CN112954683A - Domain name resolution method, domain name resolution device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN112954683A
Authority: CN (China)
Application number: CN202110520001.9A
Legal status: Granted; current legal status active (as listed by Google Patents)
Other languages: Chinese (zh)
Other versions: CN112954683B (en)
Inventors: 董路明, 竹勇
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Prior art keywords: domain name, name resolution, resolution, information, record
Events: application filed by ZTE Corp; priority to CN202110520001.9A; publication of CN112954683A; application granted; publication of CN112954683B

Classifications

All listed classes fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION.

    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Name-to-address mapping using the domain name system [DNS]
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3236 Message authentication using cryptographic hash functions
    • H04L9/3242 Message authentication using keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC
    • H04L9/3247 Message authentication involving digital signatures
    • H04L9/3263 Message authentication involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
    • H04L9/3265 Certificate-based authentication using certificate chains, trees or paths; Hierarchical trust model

Abstract

The embodiment of the application provides a domain name resolution method, a domain name resolution device, electronic equipment and a storage medium, wherein the method comprises the following steps: acquiring a domain name resolution request of a terminal in a digital cellular network, and extracting the domain name resolution information in the domain name resolution request based on a deep packet inspection technology; sending the domain name resolution information to a credible Domain Name System (DNS) server, and receiving a resolution record fed back by the credible DNS server; and sending the resolution record to the terminal. Because the terminal's domain name resolution information is processed and the resolution record is received through a proxy mechanism, the security of domain name resolution in a wireless communication system is enhanced, the negative influence of domain name resolution attacks on wireless communication is reduced, and the security of user information is enhanced.

Description

Domain name resolution method, domain name resolution device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of network communication technologies, and in particular, to a domain name resolution method and apparatus, an electronic device, and a storage medium.
Background
The Domain Name System (DNS) is one of the most critical infrastructures of the Internet and is mainly used for mapping a domain name to an Internet Protocol (IP) address, thereby ensuring the smooth execution of network applications. However, the greatest defect of the DNS protocol is that the resolution requester cannot verify the authenticity of the response it receives; malicious use of this DNS protocol vulnerability has become the second largest attack medium of the Internet at present, and common DNS attack modes include Distributed Denial of Service (DDoS) attacks, cache poisoning, and domain hijacking. These DNS attacks often result in websites being inaccessible and visitors being redirected to fake phishing websites, thereby posing a threat to user network security. In a digital cellular communication system, the mobile terminal user (User Equipment, UE) also faces a security risk caused by DNS attacks, mainly threatened by attack behaviours such as domain name hijacking and DNS message poisoning from the Internet side. At present, a secure domain name resolution method is needed in the field of wireless communication to improve the information security of users.
Disclosure of Invention
The embodiments of the present application mainly aim to provide a domain name resolution method, an apparatus, an electronic device, and a storage medium, which are used to improve the security of domain name resolution in a wireless communication system, reduce the influence of domain name resolution attack on wireless communication, and enhance the security of user information.
The embodiment of the application provides a domain name resolution method, which comprises the following steps:
acquiring a domain name resolution request of a terminal in a digital cellular network, and extracting domain name resolution information in the domain name resolution request based on a deep packet inspection technology;
sending the domain name resolution information to a credible Domain Name System (DNS) server, and receiving a resolution record fed back by the credible DNS server;
and sending the resolution record to the terminal.
An embodiment of the present application further provides a domain name resolution apparatus, and the apparatus includes:
the information analysis module is used for acquiring a domain name resolution request of a terminal in a digital cellular network and extracting domain name resolution information in the domain name resolution request based on a deep packet inspection technology;
the resolution record module is used for sending the domain name resolution information to a credible domain name system DNS server and receiving a resolution record fed back by the credible domain name system DNS server;
and the information feedback module is used for sending the resolution record to the terminal.
An embodiment of the present application further provides an electronic device, including:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the domain name resolution method described in any of the embodiments of the present application.
Embodiments of the present application further provide a computer-readable storage medium, on which a computer program is stored, and the computer program, when executed by a processor, implements the domain name resolution method according to any of the embodiments of the present application.
According to the method and the device, the domain name resolution request of the terminal is acquired from the digital cellular network, the domain name resolution information in the domain name resolution request is extracted by deep packet inspection and forwarded to the credible DNS server for resolution, the resolution record fed back by the credible DNS server is acquired, and the resolution record is sent to the terminal. Secure resolution of the terminal's domain name resolution request is thereby realized, the information security of the user can be enhanced, and the security of the wireless communication network is improved.
Drawings
Fig. 1 is an architecture diagram of a domain name resolution method provided in an embodiment of the present application;
Fig. 2 is a flowchart of a domain name resolution method provided in an embodiment of the present application;
Fig. 3 is a flowchart of another domain name resolution method provided in an embodiment of the present application;
Fig. 4 is a flowchart of another domain name resolution method provided in an embodiment of the present application;
Fig. 5 is a flowchart of another domain name resolution method provided in an embodiment of the present application;
Fig. 6 is an exemplary diagram of a domain name resolution method provided in an embodiment of the present application;
Fig. 7 is an exemplary diagram of a domain name resolution method provided in an embodiment of the present application;
Fig. 8 is an exemplary diagram of a domain name resolution method provided in an embodiment of the present application;
Fig. 9 is a schematic structural diagram of a domain name resolution apparatus according to an embodiment of the present application;
Fig. 10 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
In the following description, suffixes such as "module", "part", or "unit" used to denote elements are used only to facilitate the explanation of the present invention and have no particular meaning in themselves. Thus, "module", "component" and "unit" may be used interchangeably.
Fig. 1 is an architecture diagram of a domain name resolution method provided in an embodiment of the present application. Referring to Fig. 1, the network topology involved in domain name resolution in a wireless communication network may include a mobile user terminal (UE), a digital cellular network communication device, and a trusted DNS server, where the trusted DNS server is a device provided by a network service provider that supports a DNS protocol security protection mechanism. When a user accesses the mobile Internet, the UE assumes the role of DNS client, and the digital cellular network communication device assumes the role of a transparent DNS proxy, responsible for converting the insecure DNS resolution process initiated by the UE into a secure one. The UE accesses the Internet through the digital cellular communication equipment and, before initiating access to an Internet application, initiates a DNS resolution process for the domain name served by that application. In the DNS resolution process, the UE constructs a domain name resolution request message, sends it to a designated DNS server, and waits for the DNS server to answer; the DNS server resolves the domain name using its mapping data of resource records such as domain names and IP addresses, generates a resolution response message and returns it, so that the UE obtains the IP address of the Internet application. The route travelled by the UE's DNS resolution data may be divided into two segments: one is the digital cellular communication network, the other is the open Internet.
In the former segment, the DNS packet is transmitted through a radio access network and a core network that have integrity and confidentiality protection mechanisms; in the latter segment, transmission over the open Internet lacks a security protection mechanism and is vulnerable to network attacks.
Fig. 2 is a flowchart of a domain name resolution method provided in an embodiment of the present application, where the embodiment of the present application may be applicable to domain name resolution in a wireless communication network, and the method may be executed by a domain name resolution device, which is implemented by software and/or hardware and is generally integrated in a digital cellular communication network device, and referring to fig. 2, the method provided in an embodiment of the present application specifically includes the following steps:
step 110, obtaining a domain name resolution request of a terminal in the digital cellular network, and extracting domain name resolution information in the domain name resolution request.
The digital cellular network may be a mobile communication network architecture, and may be composed of a mobile station, a base station subsystem and a network subsystem, where the mobile station is a network terminal device and may include a mobile phone and a cellular industrial control device, the base station subsystem may include a mobile base station, a wireless transceiver device, a private network and a wireless digital device, and the base station subsystem may be regarded as a converter between a wireless network and a wired network. Further, the network similar to the digital cellular network may further include a wireless communication network such as a wireless wide area network, a wireless local area network, a wireless metropolitan area network, and the like, where the domain name resolution request may be a domain name resolution request directly sent by the user equipment UE, the domain name resolution request may include information such as a domain name of the requested network application and a user equipment source address, and the domain name may be a location identifier of an information system such as a network application server and a host, for example, www.abc.com. The domain name resolution information may be information to be subjected to domain name resolution, and the domain name resolution information may specifically be a domain name of a network application service accessed by the terminal.
In this embodiment of the present application, a domain name resolution device may receive an original domain name resolution request sent by a terminal, and acquire domain name resolution information to be resolved in the original domain name resolution request. For example, a character string corresponding to a query Name (Name) field in a query question area (Queries) can be located as domain Name resolution information according to a domain Name resolution request based on a deep packet inspection technology.
And step 120, sending domain name resolution information to a credible domain name system DNS server, and receiving a resolution record fed back by the credible domain name system DNS server.
The trusted Domain Name System (DNS) server may be a server provided by a service provider that stores the mappings between domain names and IP addresses as resource records of the corresponding types; the trusted DNS server may support a DNS protocol security protection mechanism and may transmit a trusted resolution record. The resolution record may be the information corresponding to the domain name resolution information, specifically a resource record of a type such as the IP address corresponding to the domain name of the network application service, and the resolution record and the domain name resolution information may be stored in the trusted server in association with each other.
Specifically, the domain name resolution information may be sent to the trusted DNS server, which searches for the corresponding resolution record according to the domain name resolution information and feeds back the record it finds, so that the device implementing the method according to the embodiment of the present application acquires the resolution record. Further, the resolution record fed back by the DNS server may carry a security protection mechanism; for example, a hash may be calculated over the entire resolution record and the hash value then encrypted with a preset cryptographic algorithm, so that the encrypted value provides authenticity and integrity protection for the resolution record.
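The protection described in step 120 (a hash over the whole resolution record, then that hash protected with a preset cryptographic algorithm) is, in practice, a keyed hash: a message authentication code such as HMAC, which the patent's own classification (H04L9/3242) lists. The following is an added example and not the patent's code; it shows the proxy-side check of such a record before it is forwarded to the UE. The key, the record fields (`name`, `type`, `ttl`, `addresses`) and all addresses are constructed for the demonstration.

```python
"""Added example (not from the patent): a keyed-hash integrity tag over a whole
resolution record, as one concrete form of "hash the record, then protect the
hash with a preset cryptographic algorithm". Key, record fields and addresses
are constructed for the demo."""
import hashlib
import hmac
import json

# Constructed demo key. In a deployment the trusted DNS server and the proxy share
# this key out of band; it is never carried inside the record it protects.
DEMO_KEY = hashlib.sha256(b"demo-key-not-for-production").digest()


def canonical_bytes(record: dict) -> bytes:
    """Serialise the record deterministically (sorted keys, no whitespace) so the
    tag covers every field and does not depend on the order fields arrive in."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_record(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical record. Because the hash is keyed, a party
    that alters the record in transit cannot recompute a matching tag."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def protect(record: dict, key: bytes) -> dict:
    """What the trusted server returns: the record together with its tag."""
    return {"record": record, "tag": tag_record(record, key)}


def accept(envelope: dict, key: bytes):
    """Proxy-side verification before forwarding to the UE: return the record only
    if the tag verifies. compare_digest keeps the comparison constant-time."""
    record, tag = envelope.get("record"), envelope.get("tag")
    if not isinstance(record, dict) or not isinstance(tag, str):
        return None
    if not hmac.compare_digest(tag_record(record, key), tag):
        return None
    return record


def demo():
    """Constructed record for www.abc.com plus three variants the proxy must judge."""
    env = protect({"name": "www.abc.com", "type": "A", "ttl": 300,
                   "addresses": ["192.0.2.10"]}, DEMO_KEY)
    accepted = accept(env, DEMO_KEY) is not None

    # Record rewritten on the open Internet (the hijacking case from the background).
    hijacked = json.loads(json.dumps(env))
    hijacked["record"]["addresses"] = ["198.51.100.99"]
    hijack_rejected = accept(hijacked, DEMO_KEY) is None

    # Same record with fields reordered still verifies: the canonical form is order-free.
    reordered = {"tag": env["tag"],
                 "record": dict(reversed(list(env["record"].items())))}
    reorder_ok = accept(reordered, DEMO_KEY) is not None

    # A resolver that does not hold the shared key cannot produce an acceptable tag.
    other_key = hashlib.sha256(b"some-other-key").digest()
    forged_rejected = accept(protect(env["record"], other_key), DEMO_KEY) is None
    return accepted, hijack_rejected, reorder_ok, forged_rejected
```

The canonical serialisation matters as much as the MAC itself: if the tag were computed over whatever byte layout the server happened to emit, a legitimately re-encoded record would fail verification while the proxy learned nothing about its authenticity.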
Further, on the basis of the embodiment of the application, the trusted DNS server is located on the internet.
In this embodiment of the application, the trusted DNS server may be located in the open internet, and the trusted server may provide a safe and reliable domain name resolution service for the terminal, where the trusted server may be preset by a service operator, for example, information of the trusted server may be preset in the domain name resolution device, so that the terminal performs safe and reliable internet access.
Step 130, sending the resolution record to the terminal.
In this embodiment, the domain name resolution device may send the resolution record to the terminal. For example, the resolution record may first undergo security verification in the domain name resolution device, after which the verified record is sent to the terminal; alternatively, a resolution record received through a secure transmission mode such as a Transport Layer Security (TLS) protocol channel or an Internet Protocol Security (IPsec) channel may be sent directly to the terminal. According to the method and the device, the domain name resolution request is acquired in the wireless communication network, the domain name resolution information in it is extracted and sent to the credible DNS server, the resolution record fed back by the credible DNS server is received and sent to the terminal, so that secure resolution of the terminal's domain name resolution request is realized and the security of the wireless communication network is improved.
In an exemplary manner, implementing domain name resolution in a wireless communication network such as a wireless wide area network, a wireless local area network, a wireless metropolitan area network, etc., may include the steps of: the domain name resolution device can acquire a domain name resolution request sent by a terminal in a wireless communication network such as a wireless wide area network, a wireless local area network, a wireless metropolitan area network and the like, can extract domain name resolution information according to a message format corresponding to the domain name resolution request, send the domain name resolution information to a credible Domain Name System (DNS) server, receive a resolution record fed back by the credible DNS server, and send the resolution record to the wireless communication network such as the wireless wide area network, the wireless local area network, the wireless metropolitan area network and the like so that the terminal can acquire the resolution record.
Fig. 3 is a flowchart of another domain name resolution method provided in an embodiment of the present application, embodied on the basis of the embodiment above; refer to Fig. 3. In this embodiment, the security protection policy is DNS over TLS, the credential used for TLS protocol channel negotiation is a certificate chain identifying the trusted DNS server, and no additional preset verification information is required for the domain name resolution record. The method provided by this embodiment specifically comprises the following steps:
step 210, a domain name resolution request of a terminal in the digital cellular network is obtained.
In this embodiment of the present application, the wireless communication network may specifically be a digital cellular communication network, and the terminal UE may send the domain name resolution request according to the existing domain name resolution mode without updating or upgrading.
And step 220, extracting domain name resolution information in the domain name resolution request based on a deep packet inspection technology.
Deep packet inspection may be a method of packet parsing based on application-layer traffic inspection and control: it analyses and identifies a packet according to the source address, destination address, source port, destination port, protocol type and application-layer content of the UE-related IP packet carried in the digital cellular network, and acquires the corresponding information. Deep packet inspection may parse packets by feature strings, by service flow, or by terminal behaviour pattern.
In this embodiment of the present application, a received original domain name resolution request may be processed by a Deep Packet Inspection (DPI) technology, and a website domain name requested to be resolved in the original domain name resolution request is obtained as domain name resolution information.
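Step 110 and step 220 both describe the same DPI operation: classify the UE's IP packet by protocol and port, then locate the Name field of the Queries section and take that string as the domain name resolution information. The following is an added example (not the patent's or ZTE's code) that carries the operation through on raw bytes, including the checks a proxy needs so that a malformed packet cannot loop or read past the buffer. The packet bytes, addresses, port numbers and the name `www.abc.com` are constructed for the demonstration.

```python
"""Added example, not the patent's code: the DPI stage of steps 110 and 220.
Classify a raw IPv4 packet by protocol and port, then decode the QNAME from the
DNS question section. Packet bytes, addresses and names are constructed."""
import struct

DNS_PORT = 53
UDP = 17


def _dotted(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ipv4_udp(packet: bytes):
    """Return (src_ip, dst_ip, src_port, dst_port, udp_payload), or None when the
    packet is not IPv4 over UDP or is truncated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != UDP or len(packet) < ihl + 8:
        return None
    src_port, dst_port, udp_len = struct.unpack("!HHH", packet[ihl:ihl + 6])
    if udp_len < 8 or len(packet) < ihl + udp_len:
        return None
    return (_dotted(packet[12:16]), _dotted(packet[16:20]),
            src_port, dst_port, packet[ihl + 8:ihl + udp_len])


def read_name(msg: bytes, offset: int):
    """Decode a DNS name at offset -> (name, offset after the name). Compression
    pointers are followed with a hop limit so a crafted packet cannot loop."""
    labels, resume, hops = [], None, 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                       # compression pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63 or offset + 1 + length > len(msg):
            raise ValueError("bad label")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (resume if resume is not None else offset)


def extract_query(dns: bytes):
    """Return (txid, qname, qtype) for a DNS query (QR=0) with a question, else None."""
    if len(dns) < 12:
        return None
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount < 1:                   # QR=1 means a response
        return None
    try:
        qname, off = read_name(dns, 12)
        qtype, _qclass = struct.unpack("!HH", dns[off:off + 4])
    except (ValueError, struct.error, UnicodeDecodeError):
        return None
    return txid, qname, qtype


def inspect_packet(packet: bytes):
    """DPI: five-tuple classification first, then application-layer extraction."""
    hdr = parse_ipv4_udp(packet)
    if hdr is None or hdr[3] != DNS_PORT:
        return None
    q = extract_query(hdr[4])
    if q is None:
        return None
    return {"ue_ip": hdr[0], "dns_server": hdr[1], "ue_port": hdr[2],
            "txid": q[0], "qname": q[1], "qtype": q[2]}


def build_sample_packet(qname="www.abc.com", txid=0x1A2B, src_ip="10.0.0.2",
                        dst_ip="192.0.2.53", sport=40000, dport=DNS_PORT):
    """Construct an IPv4/UDP/DNS A query for the demo; this is not captured traffic."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    dns = (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
           + struct.pack("!HH", 1, 1))
    udp = struct.pack("!HHHH", sport, dport, 8 + len(dns), 0) + dns
    ip4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, UDP, 0,
                      bytes(int(o) for o in src_ip.split(".")),
                      bytes(int(o) for o in dst_ip.split(".")))
    return ip4 + udp
```

`inspect_packet` returns the UE source address and the original transaction ID alongside the QNAME: the proxy needs both to route the trusted server's answer back to the right terminal and to build a response the UE will accept without any change on its side, which is the property step 210 relies on.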
And step 230, sending the domain name resolution information to the trusted DNS server through a Transport Layer Security (TLS) protocol channel pre-established with the trusted DNS server.
The TLS protocol channel may be a transport channel constructed with the TLS protocol, which prevents information from being intercepted or tampered with during data exchange.
Specifically, a secure transmission channel can be established between the domain name resolution agent and the trusted DNS server in advance according to the TLS protocol according to the security protection policy, and the identity of the DNS server is verified using the configured credentials during the negotiation of establishing the TLS protocol channel. The domain name resolution agent can send the obtained domain name resolution information to the credible DNS server through the transmission channel, so that the safe transmission of the domain name resolution information is realized.
And step 240, monitoring the TLS protocol channel to acquire the resolution record fed back by the trusted DNS server.
In this embodiment, the resolution record may be transmitted through the already established TLS protocol channel. The channel may be monitored to obtain the resolution record transmitted by the DNS server through it.
And step 250, sending the resolution record to the terminal.
Specifically, when the resolution record is transmitted in the secure TLS protocol channel, its security is protected by the TLS session key generated through dynamic negotiation, and the security verification is completed automatically against the session key when the data is received. Therefore, owing to the confidentiality and integrity protection of the TLS protocol channel, a domain name resolution record successfully received from the channel can be regarded as verified and as meeting the requirements of integrity and authenticity, and the domain name resolution agent can send the resolution record to the terminal. In such a case, the resolution record transmitted over TLS may additionally be verified before being sent to the terminal, so that the security verification of the record is implemented both by the TLS transmission and by the customized verification, further improving the security of the resolution record.
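Steps 230 to 250 describe the proxy's side of a DNS over TLS exchange: a channel whose negotiation verifies the trusted server's certificate chain, the query sent through it, and the answer read back from it. The following is an added example and not the patent's or ZTE's code; it shows those three pieces as RFC 7858 specifies them (a client context that requires a valid chain and matching name, the two-byte length prefix that frames each DNS message on the TLS stream, and a transaction-ID check on the reply). `StandInResolver`, the server name and all addresses are constructed so the exchange runs offline; `resolve_over_tls` is the live path and is not exercised here.

```python
"""Added example, not the patent's code: the DNS over TLS path of steps 230 to 250
(RFC 7858): a client context that verifies the trusted server's certificate chain
and name, two-byte length framing over the TLS stream, and a transaction-ID match
on the reply. The stand-in server, names and addresses are constructed."""
import socket
import ssl
import struct

DOT_PORT = 853


def make_dot_context(ca_file=None) -> ssl.SSLContext:
    """Client context for the pre-established channel: the certificate chain must
    validate against the configured trust store, the name must match, TLS >= 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def frame(msg: bytes) -> bytes:
    """DoT prefixes every DNS message with its length as a 16-bit big-endian field."""
    if len(msg) > 0xFFFF:
        raise ValueError("DNS message too large for the length prefix")
    return struct.pack("!H", len(msg)) + msg


def recv_exact(sock, n: int) -> bytes:
    """TLS is a byte stream: one message may arrive in pieces across several reads."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("channel closed mid-message")
        buf.extend(chunk)
    return bytes(buf)


def read_framed(sock) -> bytes:
    (length,) = struct.unpack("!H", recv_exact(sock, 2))
    return recv_exact(sock, length)


def forward_query(tls_sock, query: bytes) -> bytes:
    """Send one framed query over the channel and return the reply that answers it."""
    tls_sock.sendall(frame(query))
    reply = read_framed(tls_sock)
    if len(reply) < 12 or reply[:2] != query[:2]:
        raise ValueError("transaction ID mismatch: reply is not for this query")
    if not reply[2] & 0x80:
        raise ValueError("QR bit clear: not a response")
    return reply


def resolve_over_tls(query: bytes, server_ip: str, server_name: str, ca_file=None) -> bytes:
    """Live path (not exercised offline): connect to the trusted resolver on port 853."""
    ctx = make_dot_context(ca_file)
    with socket.create_connection((server_ip, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return forward_query(tls, query)


class StandInResolver:
    """Offline stand-in exposing the socket methods forward_query uses. It answers
    the framed query with a constructed A record and hands the bytes back one at a
    time so recv_exact's reassembly is exercised. Not a real DNS server."""
    def __init__(self, answer_ip="192.0.2.10"):
        self.rdata = bytes(int(o) for o in answer_ip.split("."))
        self.outbox = b""

    def sendall(self, data: bytes):
        (length,) = struct.unpack("!H", data[:2])
        query = data[2:2 + length]
        header = query[:2] + b"\x81\x80" + struct.pack("!HHHH", 1, 1, 0, 0)
        answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + self.rdata
        self.outbox = frame(header + query[12:] + answer)   # echo the question back

    def recv(self, n: int) -> bytes:
        chunk, self.outbox = self.outbox[:1], self.outbox[1:]
        return chunk


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed A query for the demo."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00"
            + struct.pack("!HH", 1, 1))


def demo_roundtrip(qname="www.abc.com"):
    """Forward a query to the stand-in; return (transaction ID matched, answered IPv4)."""
    query = build_query(qname)
    reply = forward_query(StandInResolver(), query)
    return reply[:2] == query[:2], ".".join(str(b) for b in reply[-4:])
```

The transaction-ID check in `forward_query` is what lets the proxy treat the channel as "verified on receipt", as the text above puts it: the TLS layer guarantees the bytes came from the authenticated server, and the ID check ties each reply to the query the UE actually sent before the record is passed back into the cellular network.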
Fig. 4 is a flowchart of another domain name resolution method provided in an embodiment of the present application, embodied on the basis of the embodiment above; refer to Fig. 4. In this embodiment, the security protection policy is DNS over IPsec, the credential used for IPsec channel negotiation is a certificate chain or a pre-shared key that identifies the security gateway protecting the trusted DNS server, and no additional authentication information needs to be preset for the domain name resolution record. The method provided by this embodiment specifically comprises the following steps:
step 310, a domain name resolution request of a terminal in the digital cellular network is obtained.
In this embodiment of the present application, the wireless communication network may specifically be a digital cellular communication network, and the terminal UE may send the domain name resolution request according to the existing domain name resolution mode without updating or upgrading.
And step 320, extracting domain name resolution information in the domain name resolution request based on the deep packet inspection technology.
Deep packet inspection may be a method of packet parsing based on application-layer traffic inspection and control: it analyses and identifies a packet according to the source address, destination address, source port, destination port, protocol type and application-layer content of the IP packet received from the UE by the digital cellular network, and acquires the corresponding information. Deep packet inspection may parse packets by feature strings, by service flow, or by terminal behaviour pattern.
In this embodiment of the present application, a received original domain name resolution request may be processed by a Deep Packet Inspection (DPI) technology, and a website domain name requested to be resolved in the original domain name resolution request is obtained as domain name resolution information.
And step 330, sending the domain name resolution information to a security gateway through an Internet Protocol Security (IPsec) channel pre-established with the security gateway of the credible DNS server, so that the security gateway forwards the domain name resolution information to the credible DNS server.
The security gateway can be a gateway device provided with a security policy, can be used for protecting a trusted DNS server, and can prevent attack information from being transmitted to the trusted DNS server, the security gateway can be a physical device independent of the trusted DNS server, and the security gateway can also be a software device in the trusted DNS server. An Internet Protocol Security (IPsec) channel may be a transmission channel constructed by the IPsec, and data transmitted by the channel may encrypt and authenticate packets of the IP Protocol to realize secure information transmission.
In the embodiment of the application, a security channel based on the IPsec can be established in advance between the domain name resolution device and a security gateway of the trusted DNS server according to a security protection policy, and during the process of negotiating and establishing the IPsec channel, the identity of the security gateway is verified by using a configured credential. After the domain name resolution device obtains the domain name resolution information, the IPsec channel can be used to transmit the domain name resolution information to the security gateway, and the security gateway forwards the domain name resolution information to the trusted DNS server.
And step 340, monitoring the IPsec channel to acquire the resolution record forwarded by the security gateway, where the resolution record is fed back by the trusted DNS server.
Specifically, the resolution record is transmitted through the IPsec channel, and the resolution record forwarded by the security gateway in the IPsec channel can be obtained, where the resolution record is generated by the trusted DNS server.
And step 350, sending the resolution record to the terminal.
Specifically, when the resolution record is transmitted in the secure IPsec channel, its security is protected by a session key generated through dynamic negotiation, and the security verification is completed automatically against the session key when data is received. Therefore, owing to the security protection mechanism of the IPsec channel, a domain name resolution record successfully received from the channel can be regarded as verified and as meeting the requirements of integrity and authenticity, and the domain name resolution agent sends the resolution record to the terminal.
Fig. 5 is a flowchart of another domain name resolution method provided in an embodiment of the present application, which refines the embodiments above; refer to fig. 5. In this embodiment of the application, the security protection policy may include, but is not limited to, the DNSSEC protocol, in which case the verification policy in the preset verification information for domain name resolution records is a digital signature over the resolution record, and the verification credential is a credential such as a signature verification key or a digital certificate. The method provided by this embodiment of the application specifically comprises the following steps:
Step 410: obtaining a domain name resolution request of a terminal in the digital cellular network, and extracting the domain name resolution information in the domain name resolution request.
Specifically, the wireless communication network may be a digital cellular communication network, and the terminal (UE) may send the domain name resolution request in the existing manner without any update or upgrade. The domain name resolution device in this embodiment of the present application may process, based on deep packet inspection technology, the domain name resolution request sent by the UE and received in the wireless digital cellular communication network, and extract the domain name resolution information from the domain name resolution request.
Step 420: sending the domain name resolution information to the trusted Domain Name System (DNS) server, and receiving the resolution record fed back by the trusted DNS server.
Step 430: extracting the verification information associated with the resolution record, and verifying that verification information using the pre-stored verification information.
The verification information may be information that provides integrity protection for the resolution record, and may be a piece of ciphertext generated by the trusted DNS server.
Specifically, the verification information and the method of generating it may be based on, but are not limited to, a symmetric encryption/decryption algorithm, an asymmetric encryption/decryption algorithm, or a homomorphic encryption/decryption algorithm. For example, a Message Authentication Code (MAC) may be generated as the verification information, in which case the verification credential is the same symmetric key as the signing key. As another example, the signature may be generated with an asymmetric cryptographic algorithm, in which case the signing key is the private key of the resolution record generator and the verification credential is the public key of the resolution record generator.
The pre-stored verification information may be preset information comprising a verification policy and a verification credential. The verification policy is a verification algorithm and protocol; the verification credential is used in accordance with the verification policy, and serves to verify the security of the resolution record fed back by the trusted DNS server. The verification credential may be a security credential that directly verifies the authenticity and integrity of the resolution record fed back by the trusted DNS server; alternatively, it may serve as the root of trust in the verification process and thus verify the record indirectly. The verification credential may specifically be a symmetric encryption algorithm key, a public key of an asymmetric or homomorphic encryption algorithm, a pre-shared password, a token, a digital certificate, a trust anchor, and the like. The verification policy in the preset verification information may be configured in advance by user instruction, and the verification credential may be configured by user instruction or generated by a protocol. For example, for a verification policy based on digital signatures, a user may configure the public key certificate corresponding to the resolution record signature as the verification credential, so that the security of a digitally signed domain name resolution record is verified directly.
In the embodiment of the application, the resolution record may carry only integrity and authenticity protection; the resolution record fed back by the trusted DNS server may be accompanied by a verification signature, and the domain name resolution agent verifies that signature using the preset verification information.
Step 440: if the verification information passes verification, sending the resolution record to the terminal; if the verification information fails verification, discarding the resolution record.
In this embodiment, the received resolution record is verified using the verification information to determine whether it is complete and originates from the authentic, trusted DNS server. The resolution record may be information supporting a security protection mechanism of the DNS protocol, that is, integrity and authenticity protection data based on a cryptographic algorithm may accompany the resolution record, including but not limited to digital signature information, a Message Authentication Code (MAC), and the like. Specifically, the protection data associated with the resolution record is verified against the pre-stored verification information: if verification succeeds, the authenticity and integrity of the resolution record are established; if verification fails, the resolution record is considered untrustworthy. A resolution record that passes verification is fed back to the terminal, thereby responding to the terminal's domain name resolution request.
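As an added example, not the patent's own code, the forward-or-discard decision of steps 430 and 440 for the MAC variant named above: the resolution record is assumed to carry its verification information as an HMAC-SHA256 tag appended to the record (a constructed layout), and the pre-stored verification information is modelled as a policy name plus the shared key.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

TAG_LEN = hashlib.sha256().digest_size   # 32-byte HMAC-SHA256 tag


@dataclass(frozen=True)
class PresetVerification:
    """Pre-stored verification information: verification policy plus credential."""
    policy: str        # constructed policy name, e.g. "hmac-sha256"
    credential: bytes  # symmetric key shared with the trusted DNS server


def extract_verification_info(record: bytes) -> Tuple[bytes, bytes]:
    """Step 430, first half: split the record into payload and the verification
    info the server appended (constructed layout: payload || tag)."""
    if len(record) < TAG_LEN:
        raise ValueError("resolution record shorter than its verification tag")
    return record[:-TAG_LEN], record[-TAG_LEN:]


def verify_resolution_record(record: bytes, preset: PresetVerification) -> Tuple[str, bytes]:
    """Steps 430/440: ("forward", payload) if the tag verifies under the
    pre-stored credential, otherwise ("discard", b"")."""
    if preset.policy != "hmac-sha256":
        return "discard", b""                      # policy not supported by this agent
    try:
        payload, tag = extract_verification_info(record)
    except ValueError:
        return "discard", b""                      # malformed record
    expected = hmac.new(preset.credential, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):     # constant-time comparison
        return "discard", b""
    return "forward", payload


def trusted_server_sign(payload: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the trusted server attaching verification info."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()
```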
Further, on the basis of the above embodiment, the method also comprises: storing the transaction context of the domain name resolution request.
In the embodiment of the application, after the domain name resolution information is extracted from the domain name resolution request, the transaction context of the domain name resolution request can be stored, so that a domain name resolution response matching the domain name resolution request can be generated conveniently; the terminal is then unaware of the secure domain name resolution process, and the user experience is improved.
Further, on the basis of the above embodiment, sending the resolution record to the terminal comprises: generating a domain name resolution response matching the domain name resolution request based on the transaction context and the resolution record; and sending the domain name resolution response to the terminal.
In the embodiment of the application, after receiving the resolution record fed back by the trusted DNS server, the domain name resolution agent can construct, from the stored transaction context and the resolution record, a domain name resolution response matching the original domain name resolution request, and send that response to the terminal. The terminal is thus unaware of the domain name resolution agent process and the UE needs no upgrade or update, which reduces the impact of secure domain name resolution on the user experience.
In an exemplary embodiment, a transparent DNS proxy processing module is added to a digital cellular communication network device. The module parses and identifies DNS protocol messages exchanged between the UE and the internet by means of DPI technology; adds a security protection mechanism to a DNS resolution request from the UE according to locally configured trusted DNS server information and security protection policy information; redirects the DNS resolution request to the trusted DNS server; obtains from the trusted DNS server a DNS resolution response message carrying the security protection mechanism; verifies the authenticity and integrity of the resolution data; and then constructs a DNS resolution response message matching the original DNS resolution request message and feeds it back to the UE. The UE thereby obtains complete and authentic domain name resolution data.
In the embodiment of the application, the secure DNS resolution process is centralized between the digital cellular communication network device and the trusted DNS server. This solves the problem that mobile terminals of different models are difficult to equip with a DNS security mechanism in a unified way, and at the same time mitigates the risk of DoS attacks against the DNS server.
In the embodiment of the present application, the digital cellular communication network device identifies UE-related DNS packets, processed by DPI technology, by the transport layer protocol port number of the end user's IP packets carried by the digital cellular communication system, where the transport layer protocol includes the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP); the port may be, for example, the well-known DNS port number 53 or a port number specified by configuration.
The digital cellular communication network device mentioned in the embodiments of the present application includes, but is not limited to, 2/3/4/5G digital cellular communication systems, and any physical or logical network functional entity that processes UE data packets in a Mobile Edge Computing (MEC) system. The digital cellular communication system includes a Radio Access Network (RAN) and a Core Network (CN).
The trusted DNS server information mentioned in the embodiments of the present application refers to the service address information of a DNS server that is provided by a trusted network service provider and supports a DNS security protection mechanism, such as its IP address and service port number. The security protection policy information refers to the type of security protection protocol and algorithm supported by the domain name server and the credential parameters that interoperate with it, including but not limited to a key, a certificate, a token, a password, and the like. For example, if DNS Over TLS is employed, the credential parameter is a certificate chain that can verify the identity of the other party; if DNS Over IPSec is adopted, the credential parameter is a certificate chain or a pre-shared key that can verify the identity of the peer security gateway protecting the trusted DNS server.
Here, the DNS protocol security protection policy includes well-known protocols and methods such as Domain Name System Security Extensions (DNSSEC), DNS over Transport Layer Security (DNS Over TLS), DNS over Internet Protocol Security (DNS Over IPSec), DNS over Hypertext Transfer Protocol Secure (DNS Over HTTPS), and any algorithm, protocol, procedure or method capable of guaranteeing the integrity and authenticity of resolved domain name data.
This information needs to be pre-configured in the digital cellular communication network device in which the transparent DNS proxy processing module is located, so that the transparent DNS proxy processing module can retrieve it as needed.
The DNS resolution request and response messages exchanged between the transparent DNS proxy and the trusted DNS server follow the security protection policy in the configuration information, and the authenticity, integrity and confidentiality of the domain name resolution data received from the trusted DNS server are verified according to the preset verification information.
After the transparent proxy module receives and verifies the domain name resolution data from the trusted DNS server, it looks up the transaction context corresponding to the original DNS resolution request from the UE, constructs and encapsulates a DNS resolution response message matching the original DNS resolution request message, and sends it to the UE. Matching means that the transaction identifiers of the request and the response are consistent and that their protocol standards are consistent.
In an exemplary implementation, fig. 6 is an exemplary diagram of a domain name resolution method provided in an embodiment of the present application. Referring to fig. 6, a domain name resolution agent implemented with a security protection policy based on the DNSSEC protocol specifically includes the following steps:
001. A mobile terminal user (UE) accesses the internet through the digital cellular communication system and, acting as a DNS client, sends an original DNS resolution request message for the domain name of the application service to be accessed.
002. A DNS proxy module in the digital cellular communication network device parses the UE-related IP packets encapsulated in the transmission bearer using deep packet inspection technology, and identifies and captures the original DNS resolution request message sent by the UE. Identification is based on the well-known transport layer port number 53 of the DNS protocol, where the transport layer protocol includes TCP and UDP, or on a port value specified by configuration. After identifying and capturing the DNS request message sent by the UE, the DNS proxy module must store the context information of the original resolution transaction, that is, the six-tuple consisting of the source IP address, destination IP address, transport layer protocol type, source port number, destination port number and transaction identifier field of the message, which identifies the domain name resolution transaction.
003. The DNS proxy module obtains, according to its configuration, the information of a trusted DNS server supporting the DNSSEC protection mechanism and redirects the original DNS request message to the trusted server: it rewrites the destination IP address and destination port of the original request message to the service IP address and port number of the trusted DNS server, thereby constructing a corresponding second resolution request message, which it encapsulates and transmits through the uplink (UE to internet) transmission bearer channel inherent to the digital cellular communication network device.
004. The trusted DNS server supporting the DNSSEC mechanism receives the second DNS resolution request message, queries and obtains the domain name resolution result data, and constructs and returns a second DNS resolution response message; the resolution result data carried in that message is accompanied by the signature of the data generator and the public key trust chain for that signature.
005. The DNS proxy module in the digital cellular communication network device identifies and captures the second resolution response message from the trusted DNS server using DPI technology and obtains the signed resolution data; according to the preset verification information, the trust anchor corresponding to the DNS server is used as the verification credential to verify the signature chain step by step, which finally establishes the authenticity and integrity of the resolution data.
Furthermore, the verified resolution data can be fed back directly to the UE and can also be cached in the digital cellular communication network device, so that subsequent DNS resolution requests from the UE can be matched quickly and the load on the DNS server is reduced.
006. The second DNS resolution response message is matched to the original DNS resolution transaction, and an original resolution response message matching the original domain name resolution request message is constructed from the second DNS resolution response message. In the original resolution response message, the DNS resolution data carried does not include the signature information.
007. The DNS proxy module sends the second DNS resolution response message to the UE through the downlink (internet to UE) transmission bearer channel inherent to the digital cellular communication network device. At this point the UE has successfully received and obtained an authentic domain name resolution result.
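As an added example, not the patent's or ZTE's code, the following implements steps 002 through 006 of this walkthrough in Python: it parses the DNS wire format, stores the six-tuple transaction context, redirects the query, matches the trusted server's reply back to the stored transaction, and rebuilds a reply for the UE with the RRSIG records removed. The addresses, the transaction identifier and the signed upstream reply are all constructed; DNSSEC signature validation itself (step 005) and EDNS/DO-bit handling are outside this snippet.

```python
import struct
from typing import Dict, Tuple

TYPE_A, TYPE_RRSIG = 1, 46
HDR = struct.Struct("!HHHHHH")       # id, flags, qdcount, ancount, nscount, arcount
RR_FIXED = struct.Struct("!HHIH")    # type, class, ttl, rdlength
Context = Tuple[str, str, int, int, int, int]  # src ip, dst ip, proto, sport, dport, txid

def read_name(msg: bytes, off: int) -> Tuple[bytes, int]:
    """Decompress the name at `off`; return (uncompressed name, offset past it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = off + 2 if end is None else end
            off = ((length & 0x3F) << 8) | msg[off + 1]
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off - 1:off + length])       # length byte + label
        off += length
    return b"".join(labels) + b"\x00", end if end is not None else off

def parse_message(msg: bytes):
    """Return (txid, flags, [question bytes], [answer, authority, additional]);
    owner names are decompressed, RDATA copied verbatim (valid for A/AAAA/RRSIG)."""
    txid, flags, qd, an, ns, ar = HDR.unpack_from(msg, 0)
    off, questions, sections = HDR.size, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append(name + msg[off:off + 4])      # qtype + qclass
        off += 4
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = RR_FIXED.unpack_from(msg, off)
            off += RR_FIXED.size
            rrs.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
            off += rdlen
        sections.append(rrs)
    return txid, flags, questions, sections

def encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(txid: int, name: str) -> bytes:
    """Constructed UE query: recursion-desired A query, no EDNS."""
    return HDR.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", TYPE_A, 1)

def build_signed_response(txid: int, name: str, addr: str) -> bytes:
    """Constructed stand-in for the trusted server's DNSSEC reply: one A record
    plus an RRSIG over it (RFC 4034 layout, placeholder signature bytes)."""
    question = encode_name(name) + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                                   # pointer to the question name
    a_rr = ptr + RR_FIXED.pack(TYPE_A, 1, 300, 4) + bytes(int(x) for x in addr.split("."))
    rrsig_rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 1700000000, 1690000000, 12345)
                   + encode_name(name) + b"\x00" * 64)  # signer name + placeholder signature
    rrsig_rr = ptr + RR_FIXED.pack(TYPE_RRSIG, 1, 300, len(rrsig_rdata)) + rrsig_rdata
    return HDR.pack(txid, 0x8180, 1, 2, 0, 0) + question + a_rr + rrsig_rr

class TransparentDnsProxy:
    """Steps 002-006 of the walkthrough: store context, redirect, match, rebuild."""
    def __init__(self, trusted_ip: str, trusted_port: int = 53):
        self.trusted = (trusted_ip, trusted_port)
        self.contexts: Dict[Context, bytes] = {}

    def on_ue_query(self, src_ip, dst_ip, proto, sport, dport, msg: bytes):
        """Store the six-tuple context; return (dst ip, dst port, payload) of the
        second request, with only the destination rewritten."""
        txid = HDR.unpack_from(msg, 0)[0]
        self.contexts[(src_ip, dst_ip, proto, sport, dport, txid)] = msg
        return self.trusted[0], self.trusted[1], msg

    def on_upstream_response(self, src_ip, sport, dst_ip, dport, proto, msg: bytes):
        """Match the trusted server's reply to its stored transaction and build the
        UE-facing reply (same txid and question, RRSIG records removed).
        Returns (src ip, src port, dst ip, dst port, payload), or None to drop."""
        if (src_ip, sport) != self.trusted:
            return None                                  # not from the trusted server
        txid, flags, questions, sections = parse_message(msg)
        match = next((k for k in self.contexts if k[0] == dst_ip and k[2] == proto
                      and k[3] == dport and k[5] == txid), None)
        if match is None:
            return None                                  # no stored context: drop
        if parse_message(self.contexts.pop(match))[2] != questions:
            return None                                  # question differs from the request
        kept = [[rr for rr in sec if rr[1] != TYPE_RRSIG] for sec in sections]
        out = [HDR.pack(txid, flags, len(questions), *(len(s) for s in kept))] + questions
        for sec in kept:
            for name, rtype, rclass, ttl, rdata in sec:
                out.append(name + RR_FIXED.pack(rtype, rclass, ttl, len(rdata)) + rdata)
        # Reply is sourced from the resolver address the UE originally addressed.
        return match[1], match[4], match[0], match[3], b"".join(out)

def demo():
    proxy = TransparentDnsProxy("203.0.113.53")        # constructed TEST-NET addresses
    proxy.on_ue_query("10.0.0.7", "192.0.2.1", 17, 40000, 53, build_query(0x1234, "example.com"))
    upstream = build_signed_response(0x1234, "example.com", "192.0.2.10")
    return proxy.on_upstream_response("203.0.113.53", 53, "10.0.0.7", 40000, 17, upstream)
```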
In an exemplary implementation, fig. 7 is an exemplary diagram of a domain name resolution method provided in an embodiment of the present application. Referring to fig. 7, a domain name resolution protection mechanism based on DNS Over TLS specifically includes the following steps:
001. A DNS proxy module in a Radio Access Network (RAN) device reads the configured information of a trusted DNS server supporting the DNS Over TLS protection mechanism, obtains the corresponding credential parameters, which may be the trusted certificate chain of the DNS server, and actively initiates the negotiation that establishes a TLS protocol channel, which ultimately results in a secure TLS protocol channel. The TLS protocol channel is a long-lived connection that is established in advance and kept in use throughout the subsequent DNS resolution process, so that the performance impact on the trusted DNS server of repeatedly tearing down and re-establishing the channel is avoided.
002. The mobile terminal user accesses the internet through the radio access network and, acting as a DNS client, sends an original DNS resolution request message for the domain name of the application service to be accessed.
003. A DNS proxy module in the RAN device parses the UE-related IP packets encapsulated in the transmission bearer using deep packet inspection technology, and identifies and captures the original DNS resolution request message sent by the UE. Identification is based on the well-known transport layer port number 53 of the DNS protocol, where the transport layer protocol includes TCP and UDP, or on a port value specified by configuration. After identifying and capturing the DNS request message sent by the UE, the DNS proxy module must store the context information of the original resolution transaction, that is, the six-tuple consisting of the source IP address, destination IP address, transport layer protocol type, source port number, destination port number and transaction identifier field of the message, which identifies the domain name resolution transaction.
004. The DNS proxy module obtains, according to its configuration, the information of the trusted DNS server supporting the DNS Over TLS protection mechanism and redirects the original DNS request message to the trusted DNS server: it rewrites the destination IP address and destination port number of the original request message to the service IP address and service port number of the trusted DNS server, and rewrites the source IP address to the local IP address of the TLS protocol channel established by the DNS proxy module, thereby constructing a corresponding second resolution request message, which it sends to the server through the TLS secure channel established between the DNS proxy module and the trusted DNS server.
005. The trusted DNS server supporting the DNS Over TLS mechanism receives the second DNS resolution request message, queries and obtains the domain name resolution result data, constructs a second DNS resolution response message and sends it back through the established TLS protocol channel. The DNS proxy module in the RAN device monitors the established TLS protocol channel, identifies and receives the second resolution response message from the trusted DNS server, and obtains the resolution result data in it. Here, the authenticity and integrity of the successfully received resolution data are established by the confidentiality and integrity protection inherent to the TLS protocol channel. Furthermore, the verified resolution data can be cached in the RAN device in addition to being fed back directly to the UE, so that subsequent DNS resolution requests from the UE can be matched quickly and the load on the DNS server is reduced.
Further, on the basis of the above embodiment, in addition to the verification inherent to DNS Over TLS, the second resolution response message transmitted in the TLS protocol channel may also be verified using the pre-stored verification information, so that the integrity and authenticity of the resolution data are further strengthened by this double verification.
006. The DNS proxy module matches the second DNS resolution response message to the original DNS resolution transaction and constructs from it an original resolution response message that matches the original domain name resolution request message.
007. The DNS proxy module sends the second DNS resolution response message to the UE through the downlink (internet to UE) transmission bearer channel inherent to the RAN device. At this point the UE has successfully received and obtained an authentic domain name resolution result.
In an exemplary implementation, fig. 8 is an exemplary diagram of a domain name resolution method provided in an embodiment of the present application. Referring to fig. 8, a domain name resolution protection mechanism based on DNS Over IPSec specifically includes the following steps:
001. A DNS proxy module in the RAN device reads the configured information of a trusted DNS server supporting the DNS Over IPSec protection mechanism and, based on the configured credential parameters for authenticating the identity of the security gateway of the trusted DNS server (which may include information such as the certificate chain or pre-shared key required for authentication with the security gateway), actively initiates the negotiation that establishes an IPSec channel, which ultimately results in a secure IPSec tunnel. The IPSec channel is a long-lived connection that is established in advance and kept in use throughout the subsequent DNS resolution process, so that the performance impact on the security gateway of repeatedly tearing down and re-establishing the channel is avoided.
002. The mobile terminal user accesses the internet through the radio access network and, acting as a DNS client, sends an original DNS resolution request message for the domain name of the application service to be accessed.
003. A DNS proxy module in the RAN device parses the UE-related IP packets encapsulated in the transmission bearer using deep packet inspection technology, and identifies and captures the original DNS resolution request message sent by the UE. Identification is based on the well-known transport layer port number 53 of the DNS protocol, where the transport layer protocol includes TCP and UDP, or on a port value specified by configuration. After identifying and capturing the DNS request message sent by the UE, the DNS proxy module must store the context information of the original resolution transaction, that is, the six-tuple consisting of the source IP address, destination IP address, transport layer protocol type, source port number, destination port number and transaction identifier field of the message, which identifies the domain name resolution transaction.
004. The DNS proxy module obtains, according to its configuration, the information of the trusted DNS server supporting the DNS Over IPSec protection mechanism and redirects the original DNS request message to the trusted server: it rewrites the destination IP address and destination port number of the original request message to the service IP address and service port number of the trusted DNS server, thereby constructing a corresponding second resolution request message, which it encapsulates in the IPSec channel established between the DNS proxy module and the trusted DNS server and sends to the peer security gateway. The DNS request message relies on the confidentiality and integrity protection inherent to the IPSec tunnel for its transport security.
005. The security gateway deployed on the trusted DNS server side receives the second DNS resolution request message from the IPSec channel and forwards it to the trusted DNS server.
006. The trusted DNS server receives the second DNS resolution request message, performs the query to obtain the domain name resolution result data, constructs a second DNS resolution response message and sends it back to the security gateway.
007. The security gateway forwards the second DNS resolution response message to the RAN device over the established IPSec tunnel; the DNS response message relies on the confidentiality and integrity protection inherent to the IPSec tunnel for its transport security. The DNS proxy module in the RAN device receives the message from the security gateway over the IPSec channel, identifies the second resolution response message originating from the trusted DNS server, and obtains the resolution result data in it. The authenticity and integrity of the resolution result data are established by the confidentiality and integrity protection inherent to the IPSec channel. Furthermore, the verified resolution data can be cached in the RAN device in addition to being fed back directly to the UE, so that subsequent DNS resolution requests from the UE can be matched quickly and the load on the DNS server is reduced.
Further, on the basis of the above embodiment, in addition to the authentication inherent to IPSec, the second resolution response message transmitted in the IPSec channel may also be verified using the pre-stored verification information, so that the integrity and authenticity of the resolution data are further strengthened by this double verification.
008. The DNS proxy module matches the second DNS resolution response message to the original DNS resolution transaction and constructs from it an original resolution response message that matches the original domain name resolution request message.
009. The DNS proxy module sends the second DNS resolution response message to the UE through the downlink (internet to UE) transmission bearer channel inherent to the RAN device. At this point the UE has successfully received and obtained an authentic domain name resolution result.
Fig. 9 is a schematic structural diagram of a domain name resolution device according to an embodiment of the present application. The device can execute the domain name proxy resolution method of any embodiment of the present application and has the functional modules and beneficial effects corresponding to that method. The device can be implemented in software and/or hardware and specifically comprises an information resolution module 501, a resolution record module 502 and an information feedback module 503.
The information resolution module 501 is configured to obtain a domain name resolution request of a terminal in the digital cellular network and to extract the domain name resolution information in the domain name resolution request based on deep packet inspection technology.
The resolution record module 502 is configured to send the domain name resolution information to a trusted Domain Name System (DNS) server and to receive the resolution record fed back by the trusted DNS server.
The information feedback module 503 is configured to send the resolution record to the terminal.
According to this embodiment, the information resolution module obtains the domain name resolution request in the digital cellular network and extracts the domain name resolution information in the request based on deep packet inspection technology; the resolution record module sends the domain name resolution information to the trusted DNS server and receives the resolution record fed back by it; and the information feedback module sends the resolution record to the terminal. Secure resolution of the terminal's domain name resolution request is thereby achieved, and the security of the wireless communication network is improved.
Further, on the basis of the above embodiment, the trusted DNS server in the device is located on the internet.
Further, on the basis of the above embodiment, the resolution record module 502 comprises:
a first transmission unit, configured to send the domain name resolution information to the trusted DNS server through a Transport Layer Security (TLS) protocol channel pre-established with the trusted DNS server; and
a first receiving unit, configured to monitor the TLS protocol channel to obtain the resolution record fed back by the DNS server.
Further, on the basis of the above embodiment, the resolution record module 502 further comprises:
a second transmission unit, configured to send the domain name resolution information to the security gateway through an Internet Protocol Security (IPsec) channel pre-established with the security gateway of the trusted DNS server, so that the security gateway forwards the domain name resolution information to the trusted DNS server; and
a second receiving unit, configured to monitor the IPsec channel to obtain the resolution record forwarded by the security gateway, the resolution record being fed back by the trusted DNS server.
Further, on the basis of the above embodiment, the information feedback module 503 comprises:
a verification unit, configured to extract the verification information associated with the resolution record and verify it using the pre-stored verification information;
a secure sending unit, configured to send the resolution record to the terminal if the verification information passes verification; and
an exception handling unit, configured to discard the resolution record if the verification information fails verification.
Further, on the basis of the above embodiment, the apparatus further comprises:
a context storage module, configured to store the transaction context of the domain name resolution request.
Further, on the basis of the above embodiment, the secure sending unit is specifically configured to: generate a domain name resolution response matching the domain name resolution request based on the transaction context and the resolution record; and send the domain name resolution response to the terminal.
Fig. 10 is a schematic structural diagram of an electronic device provided in an embodiment of the present application, where the electronic device includes a processor 60, a memory 61, an input device 62, and an output device 63; the number of the processors 60 in the electronic device may be one or more, and one processor 60 is taken as an example in fig. 10; the processor 60, the memory 61, the input device 62 and the output device 63 in the electronic apparatus may be connected by a bus or other means, and fig. 10 illustrates the example of connection by a bus.
The memory 61 is a computer-readable storage medium and can be used to store software programs, computer-executable programs and modules, such as the modules corresponding to the domain name proxy resolution apparatus in the embodiment of the present application (the information resolution module 501, the resolution record module 502 and the information feedback module 503). By executing the software programs, instructions and modules stored in the memory 61, the processor 60 performs the various functional applications and data processing of the electronic device, that is, it implements the domain name proxy resolution method described above.
The memory 61 may mainly include a program storage area and a data storage area, where the program storage area may store an operating system and the application program required for at least one function, and the data storage area may store data created through use of the electronic device, and the like. Further, the memory 61 may include high-speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid-state storage device. In some examples, the memory 61 may further include memory located remotely from the processor 60, which may be connected to the electronic device through a network. Examples of such networks include, but are not limited to, the Internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 62 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function controls of the electronic apparatus. The output device 63 may include a display device such as a display screen.
Embodiments of the present application also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, are configured to perform a method for domain name resolution, the method including:
acquiring a domain name resolution request of a terminal in a digital cellular network, and extracting domain name resolution information in the domain name resolution request based on a deep packet inspection technology;
sending the domain name resolution information to a trusted Domain Name System (DNS) server, and receiving a resolution record fed back by the trusted DNS server;
and sending the resolution record to the terminal.
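The three method steps just listed, together with the verification unit, context storage module and secure sending unit described for the apparatus above, can be modelled end to end in a few dozen lines. The following is an added example and is not code from the patent or from ZTE: it parses the question section of a raw DNS query (standing in for the deep packet inspection step), stores a transaction context per outstanding request, checks the record returned by the trusted server against that context before anything is sent to the terminal, and rebuilds a response that matches the terminal's original request. Two assumptions are mine, not the patent's: the "verification information" is taken to be the transaction ID plus the question section, and the proxy substitutes a fresh transaction ID on the upstream query so that an unsolicited record cannot be matched to a pending request by guessing the terminal's ID. The trusted server's answer is constructed inline, so the block runs without a network.

```python
import os
import struct
from dataclasses import dataclass

# DNS wire-format helpers (RFC 1035). All names below are hypothetical, not the patent's.

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg: bytes, off: int):
    """Return (name, offset just past the name), following compression pointers."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:              # compression pointer (RFC 1035 s4.1.4)
            if end is None:
                end = off + 2                  # the name field ends after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

@dataclass(frozen=True)
class ResolutionInfo:
    """What the DPI step extracts from the terminal's request."""
    txid: int
    qname: str
    qtype: int
    qclass: int

def extract_resolution_info(pkt: bytes) -> ResolutionInfo:
    txid, flags, qdcount = struct.unpack("!HHH", pkt[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return ResolutionInfo(txid, qname.lower(), qtype, qclass)

@dataclass
class TransactionContext:
    """Stored per outstanding request so the answer can be matched back to it."""
    terminal: tuple              # (ip, port) the request came from
    terminal_txid: int           # transaction ID chosen by the terminal
    info: ResolutionInfo

class ProxyResolver:
    def __init__(self):
        self.pending = {}        # upstream txid -> TransactionContext

    def handle_query(self, terminal, pkt: bytes) -> bytes:
        """Extract the question, store its context, return the query to send upstream.
        The fresh upstream txid is a design choice of this example, not the patent's."""
        info = extract_resolution_info(pkt)
        upstream_txid = struct.unpack("!H", os.urandom(2))[0]
        while upstream_txid in self.pending:
            upstream_txid = struct.unpack("!H", os.urandom(2))[0]
        self.pending[upstream_txid] = TransactionContext(terminal, info.txid, info)
        return struct.pack("!H", upstream_txid) + pkt[2:]

    def handle_record(self, record: bytes):
        """Verify a record from the trusted server against the stored context.
        Returns (terminal, response) when it checks out, None when it is discarded."""
        txid, flags, qdcount = struct.unpack("!HHH", record[:6])
        ctx = self.pending.get(txid)
        if ctx is None or not flags & 0x8000 or qdcount != 1:
            return None                         # unsolicited, not a response, or malformed
        qname, off = decode_name(record, 12)
        qtype, qclass = struct.unpack("!HH", record[off:off + 4])
        if (qname.lower(), qtype, qclass) != (ctx.info.qname, ctx.info.qtype, ctx.info.qclass):
            return None                         # answer is for a different question
        del self.pending[txid]
        # Response for the terminal: its own txid in front of the trusted server's body.
        return ctx.terminal, struct.pack("!H", ctx.terminal_txid) + record[2:]

# Constructed sample traffic (not captured from any real network).

def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def build_trusted_record(upstream_query: bytes, ipv4: str, ttl: int = 300) -> bytes:
    """Stand-in for the trusted server: echoes the question and adds one A record."""
    txid = struct.unpack("!H", upstream_query[:2])[0]
    _, off = decode_name(upstream_query, 12)
    question = upstream_query[12:off + 4]
    rdata = bytes(int(x) for x in ipv4.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer

if __name__ == "__main__":
    proxy = ProxyResolver()
    upstream = proxy.handle_query(("10.0.0.7", 53001), build_query(0x1A2B, "example.com"))
    # A record carrying the right txid but a different question is discarded:
    forged = build_trusted_record(upstream[:2] + build_query(0, "other.example")[2:], "1.2.3.4")
    print(proxy.handle_record(forged))                        # None
    print(proxy.handle_record(build_trusted_record(upstream, "93.184.216.34")))
```

The verification step compares the whole question tuple, not just the transaction ID, so a record that arrives on the channel with a matching ID but a different name or type is dropped, and once a context has been consumed any further record with that ID is also dropped; both cases map to the exception handling unit above.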
From the above description of the embodiments, it is clear to those skilled in the art that the present invention can be implemented by software together with the necessary general-purpose hardware, and certainly can also be implemented by hardware alone, but the former is the better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which may be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH memory, a hard disk or an optical disk of a computer, and which includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods described in the embodiments of the present application.
It should be noted that, in the embodiment of the domain name resolution apparatus, each included unit and module are only divided according to functional logic, but are not limited to the above division, as long as the corresponding function can be implemented; in addition, specific names of the functional units are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the application.
One of ordinary skill in the art will appreciate that all or some of the steps of the methods, systems, functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof.
In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and include any information delivery media as known to those skilled in the art.
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings, and are not to be construed as limiting the scope of the invention. Any modifications, equivalents and improvements which may occur to those skilled in the art without departing from the scope and spirit of the present invention are intended to be within the scope of the claims.

Claims (10)

1. A domain name resolution method, the method comprising:
acquiring a domain name resolution request of a terminal in a digital cellular network, and extracting domain name resolution information in the domain name resolution request based on a deep packet inspection technology;
sending the domain name resolution information to a trusted Domain Name System (DNS) server, and receiving a resolution record fed back by the trusted DNS server;
and sending the resolution record to the terminal.
2. The method of claim 1, wherein the trusted Domain Name System (DNS) server is located on the Internet.
3. The method according to claim 1, wherein the sending the domain name resolution information to a trusted DNS server and receiving a resolution record fed back by the trusted DNS server comprises:
sending the domain name resolution information to the trusted DNS server through a Transport Layer Security (TLS) protocol channel pre-established with the trusted DNS server;
and monitoring the TLS protocol channel to obtain a resolution record fed back by the trusted DNS server.
4. The method according to claim 1, wherein the sending the domain name resolution information to a trusted DNS server and receiving a resolution record fed back by the trusted DNS server comprises:
sending the domain name resolution information to a security gateway through an Internet Protocol Security (IPsec) channel pre-established with the security gateway of the trusted DNS server, so that the security gateway forwards the domain name resolution information to the trusted DNS server;
and monitoring the IPsec channel to obtain a resolution record forwarded by the security gateway, wherein the resolution record is fed back by the trusted DNS server.
5. The method of claim 1, wherein the sending the resolution record to the terminal comprises:
extracting verification information related to the resolution record, and verifying the verification information using pre-stored verification information;
if the verification information passes verification, sending the resolution record to the terminal;
and if the verification information fails verification, discarding the resolution record.
6. The method of claim 1, further comprising:
storing the transaction context in the domain name resolution request.
7. The method of claim 6, wherein the sending the resolution record to the terminal comprises:
generating a domain name resolution response matching the domain name resolution request based on the transaction context and the resolution record;
and sending the domain name resolution response to the terminal.
8. A domain name resolution apparatus, the apparatus comprising:
an information resolution module, configured to acquire a domain name resolution request of a terminal in a digital cellular network and extract domain name resolution information from the domain name resolution request based on a deep packet inspection technology;
a resolution record module, configured to send the domain name resolution information to a trusted Domain Name System (DNS) server and receive a resolution record fed back by the trusted DNS server;
and an information feedback module, configured to send the resolution record to the terminal.
9. An electronic device, characterized in that the electronic device comprises:
one or more processors;
a memory for storing one or more programs;
the one or more programs, when executed by the one or more processors, causing the one or more processors to implement the domain name resolution method as recited in any one of claims 1 to 7.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out a domain name resolution method according to any one of claims 1 to 7.
CN202110520001.9A 2021-05-13 2021-05-13 Domain name resolution method, domain name resolution device, electronic equipment and storage medium Active CN112954683B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110520001.9A CN112954683B (en) 2021-05-13 2021-05-13 Domain name resolution method, domain name resolution device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN112954683A true CN112954683A (en) 2021-06-11
CN112954683B CN112954683B (en) 2021-08-17

Family

ID=76233797

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110520001.9A Active CN112954683B (en) 2021-05-13 2021-05-13 Domain name resolution method, domain name resolution device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112954683B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100269174A1 (en) * 2009-04-20 2010-10-21 Art Shelest Systems and methods for generating a dns query to improve resistance against a dns attack
CN104135471A (en) * 2014-07-14 2014-11-05 嘉兴市辰翔信息科技有限公司 Anti-hijack communication method of DNS (Domain Name System)
CN104518968A (en) * 2014-12-04 2015-04-15 华为技术有限公司 Message processing method and transparent proxy server
CN105978697A (en) * 2016-07-25 2016-09-28 宁圣金融信息服务(上海)有限公司 Block chain domain name resolution method
CN106534141A (en) * 2016-11-22 2017-03-22 汉柏科技有限公司 Method and system for preventing domain name server from being attacked and firewall
CN106992906A (en) * 2016-01-21 2017-07-28 中国联合网络通信集团有限公司 The method of adjustment and system of a kind of access rate
CN108881515A (en) * 2018-07-09 2018-11-23 迈普通信技术股份有限公司 Domain name analytic method, device and the network equipment
CN109769043A (en) * 2019-03-14 2019-05-17 中国工商银行股份有限公司 Domain name analytic method, apparatus and system
US10505985B1 (en) * 2016-04-13 2019-12-10 Palo Alto Networks, Inc. Hostname validation and policy evasion prevention

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114006724A (en) * 2021-09-18 2022-02-01 中国互联网络信息中心 Method and system for discovering and authenticating encrypted DNS (Domain name Server) resolver
CN114006724B (en) * 2021-09-18 2023-08-29 中国互联网络信息中心 Method and system for discovering and authenticating encryption DNS resolver
CN114745356A (en) * 2022-03-29 2022-07-12 深信服科技股份有限公司 Domain name resolution method, device and equipment and readable storage medium
CN114745356B (en) * 2022-03-29 2024-02-23 深信服科技股份有限公司 Domain name resolution method, device, equipment and readable storage medium
CN115378907A (en) * 2022-08-18 2022-11-22 北京视界云天科技有限公司 MSP domain name resolution configuration management method, system, device and medium
CN115378907B (en) * 2022-08-18 2024-03-15 北京视界云天科技有限公司 MSP domain name resolution configuration management method, system, equipment and medium

Also Published As

Publication number Publication date
CN112954683B (en) 2021-08-17

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant