CN114285821A - Domain name resolution method, device, electronic equipment, storage medium and product - Google Patents

Info

Publication number: CN114285821A
Application number: CN202111364551.2A
Authority: CN (China)
Prior art keywords: domain name, address, name resolution, resolution request, application list
Legal status: Pending (as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Inventor: 任博涛
Current assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Original assignee: Qax Technology Group Inc; Secworld Information Technology Beijing Co Ltd
Application filed by Qax Technology Group Inc and Secworld Information Technology Beijing Co Ltd
Priority to CN202111364551.2A
Publication of CN114285821A

Classification (Landscapes): Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a domain name resolution method, apparatus, electronic device, storage medium and program product applied to a terminal device. The method comprises: obtaining a domain name resolution request initiated by a user and querying the requested domain name in a preset domain name application list; the list contains the domain names of the applications the user is authorized to access; when the domain name in the request is present in the list, determining the target IP address corresponding to that domain name and returning it as the resolution result. The method runs on the user terminal as a local DNS service listening on a local port, which steers the traffic of trusted applications to the trusted application proxy, thereby speeding up application access, allowing access to be controlled dynamically, and keeping it secure.

Description

Domain name resolution method, device, electronic equipment, storage medium and product
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method and an apparatus for domain name resolution, an electronic device, a storage medium, and a product.
Background
With the rapid development of the mobile internet, requirements for secure application access keep rising, and securing access to business systems has become especially important.
In the prior art, the trusted proxy is the data-plane component of a zero-trust architecture: it is the first gateway guarding access to business services and the policy enforcement point that provides dynamic access control. Its concrete product form varies widely with the deployment scenario.
Today a trusted application proxy can only proxy access to an application if every application to be proxied has its domain name resolve to the trusted application proxy server. Two implementations are common. The first is to modify the DNS records of each application individually so that every proxied application domain resolves to the IP address of the trusted application proxy server; this is hard to maintain once there are many applications, and because resolvers in different regions refresh their caches at different times, a changed record can take a long time to take effect everywhere. The second is to point a wildcard domain at the trusted application proxy server; this only works when all proxied application domains share the same suffix, and once the record is live every domain under that suffix is sent to the proxy, so access cannot be controlled per application, which degrades the user experience.
Disclosure of Invention
The invention provides a domain name resolution method, apparatus, electronic device, storage medium and program product to solve the problems of the prior art, namely that changes to application access take effect slowly and that application access cannot be controlled at fine granularity, thereby speeding up application access and ensuring its timeliness and security.
In a first aspect, the present invention provides a domain name resolution method, applied to a terminal device, including:
acquiring a domain name resolution request input by a user;
according to the domain name resolution request, domain name query is carried out in a preset domain name application list; the domain name application list comprises domain names corresponding to authorized applications;
and under the condition that the domain name included in the domain name resolution request exists in the domain name application list, determining a target IP address corresponding to the domain name, and taking the target IP address as a resolution result of the domain name resolution request.
Further, according to the domain name resolution method provided by the present invention, the determining the target IP address corresponding to the domain name includes:
determining the IP address of the zero-trust trusted application proxy server as the target IP address corresponding to the domain name.
Further, according to the domain name resolution method provided by the present invention, the determining the target IP address corresponding to the domain name includes:
determining a first IP address of the domain name according to the domain name; wherein the first IP address of the domain name is a different IP address than the second IP address of the domain name stored in the DNS server;
and determining the first IP address of the domain name as a target IP address corresponding to the domain name.
Further, according to the domain name resolution method provided by the present invention, the method further comprises:
acquiring identification information of a user;
correspondingly, the determining a target IP address corresponding to the domain name when the domain name included in the domain name resolution request exists in the domain name application list includes:
and under the condition that the domain name included in the domain name resolution request exists in the domain name application list, determining a target IP address corresponding to the domain name based on the identification information of the user.
Further, according to the domain name resolution method provided by the present invention, after the domain name is queried in a preset domain name application list according to the domain name resolution request, the method further includes:
forwarding the domain name resolution request to a DNS server when the domain name included in the request does not exist in the domain name application list, so as to obtain a second IP address of that domain name.
Further, according to the domain name resolution method provided by the present invention, before the obtaining of the domain name resolution request input by the user, the method includes:
receiving the domain name application list;
the domain name application list being generated in the zero-trust trusted access console by mapping the domain name of each of the user's applications to its IP address.
In a second aspect, the present invention further provides a domain name resolution apparatus, including:
the acquisition module is used for acquiring a domain name resolution request input by a user;
the query module is used for performing domain name query in a preset domain name application list according to the domain name resolution request; the domain name application list comprises domain names corresponding to authorized applications;
a determining module, configured to determine a target IP address corresponding to the domain name when the domain name included in the domain name resolution request exists in the domain name application list, and use the target IP address as a resolution result of the domain name resolution request.
In a third aspect, the present invention also provides an electronic device, including:
a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the steps of the domain name resolution method as described in any one of the above.
In a fourth aspect, the present invention also provides a non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the steps of the domain name resolution method as described above.
In a fifth aspect, the present invention also provides a computer program product comprising a computer program which, when executed by a processor, performs the steps of the domain name resolution method according to any of the above.
The invention provides a domain name resolution method, apparatus, electronic device, storage medium and program product applied to a terminal device. By providing a local DNS service that listens on a local port of the user terminal, application traffic is steered to the trusted application proxy, which speeds up application access, allows it to be controlled dynamically, and ensures its timeliness and security.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
FIG. 1 is a schematic flow diagram of a domain name resolution process in the prior art;
FIG. 2 is a schematic flow chart of a domain name resolution method according to the present invention;
FIG. 3 is an exemplary diagram of a domain name resolution method according to the present invention;
FIG. 4 is a schematic structural diagram of a domain name resolution apparatus according to the present invention;
FIG. 5 is a schematic structural diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flow chart of domain name resolution in the prior art. As shown in fig. 1, domain names are conventionally resolved by DNS servers, which include the regional DNS server, the global root DNS servers, the top-level DNS servers and the authoritative DNS servers. The DNS server configured on the client computer is the regional DNS server (the recursive resolver); on receiving a domain name resolution request it obtains the result from the authoritative DNS server, returns it to the user, and caches it for the TTL carried in the result. The regional DNS server is normally provided by the network service provider, but may also be changed to a public DNS service as required.
In the prior art, resolving a domain name to its IP address takes roughly the following steps:
1. The user terminal sends a domain name resolution request to the regional DNS server.
2. The regional DNS server first queries a global root DNS server, which returns the address of the top-level DNS server for the requested domain.
3. The regional DNS server queries that top-level DNS server, which returns the address of the authoritative DNS server for the requested domain.
4. The regional DNS server queries the authoritative DNS server, which returns the IP address of the requested domain name.
For example, resolving the domain name a.com proceeds as follows:
(1) the user terminal asks the regional DNS server what the IP address of a.com is;
(2) the regional DNS server asks a global root DNS server what the IP address of a.com is, and the root server answers: the top-level DNS server managing the com domain is xxx;
(3) the regional DNS server asks the com top-level DNS server what the IP address of a.com is, and it answers: the authoritative DNS server managing a.com is xxx;
(4) the regional DNS server asks the authoritative DNS server what the IP address of a.com is, and it answers: the IP address is XXXX.
Throughout this process the interaction is only between the regional DNS server and the other DNS servers; nothing in it controls application access dynamically, and a changed record reaches the user only after the caches along the path expire, so the user obtains the IP address corresponding to the domain name with poor timeliness.
Fig. 2 is a schematic flow chart of a domain name resolution method provided by the present invention, and as shown in fig. 2, the domain name resolution method provided by the present invention is applied to a terminal device, and includes the following steps:
step 201: and acquiring a domain name resolution request input by a user.
In this embodiment, a domain name resolution request initiated on a user terminal device is obtained, where the domain name resolution request includes domain name information to be requested, and the domain name information may be a.com or b.com, and may be specifically set according to an actual need of a user, and is not specifically limited herein.
Before the domain name resolution request from the user is obtained, a local DNS service must be installed on the terminal device to carry out the steps of the method. The Domain Name System (DNS) is an internet service that acts as a distributed database mapping domain names to IP addresses so that users can reach the internet more conveniently; a DNS service normally listens on port 53 over both TCP and UDP.
Step 202: according to the domain name resolution request, domain name query is carried out in a preset domain name application list; the domain name application list comprises domain names corresponding to authorized applications.
In this embodiment the domain name to be queried is extracted from the obtained domain name resolution request and looked up in a preset domain name application list. The list is held by the local DNS service and contains the domain names of all authorized applications, that is, of every application the user has permission to access; these may include domain names that a conventional public DNS server does not resolve at all.
Step 203: and under the condition that the domain name included in the domain name resolution request exists in the domain name application list, determining a target IP address corresponding to the domain name, and taking the target IP address as a resolution result of the domain name resolution request.
In this embodiment, if the domain name taken from the request obtained in step 201 exists in the domain name application list of the local DNS service on the terminal device, the target IP address corresponding to that domain name is read from the list and used as the resolution result. The target IP address recorded in the list may be the intranet IP address of the application or the IP address of the zero-trust trusted application proxy server; by answering with that address the local DNS service steers the application's traffic to the intranet or to the proxy server respectively. The target IP address can be configured as required and is not limited here.
For example, if the domain name a.com taken from the request is in the list, the IP address mapped to it in the list, say 12.12.12.12, is returned as the resolution result, and the application's traffic is steered to the corresponding intranet service or zero-trust trusted proxy server.
The virtual local DNS service on the user terminal is built as a reverse proxy. Although the local DNS service sits between the user and the real target server, to the user it is indistinguishable from the target server: the user obtains the target server's resources by talking to the local DNS service directly. A reverse proxy in this position can also act as an application-layer firewall and offer some protection against web-based attacks on the proxied sites.
When the virtual local DNS service is used for traffic steering, the way the terminal is pointed at it differs by platform: on Linux and macOS the nameserver entry in /etc/resolv.conf is changed, on Windows the DNS server property of the network adapter is changed; in every case the regional DNS server the user originally had configured is replaced by the local DNS service provided by the invention. The local DNS service then acts as an intermediary: a domain name resolution request from the terminal goes first to the local DNS service; if the domain name is in the domain name application list, the corresponding target IP address is returned directly, otherwise the local DNS service forwards the request to the regional DNS server, which continues the query.
The domain name resolution method of the invention runs on the terminal device: the domain name taken from the obtained request is looked up in a preset domain name application list, and when it is found the corresponding target IP address is determined and returned as the resolution result. By installing a local DNS service that listens on a local port of the user terminal, application traffic is steered to the trusted application proxy, which speeds up application access, enables dynamic control over it, and ensures its timeliness and security.
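As an added example (not code from the patent or from its assignees), the following Python sketch implements the split described in steps 201 to 203 and in the intermediary flow above: a resolver on the loopback address parses an A query from DNS wire format, answers from the domain name application list when the name is present, and otherwise forwards the untouched query to the regional DNS server. The list entries, the short TTL and the upstream address 198.51.100.53 are assumptions chosen for the illustration.

```python
"""Added example: a minimal local DNS responder that answers listed names from the
domain name application list and forwards everything else upstream. Not the patent's code."""
import socket
import struct

# Constructed sample domain application list (not from the patent): a.com and b.com are
# proxied applications steered to the zero-trust trusted application proxy at 2.2.2.2,
# c.com is an intranet application with an intranet address.
APP_LIST = {
    "a.com": "2.2.2.2",
    "b.com": "2.2.2.2",
    "c.com": "192.168.2.2",
}
LOCAL_TTL = 5                       # short TTL so a list update takes effect quickly (assumption)
LISTEN = ("127.0.0.1", 53)          # loopback address and port the local DNS service listens on
UPSTREAM = ("198.51.100.53", 53)    # placeholder for the user's original regional DNS server (assumption)


def encode_name(name: str) -> bytes:
    """Encode a dotted domain name as a sequence of DNS labels."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg: bytes, offset: int):
    """Decode uncompressed labels starting at offset; return (lower-cased name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question name")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), offset


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a standard A/IN query with RD set (used here only to make sample input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_query(pkt: bytes):
    """Return (txid, qname, qtype, qclass, question_bytes) of a single-question message."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return txid, qname, qtype, qclass, pkt[12:off + 4]


def build_answer(txid: int, question: bytes, ip: str, ttl: int = LOCAL_TTL) -> bytes:
    """Build a response carrying the question and one A record pointing at ip."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    # The owner name is a compression pointer (0xC00C) back to the question name at offset 12.
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def handle(pkt: bytes, app_list=APP_LIST):
    """Steps 202/203: answer locally when the name is in the list; otherwise return
    None so the caller forwards the unmodified query to the regional DNS server."""
    txid, qname, qtype, qclass, question = parse_query(pkt)
    if qtype == 1 and qclass == 1 and qname in app_list:
        return build_answer(txid, question, app_list[qname])
    return None


def answer_ip(resp: bytes) -> str:
    """Read the A record address out of a response produced by build_answer."""
    return socket.inet_ntoa(resp[-4:])


def forward(pkt: bytes, upstream=UPSTREAM, timeout: float = 2.0) -> bytes:
    """Relay a query to the regional DNS server over UDP and return its raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, upstream)
        return s.recv(4096)


def serve():
    """Listen on the loopback address and split traffic as the method describes (port 53 needs root)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(LISTEN)
        while True:
            pkt, client = sock.recvfrom(4096)
            resp = handle(pkt)
            sock.sendto(resp if resp is not None else forward(pkt), client)


if __name__ == "__main__":
    serve()
```

The packet helpers can be exercised without any network by feeding build_query() output to handle(). Two caveats a deployment has to address: only A queries are answered locally here, so an AAAA query for a listed name would be forwarded and could hand back the application's public IPv6 address, defeating the steering; and a real service must also answer over TCP and handle truncation, which this sketch leaves to the upstream.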
In another embodiment of the present invention, the determining the target IP address corresponding to the domain name includes:
determining the IP address of the zero-trust trusted application proxy server as the target IP address corresponding to the domain name.
In this embodiment, when the domain name exists in the domain name application list, the IP address of the zero-trust trusted application proxy server is determined as the target IP address corresponding to the domain name.
The user obtains the domain name application list after login authentication succeeds; the mappings in the list include mappings from a domain name to the IP address of the zero-trust trusted application proxy server, and several domain names may map to the same proxy server address. For example, if the proxy server's IP address is 2.2.2.2, the list obtained after authentication may contain three entries: a.com:2.2.2.2, b.com:2.2.2.2 and c.com:192.168.2.2, where a.com and b.com are authorized applications behind the trusted proxy, so their domain names map to the proxy server's IP address, and c.com is an intranet application whose domain name maps to its intranet address.
Zero trust is a new generation of network security concept whose key idea is to break the default "trust": in essence "never trust, always verify". No person, device or system inside or outside the enterprise network is trusted by default; the basis of access control is rebuilt on identity authentication and authorization so that identity, device, application and link are each established as trusted. The trusted proxy is the data-plane component of a zero-trust architecture, the first gateway guarding access to business services and the policy enforcement point for dynamic access control.
For the zero-trust trusted application proxy server to proxy access to an application, every application to be proxied must have its domain name resolve to the proxy server's IP address. In this embodiment the proxy server's IP address is therefore determined as the target IP address of the domain name, so that application access is steered to the zero-trust trusted application proxy server and every request passes through its access control.
For example, the domain name taken from the request is a.com, the IP address of the zero-trust trusted proxy server is 2.2.2.2, and the original public IP address of a.com is 1.1.1.1. With the prior-art query path a change to that record takes time to propagate; in the domain name application list of the local DNS service in this embodiment, the proxy address 2.2.2.2 is mapped to a.com and returned immediately as the target IP address, so the application's traffic goes straight to the gateway and the domain name is resolved quickly.
By determining the IP address of the zero-trust trusted application proxy server as the target IP address of the domain name, the method ensures the timeliness and security of application access and improves the user experience.
In another embodiment of the present invention, the determining the target IP address corresponding to the domain name includes:
determining a first IP address of the domain name according to the domain name; wherein the first IP address of the domain name is a different IP address than the second IP address of the domain name stored in the DNS server;
and determining the first IP address of the domain name as a target IP address corresponding to the domain name.
In this embodiment the first IP address is the intranet IP address of the domain name, and the second IP address is the public IP address of the domain name stored in the DNS server. The first IP address is determined from the domain name application list of the local DNS service according to the domain name and used as the target IP address. The first IP address differs from the second IP address stored in the DNS server: the two belong to different networks. The specific configuration can be set as required and is not limited here.
Note that, besides the IP address of its network card, every terminal also has a virtual loopback address in the 127.0.0.0/8 range, which belongs to the terminal itself; the local DNS service of this embodiment listens on port 53 of such a 127.x.x.x loopback address to provide DNS resolution to the terminal.
The domain names resolved this way are generally intranet domain names, resolved by the local DNS service to the first IP address. A user who has not logged in to the zero-trust trusted client of the invention cannot resolve these intranet domain names over the internet.
By taking the first IP address determined from the domain name application list of the local DNS service as the target IP address, a user accessing the intranet obtains the address quickly from the local mapping, which improves the timeliness of application access and protects the user's domain names from hijacking.
In another embodiment of the invention, the method further comprises:
acquiring identification information of a user;
correspondingly, the determining a target IP address corresponding to the domain name when the domain name included in the domain name resolution request exists in the domain name application list includes:
and under the condition that the domain name included in the domain name resolution request exists in the domain name application list, determining a target IP address corresponding to the domain name based on the identification information of the user.
In this embodiment, different domain name resolution policies also need to be determined for different users. In this embodiment, identification information of a user is obtained, where the identification information refers to a mark for distinguishing different user information, for example, a user 1 is represented by a, and a user 2 is represented by B. When a domain name included in a domain name resolution request exists in a domain name application list in the local DNS service, a target IP address corresponding to the domain name is determined based on the identification information of the user.
It should be noted that the domain name application list in the local DNS service includes each domain name information and IP address information corresponding to each domain name, and the domain name application list information to which the user has been authorized can be determined based on the identification information of the user, and then the target IP address corresponding to the domain name is determined according to the mapping relationship in the domain name application list. If the identification information of the user 1 is set as a and the identification information of the user 2 is set as B, judging and determining a domain name application list 1 of the user 1 corresponding to the identification a in the gateway: a, com:2.2.2.2, B, com:2.2.2 and c, com:192.168.2.2, and the domain name application list 2 for the user 2 corresponding to the identifier B is: com:2.2.2.2 and c.com: 192.168.2.2. Com, if the domain name b.is to be accessed after the identification information of the user 2 is determined, obtaining that the domain name does not have a corresponding IP address according to the mapping relation in the domain name application list, and the user 2 cannot access the application; com, if the domain name c.is to be accessed, the corresponding IP address 192.168.2.2 is determined to be the target IP address corresponding to the domain name.
It should be noted that, the same domain name may also resolve different IP addresses, each domain name corresponds to at least one IP address, and each IP address corresponds to only one domain name, that is, the IP addresses corresponding to the same domain name 1 are different, for example, in the gateway, based on the identification information of the user, it is determined that the domain name application list of the user 1 includes the domain name 1, and the domain name application list of the user 2 also includes the domain name 1, but the IP address of the domain name 1 in the domain name application list of the user 1 is the IP address 1, and the IP address of the domain name 1 in the domain name application list of the user 2 is the IP address 2, and the IP addresses corresponding to the same domain name are different. The mapping relationship between the domain name and the IP address may be specifically set according to actual needs, and is not specifically limited herein.
For example, in scenario one, the gateway determines that domain name application list 1 obtained by user 1 is a.com:2.2.2.2, b.com:2.2.2 and c.com:192.168.2.2, and that domain name application list 2 obtained by user 2 is a.com:3.3.3.3 and c.com:192.168.2.2, so that user 1 and user 2 reach the same application through different trusted application proxies, which provides load balancing. In scenario two, the gateway determines that domain name application list 1 obtained by user 1 is c.com:192.168.2.2 and domain name application list 2 obtained by user 2 is c.com:192.168.2.3; different users obtain different IP addresses for the same application, so DNS load balancing can be provided for the application.
According to the domain name resolution method provided by the embodiment of the invention, the identification information of the user is acquired, and then the target IP address corresponding to the domain name is determined based on the identification information of the user under the condition that the domain name included in the domain name resolution request exists in the domain name application list, so that the purpose of load balancing and sensitive application hiding can be realized, and the diversified demand scene of an enterprise can be met.
In another embodiment of the present invention, after the performing domain name query in a preset domain name application list according to the domain name resolution request, the method further includes:
forwarding the domain name resolution request to a DNS server when the domain name included in the domain name resolution request does not exist in the domain name application list, so as to obtain a second IP address of the domain name included in the domain name resolution request.
In this embodiment, if the domain name to be queried does not exist in the domain name application list authorized for the user, the local DNS service forwards the domain name resolution request to the regional DNS server and obtains the second IP address of the domain name included in the request. As shown in fig. 3, the local DNS service initiates a domain name resolution request to the regional DNS server; the regional DNS server first queries the root DNS server, which returns the address of the top-level DNS server for the requested domain name; the regional DNS server then queries the top-level DNS server, which returns the address of the authoritative DNS server for the requested domain name; finally, the regional DNS server queries the authoritative DNS server, which returns the second IP address of the requested domain name. The second IP address is the address at which the domain name is reached over the public network.
It should be noted that for a domain name requiring application diversion, the IP address corresponding to the domain name in the user's authorized domain name application list is returned; if diversion is not required, the domain name resolution mode of this embodiment is used to request the corresponding IP address from the original DNS server, and the local DNS service returns the second IP address received from that DNS server to the user.
According to the domain name resolution method provided by the embodiment of the invention, when the domain name included in the domain name resolution request does not exist in the domain name application list in the local DNS service, the domain name resolution request is forwarded to the DNS server so as to obtain the second IP address of the domain name included in the domain name resolution request, and the task requirement of domain name resolution can be ensured to be completed under the condition that the domain name to be requested does not exist in the domain name application list.
In another embodiment of the present invention, before the obtaining the domain name resolution request input by the user, the method includes:
receiving the domain name application list;
the domain name application list is obtained by performing domain name mapping on the IP address of each application of the user in a zero-trust trusted access console.
In this embodiment, the local DNS service must receive the domain name application list before acquiring a domain name resolution request input by the user. The domain name application list is obtained in the zero-trust trusted access console by performing domain name mapping on the IP address of each application the user is authorized to access: according to the authorized user account information, once the user has logged in successfully, the domain name application list containing the IP addresses of the authorized applications is acquired. The zero-trust trusted access console then passes the generated domain name application list to the local DNS service for subsequent domain name resolution. It should be noted that the domain name application list contains the mapping relationships between the IP addresses of a given user's applications and their domain names; in other embodiments it may also contain other mapping relationships. The specific configuration may be set according to actual needs and is not particularly limited herein.
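The behaviour described in the passages above (per-user domain name application lists giving different users different IP addresses for one domain, forwarding of unlisted names to the upstream DNS server, and receipt of the list from the access console after login) can be put together in one small resolver. The following is an added example written for this page, not code from the patent or its assignees; the user identifiers, the IP values and the `fake_upstream` stand-in for the regional DNS server are all constructed.

```python
"""Local DNS service of a zero-trust terminal: consult the per-user domain name
application list first, forward anything not in it to the upstream DNS server.
Added example, not the patent's code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

# A domain name application list: domain name -> IP address the user must use
# for that application (normally the trusted application proxy, not the public IP).
AppList = Dict[str, str]


@dataclass
class Resolution:
    domain: str
    ip: Optional[str]   # None when no address could be obtained
    source: str         # "app_list", "upstream" or "nxdomain"


def _normalize(domain: str) -> str:
    # DNS names are case-insensitive and may carry a trailing dot.
    return domain.strip().lower().rstrip(".")


@dataclass
class LocalDnsService:
    # Lists pushed by the zero-trust access console after login, keyed by the
    # user's identification information (constructed identifiers in the demo).
    app_lists: Dict[str, AppList] = field(default_factory=dict)
    # Hypothetical hook standing in for the forward to the regional DNS server.
    upstream: Callable[[str], Optional[str]] = lambda domain: None

    def receive_app_list(self, user_id: str, app_list: AppList) -> None:
        """'Receiving the domain name application list' for one user."""
        self.app_lists[user_id] = {_normalize(d): ip for d, ip in app_list.items()}

    def resolve(self, user_id: str, domain: str) -> Resolution:
        """Resolve one request from the identified user."""
        name = _normalize(domain)
        app_list = self.app_lists.get(user_id, {})
        if name in app_list:
            # Diverted application: answer with the first IP address from the
            # list; the public (second) address is never consulted.
            return Resolution(name, app_list[name], "app_list")
        # Not an authorized application for this user: forward upstream.
        ip = self.upstream(name)
        if ip is None:
            # Intranet applications hidden from public DNS end here for users
            # whose list does not contain them: the application stays unreachable.
            return Resolution(name, None, "nxdomain")
        return Resolution(name, ip, "upstream")


# Constructed public-DNS stand-in: only a.com and one public site resolve here,
# and a.com resolves to an address different from the proxy address in the lists.
PUBLIC_DNS: Dict[str, str] = {"a.com": "203.0.113.10", "www.example.net": "203.0.113.20"}


def fake_upstream(domain: str) -> Optional[str]:
    return PUBLIC_DNS.get(domain)


def build_demo_service() -> LocalDnsService:
    """Service loaded with lists for two users, mirroring the scenarios in the
    description (IP values constructed for the example)."""
    svc = LocalDnsService(upstream=fake_upstream)
    svc.receive_app_list("user1", {"a.com": "2.2.2.2", "b.com": "2.2.2.2", "c.com": "192.168.2.2"})
    svc.receive_app_list("user2", {"a.com": "3.3.3.3", "c.com": "192.168.2.3"})
    return svc


if __name__ == "__main__":
    svc = build_demo_service()
    for user, name in [("user1", "a.com"), ("user2", "a.com"), ("user2", "b.com"),
                       ("user1", "C.com."), ("user2", "www.example.net")]:
        r = svc.resolve(user, name)
        print(f"{user:5} {name:16} -> {r.ip or 'NXDOMAIN':14} ({r.source})")
```

Running the script shows user 1 and user 2 receiving different proxy addresses for a.com, user 2 failing on b.com because it is neither in their list nor in public DNS, and an unlisted public name being answered from upstream.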
According to the domain name resolution method provided by the invention, the local DNS service must receive the domain name application list, which is used for the domain name resolution requests the user subsequently inputs after logging in through the zero-trust trusted terminal; the list covers all applications the user is authorized to access, and ensures the timeliness and security of domain name resolution.
Fig. 4 is a domain name resolution apparatus according to an embodiment of the present invention, and as shown in fig. 4, the domain name resolution apparatus according to the embodiment of the present invention includes:
an obtaining module 401, configured to obtain a domain name resolution request input by a user;
a query module 402, configured to perform domain name query in a preset domain name application list according to the domain name resolution request; the domain name application list comprises domain names corresponding to authorized applications;
a determining module 403, configured to determine a target IP address corresponding to the domain name when the domain name included in the domain name resolution request exists in the domain name application list, and use the target IP address as a resolution result of the domain name resolution request.
The domain name resolution device provided by the invention is applied to terminal equipment. It queries the domain name obtained from the acquired domain name resolution request in a preset domain name application list; when the domain name included in the request exists in the list, it determines the target IP address corresponding to the domain name and takes that address as the resolution result of the request. By installing a local DNS service that listens on a local port in the user terminal, the device diverts application traffic to the trusted application proxy, which improves the processing speed of application access, realizes dynamic control of application access, and ensures the timeliness and security of application access.
Further, the determining module 403 is further configured to:
and determining the IP address of the zero-trust credible application proxy server as a target IP address corresponding to the domain name.
According to the domain name resolution device provided by the invention, determining the IP address of the zero-trust trusted application proxy server as the target IP address corresponding to the domain name ensures the timeliness and security of application access processing and improves the user experience.
Further, the determining module 403 is further configured to:
determining a first IP address of the domain name according to the domain name; wherein the first IP address of the domain name is a different IP address than the second IP address of the domain name stored in the DNS server;
and determining the first IP address of the domain name as a target IP address corresponding to the domain name.
According to the domain name resolution device provided by the embodiment of the invention, the first IP address determined from the domain name in the domain name application list of the local DNS service is used as the target IP address corresponding to the domain name, so that when accessing the intranet the user quickly obtains the access IP address from the mapping relationship between domain name and IP address; this improves the timeliness of application access and avoids domain name hijacking attacks against the user.
Further, the apparatus further comprises an obtaining module, wherein the obtaining module is configured to:
acquiring identification information of a user;
correspondingly, the determining a target IP address corresponding to the domain name when the domain name included in the domain name resolution request exists in the domain name application list includes:
and under the condition that the domain name included in the domain name resolution request exists in the domain name application list, determining a target IP address corresponding to the domain name based on the identification information of the user.
According to the domain name resolution device provided by the embodiment of the invention, the identification information of the user is acquired, and when the domain name included in the domain name resolution request exists in the domain name application list, the target IP address corresponding to the domain name is determined based on that identification information, so that different users can be given different IP addresses for the same domain name, meeting the diversified demand scenarios of an enterprise.
Further, the query module 402 is further configured to:
forwarding the domain name resolution request to a DNS server when the domain name included in the domain name resolution request does not exist in the domain name application list, so as to obtain a second IP address of the domain name included in the domain name resolution request.
According to the domain name resolution device provided by the embodiment of the invention, when the domain name included in the domain name resolution request does not exist in the domain name application list in the local DNS service, the domain name resolution request is forwarded to the DNS server so as to obtain the second IP address of the domain name included in the domain name resolution request, and the task requirement of domain name resolution can be met under the condition that the domain name to be requested does not exist in the domain name application list.
Further, the apparatus further comprises a receiving module, where the receiving module is configured to:
receiving the domain name application list;
the domain name application list is obtained by performing domain name mapping on the IP address of each application of the user in a zero-trust trusted access console.
According to the domain name resolution device provided by the invention, the local DNS service must receive the domain name application list, which is used for the domain name resolution requests the user subsequently inputs after logging in through the zero-trust trusted terminal; the list covers all applications the user is authorized to access, and ensures the timeliness and security of domain name resolution.
Since the apparatus according to the embodiment of the present invention operates on the same principle as the method of the embodiments above, the details are not repeated here.
Fig. 5 is a schematic structural diagram of an electronic device provided in an embodiment of the present invention, and as shown in fig. 5, the present invention provides an electronic device, including: a processor (processor)501, a memory (memory)502, and a bus 503;
the processor 501 and the memory 502 complete communication with each other through the bus 503;
the processor 501 is configured to call program instructions in the memory 502 to execute the methods provided in the above-described method embodiments, including, for example: the method comprises the steps of obtaining a domain name resolution request input by a user, carrying out domain name query in a preset domain name application list according to the domain name resolution request, wherein the domain name application list comprises domain names corresponding to authorized applications, determining a target IP address corresponding to the domain name under the condition that the domain name included in the domain name resolution request exists in the domain name application list, and taking the target IP address as a resolution result of the domain name resolution request.
Embodiments of the present invention provide a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform the methods provided in the above-described method embodiments, for example, including: the method comprises the steps of obtaining a domain name resolution request input by a user, carrying out domain name query in a preset domain name application list according to the domain name resolution request, wherein the domain name application list comprises domain names corresponding to authorized applications, determining a target IP address corresponding to the domain name under the condition that the domain name included in the domain name resolution request exists in the domain name application list, and taking the target IP address as a resolution result of the domain name resolution request.
The present invention also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method provided by the embodiments described above, the method comprising: the method comprises the steps of obtaining a domain name resolution request input by a user, carrying out domain name query in a preset domain name application list according to the domain name resolution request, wherein the domain name application list comprises domain names corresponding to authorized applications, determining a target IP address corresponding to the domain name under the condition that the domain name included in the domain name resolution request exists in the domain name application list, and taking the target IP address as a resolution result of the domain name resolution request.
Those of ordinary skill in the art will understand that: all or part of the steps for implementing the method embodiments may be implemented by hardware related to program instructions, and the program may be stored in a computer readable storage medium, and when executed, the program performs the steps including the method embodiments; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (10)

1. A domain name resolution method is applied to terminal equipment and comprises the following steps:
acquiring a domain name resolution request input by a user;
according to the domain name resolution request, domain name query is carried out in a preset domain name application list; the domain name application list comprises domain names corresponding to authorized applications;
and under the condition that the domain name included in the domain name resolution request exists in the domain name application list, determining a target IP address corresponding to the domain name, and taking the target IP address as a resolution result of the domain name resolution request.
2. The domain name resolution method according to claim 1, wherein the determining the target IP address corresponding to the domain name includes:
and determining the IP address of the zero-trust credible application proxy server as a target IP address corresponding to the domain name.
3. The domain name resolution method according to claim 1, wherein the determining the target IP address corresponding to the domain name includes:
determining a first IP address of the domain name according to the domain name; wherein the first IP address of the domain name is a different IP address than the second IP address of the domain name stored in the DNS server;
and determining the first IP address of the domain name as a target IP address corresponding to the domain name.
4. The domain name resolution method according to claim 1, characterized in that the method further comprises:
acquiring identification information of a user;
correspondingly, the determining a target IP address corresponding to the domain name when the domain name included in the domain name resolution request exists in the domain name application list includes:
and under the condition that the domain name included in the domain name resolution request exists in the domain name application list, determining a target IP address corresponding to the domain name based on the identification information of the user.
5. The domain name resolution method according to any one of claims 1 to 4, wherein after the domain name query is performed in a preset domain name application list according to the domain name resolution request, the method further comprises:
forwarding the domain name resolution request to a DNS server when the domain name included in the domain name resolution request does not exist in the domain name application list, so as to obtain a second IP address of the domain name included in the domain name resolution request.
6. The domain name resolution method according to claim 1, before the obtaining of the domain name resolution request input by the user, comprising:
receiving the domain name application list;
the domain name application list is obtained by performing domain name mapping on the IP address of each application of the user in a zero-trust trusted access console.
7. A domain name resolution apparatus, comprising:
the acquisition module is used for acquiring a domain name resolution request input by a user;
the query module is used for performing domain name query in a preset domain name application list according to the domain name resolution request; the domain name application list comprises domain names corresponding to authorized applications;
a determining module, configured to determine a target IP address corresponding to the domain name when the domain name included in the domain name resolution request exists in the domain name application list, and use the target IP address as a resolution result of the domain name resolution request.
8. An electronic device, comprising:
a processor, a memory, and a bus, wherein,
the processor and the memory are communicated with each other through the bus;
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the steps of the domain name resolution method according to any of claims 1 to 6.
9. A computer program product comprising computer executable instructions for performing the steps of the domain name resolution method according to any one of claims 1 to 6 when executed.
10. A non-transitory computer readable storage medium storing computer instructions for causing a computer to perform the steps of the domain name resolution method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111364551.2A CN114285821A (en) 2021-11-17 2021-11-17 Domain name resolution method, device, electronic equipment, storage medium and product

Publications (1)

Publication Number Publication Date
CN114285821A true CN114285821A (en) 2022-04-05

Family

ID=80869362

Country Status (1)

Country Link
CN (1) CN114285821A (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102790807A (en) * 2011-05-16 2012-11-21 奇智软件(北京)有限公司 Domain name resolution agent method and system, and domain name resolution agent server
WO2017004947A1 (en) * 2015-07-07 2017-01-12 安一恒通(北京)科技有限公司 Method and apparatus for preventing domain name hijacking
CN110086895A (en) * 2019-04-11 2019-08-02 天津字节跳动科技有限公司 Domain name analytic method, device, medium and electronic equipment
CN110113447A (en) * 2019-06-27 2019-08-09 网易(杭州)网络有限公司 Domain name analytic method and device
CN111010460A (en) * 2019-12-16 2020-04-14 南京亚信智网科技有限公司 Domain name resolution method and device
WO2021120969A1 (en) * 2020-02-21 2021-06-24 聚好看科技股份有限公司 Domain name resolution method, domain name resolution server, and terminal device
CN112600868A (en) * 2020-11-10 2021-04-02 清华大学 Domain name resolution method, domain name resolution device and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
时长江;孟晓青;胡炜;张萍;刘国梁;徐君;郭曙超: "Research on the time-to-live value of domain name resolution systems", Journal of Inspection and Quarantine, no. 01, pages 21-24 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115002072A (en) * 2022-05-31 2022-09-02 济南浪潮数据技术有限公司 JMX-based data acquisition method, device and medium
CN115174248A (en) * 2022-07-18 2022-10-11 天翼云科技有限公司 Network access control method and device
CN115174248B (en) * 2022-07-18 2023-08-04 天翼云科技有限公司 Control method and device for network access

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination