CN201717899U - System for improving safety and performance of domain name system - Google Patents

System for improving safety and performance of domain name system

Info

Publication number: CN201717899U
Authority: CN (China)
Application number: CN2010201283448U
Other languages: Chinese (zh)
Inventor: 赵家祥
Assignee: Individual
Legal status: Expired - Fee Related
Prior art keywords: dns, node, record, group, domain name
Classification: Computer And Data Communications

Abstract

The utility model provides a system for improving the safety and performance of a domain name system (DNS), characterized in that the system comprises: an IP address outwardly presented as a DNS; a load balancer used to distribute DNS resolution requests from the Internet to the individual nodes, which share the whole current load; and a peer working group formed by a group of members, comprising member node 1, member node 2, etc. up to member node K, within which communication coordinator election, DNS record updating and consistency arbitration are performed.

Description

A system for improving the safety and performance of a domain name system
Technical field
The utility model relates to the field of network security technology, and in particular to a method and system for improving the safety and performance of a domain name system.
Background technology
Every day, hundreds of millions of users access content and applications on the Internet, and at the same time massive volumes of data are transmitted over it; all of this relies on the service and support provided by the Domain Name System (DNS).
For each user, a meaningful domain name (also called a host name) such as www.example.com is easy to remember and easy to use, and is necessary for accessing the Internet; on the other hand, the computers on the Internet actually communicate using IP addresses, such as 208.77.188.166.
The conversion from domain name to IP address on the Internet is performed by the domain name system, DNS. A DNS server maintains records of the mapping between domain names and IP addresses; when a DNS server receives a domain name query from a client, it looks up the corresponding record and returns the IP address to the client in a response. This process is generally called "domain name resolution". Users and applications on the Internet are constantly using the service and capability that DNS provides.
However, attacks against DNS are now commonplace. There are two common attack patterns: one is called a distributed denial of service attack (Distributed Denial of Service, DDoS), the other is called domain hijacking. The mechanism of a denial of service (DoS) attack is to generate a large number of service requests, increasing the server's operating load so that the server cannot respond to requests from normal users or applications, or even goes down and stops serving entirely. To further increase the damage done by a denial of service attack, the attacker usually controls many computers distributed across the Internet (for example by buying a "botnet" or "zombie machines") and attacks with them simultaneously; this multi-point attack pattern is commonly called a distributed denial of service attack, DDoS. One DDoS case related to the domain name system occurred in 2009: a DDoS attack on the DNS system of a certain telecom operator prevented large numbers of users from accessing the network normally, causing enormous economic loss and a very bad social impact.
Domain hijacking is the other attack pattern against DNS: the attacker modifies a record in the DNS server so that it corresponds to a wrong IP address. For example, if the attacker tampers with the IP address corresponding to www.example.com, changing it to 111.222.33.44, then when a user visits www.example.com they are sent to 111.222.33.44 and can no longer reach the service originally provided at 208.77.188.166. One case of domain hijacking is the attack in 2010 on a certain well-known network search engine, which left users worldwide unable to use its search service for more than 10 hours and produced huge direct and indirect economic losses.
It is foreseeable that, whether a DDoS attack on a DNS system or domain hijacking, if such an attack occurs at an e-commerce website, at other important portal sites such as online banking, at government or operator sites, or at e-mail servers, it will cause incalculable damage and the consequences are hard to imagine. Effective methods and systems are therefore needed to improve the security of DNS systems.
In the prior art, the common countermeasure for DDoS attacks is traffic filtering. Its limitation is that distinguishing which traffic is normal and legitimate from which is illegitimate (attack traffic) is extremely difficult. For example, because of the current shortage of IP addresses on the Internet (IPv4), many users connect through network address translation (Network Address Translation, NAT) devices, so seen from outside, the traffic these users generate all comes from the same source IP address; normal traffic and abnormal traffic therefore cannot be distinguished simply by judging the source IP address of the traffic. On the other hand, judged from the source IP, a distributed denial of service attack looks even closer to the traffic normal users produce, so at present it can only be handled by methods such as behavioural analysis, which are highly complex and of poor accuracy. As for domain hijacking, apart from manual measures such as an administrator stepping in to strengthen supervision, effective preventive technology is lacking. And such manual intervention generally comes after the fact: handling usually begins only when a large number of user complaints reveal that the service is unavailable, by which time serious harm has already occurred, losses have been caused and keep growing, and recovery and remediation cost considerably more.
Historical data from recent years show an ever-increasing trend in attacks against DNS, and the prior art lacks effective means of securing DNS systems.
The utility model content
For this reason, the utility model designs a method and system for improving the safety and performance of a domain name system, namely a domain name system characterized by comprising: an IP address that is externally presented as a DNS; a load balancer used to distribute DNS resolution requests from the Internet to each node, so that the nodes share the whole traffic; and a peer working group made up of a group of members, the working group comprising member node 1, node 2, ..., node K, which mainly performs communication coordinator election, DNS record updating and consistency arbitration within the group.
It is further characterized in that: each member sends a "verify" command within the group, sending all or part of the DNS records it stores to the other members; after the communication coordinator obtains a DNS record update from other DNS servers, it uses an "update command" to make the other member nodes perform the corresponding DNS record update, so that the group reaches agreement; on receiving DNS records sent by another member, a member compares them with the records it holds itself, and if it finds a difference it starts the consistency arbitration procedure for that record difference, sending an arbitration command to the other members to trigger arbitration of the relevant record; depending on system policy or configuration, consensus on a difference is formed in "majority rules" (the minority defers to the majority), "one-vote veto" or "administrator intervention required" mode. The system can be deployed together with DNS servers in either extension mode or primary mode.
Description of drawings
The utility model is described in further detail below with reference to the drawings and specific embodiments.
Fig. 1: system architecture;
Fig. 2: communication coordinator election flow;
Fig. 3: DNS record update flow;
Fig. 4: flow of a member sending a verify command;
Fig. 5: consistency arbitration flow;
Fig. 6: flow for monitoring the arbitration frequency.
Embodiment
The method and system of the utility model aim to improve the security and performance of a DNS system so that it can effectively resist domain hijacking and DDoS attacks. Fig. 1 shows the architecture of the system. The DNS system of the utility model comprises a load balancer (Load Balancer) and a peer working group made up of a group of members (node 1, node 2, ..., node K).
The whole system externally presents the IP address of a single DNS; that is, users access the system through the IP address of one DNS as usual, and user-side software needs no modification at all.
The role of the load balancer is to distribute DNS resolution requests from the Internet across the nodes so that the nodes share the whole traffic. Because every DNS resolution is a request/response exchange (Request/Response), the utility model takes full advantage of the independence between individual domain name resolutions, so the load balancer can be implemented in a very simple and efficient way and reach very high throughput, such as network line speed: if the network bandwidth between the load balancer and the Internet is 1Gbps, the load balancer can also reach that speed and will not become a bottleneck in system performance.
The focus of the DNS system of the utility model is that each node is a member, these members form a working group on a peer basis, and the following main flows and processing are carried out within the group.
1. Electing the communication coordinator and updating DNS records
In the whole group there is only one communication coordinator (Communication Coordinator) at any moment. The communication coordinator is responsible for communicating with the other DNS server nodes in the DNS system, such as the upper-level authoritative DNS server (authoritative name server), to obtain DNS record updates. So no matter how many members the group has, only one node communicates with other DNS servers, which avoids placing a burden on them.
When the working group is very large, for example when the members number in the tens or hundreds, there can be several communication coordinators in the group, but their number is still far smaller than the number of members, and the purpose remains to reduce the overhead of communicating with other DNS nodes and to improve system security through dynamic behaviour. In the following discussion the operating principle of the utility model is explained using a single communication coordinator as the example; the described methods and flows can also be extended to the scenario where the system has multiple communication coordinators, to support larger-scale applications.
After the communication coordinator has obtained DNS record updates from other DNS servers (normally the upper-level DNS server), it uses the "update command" to make the other member nodes perform the corresponding DNS record update, so that the group reaches agreement.
The communication coordinator is elected by the group members, and the election meets the following requirements:
● after each election, the node serving as communication coordinator must change (non-repetition);
● the result of each election is irregular (unpredictability).
The average frequency at which elections take place is an adjustable parameter, set according to requirements such as system security and performance. Fig. 2 describes the schematic flow of electing the communication coordinator.
Fig. 3 describes the schematic flow of a DNS record update.
Fig. 3 (3a) is the schematic flow for the communication coordinator during a DNS record update, that is, when the communication coordinator goes to obtain the DNS records that need updating; Fig. 3 (3b) is the schematic flow for a non-coordinator member during a DNS record update.
2. Consistency arbitration
Each member sends a "verify" command within the group, sending the DNS records it stores to the other members. For system performance optimization, a member may choose to send all of its stored records or only part of them; the "partial records" can be the records used frequently in the recent past, or "important" records (such as the domain names and e-mail servers of banks, e-commerce platforms, government, etc.); these variations are also covered by the utility model. Fig. 4 gives the schematic flow of sending the verify command.
On receiving DNS records sent by other members, a member compares them with the records it holds itself; if it finds a difference, it starts the consistency arbitration procedure for that record difference, sending an arbitration command to the other members to trigger arbitration of the relevant record.
The arbitration procedure can take the form of a "vote", in which each member expresses its opinion according to its own comparison result. Depending on system policy or configuration, consensus on the difference can be formed by "majority rules", "one-vote veto", "administrator intervention required" or similar modes.
Taking "majority rules" as the example, the record's information is unified according to the opinion of the majority of members. For example, if 3 of 5 members consider that the corresponding record should not change, then all members set the record uniformly to the original information (the record held by those 3 members). Fig. 5 describes the schematic flow of consistency arbitration.
Each time an arbitration procedure occurs, all members perform the necessary logging (Log). When arbitration occurs frequently, such as when the number of consistency arbitrations within a certain period exceeds a threshold, an alarm is raised to the administrator, asking the administrator to intervene as early as possible and guard against possible problems. Fig. 6 gives the schematic flow for monitoring and handling the arbitration occurrence frequency.
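The verify command, the arbitration vote and the arbitration-frequency alarm described in this section, as an added in-memory simulation that is not code from the utility model: the policy names, the rule that an unresolved vote (no strict majority, or any dissent under one-vote veto) is escalated to the administrator with no automatic change, and the sliding-window alarm are assumptions of this example.

```python
from __future__ import annotations
import logging
from collections import Counter, deque
from dataclasses import dataclass

# Added example (not the utility model's own code). Policy names and the
# escalation rules below are assumptions made for this illustration.
MAJORITY = "majority"   # the minority defers to the majority
VETO = "veto"           # one-vote veto: any dissent blocks an automatic change
ADMIN = "admin"         # administrator intervention required; never auto-resolve

log = logging.getLogger("dns-group")


class ArbitrationMonitor:
    """Counts arbitrations in a sliding time window (seconds), per Fig. 6."""

    def __init__(self, threshold: int, window: float) -> None:
        self.threshold, self.window = threshold, window
        self.events: deque[float] = deque()

    def record(self, now: float) -> bool:
        """Register one arbitration; True when the count in the window exceeds the threshold."""
        self.events.append(now)
        while now - self.events[0] > self.window:
            self.events.popleft()
        return len(self.events) > self.threshold


@dataclass
class Member:
    name: str
    records: dict[str, str]   # domain -> IP address, as held by this node


class Group:
    def __init__(self, members: list[Member], policy: str, monitor: ArbitrationMonitor) -> None:
        self.members, self.policy, self.monitor = members, policy, monitor

    def arbitrate(self, domain: str, now: float) -> tuple[str, str | None, bool]:
        """Vote on one disputed record. Returns (outcome, adopted_value, alarm_raised)."""
        votes = Counter(m.records.get(domain) for m in self.members)
        for m in self.members:   # every member logs the arbitration
            log.info("arbitration %s: %s votes %s", domain, m.name, m.records.get(domain))
        alarm = self.monitor.record(now)
        value, count = votes.most_common(1)[0]
        if self.policy == MAJORITY and count > len(self.members) // 2:
            outcome, adopted = "resolved", value          # strict majority wins
        elif self.policy == VETO and count == len(self.members):
            outcome, adopted = "resolved", value          # only unanimity changes anything
        else:
            outcome, adopted = "admin", None              # leave records untouched, escalate
        if adopted is not None:
            for m in self.members:                        # unify the record group-wide
                m.records[domain] = adopted
        return outcome, adopted, alarm

    def verify(self, sender: Member, now: float, domains=None) -> dict[str, tuple]:
        """Sender broadcasts all (or selected) records; each differing record is arbitrated once."""
        results = {}
        for domain in (domains or sender.records):
            sent = sender.records[domain]
            if any(m is not sender and m.records.get(domain) != sent for m in self.members):
                results[domain] = self.arbitrate(domain, now)
        return results


def demo() -> tuple[Group, dict]:
    """Constructed scenario: 5 nodes, the record on 2 of them tampered to 111.222.33.44."""
    nodes = [Member(f"node{i}", {"www.example.com": "208.77.188.166"}) for i in range(1, 6)]
    for m in nodes[3:]:
        m.records["www.example.com"] = "111.222.33.44"
    group = Group(nodes, MAJORITY, ArbitrationMonitor(threshold=3, window=60.0))
    results = group.verify(nodes[4], now=0.0)   # the tampered node sends its records
    return group, results
```

With three of five nodes still holding the original record, the majority vote restores 208.77.188.166 on all five, which is the case the text walks through.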
3. Deployment modes
The method and system support flexible deployment; to protect the existing investment of DNS operators and to meet requirements such as smooth upgrades, two deployment modes are provided here.
Mode 1: extension mode
In extension mode the system is deployed between the original DNS server and the users. To the original DNS server, the system is equivalent to one of its users: it obtains the corresponding records from the original DNS server and updates and synchronizes them within the group, so the operating load placed on the original DNS server is very low. In this mode the system uses the original DNS server as its upper-level server; when a DDoS attack occurs it is absorbed by the system, so the attack does not reach the original DNS server. For users, a high-performance, safe and reliable DNS resolution service is provided, and user-side software needs no modification.
The benefit of this deployment mode is a smooth upgrade: the original system need not be modified, and the operator's investment is effectively protected.
Mode 2: primary mode
In primary mode the system replaces the original DNS server; the original DNS server may also, conditionally, be added to the system as a group member.
The benefit of this deployment mode is that the system's security and performance advantages and characteristics are exploited to the fullest extent.
From the above description of the embodiments it can be seen that the method and system can well solve the security problems of DNS systems that suffer distributed denial of service attacks or domain hijacking. The following beneficial technical effects are obtained:
Because the system adopts a unique arbitration mechanism, the possibility of DNS records being illegally tampered with is greatly reduced. Taking a group of 5 nodes as the example, even in "majority rules" mode an attacker would have to compromise 3 nodes simultaneously before being able to modify a DNS record, so the difficulty and effort the attacker faces grow exponentially; the optimized logging and alarm mechanisms also let the administrator notice threats to the system sooner and take timely measures, preventing trouble before it happens.
Because of the front-end load balancer mechanism in the system, connection requests from outside cannot stay on a single node, so the success rate of attacks that require multi-step operations (such as remotely connecting to a server or causing a stack overflow) is greatly reduced, further improving the security of the system.
In addition, the architecture adopted by the method and system lets the capacity and performance of the system grow linearly with the number of nodes; that is, two nodes achieve twice the processing capacity and three nodes three times, so that high-volume DNS resolution requests can be handled even when some of those requests come from a DDoS attack. This greatly raises the cost for an attacker launching DDoS, making it hard to sustain an effective DDoS attack (for example, one that makes the server fail so it can no longer provide domain name service), so that the malicious activity has to stop.
Beyond these benefits for DNS operators, the vast number of users and applications can use the DNS service the system provides without modifying any software; it is transparent to user applications. Ease of deployment and rollout is also a considerable advantage of the system.

Claims (1)

1. A domain name system, characterized by comprising: an IP address that is externally presented as a DNS; a load balancer used to distribute DNS resolution requests from the Internet to each node, so that the nodes share the whole traffic; and a peer working group made up of a group of members, the working group comprising member node 1, node 2, ..., node K, which mainly performs communication coordinator election, DNS record updating and consistency arbitration within the group.

Application and publication data

Application number: CN2010201283448U
Priority date: 2010-03-11
Filing date: 2010-03-11
Publication number: CN201717899U (en)
Publication date: 2011-01-19
Family ID: 43463907
Country status: CN, CN201717899U (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800752A (en) * 2010-03-11 2010-08-11 赵家祥 Method and system for improving safety and performance of domain name system (DNS)
CN101800752B (en) * 2010-03-11 2013-06-26 赵家祥 Method and system for improving safety and performance of domain name system (DNS)
CN107770222A (en) * 2016-08-19 2018-03-06 阿里巴巴集团控股有限公司 Web information processing method, equipment and system
CN107770222B (en) * 2016-08-19 2021-03-23 阿里巴巴集团控股有限公司 Network information processing method, equipment and system


Legal Events

C14: Grant of patent or utility model
GR01: Patent grant
CF01: Termination of patent right due to non-payment of annual fee

Granted publication date: 20110119
Termination date: 20140311