CN112637340B - Domain name resolution system, monitoring method, cache cleaning method, device and medium - Google Patents
- Publication number: CN112637340B (application CN202011532042.1A)
- Authority: CN (China)
- Prior art keywords: domain name; name resolution; container; poisoning; dns cache
- Prior art date:
- Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- G06F9/5022—Mechanisms to release resources
- G06F9/505—Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resource being a machine, e.g. CPUs, Servers, Terminals considering the load
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L63/1441—Countermeasures against malicious traffic
- H04L67/025—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
- H04L67/1004—Server selection for load balancing
- H04L67/1095—Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
- H04L67/566—Grouping or aggregating service requests, e.g. for unified processing
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present disclosure provides a domain name resolution system for IPv6, including a front-end server and a back-end server. The front-end server is provided with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container; the LVS + Keepalived high-availability load balancing system receives DNS requests, and the front-end Keepalived + Nginx high-availability load balancing container and the front-end Nginx reverse proxy container forward them. A back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container are deployed on the back-end server; the back-end Keepalived + Nginx high-availability load balancing container forwards the DNS requests, and the Unbound domain name resolution and DNS cache anti-poisoning container resolves them and clears domain names that do not meet the conditions from its cache. The front-end server is also provided with a monitoring service system, which monitors the running state of the Unbound domain name resolution and DNS cache anti-poisoning container and adds or destroys such containers according to that state.
Description
Technical Field
The present disclosure relates to the field of internet technologies, and in particular, to a domain name resolution system, a monitoring method, a cache cleaning method, a device, and a medium.
Background
Information on the internet is very extensive, and much of it is hot-spot information that people pay attention to; these hot spots are the most closely followed part of internet information. With the promotion of the national network information strategy, the development of IPv6 has been greatly advanced and more and more sites support IPv6 access, but most domain name servers do not support IPv6 well, and the experience of users accessing IPv6-capable sites is poor because of domain name resolution server performance, network delay, single points of failure and the like.
Disclosure of Invention
In view of the above, the present disclosure provides a domain name resolution system, a monitoring method, a cache cleaning method, a device, and a medium.
One aspect of the present disclosure provides a domain name resolution system for IPv6, including at least one front-end server and at least one back-end server. The front-end server is provided with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container; the LVS + Keepalived high-availability load balancing system receives DNS requests and selects a Real Server to process each request according to a scheduling algorithm; the front-end Keepalived + Nginx high-availability load balancing container and the front-end Nginx reverse proxy container forward the DNS requests. A back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container are deployed on the back-end server; the back-end Keepalived + Nginx high-availability load balancing container forwards the DNS requests, and the Unbound domain name resolution and DNS cache anti-poisoning container resolves them and clears domain names that do not meet the conditions from its cache. The front-end server is also provided with a monitoring service system, which monitors the running state of the Unbound domain name resolution and DNS cache anti-poisoning containers and adds or destroys such containers according to that state.
According to an embodiment of the disclosure, the monitoring service system is further configured to monitor trigger events of the Unbound domain name resolution and DNS cache anti-poisoning container, where a trigger event is insufficient memory and/or a hung ("falsely dead") Unbound process and/or an illegal modification of the container; when a trigger event is detected, the monitoring service system adds a new Unbound domain name resolution and DNS cache anti-poisoning container and destroys the one on which the trigger event occurred.
According to an embodiment of the disclosure, the monitoring service system is further configured to monitor alarm events of the LVS + Keepalived high-availability load balancing system and the front-end Keepalived + Nginx high-availability load balancing container deployed on the front-end server, and of the back-end Keepalived + Nginx high-availability load balancing container deployed on the back-end server; the alarm events include heartbeat alarms and/or alarms based on a performance threshold and/or alarms based on statistical anomaly detection.
According to an embodiment of the disclosure, a private Docker registry based on Harbor and supporting IPv6 access is also deployed on the front-end server. The registry stores the images of the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container and the Unbound domain name resolution and DNS cache anti-poisoning container, and each front-end server and each back-end server pulls its images from this registry.
According to an embodiment of the disclosure, the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container and the Unbound domain name resolution and DNS cache anti-poisoning container are deployed using Docker virtualization technology.
According to an embodiment of the disclosure, the monitoring service system comprises an automated infrastructure operation and maintenance module, which adds or destroys Unbound domain name resolution and DNS cache anti-poisoning containers using automated infrastructure operation and maintenance technology.
Another aspect of the present disclosure provides a monitoring method for the IPv6 domain name resolution system described above, including: configuring the initial number of Unbound domain name resolution and DNS cache anti-poisoning containers and the maximum and minimum performance thresholds of each such container; monitoring the running state of each Unbound domain name resolution and DNS cache anti-poisoning container; obtaining, from the running state, the performance value of each Unbound domain name resolution and DNS cache anti-poisoning container and sorting the performance values; if all performance values are greater than the maximum performance threshold and the number of DNS requests is increasing, increasing the number of Unbound domain name resolution and DNS cache anti-poisoning containers; and if the current number of Unbound domain name resolution and DNS cache anti-poisoning containers is greater than the initial number, all performance values are smaller than the maximum performance threshold, and the smallest performance value is smaller than the minimum performance threshold, destroying the Unbound domain name resolution and DNS cache anti-poisoning container that has the smallest performance value.
Another aspect of the present disclosure provides a cache cleaning method for the IPv6 domain name resolution system described above, including: extracting the DNS cache list from an Unbound domain name resolution and DNS cache anti-poisoning container; judging, from the correspondence table of commonly used domain names and their IP addresses, whether the IP address of a common domain name in the DNS cache list has changed; for the other domain names, judging in turn whether the domain supports the HTTPS protocol, whether the common name field of its SSL certificate matches the domain name, whether the SSL certificate has expired, whether the SSL certificate is self-signed, whether the SSL certificate was issued by an internationally well-known certificate authority, and whether the NS records are empty; and clearing the domain names that do not meet the conditions according to the judgment results.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically shows a block diagram of a domain name resolution system for IPv6 according to an embodiment of the present disclosure;
fig. 2 schematically illustrates a flow chart of a monitoring method for a domain name resolution system for IPv6 according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a cache cleaning method for an IPv6 domain name resolution system according to an embodiment of the present disclosure;
FIG. 4 schematically illustrates a flow diagram of a domain name resolution system deployment method for IPv6 in accordance with an embodiment of the present disclosure;
fig. 5 schematically shows a flowchart of a domain name resolution method of IPv6 according to an embodiment of the present disclosure;
fig. 6 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction should be interpreted in the sense one having ordinary skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B, a and C, B and C, and/or A, B, C, etc.). Where a convention analogous to "A, B or at least one of C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B or C" would include, but not be limited to, systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In order to optimize user access to hot-spot information sites that support IPv6, the speed of resolving a domain name to its IPv6 address must be increased, which improves the experience of users querying hot-spot information sites. The embodiment of the disclosure provides a method for implementing a million-level high-concurrency IPv6 DNS cluster resolution technology. It is based on IPv6, Docker virtualization, Ansible automated operation and maintenance, a host LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing system, a front-end Nginx reverse proxy system, a back-end Keepalived + Nginx high-availability load balancing system, a back-end Unbound domain name resolution and DNS cache anti-poisoning system, a private Docker registry and an Unbound container performance threshold monitoring server, and implements a high-availability, high-concurrency IPv6 DNS cluster resolution technology that improves the IPv6 address resolution speed of domain names and the experience of users accessing hot-spot information sites. The following detailed description is made with reference to the accompanying drawings.
Fig. 1 schematically shows a block diagram of a domain name resolution system for IPv6 according to an embodiment of the present disclosure.
As shown in fig. 1, the domain name resolution system for IPv6 includes at least one front-end server and at least one back-end server.
Each front-end server is deployed with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container, and is configured as a Docker virtualization environment. Each front-end server is also provided with a monitoring service system. Each back-end server is provided with a back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container.
According to an embodiment of the disclosure, deploying the LVS + Keepalived high-availability load balancing system means that an LVS + Keepalived high-availability load balancing environment is established on the host of each front-end server and a virtual IPv6 address is provided for the external service. The LVS load balancer receives all inbound requests and determines, according to its scheduling algorithm, which Real Server processes each request; Keepalived implements high availability on the basis of the VRRP protocol, so that a single point of failure is avoided and the virtual IPv6 address of the external service stays reachable.
According to an embodiment of the disclosure, the front-end Keepalived + Nginx high-availability load balancing container is deployed using Docker virtualization technology to form the front-end Keepalived + Nginx high-availability load balancing system, and the Keepalived + Nginx high-availability load balancing system of each front-end server can provide a virtual IPv6 address for the external service.
According to an embodiment of the disclosure, the front-end Nginx reverse proxy container is deployed using Docker virtualization technology to form the front-end Nginx reverse proxy system. The number of containers is determined by the actual application; for example, six front-end Nginx reverse proxy containers are deployed on each front-end server, and the six front-end Nginx reverse proxy containers on each front-end server together form the front-end Nginx reverse proxy container cluster.
According to an embodiment of the disclosure, the back-end Keepalived + Nginx high-availability load balancing container is deployed using Docker virtualization technology to form the back-end Keepalived + Nginx high-availability load balancing system, and the Keepalived + Nginx high-availability load balancing system of each back-end server can provide a virtual IPv6 address for the external service.
According to an embodiment of the disclosure, the Unbound domain name resolution and DNS cache anti-poisoning container is deployed using Docker virtualization technology to form the Unbound domain name resolution and DNS cache anti-poisoning system. The number of containers is determined by the actual application; for example, six Unbound domain name resolution and DNS cache anti-poisoning containers may be deployed, and all the Unbound domain name resolution and DNS cache anti-poisoning containers of each back-end server form the Unbound domain name resolution and DNS cache anti-poisoning system. When a DNS request arrives, the Unbound domain name resolution and DNS cache anti-poisoning container first looks up its own cache; if a record for the requested name exists in the cache, it is returned to the user directly, and if not, the container resolves the name recursively, starting from the DNS root servers, until the final answer is obtained, and returns that result to the user.
A DNS cache anti-poisoning cleaning program configured on the Unbound domain name resolution and DNS cache anti-poisoning container periodically extracts the Unbound DNS cache list. It first compares the cached entries of commonly used domain names against the table of common domain names and their IP addresses and judges whether an IP address has changed. For the other domain names it judges in turn whether the domain supports HTTPS, whether the common name field of the SSL certificate matches the domain name, whether the SSL certificate has expired, whether the SSL certificate is self-signed, whether the SSL certificate was issued by an internationally well-known certificate authority, whether the NS records are empty, and conditions such as whether the domain name has been queried with ANY-type requests. The domain names screened out as not meeting the conditions are then automatically cleared from the cache.
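The cleaning pass described above (and in the cache cleaning method of the summary), written out as an added example; this is not the patent's own program. It parses a constructed `unbound-control dump_cache` listing, compares the common-domain entries against an operator-kept reference table, applies the HTTPS, certificate and NS checks in the order the text lists them to the remaining names, and emits the `unbound-control flush` commands for the names that fail. The reference table `KNOWN_IPS`, the `CertFacts` structure and the collector that would fill it from live TLS connections are assumptions; the collector output is constructed here so the script runs offline.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set, Tuple

# Constructed, abridged `unbound-control dump_cache` output (not a real capture).
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 300 1 0 8 3
www.example.net.\t300\tIN\tAAAA\t2001:db8:1::10
bank.example.\t60\tIN\tAAAA\t2001:db8:bad::1
shop.example.\t120\tIN\tAAAA\t2001:db8:2::5
shop.example.\t3600\tIN\tNS\tns1.shop.example.
cdn.example.\t120\tIN\tAAAA\t2001:db8:3::7
evil.example.\t120\tIN\tAAAA\t2001:db8:4::1
END_RRSET_CACHE
START_MSG_CACHE
END_MSG_CACHE
EOF
"""

# Assumed operator-kept reference table: common domain -> expected address set.
KNOWN_IPS: Dict[str, Set[str]] = {
    "www.example.net": {"2001:db8:1::10"},
    "bank.example": {"2001:db8:9::1"},
}


@dataclass
class CertFacts:
    """What a (hypothetical) collector learned about a name's HTTPS endpoint."""
    https: bool
    common_name: Optional[str] = None
    not_after: Optional[datetime] = None
    self_signed: bool = True
    issuer_trusted: bool = False  # issued by a well-known public CA?


NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)  # constructed clock for the run

# Constructed collector output for the non-common names in SAMPLE_DUMP.
CERT_FACTS: Dict[str, CertFacts] = {
    "shop.example": CertFacts(True, "shop.example", datetime(2021, 6, 1, tzinfo=timezone.utc), False, True),
    "cdn.example": CertFacts(True, "cdn.example", datetime(2021, 6, 1, tzinfo=timezone.utc), True, False),
    "evil.example": CertFacts(False),
}


def parse_dump(dump: str) -> Dict[str, Dict[str, Set[str]]]:
    """Return {owner: {rrtype: {rdata, ...}}} for the A/AAAA/NS rrsets in a dump."""
    records: Dict[str, Dict[str, Set[str]]] = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "START_", "END_", "EOF")):
            continue
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, rrtype, rdata = parts[0].rstrip(".").lower(), parts[3], parts[4]
        if rrtype in ("A", "AAAA", "NS"):
            records.setdefault(owner, {}).setdefault(rrtype, set()).add(rdata)
    return records


def check_name(name, rrs, known_ips, cert_facts, now) -> Optional[str]:
    """First failed condition for one cached name, in the order the text lists them."""
    addrs = rrs.get("A", set()) | rrs.get("AAAA", set())
    if name in known_ips:
        # Common domain: only the address comparison applies.
        return "IP changed vs. reference table" if addrs and addrs != known_ips[name] else None
    facts = cert_facts.get(name)
    if facts is None or not facts.https:
        return "no HTTPS service"
    if facts.common_name != name:
        return "certificate common name does not match"
    if facts.not_after is None or facts.not_after <= now:
        return "certificate expired"
    if facts.self_signed:
        return "self-signed certificate"
    if not facts.issuer_trusted:
        return "issuer not a well-known CA"
    if not rrs.get("NS"):
        return "NS records empty"
    return None


def find_bad_entries(dump, known_ips, cert_facts, now) -> List[Tuple[str, str]]:
    records = parse_dump(dump)
    bad = []
    for name in sorted(records):
        reason = check_name(name, records[name], known_ips, cert_facts, now)
        if reason:
            bad.append((name, reason))
    return bad


def flush_commands(bad) -> List[str]:
    # `unbound-control flush <name>` drops the name's A/AAAA/NS/... rrsets and messages.
    return [f"unbound-control flush {name}" for name, _ in bad]


if __name__ == "__main__":
    bad = find_bad_entries(SAMPLE_DUMP, KNOWN_IPS, CERT_FACTS, NOW)
    for name, reason in bad:
        print(f"{name}: {reason}")
    print("\n".join(flush_commands(bad)))
```

Two caveats a practitioner would add: an exact match on the certificate common name rejects wildcard and SAN-only certificates, so a real collector should compare against the subjectAltName list; and evicting a record only forces a fresh lookup, which a still-active attacker can poison again, so these heuristics complement rather than replace DNSSEC validation in Unbound itself.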
According to an embodiment of the disclosure, the front-end server being further provided with a monitoring service system means that a monitoring server for tracking the real-time performance changes of the Unbound containers is established on the front-end server. The monitoring server monitors the real-time performance of all Unbound containers through an API interface and uses alarm-driven automated operation and maintenance to react in time. When user DNS requests surge, the measured load of the Unbound containers rises, and when the DNS request queue of an Unbound container grows suddenly, the domain name resolution speed of that container drops. The monitoring server therefore sets a maximum predefined threshold and a minimum predefined threshold over the factors that influence the resolution speed of an Unbound container, such as CPU utilization, memory usage, the memory failure counter, IO throughput, the network error rate and the number of queued DNS requests in the Unbound container, and obtains a real-time ranking of the performance measurements of all Unbound containers with a quicksort. When the real-time performance measurements of the Unbound containers exceed the maximum predefined threshold, the number of Unbound containers is increased with Ansible automated operation and maintenance technology, relieving the pressure on the Unbound container system in time. When the number of Unbound containers is greater than 12, the real-time performance measurements of all Unbound containers are below the maximum predefined threshold, and the measurement of the last-ranked Unbound container is below the minimum predefined destruction threshold, the system resources of that Unbound container are released automatically with Ansible automated operation and maintenance technology.
According to an embodiment of the disclosure, in the whole high-availability, high-concurrency IPv6 DNS domain name resolution cluster, the DNS request data of all users only passes through the front-end host LVS + Keepalived high-availability load balancing system, the front-end Keepalived + Nginx high-availability load balancing system, the front-end Nginx reverse proxy system and the back-end Keepalived + Nginx high-availability load balancing system, which forward it directly and are under practically no pressure and present no bottleneck; the pressure of the whole cluster therefore falls on the back-end Unbound domain name resolution container cluster. The resolution speed of the Unbound container cluster set up by this method directly determines the performance of the whole domain name resolution system, so optimizing the performance of the Unbound container cluster greatly improves the resolution capability of the whole system.
According to an embodiment of the present disclosure, the monitoring service system is further configured to monitor trigger events of the Unbound domain name resolution and DNS cache anti-poisoning container, where the trigger events may include insufficient memory, a hung ("falsely dead") Unbound process, and illegal modification of the container. It is not common practice to modify deployed containers in production, so when changes to the container file system are committed, the commit may represent a "hacking". When one of the three trigger events occurs, the monitoring service system promptly processes the corresponding Unbound domain name resolution container: it first starts a new container and then destroys the Unbound container on which the trigger event occurred. The monitoring service system comprises an automated infrastructure operation and maintenance module, which adds or destroys Unbound domain name resolution and DNS cache anti-poisoning containers using automated infrastructure operation and maintenance technology.
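How the three trigger events might be evaluated for one Unbound container, as an added example that is not the patent's code. The "illegal modification" check walks the change list that `docker diff <container>` prints (A = added, C = changed, D = deleted) and flags anything outside an operator-defined allow-list of paths the resolver legitimately writes at runtime; the memory and liveness inputs stand in for values the monitor's API would supply. `SAMPLE_DIFF`, `EXPECTED_WRITABLE`, the 90 % memory watermark and the `docker run` / `docker rm -f` replacement sequence are assumptions for illustration.

```python
from typing import List, Tuple

# Constructed `docker diff <container>` output for an Unbound container (not a real capture).
SAMPLE_DIFF = """\
C /var/lib/unbound
A /var/lib/unbound/root.key
C /etc/unbound
C /etc/unbound/unbound.conf
A /usr/local/bin/.x
"""

# Assumed allow-list: paths an Unbound container legitimately writes while running
# (root trust anchor updates, pid/socket files, logs). Everything else is suspect.
EXPECTED_WRITABLE = ("/var/lib/unbound", "/run", "/tmp", "/var/log")


def illegal_changes(diff_output: str, allowed=EXPECTED_WRITABLE) -> List[Tuple[str, str]]:
    """Return (kind, path) for every filesystem change outside the allow-list."""
    flagged = []
    for line in diff_output.splitlines():
        if not line.strip():
            continue
        kind, path = line.split(maxsplit=1)
        if kind not in ("A", "C", "D"):
            continue
        if not any(path == a or path.startswith(a + "/") for a in allowed):
            flagged.append((kind, path))
    return flagged


def trigger_events(mem_used: int, mem_limit: int, unbound_alive: bool,
                   unbound_answering: bool, diff_output: str,
                   mem_high_watermark: float = 0.90) -> List[str]:
    """Evaluate the three trigger events the text names for one container.

    mem_used / mem_limit: bytes from the container's memory cgroup (assumed source);
    unbound_alive: the unbound process exists; unbound_answering: a probe query
    to the container got a reply. Alive but not answering is the "false death" case.
    """
    events = []
    if mem_limit > 0 and mem_used / mem_limit >= mem_high_watermark:
        events.append("insufficient memory")
    if unbound_alive and not unbound_answering:
        events.append("unbound process hung")
    if illegal_changes(diff_output):
        events.append("illegal modification")
    return events


def replacement_plan(old: str, new: str, image: str) -> List[str]:
    """Order matters: bring the replacement up first, destroy the suspect one second,
    so resolver capacity never drops during the swap."""
    return [f"docker run -d --name {new} {image}", f"docker rm -f {old}"]


if __name__ == "__main__":
    events = trigger_events(100_000_000, 1_000_000_000, True, False, SAMPLE_DIFF)
    print("trigger events:", events)
    for kind, path in illegal_changes(SAMPLE_DIFF):
        print(f"  {kind} {path}")
    if events:
        print("\n".join(replacement_plan("unbound-3", "unbound-7", "registry.example/unbound:1")))
```

On the "illegal modification" path a practitioner would insert one step the text does not mention: `docker export` (or `docker commit`) the suspect container before `docker rm -f` destroys it, so that the modified files are preserved for incident response rather than lost with the container.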
According to an embodiment of the disclosure, the monitoring service system is further configured to monitor alarm events of the LVS + Keepalived high-availability load balancing system and the front-end Keepalived + Nginx high-availability load balancing container deployed on the front-end server, and of the back-end Keepalived + Nginx high-availability load balancing container deployed on the back-end server, where the alarm events include heartbeat alarms and/or alarms based on performance thresholds and/or alarms based on statistical anomaly detection. A heartbeat alarm is raised when the high-availability system switches between the master and the standby. An alarm based on a performance threshold is raised when a metric value exceeds a predefined threshold. An alarm based on statistical anomaly detection may be raised when a metric value changes suddenly and deviates from its baseline. The monitoring service system detects alarm events promptly so that they can be handled in time and domain name resolution keeps running quickly and normally.
According to an embodiment of the disclosure, a private Docker registry based on Harbor and supporting IPv6 access is also deployed on the front-end server. The registry stores the images of the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container and the Unbound domain name resolution and DNS cache anti-poisoning container, and each front-end server and each back-end server pulls its images from this registry. Each server node pulls images only over HTTPS, which improves the security of the private Docker registry.
By the domain name resolution system for IPv6 provided by the embodiment of the disclosure, the resolution speed of the domain name IPv6 address can be improved, single-point failure of the system is avoided, and the experience of a user for accessing a hot spot information site is improved.
Based on the same inventive concept, the embodiment of the disclosure also provides a monitoring method based on the above domain name resolution system for IPv6.
Fig. 2 schematically shows a flowchart of a monitoring method for a domain name resolution system of IPv6 according to an embodiment of the present disclosure.
As shown in fig. 2, the method may include, for example, operations S201 to S205.
In operation S201, the number of initial Unbound domain name resolution and DNS cache anti-poisoning containers, and the maximum and minimum performance thresholds of each such container, are configured.
In operation S202, the running state of each Unbound domain name resolution and DNS cache anti-poisoning container is monitored.
In operation S203, the performance value of each Unbound domain name resolution and DNS cache anti-poisoning container is obtained from its running state, and the performance values are sorted.
In operation S204, if all performance values are greater than the maximum performance threshold and the number of DNS requests is increasing, the number of Unbound domain name resolution and DNS cache anti-poisoning containers is increased.
In operation S205, if the current number of Unbound domain name resolution and DNS cache anti-poisoning containers is greater than the initial number, all performance values are smaller than the maximum performance threshold, and the minimum performance value is smaller than the minimum performance threshold, the Unbound domain name resolution and DNS cache anti-poisoning container corresponding to the minimum performance value is destroyed.
By the monitoring method of the embodiment of the disclosure, containers can be added and destroyed in time, system resources are released, and the speed of domain name resolution is improved.
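The scaling rule of operations S201 to S205, written out as a pure decision function so it can be checked offline. This is an added example and not code from the patent; the container names, the performance values (abstract numbers where higher means busier) and the thresholds are constructed.

```python
"""Scaling decision for a pool of Unbound resolver containers (S201-S205).

Added example, not the patent's own code.  The decision is a pure function
of one monitoring sample so that it can be unit-tested without Docker.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PoolConfig:
    """Operation S201: initial container count and per-container thresholds."""
    initial_count: int
    max_threshold: float
    min_threshold: float


@dataclass(frozen=True)
class ScalingDecision:
    action: str                      # "scale_up", "destroy" or "hold"
    container: Optional[str] = None  # container to destroy, when action == "destroy"
    reason: str = ""


def decide(cfg: PoolConfig,
           performance: Dict[str, float],   # S202/S203: container name -> performance value
           dns_requests_increasing: bool) -> ScalingDecision:
    """Apply the S204 and S205 rules to one monitoring sample."""
    if not performance:
        raise ValueError("no running Unbound containers observed")

    # S203: sort the performance values; index 0 is the least-loaded container.
    ranked = sorted(performance.items(), key=lambda kv: kv[1])
    values = [v for _, v in ranked]
    current_count = len(values)

    # S204: every container is above the maximum threshold AND request volume
    # is still growing.  Both conditions are required, so a momentary spike
    # with flat request volume does not trigger a scale-up.
    if all(v > cfg.max_threshold for v in values) and dns_requests_increasing:
        return ScalingDecision("scale_up",
                               reason="all containers above max threshold and DNS load rising")

    # S205: shrink only while above the initial pool size, only when no
    # container is at or above the maximum, and only if the least-loaded one
    # has dropped under the minimum threshold.  The least-loaded container
    # is the one destroyed.
    least_name, least_value = ranked[0]
    if (current_count > cfg.initial_count
            and all(v < cfg.max_threshold for v in values)
            and least_value < cfg.min_threshold):
        return ScalingDecision("destroy", container=least_name,
                               reason="pool above initial size and least-loaded "
                                      "container under min threshold")

    return ScalingDecision("hold", reason="thresholds not crossed")


if __name__ == "__main__":
    # Constructed sample: two initial containers, thresholds 80 / 20.
    cfg = PoolConfig(initial_count=2, max_threshold=80.0, min_threshold=20.0)
    print(decide(cfg, {"unbound-1": 90.0, "unbound-2": 85.0}, True))
    print(decide(cfg, {"unbound-1": 50.0, "unbound-2": 10.0, "unbound-3": 40.0}, False))
```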
Based on the same inventive concept, the embodiment of the present disclosure further provides a cache cleaning method based on the above domain name resolution system for IPv6.
Fig. 3 schematically shows a flowchart of a cache cleaning method for an IPv6 domain name resolution system according to an embodiment of the present disclosure.
As shown in fig. 3, the method may include operations S301 to S303, for example.
In operation S301, the DNS cache list of the Unbound domain name resolution and DNS cache anti-poisoning container is extracted.
In operation S302, for the commonly used domain names, whether the IP address has changed is determined from the correspondence between domain name and IP address in the DNS cache list; for the other domain names, it is then determined in turn whether the domain name supports the HTTPS protocol, whether the common name field of the SSL certificate is consistent with the domain name, whether the SSL certificate has expired, whether the SSL certificate is self-signed, whether the SSL certificate was issued by an internationally known certificate authority, and whether the NS record is empty.
In operation S303, the domain names that do not meet the conditions are removed from the cache according to the determination results.
According to the embodiment of the disclosure, a domain name does not meet the conditions if its IP address has changed, or, for domain names other than the commonly used ones, if it does not support the HTTPS protocol, the common name field of its SSL certificate is inconsistent with the domain name, its SSL certificate has expired, its SSL certificate is self-signed, its SSL certificate was not issued by an internationally known certificate authority, or its NS record is empty; such domain names are removed from the cache.
By the cache cleaning method of the embodiment of the disclosure, domain names that do not meet the conditions are cleared from the cache in time, system resources are released, and the speed of domain name resolution is improved.
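The checks of operations S301 to S303 applied to a constructed snapshot of the cache list. This is an added example, not the patent's code: the facts the real probes would collect (HTTPS reachability, certificate fields, NS records) are embedded in each constructed entry, and the set of known issuers is a placeholder.

```python
"""Cache cleaning checks of operations S301-S303 over a constructed snapshot.

Added example, not the patent's own code.  No network or TLS probing is
performed: each CacheEntry already carries what the probes would return.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Certificate:
    common_name: str
    issuer: str
    not_after: datetime
    self_signed: bool


@dataclass
class CacheEntry:
    domain: str
    ip: str
    common: bool = False                 # a "commonly used domain name" with a pinned IP
    expected_ip: Optional[str] = None    # known-good IP for a common domain
    https_supported: bool = False
    certificate: Optional[Certificate] = None
    ns_records: List[str] = field(default_factory=list)


# Constructed placeholder for "internationally known certificate authorities";
# a deployment would carry its operator's own trust list here.
KNOWN_ISSUERS = {"Example Trust CA", "Example Global Root"}


def cn_matches(common_name: str, domain: str) -> bool:
    """Certificate CN vs. domain, allowing a wildcard that covers exactly one label."""
    cn = common_name.lower().rstrip(".")
    dom = domain.lower().rstrip(".")
    if cn == dom:
        return True
    if cn.startswith("*."):
        suffix = cn[1:]                                  # ".example.com"
        front = dom[: -len(suffix)] if dom.endswith(suffix) else ""
        # "*.example.com" matches "www.example.com" but neither "example.com"
        # nor "a.b.example.com".
        return bool(front) and "." not in front
    return False


def check_entry(entry: CacheEntry, now: datetime) -> List[str]:
    """Return the reasons (empty if none) for which an entry fails S302."""
    reasons: List[str] = []
    if entry.common:
        # Common domains: the only test is whether the IP moved off the pinned value.
        if entry.expected_ip is not None and entry.ip != entry.expected_ip:
            reasons.append(f"IP changed from {entry.expected_ip} to {entry.ip}")
        return reasons

    if not entry.https_supported:
        reasons.append("no HTTPS")
    cert = entry.certificate
    if cert is None:
        reasons.append("no certificate")
    else:
        if not cn_matches(cert.common_name, entry.domain):
            reasons.append(f"CN {cert.common_name!r} does not match domain")
        if cert.not_after <= now:
            reasons.append("certificate expired")
        if cert.self_signed:
            reasons.append("self-signed certificate")
        if cert.issuer not in KNOWN_ISSUERS:
            reasons.append(f"issuer {cert.issuer!r} not a known CA")
    if not entry.ns_records:
        reasons.append("empty NS record")
    return reasons


def clean_cache(entries: List[CacheEntry], now: datetime) -> Dict[str, object]:
    """S303: report which domains stay and which are removed, with reasons."""
    failures = {e.domain: check_entry(e, now) for e in entries}
    removed = {d: r for d, r in failures.items() if r}
    kept = [e.domain for e in entries if e.domain not in removed]
    return {"kept": kept, "removed": removed}
```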
It should be noted that the method embodiments of the present disclosure correspond to the system embodiments, and their specific implementation details and technical effects are similar and are not repeated here.
The embodiment of the disclosure also provides a method for deploying the domain name resolution system for IPv6.
Fig. 4 schematically shows a flowchart of a domain name resolution system deployment method for IPv6 according to an embodiment of the present disclosure.
As shown in fig. 4, the method may include operations S401 to S407, for example.
In operation S401, a Docker virtualization environment supporting IPv6 is deployed.
In operation S402, a Docker private repository is established so that the other servers can pull images from it.
In operation S403, the front-end Keepalived + Nginx high-availability load balancing image is built and imported into the Docker private repository.
In operation S404, the front-end Nginx reverse proxy image is built and imported into the Docker private repository.
In operation S405, the back-end Keepalived + Nginx high-availability load balancing image is built and imported into the Docker private repository.
In operation S406, the Unbound domain name resolution and DNS cache anti-poisoning image is built and imported into the Docker private repository.
In operation S407, the host LVS + Keepalived high-availability load balancing system, the front-end Keepalived + Nginx high-availability load balancing system, the front-end Nginx reverse proxy system, the back-end Keepalived + Nginx high-availability load balancing system, the back-end Unbound domain name resolution system, and the monitoring server for the performance thresholds of the Unbound containers are established.
Based on the above domain name resolution system for IPv6, the embodiment of the present disclosure further provides a domain name resolution method for IPv6.
Fig. 5 schematically shows a flowchart of a domain name resolution method for IPv6 according to an embodiment of the present disclosure.
As shown in fig. 5, the method for resolving a domain name in IPv6 includes operations S501 to S506.
In operation S501, a user sends DNS request data.
In operation S502, the host LVS + Keepalived high-availability load balancing system receives the user's DNS request data and forwards it to the front-end Keepalived + Nginx high-availability load balancing system.
In operation S503, the front-end Keepalived + Nginx high-availability load balancing system receives the DNS request data forwarded by the host LVS + Keepalived high-availability load balancing system and forwards it to the front-end Nginx reverse proxy system.
In operation S504, the front-end Nginx reverse proxy system receives the DNS request data forwarded by the front-end Keepalived + Nginx high-availability load balancing system and forwards it to the back-end Keepalived + Nginx high-availability load balancing system.
In operation S505, the back-end Keepalived + Nginx high-availability load balancing system receives the DNS request data forwarded by the front-end Nginx reverse proxy system and forwards it to the back-end Unbound domain name resolution system.
In operation S506, the back-end Unbound domain name resolution and DNS cache anti-poisoning system receives the DNS request data forwarded by the back-end Keepalived + Nginx high-availability load balancing system and first checks whether the local cache holds a record for the request. If it does, the result is returned to the user directly; if not, the request is resolved recursively until the final result is obtained, and that result is then returned to the user.
Fig. 6 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 6 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 6, an electronic device 600 according to an embodiment of the present disclosure includes a processor 601, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. Processor 601 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 601 may also include on-board memory for caching purposes. Processor 601 may include a single processing unit or multiple processing units for performing different actions of a method flow according to embodiments of the disclosure.
In the RAM 603, various programs and data necessary for the operation of the electronic apparatus 600 are stored. The processor 601, the ROM 602, and the RAM 603 are connected to each other via a bus 604. The processor 601 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 602 and/or RAM 603. It is to be noted that the programs may also be stored in one or more memories other than the ROM 602 and RAM 603. The processor 601 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the method flow according to an embodiment of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611. The computer program, when executed by the processor 601, performs the above-described functions defined in the system of the embodiments of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be embodied in the device/apparatus/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to an embodiment of the present disclosure, a computer-readable storage medium may include ROM 602 and/or RAM 603 and/or one or more memories other than ROM 602 and RAM 603 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by those skilled in the art that various combinations and/or combinations of the features recited in the various embodiments of the disclosure and/or the claims may be made even if such combinations or combinations are not explicitly recited in the disclosure. In particular, various combinations and/or combinations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.
Claims (10)
1. A domain name resolution system for IPv6, comprising: at least one front-end server and at least one back-end server;
the front-end server is provided with an LVS + Keepalived high-availability load balancing system, a front-end Keepalived + Nginx high-availability load balancing container and a front-end Nginx reverse proxy container; the LVS + Keepalived high-availability load balancing system is used for receiving a DNS request and selecting a Real Server to process the DNS request according to a scheduling algorithm; the front-end Keepalived + Nginx high-availability load balancing container and the front-end Nginx reverse proxy container are used for forwarding the DNS request; wherein a Real Server is a real host;
a back-end Keepalived + Nginx high-availability load balancing container and an Unbound domain name resolution and DNS cache anti-poisoning container are deployed on the back-end server, the back-end Keepalived + Nginx high-availability load balancing container is used for forwarding the DNS request, and the Unbound domain name resolution and DNS cache anti-poisoning container is used for performing domain name resolution according to the DNS request and clearing domain names which do not meet conditions from the cache;
the front-end server is also provided with a monitoring service system which is used for monitoring the running state of the Unbound domain name resolution and DNS cache anti-poisoning containers and adding or destroying Unbound domain name resolution and DNS cache anti-poisoning containers according to the running state; wherein adding or destroying the Unbound domain name resolution and DNS cache anti-poisoning containers according to the running state comprises: acquiring the performance values of the Unbound domain name resolution and DNS cache anti-poisoning containers corresponding to the running state according to the running state, and sorting the performance values; increasing the number of Unbound domain name resolution and DNS cache anti-poisoning containers under the condition that all performance values are larger than a maximum performance threshold and the number of DNS requests is increasing; and under the condition that the current number of Unbound domain name resolution and DNS cache anti-poisoning containers is greater than the initial number, all performance values are smaller than the maximum performance threshold, and the minimum of all performance values is smaller than a minimum performance threshold, destroying the Unbound domain name resolution and DNS cache anti-poisoning container corresponding to the minimum performance value.
2. The domain name resolution system for IPv6 according to claim 1, wherein the monitoring service system is further configured to monitor a trigger event of the Unbound domain name resolution and DNS cache anti-poisoning container, where the trigger event includes insufficient memory and/or an unresponsive (hung) Unbound process and/or an illegal modification;
when a trigger event is detected by the monitoring, the monitoring service system adds an Unbound domain name resolution and DNS cache anti-poisoning container and destroys the Unbound domain name resolution and DNS cache anti-poisoning container on which the trigger event occurred.
3. The domain name resolution system for IPv6 according to claim 1, wherein the monitoring service system is further configured to monitor alarm events of the LVS + Keepalived high-availability load balancing system deployed on the front-end server, the front-end Keepalived + Nginx high-availability load balancing container, and the back-end Keepalived + Nginx high-availability load balancing container deployed on the back-end server, the alarm events including heartbeat alarms and/or alarms based on performance thresholds and/or alarms based on statistical anomaly detection.
4. The domain name resolution system for IPv6 according to claim 1, wherein a Harbor-based Docker private repository supporting IPv6 access is further deployed on the front-end server, the Docker private repository is configured to store images of the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container, and the Unbound domain name resolution and DNS cache anti-poisoning container, and each of the front-end server and the back-end server pulls images from the Docker private repository.
5. The domain name resolution system for IPv6 of claim 1, wherein the front-end Keepalived + Nginx high-availability load balancing container, the front-end Nginx reverse proxy container, the back-end Keepalived + Nginx high-availability load balancing container, and the Unbound domain name resolution and DNS cache anti-poisoning container are deployed based on Docker virtualization technology.
6. The domain name resolution system for IPv6 according to claim 1, wherein the monitoring service system includes an infrastructure automation operation and maintenance module, configured to add or destroy the Unbound domain name resolution and DNS cache anti-poisoning container by using infrastructure automation operation and maintenance technology.
7. A monitoring method for a domain name resolution system for IPv6 based on any one of claims 1 to 6, comprising:
configuring the number of initial Unbound domain name resolution and DNS cache poisoning prevention containers and the maximum performance threshold and the minimum performance threshold of each Unbound domain name resolution and DNS cache poisoning prevention container;
monitoring the running state of each Unbound domain name resolution and DNS cache poisoning prevention container;
acquiring the performance values of the Unbound domain name resolution and DNS cache poisoning prevention containers corresponding to the running state according to the running state, and sequencing the performance values of the Unbound domain name resolution and DNS cache poisoning prevention containers;
if all the performance values are larger than the maximum performance threshold and the number of DNS requests is increasing, increasing the number of Unbound domain name resolution and DNS cache poisoning prevention containers;
if the number of the current Unbound domain name resolution and DNS cache anti-poisoning containers is larger than the number of the initial Unbound domain name resolution and DNS cache anti-poisoning containers, all the performance values are smaller than the maximum performance threshold, and the minimum performance value in all the performance values is smaller than the minimum performance threshold, destroying the Unbound domain name resolution and DNS cache anti-poisoning container corresponding to the minimum performance value.
8. A cache cleaning method for the IPv6 domain name resolution system based on any one of claims 1 to 6, comprising:
extracting a DNS cache list in the Unbound domain name resolution and DNS cache poisoning prevention container;
judging whether the IP address has changed according to the correspondence between the commonly used domain name and the IP address in the DNS cache list; sequentially judging, for the other domain names except the commonly used ones, whether the domain name supports the https protocol, whether the common name field of the SSL certificate is consistent with the domain name, whether the SSL certificate is expired, whether the SSL certificate is self-signed, whether the SSL certificate is issued by an internationally known certificate authority, and whether the NS record is null;
and clearing the domain name which does not meet the condition according to the judgment result.
9. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of claim 7 or 8.
10. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of claim 7 or 8.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011532042.1A CN112637340B (en) | 2020-12-22 | 2020-12-22 | Domain name resolution system, monitoring method, cache cleaning method, device and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011532042.1A CN112637340B (en) | 2020-12-22 | 2020-12-22 | Domain name resolution system, monitoring method, cache cleaning method, device and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN112637340A CN112637340A (en) | 2021-04-09 |
CN112637340B true CN112637340B (en) | 2023-03-10 |
Family
ID=75322009
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202011532042.1A Active CN112637340B (en) | 2020-12-22 | 2020-12-22 | Domain name resolution system, monitoring method, cache cleaning method, device and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN112637340B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103152443A (en) * | 2013-03-04 | 2013-06-12 | 北京快网科技有限公司 | Controllable load balancing method based on domain name analyzing technology |
CN108009028A (en) * | 2017-11-29 | 2018-05-08 | 中国平安人寿保险股份有限公司 | Message treatment method, device, equipment and computer-readable recording medium |
CN109151092A (en) * | 2018-10-11 | 2019-01-04 | 深圳互联先锋科技有限公司 | A kind of domain name analytic method |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10530738B2 (en) * | 2014-08-07 | 2020-01-07 | Citrix Systems, Inc. | DNS resolution replay for bare domain names that map to “A” records |
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103152443A (en) * | 2013-03-04 | 2013-06-12 | 北京快网科技有限公司 | Controllable load balancing method based on domain name analyzing technology |
CN108009028A (en) * | 2017-11-29 | 2018-05-08 | 中国平安人寿保险股份有限公司 | Message treatment method, device, equipment and computer-readable recording medium |
CN109151092A (en) * | 2018-10-11 | 2019-01-04 | 深圳互联先锋科技有限公司 | A kind of domain name analytic method |
Also Published As
Publication number | Publication date |
---|---|
CN112637340A (en) | 2021-04-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20220060539A1 (en) | Distributed network services | |
US10791168B1 (en) | Traffic aware network workload management system | |
US10785255B1 (en) | Cluster configuration within a scalable malware detection system | |
CN106302565B (en) | Scheduling method and system of service server | |
US7016972B2 (en) | Method and system for providing and viewing performance analysis of resource groups | |
KR20190004350A (en) | Handle network traffic to defend against attacks | |
US20090043881A1 (en) | Cache expiry in multiple-server environment | |
CN108933829A (en) | A kind of load-balancing method and device | |
JP6272190B2 (en) | Computer system, computer, load balancing method and program thereof | |
US10999131B2 (en) | Method and system for detecting abnormalities in network element operation | |
WO2019242455A1 (en) | Method and apparatus for user request forwarding, reverse proxy and computer readable storage medium | |
CN113835836B (en) | System, method, computer device and medium for dynamic publishing container service | |
JP2006524872A (en) | Distributed search methods, architectures, systems, and software | |
US10291730B1 (en) | Throttling push notifications using predictive workload modeling | |
US9600251B1 (en) | Enhancing API service schemes | |
US10180914B2 (en) | Dynamic domain name service caching | |
CN112637340B (en) | Domain name resolution system, monitoring method, cache cleaning method, device and medium | |
US20150220379A1 (en) | Dynamically determining an external systems management application to report system errors | |
US11063975B2 (en) | Malicious content detection with retrospective reporting | |
US20230069845A1 (en) | Using a threat intelligence framework to populate a recursive dns server cache | |
CN107483637B (en) | NFS-based client link management method and device | |
CN107231339B (en) | Method and device for detecting DDoS attack | |
US20050132237A1 (en) | Method, apparatus and program storage device for providing a remote power reset at a remote server through a network connection | |
CN110049065B (en) | Attack defense method, device, medium and computing equipment of security gateway | |
CN113905092A (en) | Method, device, terminal and storage medium for determining reusable agent queue |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
TA01 | Transfer of patent application right |
Effective date of registration: 20211221 Address after: 100084 Beijing Haidian District Zhongguancun East Road 1 hospital Qinghua science and Technology Park 8 Building B block seal building Applicant after: CERNET Co.,Ltd. Address before: 100084 B1001-C 8, building 1, Zhongguancun East Road, Haidian District, Beijing, 2. Applicant before: NEXT GENERATION INTERNET MAJOR APPLICATION TECHNOLOGY (BEIJING) ENGINEERING RESEARCH CENTER Co.,Ltd. |
|
TA01 | Transfer of patent application right | ||
GR01 | Patent grant | ||
GR01 | Patent grant |