CN113014573B - Monitoring method, system, electronic device and storage medium of DNS (Domain name Server) - Google Patents


Info

Publication number: CN113014573B
Application number: CN202110199426.4A
Authority: CN (China)
Prior art keywords: log, domain name, dns server, server, dns
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113014573A
Inventors: 代刚, 范渊, 杨勃
Current assignee: DBAPPSecurity Co Ltd
Original assignee: DBAPPSecurity Co Ltd
Events: application filed by DBAPPSecurity Co Ltd; priority to CN202110199426.4A; publication of CN113014573A; application granted; publication of CN113014573B; legal status active; anticipated expiration.

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Abstract

The application relates to a monitoring method, a monitoring system, an electronic device and a storage medium for a DNS (Domain Name System) server. A first log of a first DNS server is collected, the first log comprising a request log and a response log; the first log is collected by a preset log server and transmitted through a preset message system to a preset data collection engine for analysis processing, yielding a second log; preset first domain name information is detected in the second log, where the first domain name information comprises a malicious IP address and a malicious domain name, and a resolution request carrying the first domain name information causes resource loss exceeding a preset degree on the first DNS server; the first domain name information is analyzed and processed by a web front-end page associated with the first DNS server, and a configuration file is generated for intercepting resolution requests carrying the first domain name information. This addresses the problem of weak DNS server monitoring capability and improves the monitoring capability of the DNS server.

Description

Monitoring method, system, electronic device and storage medium of DNS (Domain name Server)
Technical Field
The present application relates to the field of monitoring of DNS servers, and in particular, to a monitoring method of a DNS server, a monitoring system of a DNS server, an electronic device, and a storage medium.
Background
The DNS (Domain Name System) is an important basic service of the internet. Its main function is to maintain a distributed database mapping IP (Internet Protocol) addresses to domain names, giving users names that are easier to remember than addresses. On one hand, with the spread of networks and the adoption of 5G and IPv6, domain name resolution requests will grow explosively in the future, so it is necessary to provide a healthy internet environment. On the other hand, in the current internet environment a large number of minors go online, yet unhealthy websites flood the internet and cause real harm to their development. In addition, a large number of attackers may issue unhealthy domain name resolution requests, which place heavy pressure on the DNS server and affect the resolution requests of other normal users under the local DNS server. For the illegal and harmful information above, the DNS server needs to be able to identify such websites and illegal domain name resolution requests to ensure its own healthy operation.
In the related art, a commonly used means of ensuring the healthy operation of the DNS server is to analyze resolution requests using the logs carried by the system itself; more specifically, the DNS server's operation state file, request log and response log are analyzed manually, and according to the analysis result a blacklist is imported by hand and the configuration file is modified on the command line, thereby optimizing server performance. However, the DNS server in the related art has no data quantification capability, no threat discovery capability, and no capability of regulating domain names in real time after a threat is discovered; it only analyzes resolution requests by means of the system's own logs or modifies the configuration file manually, so the healthy operation of the DNS server cannot be effectively ensured.
At present, no effective solution is provided for the problem of weak monitoring capability of a DNS server in the related art.
Disclosure of Invention
The embodiment of the application provides a monitoring method of a DNS server, a monitoring system of the DNS server, an electronic device and a storage medium, so as to at least solve the problem that the monitoring capability of the DNS server in the related art is weak.
In a first aspect, an embodiment of the present application provides a method for monitoring a DNS server, including:
collecting a first log of a first DNS server, wherein the first log comprises a request log and a response log;
collecting the first log by using a preset log server, and transmitting the first log through a preset message system to a preset data collection engine for analysis processing to obtain a second log, wherein the preset log server comprises an Rsyslog server, the message system comprises a Kafka message system, and the data collection engine comprises a Logstash data collection engine;
detecting preset first domain name information in the second log, wherein the first domain name information comprises a malicious IP address and a malicious domain name, and a resolution request carrying the first domain name information causes resource loss exceeding a preset degree to the first DNS server;
analyzing and processing the first domain name information by using a web front-end page associated with the first DNS server, and generating a configuration file for intercepting a resolution request carrying the first domain name information.
In some embodiments, collecting the log of the first DNS server comprises collecting the response log in at least one of the following ways:
encoding the log of the first DNS server in the Dnstap format to obtain data in the Dnstap format, and using a listener to capture the response log from the Dnstap data, wherein the listener comprises fstrm_capture; and/or
capturing the response log from the first DNS server by using a packet capturer, wherein the packet capturer comprises Libpcap.
In some embodiments, before analyzing the first domain name information by using the web front-end page associated with the first DNS server and generating the configuration file for intercepting a resolution request carrying the first domain name information, the method further includes:
scanning the second log by using a preset threat intelligence system to obtain first domain name information that conforms to a preset rule, wherein the preset threat intelligence system comprises prestored first domain name information; or
acquiring an operation state file of the first DNS server, and extracting from the operation state file the first domain name information that the first DNS server has obtained by learning with a machine learning method.
In some embodiments, after the preset log server is used to collect the first log and the first log is transmitted through the preset message system to the preset data collection engine for analysis processing to obtain the second log, the method further includes:
sending the second log to one of: an Elasticsearch server, a Hive data platform and a Kibana visualization platform.
In some of these embodiments, the first DNS server is built using one of: Bind9 server software, Bundy server software, dnsmasq server software and Unbound server software.
In some embodiments, after analyzing the first domain name information by using the web front-end page associated with the first DNS server and generating the configuration file for intercepting a resolution request carrying the first domain name information, the method further includes:
when the web front-end page detects a malicious IP address or a malicious domain name, processing the resolution request in one of the following ways: rejecting a domain name resolution request originating from the malicious IP address, redirecting the resolution request for the malicious domain name to a preset healthy page, or returning a resolution failure for the resolution request for the malicious domain name.
In some of these embodiments, the method further comprises: sending the configuration file to a second DNS server for backup, wherein the first DNS server and the second DNS server perform load-balanced scheduling based on the NAT mode of LVS.
In a second aspect, an embodiment of the present application provides a monitoring system for a DNS server, including: a first DNS server and a monitoring device of a DNS server connected to each other, the monitoring device of the DNS server being configured to execute the monitoring method of the DNS server according to the first aspect.
In a third aspect, an embodiment of the present application provides an electronic apparatus, which includes a memory and a processor, where the memory stores a computer program, and the processor is configured to execute the computer program to perform the monitoring method for a DNS server according to the first aspect.
In a fourth aspect, an embodiment of the present application provides a storage medium in which a computer program is stored, where the computer program is configured to perform the monitoring method for a DNS server according to the first aspect when it runs.
Compared with the related art, the monitoring method of the DNS server, the monitoring system of the DNS server, the electronic device and the storage medium provided in the embodiments of the present application collect a first log of a first DNS server, where the first log includes a request log and a response log; collect the first log by using a preset log server, and transmit the first log through a preset message system to a preset data collection engine for analysis processing to obtain a second log, wherein the preset log server comprises an Rsyslog server, the message system comprises a Kafka message system, and the data collection engine comprises a Logstash data collection engine; detect preset first domain name information in the second log, wherein the first domain name information comprises a malicious IP address and a malicious domain name, and a resolution request carrying the first domain name information causes resource loss exceeding a preset degree to the first DNS server; and analyze and process the first domain name information by using the web front-end page associated with the first DNS server and generate the configuration file for intercepting resolution requests carrying the first domain name information. This solves the problem that the monitoring capability of the DNS server in the related art is weak, and improves the monitoring capability of the DNS server.
The details of one or more embodiments of the application are set forth in the accompanying drawings and the description below, so that the features, objects and advantages of the application are described more concisely and understandably.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a flowchart of a monitoring method of a DNS server according to an embodiment of the present application;
Fig. 2 is a diagram of a DNS server model in accordance with a preferred embodiment of the present application;
Fig. 3 is an architecture diagram of a monitoring system for a DNS server in accordance with a preferred embodiment of the present application;
Fig. 4 is a hardware configuration block diagram of a terminal of a monitoring method of a DNS server according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. The terms "a", "an", "the" and similar referents used in describing the invention are to be construed in a non-limiting sense as indicating either the singular or the plural. The terms "including", "comprising", "having" and any variations thereof used in this application are intended to cover non-exclusive inclusion; for example, a process, method, system, article or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article or apparatus. References to "connected", "coupled" and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. Reference herein to "a plurality" means two or more. "and/or" describes an association between associated objects, meaning that three relationships may exist; for example, "A and/or B" may mean: A exists alone, A and B exist simultaneously, or B exists alone. The terms "first", "second", "third" and the like are used herein merely to distinguish similar objects and do not denote a particular ordering of the objects.
Fig. 1 is a flowchart of a monitoring method for a DNS server according to an embodiment of the present application, and as shown in fig. 1, the flowchart includes the following steps:
Step S101: collect a first log of a first DNS server, wherein the first log comprises a request log and a response log.
In this embodiment, the request log may be collected through the DNS server's own log configuration, and the response log may be collected by a listener or a packet capture tool.
Step S102: collect the first log by using a preset log server, and transmit the first log through a preset message system to a preset data collection engine for analysis processing to obtain a second log, wherein the preset log server comprises an Rsyslog server, the message system comprises a Kafka message system, and the data collection engine comprises a Logstash data collection engine.
It should be noted that Syslog is the default log daemon of Linux systems and Rsyslog is a multi-threaded, enhanced version of Syslog. By using an Rsyslog server, data in various formats can be transmitted, the requirements of various scenarios are met, and various modes of data relay, storage and log filtering are supported. For example, if the client of the log system uses Rsyslog and the server uses Syslog, the server cannot identify the data sent by the client unless it performs special processing; conversely, if the client uses Syslog and the server uses Rsyslog, the Rsyslog server can recognize the messages sent by Syslog.
In this embodiment, by using the Kafka message system, high throughput and low latency of first-log processing can be achieved; if a large number of attackers issue unhealthy domain name resolution requests, thousands of clients can be supported reading and writing at the same time, and highly concurrent processing of the first log is realized.
In this embodiment, the Logstash data collection engine is adopted so that data can be received from multiple sources and converted, and the first log can be parsed according to a preset parsing rule to obtain the second log, wherein the data format of the second log can be JSON.
Step S103: detect preset first domain name information in the second log, where the first domain name information includes a malicious IP address and a malicious domain name, and a resolution request carrying the first domain name information will cause resource loss exceeding a preset degree to the first DNS server.
In this embodiment, there are various ways to detect the preset first domain name information in the second log, for example: scanning the second log with a preset threat intelligence system to obtain first domain name information that conforms to a preset rule, wherein the preset threat intelligence system comprises prestored first domain name information. In some optional embodiments, the preset first domain name information is detected in the second log as follows: collecting an operation state file of the first DNS server, and extracting from the operation state file the first domain name information that the first DNS server has obtained by learning with a machine learning method.
In this embodiment, it is preferable to detect the preset first domain name information in the second log by using both manners, so as to expand the detection dimensions of the first domain name information.
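Steps S102 and S103 together turn raw request-log lines into a structured "second log" and then scan it against a preset threat list. The following is an added example of that pipeline in Python; it is not code from the patent, from Logstash or from any other tool the page names. The log line shape is assumed from BIND9's "queries" log category, the addresses, names and the query threshold are constructed sample values, and the volume check is this example's own reading of "resource loss exceeding a preset degree". It goes slightly beyond the page by also matching subdomains of a listed domain.

```python
"""Added example (not code from the patent or from Logstash): turn constructed
BIND9-style query-log lines into JSON records, the "second log", and scan them
against a preset threat list, the "first domain name information". The log
format below is assumed from BIND9's "queries" category; all addresses, names
and the threshold are constructed sample values."""
import json
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed line shape (BIND9 query log, constructed):
# <date> <time> queries: info: client @<ptr> <ip>#<port> (<qname>): query: <qname> IN <type> <flags> (<server-ip>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) (?P<flags>\S+) \((?P<server>[^)]+)\)$"
)

# Constructed sample "first log" lines; the last one is deliberately not a query entry.
SAMPLE_LINES = [
    "22-Feb-2021 10:15:01.001 queries: info: client @0x7f3a1c00 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (10.0.0.53)",
    "22-Feb-2021 10:15:01.017 queries: info: client @0x7f3a1c00 198.51.100.7#40001 (bad.example.net): query: bad.example.net IN A + (10.0.0.53)",
    "22-Feb-2021 10:15:01.020 queries: info: client @0x7f3a1c00 203.0.113.99#53000 (www.example.com): query: www.example.com IN AAAA + (10.0.0.53)",
    "22-Feb-2021 10:15:01.031 queries: info: client @0x7f3a1c00 192.0.2.10#51235 (example.com): query: example.com IN MX + (10.0.0.53)",
    "22-Feb-2021 10:15:01.042 queries: info: client @0x7f3a1c00 192.0.2.10#51236 (mail.example.com): query: mail.example.com IN A + (10.0.0.53)",
    "22-Feb-2021 10:15:01.050 general: info: zone example.com/IN: loaded serial 2021022201",
]

# Constructed stand-in for the data stored in the preset threat intelligence system.
THREAT_INTEL = {
    "domains": {"bad.example.net"},                 # malicious domain names
    "networks": [ip_network("203.0.113.0/24")],     # malicious client sources
}


def parse_line(line):
    """Parse one query-log line into a dict; return None for lines that do not match."""
    m = QUERY_RE.match(line)
    if m is None:
        return None
    return {
        "timestamp": m["ts"],
        "client_ip": m["client"],
        "client_port": int(m["port"]),
        "qname": m["qname"].rstrip(".").lower(),
        "qtype": m["qtype"],
        "server_ip": m["server"],
    }


def to_second_log(lines):
    """Parse all lines; return (records, number_of_unparsed_lines)."""
    records, skipped = [], 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


def second_log_json(lines):
    """The second log serialised as newline-delimited JSON, one record per line."""
    records, _ = to_second_log(lines)
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


def domain_listed(qname, listed_domains):
    """Return the listed domain that qname equals or sits under, else None."""
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in listed_domains:
            return candidate
    return None


def scan_second_log(records, intel, max_queries_per_client=None):
    """Flag records that match the threat list, plus clients whose query volume
    exceeds max_queries_per_client (this example's reading of the "preset degree")."""
    hits = []
    for rec in records:
        client = ip_address(rec["client_ip"])
        if any(client in net for net in intel["networks"]):
            hits.append({**rec, "reason": "malicious_ip", "indicator": rec["client_ip"]})
            continue
        listed = domain_listed(rec["qname"], intel["domains"])
        if listed is not None:
            hits.append({**rec, "reason": "malicious_domain", "indicator": listed})
    if max_queries_per_client is not None:
        counts = Counter(r["client_ip"] for r in records)
        for ip, n in counts.items():
            if n > max_queries_per_client:
                hits.append({"client_ip": ip, "count": n,
                             "reason": "excessive_requests", "indicator": ip})
    return hits


if __name__ == "__main__":
    recs, bad = to_second_log(SAMPLE_LINES)
    print(f"parsed {len(recs)} records, skipped {bad} line(s)")
    for hit in scan_second_log(recs, THREAT_INTEL, max_queries_per_client=2):
        print(json.dumps(hit, sort_keys=True))
```

Lines that do not match the query pattern are counted rather than dropped silently, so a change in the server's log format shows up as a rising skip count instead of an empty second log; the hits carry the full parsed record so that the later configuration step has the client address and name it needs.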
Step S104: analyze the first domain name information by using the web front-end page associated with the first DNS server, and generate a configuration file for intercepting a resolution request carrying the first domain name information.
In this embodiment, the first domain name information is imported into the web front-end page associated with the first DNS server; the front-end page generates a YAML file from the imported first domain name information, the YAML file carrying the first domain name information; and the first DNS server turns the YAML file into the configuration files required by its own process through a central Go module, where the configuration files include a named.conf file and a Zone file. The named.conf file is used to set the named parameters and to point to the source of the domain database used by the DNS server, and the Zone file is used to describe the authoritative domain of the DNS server. A Go module is a unit of package-dependency management: a tree of Go source files with a go.mod file at its root, and the directory containing the go.mod file is also called the module root.
In this embodiment, the log data of the first DNS server is monitored and analyzed through the page integrated into the web front end associated with the first DNS server to obtain an analysis result, and the analysis result and the newly monitored and scanned blacklist are imported into the web front-end page in real time, so that normal operation of the first DNS server and healthy internet access for clients are achieved. Moreover, for a large number of unhealthy domain name resolution requests from clients, this embodiment can support thousands of clients reading and writing at the same time, realize highly concurrent processing of the first log, and regulate the state of the first DNS server in real time.
Through steps S101 to S104, a first log of the first DNS server is collected, where the first log includes a request log and a response log; the first log is collected by a preset log server and transmitted through a preset message system to a preset data collection engine for analysis processing to obtain a second log, wherein the preset log server comprises an Rsyslog server, the message system comprises a Kafka message system, and the data collection engine comprises a Logstash data collection engine; preset first domain name information is detected in the second log, wherein the first domain name information comprises a malicious IP address and a malicious domain name, and a resolution request carrying the first domain name information causes resource loss exceeding a preset degree to the first DNS server; and the first domain name information is analyzed and processed by the web front-end page associated with the first DNS server, and the configuration file for intercepting resolution requests carrying the first domain name information is generated. This solves the problem that the monitoring capability of the DNS server in the related art is weak, and improves the monitoring capability of the DNS server.
In some embodiments, collecting the log of the first DNS server may be performed in at least one of the following ways:
First way: encode the log of the first DNS server in the Dnstap format to obtain data in the Dnstap format, and capture the response log from the Dnstap data with a listener, wherein the listener comprises fstrm_capture.
In this embodiment, Dnstap is a binary log format used by DNS servers, and by encoding the log in the Dnstap format this embodiment obtains a more flexible and structured binary log.
Second way: capture the response log from the first DNS server with a packet capturer, wherein the packet capturer comprises Libpcap.
In this embodiment, Libpcap is a network packet capture library for Unix/Linux platforms.
Third way: collect the log of the first DNS server using both of the above ways at the same time.
In some embodiments, before analyzing the first domain name information by using the web front-end page associated with the first DNS server and generating the configuration file for intercepting a resolution request carrying the first domain name information, at least one of the following steps is further performed:
Step 1: scan the second log with a preset threat intelligence system to obtain first domain name information that conforms to a preset rule, wherein the preset threat intelligence system comprises prestored first domain name information.
In this embodiment, the preset threat intelligence system contains the first domain name information stored in advance, and it controls domain name hijacking by scanning for, monitoring and importing malicious domain names that carry illegal and harmful content.
Step 2: acquire an operation state file of the first DNS server, and extract from it the first domain name information that the first DNS server has obtained through machine learning.
In this embodiment, the state of the first DNS server is monitored in real time by using the named.stats state file together with Netdata, and the monitored parameters include one or more of IPv4 requests, IPv6 requests, response analysis, cache status and the number of local domain name resolution requests. Netdata is a real-time performance monitoring tool for Linux.
It can be understood that, with this arrangement, the data quantification function and the threat discovery function of the DNS server, and the function of regulating domain names in real time after a threat is discovered, can be realized.
In some embodiments, after the preset log server is used to collect the first log and the first log is transmitted through the preset message system to the preset data collection engine for analysis processing to obtain the second log, the following step is further performed: sending the second log to one of: an Elasticsearch server, a Hive data platform and a Kibana visualization platform.
In some optional embodiments, by sending the second log to the Elasticsearch server, the Elasticsearch server generates a corresponding log query interface from the second log.
In some optional embodiments, by sending the second log to the Hive data platform, the second log can be stored, queried and analyzed.
In some optional embodiments, by sending the second log to the Kibana visualization platform, the second log can be analyzed visually. The analysis content comprises malicious communication IPs of nodes, asset distribution, IP address distribution and unreasonable domain name resolution requests, and the analysis result is then displayed in a page.
In some of these embodiments, the first DNS server is built using one of: Bind9 server software, Bundy server software, dnsmasq server software and Unbound server software.
This embodiment preferably employs Bind9 server software to implement the view function of the first DNS server, which can partition the DNS server settings without having to run multiple DNS servers. For example, on a single DNS server, one view may be defined to answer queries from the internal network while another view is defined to answer queries from the external network.
In some embodiments, after analyzing the first domain name information by using the web front-end page associated with the first DNS server and generating the configuration file for intercepting a resolution request carrying the first domain name information, the following step is further performed: when the web front-end page detects a malicious IP address or a malicious domain name, the resolution request is processed in one of the following ways: rejecting a domain name resolution request from the malicious IP address, redirecting the resolution request for the malicious domain name to a preset healthy page, or returning a resolution failure for the resolution request for the malicious domain name.
In some embodiments, the following steps are also performed: no domain name resolution is performed when the client source is a malicious IP address, and when the requested domain name is an illegal domain name the request is redirected to a healthy page or resolution is made to fail directly.
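Step S104 and the three handling modes above (reject the source, redirect to a healthy page, fail the resolution) come together in the generated named.conf and Zone file. The following is an added example of that generation step in Python; it is not code from the patent, from Bind9 or from the project's Go module. Two Bind9 features are assumed here as the way the Zone file realises the per-domain modes, since the page does not say which mechanism it uses: the options-level `blackhole` address list drops queries from malicious sources, and a response-policy zone (RPZ) answers NXDOMAIN for a "fail" domain or an A/AAAA record pointing at the preset healthy page for a "redirect" domain. The policy dict stands in for the YAML emitted by the front-end page (its real shape is not on the page); addresses, names, paths and the serial are constructed sample values.

```python
"""Added example (not code from the patent, Bind9 or any tool it names):
render the interception configuration for a Bind9 server from a policy dict
that stands in for the YAML emitted by the web front-end page. Two Bind9
features are assumed here to realise the page's handling modes: the
options-level `blackhole` list drops queries from malicious sources, and a
response-policy zone (RPZ) answers NXDOMAIN (resolution fails) or an address
record pointing at the preset healthy page (redirect). Addresses, names,
paths and the serial are constructed sample values."""
import re
from ipaddress import ip_address, ip_network

LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")  # RFC 1123 hostname label
MODES = {"fail", "redirect"}  # per-domain handling modes named on the page

# Constructed stand-in for the front-end page's YAML (its real shape is not on the page).
SAMPLE_POLICY = {
    "rpz_zone": "rpz.local",
    "rpz_file": "/etc/bind/db.rpz.local",
    "healthy_page_ip": "192.0.2.80",
    "malicious_ips": ["203.0.113.0/24", "198.51.100.7"],
    "malicious_domains": {"bad.example.net": "fail", "phish.example.org": "redirect"},
}


def validate_domain(name):
    """True if name is a syntactically valid hostname (label characters and lengths)."""
    name = name.rstrip(".").lower()
    return 0 < len(name) <= 253 and all(LABEL_RE.match(label) for label in name.split("."))


def render_named_conf(blackhole_entries, rpz_zone, rpz_file):
    """named.conf fragment: drop queries from malicious sources and enable the RPZ zone.
    ip_network() normalises entries (a bare host becomes /32) and rejects malformed input."""
    cidrs = [str(ip_network(e, strict=False)) for e in blackhole_entries]
    lines = ["// generated interception config (constructed example); merge into named.conf",
             "options {"]
    if cidrs:
        lines.append("    blackhole { " + " ".join(c + ";" for c in cidrs) + " };")
    lines += [f'    response-policy {{ zone "{rpz_zone}"; }};',
              "};",
              f'zone "{rpz_zone}" {{',
              "    type master;",
              f'    file "{rpz_file}";',
              "};"]
    return "\n".join(lines) + "\n"


def render_rpz_zone(domain_modes, healthy_page_ip, serial):
    """RPZ zone text; domain_modes maps a domain to "fail" or "redirect"."""
    redirect_ip = ip_address(healthy_page_ip)
    rrtype = "A" if redirect_ip.version == 4 else "AAAA"
    out = ["$TTL 60",
           f"@ IN SOA localhost. hostmaster.localhost. ( {serial} 3600 600 86400 60 )",
           "@ IN NS localhost."]
    for domain, mode in sorted(domain_modes.items()):
        if not validate_domain(domain):
            raise ValueError(f"invalid domain name: {domain!r}")
        if mode not in MODES:
            raise ValueError(f"unknown handling mode {mode!r} for {domain}")
        name = domain.rstrip(".").lower()
        # RPZ idiom: a CNAME to the root name means "answer NXDOMAIN".
        rdata = "CNAME ." if mode == "fail" else f"{rrtype} {redirect_ip}"
        out.append(f"{name} IN {rdata}")
        out.append(f"*.{name} IN {rdata}")  # also cover every subdomain
    return "\n".join(out) + "\n"


def build_config(policy, serial=2021022201):
    """Return (named.conf fragment, RPZ zone file text) for a policy dict."""
    conf = render_named_conf(policy["malicious_ips"], policy["rpz_zone"], policy["rpz_file"])
    zone = render_rpz_zone(policy["malicious_domains"], policy["healthy_page_ip"], serial)
    return conf, zone


if __name__ == "__main__":
    conf_text, zone_text = build_config(SAMPLE_POLICY)
    print(conf_text)
    print(zone_text)
```

Every name and address is validated before it reaches the rendered text, so a malformed entry in the imported blacklist raises an error instead of producing a configuration that named refuses to load; bumping the SOA serial on each regeneration is what lets a backup server pick up the new zone.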
In some of these embodiments, the following step is also performed: sending the configuration file to a second DNS server for backup, wherein the first DNS server and the second DNS server perform load-balanced scheduling based on the NAT mode of LVS.
It should be noted that LVS (Linux Virtual Server) is a virtual server cluster system composed of a load balancer (Director), a server pool (RealServers) and shared storage. The load balancer is the front end of the whole cluster and is responsible for sending client requests to a group of servers for execution, while the client sees the service as coming from a single IP address.
In this embodiment, the LVS mode based on Network Address Translation (NAT) is used for load-balanced scheduling, so that packet headers are rewritten, allowing internal private IP addresses to reach the external network and external users to reach internal private IP hosts.
In this embodiment, during load-balanced scheduling in the NAT-based LVS mode, all RealServers only need to point their gateway at the Director. The clients may run any operating system; a Director can usually drive only a relatively limited number of RealServers, and in some embodiments the Director may also serve as a RealServer.
The embodiment also provides a monitoring system of a DNS server, which includes a first DNS server and a monitoring device of the DNS server that are connected to each other, where the monitoring device of the DNS server is used to execute the monitoring method of the DNS server described in any of the above embodiments. The monitoring method of the DNS server has been introduced in the above embodiments, and is not described herein again.
The first DNS server may be a DNS server model including a plurality of DNS servers. Fig. 2 is a schematic diagram of a DNS server model according to a preferred embodiment of the present application, and as shown in fig. 2, the DNS server model includes a single DNS main server and a plurality of DNS sub-servers, wherein the DNS main server serves as a main server (recursive server) and the DNS sub-servers serve as auxiliary servers. In the embodiment, a public network IP is provided externally as an address of a DNS server, an internal network is provided with a plurality of DNS servers, the whole framework adopts an LVS mode based on NAT to realize the balanced scheduling of the DNS servers, and a plurality of DNS sub-servers are scheduled by the LVS according to a scheduling algorithm. And each DNS sub-server forwards the domain name which cannot be forwarded to the DNS main server by adopting a forwarding mode for analysis, if the domain name is judged to belong to a local blacklist of the DNS main server, the domain name is directly analyzed, and if the domain name is not analyzed by the DNS main server, the query analysis is carried out in a recursive mode. In order to avoid the phenomenon that the DNS master server is hung up (when a designated script is run on the server, numerous identical and ceaseless processes occur, which causes the system to be trapped in endless loops), and a domain name resolution function is abnormal, a plurality of sets of DNS server models are preset in this embodiment, so that the function abnormality of the DNS master server caused by the hanging up of the DNS master server is avoided.
Fig. 3 is an architecture diagram of a monitoring system of a DNS server according to a preferred embodiment of the present application. As shown in Fig. 3, the system includes a Bind9 DNS server, a state operation monitor, a log collector, a log distributor, a log processor and a web front-end page monitor.
The state operation monitor acquires the Named.states state file from the Bind9 server software and monitors it in real time with Netdata, so as to monitor the state of the Bind9 DNS server. The monitored parameters include IPv4 requests, IPv6 requests, response analysis, cache status and the number of local domain name resolution requests.
The log collector collects request logs and response logs. For the request log, the log information can be collected through the logging configuration built into the Bind9 DNS server and then transmitted remotely via an Rsyslog server and a Kafka message system. For the response log, the log of the first DNS server can be encoded in Dnstap format to obtain Dnstap data, an Fstrm_capture listener captures the response log from the Dnstap data, the captured file is then stored via DNS-read, and the result is transmitted remotely via an Rsyslog server and a Kafka message system.
The log distributor consumes the remotely transmitted messages from the Kafka message system with the Logstash data collection engine, parses the logs into JSON format, and inserts the parsed data into the log processor for secondary analysis.
The log processor comprises one or more of an Elasticsearch search server, a Hive data platform and a Kibana visualization platform. The Elasticsearch search server provides a log query interface; the Hive data platform or the Kibana visualization platform analyzes malicious communication IPs, asset distribution, IP address distribution, abnormal domain name resolution requests and the like for the node server, and displays the analysis results on a page.
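As an added example (not code from the patent), the following Go program shows the log distributor and log processor steps described above on constructed Bind9 query-log lines: it parses each line into a JSON record, then flags queries from imported malicious client IPs, queries for imported malicious domains (including their subdomains), and clients whose request count exceeds a threshold. The line format, the JSON field names, the threshold and the function names are assumptions; the patent does not specify them.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// QueryLogEntry is the JSON record shape (an assumption) in which the log
// distributor hands one parsed Bind9 query-log line to the log processor.
type QueryLogEntry struct {
	ClientIP string `json:"client_ip"`
	Name     string `json:"qname"`
	Type     string `json:"qtype"`
}

// Finding identifies one hit; Kind is malicious_ip, malicious_domain or excessive_requests.
type Finding struct{ Kind, Value string }

// SampleLines are constructed query-log lines in Bind9's querylog format.
var SampleLines = []string{
	"23-Feb-2021 10:00:01.123 client @0x7f3a1c0 203.0.113.10#53211 (bad.example): query: bad.example IN A +E(0)K (10.0.0.53)",
	"23-Feb-2021 10:00:01.456 client 198.51.100.7#40001 (cdn.bad.example): query: cdn.bad.example. IN AAAA + (10.0.0.53)",
}

// queryLine matches querylog lines with or without the "@0x..." client handle newer Bind9 versions print.
var queryLine = regexp.MustCompile(`client (?:@0x[0-9a-f]+ )?([0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (\S+) IN (\S+)`)

// ParseQueryLog converts raw lines to entries; lines that do not match are skipped.
func ParseQueryLog(lines []string) []QueryLogEntry {
	var out []QueryLogEntry
	for _, l := range lines {
		if m := queryLine.FindStringSubmatch(l); m != nil {
			name := strings.ToLower(strings.TrimSuffix(m[2], "."))
			out = append(out, QueryLogEntry{m[1], name, m[3]})
		}
	}
	return out
}

// ToJSON renders parsed entries as the JSON the log processor indexes.
func ToJSON(entries []QueryLogEntry) string {
	b, _ := json.Marshal(entries)
	return string(b)
}

// matchesDomain checks the name and each parent domain, so an entry for bad.example also catches cdn.bad.example.
func matchesDomain(name string, bad map[string]bool) bool {
	for i := 0; i < len(name); i++ {
		if (i == 0 || name[i-1] == '.') && bad[name[i:]] {
			return true
		}
	}
	return false
}

// Detect counts entries whose client IP or queried name is on the imported lists, plus
// clients whose request count exceeds maxPerClient (the "resource loss exceeding a
// preset degree" condition of step S3).
func Detect(entries []QueryLogEntry, badIPs, badDomains map[string]bool, maxPerClient int) map[Finding]int {
	hits, perClient := map[Finding]int{}, map[string]int{}
	for _, e := range entries {
		perClient[e.ClientIP]++
		if badIPs[e.ClientIP] {
			hits[Finding{"malicious_ip", e.ClientIP}]++
		}
		if matchesDomain(e.Name, badDomains) {
			hits[Finding{"malicious_domain", e.Name}]++
		}
	}
	for ip, n := range perClient {
		if n > maxPerClient {
			hits[Finding{"excessive_requests", ip}] = n
		}
	}
	return hits
}
```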
The web front-end page monitor imports malicious IP addresses, unhealthy domain names learned by the Bind9 DNS server, and malicious domain names carrying illegal or unhealthy content found by threat intelligence scanning and monitoring, and performs domain hijacking control according to the imported information. Specifically, the web front-end page of the DNS main server generates a Yaml file from the imported information, the Yaml file carrying the first domain name information; the DNS main server then generates from the Yaml file, through a central Go module, the configuration files required by its own process, namely a Named.conf file and a Zone file, so that the DNS sub-servers connected to the DNS main server can pull the configuration files for backup. The illegal domain names are distributed by the DNS main server by zone file transfer. Thereafter, domain name resolution requests coming from a malicious IP address are not served at all, and a resolution request for an illegal domain name is either redirected to a healthy page or simply fails to resolve.
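As an added example (not the patent's own Go module), the following Go code takes the imported malicious IP addresses and illegal domain names, in a minimal YAML subset parsed by hand, and renders a named.conf fragment plus a zone file. It assumes Bind9's allow-query ACL for refusing malicious clients and a response policy zone (RPZ) as the form of the Zone file, neither of which the patent names; the input is validated so that an imported entry cannot inject directives into the generated files.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// BlockList is the imported "first domain name information": malicious client IPs and illegal domains.
type BlockList struct {
	MaliciousIPs     []string
	MaliciousDomains []string
}

// SampleYAML is a constructed import in the minimal YAML subset handled below.
const SampleYAML = "malicious_ips:\n  - 203.0.113.10\nmalicious_domains:\n  - Bad.Example\n"

// validDomain accepts only plain hostnames, so an entry cannot smuggle spaces, quotes or ';' into the config.
func validDomain(d string) bool {
	return d != "" && len(d) <= 253 && strings.Trim(d, ".") == d &&
		strings.IndexFunc(d, func(c rune) bool { return !strings.ContainsRune("abcdefghijklmnopqrstuvwxyz0123456789-.", c) }) < 0
}

// ParseBlockListYAML reads the restricted YAML subset used here (two keys, each
// followed by "- item" lines); a real build would use a YAML library instead.
func ParseBlockListYAML(doc string) (BlockList, error) {
	bl, section := BlockList{}, ""
	for _, raw := range strings.Split(doc, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case line == "" || strings.HasPrefix(line, "#"):
			continue
		case strings.HasSuffix(line, ":"):
			section = strings.TrimSuffix(line, ":")
			continue
		case !strings.HasPrefix(line, "- "):
			return bl, fmt.Errorf("unexpected line %q", line)
		}
		item := strings.ToLower(strings.TrimSpace(line[2:]))
		if section == "malicious_ips" && net.ParseIP(item) != nil {
			bl.MaliciousIPs = append(bl.MaliciousIPs, item)
		} else if section == "malicious_domains" && validDomain(item) {
			bl.MaliciousDomains = append(bl.MaliciousDomains, item)
		} else {
			return bl, fmt.Errorf("rejected entry %q in section %q", item, section)
		}
	}
	return bl, nil
}

// NamedConf renders the named.conf fragment: queries from the malicious client
// ACL are refused, and the zone below is attached as a response policy (RPZ).
func NamedConf(bl BlockList) string {
	var b strings.Builder
	b.WriteString("acl \"blocked_clients\" {\n")
	for _, ip := range bl.MaliciousIPs {
		fmt.Fprintf(&b, "\t%s;\n", ip)
	}
	b.WriteString("};\noptions {\n\tallow-query { !blocked_clients; any; };\n\tresponse-policy { zone \"rpz.local\"; };\n};\n")
	b.WriteString("zone \"rpz.local\" { type master; file \"/etc/bind/db.rpz.local\"; };\n")
	return b.String()
}

// RPZZone renders the zone file; empty redirectIP -> CNAME . (NXDOMAIN in RPZ), else redirect to the healthy page.
func RPZZone(bl BlockList, redirectIP string, serial uint32) string {
	var b strings.Builder
	fmt.Fprintf(&b, "$TTL 60\n@ IN SOA localhost. root.localhost. (%d 3600 900 604800 60)\n@ IN NS localhost.\n", serial)
	for _, d := range bl.MaliciousDomains { // wildcard entries also cover subdomains
		if redirectIP == "" {
			fmt.Fprintf(&b, "%s CNAME .\n*.%s CNAME .\n", d, d)
		} else {
			fmt.Fprintf(&b, "%s A %s\n*.%s A %s\n", d, redirectIP, d, redirectIP)
		}
	}
	return b.String()
}
```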
The operation flow of the monitoring system of the DNS server is as follows:
After a DNS client request reaches the Bind9 DNS server, on the one hand the state operation monitor monitors the running state of the Bind9 DNS server in real time to obtain the monitoring parameters; on the other hand the log collector collects the request log and the response log of the Bind9 DNS server, which are transmitted remotely through the log distributor to the log processor for analysis. The state operation monitor and the log processor import their analysis results into the web front-end page monitor, which performs domain name hijacking control according to the imported results, that is, generates the configuration files required by the Bind9 DNS server process. In addition, the DNS sub-servers connected to the DNS main server back up by pulling the configuration files.
In this embodiment, the DNS server is built on the Bind9 framework, and based on Bind9's running state files and log analysis, state optimization of the Bind9 DNS server is achieved by importing an ACL (access control list) of unhealthy client IP addresses and a blacklist of illegal domain names into the web front-end page in real time.
As used above, the terms "node," "device," and the like may refer to a combination of software and/or hardware that implements a predetermined function. Although the means described in the above embodiments are preferably implemented in software, an implementation in hardware or a combination of software and hardware is also possible and contemplated. It should be noted that the above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
S1, collecting a first log of a first DNS server, wherein the first log comprises a request log and a response log.
S2, collecting the first log with a preset log server and transmitting it through a preset message system to a preset data collection engine for parsing, to obtain a second log, wherein the preset log server comprises an Rsyslog server, the message system comprises a Kafka message system, and the data collection engine comprises a Logstash data collection engine.
S3, detecting preset first domain name information in the second log, wherein the first domain name information comprises a malicious IP address and a malicious domain name, and a resolution request carrying the first domain name information causes resource loss exceeding a preset degree to the first DNS server.
S4, processing the first domain name information with the web front-end page associated with the first DNS server, and generating a configuration file for intercepting resolution requests carrying the first domain name information.
It should be noted that, for specific examples in this embodiment, reference may be made to examples described in the foregoing embodiments and optional implementations, and details of this embodiment are not described herein again.
In some embodiments, the electronic device includes, but is not limited to, a terminal, a computer, or a similar computing device. Taking operation on a terminal as an example, Fig. 4 is a hardware structure block diagram of the terminal of the monitoring method of the DNS server according to the embodiment of the present application. As shown in Fig. 4, the terminal may include one or more (only one shown in Fig. 4) processors 402 (the processor 402 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 404 for storing data, and optionally a transmission device 406 for communication functions and an input-output device 408. It will be understood by those skilled in the art that the structure shown in Fig. 4 is only an illustration and is not intended to limit the structure of the terminal. For example, the terminal may also include more or fewer components than shown in Fig. 4, or have a different configuration than shown in Fig. 4.
The memory 404 may be used to store computer programs, for example, software programs and modules of application software, such as a computer program corresponding to the monitoring method of the DNS server in the embodiment of the present application, and the processor 402 executes the computer programs stored in the memory 404 to execute various functional applications and data processing, that is, to implement the method described above. The memory 404 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 404 may further include memory located remotely from the processor 402, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 406 is used to receive or transmit data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the terminal. In one example, the transmission device 406 includes a Network Interface Controller (NIC) that can be connected to other network devices through a base station so as to communicate with the internet. In another example, the transmission device 406 can be a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In addition, in combination with the monitoring method of the DNS server in the foregoing embodiment, the embodiment of the present application may provide a storage medium to implement. The storage medium has a computer program stored thereon; the computer program, when executed by a processor, implements the monitoring method of the DNS server in any of the above embodiments.
It should be understood by those skilled in the art that various features of the above-described embodiments can be combined in any combination, and for the sake of brevity, all possible combinations of features in the above-described embodiments are not described in detail, but rather, all combinations of features which are not inconsistent with each other should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A monitoring method of a DNS server is characterized by comprising the following steps:
collecting a first log of a first DNS server, wherein the first log comprises a request log and a response log;
collecting the first log with a preset log server, and transmitting the first log through a preset message system to a preset data collection engine for parsing to obtain a second log, wherein the preset log server comprises an Rsyslog server, the message system comprises a Kafka message system, and the data collection engine comprises a Logstash data collection engine;
detecting preset first domain name information in the second log, wherein the first domain name information comprises a malicious IP address and a malicious domain name, and a resolution request carrying the first domain name information causes resource loss exceeding a preset degree to the first DNS server;
processing the first domain name information with a web front-end page associated with the first DNS server, and generating a configuration file for intercepting resolution requests carrying the first domain name information, which comprises: importing the first domain name information into the web front-end page so that the web front-end page generates a Yaml file from the first domain name information, the Yaml file carrying the first domain name information; and the first DNS server generating, from the Yaml file through a central Go module, the configuration file required by its own process, so that a sub-server connected to the first DNS server pulls the configuration file for backup, wherein a Go module is a package dependency management scheme defined by the root directory of a tree of source files that contains a go.mod file, the directory containing the go.mod file also being called the module root; the configuration file comprises a Named.conf file and a Zone file, the Named.conf file is used to set the Named parameters, which point to the information source of the domain database used by the DNS server, and the Zone file is used to describe the authoritative server zone of the first DNS server.
2. The method of claim 1, wherein collecting the log of the first DNS server comprises collecting the response log in at least one of the following ways:
encoding the log of the first DNS server in Dnstap format to obtain data in Dnstap format, and using a listener to capture the response log from the Dnstap data, wherein the listener comprises Fstrm_capture; and/or
capturing the response log from the first DNS server with a packet capturer, wherein the packet capturer comprises Libpcap.
3. The method for monitoring a DNS server according to claim 1, wherein before processing the first domain name information with the web front-end page associated with the first DNS server and generating the configuration file for intercepting resolution requests carrying the first domain name information, the method further includes:
scanning the second log with a preset threat intelligence system to obtain the first domain name information that matches a preset rule, wherein the preset threat intelligence system comprises prestored first domain name information; or
acquiring a running state file of the first DNS server, and extracting from the running state file the first domain name information that the first DNS server has obtained by learning through a machine learning method.
4. The monitoring method of the DNS server according to claim 1, wherein after the first log is collected with the preset log server and transmitted through the preset message system to the preset data collection engine for parsing, and the second log is obtained, the method further comprises:
sending the second log to one of: an Elasticsearch server, a Hive data platform and a Kibana visualization platform.
5. The method for monitoring a DNS server according to claim 1, wherein the first DNS server is built using one of: Bind9 server software, Bundy server software, Dnsmasq server software and Unbound server software.
6. The method for monitoring a DNS server according to claim 1, wherein after processing the first domain name information with the web front-end page associated with the first DNS server and generating the configuration file for intercepting resolution requests carrying the first domain name information, the method further includes:
when the web front-end page detects a malicious IP address or a malicious domain name, handling the resolution request in one of the following ways: rejecting a domain name resolution request originating from the malicious IP address, redirecting the resolution request for the malicious domain name to a preset healthy page, or returning a resolution failure for the resolution request for the malicious domain name.
7. The method for monitoring the DNS server according to claim 1, further comprising:
sending the configuration file to a second DNS server for backup, wherein the first DNS server and the second DNS server are load-balanced with LVS in NAT mode.
8. A monitoring system for a DNS server, comprising: a first DNS server and a monitoring device of a DNS server connected to each other, the monitoring device of the DNS server being configured to execute the monitoring method of the DNS server according to any one of claims 1 to 7.
9. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the computer program to perform the monitoring method of the DNS server according to any one of claims 1 to 7.
10. A storage medium, in which a computer program is stored, wherein the computer program is configured to execute the monitoring method of a DNS server according to any one of claims 1 to 7 when running.
CN202110199426.4A 2021-02-23 2021-02-23 Monitoring method, system, electronic device and storage medium of DNS (Domain name Server) Active CN113014573B (en)
Publications (2)

Publication Number Publication Date
CN113014573A CN113014573A (en) 2021-06-22
CN113014573B true CN113014573B (en) 2023-04-07