CN114301614A - Method and system for detecting illegal monitoring of domain name in network - Google Patents


Info

Publication number
CN114301614A
Authority
CN
China
Prior art keywords
domain name
network
client
detection
resolution request
Legal status
Pending
Application number
CN202011011434.3A
Other languages
Chinese (zh)
Inventor
解冲锋
李聪
马晨昊
毛东峰
陈运清
原全新
Current Assignee
China Telecom Corp Ltd
Original Assignee
China Telecom Corp Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a system for detecting illegal monitoring of a domain name in a network. The method comprises the following steps: generating, at a central controller of the network, a base domain name prefix of a detection-dedicated domain name using a pseudo-random algorithm based on the identifier of a client in the network, wherein the base domain name prefix is unique across all clients in the network; sending a detection task instruction to the client, wherein the detection task instruction comprises the base domain name prefix and a number of domain name resolutions; in response to receiving the detection task instruction, generating at the client a domain name resolution request that includes a domain name generated from the base domain name prefix and the number of domain name resolutions included in the detection task instruction, the generated domain name being unique within the network; and, in response to receiving the domain name resolution request from the client, analyzing the received domain name resolution request at a detection DNS server of the network and storing the analysis result.

Description

Method and system for detecting illegal monitoring of domain name in network
Technical Field
The present disclosure relates generally to the field of data communications, and more particularly, to a method and system for detecting illegal monitoring of domain names in a network.
Background
The internet uses domain names in place of IP addresses (IPv4 or IPv6) to identify sites. For example, www.baidu.com is used instead of Baidu's IP address 202.108.22.5. Domain name resources are fundamental resources of the internet. Domain name resolution is the conversion from a domain name to an IP address, which makes addresses convenient to remember and use. The Domain Name System (DNS) is a key component of the Internet: it provides basic services for most Internet applications, is one of the Internet's core services, and acts as its central nervous system. DNS service is generally provided by the network operator; when a user terminal joins the network, it is assigned an IPv4 or IPv6 address and a DNS server (i.e., a recursive cache server) is configured automatically. When a user accesses a website or application platform, the IPv4/IPv6 address of the destination server's domain name is normally resolved through DNS first. Because DNS information is important and sensitive, it often happens that a user's DNS resolution is monitored and replayed by an unauthorized third party, damaging the user's information privacy and security and also threatening the operator's network security. To detect such third-party monitoring, a network operator usually relies on Deep Packet Inspection (DPI), but DPI has to inspect a large number of packets one by one, so the processing cost is high; moreover, the resolution data collected by the third party is usually encrypted, so DPI can neither separate it from the normal data stream nor identify the IP address of the third party's server.
Since a domain name represents the destination of an internet resource accessed by a user, and the domain name system itself has weaknesses, it often happens during resolution that a user's DNS resolution request is intercepted and replayed by an unauthorized third party. Replay is a technique commonly used by third parties: the third party illegally monitors a legitimate user's resolution request and then re-sends that request to the authoritative server. This harms the user's information security and also challenges the operator's network security, so there is an urgent need to locate the third parties in the network that monitor users' domain name resolution.
Therefore, there is a need in the art for techniques that can detect illegitimate interception of domain names in a network.
Disclosure of Invention
An object of the present disclosure is to provide a method and system for detecting illegal monitoring of domain names in a network, so as to improve the security of users' network access and make users and service providers less exposed to harm.
Without resorting to DPI, distributed detection nodes are deployed to detect end to end whether the DNS resolution process of users in the network is being monitored and replayed, to discover the IP addresses of unauthorized third-party monitoring servers, and to provide support for subsequent attribution.
The invention simulates a user's DNS resolution process: a series of detection-dedicated domain name resolutions is sent from multiple detection clients distributed across the network, inducing a third party to track and resolve the test domain names and thereby leave traces of its behavior on the detection receiving server.
In order to achieve the above object, according to one aspect of the present invention, there is provided a method for detecting illegal interception of a domain name in a network, including: generating, at a central controller of the network, a base domain name prefix of a detection-dedicated domain name using a pseudo-random algorithm based on the identifier of a client in the network, wherein the base domain name prefix is unique across all clients in the network; sending a detection task instruction to the client, wherein the detection task instruction comprises the base domain name prefix and a number of domain name resolutions; generating, at the client, a domain name resolution request in response to receiving the detection task instruction, wherein the domain name resolution request includes a domain name generated from the base domain name prefix and the number of domain name resolutions included in the detection task instruction, and wherein the generated domain name is unique within the network; and, in response to receiving the domain name resolution request from the client, analyzing the received domain name resolution request at a detection DNS server of the network and storing the analysis result.
In order to achieve the above object, according to another aspect of the present invention, there is provided a system for detecting illegal interception of a domain name in a network, including: a central controller configured to generate a base domain name prefix of a detection-dedicated domain name using a pseudo-random algorithm based on the identifier of a client in the network, wherein the base domain name prefix is unique across all clients in the network, and to send a detection task instruction to the client, the detection task instruction including the base domain name prefix and a number of domain name resolutions; a client configured to generate a domain name resolution request in response to receiving the detection task instruction, wherein the domain name resolution request includes a domain name generated from the base domain name prefix and the number of domain name resolutions included in the detection task instruction, and wherein the generated domain name is unique within the network; and a detection DNS server configured, in response to receiving the domain name resolution request from the client, to analyze the received domain name resolution request and store the analysis result.
Drawings
Hereinafter, preferred embodiments of the present disclosure will be described in detail with reference to the accompanying drawings. Note that in the present specification and the drawings, structural elements having substantially the same function and structure are denoted by the same reference numerals, and repeated description of these structural elements is omitted.
FIG. 1 is a block diagram illustrating an example system for detecting illegal domain name monitoring in a network according to one embodiment of this disclosure;
FIG. 2 is a flow diagram illustrating an example method of detecting illegal domain name monitoring in a network according to one embodiment of the present disclosure.
Figure 3 is a flow diagram illustrating an example process of provisioning a recursive cache server according to one embodiment of the present disclosure.
FIG. 4 is a flow diagram illustrating an example detection process according to one embodiment of the present disclosure.
FIG. 5 is a flow diagram illustrating an example result analysis process according to one embodiment of the present disclosure.
Detailed Description
The following detailed description of exemplary embodiments refers to the accompanying drawings. The same reference numbers in different drawings identify the same or similar elements. Furthermore, the drawings are not necessarily drawn to scale. Also, the following detailed description does not limit the invention. Rather, the scope of the invention is defined by the appended claims.
Reference throughout the specification to "one embodiment" or "an embodiment" or "some embodiments" means that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment of the subject matter disclosed. Thus, the appearances of the phrases "in one embodiment" or "in an embodiment" or "in some embodiments" in various places throughout this specification are not necessarily referring to the same embodiment(s). Furthermore, the particular features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
The technology simulates a user's DNS resolution process, sends a series of detection-dedicated domain name resolutions from multiple detection clients distributed in the network, and induces a third party to track and resolve the test domain names, thereby leaving behavior traces on the detection receiving server. dntest.org is an example of a detection-dedicated domain in the present invention; other detection domains are also possible. According to the present invention, each domain name is used by the client only once and is therefore never served from a cache. A resolution request may also carry a resolution type, A (resolving the domain name to an IPv4 address) or AAAA (resolving it to an IPv6 address); a query of each type reaches the authoritative server.
The system for detecting illegal interception of domain names in a network comprises: a central controller configured to generate a base domain name prefix of a detection-dedicated domain name using a pseudo-random algorithm based on an identifier of a client in a network, wherein the base domain name prefix is unique to all clients in the network, and to send a detection task instruction to the client, the detection task instruction including the base domain name prefix and domain name resolution times; a client configured to generate a domain name resolution request in response to receiving a detection task instruction, wherein the domain name resolution request includes a domain name generated based on a base domain name prefix and a number of domain name resolutions included in the detection task instruction, and wherein the generated domain name is unique to a network; and the detection DNS server is configured to respond to the received domain name resolution request from the client, analyze the received domain name resolution request and store the analysis result.
Fig. 1 is a block diagram illustrating an example system for detecting illegal domain name monitoring in a network according to one embodiment of the present disclosure. Note that the following description includes many non-essential details that one skilled in the art may substitute as desired.
In order to detect DNS snooping in an IPv4/IPv6 network, an example system according to the present embodiment may include a central controller, detection clients (simply "clients"), a detection receiver (i.e., the detection DNS server), and so on. An example system according to this embodiment may include the following modules and sub-modules:
1) Central controller C
The unit that manages the components involved in detection and schedules detection tasks. When domain name detection is required, it instructs the detection clients, by issuing instructions and related parameters, to initiate an end-to-end domain name resolution process; it then analyzes and compares the resolution requests recorded in the detection receiver and determines whether any unauthorized party is resolving the detection domain names. It includes the following sub-modules:
C1: a client manager that manages the state of the clients distributed across the network; each client has a distinct ID.
C2: a detection domain name generator that generates the base domain name prefix BasePrefix of the detection-dedicated domain name. Each client uses its base prefix to generate a series of test domain names. The base prefix is unique per client and differs in each test task, so that every detection domain name of every client is unique.
Each client has a k-character identifier ID. The ID is converted to string form with itoa(ID), still of length k; a hash algorithm is then applied to this string to produce a pseudo-random string of length p, guaranteed not to repeat between clients; the k-character ID and the p-character random string are concatenated to form the client's detection domain base prefix, i.e., BasePrefix = concat(itoa(ID), hash(itoa(ID))).
C3: a DNS server database that stores information about all of the operator's recursive cache servers, such as location, home network and IPv4/IPv6 addresses.
C4: a detection scheduler that, according to the detection requirement, issues a test task and its parameters (detection task TID, the domain to which the detection domain names belong, BasePrefix, number of domain name resolutions N, resolution interval T, etc.) to particular clients and schedules the detection process. N is configurable; a value of at least 100 and below 999 is recommended.
C5: a detection result analyzer that analyzes the resolution result data for the detection domain names and, using the operator's existing DNS data, identifies and separates out the IP addresses of third-party servers that do not belong to the operator.
2) Detection client S
The detection client is script code, issued by the central controller, that can run in a browser on the terminal. It simulates an app on the user terminal sending resolution requests for the detection domain names: it generates a series of detection domain names according to the instruction and parameters sent by the central controller and sends resolution requests for them in a loop.
According to the number of detections N provided by the central controller, the client's N test domain names are generated in a loop. For each domain name, the string itoa(k) corresponding to the domain name serial number k is generated first and appended to the base prefix BasePrefix to form the domain name prefix; the test domain name is then formed by appending the detection domain dntest.org. During the test the client sends resolution requests for the detection domain names continuously with an interval of no less than 1 second, and the resolution types include both A and AAAA.
3) Detection receiver R
Runs on the receiving server. It extracts the resolution log data for the detection domain names from the authoritative server and sends the result to the central controller for analysis.
Fig. 2 is a flow diagram illustrating an example process 200 for detecting illegal domain name monitoring in a network according to the present embodiment.
At step 201, the process begins: a base domain name prefix of the detection-dedicated domain name is generated at the central controller of the network using a pseudo-random algorithm based on the identifiers of the clients in the network. The base domain name prefix is unique across all clients in the network.
At step 202, a detection task instruction is sent to the client, where the detection task instruction includes the base domain name prefix and a number of domain name resolutions.
At step 203, a domain name resolution request is generated at the client in response to receiving the detection task instruction. The domain name resolution request comprises a domain name generated based on a basic domain name prefix and domain name resolution times included in the detection task instruction. The domain name generated is unique to the network.
At step 204, in response to receiving a domain name resolution request from a client, the received domain name resolution request is analyzed at a detecting DNS server of the network and the analysis results are stored.
In order to illustrate the present invention in more detail, a method of detecting illegal interception of a domain name in a network according to the present invention is described below in three parts with reference to figs. 3 to 5. Note that the following description includes many non-essential details that one skilled in the art may substitute as desired.
Figure 3 is a flow chart illustrating an example process of provisioning a recursive cache server according to the present embodiment.
1) Attribute information, such as the IPv4/IPv6 addresses of the operator's own DNS servers, is registered in advance in the DNS server database of the central controller.
2) The detection server is added to the global DNS resolution system in the role of an authoritative server, providing domain name resolution service for the domain dntest.org.
3) The detection clients log on to the central controller, whose client manager tracks the clients' state.
Fig. 4 is a flowchart illustrating an example detection process according to the present embodiment.
4) When detection is to be started, the detection scheduler in the central controller instructs the detection domain name generator to generate the base prefix of the detection-dedicated domain name.
5) The detection domain name generator generates the base prefix of the detection-dedicated domain name for each client and generates an automatic detection script for each client.
6) The detection scheduler issues the script and the detection task parameters to the detection clients (for example: detection task TID, the domain to which the detection domain names belong, BasePrefix, number of domain name resolutions N, resolution interval T, etc.) and at the same time issues a test receiving instruction to the detection receiver.
7) The client starts the detection task, generates its own series of detection domain names, runs the test script, and sends resolution requests for xxxxxyyy.dntest.org domain names in a loop in order from 1 to N; the request types include both A and AAAA. (At this point a third-party monitor, in order to monitor and track the user's access, generally issues its own resolution request for the same domain name.)
8) The authoritative server (for dntest.org) receives the resolution requests for the detection domain names sent by each client, and records a resolution log as it resolves them.
Fig. 5 is a flowchart showing an example result analysis process according to the present embodiment.
9) The detection receiver obtains, from the authoritative server, the domain name access resolution logs for the detection domain name series of all clients in the test task.
10) The detection result analyzer examines the resolution log records one by one.
11) The recursive server address is extracted from each record and compared one by one with the server addresses in the server database to find whether any database record matches the address. If so, the address is a legitimate address and analysis of that record is complete; if not, the address is an unauthorized third-party IP address and is marked on the record. That is, if the server database contains the same address as the recursive server address in the record, the address is legitimate; if the database does not contain it, the address is illegitimate. If required, the number of occurrences of each illegitimate IP address in the current detection can also be counted.
According to one embodiment, a system for detecting third-party domain name monitoring may include a central controller, detection clients and a detection receiver. According to one embodiment, the method for detecting third-party domain name monitoring may include the way detection-dedicated domain names are generated and the analysis of results. An application example according to the present embodiment is described below.
1. The central controller is deployed centrally by the network operator and is responsible for managing the units involved in detection and for scheduling detection tasks. When detection is required, it instructs the detection clients by command to initiate an end-to-end domain name resolution process, can generate the domain names used for detection, analyzes and compares the resolution log data in the detection receiver, and identifies the IP addresses of third-party servers that monitor users' domain names.
2. Automatic generation of domain names for detection. Domain name generation is mainly generation of the domain name prefix, since the domain (e.g., dntest.org) is fixed within a test task. Each client has a k-character identifier ID. The ID is converted to string form with itoa(ID), still of length k; a hash algorithm is applied to this string to produce a pseudo-random string of length p, guaranteed not to repeat between clients; the k-character ID and the p-character random string are concatenated to form the client's detection domain base prefix BasePrefix.
For example, a client has the 12-character identifier "123456789xcf", which the itoa function turns into the string "123456789xcf". An 8-character random string "abcfwfxk" is computed for the identifier using a hashing algorithm. String concatenation then produces the BasePrefix "123456789xcfabcfwfxk". BasePrefix and the number of resolutions, 100, are then sent to the client as part of the detection task instruction.
3. A client is a detection unit running in a user terminal (such as a mobile phone or personal digital assistant); there are many of them, distributed at different locations in the network. After receiving the detection task instruction and the detection domain name prefix from the central controller, the client starts the detection task, generates its own series of detection domain names according to the parameters provided by the controller, runs the test script, and sends resolution requests for xxxxxxxyyy.dntest.org domain names in a loop in order from 1 to N; the request types include both A and AAAA.
For example, the client receives BasePrefix "123456789xcfabcfwfxk". When the test script runs for the first time the test count is 01, and the client generates the sub-domain name "123456789xcfabcfwfxk01"; the second time it generates "123456789xcfabcfwfxk02", and so on up to 100. The resolution request thus includes the domain name "123456789xcfabcfwfxk01.dntest.org" to be resolved.
If a resolution request type is also included, the first sub-domain name is "123456789xcfabcfwfxk01A" for type A and "123456789xcfabcfwfxk01AAAA" for type AAAA. In this case the resolution request includes the domain name "123456789xcfabcfwfxk01a.dntest.org" or "123456789xcfabcfwfxk01aaaa.dntest.org" to be resolved.
4. The detection receiver runs on the receiving server. Under the scheduling of the central controller it extracts and analyzes the log data for the detection domain names from the authoritative server unit in the receiving server, and sends the result to the central controller for analysis.
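The prefix and domain name generation rule described for module C2, client S and application steps 2 and 3 above, written out as working Python. This is an added example, not the patent's own code. Two things are assumptions beyond what the page states: the "hash algorithm" is taken to be SHA-256 with the task ID (TID, one of the task parameters) mixed in, because the page requires the prefix to differ in every task but its formula hashes only the client ID; and the p random characters are drawn from the base32 encoding of that digest so they are valid DNS label characters. The example also checks the RFC 1035 label and name length limits, which the page does not mention, and injects the resolver so the client loop runs offline.

```python
"""Detection-domain generation for the probe scheme described above.

Added example, not the patent's code.  Assumptions beyond the page:
  - hash() is SHA-256 over "itoa(ID)|TID" (the page hashes only the ID,
    but also requires a different BasePrefix in every task);
  - the p-character random string comes from the base32 encoding of that
    digest, so it only contains characters legal in a DNS label;
  - the detection zone is dntest.org, as in the page's examples.
"""
import base64
import hashlib
import time
from typing import Callable, List, Tuple

DETECTION_ZONE = "dntest.org"      # zone served by the detection DNS server
QUERY_TYPES = ("A", "AAAA")        # one query of each type per counter value
MAX_LABEL = 63                     # RFC 1035 limits on a label and a name
MAX_NAME = 253


def make_base_prefix(client_id, tid: str, p: int = 8) -> str:
    """BasePrefix = itoa(ID) || hash(...): the client id followed by p
    pseudo-random, DNS-safe characters.  str() plays the role of itoa()."""
    cid = str(client_id)
    if not cid.isalnum():
        raise ValueError("client id must be alphanumeric to sit in a DNS label")
    digest = hashlib.sha256(f"{cid}|{tid}".encode()).digest()
    rnd = base64.b32encode(digest).decode().lower().rstrip("=")[:p]
    return cid + rnd


def probe_name(base_prefix: str, count: int, qtype: str) -> str:
    """Sub-domain = BasePrefix || zero-padded counter || type, under the
    zone.  The page's example pads the counter to two digits ("01").  The
    type is lower-cased because DNS names are case-insensitive anyway."""
    label = f"{base_prefix}{count:02d}{qtype.lower()}"
    name = f"{label}.{DETECTION_ZONE}"
    if len(label) > MAX_LABEL or len(name) > MAX_NAME:
        raise ValueError(f"probe name too long: {name}")
    return name


def build_probe_names(base_prefix: str, n: int) -> List[Tuple[str, str]]:
    """All (name, qtype) pairs for one task, in send order 1..N."""
    return [(probe_name(base_prefix, k, qt), qt)
            for k in range(1, n + 1) for qt in QUERY_TYPES]


def run_detection_task(base_prefix: str, n: int, interval: float,
                       resolve: Callable[[str, str], object]) -> int:
    """Client loop: send every probe once (no name repeats, so no cache can
    answer it), pausing `interval` seconds between sends (the page asks for
    at least 1 s).  `resolve(name, qtype)` is injected so this runs offline;
    in production it would wrap the terminal's real resolver."""
    sent = 0
    for name, qtype in build_probe_names(base_prefix, n):
        try:
            resolve(name, qtype)
        except OSError:
            pass    # NXDOMAIN/timeouts do not matter: the authoritative log is the evidence
        sent += 1
        if interval > 0:
            time.sleep(interval)
    return sent


if __name__ == "__main__":
    bp = make_base_prefix("123456789xcf", tid="T0001")
    print("BasePrefix:", bp)                      # 12-char id + 8 random chars
    for name, qt in build_probe_names(bp, 2):
        print(qt, name)
    seen: List[str] = []
    run_detection_task(bp, 3, 0, lambda name, qt: seen.append(name))
    print(len(seen), "probes sent; all distinct:", len(set(seen)) == len(seen))
```

Because the prefix changes per task and no name is ever sent twice, neither the terminal's stub resolver nor the operator's recursive cache can answer a probe from cache, so every probe is forced through to the authoritative detection server, which is what makes the log there a complete record.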
The following is example log data as resolved and recorded:

Serial  Query time      Domain name           Query type  Recursive server IPv4/IPv6 address
1       20190618153344  xxxxx001.dntest.org   A           139.162.21.135
2       20190618151807  xxxxx002.dntest.org   AAAA        240e:8901:ae6:878::909
3       20190619003044  xxxxx003.dntest.org   AAAA        202.99.9.45
4       20190618111334  xxxxx004.dntest.org   A           211e:100:123:345::450
...     ...             ...                   ...         ...
The receiving server compares the recursive server IPv4/IPv6 address in each log record with the server addresses recorded in the DNS server database of the central controller. If they match, the recursive server address in the log record belongs to a legitimate server. If they do not match, the address is not that of a legitimate server but of an unknown third-party server; the log record is marked "untrusted" and reported to the central controller.
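The result analysis of steps 9 to 11 and of step 4 above, as working Python. This is an added example, not the patent's code. The log format is assumed to be the five space-separated columns of the table above, the operator database is assumed to hold either single addresses or CIDR blocks, and the client ID is taken to be the first k characters of the label (k = 12 in the page's example). The sample log and database are constructed for the example; the example goes slightly beyond the page by also filtering out names on the zone that do not belong to the task, unwrapping IPv4-mapped IPv6 addresses, and reporting which client IDs each unknown recursor was seen querying for.

```python
"""Result analysis for the probe scheme: read the authoritative server's
query log, keep only the current task's probe names, and classify each
recursive-server address against the operator's DNS server database.

Added example, not the patent's code.  Assumptions beyond the page:
  - log lines have the five columns of the table above, space separated
    (serial, query time, domain name, query type, recursive server address);
  - the server database may hold single addresses or CIDR blocks;
  - the client ID is the first k characters of the label (k = 12 above).
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Union

DETECTION_ZONE = "dntest.org"
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample log modelled on the table in the text; addresses are
# illustrative.  Line 4 spells an address in IPv4-mapped IPv6 form, line 5
# has an upper-case name, and line 6 is not a probe of this task.
SAMPLE_LOG = """\
1 20190618153344 123456789xcfabcfwfxk01a.dntest.org A 139.162.21.135
2 20190618151807 123456789xcfabcfwfxk01aaaa.dntest.org AAAA 240e:8901:ae6:878::909
3 20190619003044 123456789xcfabcfwfxk02a.dntest.org A 202.99.9.45
4 20190618111334 123456789xcfabcfwfxk02aaaa.dntest.org AAAA ::ffff:139.162.21.135
5 20190618111400 123456789XCFABCFWFXK03A.dntest.org A 139.162.21.135
6 20190618111401 www.example.dntest.org A 198.51.100.7
"""

# Constructed operator database: two recursors from the table plus a
# network block, to show that entries need not be single hosts.
OPERATOR_DNS_DB = ["202.99.9.45", "240e:8901:ae6:878::909", "202.99.0.0/16"]


@dataclass(frozen=True)
class LogRecord:
    serial: int
    query_time: str
    name: str          # lower-cased, no trailing dot
    qtype: str
    recursor: IPAddress


def normalise_address(text: str) -> IPAddress:
    """Parse an IPv4/IPv6 literal and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)
    so one recursor is not counted twice under two spellings."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_log(lines: Iterable[str]) -> List[LogRecord]:
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[0].isdigit():
            continue                       # header or malformed line
        serial, when, name, qtype, recursor = parts
        records.append(LogRecord(int(serial), when, name.lower().rstrip("."),
                                 qtype.upper(), normalise_address(recursor)))
    return records


def load_database(entries: Iterable[str]) -> list:
    """Operator recursive cache servers; a bare address becomes a /32 or /128."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_operator_server(addr: IPAddress, db: list) -> bool:
    return any(addr in net for net in db)   # a version mismatch simply yields False


def task_records(records: Iterable[LogRecord], base_prefix: str) -> List[LogRecord]:
    """Keep only this task's probes: a single label starting with BasePrefix,
    directly under the detection zone.  Anything else seen on the zone
    (scanners, typos, other tasks) must not be attributed to this task."""
    suffix = "." + DETECTION_ZONE
    bp = base_prefix.lower()
    kept = []
    for r in records:
        if not r.name.endswith(suffix):
            continue
        label = r.name[: -len(suffix)]
        if "." not in label and label.startswith(bp):
            kept.append(r)
    return kept


def analyse(records: Iterable[LogRecord], base_prefix: str, db: list,
            k: int) -> Dict[str, object]:
    """Mark every probe record whose recursor is not in the operator database
    as untrusted; count hits per unknown address and note which client IDs
    (first k characters of the label) it was seen querying for."""
    untrusted: List[LogRecord] = []
    counts: Counter = Counter()
    clients: Dict[str, Set[str]] = {}
    for r in task_records(records, base_prefix):
        if is_operator_server(r.recursor, db):
            continue
        untrusted.append(r)
        key = str(r.recursor)
        counts[key] += 1
        clients.setdefault(key, set()).add(r.name[:k])
    return {"untrusted": untrusted, "counts": dict(counts), "clients": clients}


if __name__ == "__main__":
    result = analyse(parse_log(SAMPLE_LOG.splitlines()),
                     "123456789xcfabcfwfxk", load_database(OPERATOR_DNS_DB), k=12)
    for addr, n in result["counts"].items():
        print(f"untrusted recursor {addr}: {n} probe queries, "
              f"clients {sorted(result['clients'][addr])}")
```

Two caveats follow from the comparison being by address only. An address outside the operator database is "unknown", not proven malicious: a terminal whose user has configured a public resolver will also show up here, so the reported addresses need attribution before any action is taken. Conversely, a third party that re-injects the captured query through one of the operator's own recursors is indistinguishable in this log from the original query, so the method can only see monitors that resolve the probe names through infrastructure of their own.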
Compared with the prior art, the patent has the following advantages:
1. The method adopts, for the first time, the idea of "counter-tracking": by scheduling multiple distributed measurement clients to send a batch of detection resolution requests, it "lures" a third party into monitoring and resolving the detection domain names, so that the third party leaves information such as its IP address in the detection system, and the coverage and extent of the third party's malicious resolution can be assessed effectively.
2. The method detects the resolution process end to end, from the client to the authoritative server. The detection-dedicated domain names are never repeated by design, so a detection domain name is never served from a local cache, and performance indicators of domain name resolution in the network, such as packet loss, can also be measured effectively.
Although the central controller, the client and the receiving server according to the invention are each described herein as a single device in the system, a person skilled in the art may also implement each of them as a single device in the operator network or as a software module in a DNS server or mobile terminal, depending on the requirements of the specific implementation.
As will be appreciated based on the foregoing specification, the above-described embodiments of the disclosure may be implemented using computer programming or engineering techniques including computer software, firmware, hardware or any combination or subset thereof, wherein the technical effect is to create and operate a file system based application network. Any such resulting program, having computer-readable code means, may be embodied or provided within one or more computer-readable media, thereby making a computer program product (i.e., an article of manufacture) according to the discussed embodiments of the disclosure. The computer readable media may be, for example, but is not limited to, a fixed (hard) drive, diskette, optical disk, magnetic tape, semiconductor memory such as read-only memory (ROM), and/or any transmitting/receiving medium such as the Internet or other communication network or link. The article of manufacture containing the computer code may be made and/or used by executing the code directly from one medium, by copying the code from one medium to another medium, or by transmitting the code over a network.
These computer programs (also known as programs, software applications, "or code) include machine instructions for a programmable processor, and may be implemented in a high-level procedural and/or object-oriented programming language, and/or in assembly/machine language. As used herein, the terms "machine-readable medium," "computer-readable medium" refers to any computer program product, apparatus and/or device (e.g., magnetic discs, optical disks, memory, Programmable Logic Devices (PLDs)) used to provide machine instructions and/or data to a programmable processor, including a machine-readable medium that receives machine instructions as a machine-readable signal. However, "machine-readable medium" and "computer-readable medium" do not include transitory signals. The term "machine-readable signal" refers to any signal used to provide machine instructions and/or data to a programmable processor.
Although the present disclosure has been described in connection with specific exemplary embodiments, it should be understood that various changes, substitutions, and alterations apparent to those skilled in the art may be made to the disclosed embodiments without departing from the spirit and scope of the present disclosure as set forth in the following claims.

Claims (12)

1. A method for detecting illegal monitoring of domain names in a network comprises the following steps:
generating, at a central controller of a network, a base domain name prefix of a detection-dedicated domain name using a pseudo-random algorithm based on identifiers of clients in the network, wherein the base domain name prefix is unique across all clients in the network;
sending a detection task instruction to the client, wherein the detection task instruction comprises the base domain name prefix and a number of domain name resolutions;
generating, at the client, a domain name resolution request in response to receiving the detection task instruction, wherein the domain name resolution request includes a domain name generated based on a base domain name prefix and a number of domain name resolutions included in the detection task instruction, and wherein the generated domain name is unique to the network;
in response to receiving a domain name resolution request from a client, the received domain name resolution request is analyzed at a detection DNS server of the network and the analysis result is stored.
2. The method of claim 1, wherein the base domain name prefix is a concatenated string of the client identifier and a random string of the client identifier generated using a pseudo-random algorithm.
3. The method of claim 1, wherein the domain name generated at the client comprises as sub-domain names a string of characters concatenated by a base domain name prefix with a current count of domain name resolution times.
4. The method of claim 1, wherein the detection task instruction comprises a resolution interval at which the client generates and sends a domain name resolution request, and wherein the domain name resolution request comprises a resolution request type to indicate whether the domain name resolution request resolves a domain name to an IPv4 address or an IPv6 address.
5. The method of claim 1, further comprising:
pre-entering attribute information of the detection DNS server in a DNS server database of the central controller, so that the detection DNS server can provide domain name resolution service for the detection domain name.
6. The method of claim 1, wherein analyzing the received domain name resolution request at a detecting DNS server of the network and storing the analysis results comprises:
extracting a recursive cache server address from the received domain name resolution request;
comparing the extracted recursive cache server address with server addresses in a DNS server database of the central controller; and
if the two do not match, the extracted recursive cache server address is stored as an unauthorized third party IP address.
7. A system for detecting illegal monitoring of domain names in a network, comprising:
a central controller configured to generate a base domain name prefix of a detection-dedicated domain name using a pseudo-random algorithm based on an identifier of a client in the network, wherein the base domain name prefix is unique among all clients in the network, and to send a detection task instruction to the client, the detection task instruction including the base domain name prefix and a number of domain name resolutions;
a client configured to generate a domain name resolution request in response to receiving the detection task instruction, wherein the domain name resolution request includes a domain name generated from the base domain name prefix and the number of domain name resolutions included in the detection task instruction, and wherein the generated domain name is unique within the network;
and a detection DNS server configured to, in response to receiving the domain name resolution request from the client, analyze the received domain name resolution request and store the analysis result.
8. The system of claim 7, wherein the base domain name prefix is a string formed by concatenating the client identifier with a random string generated from the client identifier using a pseudo-random algorithm.
9. The system of claim 7, wherein the domain name generated at the client comprises, as a sub-domain name, a string formed by concatenating the base domain name prefix with the current count of domain name resolutions.
10. The system of claim 7, wherein the detection task instruction includes a resolution interval at which the client generates and sends a domain name resolution request, and wherein the domain name resolution request includes a resolution request type to indicate whether the domain name resolution request resolves a domain name to an IPv4 address or an IPv6 address.
11. The system of claim 7, wherein the central controller is further configured to pre-enter attribute information of the detecting DNS server in a DNS server database of the central controller to enable the detecting DNS server to provide domain name resolution services for detecting domain names.
12. The system of claim 7, wherein the detecting DNS server is further configured to analyze and store by:
extracting a recursive cache server address from the received domain name resolution request;
comparing the extracted recursive cache server address with server addresses in a DNS server database of the central controller; and
if the two do not match, the extracted recursive cache server address is stored as an unauthorized third party IP address.
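A compact simulation of the three roles in claims 1 to 6, written for this page as an added example (it is not code from the patent or its applicant). The detection zone name, the controller secret and the use of HMAC-SHA256 as the pseudo-random algorithm are assumptions; the recursive cache server addresses are constructed sample values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Assumed values, not from the patent: the zone the detection DNS server
# serves, and a controller secret keying the pseudo-random derivation.
DETECT_ZONE = "detect.example"
CONTROLLER_SECRET = b"controller-secret-placeholder"

def base_prefix(client_id: str) -> str:
    """Controller: client id joined to a pseudo-random string derived from
    that id (claim 2). HMAC-SHA256 stands in for the unspecified algorithm."""
    rnd = hmac.new(CONTROLLER_SECRET, client_id.encode(), hashlib.sha256)
    return f"{client_id}-{rnd.hexdigest()[:12]}"

def task_instruction(client_id: str, resolutions: int,
                     interval_s: int = 60, qtype: str = "A") -> dict:
    """Controller: the detection task sent to the client (claims 1 and 4)."""
    return {"base_prefix": base_prefix(client_id), "resolutions": resolutions,
            "interval_s": interval_s, "qtype": qtype}

def client_domains(task: dict) -> list[str]:
    """Client: one sub-domain per resolution, prefix + current count (claim 3)."""
    return [f"{task['base_prefix']}-{i}.{DETECT_ZONE}"
            for i in range(1, task["resolutions"] + 1)]

@dataclass
class DetectionServer:
    """Detection DNS server holding the controller's DNS server database
    of authorized recursive cache servers (claims 5 and 6)."""
    authorized_resolvers: set[str]
    unauthorized: set[str] = field(default_factory=set)

    def analyze(self, requests: list[tuple[str, str]]) -> set[str]:
        """requests: (qname, recursive cache server address) pairs as seen
        by the detection server. A source outside the database is stored
        as an unauthorized third-party IP; non-detection names are ignored."""
        for qname, src in requests:
            if not qname.endswith("." + DETECT_ZONE):
                continue
            if src not in self.authorized_resolvers:
                self.unauthorized.add(src)
        return self.unauthorized

if __name__ == "__main__":
    doms = client_domains(task_instruction("client-001", 3))
    # Constructed sample: the third query arrives from an unexpected resolver.
    seen = [(doms[0], "192.0.2.53"), (doms[1], "192.0.2.53"), (doms[2], "198.51.100.7")]
    print(DetectionServer({"192.0.2.53"}).analyze(seen))  # {'198.51.100.7'}
```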
Priority Applications (1)

| Application Number | Publication Number | Priority Date | Filing Date | Title |
|---|---|---|---|---|
| CN202011011434.3A | CN114301614A (en) | 2020-09-23 | 2020-09-23 | Method and system for detecting illegal monitoring of domain name in network |
Publications (1)

| Publication Number | Publication Date |
|---|---|
| CN114301614A true | 2022-04-08 |

Family

ID=80964299
Country Status (1)

| Country | Link |
|---|---|
| CN (1) | CN114301614A (en) |

Citations (7)

\* Cited by examiner, † Cited by third party

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060112176A1 (en) \* | 2000-07-19 | 2006-05-25 | Liu Zaide E | Domain name resolution using a distributed DNS network |
| US20070294419A1 (en) \* | 2006-06-14 | 2007-12-20 | David Ulevitch | Recursive dns nameserver |
| CN102082836A (en) \* | 2009-11-30 | 2011-06-01 | 中国移动通信集团四川有限公司 | DNS (Domain Name Server) safety monitoring system and method |
| CN105827599A (en) \* | 2016-03-11 | 2016-08-03 | 中国互联网络信息中心 | Cache infection detection method and apparatus based on deep analysis on DNS message |
| CN106550056A (en) \* | 2015-09-18 | 2017-03-29 | 中国移动通信集团江苏有限公司 | A kind of domain name analytic method and device |
| CN108886540A (en) \* | 2018-06-13 | 2018-11-23 | 深圳前海达闼云端智能科技有限公司 | Domain name resolution method, device and computer readable storage medium |
| CN111294415A (en) \* | 2018-12-10 | 2020-06-16 | 北京京东金融科技控股有限公司 | Domain name resolution method and device |
Legal Events

| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |