CN118413449A - Method and system for evaluating user scale of recursion resolver from outside - Google Patents


Info

Publication number
CN118413449A
Authority
CN
China
Prior art keywords
recursion
resolver
dns
response
user
Prior art date
Legal status
Pending
Application number
CN202410496284.1A
Other languages
Chinese (zh)
Inventor
韩晗
刘美辰
赵芸伟
王鲁华
李艺涛
Current Assignee
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center

Abstract

The invention provides a method and a system for evaluating the user scale of a recursion resolver from the outside, which relate to the technical field of data processing, and the method comprises the following steps: measuring and analyzing attribute characteristics of recursion resolvers of different user scale grades according to the divided user quantity grades to obtain a measurement result; analyzing attribute characteristics of the recursion resolvers of different user grades according to the measurement result to obtain response time delay and response IP quantity of the recursion resolvers; acquiring response time delay, response IP quantity and configuration attribute of the recursion resolver through an attribute configuration module; acquiring and analyzing passive data; and constructing a multi-attribute evaluation model according to the response time delay, the response IP number, the configuration attribute and the passive data of the recursion resolver, and evaluating the user scale level of the DNS recursion resolver. The present invention can evaluate the user scale of a recursive resolver from multidimensional data.

Description

Method and system for evaluating user scale of recursion resolver from outside
Technical Field
The invention relates to the technical field of data processing, in particular to a method and a system for evaluating the user scale of a recursion resolver from the outside.
Background
The domain name system (DNS) is a cornerstone of internet operation and one of the most important infrastructures of the internet. DNS recursion resolvers play an important role in the domain name system: they cache resolved domain name records to improve query performance and reduce DNS server load. In addition, a recursion resolver can handle various types of DNS queries, such as A records, AAAA records, CNAME records, etc., and supports related DNS protocol functions such as DNS security extensions (DNSSEC). Assessing the user size of recursion resolvers helps regulatory authorities grasp the service condition of DNS recursion servers and further optimize network resource allocation to provide more efficient and reliable domain name resolution service, while also providing important data references for researchers.
For measuring the user size of a recursive resolver, most research has focused on methods based on passive DNS traffic, using supervised or unsupervised learning to generate user fingerprints from DNS requests, which are then used to identify users. However, such methods suffer from the difficulty of acquiring the traffic data of the recursion resolver, produce inaccurate and incomplete results, and can only measure the user scale of an individual recursion resolver.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a system for evaluating the user scale of a recursion resolver from the outside, wherein the user scale of the recursion resolver is evaluated from multidimensional data by combining active data and passive data.
In order to solve the technical problems, the technical scheme of the invention is as follows:
In a first aspect, a method of assessing recursive resolver user size from outside, the method comprising:
Analyzing the local user quantity of the known recursion resolver through a regional user request quantity module, and classifying the local user quantity according to the grades to obtain the classified user quantity grades;
measuring and analyzing attribute characteristics of recursion resolvers of different user scale grades according to the divided user quantity grades to obtain a measurement result;
analyzing attribute characteristics of the recursion resolvers of different user grades according to the measurement result to obtain response time delay and response IP quantity of the recursion resolvers;
Acquiring response time delay, response IP quantity and configuration attribute of the recursion resolver through an attribute configuration module;
Acquiring and analyzing passive data;
And constructing a multi-attribute evaluation model according to the response time delay, the response IP number, the configuration attribute and the passive data of the recursion resolver, and evaluating the user scale level of the DNS recursion resolver.
Further, the attribute features include response delay, number of response IPs, PTR record status, software version, EDNS support status, and support status of the encryption protocols DoH and DoT.
Further, the passive data includes DNS public data source and DNS service provider information.
Further, obtaining the response delay of the recursion resolver includes:
requesting the recursion resolver to query the A record of the domain name by using the domain name resolution module;
acquiring the time T1 from the user sending the domain name request to receiving the response packet;
calculating a network consumption time T2 from the user to the DNS recursion server by utilizing the ping command;
subtracting the network consumption time T2 from the response packet time T1 to obtain the response delay of the recursive server.
Further, obtaining the number of response IPs of the recursive resolver includes:
using a domain name resolution module, a plurality of probe points request the A record of the domain name from the recursion resolver, and the response messages returned by the recursion resolver are analyzed;
extracting source IP information from the response messages by packet capture;
the number of different IPs, i.e. the number of responding IPs of the DNS recursion resolver, is recorded.
Further, acquiring and analyzing passive data includes:
acquiring recursive DNS information based on the passive data module;
Analyzing whether each DNS recursion resolver is a DNS public data source or not from the acquired recursion DNS information;
from the acquired recursive DNS information, analyzing whether the service provider of the DNS recursive resolver can be identified.
Further, constructing a multi-attribute evaluation model according to the response delay, the response IP number, the configuration attribute and the passive data of the recursion resolver, and evaluating the user scale level of the DNS recursion resolver, including:
Acquiring response time delay, response IP quantity, configuration attribute, DNS public data source and DNS service provider information of the recursion resolver;
Normalizing response time delay and response IP quantity of the recursion resolver from the domain name resolution angle, and evaluating domain name resolution condition of the recursion resolver by using an entropy weight method in an objective weighting method;
normalizing PTR records, EDNS protocols, software versions and vulnerabilities of the recursion resolver from the aspect of server attribute configuration;
normalizing the DNS public data source and DNS service provider information from the aspect of passive data, and evaluating the passive data of the recursion resolver by using the CRITIC method in an objective weighting method;
Determining subjective weights according to domain name resolution, attribute configuration and passive data by using a hierarchical analysis method, determining objective weights according to CRITIC method, and determining comprehensive weights by using a linear weighting method to construct a multi-attribute evaluation model;
calculating the user scale of each DNS recursion resolver according to the multi-attribute evaluation model;
and grading the user scale of the DNS recursion resolvers to obtain the user scale grade of each recursion resolver.
In a second aspect, a system for evaluating the user size of a recursive resolver from outside, comprising:
The acquisition module is used for analyzing the local user quantity of the known recursion resolver through the regional user request quantity module and classifying the local user quantity according to the grades so as to obtain the classified user quantity grades; measuring and analyzing attribute characteristics of recursion resolvers of different user scale grades according to the divided user quantity grades to obtain a measurement result;
the processing module is used for analyzing the attribute characteristics of the recursion resolvers of different user grades according to the measurement result so as to acquire the response time delay and the response IP number of the recursion resolvers; acquiring response time delay, response IP quantity and configuration attribute of the recursion resolver through an attribute configuration module; acquiring and analyzing passive data; and constructing a multi-attribute evaluation model according to the response time delay, the response IP number, the configuration attribute and the passive data of the recursion resolver, and evaluating the user scale level of the DNS recursion resolver.
In a third aspect, a computing device includes:
one or more processors;
And a storage means for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method.
In a fourth aspect, a computer readable storage medium has a program stored therein, which when executed by a processor, implements the method.
The scheme of the invention at least comprises the following beneficial effects:
Based on multidimensional data such as domain name resolution, server attribute configuration, passive data and the like, the user scale of the DNS recursion resolver can be comprehensively estimated through various data, so that a supervisor can master the service condition of the recursion resolver, and network resource allocation is further optimized.
Drawings
FIG. 1 is a flow chart of a method for assessing the user scale of a recursive resolver from the outside, provided by an embodiment of the present invention.
FIG. 2 is a schematic diagram of a system for assessing the user size of a recursive resolver from the outside, provided by an embodiment of the present invention.
Fig. 3 is a schematic structural diagram corresponding to embodiment 1 of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As shown in fig. 1, an embodiment of the present invention proposes a method of evaluating a user scale of a recursive resolver from outside, the method comprising the steps of:
step 11, analyzing the local user quantity of the known recursion resolver through a regional user request quantity module, and classifying the local user quantity according to the grades to obtain the classified user quantity grades;
Step 12, measuring and analyzing attribute characteristics of recursion resolvers of different user scale grades according to the divided user quantity grades to obtain a measurement result;
step 13, analyzing attribute characteristics of the recursion resolvers of different user grades according to the measurement result to obtain response time delay and response IP number of the recursion resolvers;
step 14, obtaining response time delay, response IP quantity and configuration attribute of the recursion resolver through an attribute configuration module;
step 15, passive data are acquired and analyzed;
And step 16, constructing a multi-attribute evaluation model according to the response time delay, the response IP number, the configuration attribute and the passive data of the recursion resolver, and evaluating the user scale level of the DNS recursion resolver.
In the embodiment of the present invention, step 11 can accurately determine the number of users currently served by the known recursive resolver and divide that number into different levels. In step 12, measuring the attribute characteristics of recursive resolvers at different user scale levels gives an in-depth picture of resolver performance under different loads, which helps to find potential performance bottlenecks and optimization points. In step 13, the two indicators obtained are key parameters for evaluating the performance of the recursive resolver: the response time delay reflects the processing speed of the resolver, and the number of response IPs reflects its concurrent processing capacity, so acquiring these data allows an accurate assessment of the resolver's performance level. In step 14, the attribute configuration module is used to analyze the response time delay and the response IP number, so that the data can be processed and analyzed more efficiently and accurately; this helps to find anomalies in time and make adjustments and optimizations accordingly. In step 15, the passive data is derived from the actual network environment and user behavior and therefore has high authenticity and reference value; analyzing it gives a fuller understanding of the performance and existing problems of the recursive resolver in actual use. In step 16, the response time delay, response IP number, configuration attributes and passive data of the recursive resolver are considered together in the multi-attribute evaluation model, so that the user scale level of the DNS recursive resolver is evaluated more scientifically and comprehensively. This helps provide accurate user scale information to network service providers for more efficient resource allocation and service optimization.
In a preferred embodiment of the present invention, the attribute features include response delay, number of response IPs, PTR record status, software version, EDNS support status, and support status of the encryption protocols DoH and DoT; the passive data includes DNS public data sources and DNS service provider information.
In the embodiment of the invention, the response time delay is an important index for measuring the performance of the recursion resolver. A lower response delay means that the resolver responds to user requests faster, providing a better user experience. The capacity of the resolver to process concurrent requests can be learned from the number of response IPs; a higher number of response IPs indicates that the resolver can support more users accessing it simultaneously, reflecting good scalability and service capability. The validity of PTR records (reverse DNS lookup) reflects the resolver's configuration integrity and data consistency. Correct PTR records help network diagnostics and security, and may also affect the trustworthiness of certain network services (e.g., mail servers). Knowing the software version of the recursive resolver helps to evaluate its security and functionality: an up-to-date software version typically contains the latest security patches and functional enhancements, which are critical to protecting user data and providing stable service. Support for encryption protocols reflects the ability of the recursive resolver to protect user privacy and improve data transmission security. Extensive information about recursive resolver usage and performance can be obtained from DNS public data sources; such data is typically sourced from multiple network environments and user groups and thus has high representativeness and reference value. Knowing the DNS service provider's operation, quality of service, user feedback, etc., allows the user size and quality of service of the recursive resolver to be evaluated from another perspective. This information helps to discover potential service problems and to provide more reliable network services to users.
In a preferred embodiment of the present invention, the step 13 may include:
step 131, using a domain name resolution module to request the A record of the domain name from the recursion resolver;
Step 132, obtaining time T1 from sending domain name request to receiving response packet;
step 133, calculating the network consumption time T2 from the user to the DNS recursion server by utilizing the ping command;
Step 134, subtracting the network consumption time T2 from the time T1 of the response packet to obtain the response delay of the recursive server.
In the embodiment of the present invention, in step 131 the domain name resolution module sends a standard DNS query request, which ensures the accuracy and consistency of measurement. A record requests are a common type of DNS query used to resolve domain names to their IPv4 addresses, which helps evaluate the performance of a recursive resolver when processing a typical query. In step 132, the time T1 represents the total time from the user initiating the query to receipt of the resolution response; it includes both the network transmission time and the processing time of the recursive resolver. In step 133, a relatively accurate network transmission time T2 is obtained by measuring the network delay from the user to the DNS recursion server with the ping command; this time is used in the subsequent calculation to eliminate the influence of network transmission on the response delay of the recursion resolver. In step 134, subtracting T2 from T1 gives a purer response delay of the recursive resolver, reflecting the time the recursion resolver needs to process a query internally and return the result after receiving it.
In a preferred embodiment of the present invention, the step 13 may include:
step 131, using the domain name resolution module, multiple probe points request the A record of the domain name from the recursion resolver, and the response messages returned by the recursion resolver are analyzed;
step 132, extracting source IP information from the response messages by packet capture;
Step 133, record the number of different IPs, i.e. the number of responding IPs of the DNS recursion resolver.
In the embodiment of the present invention, in step 131, having multiple probe points initiate the query request at the same time simulates concurrent user access in the actual network environment, and analysis of the returned response messages helps to understand the behavior and performance of the recursion resolver when processing these concurrent requests. In step 132, packet capture records the original data packets in transit, so that the source IP information in the response messages can be accurately extracted. In step 133, recording and analyzing the number of different IPs gives the IP range the recursive resolver uses in concurrent processing.
In a preferred embodiment of the present invention, the step 15 may include:
step 151, acquiring recursive DNS information based on the passive data module;
step 152, analyzing whether each DNS recursion resolver is a DNS public data source from the acquired recursion DNS information;
step 153, from the obtained recursive DNS information, analyzing whether the service provider of the DNS recursive resolver can be identified.
In the embodiment of the present invention, in step 151, a large amount of recursive DNS information can be collected efficiently by the passive data module. Such information is generated naturally in the actual network environment and therefore has high authenticity and practical value. In step 152, analyzing the acquired recursive DNS information identifies which recursive resolvers are public data sources. A public data source generally means that the data is accessible and usable by the public, and knowing which resolvers are public data sources helps in assessing their data transparency and trustworthiness. Step 153 identifies the service provider behind the recursive resolver by analyzing the recursive DNS information. Knowledge of the service provider helps to evaluate the quality of service, reliability, and security of the recursive resolver.
In a preferred embodiment of the present invention, the step 16 may include:
Step 161, obtaining response time delay, response IP number, configuration attribute, DNS public data source and DNS service provider information of the recursion resolver;
step 162, normalizing the response time delay and the response IP number of the recursion resolver from the domain name resolution perspective, and evaluating the domain name resolution condition of the recursion resolver by using an entropy weight method in the objective weighting method;
step 163, from the perspective of server attribute configuration, normalizing the PTR record, EDNS protocol, software version and vulnerability of the recursion resolver;
step 164, from the passive data perspective, normalizing the DNS public data source and DNS service provider information, and evaluating the passive data of the recursion resolver by the CRITIC method in the objective weighting method;
step 165, determining subjective weights according to domain name resolution, attribute configuration and passive data by using a hierarchical analysis method, determining objective weights according to CRITIC method, and determining comprehensive weights by using a linear weighting method so as to construct a multi-attribute evaluation model;
step 166, calculating the user scale of each DNS recursion resolver according to the multi-attribute assessment model;
step 167, the user scale of the DNS recursion resolver is ranked to obtain the user scale ranking of each recursion resolver.
In an embodiment of the invention, step 161 is the data collection phase, ensuring that all relevant evaluation indicators are taken into account. In step 162, normalizing the response time delay and the response IP number and evaluating them with the entropy weight method objectively reflects the performance of the recursion resolver in domain name resolution, so that resolvers with high resolution speed and high concurrency processing capability can be identified. In step 163, normalizing the PTR records, EDNS protocol support, software version, vulnerabilities and other attributes allows the security and functionality of the recursion resolver to be evaluated comprehensively from the configuration angle, so that potential security risks can be found and opportunities for configuration optimization identified. In step 164, normalizing the DNS public data source and DNS service provider information and evaluating them with the CRITIC method reveals the reliability and data transparency of the recursive resolver from the passive data perspective. In step 165, combining subjective weights (determined by the analytic hierarchy process) with objective weights (determined by the CRITIC method) and determining the comprehensive weights by linear weighting constructs a comprehensive and objective multi-attribute evaluation model. The model considers several evaluation dimensions together and ensures the accuracy and fairness of the evaluation result. In step 166, calculating the user scale of each recursion resolver according to the multi-attribute assessment model yields a quantized assessment result, which allows direct comparison and ordering of the user sizes of different recursion resolvers. In step 167, dividing the user scale into different levels demonstrates the user scale level of each recursion resolver more intuitively.
As shown in fig. 2, an embodiment of the present invention further provides a system 20 for assessing the user size of a recursive resolver from the outside, comprising:
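The multi-attribute evaluation model of steps 161 to 167, as an added Python example that is not the patent's own code: min-max normalization, the entropy weight method for the domain name resolution dimension, the CRITIC method for the passive data dimension, AHP subjective weights with a consistency check, linear combination of subjective and objective weights, and a grade per resolver. The resolver indicator values, the AHP pairwise matrix, the unweighted mean for the configuration dimension, alpha = 0.5 and the grade thresholds are all assumptions made for this example.

```python
import math

# Constructed sample data (NOT measurements from the patent). Indicator order per resolver:
#   delay_ms, response_ips, ptr_ok, edns_ok, version_score, vuln_count, public_source, provider_known
RESOLVERS = {
    "res-A": (12.0, 48, 1, 1, 0.9, 0, 1, 1),
    "res-B": (35.0, 12, 1, 1, 0.7, 1, 1, 1),
    "res-C": (80.0, 3, 0, 1, 0.4, 3, 0, 1),
    "res-D": (150.0, 1, 0, 0, 0.2, 5, 0, 0),
    "res-E": (22.0, 20, 1, 0, 0.6, 2, 1, 0),
}
# Assumed AHP pairwise judgement of the three dimensions, in the order
# (domain name resolution, attribute configuration, passive data); an example judgement only.
AHP_PAIRWISE = [[1, 2, 4], [0.5, 1, 2], [0.25, 0.5, 1]]
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12}  # Saaty's RI table (partial)

def normalize(col, cost=False):
    """Min-max normalise one indicator column to [0, 1]; cost indicators (delay, vulns) are inverted."""
    lo, hi = min(col), max(col)
    if hi == lo:
        return [1.0] * len(col)
    return [(hi - x) / (hi - lo) if cost else (x - lo) / (hi - lo) for x in col]

def entropy_weights(matrix):
    """Entropy weight method on a normalised m x n matrix (rows = resolvers, columns = indicators)."""
    m = len(matrix)
    if m < 2:
        raise ValueError("entropy weights need at least two alternatives")
    k = 1.0 / math.log(m)
    info = []
    for col in zip(*matrix):
        total = sum(col)
        p = [x / total for x in col] if total > 0 else [1.0 / m] * m
        e = -k * sum(x * math.log(x) for x in p if x > 0)  # 0 * log 0 is taken as 0
        info.append(1.0 - e)  # degree of divergence: more spread, more informative
    s = sum(info)
    return [d / s for d in info] if s > 0 else [1.0 / len(info)] * len(info)

def _pearson(a, b):
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0

def critic_weights(matrix):
    """CRITIC: C_j = sigma_j * sum_k (1 - r_jk); weight_j = C_j / sum(C), on a normalised matrix."""
    cols = list(zip(*matrix))
    m = len(matrix)
    info = []
    for col in cols:
        mean = sum(col) / m
        sigma = math.sqrt(sum((x - mean) ** 2 for x in col) / m)
        conflict = sum(1.0 - _pearson(col, other) for other in cols)
        info.append(sigma * conflict)
    s = sum(info)
    return [c / s for c in info] if s > 0 else [1.0 / len(cols)] * len(cols)

def ahp_weights(pairwise):
    """Analytic hierarchy process: geometric-mean weights and the consistency ratio CR."""
    n = len(pairwise)
    gm = [math.prod(row) ** (1.0 / n) for row in pairwise]
    w = [g / sum(gm) for g in gm]
    aw = [sum(pairwise[i][j] * w[j] for j in range(n)) for i in range(n)]
    lam_max = sum(aw[i] / w[i] for i in range(n)) / n
    cr = (lam_max - n) / (n - 1) / RANDOM_INDEX[n] if n > 2 else 0.0
    return w, cr

def weighted_score(matrix, weights):
    return [sum(w * x for w, x in zip(weights, row)) for row in matrix]

def grade(score):
    """Assumed grade bands; the patent grades the scale but fixes no numeric thresholds."""
    return "large" if score >= 0.75 else "medium" if score >= 0.5 else "small" if score >= 0.25 else "micro"

def evaluate(resolvers, pairwise, alpha=0.5):
    """Steps 161-167: dimension scores, combined weights alpha*subjective + (1-alpha)*objective, grade."""
    names = list(resolvers)
    cols = list(zip(*[resolvers[n] for n in names]))
    # Step 162: domain name resolution dimension (delay is a cost indicator), entropy weights.
    res_m = list(zip(normalize(cols[0], cost=True), normalize(cols[1])))
    res_score = weighted_score(res_m, entropy_weights(res_m))
    # Step 163: attribute configuration; the patent only normalises here, so an unweighted mean is assumed.
    cfg_m = zip(normalize(cols[2]), normalize(cols[3]), normalize(cols[4]), normalize(cols[5], cost=True))
    cfg_score = [sum(r) / len(r) for r in cfg_m]
    # Step 164: passive data dimension, CRITIC weights.
    pas_m = list(zip(normalize(cols[6]), normalize(cols[7])))
    pas_score = weighted_score(pas_m, critic_weights(pas_m))
    # Step 165: subjective weights by AHP, objective weights by CRITIC over the three dimension scores.
    dims = list(zip(res_score, cfg_score, pas_score))
    w_subj, cr = ahp_weights(pairwise)
    if cr > 0.1:
        raise ValueError(f"AHP pairwise matrix is inconsistent (CR={cr:.3f})")
    w_obj = critic_weights(dims)
    w = [alpha * s + (1 - alpha) * o for s, o in zip(w_subj, w_obj)]
    # Steps 166-167: final score per resolver and its grade.
    return {n: (round(f, 4), grade(f)) for n, f in zip(names, weighted_score(dims, w))}
```

Calling evaluate(RESOLVERS, AHP_PAIRWISE) scores res-A (best on every indicator) as 1.0 and res-D (worst on every indicator) as 0.0, which is a quick sanity check that the normalization directions and weights are applied consistently.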
An obtaining module 21, configured to analyze the local user quantity of the known recursion resolver by using the regional user request quantity module, and divide the local user quantity by a level to obtain a divided user quantity level; measuring and analyzing attribute characteristics of recursion resolvers of different user scale grades according to the divided user quantity grades to obtain a measurement result;
A processing module 22, configured to analyze attribute features of the recursion resolvers of different user levels according to the measurement result, so as to obtain a response delay and a response IP number of the recursion resolvers; acquiring response time delay, response IP quantity and configuration attribute of the recursion resolver through an attribute configuration module; acquiring and analyzing passive data; and constructing a multi-attribute evaluation model according to the response time delay, the response IP number, the configuration attribute and the passive data of the recursion resolver, and evaluating the user scale level of the DNS recursion resolver.
Optionally, the attribute features include response delay, number of response IPs, PTR record status, software version, EDNS support status, and support status of the encryption protocols DoH and DoT.
Optionally, the passive data includes DNS public data source and DNS service provider information.
Optionally, obtaining the response delay of the recursive resolver includes:
requesting the recursion resolver to query the A record of the domain name by using the domain name resolution module;
acquiring the time T1 from the user sending the domain name request to receiving the response packet;
calculating a network consumption time T2 from the user to the DNS recursion server by utilizing the ping command;
subtracting the network consumption time T2 from the response packet time T1 to obtain the response delay of the recursive server.
Optionally, obtaining the number of response IPs of the recursive resolver includes:
using a domain name resolution module, a plurality of probe points request the A record of the domain name from the recursion resolver, and the response messages returned by the recursion resolver are analyzed;
extracting source IP information from the response messages by packet capture;
the number of different IPs, i.e. the number of responding IPs of the DNS recursion resolver, is recorded.
Optionally, acquiring and analyzing the passive data includes:
acquiring recursive DNS information based on the passive data module;
Analyzing whether each DNS recursion resolver is a DNS public data source or not from the acquired recursion DNS information;
from the acquired recursive DNS information, analyzing whether the service provider of the DNS recursive resolver can be identified.
Optionally, constructing a multi-attribute evaluation model according to the response delay, the response IP number, the configuration attribute and the passive data of the recursive resolver, and evaluating the user scale level of the DNS recursive resolver, including:
Acquiring response time delay, response IP quantity, configuration attribute, DNS public data source and DNS service provider information of the recursion resolver;
Normalizing response time delay and response IP quantity of the recursion resolver from the domain name resolution angle, and evaluating domain name resolution condition of the recursion resolver by using an entropy weight method in an objective weighting method;
normalizing PTR records, EDNS protocols, software versions and vulnerabilities of the recursion resolver from the aspect of server attribute configuration;
normalizing the DNS public data source and DNS service provider information from the aspect of passive data, and evaluating the passive data of the recursion resolver by using the CRITIC method in an objective weighting method;
Determining subjective weights according to domain name resolution, attribute configuration and passive data by using a hierarchical analysis method, determining objective weights according to CRITIC method, and determining comprehensive weights by using a linear weighting method to construct a multi-attribute evaluation model;
calculating the user scale of each DNS recursion resolver according to the multi-attribute evaluation model;
and grading the user scale of the DNS recursion resolvers to obtain the user scale grade of each recursion resolver.
Example 1
As shown in fig. 3, a system for evaluating a user scale of a recursive resolver from outside includes:
The regional user request quantity module acquires the regional user request quantity from a campus network of a certain college, a local area network of a certain area, an operator or a national network outlet;
a DNS recursion resolver local user quantity module which analyzes the local user quantity of the recursion resolver from the collected regional user request quantity and classifies the local user quantity according to grades;
The attribute feature module is used for analyzing the attribute features of the servers with different user grades according to the local user quantity of the recursion resolver, and grading the user scale of the global recursion resolver by taking the attribute features as priori knowledge;
a DNS recursion resolver set module, which acquires the set of DNS recursion resolvers to be evaluated so that the attribute characteristics of these recursion resolvers can be measured;
the active data module is used for acquiring domain name resolution and attribute configuration conditions of the DNS recursion resolver in an active measurement mode;
The passive data module mainly comprises five aspects of collecting passive data, capturing DNS traffic, preprocessing data, extracting recursion resolver information and evaluating the user quantity of the recursion resolver:
firstly, passive data are collected, and information is acquired by monitoring network traffic or analyzing an existing data set under the condition that a request is not actively sent to a network;
Secondly, capturing DNS traffic, deploying data packet capturing devices or software at key points of the network (such as ISP outlets, data center boundaries and the like) to capture the passing DNS query and response traffic;
Thirdly, preprocessing the captured data, removing data packets irrelevant to DNS through data cleaning and format standardization, only reserving DNS query and response records, and converting the captured data packets into a uniform format for subsequent analysis;
Fourth, recursive parser information is extracted therefrom. By analyzing the source IP address and port of DNS query records, it is identified which queries are from the recursive resolver. Meanwhile, extracting and recording information such as the IP address, the port, the queried domain name and the like of each identified recursion resolver;
Finally, the recursive resolver user volume is evaluated. The user quantity of the recursion resolver is obtained by counting the query quantity of each recursion resolver in a certain time window, removing repeated query records, and observing and recording time series data of the query quantity of the recursion resolver.
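The passive pipeline just described (clean the capture, keep only DNS queries, group them by source address, drop repeated queries inside a time window, and build a per-resolver query-count series), as an added example; it is not code from the patent or from its assignee. The log line format, the sample records and the rule that a source with at least two distinct queries is treated as a resolver are assumptions of this example.

```python
"""Passive side of the measurement: pick recursive-resolver query traffic out of a DNS
capture log, drop repeated queries, and build a per-resolver query-count time series."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not a real capture).  Assumed format, one record per line:
#   <ISO-8601 time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> Q|R <qname> <qtype>
SAMPLE_LOG = """\
2024-04-24T10:00:01Z 203.0.113.5:41234 -> 198.51.100.1:53 Q www.example.com A
2024-04-24T10:00:01Z 198.51.100.1:53 -> 203.0.113.5:41234 R www.example.com A
2024-04-24T10:00:02Z 203.0.113.5:41235 -> 198.51.100.1:53 Q www.example.com A
2024-04-24T10:00:03Z 203.0.113.5:41236 -> 198.51.100.1:53 Q mail.example.com MX
2024-04-24T10:00:05Z 192.0.2.77:55001 -> 198.51.100.1:53 Q www.example.com A
2024-04-24T10:01:10Z 203.0.113.5:41240 -> 198.51.100.1:53 Q www.example.com A
2024-04-24T10:01:11Z 203.0.113.5:41241 -> 198.51.100.1:443 Q www.example.com A
"""
LINE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) ([QR]) (\S+) (\S+)$")


def parse_log(text):
    """Data cleaning: keep only well-formed DNS query records addressed to port 53,
    and normalise the query name and type so duplicates compare equal."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # malformed or non-DNS record
        ts, src, sport, _dst, dport, kind, qname, qtype = m.groups()
        if kind != "Q" or dport != "53":
            continue                      # responses and non-DNS ports are dropped
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((when, src, int(sport), qname.lower().rstrip("."), qtype.upper()))
    return rows


def resolver_query_series(rows, window_s=60):
    """Group queries by source IP (the resolver, as seen from the authoritative side),
    count one (qname, qtype) per source per window, and return the series per source."""
    seen = set()
    counts = defaultdict(lambda: defaultdict(int))
    for when, src, _sport, qname, qtype in rows:
        window = int(when.timestamp()) // window_s * window_s
        key = (src, window, qname, qtype)
        if key in seen:
            continue                      # retry or duplicate already counted in this window
        seen.add(key)
        counts[src][window] += 1
    return {src: sorted(w.items()) for src, w in counts.items()}


def likely_resolvers(series, min_queries=2):
    """Sources with at least min_queries distinct queries over the capture (assumed rule);
    single-query sources look more like stub clients or scanners than shared resolvers."""
    return sorted(src for src, w in series.items() if sum(c for _, c in w) >= min_queries)


if __name__ == "__main__":
    series = resolver_query_series(parse_log(SAMPLE_LOG))
    for src in likely_resolvers(series):
        print(src, [c for _, c in series[src]])
```

Deduplication keys on (source, window, name, type) rather than on the source port, because a resolver retransmits a query from a fresh random port and counting each retry would inflate its apparent user base.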
In an embodiment of the present invention, a system for evaluating a user scale of a recursive resolver from outside further includes:
a domain name resolution module, which performs domain name resolution in five steps: determining the target domain name and the DNS recursive resolver, sending the resolution request, receiving the response message, parsing the response message, and processing the result;
First, the target domain name and the DNS recursive resolver are determined, i.e. the domain name to be resolved and the recursive server to query. The domain name is typically user input or obtained from another source, for example www.baidu.com. Recursive resolvers are typically provided by ISPs or by public DNS services such as Google DNS and Cloudflare DNS;
Second, the resolution request is sent, which comprises constructing the DNS query message, sending it, and waiting for the response. The query message is built according to the DNS protocol specification: a header (transaction ID, flags, section counts) followed by a question section that specifies the domain name and the query type, e.g. an A record. The message is then sent to the IP address and port (normally port 53) of the selected recursive resolver, and the client waits for the resolver to process the request and return a response. The processing time varies with network delay, resolver load, whether the answer is already cached, and so on;
Third, the response message is received from the DNS recursive resolver, and its integrity and validity are verified to ensure it is a genuine answer to the original query: the transaction ID must match the one sent, the QR flag must be set, and the question section must echo the query;
Fourth, the response message is parsed: its structure (header and resource records) is decoded according to the DNS specification, the A records (IPv4 addresses) of the domain name are extracted from the answer section, and other related records in the response (AAAA, CNAME, etc.) are processed as required;
Fifth, the result is processed, including result storage and error handling. The parsed A records (IPv4 addresses) are stored in a suitable data structure for later use, and errors encountered during resolution (timeout, invalid response, etc.) are handled appropriately, for instance by retrying and logging the error.
In an embodiment of the present invention, a system for evaluating a user scale of a recursive resolver from outside further includes:
an attribute configuration module, which reflects the user volume of a DNS recursive resolver by measuring its static attributes;
a recursive resolver response delay module, which sends a domain name resolution request to the recursive resolver and measures how long the resolver takes to resolve the domain name. The smaller the response delay, the better the service performance of the recursive resolver;
a recursive resolver response IP count module, which sends domain name resolution requests to the recursive resolver, extracts the source IP of each response message, and counts the distinct IPs. A recursive resolver that answers from many IPs spread over different geographic locations is likely a large distributed DNS deployment (such as the public DNS services of Google or Cloudflare), which indirectly indicates that it serves a large number of users across many locations;
a PTR record module. Based on prior knowledge, large recursive resolvers are usually configured with PTR records. The module therefore requests a PTR record (reverse lookup) through the recursive resolver, checks whether the lookup succeeds, and if so checks whether the answer section of the response contains geographic location information. For example, when the PTR record of 61.55.212.69 was requested from the Beijing recursive resolver 1.202.140.166, the returned result contained hebei.55.61.in-addr.arpa, indicating that the resolver serves users in Hebei province, which reflects its user volume;
an EDNS support module, which verifies whether the recursive resolver supports EDNS. A recursive resolver that supports EDNS can provide better performance, stability, IPv6 support and security, especially for networks with large numbers of users: larger UDP payloads speed up query processing and reduce the need to fall back to TCP, giving users a higher-quality DNS service;
a software version and vulnerability module, which obtains the recursive resolver's software version and checks whether known vulnerabilities exist for it. A frequently updated version with no known vulnerabilities indicates that an administrator maintains the software over the long term, which indirectly reflects the user scale of the resolver;
a DoH support module, which verifies whether the recursive resolver supports DNS over HTTPS. Because DoH deployment is costly, it is currently supported by only a few large public service providers, so measuring DoH support reflects the user scale of the DNS recursive resolver;
a DoT support module, which verifies whether the recursive resolver supports DNS over TLS. As with DoH, deploying and maintaining DoT-capable DNS servers is costly and only a few large public service providers do so, so measuring DoT support likewise reflects the user scale of the recursive resolver;
an NSID module, which requests the A record of a domain name from the DNS recursive resolver with the NSID option (RFC 5001) enabled in the EDNS part of the request, in order to obtain the identifier of the server instance that answered. If NSID information is returned, the recursive resolver is taken to have multiple mirror nodes and therefore a large user scale;
a DNS public data source module, which determines from the passive data whether the DNS recursive resolver appears in public DNS data sources. Such sources typically collect and aggregate data from large ISPs, cloud service providers, security companies and others, and can reflect the user scale of a server, e.g. 8.8.8.8 serving users worldwide. Therefore, analysing whether the recursive resolver is a public data source reflects its user scale;
a DNS service provider module, which obtains the service provider of the recursive resolver from the passive data. The larger the service provider, the larger the user scale of the recursive resolver; for example, the provider of the resolver 8.8.8.8 is Google;
a multi-attribute evaluation model module, which integrates all acquired data and builds the user scale evaluation model from the three aspects of domain name resolution, attribute configuration and passive data, using objective weighting methods (such as the entropy weight method, TOPSIS and CRITIC) and subjective weighting methods (such as the analytic hierarchy process);
a DNS recursive resolver user scale evaluation module, which applies the multi-attribute evaluation model to calculate the user scale of each DNS recursive resolver and classifies the resolvers into user scale levels based on the result.
In a specific embodiment, the method for evaluating the user scale of a recursive resolver from the outside comprises:
1. Analysing the attribute features of recursive resolvers, in the following steps:
Step 1: from the regional user request quantity module, derive the local user counts of known recursive resolvers and classify them into grades;
Step 2: measure the attribute features of recursive resolvers at each user scale level, such as response delay, number of responding IPs, PTR record status, software version, EDNS support, and support for the encrypted transports DoH and DoT;
Step 3: analyse the attribute features of the recursive resolvers at each user grade according to the measurement results; for example, the DoH protocol may turn out to be supported only by large recursive resolvers. These attribute features are then used as prior knowledge for the subsequent user scale measurement of recursive resolvers globally;
2. Obtaining the response delay of a recursive resolver, in the following steps:
Step 1: using the domain name resolution module, request the A record of a domain name from the recursive resolver;
Step 2: record the time T1 from sending the request to receiving the response packet at the measuring client;
Step 3: measure the network round-trip time T2 from the client to the DNS recursive server with the ping command;
Step 4: T1 - T2 is the response delay of the recursive server. Because ICMP may be rate-limited or answered by a different host than the DNS service, and because a cached answer gives a much smaller T1 than a cache miss, the measurement should be repeated rather than taken from a single query.
3. Obtaining the number of responding IPs of a recursive resolver, in the following steps:
Step 1: using the domain name resolution module, request the A record of a domain name from the recursive resolver from multiple vantage points and analyse the response messages returned;
Step 2: extract the source IP of each response message from the packet capture;
Step 3: record the number of distinct IPs, which is the number of responding IPs of the DNS recursive resolver.
4. Obtaining a PTR record, in the following steps:
Step 1: request a PTR record (reverse lookup of an address) from the recursive resolver and obtain the resolution result;
Step 2: check whether the PTR lookup succeeds and, if so, whether the result in the answer section of the response contains geographic location or similar information.
5. Obtaining EDNS support, in the following steps:
Step 1: send a DNS query of type A for any domain name to the recursive resolver, adding an OPT pseudo-record to the additional section of the request whose CLASS field carries the requester's maximum UDP payload size, 4096 bytes as suggested by RFC 6891, and obtain the response message;
Step 2: check whether the response message contains an OPT record whose CLASS field is not less than 512 bytes; if it does, the recursive resolver supports EDNS.
6. Obtaining the software version and vulnerability information, in the following steps:
Step 1: send a DNS query with name VERSION.BIND, class CH and type TXT to the recursive resolver and obtain the response message;
Step 2: check whether the answer section of the response contains a resource record whose NAME is VERSION.BIND; if so, its RDATA is the DNS software version of the recursive resolver. Many operators hide or replace this string, so an absent or generic answer does not by itself mean the resolver is unmaintained.
Step 3: based on the software version, check the CVE database for vulnerabilities affecting that version; for example, CVE entries report security vulnerabilities in ISC BIND 9 which an attacker can use to make named terminate unexpectedly.
7. Obtaining DoH support, in the following steps:
Step 1: send an HTTPS request carrying a DNS query for the A record of a domain name to the recursive resolver, using the common URL path /dns-query (RFC 8484), and obtain the response message;
Step 2: check whether the answer section of the response contains a result; if so, the recursive resolver supports the DoH protocol.
8. Obtaining DoT support, in the following steps:
Step 1: open a TLS connection to the recursive resolver (port 853, RFC 7858), send a DNS query for the A record of a domain name over it, and obtain the response message;
Step 2: check whether the answer section of the response contains a result; if so, the recursive resolver supports the DoT protocol.
9. Obtaining NSID information, in the following steps:
Step 1: request the A record of a domain name from the DNS recursive resolver with the NSID option enabled in the EDNS part of the request message, in order to obtain the server instance identifier of the recursive resolver;
Step 2: check whether NSID information is returned; if it is, the DNS recursive resolver has mirror nodes.
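The query construction and response validation of the domain name resolution module above, together with the EDNS, VERSION.BIND, DoH, DoT and NSID probes of items 5 to 9, as one added example. This is not code from the patent or its assignee: it builds and parses DNS wire format with the Python standard library instead of a DNS library, and leaves the actual sending over UDP, HTTPS or TLS (and the timeout and retry handling) to the caller. The function names, the constructed sample responses, the 1232-byte payload size and the NSID string that the sample server returns are assumptions of the example.

```python
"""Wire-format helpers for the active probes: build a query (optionally with an EDNS0 OPT
record and the NSID option), validate and parse the response, and frame the same query
for DoH (RFC 8484) and DoT (RFC 7858).  Standard library only; sending is the caller's job."""
import base64
import os
import struct

QTYPE = {"A": 1, "CNAME": 5, "PTR": 12, "TXT": 16, "AAAA": 28}
QCLASS = {"IN": 1, "CH": 3}
EDNS_OPT_NSID = 3  # option code assigned by RFC 5001

def encode_name(name):
    """Uncompressed owner name: <len><label>... terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a name that may use compression pointers; return (name, offset past it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # pointer into an earlier name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if jumped else off

def build_query(qname, qtype="A", qclass="IN", udp_payload=None, nsid=False, qid=None):
    """RD=1 query; udp_payload adds an OPT pseudo-RR advertising that size (EDNS0),
    nsid=True puts an empty NSID option in it so the server can answer with its ID."""
    ident = os.urandom(2) if qid is None else struct.pack("!H", qid)
    msg = ident + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 1 if udp_payload else 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE[qtype], QCLASS[qclass])
    if udp_payload:
        rdata = struct.pack("!HH", EDNS_OPT_NSID, 0) if nsid else b""
        # OPT RR: root owner, TYPE 41, CLASS = payload size, TTL = ext-rcode/version/flags
        msg += b"\x00" + struct.pack("!HHIH", 41, udp_payload, 0, len(rdata)) + rdata
    return msg

def parse_response(query, resp):
    """Check that resp answers query (same ID, QR set, question echoed), then extract the
    rcode, A/TXT/CNAME answers, the advertised UDP payload size and any NSID option."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if qid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        raise ValueError("not a response to our query")
    off, questions = 12, []
    for _ in range(qd):
        name, off = decode_name(resp, off)
        questions.append((name,) + struct.unpack("!HH", resp[off:off + 4]))
        off += 4
    qname, qoff = decode_name(query, 12)
    if questions[:1] != [(qname,) + struct.unpack("!HH", query[qoff:qoff + 4])]:
        raise ValueError("question section does not echo the query")
    out = {"rcode": flags & 0xF, "answers": [], "edns_payload": None, "nsid": None}
    for _ in range(an + ns + ar):
        name, off = decode_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 41:                            # OPT: CLASS is the UDP payload size
            out["edns_payload"] = rclass
            o = 0
            while o + 4 <= len(rdata):             # walk the option list
                code, ln = struct.unpack("!HH", rdata[o:o + 4])
                if code == EDNS_OPT_NSID:
                    out["nsid"] = rdata[o + 4:o + 4 + ln]
                o += 4 + ln
        elif rtype == 1:
            out["answers"].append((name, "A", ".".join(str(b) for b in rdata)))
        elif rtype == 16:                          # TXT: sequence of <len><chars>
            txt, o = [], 0
            while o < len(rdata):
                txt.append(rdata[o + 1:o + 1 + rdata[o]].decode("ascii", "replace"))
                o += 1 + rdata[o]
            out["answers"].append((name, "TXT", "".join(txt)))
        elif rtype == 5:
            out["answers"].append((name, "CNAME", decode_name(resp, off - rdlen)[0]))
    return out

def doh_get_url(host, query):
    """RFC 8484 GET form: the wire query, base64url without padding, in the dns= parameter."""
    return "https://%s/dns-query?dns=%s" % (host, base64.urlsafe_b64encode(query).rstrip(b"=").decode())

def dot_frame(query):
    """DoT (TLS to port 853) carries DNS as over TCP: a two-byte length prefix per message."""
    return struct.pack("!H", len(query)) + query

def constructed_response(query, rtype, rdata, nsid=None):
    """Constructed sample answer (not captured traffic): echoes the question, answers with
    one RR owned via a pointer to the question name, and adds OPT(1232)+NSID if asked."""
    qend = decode_name(query, 12)[1]
    qclass = struct.unpack("!H", query[qend + 2:qend + 4])[0]
    rr = b"\xc0\x0c" + struct.pack("!HHIH", rtype, qclass, 300, len(rdata)) + rdata
    opt = b""
    if nsid is not None:
        od = struct.pack("!HH", EDNS_OPT_NSID, len(nsid)) + nsid
        opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0, len(od)) + od
    hdr = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1 if opt else 0)
    return hdr + query[12:qend + 4] + rr + opt
```

For the EDNS check of item 5, call build_query(name, "A", udp_payload=4096) and test edns_payload in the parsed response against 512; for item 6, build_query("version.bind", "TXT", "CH") and read the TXT answer; for item 9, add nsid=True and read the nsid bytes. The same bytes go into doh_get_url for the DoH probe and into dot_frame for the DoT probe, so the parser is shared across all transports. Rejecting a response whose ID or question does not match the query also keeps a stray or spoofed packet from being counted as a successful probe.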
10. Analysing DNS public data sources and DNS service providers, in the following steps:
Step 1: obtain recursive DNS information from the passive data module;
Step 2: from the obtained recursive DNS information, determine whether each DNS recursive resolver is a DNS public data source;
Step 3: from the obtained recursive DNS information, determine whether the service provider of each DNS recursive resolver can be identified.
11. Constructing and applying the multi-attribute evaluation model, in the following steps:
Step 1: obtain the response delay, number of responding IPs, configuration attributes, DNS public data source status, DNS service provider and similar information of each recursive resolver from the modules above;
Step 2: from the domain name resolution angle, first normalise the response delay and the number of responding IPs of the recursive resolver, then evaluate its domain name resolution condition with the entropy weight method, an objective weighting method;
Step 3: from the server attribute configuration angle, normalise the six attributes of the recursive resolver: PTR record, software version and vulnerability, EDNS, DoH, DoT and NSID. The PTR record is divided into three cases: no PTR record; a PTR record without geographic information; a PTR record with geographic information. Software version and vulnerability are divided into four cases: no version obtained, old version, current version, and version with a known vulnerability. The remaining four attributes are yes/no. After normalisation, evaluate the attribute configuration of the recursive resolver with the analytic hierarchy process, a subjective weighting method;
Step 4: from the passive data angle, first normalise the DNS public data source (public data source or not) and the DNS service provider (no provider, large, medium or small provider), then evaluate the passive data of the recursive resolver with the CRITIC method, an objective weighting method;
Step 5: combine the results obtained, evaluating the user scale of the recursive resolver from domain name resolution, attribute configuration and passive data. First normalise, then combine the subjective and objective weighting methods: determine subjective weights with the analytic hierarchy process, objective weights with the CRITIC method, and comprehensive weights by linear weighting, thereby constructing the multi-attribute evaluation model;
Step 6: calculate the user scale of each DNS recursive resolver with the multi-attribute evaluation model, then grade it to obtain the user scale level of each recursive resolver.
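Steps 2 to 6 of item 11 as an added example, not code from the patent: the entropy weight method, the CRITIC method, an AHP priority vector with Saaty's consistency check, and the linear combination of subjective and objective weights, applied to a constructed six-attribute table. The patent computes three sub-scores (domain name resolution, attribute configuration, passive data) before combining them; this example flattens that to a single level to keep it short. The attribute table, the importance scores from which the AHP matrix is built, the 0.5 mixing coefficient and the grade thresholds are all assumptions.

```python
"""Weights and scores for the multi-attribute model: min-max normalisation, entropy
weights, CRITIC weights, AHP priority vector with consistency check, linear combination."""
import math

def normalize(matrix, cost):
    """Scale each column to [0, 1]; columns flagged in cost (e.g. response delay) are
    reversed so that a larger normalised value always points to a larger user base."""
    out = []
    for j, col in enumerate(zip(*matrix)):
        lo, hi = min(col), max(col)
        span = (hi - lo) or 1.0
        out.append([(hi - v) / span if cost[j] else (v - lo) / span for v in col])
    return [list(row) for row in zip(*out)]

def entropy_weights(norm):
    """Entropy weight method: an attribute whose values differ more across resolvers
    carries more information and receives a larger weight."""
    n, k = len(norm), 1.0 / math.log(len(norm))
    d = []
    for col in zip(*norm):
        s = sum(col)
        p = [v / s for v in col] if s else [0.0] * n
        d.append(1.0 - (-k * sum(pi * math.log(pi) for pi in p if pi > 0)))
    return [x / sum(d) for x in d]

def _std(c):
    mu = sum(c) / len(c)
    return math.sqrt(sum((v - mu) ** 2 for v in c) / len(c))

def _corr(a, b):
    den = _std(a) * _std(b) * len(a)
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / den if den else 0.0

def critic_weights(norm):
    """CRITIC: weight = contrast (std) times conflict (sum of 1 - r with the other attributes)."""
    cols = [list(c) for c in zip(*norm)]
    c = [_std(cj) * sum(1.0 - _corr(cj, ck) for ck in cols) for cj in cols]
    return [x / sum(c) for x in c]

RI = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45}

def ahp_weights(pairwise, max_cr=0.1):
    """AHP priority vector (row geometric means) with Saaty's consistency ratio; judgements
    with CR above max_cr are rejected instead of being silently turned into weights."""
    n = len(pairwise)
    gm = [math.prod(row) ** (1.0 / n) for row in pairwise]
    w = [g / sum(gm) for g in gm]
    lam = sum(sum(pairwise[i][j] * w[j] for j in range(n)) / w[i] for i in range(n)) / n
    cr = ((lam - n) / (n - 1)) / RI[n] if n > 2 else 0.0
    if cr > max_cr:
        raise ValueError("inconsistent pairwise judgements, CR=%.3f" % cr)
    return w

def combined_weights(subjective, objective, alpha=0.5):
    """Linear weighting: alpha * subjective + (1 - alpha) * objective, renormalised."""
    w = [alpha * s + (1.0 - alpha) * o for s, o in zip(subjective, objective)]
    return [x / sum(w) for x in w]

def scores(norm, weights):
    return [sum(w * v for w, v in zip(weights, row)) for row in norm]

def grade(score, cuts=(0.7, 0.4)):
    """Grade thresholds are assumed for illustration; the patent does not fix them."""
    return "large" if score >= cuts[0] else "medium" if score >= cuts[1] else "small"

# Constructed sample (not measurement data from the patent).  Columns: response delay in
# ms (cost), distinct responding IPs, DoH, DoT, NSID returned, provider size (0 none..3 large).
NAMES = ["R1", "R2", "R3", "R4"]
COST = [True, False, False, False, False, False]
DATA = [[18.0, 9, 1, 1, 1, 3], [42.0, 2, 0, 1, 0, 2], [95.0, 1, 0, 0, 0, 1], [60.0, 1, 0, 0, 0, 0]]
# Assumed analyst importance scores; the AHP matrix is built from their ratios (consistent).
IMPORTANCE = [3, 2, 2, 2, 1, 3]

def evaluate(data=DATA, cost=COST, importance=IMPORTANCE, alpha=0.5):
    """Step 5 combination: AHP subjective weights, CRITIC objective weights, linear mix,
    weighted sum per resolver, then grading (step 6)."""
    norm = normalize(data, cost)
    pairwise = [[a / b for b in importance] for a in importance]
    w = combined_weights(ahp_weights(pairwise), critic_weights(norm), alpha)
    return {name: (s, grade(s)) for name, s in zip(NAMES, scores(norm, w))}

if __name__ == "__main__":
    for name, (s, g) in evaluate().items():
        print(name, round(s, 3), g)
```

entropy_weights is the method step 2 applies to the domain name resolution pair (delay, responding IPs); it is included here so that the three weighting methods named in the patent can be compared on the same normalised table. The consistency check in ahp_weights matters in practice: a pairwise matrix filled in by hand is easy to make circular, and an inconsistent matrix still yields a weight vector that looks plausible.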
It should be noted that, the system is a system corresponding to the above method, and all implementation manners in the above method embodiment are applicable to the embodiment, so that the same technical effects can be achieved.
Embodiments of the present invention also provide a computing device comprising: a processor, a memory storing a computer program which, when executed by the processor, performs the method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform a method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a usb disk, a removable hard disk, a ROM, a RAM, a magnetic disk, or an optical disk, etc.
Furthermore, it should be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. Also, the steps of performing the series of processes described above may naturally be performed in chronological order in the order of description, but are not necessarily performed in chronological order, and some steps may be performed in parallel or independently of each other. It will be appreciated by those of ordinary skill in the art that all or any of the steps or components of the methods and apparatus of the present invention may be implemented in hardware, firmware, software, or any combination thereof in any computing device (including processors, storage media, etc.) or network of computing devices, as would be apparent to one of ordinary skill in the art upon reading the present specification.
The object of the invention can thus also be achieved by running a program or a set of programs on any computing device. The computing device may be a well-known general purpose device. The object of the invention can thus also be achieved by merely providing a program product containing program code for implementing said method or apparatus. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is apparent that the storage medium may be any known storage medium or any storage medium developed in the future. It should also be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. The steps of executing the series of processes may naturally be executed in chronological order in the order described, but are not necessarily executed in chronological order. Some steps may be performed in parallel or independently of each other.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (10)

1. A method for evaluating the user scale of a recursive resolver from the outside, the method comprising:
analysing the local user counts of known recursive resolvers through a regional user request quantity module, and classifying them into grades to obtain the divided user quantity grades;
measuring and analysing the attribute features of recursive resolvers at the different user scale grades according to the divided user quantity grades, to obtain a measurement result;
analysing the attribute features of the recursive resolvers at the different user grades according to the measurement result, to obtain the response delay and the number of responding IPs of the recursive resolvers;
acquiring the response delay, the number of responding IPs and the configuration attributes of the recursive resolver through an attribute configuration module;
acquiring and analysing passive data;
and constructing a multi-attribute evaluation model from the response delay, the number of responding IPs, the configuration attributes and the passive data of the recursive resolver, and evaluating the user scale level of the DNS recursive resolver.
2. The method of claim 1, wherein the attribute features include response delay, number of responding IPs, PTR record status, software version, and support status of the EDNS, DoH and DoT protocols.
3. The method of claim 2, wherein the passive data includes DNS public data source and DNS service provider information.
4. The method of claim 3, wherein obtaining the response delay of the recursive resolver comprises:
requesting the A record of a domain name from the recursive resolver using the domain name resolution module;
acquiring the time T1 from sending the request to receiving the response packet at the user;
calculating the network round-trip time T2 from the user to the DNS recursive server using the ping command;
subtracting the network time T2 from the response time T1 to obtain the response delay of the recursive server.
5. The method of claim 4, wherein obtaining the number of responding IPs of the recursive resolver comprises:
requesting the A record of a domain name from the recursive resolver from a plurality of detection points using the domain name resolution module, and analysing the response messages returned by the recursive resolver;
extracting the source IP information from the response messages by packet capture;
recording the number of distinct IPs, which is the number of responding IPs of the DNS recursive resolver.
6. The method of claim 5, wherein acquiring and analysing passive data comprises:
acquiring recursive DNS information based on the passive data module;
analysing, from the acquired recursive DNS information, whether each DNS recursive resolver is a DNS public data source;
analysing, from the acquired recursive DNS information, whether the service provider of the DNS recursive resolver can be acquired.
7. The method of claim 6, wherein constructing a multi-attribute evaluation model from the response delay, number of responding IPs, configuration attributes and passive data of the recursive resolver, and evaluating the user scale level of the DNS recursive resolver, comprises:
acquiring the response delay, number of responding IPs, configuration attributes, DNS public data source and DNS service provider information of the recursive resolver;
normalising the response delay and number of responding IPs of the recursive resolver from the domain name resolution angle, and evaluating the domain name resolution condition of the recursive resolver with the entropy weight method, an objective weighting method;
normalising the PTR record, EDNS protocol, software version and vulnerability attributes of the recursive resolver from the server attribute configuration angle;
normalising the DNS public data source and DNS service provider from the passive data angle, and evaluating the passive data of the recursive resolver with the CRITIC method, an objective weighting method;
determining subjective weights for domain name resolution, attribute configuration and passive data with the analytic hierarchy process, objective weights with the CRITIC method, and comprehensive weights by linear weighting, to construct the multi-attribute evaluation model;
calculating the user scale of each DNS recursive resolver according to the multi-attribute evaluation model;
and grading the user scale of the DNS recursive resolvers to obtain the user scale grade of each recursive resolver.
8. A system for evaluating the user scale of a recursive resolver from the outside, comprising:
an acquisition module, configured to analyse the local user counts of known recursive resolvers through a regional user request quantity module and classify them into grades to obtain the divided user quantity grades, and to measure and analyse the attribute features of recursive resolvers at the different user scale grades according to the divided user quantity grades to obtain a measurement result;
a processing module, configured to analyse the attribute features of the recursive resolvers at the different user grades according to the measurement result to acquire the response delay and number of responding IPs of the recursive resolvers; to acquire the response delay, number of responding IPs and configuration attributes of the recursive resolver through an attribute configuration module; to acquire and analyse passive data; and to construct a multi-attribute evaluation model from the response delay, number of responding IPs, configuration attributes and passive data of the recursive resolver and evaluate the user scale level of the DNS recursive resolver.
9. A computing device, comprising:
one or more processors;
Storage means for storing one or more programs which when executed by the one or more processors cause the one or more processors to implement the method of any of claims 1 to 7.
10. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a program which, when executed by a processor, implements the method according to any of claims 1 to 7.
CN202410496284.1A 2024-04-24 2024-04-24 Method and system for evaluating user scale of recursion resolver from outside Pending CN118413449A (en)


Publications (1)

Publication Number Publication Date
CN118413449A true CN118413449A (en) 2024-07-30

Family

ID=92032239


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination