CN114726625A - Detection method and device, server and storage medium - Google Patents

Detection method and device, server and storage medium Download PDF

Info

Publication number
CN114726625A
Authority
CN
China
Prior art keywords
query
domain name
server
names
query request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210369783.5A
Other languages
Chinese (zh)
Inventor
潘蓝兰
陈振明
闻迪桉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Oppo Mobile Telecommunications Corp Ltd
Original Assignee
Guangdong Oppo Mobile Telecommunications Corp Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1441 Countermeasures against malicious traffic

Abstract

In a detection method, a detection apparatus, a server, and a non-volatile computer-readable storage medium according to the present application, the method includes: acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name; when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that the random subdomain names containing the continuous N-level domain names are abnormal domain names; a query request containing a random sub-domain name of the normal domain name is processed to generate a query result. By accurately determining that all the query results are empty random subdomain names containing continuous N-level domain names as abnormal domain names, the server only processes the normal domain names to generate the query results, the computing power is not wasted for processing the query requests containing the abnormal domain names, the computing power of the server is not influenced, and the server can normally provide services.

Description

Detection method and device, server and storage medium
Technical Field
The present application relates to the field of network technologies, and in particular, to a detection method, a detection apparatus, a server, and a non-volatile computer-readable storage medium.
Background
At present, a server may be attacked with random sub-domain names: an attacker controls zombie hosts to send a large number of query requests for different random sub-domain names to the server, which occupies a large amount of the server's computing power, so that the server cannot provide services normally.
Disclosure of Invention
The embodiment of the application provides a detection method, a detection device, a server and a non-volatile computer readable storage medium.
The embodiment of the application provides a detection method. The detection method comprises the following steps: acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name; when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that the random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer; processing the query request for the random sub-domain name including a normal domain name to generate a query result.
The embodiment of the application provides a detection device. The detection device comprises an analysis module and a response module. The analysis module is used for acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name; when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that the random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer. The response module is configured to process the query request including the random sub-domain name of the normal domain name to generate a query result.
The embodiment of the application provides a server. The server comprises a processor for executing the detection method. The detection method comprises the following steps: acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name; when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that the random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer; processing the query request for the random sub-domain name including a normal domain name to generate a query result.
The present embodiments provide a non-transitory computer-readable storage medium having a computer program stored thereon. The computer program, when executed by a processor, implements a detection method. The detection method comprises the following steps: acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name; when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that the random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer; processing the query request for the random sub-domain name including a normal domain name to generate a query result.
In the detection method, the detection device, the server and the nonvolatile computer readable storage medium in the application, by acquiring the query result corresponding to the query request, when the query results of a plurality of query requests containing the same continuous N-level domain name are all empty, the query requests are proved to be attacked by the random sub-domain name at a high probability, so that the random sub-domain name containing the continuous N-level domain name can be determined as an abnormal domain name, the server only processes the normal domain name to generate the query result, the computing power is not wasted to process the query request containing the abnormal domain name, the computing power of the server is not influenced, and the service can be normally provided.
Additional aspects and advantages of embodiments of the present application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the present application.
Drawings
The above and/or additional aspects and advantages of the present application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
FIG. 1 is a schematic flow diagram of a detection method according to certain embodiments of the present application;
FIG. 2 is a block schematic diagram of a detection device according to certain embodiments of the present application;
FIG. 3 is a schematic diagram of a server and terminal interaction in accordance with certain embodiments of the present application;
FIG. 4 is a schematic flow chart of a detection method according to certain embodiments of the present application;
FIG. 5 is a schematic flow chart of a detection method according to certain embodiments of the present application;
FIG. 6 is a schematic flow chart of a detection method according to certain embodiments of the present application; and
FIG. 7 is a schematic diagram of the interaction of a non-volatile computer readable storage medium and a processor of certain embodiments of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below by referring to the drawings are exemplary only for the purpose of explaining the embodiments of the present application, and are not to be construed as limiting the embodiments of the present application.
An attacker who controls zombie hosts can have them send a large number of query requests for different random sub-domain names to a recursive resolver (i.e., a server that performs domain name resolution). Because the recursive resolver holds no local resource record for these random sub-domain names, it forwards each such query request to the authoritative server (i.e., the server that answers with the Internet Protocol (IP) address corresponding to the queried name) of the victim service domain name, which therefore receives a large number of random sub-domain name requests. The larger the zombie network, the more random sub-domain name requests are sent, which may leave both the recursive resolver and the authoritative server of the victim service domain name unable to serve normally and prevent users from accessing the network.
Referring to fig. 1 to 3, a detection method according to an embodiment of the present disclosure includes:
011: acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name;
012: when query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer;
013: a query request containing a random sub-domain name of the normal domain name is processed to generate a query result.
The detection device 10 according to the embodiment of the present application includes an analysis module 11 and a response module 12. The analysis module 11 obtains a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name; when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, it determines that the random subdomain names containing the continuous N-level domain names are abnormal domain names, where N is a positive integer. The response module 12 is used to process a query request containing a random sub-domain name of the normal domain name to generate a query result. That is, step 011 and step 012 can be executed by the analysis module 11, and step 013 can be executed by the response module 12.
The server 100 according to the embodiment of the present application includes a processor 20, where the processor 20 is configured to obtain a query request, where the query request includes a random sub-domain name, and the random sub-domain name includes a multi-level domain name; when query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer; a query request containing a random sub-domain name of the normal domain name is processed to generate a query result. That is, step 011, step 012, and step 013 can be performed by processor 20.
The number of servers 100 may be one or more. In the embodiment of the present application there are two servers 100, an analysis server 101 (also referred to below as the resolution server 101) and a response server 102: the analysis server 101 (such as the aforementioned recursive resolver) analyzes the query request and forwards it to the corresponding response server 102, and the response server 102 (such as the aforementioned authoritative server) processes the query request and returns a query result. The number of processors 20 may likewise be plural; taking two processors 20 as an example, they may be provided in the analysis server 101 and the response server 102 respectively.
It is to be understood that the analysis module 11 may be disposed in the analysis server 101 and the response module 12 may be disposed in the response server 102; alternatively, the analysis module 11 is the analysis server 101 and the response module 12 is the response server 102.
Specifically, referring to fig. 3, when accessing a web page, a terminal 200 (e.g., a mobile phone, a computer, etc.) sends a query request containing a domain name (e.g., a random sub-domain name) to the analysis server 101, which may be a recursive analysis server 101, an iterative analysis server 101, or the like. The analysis server 101 does not hold a resource record for the domain name; its role is to find the corresponding response server 102 for each query request and to forward the query request to it. The response server 102 holds the resource records, and by querying them it finds the query result corresponding to the domain name, which may include the IP address at which the domain name is to be accessed. The query result is returned to the analysis server 101 and finally to the terminal 200, thereby enabling access to the web page.
The domain name generally includes multiple levels, such as a top-level domain name, a first-level domain name, a second-level domain name, and so on; the levels are separated by "." (for example, in the domain name go.some.com).
When a large number of query requests containing random sub-domain names arrive, those random sub-domain names generally have no resource record in the response server 102, that is, no corresponding IP address exists, so the query result is generally empty. A random sub-domain name attack is also usually directed at a particular target server 100, and the domain names of a target server 100 usually follow a rule: consecutive N-level domain names (e.g., N consecutive levels counted from the top-level domain name) are all the same. For example, if the domain name of the target server 100 is a wildcard name under home.com (the wildcard part may be any characters), then all names that reach the target server 100 share the same consecutive 2-level domain names (i.e., the top level and the first level), home.com. This example takes N = 2, with the consecutive N-level domain names being "home" and "com"; N may also be 3, and it may be determined according to the domain name rule of the target server 100.
The resolution server 101 may count, within a preset time length (e.g., an hour, a day, a week, etc.), the query results returned by the response server 102 for the query requests containing home.com. If the query results of a plurality of query requests (e.g., a preset number such as 100 or 200) are all empty, the query requests containing home.com are most likely a random sub-domain name attack, so the resolution server 101 may determine all random sub-domain names containing home.com to be abnormal domain names and forward only the query requests containing normal domain names (i.e., domain names that do not contain an abnormal domain name) to the response server 102. This blocks the random sub-domain name attack and leaves the response server 102 with sufficient computing power to process the query requests for random sub-domain names containing normal domain names, return the query results, and provide service to the client.
According to the detection method, the detection device 10 and the server 100, by obtaining the query result corresponding to the query request, when the query results of a plurality of query requests containing the same continuous N-level domain name are all empty, it is indicated that the query requests are under random sub-domain name attack with a high probability, and therefore, the random sub-domain name containing the continuous N-level domain name can be determined as an abnormal domain name, so that the server 100 only processes the normal domain name to generate the query result, the query request containing the abnormal domain name can not be processed by wasting the computing power, the computing power of the server 100 is guaranteed not to be affected, and the server 100 can normally provide services.
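The detection rule of steps 011 to 013, written out as an added example (not the patent's own code): a detector that groups answered queries by their consecutive N-level suffix, keeps only the events inside the preset time length, and flags the suffix as abnormal once at least a preset number of queries sharing it have all returned empty. The resolver loop, the zone contents and the traffic are constructed for the example.

```python
from collections import defaultdict, deque
from typing import Optional


def suffix_n(qname: str, n: int) -> str:
    """Return the last n labels of a name: suffix_n('abc.home.com', 2) == 'home.com'."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-n:])


class RandomSubdomainDetector:
    """Steps 011-012: flag a consecutive N-level suffix as abnormal when, within the
    preset time length, at least `threshold` queries sharing it all returned empty."""

    def __init__(self, n: int = 2, window_seconds: int = 3600, threshold: int = 100):
        self.n = n
        self.window = window_seconds
        self.threshold = threshold
        self._seen = defaultdict(deque)  # suffix -> deque of (timestamp, result_was_empty)
        self.abnormal = set()

    def observe(self, ts: int, qname: str, ip: Optional[str]) -> bool:
        """Record one answered query; return True if its suffix is (now) abnormal."""
        key = suffix_n(qname, self.n)
        dq = self._seen[key]
        dq.append((ts, ip is None))
        while dq and ts - dq[0][0] > self.window:  # forget events outside the window
            dq.popleft()
        # A single successful answer inside the window keeps the suffix normal.
        if len(dq) >= self.threshold and all(empty for _, empty in dq):
            self.abnormal.add(key)
        return key in self.abnormal

    def is_normal(self, qname: str) -> bool:
        """Step 013 gate: only names whose suffix is not abnormal are forwarded."""
        return suffix_n(qname, self.n) not in self.abnormal


def run_resolver(stream, zone, det):
    """Simulate the resolution server: forward normal names to the response server
    (modelled by the `zone` dict), feed the answers to the detector, drop the rest.
    Returns (forwarded, dropped) counts."""
    forwarded = dropped = 0
    for ts, qname in stream:
        if not det.is_normal(qname):
            dropped += 1
            continue
        forwarded += 1
        det.observe(ts, qname, zone.get(qname.lower()))
    return forwarded, dropped


# Constructed authoritative data: only these names have resource records.
ZONE = {"go.some.com": "192.0.2.10", "www.some.com": "192.0.2.11"}

# Constructed traffic: 150 random labels under home.com (all answered empty), then
# ordinary traffic to some.com in which a typo ("gp.some.com") also gets empty answers.
ATTACK = [(t, f"r{t:04x}.home.com") for t in range(150)]
NORMAL = [(200 + t, ["go.some.com", "www.some.com", "gp.some.com"][t % 3]) for t in range(30)]


def demo() -> dict:
    det = RandomSubdomainDetector(n=2, window_seconds=3600, threshold=100)
    attack_stats = run_resolver(ATTACK, ZONE, det)
    normal_stats = run_resolver(NORMAL, ZONE, det)
    return {"attack": attack_stats, "normal": normal_stats, "abnormal": sorted(det.abnormal)}


if __name__ == "__main__":
    # Expected: the 101st home.com query onwards is dropped; some.com is never flagged.
    print(demo())
```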
Referring to fig. 2, fig. 3 and fig. 4, in some embodiments, the detection method further includes:
014: and determining that all query results of the query requests containing the current abnormal domain name are the query results corresponding to the current abnormal domain name within the cache validity period of the query results corresponding to the current abnormal domain name.
In some embodiments, the parsing module 11 is further configured to determine that query results of all query requests including the current abnormal domain name are query results corresponding to the current abnormal domain name within a cache validity period of the query results corresponding to the current abnormal domain name. That is, step 014 may be performed by parsing module 11.
In some embodiments, the processor 20 is further configured to determine that all query results of the query request including the current abnormal domain name are the query result corresponding to the current abnormal domain name within the validity period of the cache of the query result corresponding to the current abnormal domain name. That is, step 014 may be performed by processor 20.
Specifically, after the response server 102 processes the query request to generate a query result, the query result is returned to the resolution server 101, where the query result includes the domain name, the cache validity period, and the IP address. For example, the query result of the domain name go.some.com includes go.some.com, 86400 and IP_a, where go.some.com is the domain name, 86400 is the cache validity period (e.g., 86400 seconds), and IP_a is the IP address. The cache validity period is the storage time of the query result in the resolution server 101; after the cache validity period expires, the query result is deleted from the resolution server 101, so as to ensure that the storage space of the resolution server 101 is always sufficient.
Therefore, after the abnormal domain name is determined, if the query result of any query request including the current abnormal domain name is not in the caching validity period (that is, the resolution server 101 does not have the query result including the current abnormal domain name), the query request including the current abnormal domain name is still forwarded to the response server 102 for normal processing, so as to obtain the query result corresponding to the current abnormal domain name, and then all subsequent query results including the current abnormal domain name are the query result in the caching validity period of the query result, so that only one query request including the current abnormal domain name needs to be processed in each caching validity period, the number of query requests processed by the response server 102 is greatly reduced, and the calculation power is saved.
For example, the abnormal domain name is "home.com" and the random subdomain name included in the current query request is abc.home.com. After receiving the query request, the resolution server 101 will check whether a query result containing "home.com" exists locally; if not, the current query request is sent to the response server 102, which processes it and returns the query result to the resolution server 101. The resolution server 101 can then find the query result containing "home.com" throughout the cache validity period of that query result, so after receiving a subsequent query request containing "home.com" it returns the query result directly to the terminal 200, thereby reducing the number of query requests.
Referring to fig. 2, fig. 3 and fig. 5, in some embodiments, the detection method further includes:
015: and recording the query results of all query requests within a preset time length to generate a historical query record.
016: inquiring the inquiry result of the inquiry request containing the abnormal domain name in the historical inquiry record;
017: re-determining the random subdomain name of the query request with the query result of successful query in the historical query record as a normal domain name; and
018: and re-determining the random subdomain name of the query request with no query result or null query results in the historical query records as the abnormal domain name.
In some embodiments, the response module 12 is further configured to record query results for all query requests within a predetermined time period to generate a historical query record. The analysis module is also used for inquiring the inquiry result of the current abnormal domain name in the historical inquiry record; re-determining the current abnormal domain name with the query result of successful query in the historical query record as a normal domain name; and re-determining the current abnormal domain name with no query result or null query result in the historical query record as the abnormal domain name. That is, step 015 may be performed by the answer module 12, and steps 016, 017 and 018 may be performed by the parsing module 11.
In some embodiments, the processor 20 is further configured to record query results for all query requests within a predetermined time period to generate a historical query record; inquire the query result of the current abnormal domain name in the historical query record; re-determine the current abnormal domain name with a successful query result in the historical query record as a normal domain name; and re-determine the current abnormal domain name with no query result or null query results in the historical query record as the abnormal domain name. That is, steps 015 to 018 may be performed by processor 20.
Specifically, among the query requests containing the abnormal domain name there may also be normal query requests, that is, query requests for which a corresponding resource record (i.e., an IP address) exists. To prevent such normal query requests from being blocked, the response server 102 may record the query results of all query requests within a predetermined time period (e.g., one day, one week, etc.) to generate a historical query record that contains the query result of each query request. A random sub-domain name whose query results are always empty is likely to be an abnormal domain name subjected to a random sub-domain name attack, whereas a random sub-domain name for which the historical record contains a successful query result (i.e., an IP address exists) may be a normal domain name, so the historical query record can be used to determine again whether the random sub-domain name is abnormal.
More specifically, after receiving the query request including the abnormal domain name, the resolution server 101 may query the query result of the abnormal domain name in the historical query record, and if the abnormal domain name is the abnormal domain name, may find all the query results including the abnormal domain name in the historical query record, thereby determining whether there is a query result, whether the query result is empty, or whether the query result includes a query result that the query is successful, and in the case that the query result that the query request including the abnormal domain name has a query result that the query is successful in the historical query record, re-determining that the random subdomain name of the query request is the normal domain name; and under the condition that the query request containing the abnormal domain name has no query result or all query results are empty in the historical query records, the random subdomain name of the query request is determined as the abnormal domain name again. In this way, it is prevented that the normal query request for the random sub domain name is also blocked, which affects the service effect of the response server 102.
Referring to fig. 2, fig. 3 and fig. 6, in some embodiments, the detection method further includes:
019: judging whether the server 100 is configured with the domain name, wherein the query results of random sub-domain names containing the same domain name are the same and are not null;
020: if yes, determining that all the query results of the query requests containing the domain names are the query results of the current query request in the cache validity period of the query results of the current query request containing the domain names.
In some embodiments, the parsing module 11 is further configured to determine whether the server 100 configures a domain name, where query results of random sub-domain names including the same domain name are the same and are not null; if yes, determining that all the query results of the query requests containing the domain names are the query results of the current query request in the cache validity period of the query results of the current query request containing the domain names. That is, step 019 and step 020 may be performed by the parsing module 11.
In some embodiments, the processor 20 is further configured to determine whether the server 100 configures the domain name, and the query result of the random sub-domain name including the same domain name is the same and not null; if yes, determining that all the query results of the query requests containing the domain names are the query results of the current query request in the cache validity period of the query results of the current query request containing the domain names. That is, step 019 and step 020 may be performed by processor 20.
Some response servers 102 may further set a resource record for a domain name, where the domain name is the domain name shared by all names having the same consecutive N-level domain names, for example, home.com.
Thus, the domain name resource record is set to identify the same IP address corresponding to all sub domain names under each domain name. Therefore, the response server 102 can synchronize the domain name configuration information to the resolution server 101 in time according to the domain name configuration of the response server, and invalid random sub-domain name queries from the resolution server 101 are reduced.
Therefore, after the resolution server 101 receives the current query request, it proceeds as follows. It first determines whether the response server 102 corresponding to the current query request is configured with the domain name, and whether that domain name is contained in the random sub-domain name of the current query request. If both hold, it determines whether it currently holds any query result containing the domain name (i.e., whether such a query result is within its cache validity period). If it does, that query result is used directly as the query result of the current query request. If it does not (i.e., the query result containing the domain name is outside its cache validity period), the current query request is forwarded to the response server 102 for normal processing to obtain a query result for the current query request containing the domain name; all subsequent query requests containing the domain name then receive that query result for as long as it remains within its cache validity period. Hence only one query request containing each such domain name needs to be processed per cache validity period, which greatly reduces the number of query requests processed by the response server 102 and saves computing power.
For example, the domain name is "home.com" and the random subdomain name included in the current query request is abc.home.com. After receiving the query request, the resolution server 101 will check whether a query result containing "home.com" exists locally; if not, the current query request is sent to the response server 102, which processes it and returns the query result to the resolution server 101. The resolution server 101 can then find the query result containing "home.com" throughout the cache validity period of that query result, so after receiving a subsequent query request containing "home.com" it returns the query result directly to the terminal 200, thereby reducing the number of query requests.
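The caching behaviour of steps 014 and 019 to 020 (one forwarded query per cache validity period for an abnormal or configured domain name) together with the historical re-determination of steps 015 to 018, as an added example that is not the patent's own code. The query result is modelled as the (domain name, cache validity period, IP) triple the text describes; the zone, the wildcard under shop.com, the 300-second validity period assumed for empty results and the names are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


def suffix_n(qname: str, n: int) -> str:
    """Last n labels of a name: suffix_n('abc.home.com', 2) == 'home.com'."""
    return ".".join(qname.lower().rstrip(".").split(".")[-n:])


@dataclass
class Answer:
    """Query result as the text describes it: domain name, cache validity period, IP.
    ip is None for an empty result (assumption: empty results also carry a validity period)."""
    name: str
    ttl: int
    ip: Optional[str]


class ResolutionServer:
    """Caching front-end modelled on resolution server 101 (added example)."""

    def __init__(self, response_server: Callable[[str], Answer], n: int = 2,
                 history_period: int = 86400):
        self.response_server = response_server
        self.n = n
        self.history_period = history_period
        self.abnormal: Set[str] = set()      # suffixes flagged by step 012
        self.configured: Set[str] = set()    # suffixes the response server configured (step 019)
        self.cache: Dict[str, Tuple[int, Answer]] = {}    # key -> (expires_at, answer)
        self.history: List[Tuple[int, str, Answer]] = []  # step 015 historical query record
        self.forwarded = 0

    def _cache_key(self, qname: str) -> str:
        key = suffix_n(qname, self.n)
        # Steps 014/020: one cached result serves every name under an abnormal or configured suffix.
        if key in self.abnormal or key in self.configured:
            return key
        return qname.lower()

    def resolve(self, ts: int, qname: str) -> Answer:
        key = self._cache_key(qname)
        hit = self.cache.get(key)
        if hit is not None and ts < hit[0]:
            return hit[1]                    # still within the cache validity period
        ans = self.response_server(qname)    # forwarded: the response server does the work
        self.forwarded += 1
        self.history.append((ts, qname, ans))
        self.cache[key] = (ts + ans.ttl, ans)
        return ans

    def reevaluate(self, suffix: str, now: int) -> str:
        """Steps 016-018: an abnormal suffix becomes normal again if the historical
        record of the last history_period seconds holds any successful query for it."""
        recent = [a for t, q, a in self.history
                  if now - t <= self.history_period and suffix_n(q, self.n) == suffix]
        if any(a.ip is not None for a in recent):
            self.abnormal.discard(suffix)
            return "normal"
        self.abnormal.add(suffix)
        return "abnormal"


# Constructed response server: a static zone plus a configured wildcard under shop.com.
ZONE = {"go.some.com": "IP_a", "www.home.com": "IP_b"}


def response_server(qname: str) -> Answer:
    q = qname.lower()
    if q in ZONE:
        return Answer(q, 86400, ZONE[q])
    if q.endswith(".shop.com"):              # wildcard resource record for *.shop.com (step 019)
        return Answer(q, 86400, "IP_c")
    return Answer(q, 300, None)              # empty result with a short validity period (assumption)


def demo() -> dict:
    rs = ResolutionServer(response_server, n=2)
    rs.abnormal.add("home.com")              # assume step 012 already flagged home.com
    rs.configured.add("shop.com")
    out = {}
    out["abc@0"] = rs.resolve(0, "abc.home.com").ip        # forwarded, empty
    out["xyz@10"] = rs.resolve(10, "xyz.home.com").ip      # served from the home.com cache entry
    out["fwd_after_two"] = rs.forwarded
    out["www@400"] = rs.resolve(400, "www.home.com").ip    # entry expired: forwarded, succeeds
    out["abc@401"] = rs.resolve(401, "abc.home.com").ip    # now receives the cached IP_b
    out["verdict"] = rs.reevaluate("home.com", now=500)    # history shows a success
    out["abc@600"] = rs.resolve(600, "abc.home.com").ip    # normal again: cached per full name
    out["a.shop@0"] = rs.resolve(0, "a.shop.com").ip
    out["b.shop@1"] = rs.resolve(1, "b.shop.com").ip       # one lookup per validity period
    out["fwd_total"] = rs.forwarded
    return out


if __name__ == "__main__":
    print(demo())
```

The www.home.com case shows the trade-off the historical record addresses: while home.com is flagged, a legitimate name under it is answered from whatever result is cached for the suffix until step 017 restores per-name resolution.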
Referring to fig. 7, the present embodiment further provides a computer-readable storage medium 300, on which a computer program 310 is stored, and when the computer program 310 is executed by the processor 20, the steps of the detection method according to any one of the above embodiments are implemented.
For example, referring to fig. 1 and fig. 3, when the computer program 310 is executed by the processor 20, the following steps of the detection method are implemented:
011: acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name;
012: when the query results corresponding to a plurality of query requests containing the same continuous N-level domain name within a preset time length are all empty, determining that the random sub-domain name containing the continuous N-level domain name is an abnormal domain name, where N is a positive integer;
013: processing a query request whose random sub-domain name contains a normal domain name to generate a query result.
For another example, referring to fig. 4, when the computer program 310 is executed by the processor 20, the following steps of the detection method are implemented:
014: determining that the query results of all query requests containing the current abnormal domain name are the query result corresponding to the current abnormal domain name, within the cache validity period of that query result.
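The resolver-side logic of steps 011 to 014, together with the cached handling of a domain name configured on the response server (the "home.com" example above), as an added Python example; this is not code from the patent, and the class, the threshold values, the upstream stub and names such as "victim.com" are constructed assumptions.

```python
from collections import defaultdict, deque

def suffix(name, n):
    """Last n labels of a name: suffix('abc.home.com', 2) -> 'home.com'."""
    labels = name.rstrip('.').lower().split('.')
    return '.'.join(labels[-n:]) if len(labels) >= n else None

class Resolver:
    def __init__(self, upstream, wildcard_zones=(), n=2, window=60.0,
                 min_queries=3, ttl=300.0):
        self.upstream = upstream                   # stands in for the response server
        self.wildcard_zones = set(wildcard_zones)  # domain names configured on it
        self.n, self.window, self.min_queries, self.ttl = n, window, min_queries, ttl
        self.recent = defaultdict(deque)           # suffix -> (ts, was_empty) in window
        self.abnormal = {}                         # suffix -> expiry of cached empty answer
        self.wildcard_cache = {}                   # zone -> (answer, expiry)
        self.forwarded = 0                         # queries that reached the upstream

    def resolve(self, name, now):
        sfx = suffix(name, self.n)
        # Configured domain name: one cached non-empty answer serves every random
        # sub-domain under it until the cache validity period ends.
        if sfx in self.wildcard_zones:
            hit = self.wildcard_cache.get(sfx)
            if hit and now < hit[1]:
                return hit[0]
        # Step 014: an abnormal suffix is answered from the cached empty result.
        elif sfx in self.abnormal:
            if now < self.abnormal[sfx]:
                return None
            del self.abnormal[sfx]                 # validity period over: re-check upstream
        self.forwarded += 1
        answer = self.upstream(name)
        if sfx in self.wildcard_zones and answer is not None:
            self.wildcard_cache[sfx] = (answer, now + self.ttl)
            return answer
        # Step 012: several queries sharing the suffix inside the window, all empty.
        q = self.recent[sfx]
        q.append((now, answer is None))
        while q and now - q[0][0] > self.window:
            q.popleft()
        if len(q) >= self.min_queries and all(empty for _, empty in q):
            self.abnormal[sfx] = now + self.ttl
        return answer

# Constructed upstream: 'home.com' answers every sub-domain, 'victim.com' only 'www'.
def demo_upstream(name):
    if name.endswith('.home.com'):
        return '203.0.113.10'
    return '203.0.113.20' if name == 'www.victim.com' else None
```

Note that during the validity period every query request containing the abnormal domain name is answered from the cached empty result, including a name that really exists such as www.victim.com; the historical query record and re-determination of claims 3 and 4 are what correct that.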
It will be appreciated that the computer program 310 comprises computer program code. The computer program code may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable storage medium may include: any entity or device capable of carrying computer program code, recording medium, U-disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), software distribution medium, and the like.
In the description herein, reference to the description of the terms "one embodiment," "some embodiments," "an illustrative embodiment," "an example," "a specific example" or "some examples" or the like means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the application. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, various embodiments or examples and features of different embodiments or examples described in this specification can be combined and combined by one skilled in the art without contradiction.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and the scope of the preferred embodiments of the present application includes other implementations in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present application.
Although embodiments of the present application have been shown and described above, it is to be understood that the above embodiments are exemplary and not to be construed as limiting the present application, and that changes, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present application.

Claims (12)

1. A method of detection, comprising:
acquiring a query request, wherein the query request comprises a random sub-domain name, and the random sub-domain name comprises a multi-level domain name;
when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, determining that the random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer;
processing the query request for the random sub-domain name including a normal domain name to generate a query result.
2. The detection method according to claim 1, further comprising:
determining that all the query results of the query requests containing the current abnormal domain name are the query result corresponding to the current abnormal domain name, within the cache validity period of that query result.
3. The detection method according to claim 1, further comprising:
recording the query results of all the query requests within a preset time length to generate a historical query record.
4. The detection method according to claim 3, further comprising:
querying the query result of the query request containing the abnormal domain name in the historical query record;
re-determining the random subdomain name of a query request whose query result was successfully queried in the historical query record as a normal domain name; and
re-determining the random subdomain name of a query request without a query result, or with an empty query result, in the historical query record as an abnormal domain name.
5. The detection method according to claim 1, further comprising:
judging whether a server is configured with a general domain name, wherein the query results of the random sub-domain names containing the same general domain name are the same and are not null;
if yes, determining that all the query results of the query request containing the domain name are the query results of the current query request in the cache validity period of the query results of the current query request containing the domain name.
6. A detection device, comprising:
an analysis module, configured to acquire a query request, wherein the query request comprises a random sub-domain name and the random sub-domain name comprises a multi-level domain name, and, when the query results corresponding to a plurality of query requests containing the same continuous N-level domain names in a preset time length are all empty, to determine that the random subdomain names containing the continuous N-level domain names are abnormal domain names, wherein N is a positive integer; and
a response module, configured to process the query request of the random sub-domain name containing the normal domain name to generate a query result.
7. The detection apparatus according to claim 6, wherein the parsing module is further configured to determine that the query results of all the query requests that include the current abnormal domain name are the query results corresponding to the current abnormal domain name within a cache validity period of the query results corresponding to the current abnormal domain name.
8. The detection device of claim 6, wherein the reply module is further configured to:
recording the query results of all the query requests within a preset time length to generate a historical query record.
9. The detection apparatus according to claim 8, wherein the parsing module is further configured to:
querying the query result of the current abnormal domain name in the historical query record;
re-determining the current abnormal domain name whose query result was successfully queried in the historical query record as a normal domain name; and
re-determining the current abnormal domain name without a query result, or with an empty query result, in the historical query record as an abnormal domain name.
10. The detection apparatus according to claim 6, wherein the parsing module is further configured to:
judging whether a server is configured with a domain name, wherein the query results of the random sub-domain names containing the same domain name are the same and are not null;
if yes, determining that all the query results of the query request containing the domain name are the query results of the current query request in the cache validity period of the query results of the current query request containing the domain name.
11. A server, comprising a processor configured to perform the detection method of any one of claims 1-5.
12. A non-transitory computer-readable storage medium of a computer program, wherein the computer program, when executed by one or more processors, implements the detection method of any one of claims 1-5.
CN202210369783.5A 2022-04-08 2022-04-08 Detection method and device, server and storage medium Pending CN114726625A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210369783.5A CN114726625A (en) 2022-04-08 2022-04-08 Detection method and device, server and storage medium

Publications (1)

Publication Number Publication Date
CN114726625A true CN114726625A (en) 2022-07-08

Family

ID=82240924

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination