CN116743698A - Domain name cache injection detection method and device and electronic equipment - Google Patents


Info

Publication number
CN116743698A
Authority
CN
China
Prior art keywords
domain name
resolver
query
conditional
server
Prior art date
Legal status
Pending
Application number
CN202310760698.6A
Other languages
Chinese (zh)
Inventor
李想
陆超逸
刘保君
段海新
李琦
Current Assignee
Tsinghua University
Original Assignee
Tsinghua University
Priority date
Filing date
Publication date
Application filed by Tsinghua University
Priority to CN202310760698.6A
Publication of CN116743698A
Legal status: Pending

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a method and device for detecting domain name cache injection, and to an electronic device. The method comprises the following steps: sending a first query request for a target domain name to a target domain name resolver; acquiring a first query result corresponding to the first query request from the target domain name resolver; sending a second query request for the target domain name to a domain name server, where the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function; obtaining a second query result corresponding to the second query request from the domain name server; and, if the Internet Protocol (IP) address of the target domain name indicated by the second query result differs from that indicated by the first query result, determining that the target domain name resolver has been cache injected. By this method, cache injection of the target domain name resolver can be detected, so that precautionary measures can be taken against the cache injection behaviour on that basis, and the security of Internet access is improved.

Description

Domain name cache injection detection method and device and electronic equipment
Technical Field
The present application relates to the field of computer technologies, and in particular, to a method and an apparatus for detecting domain name cache injection, and an electronic device.
Background
When a user accesses the internet through a domain name, the internet protocol (IP) address corresponding to the domain name is first queried through a domain name resolver. With the spread of the internet, demand for domain name queries has grown enormously, and in order to improve query efficiency, reduce the load on the domain name resolver and reduce the number of domain name query messages on the internet, domain name resolvers widely use a local cache to store information about recently queried domain names. When a user queries the same domain name again, the domain name resolver returns the domain name information held in the local cache.
Currently, domain name security issues are increasingly prominent, in particular the threat posed by domain name cache injection techniques. Using domain name cache injection, an attacker can send a specially crafted malicious domain name query response to the domain name resolver and tamper with its local cache, so that a user is redirected to a malicious server when accessing a target website. Such an attack may lead to leakage of user data and may also be used to launch phishing attacks, denial of service attacks and other network attacks.
Disclosure of Invention
The application provides a method and a device for detecting domain name cache injection, and an electronic device, which can detect cache injection behaviour against a conditional domain name resolver, so that countermeasures can be taken on that basis and the security of accessing the Internet is improved.
According to a first aspect of the present application, a method for detecting domain name cache injection is provided. The method includes sending a first query request for a target domain name to a target domain name resolver, wherein the target domain name resolver is a conditional domain name resolver having both a forwarding query function and a recursive query function. The method also includes obtaining a first query result corresponding to the first query request from the target domain name resolver. The method further includes sending a second query request for the target domain name to a domain name server, wherein the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function. The method further includes obtaining a second query result corresponding to the second query request from the domain name server. The method further includes determining that the target domain name resolver has been cache injected if the second query result differs from the IP address of the target domain name indicated by the first query result.
According to a second aspect of the present application, a method for detecting domain name cache injection is provided. The method includes receiving a domain name query request for querying a first domain name. The method also includes querying a domain name server for the first domain name. The method also includes receiving a domain name query response that includes a record indicating a second domain name. The method further includes determining that the domain name resolver has been cache injected if the second domain name is not associated with the first domain name.
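The two checks described in the first and second aspects above, as an added example (not code from the patent): it models a parsed DNS answer as a list of name/type/rdata dicts, uses constructed answers for the example.com scenario of the description, and assumes that "associated" means the record's owner name is the queried name, an ancestor of it, or a name beneath it.

```python
"""Added example, not code from the patent: the two checks the patent's first
and second aspects describe, run over constructed (offline) DNS answers.
A parsed answer is modelled as a list of {'name', 'type', 'rdata'} dicts."""
from __future__ import annotations
from ipaddress import ip_address

# Constructed sample values taken from the page's example.com scenario.
TARGET = "example.com"
CORRECT_IP = "192.0.2.1"
INJECTED_IP = "192.0.1.1"


def normalize_name(name: str) -> str:
    """Lower-case a domain name and drop the trailing dot so that
    'Example.COM.' and 'example.com' compare equal."""
    return name.rstrip(".").lower()


def addresses_from_answer(answer: list[dict], qname: str) -> set[str]:
    """Collect the A/AAAA rdata for qname from a parsed answer."""
    qname = normalize_name(qname)
    addrs: set[str] = set()
    for rr in answer:
        if rr["type"] in ("A", "AAAA") and normalize_name(rr["name"]) == qname:
            addrs.add(str(ip_address(rr["rdata"])))  # canonical text form
    return addrs


def first_aspect_check(resolver_answer: list[dict],
                       reference_answer: list[dict],
                       qname: str = TARGET) -> bool:
    """First aspect: compare the conditional resolver's answer with the one
    from an authoritative server or a non-forwarding recursive resolver.
    Returns True (cache injection suspected) when the address sets differ.
    Assumption: an empty answer on either side also counts as a difference."""
    return (addresses_from_answer(resolver_answer, qname)
            != addresses_from_answer(reference_answer, qname))


def is_associated(record_name: str, qname: str) -> bool:
    """Assumed meaning of 'associated' in the second aspect: the record's
    owner name is qname itself, an ancestor of it (e.g. NS records of the
    parent zone in a referral) or a name beneath it. ex.com is therefore
    not associated with example.com, as in the page's NS example."""
    r = normalize_name(record_name).split(".")
    q = normalize_name(qname).split(".")
    shorter, longer = (r, q) if len(r) <= len(q) else (q, r)
    return longer[len(longer) - len(shorter):] == shorter


def second_aspect_check(response: list[dict], qname: str = TARGET) -> list[dict]:
    """Second aspect: return every record in a response (answer, authority and
    additional sections flattened into one list) whose owner name is not
    associated with the queried name. A non-empty result means the response
    carries an out-of-bailiwick record, which the patent treats as cache
    injection when the resolver accepts it."""
    return [rr for rr in response if not is_associated(rr["name"], qname)]


# Constructed responses for the scenarios the description walks through.
RESOLVER_ANSWER_CLEAN = [{"name": "example.com.", "type": "A", "rdata": CORRECT_IP}]
RESOLVER_ANSWER_INJECTED = [{"name": "example.com.", "type": "A", "rdata": INJECTED_IP}]
REFERENCE_ANSWER = [{"name": "example.com.", "type": "A", "rdata": CORRECT_IP}]
# The page's "ex.com. NS ns.wrong.com" record riding along in an example.com response.
RESPONSE_WITH_FOREIGN_NS = [
    {"name": "example.com.", "type": "A", "rdata": CORRECT_IP},
    {"name": "ex.com.", "type": "NS", "rdata": "ns.wrong.com."},
]
# A legitimate referral: NS records for the parent zone of the queried name.
RESPONSE_WITH_DELEGATION = [
    {"name": "www.example.com.", "type": "A", "rdata": CORRECT_IP},
    {"name": "example.com.", "type": "NS", "rdata": "ns.example.com."},
]

if __name__ == "__main__":
    print("clean resolver flagged:",
          first_aspect_check(RESOLVER_ANSWER_CLEAN, REFERENCE_ANSWER))       # False
    print("injected resolver flagged:",
          first_aspect_check(RESOLVER_ANSWER_INJECTED, REFERENCE_ANSWER))    # True
    print("foreign records:", second_aspect_check(RESPONSE_WITH_FOREIGN_NS))  # ex.com NS
    print("referral flagged:",
          second_aspect_check(RESPONSE_WITH_DELEGATION, "www.example.com"))  # []
```

In a real deployment the two answer lists would come from live queries to the conditional resolver and to the reference server; the comparison logic is unchanged.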
According to a third aspect of the present application, there is provided a detection apparatus for domain name cache injection, the apparatus comprising a first sending module configured to send a first query request for a target domain name to a target domain name resolver, wherein the target domain name resolver is a conditional domain name resolver having both a forwarding query function and a recursive query function. The apparatus also includes a first receiving module configured to obtain a first query result corresponding to the first query request from the target domain name resolver. The apparatus also includes a second sending module configured to send a second query request for the target domain name to a domain name server, wherein the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function. The apparatus also includes a second receiving module configured to obtain a second query result corresponding to the second query request from the domain name server. The apparatus further includes a determination module configured to determine that the target domain name resolver has been cache injected if the second query result differs from the IP address of the target domain name indicated by the first query result.
According to a fourth aspect of the present application, there is provided a detection apparatus for domain name cache injection, the apparatus comprising a first receiving module configured to receive a domain name query request for querying a first domain name. The apparatus also includes a query module configured to query a domain name server for the first domain name. The apparatus also includes a second receiving module configured to receive a domain name query response including a record indicating a second domain name. The apparatus also includes a determination module configured to determine that the domain name resolver has been cache injected if the second domain name is not associated with the first domain name.
According to a fifth aspect of the present application, an electronic device is provided. The electronic device includes at least one processor; and a memory coupled to the at least one processor and having instructions stored thereon that, when executed by the at least one processor, cause the device to perform actions comprising: sending a first query request for a target domain name to a target domain name resolver, wherein the target domain name resolver is a conditional domain name resolver with both a forwarding query function and a recursive query function; acquiring a first query result corresponding to the first query request from the target domain name resolver; sending a second query request for the target domain name to a domain name server, wherein the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function; obtaining a second query result corresponding to the second query request from the domain name server; and, if the second query result differs from the Internet Protocol (IP) address of the target domain name indicated by the first query result, determining that the target domain name resolver has been cache injected.
According to a sixth aspect of the present application, an electronic device is provided. The electronic device includes at least one processor; and a memory coupled to the at least one processor and having instructions stored thereon that, when executed by the at least one processor, cause the device to perform actions comprising: receiving a domain name query request, wherein the domain name query request is for querying a first domain name; querying a domain name server for the first domain name; receiving a domain name query response, the domain name query response including a record indicating a second domain name; and, in the event that the second domain name is not associated with the first domain name, determining that the domain name resolver has been cache injected.
According to a seventh aspect of the present application there is provided a computer readable storage medium having stored thereon a computer program product comprising machine executable instructions which when executed cause a machine to perform the steps of the method of the first or second aspect of the present application.
According to an eighth aspect of the present application there is provided a computer program product tangibly stored on a non-volatile computer-readable medium and comprising machine executable instructions which, when executed, cause a machine to perform the steps of the method in the first or second aspect of the present application.
Drawings
The foregoing and other objects, features and advantages of the application will be apparent from the following more particular descriptions of exemplary embodiments of the application as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts throughout the exemplary embodiments of the application.
FIG. 1A illustrates a schematic diagram of one example scenario in which devices and/or methods may be implemented according to embodiments of the present application;
FIG. 1B illustrates a schematic diagram of another example scenario in which an apparatus and/or method may be implemented according to an embodiment of the present application;
FIG. 2 illustrates a schematic flow diagram of a link-based domain name cache injection process in an embodiment of the application;
FIG. 3 illustrates a schematic flow diagram of a bypass-based domain name cache injection process in an embodiment of the application;
FIG. 4 illustrates a schematic flow diagram of a recursive query process after a conditional domain name resolver is cache injected in an embodiment of the present application;
FIG. 5 illustrates a schematic flow chart of a method for detecting domain name cache injection provided by an embodiment of the application;
FIG. 6 illustrates a schematic flow chart of another domain name cache injection detection method provided by an embodiment of the present application;
FIG. 7 illustrates a schematic block diagram of a detection apparatus for domain name cache injection provided by an embodiment of the present application;
FIG. 8 illustrates a schematic block diagram of another domain name cache injection detection apparatus provided by an embodiment of the present application; and
FIG. 9 illustrates a schematic block diagram of an example device suitable for use in practicing embodiments of the application.
Like or corresponding reference characters indicate like or corresponding parts throughout the several views.
Detailed Description
Embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While embodiments of the application are shown in the drawings, it is to be understood that the application may be embodied in various forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that the application will be more thoroughly and completely understood. It should be understood that the drawings and embodiments of the application are for illustration purposes only and are not intended to limit the scope of the present application.
In describing embodiments of the present application, the term "comprising" and its like should be taken to be open-ended, i.e., including, but not limited to. The term "based on" should be understood as "based at least in part on". The term "one embodiment" or "the embodiment" should be understood as "at least one embodiment". The terms "first," "second," and the like, may refer to different or the same object. Other explicit and implicit definitions are also possible below.
When a user accesses the internet by using a domain name through a client, the IP address corresponding to the domain name needs to be queried through a domain name resolver. The domain name resolver can in turn query the domain name by means of a recursive query or a forwarding query, obtain the IP address of the domain name and return it to the client. While querying the domain name, the domain name resolver can store the query result in its local cache; the next time it recursively queries the same domain name it can answer directly from the local cache without completing the whole recursive query process, thereby reducing the number of domain name query messages on the Internet.
However, this caching mechanism of the domain name resolver faces the threat of domain name cache injection technology, and the content in the local cache of the domain name resolver may be tampered with by the domain name cache injection technology or be injected with false domain names, so that the user is redirected to a malicious server when accessing a target website, and the user faces the risk of data leakage. Thus, protection against domain name cache injection techniques is important.
To address at least the above and other potential problems, embodiments of the present application provide a method of identifying domain name cache injection for conditional domain name resolvers. In the method, a client queries a target domain name at a conditional domain name resolver and obtains a first query result, queries the target domain name at another recursive domain name resolver or an authoritative domain name server and obtains a second query result, and determines that the conditional domain name resolver has been cache injected when the second query result differs from the first query result. By this method, whether the conditional domain name resolver has been cache injected can be identified, so that the user can be reminded to take precautionary measures, and the security of the user's access to the Internet is improved.
Embodiments of the present application will be described in further detail below with reference to the accompanying drawings.
First, a domain name query scenario to which an embodiment of the present application applies is described with reference to fig. 1A and 1B. In the scenarios shown in fig. 1A and 1B, a conditional domain name resolver is used as an example. A conditional domain name resolver, as the term is used in the embodiments of the present application, is a domain name resolver with both a forwarding query function and a recursive query function. Based on a predefined configuration, the conditional domain name resolver may either forward or recursively query a domain name. Illustratively, the conditional domain name resolver may be configured with a forwarding zone and a recursive zone: if the domain name to be queried belongs to the forwarding zone, the conditional domain name resolver forwards the query for the domain name, and if it belongs to the recursive zone, the conditional domain name resolver queries the domain name recursively. The forwarding query process and the recursive query process of the conditional domain name resolver share the same local cache, that is, a result stored in the cache during a forwarding query is used by the conditional domain name resolver during a later recursive query.
Fig. 1A illustrates a forwarding query scenario 100A. Illustratively, the forwarding query scenario 100A shown in fig. 1A may include a client 101, a conditional domain name resolver 102, and a domain name server 103, where the conditional domain name resolver 102 queries a domain name by forwarding a query.
In the scenario shown in fig. 1A, the client 101 queries the conditional domain name resolver 102, and the conditional domain name resolver 102 decides to forward the domain name query to the domain name server 103. The domain name server 103 may be a recursive domain name resolver or an authoritative domain name server for the queried domain name, where an authoritative domain name server is a domain name server responsible for managing and resolving a specific domain name; for example, when a domain name is queried recursively, the root domain name server, top-level domain name server, second-level domain name server and so on queried by the domain name resolver are all authoritative domain name servers for the domain name being queried. After the domain name server 103 finishes the query for the domain name, it returns a record indicating the IP address corresponding to the domain name to the conditional domain name resolver 102. The conditional domain name resolver 102 thus completes the forwarding query and returns the query result to the client 101.
In some embodiments, the domain name server 103 may be an authoritative domain name server for the queried domain name, and the authoritative domain name server may perform cache injection on the conditional domain name resolver 102 while the conditional domain name resolver 102 is querying the domain name. Illustratively, after the authoritative domain name server receives a query request from the conditional domain name resolver 102, it may return an authority record or a record of another domain name to the conditional domain name resolver 102, or return a record indicating a wrong IP address. Upon receiving these records, the conditional domain name resolver 102 stores them in its local cache.
In FIG. 1B, a recursive query scenario 100B is shown. Illustratively, the recursive query scenario 100B shown in fig. 1B may include a client 101, a conditional domain name resolver 102, a root domain name server 104, a top-level domain name server 105, and a second-level domain name server 106, wherein the conditional domain name resolver 102 queries for domain names by way of a recursive query.
In the scenario shown in fig. 1B, the client 101 queries the conditional domain name resolver 102 for a domain name. The conditional domain name resolver 102 may start from the root domain name server 104 and query downward step by step, querying the top-level domain name server 105, the second-level domain name server 106 and other domain name servers until it obtains the IP address corresponding to the domain name.
In a recursive query, if the local cache of the conditional domain name resolver 102 holds a delegation (NS) record for the domain name to be queried, the conditional domain name resolver 102 queries the domain name server indicated by that record for the domain name. Illustratively, after receiving a domain name query request for a domain name from the client 101, if the local cache of the conditional domain name resolver 102 holds a delegation record for the domain name indicating that the authoritative domain name server for the domain name is the second-level domain name server 106, the conditional domain name resolver 102 does not need to query down step by step from the root domain name server 104 but may query the second-level domain name server 106 directly to obtain the IP address corresponding to the domain name. The delegation record in the local cache of the conditional domain name resolver 102 may have been obtained during the last recursive query for the domain name, or during a forwarding query, for example in the scenario shown in fig. 1A.
It should be understood that the scenarios shown in fig. 1A and 1B are merely examples of the present application and are not to be construed as limiting the present application. The application does not limit the number and types of domain name servers involved in the domain name resolution process, and a domain name resolution scenario suitable for the embodiment of the application can also include more or fewer domain name servers. It should also be appreciated that the clients in the embodiments of the present application are merely illustrative, and that the clients may be any suitable devices and may be implemented in software and/or hardware.
An example scenario in which the apparatus and/or methods of embodiments of the present application may be implemented is described above in connection with fig. 1. The domain name cache injection process according to the embodiment of the present application is described below with reference to fig. 2 and 3.
Fig. 2 schematically illustrates a link-based domain name cache injection process 200 in an embodiment of the application. In process 200, the domain name server 2003 performs cache injection on the conditional domain name resolver 2002 while the conditional domain name resolver 2002 forwards a query for a domain name. It should be understood that the client 2001, conditional domain name resolver 2002 and domain name server 2003 in fig. 2 are given only by way of illustration and are not limiting of the present application. Referring to fig. 2, process 200 may include steps 201 through 206, which are described in detail below.
In step 201, the client 2001 sends a domain name query request to the conditional domain name resolver 2002, querying a domain name. For ease of understanding, the examples that follow use the domain name "example.com"; illustratively, the correct IP address corresponding to "example.com" is "192.0.2.1" and its correct authoritative domain name server is "ns.example.com".
In step 202, the conditional domain name resolver 2002 determines that the domain name belongs to a forwarding zone. In an embodiment of the present application, the conditional domain name resolver 2002 may be configured with a forwarding zone that holds the domain names for which queries are to be forwarded. After receiving the domain name query request, the conditional domain name resolver 2002 may first match the domain name requested by the query against the domain names in the forwarding zone. The domain name "example.com" belongs to the forwarding zone of the conditional domain name resolver 2002, so the conditional domain name resolver 2002 forwards the query for "example.com".
In step 203, the conditional domain name resolver 2002 forwards the domain name query request from the client 2001 to another domain name server 2003 preconfigured in the conditional domain name resolver 2002. The domain name server 2003 may illustratively be a recursive domain name resolver, or an authoritative domain name server for the domain name "example.com".
In step 204, the domain name server 2003 replies to the conditional domain name resolver 2002 with a query result that includes false information for a domain name. The false information includes a resource record of the domain name. As one example, the domain name server 2003 may reply to the conditional domain name resolver 2002 with an A record indicating a wrong IP address; for instance, it may reply with the A record "example.com. A 192.0.1.1", i.e. return information indicating a false IP address to the conditional domain name resolver 2002. As another example, the domain name server 2003 may reply to the conditional domain name resolver 2002 with an erroneous NS record for the domain name "example.com".
In some embodiments, the domain name server 2003 may also reply to the conditional domain name resolver 2002 with resource records for domain names other than "example.com", such as an A record or an NS record for the domain name "ex.com", which may point to a preconfigured false server.
In step 205, the conditional domain name resolver 2002 stores the query result from the domain name server 2003 in its local cache. Once the domain name is configured in a recursive zone, if the conditional domain name resolver 2002 next receives a domain name query request for the same domain name, it may answer from the content of the local cache.
In step 206, the conditional domain name resolver 2002 sends the query result to the client 2001. If the query result obtained by the conditional domain name resolver 2002 from the domain name server 2003 indicates a false IP address for the queried domain name, that false IP address will also be indicated in the result sent by the conditional domain name resolver 2002 to the client 2001.
Through the above process 200, the domain name server 2003 achieves domain name cache injection against the conditional domain name resolver 2002, i.e. false information for a domain name is stored in the local cache of the conditional domain name resolver 2002.
When any client (including client 2001) next queries the conditional domain name resolver 2002 for a domain name related to the injected content, and that domain name is configured in a recursive zone of the conditional domain name resolver, the conditional domain name resolver 2002 may return the injected false information from the local cache to the client, or may query on the basis of the injected false information and obtain false results, so that the client accesses the wrong server.
For example, if the content injected into the cache of the conditional domain name resolver 2002 is "example.com. A 192.0.1.1", then the next time a client recursively queries the conditional domain name resolver 2002 for the domain name "example.com", the query result the client obtains from the conditional domain name resolver 2002 may indicate the IP address "192.0.1.1" rather than the correct IP address "192.0.2.1", so the client will access the wrong server based on the wrong IP address.
For another example, when the conditional domain name resolver 2002 is injected with a false NS record "ex.com. NS ns.wrong.com" while querying the domain name "example.com", and any subsequent client queries the conditional domain name resolver 2002 for the domain name "ex.com" after "ex.com" has been configured in a recursive zone, the conditional domain name resolver 2002 may query the false authoritative domain name server for that domain name based on the false NS record in the local cache, thereby obtaining an erroneous query result.
The link-based domain name cache injection process according to the embodiment of the present application has been described above with reference to fig. 2; the bypass-based domain name cache injection process according to the embodiment of the present application is described below with reference to fig. 3. In the domain name cache injection process 300 shown in fig. 3, the client 3001 forges a domain name query response from the authoritative domain name server and performs cache injection on the conditional domain name resolver 3002. It should be understood that the client 3001, conditional domain name resolver 3002, upper layer domain name resolver 3003 and authoritative domain name server 3004 in fig. 3 are given by way of illustration only and are not to be construed as limiting the present application. In fig. 3, process 300 may include steps 301 through 309, which are described in detail below.
In step 301, the client 3001 sends a domain name query request to the conditional domain name resolver 3002, querying the domain name.
In step 302, the conditional domain name resolver 3002 determines that the domain name belongs to the forwarding zone.
Steps 301 to 302 are the same as steps 201 to 202 described above and are not described again here.
In step 303, the conditional domain name resolver 3002 forwards the domain name query request to an upper layer domain name resolver 3003, which upper layer domain name resolver 3003 may be, for example, a recursive domain name resolver.
In step 304, the upper layer domain name resolver 3003 receives the domain name query request forwarded by the conditional domain name resolver 3002, queries the domain name, for example, sends a domain name query request to the authoritative domain name server 3004, requesting a query for the domain name. Authoritative domain name server 3004 may be locally configured with information related to the queried domain name, and may complete the querying of the domain name.
In step 305, the authoritative domain name server 3004 responds to the domain name query request from the upper layer domain name resolver 3003: it obtains the IP address corresponding to the queried domain name from its local configuration file and replies to the upper layer domain name resolver with a correct query result indicating the correct IP address of the domain name.
In step 306, the upper layer domain name resolver 3003 obtains the correct query result from the authoritative domain name server 3004, and returns the correct result to the conditional domain name resolver 3002.
The above steps 303-306 are given by way of example only; in some embodiments, the conditional domain name resolver 3002 may forward the domain name query request from the client 3001 directly to the authoritative domain name server 3004 and obtain the correct query result from the authoritative domain name server 3004.
In step 307, the client 3001 forges a reply from the authoritative domain name server for the queried domain name and sends false information to the conditional domain name resolver 3002. In the embodiment of the present application, the conditional domain name resolver identifies a reply from the authoritative domain name server by the request serial number (transaction ID) and port number in the received packet, so the client 3001 may set the request serial number and port number in the packet it sends to the conditional domain name resolver 3002 to those corresponding to the authoritative domain name server of the domain, thereby masquerading as the authoritative domain name server and sending false information to the conditional domain name resolver 3002.
After the conditional domain name resolver 3002 receives the reply from the upper layer domain name resolver 3003 or the authoritative domain name server 3004, it stores the result in the local cache for a predefined time and the query for the domain name is complete; any query response for the domain name that arrives later is not accepted by the conditional domain name resolver 3002. The client 3001 therefore needs to send the false information to the conditional domain name resolver 3002 before the conditional domain name resolver stores the result in the local cache. That is, step 307 is performed before step 308.
In step 308, the conditional domain name resolver 3002 stores the query result in a local cache.
In some embodiments, the false information from the client 3001 consists of false records of other domain names, which the conditional domain name resolver 3002 will store in its local cache. In some embodiments, the false information from the client 3001 is a false record of the queried domain name. If the conditional domain name resolver 3002 receives the false record first and then receives the correct result from the upper layer domain name resolver 3003 or the authoritative domain name server 3004, the conditional domain name resolver will store the correct result received later in the local cache; if the conditional domain name resolver 3002 receives the correct result from the upper layer domain name resolver 3003 or the authoritative domain name server 3004 first and then receives the false record, the conditional domain name resolver 3002 will store the false record received later in the local cache.
In step 309, the conditional domain name resolver 3002 sends the acquired query result to the client 3001. The query result sent to the client by the conditional domain name resolver 3002 is the record indicating the IP address of the queried domain name that was received later.
Based on the above steps, the client 3001 may implement the domain name cache injection for the conditional domain name resolver 3002 during the forwarding query for the domain name by the conditional domain name resolver 3002. Unlike the domain name cache injection behavior performed by the authoritative domain name server in process 200, the domain name cache injection behavior in process 300 is performed by the client, i.e., any device (including client 3001) can perform domain name cache injection to the conditional domain name resolver by forging a response from the authoritative server.
The false information cached and injected in the forwarding query process of the conditional domain name resolver can be used in the recursion query process of the conditional domain name resolver. Next, a recursive query process after the conditional domain name resolver 4002 is cache-injected will be described with reference to fig. 4, taking the client 4001 and the conditional domain name resolver 4002 as an example. Illustratively, in process 400 shown in FIG. 4, conditional domain name resolver 4002 is cache injected by the domain name server through process 200 shown in FIG. 2, or by other clients through process 300 shown in FIG. 3, the content of the cache injection comprising a spurious resource record of the domain name "ex.com". In fig. 4, the domain name query process 400 may include steps 401 to 404, and the steps included in the process 400 will be described in detail.
In step 401, the client 4001 queries the conditional domain name resolver 4002 for a domain name. As an example, the description will be given next taking the case where the client 4001 queries the domain name "ex.com".
In step 402, upon receiving a query request for the domain name "ex.com" from the client 4001, the conditional domain name resolver 4002 determines that a recursive query of the domain name "ex.com" is required. The conditional domain name resolver 4002 first searches the local cache for a resource record for the domain name, e.g., a false resource record for "ex.com" that is matched in the local cache according to the longest suffix match principle. In some embodiments, the false record may be, for example, an A record indicating a false IP address, which the conditional domain name resolver 4002 will reply to the client 4001 after matching the A record of "ex.com". In some embodiments, the false record may be an authority record indicating a false authoritative domain name server for the domain name; after the conditional domain name resolver 4002 matches the authority record of "ex.com", the false authoritative domain name server may be queried for the domain name "ex.com" according to the authority record, thereby obtaining an erroneous query result.
In step 403, conditional domain name resolver 4002 returns to client 4001 a query result based on the cached injected false record, indicating the wrong IP address.
In step 404, the client 4001 accesses a server corresponding to the IP address based on the IP address indicated in the received query result. Since the IP address in the query result is the wrong IP address, the access of the client 4001 to the domain name will be directed to the wrong server, resulting in failure of the access of the client 4001 to the domain name and even data leakage of the client 4001.
For the domain name cache injection behavior in fig. 2 to 4 above, the embodiment of the application provides a method for detecting domain name cache injection. Next, a method for detecting domain name cache injection in an embodiment of the present application will be described with reference to fig. 5 and 6.
Fig. 5 is a schematic flowchart of a detection method for domain name cache injection according to an embodiment of the present application. In method 500, domain name cache injection detection for a conditional domain name resolver is performed by a client. In fig. 5, method 500 may include steps 501-505, and the steps are described below using client 5001, conditional domain name resolver 5002, and domain name server 5003 as examples.
In step 501, the client 5001 queries the conditional domain name resolver 5002 for the target domain name. For example, the client 5001 can send a domain name query request to the conditional domain name resolver 5002 requesting that the conditional domain name resolver 5002 query for the target domain name.
In step 502, in response to the client querying the target domain name, the conditional domain name resolver 5002 completes the query for the target domain name and sends a first query result to the client 5001. The conditional domain name resolver 5002 may complete the query for the target domain name by a recursive query or by a forwarding query.
In step 503, the client 5001 queries the domain name server 5003 for the target domain name. The domain name server 5003 is an authoritative domain name server or a recursive domain name resolver without forwarding query functionality. That is, the domain name server queried by the client 5001 does not forward queries for domain names. If the client 5001 queries the recursive domain name resolver, the recursive domain name resolver intercepts false reply content during its recursive query, so that the client obtains the correct result; if the client queries the authoritative domain name server directly, the authoritative server replies with the correct result based on its local configuration file. That is, the client 5001 can obtain the correct query result from the domain name server 5003.
In step 504, domain name server 5003 sends the second query result to client 5001, as described above, with the IP address indicated in the second result being the correct IP address for the target domain name.
In step 505, the client 5001 determines whether the conditional domain name resolver is cache injected based on the first result and the second result. Because the IP address indicated in the second result is the correct IP address, if the IP address indicated in the first result is different from the IP address indicated in the second result, the query result obtained by the conditional domain name resolver 5002 for the target domain name indicates a wrong IP address, that is, the conditional domain name resolver 5002 was cache injected in the process of querying the target domain name. Accordingly, if the IP address indicated by the first result is the same as the IP address indicated in the second result, then no false IP address of the target domain name was injected into the conditional domain name resolver 5002 in the process of querying the target domain name.
Based on the above, the client can compare the query result obtained from the conditional domain name resolver with the correct query result to determine whether the conditional domain name resolver is cache injected, and can further remind the user to deal with the conditional domain name resolver or to avoid using the conditional domain name resolver to query domain names, thus improving the security of the user's access to the Internet.
In some embodiments, the domain name security extension function of the conditional domain name resolver 5002 in the method 500 is off. The domain name security extension function is a function for verifying the integrity and legitimacy of data in a domain name query response, based on which a domain name resolver can recognize and reject the cache injection of false domain names. The method 500 is a detection method based on the query result, so even when the conditional domain name resolver has not enabled the domain name security extension function, the client can still detect whether the conditional domain name resolver is cache injected through the method 500.
In some embodiments, prior to the foregoing step 501, the client 5001 can first determine that the queried domain name resolver is a conditional domain name resolver. For example, the client 5001 can send at least two queries for each of multiple domain names to a domain name resolver to determine that the domain name resolver is a conditional domain name resolver having both a forwarding query function and a recursive query function. The client 5001 initiates two queries to the domain name resolver for a domain name, where the first query may cause the domain name resolver to obtain a resource record for the domain name, and the second query may request the authority record for the domain name from the local cache of the domain name resolver. When the second query fails to obtain the authority record of the domain name, the domain name resolver's first query for the domain name can be determined to have been a forwarding query, and the domain name resolver has a forwarding query function; when the second query successfully obtains the authority record of the domain name, the domain name resolver's first query for the domain name can be determined to have been a recursive query, and the domain name resolver has a recursive query function. When multiple domain names are queried, if the query results for some domain names indicate that the domain name resolver has a recursive function and the query results for other domain names indicate that the domain name resolver has a forwarding function, the domain name resolver can be determined to be a conditional domain name resolver.
In some embodiments, a domain name may correspond to only one correct IP address. In the foregoing step 504, the second result obtained by the client 5001 from the domain name server 5003 may indicate a correct IP address corresponding to the target domain name, which is referred to as a second IP address for convenience of description. Accordingly, the IP address indicated in the first result obtained by the client 5001 from the conditional domain name resolver 5002 in the aforementioned step 502 is referred to as a first IP address. In the foregoing step 505, the client 5001 may determine whether the first IP address is the same as the second IP address, for example, compare a field in the first result for indicating the first IP address with a field in the second result for indicating the second IP address, and when the contents of the two fields are different, determine that the first IP address is different from the second IP address, and then the client 5001 may determine that the conditional domain name resolver 5002 is cache injected. When the contents of the two fields are the same, it may be determined that the first IP address is the same as the second IP address, and the client 5001 may further determine that the conditional domain name resolver 5002 is not cache injected.
In some embodiments, a domain name may correspond to multiple correct IP addresses; e.g., the network service corresponding to a domain name may be provided by multiple servers in different geographic locations, each server providing the same service, with the multiple servers corresponding to different IP addresses, so that all of these IP addresses are correct IP addresses. When querying the domain name from the domain name resolver, the client obtains all IP addresses corresponding to the domain name. In the foregoing step 504, the second result obtained by the client 5001 from the domain name server 5003 may include a second set of IP addresses, including all the correct IP addresses corresponding to the target domain name. In the foregoing step 502, the first result obtained by the client 5001 from the conditional domain name resolver 5002 may also include a first set of IP addresses, and the first set of IP addresses may also include a plurality of IP addresses. In the foregoing step 505, the client 5001 can determine whether the first set of IP addresses and the second set of IP addresses are the same. If the number of IP addresses in the first set of IP addresses is different from the number of IP addresses in the second set of IP addresses, or at least one IP address differs between the IP addresses in the first set and the IP addresses in the second set, it may be determined that the conditional domain name resolver 5002 is cache injected. If the IP addresses in the first set of IP addresses are identical to the IP addresses in the second set of IP addresses, it may be determined that the conditional domain name resolver 5002 is not cache injected.
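The client-side comparison of steps 501-505, covering both the single-address and the address-set case, as an added example that is not code from the patent. The two query functions are stand-ins for the real network queries, and all addresses are constructed sample values.

```python
"""Client-side detection of resolver cache injection (method 500, steps 501-505).

Added example, not the patent's code. Addresses and the two query stubs are
constructed for illustration; a real client would issue the DNS queries.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, FrozenSet, Iterable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Verdict:
    injected: bool
    reason: str


def normalize(addresses: Iterable[str]) -> FrozenSet[IPAddr]:
    """Parse textual addresses so that order and formatting do not matter.

    A value that is not an IP address raises ValueError: an answer with a
    garbage address field is an error, not something to compare silently.
    """
    return frozenset(ipaddress.ip_address(a.strip()) for a in addresses)


def compare_results(first_result: Iterable[str], second_result: Iterable[str]) -> Verdict:
    """Step 505: compare the conditional resolver's answer with the reference answer.

    first_result  - addresses from the conditional resolver (step 502)
    second_result - addresses from the authoritative server or from a
                    non-forwarding recursive resolver (step 504), taken as correct
    The patent's rule: a differing count, or any address that differs, means
    the resolver was cache injected; identical sets mean it was not.
    """
    first = normalize(first_result)
    second = normalize(second_result)
    if not first or not second:
        # Assumption of this example: the comparison presupposes that both
        # queries returned an answer; an empty answer is a failed query.
        return Verdict(False, "one of the queries returned no address; cannot decide")
    if len(first) != len(second):
        return Verdict(True, f"address count differs: {len(first)} vs {len(second)}")
    extra = first - second
    if extra:
        # At least one address from the conditional resolver is not a correct one.
        return Verdict(True, "unexpected address(es): " + ", ".join(sorted(map(str, extra))))
    return Verdict(False, "address sets identical")


def detect_cache_injection(target_domain: str,
                           query_conditional: Callable[[str], List[str]],
                           query_reference: Callable[[str], List[str]]) -> Verdict:
    """Run steps 501-505 end to end with caller-supplied query functions."""
    first_result = query_conditional(target_domain)   # steps 501-502
    second_result = query_reference(target_domain)    # steps 503-504
    return compare_results(first_result, second_result)


# Constructed sample answers (documentation-range addresses, not real services),
# standing in for the exchanges of figure 5.
REFERENCE_ANSWERS = {
    "ex.com": ["203.0.113.10", "203.0.113.11"],
    "ok.example": ["198.51.100.5"],
}
# The conditional resolver's cache after an injection of the kind in figure 3:
# "ex.com" carries one false A record, "ok.example" was never injected.
CONDITIONAL_CACHE = {
    "ex.com": ["203.0.113.11", "192.0.2.66"],
    "ok.example": ["198.51.100.5"],
}


def query_conditional_stub(domain: str) -> List[str]:
    return list(CONDITIONAL_CACHE.get(domain, []))


def query_reference_stub(domain: str) -> List[str]:
    return list(REFERENCE_ANSWERS.get(domain, []))


if __name__ == "__main__":
    for domain in ("ex.com", "ok.example"):
        v = detect_cache_injection(domain, query_conditional_stub, query_reference_stub)
        print(f"{domain}: injected={v.injected} ({v.reason})")
```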
Through the method 500 described above, it can be identified by the client whether the domain name resolver is cache injected. Fig. 6 is a schematic diagram of another method for detecting domain name cache injection according to an embodiment of the present application, in which the detection of domain name cache injection is performed by a domain name resolver in a method 600 shown in fig. 6. In fig. 6, method 600 may include blocks 601-606, and method 600 will be described in detail below.
In block 601, a domain name resolver receives a domain name query request from a client for querying a first domain name. In some embodiments, the domain name query request includes information indicating the first domain name, and the domain name resolver may temporarily store the information indicating the first domain name in a local cache.
In block 602, the domain name resolver queries a domain name server for a first domain name. In some embodiments, the domain name resolver is a domain name resolver with a forwarding query function that forwards a domain name query request from a client to other domain name servers, such as a recursive domain name resolver or an authoritative domain name server, to complete a forwarding query for the first domain name with the domain name server. In some embodiments, the domain name resolver is a domain name resolver with recursive query functionality that queries the root domain name server, top domain name server, secondary domain name server, etc., step by step until a query result is obtained from the authoritative domain name server.
In block 603, the domain name resolver receives a domain name query response that includes a record indicating a second domain name. The record indicating the second domain name may include, for example but not limited to, one or more of the following: an A record of the second domain name, an AAAA record of the second domain name, an NS record of the second domain name, etc.
In some embodiments, the domain name query response is from an authoritative domain name server; in some embodiments, the domain name query response is sent by any device masquerading as an authoritative domain name server. The application is not limited in this regard.
In block 604, the domain name resolver determines whether a second domain name indicated by the domain name query response is associated with a first domain name indicated in the domain name query request from the client. Illustratively, the domain name resolver temporarily stores the first domain name in the local cache in the foregoing block 601, and the domain name resolver may compare the second domain name indicated by the domain name query response received in the block 603 with the first domain name, and determine whether the first domain name corresponds to the second domain name based on a predefined rule. In some embodiments, the first domain name corresponds to the second domain name and the domain name resolver performs block 605. In some embodiments, the first domain name does not correspond to the second domain name, and the domain name resolver performs block 606.
In block 605, the domain name resolver determines that it is not cache injected. Optionally, after the domain name resolver determines that it is not cache injected, the information in the domain name query response received in block 603 may be stored in the local cache. In some embodiments, for one domain name query, after the domain name resolver determines that it is not cache injected, it may continue to receive the query request for the next domain name and query that domain name, and the actions in the blocks of method 600 may be performed again.
In block 606, the domain name resolver determines that it is cache injected. Optionally, after determining that it is cache injected, the domain name resolver may intercept the received domain name query response and not store the record indicating the second domain name contained in the response in the local cache.
Based on the technical scheme, the domain name resolver can recognize the cache injection behavior for injecting false domain names in the process of inquiring the domain names, so that the domain name cache injection behavior can be prevented on the basis, for example, a domain name inquiry response for domain name cache injection is intercepted. Therefore, the subsequent incorrect query result provided when the user queries the domain name can be avoided, and the reliability of accessing the Internet by the user can be improved.
In some embodiments, the domain name resolver in method 600 is a conditional domain name resolver having both a forwarding query function and a recursive query function, i.e., identification of domain name cache injection for the conditional domain name resolver may be achieved by method 600. If the conditional domain name resolver is cached and injected in the process of forwarding the query on the domain name, the subsequent recursive query on the domain name will be affected, so that the conditional domain name resolver can identify and avoid being cached and injected in the process of forwarding the query through the method 600, and thus the security of the conditional domain name resolver can be greatly improved.
In some embodiments, the domain name security extension function of the domain name resolver in the method 600 is off; that is, even with the domain name security extension function off, the domain name resolver can still detect the domain name cache injection behavior through the method 600, so that the reliability and the security of the domain name resolver are improved.
In some embodiments, in block 604 above, the first domain name corresponding to the second domain name includes the first domain name being the same as the second domain name, or the second domain name being a sub-domain name of the first domain name. Accordingly, the first domain name not corresponding to the second domain name includes the first domain name being different from the second domain name and the second domain name not being a sub-domain name of the first domain name. A sub-domain is typically generated and managed by its parent domain, so if the domain name in the received domain name query response is a sub-domain of the domain name indicated in the domain name query request from the client, the domain name resolver may not treat this as domain name cache injection, and false recognition of domain name cache injection behavior can thus be avoided.
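The resolver-side check of blocks 601-606 with the correspondence rule just described, as an added example that is not code from the patent. The `Record` and `Resolver` structures are constructed for illustration; the name comparison works on whole labels so that a name which merely ends with the same characters (e.g. "notex.com" against "ex.com") is not mistaken for a sub-domain.

```python
"""Resolver-side detection of cache injection (method 600, blocks 601-606).

Added example, not the patent's code. Records and responses are constructed
in memory; a real resolver would take them from the received packets.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def domains_correspond(first_domain: str, second_domain: str) -> bool:
    """Block 604 rule: the answered name equals the queried name or is a sub-domain of it.

    Comparison is label-wise, so "notex.com" does not correspond to "ex.com",
    while "www.ex.com" and "WWW.EX.COM." do.
    """
    first = _labels(first_domain)
    second = _labels(second_domain)
    if not first or not second:
        return False
    return len(second) >= len(first) and second[-len(first):] == first


@dataclass(frozen=True)
class Record:
    name: str    # owner name of the record (the "second domain name")
    rtype: str   # "A", "AAAA", "NS", ...
    rdata: str


@dataclass
class Resolver:
    """Minimal model of the resolver state needed for method 600."""
    cache: Dict[str, List[Record]] = field(default_factory=dict)
    pending: Dict[int, str] = field(default_factory=dict)  # txid -> first domain

    def receive_query(self, txid: int, first_domain: str) -> None:
        # Block 601: remember which name the client asked for.
        self.pending[txid] = first_domain

    def receive_response(self, txid: int, records: List[Record]) -> Tuple[str, List[Record]]:
        """Blocks 603-606: accept the response only if every record belongs to the query.

        Returns ("accepted", stored records) or ("intercepted", []). An
        intercepted response stores nothing and leaves the query outstanding,
        so the correct answer arriving later can still be accepted.
        """
        first_domain = self.pending.get(txid)
        if first_domain is None:
            # No outstanding query with this id: unsolicited, drop it.
            return ("intercepted", [])
        if all(domains_correspond(first_domain, r.name) for r in records):
            # Block 605: not injected; store the records (block 602 query is done).
            for r in records:
                self.cache.setdefault(".".join(_labels(r.name)), []).append(r)
            del self.pending[txid]
            return ("accepted", records)
        # Block 606: at least one record names an unrelated domain; intercept.
        return ("intercepted", [])


def demo() -> Tuple[str, str, List[str]]:
    """Constructed scenario: a forged response followed by the genuine one."""
    resolver = Resolver()
    resolver.receive_query(0x1234, "ex.com")
    # Response carrying a record for an unrelated name, as in figure 3.
    forged = [Record("ex.com", "A", "203.0.113.10"), Record("other.com", "A", "192.0.2.66")]
    # Genuine answer: every owner name is inside ex.com.
    genuine = [Record("ex.com", "A", "203.0.113.10"), Record("www.ex.com", "A", "203.0.113.11")]
    v_forged, _ = resolver.receive_response(0x1234, forged)
    v_genuine, _ = resolver.receive_response(0x1234, genuine)
    return v_forged, v_genuine, sorted(resolver.cache)


if __name__ == "__main__":
    print(demo())
```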
It should be understood that the method of fig. 5 and the method of fig. 6 may be implemented in combination, i.e., for a network system in which the domain name resolver may detect whether it is cached for injection, or the client may detect whether the domain name resolver is cached for injection. Thereby, the accuracy of detecting the domain name cache injection behavior of the domain name resolver can be improved.
The domain name cache injection behavior that can be detected by the detection method of domain name cache injection shown in fig. 5 or fig. 6 includes the domain name cache injection behavior shown in fig. 2 and the domain name cache injection behavior shown in fig. 3 described above.
The above description describes a domain name cache injection detection method performed by the client and a domain name cache injection detection method performed by the domain name resolver, respectively, in conjunction with fig. 5 and 6. Next, an apparatus provided by an embodiment of the present application will be described with reference to fig. 7 to 9.
Fig. 7 is a schematic diagram of a domain name cache injection detection apparatus 700 according to an embodiment of the present application. As shown in fig. 7, the apparatus 700 may include a first transmitting module 701, a first receiving module 702, a second transmitting module 703, a second receiving module 704, and a determining module 705.
The first sending module 701 is configured to send a first query request for a target domain name to a target domain name resolver, where the target domain name resolver is a conditional domain name resolver having both a forwarding query function and a recursive query function; the first receiving module 702 is configured to obtain a first query result corresponding to the first query request from the target domain name resolver; the second sending module 703 is configured to send a second query request for the target domain name to a domain name server, where the domain name server is an authoritative domain name server or a recursive domain name resolver that does not have a forwarding query function; the second receiving module 704 is configured to obtain a second query result corresponding to the second query request from the domain name server; the determining module 705 is configured to determine that the target domain name resolver is cached and injected when the second query result is different from the IP address of the target domain name indicated by the first query result.
In some embodiments, the domain name security extension function of the target domain name resolver is off.
In some embodiments, the determining module 705 further includes a first sub-module for determining, before the first sending module 701 sends the first query for the target domain name to the target domain name resolver, that the target domain name resolver is a conditional domain name resolver based on at least two queries for the plurality of domain names initiated to the target domain name resolver.
In some embodiments, the first query result indicates a first IP address, and the second query result indicates a second IP address. The determining module 705 further includes a second sub-module configured to determine whether the first IP address is the same as the second IP address after the second receiving module 704 obtains a second query result corresponding to the second query request from the domain name server. The determining module 705 is specifically configured to determine that the target domain name resolver is cached and injected when the first IP address is different from the second IP address.
In some embodiments, the first query result includes a first set of IP addresses, where the first set of IP addresses includes a plurality of IP addresses corresponding to the target domain name, and the second query result includes a second set of IP addresses, where the second set of IP addresses includes a plurality of IP addresses corresponding to the target domain name. The determining module 705 further includes a third sub-module configured to determine whether the first IP address set is the same as the second IP address set after the second receiving module 704 obtains a second query result corresponding to the second query request from the domain name server. The determining module 705 is specifically configured to determine that the target domain name resolver is cached and injected when at least one IP address is different between the plurality of IP addresses in the first set of IP addresses and the plurality of IP addresses in the second set of IP addresses.
Fig. 8 is a schematic diagram of another domain name cache injection detection apparatus 800 according to an embodiment of the present application, as shown in fig. 8, the apparatus 800 may include a first receiving module 801, a query module 802, a second receiving module 803, and a determining module 804. The apparatus 800 may be a domain name resolver or be configured within a domain name resolver.
The first receiving module 801 is configured to receive a domain name query request, where the domain name query request is used to query a first domain name; the query module 802 is configured to query a domain name server for the first domain name; the second receiving module 803 is configured to receive a domain name query response, where the domain name query response includes a record indicating a second domain name; the determining module 804 is configured to determine that the domain name resolver is cache injected in a case where the second domain name is not associated with the first domain name.
In some embodiments, the domain name resolver is a conditional domain name resolver, and the conditional domain name resolver is a domain name resolver having both a forwarding query function and a recursive query function.
In some embodiments, the domain name security extension function of the domain name resolver is in an off state.
In some embodiments, the determining module 804 is specifically configured to determine that the domain name resolver is cache injected in a case where the second domain name is different from the first domain name and the second domain name is not a sub-domain name of the first domain name.
In some embodiments, the apparatus 800 further includes an interception module configured to intercept the domain name query response.
It should be understood that the division of modules in the embodiments of the present application is merely illustrative, and in some embodiments, the apparatus 700 or the apparatus 800 may further include more or fewer modules, and these modules may be combined into larger modules, or may be configured separately, and each module may be implemented by using hardware and/or software.
Fig. 9 shows a schematic block diagram of an example device 900 that may be used to implement an embodiment of the application. The client or domain name resolver in the above method embodiments may be implemented using the device 900. As shown, the device 900 includes a Central Processing Unit (CPU) 901, which can perform various suitable actions and processes in accordance with computer program instructions stored in a Read Only Memory (ROM) 902 or loaded from a storage unit 908 into a Random Access Memory (RAM) 903. In the RAM 903, various programs and data required for the operation of the device 900 can also be stored. The CPU 901, ROM 902, and RAM 903 are connected to each other through a bus 904. An input/output (I/O) interface 905 is also connected to the bus 904.
Various components in the device 900 are connected to the I/O interface 905, including: an input unit 906 such as a keyboard, a mouse, or the like; an output unit 907 such as various types of displays, speakers, and the like; a storage unit 908, e.g., a magnetic disk, an optical disk, etc.; and a communication unit 909 such as a network card, a modem, a wireless communication transceiver, or the like. The communication unit 909 allows the device 900 to exchange information/data with other devices through a computer network such as the Internet and/or various telecommunications networks.
The various processes and methods described above, such as processes 200, 300, and 400 and methods 500 and 600, may be performed by the processing unit 901. For example, in some embodiments, processes 200, 300, and 400 and methods 500 and 600 may be implemented as computer software programs tangibly embodied on a machine-readable medium, such as the storage unit 908. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 900 via the ROM 902 and/or the communication unit 909. When the computer program is loaded into the RAM 903 and executed by the CPU 901, one or more of the acts of processes 200, 300, and 400 and methods 500 and 600 described above may be performed.
The present application may be a method, apparatus, system, and/or computer program product. The computer program product may include a computer readable storage medium having computer readable program instructions embodied thereon for performing various aspects of the present application.
The computer readable storage medium may be a tangible device that can hold and store instructions for use by an instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the foregoing. More specific examples (a non-exhaustive list) of the computer-readable storage medium would include the following: portable computer disks, hard disks, Random Access Memory (RAM), Read-Only Memory (ROM), Erasable Programmable Read-Only Memory (EPROM or flash memory), Static Random Access Memory (SRAM), portable Compact Disk Read-Only Memory (CD-ROM), Digital Versatile Disks (DVD), memory sticks, floppy disks, mechanical coding devices such as punch cards or in-groove structures having instructions stored thereon, and any suitable combination of the foregoing. Computer-readable storage media, as used herein, are not to be construed as transitory signals per se, such as radio waves or other freely propagating electromagnetic waves, electromagnetic waves propagating through waveguides or other transmission media (e.g., optical pulses through fiber optic cables), or electrical signals transmitted through wires.
The computer readable program instructions described herein may be downloaded from a computer readable storage medium to a respective computing/processing device or to an external computer or external storage device over a network, such as the internet, a local area network, a wide area network, and/or a wireless network. The network may include copper transmission cables, fiber optic transmissions, wireless transmissions, routers, firewalls, switches, gateway computers and/or edge servers. The network interface card or network interface in each computing/processing device receives computer readable program instructions from the network and forwards the computer readable program instructions for storage in a computer readable storage medium in the respective computing/processing device.
Computer program instructions for carrying out operations of the present application may be assembly instructions, instruction set architecture (ISA) instructions, machine-related instructions, microcode, firmware instructions, state setting data, or source or object code written in any combination of one or more programming languages, including an object oriented programming language such as Smalltalk, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The computer readable program instructions may be executed entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a local area network (LAN) or a wide area network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider). In some embodiments, aspects of the present application are implemented by personalizing electronic circuitry, such as programmable logic circuitry, field programmable gate arrays (FPGAs), or programmable logic arrays (PLAs), with state information for computer readable program instructions, which can execute the computer readable program instructions.
Various aspects of the present application are described herein with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each block of the flowchart illustrations and/or block diagrams, and combinations of blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer-readable program instructions.
These computer readable program instructions may be provided to a processing unit of a general purpose computer, special purpose computer, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processing unit of the computer or other programmable data processing apparatus, create means for implementing the functions/acts specified in the flowchart and/or block diagram block or blocks. These computer readable program instructions may also be stored in a computer readable storage medium that can direct a computer, programmable data processing apparatus, and/or other devices to function in a particular manner, such that the computer readable medium having the instructions stored therein includes an article of manufacture including instructions which implement the function/act specified in the flowchart and/or block diagram block or blocks.
The computer readable program instructions may also be loaded onto a computer, other programmable data processing apparatus, or other devices to cause a series of operational steps to be performed on the computer, other programmable apparatus or other devices to produce a computer implemented process such that the instructions which execute on the computer, other programmable apparatus or other devices implement the functions/acts specified in the flowchart and/or block diagram block or blocks.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The foregoing description of embodiments of the application has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the technical improvement of the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (15)

1. A method for detecting domain name cache injection, characterized by comprising the following steps:
sending a first query request for a target domain name to a target domain name resolver, wherein the target domain name resolver is a conditional domain name resolver with both forwarding query function and recursive query function;
acquiring a first query result corresponding to the first query request from the target domain name resolver;
sending a second query request for the target domain name to a domain name server, wherein the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function;
obtaining a second query result corresponding to the second query request from the domain name server;
and if the second query result is different from the Internet Protocol (IP) address of the target domain name indicated by the first query result, determining that the target domain name resolver has been subjected to cache injection.
2. The method of claim 1, wherein the domain name security extension function of the conditional domain name resolver is off.
3. The method of claim 1, wherein prior to the sending the first query request for the target domain name to the target domain name resolver, the method further comprises:
determining, based on at least two queries for a plurality of domain names initiated to the target domain name resolver, that the target domain name resolver is the conditional domain name resolver.
4. A method according to any one of claims 1 to 3, wherein the first query result indicates a first IP address and the second query result indicates a second IP address; the method further includes, after the obtaining, from the domain name server, a second query result corresponding to the second query request:
judging whether the first IP address is the same as the second IP address, and
wherein the second query result is different from the IP address of the target domain name indicated by the first query result, including:
the first IP address is different from the second IP address.
5. A method according to any one of claims 1 to 3, wherein the first query result comprises a first set of IP addresses, the first set of IP addresses comprising a plurality of IP addresses corresponding to the target domain name, and the second query result comprises a second set of IP addresses, the second set of IP addresses comprising a plurality of IP addresses corresponding to the target domain name; the method further includes, after the obtaining, from the domain name server, a second query result corresponding to the second query request:
judging whether the first IP address set is the same as the second IP address set, and
wherein the second query result is different from the IP address of the target domain name indicated by the first query result, including:
at least one IP address differs between the plurality of IP addresses in the first set of IP addresses and the plurality of IP addresses in the second set of IP addresses.
6. A method for detecting domain name cache injection, wherein the method is applied to a domain name resolver, the method comprising:
receiving a domain name query request, wherein the domain name query request is used for querying a first domain name;
querying a domain name server for the first domain name;
receiving a domain name query response, the domain name query response comprising a record indicating a second domain name;
if the second domain name is not associated with the first domain name, determining that the domain name resolver has been subjected to cache injection.
7. The method of claim 6, wherein the domain name resolver is a conditional domain name resolver, the conditional domain name resolver being a domain name resolver having both a forwarding query function and a recursive query function.
8. The method of claim 7, wherein the domain name security extension function of the conditional domain name resolver is off.
9. The method according to any one of claims 6 to 8, wherein the second domain name not being associated with the first domain name comprises:
the second domain name is different from the first domain name, and the second domain name is not a sub-domain name of the first domain name.
10. The method according to any one of claims 6 to 8, further comprising:
intercepting the domain name query response.
11. A detection device for domain name cache injection, characterized by comprising:
the first sending module is used for sending a first query request for a target domain name to a target domain name resolver, wherein the target domain name resolver is a conditional domain name resolver with both a forwarding query function and a recursive query function;
the first receiving module is used for acquiring a first query result corresponding to the first query request from the target domain name resolver;
the second sending module is used for sending a second query request for the target domain name to a domain name server, wherein the domain name server is an authoritative domain name server or a recursive domain name resolver without a forwarding query function;
the second receiving module is used for acquiring a second query result corresponding to the second query request from the domain name server;
and the determining module is used for determining that the target domain name resolver has been subjected to cache injection under the condition that the second query result is different from the IP address of the target domain name indicated by the first query result.
12. A detection device for domain name cache injection, characterized by comprising:
the first receiving module is used for receiving a domain name query request, wherein the domain name query request is used for querying a first domain name;
the query module is used for querying a domain name server for the first domain name;
a second receiving module configured to receive a domain name query response, where the domain name query response includes a record indicating a second domain name;
and the determining module is used for determining that the domain name resolver has been subjected to cache injection under the condition that the second domain name is not associated with the first domain name.
13. An electronic device, comprising:
at least one processor; and
a memory coupled to the at least one processor and having instructions stored thereon that, when executed by the at least one processor, cause the apparatus to perform the method of any of claims 1-5 or perform the method of any of claims 6-10.
14. A computer readable storage medium, characterized in that the computer readable storage medium has stored thereon a computer program product comprising machine executable instructions which, when executed, cause the method according to any of claims 1 to 5 to be implemented or the method according to any of claims 6 to 10 to be implemented.
15. A computer program product tangibly stored on a non-volatile computer readable medium and comprising machine executable instructions that when executed cause the method according to any one of claims 1 to 5 to be implemented or cause the method according to any one of claims 6 to 10 to be implemented.
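As an added example (not the patent's own code), the two checks the claims describe in plain Python: the client-side comparison of a conditional resolver's answer set with the set returned by an authoritative or non-forwarding recursive reference (claims 1, 4 and 5), and the resolver-side check that flags and intercepts a response carrying a record for a name that is neither the queried name nor one of its sub-domains (claims 6, 9 and 10). The `Lookup` and `Record` types, the function names and the sample answer sets are assumptions; lookups are stubbed with constructed data rather than real DNS traffic.

```python
"""Added example, not the patent's own code: the two cache-injection checks
the claims describe, run over constructed answers so it works offline."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

Lookup = Callable[[str], Iterable[str]]  # hypothetical: name -> A/AAAA strings
Record = Tuple[str, str, str]            # (owner name, type, rdata)

@dataclass
class Verdict:
    injected: bool
    reason: str

def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; drop the trailing dot of an FQDN.
    return [lb for lb in name.lower().rstrip(".").split(".") if lb]

def in_bailiwick(record_name: str, queried_name: str) -> bool:
    """Claim 9: a record is associated with the query only if it names the same
    domain or a sub-domain. Whole labels are compared, so 'evil-example.com'
    is not accepted as lying under 'example.com'."""
    r, q = _labels(record_name), _labels(queried_name)
    return len(r) >= len(q) and r[len(r) - len(q):] == q

def compare_with_reference(target: Lookup, reference: Lookup, domain: str) -> Verdict:
    """Claims 1, 4 and 5: the answer set from the conditional resolver (target)
    must equal the set from an authoritative server or a non-forwarding
    recursive resolver (reference); parsed addresses ignore order and IPv6 spelling."""
    first = {ipaddress.ip_address(a) for a in target(domain)}
    second = {ipaddress.ip_address(a) for a in reference(domain)}
    if first == second:
        return Verdict(False, "answer sets match")
    only_resolver = sorted(str(a) for a in first - second)
    only_reference = sorted(str(a) for a in second - first)
    return Verdict(True, f"resolver-only={only_resolver} reference-only={only_reference}")

def filter_response(queried_name: str, records: List[Record]) -> Tuple[Verdict, List[Record]]:
    """Claims 6, 9 and 10, resolver side: a response carrying a record for a
    name outside the queried name's bailiwick is flagged and intercepted
    (an empty record list is handed on instead of the response)."""
    for owner, rtype, rdata in records:
        if not in_bailiwick(owner, queried_name):
            return Verdict(True, f"out-of-bailiwick record {owner} {rtype} {rdata}"), []
    return Verdict(False, "all records in bailiwick"), records

# Constructed sample answers using documentation address ranges (RFC 5737).
CLEAN = {"www.example.com": ["192.0.2.10", "192.0.2.11"]}
POISONED = {"www.example.com": ["192.0.2.10", "198.51.100.7"]}  # one address swapped

if __name__ == "__main__":
    print(compare_with_reference(POISONED.__getitem__, CLEAN.__getitem__, "www.example.com"))
    print(filter_response("www.example.com", [("www.example.com", "A", "192.0.2.10"),
                                              ("login.example.net", "A", "203.0.113.5")]))
```

Because the comparison is strict set equality on parsed addresses, round-robin reordering and IPv6 spelling differences do not raise a verdict, while a single swapped address does.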
CN202310760698.6A 2023-06-26 2023-06-26 Domain name cache injection detection method and device and electronic equipment Pending CN116743698A (en)


Publications (1)

Publication Number Publication Date
CN116743698A true CN116743698A (en) 2023-09-12

Family

ID=87904329



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination