CN117061247B - DNS-based traceability positioning method and device, electronic equipment and storage medium - Google Patents

Info

Publication number
CN117061247B
Authority
CN
China
Prior art keywords
address
dns
suspicious
request
determining
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311312903.9A
Other languages
Chinese (zh)
Other versions
CN117061247A (en)
Inventor
李广恺
李艺涛
贾东征
李建强
赵宁
吕青
赵悦楷
刘科栋
石光
张慧琳
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center
Priority to CN202311312903.9A
Publication of CN117061247A
Application granted
Publication of CN117061247B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2463/00 Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
    • H04L2463/146 Tracing the source of attacks

Abstract

The application relates to a DNS-based traceability positioning method, apparatus, electronic device and storage medium. The method comprises: acquiring a DNS response log of a DNS authoritative server; determining a first request address from the DNS response log, the first request address being a request address that queried the DNS authoritative server for the self-probing domain name; when the first request address differs from the local server address, determining the first request address to be a first suspicious address; determining, from the DNS response log, a second suspicious address corresponding to the first request address; and determining the address of the DNS hijacker from the second suspicious address. Tracing the request source hop by hop through the DNS response log of the DNS authoritative server accurately locates the hijacker's address and finds every related device on the hijacking path within the particular hijacking network, which simplifies locating and analysing the hijacker.

Description

DNS-based traceability positioning method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of network technologies, and in particular to a DNS-based traceability positioning method, apparatus, electronic device and storage medium.
Background
DNS hijacking is also known as domain name hijacking or DNS redirection. An attacker intercepts a user's DNS request message, or tampers with a domain name server's DNS records, in one of two ways: forging a domain name server or attacking a domain name server. The user then either receives no resolution result or receives a wrong one, with the effect that the intended site cannot be reached, or a fake website or a specific network is reached instead.
However, the hijack-locating methods disclosed so far can only locate the attack to the terminal, local DNS server, top-level domain name server and application server nodes, or discover the hijacked router node on the routing link from the client to the local recursive server; they still cannot identify information about the hijacker on the hijacked path.
Accordingly, a DNS-based traceability positioning method, apparatus, electronic device and storage medium are needed that solve one or more of the above problems.
Disclosure of Invention
In view of the above, in order to solve all or part of the above technical problems, embodiments of the present invention provide a DNS-based traceability positioning method, apparatus, electronic device and storage medium.
In a first aspect, the present application provides a DNS-based traceability positioning method, comprising:
acquiring a DNS response log of a DNS authoritative server;
determining a first request address from the DNS response log, the first request address being a request address that queried the DNS authoritative server for the self-probing domain name;
when the first request address differs from the local server address, determining the first request address to be a first suspicious address;
when the first request address is a first suspicious address, determining a second suspicious address corresponding to the first request address from the DNS response log;
and determining the DNS hijacker's address from the second suspicious address.
In one possible embodiment, the method further comprises:
the test machine sending a resolution request carrying the self-probing domain name to the local server, the self-probing domain name being a test domain name that the DNS authoritative server answers for;
and generating a DNS response log on the DNS authoritative server from that resolution request, authoritative domain name resolution software being deployed on the DNS authoritative server.
In one possible implementation, determining, from the DNS response log, the second suspicious address corresponding to the first request address comprises:
taking as suspicious records those DNS response log records whose lookup source address is the first suspicious address;
and determining the second suspicious address from the address information of the suspicious records, the self-probing domain name of the second suspicious address being the same as that of the first suspicious address.
In one possible implementation, determining the DNS hijacker's address from the second suspicious address comprises:
acquiring the address of the test machine;
and determining the DNS hijacker's address from the test machine address and the second suspicious address.
In one possible implementation, determining the DNS hijacker's address from the test machine address and the second suspicious address comprises:
when the second suspicious address equals the test machine address, determining that the first suspicious address corresponding to the second suspicious address in the DNS response log is the DNS hijacker's address;
and when the second suspicious address differs from the test machine address, determining that the first suspicious address corresponding to the second suspicious address in the DNS response log is a DNS hijack-related address, and repeating the step of determining the second suspicious address from the DNS response log with the second suspicious address taken as the new first suspicious address.
In one possible embodiment, the method further comprises:
adding the DNS hijacker's address and the DNS hijack-related addresses to a DNS hijacking blacklist;
when a first request address is determined from the DNS response log, matching the first request address against the DNS hijacking blacklist;
when the first request address matches an entry in the DNS hijacking blacklist, determining the DNS hijacker's address from the first request address;
and when the first request address matches no entry in the DNS hijacking blacklist, performing the step of comparing the first request address with the local server address.
In one possible implementation, determining the DNS hijacker's address from the first request address comprises:
when the first request address matches a DNS hijacker's address in the DNS hijacking blacklist, determining the first request address to be the DNS hijacker's address;
and when the first request address matches a DNS hijack-related address in the DNS hijacking blacklist, performing the step of obtaining the second suspicious address from the first suspicious address based on the DNS response log.
In a second aspect, the present application provides a DNS-based traceability positioning apparatus, comprising:
a first acquisition module, configured to acquire a DNS response log of a DNS authoritative server;
a first determining module, configured to determine a first request address from the DNS response log, the first request address being a request address that queried the DNS authoritative server for the self-probing domain name;
a comparison module, configured to determine the first request address to be a first suspicious address when the first request address differs from the local server address;
a second determining module, configured to determine, from the DNS response log, a second suspicious address corresponding to the first request address when the first request address is a first suspicious address;
and a positioning module, configured to determine the DNS hijacker's address from the second suspicious address.
In a third aspect, the present application provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the DNS-based traceability positioning method of any embodiment of the first aspect when executing the computer program.
In a fourth aspect, the present application provides a storage medium storing a computer program which, when executed by a processor, implements the steps of the DNS-based traceability positioning method of any embodiment of the first aspect.
In the DNS-based traceability positioning method described above, the chosen self-probing domain name is unique and its result cannot be cached by hijacking equipment in the network, so every answered test request generates a complete hijacking path. The request source is then traced hop by hop from the DNS response log of the DNS authoritative server, which accurately locates the hijacker's address, finds every related device on the hijacking path within the particular hijacking network, and makes locating and analysing the hijacker straightforward.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the invention and together with the description, serve to explain the principles of the invention.
In order to more clearly illustrate the embodiments of the invention or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, and it will be obvious to a person skilled in the art that other drawings can be obtained from these drawings without inventive effort.
One or more embodiments are illustrated by way of example and not limitation in the figures of the accompanying drawings, in which like references indicate similar elements, and in which the figures of the drawings are not to be taken in a limiting sense, unless otherwise indicated.
Fig. 1 is a diagram of a DNS-based traceability positioning test environment provided in an embodiment of the present application;
Fig. 2 is a schematic flow chart of a DNS-based traceability positioning method according to an embodiment of the present application;
Fig. 3 is a schematic flow chart of another DNS-based traceability positioning method according to an embodiment of the present application;
Fig. 4 is a schematic step flow diagram of a DNS-based traceability positioning method according to an alternative embodiment of the present application;
Fig. 5 is a structural block diagram of a DNS-based traceability positioning device according to an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the embodiments of the present application more clear, the technical solutions of the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is apparent that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present application based on the embodiments herein.
The following disclosure provides many different embodiments, or examples, for implementing different structures of the invention. In order to simplify the present disclosure, components and arrangements of specific examples are described below. They are, of course, merely examples and are not intended to limit the invention. Furthermore, the present invention may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed.
Existing research on locating hijacks concentrates on discovering and identifying DNS hijacking events and on improving the means of discovery: shortening discovery time, raising discovery accuracy, predicting the probability of an event, and so on. Because the covert nature of DNS hijacking equipment makes it hard to locate, current research focuses on identifying and locating that equipment, and gaps remain in DNS hijacking research. For example, patent CN104052755B proposes a cloud-platform-based system and method for detecting and locating DNS spoofing attacks, which can discover DNS hijacking attacks and analyse and locate where they occur; however, it can only locate the attack to the terminal, local DNS server, top-level domain name server and application server nodes, and cannot find information about the hijacker that actually launched the attack. For another example, patent CN113055405a provides a method for identifying and tracing a DNS bypass-answering device: it compares the measured distance from the terminal host to the DNS server with the theoretical distance to decide whether a bypass-answering device exists, and then traces to the particular hop router where the abnormal traffic hijacking occurs. That scheme can find the hijacked router node on the routing link from the client to the local recursive server, but cannot identify information about the hijacker on the hijacked path.
In short, existing schemes can only locate a DNS hijacking event to hijacked nodes in the DNS resolution flow, such as the client or the local recursive server, or to hijacked router nodes on the routing link from the client to the local recursive server. They cannot trace back further to the complete hijacking path or to the address or geographic location of the hijacking attacker, and therefore cannot directly stop the hijacking from recurring.
Fig. 1 is a schematic diagram of a DNS-based traceability positioning test environment provided in an embodiment of the present application. The environment comprises:
a test machine, hijacking equipment, hijack-related equipment, a DNS authoritative server and a local server.
In the hijacking network considered here, a query message sent by a client to the local recursive server is intercepted at some hop router and forwarded to a designated recursive server, which resolves the query through the authoritative servers at each level in turn. Once the hijacking equipment has the resolution result, it answers the client while forging the address of the local recursive server.
Specifically, several little-used test domain names are registered with any domain name registrar. The test machine sends a resolution request for a self-probing domain name to the local recursive server and waits for its response; if no response arrives, another self-probing domain name is chosen from the registered test domain names and the test machine keeps sending resolution requests to the local recursive server. Because the path is hijacked, the test machine is bound to receive a DNS response message forged by the hijacking equipment; the answer in that message matches the resolution result configured on the DNS authoritative server, because it originates from the DNS authoritative server.
Further, the DNS hijacking carried out at some hop router on the physical link between the test machine and the local server may use either bypass answering or policy-routing diversion, and the application can trace both hijacking methods.
In this embodiment, in the DNS-based traceability positioning test environment for the owned domain name, the little-used test domain name adopted is unique and its result is not cached by the hijacking devices in the network, so every answered test request must generate a complete hijacking path: test machine - hijacking device - hijack-related devices (there may be none) - DNS authoritative server hosting the owned domain name. Because the test request path contains all hijacking and hijack-related devices, it forms the basis for DNS-based traceability positioning.
Fig. 2 is a schematic flow chart of a DNS-based traceability positioning method according to an embodiment of the present application. As shown in Fig. 2, the method comprises:
S101, acquiring a DNS response log of a DNS authoritative server.
In this embodiment, in the self-probing domain name resolution environment, the DNS authoritative server is the authoritative server for the owned domain name, and the owned domain name is a little-used test domain name registered at the registry, such as testdns.com.
Further, on the registry's management website, the default NS record of the domain is changed to the address of the DNS authoritative server, for example by pointing the NS record ns1.testdns.com to the DNS authoritative server at 1.1.1.1, so that all subsequent requests are delegated to it from the top-level domain. When the hijacking equipment finds that the probed domain name is not cached, it starts forwarding recursively; the DNS authoritative server receives the DNS request from the hijacking path and generates the corresponding DNS response log entry for that resolution request.
S102, determining a first request address from the DNS response log, the first request address being a request address that queried the DNS authoritative server for the self-probing domain name.
In this embodiment, the first request addresses are all request addresses in the DNS response log that queried the DNS authoritative server for the self-probing domain name.
Further, the DNS response log of the DNS authoritative server is searched for the request sources that queried it for the self-probing domain name. That is, the log records whose domain name field is the self-probing domain name (the ones corresponding to the forged DNS response messages the test machine necessarily receives from the hijacking equipment) are looked up, their destination address fields are read, and the first request addresses are extracted from them; in this way the self-probing domain name yields every request address on the hijacking path.
S103, when the first request address differs from the local server address, determining the first request address to be a first suspicious address.
In this embodiment, there may be several first request addresses, and the local server is the recursive server. Each first request address is compared with the local server address; those equal to the local server address are excluded, and the remaining request addresses are taken as first suspicious addresses.
S104, when the first request address is a first suspicious address, determining a second suspicious address corresponding to the first request address from the DNS response log.
In this embodiment, once the first request address is determined to be a first suspicious address: the first suspicious address and the devices on its hijacking path send DNS requests to the DNS authoritative server, the test machine receives the DNS response message from the hijacking path, and the hijacking device obtains the same self-probing domain name answer as the DNS authoritative server. Because this process is recorded in the DNS response log, the content of the log records is used to find the second suspicious address corresponding to the first request address.
S105, determining the DNS hijacker's address from the second suspicious address.
In this embodiment, once the second suspicious address is determined, a preliminary link is formed: device at the second suspicious address - device at the first suspicious address - DNS authoritative server. Whether the first suspicious address is the DNS hijacker's address can be decided from the second suspicious address. If it is not, another device address exists in the link, which then reads: other device - device at the second suspicious address - device at the first suspicious address - DNS authoritative server. The second suspicious address is then used to look up that other device address, and whether the second suspicious address is the DNS hijacker's address is decided from it. This loop continues until the DNS hijacker's address is found.
The DNS-based traceability positioning method provided by this embodiment acquires the DNS response log of the DNS authoritative server; determines a first request address from the DNS response log, the first request address being a request address that queried the DNS authoritative server for the self-probing domain name; determines the first request address to be a first suspicious address when it differs from the local server address; determines, from the DNS response log, a second suspicious address corresponding to the first request address when it is a first suspicious address; and determines the DNS hijacker's address from the second suspicious address. The hijacker's address is thus located accurately and every related device on the hijacking path in the particular hijacking network is found.
In an alternative aspect of the embodiment of the present invention, before acquiring the DNS response log of the DNS authoritative server, the method further comprises:
the test machine sending a resolution request carrying the self-probing domain name to the local server, the self-probing domain name being a test domain name that the DNS authoritative server answers for;
and generating the corresponding DNS response log on the DNS authoritative server from that resolution request, authoritative domain name resolution software being deployed on the DNS authoritative server.
In this embodiment, the DNS authoritative server hosts the owned self-probing domain name: a set of authoritative domain name resolution software is deployed on the owned authoritative server and several A records for the self-probing domain name are configured. The uniqueness of the test domain name on the Internet must be ensured, so that a hijacking device on the hijacking path finds no cached answer for the probed domain name and has to forward the query recursively. The test machine then sends a resolution request carrying the self-probing domain name hosted by the DNS authoritative server to the local server, which ensures the hijacking device handles the same domain name as the DNS authoritative server.
Further, when the test machine sends a resolution request to the local server, a hijacking path forms between the test machine and the DNS authoritative server; the equipment on that path sends DNS requests to the DNS authoritative server, on which a set of authoritative domain name resolution software is deployed, and after receiving each DNS request the server resolves it and generates the corresponding DNS response log entry.
In an alternative aspect of the embodiment of the present invention, determining, from the DNS response log, the second suspicious address corresponding to the first request address comprises:
taking as suspicious records those DNS response log records whose lookup source address is the first suspicious address;
and determining the second suspicious address from the address information of the suspicious records, the self-probing domain name of the second suspicious address being the same as that of the first suspicious address.
In this embodiment, the source of the request through which the first suspicious address queried the owned probing domain name is found from the DNS response log: the DNS response log record whose source address is the first suspicious address and whose domain name is the first suspicious address's self-probing domain name is looked up, the destination address field of that record is read, and that address is provisionally taken as the second suspicious address, so the hijacking path is examined hop by hop.
Note that the lookup source addresses making up the hijacking path are themselves chained hop by hop. For example, if the hijacking path consists of the hijacker's address, a first hijack-related address and a second hijack-related address, then the lookup source address of the hijacker's address in the DNS response log is the first hijack-related address, and the lookup source address of the first hijack-related address is the second hijack-related address.
In an alternative aspect of the embodiment of the present invention, determining the DNS hijacker's address from the second suspicious address comprises:
acquiring the address of the test machine;
and determining the DNS hijacker's address from the test machine address and the second suspicious address.
In this embodiment, the test machine address is compared with the second suspicious address to decide whether the first suspicious address is the DNS hijacker's address. For example, if the second suspicious address equals the test machine address, the device at the second suspicious address on the hijacking path is the test machine itself, so the first suspicious address, sitting between the test machine and the DNS authoritative server, is inferred to be the DNS hijacker's address, and the device at that address is the only hijacking device on the path.
In an alternative aspect of the embodiment of the present invention, determining a DNS hijack address based on the tester address and the second suspicious address includes:
when the second suspicious address is consistent with the address of the testing machine, determining that a first suspicious address corresponding to the second suspicious address in a DNS response log is a DNS hijack address;
and when the second suspicious address is inconsistent with the address of the testing machine, determining that a first suspicious address corresponding to the second suspicious address in a DNS response log is a DNS hijack correlator address, and re-executing the step of determining the second suspicious address corresponding to the first request address by using the DNS response log by taking the second suspicious address as a new first suspicious address.
In this embodiment, the hijacking path has two cases, the first case is a tester-hijacking device-DNS authoritative server, in which the DNS authoritative server receives a DNS request from the hijacking device, then the tester receives a DNS reply message from the hijacking device, the second case is a tester-hijacking device-hijacking related device 1-hijacking related device 2- … -DNS authoritative server, in which the DNS authoritative server receives a step-by-step DNS request from the hijacking device and the hijacking related device in the hijacking path, and then the tester receives a step-by-step DNS reply message from the hijacking device and the hijacking related device in the hijacking path.
Further, judging whether a second suspicious address of the first suspicious address serving as a search source of the probe domain name request is a tester address, if the second suspicious address is the tester address, indicating that the first suspicious address is a unique hijacking address of the whole hijacking path, if not, the hijacking path has a hijacking correlator address besides the hijacking address, and if the first suspicious address is the hijacking correlator address, the first suspicious address needs to continuously search the hijacking address according to the search source according to a DNS response log.
For example, if the second suspicious address is the address of the testing machine, tracing ends and the first suspicious address is determined to be the address of the DNS hijacking attacker. If instead the second suspicious address is not the address of the testing machine, the second suspicious address is the device that forwarded the own probe domain name request to the first suspicious address; the step that obtained the second suspicious address from the first suspicious address is repeated with the second suspicious address in the role of the first, and the chain is followed back in this way until the record whose search source is the tester is reached. This address tracing method finds the address of the attacker that originally initiated the DNS hijacking together with the related devices on the hijacking path, and is easy to operate and analyse.
Fig. 3 is a flow chart of another DNS-based tracing positioning method according to an embodiment of the present application, as shown in fig. 3, where the method specifically includes:
S201, adding the DNS hijack address and the DNS hijack correlator address to a DNS hijack blacklist;
S202, when a first request address is determined from the DNS response log, matching the first request address against the DNS hijack blacklist;
S203, when the first request address is matched in the DNS hijack blacklist, determining the DNS hijack address according to the first request address;
S204, when the first request address is not matched in the DNS hijack blacklist, executing the step of comparing the first request address with the local server address.
In this embodiment, once a DNS hijack address has been located by the DNS-based trace, the located DNS hijack address and the DNS hijack correlator addresses are added to a DNS hijack blacklist, which allows hijack addresses and correlator addresses to be located quickly in subsequent DNS-based traces. Specifically, when a first request address is obtained again it is matched against the DNS hijack blacklist. A match means that the device at the first request address has already been identified as a hijacking device or a hijack-related device. No match only means that the request address has not yet been recorded in the blacklist, so the step of comparing the first request address with the local server address is executed to judge whether it is a DNS hijack address or a DNS hijack correlator address. The DNS hijack blacklist therefore lets repeat activity by already-identified hijacking devices be recognised during tracing without re-running the full trace.
In an optional aspect of this embodiment, determining the DNS hijack address according to the first request address includes:
when the first request address matches a DNS hijack address in the DNS hijack blacklist, determining that the first request address is the DNS hijack address;
and when the first request address matches a DNS hijack correlator address in the DNS hijack blacklist, executing the step of obtaining a second suspicious address from the first suspicious address based on the DNS response log.
In this embodiment, when the first request address is matched in the DNS hijack blacklist there are two cases: the first request address is a DNS hijack address, or it is a DNS hijack correlator address. In the latter case a DNS hijacking device exists on the hijacking path that contains the first request address; the second suspicious address corresponding to the first suspicious address can be determined from the DNS response log generated by the DNS authoritative server on that path, and the DNS hijack address is then obtained from the second suspicious address, which improves the efficiency of tracing the hijacking device.
Fig. 4 is a schematic step flow diagram of the DNS-based tracing positioning method according to an embodiment of the present application; as shown in fig. 4, the steps are as follows:
The testing machine sends a resolution request for its own probe domain name to the DNS authoritative server through the hijacking path, and it is judged whether the DNS authoritative server has responded. If not, another own probe domain name registered with any domain name registrar is substituted and the resolution request is sent again. If so, the DNS response log is queried: the request address that queried the probe domain name and is not the local recursive server is preliminarily determined to be the first suspicious address; the DNS response log is then searched, and the address from which the first suspicious address received the request for the probe domain name is preliminarily determined to be the second suspicious address. It is then judged whether the second suspicious address is the address of the testing machine. If it is, the current first suspicious address is the address of the DNS hijacking attacker. If it is not, the second suspicious address is taken as the new first suspicious address, the new second suspicious address corresponding to it is found in the same way, and this continues until the hijack address is determined; every first suspicious address passed through during this process is a hijack correlator address on the hijacking chain. The DNS-based hijacking tracing positioning method, combining DNS with hop-by-hop search of the DNS resolution log, can find all relevant devices on the hijacking path within a specific hijacked network and accurately locate the address of the initiator of the hijacking attack.
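The following Python example is added here and is not part of the patent nor of any implementation by the applicant. It runs the trace described above over a constructed DNS response log: the decision between DNS hijack address and DNS hijack correlator address by comparison with the tester address, the DNS hijack blacklist fast path of S201-S204, and the overall flow of fig. 4. The log line format, the field names `from` and `via`, the sample addresses and domain names, and the assumption that the log holds one record per hop of the hijacking path are all assumptions of the example, not details given by the patent.

```python
"""DNS-based trace of a hijacking path over an authoritative server's response log.

Added example, not the patent's code. Assumed (not given by the patent):
  * each log line reads "<ts> qname=<name> from=<addr> via=<addr>", where `from` is the
    address that sent the query to the authoritative server and `via` is the address that
    handed the query to `from` (the record's "address information");
  * as the description assumes, the log holds one record per hop of the hijacking path.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

LOG_RE = re.compile(r"qname=(?P<qname>\S+)\s+from=(?P<src>\S+)\s+via=(?P<via>\S+)")

# Constructed sample log. Tester 198.51.100.7, local recursive resolver 192.0.2.53,
# own probe domain probe1.example.test. The first query took the legitimate path; the
# hijacked query travelled 198.51.100.7 -> 203.0.113.42 -> 203.0.113.41 -> 203.0.113.40.
SAMPLE_LOG = """\
2023-10-11T09:00:01Z qname=probe1.example.test from=192.0.2.53 via=198.51.100.7
2023-10-11T09:00:02Z qname=probe1.example.test from=203.0.113.40 via=203.0.113.41
2023-10-11T09:00:02Z qname=probe1.example.test from=203.0.113.41 via=203.0.113.42
2023-10-11T09:00:02Z qname=probe1.example.test from=203.0.113.42 via=198.51.100.7
2023-10-11T09:00:03Z qname=other.example.test from=203.0.113.40 via=198.51.100.9
"""


@dataclass
class Record:
    qname: str
    src: str   # request address seen by the authoritative server
    via: str   # search source: the address that forwarded the query to `src`


@dataclass
class Blacklist:
    hijack: set = field(default_factory=set)       # DNS hijack addresses (S201)
    correlator: set = field(default_factory=set)   # DNS hijack correlator addresses


@dataclass
class Trace:
    hijack: Optional[str]   # device that received the probe query directly from the tester
    correlators: list       # further devices on the path, nearest the authoritative first
    reason: str


def parse_log(text: str) -> list:
    """Parse the assumed log format; lines that do not match are ignored."""
    return [Record(m["qname"], m["src"], m["via"])
            for m in map(LOG_RE.search, text.splitlines()) if m]


def follow_path(records: list, probe: str, first_suspicious: str, tester: str) -> Trace:
    """Walk the search-source chain back from a first suspicious address.

    Each hop whose search source is not the tester is a correlator address; the hop
    whose search source is the tester is the DNS hijack address.
    """
    correlators, current, visited = [], first_suspicious, set()
    while True:
        visited.add(current)
        sources = {r.via for r in records if r.qname == probe and r.src == current}
        if not sources:
            return Trace(None, correlators, f"no record with request address {current}")
        if tester in sources:
            return Trace(current, correlators, "reached tester")
        second = sorted(sources)[0]          # several sources: pick one deterministically
        correlators.append(current)
        if second in visited:                # forwarding loop: the walk would never end
            return Trace(None, correlators, f"loop at {second}")
        current = second


def locate_hijack(records: list, probe: str, local_resolver: str, tester: str,
                  blacklist: Optional[Blacklist] = None) -> Trace:
    """Main flow of fig. 4 with the blacklist fast path of S201-S204."""
    blacklist = blacklist if blacklist is not None else Blacklist()
    request_addrs = [r.src for r in records if r.qname == probe]
    if not request_addrs:
        return Trace(None, [], "no response for probe domain; switch to another probe domain")
    last_inconclusive = None
    for addr in dict.fromkeys(request_addrs):          # log order, duplicates dropped
        if addr in blacklist.hijack:                    # S203: already known hijack address
            return Trace(addr, [], "matched blacklist as hijack address")
        if addr in blacklist.correlator:                # S203: known correlator, walk from it
            return follow_path(records, probe, addr, tester)
        if addr == local_resolver:                      # expected path, not suspicious
            continue
        result = follow_path(records, probe, addr, tester)
        if result.hijack:
            blacklist.hijack.add(result.hijack)         # S201
            blacklist.correlator.update(result.correlators)
            return result
        last_inconclusive = result
    return last_inconclusive or Trace(None, [], "only the local resolver queried the probe domain")


if __name__ == "__main__":
    bl = Blacklist()
    print(locate_hijack(parse_log(SAMPLE_LOG), "probe1.example.test",
                        "192.0.2.53", "198.51.100.7", bl))
    print(bl)
```

Two checks that the description leaves implicit are made explicit here: the walk stops when an address repeats, because a forwarding loop between hijacking devices would otherwise never reach the tester, and an inconclusive walk is reported with its reason instead of returning the nearest address as if it were the attacker.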
Fig. 5 is a schematic structural diagram of a DNS-based tracing positioning device according to an embodiment of the present application; as shown in fig. 5, the device specifically includes:
a first obtaining module 301, configured to obtain a DNS response log of a DNS authoritative server;
a first determining module 302, configured to determine a first request address from the DNS response log, where the first request address is a request address that queries a DNS authoritative server for a probe domain name in the DNS response log;
a comparing module 303, configured to determine that the first request address is a first suspicious address when the first request address is inconsistent with a local server address;
a second determining module 304, configured to determine, when the first request address is a first suspicious address, a second suspicious address corresponding to the first request address using a DNS response log;
a positioning module 305, configured to determine a DNS hijack address according to the second suspicious address.
In one possible embodiment, the DNS-based traceability positioning apparatus further includes (not shown in the figure):
a second obtaining module 306, configured to acquire the resolution request, carrying the own probe domain name, that the testing machine sends to the local server, where the own probe domain name is a test domain name answered by the DNS authoritative server;
a log generating module 307, configured to generate the corresponding DNS response log in the DNS authoritative server according to the resolution request.
In a possible implementation manner, the second determining module 304 is specifically configured to obtain, as suspicious records, the log records in the DNS response log whose search source address is the first suspicious address; and to determine a second suspicious address from the address information of the suspicious records, where the own probe domain name of the second suspicious address is the same as the own probe domain name of the first suspicious address.
In one possible implementation, the positioning module 305 is specifically configured to obtain a tester address; and to determine the DNS hijack address based on the tester address and the second suspicious address.
In a possible implementation manner, the positioning module 305 is further configured to determine, when the second suspicious address is consistent with the tester address, that the first suspicious address corresponding to the second suspicious address in the DNS response log is the DNS hijack address;
and, when the second suspicious address is inconsistent with the tester address, to determine that the first suspicious address corresponding to the second suspicious address in the DNS response log is a DNS hijack correlator address, to take the second suspicious address as the new first suspicious address, and to re-execute the step of determining the second suspicious address corresponding to the first request address by using the DNS response log.
In one possible embodiment, the DNS-based traceability positioning apparatus further includes (not shown in the figure):
an adding module 308, configured to add the DNS hijack address and the DNS hijack correlator address to a DNS hijack blacklist;
a matching module 309, configured to match the first request address against the DNS hijack blacklist when a first request address is determined from the DNS response log;
a first execution module 310, configured to determine the DNS hijack address according to the first request address when the first request address is matched in the DNS hijack blacklist;
a second execution module 311, configured to execute the step of comparing the first request address with the local server address when the first request address is not matched in the DNS hijack blacklist.
The DNS-based tracing positioning device provided in this embodiment may be the DNS-based tracing positioning device shown in fig. 5, and may perform all steps of the DNS-based tracing positioning method shown in fig. 1-4 so as to achieve the technical effects of DNS-based tracing positioning shown in fig. 1-4; for details refer to the description of fig. 1-4, which is not repeated here.
The apparatus embodiments described above are merely illustrative, wherein the elements illustrated as separate elements may or may not be physically separate, and the elements shown as elements may or may not be physical elements, may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
Fig. 6 is a schematic structural diagram of an electronic device provided in an embodiment of the present application, and as shown in fig. 6, the embodiment of the present application provides an electronic device including a processor 401, a communication interface 402, a memory 403, and a communication bus 404, where the processor 401, the communication interface 402, and the memory 403 complete communication with each other through the communication bus 404; a memory 403 for storing a computer program; the processor 401 is configured to implement the steps of the DNS-based tracing positioning method provided by any one of the foregoing method embodiments when executing the program stored in the memory 403:
acquiring a DNS response log of a DNS authoritative server; determining a first request address from the DNS response log, wherein the first request address is a request address that queries the DNS authoritative server for an own probe domain name in the DNS response log; when the first request address is inconsistent with the local server address, determining that the first request address is a first suspicious address; when the first request address is a first suspicious address, determining a second suspicious address corresponding to the first request address by using the DNS response log; and determining the DNS hijack address according to the second suspicious address.
In one possible implementation, the resolution request that the testing machine sends to the local server carrying its own probe domain name is acquired, wherein the own probe domain name is a test domain name answered by the DNS authoritative server; and the DNS response log is generated in the DNS authoritative server according to the resolution request.
In one possible implementation, the log records in the DNS response log whose search source address is the first suspicious address are obtained as suspicious records; and a second suspicious address is determined from the address information of the suspicious records, wherein the own probe domain name of the second suspicious address is the same as that of the first suspicious address.
In one possible implementation, a tester address is obtained; and the DNS hijack address is determined based on the tester address and the second suspicious address.
In one possible implementation, when the second suspicious address is consistent with the tester address, the first suspicious address corresponding to the second suspicious address in the DNS response log is determined to be the DNS hijack address; and when the second suspicious address is inconsistent with the tester address, the first suspicious address corresponding to the second suspicious address in the DNS response log is determined to be a DNS hijack correlator address, the second suspicious address is taken as the new first suspicious address, and the step of determining the second suspicious address corresponding to the first request address by using the DNS response log is re-executed.
In one possible implementation, the DNS hijack address and the DNS hijack correlator address are added to a DNS hijack blacklist; when a first request address is determined from the DNS response log, the first request address is matched against the DNS hijack blacklist; when the first request address is matched in the DNS hijack blacklist, the DNS hijack address is determined according to the first request address; and when the first request address is not matched in the DNS hijack blacklist, the step of comparing the first request address with the local server address is executed.
In one possible implementation, when the first request address matches a DNS hijack address in the DNS hijack blacklist, the first request address is determined to be the DNS hijack address; and when the first request address matches a DNS hijack correlator address in the DNS hijack blacklist, the step of obtaining a second suspicious address from the first suspicious address based on the DNS response log is executed.
The embodiment of the invention also provides a storage medium (computer readable storage medium). The storage medium here stores one or more programs. Wherein the storage medium may comprise volatile memory, such as random access memory; the memory may also include non-volatile memory, such as read-only memory, flash memory, hard disk, or solid state disk; the memory may also comprise a combination of the above types of memories.
When the one or more programs stored in the storage medium are executed by one or more processors, the DNS-based traceability positioning method provided by any one of the foregoing method embodiments is implemented, that is, the processor executes the stored program to carry out the following steps:
acquiring a DNS response log of a DNS authoritative server; determining a first request address from the DNS response log, wherein the first request address is a request address that queries the DNS authoritative server for an own probe domain name in the DNS response log; when the first request address is inconsistent with the local server address, determining that the first request address is a first suspicious address; when the first request address is a first suspicious address, determining a second suspicious address corresponding to the first request address by using the DNS response log; and determining the DNS hijack address according to the second suspicious address.
The possible implementations listed above for the electronic device, namely generating the DNS response log from the resolution request that the testing machine sends to the local server, selecting suspicious records by search source address, deciding between DNS hijack address and DNS hijack correlator address by comparison with the tester address, and the use of the DNS hijack blacklist, apply to the storage medium in the same way and are not repeated here.
From the above description of embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus a general purpose hardware platform, or may be implemented by hardware. Based on such understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the related art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform the method described in the respective embodiments or some parts of the embodiments.
It is to be understood that the terminology used herein is for the purpose of describing particular example embodiments only, and is not intended to be limiting. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. The terms "comprises," "comprising," "includes," "including," and "having" are inclusive and therefore specify the presence of stated features, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, elements, components, and/or groups thereof. The method steps, processes, and operations described herein are not to be construed as necessarily requiring their performance in the particular order described or illustrated, unless an order of performance is explicitly stated. It should also be appreciated that additional or alternative steps may be used.
The foregoing is only a specific embodiment of the invention to enable those skilled in the art to understand or practice the invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. A DNS-based traceability positioning method, characterized by comprising the following steps:
acquiring a DNS response log of a DNS authoritative server;
determining a first request address from the DNS response log, wherein the first request address is a request address that queries the DNS authoritative server for an own probe domain name in the DNS response log;
when the first request address is inconsistent with a local server address, determining that the first request address is a first suspicious address;
when the first request address is a first suspicious address, determining a second suspicious address corresponding to the first request address by using the DNS response log, which comprises: acquiring, as suspicious records, the log records in the DNS response log whose search source address is the first suspicious address; and determining a second suspicious address from the address information of the suspicious records, wherein the own probe domain name of the second suspicious address is the same as the own probe domain name of the first suspicious address;
determining a DNS hijack address according to the second suspicious address, which comprises: acquiring an address of a tester; and determining the DNS hijack address based on the tester address and the second suspicious address;
wherein determining the DNS hijack address based on the tester address and the second suspicious address comprises: when the second suspicious address is consistent with the tester address, determining that the first suspicious address corresponding to the second suspicious address in the DNS response log is the DNS hijack address; and when the second suspicious address is inconsistent with the tester address, determining that the first suspicious address corresponding to the second suspicious address in the DNS response log is a DNS hijack correlator address, taking the second suspicious address as a new first suspicious address, and re-executing the step of determining the second suspicious address corresponding to the first request address by using the DNS response log.
2. The method according to claim 1, characterized in that the method further comprises:
acquiring a resolution request, carrying an own probe domain name, that a testing machine sends to a local server, wherein the own probe domain name is a test domain name answered by the DNS authoritative server;
and generating the DNS response log in the DNS authoritative server according to the resolution request, wherein authoritative domain name resolution software is deployed on the DNS authoritative server.
3. The method according to claim 1, characterized in that the method further comprises:
adding the DNS hijack address and the DNS hijack correlator address to a DNS hijack blacklist;
when a first request address is determined from the DNS response log, matching the first request address against the DNS hijack blacklist;
when the first request address is matched in the DNS hijack blacklist, determining the DNS hijack address according to the first request address;
and when the first request address is not matched in the DNS hijack blacklist, executing the step of comparing the first request address with the local server address.
4. The method according to claim 3, characterized in that determining the DNS hijack address according to the first request address comprises:
when the first request address matches a DNS hijack address in the DNS hijack blacklist, determining that the first request address is the DNS hijack address;
and when the first request address matches a DNS hijack correlator address in the DNS hijack blacklist, executing the step of determining the second suspicious address corresponding to the first request address by using the DNS response log.
5. A DNS-based traceability positioning device, characterized by comprising:
a first acquisition module, configured to acquire a DNS response log of a DNS authoritative server;
a first determining module, configured to determine a first request address from the DNS response log, wherein the first request address is a request address that queries the DNS authoritative server for an own probe domain name in the DNS response log;
a comparison module, configured to determine that the first request address is a first suspicious address when the first request address is inconsistent with a local server address;
a second determining module, configured to determine, when the first request address is a first suspicious address, a second suspicious address corresponding to the first request address by using the DNS response log, which comprises: acquiring, as suspicious records, the log records in the DNS response log whose search source address is the first suspicious address; and determining a second suspicious address from the address information of the suspicious records, wherein the own probe domain name of the second suspicious address is the same as the own probe domain name of the first suspicious address;
a positioning module, configured to determine a DNS hijack address according to the second suspicious address, which comprises: acquiring an address of a tester; and determining the DNS hijack address based on the tester address and the second suspicious address;
wherein determining the DNS hijack address based on the tester address and the second suspicious address comprises: when the second suspicious address is consistent with the tester address, determining that the first suspicious address corresponding to the second suspicious address in the DNS response log is the DNS hijack address; and when the second suspicious address is inconsistent with the tester address, determining that the first suspicious address corresponding to the second suspicious address in the DNS response log is a DNS hijack correlator address, taking the second suspicious address as a new first suspicious address, and re-executing the step of determining the second suspicious address corresponding to the first request address by using the DNS response log.
6. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the DNS-based traceability positioning method according to any of the claims 1-4 when the computer program is executed by the processor.
7. A storage medium having stored thereon a computer program, which when executed by a processor implements the DNS-based tracing positioning method steps of any one of claims 1-4.
CN202311312903.9A 2023-10-11 2023-10-11 DNS-based traceability positioning method and device, electronic equipment and storage medium Active CN117061247B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311312903.9A CN117061247B (en) 2023-10-11 2023-10-11 DNS-based traceability positioning method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN117061247A CN117061247A (en) 2023-11-14
CN117061247B true CN117061247B (en) 2024-01-05

Family

ID=88653924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311312903.9A Active CN117061247B (en) 2023-10-11 2023-10-11 DNS-based traceability positioning method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117061247B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102404318A (en) * 2011-10-31 2012-04-04 杭州迪普科技有限公司 Method and device for prevention of DNS (Domain Name Server) cathe attack
CN104618351A (en) * 2015-01-15 2015-05-13 中国科学院信息工程研究所 Method for identifying DNS spoofing attack packet and detecting DNS spoofing attack
CN108650211A (en) * 2018-03-14 2018-10-12 北京奇艺世纪科技有限公司 A kind of detection method and device of DNS abduction
CN111935123A (en) * 2020-08-04 2020-11-13 广东科徕尼智能科技有限公司 Method, equipment and storage medium for detecting DNS spoofing attack

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9270693B2 (en) * 2013-09-19 2016-02-23 The Boeing Company Detection of infected network devices and fast-flux networks by tracking URL and DNS resolution changes

Also Published As

Publication number Publication date
CN117061247A (en) 2023-11-14

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant