WO2018113727A1 - Method and apparatus for reducing the risk of dns hijacking - Google Patents


Info

Publication number
WO2018113727A1
Authority
WO
WIPO (PCT)
Prior art keywords
dns server
configuration information
address
server address
dynamic configuration
Application number
PCT/CN2017/117689
Other languages
French (fr)
Chinese (zh)
Inventor
刘天
张建新
高永岗
Original Assignee
北京奇虎科技有限公司

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/50: Address allocation
    • H04L61/5007: Internet protocol [IP] addresses
    • H04L61/5014: Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • The present disclosure relates to the field of electronic technologies, and in particular to a method and apparatus for reducing the risk of DNS hijacking.
  • A common LAN DNS (Domain Name System) hijacking works as follows: an attacker sets up a malicious pseudo-DNS server in a local area network and compromises the LAN's DHCP (Dynamic Host Configuration Protocol) device, modifying the DNS server address that the DHCP device assigns to the UE (User Equipment) to the address of the pseudo-DNS server.
  • When the UE then connects to the pseudo-DNS server based on the network configuration dynamically allocated by DHCP, there is a risk of hijacking.
  • In view of the above problems, the present disclosure has been made in order to provide a method and apparatus for reducing the risk of DNS hijacking that overcome the above problems or at least partially solve them.
  • In a first aspect, the present disclosure provides a method of reducing the risk of DNS hijacking, including:
  • sending a dynamic configuration request to a Dynamic Host Configuration Protocol (DHCP) device in the local area network;
  • receiving the dynamic configuration information returned by the DHCP device, where the dynamic configuration information includes a primary Domain Name System (DNS) server address;
  • switching from the dynamically configured online state to the static online state, where the dynamically configured online state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static online state is the state of accessing the network according to static security configuration information; the primary DNS server address in the security configuration information is the target wide area network (WAN) DNS server address;
  • accessing the network based on the security configuration information.
  • In a second aspect, the present disclosure provides an apparatus for reducing the risk of DNS hijacking, including:
  • a dynamic configuration requesting module, configured to send a dynamic configuration request to a DHCP device in the local area network;
  • a receiving module, configured to receive the dynamic configuration information returned by the DHCP device, where the dynamic configuration information includes a primary DNS server address;
  • a switching module, configured to switch from the dynamically configured online state to the static online state, where the dynamically configured online state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static online state is the state of accessing the network according to static security configuration information; the primary DNS server address in the security configuration information is the target WAN DNS server address;
  • an access module, configured to access the network based on the security configuration information.
  • In a third aspect, the present disclosure provides a computer program comprising:
  • computer readable code which, when run on a computing device, causes the computing device to perform the above method of reducing the risk of DNS hijacking.
  • In a fourth aspect, the present disclosure provides a computer readable medium comprising:
  • a stored computer program for performing the above method of reducing the risk of DNS hijacking.
  • In the embodiments of the present disclosure, a dynamic configuration request is first sent to a DHCP device in the local area network, and the dynamic configuration information returned by the DHCP device, which includes a primary DNS server address, is received; the UE then switches from the dynamically configured online state to the static online state.
  • The static online state is the state of accessing the network according to static security configuration information.
  • The primary DNS server address in the security configuration information is the target WAN DNS server address.
  • FIG. 1 is a flowchart of a method for reducing the risk of DNS hijacking according to an embodiment of the present disclosure;
  • FIG. 2 is a schematic structural diagram of an apparatus for reducing the risk of DNS hijacking according to an embodiment of the present disclosure;
  • FIG. 3 schematically illustrates a block diagram of a computing device for performing a method of reducing the risk of DNS hijacking according to an embodiment of the present disclosure;
  • FIG. 4 schematically illustrates a storage unit for holding or carrying program code that implements a method of reducing the risk of DNS hijacking according to an embodiment of the present disclosure.
  • Embodiments of the present disclosure provide a method and apparatus for reducing the risk of DNS hijacking. Please refer to FIG. 1, a flowchart of a method for reducing the risk of DNS hijacking according to an embodiment of the present disclosure, where the method includes:
  • S101: Send a dynamic configuration request to a DHCP device in the local area network.
  • S102: Receive the dynamic configuration information returned by the DHCP device.
  • S103: Switch from the dynamically configured online state to the static online state, where the dynamically configured online state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static online state is the state of accessing the network according to static security configuration information; the primary DNS server address in the security configuration information is the target WAN DNS server address.
  • S104: Access the network based on the security configuration information.
  • A dynamic configuration request is sent to a DHCP (Dynamic Host Configuration Protocol) device in the local area network to request that the DHCP device configure dynamic configuration information for the UE. After receiving the dynamic configuration request sent by the UE, the DHCP device configures dynamic configuration information for the UE according to its dynamic configuration policy and returns the configured dynamic configuration information to the UE. The UE then receives the dynamic configuration information transmitted by the DHCP device in S102.
  • The dynamic configuration information includes a primary DNS server address.
  • The dynamic configuration information may further include a gateway address, an IP (Internet Protocol) address, a subnet mask and a standby DNS server address.
  • The UE then switches its online state from the dynamically configured online state to the static online state.
  • The UE in the embodiment of the present disclosure has two online states, namely the dynamically configured online state and the static online state.
  • The dynamically configured online state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information.
  • Specifically, the UE accesses, according to the IP address and subnet mask in the dynamic configuration information, the gateway indicated by the gateway address in the dynamic configuration information and the primary DNS server indicated by the primary DNS server address in the dynamic configuration information (or the standby DNS server indicated by the standby DNS server address).
  • The static online state is the state of accessing the network according to static security configuration information.
  • The security configuration information in the embodiment of the present disclosure includes at least a primary DNS server address, and the primary DNS server address in the security configuration information is the address of a known-secure target wide area network DNS server.
  • The security configuration information may further include an IP address, a subnet mask, a gateway address and a standby DNS server address, which the disclosure does not specifically limit.
  • The network is then accessed based on the security configuration information, so that when a DNS server is accessed it is the WAN DNS server rather than the LAN DNS server.
  • The present disclosure thereby reduces the risk of DNS hijacking.
  • Before switching from the dynamically configured online state to the static online state, the method further includes:
  • when the primary DNS server address in the dynamic configuration information is a local area network address, determining whether the gateway address in the dynamic configuration information and the primary DNS server address in the dynamic configuration information are consistent;
  • when the gateway address and the primary DNS server address in the dynamic configuration information are inconsistent, determining that there is a risk of local area network DNS hijacking, and performing the step of switching from the dynamically configured online state to the static online state.
  • Specifically, the UE obtains the primary DNS server address from the dynamic configuration information and then determines whether that address is a local area network address.
  • Determining whether the primary DNS server address in the dynamic configuration information is a local area network address specifically means determining whether it falls within the Class A, Class B or Class C interval.
  • The address range of the Class A interval is 10.0.0.0 to 10.255.255.255;
  • the address range of the Class B interval is 172.16.0.0 to 172.31.255.255;
  • the address range of the Class C interval is 192.168.0.0 to 192.168.255.255.
  • If the primary DNS server address in the dynamic configuration information falls within the Class A, Class B or Class C interval, it is a local area network address; otherwise, if it does not fall within any of these intervals, it is not a LAN address.
  • In general, the gateway address configured by the DHCP device is consistent with the primary DNS server address, for example both are 192.168.1.1. Therefore, when the primary DNS server address in the dynamic configuration information is a local area network address and the gateway address in the dynamic configuration information is the same as the primary DNS server address, the current local area network DNS server is normal and is unlikely to be hijacked. Conversely, when the primary DNS server address in the dynamic configuration information is a local area network address and the gateway address in the dynamic configuration information is inconsistent with the primary DNS server address, the primary DNS server in the local area network is abnormal and may be hijacked. Therefore, in the embodiment of the present disclosure, when the gateway address in the dynamic configuration information and the primary DNS server address in the dynamic configuration information are inconsistent, it is determined that a local area network DNS hijacking risk exists.
  • Further, after determining that a local area network DNS hijacking risk exists, the UE may output prompt information, such as text indicating that the current local area network is at risk, or play a warning tone, to prompt the user to handle the local area network DNS hijacking risk in a timely manner.
  • After the UE has determined that a DNS hijacking risk exists in the LAN, continuing to access the network in the dynamically configured online state could cause the user financial loss or the theft of private information. Therefore, the UE performs S103, switches from the dynamically configured online state to the static online state, and accesses the network according to the security configuration information.
  • In the embodiment of the present disclosure, LAN security is detected by determining whether the gateway address in the dynamic configuration information is consistent with the primary DNS server address, and an inconsistency between the gateway address and the primary DNS server address is taken to mean that a local area network DNS hijacking risk exists.
  • This realizes the technical effect of detecting the DNS hijacking risk in the local area network.
  • The network is accessed in the static online state on this basis, thereby avoiding the problems of high power consumption and slow Internet access that frequent access of the UE to the WAN DNS server would cause.
  • The security configuration information may be pre-stored default information.
  • For example, a default secure IP address, subnet mask, gateway address, primary DNS server address (i.e. target WAN DNS server address) and standby DNS server address are stored in advance as the security configuration information and read after switching to the static online state.
  • The security configuration information may also be generated from user input. For example, when the user learns from the prompt information that the current local area network has a DNS hijacking risk, the user enters a secure IP address, subnet mask, gateway address, primary DNS server address (i.e. target WAN DNS server address) and standby DNS server address, and the UE then generates the security configuration information from the IP address, subnet mask, gateway address, primary DNS server address and standby DNS server address entered by the user.
  • The security configuration information may also be generated according to the actual situation after switching to the static online state.
  • Specifically, after switching from the dynamically configured online state to the static online state, the method further includes:
  • the UE acquires the target WAN DNS server address.
  • The target WAN DNS server may be any one of the one or more WAN DNS servers currently accessible, and the UE obtains the address of any one of them as the target WAN DNS server address.
  • Alternatively, the address of the WAN DNS server closest to the UE may be selected as the target WAN DNS server address according to the geographic location of each WAN DNS server.
  • Alternatively, the address of the WAN DNS server with the best network connectivity is determined as the target WAN DNS server address.
  • Specifically, the UE detects the network connectivity of one or more WAN DNS servers.
  • The network connectivity in the embodiment of the present disclosure indicates the connection performance between the WAN DNS server and the UE.
  • The network connectivity may include whether the WAN DNS server can be accessed, the time required to access it, and the bandwidth of the WAN DNS server.
  • It may also include the load and geographic location of the WAN DNS server, etc., which are not specifically limited in this disclosure.
  • The UE measures, for each WAN DNS server, whether it can be accessed, its access time, bandwidth, load and geographic location, and thus obtains the network connectivity of each WAN DNS server.
  • For example, weights are set in advance for the parameter types measured for the WAN DNS servers; the weight of each WAN DNS server is then calculated from its measured parameters, and that weight is used as the network connectivity of the WAN DNS server. For example, if the parameter types the UE measures are whether the server can be accessed, the access time and the geographic distance, a weight of 0.5 may be set for the parameter type "can be accessed", a weight of -0.3 for the parameter type "access time" and a weight of -0.2 for the parameter type "geographic distance". The first WAN DNS server is measured: it cannot be accessed, its access time expires (assuming the timeout period is 3 minutes, the access time is taken as the timeout period), and its geographic distance is 10 km.
  • The UE then determines the address of the WAN DNS server with the best measured network connectivity as the target WAN DNS server address.
  • Using the address of the WAN DNS server with the best network connectivity among the one or more WAN DNS servers as the target WAN DNS server address allows the UE to access the WAN DNS server with the best network connectivity, thereby reducing the chance of being unable to connect to a WAN DNS server or of a slow connection.
  • The UE uses the target WAN DNS server address as the primary DNS server address in the security configuration information, so that when the UE accesses the primary DNS server based on the security configuration information it accesses the WAN DNS server instead of a local area network DNS server that carries a risk of hijacking.
  • The present disclosure thereby reduces the risk of DNS hijacking.
  • The security configuration information in the embodiment of the present disclosure may further include a standby DNS server address.
  • The standby DNS server address of the security configuration information may likewise be pre-stored default information or an address entered by the user.
  • Alternatively, after determining the address of the WAN DNS server with the best network connectivity as the primary DNS server address of the security configuration information, the UE determines the address of another WAN DNS server whose network connectivity is next to that of the target WAN DNS server as the standby DNS server address in the security configuration information.
  • Alternatively, after switching from the dynamically configured online state to the static online state, the method further includes:
  • determining the primary DNS server address or the standby DNS server address in the dynamic configuration information as the standby DNS server address in the security configuration information.
  • In this implementation, after the UE switches to the static online state it extracts the primary DNS server address or the standby DNS server address from the dynamic configuration information and determines the extracted address as the standby DNS server address of the security configuration information.
  • Since the primary DNS server in the local area network is generally more reliable than the standby DNS server, and faults in it are more easily found and corrected in time, determining the primary DNS server address in the dynamic configuration information as the standby DNS server address of the security configuration information is the preferred choice.
  • The IP address, subnet mask and gateway address in the security configuration information may be used directly, which the disclosure does not specifically limit.
  • In a second aspect, the present disclosure further provides an apparatus for reducing the risk of DNS hijacking, as shown in FIG. 2, including:
  • a dynamic configuration requesting module 101, configured to send a dynamic configuration request to a DHCP device in the local area network;
  • a receiving module 102, configured to receive the dynamic configuration information returned by the DHCP device, where the dynamic configuration information includes a primary DNS server address;
  • a switching module 103, configured to switch from the dynamically configured online state to the static online state, where the dynamically configured online state is the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on that information, and the static online state is the state of accessing the network according to static security configuration information;
  • an access module 104, configured to access the network based on the security configuration information.
  • The apparatus in the embodiment of the present disclosure further includes:
  • a judging module, configured to determine, before the switch from the dynamically configured online state to the static online state and when the primary DNS server address in the dynamic configuration information is a local area network address, whether the gateway address in the dynamic configuration information and the primary DNS server address in the dynamic configuration information are consistent;
  • a first determining module, configured to determine that a local area network DNS hijacking risk exists when the gateway address and the primary DNS server address in the dynamic configuration information are inconsistent, and to notify the switching module to switch from the dynamically configured online state to the static online state.
  • The apparatus in the embodiment of the present disclosure further includes:
  • an obtaining module, configured to obtain a target WAN DNS server address after the switch from the dynamically configured online state to the static online state;
  • a second determining module, configured to determine the target WAN DNS server address as the primary DNS server address in the security configuration information.
  • The obtaining module is configured to detect the network connectivity of one or more WAN DNS servers and to determine the address of the WAN DNS server with the best network connectivity as the target WAN DNS server address.
  • The apparatus in the embodiment of the present disclosure further includes:
  • an extracting module, configured to extract the primary DNS server address or the standby DNS server address from the dynamic configuration information after the switch from the dynamically configured online state to the static online state;
  • a third determining module, configured to determine the primary DNS server address or the standby DNS server address in the dynamic configuration information as the standby DNS server address in the security configuration information.
  • FIG. 3 illustrates a computing device that can implement the method of reducing the risk of DNS hijacking according to the present disclosure.
  • The computing device conventionally includes a processor 310 and a computer program product or computer readable medium in the form of a storage device 320.
  • The storage device 320 may be an electronic memory such as a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), an EPROM, a hard disk or a ROM.
  • The storage device 320 has a storage space 330 that stores program code 331 for performing any of the method steps described above.
  • For example, the storage space 330 storing the program code may include individual pieces of program code 331 for implementing the respective steps of the above methods.
  • The program code can be read from or written to one or more computer program products.
  • These computer program products include program code carriers such as a hard disk, a compact disc (CD), a memory card or a floppy disk.
  • Such computer program products are typically portable or fixed storage units such as those shown in FIG.
  • The storage unit may have storage segments, storage spaces and the like arranged similarly to the storage device 320 in the computing device of FIG.
  • The program code may, for example, be compressed in an appropriate form.
  • The storage unit includes computer readable code 331' for performing the method steps according to the present disclosure, i.e. code that can be read by a processor such as 310 and that, when executed by the computing device, causes the computing device to perform the steps of the method described above.
  • The modules in the apparatus of the embodiments may be adaptively changed and placed in one or more apparatuses different from those of the embodiments.
  • The modules, units or components of the embodiments may be combined into one module, unit or component, and may further be divided into a plurality of sub-modules, sub-units or sub-components.
  • All features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or apparatus so disclosed, may be combined in any combination.
  • Each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by an alternative feature serving the same, equivalent or similar purpose.
  • The various component embodiments of the present disclosure may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof.
  • In practice, a microprocessor or digital signal processor may be used to implement some or all of the functions of some or all of the components of a gateway or proxy server according to embodiments of the present disclosure.
  • The present disclosure may also be implemented as a device or apparatus program (e.g. a computer program and a computer program product) for performing some or all of the methods described herein.
  • Such a program implementing the present disclosure may be stored on a computer readable medium or may be in the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
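As an added example (not code from the patent or its assignee), the Python below implements the hijack-risk check described above (primary DNS in a Class A/B/C interval but different from the gateway), the weighted connectivity ranking of WAN DNS servers using the disclosure's example weights, and the assembly of the static security configuration with the next-best WAN server as standby. The normalisation of access time and distance before weighting, the TEST-NET addresses and the measurement values are assumptions constructed for this example.

```python
"""Added example, not code from the patent or its assignee: the LAN DNS
hijack-risk check, the weighted WAN DNS selection and the static security
configuration described in WO2018113727A1. Addresses and measurements are
constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The three address intervals the disclosure treats as local area network addresses.
LAN_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),      # "Class A interval"
    ipaddress.ip_network("172.16.0.0/12"),   # "Class B interval"
    ipaddress.ip_network("192.168.0.0/16"),  # "Class C interval"
]

@dataclass
class DynamicConfig:
    """Dynamic configuration information as returned by the DHCP device (S102)."""
    ip: str
    subnet_mask: str
    gateway: str
    primary_dns: str
    standby_dns: Optional[str] = None

def is_lan_address(addr: str) -> bool:
    """True if addr lies in one of the Class A/B/C intervals named in the disclosure."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)

def lan_dns_hijack_risk(cfg: DynamicConfig) -> bool:
    """The disclosure's heuristic: a primary DNS that is a LAN address but differs
    from the gateway address indicates an abnormal, possibly hijacked LAN DNS.
    A primary DNS outside the LAN ranges is not examined by this check."""
    if not is_lan_address(cfg.primary_dns):
        return False
    return ipaddress.ip_address(cfg.gateway) != ipaddress.ip_address(cfg.primary_dns)

@dataclass
class WanDnsProbe:
    """Constructed connectivity measurement of one WAN DNS server."""
    address: str
    reachable: bool
    access_time_s: float  # answer time of a probe query; the timeout when unreachable
    distance_km: float    # geographic distance from the UE

# Weights from the disclosure's example: reachable +0.5, access time -0.3, distance -0.2.
WEIGHTS = {"reachable": 0.5, "access_time": -0.3, "distance": -0.2}
TIMEOUT_S = 180.0  # the example's timeout period of 3 minutes

def connectivity_score(p: WanDnsProbe, max_distance_km: float) -> float:
    """Weighted connectivity of one server. Normalising time and distance to [0, 1]
    before weighting is our assumption; the disclosure does not say how raw units combine."""
    time_norm = min(p.access_time_s, TIMEOUT_S) / TIMEOUT_S
    dist_norm = p.distance_km / max_distance_km if max_distance_km > 0 else 0.0
    return (WEIGHTS["reachable"] * (1.0 if p.reachable else 0.0)
            + WEIGHTS["access_time"] * time_norm
            + WEIGHTS["distance"] * dist_norm)

def rank_wan_dns(probes: List[WanDnsProbe]) -> List[WanDnsProbe]:
    """WAN DNS servers ordered from best to worst network connectivity."""
    max_dist = max(p.distance_km for p in probes)
    return sorted(probes, key=lambda p: connectivity_score(p, max_dist), reverse=True)

@dataclass
class SecurityConfig:
    """Static security configuration information used in the static online state."""
    ip: str
    subnet_mask: str
    gateway: str
    primary_dns: str  # the target WAN DNS server address
    standby_dns: Optional[str]

def build_security_config(cfg: DynamicConfig, probes: List[WanDnsProbe]) -> SecurityConfig:
    """Target WAN DNS = the server with the best connectivity. For the standby the
    disclosure offers two options, the next-best WAN DNS server or the primary DNS
    from the dynamic configuration; the next-best reachable WAN server is taken here,
    falling back to the dynamic primary DNS. IP, mask and gateway are reused from DHCP."""
    ranked = [p for p in rank_wan_dns(probes) if p.reachable]
    if not ranked:
        raise RuntimeError("no reachable WAN DNS server; cannot build a security configuration")
    standby = ranked[1].address if len(ranked) > 1 else cfg.primary_dns
    return SecurityConfig(cfg.ip, cfg.subnet_mask, cfg.gateway, ranked[0].address, standby)

def decide_online_state(cfg: DynamicConfig, probes: List[WanDnsProbe]) -> Optional[SecurityConfig]:
    """S103/S104 gated by the risk check: returns the security configuration to switch
    to, or None when the UE should stay in the dynamically configured online state."""
    if not lan_dns_hijack_risk(cfg):
        return None
    return build_security_config(cfg, probes)
```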

Abstract

Provided is a method and apparatus for reducing the risk of DNS hijacking. The method comprises: sending a dynamic configuration request to a Dynamic Host Configuration Protocol (DHCP) device in the local area network; receiving dynamic configuration information returned by the DHCP, wherein the dynamic configuration information comprises a main Domain Name System (DNS) server address; switching a dynamically configured on-line state to a static on-line state, wherein the dynamically configured on-line state is a state of receiving the dynamic configuration information sent by the DHCP device and accessing a network based on the dynamic configuration information, and the static on-line state is a state of accessing the network according to static security configuration information; the main DNS server address of the security configuration information being a DNS server address of a target wide area network; and accessing the network based on the security configuration information.

Description

降低DNS劫持风险的方法和装置Method and apparatus for reducing the risk of DNS hijacking
相关申请的交叉参考Cross-reference to related applications
本申请要求于2016年12月21日提交中国专利局、申请号为201611192329.8、名称为“一种降低DNS劫持风险的方法和装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。This application claims priority to Chinese Patent Application No. 201611192329.8, entitled "A Method and Apparatus for Reducing the Risk of DNS Hijacking", filed on December 21, 2016, the entire contents of which are incorporated herein by reference. In the application.
技术领域Technical field
本公开涉及电子技术领域,尤其涉及一种降低DNS劫持风险的方法和装置。The present disclosure relates to the field of electronic technologies, and in particular, to a method and apparatus for reducing the risk of DNS hijacking.
背景技术Background technique
一种常见的局域网DNS(域名解析系统,Domain Name System)劫持是攻击者在局域网络中搭建一台恶意行为的伪DNS服务器,并入侵该局域网的DHCP(动态主机配置协议,Dynamic Host Configuration Protocol)设备,将DHCP设备为UE(用户设备,User Equipment)分配的DNS服务器地址修改为伪DNS服务器地址。那么,UE基于DHCP动态分配的网络配置连接到伪DNS服务器时,就存在劫持风险。A common LAN DNS (Domain Name System) hijacking is a pseudo-DNS server where an attacker builds a malicious behavior in a local area network and invades the LAN's DHCP (Dynamic Host Configuration Protocol). The device modifies the DNS server address assigned by the DHCP device to the UE (User Equipment) to a pseudo DNS server address. Then, when the UE connects to the pseudo DNS server based on the DHCP dynamically allocated network configuration, there is a risk of hijacking.
Summary of the Invention
In view of the above problems, the present disclosure is proposed in order to provide a method and apparatus for reducing the risk of DNS hijacking that overcome the above problems or at least partially solve them.
In a first aspect, the present disclosure provides a method for reducing the risk of DNS hijacking, comprising:
sending a dynamic configuration request to a Dynamic Host Configuration Protocol (DHCP) device in the local area network;
receiving dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary Domain Name System (DNS) server address;
switching from a dynamically configured network access state to a static network access state, where the dynamically configured network access state is a state in which the dynamic configuration information sent by the DHCP device is received and the network is accessed on the basis of that dynamic configuration information, and the static network access state is a state in which the network is accessed according to static security configuration information, the primary DNS server address in the security configuration information being a target wide area network (WAN) DNS server address; and
accessing the network on the basis of the security configuration information.
In a second aspect, the present disclosure provides an apparatus for reducing the risk of DNS hijacking, comprising:
a dynamic configuration request module, configured to send a dynamic configuration request to a DHCP device in the local area network;
a receiving module, configured to receive dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary DNS server address;
a switching module, configured to switch from a dynamically configured network access state to a static network access state, where the dynamically configured network access state is a state in which the dynamic configuration information sent by the DHCP device is received and the network is accessed on the basis of that dynamic configuration information, and the static network access state is a state in which the network is accessed according to static security configuration information, the primary DNS server address in the security configuration information being a target WAN DNS server address; and
an access module, configured to access the network on the basis of the security configuration information.
In a third aspect, the present disclosure provides a computer program, comprising:
computer-readable code which, when run on a computing device, causes the computing device to perform the above method for reducing the risk of DNS hijacking.
In a fourth aspect, the present disclosure provides a computer-readable medium, comprising:
a stored computer program for performing the above method for reducing the risk of DNS hijacking.
The technical solution provided in the embodiments of the present disclosure has at least the following technical effects or advantages:
In the technical solution of the embodiments of the present disclosure, a dynamic configuration request is first sent to the DHCP device in the local area network, and the dynamic configuration information returned by the DHCP device, which includes a primary DNS server address, is received; the UE then switches from the dynamically configured network access state to the static network access state. The static network access state is a state in which the network is accessed according to static security configuration information, and the primary DNS server address in the security configuration information is a target WAN DNS server address. Because hijacking a WAN DNS server is usually very difficult, and because the operators of a WAN DNS server can detect and repair a hijack promptly once it occurs, accessing a WAN DNS server carries a lower risk of hijacking, and is therefore safer, than accessing a LAN DNS server. The present disclosure thus reduces the risk of DNS hijacking.
The above description is only an overview of the technical solution of the present disclosure. In order that the technical means of the present disclosure may be more clearly understood and implemented according to the contents of the specification, and in order that the above and other objects, features and advantages of the present disclosure may become more apparent, specific embodiments of the present disclosure are set out below.
Brief Description of the Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered as limiting the present disclosure. Throughout the drawings, the same reference symbols denote the same components. In the drawings:
FIG. 1 is a flowchart of the method for reducing the risk of DNS hijacking in an embodiment of the present disclosure;
FIG. 2 is a schematic structural diagram of the apparatus for reducing the risk of DNS hijacking in an embodiment of the present disclosure;
FIG. 3 schematically shows a block diagram of a computing device for performing the method for reducing the risk of DNS hijacking according to an embodiment of the present disclosure; and
FIG. 4 schematically shows a storage unit for holding or carrying program code that implements the method for reducing the risk of DNS hijacking according to an embodiment of the present disclosure.
Preferred Embodiments of the Invention
Exemplary embodiments of the present disclosure are described in more detail below with reference to the accompanying drawings. Although the drawings show exemplary embodiments of the present disclosure, it should be understood that the present disclosure may be implemented in various forms and should not be limited by the embodiments set out here. Rather, these embodiments are provided so that the present disclosure may be understood more thoroughly and its scope conveyed completely to those skilled in the art.
The embodiments of the present disclosure provide a method and apparatus for reducing the risk of DNS hijacking. Referring to FIG. 1, the flowchart of the method for reducing the risk of DNS hijacking in an embodiment of the present disclosure, the method includes:
S101: sending a dynamic configuration request to a Dynamic Host Configuration Protocol (DHCP) device in the local area network;
S102: receiving dynamic configuration information returned by the DHCP device;
S103: switching from a dynamically configured network access state to a static network access state, where the dynamically configured network access state is a state in which the dynamic configuration information sent by the DHCP device is received and the network is accessed on the basis of that dynamic configuration information, and the static network access state is a state in which the network is accessed according to static security configuration information, the primary DNS server address in the security configuration information being a target WAN DNS server address;
S104: accessing the network on the basis of the security configuration information.
Specifically, when a UE needs to join a local area network, it sends a dynamic configuration request to the DHCP (Dynamic Host Configuration Protocol) device in that LAN, asking the DHCP device to configure dynamic configuration information for it. On receiving the request, the DHCP device configures dynamic configuration information for the UE according to its dynamic configuration policy and returns that information to the UE. The UE then receives the dynamic configuration information sent by the DHCP device in S102.
In the embodiments of the present disclosure, the dynamic configuration information includes a primary DNS server address. In a concrete implementation, the dynamic configuration information further includes a gateway address, an IP (Internet Protocol) address, a subnet mask and a secondary DNS server address.
Next, since it cannot be confirmed at this point whether DNS hijacking is taking place in the LAN, in S103 the UE switches its network access state from the dynamically configured network access state to the static network access state.
Specifically, the UE in the embodiments of the present disclosure has two network access states: the dynamically configured network access state and the static network access state. In a concrete implementation other network access states may also exist; the present disclosure places no specific limit on this. The dynamically configured network access state is a state in which the dynamic configuration information sent by the DHCP device is received and the network is accessed on the basis of that information. In other words, in the dynamically configured network access state the UE uses the IP address and subnet mask in the dynamic configuration information to reach the gateway indicated by the gateway address in that information and the primary DNS server indicated by its primary DNS server address (or the secondary DNS server indicated by its secondary DNS server address). The static network access state is a state in which the network is accessed according to static security configuration information. The security configuration information in the present disclosure includes at least a primary DNS server address, and that primary DNS server address is the address of a known-safe target WAN DNS server. The security configuration information may of course also include an IP address, subnet mask, gateway address and secondary DNS server address; the present disclosure places no specific limit on this.
Next, in S104, the network is accessed on the basis of the security configuration information, so that when a DNS server is contacted it is the WAN DNS server rather than the LAN DNS server.
Because hijacking a WAN DNS server is usually very difficult, and because the operators of a WAN DNS server can detect and repair a hijack promptly once it occurs, accessing a WAN DNS server carries a lower risk of hijacking, and is therefore safer, than accessing a LAN DNS server. The present disclosure thus reduces the risk of DNS hijacking.
As an optional implementation, before S103 of the embodiments of the present disclosure the method may further include:
when the primary DNS server address in the dynamic configuration information is a LAN address, determining whether the gateway address in the dynamic configuration information is identical to the primary DNS server address in the dynamic configuration information; and
when the gateway address and the primary DNS server address in the dynamic configuration information are not identical, determining that a LAN DNS hijacking risk exists and performing the step of switching from the dynamically configured network access state to the static network access state.
Specifically, the UE obtains the primary DNS server address from the dynamic configuration information and determines whether it is a LAN address. Determining whether the primary DNS server address in the dynamic configuration information is a LAN address specifically means determining whether that address falls within one of the Class A, Class B or Class C ranges, where the Class A range is 10.0.0.0~10.255.255.255, the Class B range is 172.16.0.0-172.31.255.255 and the Class C range is 192.168.0.0-192.168.255.255. If the primary DNS server address in the dynamic configuration information lies in any of the Class A, Class B or Class C ranges, it is a LAN address; conversely, if it lies in none of the Class A, Class B or Class C ranges, it is not a LAN address.
Further, if the primary DNS server address configured by the DHCP device is a LAN address, then normally the gateway address configured by the DHCP device is identical to the primary DNS server address, for example both are 192.168.1.1. Therefore, when the primary DNS server address in the dynamic configuration information is a LAN address and the gateway address and primary DNS server address in the dynamic configuration information are identical, the LAN DNS server is currently normal and the likelihood that it has been hijacked is low. Conversely, when the primary DNS server address in the dynamic configuration information is a LAN address but the gateway address and primary DNS server address in the dynamic configuration information differ, the primary DNS server in the LAN is abnormal and may have been hijacked. Therefore, in S104 of the embodiments of the present disclosure, when the gateway address and the primary DNS server address in the dynamic configuration information differ, it is determined that a LAN DNS hijacking risk currently exists.
Further, when the UE determines that a LAN DNS hijacking risk exists, it may output a prompt to the user, for example by displaying the text "the current LAN is at risk" or by playing a warning tone, to prompt the user to deal with the LAN DNS hijacking risk promptly.
After a LAN DNS hijacking risk has been determined to exist, continuing to access the network in the dynamically configured network access state may expose the user to dangers such as financial loss and theft of private information. The UE therefore performs S103 at this point, switching from the dynamically configured network access state to the static network access state, and accesses the network according to the security configuration information.
As can be seen from the above description, when the primary DNS server address in the dynamic configuration information is a LAN address, LAN security is checked by determining whether the gateway address in the dynamic configuration information is identical to the primary DNS server address, and a LAN DNS hijacking risk is determined to exist when the gateway address and the primary DNS server address differ; this achieves the technical effect of detecting a DNS hijacking risk within the LAN. At the same time, because the network is accessed in the static network access state only once a LAN DNS risk has been determined to exist, the high power consumption and slow network access that would result from the UE frequently contacting a WAN DNS server are avoided.
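The check described above (LAN primary DNS that does not match the gateway, followed by the switch to a static safe configuration), as an added example that is not part of the patent text. The lease values, the private-range table and the target WAN resolver address are constructed for the example; the ranges are the Class A/B/C blocks the text lists (the RFC 1918 private blocks).

```python
"""LAN DNS hijacking check from the disclosure, as an added example (not the
patent's own code): a DHCP lease whose primary DNS is a LAN address but does
not match the gateway is flagged, and a static safe configuration is built.
All lease values and the target WAN resolver address are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# The Class A / Class B / Class C ranges listed in the text (the RFC 1918 blocks).
LAN_RANGES = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

# Constructed placeholder for the known-safe target WAN DNS server (TEST-NET-2).
TARGET_WAN_DNS = "198.51.100.53"


@dataclass(frozen=True)
class NetConfig:
    """Network configuration, either handed out by DHCP or built as the safe config."""
    ip: str
    netmask: str
    gateway: str
    primary_dns: str
    secondary_dns: Optional[str] = None


def is_lan_address(addr: str) -> bool:
    """True if addr falls in one of the three LAN ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_RANGES)


def lan_dns_hijack_risk(dyn: NetConfig) -> bool:
    """The optional pre-S103 check: a LAN primary DNS that differs from the gateway.

    A non-LAN primary DNS is outside the scope of the check and is not flagged."""
    if not is_lan_address(dyn.primary_dns):
        return False
    return ipaddress.ip_address(dyn.primary_dns) != ipaddress.ip_address(dyn.gateway)


def build_safe_config(dyn: NetConfig, target_wan_dns: str = TARGET_WAN_DNS) -> NetConfig:
    """Static safe configuration: the target WAN resolver becomes the primary DNS,
    the DHCP primary DNS is kept as secondary (the text's preferred choice), and
    IP, mask and gateway are reused from the dynamic configuration."""
    return NetConfig(ip=dyn.ip, netmask=dyn.netmask, gateway=dyn.gateway,
                     primary_dns=target_wan_dns, secondary_dns=dyn.primary_dns)


def select_config(dyn: NetConfig, target_wan_dns: str = TARGET_WAN_DNS) -> Tuple[str, NetConfig]:
    """Return ("static", safe_config) when the lease is flagged, else ("dynamic", dyn)."""
    if lan_dns_hijack_risk(dyn):
        return "static", build_safe_config(dyn, target_wan_dns)
    return "dynamic", dyn


# Constructed sample leases.
NORMAL_LEASE = NetConfig("192.168.1.20", "255.255.255.0", "192.168.1.1", "192.168.1.1")
# Gateway and LAN primary DNS disagree: the pattern the text treats as a hijack sign.
SUSPECT_LEASE = NetConfig("192.168.1.20", "255.255.255.0", "192.168.1.1", "192.168.1.66")
# Public resolver handed out by DHCP (TEST-NET-3 placeholder): the check does not apply.
PUBLIC_DNS_LEASE = NetConfig("192.168.1.20", "255.255.255.0", "192.168.1.1", "203.0.113.53")

if __name__ == "__main__":
    for name, lease in [("normal", NORMAL_LEASE), ("suspect", SUSPECT_LEASE),
                        ("public", PUBLIC_DNS_LEASE)]:
        state, cfg = select_config(lease)
        print(f"{name:8s} -> {state:7s} primary_dns={cfg.primary_dns} "
              f"secondary_dns={cfg.secondary_dns}")
```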
In the embodiments of the present disclosure, the security configuration information may be pre-stored default information. For example, a default safe IP address, subnet mask, gateway address, primary DNS server address (i.e. the target WAN DNS server address) and secondary DNS server address are stored in advance as the security configuration information and read back after switching to the static network access state. Alternatively, the security configuration information may be generated from user input. For example, when the user learns from the prompt that the current LAN carries a DNS hijacking risk, the user enters a safe IP address, subnet mask, gateway address, primary DNS server address (i.e. the target WAN DNS server address) and secondary DNS server address, and the UE generates the security configuration information from the IP address, subnet mask, gateway address, primary DNS server address and secondary DNS server address entered. Alternatively, the security configuration information may be generated according to the actual situation after switching to the static network access state.
Further, in combination with any of the above embodiments, as an optional embodiment, after switching from the dynamically configured network access state to the static network access state the method may further include:
obtaining a target WAN DNS server address; and
using the target WAN DNS server address as the primary DNS server address in the security configuration information.
Specifically, after switching to the static network access state, the UE obtains a target WAN DNS server address. The target WAN DNS server may be any one of the one or more WAN DNS servers currently reachable, in which case the UE takes the address of any WAN DNS server as the target WAN DNS server address. Alternatively, to avoid failing to connect to a WAN DNS server or connecting slowly, the address of the WAN DNS server geographically closest to the UE may be taken as the target WAN DNS server address, based on the location of each WAN DNS server. Alternatively, the target WAN DNS server address may be obtained by the following process:
detecting the network connectivity of one or more WAN DNS servers; and
determining the address of the WAN DNS server with the best network connectivity as the target WAN DNS server address.
Specifically, the UE measures the network connectivity of one or more WAN DNS servers. Network connectivity in the embodiments of the present disclosure denotes how well a WAN DNS server can be reached from the UE; it may cover whether the WAN DNS server is reachable, how long it takes to reach it, its bandwidth, its load, its geographic location and so on. The present disclosure places no specific limit on this.
The UE measures, for each WAN DNS server, whether it is reachable, its access time, bandwidth, load, geographic location and so on, and thereby obtains the network connectivity of each WAN DNS server.
In a concrete implementation there are many ways to obtain the network connectivity of each WAN DNS server; a person of ordinary skill in the art may choose according to circumstances, and the present disclosure places no specific limit on this.
For example, a weight is set in advance for each parameter type of the WAN DNS servers, a weighted value is then computed for each WAN DNS server from its parameters, and that weighted value is taken as the server's network connectivity. Suppose, for instance, that the parameter types the UE measures are reachability, access time and geographic distance; reachability may be given a weight of 0.5, access time a weight of -0.3 and geographic distance a weight of -0.2. The first WAN DNS server is measured and found to be unreachable, its access time having timed out (assume a timeout of 3 minutes, a timeout being counted as the full timeout period), at a geographic distance of 10 km. The second WAN DNS server is measured and found to be reachable, with an access time of 0.5 minutes and a geographic distance of 8 km. The weighted value of the first WAN DNS server is therefore 0*0.5-0.3*3-0.2*10=-2.9, and that of the second WAN DNS server is 1*0.5-0.3*0.5-0.2*8=-1.25. The weighted value of the second WAN DNS server is greater than that of the first, so the network connectivity of the second WAN DNS server is better than that of the first.
Next, in the embodiments of the present disclosure, the UE determines the address of the WAN DNS server measured to have the best network connectivity as the target WAN DNS server address.
It follows from the above that taking the address of the WAN DNS server with the best network connectivity among the one or more WAN DNS servers as the target WAN DNS server address lets the UE reach the WAN DNS server with the best connectivity, reducing the likelihood of failing to connect to a WAN DNS server or connecting slowly.
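The weighted connectivity calculation from the example above, as an added example that is not part of the patent text: it reproduces the two servers' values (-2.9 and -1.25) and extends the ranking to choose a backup (the next-best server, as described further below). Weights, timeout and measurements are the text's values; the server addresses are constructed placeholders and the probes are constructed rather than measured.

```python
"""Weighted connectivity score from the disclosure's worked example, as an
added example (not the patent's own code), used to pick the target WAN DNS
server and a backup. Weights, timeout and measurements are the text's values;
server addresses are constructed placeholders and the probes are constructed
rather than measured."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Weight per parameter type, as given in the text.
WEIGHTS = {"reachable": 0.5, "access_minutes": -0.3, "distance_km": -0.2}
# An unreachable server is charged the full timeout as its access time.
TIMEOUT_MINUTES = 3.0


@dataclass(frozen=True)
class Probe:
    """Measurements for one WAN DNS server (access_minutes is None on timeout)."""
    address: str
    reachable: bool
    access_minutes: Optional[float]
    distance_km: float


def connectivity_score(p: Probe) -> float:
    """Weighted value = sum(weight * parameter); larger means better connectivity."""
    timed_out = not p.reachable or p.access_minutes is None
    params = {
        "reachable": 1.0 if p.reachable else 0.0,
        "access_minutes": TIMEOUT_MINUTES if timed_out else p.access_minutes,
        "distance_km": p.distance_km,
    }
    return sum(WEIGHTS[k] * params[k] for k in WEIGHTS)


def rank_servers(probes: List[Probe]) -> List[Tuple[str, float]]:
    """Servers ordered from best to worst connectivity."""
    scored = [(p.address, connectivity_score(p)) for p in probes]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def choose_primary_and_backup(probes: List[Probe]) -> Tuple[str, Optional[str]]:
    """Target WAN DNS (best score) and, when available, the next best as backup."""
    if not probes:
        raise ValueError("no WAN DNS servers were probed")
    ranked = rank_servers(probes)
    backup = ranked[1][0] if len(ranked) > 1 else None
    return ranked[0][0], backup


# Constructed probes: the two servers from the text plus a third for the backup choice.
PROBES = [
    Probe("198.51.100.1", reachable=False, access_minutes=None, distance_km=10.0),
    Probe("198.51.100.2", reachable=True, access_minutes=0.5, distance_km=8.0),
    Probe("198.51.100.3", reachable=True, access_minutes=1.0, distance_km=12.0),
]

if __name__ == "__main__":
    for addr, score in rank_servers(PROBES):
        print(f"{addr}: {score:.2f}")
    print("primary/backup:", choose_primary_and_backup(PROBES))
```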
Further, having obtained the target WAN DNS server address, the UE uses the address of the target WAN DNS server as the primary DNS server address in the security configuration information, so that when the UE contacts the primary DNS server on the basis of the security configuration information it reaches the WAN DNS server rather than a LAN DNS server that is at risk of hijacking.
Because hijacking a WAN DNS server is usually very difficult, and because the operators of a WAN DNS server can detect and repair a hijack promptly once it occurs, accessing a WAN DNS server carries a lower risk of hijacking, and is therefore safer, than accessing a LAN DNS server. The present disclosure thus reduces the risk of DNS hijacking.
Further, the security configuration information in the embodiments of the present disclosure also includes a secondary DNS server address, for which there are likewise several possibilities. Specifically, like the primary DNS server address, the secondary DNS server address may be pre-stored default information or an address entered by the user. Alternatively, after switching to the static network access state the UE determines the address of the WAN DNS server with the best network connectivity as the primary DNS server address of the security configuration information, and then determines the address of the WAN DNS server whose network connectivity is second only to that of the target WAN DNS server as the secondary DNS server address in the security configuration information. Alternatively, after switching from the dynamically configured network access state to the static network access state, the method may further include:
extracting the primary DNS server address or the secondary DNS server address from the dynamic configuration information; and
determining the primary DNS server address or the secondary DNS server address from the dynamic configuration information as the secondary DNS server address in the security configuration information.
Specifically, another way of determining the secondary DNS server address in the security configuration information is that, after switching to the static network access state, the UE extracts the primary DNS server address or secondary DNS server address from the dynamic configuration information and determines the extracted address as the secondary DNS server address of the security configuration information.
Further, in a concrete implementation the primary DNS server in a LAN is usually more reliable than the secondary DNS server, and faults in it are easier to notice and repair promptly, so determining the primary DNS server address from the dynamic configuration information as the secondary DNS server address in the security configuration information is the preferred choice.
In addition, for the IP address, subnet mask and gateway address in the security configuration information, the IP address, subnet mask and gateway address from the dynamic configuration information may be used directly; the present disclosure places no specific limit on this.
Based on the same disclosed concept as the method for reducing the risk of DNS hijacking in the above embodiments, the second aspect of the present disclosure further provides an apparatus for reducing the risk of DNS hijacking, as shown in FIG. 2, comprising:
a dynamic configuration request module 101, configured to send a dynamic configuration request to a DHCP device in the local area network;
a receiving module 102, configured to receive dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary DNS server address;
a switching module 103, configured to switch from a dynamically configured network access state to a static network access state, where the dynamically configured network access state is a state in which the dynamic configuration information sent by the DHCP device is received and the network is accessed on the basis of that dynamic configuration information, and the static network access state is a state in which the network is accessed according to static security configuration information, the primary DNS server address in the security configuration information being a target WAN DNS server address; and
an access module 104, configured to access the network on the basis of the security configuration information.
Further, the apparatus in the embodiments of the present disclosure also includes:
a judging module, configured to determine, before the switch from the dynamically configured network access state to the static network access state and when the primary DNS server address in the dynamic configuration information is a LAN address, whether the gateway address in the dynamic configuration information is identical to the primary DNS server address in the dynamic configuration information; and
a first determining module, configured to determine that a LAN DNS hijacking risk exists when the gateway address and the primary DNS server address in the dynamic configuration information are not identical, and to notify the switching module to switch from the dynamically configured network access state to the static network access state.
Further still, the apparatus in the embodiments of the present disclosure also includes:
an obtaining module, configured to obtain a target WAN DNS server address after the switch from the dynamically configured network access state to the static network access state; and
a second determining module, configured to determine the target WAN DNS server address as the primary DNS server address in the security configuration information.
The obtaining module is configured to detect the network connectivity of one or more WAN DNS servers and to determine the address of the WAN DNS server with the best network connectivity as the target WAN DNS server address.
Further still, the apparatus in the embodiments of the present disclosure also includes:
an extracting module, configured to extract the primary DNS server address or the secondary DNS server address from the dynamic configuration information after the switch from the dynamically configured network access state to the static network access state; and
a third determining module, configured to determine the primary DNS server address or the secondary DNS server address from the dynamic configuration information as the secondary DNS server address in the security configuration information.
The variations and specific examples of the method for reducing the risk of DNS hijacking in the embodiment of FIG. 1 above apply equally to the apparatus for reducing the risk of DNS hijacking of this embodiment. From the foregoing detailed description of the method for reducing the risk of DNS hijacking, those skilled in the art can clearly understand how the apparatus for reducing the risk of DNS hijacking of this embodiment is implemented, so for brevity of the specification it is not described in detail again here.
A third aspect of the present disclosure provides a computer program. FIG. 3 shows a computing device that can implement the method for reducing the risk of DNS hijacking according to the present disclosure. The computing device conventionally includes a processor 310 and a computer program product or computer readable medium in the form of a storage device 320. The storage device 320 may be an electronic memory such as flash memory, EEPROM (Electrically Erasable Programmable Read Only Memory), EPROM, a hard disk or ROM. The storage device 320 has a storage space 330 storing program code 331 for performing any of the method steps described above. For example, the storage space 330 storing program code may include individual program codes 331 for implementing the respective steps of the above method. The program code can be read from or written to one or more computer program products. These computer program products include program code carriers such as a hard disk, compact disc (CD), memory card or floppy disk. Such a computer program product is typically a portable or fixed storage unit such as that shown in FIG. 4. The storage unit may have storage segments, storage space and the like arranged similarly to the storage device 320 in the computing device of FIG. 3. The program code may, for example, be compressed in an appropriate form. Typically, the storage unit includes computer readable code 331' for performing the method steps according to the present disclosure, that is, code that can be read by a processor such as 310 and which, when run by the computing device, causes the computing device to perform the various steps of the method described above.
The technical solution provided in the embodiments of the present disclosure has at least the following technical effects or advantages:
In the technical solution of the embodiments of the present disclosure, a dynamic configuration request is first sent to the DHCP device in the local area network, and the dynamic configuration information returned by the DHCP device is received; the dynamic configuration information includes a primary DNS server address. The device then switches from the dynamically configured Internet access state to the static Internet access state. The static Internet access state is the state of accessing the network according to static security configuration information, and the primary DNS server address in the security configuration information is the target wide area network DNS server address. Because hijacking a wide area network DNS server is usually very difficult, and because after a hijacking occurs the maintainers of the wide area network DNS server can detect the anomaly in time and repair it quickly, connecting to a wide area network DNS server carries a lower risk of hijacking and higher security than connecting to a local area network DNS server. The present disclosure therefore reduces the risk of DNS hijacking.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems may also be used together with the teachings herein. The structure required to construct such systems is apparent from the above description. Moreover, the present disclosure is not directed to any particular programming language. It should be understood that the content of the present disclosure described herein may be implemented in various programming languages, and that the above description of specific languages was made to disclose the best mode of the present disclosure.
Numerous specific details are set forth in the description provided here. However, it is understood that embodiments of the present disclosure may be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the present disclosure and aid in understanding one or more of the various disclosed aspects, various features of the present disclosure are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. However, this method of disclosure is not to be interpreted as reflecting an intention that the claimed disclosure requires more features than are expressly recited in each claim. Rather, as the following claims reflect, the disclosed aspects lie in less than all features of a single foregoing disclosed embodiment. Thus the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present disclosure.
Those skilled in the art will understand that the modules in the apparatus of an embodiment may be adaptively changed and arranged in one or more apparatuses different from that embodiment. The modules, units or components of an embodiment may be combined into one module, unit or component, and may furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or apparatus so disclosed may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments herein include certain features included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the present disclosure and to form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.
The various component embodiments of the present disclosure may be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or digital signal processor (DSP) may be used in practice to implement some or all of the functions of some or all of the components of the gateway, proxy server or system according to embodiments of the present disclosure. The present disclosure may also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described here. Such a program implementing the present disclosure may be stored on a computer readable medium or may take the form of one or more signals. Such signals may be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the present disclosure, and that those skilled in the art may design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The present disclosure may be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order; these words may be interpreted as names.

Claims (12)

  1. A method for reducing the risk of DNS hijacking, characterized in that it comprises:
    sending a dynamic configuration request to a Dynamic Host Configuration Protocol (DHCP) device in a local area network;
    receiving dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary Domain Name System (DNS) server address;
    switching from a dynamically configured Internet access state to a static Internet access state, the dynamically configured Internet access state being the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on the dynamic configuration information, and the static Internet access state being the state of accessing the network according to static security configuration information, wherein the primary DNS server address of the security configuration information is a target wide area network DNS server address;
    accessing the network based on the security configuration information.
  2. The method according to claim 1, characterized in that, before switching from the dynamically configured Internet access state to the static Internet access state, the method further comprises:
    when the primary DNS server address in the dynamic configuration information is a local area network address, determining whether the gateway address in the dynamic configuration information and the primary DNS server address in the dynamic configuration information are the same;
    when the gateway address and the primary DNS server address in the dynamic configuration information differ, determining that a local area network DNS hijacking risk exists, and performing the step of switching from the dynamically configured Internet access state to the static Internet access state.
  3. The method according to claim 1 or 2, characterized in that, after switching from the dynamically configured Internet access state to the static Internet access state, the method further comprises:
    obtaining the target wide area network DNS server address;
    setting the target wide area network DNS server address as the primary DNS server address in the security configuration information.
  4. The method according to claim 3, characterized in that obtaining the target wide area network DNS server address comprises:
    detecting the network connectivity of one or more wide area network DNS servers;
    selecting the address of the wide area network DNS server with the best network connectivity as the target wide area network DNS server address.
  5. The method according to claim 1 or 2, characterized in that, after switching from the dynamically configured Internet access state to the static Internet access state, the method further comprises:
    extracting the primary DNS server address or the standby DNS server address from the dynamic configuration information;
    setting the primary DNS server address or the standby DNS server address from the dynamic configuration information as the standby DNS server address in the security configuration information.
  6. An apparatus for reducing the risk of DNS hijacking, characterized in that it comprises:
    a dynamic configuration request module, configured to send a dynamic configuration request to a Dynamic Host Configuration Protocol (DHCP) device in a local area network;
    a receiving module, configured to receive dynamic configuration information returned by the DHCP device, the dynamic configuration information including a primary Domain Name System (DNS) server address;
    a switching module, configured to switch from a dynamically configured Internet access state to a static Internet access state, the dynamically configured Internet access state being the state of receiving the dynamic configuration information sent by the DHCP device and accessing the network based on the dynamic configuration information, and the static Internet access state being the state of accessing the network according to static security configuration information, wherein the primary DNS server address of the security configuration information is a target wide area network DNS server address;
    an access module, configured to access the network based on the security configuration information.
  7. The apparatus according to claim 6, characterized in that the apparatus further comprises:
    a judging module, configured to determine, before the switch from the dynamically configured Internet access state to the static Internet access state and when the primary DNS server address in the dynamic configuration information is a local area network address, whether the gateway address in the dynamic configuration information and the primary DNS server address in the dynamic configuration information are the same;
    a first determining module, configured to determine that a local area network DNS hijacking risk exists when the gateway address and the primary DNS server address in the dynamic configuration information differ, and to notify the switching module to switch from the dynamically configured Internet access state to the static Internet access state.
  8. The apparatus according to claim 6 or 7, characterized in that the apparatus further comprises:
    an obtaining module, configured to obtain the target wide area network DNS server address after the switch from the dynamically configured Internet access state to the static Internet access state;
    a second determining module, configured to set the target wide area network DNS server address as the primary DNS server address in the security configuration information.
  9. The apparatus according to claim 8, characterized in that the obtaining module is configured to detect the network connectivity of one or more wide area network DNS servers and to select the address of the wide area network DNS server with the best network connectivity as the target wide area network DNS server address.
  10. The apparatus according to claim 6 or 7, characterized in that the apparatus further comprises:
    an extracting module, configured to extract the primary DNS server address or the standby DNS server address from the dynamic configuration information after the switch from the dynamically configured Internet access state to the static Internet access state;
    a third determining module, configured to set the primary DNS server address or the standby DNS server address from the dynamic configuration information as the standby DNS server address in the security configuration information.
  11. A computer program comprising computer readable code which, when run on a computing device, causes the computing device to perform the method for reducing the risk of DNS hijacking according to any one of claims 1 to 5.
  12. A computer readable medium storing the computer program according to claim 11.
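As an added worked example (not code from the patent or its assignee, whose implementation is not published), the decision logic of claims 1 to 5 and the matching apparatus modules above in Python: the LAN-DNS-versus-gateway check of claim 2, the connectivity-based choice of a target WAN DNS server of claim 4, and the assembly of the static security configuration of claims 3 and 5. The RFC 1918 reading of "local area network address", the TEST-NET candidate resolver addresses and the latency table are constructed assumptions the patent does not specify.

```python
"""Decision logic of the claimed method (added example, not the patent's own
code; the LAN definition, module names and sample data are assumptions)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Iterable, Optional, Tuple

# Assumption: a "local area network address" is RFC 1918 or link-local space.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


@dataclass
class DynamicConfig:
    """Fields of interest from the DHCP lease (gateway, primary/standby DNS)."""
    gateway: str
    primary_dns: str
    standby_dns: Optional[str] = None


@dataclass
class SecurityConfig:
    """Static configuration used in the 'static Internet access state'."""
    primary_dns: str            # target WAN DNS server (claim 3)
    standby_dns: Optional[str]  # address taken from the DHCP lease (claim 5)


def is_lan_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LAN_NETWORKS)


def lan_dns_hijack_risk(cfg: DynamicConfig) -> bool:
    """Claim 2: a LAN primary DNS that is not the gateway itself is flagged.
    On a typical home network the gateway forwards DNS, so a different LAN
    resolver handed out by DHCP is the signal the patent treats as a risk."""
    if not is_lan_address(cfg.primary_dns):
        return False   # DHCP handed out a WAN resolver: no LAN DNS risk
    return ipaddress.ip_address(cfg.gateway) != ipaddress.ip_address(cfg.primary_dns)


def select_wan_dns(candidates: Iterable[str],
                   probe: Callable[[str], Optional[float]]) -> Optional[str]:
    """Claim 4: probe each WAN DNS server and keep the one with the best
    connectivity. `probe` returns a latency in ms, or None if unreachable."""
    best, best_rtt = None, None
    for addr in candidates:
        rtt = probe(addr)
        if rtt is None:
            continue
        if best_rtt is None or rtt < best_rtt:
            best, best_rtt = addr, rtt
    return best


def build_security_config(cfg: DynamicConfig, candidates: Iterable[str],
                          probe: Callable[[str], Optional[float]]) -> SecurityConfig:
    """Claims 3 and 5: the target WAN DNS becomes primary; the DHCP-supplied
    primary DNS is demoted to standby (claim 5 allows the DHCP standby too)."""
    target = select_wan_dns(candidates, probe)
    if target is None:
        raise RuntimeError("no WAN DNS server reachable; cannot enter static state")
    return SecurityConfig(primary_dns=target, standby_dns=cfg.primary_dns)


def decide_access_state(cfg: DynamicConfig, candidates: Iterable[str],
                        probe: Callable[[str], Optional[float]],
                        always_switch: bool = False) -> Tuple[str, Optional[SecurityConfig]]:
    """Claim 1 switches unconditionally (always_switch=True); claim 2 switches
    only when the LAN check flags a risk. Returns (state, static config)."""
    if always_switch or lan_dns_hijack_risk(cfg):
        return "static", build_security_config(cfg, candidates, probe)
    return "dynamic", None


# Constructed sample data: TEST-NET addresses stand in for real WAN resolvers
# and the latency table simulates the connectivity probe of claim 4.
WAN_CANDIDATES = ("203.0.113.53", "198.51.100.53", "192.0.2.53")
SIMULATED_RTT_MS = {"203.0.113.53": 25.0, "198.51.100.53": 12.0, "192.0.2.53": None}


def simulated_probe(addr: str) -> Optional[float]:
    return SIMULATED_RTT_MS.get(addr)


if __name__ == "__main__":
    lease = DynamicConfig(gateway="192.168.1.1", primary_dns="192.168.1.66")
    print(decide_access_state(lease, WAN_CANDIDATES, simulated_probe))
    # ('static', SecurityConfig(primary_dns='198.51.100.53', standby_dns='192.168.1.66'))
```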
PCT/CN2017/117689 2016-12-21 2017-12-21 Method and apparatus for reducing the risk of dns hijacking WO2018113727A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201611192329.8A CN106713309A (en) 2016-12-21 2016-12-21 Method and apparatus for reducing DNS hijacking risk
CN201611192329.8 2016-12-21

Publications (1)

Publication Number Publication Date
WO2018113727A1 true WO2018113727A1 (en) 2018-06-28

Family

ID=58938530

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2017/117689 WO2018113727A1 (en) 2016-12-21 2017-12-21 Method and apparatus for reducing the risk of dns hijacking

Country Status (2)

Country Link
CN (1) CN106713309A (en)
WO (1) WO2018113727A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106506544B (en) * 2016-12-21 2019-07-05 北京奇虎科技有限公司 A kind of method and apparatus that local area network DNS kidnaps detection
CN106713311B (en) * 2016-12-21 2021-01-15 北京奇虎科技有限公司 Method and device for reducing DNS hijacking risk
CN106713309A (en) * 2016-12-21 2017-05-24 北京奇虎科技有限公司 Method and apparatus for reducing DNS hijacking risk

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103561121A (en) * 2013-10-11 2014-02-05 北京奇虎科技有限公司 Method and device for analyzing DNS and browser
CN105262858A (en) * 2015-11-06 2016-01-20 北京金山安全软件有限公司 Method and device for detecting safety of Domain Name System (DNS) server
CN106713311A (en) * 2016-12-21 2017-05-24 北京奇虎科技有限公司 Method and apparatus for reducing DNS hijacking risk
CN106713309A (en) * 2016-12-21 2017-05-24 北京奇虎科技有限公司 Method and apparatus for reducing DNS hijacking risk

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7734745B2 (en) * 2002-10-24 2010-06-08 International Business Machines Corporation Method and apparatus for maintaining internet domain name data
CN103916490B (en) * 2014-04-03 2017-05-24 深信服网络科技(深圳)有限公司 DNS tamper-proof method and device
CN104468866B (en) * 2014-12-26 2017-11-21 陈晨 A kind of multiple gateway terminal fast roaming method in WLAN
CN105142243A (en) * 2015-08-14 2015-12-09 江苏轩博电子科技有限公司 Intelligent double-channel broadband gateway and working method of intelligent broadband gateway

Also Published As

Publication number Publication date
CN106713309A (en) 2017-05-24

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 17883655
    Country of ref document: EP
    Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 17883655
    Country of ref document: EP
    Kind code of ref document: A1