WO2015158193A1 - Method and system for providing a root domain name resolution service - Google Patents

Method and system for providing a root domain name resolution service

Info

Publication number
WO2015158193A1
Authority
WO
WIPO (PCT)
Prior art keywords
dns
domain name
resolution
root
name resolution
Prior art date
Application number
PCT/CN2015/074613
Other languages
English (en)
French (fr)
Inventor
谭晓生
齐向东
濮灿
Original Assignee
北京奇虎科技有限公司
奇智软件(北京)有限公司
Application filed by 北京奇虎科技有限公司, 奇智软件(北京)有限公司
Priority to US15/305,094 (US20170041321A1)
Publication of WO2015158193A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/45 Network directories; Name-to-address mapping > H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols > H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00 Network arrangements, protocols or services for addressing or naming > H04L61/45 Network directories; Name-to-address mapping > H04L61/4552 Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security > H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • the present invention relates to the field of communications technologies, and in particular, to a method and system for providing a root domain name resolution service.
  • DNS is the abbreviation of Domain Name System. It is a core service of the Internet: a distributed database that maps domain names and IP addresses to each other, which makes it easier for people to access the Internet without having to remember the numeric IP strings that machines read directly.
  • the general structure of an Internet host domain name is: hostname.third-level domain.second-level domain.top-level domain.
  • the top-level domains of the Internet are registered and managed by the committee of the Internet network association responsible for domain name registration queries and network address allocation, and each host on the Internet is assigned a unique IP address.
  • FIG. 1 is a hierarchical diagram of a DNS in the prior art.
  • the existing DNS architecture is a hierarchical tree structure. This tree structure is called a DNS domain name space, and the uppermost domain name space is called a “root node”.
  • the path from the top-level domain to a sub-domain constitutes a domain name, for example, from the top-level domain .com to its second-level domain Microsoft, and then to Microsoft's sub-domain departmentA, which constitutes a domain name, departmentA.microsoft.com.
  • FIG. 2 is a flowchart of a DNS domain name resolution in the prior art, using the resolution process for accessing the NetEase portal address www.163.com as an example. The process is:
  • Step 1: the user's computer sends a request to resolve www.163.com to the local DNS server configured on its system.
  • the so-called local DNS server is a DNS service IP address, which may be obtained automatically from the operator or set manually.
  • Step 2: the local DNS server checks whether it has a cache entry for the domain name in its own space. If not, it sends a domain name resolution request for www.163.com to the root server.
  • Step 3: after receiving the local DNS server's resolution request for the domain name, the root server analyzes the requested domain name and returns to the local server the IP address of the server for the .com domain name node.
  • Step 4: after receiving the IP address of the .com top-level domain server, the local DNS server sends a resolution request for www.163.com to the .com top-level domain.
  • Step 5: after receiving the resolution request for www.163.com, the .com top-level domain server returns to the local DNS server the IP address of the DNS server for the second-level domain 163.
  • Step 6: the local DNS server continues by sending a resolution request for www.163.com to the DNS server of the second-level domain 163.
  • Step 7: the management server of the 163 domain manages all subdomains under 163.com. Its domain name space contains the subdomain www, whose corresponding IP address is 111.1.53.220, so the DNS server of the 163.com domain returns the IP address 111.1.53.220 corresponding to www.163.com to the local DNS server.
  • Step 8: after receiving the resolution result for www.163.com from the 163.com domain server, the local DNS server returns the corresponding IP address 111.1.53.220 to the user and keeps the result for a period of time for queries from other users.
  • Step 9: having obtained the IP address 111.1.53.220 corresponding to the domain name www.163.com, the user's computer begins requesting web page content from the IP address 111.1.53.220. At this point, one complete DNS request resolution process ends.
  • the DNS root server is the "root" of the DNS tree name space. It is responsible for the resolution of the TLD (top level domain) and plays a key role in domain name resolution. In theory, any form of standard domain name to be analyzed, in accordance with the technical process, must be completed through the work of the global "hierarchical" domain name resolution system.
  • the first layer of the "hierarchical" domain name resolution system is the root server, which is responsible for managing the domain name information of countries all over the world.
  • below the root server are the top-level domain name servers, that is, the databases of the relevant national domain name administration bodies, such as CNNIC in China; the query then proceeds to the next-level domain name database and the cache servers of ISPs (Internet Service Providers).
  • a domain name must first be resolved by the root database before it can be redirected to the top-level domain name server. If the DNS root node is not accessible, all domain name resolution will fail.
  • the present invention has been made in order to provide a system for providing a root domain name resolution service that overcomes the above problems or at least partially solves or alleviates the above problems, and a corresponding method for providing a root domain name resolution service.
  • a method for providing a root domain name resolution service includes: obtaining DNS resolution records of a plurality of domain names in a predetermined area; establishing an authorization information database of the DNS nodes at each level according to the resolution records; and starting a virtual root node that provides the root domain name resolution service, the virtual root node responding to root domain name resolution requests in the predetermined area according to the data in the authorization information database.
  • a system for providing a root domain name resolution service comprises: a data acquisition device configured to acquire DNS resolution records of a plurality of domain names in a predetermined area; and a virtual root node server configured to establish, according to the resolution records, an authorization information database of the DNS nodes at each level, and to run a virtual root node providing the root domain name resolution service that responds to root domain name resolution requests in the predetermined area according to the data in the authorization information database.
  • a computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform any of the above methods for providing a root domain name resolution service.
  • a computer readable medium wherein the computer program described above is stored.
  • the method and system for providing a root domain name resolution service use the DNS resolution records in a predetermined area to establish a DNS authorization information database as the data foundation of a virtual root node providing the root domain name resolution service, and automatically provide a DNS root resolution service in the area.
  • the service reduces the Internet risk caused by failure of domain name resolution in the region when relying on the existing DNS system for root domain name resolution.
  • the virtual root node adopts distributed deployment and provides service through the anycast mode, which can effectively reduce DNS single points of failure and improve defense against DNS attacks; access control can also be configured on the virtual root node.
  • FIG. 1 is a hierarchical architecture diagram of a DNS in the prior art
  • FIG. 3 is an architectural diagram of a system for providing a root domain name resolution service according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of a system for providing a root domain name resolution service to fetch data packets at a backbone network outlet to obtain data according to an embodiment of the present invention
  • FIG. 5 is a schematic diagram of data acquisition by a local DNS server of a system for providing a root domain name resolution service according to an embodiment of the present invention
  • FIG. 6 is a schematic diagram of a system for providing a root domain name resolution service providing a root domain name resolution service according to an embodiment of the present invention
  • FIG. 7 is a schematic diagram of a method for providing a root domain name resolution service according to an embodiment of the present invention.
  • Figure 8 is a schematic block diagram of a computing device for performing a method of providing a root domain name resolution service in accordance with the present invention
  • Fig. 9 schematically shows a storage unit for holding or carrying program code implementing a method of providing a root domain name resolution service according to the present invention.
  • FIG. 3 is an architectural diagram of a system 100 for providing a root domain name resolution service according to one embodiment of the present invention; the system 100 may generally include a data acquisition device 110 and a virtual root node server 120.
  • a DNS verification device 130 may be further provided.
  • the data acquisition device 110 is configured to obtain DNS resolution records for a plurality of domain names within a predetermined area.
  • the virtual root node server 120 is configured to establish an authorization information database of the DNS nodes at each level according to the resolution records, and to run a virtual root node that provides the root domain name resolution service and responds to root domain name resolution requests in the predetermined area according to the data in the authorization information database.
  • the DNS verification device 130 is configured to determine whether the DNS resolution result is correct; the virtual root node server 120 starts the virtual root node that provides the root domain name resolution service if the determination result of the DNS verification device is negative.
  • the system 100 for the root domain name resolution service of the present embodiment uses the DNS resolution records in the predetermined area to establish a DNS authorization information database, which serves as the data foundation of the virtual root node providing the root domain name resolution service, and automatically provides a DNS root resolution service for the area. This reduces the Internet risk caused by failure of domain name resolution in the region when relying on the existing DNS system for root domain name resolution. For example, during the resolution of all cn domain names in China, the DNS resolution records of all cn domain names can be obtained and an authorization information database of cn domain names established, so that when the existing DNS system refuses to provide root resolution for cn domain names, or its root resolution of cn domain names is in error, the virtual root node of the system 100 of the present embodiment provides the cn domain name resolution service using the backed-up data.
  • the data acquisition device 110 can obtain the DNS resolution records in multiple ways. One option is to capture DNS resolution packets at a backbone network outlet of the predetermined area and analyze them to obtain the DNS resolution records of the resolved domain names. Another option is to obtain the information of the authoritative servers at each level of a resolved domain name during the recursive resolution performed by a local recursive DNS, and to save that authoritative server information as the DNS resolution record of the domain name.
  • DNS resolution packets can be captured at the backbone network exit to obtain the DNS resolution records.
  • FIG. 4 is a schematic diagram of a system 100 for providing a root domain name resolution service that fetches data packets at a backbone network outlet to obtain data according to an embodiment of the present invention.
  • the root domain name resolution server can use anycast technology to set up a mirror site in a certain area, but the mirror still depends on the root domain name resolution server.
  • the required information can be collected either through the layer-by-layer resolution process of the DNS protocol itself or by packet analysis at the exit of the backbone network.
  • the DNS authorization information is analyzed, the corresponding complete DNS hierarchical relationship is established, and then the data required for a complete virtual root node is built.
  • the user host sends a DNS resolution request to the local DNS, which generally performs a recursive query.
  • if the local DNS server has not cached the address of the queried domain name, it continues to send query requests onward to the root domain name server and the other domain name servers.
  • the data obtaining apparatus 110 can obtain the information of the authorization server of the next level in each level of the DNS authorization server by using the recursive domain name resolving process in the local recursive DNS, thereby obtaining the information of the authorization server at each level.
  • FIG. 5 is a schematic diagram of data acquisition by a local DNS server of a system 100 for providing a root domain name resolution service according to an embodiment of the present invention.
  • each level node in the hierarchical space stores the authorization information records of the relevant nodes of the next level.
  • the local DNS accesses all nodes in the domain name space, so the recursive process of the local DNS server can be used to save the authorization records of these nodes and, according to the relationships among the records, form a backup of the domain name hierarchy space and establish an authorization information database.
  • the authorization database corresponds to each level of the domain name space, and its data is updated in real time, so that the authorization information database forms a mirror of the Internet domain name hierarchy. Since the database holds all the authorization information records, when the root node, or even the domain name node server of any level, fails, the data in the database can be used to provide the authorization resolution service of the DNS server at that level.
  • the local recursive DNS server (including the DNS provided by the operator and public DNS) obtains the authoritative server information of the corresponding domain name during recursion. Therefore, during the recursion of the local DNS, the resolution records of all domain names in the area can be mirrored and stored as a backup.
  • the virtual root node server 120 may be arranged in a distributed manner, and is configured to store an authorization information database according to the type of the domain name and provide a data service by a Border Gateway Protocol (BGP).
  • Border Gateway Protocol (BGP) is a routing protocol between autonomous systems that runs over TCP.
  • BGP is a protocol designed to handle networks the size of the Internet, and it can also properly handle multiple connections between unrelated routing domains.
  • multiple virtual root node servers 120 can share the same address and provide data services in the form of anycast. When an anycast address is assigned to more than one interface, a packet sent to that address is routed by the network to the "nearest" target interface as measured by the routing protocol.
  • anycast allows a DNS resolution request to be sent to one node among the multiple virtual root node servers 120; this node is selected by the routing system transparently to the requesting node, which to a certain degree provides better service for the source node and reduces network load.
  • multiple virtual root node servers 120 can obtain the corresponding response results by querying the distributed database, and can work simultaneously on multiple machines through Open Shortest Path First (OSPF) to improve responsiveness.
  • the OSPF protocol is an Interior Gateway Protocol (IGP) used to determine routes within an autonomous system (AS). It is an implementation of a link state routing protocol, belongs to the family of interior gateway protocols, and operates inside the autonomous system.
  • arranging the virtual root node servers 120 in a distributed manner not only speeds up the DNS resolution process but also uses Internet resources more reasonably; providing service through the anycast mode reduces DNS single points of failure and improves defense against DNS attacks. Access control can also be configured on the virtual root node to block DNS attack data. When a resolution exception occurs, service to the local DNS servers in the area is given priority.
  • an operation flow of the DNS verification device 130 is: listening for DNS resolution packets at the backbone network exit of the predetermined area; determining whether each DNS resolution packet matches the pre-stored DNS resolution packets; and if any of these determinations is negative, judging the DNS resolution result to be incorrect.
  • the virtual root node server 120 provides the virtual root node of the root domain name resolution service, and completes the root domain name resolution work in the area.
  • the result of root domain name resolution generally does not change easily. If the currently returned resolution result does not match the pre-stored result in the history record, this indicates that the resolution has been tampered with, and an alarm or manual intervention is required. In addition, if the authorization of a top-level domain is not working properly or the returned result is "SERVFAIL", it can be judged directly that the resolution result is wrong.
  • a method for correcting the DNS result is: after the resolution result is found to have been tampered with, a judgment is made according to the alarm information, an interface operation is clicked, and the system automatically switches DNS resolution to the virtual root node in batches.
  • the foregoing alarm information may be determined by combining the pre-collected illegal DNS IP address list with the legal DNS IP address whitelist.
  • the pre-collected malicious DNS IP address list may be a set of illegal DNS IP addresses pre-collected by a security vendor; it may be a list pre-collected in the client database, or a list of malicious DNS IP addresses downloaded from a website into the client database.
  • the preset legal DNS IP address whitelist may be pre-stored in the client database or downloaded from a website server (for example, a cloud security server).
  • the main security levels include "dangerous", "warning" and "safe".
  • the security level "dangerous" represents the greatest threat to the user, "warning" the next, and "safe" the weakest.
  • the prompts on the interface can be given accordingly. After the interface alarm information is displayed, the virtual root node can be started automatically or manually to avoid the security risk caused by illegal DNS resolution.
  • FIG. 6 is a schematic diagram of a system 100 for providing a root domain name resolution service providing a root domain name resolution service according to an embodiment of the present invention.
  • the virtual root node server 120 can start a virtual root node service on the basis of the data, and provide the same root node resolution service and other top-level domain authorization disaster recovery services.
  • the backbone network exit of the area is set to listen for DNS data packets, and the correctness of the DNS resolution records is monitored. Once an abnormality in the resolution of the root node or other uncontrollable domain names is found, the corresponding request packets can be sent at the exit.
  • when the existing root domain name resolution server, or the corresponding other domain name resolution, is abnormal, the virtual root node server 120 provides the DNS root service through the virtual root node constructed via BGP (anycast mode), using the authorization information database.
  • other recursive DNS servers can be directed to the virtual root service IP by modifying the root node IP, or by forwarding all domain name resolutions to the virtual root node, and the virtual root node provides domain name resolution services according to the authorization information database.
  • the user host that issues the DNS resolution request can urgently switch the user's DNS to a public DNS that can still resolve, so as to ensure that the network user can use the network normally.
  • the above virtual root node server 120 can also determine whether a DNS resolution request is malicious by examining the information of the DNS resolution request, so as to defend against denial of service attacks on the DNS.
  • the virtual root node server 120 uses a cache, cache access optimization, pre-updating and the like to minimize resolution delay and achieve high-speed, secure resolution of DNS requests.
  • resolution and security linkage measures limit the request rate of DNS resolution request sources.
  • the virtual root node server 120 in the present embodiment performs domain name resolution for the DNS resolution requests issued by local DNS servers, and the virtual root node server 120 is provided with a defense device against DNS attacks.
  • the defense device obtains a DNS query request and the IP address of its request source; queries the request record information of the request source by IP address in an access record database; determines whether the number of requests within the predetermined record period in that request record information exceeds a preset threshold; and if so, determines that the request source is performing a DNS attack and defends against it.
  • the defense method may directly filter over-rate DNS requests, or combine with security software such as a security guard installed on the user client to perform protection and prompting.
  • the user client outputs prompt information in the security suggestion display area or changes the DNS server address to a preset secure address, thereby improving the security of the virtual root node server 120.
  • the embodiment of the present invention further provides a method for providing a root domain name resolution service.
  • the method for providing a root domain name resolution service may be implemented by any of the systems for providing a root domain name resolution service introduced in the foregoing embodiment, and implements DNS root domain name resolution in a predetermined area.
  • FIG. 7 is a schematic diagram of a method for providing a root domain name resolution service according to an embodiment of the present invention, where the method for providing a root domain name resolution service includes:
  • Step S702: obtain DNS resolution records of multiple domain names in a predetermined area.
  • Step S704: establish an authorization information database of the DNS nodes at each level according to the resolution records.
  • Step S706: start a virtual root node that provides the root domain name resolution service.
  • Step S708: the virtual root node responds to root domain name resolution requests in the predetermined area according to the data in the authorization information database.
  • an optional process for step S702 is: capturing DNS resolution packets at a backbone network exit of the predetermined area; and analyzing the DNS resolution packets to obtain the DNS resolution records of the resolved domain names.
  • another optional process for step S702 is: obtaining the information of the next-level authoritative server at each level of the DNS authoritative servers during the recursive domain name resolution of a local recursive DNS; and storing the obtained information of the authoritative servers at each level as the DNS resolution record of the domain name.
  • an optional process for step S704 is: storing the resolution records in a distributed storage form according to the type of the domain name, the authorization information database providing its data service via the Border Gateway Protocol.
  • before the virtual root node is started, it may also be determined whether the DNS resolution result is correct; if the result of the determination is no, the virtual root node that provides the root domain name resolution service is started. Determining whether the DNS resolution result is correct can be implemented by: listening for DNS resolution packets at the backbone network exit of the predetermined area; determining whether each DNS resolution packet matches the pre-stored DNS resolution packets; and if any of these determinations is negative, judging the DNS resolution result to be incorrect.
  • the solution in this embodiment uses the DNS resolution records in the predetermined area to establish a DNS authorization information database, which serves as the data foundation of the virtual root node that provides the root domain name resolution service, and automatically provides the DNS root resolution service in the area, thereby reducing the Internet risk caused by failure of domain name resolution in the area when relying on the existing DNS system for root domain name resolution.
  • modules in the devices of the embodiments can be adaptively changed and placed in one or more devices different from the embodiment.
  • the modules or units or components of the embodiments may be combined into one module or unit or component, and further they may be divided into a plurality of sub-modules or sub-units or sub-components.
  • all of the features disclosed in this specification (including the accompanying claims, the abstract and the drawings), and all of the processes or units of any method or device so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, the abstract and the drawings) may be replaced by alternative features that provide the same, equivalent or similar purpose.
  • the various component embodiments of the present invention may be implemented in hardware, or in a software module running on one or more processors, or in a combination thereof.
  • a microprocessor or digital signal processor may be used in practice to implement some or all of the functionality of some or all of the components of the system providing root domain name resolution services in accordance with embodiments of the present invention.
  • the invention can also be implemented as a device or device program (e.g., a computer program and a computer program product) for performing some or all of the methods described herein.
  • a program implementing the invention may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
  • Figure 8 illustrates a computing device that can implement a method of providing a root domain name resolution service in accordance with the present invention.
  • the computing device conventionally includes a processor 810 and a computer program product or computer readable medium in the form of a memory 820.
  • the memory 820 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk, or a ROM.
  • Memory 820 has a memory space 830 for program code 831 for performing any of the method steps described above.
  • storage space 830 for program code may include various program code 831 for implementing various steps in the above methods, respectively.
  • the program code can be read from or written to one or more computer program products.
  • Such computer program products include program code carriers such as hard disks, compact disks (CDs), memory cards or floppy disks.
  • Such a computer program product is typically a portable or fixed storage unit as described with reference to FIG.
  • the storage unit may have storage segments, storage spaces, and the like that are similar to the storage 820 in the computing device of FIG.
  • the program code can be compressed, for example, in an appropriate form.
  • the storage unit includes computer readable code 831', i.e., code readable by a processor such as 810, which, when executed by a computing device, causes the computing device to perform each step of the methods described above.
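The authorization information database and the virtual root node's referral behaviour described in the data acquisition passages above (and the referral sequence of the nine-step www.163.com walkthrough) can be modelled as follows. This is an added example, not code from the patent or its applicant; the zone, name server and address values are constructed sample data, and `AuthorizationDatabase`, `NsRecord` and the method names are this example's own.

```python
"""Authorization information database built from observed DNS delegations.

Added example (not from the patent): an in-memory model of the database the
virtual root node serves from. Each record is one delegation learned during
recursion (zone -> authoritative name server and its address), which is what
a recursive resolver sees in every referral on its way down the tree.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class NsRecord:
    zone: str      # delegated zone, fully qualified, e.g. "163.com."
    nsname: str    # name server authoritative for that zone
    address: str   # glue / resolved address of that name server


def normalize(name: str) -> str:
    """Lower-case and fully qualify a name; "" and "." both mean the root."""
    name = name.strip().lower()
    if name in ("", "."):
        return "."
    return name if name.endswith(".") else name + "."


def in_zone(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (label-aligned: "xcom." is not in "com.")."""
    if zone == ".":
        return True
    return name == zone or name.endswith("." + zone)


class AuthorizationDatabase:
    def __init__(self) -> None:
        self._zones: dict[str, set[NsRecord]] = {}

    def add(self, rec: NsRecord) -> None:
        zone = normalize(rec.zone)
        self._zones.setdefault(zone, set()).add(
            NsRecord(zone, normalize(rec.nsname), rec.address))

    def ingest(self, records: Iterable[NsRecord]) -> None:
        for rec in records:
            self.add(rec)

    def zones(self) -> list[str]:
        return sorted(self._zones)

    def nameservers(self, zone: str) -> list[NsRecord]:
        return sorted(self._zones.get(normalize(zone), ()), key=lambda r: r.nsname)

    def referral(self, qname: str, acting_as: str = ".") -> Optional[tuple[str, list[NsRecord]]]:
        """Answer as the server for `acting_as` (the root by default): return the
        child zone on the path to `qname` and its NS set, or None when `qname` is
        outside `acting_as` or no child delegation is known."""
        q, parent = normalize(qname), normalize(acting_as)
        if not in_zone(q, parent):
            return None
        labels = q.rstrip(".").split(".")
        # Shortest suffix first: "com." before "163.com." before "www.163.com."
        for i in range(len(labels) - 1, -1, -1):
            child = ".".join(labels[i:]) + "."
            if child != parent and in_zone(child, parent) and child in self._zones:
                return child, self.nameservers(child)
        return None

    def delegation_chain(self, qname: str) -> list[str]:
        """Zones handed off to, root downward, before the last one is asked for
        the final record (the referrals of steps 3, 5 and 7 in the walkthrough)."""
        chain: list[str] = []
        current = "."
        while (hop := self.referral(qname, current)) is not None:
            current = hop[0]
            chain.append(current)
        return chain


# Constructed sample records (documentation addresses, made-up server names).
SAMPLE_RECORDS = [
    NsRecord("com.", "a.gtld-servers.example.", "192.0.2.10"),
    NsRecord("com.", "b.gtld-servers.example.", "192.0.2.11"),
    NsRecord("163.com.", "ns1.163.example.", "198.51.100.5"),
    NsRecord("cn.", "a.dns.cn.example.", "192.0.2.20"),
]


def build_sample_db() -> AuthorizationDatabase:
    db = AuthorizationDatabase()
    db.ingest(SAMPLE_RECORDS)
    return db


if __name__ == "__main__":
    db = build_sample_db()
    print("zones mirrored:", db.zones())
    for name in ("www.163.com.", "www.example.cn.", "www.example.org."):
        print(name, "->", db.delegation_chain(name) or "no delegation known")
```

A name whose top-level domain was never observed (www.example.org. in the sample) yields an empty chain, which is exactly the case the mirror cannot cover and the existing root would still be needed for.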

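The DNS verification device and the alarm levels described above, as an added example that is not the patent's code: constructed observations are checked against a stored history, SERVFAIL and mismatches are flagged, each result is graded using the whitelist and the pre-collected illegal DNS list, and the outcome decides whether the virtual root node is started. The grading rule and the automatic-start rule are this example's own assumptions; 111.1.53.220 is the address from the page's walkthrough, every other address is constructed.

```python
"""DNS verification device (added example, not from the patent): compares
observed resolution results with the pre-stored history and grades the alarm
by consulting the legal-DNS whitelist and the illegal-DNS list."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    qname: str                 # resolved name, fully qualified
    server_ip: str             # DNS server that produced this answer
    rcode: str                 # "NOERROR", "SERVFAIL", ...
    answers: frozenset[str]    # addresses (or NS names) in the answer


# Pre-stored results from earlier listening at the backbone exit. The
# 111.1.53.220 value is the one in the patent's walkthrough; the rest are
# constructed documentation values.
HISTORY: dict[str, frozenset[str]] = {
    "www.163.com.": frozenset({"111.1.53.220"}),
    "com.": frozenset({"a.gtld-servers.example.", "b.gtld-servers.example."}),
}
LEGAL_DNS_WHITELIST = {"192.0.2.53"}        # constructed
ILLEGAL_DNS_BLACKLIST = {"203.0.113.66"}    # constructed


def verify(obs: Observation, history=HISTORY) -> tuple[bool, str]:
    """(is_correct, reason): SERVFAIL or a mismatch with history is incorrect."""
    if obs.rcode == "SERVFAIL":
        return False, "SERVFAIL: authorization path not working"
    expected = history.get(obs.qname)
    if expected is None:
        return True, "no stored result for this name"
    if obs.answers != expected:
        return False, "answer differs from stored result (possible tampering)"
    return True, "matches stored result"


def alarm_level(obs: Observation, correct: bool,
                whitelist=LEGAL_DNS_WHITELIST, blacklist=ILLEGAL_DNS_BLACKLIST) -> str:
    """Grading rule assumed for this example: a known illegal server, or a wrong
    answer from an unknown server, is 'dangerous'; a wrong answer from a
    whitelisted server is 'warning'; everything else is 'safe'."""
    if obs.server_ip in blacklist:
        return "dangerous"
    if not correct:
        return "warning" if obs.server_ip in whitelist else "dangerous"
    return "safe"


def check_all(observations) -> list[dict]:
    results = []
    for obs in observations:
        correct, reason = verify(obs)
        results.append({"qname": obs.qname, "server": obs.server_ip,
                        "correct": correct, "level": alarm_level(obs, correct),
                        "reason": reason})
    return results


def should_start_virtual_root(results) -> bool:
    """Automatic-start rule assumed here: any incorrect result triggers the switch."""
    return any(not r["correct"] for r in results)


# Constructed observations: a good answer, a tampered answer from a listed
# illegal server, a SERVFAIL for the TLD, and a name with no history.
SAMPLE_OBSERVATIONS = [
    Observation("www.163.com.", "192.0.2.53", "NOERROR", frozenset({"111.1.53.220"})),
    Observation("www.163.com.", "203.0.113.66", "NOERROR", frozenset({"198.51.100.99"})),
    Observation("com.", "192.0.2.53", "SERVFAIL", frozenset()),
    Observation("www.example.net.", "192.0.2.53", "NOERROR", frozenset({"198.51.100.1"})),
]

if __name__ == "__main__":
    results = check_all(SAMPLE_OBSERVATIONS)
    for r in results:
        print(f"{r['level']:>9}  {r['qname']:<18} from {r['server']:<13} {r['reason']}")
    print("start virtual root:", should_start_virtual_root(results))
```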

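The DNS attack defense device described above, as an added example that is not the patent's code: an access record database keyed by request-source IP with a sliding record period, a threshold check, and filtering of over-rate requests, replayed over constructed traffic. The period, threshold and traffic values are this example's assumptions.

```python
"""Request-rate defense at the virtual root node (added example, not the
patent's code): an access record database keyed by request-source IP keeps the
request timestamps within the predetermined record period; a source whose count
exceeds the preset threshold is classified as a DNS attack and filtered."""
from __future__ import annotations

from collections import defaultdict, deque


class AccessRecordDatabase:
    """Per-source request records, kept only for the last `period` seconds."""

    def __init__(self, period_seconds: float, threshold: int) -> None:
        self.period = period_seconds
        self.threshold = threshold
        self._records: dict[str, deque[float]] = defaultdict(deque)

    def count_in_period(self, src_ip: str, now: float) -> int:
        """Drop timestamps that have left the record period, return what remains."""
        q = self._records[src_ip]
        while q and now - q[0] >= self.period:
            q.popleft()
        return len(q)

    def record_request(self, src_ip: str, now: float) -> int:
        """Store this request and return the source's count in the current period."""
        self.count_in_period(src_ip, now)
        self._records[src_ip].append(now)
        return len(self._records[src_ip])


def handle_query(db: AccessRecordDatabase, src_ip: str, qname: str, now: float) -> str:
    """'filtered' when the source is over the threshold (treated as a DNS
    attack), otherwise 'answered' (the real answer would then be served from
    the authorization information database)."""
    if db.record_request(src_ip, now) > db.threshold:
        return "filtered"
    return "answered"


# Constructed traffic sample: (timestamp in seconds, source IP, query name).
SAMPLE_TRAFFIC = (
    [(0.05 * i, "203.0.113.9", "www.163.com.") for i in range(12)]        # burst
    + [(0.3, "198.51.100.7", "www.163.com."),
       (0.6, "198.51.100.7", "163.com."),
       (0.9, "198.51.100.7", "www.example.cn.")]                          # normal
    + [(5.0, "203.0.113.9", "www.163.com.")]   # burst source, after the period
)


def run(traffic, period: float = 1.0, threshold: int = 10) -> dict[str, dict[str, int]]:
    """Replay traffic in time order; per source, how many were answered/filtered."""
    db = AccessRecordDatabase(period, threshold)
    summary: dict[str, dict[str, int]] = defaultdict(lambda: {"answered": 0, "filtered": 0})
    for ts, src_ip, qname in sorted(traffic):
        summary[src_ip][handle_query(db, src_ip, qname, ts)] += 1
    return dict(summary)


if __name__ == "__main__":
    for src_ip, counts in run(SAMPLE_TRAFFIC).items():
        print(f"{src_ip:<14} {counts}")
```

Because the window slides, the burst source is served again once its earlier requests have aged out of the record period, so a legitimate resolver that briefly exceeds the threshold is not locked out permanently.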
Abstract

The present invention provides a method and system for providing a root domain name resolution service. The method includes: obtaining DNS resolution records of a plurality of domain names within a predetermined area; establishing an authorization information database of the DNS nodes at each level according to the resolution records; starting a virtual root node that provides the root domain name resolution service, and having the virtual root node answer root domain name resolution requests within the predetermined area according to the data in the authorization information database. With the technical solution of the present invention, the DNS resolution records within the predetermined area are used to establish a DNS authorization information database as the data foundation of the virtual root node that provides the root domain name resolution service, a DNS root resolution service is provided automatically for the area, and the Internet risk caused by failure of domain name resolution within the area when relying on the existing DNS system for root domain name resolution is reduced.

Description

Method and system for providing root domain name resolution service
Technical Field
The present invention relates to the field of communication technology, and in particular to a method and system for providing a root domain name resolution service.
Background
DNS (Domain Name System) is a core service of the Internet. As a distributed database that maps domain names to IP addresses and back, it lets people reach the Internet more conveniently without having to remember the numeric IP strings that machines read directly.
The general structure of an Internet host domain name is: hostname.third-level-domain.second-level-domain.top-level-domain. Top-level domains are registered and managed by the Internet body responsible for domain name registration and network address assignment, and each Internet host is assigned a unique IP address.
Figure 1 is the hierarchical architecture of DNS in the prior art. The existing DNS architecture is a hierarchical tree; this tree is called the DNS namespace, and the topmost namespace is called the "root node". The path from a top-level domain down to a particular subdomain forms a domain name: for example, from the top-level domain .com to its second-level domain microsoft and on to microsoft's subdomain departmentA gives the domain name departmentA.microsoft.com.
Figure 2 is a domain name resolution flow of the prior art DNS, illustrated by the resolution of the NetEase portal address www.163.com. The flow is:
Step 1: the user's computer sends a request to resolve www.163.com to the local DNS server configured on its system. The local DNS server is a DNS service IP address, either obtained automatically from the carrier or set manually.
Step 2: the local DNS server checks its own cache for this domain name; if there is no cached entry, it sends a resolution request for www.163.com to a root server.
Step 3: on receiving the resolution request from the local DNS server, the root server examines the requested name and returns to the local server the IP address of the server for the .com domain node.
Step 4: having received the IP address of the .com top-level domain server, the local DNS server sends the resolution request for www.163.com to the .com top-level domain.
Step 5: on receiving the resolution request for www.163.com, the .com top-level domain server returns to the local DNS server the IP address of the DNS server for the second-level domain 163.
Step 6: the local DNS server in turn sends the resolution request for www.163.com to the DNS server of the second-level domain 163.
Step 7: the authoritative server for the 163 domain manages all subdomains under 163.com. Its namespace contains the subdomain www, whose IP address is 111.1.53.220, so the DNS server for the 163.com domain returns the IP address 111.1.53.220 for www.163.com to the local DNS server.
Step 8: on receiving the resolution result for www.163.com from the 163.com domain server, the local DNS server returns the IP address 111.1.53.220 to the user and keeps the result for a period of time to serve other users' queries.
Step 9: having obtained the IP address 111.1.53.220 for www.163.com, the user's computer requests the web page content from 111.1.53.220. This completes one full DNS resolution flow.
The DNS root servers are the "root" of the DNS tree namespace; they are responsible for resolving TLDs (Top Level Domains) and play a critical role in domain name resolution. In theory, for any standard domain name to be resolved, the technical flow must pass through the global "hierarchical" resolution system.
From the above it can be seen that the first layer of the "hierarchical" resolution system is the root servers, which manage domain name information for every country; below them are the top-level domain servers, i.e. the databases of the national domain name administrations such as CNNIC in China; then come the next-level domain name databases and the cache servers of ISPs (Internet Service Providers) that are queried. A domain name must first be resolved through the root database before it can proceed to the top-level domain server. If the DNS root node cannot be reached, all domain name resolution fails.
However, there are only 13 root servers worldwide. At present the primary root server (A) is in the United States; of the secondary root servers (B to M), 9 are in the United States and Sweden, the Netherlands and Japan have one each. In the prior art, if the resolution system blocks the domain names of a certain region, their IP addresses can no longer be resolved and the websites those names point to disappear from the Internet. The prior art therefore lacks a solution for handling root domain name resolution failure within a region.
Summary of the Invention
In view of the above problems, the present invention is proposed to provide a system for providing a root domain name resolution service, and a corresponding method, that overcome or at least partially solve or alleviate the above problems.
According to one aspect of the present invention, a method for providing a root domain name resolution service is provided, comprising: acquiring DNS resolution records for a plurality of domain names within a predetermined region; building an authority information database for the DNS nodes at each level according to the resolution records; starting a virtual root node that provides the root domain name resolution service, the virtual root node answering root domain name resolution requests within the predetermined region from the data in the authority information database.
According to another aspect of the present invention, a system for providing a root domain name resolution service is provided, comprising a data acquisition device configured to acquire DNS resolution records for a plurality of domain names within a predetermined region, and a virtual root node server configured to build an authority information database for the DNS nodes at each level according to the resolution records and to run a virtual root node providing the root domain name resolution service, which answers root domain name resolution requests within the predetermined region from the data in the authority information database.
According to yet another aspect of the present invention, a computer program is provided, comprising computer readable code which, when run on a computing device, causes the computing device to perform the method for providing a root domain name resolution service according to any of the above.
According to a further aspect of the present invention, a computer readable medium storing the above computer program is provided.
The beneficial effects of the present invention are:
The method and system for providing a root domain name resolution service of the present invention use the DNS resolution records of a predetermined region to build a DNS authority information database that serves as the data foundation of a virtual root node providing the root resolution service, automatically providing root DNS resolution for the region and reducing the Internet risk caused by resolution failures within the region when root domain name resolution relies on the existing DNS system.
Further, in the method and system of the present invention the virtual root nodes are deployed in a distributed manner and serve requests in anycast mode, which reduces DNS single points of failure and improves the ability to withstand DNS attacks; access control can be configured on the virtual root nodes to block DNS attack traffic and give priority to normal answers for the local DNS servers within the region.
The above is only an overview of the technical solution of the present invention. So that its technical means can be understood more clearly and implemented according to the specification, and so that the above and other objects, features and advantages become more apparent, specific embodiments of the invention are set out below.
Brief Description of the Drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting. The same reference symbols denote the same components throughout the drawings. In the drawings:
Figure 1 is the hierarchical architecture of DNS in the prior art;
Figure 2 is a domain name resolution flow of DNS in the prior art;
Figure 3 is the architecture of a system for providing a root domain name resolution service according to one embodiment of the invention;
Figure 4 shows the system of one embodiment capturing packets at the backbone network egress to acquire data;
Figure 5 shows the system of one embodiment acquiring data through a local DNS server;
Figure 6 shows the system of one embodiment providing the root domain name resolution service;
Figure 7 is a diagram of the method for providing a root domain name resolution service according to one embodiment;
Figure 8 schematically shows a block diagram of a computing device for executing the method of the invention; and
Figure 9 schematically shows a storage unit for holding or carrying program code implementing the method of the invention.
Detailed Description
The present invention is further described below with reference to the drawings and specific embodiments.
Figure 3 is the architecture of a system 100 for providing a root domain name resolution service according to one embodiment of the invention. The system 100 generally comprises a data acquisition device 110 and a virtual root node server 120, and may further be provided with a DNS verification device 130.
In one embodiment, the data acquisition device 110 is configured to acquire DNS resolution records for a plurality of domain names within a predetermined region. The virtual root node server 120 is configured to build an authority information database for the DNS nodes at each level according to the resolution records and runs a virtual root node providing the root resolution service, which answers root resolution requests within the region from the data in the database. The DNS verification device 130 is configured to judge whether DNS resolution results are correct; when its judgment is negative, the virtual root node server 120 starts the virtual root node.
The system 100 of this embodiment uses the DNS resolution records of a predetermined region to build a DNS authority information database as the data foundation of the virtual root node, automatically providing root DNS resolution for the region and reducing the Internet risk caused by resolution failures when root resolution relies on the existing DNS system. For example, mainland China may be taken as the predetermined region: while all cn domain names are being resolved, the DNS resolution records of every cn name are collected and an authority information database for cn names is built, so that when the existing DNS system refuses to provide root resolution for cn names, or root resolution for cn names returns errors, the virtual root node of the system 100 provides cn resolution from the backed-up data.
The data acquisition device 110 can acquire DNS resolution records in several ways. One option is to capture DNS resolution packets at the backbone network egress of the predetermined region and analyse them to obtain the DNS resolution records at each level for the resolved names. Another option is, during recursive resolution by a local recursive DNS server, to obtain the information on the authoritative servers at each level for the resolved name and save it as that name's DNS resolution records.
In the first approach, DNS resolution requests sent to root servers outside the region all pass through the region's backbone routes, so DNS resolution packets can be captured at the backbone egress to obtain the resolution records.
Figure 4 shows the system 100 of one embodiment capturing packets at the backbone egress to acquire data. Root servers may use anycast to set up mirror sites within a region, but these mirrors still depend on the root servers. In this embodiment, by capturing and analysing packets during the level-by-level resolution of the DNS protocol itself, or at the backbone egress, the required DNS authority information can likewise be collected, the complete DNS hierarchy rebuilt, and thus the full data set the virtual root node needs established.
In the second approach, user hosts generally send their DNS resolution requests to the local DNS server as recursive queries; when the local DNS server has no cached address for the queried name, it continues sending query messages to the root and other servers and obtains the result. The data acquisition device 110 can, during the local recursive DNS server's recursive resolution, obtain from each level of authoritative DNS server the information on the next-level authoritative server, thereby obtaining the authoritative server information for every level.
Figure 5 shows the system 100 of one embodiment acquiring data through a local DNS server. In the hierarchical, distributed structure of DNS, each node at each level of the namespace stores the authority records of its child nodes. During level-by-level resolution the local DNS server visits nodes at every level of the namespace, so its recursion can be used to save the authority records of those nodes and, from the relationships among the records, assemble a backup of the domain name hierarchy, i.e. the authority information database. The database corresponds to every level of the namespace and its data is updated in real time, so it forms a mirror of the Internet domain name hierarchy. Because it holds all the authority records, when the root node or indeed a domain name server at any level fails, the database can be used to provide the authoritative resolution service of that level.
Local recursive DNS servers (carrier-provided DNS and public DNS) obtain the authoritative server information at each level for a name while recursing, so during local DNS recursion the resolution records of all names in the region can be mirrored out and backed up.
There may be multiple virtual root node servers 120, arranged in a distributed manner and further configured to save the authority information database by type of domain name and to provide the data service via the Border Gateway Protocol (BGP). BGP is an inter-autonomous-system routing protocol running over TCP; it is designed for networks the size of the Internet and handles multiple connections between unrelated routing domains. Multiple virtual root node servers 120 can share the same address and provide the data service via anycast. With anycast, when a unicast address is assigned to more than one interface, packets sent to that address are routed to the "nearest" target interface as measured by the routing protocol. Anycast lets a DNS resolution request be delivered to one of the multiple virtual root node servers 120, chosen by the routing system and transparent to the requesting node, which to some extent gives the source node better service and reduces network load.
Using a distributed database architecture, the multiple virtual root node servers 120 obtain their answers by querying the distributed database, and Open Shortest Path First (OSPF) lets multiple machines work simultaneously to raise answering capacity. OSPF is an Interior Gateway Protocol (IGP) used to decide routes within a single autonomous system (AS); it is an implementation of a link-state routing protocol, belongs to the IGPs and operates inside an autonomous system.
Distributed deployment of the virtual root node servers 120 not only speeds up DNS resolution and makes more rational use of Internet resources; serving in anycast mode also reduces DNS single points of failure and improves the ability to withstand DNS attacks. Access control can also be configured on the virtual root nodes to block DNS attack traffic, and when resolution anomalies occur, priority is given to normal answers for the local DNS servers within the region.
One workflow of the DNS verification device 130 is: listen for DNS resolution messages at the backbone egress of the predetermined region; judge whether a DNS resolution message is received and whether the message matches the pre-stored result; if either judgment is negative, determine that the DNS resolution result is incorrect. When root resolution is wrong, the virtual root node server 120 provides the virtual root node to complete root domain name resolution within the region.
Root resolution results generally do not change readily, so if the currently returned result does not match the result pre-stored from history, the resolution has been tampered with and an alert or manual intervention is needed. In addition, if the authority of some top-level domain stops working normally, or every reply is "SERVFAIL", that can also be judged directly as an incorrect resolution result. One way of handling an incorrect resolution result is: once tampering is detected, an operator judges from the alert information and, with a click in the interface, the system automatically switches resolution in batch to the virtual root node.
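The decision logic of the verification device just described (a reply is missing, every reply is SERVFAIL, or the returned referral does not match the stored one) is shown below in Python as an added example; it is not code from the patent. The baseline, the observed replies, the responder blocklist and the server names and addresses (RFC 5737 documentation ranges) are constructed here, and the mapping of findings to the "danger", "warning" and "safe" levels mentioned later in the description is an assumption of this example.

```python
# Added example (not from the patent): decision logic of the DNS verification device over
# referral replies watched at the backbone egress. Baseline, observations, blocklist and
# the status -> security-level mapping are constructed/assumed for illustration.
from dataclasses import dataclass, field

NOERROR, SERVFAIL = 0, 2


@dataclass(frozen=True)
class Referral:
    ns: frozenset = frozenset()      # NS names seen in the AUTHORITY section
    glue: frozenset = frozenset()    # server addresses seen in the ADDITIONAL section


@dataclass(frozen=True)
class Observation:
    zone: str                        # zone cut whose referral was watched, e.g. "cn."
    received: bool                   # a reply arrived within the monitoring window
    responder: str = ""              # source address the reply came from
    rcode: int = NOERROR
    referral: Referral = field(default_factory=Referral)


def check(obs, baseline, blocklist=frozenset()):
    """Classify one observation against the stored referral for its zone."""
    expected = baseline.get(obs.zone)
    if expected is None:
        return "unknown"                       # nothing stored yet, so nothing to compare
    if not obs.received:
        return "missing"                       # outage or blocking: no reply at all
    if obs.responder in blocklist:
        return "mismatch"                      # reply from a known rogue DNS address
    if obs.rcode != NOERROR:
        return "servfail" if obs.rcode == SERVFAIL else "error"
    # Names or addresses never seen before are the tampering signal; a reply that
    # carries only a subset of the known servers is still consistent with history.
    unseen = (obs.referral.ns - expected.ns) | (obs.referral.glue - expected.glue)
    return "mismatch" if unseen else "ok"


# Assumed mapping of findings to the interface's three security levels.
LEVEL = {"ok": "safe", "unknown": "safe", "missing": "warning",
         "servfail": "warning", "error": "warning", "mismatch": "danger"}


def verify(observations, baseline, blocklist=frozenset()):
    """Return (activate_virtual_root, [(zone, status, level), ...]) for a batch."""
    findings = []
    for obs in observations:
        status = check(obs, baseline, blocklist)
        findings.append((obs.zone, status, LEVEL[status]))
    activate = any(status not in ("ok", "unknown") for _, status, _ in findings)
    return activate, findings


# Constructed baseline, as previously recorded from the authority information database.
BASELINE = {
    "cn.": Referral(frozenset({"a.cn-servers.example.", "b.cn-servers.example."}),
                    frozenset({"192.0.2.10", "192.0.2.11"})),
    "com.": Referral(frozenset({"a.tld-servers.example."}), frozenset({"192.0.2.20"})),
}
```

Only an unseen NS name or glue address counts as tampering here; an exact-set comparison, which is what the description literally states, would also raise an alert whenever a TLD legitimately adds or retires a server, so the baseline must be refreshed from trusted data whenever such a change is confirmed.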
The above alert information can be determined in combination with a pre-collected list of illegitimate DNS IP addresses and a whitelist of legitimate DNS IP addresses. For example, the pre-collected list of malicious DNS IP addresses may be a set of illegitimate DNS IP addresses collected in advance by a security vendor; it may be held in the client database or downloaded from a website into the client database. The preset whitelist of legitimate DNS IP addresses may likewise be stored in advance in the client database or downloaded from a website's server (for example a cloud security server).
In a concrete implementation the main security levels are "danger", "warning" and "safe", where "danger" denotes the greatest threat to the user, "warning" the next and "safe" the least; prompts in the interface can follow the same scale. After an alert appears in the interface, the virtual root node can be started automatically or manually to avoid the security risk posed by illegitimate DNS resolution results.
Figure 6 shows the system 100 of one embodiment providing the root domain name resolution service. Once the data acquisition device 110 has built the domain name authority information database, the virtual root node server 120 can start a virtual root node service on top of that data, offering externally the same resolution service as the root node as well as a disaster-recovery service for the authorities of other top-level domains. At the same time, listening for DNS messages is started at the backbone egress toward the outside of the region to monitor the correctness of DNS resolution records; as soon as an anomaly is found in the root node or in other domain resolution outside the region's control, the corresponding request packets can be diverted at the egress to the virtual root node for answering, preventing the data from travelling on to overseas servers where it could be tampered with. Resolving any domain name starts from the root node; if the root returns errors, every name resolves abnormally and the whole Internet malfunctions. The system 100 of this embodiment effectively avoids such security risks.
When the existing root servers, or the corresponding resolution of other domains, fail, the virtual root node server 120 uses the authority information database to build a virtual root node via BGP (anycast mode) and provides DNS resolution externally.
Other recursive DNS servers can either point their root node IP at the virtual root service IP, or forward all domain name resolution to the virtual root node, which provides resolution from the authority information database. When other DNS providers cannot recover quickly, user hosts issuing DNS requests can urgently repair their DNS setting to a public DNS that can still resolve, so that network users can keep using the network.
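The two halves of the embodiment, building the authority information database from captured referral packets (Figures 4 and 5) and answering queries from it as the virtual root does (Figure 6), are shown together below in Python as an added example; this is not the patent's code. The "captured" packets are constructed inline by a small builder, and the server names (*.tld-servers.example, ns1.163-dns.example) and the RFC 5737 addresses are hypothetical. The parser handles RFC 1035 name compression, which real referrals use, and the builder emits it so that the path is exercised.

```python
# Added example (not from the patent): build the authority information database from
# captured DNS referral responses and answer referrals from it like the virtual root
# node. Packets are constructed below; all NS names and addresses are hypothetical.
import struct

TYPE_A, TYPE_NS = 1, 2


def encode_name(name):
    """Uncompressed wire form of a dotted name ("." is a single zero byte)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); return (name, next offset)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            end = end if end is not None else off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels).lower() + ".", (end if end is not None else off)


def build_referral(qname, zone, ns_names, glue):
    """Constructed referral: NS records for `zone` in AUTHORITY (owner compressed after
    the first), A glue in ADDITIONAL, empty ANSWER, RCODE 0."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8000, 1, 0, len(ns_names), len(glue))
    msg += encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    zone_off = len(msg)                             # offset of the first owner name
    for i, ns in enumerate(ns_names):
        owner = encode_name(zone) if i == 0 else struct.pack("!H", 0xC000 | zone_off)
        rdata = encode_name(ns)
        msg += owner + struct.pack("!HHIH", TYPE_NS, 1, 172800, len(rdata)) + rdata
    for host, ip in glue.items():
        rdata = bytes(int(x) for x in ip.split("."))
        msg += encode_name(host) + struct.pack("!HHIH", TYPE_A, 1, 172800, 4) + rdata
    return msg


def parse_message(msg):
    """Return (rcode, qname, [(section, owner, rtype, rdata), ...])."""
    _, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    off, qname, records = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4                                    # skip QTYPE and QCLASS
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            if rtype == TYPE_NS:
                rdata = decode_name(msg, off)[0]    # NS target may itself be compressed
            elif rtype == TYPE_A and rdlen == 4:
                rdata = ".".join(str(b) for b in msg[off:off + 4])
            else:
                rdata = msg[off:off + rdlen]
            records.append((section, owner, rtype, rdata))
            off += rdlen
    return flags & 0x000F, qname, records


class AuthorityDB:
    """Mirror of the delegation hierarchy: zone -> NS names, NS host -> glue addresses."""
    def __init__(self):
        self.delegations, self.glue = {}, {}

    def ingest(self, msg):
        rcode, _, records = parse_message(msg)
        if rcode != 0:                              # SERVFAIL etc. carry no authority data
            return
        for section, owner, rtype, rdata in records:
            if rtype == TYPE_NS and section in ("authority", "answer"):
                self.delegations.setdefault(owner, set()).add(rdata)
            elif rtype == TYPE_A and section == "additional":
                self.glue.setdefault(owner, set()).add(rdata)

    def refer(self, qname, max_labels=None):
        """Referral for qname: deepest known zone cut that is a suffix of it (or None).
        max_labels=1 limits answers to TLD cuts, i.e. pure root-server behaviour."""
        labels = qname.rstrip(".").lower().split(".")
        for i in range(len(labels)):
            if max_labels is not None and len(labels) - i > max_labels:
                continue
            zone = ".".join(labels[i:]) + "."
            if zone in self.delegations:
                ns = sorted(self.delegations[zone])
                return zone, ns, {h: sorted(self.glue.get(h, ())) for h in ns}
        return None


# Constructed captures, as seen at the backbone egress for one lookup of www.163.com.
CAPTURED = [
    build_referral("www.163.com.", "com.", ["a.tld-servers.example.", "b.tld-servers.example."],
                   {"a.tld-servers.example.": "192.0.2.1", "b.tld-servers.example.": "192.0.2.2"}),
    build_referral("www.163.com.", "163.com.", ["ns1.163-dns.example."],
                   {"ns1.163-dns.example.": "198.51.100.7"}),
]


def build_db(captures):
    db = AuthorityDB()
    for pkt in captures:
        db.ingest(pkt)
    return db
```

With `max_labels=1` the database answers exactly as a root server would (a referral to the .com cut); without it the same data serves the TLD-authority disaster-recovery role the description mentions, returning the 163.com cut directly. Because the database is learned from observed traffic, a poisoned referral captured at the egress would be mirrored too, so ingestion belongs behind the verification step, and only replies from the expected responder addresses should be trusted as a source of records.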
The virtual root node server 120 can also judge from the information in a DNS resolution request whether the request is malicious, and handle it accordingly, in order to defend against denial-of-service attacks on DNS. For example, the virtual root node server 120 uses a high-speed cache, with cache access optimisation, pre-refresh and other measures, to minimise resolution latency and achieve fast, secure resolution of DNS requests. When the traffic from one request source surges abnormally, automatic analysis and coordinated security measures rate-limit that request source.
For example, in this embodiment the virtual root node server 120 resolves the DNS requests issued by local DNS servers, and a DNS attack defence device is provided in the virtual root node server 120. The defence device obtains the DNS query request and the IP address of its request source; looks up the source's request record in the access record database by that IP address; judges whether the number of requests in the record within a predetermined period exceeds a preset threshold; and if so, determines that the source is mounting a DNS attack and defends against it. The defence may directly filter the over-rate DNS requests, or work together with security software such as a security guard installed on the user's client to protect and prompt the user, for example by having the client output a prompt in its security-advice display area or change its DNS server address to a preset safe address, thereby improving the security of the virtual root node server 120.
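The per-source request counting of the defence device above, as an added Python example (not the patent's code): the access record database is an in-memory table of recent timestamps per source address, the count is taken over a sliding window, and the threshold and window length are hypothetical settings. The request stream is constructed.

```python
# Added example (not from the patent): per-source request-count defence as a sliding
# window over an in-memory access record table. Traffic, threshold and window are
# constructed/hypothetical.
from collections import deque


class SourceRateLimiter:
    """Count requests per source IP within `window` seconds; over `threshold` is an attack."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.records = {}             # access record database: ip -> deque of timestamps
        self.flagged = set()          # sources judged to be attacking

    def check(self, src_ip, now):
        """Return "allow" or "drop" for one query from src_ip arriving at time `now`."""
        q = self.records.setdefault(src_ip, deque())
        while q and now - q[0] >= self.window:     # expire timestamps outside the period
            q.popleft()
        q.append(now)                              # every attempt is recorded, dropped or not
        if len(q) > self.threshold:
            self.flagged.add(src_ip)
            return "drop"                          # filter the over-rate request
        return "allow"


def replay(limiter, requests):
    """Feed constructed (timestamp, src_ip) requests in time order; return drops per source."""
    dropped = {}
    for ts, ip in sorted(requests):
        if limiter.check(ip, ts) == "drop":
            dropped[ip] = dropped.get(ip, 0) + 1
    return dropped


# Constructed traffic: a normal in-region resolver (20 queries over 10 s) and one
# source flooding the virtual root with 150 queries in 1.5 s.
REQUESTS = [(i * 0.5, "198.51.100.7") for i in range(20)] + \
           [(1.0 + i * 0.01, "203.0.113.66") for i in range(150)]
```

A limit keyed on the source address alone can be turned against the region's own resolvers: DNS over UDP does not authenticate the source, so an attacker who spoofs a local resolver's address can get that resolver rate-limited. That is why the description pairs this check with giving priority to the region's known local DNS servers; in practice the priority list should be consulted before the counter, and a per-source limit should apply to answers (response rate limiting) rather than silently discarding queries from addresses that may be forged.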
An embodiment of the invention also provides a method for providing a root domain name resolution service, which can be executed by any of the systems described in the above embodiments to implement root DNS resolution within a predetermined region. Figure 7 is a diagram of the method according to one embodiment, and the method comprises:
Step S702: acquire DNS resolution records for a plurality of domain names within a predetermined region;
Step S704: build an authority information database for the DNS nodes at each level according to the resolution records;
Step S706: start a virtual root node that provides the root domain name resolution service;
Step S708: have the virtual root node answer root domain name resolution requests within the predetermined region from the data in the authority information database.
One optional flow for step S702 is: capture DNS resolution packets at the backbone network egress of the predetermined region; analyse the DNS resolution packets to obtain the DNS resolution records at each level for the resolved names.
Another optional flow for step S702 is: during recursive resolution by a local recursive DNS server, obtain from each level of authoritative DNS server the information on the next-level authoritative server; save the obtained authoritative server information of each level as the DNS resolution records of the name.
One optional flow for step S704 is: save the resolution records, by type of domain name, in distributed storage as the authority information database, the authority information database providing the data service via the Border Gateway Protocol.
In an optional embodiment of this embodiment, before step S708 it may further be judged whether the DNS resolution result is correct; if not, step S708 is executed to start the virtual root node providing the root resolution service. Judging whether the DNS resolution result is correct can be implemented as follows: listen for DNS resolution messages at the backbone egress of the predetermined region; judge whether a DNS resolution message is received and whether the message matches the pre-stored result; if either judgment is negative, determine that the DNS resolution result is incorrect.
The solution of this embodiment uses the DNS resolution records of a predetermined region to build a DNS authority information database as the data foundation of a virtual root node providing the root resolution service, automatically providing root DNS resolution for the region and reducing the Internet risk caused by resolution failures within the region when root domain name resolution relies on the existing DNS system.
Numerous specific details are set forth in the specification provided here. It will be understood, however, that embodiments of the invention may be practised without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this specification.
Similarly, it should be understood that, in order to streamline this disclosure and aid the understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. This method of disclosure is not, however, to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the inventive aspects lie in less than all features of a single disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will understand that the modules in the devices of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may also be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include certain features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and form different embodiments. For example, in the claims below, any of the claimed embodiments may be used in any combination.
The component embodiments of the invention may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the system for providing a root domain name resolution service according to embodiments of the invention. The invention may also be implemented as a device or apparatus program (for example a computer program and computer program product) for performing part or all of the methods described here. Such a program implementing the invention may be stored on a computer readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
For example, Figure 8 shows a computing device that can implement the method for providing a root domain name resolution service according to the invention. The computing device conventionally includes a processor 810 and a computer program product or computer readable medium in the form of a memory 820. The memory 820 may be electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, a hard disk or ROM. The memory 820 has a storage space 830 for program code 831 for performing any of the method steps above. For example, the storage space 830 for program code may include individual program codes 831 for implementing the various steps of the above methods respectively. The program code can be read from or written into one or more computer program products. Such computer program products include program code carriers such as hard disks, compact discs (CDs), memory cards or floppy disks. Such a computer program product is typically a portable or fixed storage unit as described with reference to Figure 9. The storage unit may have storage segments, storage spaces and the like arranged similarly to the memory 820 in the computing device of Figure 8. The program code may, for example, be compressed in an appropriate form. Typically the storage unit includes computer readable code 831', i.e. code readable by a processor such as 810, which when run by a computing device causes the computing device to perform each step of the methods described above.
Reference herein to "one embodiment", "an embodiment" or "one or more embodiments" means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the invention. Note also that instances of the phrase "in one embodiment" here do not necessarily all refer to the same embodiment.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices may be embodied by one and the same item of hardware. The use of the words first, second, third and so on does not indicate any order; these words may be interpreted as names.
Furthermore, it should be noted that the language used in this specification has been selected principally for readability and instructional purposes, and not to delineate or circumscribe the inventive subject matter. Accordingly, many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the appended claims. The disclosure of the invention is illustrative rather than limiting as to its scope, which is defined by the appended claims.

Claims (14)

  1. A method for providing a root domain name resolution service, comprising:
    acquiring DNS resolution records for a plurality of domain names within a predetermined region;
    building an authority information database for the DNS nodes at each level according to the resolution records;
    starting a virtual root node that provides the root domain name resolution service, the virtual root node answering root domain name resolution requests within the predetermined region from the data in the authority information database.
  2. The method according to claim 1, wherein acquiring DNS resolution records for a plurality of domain names within a predetermined region comprises:
    capturing DNS resolution packets at the backbone network egress of the predetermined region;
    analysing the DNS resolution packets to obtain the DNS resolution records at each level for the resolved domain names.
  3. The method according to claim 1, wherein acquiring DNS resolution records for a plurality of domain names within a predetermined region comprises:
    during recursive resolution by a local recursive DNS server, obtaining from each level of authoritative DNS server the information on the next-level authoritative server;
    saving the obtained authoritative server information of each level as the DNS resolution records of the domain name.
  4. The method according to any one of claims 1 to 3, wherein building an authority information database for the DNS nodes at each level according to the resolution records further comprises:
    saving the resolution records, by type of domain name, in distributed storage as the authority information database, the authority information database providing data service via the Border Gateway Protocol.
  5. The method according to any one of claims 1 to 4, further comprising, before starting the virtual root node that provides the root domain name resolution service:
    judging whether the DNS resolution result is correct;
    if not, starting the virtual root node that provides the root domain name resolution service.
  6. The method according to claim 5, wherein judging whether the DNS resolution result is correct comprises:
    listening for DNS resolution messages at the backbone network egress of the predetermined region;
    judging whether a DNS resolution message is received and whether the DNS resolution message matches the pre-stored result;
    if either judgment is negative, determining that the DNS resolution result is incorrect.
  7. A system for providing a root domain name resolution service, comprising:
    a data acquisition device configured to acquire DNS resolution records for a plurality of domain names within a predetermined region;
    a virtual root node server configured to build an authority information database for the DNS nodes at each level according to the resolution records and running a virtual root node that provides the root domain name resolution service, so as to answer root domain name resolution requests within the predetermined region from the data in the authority information database.
  8. The system according to claim 7, wherein
    the data acquisition device is further configured to capture DNS resolution packets at the backbone network egress of the predetermined region and to analyse the DNS resolution packets to obtain the DNS resolution records at each level for the resolved domain names.
  9. The system according to claim 7, wherein
    the data acquisition device is further configured to obtain, during recursive resolution by a local recursive DNS server, from each level of authoritative DNS server the information on the next-level authoritative server, and to save the obtained authoritative server information of each level as the DNS resolution records of the domain name.
  10. The system according to any one of claims 7 to 9, wherein
    there are a plurality of the virtual root node servers, arranged in a distributed manner and further configured to save the authority information database by type of domain name and to provide data service via the Border Gateway Protocol.
  11. The system according to any one of claims 7 to 10, further comprising:
    a DNS verification device configured to judge whether the DNS resolution result is correct;
    the virtual root node server being further configured to start the virtual root node that provides the root domain name resolution service when the judgment of the DNS verification device is negative.
  12. The system according to claim 11, wherein the DNS verification device is further configured to:
    listen for DNS resolution messages at the backbone network egress of the predetermined region;
    judge whether a DNS resolution message is received and whether the DNS resolution message matches the pre-stored result;
    if either judgment is negative, determine that the DNS resolution result is incorrect.
  13. A computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the method for providing a root domain name resolution service according to any one of claims 1 to 6.
  14. A computer readable medium storing the computer program according to claim 13.
PCT/CN2015/074613 2014-04-18 2015-03-19 Method and system for providing root domain name resolution service WO2015158193A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/305,094 US20170041321A1 (en) 2014-04-18 2015-03-19 Method and system for providing root domain name resolution service

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201410158694.1 2014-04-18
CN201410158694.1A CN103957285B (zh) 2014-04-18 2014-04-18 Method and system for providing root domain name resolution service

Publications (1)

Publication Number Publication Date
WO2015158193A1 true WO2015158193A1 (zh) 2015-10-22

Family

ID=51334508

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2015/074613 WO2015158193A1 (zh) 2014-04-18 2015-03-19 Method and system for providing root domain name resolution service

Country Status (3)

Country Link
US (1) US20170041321A1 (zh)
CN (1) CN103957285B (zh)
WO (1) WO2015158193A1 (zh)

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103957286B (zh) * 2014-04-18 2016-04-06 北京奇虎科技有限公司 DNS security system and fault handling method thereof
CN103957285B (zh) * 2014-04-18 2015-09-09 北京奇虎科技有限公司 Method and system for providing root domain name resolution service
CN104468244B (zh) * 2014-12-31 2018-04-20 北京奇虎科技有限公司 Method and device for building disaster recovery for a domain name resolution system
CN106210159B (zh) * 2015-05-07 2019-12-13 阿里巴巴集团控股有限公司 Domain name resolution method and device
CN105245626B (zh) * 2015-07-02 2018-01-16 中国人民武装警察部队司令部信息化部 Method for addressing websites in a private network using short domain names
CN106470251B (zh) * 2015-08-19 2019-12-17 互联网域名系统北京市工程研究中心有限公司 Domain name resolution method and virtual DNS authoritative server
CN105245631B (zh) * 2015-09-25 2018-10-26 中国互联网络信息中心 Method and system for optimizing access to the DNS root service
CN105245633A (zh) * 2015-10-19 2016-01-13 北京奇虎科技有限公司 Secure domain name system and fault handling method thereof
CN105282269B (zh) * 2015-11-03 2018-07-06 中国互联网络信息中心 Configuration method and service method for a local DNS root server
CN105391818B (zh) * 2015-11-26 2019-02-05 中国互联网络信息中心 Recursive-server-based emergency resolution system and method for authoritative domain names
CN106899423A (zh) * 2015-12-21 2017-06-27 北京奇虎科技有限公司 Processing method and device for a domain name system, and domain name system
CN106973122A (zh) * 2016-01-14 2017-07-21 中国移动通信集团浙江有限公司 Cloud-storage-based domain name system and emergency handling method thereof
CN107623751B (zh) * 2016-07-14 2021-02-12 网宿科技股份有限公司 DNS network system, domain name resolution method and system
CN106790747A (zh) * 2016-12-13 2017-05-31 北京网瑞达科技有限公司 Method for secondary recursive resolution in the domain name system (DNS)
CN108206814B (zh) * 2016-12-20 2021-03-16 腾讯科技(深圳)有限公司 Method, device and system for defending against DNS attacks
CN108064444B (zh) * 2017-04-19 2020-05-19 北京大学深圳研究生院 Blockchain-based domain name resolution system
CN107222492A (zh) * 2017-06-23 2017-09-29 网宿科技股份有限公司 DNS attack prevention method, device and system
CN109995885B (zh) * 2017-12-30 2022-06-03 中国移动通信集团辽宁有限公司 Method, apparatus, device and medium for presenting the structure of a domain name space
CN108900650A (zh) * 2018-06-21 2018-11-27 广州大学 Root zone resolution method between national root nodes
US11206265B2 (en) * 2019-04-30 2021-12-21 Infoblox Inc. Smart whitelisting for DNS security
CN110166581B (zh) * 2019-04-30 2022-03-29 大唐软件技术股份有限公司 Method and device for obtaining the access frequency share of domain name resolution servers
CN111191156B (zh) * 2019-12-20 2023-09-05 中移(杭州)信息技术有限公司 Network request resource scheduling method, device and computer readable storage medium
CN111953802A (zh) * 2020-07-06 2020-11-17 网宿科技股份有限公司 Domain name resolution method, system, device and storage medium
CN114143288B (zh) * 2020-08-14 2024-05-28 中国移动通信集团山东有限公司 Method and device for determining a resolution path, storage medium and computer device
CN115150358B (zh) * 2021-03-31 2024-02-13 贵州白山云科技股份有限公司 Domain name acquisition method, electronic device and system
CN113553520B (zh) * 2021-07-20 2024-03-26 中国工商银行股份有限公司 Multi-technology-stack domain name automated operations method, system and device
CN113660359B (zh) * 2021-08-25 2024-01-19 北京搜房科技发展有限公司 Method and device for managing domain name resolution records, storage medium and electronic device
CN114205330B (zh) * 2021-11-09 2024-08-13 北京快乐茄信息技术有限公司 Domain name resolution method, domain name resolution device, server and storage medium
CN117221276B (zh) * 2023-09-26 2024-05-14 福州大学 Network architecture and server layer structure for geospatial grid domain names

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101431539A (zh) * 2008-12-11 2009-05-13 华为技术有限公司 Domain name resolution method, system and device
CN101436981A (zh) * 2007-11-13 2009-05-20 中国电信股份有限公司 Domain name server system in an extended IPv4 network
CN101815105A (zh) * 2010-03-25 2010-08-25 上海交通大学 Domain name resolution service system with intelligent caching and service method thereof
CN101917494A (zh) * 2010-09-09 2010-12-15 刁永平 Implementation of an autonomous Internet
CN102497457A (zh) * 2011-12-18 2012-06-13 刁玉平 Network address reuse implementation for an autonomous scalable Internet
CN103957285A (zh) * 2014-04-18 2014-07-30 上海聚流软件科技有限公司 Method and system for providing root domain name resolution service

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106302862A (zh) * 2016-09-28 2017-01-04 大唐软件技术股份有限公司 Method and system for collecting DNS recursive servers
CN106302862B (zh) * 2016-09-28 2019-07-05 大唐软件技术股份有限公司 Method and system for collecting DNS recursive servers
CN113556342A (zh) * 2021-07-21 2021-10-26 江南信安(北京)科技有限公司 Method and device for protecting DNS cache servers against prefix-change attacks
CN113590909A (zh) * 2021-07-28 2021-11-02 哈尔滨工业大学(威海) Method for geolocating DNS root mirror nodes based on multi-source information
CN113590909B (zh) * 2021-07-28 2023-09-19 哈尔滨工业大学(威海) Method for geolocating DNS root mirror nodes based on multi-source information

Also Published As

Publication number Publication date
CN103957285A (zh) 2014-07-30
CN103957285B (zh) 2015-09-09
US20170041321A1 (en) 2017-02-09

Similar Documents

Publication Publication Date Title
WO2015158193A1 (zh) Method and system for providing root domain name resolution service
WO2015158194A1 (zh) DNS security system and fault handling method thereof
US10904277B1 (en) Threat intelligence system measuring network threat levels
WO2017067443A1 (zh) Secure domain name system and fault handling method thereof
CN103634786B (zh) Method and system for security detection and repair of a wireless network
CN109474575B (zh) DNS tunnel detection method and device
US8904524B1 (en) Detection of fast flux networks
CN107124434B (zh) Method and system for discovering malicious DNS attack traffic
US10469532B2 (en) Preventing DNS cache poisoning
CN110324295B (zh) Method and device for defending against domain name system flooding attacks
US20120297478A1 (en) Method and system for preventing dns cache poisoning
JP6483819B2 (ja) Apparatus and method for identifying resource exhaustion attacks on the domain name system
JP2017534198A (ja) Apparatus and method for identifying tunneling, exfiltration and intrusion in the domain name system
WO2017041666A1 (zh) Method and device for processing access requests
CN103269389A (zh) Method and device for checking and repairing malicious DNS settings
CN105025025A (zh) Cloud-platform-based active domain name detection method and system
TW201002008A (en) Method and system for preventing from communication by hackers
US20150026806A1 (en) Mitigating a Cyber-Security Attack By Changing a Network Address of a System Under Attack
US10719523B2 (en) NXD query monitor
CN110401644A (zh) Attack protection method and device
CN106790073B (zh) Method, device and firewall for blocking malicious attacks on web servers
US11122004B1 (en) Externally applying internal network domain name system (DNS) policies
US20180295142A1 (en) Extracted data classification to determine if a dns packet is malicious
CN107786539A (zh) DNS-based method for defending against CC attacks
US10462180B1 (en) System and method for mitigating phishing attacks against a secured computing device

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 15779235

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 15305094

Country of ref document: US

122 Ep: pct application non-entry in european phase

Ref document number: 15779235

Country of ref document: EP

Kind code of ref document: A1