim 1, wherein a Harbor-based private Docker registry supporting IPv6 access is further deployed on the front-end server, the private Docker registry is configured to store images of the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container, and the Unbound domain name resolution and DNS cache anti-poisoning container, and each front-end server and each back-end server pulls images from the private Docker registry.
5. The domain name resolution system for IPv6 according to claim 1, wherein the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container, and the Unbound domain name resolution and DNS cache anti-poisoning container are deployed using Docker virtualization technology.
6. The domain name resolution system for IPv6 according to claim 1, wherein the monitoring service system includes an infrastructure automation (automated operations and maintenance) module, configured to add or destroy the Unbound domain name resolution and DNS cache anti-poisoning containers using infrastructure automation technology.
7. A monitoring method for a domain name resolution system for IPv6 based on any one of claims 1 to 6, comprising:
configuring the number of initial Unbound domain name resolution and DNS cache poisoning prevention containers and the maximum performance threshold and the minimum performance threshold of each Unbound domain name resolution and DNS cache poisoning prevention container;
monitoring the running state of each Unbound domain name resolution and DNS cache poisoning prevention container;
acquiring the performance values of the Unbound domain name resolution and DNS cache poisoning prevention containers corresponding to the running state according to the running state, and sequencing the performance values of the Unbound domain name resolution and DNS cache poisoning prevention containers;
if all the performance values are greater than the maximum performance threshold and the number of DNS requests is increasing, increasing the number of Unbound domain name resolution and DNS cache anti-poisoning containers;
if the current number of Unbound domain name resolution and DNS cache anti-poisoning containers is greater than the initial number, all the performance values are smaller than the maximum performance threshold, and the minimum of all the performance values is smaller than the minimum performance threshold, destroying the Unbound domain name resolution and DNS cache anti-poisoning container with the minimum performance value.
8. A cache cleaning method for the IPv6 domain name resolution system based on any one of claims 1 to 6, comprising:
extracting the DNS cache list in the Unbound domain name resolution and DNS cache anti-poisoning container;
judging, for the commonly used domain names, whether the IP address has changed according to the correspondence between domain name and IP address in the DNS cache list; judging in turn, for the other domain names besides the commonly used ones, whether the domain name supports the HTTPS protocol, whether the common name field of the SSL certificate matches the domain name, whether the SSL certificate has expired, whether the SSL certificate is self-signed, whether the SSL certificate was issued by an internationally known certificate authority, and whether the NS record is empty;
and clearing the domain name which does not meet the condition according to the judgment result.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of claim 7 or 8.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of claim 7 or 8.
CN202011532042.1A 2020-12-22 2020-12-22 Domain name resolution system, monitoring method, cache cleaning method, device and medium Active CN112637340B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011532042.1A CN112637340B (en) 2020-12-22 2020-12-22 Domain name resolution system, monitoring method, cache cleaning method, device and medium

Publications (2)

Publication Number Publication Date
CN112637340A CN112637340A (en) 2021-04-09
CN112637340B true CN112637340B (en) 2023-03-10

Family

ID=75322009

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103152443A (en) * 2013-03-04 2013-06-12 北京快网科技有限公司 Controllable load balancing method based on domain name analyzing technology
CN108009028A (en) * 2017-11-29 2018-05-08 中国平安人寿保险股份有限公司 Message treatment method, device, equipment and computer-readable recording medium
CN109151092A (en) * 2018-10-11 2019-01-04 深圳互联先锋科技有限公司 A kind of domain name analytic method

Family Cites Families (1)

Publication number Priority date Publication date Assignee Title
US10530738B2 (en) * 2014-08-07 2020-01-07 Citrix Systems, Inc. DNS resolution replay for bare domain names that map to “A” records

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right
Effective date of registration: 20211221
Address after: 100084 Beijing Haidian District Zhongguancun East Road 1 hospital Qinghua science and Technology Park 8 Building B block seal building
Applicant after: CERNET Co.,Ltd.
Address before: 100084 B1001-C 8, building 1, Zhongguancun East Road, Haidian District, Beijing, 2.
Applicant before: NEXT GENERATION INTERNET MAJOR APPLICATION TECHNOLOGY (BEIJING) ENGINEERING RESEARCH CENTER Co.,Ltd.
GR01 Patent grant