CN116743698A - Detection methods, devices and electronic equipment for domain name cache injection - Google Patents


Info

Publication number: CN116743698A
Authority: CN (China)
Prior art keywords: domain name, query, resolver, conditional, address
Legal status: Pending
Application number: CN202310760698.6A
Other languages: Chinese (zh)
Inventors: 李想, 陆超逸, 刘保君, 段海新, 李琦
Current Assignee: Tsinghua University
Original Assignee: Tsinghua University
Application filed by Tsinghua University
Priority to CN202310760698.6A
Publication of CN116743698A
Legal status: Pending (current)


Abstract

This application relates to a detection method and device for domain name cache injection, and to electronic equipment. The method comprises the following steps: sending a first query request for a target domain name to a target domain name resolver; obtaining, from the target domain name resolver, a first query result corresponding to the first query request; sending a second query request for the target domain name to a domain name server, where the domain name server is an authoritative domain name server or a recursive domain name resolver without a query forwarding function; obtaining, from the domain name server, a second query result corresponding to the second query request; and, if the second query result differs from the Internet Protocol (IP) address of the target domain name indicated by the first query result, determining that the target domain name resolver has been cache-injected. With this method, cache injection against the target domain name resolver can be detected, so that precautions can be taken against the cache injection and the security of Internet access improved.

Description

Detection methods, devices and electronic equipment for domain name cache injection

Technical field

This application relates to the field of computer technology, and in particular to detection methods, devices and electronic equipment for domain name cache injection.

Background

When a user accesses the Internet through a domain name, the IP address corresponding to the domain name must first be looked up through a domain name resolver. With the spread of the Internet, demand for domain name queries has grown enormously. To improve query efficiency, reduce the load on domain name resolvers and reduce the number of domain name query messages on the Internet, domain name resolvers widely use a local cache that stores information about recently queried domain names. When a user queries the same domain name again, the resolver returns the information about that domain name from its local cache.

At present, domain name security problems are becoming increasingly prominent, in particular the threat posed by domain name cache injection. Using cache injection, an attacker sends specially crafted malicious query responses to a domain name resolver to tamper with the resolver's local cache, so that users are redirected to a malicious server when they visit the target website. Such an attack can leak user data and can also be used to launch phishing, denial of service and other network attacks.

Summary of the invention

This application provides a detection method, device and electronic equipment for domain name cache injection that can detect cache injection against a conditional domain name resolver, so that preventive measures can be taken on that basis and the security of Internet access improved.

According to a first aspect of this application, a method for detecting domain name cache injection is provided. The method includes sending a first query request for a target domain name to a target domain name resolver, where the target domain name resolver is a conditional domain name resolver that has both a query forwarding function and a recursive query function. The method further includes obtaining, from the target domain name resolver, a first query result corresponding to the first query request. The method further includes sending a second query request for the target domain name to a domain name server, where the domain name server is an authoritative domain name server or a recursive domain name resolver that has no query forwarding function. The method further includes obtaining, from the domain name server, a second query result corresponding to the second query request. The method further includes determining that the target domain name resolver has been cache-injected when the second query result differs from the IP address of the target domain name indicated by the first query result.

According to a second aspect of this application, a method for detecting domain name cache injection is provided. The method includes receiving a domain name query request for a first domain name. The method further includes querying a domain name server for the first domain name. The method further includes receiving a domain name query response that includes a record indicating a second domain name. The method further includes determining that the domain name resolver has been cache-injected when the second domain name is not associated with the first domain name.
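The second-aspect check, as an added example that is not part of the patent: the owner name of every record in a constructed response is compared with the queried name, and records for names unrelated to it (the page's "ex.com" case) are flagged. "Associated" is taken here to mean the same name or an ancestor/descendant of it, which is an assumption; the `RR` type and sample response are constructed for this example.

```python
# Added example (not from the patent): the second-aspect check applied to a
# constructed DNS response. A resolver that asked for one name receives a set
# of records; any record whose owner name is unrelated to the queried name is
# treated as evidence of cache injection. "Associated" is interpreted here as:
# the owner equals the queried name, or one is a subdomain of the other
# (an assumption; the page does not define the term further).
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class RR:
    """A minimal resource record: owner name, type and rdata in text form."""
    name: str
    rtype: str
    rdata: str


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring the trailing root dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def is_associated(queried: str, owner: str) -> bool:
    """True if the two names are equal or one is an ancestor of the other."""
    q, o = _labels(queried), _labels(owner)
    n = min(len(q), len(o))
    return n > 0 and q[-n:] == o[-n:]


def injected_records(queried: str, response: List[RR]) -> List[RR]:
    """Return every record in the response whose owner is not associated with
    the queried name. A non-empty result means the response carries data for
    an unrelated domain that must not be cached (second-aspect detection)."""
    return [rr for rr in response if not is_associated(queried, rr.name)]


# Constructed response to a query for example.com, modelled on the page's
# examples: legitimate records for the queried name plus foreign "ex.com" ones.
SAMPLE_RESPONSE = [
    RR("example.com.", "A", "192.0.2.1"),
    RR("www.example.com.", "A", "192.0.2.1"),
    RR("ex.com.", "A", "192.0.1.1"),
    RR("ex.com.", "NS", "ns.wrong.com."),
]

if __name__ == "__main__":
    for rr in injected_records("example.com", SAMPLE_RESPONSE):
        print("unrelated record, cache injection suspected:", rr)
```

A wrong NS target for the queried name itself (the page's "example.com NS ns.wrong.com" case) has the right owner name and passes this check, which is why the first aspect's cross-check against a trusted resolver complements it.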

According to a third aspect of this application, a device for detecting domain name cache injection is provided. The device includes a first sending module configured to send a first query request for a target domain name to a target domain name resolver, where the target domain name resolver is a conditional domain name resolver that has both a query forwarding function and a recursive query function. The device further includes a first receiving module configured to obtain, from the target domain name resolver, a first query result corresponding to the first query request. The device further includes a second sending module configured to send a second query request for the target domain name to a domain name server, where the domain name server is an authoritative domain name server or a recursive domain name resolver that has no query forwarding function. The device further includes a second receiving module configured to obtain, from the domain name server, a second query result corresponding to the second query request. The device further includes a determining module configured to determine that the target domain name resolver has been cache-injected when the second query result differs from the IP address of the target domain name indicated by the first query result.

According to a fourth aspect of this application, a device for detecting domain name cache injection is provided. The device includes a first receiving module configured to receive a domain name query request for a first domain name. The device further includes a query module configured to query a domain name server for the first domain name. The device further includes a second receiving module configured to receive a domain name query response that includes a record indicating a second domain name. The device further includes a determining module configured to determine that the domain name resolver has been cache-injected when the second domain name is not associated with the first domain name.

According to a fifth aspect of this application, an electronic device is provided. The electronic device includes at least one processor, and a memory coupled to the at least one processor and storing instructions that, when executed by the at least one processor, cause the device to perform actions including: sending a first query request for a target domain name to a target domain name resolver, where the target domain name resolver is a conditional domain name resolver that has both a query forwarding function and a recursive query function; obtaining, from the target domain name resolver, a first query result corresponding to the first query request; sending a second query request for the target domain name to a domain name server, where the domain name server is an authoritative domain name server or a recursive domain name resolver that has no query forwarding function; obtaining, from the domain name server, a second query result corresponding to the second query request; and, if the second query result differs from the Internet Protocol (IP) address of the target domain name indicated by the first query result, determining that the target domain name resolver has been cache-injected.

According to a sixth aspect of this application, an electronic device is provided. The electronic device includes at least one processor, and a memory coupled to the at least one processor and storing instructions that, when executed by the at least one processor, cause the device to perform actions including: receiving a domain name query request for a first domain name; querying a domain name server for the first domain name; receiving a domain name query response that includes a record indicating a second domain name; and, when the second domain name is not associated with the first domain name, determining that the domain name resolver has been cache-injected.

According to a seventh aspect of this application, a computer-readable storage medium is provided on which a computer program product is stored. The computer program product includes machine-executable instructions that, when executed, cause a machine to perform the steps of the method of the first or second aspect of this application.

According to an eighth aspect of this application, a computer program product is provided that is tangibly stored on a non-volatile computer-readable medium and includes machine-executable instructions that, when executed, cause a machine to perform the steps of the method of the first or second aspect of this application.

Description of the drawings

The above and other objects, features and advantages of this application will become more apparent from the following more detailed description of exemplary embodiments of this application in conjunction with the accompanying drawings, in which the same reference numerals generally denote the same components.

Figure 1A illustrates a schematic diagram of an example scenario in which the devices and/or methods of embodiments of this application may be implemented;

Figure 1B illustrates a schematic diagram of another example scenario in which the devices and/or methods of embodiments of this application may be implemented;

Figure 2 illustrates a schematic flow chart of the link-based domain name cache injection process in an embodiment of this application;

Figure 3 illustrates a schematic flow chart of the bypass-based (off-path) domain name cache injection process in an embodiment of this application;

Figure 4 illustrates a schematic flow chart of the recursive query process after a conditional domain name resolver has been cache-injected, in an embodiment of this application;

Figure 5 illustrates a schematic flow chart of a domain name cache injection detection method provided by an embodiment of this application;

Figure 6 illustrates a schematic flow chart of another domain name cache injection detection method provided by an embodiment of this application;

Figure 7 illustrates a schematic block diagram of a domain name cache injection detection device provided by an embodiment of this application;

Figure 8 illustrates a schematic block diagram of another domain name cache injection detection device provided by an embodiment of this application; and

Figure 9 illustrates a schematic block diagram of an example device suitable for implementing embodiments of this application.

Throughout the drawings, the same or corresponding reference numerals denote the same or corresponding parts.

Detailed description

Embodiments of this application are described in more detail below with reference to the accompanying drawings. Although certain embodiments of this application are shown in the drawings, it should be understood that this application may be implemented in various forms and should not be construed as limited to the embodiments set forth here; rather, these embodiments are provided so that this application will be understood more thoroughly and completely. It should be understood that the drawings and embodiments of this application are for illustration only and are not intended to limit the scope of protection of this application.

In the description of the embodiments of this application, the term "including" and similar expressions should be understood as open-ended, that is, "including but not limited to". The term "based on" should be understood as "based at least in part on". The terms "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first", "second" and so on may refer to different or the same objects. Other explicit and implicit definitions may also be included below.

When a user accesses the Internet through a client using a domain name, the IP address corresponding to the domain name must be looked up through a domain name resolver. The resolver may in turn look up the domain name by recursive query or by forwarding the query, obtain the domain name's IP address and return it to the client. While resolving a domain name, the resolver may store the result in its local cache; the next time it performs a recursive query for the same domain name, it can answer directly from the cache instead of completing the whole recursive query process, which reduces the number of domain name query messages on the Internet.

However, this caching mechanism is exposed to domain name cache injection: the contents of the resolver's local cache may be tampered with, or false domain name data injected, so that users are redirected to a malicious server when visiting the target website and face the risk of data leakage. Defending against domain name cache injection is therefore very important.

To address at least the above and other potential problems, embodiments of this application provide a method for identifying domain name cache injection against conditional domain name resolvers. In this method, the client queries the conditional domain name resolver for the target domain name and obtains a first query result, queries another recursive domain name resolver or an authoritative domain name server for the target domain name and obtains a second query result, and, if the second query result differs from the first, determines that the first domain name resolver has been cache-injected. This method makes it possible to identify whether a conditional domain name resolver has been cache-injected and to prompt the user to take preventive measures, improving the security of the user's Internet access.

Embodiments of this application are described in further detail below with reference to the accompanying drawings.

First, the domain name query scenarios to which embodiments of this application apply are described with reference to Figures 1A and 1B. The scenarios in Figures 1A and 1B are explained using a conditional domain name resolver as an example. A conditional domain name resolver, as provided in embodiments of this application, is a domain name resolver that has both a query forwarding function and a recursive query function. Based on a predefined configuration, it can forward queries for some domain names and resolve others recursively. For example, the conditional resolver may be configured with a forwarding zone and a recursive zone: if the domain name to be queried belongs to the forwarding zone, the resolver forwards the query; if it belongs to the recursive zone, the resolver resolves it recursively. The forwarding path and the recursive path of the conditional resolver share the same local cache, which means that results stored in the cache during a forwarded query will be used by the conditional resolver during later recursive queries.

Figure 1A shows a forwarding query scenario 100A. By way of example, the forwarding query scenario 100A in Figure 1A may include a client 101, a conditional domain name resolver 102 and a domain name server 103, where the conditional domain name resolver 102 resolves domain names by forwarding queries.

In the scenario of Figure 1A, the client 101 queries the conditional domain name resolver 102 for a domain name. The conditional domain name resolver 102 determines that the domain name is to be resolved by forwarding and forwards the query request to the domain name server 103, which may be a recursive domain name resolver or an authoritative domain name server for the queried domain name. An authoritative domain name server is a server responsible for managing and resolving a particular domain name; for example, during the recursive resolution of a domain name, the root server, top-level domain server and second-level domain server queried by the resolver are all authoritative servers for the domain name being resolved. After completing the query, the domain name server 103 returns to the conditional domain name resolver 102 a record indicating the IP address corresponding to the domain name. The conditional domain name resolver thereby completes the forwarded query and returns the result to the client 101.

In some embodiments, the domain name server 103 may be the authoritative domain name server for the queried domain name, and that authoritative server may perform cache injection against the conditional domain name resolver 102 while the resolver is querying the domain name. For example, after receiving a query request from the conditional domain name resolver 102, the authoritative server may return a delegation (NS) record or an A record for another domain name, or a record indicating an incorrect IP address. On receiving these records, the conditional domain name resolver 102 stores them in its local cache.

Figure 1B shows a recursive query scenario 100B. By way of example, the recursive query scenario 100B in Figure 1B may include a client 101, a conditional domain name resolver 102, a root domain name server 104, a top-level domain name server 105 and a second-level domain name server 106, where the conditional domain name resolver 102 resolves domain names by recursive query.

In the scenario of Figure 1B, the client 101 queries the conditional domain name resolver 102 for a domain name. The conditional domain name resolver 102 starts at the root domain name server 104 and works downward level by level, querying the top-level domain name server 105, the second-level domain name server 106 and so on, until it obtains the IP address corresponding to the domain name.

During a recursive query, if the local cache of the conditional domain name resolver 102 holds a delegation record for the domain name to be queried, the resolver 102 uses that record and queries the domain name server it indicates. For example, after receiving a query for some domain name from the client 101, if the cache of the conditional domain name resolver 102 holds a delegation record for that domain name indicating that its authoritative server is the second-level domain name server 106, the resolver 102 need not work down from the root domain name server 104 but can query the second-level domain name server 106 directly to obtain the IP address. The delegation record in the cache of the conditional domain name resolver 102 may have been obtained during a previous recursive query for the domain name, or during a forwarded query, for example in the scenario of Figure 1A.

It should be understood that the scenarios of Figures 1A and 1B are merely examples and do not limit this application. This application places no limit on the number and type of domain name servers involved in resolution; resolution scenarios to which embodiments of this application apply may include more or fewer domain name servers. It should also be understood that the client in embodiments of this application is merely illustrative: it may be any suitable device and may be implemented in software and/or hardware.

Example scenarios in which the devices and/or methods of embodiments of this application may be implemented were described above with reference to Figure 1. The domain name cache injection processes involved in embodiments of this application are described below with reference to Figures 2 and 3.

Figure 2 shows, by way of example, the link-based domain name cache injection process 200 in an embodiment of this application. In process 200, while the conditional domain name resolver 2002 is forwarding a query for a domain name, the domain name server 2003 performs cache injection against it. It should be understood that the client 2001, conditional domain name resolver 2002 and domain name server 2003 in Figure 2 are shown only schematically and do not limit this application. Referring to Figure 2, process 200 may include steps 201 to 206, which are described in detail below.

In step 201, the client 2001 sends a domain name query request to the conditional domain name resolver 2002 to look up a domain name. For ease of understanding, the following examples use the domain name "example.com"; by way of illustration, the correct IP address for "example.com" is "192.0.2.1" and its correct authoritative domain name server is "ns.example.com".

In step 202, the conditional domain name resolver 2002 determines that the domain name belongs to the forwarding zone. In embodiments of this application, the local cache of the conditional domain name resolver 2002 may be configured with a forwarding zone that holds the domain names for which queries are to be forwarded. On receiving a query request, the resolver 2002 may first match the requested domain name against the domain names in the forwarding zone. The domain name "example.com" belongs to the forwarding zone of the conditional domain name resolver 2002, so the resolver will forward the query for "example.com".

In step 203, the conditional domain name resolver 2002 forwards the query request from the client 2001 to another domain name server 2003 that is preconfigured in the resolver 2002. For example, the domain name server 2003 may be a recursive domain name resolver or the authoritative domain name server for "example.com".

In step 204, the domain name server 2003 replies to the conditional domain name resolver 2002 with a query result that contains false information about an arbitrary domain name. The false information consists of resource records for the domain name. In one example, the domain name server 2003 replies to the conditional domain name resolver 2002 with an A record indicating an incorrect IP address, for instance the A record "example.com. A 192.0.1.1", that is, it returns information indicating a false IP address. In another example, the domain name server 2003 replies with an incorrect NS record, for instance "example.com. NS ns.wrong.com", that is, it returns information indicating a false authoritative server.

在一些实施例中,域名服务器2003还可以向条件域名解析器2002回复其他除域名“example.com”之外的域名的资源记录,例如域名“ex.com”的A记录或NS记录,该A记录或NS记录可以指向预先配置的虚假服务器。In some embodiments, the domain name server 2003 can also reply to the conditional domain name resolver 2002 with resource records of other domain names other than the domain name "example.com", such as the A record or NS record of the domain name "ex.com". The A record Records or NS records can point to pre-configured fake servers.

在步骤205中,条件域名解析器2002将来自于域名服务器2003的查询结果存入本地缓存中。在该域名被配置于递归区域后,若条件域名解析器2002下一次接收到对相同域名的域名查询请求,条件域名解析器2002可以根据本地缓存中的内容进行查询。In step 205, the conditional domain name resolver 2002 stores the query results from the domain name server 2003 into the local cache. After the domain name is configured in the recursive zone, if the conditional domain name resolver 2002 receives a domain name query request for the same domain name next time, the conditional domain name resolver 2002 can query based on the content in the local cache.

在步骤206中,条件域名解析器2002将查询结果发送给客户端2001。若条件域名解析器2002从域名服务器2003处获取的查询结果指示所查询的域名的虚假IP地址,条件域名解析器2002发送给客户端2001的结果中也将指示该虚假的IP地址。In step 206, the conditional domain name resolver 2002 sends the query result to the client 2001. If the query result obtained by the conditional domain name resolver 2002 from the domain name server 2003 indicates a false IP address of the queried domain name, the result sent by the conditional domain name resolver 2002 to the client 2001 will also indicate the false IP address.

通过以上过程200,域名服务器2003实现了对条件域名解析器2002的域名缓存注入,即,在条件域名解析器2002的本地缓存中存入了域名的虚假信息。Through the above process 200, the domain name server 2003 implements the domain name cache injection into the conditional domain name parser 2002, that is, the false information of the domain name is stored in the local cache of the conditional domain name parser 2002.

The next time any client (including the client 2001) queries the conditional domain name resolver 2002 for a domain name related to the injected cache content, if that domain name is configured in the recursive zone of the conditional domain name resolver, the conditional domain name resolver 2002 may return the injected false information from its local cache to the client, or may perform a query based on the injected false information and obtain a false result, causing the client to access the wrong server.

For example, suppose the content injected into the cache of the conditional domain name resolver 2002 is "example.com. A 192.0.1.1". If, the next time a client queries the conditional domain name resolver 2002 for the domain name "example.com", the conditional domain name resolver performs a recursive query for that domain name, the query result the client obtains from the conditional domain name resolver 2002 may indicate the IP address "192.0.1.1" rather than the correct IP address "192.0.2.1", so the client will access the wrong server based on the wrong IP address.

As another example, suppose the conditional domain name resolver 2002 is injected with the false NS record "ex.com. NS ns.wrong.com" while querying the domain name "example.com". After the domain name "ex.com" is configured in the recursive zone, whenever any subsequent client queries the conditional domain name resolver 2002 for the domain name "ex.com", the conditional domain name resolver 2002 may, based on the false NS record in its local cache, query the false authoritative domain name server for that domain name and thereby obtain an incorrect query result.

The link-based domain name cache injection process involved in the embodiments of the present application has been described above with reference to Figure 2. Next, the off-path (bypass-based) domain name cache injection process involved in the embodiments of the present application is described with reference to Figure 3. In the domain name cache injection process 300 shown in Figure 3, the client 3001 forges the domain name query response of an authoritative domain name server in order to perform cache injection into the conditional domain name resolver 3002. It should be understood that the client 3001, the conditional domain name resolver 3002, the upper-level domain name server 3003 and the authoritative domain name server 3004 in Figure 3 are given only schematically and do not limit the present application. In Figure 3, the process 300 may include steps 301 to 309. The steps included in the process 300 are described in detail next.

In step 301, the client 3001 sends a domain name query request to the conditional domain name resolver 3002 to query a domain name.

In step 302, the conditional domain name resolver 3002 determines that the domain name belongs to the forwarding zone.

Steps 301 to 302 are the same as the aforementioned steps 201 to 202 and are not described again here.

In step 303, the conditional domain name resolver 3002 forwards the domain name query request to the upper-level domain name resolver 3003, which may be, for example, a recursive domain name resolver.

In step 304, the upper-level domain name resolver 3003 receives the domain name query request forwarded by the conditional domain name resolver 3002 and queries the domain name, for example by sending a domain name query request to the authoritative domain name server 3004. The authoritative domain name server 3004 may be locally configured with information about the queried domain name and can complete the query for the domain name.

In step 305, in response to the domain name query request from the upper-level domain name server 3003, the authoritative domain name server 3004 obtains the IP address corresponding to the queried domain name from its local configuration file and replies to the upper-level domain name resolver with the correct query result, which indicates the correct IP address of the domain name.

In step 306, after obtaining the correct query result from the authoritative domain name server 3004, the upper-level domain name resolver 3003 replies with that correct result to the conditional domain name resolver 3002.

The above steps 303 to 306 are given only schematically. In some embodiments, the conditional domain name resolver 3002 may forward the domain name query request from the client 3001 directly to the authoritative domain name server 3004 and obtain the correct query result from the authoritative server 3004.

In step 307, the client 3001 forges a reply from the authoritative domain name server of the queried domain name and sends false information to the conditional domain name resolver 3002. In the embodiments of the present application, the conditional domain name resolver identifies a reply from the authoritative domain name server by the request sequence number and port number in the received packet. Therefore, the client 3001 can set the request sequence number and port number in the packet it sends to the conditional domain name resolver 3002 to those corresponding to the authoritative domain name server of the domain, thereby impersonating the authoritative domain name server and sending false information to the conditional domain name resolver 3002.

After the conditional domain name resolver receives the reply from the upper-level domain name resolver 3003 or the authoritative domain name server 3004, it stores the result in its local cache within a predefined time and completes the query for the domain name; query responses related to that domain name that arrive afterwards will not be accepted by the conditional domain name resolver 3002. Therefore, the client 3001 needs to send the false information to the conditional domain name resolver 3002 before the conditional domain name resolver stores the result in its local cache. That is, step 307 is performed before step 308.

In step 308, the conditional domain name resolver 3002 stores the query result in its local cache.

In some embodiments, the false information from the client 3001 is a false record for a different domain name, and the conditional domain name resolver 3002 stores that false record in its local cache. In some embodiments, the false information from the client 3001 is a false record for the queried domain name. If the conditional domain name resolver 3002 first receives the false record and then receives the correct result from the upper-level domain name resolver 3003 or the authoritative domain name server 3004, it stores the correct result received later in its local cache; if the conditional domain name resolver 3002 first receives the correct result from the upper-level domain name resolver 3003 or the authoritative domain name server 3004 and then receives the false record, it stores the false record received later in its local cache.

In step 309, the conditional domain name resolver 3002 sends the obtained query result to the client 3001. The query result sent by the conditional domain name resolver 3002 to the client is the later-received record indicating the IP address of the queried domain name.

Based on the above steps, the client 3001 can achieve domain name cache injection into the conditional domain name resolver 3002 while the conditional domain name resolver 3002 is performing a forwarding query for a domain name. Unlike the domain name cache injection in process 200, which is performed by the authoritative domain name server, the domain name cache injection in process 300 is performed by a client; that is, any device (including the client 3001) can perform domain name cache injection into the conditional domain name resolver by forging responses from the authoritative server.

The false information injected into the cache while the conditional domain name resolver performs a forwarding query will be used by the conditional domain name resolver during subsequent recursive queries. Next, with reference to Figure 4, the recursive query process after the conditional domain name resolver 4002 has been cache-injected is described, taking the client 4001 and the conditional domain name resolver 4002 as an example. Illustratively, in the process 400 shown in Figure 4, the conditional domain name resolver 4002 has been cache-injected either by a domain name server through the process 200 shown in Figure 2 or by another client through the process 300 shown in Figure 3, and the injected content includes false resource records for the domain name "ex.com". In Figure 4, the domain name query process 400 may include steps 401 to 404, which are described in detail next.

In step 401, the client 4001 queries the conditional domain name resolver 4002 for a domain name. As an example, the following description takes the client 4001 querying the domain name "ex.com".

In step 402, after receiving the query request for the domain name "ex.com" from the client 4001, the conditional domain name resolver 4002 determines that a recursive query for "ex.com" is required. The conditional domain name resolver 4002 first searches its local cache for resource records of that domain name and, for example according to the longest-suffix matching principle, matches the false resource record for "ex.com" in the local cache. In some embodiments, the false record may be, for example, an A record indicating a false IP address; after matching the A record for "ex.com", the conditional domain name resolver 4002 replies with it to the client 4001. In some embodiments, the false record may be a delegation record indicating a false authoritative domain name server for the domain name; after matching the delegation record for "ex.com", the conditional domain name resolver 4002 may query the false authoritative domain name server for "ex.com" according to that delegation record and thereby obtain an incorrect query result.

In step 403, the conditional domain name resolver 4002 returns the query result to the client 4001. That query result is derived from the injected false record and indicates a wrong IP address.

In step 404, the client 4001 accesses the server corresponding to the IP address indicated in the received query result. Since the IP address in the query result is wrong, the client 4001's access to the domain name is directed to the wrong server, causing the access to fail or even causing the client 4001's data to be leaked.

For the domain name cache injection behaviours in Figures 2 to 4 above, the embodiments of the present application provide a detection method for domain name cache injection. Next, the detection method for domain name cache injection in the embodiments of the present application is described with reference to Figures 5 and 6.

Figure 5 is a schematic flowchart of a detection method for domain name cache injection provided by an embodiment of the present application. In the method 500, the client performs the detection of domain name cache injection into the conditional domain name resolver. In Figure 5, the method 500 may include steps 501 to 505, and each step is described next taking the client 5001, the conditional domain name resolver 5002 and the domain name server 5003 as examples.

In step 501, the client 5001 queries the conditional domain name resolver 5002 for the target domain name. Illustratively, the client 5001 may send a domain name query request to the conditional domain name resolver 5002 requesting that the conditional domain name resolver 5002 query the target domain name.

In step 502, in response to the client's query for the target domain name, the conditional domain name resolver 5002 completes the query for the target domain name and sends the first query result to the client 5001. The conditional domain name resolver 5002 may complete the query for the target domain name by either a recursive query or a forwarding query.

In step 503, the client 5001 queries the domain name server 5003 for the target domain name. The domain name server 5003 is an authoritative domain name server or a recursive domain name resolver without a forwarding query function; that is, the domain name server queried by the client 5001 will not perform a forwarding query for the domain name. If the client 5001 queries a recursive domain name resolver, the recursive domain name resolver will intercept false reply content during its recursive query, so the client obtains the correct result; if the client queries an authoritative domain name server directly, the authoritative server will reply with the correct result based on its local configuration file. In other words, the client 5001 can obtain the correct query result from the domain name server 5003.

In step 504, the domain name server 5003 sends the second query result to the client 5001. As described above, the IP address indicated in the second result is the correct IP address of the target domain name.

In step 505, the client 5001 determines, based on the first result and the second result, whether the conditional domain name resolver has been cache-injected. Since the IP address indicated in the second result is the correct IP address, if the IP address indicated in the first result differs from the IP address indicated in the second result, the query result of the conditional domain name resolver 5002 for the target domain name indicates a wrong IP address, i.e., the conditional domain name resolver 5002 was cache-injected while querying the target domain name. Correspondingly, if the IP address indicated in the first result is the same as the IP address indicated in the second result, the conditional domain name resolver 5002 was not injected with a false IP address for the target domain name while querying it.

Based on the above technical content, the client can compare the query result obtained from the conditional domain name resolver with the correct query result to determine whether that conditional domain name resolver has been cache-injected, and can then prompt the user to deal with the conditional domain name resolver or avoid using it for domain name queries, thereby improving the security of the user's Internet access.

In some embodiments, the DNS Security Extensions (DNSSEC) function of the conditional domain name resolver 5002 in the method 500 is turned off. DNSSEC is a function for verifying the integrity and legitimacy of the data in domain name query responses; with it, a domain name resolver can identify and reject the cache injection of false domain names. The method 500 is a detection method based on query results, so even when the conditional domain name resolver has not enabled DNSSEC, the client can still detect through the method 500 whether the conditional domain name resolver has been cache-injected.

In some embodiments, before the aforementioned step 501, the client 5001 may first determine that the queried domain name resolver is a conditional domain name resolver. For example, the client 5001 may send at least two queries for each of multiple domain names to the domain name resolver in order to determine whether the domain name resolver is a conditional domain name resolver that has both a forwarding query function and a recursive query function. The client 5001 initiates two queries for one domain name to the domain name resolver: the first query causes the domain name resolver to obtain the resource records of the domain name, and the second query requests the delegation record of that domain name from the domain name resolver's local cache. If the delegation record of the domain name cannot be obtained in the second query, it can be determined that the domain name resolver's first query for the domain name was a forwarding query, and the domain name resolver has a forwarding query function; if the delegation record of the domain name is obtained successfully in the second query, it can be determined that the domain name resolver's first query for the domain name was a recursive query, and the domain name resolver has a recursive query function. When multiple domain names are queried, if some query results indicate that the domain name resolver has a recursive function and other query results indicate that it has a forwarding function, the domain name resolver can be determined to be a conditional domain name resolver.

In some embodiments, a domain name may correspond to only one correct IP address. In the aforementioned step 504, the second result obtained by the client 5001 from the domain name server 5003 may indicate one correct IP address corresponding to the target domain name, referred to for convenience as the second IP address. Correspondingly, the IP address indicated in the first result obtained by the client 5001 from the conditional domain name resolver 5002 in the aforementioned step 502 is referred to as the first IP address. In the aforementioned step 505, the client 5001 may determine whether the first IP address and the second IP address are the same, for example by comparing the field indicating the first IP address in the first result with the field indicating the second IP address in the second result. When the contents of the two fields differ, the first IP address and the second IP address are determined to be different, and the client 5001 can then determine that the conditional domain name resolver 5002 has been cache-injected. When the contents of the two fields are the same, the first IP address and the second IP address are determined to be the same, and the client 5001 can then determine that the conditional domain name resolver 5002 has not been cache-injected.

In some embodiments, a domain name may correspond to multiple correct IP addresses. For example, a network service corresponding to one domain name may be provided by multiple servers in different geographical locations, each providing the same service, and these servers correspond to different IP addresses, so all of these IP addresses are correct IP addresses. When a client queries a domain name resolver for such a domain name, it obtains all IP addresses corresponding to the domain name. In the aforementioned step 504, the second result obtained by the client 5001 from the domain name server 5003 may include a second IP address set containing all correct IP addresses corresponding to the target domain name. In the aforementioned step 502, the first result obtained by the client 5001 from the conditional domain name resolver 5002 may likewise include a first IP address set, which may also contain multiple IP addresses. In the aforementioned step 505, the client 5001 may determine whether the first IP address set and the second IP address set are the same. If the number of IP addresses in the first IP address set differs from the number of IP addresses in the second IP address set, or at least one IP address in the first IP address set differs from the IP addresses in the second IP address set, it can be determined that the conditional domain name resolver 5002 has been cache-injected. If the IP addresses in the first IP address set are exactly the same as those in the second IP address set, it can be determined that the conditional domain name resolver 5002 has not been cache-injected.
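The comparison in steps 502 to 505, covering both the single-address and the multi-address embodiments, as an added example in Python (this is not the patent's own code). The answer lines are constructed in the page's "owner TYPE rdata" notation rather than captured from a live resolver; in a real tool the first result would come from a query sent to the conditional resolver under test and the second from a query sent to a reference server that never forwards (the authoritative server, or a recursive resolver without forwarding). The function names and the `Verdict` structure are this example's own.

```python
"""Client-side cache-injection check of method 500 (steps 502 to 505).
Added example, not the patent's code; inputs below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List


@dataclass(frozen=True)
class Verdict:
    injected: bool
    first_ips: FrozenSet[str]   # addresses from the conditional resolver (first result)
    second_ips: FrozenSet[str]  # addresses from the reference server (second result)
    reason: str


def normalize_ips(addresses: Iterable[str]) -> FrozenSet[str]:
    """Canonicalise address text so that, e.g., '2001:DB8::1' and '2001:db8::1'
    compare equal; a malformed address raises ValueError instead of silently
    passing the comparison."""
    return frozenset(str(ipaddress.ip_address(a.strip())) for a in addresses)


def extract_addresses(answer_lines: Iterable[str], target: str) -> FrozenSet[str]:
    """Collect the A/AAAA rdata for `target` from answer lines of the form
    'owner TYPE rdata' (the notation the page uses for records)."""
    wanted = target.rstrip(".").lower()
    found: List[str] = []
    for line in answer_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore anything that is not a three-field record line
        owner, rtype, rdata = parts
        if owner.rstrip(".").lower() == wanted and rtype.upper() in ("A", "AAAA"):
            found.append(rdata)
    return normalize_ips(found)


def detect_cache_injection(first_result: Iterable[str], second_result: Iterable[str],
                           target: str) -> Verdict:
    """Step 505: the resolver under test is judged injected when its address set
    for `target` is not identical to the reference set. A differing count and a
    differing member are both reported, as in the multi-address embodiment."""
    first = extract_addresses(first_result, target)
    second = extract_addresses(second_result, target)
    if not second:
        raise ValueError("reference server returned no address for the target; nothing to compare")
    if first == second:
        return Verdict(False, first, second, "address sets identical")
    if len(first) != len(second):
        reason = f"address count differs ({len(first)} vs {len(second)})"
    else:
        reason = f"addresses differ: {sorted(first ^ second)}"
    return Verdict(True, first, second, reason)


# Constructed sample results mirroring the page's example values.
FIRST_RESULT = ["example.com. A 192.0.1.1"]   # from the conditional resolver (step 502)
SECOND_RESULT = ["example.com. A 192.0.2.1"]  # from the authoritative server (step 504)

if __name__ == "__main__":
    verdict = detect_cache_injection(FIRST_RESULT, SECOND_RESULT, "example.com")
    print("injected" if verdict.injected else "clean", "-", verdict.reason)
```

The reference result is required to be non-empty because, as step 503 notes, the whole method rests on the second result being correct; with nothing to compare against, the check reports an error rather than a misleading "clean".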

Through the above method 500, the client can identify whether a domain name resolver has been cache-injected. Figure 6 shows another detection method for domain name cache injection provided by an embodiment of the present application; in the method 600 shown in Figure 6, the domain name resolver itself performs the detection of domain name cache injection. In Figure 6, the method 600 may include blocks 601 to 606, and the method 600 is described in detail next.

In block 601, the domain name resolver receives a domain name query request from a client, the query request being for a first domain name. In some embodiments, the domain name query request includes information indicating the first domain name, and the domain name resolver may temporarily store the information indicating the first domain name in its local cache.

In block 602, the domain name resolver queries a domain name server for the first domain name. In some embodiments, the domain name resolver is a domain name resolver with a forwarding query function, which forwards the domain name query request from the client to another domain name server, such as a recursive domain name resolver or an authoritative domain name server, and thereby completes a forwarding query for the first domain name with the help of that domain name server. In some embodiments, the domain name resolver is a domain name resolver with a recursive query function, which queries the root domain name servers, top-level domain name servers, second-level domain name servers and so on, level by level, until it obtains the query result from the authoritative domain name server.

In block 603, the domain name resolver receives a domain name query response that includes a record indicating a second domain name. The record indicating the second domain name may include, for example and without limitation, one or more of: an A record of the second domain name, an AAAA record of the second domain name, an NS record of the second domain name, and so on.

In some embodiments, the domain name query response comes from an authoritative domain name server; in some embodiments, the domain name query response is sent by an arbitrary device impersonating an authoritative domain name server. The present application does not limit this.

In block 604, the domain name resolver determines whether the second domain name indicated by the domain name query response is associated with the first domain name indicated in the domain name query request from the client. Illustratively, the domain name resolver temporarily stored the first domain name in its local cache in the aforementioned block 601, and it can compare the second domain name indicated by the domain name query response received in block 603 with the first domain name and determine, based on predefined rules, whether the first domain name and the second domain name correspond. In some embodiments, the first domain name corresponds to the second domain name, and the domain name resolver executes block 605. In some embodiments, the first domain name does not correspond to the second domain name, and the domain name resolver executes block 606.

在框605中,域名解析器确定自身未被缓存注入。可选地,域名解析器确定自身未被缓存注入后,可以将在框603中接收到的域名查询响应中的信息存入本地缓存中。在一些实施例中,对于一个域名查询,域名解析器确定自身未被缓存注入后,可以继续接收对下一个域名的查询请求,并对该域名进行查询,同时可以再次执行方法600中包括的各框中的动作。In block 605, the domain name resolver determines that it is not cache-injected. Optionally, after the domain name resolver determines that it has not been cache-injected, it may store the information in the domain name query response received in block 603 into the local cache. In some embodiments, for a domain name query, after the domain name resolver determines that it has not been cached and injected, it can continue to receive a query request for the next domain name and query the domain name, and at the same time, it can execute each step included in method 600 again. action in the box.

In block 606, the domain name resolver determines that it has been cache-injected. Optionally, after making this determination, it may intercept the received domain name query response and refrain from storing the record indicating the second domain name contained in that response in its local cache.

Based on the above technical solution, the domain name resolver can, while querying a domain name, recognize cache injection behaviour that injects forged domain names, and can then take precautions against domain name cache injection on that basis, for example by intercepting the query response used for the injection. This avoids returning incorrect results to later user queries for the domain name and improves the reliability of users' access to the Internet.

In some embodiments, the domain name resolver in method 600 is a conditional domain name resolver, i.e. one that has both a forwarding query function and a recursive query function, so that method 600 can detect domain name cache injection against a conditional resolver. If a conditional resolver is cache-injected while performing a forwarding query for a domain name, its subsequent recursive queries for that domain name are affected; with method 600 the conditional resolver can recognize and avoid being cache-injected during forwarding queries, which greatly improves its security.

In some embodiments, the DNS security extension (DNSSEC) function of the domain name resolver in method 600 is off. That is, even with the security extension function disabled, the resolver can still detect domain name cache injection through method 600, and its reliability and security are improved.

In some embodiments, in block 604 above, the first domain name corresponding to the second domain name includes the cases where the two domain names are the same or the second domain name is a subdomain of the first domain name. Correspondingly, the first domain name not corresponding to the second domain name includes the case where the two domain names are different and the second domain name is not a subdomain of the first domain name. Subdomains are usually created and managed by their parent domain, so if the domain name in the received query response is a subdomain of the domain name indicated in the client's query request, the resolver need not treat this as domain name cache injection, which avoids misidentifying cache injection behaviour.
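The resolver-side check of blocks 604 to 606, together with the association rule just given, can be written down directly. The following is an added example and not the patent's own code: the record and resolver types are hypothetical, and the sample responses are constructed. The check is "same name or a subdomain of the queried name is associated; anything else is treated as cache injection and the whole response is intercepted instead of being cached".

```python
"""Resolver-side check from blocks 604-606 of method 600 (added example, not the patent's code).

The resolver remembers the name it forwarded (block 601), then inspects every
record in the response (block 603).  A record whose owner name equals the
queried name, or is a subdomain of it, is "associated" and may be cached
(block 605); any other record marks the response as cache injection and the
whole response is intercepted rather than cached (block 606).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def normalize(name: str) -> str:
    """Canonical form: DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().lower().rstrip(".")


def is_associated(first: str, second: str) -> bool:
    """Block 604 rule: `second` corresponds to `first` if identical or a subdomain of it."""
    a, b = normalize(first), normalize(second)
    return b == a or b.endswith("." + a)


@dataclass(frozen=True)
class Record:
    """Minimal resource record: owner name, type and rdata (hypothetical type for the example)."""
    name: str
    rtype: str
    data: str


@dataclass
class CheckingResolver:
    """Toy resolver (hypothetical) keeping a local cache and a log of intercepted responses."""
    cache: Dict[Tuple[str, str], str] = field(default_factory=dict)
    intercepted: List[List[Record]] = field(default_factory=list)

    def handle_response(self, queried_name: str, response: List[Record]) -> bool:
        """Blocks 604-606.  Returns True when the response is judged to be cache injection."""
        foreign = [r for r in response if not is_associated(queried_name, r.name)]
        if foreign:
            # Block 606: intercept the whole response; nothing from it reaches the cache.
            self.intercepted.append(response)
            return True
        # Block 605: every record is in scope for the queried name, so store it.
        for r in response:
            self.cache[(normalize(r.name), r.rtype)] = r.data
        return False


# Constructed sample responses to a query for www.example.com.
BENIGN = [
    Record("www.example.com.", "CNAME", "cdn.www.example.com."),
    Record("cdn.www.example.com.", "A", "192.0.2.10"),  # subdomain of the queried name: associated
]
INJECTED = [
    Record("www.example.com.", "A", "192.0.2.10"),
    Record("login.example.net.", "A", "203.0.113.66"),  # unrelated zone: treated as injection
]

if __name__ == "__main__":
    r = CheckingResolver()
    print("benign   ->", r.handle_response("www.example.com", BENIGN))
    print("injected ->", r.handle_response("www.example.com", INJECTED))
    print("cache    ->", r.cache)
```

Note that the rule compares owner names only, as the text describes; a CNAME whose target lies outside the queried name is still accepted here, and the resolver would apply the same check again when it resolves that target.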

It should be understood that the method of Figure 5 and the method of Figure 6 can be implemented in combination: in one network system, the domain name resolver can detect whether it has been cache-injected, and the client can also detect whether the resolver has been cache-injected. This improves the accuracy of detecting domain name cache injection against the resolver.

The domain name cache injection detection method of Figure 5 or Figure 6 can detect cache injection behaviour including that shown in Figure 2 and that shown in Figure 3 above.

The above, with reference to Figures 5 and 6, described the domain name cache injection detection method executed by the client and the one executed by the domain name resolver, respectively. Next, the devices provided by embodiments of this application are described with reference to Figures 7 to 9.

Figure 7 is a schematic diagram of a domain name cache injection detection device 700 provided by an embodiment of this application. As shown in Figure 7, device 700 may include a first sending module 701, a first receiving module 702, a second sending module 703, a second receiving module 704 and a determining module 705.

The first sending module 701 is configured to send a first query request for the target domain name to the target domain name resolver, where the target domain name resolver is a conditional domain name resolver with both a forwarding query function and a recursive query function; the first receiving module 702 is configured to obtain, from the target domain name resolver, the first query result corresponding to the first query request; the second sending module 703 is configured to send a second query request for the target domain name to a domain name server, where the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function; the second receiving module 704 is configured to obtain, from the domain name server, the second query result corresponding to the second query request; and the determining module 705 is configured to determine that the target domain name resolver has been cache-injected when the IP address of the target domain name indicated by the second query result differs from that indicated by the first query result.

In some embodiments, the DNS security extension function of the target domain name resolver is off.

In some embodiments, the determining module 705 further includes a first sub-module configured to determine, before the first sending module 701 sends the first query request for the target domain name to the target domain name resolver, that the target domain name resolver is a conditional domain name resolver, based on at least two queries for multiple domain names initiated to the target domain name resolver.

In some embodiments, the first query result indicates a first IP address and the second query result indicates a second IP address. The determining module 705 further includes a second sub-module configured to judge, after the second receiving module 704 obtains the second query result corresponding to the second query request from the domain name server, whether the first IP address and the second IP address are the same. The determining module 705 is specifically configured to determine that the target domain name resolver has been cache-injected when the first IP address and the second IP address differ.

In some embodiments, the first query result includes a first IP address set comprising multiple IP addresses corresponding to the target domain name, and the second query result includes a second IP address set comprising multiple IP addresses corresponding to the target domain name. The determining module 705 further includes a third sub-module configured to judge, after the second receiving module 704 obtains the second query result corresponding to the second query request from the domain name server, whether the first IP address set and the second IP address set are the same. The determining module 705 is specifically configured to determine that the target domain name resolver has been cache-injected when at least one IP address differs between the multiple IP addresses in the first IP address set and the multiple IP addresses in the second IP address set.
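The client-side comparison performed by device 700 (the single-address case of the second sub-module and the address-set case of the third sub-module) reduces to one set comparison. The following is an added example and not the patent's or the applicant's code: the two lookups are passed in as callables backed by constructed answer tables so that the logic runs offline, and the function names are assumptions.

```python
"""Client-side check from method 500 / device 700 (added example, not the patent's code).

The client asks the target (conditional) resolver for the target domain name,
then asks a reference server (an authoritative server, or a purely recursive
resolver that does not forward) for the same name.  If the IP address, or the
set of IP addresses, returned by the two differs, the target resolver is judged
to be cache-injected.
"""
import ipaddress
from typing import Callable, Dict, FrozenSet, Iterable, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Lookup = Callable[[str], Iterable[str]]


def ip_set(addresses: Iterable[str]) -> FrozenSet[Address]:
    """Parse textual addresses so that equivalent spellings (IPv6 zero compression,
    letter case) compare equal instead of producing a spurious difference."""
    return frozenset(ipaddress.ip_address(a) for a in addresses)


def results_differ(first_result: Iterable[str], second_result: Iterable[str]) -> bool:
    """Single-address and address-set embodiments collapse to one rule: the results
    differ when at least one address is present in one set but not in the other."""
    return ip_set(first_result) != ip_set(second_result)


def detect_cache_injection(target_domain: str,
                           query_target_resolver: Lookup,
                           query_reference_server: Lookup) -> Dict[str, object]:
    """First query via the conditional resolver, second via the reference server, then compare.
    The lookup callables are injected (hypothetical names) so the check runs offline."""
    first = list(query_target_resolver(target_domain))      # first query request / result
    second = list(query_reference_server(target_domain))    # second query request / result
    return {
        "domain": target_domain,
        "first_result": first,
        "second_result": second,
        "injected": results_differ(first, second),
    }


# Constructed answer tables standing in for the two network lookups.
CONDITIONAL_RESOLVER_ANSWERS = {
    "www.example.com": ["192.0.2.11", "192.0.2.10"],   # same set as the reference, other order
    "mail.example.com": ["203.0.113.66"],              # poisoned: the reference says otherwise
    "v6.example.com": ["2001:db8::1"],
}
AUTHORITATIVE_ANSWERS = {
    "www.example.com": ["192.0.2.10", "192.0.2.11"],
    "mail.example.com": ["198.51.100.9"],
    "v6.example.com": ["2001:0db8:0000:0000:0000:0000:0000:0001"],  # same address, long form
}


def query_conditional(domain: str) -> Iterable[str]:
    """Stand-in for the first query request sent to the target (conditional) resolver."""
    return CONDITIONAL_RESOLVER_ANSWERS.get(domain, [])


def query_authoritative(domain: str) -> Iterable[str]:
    """Stand-in for the second query request sent to the authoritative server."""
    return AUTHORITATIVE_ANSWERS.get(domain, [])


if __name__ == "__main__":
    for name in CONDITIONAL_RESOLVER_ANSWERS:
        print(detect_cache_injection(name, query_conditional, query_authoritative))
```

One practical caveat the text does not discuss: authoritative servers that serve location- or load-dependent answers can legitimately return different address sets to different vantage points, so a mismatch is evidence to be confirmed (for instance by repeating both queries from the same vantage point) rather than proof on its own.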

Figure 8 is a schematic diagram of another domain name cache injection detection device 800 provided by an embodiment of this application. As shown in Figure 8, device 800 may include a first receiving module 801, a query module 802, a second receiving module 803 and a determining module 804. Device 800 may be a domain name resolver, or may be configured within a domain name resolver.

The first receiving module 801 is configured to receive a domain name query request for querying a first domain name; the query module 802 is configured to query a domain name server for the first domain name; the second receiving module 803 is configured to receive a domain name query response that includes a record indicating a second domain name; and the determining module 804 is configured to determine that the domain name resolver has been cache-injected when the second domain name is not associated with the first domain name.

In some embodiments, the domain name resolver is a conditional domain name resolver, that is, a domain name resolver with both a forwarding query function and a recursive query function.

In some embodiments, the DNS security extension function of the domain name resolver is off.

In some embodiments, the determining module 804 is specifically configured to determine that the domain name resolver has been cache-injected when the second domain name is different from the first domain name and the second domain name is not a subdomain of the first domain name.

In some embodiments, device 800 further includes an interception module configured to intercept the domain name query response.

It should be understood that the division into modules in the embodiments of this application is only illustrative. In some embodiments, device 700 or device 800 may include more or fewer modules; these modules may be combined into larger modules or configured separately, and each module may be implemented in hardware and/or software.

Figure 9 shows a schematic block diagram of an example device 900 that can be used to implement embodiments of this application. The client or domain name resolver of the method embodiments above can be implemented using device 900. As shown, device 900 includes a central processing unit (CPU) 901, which can perform various appropriate actions and processing according to computer program instructions stored in read-only memory (ROM) 902 or loaded from storage unit 908 into random access memory (RAM) 903. RAM 903 can also store various programs and data needed for the operation of device 900. CPU 901, ROM 902 and RAM 903 are connected to one another via bus 904. An input/output (I/O) interface 905 is also connected to bus 904.

Multiple components of device 900 are connected to I/O interface 905, including: an input unit 906, such as a keyboard or mouse; an output unit 907, such as various types of displays or speakers; a storage unit 908, such as a magnetic disk or optical disc; and a communication unit 909, such as a network card, modem or wireless transceiver. Communication unit 909 allows device 900 to exchange information/data with other devices over computer networks such as the Internet and/or various telecommunications networks.

The processes described above, such as processes 200, 300 and 400 and methods 500 and 600, may be performed by processing unit 901. For example, in some embodiments, processes 200, 300 and 400 and methods 500 and 600 may be implemented as a computer software program tangibly embodied in a machine-readable medium, such as storage unit 908. In some embodiments, part or all of the computer program may be loaded and/or installed onto device 900 via ROM 902 and/or communication unit 909. When the computer program is loaded into RAM 903 and executed by CPU 901, one or more actions of processes 200, 300 and 400 and methods 500 and 600 described above can be performed.

This application may be a method, apparatus, system and/or computer program product. The computer program product may include a computer-readable storage medium carrying computer-readable program instructions for carrying out aspects of this application.

A computer-readable storage medium may be a tangible device that can retain and store instructions for use by an instruction execution device. The computer-readable storage medium may be, for example but not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of these. More specific examples (a non-exhaustive list) of computer-readable storage media include: a portable computer diskette, a hard disk, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM or flash memory), static random access memory (SRAM), portable compact disc read-only memory (CD-ROM), digital versatile disc (DVD), memory stick, floppy disk, a mechanically encoded device such as punch cards or raised structures in a groove on which instructions are recorded, and any suitable combination of the foregoing. A computer-readable storage medium, as used here, is not to be construed as a transitory signal per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through a waveguide or other transmission medium (for example, light pulses through a fiber-optic cable), or electrical signals transmitted through a wire.

The computer-readable program instructions described here can be downloaded from a computer-readable storage medium to the respective computing/processing devices, or to an external computer or external storage device over a network such as the Internet, a local area network, a wide area network and/or a wireless network. The network may comprise copper transmission cables, optical fiber transmission, wireless transmission, routers, firewalls, switches, gateway computers and/or edge servers. A network adapter card or network interface in each computing/processing device receives the computer-readable program instructions from the network and forwards them for storage in a computer-readable storage medium within that computing/processing device.

Computer program instructions for carrying out operations of this application may be assembler instructions, instruction-set-architecture (ISA) instructions, machine instructions, machine-dependent instructions, microcode, firmware instructions, state-setting data, or source code or object code written in any combination of one or more programming languages, including object-oriented programming languages such as Smalltalk or C++ and conventional procedural programming languages such as the "C" language or similar programming languages. The computer-readable program instructions may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on a remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, electronic circuitry such as programmable logic circuitry, a field-programmable gate array (FPGA) or a programmable logic array (PLA) may execute the computer-readable program instructions by using state information of the instructions to personalize the electronic circuitry, in order to carry out aspects of this application.

Aspects of this application are described here with reference to flowcharts and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It should be understood that each block of the flowcharts and/or block diagrams, and combinations of blocks in the flowcharts and/or block diagrams, can be implemented by computer-readable program instructions.

These computer-readable program instructions may be provided to a processing unit of a general-purpose computer, special-purpose computer or other programmable data processing apparatus to produce a machine, such that the instructions, when executed by the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams. These computer-readable program instructions may also be stored in a computer-readable storage medium that can direct a computer, programmable data processing apparatus and/or other device to operate in a particular manner, such that the computer-readable medium having the instructions stored therein comprises an article of manufacture including instructions that implement aspects of the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.

The computer-readable program instructions may also be loaded onto a computer, other programmable data processing apparatus or other device to cause a series of operational steps to be performed on the computer, other programmable apparatus or other device so as to produce a computer-implemented process, such that the instructions executed on the computer, other programmable apparatus or other device implement the functions/actions specified in one or more blocks of the flowcharts and/or block diagrams.

The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of this application. In this regard, each block in a flowchart or block diagram may represent a module, program segment or portion of instructions that comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two consecutive blocks may in fact be executed substantially in parallel, or sometimes in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams and/or flowcharts, and combinations of blocks in the block diagrams and/or flowcharts, can be implemented by special-purpose hardware-based systems that perform the specified functions or actions, or by combinations of special-purpose hardware and computer instructions.

The embodiments of this application have been described above. The description is illustrative, not exhaustive, and is not limited to the disclosed embodiments. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used here was chosen to best explain the principles of the embodiments, their practical application or their technical improvement over technologies in the market, or to enable others of ordinary skill in the art to understand the embodiments disclosed here.

Claims (15)

1. A method for detecting domain name cache injection, characterized by comprising the following steps:
sending a first query request for a target domain name to a target domain name resolver, wherein the target domain name resolver is a conditional domain name resolver with both a forwarding query function and a recursive query function;
acquiring a first query result corresponding to the first query request from the target domain name resolver;
sending a second query request for the target domain name to a domain name server, wherein the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function;
obtaining a second query result corresponding to the second query request from the domain name server; and
if the second query result differs from the first query result in the Internet Protocol (IP) address indicated for the target domain name, determining that the target domain name resolver is cache-injected.
2. The method of claim 1, wherein the domain name security extension function of the conditional domain name resolver is off.
3. The method of claim 1, wherein prior to the sending the first query request for the target domain name to the target domain name resolver, the method further comprises:
and determining the target domain name resolver as the conditional domain name resolver according to at least two queries of a plurality of domain names initiated to the target domain name resolver.
4. A method according to any one of claims 1 to 3, wherein the first query result indicates a first IP address and the second query result indicates a second IP address; the method further includes, after the obtaining, from the domain name server, a second query result corresponding to the second query request:
judging whether the first IP address is the same as the second IP address, and
wherein the second query result differing from the IP address of the target domain name indicated by the first query result includes:
the first IP address being different from the second IP address.
5. A method according to any one of claims 1 to 3, wherein the first query result comprises a first set of IP addresses, the first set of IP addresses comprising a plurality of IP addresses corresponding to the target domain name, and the second query result comprises a second set of IP addresses, the second set of IP addresses comprising a plurality of IP addresses corresponding to the target domain name; the method further includes, after the obtaining, from the domain name server, a second query result corresponding to the second query request:
judging whether the first IP address set is the same as the second IP address set, and
wherein the second query result is different from the IP address of the target domain name indicated by the first query result, including:
at least one IP address differs between the plurality of IP addresses in the first set of IP addresses and the plurality of IP addresses in the second set of IP addresses.
6. A method for detecting domain name cache injection, wherein the method is applied to a domain name resolver, the method comprising:
receiving a domain name query request, wherein the domain name query request is used for querying a first domain name;
querying a domain name server for the first domain name;
receiving a domain name query response, the domain name query response comprising a record indicating a second domain name; and
if the second domain name is not associated with the first domain name, determining that the domain name resolver is cache-injected.
7. The method of claim 6, wherein the domain name resolver is a conditional domain name resolver, the conditional domain name resolver being a domain name resolver having both a forwarding query function and a recursive query function.
8. The method of claim 7, wherein the domain name security extension function of the conditional domain name resolver is off.
9. The method according to any one of claims 6 to 8, wherein the second domain name does not correspond to the first domain name, comprising:
the second domain name is different from the first domain name, and the second domain name is not a sub-domain name of the first domain name.
10. The method according to any one of claims 6 to 8, further comprising:
intercepting the domain name query response.
11. A detection device for domain name cache injection, characterized by comprising:
a first sending module configured to send a first query request for a target domain name to a target domain name resolver, wherein the target domain name resolver is a conditional domain name resolver with both a forwarding query function and a recursive query function;
a first receiving module configured to acquire a first query result corresponding to the first query request from the target domain name resolver;
a second sending module configured to send a second query request for the target domain name to a domain name server, wherein the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function;
a second receiving module configured to acquire a second query result corresponding to the second query request from the domain name server; and
a determining module configured to determine that the target domain name resolver is cache-injected when the second query result differs from the IP address of the target domain name indicated by the first query result.
12. A detection device for domain name cache injection, characterized by comprising:
a first receiving module configured to receive a domain name query request, wherein the domain name query request is used for querying a first domain name;
a query module configured to query a domain name server for the first domain name;
a second receiving module configured to receive a domain name query response, wherein the domain name query response includes a record indicating a second domain name; and
a determining module configured to determine that the domain name resolver is cache-injected when the second domain name is not associated with the first domain name.
13. An electronic device, comprising:
at least one processor; and
a memory coupled to the at least one processor and having instructions stored thereon that, when executed by the at least one processor, cause the apparatus to perform the method of any of claims 1-5 or perform the method of any of claims 6-10.
14. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program product comprising machine executable instructions which, when executed, cause the method according to any of claims 1 to 5 to be implemented or the method according to any of claims 6 to 10 to be implemented.
15. A computer program product tangibly stored on a non-volatile computer readable medium and comprising machine executable instructions that when executed cause the method according to any one of claims 1 to 5 to be implemented or cause the method according to any one of claims 6 to 10 to be implemented.
CN202310760698.6A 2023-06-26 2023-06-26 Detection methods, devices and electronic equipment for domain name cache injection Pending CN116743698A (en)

Publications (1)

Publication Number Publication Date
CN116743698A true CN116743698A (en) 2023-09-12

Family

ID=87904329

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination