CN116781287A - DNS traffic processing method, system, equipment and storage medium - Google Patents

Publication number: CN116781287A
Application number: CN202210223215.4A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 王琪琛, 胡金涌
Assignee: Shanghai Yundun Information Technology Co ltd
Legal status: Pending
Classification landscape: Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application provides a method, system, device and storage medium for processing DNS traffic. A client hijacks local DNS traffic, parses it and processes it according to a preset rule: when the DNS traffic matches the preset rule, the client rewrites the destination address of the DNS traffic to the address of a designated DNS server, encrypts the DNS traffic and sends the encrypted DNS traffic to an edge node; the edge node performs a security check on the encrypted DNS traffic and sends the traffic that passes the check to the designated DNS server according to that server's address. This improves processing efficiency and reduces the risk of data leakage.

Description

DNS traffic processing method, system, equipment and storage medium
Technical Field
The present application relates to the field of computers, and in particular to a method, system, apparatus and storage medium for DNS traffic processing.
Background
In the current network environment, the traditional DNS (Domain Name System) is vulnerable to a variety of attacks during resolution and may create a risk of data leakage, so the security and performance of a traditional DNS resolution server cannot be guaranteed.
In the prior art, DNS data is usually encrypted with a protocol such as DoH (DNS over HTTPS) or DoT (DNS over TLS) and sent to a secure DNS resolution server.
However, both DoH and DoT rely on the security of TLS (Transport Layer Security), which in turn relies mainly on third-party CA (certificate authority) providers. Once a third-party CA provider suffers an operational or security incident, its authentication service becomes unavailable and end users of the enterprise IT service are directly affected. Moreover, it cannot be ruled out that some countries have control over a third-party CA provider, so there is a possibility of attack.
Disclosure of Invention
An object of the present application is to provide a method, system, device and storage medium for DNS traffic processing, so as to solve the problem in the prior art that DNS resolution and encryption are constrained by a third-party CA and are vulnerable to attack.
According to one aspect of the present application, a method for DNS traffic processing is provided, applied to a client, the method including:
hijacking local DNS traffic to the client;
the client parsing the DNS traffic and processing it according to a preset rule, including: when the DNS traffic matches the preset rule, rewriting the destination address of the DNS traffic to the address of the designated DNS server, encrypting the DNS traffic and sending the encrypted DNS traffic to an edge node, so that the edge node performs a security check on the encrypted DNS traffic and sends the DNS traffic that passes the security check to the designated DNS server according to the address of the designated DNS server.
Optionally, encrypting the DNS traffic includes:
encrypting the DNS traffic with a private protocol.
Optionally, the preset rule includes a first domain name set for which the designated DNS must be enabled, and the method further includes:
when the domain name corresponding to the DNS traffic matches an entry in the first domain name set, determining that the DNS traffic matches the preset rule.
Optionally, the method further includes:
when the domain name corresponding to the DNS traffic matches no entry in the first domain name set, determining that the DNS traffic does not match the preset rule.
Optionally, the client parsing the DNS traffic and processing it according to the preset rule further includes:
when the DNS traffic does not match the preset rule, the client not rewriting the destination address of the DNS traffic, the destination address of the DNS traffic then being the address of a default DNS server;
encrypting the DNS traffic and sending the encrypted DNS traffic to an edge node, so that the edge node performs a security check on the encrypted DNS traffic and sends the DNS traffic that passes the security check to the default DNS server according to the address of the default DNS server.
Optionally, the method includes:
the client receiving the preset rule from a management platform.
An embodiment of the application also provides a DNS traffic processing method applied to the edge node, the method including:
obtaining the encrypted DNS traffic sent by a client;
performing a security check on the encrypted DNS traffic sent by the client, and sending the DNS traffic that passes the security check to the address of a designated DNS server or a default DNS server according to the destination address of the DNS traffic.
Optionally, performing the security check on the encrypted DNS traffic sent by the client includes:
decrypting the data packet corresponding to the DNS traffic to obtain decrypted DNS traffic;
performing a security check on the message corresponding to the decrypted DNS traffic.
An embodiment of the application also provides a DNS traffic processing method applied to the management platform, including:
obtaining a preset rule;
sending the preset rule to the client, so that the client processes the local DNS traffic hijacked to the client according to the preset rule.
Optionally, the preset rule includes a first domain name set for which the designated DNS must be enabled, so that when the domain name corresponding to the DNS traffic matches an entry in that set, the client rewrites the destination address of the local DNS traffic hijacked to the client to the address of the designated DNS server, encrypts the DNS traffic, and sends the encrypted DNS traffic to an edge node for a security check.
An embodiment of the application also provides a system for processing DNS traffic, which includes a client, a management platform, an edge node and a designated DNS server, where:
the client is used to hijack local DNS traffic, parse the DNS traffic and process it according to a preset rule, including: when the DNS traffic matches the preset rule, rewriting the destination address of the DNS traffic to the address of the designated DNS server, encrypting the DNS traffic, and sending the encrypted DNS traffic to the edge node;
the management platform is used to obtain the preset rule and send it to the client;
the edge node is used to obtain the encrypted DNS traffic sent by the client, perform a security check on it, and send the DNS traffic that passes the security check to the address of the designated DNS server or the default DNS server according to the destination address of the DNS traffic;
the designated DNS server is used to obtain the DNS traffic that passed the security check from the edge node and respond to it.
An embodiment of the application also provides a device for DNS traffic processing, which includes:
one or more processors; and
a memory storing computer-readable instructions that, when executed, cause the processor to perform the operations of the method for DNS traffic processing.
Embodiments of the present application also provide a computer-readable medium having stored thereon computer-readable instructions executable by a processor to implement the method of DNS traffic processing.
Compared with the prior art, in the scheme for processing DNS traffic the client hijacks the local DNS traffic, parses it, processes it according to the preset rule, rewrites the destination address of the DNS traffic to the address of the designated DNS server when the DNS traffic matches the preset rule, encrypts the DNS traffic and sends the encrypted DNS traffic to the edge node, so that the edge node performs a security check on the encrypted DNS traffic and sends the DNS traffic that passes the security check to the designated DNS server according to that server's address. Unlike the traditional TLS-based scheme, which needs an algorithm negotiation step in order to accommodate various browsers, the scheme of this embodiment can omit algorithm negotiation and proceed directly to key negotiation, so negotiation is faster and more efficient; and because DNS traffic is steered on the local client, the risk of data leakage is reduced and data security is improved.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading the detailed description of non-limiting embodiments, made with reference to the accompanying drawings, in which:
Fig. 1 shows a process flow of a DNS traffic processing method according to an embodiment of the present application;
Fig. 2 shows a process flow of a DNS traffic processing method according to an embodiment of the present application;
Fig. 3 shows a process flow of a DNS traffic processing method according to an embodiment of the present application;
Fig. 4 shows a system framework for DNS traffic processing according to an aspect of the present application;
Fig. 5 shows the structure of an apparatus for DNS traffic processing according to an embodiment of the present application;
Fig. 6 shows a method flow of DNS traffic processing in an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions of the embodiments are described below clearly and completely with reference to the accompanying drawings. The described embodiments are some, but not all, of the embodiments of the present application. All other embodiments obtained by those skilled in the art from these embodiments without inventive effort fall within the scope of the application.
In one exemplary configuration of the application, the terminal and the devices of the service network each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and information storage may be implemented by any method or technology. The information may be computer-readable instructions, data structures, program modules, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or other magnetic storage devices, or any other non-transmission medium that can store information accessible by a computing device.
The technical solutions currently on the market mainly encrypt DNS data with protocols such as DoH (DNS over HTTPS) or DoT (DNS over TLS) and send it to a secure DNS resolution server. As those skilled in the art will appreciate, both DoH and DoT rely on the security of TLS, and TLS security depends primarily on third-party CA (certificate authority) service providers. Once a third-party CA provider suffers an operational or security incident, its authentication service becomes unavailable and end users of the enterprise IT service are directly affected. It also cannot be ruled out that a third-party CA provider is under the control of some country, so there is a possibility of attack.
In the present application the encryption of DNS traffic is performed by the local client and does not depend on a third-party CA, so security is higher. Compared with the traditional TLS scheme, which needs an algorithm negotiation step to accommodate various browsers, the method and device omit algorithm negotiation and proceed directly to key negotiation, which is faster.
In the scheme for processing DNS traffic provided by an embodiment of the application, a client hijacks the local DNS traffic, parses it, processes it according to the preset rule, rewrites the destination address of the DNS traffic to the address of the designated DNS server when the DNS traffic matches the preset rule, encrypts the DNS traffic and sends the encrypted DNS traffic to an edge node, so that the edge node performs a security check on the encrypted DNS traffic and sends the DNS traffic that passes the security check to the designated DNS server according to that server's address. Unlike the traditional TLS-based scheme, which needs an algorithm negotiation step in order to accommodate various browsers, the scheme of this embodiment can omit algorithm negotiation and proceed directly to key negotiation, so negotiation is faster and more efficient; and because DNS traffic is steered on the local client, the risk of data leakage is reduced and data security is improved.
Fig. 1 shows a process flow of a DNS traffic processing method according to an embodiment of the present application. The method is applied to a client and includes at least the following steps:
Step S101: local DNS traffic is hijacked to the client.
In a practical scenario, the local DNS traffic may be hijacked into the client by modifying the routing table: for example, the client reads the default DNS destination address and adds it to the routing table, so that the local DNS resolution path is diverted into the client; a virtual network card may be used to bring the local DNS traffic into the client through this routing-table change. Note that the client is installed in the local system, so the processing of DNS traffic is local: the client does not depend on the network environment or on a third-party CA service provider, which effectively improves security.
Step S102: the client parses the DNS traffic and processes it according to a preset rule, including: when the DNS traffic matches the preset rule, rewriting the destination address of the DNS traffic to the address of the designated DNS server, encrypting the DNS traffic and sending the encrypted DNS traffic to an edge node, so that the edge node performs a security check on the encrypted DNS traffic and sends the DNS traffic that passes the security check to the designated DNS server according to the address of the designated DNS server. Steering DNS traffic in the local client reduces the risk of data leakage.
In the above embodiment, the client parses the DNS traffic, determines the domain name it corresponds to, and then checks whether that domain name belongs to the set of domain names specified in the preset rule. If it does, the DNS traffic is determined to match the preset rule and the destination address in the IP packet of the DNS traffic is changed to the address of the designated DNS server, which may be a secure DNS server, that is, a designated trusted server configured to resolve the DNS packet. The client then encrypts the DNS traffic; in some embodiments the encrypted DNS traffic is steered to an edge node by adding the edge node's location information to the header of the corresponding data packet, so that the edge node performs a security check on the encrypted DNS traffic and sends the DNS traffic that passes the check to the designated DNS server according to that server's address.
The encryption method used for the encryption processing in the present application may be any encryption method; this embodiment does not limit it.
In an alternative embodiment of the present application, in step S102 the DNS traffic may be encrypted with a proprietary protocol. The private protocol may be a private network protocol customised by the user; it does not depend on a third-party CA, so security is higher. Compared with the traditional secure DNS resolution approach that relies on TLS, the private encryption protocol predefines the algorithm, so only key negotiation is needed and no algorithm negotiation: the negotiation takes a single handshake, the handshake is faster and negotiation efficiency is improved.
Those skilled in the art will appreciate that the encryption of DNS traffic with a proprietary protocol described above is only an example; other forms based on similar principles, whether existing or developed later, fall within the scope of the present application if applicable, and are incorporated herein by reference.
In some embodiments of the present application, the preset rule may include a first domain name set for which the designated DNS must be enabled; when the domain name corresponding to the DNS traffic matches an entry in that set, the DNS traffic is determined to match the preset rule.
In this embodiment the preset rule may be defined by the user according to their requirements. The first domain name set for which the designated DNS must be enabled is configured in the preset rule; the client obtains that set and the domain name corresponding to the DNS traffic, checks whether the domain name matches an entry in the set, and if it does, determines that the DNS traffic matches the preset rule.
In an alternative embodiment of the application, an enterprise can freely configure the domain names that must be resolved by the secure DNS resolution server. When an employee of the enterprise accesses a domain name for which the secure DNS is enabled, all of that DNS traffic is hijacked to the client, encrypted and sent to the secure DNS server, which performs the resolution, thereby ensuring data security and avoiding the risk of data leakage.
In an optional embodiment of the present application, when the domain name corresponding to the DNS traffic matches no entry in the first domain name set, the DNS traffic is determined not to match the preset rule. When the DNS traffic does not match the preset rule, it is not necessary to enable the designated DNS server.
In an alternative embodiment of the present application, the domain name corresponding to the current DNS traffic is a domain name A, which is a domain name for which the secure DNS must be enabled. By default, this domain name is resolved by DNS server X, but because of the routing-table configuration the DNS resolution traffic enters the client through the virtual network card, with destination address X. The preset rule contains the first domain name set for which the designated DNS must be enabled; the client obtains that set and the domain name corresponding to the DNS traffic, checks whether the domain name matches an entry in the set, and if it does, determines that the DNS traffic matches the preset rule (when the DNS traffic does not match the preset rule, it is not necessary to enable the designated DNS server). By matching against the preset rule stored in the client, the client determines that domain name A requires the designated DNS, replaces the destination address of the packet with the address Y of the designated DNS server, and encrypts the packet.
With the above embodiment, the client may record the processed data as log information, so that all DNS traffic records hijacked by the client can later be reviewed, including the DNS traffic the client sent to the default DNS server and the DNS traffic it sent to the designated DNS server.
In an optional embodiment of the present application, in step S102, when the DNS traffic does not match the preset rule, the client does not rewrite the destination address of the DNS traffic, which remains the address of the default DNS server; it then encrypts the DNS traffic and sends the encrypted DNS traffic to an edge node, so that the edge node performs a security check on it and sends the DNS traffic that passes the security check to the default DNS server according to the address of the default DNS server.
In the above embodiment, when the DNS traffic matches no entry in the preset rule's set of domain names for which the designated DNS server must be enabled, the client does not rewrite the destination address of the DNS traffic, which remains the address of the default DNS server. The DNS traffic may then be encrypted, using any encryption mode, and the encrypted DNS traffic is sent to an edge node, so that the edge node performs a security check on it and sends the DNS traffic that passes the check to the default DNS server according to that server's address. By resolving the domain name of the hijacked DNS traffic, the client determines that the traffic does not need the designated DNS server, so the traffic is steered directly to the default DNS server, which completes the default resolution; the default DNS server is the local default DNS resolution server.
Optionally, the client is installed locally on the terminal. After receiving the preset rule from the management platform, the terminal can control the data path of DNS traffic from the initiating end to the receiving end. Because the local DNS traffic is hijacked at the client, the DNS traffic can conveniently be analysed and modified, can be integrated with other DNS acceleration schemes, and functions such as encryption, analysis, attack detection or acceleration of DNS traffic data can easily be implemented. Specifically, the subsequent access address can be specified for all DNS traffic related to an application, and encryption, resolution, attack detection, acceleration and so on can be applied to that data conveniently; for example, the resolved DNS address can be replaced, so the address the application accesses is controlled by the client.
Note that the terminal includes, but is not limited to, a mobile terminal, a PC, and the like.
In an alternative embodiment of the present application, the client may receive the preset rule from a management platform. The client obtains the preset rule sent by the management platform and stores the first domain name set for which the designated DNS must be enabled, together with the address of the designated DNS server, in local memory; after the DNS traffic has been intercepted by the client, the preset rule is used to decide whether the traffic should be steered to the designated DNS server. Which DNS traffic data the preset rule applies to can be determined by checking the configuration of the management platform and recording the domain names that use the designated DNS.
Fig. 2 shows a process flow of a DNS traffic processing method according to an embodiment of the present application. The method is applied to an edge node and includes at least the following steps:
Step S201: obtain the encrypted DNS traffic sent by the client.
In the above embodiment, the client adds the IP address of the edge node to the header of the DNS traffic packet and sends the encrypted DNS traffic packet to the edge node, so the edge node can obtain the encrypted DNS traffic sent by the client through its physical network card.
Optionally, the user may capture the packets on the physical network card and view, through those packets, all DNS data in clear text passing through the physical network card, so as to determine all domain names corresponding to the DNS traffic passing through the physical network card and all related data of that traffic, for example the access time, sending time and data size of the DNS traffic.
Step S202: perform a security check on the encrypted DNS traffic sent by the client, and send the DNS traffic that passes the security check to the address of the designated DNS server or the default DNS server according to the destination address of the DNS traffic. To ensure the security of DNS resolution, the client sends the DNS traffic to the edge node, which may be, but is not limited to, a point of presence (POP), as encrypted data, and the edge node may perform a security check on the DNS packet.
With the above embodiment, after removing the edge-node IP address that the client added to the header of the encrypted DNS traffic packet, the edge node performs a security check on the encrypted DNS traffic sent by the client, where the security check includes, but is not limited to, a message check. The DNS traffic that passes the security check is sent to the address of the designated DNS server or the default DNS server according to the destination address of the DNS traffic.
In an alternative embodiment of the present application, the destination address of the DNS traffic defaults to the address of the local default DNS server; when the client changes the destination address of the DNS traffic to the address of the designated DNS server, the DNS traffic is steered to the designated DNS server to ensure data security.
In an optional embodiment of the present application, in step S202 the data packet corresponding to the DNS traffic is decrypted to obtain the decrypted DNS traffic, and a security check is performed on the message corresponding to the decrypted DNS traffic.
For example, the edge node may be a POP; the POP decrypts the data packet corresponding to the DNS traffic according to the corresponding private protocol to obtain the decrypted DNS traffic, and performs a security check such as verification on the packet corresponding to the decrypted DNS traffic. Optionally, the edge node may capture the packets corresponding to the DNS traffic, so that the user can later check whether each DNS packet forwarded by the client passed through the edge node and thereby determine all DNS traffic that passed through it.
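The following Python is an added example, not code from the patent or its assignee. It models the client step S102 (parse the QNAME of a hijacked query, match it against the preset rule's domain name set, pick the designated or the default DNS server, seal the traffic for the edge node) and the edge-node step S202 (verify, decrypt and message-check the traffic before forwarding). The domain name set, the server addresses X and Y and the pre-shared key are constructed values; because the patent does not specify its private protocol, an encrypt-then-MAC envelope built from HMAC-SHA256 stands in for it so that the example runs on the standard library alone.

```python
"""Client step S102 and edge-node step S202 of the DNS traffic scheme (constructed example)."""
import hashlib
import hmac
import ipaddress
import os
import struct

# Constructed preset rule: the "first domain name set" that must use the designated
# DNS server, the designated server address (Y) and the local default server (X).
PRESET_RULE = {
    "designated_domains": {"intranet.example", "payroll.example"},  # assumed values
    "designated_dns": "10.0.0.53",                                  # assumed address Y
}
DEFAULT_DNS = "192.168.1.1"                                         # assumed address X
# Stands in for the key the client and edge node agree in the patent's key negotiation.
PSK = b"constructed-pre-shared-key-for-the-example"
NONCE_LEN, TAG_LEN = 12, 32


def parse_qname(dns_msg: bytes) -> str:
    """Return the lower-cased QNAME of the first question in a wire-format DNS message."""
    if len(dns_msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    if struct.unpack("!H", dns_msg[4:6])[0] < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(dns_msg):
            raise ValueError("truncated QNAME")
        length = dns_msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0 or pos + length > len(dns_msg):
            raise ValueError("bad label: compression pointer or truncated")
        labels.append(dns_msg[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels)


def matches_rule(domain: str, rule: dict) -> bool:
    """A domain matches when it equals, or is a subdomain of, an entry in the set."""
    return any(domain == d or domain.endswith("." + d) for d in rule["designated_domains"])


def choose_destination(dns_msg: bytes, rule: dict, default_dns: str) -> str:
    """Step S102 decision: designated server on a match, otherwise the default server."""
    return rule["designated_dns"] if matches_rule(parse_qname(dns_msg), rule) else default_dns


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a real AEAD)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(key: bytes, dest_ip: str, dns_msg: bytes, nonce=None) -> bytes:
    """Client: envelope for the edge node, plaintext = destination IPv4 || DNS message.
    Encrypt-then-MAC, so the destination cannot be altered on the way to the edge node."""
    nonce = nonce or os.urandom(NONCE_LEN)
    plaintext = ipaddress.IPv4Address(dest_ip).packed + dns_msg
    ciphertext = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_and_check(key: bytes, envelope: bytes):
    """Edge node (S202): verify tag, decrypt, message-check; ((dest, msg), "ok") or (None, why)."""
    if len(envelope) < NONCE_LEN + 4 + TAG_LEN:
        return None, "envelope too short"
    nonce, ciphertext, tag = envelope[:NONCE_LEN], envelope[NONCE_LEN:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None, "bad tag"
    plaintext = _xor(ciphertext, _keystream(key, nonce, len(ciphertext)))
    dest, msg = str(ipaddress.IPv4Address(plaintext[:4])), plaintext[4:]
    if len(msg) < 12:
        return None, "dns message too short"
    if struct.unpack("!H", msg[2:4])[0] & 0x8000:
        return None, "QR bit set: not a query"
    try:
        parse_qname(msg)
    except ValueError as exc:
        return None, f"malformed question: {exc}"
    return (dest, msg), "ok"


def build_query(domain: str, txid: int = 0x1234) -> bytes:
    """Constructed A query in wire format (RD set, one question, class IN)."""
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in domain.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def client_process(dns_msg: bytes, rule=PRESET_RULE, default_dns=DEFAULT_DNS, key=PSK):
    """Whole client path for one hijacked query: choose the destination, seal for the edge node."""
    dest = choose_destination(dns_msg, rule, default_dns)
    return dest, seal(key, dest, dns_msg)
```

A deployment would replace the HMAC-derived keystream with a vetted AEAD such as AES-GCM or ChaCha20-Poly1305; what the example fixes is the structure, with the destination address carried inside the authenticated payload and the check performed before anything is forwarded.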
Fig. 3 shows a processing flow of a method for DNS traffic processing, which is provided by an embodiment of the present application, and the method is applied to a management platform, and at least includes the following processing steps:
step S301, obtaining a preset rule.
In the embodiment, the management platform acquires configuration strategy information preset by a user, and determines a corresponding preset rule based on the configuration strategy information; the management platform may also obtain the preset rules from any other source.
Step S302, the preset rule is sent to the client, so that the client performs corresponding processing on the local DNS traffic hijacked to the client based on the preset rule.
In the above embodiment, the preset rule is sent to the client, so that the client obtains the preset rule of the management platform and stores the domain name to be started with the specified DNS and the address of the specified DNS server in the memory, and then, based on the preset rule, the local DNS traffic hijacked to the client is processed correspondingly.
In an optional embodiment of the present application, the preset rule includes a first domain name set that needs to enable the specified DNS, so that when a matching item exists between a domain name corresponding to the DNS traffic and the first domain name set that needs to enable the specified DNS, the client rewrites a destination address of the local DNS traffic hijacked to the client into an address of the specified DNS server, encrypts the DNS traffic, and sends the encrypted DNS traffic to an edge node for security check.
Fig. 4 illustrates a system framework for DNS traffic processing provided according to an aspect of the present application, where the system includes a client 401, a management platform 402, an edge node 403, and a specified DNS server 404, where the client 401 is configured to hijack local DNS traffic, parse the DNS traffic, and perform corresponding processing on the DNS traffic based on preset rules, and includes: when the DNS traffic matches the preset rule, rewriting the destination address of the DNS traffic to be the address of the specified DNS server 404, performing encryption processing on the DNS traffic, and sending the DNS traffic after the encryption processing to the edge node 403; the management platform 402 is configured to obtain a preset rule, and send the preset rule to the client 401; the edge node 403 is configured to obtain the DNS traffic after encryption sent by the client 401, perform security check on the DNS traffic after encryption sent by the client 401, and send the DNS traffic passing the security check to the designated DNS server 404 or the address of the default DNS server according to the destination address of the DNS traffic; the specified DNS server 404 is configured to obtain DNS traffic passing the security check sent by the edge node 403, and respond to the DNS traffic passing the security check.
It should be noted that the client is installed in the local system, so that the processing of the hijacked DNS traffic takes place locally and does not depend on a third-party CA service provider, which effectively improves security. Meanwhile, after the client 401 encrypts the DNS traffic and sends it to the edge node 403, the edge node 403 sends the DNS traffic packets passing the security check to the specified DNS server or to the address of the default DNS server; after the edge node 403 removes the IP address of the edge node that was added to the packet header, the DNS traffic packets passing the security check are sent to the specified DNS server 404 fully encrypted. After the specified DNS server 404 obtains the DNS traffic passing the security check sent by the edge node 403, it responds to that DNS traffic, for example by returning the encrypted DNS traffic packet along the original path, so that the DNS traffic is returned to the application program that issued the DNS request under full encryption and data security is ensured. The system and/or embodiments described here may be implemented in conjunction with any of the method embodiments described above.
In addition, an embodiment of the present application further provides an apparatus for DNS traffic processing, as shown in fig. 5, including one or more processors 502 for DNS traffic processing and a memory 501 storing computer readable instructions, where the computer readable instructions when executed cause the processor 502 to perform the method for DNS traffic processing.
Fig. 6 shows a flow of a DNS traffic processing method according to an embodiment of the present application, including at least the following steps:
in step S601, the client installed in the terminal obtains the preset rule of the management platform, and stores the domain name to be started for the specified DNS and the address of the specified DNS server included in the specified rule in the local memory of the terminal, so that the user can freely configure the domain name to be started for the specified DNS in the preset rule, for example, when the enterprise employee accesses the domain name to be started for the specified DNS set by the enterprise, all DNS traffic is hijacked into the client, and the encrypted data is drained to the specified DNS server. After hijacking DNS traffic into a client, it is matched whether the DNS data traffic should be drained to a specified DNS server, such as a secure DNS server. By conducting DNS drainage in the local client, the risk of data leakage is effectively reduced.
In step S602, the client detects the default DNS resolution server address of the terminal, and hives the default DNS resolution logic of the terminal to the client through the virtual network card in a manner of changing the routing table, so that the path from the initiator to the receiver in the DNS traffic resolution process is controlled by the client, the subsequent DNS resolution address can be freely controlled through the routing table, and the subsequent access address can be specified for the DNS data traffic of the application program, thereby facilitating the encryption, resolution, attack detection or acceleration of the DNS traffic data.
In step S603, the client analyzes the introduced DNS traffic, determines whether the domain name of the specified DNS needs to be enabled based on a preset rule, if the domain name of the specified DNS needs to be enabled, modifies the destination address of the IP packet corresponding to the DNS traffic to be a specified DNS server, encrypts the DNS packet through a private protocol, adds a new IP address to the edge node in the packet header, and streams the data to the edge node, such as a POP point. The subsequent process can determine whether there is a DNS data message forwarded by the client by capturing the message of the POP point, and also can observe log information of the POP point to determine all DNS traffic data passing through the POP point.
The above-mentioned new IP address may be randomly allocated by the management platform, which is not specifically limited in this embodiment.
In step S604, the POP point removes the newly added IP address from the packet header, decrypts the encrypted DNS packet based on the private protocol, recovers the original DNS packet, and performs a security check, such as a data check, on the packet corresponding to the DNS packet. The POP point then sends the encrypted DNS data packet to the specified DNS server; the specified DNS server parses the encrypted DNS data packet to obtain the IP address in the DNS traffic data packet, records that IP address in a log, and returns the data packet corresponding to the DNS traffic, in an encrypted state, along the original path to the application program that requested the DNS traffic.
Compared with a conventional TLS scheme, whose algorithm negotiation process must be adapted to various browsers, the method and device of the present application omit algorithm negotiation and proceed directly to key negotiation, so that negotiation is faster and the risk of data leakage is reduced.
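The client-side steps S601 to S603 and the edge-node step S604 above (and the first-domain-name-set match described for Fig. 3), as an added worked example in Python; this is not code from the patent or the applicant. Assumptions: the domain set, server addresses and shared key are constructed; the edge-node address added to the header is modelled as two IPv4 addresses (edge node, chosen DNS destination); and the undisclosed private protocol is stood in for by an HMAC tag so that the edge node's security check is concrete and verifiable.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed preset rule (step S601): FQDNs (trailing dot) for which the specified
# DNS is enabled; a query matches an entry exactly or as one of its subdomains.
PRESET_RULE = {"corp.example.", "intranet.example."}
SPECIFIED_DNS = "10.0.0.53"     # assumed address of the specified DNS server
DEFAULT_DNS = "192.168.1.1"     # assumed default resolver detected in step S602
EDGE_NODE = "203.0.113.10"      # assumed POP address assigned by the management platform
KEY = b"constructed-client-edge-key"  # assumed key shared by client and edge node
TAG_LEN = 32                    # SHA-256 HMAC tag

def ip4(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed test input: a minimal RFC 1035 A query for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_qname(dns_msg: bytes) -> str:
    """Step S603 parse: read the first question name from a raw DNS message."""
    if len(dns_msg) < 12 or struct.unpack("!H", dns_msg[4:6])[0] == 0:
        raise ValueError("truncated header or empty question section")
    labels, pos = [], 12
    while True:
        if pos >= len(dns_msg):
            raise ValueError("truncated question name")
        length = dns_msg[pos]
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in a query name")
        pos += 1
        if length == 0:
            break
        labels.append(dns_msg[pos:pos + length].decode("ascii").lower())
        pos += length
    return ".".join(labels) + "."

def matches_rule(qname: str, rule=PRESET_RULE) -> bool:
    """Exact FQDN or subdomain match; 'notcorp.example.' must not match 'corp.example.'."""
    return any(qname == d or qname.endswith("." + d) for d in rule)

def choose_destination(dns_msg: bytes) -> str:
    """Step S603: rewrite the destination to the specified DNS only on a rule match."""
    return SPECIFIED_DNS if matches_rule(parse_qname(dns_msg)) else DEFAULT_DNS

def client_wrap(dns_msg: bytes) -> bytes:
    """Client side: prepend the edge-node address and the chosen DNS destination, then
    an HMAC tag over header and payload. The tag stands in for the private protocol's
    protection, whose cipher the page does not specify."""
    hdr = ip4(EDGE_NODE) + ip4(choose_destination(dns_msg))
    tag = hmac.new(KEY, hdr + dns_msg, hashlib.sha256).digest()
    return hdr + tag + dns_msg

def edge_unwrap(frame: bytes):
    """Step S604: the POP strips its own address and runs the security check.
    Returns (next-hop DNS address, DNS message), or None when the frame is dropped."""
    if len(frame) < 8 + TAG_LEN + 12 or frame[:4] != ip4(EDGE_NODE):
        return None
    hdr, tag, body = frame[:8], frame[8:8 + TAG_LEN], frame[8 + TAG_LEN:]
    expected = hmac.new(KEY, hdr + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                 # altered in transit: fails the check
    try:
        parse_qname(body)           # malformed DNS also fails the check
    except ValueError:
        return None
    return str(ipaddress.IPv4Address(hdr[4:8])), body
```

A query for a name outside the rule set keeps the default resolver as its next hop but still travels through the edge node, matching the default-DNS path of claim 5.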
The system, method and/or embodiments of the present embodiments may be implemented in conjunction with any of the method embodiments described above and any of the system embodiments described above.
It should be noted that the above step reference signs are only used to identify different steps and do not represent the execution sequence of the steps.
The methods and/or embodiments of the present application may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. The above-described functions defined in the method of the application are performed when the computer program is executed by a processing unit.
The computer readable medium according to the present application may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
In the present application, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations of the present application may be written in any combination of one or more programming languages, including an object-oriented programming language such as Java, Smalltalk or C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computer (for example, through the Internet using an Internet service provider).
The flowchart or block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As another aspect, the embodiment of the present application also provides a computer-readable medium that may be contained in the apparatus described in the above embodiment; or may be present alone without being fitted into the device. The computer readable medium carries one or more computer readable instructions executable by a processor to perform the steps of the methods and/or aspects of the various embodiments of the application described above.
In addition, the embodiment of the application also provides a computer program which is stored in the computer equipment, so that the computer equipment executes the DNS traffic processing method.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, e.g., using Application Specific Integrated Circuits (ASIC), a general purpose computer or any other similar hardware device. In some embodiments, the software program of the present application may be executed by a processor to implement the above steps or functions. Likewise, the software programs of the present application (including associated data structures) may be stored on a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. In addition, some steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
It will be evident to those skilled in the art that the application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The present embodiments are, therefore, to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is evident that the word "comprising" does not exclude other elements or steps, and that the singular does not exclude a plurality. The terms first, second, etc. are used to denote a name, but not any particular order.

Claims (13)

1. A method for DNS traffic handling, applied to a client, the method comprising:
local DNS traffic is hijacked to the client;
the client parses the DNS traffic and performs corresponding processing on the DNS traffic based on a preset rule, comprising: when the DNS traffic matches the preset rule, rewriting the destination address of the DNS traffic to the address of a specified DNS server, encrypting the DNS traffic, and sending the encrypted DNS traffic to an edge node, so that the edge node performs a security check on the encrypted DNS traffic and sends the DNS traffic passing the security check to the specified DNS server according to the address of the specified DNS server.
2. The method of claim 1, wherein encrypting the DNS traffic comprises:
encrypting the DNS traffic by using a private protocol.
3. The method of claim 1, wherein the preset rule comprises a first set of domain names for which a specified DNS needs to be enabled, the method further comprising:
when a matching item exists between the domain name corresponding to the DNS traffic and the first domain name set for which the specified DNS needs to be enabled, determining that the DNS traffic matches the preset rule.
4. A method according to claim 3, characterized in that the method further comprises:
when no matching item exists between the domain name corresponding to the DNS traffic and the first domain name set for which the specified DNS needs to be enabled, determining that the DNS traffic does not match the preset rule.
5. The method of claim 4, wherein the client parses the DNS traffic and processes the DNS traffic accordingly based on a preset rule, further comprising:
when the DNS traffic is not matched with the preset rule, the client does not rewrite the destination address of the DNS traffic, wherein the destination address of the DNS traffic is the address of a default DNS server;
encrypting the DNS traffic and transmitting the encrypted DNS traffic to an edge node, so that the edge node performs a security check on the encrypted DNS traffic and transmits the DNS traffic passing the security check to the default DNS server according to the address of the default DNS server.
6. The method according to any one of claims 1-4, characterized in that the method comprises:
the client receives the preset rule from the management platform.
7. A method of DNS traffic handling, for application to an edge node, the method comprising:
acquiring the DNS traffic after encryption processing sent by a client;
performing a security check on the encrypted DNS traffic sent by the client, and sending the DNS traffic passing the security check to the address of a specified DNS server or a default DNS server according to the destination address of the DNS traffic.
8. The method of claim 7, wherein security checking the encrypted DNS traffic sent by the client comprises:
decrypting the data packet corresponding to the DNS traffic to obtain decrypted DNS traffic;
performing a security check on the message corresponding to the decrypted DNS traffic.
9. A method for DNS traffic handling, applied to a management platform, the method comprising:
acquiring a preset rule;
sending the preset rule to the client, so that the client performs corresponding processing, based on the preset rule, on the local DNS traffic hijacked to the client.
10. The method according to claim 9, wherein the preset rule includes a first domain name set for which the specified DNS needs to be enabled, so that when a matching item exists between a domain name corresponding to the DNS traffic and the first domain name set for which the specified DNS needs to be enabled, the client rewrites a destination address of the local DNS traffic hijacked to the client to an address of the specified DNS server, encrypts the DNS traffic, and sends the encrypted DNS traffic to an edge node for a security check.
11. A system for DNS traffic handling, the system comprising a client, a management platform, an edge node, and a specified DNS server, wherein,
the client is used for hijacking local DNS traffic, parsing the DNS traffic and performing corresponding processing on the DNS traffic based on a preset rule, comprising: when the DNS traffic matches the preset rule, rewriting a destination address of the DNS traffic to an address of a specified DNS server, encrypting the DNS traffic, and sending the encrypted DNS traffic to an edge node;
the management platform is used for acquiring preset rules and sending the preset rules to the client;
the edge node is used for acquiring the DNS traffic after encryption processing sent by the client, carrying out security check on the DNS traffic after encryption processing sent by the client, and sending the DNS traffic passing the security check to the address of a designated DNS server or a default DNS server according to the destination address of the DNS traffic;
the specified DNS server is used for acquiring the DNS traffic passing the security check sent by the edge node and responding to the DNS traffic passing the security check.
12. A computer readable medium having stored thereon computer readable instructions executable by a processor to implement the method of any of claims 1 to 10.
13. An apparatus for DNS traffic processing, wherein the apparatus comprises:
one or more processors; and
a memory storing computer readable instructions that, when executed, cause the processor to perform the operations of the method of any one of claims 1 to 10.

Priority Applications (1)

Application Number: CN202210223215.4A (CN116781287A, en)
Priority Date: 2022-03-07
Filing Date: 2022-03-07
Title: DNS traffic processing method, system, equipment and storage medium

Publications (1)

Publication Number: CN116781287A (en)
Publication Date: 2023-09-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination