CN114553820A - DNS analysis method, system and storage medium for refined analysis control - Google Patents

Info

Publication number: CN114553820A
Authority: CN (China)
Prior art keywords: dns, analysis, resolution, request, client
Legal status: Pending
Application number: CN202210130600.4A
Other languages: Chinese (zh)
Inventors: 胡凯旋, 吕亚霖
Current Assignee: Beijing Yunsizhixue Technology Co ltd
Original Assignee: Beijing Yunsizhixue Technology Co ltd

Classifications

    • G06N 20/00: Machine learning
    • H04L 61/103: Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/08: Network architectures or network communication protocols for network security for authentication of entities

Abstract

The invention discloses a DNS resolution method, system and storage medium for refined resolution control. The DNS resolution method comprises the following steps: a central DNS receives a DNS resolution request sent by a client over a network; the central DNS authenticates the client that sent the DNS resolution request; when the DNS resolution request comes from a legitimate and trusted client, the central DNS resolves the request by matching it against the configured personalized resolution policies. The method aims to establish a reliable and controllable DNS resolution link directly between the user terminal and the enterprise service, so that the user can reach the enterprise service in a trusted way. A policy configuration module formulates resolution policies from user characteristics and from automatically collected and analyzed historical service index data, and differentiated resolution results are returned; in special scenarios the resolution result can be overridden manually and quickly. The enterprise thereby gains fine-grained and efficient control over the resolution policy of its domain names.

Description

DNS analysis method, system and storage medium for refined analysis control
Technical Field
The invention relates to the technical field of DNS resolution, and in particular to a DNS resolution method, system and storage medium for refined resolution control.
Background
The Domain Name System (DNS) is an Internet service. It acts as a distributed database that maps domain names and IP addresses to each other, making the Internet more convenient to access.
When a user enters www.xxxx.com in the address bar, DNS resolution proceeds roughly as follows:
The browser first checks whether its own cache holds a resolved IP address for the domain name; if so, resolution ends there. How long a domain name stays cached can be set through the TTL attribute.
If the browser cache has no entry (in technical terms, a cache miss), the browser checks whether the operating system cache holds a resolved result. The operating system has its own domain name resolution step. On Windows it can be configured through a file called hosts on the C: drive: if an IP address is specified there for a domain name, the browser uses that IP address first.
This OS-level resolution step is also abused by many attackers, who modify the contents of the hosts file so that a specific domain name resolves to an IP address of their choosing, which results in so-called domain hijacking. In Windows 7 the hosts file is set to read-only to prevent malicious tampering.
If there is still no hit, the request actually goes to a Local Domain Name Server (LDNS). This server is generally located somewhere in your city, not far from you; it performs well and generally caches resolution results, and about 80% of domain name resolutions complete at this point.
If the LDNS has no hit either, it goes directly to a root domain name server (Root Server) to request resolution.
The root domain name server returns to the LDNS the address of a primary domain name server (gTLD server, i.e. a generic top-level domain server, e.g. for .com).
The LDNS then sends the request to the gTLD server returned in the previous step.
The gTLD server that receives the request looks up and returns the address of the Name Server for the domain name; this Name Server is the domain name server registered by the website.
The Name Server finds the target IP in its mapping table and returns it to the LDNS.
The LDNS caches the domain name and the corresponding IP.
The LDNS returns the resolution result to the user, the user caches it in the local system cache according to the TTL value, and the domain name resolution process ends.
As this process shows, when a user accesses an enterprise service, the list of service IPs has to be obtained through DNS. Traditional DNS resolution schemes generally resolve through a local DNS or a public DNS. Network environments and configurations differ widely between users and the intermediate links are untrusted, so the resolution result is untrusted as well. In addition, the caching policy of the intermediate DNS resolution servers is not under the enterprise's control, so the enterprise cannot quickly and precisely control the resolution policy and results for its own domain names, which affects the flexible and reliable delivery of enterprise services.
The invention mainly addresses three problems: trusted access between the user client and the enterprise service is difficult; the enterprise has insufficient control over the resolution of its own domain names; and domain name configuration on the authoritative DNS server is slow to take effect and hard to make take effect in full.
In view of this, the present invention is specifically disclosed.
Disclosure of Invention
To solve the above problems, the present invention provides a DNS resolution method, system and storage medium for refined resolution control. Specifically, the following technical solution is adopted:
A DNS resolution method for refined resolution control comprises the following steps:
a central DNS receives a DNS resolution request sent by a client over a network;
the central DNS authenticates the client that sent the DNS resolution request;
when the DNS resolution request comes from a legitimate and trusted client, the central DNS resolves the DNS resolution request by matching it against the configured personalized resolution policies.
As an optional implementation of the present invention, in the DNS resolution method for refined resolution control, the central DNS resolving the DNS resolution request by matching the configured personalized resolution policies includes:
configuring personalized resolution policies for service characteristics through a management backend, and storing them in a feature policy library;
the feature policy library asynchronously and periodically loads the feature policies into the central DNS, where they are matched against DNS resolution requests;
optionally, the service characteristics include the client region, the user ID, and the user class.
As an optional implementation of the present invention, in the DNS resolution method for refined resolution control, the central DNS resolving the DNS resolution request by matching the configured personalized resolution policies includes:
collecting health and capacity index data of the service behind the domain name, generating service index policies through self-learning, and storing them in a service index library;
the service index library asynchronously and periodically loads the service index policies into the central DNS, which automatically updates its resolution policy, balances load according to the service health and capacity indexes, and achieves automatic failover by returning only healthy services.
As an optional implementation of the present invention, in the DNS resolution method for refined resolution control, when the DNS resolution request comes from a legitimate and trusted client:
the DNS resolution request is first matched against the results of earlier resolution requests cached by the central DNS;
if the user characteristics of the DNS resolution request hit the cache of the central DNS, the cached resolution result is returned to the user directly;
if the user characteristics of the DNS resolution request do not hit the cache of the central DNS, the central DNS resolves the request by matching it against the configured personalized resolution policies.
As an optional implementation of the present invention, in the DNS resolution method for refined resolution control, the central DNS resolves the DNS resolution request according to the cache entry it hits or the personalized resolution policy it matches;
if the DNS resolution request hits neither a cache entry nor a personalized resolution policy, it is forwarded to an authoritative DNS for resolution.
As an optional implementation of the present invention, in the DNS resolution method for refined resolution control, the central DNS encrypts the resolution result of the DNS resolution request and returns the encrypted result to the client;
the client receives the response and decrypts it to obtain the resolution result.
As an optional implementation of the present invention, in the DNS resolution method for refined resolution control, the central DNS authenticating the client that sent the DNS resolution request includes:
the client encrypts the DNS resolution request with an encryption algorithm agreed with the central DNS;
the central DNS receives the client's DNS resolution request and decrypts it with the decryption algorithm corresponding to the encryption algorithm agreed with the client;
if decryption succeeds, the DNS resolution request comes from a legitimate and trusted client; if decryption fails, the subsequent flow is terminated and the central DNS refuses to respond.
The invention also provides a DNS resolution system for refined resolution control, which comprises:
an authentication encryption module, which receives a DNS resolution request sent by a client over a network and authenticates the client that sent the DNS resolution request;
and a policy module, by which the central DNS resolves the DNS resolution request by matching it against the configured personalized resolution policies when the request comes from a legitimate and trusted client.
As an optional implementation of the present invention, the DNS resolution system for refined resolution control includes:
a cache module, which caches the results returned for earlier resolution requests by region and by customized policies, and matches the DNS resolution request against those cached results; if the user characteristics of the DNS resolution request hit the cache of the cache module, the resolution result is returned to the user directly, and if they do not, the policy module resolves the request by matching it against the configured personalized resolution policies;
and a forwarding module, which forwards the DNS resolution request to an authoritative DNS for resolution if it hits neither a cache entry nor a personalized resolution policy.
The invention also provides a storage medium storing a computer-executable program which, when executed, implements the DNS resolution method for refined resolution control.
Compared with the prior art, the invention has the beneficial effects that:
With the DNS resolution method for refined resolution control of the invention, when a user's client uses an enterprise service, the DNS resolution request it initiates no longer goes through traditional local DNS or public DNS resolution; instead, a DNS resolution module built into the client network library sends the request directly to the central DNS of the enterprise service. In addition, the enterprise server and the user client encrypt DNS resolution requests and responses with an agreed encryption algorithm, so that the user interacts securely and in a trusted way with the enterprise's DNS resolution system.
With the DNS resolution method for refined resolution control, the user client connects directly to the central DNS and the intermediate transmission link is encrypted, so the user's access to enterprise resources is trusted, which ensures that the user can reach the services provided by the enterprise flexibly and in a trusted way.
In the DNS resolution method for refined resolution control of the invention, the central DNS resolves DNS resolution requests through configured personalized resolution policies. Based on the domain name, the client characteristics and the indexes of the back-end service behind the domain name, the resolution result can be adjusted both automatically and intelligently and by manual intervention, which gives enterprises strong and flexible control over their own service domain names.
The DNS resolution method for refined resolution control aims to establish a reliable and controllable DNS resolution link directly between the user terminal and the enterprise service, so that the user can reach the enterprise service in a trusted way. A policy configuration module formulates resolution policies from user characteristics and from automatically collected and analyzed historical service index data, and differentiated resolution results are returned; in special scenarios the resolution result can be overridden manually and quickly. The enterprise thereby gains fine-grained and efficient control over the resolution policy of its domain names.
Description of the drawings:
Fig. 1 is a flowchart of a DNS resolution method for refined resolution control according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a DNS resolution system for refined resolution control according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be described clearly and completely with reference to the accompanying drawings. It is to be understood that the embodiments described are only a few embodiments of the present invention, and not all embodiments.
Thus, the following detailed description of the embodiments of the invention is not intended to limit the scope of the invention as claimed, but is merely representative of some embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the embodiments of the present invention and the features and technical solutions thereof may be combined with each other without conflict.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
In the description of the present invention, it should be noted that the terms "upper", "lower", and the like refer to orientations or positional relationships based on those shown in the drawings, or orientations or positional relationships that are conventionally arranged when the products of the present invention are used, or orientations or positional relationships that are conventionally understood by those skilled in the art, and such terms are used for convenience of description and simplification of the description, and do not refer to or imply that the devices or elements referred to must have a specific orientation, be constructed and operated in a specific orientation, and thus, should not be construed as limiting the present invention. Furthermore, the terms "first," "second," and the like are used merely to distinguish one description from another, and are not to be construed as indicating or implying relative importance.
Referring to Fig. 1, the DNS resolution method for refined resolution control in this embodiment includes:
a central DNS of the enterprise service receives a DNS resolution request sent by a client over a network;
the central DNS authenticates the client that sent the DNS resolution request;
when the DNS resolution request comes from a legitimate and trusted client, the central DNS resolves the DNS resolution request by matching it against the configured personalized resolution policies.
In the DNS resolution method for refined resolution control of this embodiment, when a user's client uses an enterprise service, the DNS resolution request it initiates does not go through conventional local DNS or public DNS resolution; instead, a DNS resolution module built into the client network library sends the request directly to the central DNS of the enterprise service. In addition, the enterprise server and the user client encrypt DNS resolution requests and responses with an agreed encryption algorithm, so that the user interacts securely and in a trusted way with the enterprise's DNS resolution system.
In the DNS resolution method for refined resolution control of this embodiment, the user client connects directly to the central DNS and the intermediate transmission link is encrypted, so the user's access to enterprise resources is trusted, which ensures that the user can reach the services provided by the enterprise flexibly and in a trusted way.
In the DNS resolution method for refined resolution control of this embodiment, the central DNS resolves DNS resolution requests through configured personalized resolution policies. Based on the domain name, the client characteristics and the indexes of the back-end service behind the domain name, the resolution result can be adjusted both automatically and intelligently and by manual intervention, which gives enterprises strong and flexible control over their own service domain names.
The DNS resolution method for refined resolution control aims to establish a reliable and controllable DNS resolution link directly between the user terminal and the enterprise service, so that the user can reach the enterprise service in a trusted way. A policy configuration module formulates resolution policies from user characteristics and from automatically collected and analyzed historical service index data, and differentiated resolution results are returned; in special scenarios the resolution result can be overridden manually and quickly. The enterprise thereby gains precise and efficient control over the resolution policy of its domain names.
As an optional implementation of this embodiment, in the DNS resolution method for refined resolution control, the central DNS resolving the DNS resolution request by matching the configured personalized resolution policies includes:
configuring personalized resolution policies for service characteristics through a management backend, and storing them in a feature policy library;
the feature policy library asynchronously and periodically loads the feature policies into the central DNS, where they are matched against DNS resolution requests.
The central DNS of this embodiment allows personalized resolution policies for service characteristics to be added manually through the backend; for each DNS resolution request from a client, it performs policy matching in the feature policy library to find out whether a personalized resolution policy has been configured for users with those characteristics.
Optionally, the service characteristics include the client region, the user ID, and the user class.
As an optional implementation of this embodiment, in the DNS resolution method for refined resolution control, the central DNS resolving the DNS resolution request by matching the configured personalized resolution policies includes:
collecting health and capacity index data of the service behind the domain name, generating service index policies through self-learning, and storing them in a service index library;
the service index library asynchronously and periodically loads the service index policies into the central DNS, which automatically updates its resolution policy, balances load according to the service health and capacity indexes, and achieves automatic failover by returning only healthy services.
In addition, when resolving DNS resolution requests by matching the configured personalized resolution policies, the central DNS of this embodiment collects index data on the service resources behind its own domain names, automatically updates the resolution policy by learning from historical data, balances load according to indexes such as service health and capacity, and achieves automatic failover by returning only healthy services.
Asynchronous loading is also called non-blocking loading: the browser can continue processing the rest of the page while it downloads JS. One way to load a JS file asynchronously is for JS to create a script element and insert it into the document.
In the DNS resolution method for refined resolution control of this embodiment, all user requests are forwarded through the client network library, and the network library's DNS resolution is performed by the central DNS, so every DNS resolution request can be resolved in a personalized way based on the feature library and the index library, which achieves accurate and timely traffic scheduling.
As an optional implementation of this embodiment, in the DNS resolution method for refined resolution control, when the DNS resolution request comes from a legitimate and trusted client:
the DNS resolution request is first matched against the results of earlier resolution requests cached by the central DNS;
if the user characteristics of the DNS resolution request hit the cache of the central DNS, the cached resolution result is returned to the user directly;
if the user characteristics of the DNS resolution request do not hit the cache of the central DNS, the central DNS resolves the request by matching it against the configured personalized resolution policies.
In the DNS resolution method for refined resolution control of this embodiment, after client authentication succeeds, the request first goes through the cache of the central DNS, which caches the results returned for earlier resolution requests by region and by other customized policies; if the user characteristics hit the cache, the cached resolution result is returned to the user directly, which improves the response speed and throughput of the system. On a cache miss, the DNS resolution request is resolved by matching it against the configured personalized resolution policies.
Further, in the DNS resolution method for refined resolution control of this embodiment, the central DNS resolves the DNS resolution request according to the cache entry it hits or the personalized resolution policy it matches; if the request hits neither a cache entry nor a personalized resolution policy, it is forwarded to an authoritative DNS for resolution. The authoritative DNS is a system on the DNS server side that stores the authoritative information for the corresponding domain names. Colloquially, the authoritative DNS is the DNS server that has the final say over a domain name.
In the DNS resolution method for refined resolution control of this embodiment, the authoritative DNS returns the resolution result of the DNS resolution request to the central DNS of the enterprise service; the central DNS updates the resolution policy according to the result returned by the authoritative DNS, and the cache of the central DNS is updated with the result returned by the authoritative DNS or with the result produced by the resolution policy.
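The lookup order described above (cache, then personalized policy, then authoritative DNS), as an added Python example that is not code from the patent. The class and field names, the precedence of manually configured feature policies over the service index, and the rule that the cache key contains every feature a policy for that domain discriminates on are assumptions; the last one keeps an answer personalized for one user class from being served from cache to another.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    domain: str
    region: str
    user_id: str
    user_class: str


@dataclass(frozen=True)
class FeaturePolicy:
    domain: str
    match: tuple      # e.g. (("user_class", "vip"),); an empty tuple matches every client
    answers: tuple

    def applies(self, req):
        return req.domain == self.domain and all(
            getattr(req, name) == value for name, value in self.match)


@dataclass(frozen=True)
class Backend:
    ip: str
    healthy: bool
    spare_capacity: float   # 0.0 (full) .. 1.0 (idle)


class CentralDNS:
    def __init__(self, policies, service_index, authoritative, ttl=30.0,
                 clock=time.monotonic):
        self.authoritative = authoritative      # callable(domain) -> list of IPs
        self.ttl = ttl
        self.clock = clock
        self.cache = {}                         # key -> (expires_at, answers)
        self.load(policies, service_index)

    def load(self, policies, service_index):
        """Periodic reload from the feature policy and service index libraries."""
        self.policies = list(policies)
        self.service_index = dict(service_index)
        # Features that any policy for a domain looks at must be part of its cache key.
        self.key_features = {}
        for p in self.policies:
            names = self.key_features.setdefault(p.domain, {"region"})
            names.update(name for name, _ in p.match)
        self.cache.clear()                      # answers from old policies are stale

    def _cache_key(self, req):
        names = sorted(self.key_features.get(req.domain, {"region"}))
        return (req.domain,) + tuple((n, getattr(req, n)) for n in names)

    def resolve(self, req):
        """Return (answers, source) for a request that already passed authentication."""
        key = self._cache_key(req)
        hit = self.cache.get(key)
        if hit and hit[0] > self.clock():
            return list(hit[1]), "cache"
        answers, source = self._decide(req)
        self.cache[key] = (self.clock() + self.ttl, answers)
        return list(answers), source

    def _decide(self, req):
        for p in self.policies:                 # manual intervention wins (assumption)
            if p.applies(req):
                return list(p.answers), "feature-policy"
        healthy = [b for b in self.service_index.get(req.domain, ()) if b.healthy]
        if healthy:                             # failover: unhealthy backends never returned
            healthy.sort(key=lambda b: b.spare_capacity, reverse=True)
            return [b.ip for b in healthy], "service-index"
        return list(self.authoritative(req.domain)), "authoritative"


def demo():
    """Constructed sample data: one VIP policy, three backends (one unhealthy)."""
    forwarded = []
    dns = CentralDNS(
        policies=[FeaturePolicy("api.example.test", (("user_class", "vip"),),
                                ("192.0.2.10",))],
        service_index={"api.example.test": [
            Backend("192.0.2.21", True, 0.2),
            Backend("192.0.2.22", False, 0.9),
            Backend("192.0.2.23", True, 0.7)]},
        authoritative=lambda d: forwarded.append(d) or ["198.51.100.9"])
    vip = Request("api.example.test", "cn-north", "u1", "vip")
    std = Request("api.example.test", "cn-north", "u2", "standard")
    other = Request("static.example.test", "cn-north", "u2", "standard")
    return [dns.resolve(r) for r in (vip, std, std, vip, other)]


if __name__ == "__main__":
    for answers, source in demo():
        print(source, answers)
```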
As an optional implementation of this embodiment, in the DNS resolution method for refined resolution control, the central DNS encrypts the resolution result of the DNS resolution request and returns the encrypted result to the client; the client receives the response and decrypts it to obtain the resolution result.
As an optional implementation of this embodiment, in the DNS resolution method for refined resolution control, the central DNS authenticating the client that sent the DNS resolution request includes:
the client encrypts the DNS resolution request with an encryption algorithm agreed with the central DNS;
the central DNS receives the client's DNS resolution request and decrypts it with the decryption algorithm corresponding to the encryption algorithm agreed with the client;
if decryption succeeds, the DNS resolution request comes from a legitimate and trusted client; if decryption fails, the subsequent flow is terminated and the central DNS refuses to respond.
In the DNS resolution method for refined resolution control of this embodiment, the user client connects directly to the central DNS of the enterprise service and the intermediate transmission link is encrypted, so the user's access to enterprise resources is trusted.
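How "decryption succeeded" can serve as the authentication check described above, as an added Python example that is not code from the patent. The patent does not name the agreed algorithm; this example assumes a pre-shared 32-byte key and uses an encrypt-then-MAC envelope built from standard-library HMAC-SHA256 as a stand-in for a vetted AEAD such as AES-GCM, and the timestamp freshness window, the direction byte and all function names are added assumptions.

```python
import hashlib
import hmac
import json
import os
import struct
import time

NONCE_LEN, TAG_LEN = 16, 32
REQUEST, RESPONSE = b"Q", b"R"   # direction byte bound into the tag (assumption)


class Rejected(Exception):
    """The message did not authenticate; the caller must not answer it."""


def _subkeys(shared_key):
    # Separate keys for encryption and for the MAC, both derived from the shared key.
    return (hmac.new(shared_key, b"enc", hashlib.sha256).digest(),
            hmac.new(shared_key, b"mac", hashlib.sha256).digest())


def _xor_stream(enc_key, nonce, data):
    # Stand-in stream cipher: HMAC-SHA256 in counter mode, XORed over the data.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = nonce + struct.pack(">I", counter)
        stream += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(shared_key, direction, payload):
    """Encrypt a JSON-serializable payload and append an authentication tag."""
    enc_key, mac_key = _subkeys(shared_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = _xor_stream(enc_key, nonce, json.dumps(payload).encode())
    tag = hmac.new(mac_key, direction + nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(shared_key, direction, blob):
    """Verify the tag, then decrypt. Raises Rejected on any failure."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise Rejected("message too short")
    enc_key, mac_key = _subkeys(shared_key)
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, direction + nonce + ciphertext, hashlib.sha256).digest()
    # Without this check "decryption" never fails: any bytes XOR to something.
    if not hmac.compare_digest(tag, expected):
        raise Rejected("authentication tag mismatch")
    return json.loads(_xor_stream(enc_key, nonce, ciphertext))


def handle_request(shared_key, blob, resolver, now=None, max_skew=30):
    """Central DNS side: return the encrypted response, or None to refuse."""
    try:
        query = open_sealed(shared_key, REQUEST, blob)
    except Rejected:
        return None                      # decryption failed: terminate the flow
    if not isinstance(query, dict):
        return None
    now = time.time() if now is None else now
    ts, domain = query.get("ts"), query.get("domain")
    if not isinstance(ts, (int, float)) or abs(now - ts) > max_skew:
        return None                      # stale or missing timestamp: treat as a replay
    if not isinstance(domain, str):
        return None
    return seal(shared_key, RESPONSE, {"domain": domain, "answers": resolver(domain)})


if __name__ == "__main__":
    key = bytes(range(32))               # constructed demo key, not a real secret
    req = seal(key, REQUEST, {"domain": "api.example.test", "ts": time.time()})
    resp = handle_request(key, req, lambda d: ["192.0.2.10"])
    print(open_sealed(key, RESPONSE, resp))
```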
This embodiment also provides a DNS resolution system for refining resolution control, including:
the authentication encryption module receives a DNS analysis request sent by a client through a network and performs client authentication aiming at the client sending the DNS analysis request;
and the strategy module is used for analyzing the DNS analysis request by matching the configured personalized analysis strategy when the DNS analysis request is from a legal and credible client.
The authentication and encryption module of this embodiment decrypts the received DNS resolution request and performs client authentication to confirm that the request comes from a legitimate, trusted client. It also encrypts the resolution result of the DNS resolution request and returns the encrypted result to the client. This ensures that the user interacts securely and credibly with the DNS resolution system of the enterprise service.
In the DNS resolution system for refined resolution control of this embodiment, when a user's client uses an enterprise service, the DNS resolution request it initiates does not pass through conventional local DNS resolution or public DNS resolution. Instead, the DNS resolution module preset in the client network library sends the resolution request directly to the central DNS of the enterprise service. In addition, the enterprise server and the user client encrypt DNS resolution requests and responses with an agreed encryption algorithm, so that the user interacts securely and credibly with the enterprise's DNS resolution system.
In the DNS resolution system for refined resolution control of this embodiment, the user client accesses the central DNS directly, the intermediate transmission link is encrypted, and the user's access to enterprise resources is trusted, which ensures that the user flexibly and genuinely accesses the services provided by the enterprise.
In the DNS resolution system for refined resolution control of this embodiment, the policy module of the central DNS resolves the DNS resolution request by matching a configured personalized resolution policy. Based on the domain name, the client characteristics and the metrics of the back-end service corresponding to the domain name, the resolution result is subject to both automatic intelligent intervention and manual intervention, which gives the enterprise strong and flexible control over its own domain names.
The DNS resolution system for refined resolution control is dedicated to establishing a reliable and controllable DNS resolution link directly between the user terminal and the enterprise service, so that the user is guaranteed trusted access to the enterprise service. The policy module formulates resolution policies from user characteristics and from automatically collected and analyzed historical service metric data and returns differentiated resolution results, or the resolution result is quickly intervened in manually in special scenarios, so that the enterprise has fine-grained and efficient control over the resolution policy of a domain name.
As an optional implementation of this embodiment, in the DNS resolution system for refined resolution control of this embodiment, the policy module resolving the DNS resolution request by matching the configured personalized resolution policy includes:
configuring a personalized resolution policy for service characteristics through the back end, and storing the personalized resolution policy in a feature policy library;
and the feature policy library asynchronously and periodically loads the feature policies into the policy module for matching against DNS resolution requests.
The policy module of the central DNS in this embodiment allows a personalized resolution policy for a service characteristic to be added manually through the back end. For a DNS resolution request from the client, it performs policy matching in the feature policy library to determine whether a personalized resolution policy has been configured for users with that characteristic.
Optionally, the service characteristics include a client region, a user ID, and a user class.
As an optional implementation of this embodiment, in the DNS resolution system for refined resolution control of this embodiment, the policy module resolving the DNS resolution request by matching the configured personalized resolution policy includes:
collecting health and capacity metric data for the service corresponding to the domain name, generating a service index policy through self-learning, and storing the service index policy in a service index library;
and the service index library asynchronously and periodically loads the service index policy into the policy module, which automatically updates the resolution policy, distributes load according to the service health and capacity metrics, and achieves automatic failover by returning only healthy services.
Thus, in addition to resolving the DNS resolution request by matching the configured personalized resolution policy, the policy module of the central DNS of this embodiment collects metric data for the service resources corresponding to the enterprise's own domain names, automatically updates the resolution policy by learning from historical data, distributes load according to metrics such as service health and capacity, and achieves automatic failover by returning only healthy services.
In the DNS resolution system for refined resolution control of this embodiment, because all user requests are forwarded through the client network library, the DNS resolution of the network library is centralized DNS resolution, and all DNS resolution requests can be individually resolved based on the feature library and the index library, so that accurate and timely scheduling of traffic is achieved.
As an optional implementation of this embodiment, the DNS resolution system for refined resolution control of this embodiment includes:
a cache module, which caches the results returned for previous resolution requests by region and by customized policies, and matches an incoming DNS resolution request against the cached results; if the user characteristics of the DNS resolution request hit the cache of the cache module, the cached resolution result is returned to the user directly, and if they do not hit the cache of the cache module, the DNS resolution request is resolved by matching a configured personalized resolution policy.
In the DNS resolution system for refined resolution control of this embodiment, when the DNS resolution request comes from a legitimate and trusted client: the DNS resolution request is first matched against the results of previous resolution requests cached by the cache module; if the user characteristics of the DNS resolution request hit the cache of the cache module, the resolution result is returned to the user directly; and if the user characteristics of the DNS resolution request do not hit the cache of the cache module, the central DNS resolves the DNS resolution request by matching a configured personalized resolution policy.
In the DNS resolution system for refined resolution control, once client authentication has passed, the request first goes through the cache module, which caches the results returned for previous resolution requests by region and by other customized policies. If the user characteristics hit the cache, the resolution result is returned to the user directly, which improves the response speed and throughput of the system. If the cache is not hit, the DNS resolution request is resolved by matching a configured personalized resolution policy.
Further, in the DNS resolution system for refined resolution control of this embodiment, the forwarding module forwards the DNS resolution request to an authoritative DNS for resolution if the request hits neither the cache nor any personalized resolution policy.
The central DNS of this embodiment resolves the DNS resolution request according to the cache entry hit by the request or the matched personalized resolution policy; if the request hits neither the cache nor any personalized resolution policy, the DNS resolution request is forwarded to an authoritative DNS for resolution. The authoritative DNS is a system on the DNS server side that stores the authoritative information for the corresponding domain names. Colloquially, the authoritative DNS is the DNS server that has the final say over a domain name.
In the DNS resolution system for refining resolution control according to this embodiment, the authoritative DNS returns a resolution result of the DNS resolution request to the policy module, the policy module updates the resolution policy according to the resolution result returned by the authoritative DNS, and the cache of the cache module updates according to the resolution result returned by the authoritative DNS or the resolution policy resolution result.
As an optional implementation manner of this embodiment, in the DNS resolution system for refining resolution control according to this embodiment, the authentication encryption module encrypts a resolution result of the DNS resolution request, and returns the encrypted resolution result to the client; and the client receives the response and decrypts the response to obtain an analysis result.
As an optional implementation manner of this embodiment, in the DNS resolution system for refining resolution control in this embodiment, the performing, by the authentication and encryption module, client authentication for the client that sends the DNS resolution request includes:
the client encrypts the DNS resolution request using an encryption algorithm agreed with the central DNS;
the central DNS receives the DNS resolution request from the client, and the authentication and encryption module decrypts the DNS resolution request using the decryption algorithm corresponding to the encryption algorithm agreed with the client;
if decryption succeeds, the DNS resolution request comes from a legitimate and trusted client; if decryption fails, the subsequent flow is terminated and no response is given.
In the DNS resolution system for refining resolution control described in this embodiment, the user client directly accesses the central DNS of the enterprise service, the intermediate transmission link is encrypted, and the user access to the enterprise resource is trusted.
In this scheme, when the user terminal uses an enterprise service, the request it initiates no longer passes through conventional local DNS resolution or public DNS resolution. Instead, the DNS resolution module preset in the terminal network library sends the resolution request directly to the enterprise's DNS resolution system, and both ends encrypt the DNS resolution request and response with an agreed encryption algorithm, so that the user interacts securely and reliably with the enterprise's DNS resolution system.
Referring to fig. 2, when a resolution request initiated by a user terminal reaches the DNS resolution system, the system first performs terminal authentication to confirm that the request comes from a legitimate and trusted terminal. Otherwise, the subsequent flow is terminated and no response is given.
After authentication has passed, the request goes through the cache module, which caches the results returned for previous resolution requests by region and by other customized policies. If the user characteristics hit the cache, the resolution result is returned to the user directly, which improves the response speed and throughput of the system.
If the cache is not hit, policy matching is performed by the system's policy module. The policy module queries the user feature policy library to determine whether a personalized resolution policy has been configured for users with these characteristics. At the same time, the policy module collects metric data for the service resources corresponding to the domain name, automatically updates the resolution policy by learning from historical data, distributes load according to metrics such as service health and capacity, and achieves automatic failover by returning only healthy services.
The corresponding resolution policy is executed according to the system's resolution cache and the matching result; if no policy is hit, the request is forwarded to the authoritative domain name server for resolution.
After this logic has executed, the resolution result is encrypted and returned to the terminal, which decrypts the response to obtain the resolution result.
The DNS resolution system for refined resolution control aims to establish a reliable and controllable DNS resolution link directly between the user terminal and the enterprise service, so that the user is guaranteed trusted access to the enterprise service. The policy configuration module formulates resolution policies from user characteristics and from automatically collected and analyzed historical service metric data and returns differentiated resolution results, or the resolution result is quickly intervened in manually in special scenarios, so that the enterprise has precise and efficient control over the resolution policy of a domain name.
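The request flow described above (authenticate by decryption, cache lookup, policy match, authoritative fallback, encrypted response), written out as an added example that is not part of the patent. The patent names no cipher or message format, so AES-GCM, the `region|userID|domain` wire format, the stage names, the lookup order of feature policy before service index, and all sample domains and addresses are assumptions constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

var ErrUntrusted = errors.New("request failed authentication")

type Backend struct{ IP string; Healthy bool; Free int } // row of the service index library

type CentralDNS struct {
	aead      cipher.AEAD
	cache     map[string]string    // "region|domain" -> IP
	feature   map[string]string    // feature policy library, same key
	index     map[string][]Backend // service index library, by domain
	authority map[string]string    // stand-in for the authoritative DNS
}

// seal returns nonce||ciphertext||tag with a fresh random nonce per message.
func seal(a cipher.AEAD, msg []byte) []byte {
	nonce := make([]byte, a.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return a.Seal(nonce, nonce, msg, nil)
}

// open fails on a wrong key or any modified byte: that is the authentication check.
func open(a cipher.AEAD, blob []byte) ([]byte, error) {
	if n := a.NonceSize(); len(blob) >= n {
		if pt, err := a.Open(nil, blob[:n], blob[n:], nil); err == nil {
			return pt, nil
		}
	}
	return nil, ErrUntrusted
}

// Handle returns the sealed answer and the stage that produced it.
func (c *CentralDNS) Handle(blob []byte) ([]byte, string, error) {
	pt, err := open(c.aead, blob)
	f := strings.SplitN(string(pt), "|", 3) // region|userID|domain (assumed format)
	if err != nil || len(f) != 3 {
		return nil, "rejected", ErrUntrusted // terminate the flow, send nothing back
	}
	key := f[0] + "|" + f[2] // cache and feature policy are keyed by region here
	ip, stage := c.cache[key], "cache"
	if ip == "" {
		ip, stage = c.feature[key], "feature-policy"
	}
	if best := -1; ip == "" {
		stage = "index-policy"
		for _, b := range c.index[f[2]] {
			if b.Healthy && b.Free > best { // unhealthy backends are never returned
				ip, best = b.IP, b.Free
			}
		}
	}
	if ip == "" {
		ip, stage = c.authority[f[2]], "authoritative"
	}
	if ip == "" {
		return nil, "no-answer", fmt.Errorf("no record for %s", f[2])
	}
	c.cache[key] = ip
	return seal(c.aead, []byte(ip)), stage, nil
}

// newDemo builds a server over constructed sample data (documentation address ranges).
func newDemo(key []byte) *CentralDNS {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 16-byte block
	return &CentralDNS{aead: gcm, cache: map[string]string{},
		feature:   map[string]string{"cn-north|api.example.com": "192.0.2.10"},
		index:     map[string][]Backend{"cdn.example.com": {{"198.51.100.1", false, 900}, {"198.51.100.2", true, 300}, {"198.51.100.3", true, 700}}},
		authority: map[string]string{"www.example.com": "203.0.113.5"}}
}

func main() {
	c := newDemo(make([]byte, 32)) // all-zero demo key, constructed
	_, stage, err := c.Handle(seal(c.aead, []byte("cn-north|u1|cdn.example.com")))
	fmt.Println(stage, err)
}
```

"Decryption succeeded" identifies the sender only because GCM verifies an authentication tag; a mode without integrity would decrypt arbitrary bytes without error. The sample request carries no timestamp or counter, so a deployment would add a freshness check to reject replayed requests.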
The embodiment also provides a storage medium, which stores a computer executable program, and when the computer executable program is executed, the DNS resolution method for refining resolution control is realized.
The storage medium of this embodiment may comprise a propagated data signal with readable program code embodied therein, either in baseband or as part of a carrier wave. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable storage medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a readable storage medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
The embodiment also provides an electronic device, which comprises a processor and a memory, wherein the memory is used for storing a computer executable program, and when the computer program is executed by the processor, the processor executes the DNS resolution method for refining the resolution control.
The electronic device is in the form of a general purpose computing device. The processor can be one or more and can work together. The invention also does not exclude that distributed processing is performed, i.e. the processors may be distributed over different physical devices. The electronic device of the present invention is not limited to a single entity, and may be a sum of a plurality of entity devices.
The memory stores a computer executable program, typically machine readable code. The computer readable program may be executed by the processor to enable an electronic device to perform the method of the invention, or at least some of the steps of the method.
The memory may include volatile memory, such as Random Access Memory (RAM) and/or cache memory, and may also be non-volatile memory, such as read-only memory (ROM).
It should be understood that elements or components not shown in the above examples may also be included in the electronic device of the present invention. For example, some electronic devices further include a display unit such as a display screen, and some electronic devices further include a human-computer interaction element such as a button, a keyboard, and the like. Electronic devices are considered to be covered by the present invention as long as the electronic devices are capable of executing a computer-readable program in a memory to implement the method of the present invention or at least a part of the steps of the method.
From the above description of the embodiments, those skilled in the art will readily appreciate that the present invention can be implemented by hardware capable of executing a specific computer program, such as the system of the present invention, and electronic processing units, servers, clients, mobile phones, control units, processors, etc. included in the system. The invention may also be implemented by computer software for performing the method of the invention, e.g. control software executed by a microprocessor, an electronic control unit, a client, a server, etc. It should be noted that the computer software for executing the method of the present invention is not limited to be executed by one or a specific hardware entity, and can also be realized in a distributed manner by non-specific hardware. For computer software, the software product may be stored in a computer readable storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or may be distributed over a network, as long as it enables the electronic device to perform the method according to the present invention.
The above embodiments are only used to illustrate the present invention and not to limit the technical solutions described in the present invention, and although the present invention has been described in detail in the present specification with reference to the above embodiments, the present invention is not limited to the above specific embodiments, and therefore, any modifications or equivalents of the present invention may be made; all such modifications and variations are intended to be included herein within the scope of this disclosure and the appended claims.

Claims (10)

1. A DNS resolution method for refined resolution control, characterized by comprising the following steps:
a central DNS receives a DNS resolution request sent by a client over a network;
the central DNS performs client authentication on the client that sent the DNS resolution request;
when the DNS resolution request comes from a legitimate and trusted client, the central DNS resolves the DNS resolution request by matching a configured personalized resolution policy.
2. The DNS resolution method for refined resolution control according to claim 1, wherein the central DNS resolving the DNS resolution request by matching the configured personalized resolution policy includes:
configuring a personalized resolution policy for service characteristics through the back end, and storing the personalized resolution policy in a feature policy library;
the feature policy library asynchronously and periodically loads feature policies into the central DNS for matching against DNS resolution requests;
optionally, the service characteristics include a client region, a user ID, and a user class.
3. The DNS resolution method for refined resolution control according to claim 2, wherein the central DNS resolving the DNS resolution request by matching the configured personalized resolution policy includes:
collecting health and capacity metric data for the service corresponding to the domain name, generating a service index policy through self-learning, and storing the service index policy in a service index library;
and the service index library asynchronously and periodically loads the service index policy into the central DNS, which automatically updates the resolution policy, distributes load according to the service health and capacity metrics, and achieves automatic failover by returning only healthy services.
4. The DNS resolution method for refined resolution control according to claim 3, wherein when the DNS resolution request comes from a legitimate and trusted client:
the DNS resolution request is first matched against the results of previous resolution requests cached by the central DNS;
if the user characteristics of the DNS resolution request hit the cache of the central DNS, the resolution result is returned to the user directly;
and if the user characteristics of the DNS resolution request do not hit the cache of the central DNS, the central DNS resolves the DNS resolution request by matching a configured personalized resolution policy.
5. The DNS resolution method for refined resolution control according to claim 4, wherein the central DNS resolves the DNS resolution request according to the cache entry hit by the DNS resolution request or the matched personalized resolution policy;
and if the DNS resolution request hits neither the cache nor any personalized resolution policy, the DNS resolution request is forwarded to an authoritative DNS for resolution.
6. The DNS resolution method for refined resolution control according to claim 5, wherein the central DNS encrypts the resolution result of the DNS resolution request and returns the encrypted resolution result to the client;
and the client receives the response and decrypts it to obtain the resolution result.
7. The DNS resolution method for refined resolution control according to claim 1, wherein the central DNS performing client authentication on the client that sent the DNS resolution request includes:
the client encrypts the DNS resolution request using an encryption algorithm agreed with the central DNS;
the central DNS receives the DNS resolution request from the client and decrypts it using the decryption algorithm corresponding to the encryption algorithm agreed with the client;
if decryption succeeds, the DNS resolution request comes from a legitimate and trusted client; if decryption fails, the subsequent flow is terminated and no response is given.
8. A DNS resolution system for refined resolution control, characterized by comprising:
an authentication and encryption module, configured to receive a DNS resolution request sent by a client over a network and to perform client authentication on the client that sent the DNS resolution request;
and a policy module, configured to resolve the DNS resolution request by matching a configured personalized resolution policy when the DNS resolution request comes from a legitimate and trusted client.
9. The DNS resolution system for refined resolution control according to claim 8, comprising:
a cache module, which caches the results returned for previous resolution requests by region and by customized policies, and matches an incoming DNS resolution request against the cached results; if the user characteristics of the DNS resolution request hit the cache of the cache module, the cached resolution result is returned to the user directly, and if they do not hit the cache of the cache module, the policy module resolves the DNS resolution request by matching a configured personalized resolution policy;
and a forwarding module, configured to forward the DNS resolution request to an authoritative DNS for resolution if the request hits neither the cache nor any personalized resolution policy.
10. A storage medium storing a computer-executable program, wherein the computer-executable program, when executed, implements the DNS resolution method for refined resolution control according to any one of claims 1 to 7.
CN202210130600.4A 2022-02-11 2022-02-11 DNS analysis method, system and storage medium for refined analysis control Pending CN114553820A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210130600.4A CN114553820A (en) 2022-02-11 2022-02-11 DNS analysis method, system and storage medium for refined analysis control

Publications (1)

Publication Number Publication Date
CN114553820A true CN114553820A (en) 2022-05-27

Family

ID=81674104

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210130600.4A Pending CN114553820A (en) 2022-02-11 2022-02-11 DNS analysis method, system and storage medium for refined analysis control

Country Status (1)

Country Link
CN (1) CN114553820A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination