CN116938875A - Domain name detection method, domain name resolver, electronic device, and storage medium - Google Patents

Info

Publication number: CN116938875A
Authority: CN (China)
Application number: CN202310973974.7A
Other languages: Chinese (zh)
Inventors: 李想, 刘保君, 张明明, 段海新, 李琦
Current assignee: Tsinghua University
Original assignee: Tsinghua University
Legal status: Pending
Prior art keywords: domain name, cache, record, resource record, resolver

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L 61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/50 Network services
    • H04L 67/56 Provisioning of proxy services
    • H04L 67/568 Storing data temporarily at an intermediate stage, e.g. caching


Abstract

A domain name detection method, a domain name resolver, an electronic device, and a storage medium. The domain name detection method comprises the following steps: acquiring the cache validity period of a target domain name in the cache of a domain name resolver; when the cache validity period of the target domain name expires, obtaining the cached resource record of the target domain name from the cache of the domain name resolver and querying the authoritative resource record of the target domain name from the upper domain name server that manages the target domain name; and comparing whether the cached resource record is consistent with the authoritative resource record. The domain name detection method can verify in real time whether the authorization status of a domain name is consistent between the resolver cache and the upper layer, addresses the long-standing problem of inconsistent domain name authorization, and promotes consistent domain name authorization.

Description

Domain name detection method, domain name resolver, electronic device, and storage medium
Technical Field
Embodiments of the present disclosure relate to a domain name detection method, a domain name resolver, an electronic device, and a storage medium.
Background
A domain name is a human-memorable name used to identify and locate a computer during network data transmission, making it easier for people to access the Internet. A domain name corresponds to the IP address of a computer; after the domain name system resolves the domain name, the corresponding IP address is found, converting the domain name into a machine-readable IP address.
Domain names are a key underlying application of today's Internet and decisively affect numerous other network applications and protocols, including website access, content distribution, mail delivery, certificate application, blacklist deployment, and so on. The reliability and security of domain names underpin the whole domain name system; without domain names the Internet would be barely operable.
Domain names are authorized in the network space through a hierarchical namespace. The upper domain name area authorizes a subdomain name to the lower domain name area, the lower domain name area is reached by means of the authoritative server records stored in the upper domain name area, and successful resolution of the domain name is completed by the recursive resolution mechanism. Thus, consistency of the domain name authorization status between the upper and lower layers becomes critical. An inconsistent status indicates a potential security risk or an incorrect management configuration, which in turn can affect overall domain name resolution and the reliability and security of applications.
Disclosure of Invention
At least one embodiment of the present disclosure provides a domain name detection method, including: acquiring the cache validity period of a target domain name in the cache of a domain name resolver; when the cache validity period of the target domain name expires, obtaining the cached resource record of the target domain name from the cache of the domain name resolver, and querying the authoritative resource record of the target domain name from the upper domain name server managing the target domain name; and comparing whether the cached resource record is consistent with the authoritative resource record.
For example, the domain name detection method provided in at least one embodiment of the present disclosure further includes: determining that the authorization status of the target domain name is abnormal in response to the upper domain name server not having the authoritative resource record; or determining that the authorization status of the target domain name is abnormal in response to the cached resource record being different from the authoritative resource record.
For example, the domain name detection method provided in at least one embodiment of the present disclosure further includes: deleting the cached information about the target domain name in the domain name resolver in response to the authorization status of the target domain name being abnormal.
For example, in the domain name detection method provided in at least one embodiment of the present disclosure, the type of the resource record includes a domain name server record, an address record, a mail record, a canonical name record, or a reverse query record.
The domain name resolver comprises an acquisition module, a cache module and a control module which are coupled, wherein the acquisition module is configured to acquire a cache validity period of a target domain name from the cache module, acquire a cache resource record of the target domain name in the cache module when the cache validity period expires, and provide the cache validity period and the cache resource record to the control module; the control module is configured to query an upper domain name server managing a target domain name for an authoritative resource record of the target domain name when the cache validity period of the target domain name expires, and compare whether the cache resource record is identical to the authoritative resource record.
For example, in a domain name resolver provided in at least one embodiment of the present disclosure, the control module is further configured to: determining that the authorization status of the target domain name is abnormal in response to the upper domain name server not having the authoritative resource record; or determining that the authorization status of the target domain name is abnormal in response to the cached resource record being different from the authoritative resource record.
For example, in a domain name resolver provided in at least one embodiment of the present disclosure, the control module is further configured to: delete the cached information about the target domain name in the cache module in response to the authorization status of the target domain name being abnormal.
For example, in a domain name resolver provided in at least one embodiment of the present disclosure, the type of resource record includes a domain name server record, an address record, a mail record, a canonical name record, or a reverse query record.
At least one embodiment of the present disclosure also provides an electronic device, including: a memory non-transitory storing computer-executable instructions; and a processor configured to execute the computer-executable instructions, wherein the computer-executable instructions, when executed by the processor, implement the domain name detection method provided by any of the embodiments of the present disclosure.
At least one embodiment of the present disclosure further provides a non-transitory computer readable storage medium, where the non-transitory computer readable storage medium stores computer executable instructions that, when executed by a processor, implement the domain name detection method provided by any embodiment of the present disclosure.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present disclosure, the drawings of the embodiments will be briefly described below, and it is apparent that the drawings in the following description relate only to some embodiments of the present disclosure, not to limit the present disclosure.
FIG. 1 is a schematic diagram of a recursive resolution process for a domain name system;
FIG. 2 is a schematic diagram of an exemplary resource record;
FIG. 3 is a schematic diagram of a domain name detection method according to at least one embodiment of the present disclosure;
FIG. 4 is a schematic diagram of a domain name detection process provided in at least one embodiment of the present disclosure;
FIG. 5 is a schematic diagram of a domain name resolver according to at least one embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of an electronic device according to at least one embodiment of the present disclosure; and
FIG. 7 is a schematic diagram of a non-transitory computer readable storage medium provided by at least one embodiment of the present disclosure.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, the technical solutions of the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings of the embodiments of the present disclosure. It will be apparent that the described embodiments are some, but not all, of the embodiments of the present disclosure. All other embodiments, which can be made by one of ordinary skill in the art without the need for inventive faculty, are within the scope of the present disclosure, based on the described embodiments of the present disclosure.
Unless defined otherwise, technical or scientific terms used in this disclosure should be given the ordinary meaning as understood by one of ordinary skill in the art to which this disclosure belongs. The terms "first," "second," and the like, as used in this disclosure, do not denote any order, quantity, or importance, but rather are used to distinguish one element from another. The word "comprising" or "comprises", and the like, means that elements or items preceding the word are included in the element or item listed after the word and equivalents thereof, but does not exclude other elements or items. The terms "connected" or "connected," and the like, are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. "upper", "lower", "left", "right", etc. are used merely to indicate relative positional relationships, which may also be changed when the absolute position of the object to be described is changed.
The present disclosure is illustrated by the following several specific examples. Detailed descriptions of known functions and known parts (elements) may be omitted for the sake of clarity and conciseness in the following description of the embodiments of the present disclosure. When any part (element) of an embodiment of the present disclosure appears in more than one drawing, the part (element) is denoted by the same or similar reference numeral in each drawing.
A domain name consists of a series of character strings separated by dots and includes a domain name body part and a domain name suffix, e.g., the domain name body part of the domain name example. The body part typically contains an organization name or website name identifying the domain name owner or the website content; the suffix typically indicates the type of organization, or the country or region, to which the domain belongs.
The domain name space is hierarchical and is divided, from top to bottom, into the root domain name, top-level domain names (primary domain names), secondary domain names, tertiary domain names, and further levels. For example, "." is the root domain name, ".com" is a top-level (primary) domain name, "example.com" is a secondary domain name, and "a1.example.com" is a tertiary domain name. It should be noted that the final dot "." of a domain name is normally omitted, so "example.com" is strictly "example.com." and "a1.example.com" is strictly "a1.example.com.". In embodiments of the present disclosure, the final dot "." of a domain name is omitted for simplicity of illustration.
Adding a prefix to a domain name generates a subdomain name of that domain name; e.g., a1.example.com is a subdomain name of example.com, and a2.a1.example.com is a subdomain name of a1.example.com. Multiple levels of domain names may exist when a website is relatively large. A domain name can be used after registration and recording; a general user registers a secondary domain name, and a tertiary domain name, as a subdomain name of the secondary domain name, need not be registered again, because once the parent domain name is registered its subdomain names can be authorized and resolved directly by the parent domain name server.
A domain name server (Domain Name Server, DNS) converts between domain names and their corresponding IP addresses. A table for resolving domain names to their IP addresses is stored in the domain name server, so a user can obtain the IP address corresponding to a domain name by looking up the mapping between domain name and IP address recorded in that table.
As shown in FIG. 1, domain name servers can be classified into root domain name servers, top-level domain name servers, and authoritative domain name servers, according to the domain name information they mainly store, their roles in the domain name resolution process, and so on, corresponding to the hierarchy of the domain name space.
The root domain name servers are the most important domain name servers. Currently, 13 root domain name servers are deployed in total in the global Internet, and each root domain name server knows the domain names and IP addresses of all top-level domain name servers.
A top-level domain name server manages all secondary domain names authorized under it. The name of a top-level domain name server corresponds to the last suffix of a domain name, typically named after an industry, e.g., com, net, org, or an area, e.g., cn, us.
An authoritative domain name server is the domain name server responsible for one domain name area, i.e., each level of domain name area is owned and managed by its corresponding authoritative domain name server. The authoritative domain name server stores the mapping from the domain names of all hosts in its domain name area to their IP addresses, and every host with a domain name has its domain-name-to-IP-address mapping and other information stored on the authoritative domain name server of the network where the host is located. In other words, the authoritative domain name server is the domain name server that directly provides the resolution result: during domain name resolution, the IP address of a domain name can be obtained as soon as the authoritative domain name server for the queried domain name host is queried.
When resolving a domain name, the domain name resolver first searches the corresponding domain name information in its local cache; that is, if information about the queried domain name is stored in the domain name resolver, the resolver responds directly and sends the information about the queried domain name to the querying host. For example, as shown in FIG. 1, a client initiates a query (11) to the domain name resolver for the IP address of the domain name example.com.
If the cache of the domain name resolver does not hold information about the queried domain name, the domain name resolver asks other domain name servers whether they have that information through the recursive resolution flow until a query result is obtained, and finally sends the query result to the querying host.
The recursive resolution flow corresponds to the hierarchical domain name space and follows the hierarchy of domain name resolution from top to bottom. For example, when the domain name resolver receives a query from a client, it starts its own recursive resolution flow, beginning at the root domain name server and following the longest-suffix-match principle until it reaches the authoritative domain name server of the domain name queried by the user. That is, the authority server at the upper layer replies with the location of the domain name server at the next layer, the domain name resolver iteratively sends a query to that new domain name server, and finally obtains the authoritative reply, i.e., information such as the IP address of the domain name queried by the user.
As shown in FIG. 1, the client initiates a query request (11) to the domain name resolver to query the IP address of the domain name example.com.
After acquiring the IP address of the top-level domain name server, the domain name resolver re-initiates a query request (14) to the top-level domain name server to query the IP address of the domain name example.com.
Because the secondary domain name server is the authoritative domain name server managing the domain name example.com, when the domain name resolver initiates a query request (16) again, this time to the authoritative domain name server, to query the IP address of the domain name example.com, the authoritative domain name server replies (17) with the IP address of the domain name example.com, and this reply is the final authoritative reply result. Thus, the domain name resolver can finally reply (18) to the client with the IP address of the domain name example.com.
During the above resolution process, the domain name resolver stores the authoritative reply result and the domain name server results obtained along the way in its local cache for subsequent use. Therefore, when the domain name resolver receives a query for the same domain name (e.g., example.com) again, it can first check whether the authoritative reply result for example.com exists in the cache; if it does, the resolver can reply to the client faster without going through the recursive resolution process. Alternatively, the domain name resolver may first check whether the cache holds the result for the authoritative server managing example.com; for example, if the IP address of the authoritative server for example.com is in the cache, the resolver can query that authoritative server directly for the IP address of example.com, and the authoritative server, on receiving the resolver's query for example.com, replies with the IP address of example.com. This avoids a full top-down recursive resolution from the root, effectively reducing query time and improving query efficiency.
The authoritative reply result and the domain name server result are kept in the cache for a limited time, and the domain name resolver replies with the locally cached result only if the query is received within the cache validity period of the domain name. Once the cache validity period is exceeded, the data in the cache is cleared, and if the domain name is queried again, the domain name servers at each level must be queried iteratively through the recursive resolution flow. In some cases, a user may obtain the resource record of a domain name through a query operation, where the resource record includes the cache validity period of the domain name's related information in the domain name resolver.
FIG. 2 is a schematic diagram of an exemplary resource record. For example, a resource record may include the time to live (TTL) of the domain name, a network/protocol type, a resource record type, and resource record data. In embodiments of the disclosure, the time to live of the domain name may also be referred to as the cache validity period: the maximum duration for which a resource record may be kept in the cache of the domain name resolver, during which the domain name can be answered without a recursive resolution query. The network/protocol type refers to the protocol family supported by the system, such as IN. Resource record types include address records (A records), domain name server records (NS records), mail records (MX records), canonical name records (CNAME records), reverse query records (PTR records), and so on. The user may specify the type of resource record when querying a domain name; for example, as shown in FIG. 2, when the user queries the A record of the domain name s.example.com, the domain name resolver returns the IP address (e.g., 1.2.3.4) of s.example.com, and when the user queries the NS record of s.example.com, the resolver returns the domain name (e.g., ns.example.com) of the authoritative server for s.example.com. Note that the data of an NS record can only be a domain name, never an IP address.
If the authoritative reply result and the domain name server result for a domain name are cached in the domain name resolver, then when the user queries the domain name and wants to view the resolution process, the domain name resolver can present the cached information related to the domain name to the user, including an answer section (ANSWER SECTION), an authority section (AUTHORITY SECTION), an additional section (ADDITIONAL SECTION), and the like. The answer section is the answer to the user's query, i.e., the IP address corresponding to the queried domain name; the authority section shows the domain name server that directly provides the resolution result for the domain name, e.g., the NS record of the authoritative domain name server; the additional section shows the address of that domain name server, e.g., the A record of the authoritative domain name server.
For example, as shown in FIG. 2, when a user queries the A record of the domain name s.example.com, the domain name resolver may output not only the answer content ANS but also the authority information AUS and the additional information ADS. The ANS shows the A record of s.example.com as 1.2.3.4, with a cache validity period of 600 seconds for this resource record. The AUS shows the NS record of the domain name example.com as ns.example.com, with a cache validity period of 302400 seconds for this resource record. The ADS shows the A record of the domain name ns.example.com as 1.1.1.1, with a cache validity period of 604800 seconds for this resource record.
For example, the resource records for a domain name cached in the domain name resolver include NS records and glue records. Glue records are returned together with the DNS query result, so the number of recursive queries is greatly reduced and DNS recursive querying is sped up.
For example, in one example, the NS record of the domain name example.com is:
example.com NS ns.example.com
and the glue record for the domain name example.com is:
ns.example.com A 1.1.1.1
According to function, domain name servers can be further divided into resolving domain name servers and authority domain name servers (authoritative domain name servers). Like domain name resolution, domain name authorization is hierarchical: the upper domain name server is responsible for controlling and distributing all subdomain names under its domain name, i.e., the lower domain name area is reached by means of the authority server records stored in the upper domain name area, and the upper domain name area can authorize subdomain names to the lower domain name area. The authorization data of the upper domain name area includes the NS records of the domain name and the A records (IP addresses) of the corresponding domain name servers. The authorization data also has a cache validity period of its own, which indicates how long the authorization data may remain in a cache.
The layered domain name authorization mechanism provides top-down subdomain name allocation, so that the domain name servers at each layer can authorize subdomain names step by step, enabling convenient management and efficient expansion of domain names. When a recursive domain name server queries an authoritative domain name server for a domain name, the authoritative domain name server may reply with the complete IP address for the domain name or, if it does not store the IP address, direct the recursive domain name server to another authoritative domain name server.
Domain name revocation is the reverse of domain name authorization: it cancels or alters ownership of a domain name. For example, when a registered domain name expires and is not renewed, it is revoked, and when a domain name is abused for malicious attacks, the detected malicious domain name is revoked. The IP address or domain name server of the revoked domain name may be changed to point to a server of the legal authority, or the related information of the revoked domain name may be deleted from the domain name space. In other words, when a domain name is revoked, the executor must modify the authorization data for the domain name in the parent domain name area of the revoked domain name, so that the domain name can no longer be resolved successfully after revocation.
However, for a revoked domain name to stop resolving successfully, it is not enough to delete the authorization data in its parent domain name area; the cache validity period of that domain name in the domain name resolver must also expire entirely. That is, the domain name resolver deletes the cached information of the domain name only after its cache validity period expires; before then, unless the resolver re-acquires the updated authorization information through the recursive resolution query flow, it cannot learn that the domain name has been revoked and will not actively delete the cached information of the domain name. This gives an attacker a window of opportunity.
Because some domain name resolvers, after receiving a query for a domain name, preferentially use the authoritative reply result or the domain name server result from the local cache, once an attacker maliciously exploits the domain name as a ghost domain name or a dead domain name before its cache validity period expires, for example by refreshing or replacing the domain name authorization information held in the domain name resolver, the resolver resolves the domain name directly with the wrong information in its cache and directs users to IP addresses that carry security risks, causing significant risk and economic loss to users or domain name owners.
Inconsistency in the domain name authorization status seriously affects the accuracy of domain name resolution, so that neither the domain name resolver nor the user obtains valid results. Therefore, how to detect the authorization status of a domain name and ensure the consistency of that status is an urgent issue to be resolved.
At least one embodiment of the present disclosure provides a domain name detection method, including: acquiring the cache validity period of a target domain name in the cache of a domain name resolver; when the cache validity period of the target domain name expires, obtaining the cached resource record of the target domain name from the cache of the domain name resolver, and querying the authoritative resource record of the target domain name from the upper domain name server managing the target domain name; and comparing whether the cached resource record is consistent with the authoritative resource record.
The domain name detection method achieves consistency detection of the domain name authorization status by re-querying and verifying the resource record: the domain name resolver can judge whether the domain name authorization status is consistent by comparing the locally cached resource record of the domain name with the resource record obtained from the upper-layer domain name server, and the detection result can further be used to judge whether the target domain name is valid, whether a ghost domain name exists, whether there is a potential attack on or exploitation of a dead domain name, and whether there are hidden security risks, incorrect management configurations, and the like.
FIG. 3 is a schematic diagram of a domain name detection method according to at least one embodiment of the present disclosure. As shown in FIG. 3, the domain name detection method includes steps S100 to S300.
Step S100: obtaining the cache validity period of the target domain name in the cache of the domain name resolver.
Step S200: when the cache validity period of the target domain name expires, obtaining the cached resource record of the target domain name from the cache of the domain name resolver, and querying the authoritative resource record of the target domain name from the upper domain name server managing the target domain name.
Step S300: comparing whether the cached resource record is consistent with the authoritative resource record.
For example, step S100 may be performed at the moment the target domain name is cached in the domain name resolver, or at any time after the target domain name has been cached; the cache validity period obtained may be the time-to-live (TTL) of any one resource record of the target domain name in the cache of the domain name resolver, or the TTL of a specific resource record of the target domain name in that cache. The manner of obtaining the cache validity period is not limited by the embodiments of the present disclosure.
Because an attacker can attack at any time within the cache validity period of the target domain name, for example, related information of a subdomain name of the target domain name is maliciously injected when the cache validity period of the target domain name expires, or correct resource records in the original cache are maliciously covered when the cache validity period is about to expire, the verification opportunity of authorization consistency of the target domain name needs to be accurately grasped.
For example, in step S200, "when the cache validity period of the target domain name expires" means when the TTL of the target domain name is equal to 0 (or close to 0). For example, in one example, when the target domain name is cached in the domain name resolver, the TTL obtained in step S100 is 86400 seconds, and step S200 is executed 86400 seconds after step S100 is performed, that is, when TTL=0. Obtaining the cache resource record of the target domain name from the cache of the domain name resolver at the moment the cache validity period expires captures, to the greatest extent, a cache resource record that an attacker has maliciously injected or maliciously refreshed and overwritten, so that the hit rate of domain name authorization verification is improved.
As previously described, the security hole of the domain name resolver stems from the priority setting in the resolver's native framework. In order to reduce the number of queries and improve query efficiency, the domain name resolver preferentially searches the local cache and uses the domain name information found there to complete resolution; as long as the local cache can answer the query, the domain name resolver does not actively start the recursive resolution flow. That is, even if the related information of the domain name has already been deleted from the parent zone, the domain name resolver does not immediately learn that the state of the domain name has changed, and because the domain name resolver does not go through the recursive resolution query flow on every resolution, the related information of the domain name in the cache cannot be deleted immediately. Some solutions prevent such security vulnerabilities by changing the query framework of the domain name resolver, but this reduces query efficiency.
The domain name detection method provided by at least one embodiment of the present disclosure targets the domain name resolver and, by using the resolution mechanism and cache processing strategy of the domain name system, can resolve the disordered state caused by inconsistent domain name authorization without changing the well-established basic application mechanism of domain names. It thereby promotes consistent domain name authorization, mitigates the security threat posed by attacks such as ghost domain names or dead domain names, and does not affect query efficiency.
For example, in step S200, when the cache validity period of the target domain name expires, the upper domain name server managing the target domain name is queried for the authoritative resource record of the target domain name, which conforms to the query mechanism in the original architecture of the domain name resolver, that is, after the cache validity period expires, the cache of the domain name resolver is emptied, and after searching the cache and determining that there is no related information of the target domain name in the cache, the domain name resolver starts a recursive resolution query flow to query the upper domain name server managing the target domain name for the authoritative resource record of the target domain name. Therefore, when the cache effective period of the target domain name expires, recursive query is performed to acquire the authoritative resource record of the target domain name, the domain name resolution framework is not required to be changed, the original domain name resolution mechanism is not changed, and any novel role or attribute is not introduced, so that the method has extremely high applicability and integration. And when the cache effective period of the target domain name expires, query verification is performed once, the original resolution performance of the domain name is not affected, the extra load is extremely small, and the cost of domain name authorization consistency detection can be reduced.
For example, in step S300, the domain name resolver should compare the authoritative resource record of the target domain name obtained from the upper layer domain name server with the locally cached resource record. If the results are consistent, it indicates that the target domain name is valid and the domain name authority is consistent, and if the relevant record of the target domain name in the upper layer domain name server does not exist (for example, the target domain name has expired or been revoked) or is inconsistent with the results in the cache (for example, the relevant information of the target domain name at the authoritative server has been modified), it indicates that the cache in the domain name resolver may have been tampered with maliciously, and the target domain name may be in a maliciously authorized state.
For example, the domain name detection method provided in at least one embodiment of the present disclosure further includes: determining that the authorization status of the target domain name is abnormal in response to the fact that the upper domain name server does not have the authoritative resource record; or determining that the authorization status of the target domain name is abnormal in response to the cached resource record being different from the authoritative resource record.
For example, the domain name detection method provided in at least one embodiment of the present disclosure further includes: and deleting the cache information about the target domain name in the domain name resolver in response to the authorization status of the target domain name being abnormal.
For example, the domain name resolver may cache various resource records of the target domain name, such as a domain name server (NS) record, an address (A) record, a mail (MX) record, a canonical name (CNAME) record, or a reverse query (PTR) record. The cache validity periods of different resource records of the target domain name may differ. For example, in one example, the NS record of the domain name example.com has a cache validity period of 3 days and its A record a cache validity period of 7 days.
In at least one embodiment of the present disclosure, step S100 may obtain the cache validity period of a certain resource record (e.g., the NS record) of the target domain name in the cache of the domain name resolver, and in step S300, once the authorization status of the target domain name is found to be abnormal, all cache resource records related to the target domain name in the domain name resolver may be deleted, for example the NS record, the A record and the other resource records of the target domain name, so as to ensure that all cached information related to the target domain name is cleared and to prevent any remaining cache records from being reused by an attacker.
In at least one embodiment of the present disclosure, step S300 may, in addition to deleting the cache information of the target domain name in the domain name resolver, delete the cache information of domain names related to the target domain name, for example the cache information of all subdomains derived from the target domain name. For example, in one example, the target domain name is example.com, the cache of the domain name resolver also stores its subdomains s1.example.com and s2.example.com, and once the authorization status of the target domain name example.com is found to be abnormal, the domain name resolver may delete all cache information of the target domain name example.com together with all cache information of its subdomains s1.example.com and s2.example.com.
The domain name detection method will be described in detail below taking a domain name server record for acquiring a domain name as an example.
Fig. 4 is a schematic diagram of a domain name detection process according to at least one embodiment of the present disclosure. As shown in fig. 4, the client first queries (21) the domain name resolver for NS records of the domain name s.example.com. After receiving the query (21) request, the domain name resolver takes the domain name example.com as a target domain name, acquires the NS record of the target domain name example.com through recursion resolution query, caches the NS record of the target domain name example.com, and acquires the cache validity period TTL1 of the NS record of the target domain name example.com. For example, the target domain name example.com is authorized by the top-level domain name server, and authorization data of the target domain name example.com is stored in the top-level domain.
The domain name resolver may then query (22) the secondary domain name server for NS records of the domain name s.example.com and reply (23) the NS records of the domain name s.example.com to the client after querying the NS records of the domain name s.example.com.
For example, assume that the top-level domain deletes the authorization data for the target domain name example.com before TTL1 expires. Although the domain name resolver does not know that the state information of the target domain name example.com has changed before TTL1=0, when TTL1=0 the domain name resolver actively initiates a query (24) to the top-level domain name server to obtain the NS records of the target domain name example.com and compares them with the NS records of the target domain name example.com previously held in its local cache.
For example, in the example shown in fig. 4, since the top-level domain has deleted the NS record of the target domain name example.
The domain name resolver determines that the authorization status of the target domain name example.com is abnormal in response to the NS record of the target domain name example.com not being present in the top-level domain name server, and then deletes cache information in the cache regarding the target domain name example.com and the subdomain name s.example.com (also cached in the domain name resolver in the previous recursive query), such as NS records and Glue records of the target domain name example.com and the subdomain name s.example.com.
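The procedure of steps S100 to S300 and the Fig. 4 walkthrough above, as an added Python simulation that is not the patent's own code: the resolver cache model, the parent-zone stand-in, the names example.com, s.example.com and other.test, and every record value and TTL are constructed for the demonstration, and the class and function names (ResolverCache, ParentZone, check_authorization) are hypothetical.

```python
"""Simulation of the cache-consistency check described for steps S100-S300.

Added example, not the patent's own code. The resolver cache, the parent zone
and the record values below are constructed for the demonstration; names such
as ResolverCache, ParentZone and check_authorization are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

Key = Tuple[str, str]  # (owner name, record type), e.g. ("example.com", "NS")


@dataclass
class CacheEntry:
    rdata: FrozenSet[str]   # record data set, e.g. the NS targets
    expires_at: float       # absolute time at which the TTL reaches 0


@dataclass
class ResolverCache:
    """Minimal model of a recursive resolver's positive cache."""
    entries: Dict[Key, CacheEntry] = field(default_factory=dict)

    def put(self, name: str, rtype: str, rdata, ttl: int, now: float) -> None:
        self.entries[(name.lower(), rtype)] = CacheEntry(frozenset(rdata), now + ttl)

    def ttl_remaining(self, name: str, rtype: str, now: float) -> Optional[float]:
        """Step S100: cache validity period of a record (None if not cached)."""
        entry = self.entries.get((name.lower(), rtype))
        return None if entry is None else max(0.0, entry.expires_at - now)

    def purge_domain(self, name: str) -> int:
        """Delete every record of the name and of all its subdomains (glue included)."""
        name = name.lower()
        doomed = [k for k in self.entries
                  if k[0] == name or k[0].endswith("." + name)]
        for k in doomed:
            del self.entries[k]
        return len(doomed)


class ParentZone:
    """Stand-in for the upper (parent) authoritative server, e.g. the TLD."""
    def __init__(self, delegations: Dict[str, FrozenSet[str]]):
        self.delegations = {k.lower(): v for k, v in delegations.items()}

    def query_ns(self, name: str) -> Optional[FrozenSet[str]]:
        # None models "the parent holds no delegation (NS) record for this name"
        return self.delegations.get(name.lower())


def check_authorization(cache: ResolverCache, parent: ParentZone,
                        target: str, now: float) -> str:
    """Steps S200-S300, run when the target's cached NS TTL has reached 0.

    Returns one of:
      "not-due"     - TTL has not expired yet, nothing to verify
      "consistent"  - cached NS set equals the parent's delegation
      "abnormal"    - parent has no delegation, or the sets differ; all cache
                      entries of the target and its subdomains are purged
    """
    ttl = cache.ttl_remaining(target, "NS", now)
    if ttl is None or ttl > 0:
        return "not-due"
    cached = cache.entries[(target.lower(), "NS")].rdata       # cached RR
    authoritative = parent.query_ns(target)                    # re-query parent
    if authoritative is not None and authoritative == cached:
        return "consistent"
    cache.purge_domain(target)                                 # drop stale state
    return "abnormal"


def fig4_scenario() -> Tuple[str, int, bool]:
    """Constructed replay of the Fig. 4 walkthrough: parent drops the delegation
    while TTL1 is still running; the resolver only notices at TTL1 = 0."""
    cache = ResolverCache()
    parent = ParentZone({"example.com": frozenset({"ns1.example.com"})})
    # resolver learns and caches the delegation (TTL1 = 86400 s) at t = 0
    cache.put("example.com", "NS", {"ns1.example.com"}, 86400, now=0)
    cache.put("ns1.example.com", "A", {"198.51.100.10"}, 86400, now=0)  # glue
    cache.put("s.example.com", "NS", {"ns.s.example.com"}, 3600, now=0)
    cache.put("other.test", "A", {"203.0.113.5"}, 86400, now=0)  # unrelated name
    del parent.delegations["example.com"]   # parent removes the delegation
    early = check_authorization(cache, parent, "example.com", now=3600)
    late = check_authorization(cache, parent, "example.com", now=86400)
    # expected: "not-due/abnormal", 1 entry left, and other.test untouched
    return early + "/" + late, len(cache.entries), ("other.test", "A") in cache.entries
```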
The domain name detection method may be implemented by a domain name resolver, or by a domain name owner, registrar, or supervisor, and the subject of execution of the domain name detection method is not limited by the present disclosure. It should be noted that, the domain name detection method provided in at least one embodiment of the present disclosure may be performed by the domain name resolver, and does not need to rely on the indication of the domain name owner and the registry to perform the checking and correction of domain name authority.
The domain name detection method provided by at least one embodiment of the present disclosure can indicate an inconsistency of the domain name authorization state between the parent zone and the child zone and prompt the domain name owner to check and correct the authorization state of the domain name. In at least one embodiment, the domain name detection method can also actively end the inconsistent authorization state and directly discard the inconsistent results, so as to avoid being exploited by ghost domain name or dead domain name attacks. At the same time, the detection of domain name authorization consistency is promoted, and the reliability and security of the domain name resolution system are improved.
At least one embodiment of the present disclosure also provides a domain name resolver. Fig. 5 is a schematic diagram of a domain name resolver according to at least one embodiment of the present disclosure. As shown in fig. 5, the domain name resolver 30 includes a coupled acquisition module 32, caching module 31, and control module 33.
The acquisition module 32 is configured to obtain the cache validity period of the target domain name from the caching module 31, obtain the cache resource record of the target domain name in the caching module 31 when the cache validity period expires, and provide the cache validity period and the cache resource record to the control module 33;
the control module 33 is configured to query the upper domain name server managing the target domain name for an authoritative resource record of the target domain name when the caching validity period of the target domain name expires, and to compare whether the caching resource record is identical to the authoritative resource record.
For example, in at least one embodiment of the present disclosure, the control module 33 is further configured to: determining that the authorization status of the target domain name is abnormal in response to the fact that the upper domain name server does not have the authoritative resource record; or determining that the authorization status of the target domain name is abnormal in response to the cached resource record being different from the authoritative resource record.
For example, in at least one embodiment of the present disclosure, the control module 33 is further configured to: and deleting the cache information about the target domain name in the cache module in response to the authorization status of the target domain name being abnormal.
For example, in at least one embodiment of the present disclosure, the types of resource records include a domain name server record, an address record, a mail record, a canonical name record, or a reverse query record.
For the specific description of the acquisition module 32 and the control module 33, reference may be made to the description of the embodiments of the domain name detection method, which is not repeated here. The domain name resolver achieves technical effects similar to those of the domain name detection method described above, and they are not described again here.
At least one embodiment of the present disclosure further provides an electronic device, and fig. 6 is a schematic block diagram of an electronic device provided by at least one embodiment of the present disclosure.
For example, as shown in fig. 6, the electronic device includes a processor 1001, a communication interface 1002, a memory 1003, and a communication bus 1004. The processor 1001, the communication interface 1002, and the memory 1003 communicate with each other via the communication bus 1004, and the components of the processor 1001, the communication interface 1002, and the memory 1003 may communicate with each other via a network connection.
For example, the memory 1003 is used to store computer-executable instructions in a non-transitory manner. The processor 1001 is configured to execute the computer-executable instructions, which, when executed by the processor 1001, implement a domain name generation method or a domain name detection method provided according to any of the embodiments described above. For the specific implementation of each step of the domain name generation method or domain name detection method and the related explanations, reference may be made to the above, and details are not repeated herein.
For example, the processor 1001 may control other components in the electronic device to perform desired functions. The processor 1001 may be a Central Processing Unit (CPU), a Network Processor (NP), etc., and may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components. The Central Processing Unit (CPU) can be an X86 or ARM architecture, etc. For example, the processor 1001 executes a program stored in the memory 1003 to implement a domain name generating method or a domain name detecting method, which is the same as the above embodiment, and will not be described here again.
For example, communication bus 1004 may be a peripheral component interconnect standard (PCI) bus, or an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be classified as an address bus, a data bus, a control bus, or the like. For ease of illustration, the figures are shown with only one bold line, but not with only one bus or one type of bus. For example, the communication interface 1002 is used to enable communication between an electronic device and other devices.
For example, memory 1003 may include any combination of one or more computer program products, which may include various forms of computer-readable storage media, such as volatile memory and/or non-volatile memory. Volatile memory can include, for example, Random Access Memory (RAM) and/or cache memory. Non-volatile memory may include, for example, read-only memory (ROM), hard disk, erasable programmable read-only memory (EPROM), portable compact disc read-only memory (CD-ROM), USB memory, flash memory, and the like. One or more computer-executable instructions may be stored on the computer-readable storage medium, and the processor 1001 may execute them to implement various functions of the electronic device. Various applications and various data may also be stored in the storage medium. For a detailed description of how the electronic device performs the domain name generation method or the domain name detection method, reference may be made to the related description in the embodiments of those methods, which is not repeated.
Fig. 7 is a schematic diagram of a non-transitory computer readable storage medium according to at least one embodiment of the present disclosure. For example, as shown in FIG. 7, one or more computer-executable instructions 1101 may be stored non-transitory on the storage medium 1100. For example, the computer-executable instructions 1101, when executed by a processor, may perform one or more steps in accordance with the domain name generation method or domain name detection method described above.
For example, the storage medium 1100 may be applied to the electronic device 800 described above. For example, storage medium 1100 may include memory 1003 in an electronic device. The description of the storage medium 1100 may refer to the description of the memory 1003 in the embodiment of the electronic device, and the repetition is omitted.
While the disclosure has been described in detail with respect to the general description and the specific embodiments thereof, it will be apparent to those skilled in the art that certain modifications and improvements may be made thereto based on the embodiments of the disclosure. Accordingly, such modifications or improvements may be made without departing from the spirit of the disclosure and are intended to be within the scope of the disclosure as claimed.
For the purposes of this disclosure, the following points are also noted:
(1) The drawings of the embodiments of the present disclosure relate only to the structures related to the embodiments of the present disclosure, and other structures may refer to the general design.
(2) In the drawings for describing embodiments of the present disclosure, the thickness of layers or regions is exaggerated or reduced for clarity, i.e., the drawings are not drawn to actual scale.
(3) The embodiments of the present disclosure and features in the embodiments may be combined with each other to arrive at a new embodiment without conflict.
The foregoing is merely specific embodiments of the disclosure, but the scope of the disclosure is not limited thereto, and the scope of the disclosure should be determined by the claims.

Claims (10)

1. A domain name detection method, comprising:
acquiring a cache validity period of a target domain name in a cache of a domain name resolver;
when the cache validity period of the target domain name expires, obtaining a cache resource record of the target domain name in a cache of the domain name resolver, and inquiring an authoritative resource record of the target domain name from an upper domain name server for managing the target domain name;
and comparing whether the cache resource record is consistent with the authority resource record.
2. The domain name detection method according to claim 1, further comprising:
determining that the authorization status of the target domain name is abnormal in response to the upper domain name server not having the authoritative resource record; or
determining that the authorization status of the target domain name is abnormal in response to the cached resource record being different from the authoritative resource record.
3. The domain name detection method according to claim 2, further comprising:
deleting the cache information about the target domain name in the domain name resolver in response to the authorization status of the target domain name being abnormal.
4. A domain name detection method according to any of claims 1-3, wherein the type of resource record comprises a domain name server record, an address record, a mail record, a canonical name record or a reverse query record.
5. A domain name resolver comprises a coupled acquisition module, a cache module and a control module,
the acquisition module is configured to acquire a cache validity period of a target domain name from the cache module, acquire a cache resource record of the target domain name in the cache module when the cache validity period expires, and provide the cache validity period and the cache resource record to the control module;
the control module is configured to query an upper domain name server managing a target domain name for an authoritative resource record of the target domain name when the cache validity period of the target domain name expires, and compare whether the cache resource record is identical to the authoritative resource record.
6. The domain name resolver according to claim 5, wherein the control module is further configured to:
determining that the authorization status of the target domain name is abnormal in response to the upper domain name server not having the authoritative resource record; or
determining that the authorization status of the target domain name is abnormal in response to the cached resource record being different from the authoritative resource record.
7. The domain name resolver according to claim 6, wherein the control module is further configured to:
deleting the cache information about the target domain name in the cache module in response to the authorization status of the target domain name being abnormal.
8. The domain name resolver according to any of claims 5-7, wherein the type of resource record includes a domain name server record, an address record, a mail record, a canonical name record, or a reverse query record.
9. An electronic device, comprising:
a memory non-transitory storing computer-executable instructions;
a processor configured to execute the computer-executable instructions,
wherein the computer executable instructions, when executed by the processor, implement a domain name detection method according to any of claims 1-4.
10. A non-transitory computer readable storage medium storing computer executable instructions which when executed by a processor implement a domain name detection method according to any of claims 1-4.
CN202310973974.7A 2023-08-03 2023-08-03 Domain name detection method, domain name resolver, electronic device, and storage medium Pending CN116938875A (en)
Publications (1)

Publication Number Publication Date
CN116938875A true CN116938875A (en) 2023-10-24

Family

ID=88382554
Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN118055095A (en) * 2024-04-16 2024-05-17 中国电子信息产业集团有限公司第六研究所 Authoritative domain name server determination method and device, electronic equipment and storage medium
CN118055095B (en) * 2024-04-16 2024-06-07 中国电子信息产业集团有限公司第六研究所 Authoritative domain name server determination method and device, electronic equipment and storage medium
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination