CN116094780A - DNS response IP blacklist filtering method and system - Google Patents
- Publication number
- CN116094780A (application CN202211702654.XA)
- Authority
- CN
- China
- Prior art keywords
- domain name
- blacklist
- localdns
- dns
- cache
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/22—Indexing; Data structures therefor; Storage structures
- G06F16/2228—Indexing structures
- G06F16/2246—Trees, e.g. B+trees
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
- G06F16/2455—Query execution
- G06F16/24552—Database cache management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
Abstract
According to the DNS response IP blacklist filtering method and system, the IP addresses in a DNS response are filtered against a blacklist library and malicious IP addresses are removed, which avoids security problems such as privacy leakage caused by a user accessing a malicious website. In addition, the domain name resolution server performs precise blacklist filtering on the response before storing it in the cache, which improves cache response speed, ensures that normal IPs are not removed by mistake, and improves the user experience.
Description
Technical Field
The invention belongs to the fields of cloud computing and domain name resolution, and particularly relates to a DNS response IP blacklist filtering method.
Background
In recent years, with the rapid development of Internet and cloud computing technologies, the relationship between users and the Internet has become increasingly close. The Domain Name System (DNS) is one of the basic services of the Internet and an essential link in network interconnection. It is designed as a hierarchical, tree-structured distributed database that stores the mapping between domain names and Internet Protocol (IP) addresses. Because the domain name system is open, large, distributed, tree-structured and uses the User Datagram Protocol (UDP), it faces serious security threats, single points of failure and other security problems, such as DNS amplification attacks, DNS tunneling and DNS hijacking/redirection. Domain name servers in the DNS play one of three roles: an authoritative name server (Authoritative Name Server) resolves domain names under the domains it is authorized for; a local domain name server (local name server, Localdns) recursively resolves requested domain names and provides a caching service; and a forwarding domain name server forwards DNS requests without providing a caching service. Localdns plays a vital role in the domain name system: it recursively queries the mapping between domain names and IP addresses on behalf of users and caches the results. Because the domain name system faces serious security threats, a result recursively resolved by Localdns may contain a malicious network address, and if it is returned to the user directly, without security review and blacklist filtering, the user may suffer privacy leakage, property loss and the like.
At present, most local domain name resolution servers (Localdns) apply blacklist filtering to DNS responses after the recursive query has finished and the result has been stored in the cache; that is, filtering is performed when responding to a user's DNS request. The local domain name resolution server therefore still has to perform blacklist filtering when it answers a client request from the cache, so every response to every user DNS request is filtered once, which increases the load on the local domain name server and the time the user waits for a response.
Disclosure of Invention
In view of this, the present invention provides a DNS response IP blacklist filtering method and system that reduce the security risk posed by malicious IP addresses in DNS responses through blacklist filtering. In addition, before storing a response result in the cache, the domain name resolution server filters it precisely against the blacklist: it removes only the IPs present in the blacklist, retains the normal IP addresses, and stores the filtered result in the cache. This spares the local domain name server from repeating the blacklist filtering operation, improves cache response speed, and improves the user experience while ensuring security.
The invention provides a DNS response IP blacklist filtering method, which comprises the following steps:
1) The client initiates an access request to Localdns;
2) Localdns checks whether the local cache can answer the request and, if so, responds directly with the IP;
3) If there is no cached record, Localdns enters a recursive query;
4) Localdns first checks whether a cache entry for the top-level domain name exists locally and, if not, queries the root server for the top-level domain name;
5) Localdns then queries the second-level domain name, the third-level domain name …; if a CNAME record exists, it returns to step 4, until the IP of the domain name queried by the client has been resolved;
6) Blacklist filtering is performed: the resolved domain name IP is matched against the blacklist configured in Localdns. The blacklist in Localdns is stored in the form of a radix tree, so whether the currently resolved IP is in the blacklist can be determined quickly; if it is, the IP address is removed and the response packet is then reassembled;
7) After blacklist filtering is completed, the response packet information is stored in the cache, and the response packet is then sent to the client. Storing it in the cache enables a fast response next time, avoids repeating the recursive iteration and the blacklist removal process, improves the query response performance of Localdns, and improves the user's Internet access experience.
The invention also provides a DNS response IP blacklist filtering system, which comprises a client, a Localdns server and a DNS authoritative server, wherein:
Client: a user that initiates a domain name query. Localdns server: provides a recursive resolution service for domain name queries initiated by the client and caches the query results locally. DNS authoritative server: a DNS server provided at the domain name registrar for managing (adding, deleting, modifying, etc.) the specific domain name itself.
1) The client initiates an access request to Localdns;
2) Localdns checks whether the local cache can answer the request and, if so, responds directly with the IP;
3) If there is no cached record, Localdns enters a recursive query;
4) Localdns first checks whether a cache entry for the top-level domain name exists locally and, if not, queries the root server for the top-level domain name;
5) Localdns then queries the second-level domain name, the third-level domain name …; if a CNAME record exists, it returns to step 4, until the IP of the domain name queried by the client has been resolved;
6) Blacklist filtering is performed: the resolved domain name IP is matched against the blacklist configured in Localdns. The blacklist in Localdns is stored in the form of a radix tree, so whether the currently resolved IP is in the blacklist can be determined quickly; if it is, the IP address is removed and the response packet is then reassembled;
7) After blacklist filtering is completed, the response packet information is stored in the cache, and the response packet is then sent to the client. Storing it in the cache enables a fast response next time, avoids repeating the recursive iteration and the blacklist removal process, improves the query response performance of Localdns, and improves the user's Internet access experience.
Compared with the prior art, the DNS response IP blacklist filtering method and system provided by the invention have the following advantages:
1. The working pressure of Localdns is reduced and the cache response speed is improved. In the existing approach, when the local domain name resolution server Localdns answers a DNS request from its local cache, it still has to perform a blacklist filtering operation on the DNS response result, which increases the load on Localdns and the time the user waits for the DNS response.
2. The accuracy of DNS responses is improved and precise blacklist filtering is achieved. In the existing blacklist filtering of the local domain name resolution server Localdns, all IPs in the DNS response are matched against the local blacklist library, and as soon as one IP is in the blacklist library all IPs are filtered out and the DNS response status is set to SERVFAIL. This filtering method also removes the normal IPs and therefore affects the client's normal network access.
3. Blacklist filtering operations during resolution are reduced. When Localdns resolves a domain name, it generally issues multiple queries, to the root, top-level domain and second-level domain authoritative servers and so on. For the sake of the accuracy and completeness of the DNS response IP result, blacklist filtering is performed only at the end of resolution, when the IP of the requested domain name has been obtained; it is not performed on intermediate IP results, such as those for NS records, obtained during recursion.
Drawings
In order to more clearly illustrate the invention or the technical solutions of the prior art, the drawings used in the description of the invention or the prior art will be briefly described, it being obvious that the drawings in the description below are some embodiments of the invention, and that other drawings can be obtained from these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a block diagram of a DNS response IP blacklist filtering method;
FIG. 2 is a comparison of the method of the present invention with a prior art method;
FIG. 3 is a flow chart of DNS response IP blacklist filtering;
FIG. 4 is the IP blacklist address tree structure.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The terminology used in the embodiments of the invention is for the purpose of describing particular embodiments only and is not intended to be limiting of the invention. As used in this application and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise, the "plurality" generally includes at least two.
It should be understood that the term "and/or" as used herein is merely one relationship describing the association of the associated objects, meaning that there may be three relationships, e.g., a and/or B, may represent: a exists alone, A and B exist together, and B exists alone. In addition, the character "/" herein generally indicates that the front and rear associated objects are an "or" relationship.
The words "if", as used herein, may be interpreted as "at … …" or "at … …" or "in response to a determination" or "in response to a detection", depending on the context. Similarly, the phrase "if determined" or "if detected (stated condition or event)" may be interpreted as "when determined" or "in response to determination" or "when detected (stated condition or event)" or "in response to detection (stated condition or event), depending on the context.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a product or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such product or system. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of additional identical elements in a commodity or system comprising such elements.
In addition, the sequence of steps in the method embodiments described below is only an example and is not strictly limited.
The invention provides a DNS response IP blacklist filtering method, which comprises the following steps:
S100, the client initiates an access request to Localdns. Localdns, also known as recursive DNS, acts as a proxy for the user in obtaining domain name resolution results from the authoritative DNS.
S200, Localdns checks whether the local cache can answer the request. If the local cache has the corresponding domain name record, Localdns responds directly with the domain name IP; if the cache has no corresponding domain name record, the method proceeds to step S300.
A caching module is provided on Localdns. When a cached resolution result exists for the target domain name and its TTL has not expired, the recursive DNS returns the cached result. (Each domain name has a TTL, i.e. a time to live; once a resolution result has been cached for longer than the TTL, it must be obtained from the authoritative DNS again.) Otherwise, the recursive DNS queries the authoritative DNS of each level of the domain name in turn until it obtains the resolution result for the complete domain name.
S300, Localdns enters a recursive query to obtain the IP of the domain name queried by the client.
The recursive query referred to in this embodiment is a DNS server query mode in which the DNS server receives a client request and must reply to the client with a definite query result. If the DNS server does not hold the requested DNS information locally, it queries other servers and returns the result to the client.
The specific implementation procedure of the recursive query in this embodiment is further described below.
Referring to FIG. 3, which shows a flowchart of the DNS response IP blacklist filtering method according to the present invention: when performing a recursive query, Localdns first checks whether the top-level domain exists locally. If not, it queries the root server for the top-level domain name; if so, it initiates a query for the top-level domain name. Based on the query result, it determines whether an NS record needs to be returned; if not, it stores the query result in the cache and responds to the client. If needed, it traverses the NS records until an A record of the NS is obtained. It then queries the domain name at the address in that A record and determines whether the result is a CNAME. If so, it performs a recursive query on the CNAME again; if not, it performs blacklist filtering on the IP addresses obtained, stores the filtered IP addresses in the cache, and responds to the client.
S400, Localdns performs blacklist filtering.
Preferably, the resolved domain name IP is matched against the blacklist configured in Localdns. The blacklist in Localdns is stored in the form of a radix tree, so whether the currently resolved IP is in the blacklist can be determined quickly; if it is, the IP address is removed and the response packet is then reassembled.
S500, after blacklist filtering is completed, the response packet information is stored in the cache, and the response packet is then sent to the client. Storing the response packet information in the cache enables a fast response next time, avoids repeating the recursive iteration and the blacklist removal process, improves the query response performance of Localdns, and improves the user's Internet access experience.
To protect clients from malicious IPs, Localdns should be configured with corresponding policies to filter them out. The blacklist in Localdns can be configured by network segment, e.g., 123.123.123.0/24, or by individual IP address, e.g., 123.123.123.123/32.
The IP blacklist is stored in Localdns in the form of a radix tree. A radix tree is a multi-way search tree that saves space compared with structures such as other dictionary trees (tries). The concrete implementation of the node structure is as follows:
illustrating:
the following two blacklist IP address segments:
To keep the radix tree from becoming too tall, several bits are generally used for the decision at each data node; here 4 bits are used, and the structure of the IP blacklist address tree is shown in FIG. 4.
The following describes, by way of example, how IP blacklist entries are inserted and searched in Localdns in this embodiment:
The IP insertion method comprises the following steps:
1) When inserting a node, start from the root node root and first determine whether root.next[X] exists; if not, create the node;
2) If the root.next[X] node exists, compare the IP to be inserted with the root.next[X] node 4 bits at a time; if the value addr stored in the root.next[X] node differs from the 4 bits of the IP to be inserted, set root.next[X] = root.next[X+1] and return to 1);
3) If the value addr stored in the root.next[X] node is the same as the 4 bits of the IP to be inserted, determine whether the effective address length len is -1; if it is not -1, the root.next[X] node is a blacklist address network segment that contains the IP to be inserted, and the insertion returns that the entry already exists;
4) If len is -1, the root.next[X] node is a path node; then determine whether the bits of the IP to be inserted have reached its effective length, and if so, set len of the root.next[X] node to the effective length of the IP to be inserted;
5) If the bits of the IP to be inserted have not reached the effective length, set root = root.next[X] and return to 1) to continue.
The IP searching method comprises the following steps:
1) When searching, start from the root node root and first determine whether root.next[X] exists; if not, return that the IP is not in the blacklist;
2) If the root.next[X] node exists, compare the IP to be queried with the root.next[X] node 4 bits at a time; if the value addr stored in the root.next[X] node differs from the 4 bits of the IP to be queried, set root.next[X] = root.next[X+1] and return to 1);
3) If the value addr stored in the root.next[X] node is the same as the 4 bits of the IP to be queried, determine whether the effective address length len is -1; if it is not -1, the root.next[X] node is a blacklist address network segment that contains the IP to be queried, and the search returns that the IP is in the blacklist;
4) If len is -1, the root.next[X] node is a path node; then determine whether the bits of the IP to be queried have reached its effective length, and if so, return that the IP is not in the blacklist;
5) If the bits of the IP to be queried have not reached the effective length, set root = root.next[X] and return to 1) to continue.
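The insertion and search procedures above, as an added Python example that is not code from the patent. The node fields addr, len and next follow the text; the class and function names are assumptions, and so are two generalizations the page does not describe: prefix lengths that end inside a 4-bit group are expanded to every matching value of that group, and IPv6 gets its own tree.

```python
import ipaddress

STRIDE = 4  # bits compared at each tree level, the value chosen on the page


class Node:
    """Tree node; field names follow the page (addr, len, next)."""
    __slots__ = ("addr", "len", "next")

    def __init__(self, addr):
        self.addr = addr  # 4-bit value this node matches (None for the root)
        self.len = -1     # -1: path node; otherwise prefix length of a blacklisted segment
        self.next = []    # child nodes, scanned in order as in steps 1) and 2)


def _child(node, nibble):
    """Scan node.next for the child whose addr equals the 4-bit value."""
    for c in node.next:
        if c.addr == nibble:
            return c
    return None


def _nibbles(value, total_bits, count):
    """First `count` 4-bit groups of an address, most significant first."""
    return [(value >> (total_bits - STRIDE * (i + 1))) & 0xF for i in range(count)]


class Blacklist:
    def __init__(self):
        self.roots = {4: Node(None), 6: Node(None)}  # assumption: one tree per IP version

    def insert(self, cidr):
        """Add a segment or single address; False if an existing entry already covers it."""
        net = ipaddress.ip_network(cidr, strict=False)
        root, bits, plen = self.roots[net.version], net.max_prefixlen, net.prefixlen
        if plen == 0:  # whole address space: mark the root itself
            already = root.len != -1
            root.len = 0
            return not already
        full, rem = divmod(plen, STRIDE)
        base = _nibbles(int(net.network_address), bits, full + (1 if rem else 0))
        if rem == 0:
            paths = [base]
        else:
            # Prefix ends inside a 4-bit group: one path per value sharing its top `rem` bits
            paths = [base[:-1] + [base[-1] + i] for i in range(1 << (STRIDE - rem))]
        added = False
        for path in paths:
            added |= self._insert_path(root, path, plen)
        return added

    @staticmethod
    def _insert_path(node, path, plen):
        if node.len != -1:
            return False  # root already covers everything
        for depth, nib in enumerate(path):
            child = _child(node, nib)
            if child is None:                 # step 1): create the missing node
                child = Node(nib)
                node.next.append(child)
            elif child.len != -1:             # step 3): an existing segment contains this one
                return False
            if depth == len(path) - 1:        # step 4): effective length reached
                child.len = plen
                return True
            node = child                      # step 5): descend
        return False

    def contains(self, ip):
        """True if the address falls inside any blacklisted segment."""
        addr = ipaddress.ip_address(ip)
        node = self.roots[addr.version]
        if node.len != -1:
            return True
        for nib in _nibbles(int(addr), addr.max_prefixlen, addr.max_prefixlen // STRIDE):
            node = _child(node, nib)
            if node is None:
                return False  # no matching branch: not in the blacklist
            if node.len != -1:
                return True   # reached a blacklisted segment that contains the address
        return False
```

With the page's two sample entries, inserting 123.123.123.123/32 after 123.123.123.0/24 reports that the entry already exists, because the /24 node is reached first on the way down.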
As shown in FIG. 2, in the conventional blacklist filtering method the local server performs blacklist filtering after resolution has finished and the result has been stored in the cache, and then responds to the client. With this mode, even when the local server answers a client's DNS request from the cache, it still has to perform a blacklist filtering operation, which increases the load on the local server and the time the client waits for the DNS response. In the method provided by the invention, Localdns performs the blacklist filtering operation after resolving the domain name, rebuilds the DNS response from the filtered IPs and stores it in the cache. When the Localdns server later answers a client query from the cache, no blacklist operation is needed, which improves response speed and the user experience.
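The comparison above, as an added Python example that is not code from the patent: a toy Localdns that either caches the raw answer and filters every response with the all-or-nothing SERVFAIL behaviour, or filters once and caches the filtered answer. The `recurse` callback, the mode names, the manual clock, the zone data and `add_blacklist` are assumptions, and a linear scan stands in for the radix tree.

```python
import ipaddress

SERVFAIL = "SERVFAIL"


class Localdns:
    def __init__(self, recurse, blacklist, mode):
        self.recurse = recurse   # hypothetical stand-in for S300: name -> (ttl, [ips])
        self.nets = [ipaddress.ip_network(n) for n in blacklist]
        self.mode = mode         # "filter_then_cache" (this method) or "cache_then_filter" (conventional)
        self.cache = {}          # name -> (expiry, [ips])
        self.now = 0             # manual clock so the example is deterministic
        self.checks = 0          # number of blacklist lookups performed

    def _listed(self, ip):
        self.checks += 1
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)  # linear scan in place of the radix tree

    def _cached(self, name):
        entry = self.cache.get(name)
        return entry[1] if entry and entry[0] > self.now else None

    def query(self, name):
        ips = self._cached(name)                      # S200
        if self.mode == "filter_then_cache":
            if ips is None:
                ttl, raw = self.recurse(name)         # S300
                ips = [ip for ip in raw if not self._listed(ip)]  # S400: drop only listed IPs
                self.cache[name] = (self.now + ttl, ips)          # S500: cache the filtered answer
            return list(ips)                          # cache hits need no blacklist lookup
        # Conventional mode: cache the raw answer, filter on every response
        if ips is None:
            ttl, ips = self.recurse(name)
            self.cache[name] = (self.now + ttl, ips)
        if any([self._listed(ip) for ip in ips]):     # every IP is matched, one hit fails the answer
            return SERVFAIL
        return list(ips)

    def add_blacklist(self, cidr):
        """Assumption, not on the page: cached answers were filtered against the older
        list and are never re-checked, so an update evicts the entries it now matches."""
        net = ipaddress.ip_network(cidr)
        self.nets.append(net)
        self.cache = {n: e for n, e in self.cache.items()
                      if not any(ipaddress.ip_address(ip) in net for ip in e[1])}


# Constructed zone data: one address inside the page's sample segment, two normal ones
ZONE = {"shop.example": (300, ["123.123.123.9", "192.0.2.10", "192.0.2.11"])}
SAMPLE_BLACKLIST = ["123.123.123.0/24", "123.123.123.123/32"]


def compare(queries=5):
    """Last answer and total blacklist lookups for repeated queries in each mode."""
    out = {}
    for mode in ("cache_then_filter", "filter_then_cache"):
        dns = Localdns(ZONE.__getitem__, SAMPLE_BLACKLIST, mode)
        answers = [dns.query("shop.example") for _ in range(queries)]
        out[mode] = (answers[-1], dns.checks)
    return out
```

Because cache hits skip the blacklist entirely, an answer cached before a blacklist update keeps any newly listed IP until its TTL expires unless the cache entry is evicted, which is what `add_blacklist` does here.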
The invention also provides a DNS response IP blacklist filtering system, which comprises a client, a Localdns server and a DNS authoritative server, wherein: Client: a user that initiates a domain name query. Localdns server: provides a recursive resolution service for domain name queries initiated by the client and caches the query results locally. DNS authoritative server: a DNS server provided at the domain name registrar for managing (adding, deleting, modifying, etc.) the specific domain name itself.
The client initiates an access request to Localdns; Localdns checks whether the local cache can answer the request, and if the local cache has the corresponding domain name record, Localdns responds directly with the domain name IP;
If the cache has no corresponding domain name record, Localdns enters a recursive query until the domain name IP queried by the client is obtained from the DNS authoritative server;
Localdns performs blacklist filtering; after blacklist filtering is completed, the response packet information is stored in the cache, and the response packet is then sent to the client.
It can be appreciated that the DNS response IP blacklist filtering system provided in this embodiment may also be used to implement the steps in the method provided in other embodiments of the present invention.
The invention also provides computer equipment. The computer device is in the form of a general purpose computing device. Components of a computer device may include, but are not limited to: one or more processors or processing units, system memory, and buses connecting the different system components.
Computer devices typically include a variety of computer system readable media. Such media can be any available media that can be accessed by the computer device and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory may include a computer system readable medium in the form of volatile memory and the memory may include at least one program product having a set (e.g., at least one) of program modules configured to carry out the functions of the embodiments of the invention.
The processing unit executes various functional applications and data processing by running programs stored in the system memory, such as the methods provided by other embodiments of the present invention.
The present invention also provides a storage medium containing computer-executable instructions, on which a computer program is stored which, when executed by a processor, implements methods provided by other embodiments of the present invention.
Note that the above is only a preferred embodiment of the present invention and the technical principle applied. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, while the invention has been described in connection with the above embodiments, the invention is not limited to the embodiments, but may be embodied in many other equivalent forms without departing from the spirit or scope of the invention, which is set forth in the following claims.
Claims (10)
1. A DNS response IP blacklist filtering method, the method comprising the following steps:
S100, a client initiates an access request to Localdns;
S200, Localdns checks whether the local cache can answer the request, responds directly with the domain name IP if the local cache has the corresponding domain name record, and proceeds to step S300 if the cache has no corresponding domain name record;
S300, Localdns enters a recursive query until the domain name IP queried by the client is obtained from a DNS authoritative server;
S400, Localdns performs blacklist filtering;
S500, after blacklist filtering is completed, the response packet information is stored in the cache, and the response packet is then sent to the client.
2. The DNS response IP blacklist filtering method according to claim 1, wherein the entering the recursive query includes:
first querying whether a cache entry for the top-level domain name exists locally and, if not, querying the root server for the top-level domain name; then querying the second-level domain name, the third-level domain name … the N-level domain name; and, if a CNAME record exists for the corresponding domain name, returning to step S301, until the domain name IP queried by the client is obtained; wherein N is an integer greater than 1.
3. The DNS response IP blacklist filtering method according to claim 1, wherein the blacklist filtering includes:
matching the resolved domain name IP against the blacklist configured in Localdns, determining whether the currently resolved domain name IP is in the blacklist, and, if so, removing the domain name IP and then reassembling the response packet.
4. The DNS response IP blacklist filtering method according to claim 3, wherein the blacklist in Localdns is stored in the form of a radix tree.
5. The DNS response IP blacklist filtering method according to claim 4, wherein IP addresses are inserted into the radix tree in advance to generate the IP blacklist, and the radix tree is searched for the IP address to be matched when IP blacklist filtering is performed.
6. A DNS response IP blacklist filtering system comprising a client, a Localdns server and a DNS authoritative server, characterized in that:
the client initiates an access request to Localdns; Localdns checks whether the local cache can answer the request, and if the local cache has the corresponding domain name record, Localdns responds directly with the domain name IP;
if the cache has no corresponding domain name record, Localdns enters a recursive query until the domain name IP queried by the client is obtained from the DNS authoritative server;
Localdns performs blacklist filtering; after blacklist filtering is completed, the response packet information is stored in the cache, and the response packet is then sent to the client.
7. The DNS response IP blacklist filtering system of claim 6, wherein the entering the recursive query includes:
first querying whether a cache entry for the top-level domain name exists locally and, if not, querying the root server for the top-level domain name; then querying the second-level domain name, the third-level domain name … the N-level domain name; and, if a CNAME record exists for the corresponding domain name, returning to step S301, until the domain name IP queried by the client is obtained; wherein N is an integer greater than 1.
8. The DNS response IP blacklist filtering system of claim 7, wherein the blacklist filtering includes:
matching the resolved domain name IP against the blacklist configured in Localdns, determining whether the currently resolved domain name IP is in the blacklist, and, if so, removing the domain name IP and then reassembling the response packet.
9. The DNS response IP blacklist filtering system of claim 8, wherein the blacklist in Localdns is stored in the form of a radix tree.
10. The DNS response IP blacklist filtering system of claim 9, wherein IP addresses are inserted into the radix tree in advance to generate the IP blacklist, and the radix tree is searched for the IP address to be matched when IP blacklist filtering is performed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211702654.XA CN116094780A (en) | 2022-12-29 | 2022-12-29 | DNS response IP blacklist filtering method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116094780A (en) | 2023-05-09 |
Family
ID=86187753
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211702654.XA, Pending, CN116094780A (en) | DNS response IP blacklist filtering method and system | 2022-12-29 | 2022-12-29 |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116094780A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||