CN112671779B - DoH server-based domain name query method, device, equipment and medium - Google Patents


Info

Publication number: CN112671779B
Authority: CN (China)
Prior art keywords: domain name, information, https, client, name query
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202011572464.1A
Other languages: Chinese (zh)
Other versions: CN112671779A (en)
Inventors: 黄友俊, 李星, 吴建平, 李朴
Current assignee: CERNET Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: CERNET Corp

Abstract

The present disclosure provides a domain name query method based on a DoH server, including: receiving an HTTPS domain name query request sent by a client and authenticating the identity of the user according to the query request; for a user passing authentication, judging whether the user has the right to access the content corresponding to the query request; for a user with that right, acquiring the key pair information corresponding to the domain name queried by the user, the key pair information comprising a public key and a private key; sending the public key to the client and sending the HTTPS domain name query request to a domain name resolution server for resolution; receiving the domain name query response information from the domain name resolution server, generating signature information for the queried domain name from the response information and the private key, and sending the response information and the signature information to the client, so that the client verifies the signature information with the public key and obtains the domain name query response information once verification passes. The present disclosure also provides a domain name query apparatus, an electronic device and a storage medium.

Description

DoH server-based domain name query method, device, equipment and medium
Technical Field
The present disclosure relates to the field of internet security technologies, and in particular, to a method, an apparatus, a device, and a medium for querying a domain name based on a DoH server.
Background
The Domain Name System (DNS) is the system that names machines on the Internet and a core Internet service: a distributed database that maps domain names and IP addresses to each other, so that people can use the Internet without remembering the IP strings that machines read directly. Because of design defects in the DNS, no proper information protection or authentication mechanism is provided, so the DNS is vulnerable to attack. As the most successful distributed database system worldwide, its efficiency and popularity are unmatched by other services; once it is attacked, immeasurable losses are brought to the whole Internet. The weakness of the protocol design means that the authenticity and integrity of the data cannot be guaranteed. For example, once inside the network, users (including threat actors and malicious insiders) are free to move around, access and even disclose data beyond their rights. Network security problems such as false issuance, invalidation and malicious use of digital certificates may also occur through accidents or human causes.
Disclosure of Invention
In view of this, the present disclosure provides a method, an apparatus, a device, and a medium for domain name query based on a DoH server.
One aspect of the present disclosure provides a domain name query method based on a DoH server, including: receiving an HTTPS domain name query request sent by a client, and authenticating the user identity according to the HTTPS domain name query request; for the user passing the authentication, judging whether the user has the right to access the content corresponding to the HTTPS domain name inquiry request; for a user with authority, acquiring key pair information corresponding to a domain name inquired by the user, wherein the key pair information comprises a public key and a private key which are in one-to-one correspondence; sending the public key to the client, and sending the HTTPS domain name query request to a domain name resolution server for domain name resolution; receiving domain name query response information of the domain name resolution server, generating signature information of the queried domain name according to the domain name query response information and the private key, and sending the domain name query response information and the signature information to the client, so that the client verifies the signature information according to the public key, and the domain name query response information is obtained after the verification is passed.
According to an embodiment of the present disclosure, authenticating the user identity according to the HTTPS domain name query request includes: authenticating the identity information contained in the HTTPS domain name query request against data information, IP address information, MAC address information and operating system information, wherein the data information comprises a user name and/or a password and/or a verification code and/or a fingerprint.
According to an embodiment of the present disclosure, after receiving the HTTPS domain name query request sent by the client, the method further includes: establishing a secure connection channel between the client and the DoH server in HTTPS mode.
According to an embodiment of the present disclosure, before receiving the HTTPS domain name query request sent by the client, the method further includes: configuring key pairs for all domain names to be queried, wherein each domain name corresponds to a unique key pair and the key pairs differ between domain names.
According to an embodiment of the present disclosure, the method further comprises: recording result information of a successful domain name query or result information of a failed query.
According to an embodiment of the present disclosure, an elliptic curve public key cryptographic algorithm or an asymmetric encryption algorithm is adopted to configure key pairs for all domain names to be queried.
According to an embodiment of the present disclosure, the client verifying the signature information according to the public key includes: the client judges whether the private key contained in the signature information is the private key of the key pair corresponding to the public key sent by the DoH server, and if so, the verification passes.
Another aspect of the present disclosure provides a domain name querying device based on a DoH server, including: an authentication module for receiving an HTTPS domain name query request sent by a client and authenticating the user identity according to the request; a judging module for judging whether the authenticated user has the right to access the content corresponding to the HTTPS domain name query request; an acquisition module for acquiring the key pair information corresponding to the domain name queried by an authorized user, the key pair information comprising a public key and a private key in one-to-one correspondence; a forwarding module for sending the public key to the client and sending the HTTPS domain name query request to a domain name resolution server for domain name resolution; a receiving module for receiving the domain name query response information of the domain name resolution server; and a generation module for generating signature information of the queried domain name according to the domain name query response information and the private key, and sending the domain name query response information and the signature information to the client, so that the client verifies the signature information according to the public key and obtains the domain name query response information after verification passes.
Another aspect of the present disclosure provides an electronic device including: one or more processors; memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method as described above.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions for implementing the method as described above when executed.
Another aspect of the disclosure provides a computer program comprising computer executable instructions for implementing the method as described above when executed.
According to the domain name query method and device of the present disclosure, a strong user identity verification rule and a domain name key pair information base are established, every domain name query must pass identity authentication, and the highly secure DNS-over-HTTPS technology is used as the basic security protection in the domain name query communication process. HTTPS encrypts the communication for the entire transmission, so that encrypted transmission becomes the first barrier of domain name query security and the confidentiality and integrity of the transmitted data are guaranteed.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of the embodiments of the present disclosure with reference to the accompanying drawings, in which:
fig. 1 schematically illustrates a flow chart of a DoH server-based domain name querying method according to an embodiment of the present disclosure;
fig. 2 schematically illustrates an information interaction diagram of a domain name query process based on a DoH server according to an embodiment of the present disclosure;
fig. 3 schematically illustrates a block diagram of a domain name querying device based on a DoH server according to an embodiment of the present disclosure;
fig. 4 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B, and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.). Where a convention analogous to "at least one of A, B, or C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B, or C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
In order to ensure privacy and safety of DNS information in a communication process, an embodiment of the present disclosure provides a DNS-over-HTTPS (DoH) -based network domain name query method, which adds an identity authentication link in connection with HTTPS and embeds a corresponding digital signature according to a queried domain name to improve security performance of domain name query. The following detailed description is made with reference to the accompanying drawings.
Fig. 1 schematically shows a flowchart of a domain name querying method based on a DoH server according to an embodiment of the present disclosure. Fig. 2 schematically illustrates an information interaction diagram of a DoH server-based domain name querying process according to an embodiment of the present disclosure.
Referring to fig. 1 in conjunction with fig. 2, the method may include operations S101 to S104, for example.
In operation S101, an HTTPS domain name query request sent by a client is received, and a user identity is authenticated according to the HTTPS domain name query request.
According to the embodiment of the disclosure, after a client side sends a domain name query request to a DoH server, a secure connection channel between the client side and the DoH server side is established in an HTTPS mode. The next communication transmission is established on the basis, and all information is encrypted and transmitted by the HTTPS.
According to the embodiment of the disclosure, a user identity authentication rule is established on the DoH server; for example, real-name authentication is performed through, but not limited to, a mobile phone number, WeChat and the like. The DoH server can receive the HTTPS domain name query request sent by the client through a reverse proxy server and then authenticate the user identity according to the request. The identity authentication can verify the identity information contained in the HTTPS domain name query request against data information (such as a user name and/or password and/or verification code and/or fingerprint), IP address information, MAC address information, operating system information and the like; that is, the authentication process is not limited to the data information but also covers the IP address, MAC address, operating system information and so on. If identity authentication fails, the DoH server denies the client access and terminates the domain name query activity; if it passes, operation S102 is performed.
In operation S102, it is determined whether the user has a right to access the content corresponding to the HTTPS domain name query request for the user who passes the authentication.
According to the embodiment of the present disclosure, when the user identity authentication passes, it is determined whether the user has an authority to access the content corresponding to the HTTPS domain name query request, if not, the access is denied, the domain name query activity is terminated, and if so, operation S103 is performed. In addition, the process results of user identity authentication and authority judgment at each time can be recorded, so that the measurement of the user credit and the safety audit work are facilitated.
In operation S103, for an authorized user, key pair information corresponding to a domain name queried by the user is obtained, the public key is sent to the client, and the HTTPS domain name query request is sent to the domain name resolution server for domain name resolution, where the key pair information includes a public key and a private key that correspond to each other one to one.
According to the embodiment of the disclosure, the DoH service finds the key pair information corresponding to the searched domain name in the domain name key pair information base, and sends the public key to the client for verifying the domain name query response information signature, wherein the key pair information comprises the public key and the private key which are in one-to-one correspondence. And forwarding the HTTPS domain name query request to a domain name resolution server for domain name resolution.
In operation S104, domain name query response information of the domain name resolution server is received, signature information of the queried domain name is generated according to the domain name query response information and the private key, and the domain name query response information and the signature information are sent to the client, so that the client verifies the signature information according to the public key, and obtains the domain name query response information after the verification is passed.
According to the embodiment of the disclosure, the DoH server forwards the domain name query request to the DNS server for domain name resolution and obtains the domain name query response information. Signature information exclusive to the domain name is then generated from the domain name query response information and the private key corresponding to the domain name, and the domain name query response information and the signature information are sent to the client. The signature information is a digital string that can be generated only by the sender of the information and cannot be forged by others; it is also a valid proof of the authenticity of the information sent by the sender.
The client receives the domain name query response information returned by the DoH server through the reverse proxy server. First, the domain name signature is verified using the previously acquired domain name public key; a signature generated with the domain's exclusive private key can only be verified by that domain's exclusive public key, which increases security. An attacker cannot generate a correct signature without the private key, and if the data is tampered with in transit, the signature will not pass verification with the domain public key; if it is not tampered with, verification passes.
According to the embodiment of the disclosure, the private key is stored in the domain name key pair information base and is not disclosed externally, ensuring the absolute secrecy of the signature. If domain name signature verification fails, the domain name query response information is treated as illegitimate, the domain name query activity is terminated, and the failure result of the domain name query is recorded; if the signature passes verification, the domain name query activity is safe and valid, the domain name query response information obtained can be used safely, and the success result of the query is recorded. Signature generation and verification can use the national cryptographic algorithm SM2 or another asymmetric encryption algorithm. The national cryptographic algorithms are a series of algorithms established by the State Cryptography Administration, comprising a symmetric encryption algorithm, an elliptic curve asymmetric encryption algorithm and a hash algorithm. An asymmetric encryption algorithm requires two keys: a public key and a private key. The public key and private key form a pair, and data encrypted with the public key can only be decrypted with the corresponding private key.
According to an embodiment of the present disclosure, before receiving an HTTPS domain name query request sent by a client, the domain name query method further includes: and configuring key pairs for all domain names to be queried, wherein each domain name corresponds to a unique pair of key pairs, and the key pairs are different between the domain names. And establishing a key pair information base according to the key pair information, wherein the key pair information base at least comprises the information recorded in the table 1.
TABLE 1 (key pair information base; the table is an image in the original and is not reproduced here)
According to an embodiment of the present disclosure, the domain name querying method further includes: and recording result information of successful domain name query or result information of failed query, wherein the result information of successful domain name query or the result information of failed query can be used as reference information for domain name query security audit.
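The following Go program is an added worked example, not code from the patent or from CERNET, that walks through operations S101 to S104 together with the key-pair configuration and the result recording described above. The function names (ConfigureKeyBase, HandleQuery, ClientVerify), the credential list, the access list, the stand-in resolver table and the audit log are all constructed for the example. ECDSA over P-256 from Go's standard library stands in for the SM2 signature the patent names, since the standard library does not ship SM2; the HTTPS channel and the reverse proxy are assumed and not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed sample data (not from the patent): credentials checked in S101, the
// access list used in S102, and a stand-in for the upstream resolver of S103/S104.
var users = map[string]string{"alice": "correct-horse"}
var acl = map[string][]string{"alice": {"example.com", "example.net"}}
var resolver = map[string]string{"example.com": "192.0.2.10"}

// AuditLog holds the "result information" of every successful or failed query.
var AuditLog []string

// KeyBase is the domain name key pair information base: one unique key pair per domain.
type KeyBase map[string]*ecdsa.PrivateKey

// ConfigureKeyBase generates a distinct key pair for every domain that may be queried.
// P-256 ECDSA stands in for SM2 here (assumption: no SM2 in the Go standard library).
func ConfigureKeyBase(domains []string) (KeyBase, error) {
	kb := KeyBase{}
	for _, d := range domains {
		k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
		if err != nil {
			return nil, err
		}
		kb[d] = k
	}
	return kb, nil
}

// Request is the client's domain name query; the HTTPS channel carrying it is assumed.
type Request struct{ User, Password, Domain string }

// Response is the resolver's answer plus the domain-specific signature over it.
type Response struct {
	Domain, Answer string
	Signature      []byte
}

// digest binds the signature to both the queried domain and the answer.
func digest(domain, answer string) []byte {
	h := sha256.Sum256([]byte(domain + "\x00" + answer))
	return h[:]
}

// HandleQuery runs S101 to S104 on the DoH server. It returns the domain's public key
// (handed to the client before resolution) and the signed response.
func HandleQuery(kb KeyBase, req Request) (*ecdsa.PublicKey, *Response, error) {
	// S101: authenticate the user (constant-time compare avoids a timing side channel).
	pw, ok := users[req.User]
	if !ok || subtle.ConstantTimeCompare([]byte(pw), []byte(req.Password)) != 1 {
		AuditLog = append(AuditLog, "authentication failed: "+req.User)
		return nil, nil, errors.New("authentication failed")
	}
	// S102: check that the authenticated user may access this domain.
	allowed := false
	for _, d := range acl[req.User] {
		if d == req.Domain {
			allowed = true
		}
	}
	if !allowed {
		AuditLog = append(AuditLog, "authorization denied: "+req.User+" "+req.Domain)
		return nil, nil, errors.New("user not authorized for domain")
	}
	// S103: fetch the domain's key pair and forward the query to the resolver.
	key, ok := kb[req.Domain]
	if !ok {
		return nil, nil, errors.New("no key pair configured for domain")
	}
	answer, ok := resolver[req.Domain]
	if !ok {
		AuditLog = append(AuditLog, "query failed: "+req.Domain)
		return &key.PublicKey, nil, errors.New("resolution failed")
	}
	// S104: sign the response with the domain's private key, which never leaves the server.
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(req.Domain, answer))
	if err != nil {
		return nil, nil, err
	}
	AuditLog = append(AuditLog, "query succeeded: "+req.User+" "+req.Domain)
	return &key.PublicKey, &Response{Domain: req.Domain, Answer: answer, Signature: sig}, nil
}

// ClientVerify is the client-side check: the answer is used only if the signature
// verifies under the public key received for that domain.
func ClientVerify(pub *ecdsa.PublicKey, resp *Response) bool {
	return ecdsa.VerifyASN1(pub, digest(resp.Domain, resp.Answer), resp.Signature)
}

func main() {
	kb, err := ConfigureKeyBase([]string{"example.com", "example.net"})
	if err != nil {
		panic(err)
	}
	pub, resp, err := HandleQuery(kb, Request{User: "alice", Password: "correct-horse", Domain: "example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine response verifies:", ClientVerify(pub, resp))
	tampered := *resp
	tampered.Answer = "198.51.100.7" // simulated in-transit modification
	fmt.Println("tampered response verifies:", ClientVerify(pub, &tampered))
	fmt.Println("audit:", AuditLog)
}
```

Two properties worth checking when adapting this: a signature made under one domain's private key must not verify under another domain's public key (that is what "each domain has its own key pair" buys), and the digest must cover the domain name as well as the answer, otherwise a valid signed answer for one name could be replayed as the answer for another.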
According to the domain name query method provided by the embodiment of the present disclosure, a strong user identity authentication rule and domain-specific digital signature information are added on top of DNS-over-HTTPS, and verifying both the user identity and the digital signature makes domain name security more reliable, so that a zero-trust secure network environment is established. Compared with plain DoH, the signature algorithm can be the national cryptographic algorithm SM2, its execution process can be defined by the DoH service provider, and the algorithm and key information can be changed as required, so the method has a certain degree of concealment and obfuscation; each domain name has its own dedicated key pair, and key pairs are not shared between domain names. Even if the HTTPS layer is attacked through a vulnerability, the loss caused by an attack on domain name queries can be reduced, buying time to repair the vulnerability and defend against the attack. Adopting the national cryptographic algorithm protects important data through autonomous, controllable domestic cryptographic technology and is an important measure for effectively raising the level of information security assurance.
In summary, the method provided by the embodiment of the present disclosure is ultimately intended to establish a zero-trust secure network environment, based on the principle that nothing inside or outside the network is trusted by default. All communication relies on HTTPS secure connections, guaranteeing data confidentiality during network transmission. Strong authentication rules ensure that users with network access are trusted and reliable and satisfy least-privilege assignment rules. Digital signatures guarantee data integrity. The process result records generated by every security verification provide an information basis for tracing causes when a security problem occurs. The domain name query method bases network domain name queries on software-defined perimeters, security planning and access control, and realizes high-strength security protection for important data and applications.
Based on the same inventive concept, the embodiment of the disclosure provides a domain name query device based on a DoH server.
Fig. 3 schematically illustrates a block diagram of a domain name querying device based on a DoH server according to an embodiment of the present disclosure.
As shown in fig. 3, the DoH server-based domain name querying device 300 may include, for example: the system comprises an authentication module 310, a judgment module 320, an acquisition module 330, a forwarding module 340, a receiving module 350 and a generation module 360.
The authentication module 310 is configured to receive an HTTPS domain name query request sent by a client, and authenticate a user identity according to the HTTPS domain name query request.
The determining module 320 is configured to determine, for the authenticated user, whether the user has a right to access the content corresponding to the HTTPS domain name query request.
The obtaining module 330 is configured to obtain, for an authorized user, key pair information corresponding to a domain name queried by the user, where the key pair information includes a public key and a private key that correspond to each other one to one.
The forwarding module 340 is configured to send the public key to the client, and send the HTTPS domain name query request to the domain name resolution server for domain name resolution.
The receiving module 350 is configured to receive domain name query response information of the domain name resolution server.
The generating module 360 is configured to generate signature information of the queried domain name according to the domain name query response information and the private key, and send the domain name query response information and the signature information to the client, so that the client verifies the signature information according to the public key, and obtains the domain name query response information after the verification is passed.
Any number of modules, sub-modules, units, sub-units, or at least part of the functionality of any number thereof according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, and sub-units according to the embodiments of the present disclosure may be implemented by being split into a plurality of modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in any other reasonable manner of hardware or firmware by integrating or packaging a circuit, or in any one of or a suitable combination of software, hardware, and firmware implementations. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the disclosure may be at least partially implemented as a computer program module, which when executed may perform the corresponding functions.
For example, any plurality of the authentication module 310, the determination module 320, the obtaining module 330, the forwarding module 340, the receiving module 350, and the generating module 360 may be combined into one module/unit/sub-unit to be implemented, or any one of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least part of the functionality of one or more of these modules/units/sub-units may be combined with at least part of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to an embodiment of the present disclosure, at least one of the authentication module 310, the determination module 320, the obtaining module 330, the forwarding module 340, the receiving module 350, and the generating module 360 may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementations of software, hardware, and firmware, or a suitable combination of any several of them. Alternatively, at least one of the authentication module 310, the determination module 320, the obtaining module 330, the forwarding module 340, the receiving module 350, and the generating module 360 may be implemented at least partially as a computer program module that, when executed, may perform a corresponding function.
It should be noted that, in the embodiment of the present disclosure, the domain name query device portion based on the DoH server corresponds to the domain name query method portion based on the DoH server in the embodiment of the present disclosure, and specific implementation details and technical effects thereof are also the same, and are not described herein again.
Fig. 4 schematically shows a block diagram of an electronic device adapted to implement the above described method according to an embodiment of the present disclosure. The electronic device shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 4, an electronic device 400 according to an embodiment of the present disclosure includes a processor 401 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 402 or a program loaded from a storage section 408 into a Random Access Memory (RAM) 403. Processor 401 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 401 may also include onboard memory for caching purposes. Processor 401 may include a single processing unit or multiple processing units for performing the different actions of the method flows in accordance with embodiments of the present disclosure.
In the RAM403, various programs and data necessary for the operation of the electronic apparatus 400 are stored. The processor 401, ROM 402 and RAM403 are connected to each other by a bus 404. The processor 401 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 402 and/or the RAM 403. Note that the programs may also be stored in one or more memories other than the ROM 402 and RAM 403. The processor 401 may also perform various operations of method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, electronic device 400 may also include an input/output (I/O) interface 405, input/output (I/O) interface 405 also being connected to bus 404. Electronic device 400 may also include one or more of the following components connected to I/O interface 405: an input section 406 including a keyboard, a mouse, and the like; an output section 407 including a display device such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage section 408 including a hard disk and the like; and a communication section 409 including a network interface card such as a LAN card, a modem, or the like. The communication section 409 performs communication processing via a network such as the internet. A drive 410 is also connected to the I/O interface 405 as needed. A removable medium 411 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 410 as necessary, so that a computer program read out therefrom is mounted into the storage section 408 as necessary.
According to an embodiment of the present disclosure, the method flow according to an embodiment of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program containing program code for performing the method illustrated by the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 409, and/or installed from the removable medium 411. The computer program, when executed by the processor 401, performs the above-described functions defined in the system of the embodiments of the present disclosure. The above described systems, devices, apparatuses, modules, units, etc. may be implemented by computer program modules according to embodiments of the present disclosure.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement a method according to an embodiment of the disclosure.
According to an embodiment of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, a computer-readable storage medium may include ROM 402 and/or RAM 403 and/or one or more memories other than ROM 402 and RAM 403 described above.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
It will be appreciated by those skilled in the art that various combinations and/or associations of the features recited in the various embodiments and/or claims of the disclosure may be made even if such combinations or associations are not explicitly recited in the disclosure. In particular, such combinations and/or associations may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the disclosure, and these alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (7)

1. A domain name query method based on a DoH server, comprising the following steps:
configuring key pairs for all domain names that may be queried, using an elliptic curve public key cryptographic algorithm or an asymmetric encryption algorithm, wherein each domain name corresponds to a unique key pair and the key pairs differ between domain names;
receiving an HTTPS domain name query request sent by a client, and authenticating the user identity according to the HTTPS domain name query request;
for a user who passes the authentication, judging whether the user has the right to access the content corresponding to the HTTPS domain name query request;
for a user with that right, acquiring the key pair information corresponding to the domain name queried by the user, wherein the key pair information comprises a public key and a private key in one-to-one correspondence;
sending the public key to the client, and sending the HTTPS domain name query request to a domain name resolution server for domain name resolution;
receiving domain name query response information from the domain name resolution server, generating signature information for the queried domain name from the domain name query response information and the private key, and sending the domain name query response information and the signature information to the client, so that the client verifies the signature information with the public key and obtains the domain name query response information after the verification passes.
2. The domain name query method according to claim 1, wherein authenticating the user identity according to the HTTPS domain name query request comprises:
authenticating the identity information contained in the HTTPS domain name query request according to data information, IP address information, MAC address information and operating system information, wherein the data information comprises a user name and/or a password and/or a verification code and/or a fingerprint.
3. The domain name query method according to claim 1, wherein, after receiving the HTTPS domain name query request sent by the client, the method further comprises:
establishing a secure connection channel between the client and the DoH server in HTTPS mode.
4. The domain name query method according to claim 1, wherein the method further comprises:
recording result information of a successful domain name query or result information of a failed query.
5. A domain name query device based on a DoH server, comprising:
a configuration module, for configuring key pairs for all domain names that may be queried, using an elliptic curve public key cryptographic algorithm or an asymmetric cryptographic algorithm, wherein each domain name corresponds to a unique key pair and the key pairs differ between domain names;
an authentication module, for receiving an HTTPS domain name query request sent by a client and authenticating the user identity according to the HTTPS domain name query request;
a judging module, for judging, for a user who passes the authentication, whether the user has the right to access the content corresponding to the HTTPS domain name query request;
an acquisition module, for acquiring the key pair information corresponding to the domain name queried by a user with that right, wherein the key pair information comprises a public key and a private key in one-to-one correspondence;
a forwarding module, for sending the public key to the client and sending the HTTPS domain name query request to a domain name resolution server for domain name resolution;
a receiving module, for receiving the domain name query response information from the domain name resolution server;
and a generation module, for generating signature information for the queried domain name from the domain name query response information and the private key, and sending the domain name query response information and the signature information to the client, so that the client verifies the signature information with the public key and obtains the domain name query response information after the verification passes.
6. An electronic device, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-4.
7. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to carry out the method of any one of claims 1 to 4.
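The following Go program is an added worked example of the exchange in claims 1 to 4; it is not code from the patent or from CERNET Corp. It uses ECDSA over P-256 with SHA-256 as the "elliptic curve public key cryptographic algorithm" (the claims name no curve, hash or signature encoding), a password as the only authentication factor of claim 2, an in-memory access list for the authority check of claim 1, and a constructed resolver with made-up answers in place of the domain name resolution server. The names DoHServer, NewDoHServer, HandleQuery, VerifyResponse, signingInput and demoResolver, the Query and Response structs that stand in for the HTTPS request and response, and the log line format are all assumptions; a real DoH deployment carries DNS wire-format messages over HTTPS (RFC 8484) rather than these structs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"strings"
)

// Query models the HTTPS domain name query of claim 1 (assumed fields; the page defines no wire format).
type Query struct{ User, Password, Domain, QType string }

// Response carries the resolver's answer, the per-domain public key and the signature (claim 1).
type Response struct {
	Domain, QType, Answer string
	PublicKey             *ecdsa.PublicKey
	Signature             []byte
}

// DoHServer holds one key pair per domain (claim 1), credentials (claim 2), access rights and the result log (claim 4).
type DoHServer struct {
	keys    map[string]*ecdsa.PrivateKey
	users   map[string]string                          // user name -> password
	acl     map[string]map[string]bool                 // user name -> domains the user may query
	resolve func(domain, qtype string) (string, error) // upstream domain name resolution server
	Log     []string
}

// NewDoHServer configures a distinct P-256 key pair for every domain that may be queried.
func NewDoHServer(domains []string, users map[string]string, acl map[string]map[string]bool, resolve func(string, string) (string, error)) (*DoHServer, error) {
	s := &DoHServer{keys: map[string]*ecdsa.PrivateKey{}, users: users, acl: acl, resolve: resolve}
	for _, d := range domains {
		var err error
		if s.keys[d], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
			return nil, err
		}
	}
	return s, nil
}

// signingInput is the hash the signature covers; binding domain and query type stops a signed answer for one name being replayed for another.
func signingInput(domain, qtype, answer string) []byte {
	h := sha256.Sum256([]byte(domain + "\x00" + qtype + "\x00" + answer))
	return h[:]
}

// HandleQuery is the server side of claim 1: authenticate, check the user's right, fetch the domain's key pair, resolve upstream, sign, log.
func (s *DoHServer) HandleQuery(q Query) (*Response, error) {
	q.Domain = strings.ToLower(strings.TrimSuffix(q.Domain, "."))
	pw, ok := s.users[q.User]
	if !ok || subtle.ConstantTimeCompare([]byte(pw), []byte(q.Password)) != 1 {
		s.Log = append(s.Log, "FAIL auth user="+q.User)
		return nil, errors.New("authentication failed")
	}
	key := s.keys[q.Domain]
	if !s.acl[q.User][q.Domain] || key == nil {
		s.Log = append(s.Log, "FAIL authz user="+q.User+" domain="+q.Domain)
		return nil, errors.New("no right to query this domain, or no key pair configured for it")
	}
	answer, err := s.resolve(q.Domain, q.QType)
	if err != nil {
		s.Log = append(s.Log, "FAIL resolve domain="+q.Domain+" err="+err.Error())
		return nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, signingInput(q.Domain, q.QType, answer))
	if err != nil {
		return nil, err
	}
	s.Log = append(s.Log, "OK user="+q.User+" domain="+q.Domain+" answer="+answer)
	return &Response{Domain: q.Domain, QType: q.QType, Answer: answer, PublicKey: &key.PublicKey, Signature: sig}, nil
}

// VerifyResponse is the client step of claim 1: the answer is accepted only if the signature verifies under the public key the server sent with it.
func VerifyResponse(r *Response) (string, error) {
	if r == nil || r.PublicKey == nil || !ecdsa.VerifyASN1(r.PublicKey, signingInput(r.Domain, r.QType, r.Answer), r.Signature) {
		return "", errors.New("signature verification failed")
	}
	return r.Answer, nil
}

// demoResolver is a constructed stand-in for the resolver; the answers are made up.
func demoResolver(domain, qtype string) (string, error) {
	if a, ok := map[string]string{"example.com/A": "192.0.2.10", "example.com/AAAA": "2001:db8::10"}[domain+"/"+qtype]; ok {
		return a, nil
	}
	return "", fmt.Errorf("NXDOMAIN %s/%s", domain, qtype)
}

func main() {
	s, _ := NewDoHServer([]string{"example.com"}, map[string]string{"alice": "pw-alice"}, map[string]map[string]bool{"alice": {"example.com": true}}, demoResolver)
	resp, err := s.HandleQuery(Query{User: "alice", Password: "pw-alice", Domain: "example.com.", QType: "A"})
	ans, verr := VerifyResponse(resp) // a refused query (nil resp) shows up here as a verification error
	fmt.Println("query:", err, "| verified answer:", ans, verr, "|", strings.Join(s.Log, "; "))
}
```

Two points a practitioner would check before relying on this scheme. First, the signature here covers the domain and query type as well as the answer; signing the answer alone would let a response signed for one name be presented as the response for another. Second, in claim 1 the client receives the public key from the same DoH server, in the same HTTPS session, as the signature it is asked to verify, so a client with no prior knowledge of that key gains integrity only against alteration of the response after signing, not against a DoH server that lies or has been compromised; pinning each domain's public key on first use, or distributing it out of band, is what makes the check stronger than what the TLS channel of claim 3 already provides.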
CN202011572464.1A 2020-12-25 2020-12-25 DoH server-based domain name query method, device, equipment and medium Active CN112671779B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011572464.1A CN112671779B (en) 2020-12-25 2020-12-25 DoH server-based domain name query method, device, equipment and medium

Publications (2)

Publication Number Publication Date
CN112671779A CN112671779A (en) 2021-04-16
CN112671779B true CN112671779B (en) 2022-10-18

Family

ID=75410170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011572464.1A Active CN112671779B (en) 2020-12-25 2020-12-25 DoH server-based domain name query method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN112671779B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553430B (en) * 2022-01-21 2024-02-06 华北电力大学 SDP-based safety access system for power service terminal
CN114553828B (en) * 2022-02-24 2023-01-31 中国人民解放军国防科技大学 DNS operation and maintenance management method, device, equipment and medium
CN114979071B (en) * 2022-06-16 2024-03-26 Oppo广东移动通信有限公司 Dynamic domain name configuration method, device, electronic equipment and storage medium
CN115208640B (en) * 2022-06-24 2024-04-12 中通服创发科技有限责任公司 Named data networking public key management method based on blockchain intelligent contract
CN115190107B (en) * 2022-07-07 2023-04-18 四川川大智胜系统集成有限公司 Multi-subsystem management method based on extensive domain name, management terminal and readable storage medium
CN115333927B (en) * 2022-07-29 2023-10-27 上海浦东发展银行股份有限公司 Client domain name switching method and device, electronic equipment and storage medium
CN117176479A (en) * 2023-11-02 2023-12-05 北京安博通科技股份有限公司 Bypass decryption national cipher flow auditing method and device and electronic equipment

Citations (3)

Publication number Priority date Publication date Assignee Title
CN101841521A (en) * 2010-01-22 2010-09-22 中国科学院计算机网络信息中心 Method, server and system for authenticating identify information in DNS message
CN109886036A (en) * 2019-01-02 2019-06-14 广州大学 Domain name distributed authentication method, device and block chain network based on block chain
CN110874464A (en) * 2018-09-03 2020-03-10 巍乾全球技术有限责任公司 Method and equipment for managing user identity authentication data

Family Cites Families (13)

Publication number Priority date Publication date Assignee Title
US10277554B2 (en) * 2014-03-04 2019-04-30 Cisco Technology, Inc. Transparent proxy authentication via DNS processing
CN104468865B (en) * 2014-12-25 2019-03-05 北京奇虎科技有限公司 Domain name mapping control, response method and corresponding device
WO2016202397A1 (en) * 2015-06-18 2016-12-22 Huawei Technologies Co., Ltd. Dns based pki system
CN108400953A (en) * 2017-02-06 2018-08-14 中兴通讯股份有限公司 Control terminal is surfed the Internet and the method for terminal online, router device and terminal
CN109995723B (en) * 2017-12-29 2022-04-15 中移(杭州)信息技术有限公司 Method, device and system for DNS information interaction of domain name resolution system
US10785192B2 (en) * 2018-02-28 2020-09-22 Sling Media Pvt. Ltd. Methods and systems for secure DNS routing
CN109729080B (en) * 2018-12-20 2021-05-11 全链通有限公司 Access attack protection method and system based on block chain domain name system
RU2726879C2 (en) * 2018-12-28 2020-07-16 Акционерное общество "Лаборатория Касперского" System and method of connecting secure dns resolution protocol
CN109981814A (en) * 2019-03-19 2019-07-05 全链通有限公司 Domain name information inquiry method and system based on block chain network service node
US11012414B2 (en) * 2019-04-30 2021-05-18 Centripetal Networks, Inc. Methods and systems for prevention of attacks associated with the domain name system
CN111901319A (en) * 2020-07-16 2020-11-06 广州大学 Client DNS cache verification method, system, device and medium
CN111818196B (en) * 2020-07-22 2023-04-07 深圳市有方科技股份有限公司 Domain name resolution method and device, computer equipment and storage medium
CN111953681B (en) * 2020-08-11 2022-06-07 福州职业技术学院 DNS identity authentication method and terminal

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant