CN113542292A - Intranet safety protection method and system based on DNS and IP credit data - Google Patents


Info

Publication number
CN113542292A
Authority
CN
China
Prior art keywords
dns
intranet
server
address
request
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110827024.4A
Other languages
Chinese (zh)
Inventor
白锦龙
蔡朋力
李海亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiang Nan Information Security Beijing Technology Co ltd
Original Assignee
Jiang Nan Information Security Beijing Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Application filed by Jiang Nan Information Security Beijing Technology Co Ltd
Priority to CN202110827024.4A
Publication of CN113542292A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

According to the intranet safety protection method and system based on DNS and IP reputation data, when a DNS request reaches intranet protection equipment, a DNS cache integrated in the intranet protection equipment is queried: if the requested DNS record is inquired in a DNS cache of the intranet protective equipment, the intranet protective equipment carries out DNS response on the terminal user; if the DNS cache of the internal network protection equipment does not inquire the DNS record of the request, the DNS request is forwarded to a DNS server; and receiving domain name resolution and DNS response of the DNS server to the DNS request through the intranet protective equipment, and deleting or reserving the corresponding server IP address according to the IP reputation value query result for each server IP address resource record in the DNS response message when the DNS response passes through the intranet protective equipment. The invention solves the problems of low safety protection accuracy, poor performance and poor robustness of the traditional intranet.

Description

Intranet safety protection method and system based on DNS and IP credit data
Technical Field
The invention relates to the technical field of network security, in particular to an intranet security protection method and system based on DNS and IP reputation data.
Background
Currently, when an intranet user accesses the internet, the security of the servers and applications being accessed is one of the core problems of network security. Faced with new application scenarios represented by virtualization and mobile interconnection technologies, traditional firewall technology based on stateful packet inspection and filtering is increasingly inadequate in its protection capability. Next Generation Firewalls (NGFWs) have been proposed as an upgraded version of traditional firewall technology. NGFWs emphasize application identification as a core concept, but no recognized method has been found for the core problem of "which applications are secure".
In the prior art there is an application control method based on application identification: which applications are safe and which are unsafe is defined in advance, and unsafe applications are then controlled by means of application identification technology. However, current content-based application identification is not accurate, so application control based on its results easily produces false alarms or missed detections. The control granularity is also too coarse: some applications are indeed unsafe in themselves, but more often an application is safe in itself and unsafe only on certain servers or during certain periods, and application control based on application identification cannot express either granularity.
In the prior art, IP addresses on a network are also classified by an "IP reputation database" that indicates which IPs (hosts) are secure and which are not. However, this approach has low performance, because every session requires a lookup of the IP reputation database by IP address. The approach also has poor robustness. Assume that an application P uses three servers with three different external IP addresses A, B and C to provide the service in parallel. Suppose an attacker compromises and takes control of server A, and that server A is exactly the one the DNS server provides to users in zone S as their preferred server. If A is marked in the IP reputation database as "dangerous, access not allowed", a protection system based on the IP reputation database will in practice prevent users in zone S from using service P at all, because when accessing service P those users all select the preferred IP address A provided by the DNS system.
In summary, a new technical solution for intranet security protection is needed.
Disclosure of Invention
Therefore, the invention provides an intranet safety protection method and system based on DNS and IP credit data, and solves the problems of low accuracy and poor performance and robustness of the traditional intranet safety protection.
In order to achieve the above purpose, the invention provides the following technical scheme: an intranet safety protection method based on DNS and IP reputation data comprises the following steps:
receiving a DNS request of a given domain name initiated by a terminal user through an intranet protective device, and inquiring a DNS cache integrated in the intranet protective device when the DNS request reaches the intranet protective device: a) if the requested DNS record is inquired in the DNS cache of the intranet protective equipment, the intranet protective equipment carries out DNS response on the terminal user; b) if the DNS record of the request is not inquired in the DNS cache of the intranet protective equipment, forwarding the DNS request to a DNS server;
receiving domain name resolution and DNS response of a DNS server to the DNS request through an intranet protective device, and when the DNS response passes through the intranet protective device, c) inquiring an IP credit value of each server IP address in an IP credit database for each server IP address resource record in the DNS response message, and deleting or reserving the corresponding server IP address according to an IP credit value inquiry result.
As a preferred scheme of the intranet security protection method based on the DNS and the IP reputation data, d) if all the server IP addresses in the DNS response message are deleted according to the IP reputation value query result, the intranet protection device directly returns a DNS negative response to the end user.
As a preferred scheme of the intranet security protection method based on DNS and IP reputation data, e) sorting server IP address resource records in the reserved DNS reply message from high to low according to the IP reputation value of the reserved server IP address.
As a preferred scheme of the intranet security protection method based on the DNS and IP reputation data, the retained DNS reply message is updated to the DNS cache of the intranet protection device.
As a preferred scheme of the intranet safety protection method based on DNS and IP reputation data, the server IP address with high IP reputation value is preferentially forwarded to the terminal user, and the terminal user accesses the application server according to the received server IP address.
The invention also provides an intranet safety protection system based on DNS and IP credit data, comprising:
the system comprises an intranet protective device and a terminal user, wherein the intranet protective device is used for receiving a DNS request of a given domain name initiated by the terminal user, and inquiring a DNS cache integrated in the intranet protective device when the DNS request reaches the intranet protective device; if the requested DNS record is inquired in the DNS cache of the intranet protective equipment, the intranet protective equipment carries out DNS response on the terminal user;
the DNS server is used for receiving a DNS request forwarded by the intranet protective equipment if a DNS record of the request is not inquired in a DNS cache of the intranet protective equipment; the DNS server resolves the domain name of the DNS request and responds to the DNS;
and the intranet protection equipment receives the DNS response, inquires an IP credit value of each server IP address in an IP credit database for each server IP address resource record in the DNS response message, and deletes or retains the corresponding server IP address according to an IP credit value inquiry result.
As a preferred scheme of the intranet safety protection system based on the DNS and the IP reputation data, if all the server IP addresses in the DNS response message are deleted according to the IP reputation value query result, the intranet protection device directly returns a DNS negative response to the terminal user.
As a preferred scheme of the intranet security protection system based on DNS and IP reputation data, the intranet protection device sorts the server IP address resource records in the retained DNS reply message according to the IP reputation values of the retained server IP addresses from high to low.
As a preferred scheme of the intranet security protection system based on DNS and IP reputation data, the DNS cache of the intranet protection device updates the retained DNS response packet.
As a preferred scheme of an intranet safety protection system based on DNS and IP credit data, the intranet protection equipment preferentially forwards a server IP address with a high IP credit value to an end user, and the end user accesses an application server according to the received server IP address.
The invention has the following advantages: receiving a DNS request of a given domain name initiated by a terminal user through the intranet protective equipment, and inquiring the DNS cache integrated in the intranet protective equipment when the DNS request reaches the intranet protective equipment: a) if the requested DNS record is found in the DNS cache of the intranet protective equipment, the intranet protective equipment carries out the DNS response to the terminal user; b) if the requested DNS record is not found in the DNS cache of the intranet protective equipment, the DNS request is forwarded to a DNS server; receiving domain name resolution and the DNS response of the DNS server to the DNS request through the intranet protective equipment, and when the DNS response passes through the intranet protective equipment, c) inquiring the IP reputation value of each server IP address in an IP reputation database for each server IP address resource record in the DNS response message, and deleting or retaining the corresponding server IP address according to the IP reputation value query result. In the DNS resolution stage, malicious IP addresses are prevented from ever becoming visible to the end user, which improves the overall efficiency of the intranet protection system; if some servers are attacked, the attacked servers are removed and the server that has remained safest is presented to the end user as the first choice; and by using the update and time-out (TTL expiry) characteristics of the DNS system, changes of a server's IP address are sensed in real time, so that the protection adapts automatically.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below. It should be apparent that the drawings in the following description are merely exemplary, and that other embodiments can be derived from the drawings provided by those of ordinary skill in the art without inventive effort.
The structures, ratios, sizes, and the like shown in the present specification are only used for matching with the contents disclosed in the specification, so that those skilled in the art can understand and read the present invention, and do not limit the conditions for implementing the present invention, so that the present invention has no technical significance, and any structural modifications, changes in the ratio relationship, or adjustments of the sizes, without affecting the functions and purposes of the present invention, should still fall within the scope of the present invention.
Fig. 1 is a schematic flow chart of an intranet security protection method based on DNS and IP reputation data according to embodiment 1 of the present invention;
fig. 2 is a schematic diagram of an intranet security protection system based on DNS and IP reputation data according to embodiment 2 of the present invention.
Detailed Description
The present invention is described in terms of particular embodiments; other advantages and features of the invention will become apparent to those skilled in the art from the following disclosure. It is to be understood that the described embodiments are merely exemplary and are not intended to limit the invention to the particular embodiments disclosed. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present invention.
Comparative example
For contrast with the DNS-based application model, assume that service A always uses the domain name service.aaa.com to find the address of its application server, and that its service port is 80. The service model is as follows:
(1) the end user only knows that the domain name of the service is service.aaa.com;
(2) the DNS server resolves the end user's DNS request. Assume that two servers currently provide the application, with IP addresses 1.2.3.4 and 1.2.3.5 respectively. The DNS server orders them by access speed, placing 1.2.3.4 before 1.2.3.5, i.e. 1.2.3.4 is the preferred server;
(3) after the end user obtains the DNS response, the preferred IP address 1.2.3.4 is selected for the service request. Other IP addresses are used only if the service at the preferred IP address is unavailable, but this behaviour is application dependent and is not necessarily handled according to this principle.
Example 1
Referring to fig. 1, embodiment 1 of the present invention provides an intranet security protection method based on DNS and IP reputation data, which is used in a classic gateway firewall deployment manner, and requires that internet traffic and DNS traffic of an end user pass through a gateway at the same time, and includes the following steps:
s1, receiving a DNS request of a given domain name initiated by a terminal user through the intranet protective equipment, and querying a DNS cache integrated in the intranet protective equipment when the DNS request reaches the intranet protective equipment: a) if the requested DNS record is inquired in the DNS cache of the intranet protective equipment, the intranet protective equipment carries out DNS response on the terminal user; b) if the DNS record of the request is not inquired in the DNS cache of the intranet protective equipment, forwarding the DNS request to a DNS server;
s2, receiving domain name resolution and DNS response of the DNS server to the DNS request through the internal network protective equipment, c) inquiring the IP credit value of each server IP address in the IP credit database for each server IP address resource record in the DNS response message when the DNS response passes through the internal network protective equipment, and deleting or reserving the corresponding server IP address according to the IP credit value inquiry result.
In this embodiment, S2 further includes that d) if all the server IP addresses in the DNS reply message are deleted according to the IP reputation value query result, the internal network protection device directly returns a DNS negative reply to the terminal user. S2 further includes e) sorting the resource records of the server IP addresses in the retained DNS reply message from high to low according to the IP reputation value of the retained server IP addresses.
In this embodiment, the method further includes step S3 of updating the retained DNS reply message to the DNS cache of the intranet protection device. And S4, the server IP address with high IP reputation value is forwarded to the terminal user in priority, and the terminal user accesses the application server according to the received server IP address.
In contrast to the DNS-based application model, under the present technical solution the end user first initiates a DNS request for service.aaa.com. When the request reaches the intranet protection device, the device queries its integrated DNS cache, with two possible results:
Result one: if the relevant DNS records are found, the intranet protection device directly performs the DNS response in place of the DNS server, and the DNS request is not sent to the DNS server;
Result two: if no relevant record is found, the intranet protection device forwards the DNS request to the DNS server.
The DNS server performs domain name resolution and replies, giving a DNS reply of 1.2.3.4/1.2.3.5, assuming that the DNS server considers 1.2.3.4 to be the preferred IP address. The DNS reply also goes through the intranet guard. At this time, the protection equipment needs to complete the following operations:
the DNS server performs domain name resolution and replies, giving a DNS reply of 1.2.3.4/1.2.3.5, assuming that the DNS server considers 1.2.3.4 to be the preferred IP address. The DNS reply also goes through the intranet guard.
At this time, the protection equipment needs to complete the following operations:
First, for each server IP address resource record in the DNS reply message (1.2.3.4 and 1.2.3.5 in the example), the IP reputation database is queried in turn. If the query result is "high-risk IP", the DNS resource record for that IP address is deleted from the DNS response message directly; otherwise the IP address is retained.
Second, if all IP addresses have been deleted in the first step, the intranet protection device directly returns a DNS negative response; otherwise, it proceeds to the third step.
Third, after the second step, the IP address resource records in the retained DNS response packet are sorted by IP reputation value from high to low; records with equal reputation values keep their order from the original DNS response packet. In the above example, when the original DNS reply packet passes through the intranet protection device, if reputation(1.2.3.4) < reputation(1.2.3.5), the order of the two in the new DNS reply packet is exchanged according to this principle, and 1.2.3.5 is provided to the end user as the preferred IP address.
Then the processed DNS response message is written to the DNS cache integrated in the intranet protection device and, at the same time, forwarded to the end user. After the end user obtains the DNS resolution result, it accesses the application server at 1.2.3.5:80.
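The following Python model is an added example and is not code from the patent or from the assignee; it implements steps a) to e) of the Disclosure section and S1 to S4 of embodiment 1 as a small gateway object: cache lookup, forwarding to an upstream resolver, per-record reputation lookup, deletion of high-risk records, a negative response when nothing remains, a stable sort by reputation, and caching with TTL expiry. It also reproduces the background section's three-server scenario (compromised server A, healthy B and C) to show that filtering at the DNS stage leaves B and C reachable. The reputation values, the numeric threshold for "high-risk IP", the domain names other than service.aaa.com, and the 192.0.2.x/198.51.100.x addresses are constructed assumptions.

```python
# Added example (not the patent's or the assignee's own code): a model of the
# intranet protection device of embodiment 1. Reputation values, the numeric
# "high-risk" threshold, all domain names except service.aaa.com and the
# 192.0.2.x / 198.51.100.x addresses are constructed assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# The patent names the category "high-risk IP" but gives no numeric threshold;
# this cut-off is an assumption of the example.
HIGH_RISK_THRESHOLD = 30


@dataclass
class ARecord:
    name: str
    ip: str
    ttl: int


@dataclass
class DnsResponse:
    qname: str
    records: List[ARecord]
    negative: bool = False   # True models the "DNS negative response" of step d)


class ProtectionDevice:
    """Gateway that answers from its DNS cache, or forwards upstream and
    filters/sorts the answer by IP reputation before caching and replying."""

    def __init__(self, reputation_db: Dict[str, int],
                 upstream: Callable[[str], DnsResponse],
                 clock: Callable[[], float]):
        self.reputation_db = reputation_db
        self.upstream = upstream
        self.clock = clock                      # injectable so TTL expiry is testable
        self.cache: Dict[str, Tuple[float, DnsResponse]] = {}

    def reputation(self, ip: str) -> int:
        # Addresses absent from the database get a neutral score (assumption).
        return self.reputation_db.get(ip, 50)

    def filter_response(self, resp: DnsResponse) -> DnsResponse:
        # Step c): query the reputation of every A record; drop high-risk ones.
        kept = [r for r in resp.records
                if self.reputation(r.ip) >= HIGH_RISK_THRESHOLD]
        # Step d): nothing left -> negative response instead of an empty answer.
        if not kept:
            return DnsResponse(resp.qname, [], negative=True)
        # Step e): highest reputation first. list.sort is stable (also with
        # reverse=True), so equal reputations keep the original answer order.
        kept.sort(key=lambda r: self.reputation(r.ip), reverse=True)
        return DnsResponse(resp.qname, kept)

    def resolve(self, qname: str) -> Tuple[DnsResponse, str]:
        """Returns (response, source) where source is 'cache' or 'upstream'."""
        now = self.clock()
        hit = self.cache.get(qname)
        if hit is not None and hit[0] > now:          # step a): cache hit
            return hit[1], "cache"
        filtered = self.filter_response(self.upstream(qname))  # step b) + c)-e)
        if not filtered.negative:                     # step S3: cache the kept answer
            expires = now + min(r.ttl for r in filtered.records)
            self.cache[qname] = (expires, filtered)
        return filtered, "upstream"


# --- constructed sample data (not from the patent) ---------------------------
SAMPLE_REPUTATION = {
    "1.2.3.4": 60,       # patent's example: reputation(1.2.3.4) < reputation(1.2.3.5)
    "1.2.3.5": 90,
    "192.0.2.1": 5,      # "server A" of the background section: compromised
    "192.0.2.2": 70,     # server B
    "192.0.2.3": 70,     # server C, same reputation as B (tests stable ordering)
    "198.51.100.9": 10,  # only address of a name whose every server is high-risk
}


def sample_upstream(qname: str) -> DnsResponse:
    """Stands in for the DNS server; returns a fresh answer on every call."""
    answers = {
        "service.aaa.com": ["1.2.3.4", "1.2.3.5"],
        "p.example":       ["192.0.2.1", "192.0.2.2", "192.0.2.3"],
        "bad.example":     ["198.51.100.9"],
    }
    return DnsResponse(qname, [ARecord(qname, ip, 300) for ip in answers.get(qname, [])])


def build_device(clock: Callable[[], float]) -> ProtectionDevice:
    return ProtectionDevice(SAMPLE_REPUTATION, sample_upstream, clock)


def preferred_ip(qname: str, device: ProtectionDevice):
    """The address the end user tries first (step S4), or None on a negative reply."""
    resp, _ = device.resolve(qname)
    return None if resp.negative else resp.records[0].ip


if __name__ == "__main__":
    dev = build_device(lambda: 0.0)
    print(preferred_ip("service.aaa.com", dev))   # 1.2.3.5
    print(preferred_ip("p.example", dev))         # 192.0.2.2
    print(preferred_ip("bad.example", dev))       # None
```

The cache entry expires after the smallest TTL in the kept answer, so a subsequent query for the same name goes back upstream and is re-scored; that is the mechanism the patent relies on to pick up server IP changes without per-session reputation lookups. Note that a negative response is deliberately not cached here, so a name whose servers were all high-risk is re-evaluated on the next request.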
In summary, the present invention receives, through the intranet protective device, a DNS request of a given domain name initiated by a terminal user, and when the DNS request reaches the intranet protective device, queries a DNS cache integrated in the intranet protective device: a) if the requested DNS record is found in the DNS cache of the intranet protective equipment, the intranet protective equipment carries out the DNS response to the terminal user; b) if the requested DNS record is not found in the DNS cache of the intranet protective equipment, the DNS request is forwarded to a DNS server; receiving domain name resolution and the DNS response of the DNS server to the DNS request through the intranet protective equipment, and when the DNS response passes through the intranet protective equipment, c) inquiring the IP reputation value of each server IP address in an IP reputation database for each server IP address resource record in the DNS response message, and deleting or retaining the corresponding server IP address according to the IP reputation value query result. In the DNS resolution stage, malicious IP addresses are prevented from ever becoming visible to the end user, which improves the overall efficiency of the intranet protection system; if some servers are attacked, the attacked servers are removed and the server that has remained safest is presented to the end user as the first choice; and by using the update and time-out (TTL expiry) characteristics of the DNS system, changes of a server's IP address are sensed in real time, so that the protection adapts automatically.
Example 2
Referring to fig. 2, embodiment 2 of the present invention further provides an intranet security protection system based on DNS and IP reputation data, including:
the system comprises an intranet protective device 1, a DNS cache and a DNS server, wherein the intranet protective device 1 is used for receiving a DNS request of a given domain name initiated by a terminal user 2, and inquiring the DNS cache integrated in the intranet protective device 1 when the DNS request reaches the intranet protective device 1; if the requested DNS record is queried in the DNS cache of the intranet protective device 1, the intranet protective device 1 performs DNS response to the terminal user 2;
a DNS server 3, configured to receive a DNS request forwarded by the intranet protection device 1 if a DNS record of the request is not queried in a DNS cache of the intranet protection device 1; the DNS server 3 resolves the domain name of the DNS request and responds to the DNS;
the intranet protective equipment 1 receives the DNS response, the intranet protective equipment 1 inquires an IP reputation value of each server IP address in an IP reputation database for each server IP address resource record in the DNS response message, and deletes or retains the corresponding server IP address according to an IP reputation value inquiry result.
In this embodiment, if all the server IP addresses in the DNS reply message are deleted according to the IP reputation value query result, the intranet protection device 1 directly returns a DNS negative reply to the terminal user 2.
In this embodiment, the intranet protection device 1 sorts the server IP address resource records in the reserved DNS reply message from high to low according to the IP reputation value of the reserved server IP address.
In this embodiment, the DNS cache of the intranet protection device 1 updates the retained DNS reply message.
In this embodiment, the intranet protection device 1 preferentially forwards the server IP address with a high IP reputation value to the end user 2, and the end user 2 accesses the application server according to the received server IP address.
The specific implementation of the intranet security protection system based on DNS and IP reputation data is the same as the intranet security protection method based on DNS and IP reputation data in embodiment 1.
Example 3
Embodiment 3 of the present invention provides a computer-readable storage medium, where a program code of an intranet security protection method based on DNS and IP reputation data is stored in the computer-readable storage medium, where the program code includes an instruction for executing the intranet security protection method based on DNS and IP reputation data in embodiment 1 or any possible implementation manner of the intranet security protection method.
The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, a data center, etc., that incorporates one or more of the available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., Solid State Disk (SSD)), among others.
Example 4
Embodiment 4 of the present invention provides an electronic device, where the electronic device includes a processor, the processor is coupled to a storage medium, and when the processor executes an instruction in the storage medium, the electronic device is enabled to execute the intranet security protection method based on DNS and IP reputation data according to embodiment 1 or any possible implementation manner thereof.
Specifically, the processor may be implemented by hardware or software, and when implemented by hardware, the processor may be a logic circuit, an integrated circuit, or the like; when implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory, which may be integrated in the processor, located external to the processor, or stand-alone.
In the above embodiments, the implementation may be realized wholly or partially by software, hardware, firmware, or any combination thereof. When implemented in software, it may be realized in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, they cause the processes or functions described in accordance with the embodiments of the invention to occur, in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored in a computer readable storage medium or transmitted from one computer readable storage medium to another, for example, from one website, computer, server, or data center to another website, computer, server, or data center via a wired (e.g., coaxial cable, fiber optic, Digital Subscriber Line (DSL)) or wireless (e.g., infrared, radio, microwave) link.
It will be apparent to those skilled in the art that the modules or steps of the present invention described above may be implemented by a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and alternatively, they may be implemented by program code executable by a computing device, such that they may be stored in a storage device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple ones of them may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
Although the invention has been described in detail above with reference to a general description and specific examples, it will be apparent to one skilled in the art that modifications or improvements may be made thereto based on the invention. Accordingly, such modifications and improvements are intended to be within the scope of the invention as claimed.

Claims (10)

1. An intranet security protection method based on DNS and IP reputation data, comprising the following steps:
receiving, through an intranet protection device, a DNS request for a given domain name initiated by an end user, and querying the DNS cache integrated in the intranet protection device when the DNS request reaches the device: a) if the requested DNS record is found in the DNS cache of the intranet protection device, the intranet protection device sends the DNS reply to the end user; b) if the requested DNS record is not found in the DNS cache of the intranet protection device, forwarding the DNS request to a DNS server;
receiving, through the intranet protection device, the DNS server's domain name resolution and DNS reply to the DNS request, and, when the DNS reply passes through the intranet protection device, c) querying an IP reputation database for the IP reputation value of each server IP address in each server IP address resource record of the DNS reply message, and deleting or retaining the corresponding server IP address according to the result of the IP reputation value query.
2. The intranet security protection method based on DNS and IP reputation data according to claim 1, further comprising d) if all server IP addresses in the DNS reply message are deleted according to the result of the IP reputation value query, the intranet protection device directly returns a DNS negative reply to the end user.
3. The intranet security protection method based on DNS and IP reputation data according to claim 2, further comprising e) sorting the server IP address resource records in the retained DNS reply message from high to low according to the IP reputation value of the retained server IP addresses.
4. The intranet security protection method based on DNS and IP reputation data according to claim 3, wherein the retained DNS reply message is updated into the DNS cache of the intranet protection device.
5. The intranet security protection method based on DNS and IP reputation data according to claim 3, wherein a server IP address with a high IP reputation value is forwarded to the end user preferentially, and the end user accesses the application server according to the received server IP address.
6. An intranet security protection system based on DNS and IP reputation data, comprising:
an intranet protection device and an end user, wherein the intranet protection device is used to receive a DNS request for a given domain name initiated by the end user and to query the DNS cache integrated in the intranet protection device when the DNS request reaches the device; if the requested DNS record is found in the DNS cache of the intranet protection device, the intranet protection device sends the DNS reply to the end user;
a DNS server, used to receive the DNS request forwarded by the intranet protection device if the requested DNS record is not found in the DNS cache of the intranet protection device; the DNS server resolves the domain name in the DNS request and sends the DNS reply;
and the intranet protection device receives the DNS reply, queries an IP reputation database for the IP reputation value of each server IP address in each server IP address resource record of the DNS reply message, and deletes or retains the corresponding server IP address according to the result of the IP reputation value query.
7. The intranet security protection system based on DNS and IP reputation data according to claim 6, wherein, if all server IP addresses in the DNS reply message are deleted according to the result of the IP reputation value query, the intranet protection device directly returns a DNS negative reply to the end user.
8. The intranet security protection system based on DNS and IP reputation data according to claim 7, wherein the intranet protection device sorts the server IP address resource records in the retained DNS reply message from high to low according to the IP reputation value of the retained server IP addresses.
9. The intranet security protection system based on DNS and IP reputation data according to claim 8, wherein the DNS cache of the intranet protection device is updated with the retained DNS reply message.
10. The intranet security protection system based on DNS and IP reputation data according to claim 9, wherein the intranet protection device preferentially forwards a server IP address with a high IP reputation value to the end user, and the end user accesses the application server according to the received server IP address.
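The procedure of claims 1 to 5 (restated as a system in claims 6 to 10), as an added example that is not part of the patent: a Python model of the protection device's cache check, the reputation filtering of each server IP resource record, the negative reply when every record is deleted, the high-to-low ordering and the cache update. The reputation database, the threshold of 50, the treatment of unlisted addresses as untrusted and the sample domains and addresses are assumptions of this example.

```python
from dataclasses import dataclass, field

REPUTATION_THRESHOLD = 50  # assumed cutoff: addresses scoring below it are deleted

# Constructed IP reputation database (higher score = more trustworthy).
IP_REPUTATION_DB = {"203.0.113.10": 90, "203.0.113.20": 65,
                    "198.51.100.5": 10, "198.51.100.6": 5}

@dataclass
class DnsReply:
    qname: str
    addresses: list          # server IP address resource records (A records)
    negative: bool = False   # True = DNS negative reply to the end user (step d)

@dataclass
class IntranetGuard:
    reputation_db: dict
    threshold: int = REPUTATION_THRESHOLD
    cache: dict = field(default_factory=dict)  # DNS cache integrated in the device

    def lookup(self, qname, upstream):
        # Steps a/b: reply from cache if the record is there, else forward upstream
        if qname in self.cache:
            return self.cache[qname]
        return self.filter_reply(upstream(qname))

    def filter_reply(self, reply):
        # Step c: look up every server IP's reputation; an unlisted IP scores 0
        # (treating unknown addresses as untrusted is an assumption of this example)
        scored = [(self.reputation_db.get(ip, 0), ip) for ip in reply.addresses]
        kept = [pair for pair in scored if pair[0] >= self.threshold]
        if not kept:
            # Step d: every address deleted -> negative reply; nothing is cached
            return DnsReply(reply.qname, [], negative=True)
        # Step e: order retained records high to low so the end user receives
        # the highest-reputation server address first (claim 5)
        kept.sort(key=lambda pair: pair[0], reverse=True)
        filtered = DnsReply(reply.qname, [ip for _, ip in kept])
        self.cache[reply.qname] = filtered  # claim 4: cache only the retained reply
        return filtered

def constructed_upstream(qname):
    # Stand-in for the DNS server; these answers are constructed sample records
    answers = {"app.example.com": ["198.51.100.5", "203.0.113.20", "203.0.113.10"],
               "bad.example.com": ["198.51.100.5", "198.51.100.6"]}
    return DnsReply(qname, answers.get(qname, []))
```

A second lookup of the same name is served from the device cache without contacting the DNS server, while a name whose every address was deleted is never cached, so it is re-evaluated on the next request.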

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110827024.4A CN113542292A (en) 2021-07-21 2021-07-21 Intranet safety protection method and system based on DNS and IP credit data

Publications (1)

Publication Number Publication Date
CN113542292A true CN113542292A (en) 2021-10-22

Family

ID=78088567

Country Status (1)

Country Link
CN (1) CN113542292A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101257450A (en) * 2008-03-28 2008-09-03 华为技术有限公司 Network safety protection method, gateway equipment, client terminal as well as network system
CN103685318A (en) * 2013-12-31 2014-03-26 山石网科通信技术有限公司 Data processing method and device for protecting network security
US20160072847A1 (en) * 2010-03-18 2016-03-10 Nominum, Inc. Internet mediation
CN108512813A (en) * 2017-02-27 2018-09-07 百度在线网络技术(北京)有限公司 For preventing the shielded device and method of information

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114285835A (en) * 2021-12-30 2022-04-05 北京天融信网络安全技术有限公司 HTTP request data processing method and system
CN114285835B (en) * 2021-12-30 2024-04-19 北京天融信网络安全技术有限公司 HTTP request data processing method and system
CN115297088A (en) * 2022-08-03 2022-11-04 中电云数智科技有限公司 Domain name resolution system and method in cloud computing environment
CN117201092A (en) * 2023-08-29 2023-12-08 江南信安(北京)科技有限公司 Intranet DNS (Domain name System) safety protection method and device, storage medium and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20211022