WO2020083288A1 - Safety defense method and apparatus for DNS server, and communication device and storage medium

Info

Publication number
WO2020083288A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
mdns
domain name
client
request
Application number
PCT/CN2019/112547
Other languages
French (fr)
Chinese (zh)
Inventor
郝振武
吴强
谢大雄
陆平
Original Assignee
中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses

Definitions

  • The present disclosure relates to the field of network technology, and in particular to a Domain Name System (DNS) server security defense method and apparatus, a communication device, and a storage medium.
  • DNS: Domain Name System
  • A DNS server is a server that provides domain name services.
  • The requesting end sends a resolution request carrying the domain name.
  • After receiving the resolution request, the DNS server returns to the requesting end the Internet Protocol (IP) address of the service server corresponding to that domain name.
  • IP: Internet Protocol
  • The access end then uses the received IP address to access the business server and obtain the services it provides.
  • To ordinary users an IP address is a dull, technical string.
  • A user needs to access many business servers and can hardly remember the IP address of each one, so the provision of domain name resolution services is very important.
  • However, the DNS server providing the domain name resolution service is highly exposed to hacker attacks. This causes security problems for the DNS server itself and, through information leakage from the DNS server, may also lead to security problems for the business servers.
  • In view of this, embodiments of the present disclosure aim to provide a DNS server security defense method and apparatus, a communication device, and a storage medium.
  • In a first aspect, an embodiment of the present disclosure provides a DNS server security defense method, including:
  • mDNS: mobile domain name system (the disclosure's own term for the virtual DNS addresses it assigns; unrelated to multicast DNS)
  • IP: Internet Protocol
  • providing the client with a second domain name service response based on the first domain name service response returned for the second domain name service request.
  • In a second aspect, an embodiment of the present disclosure provides a DNS server security defense method, including:
  • In a third aspect, an embodiment of the present disclosure provides a DNS server security defense apparatus, including: a first allocation module configured to dynamically allocate a first mDNS IP address to the client according to the client's mDNS IP address request;
  • a first receiving module configured to receive a first domain name service request initiated by the client, where the destination address of the first domain name service request is the mDNS IP address;
  • a first sending module configured to send, based on the first domain name service request, a second domain name service request to the corresponding DNS server, with the mDNS IP address replaced by the address of that DNS server;
  • a providing module configured to provide the client with a second domain name service response based on the first domain name service response returned for the second domain name service request.
  • In a fourth aspect, an embodiment of the present disclosure provides a DNS server security defense apparatus, including:
  • a fourth receiving module configured to receive a configuration request from the client;
  • a third allocation module configured to allocate a host IP address to the client based on the configuration request;
  • a second sending module configured to send a mobile domain name system (mDNS) IP address request to the domain name gateway based on the host IP address;
  • a fifth receiving module configured to receive the mDNS IP address returned by the domain name gateway in response to the mDNS IP address request;
  • a third sending module configured to send a configuration response carrying the host IP address and the mDNS IP address to the client.
  • In a fifth aspect, an embodiment of the present disclosure provides a communication device, including:
  • a transceiver, a memory, and a processor connected to both, the processor being configured to control the transceiver's sending and receiving of information by executing computer-executable instructions stored in the memory, and to implement the DNS server security defense method provided by the first and/or second aspect.
  • In a sixth aspect, an embodiment of the present disclosure provides a computer storage medium storing computer-executable instructions; when executed, the instructions implement the DNS server security defense method of the first and/or second aspect.
  • With the DNS server security defense method and apparatus, communication device and storage medium provided by these embodiments, when the domain name gateway configures the DNS server used by the client, the real IP address of the DNS server is hidden: the client is assigned an mDNS IP address from which it cannot directly locate the DNS server. The client sends its domain name service request to the mDNS IP address, and the domain name gateway sends a second domain name service request to the corresponding DNS server based on that first request.
  • FIG. 1 is a schematic structural diagram of a network system provided by an embodiment of the present disclosure.
  • FIG. 2 is a schematic flowchart of a first DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 3 is a schematic flowchart of a second DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 4 is a schematic flowchart of a third DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 5 is a schematic structural diagram of a first type of DNS server security defense apparatus provided by an embodiment of the present disclosure.
  • FIG. 6 is a schematic structural diagram of a second type of DNS server security defense apparatus provided by an embodiment of the present disclosure.
  • FIG. 7 is a schematic flowchart of a fourth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 8 is a schematic flowchart of a fifth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 9 is a schematic flowchart of a sixth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 10 is a schematic flowchart of a seventh DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 11 is a schematic flowchart of an eighth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 12 is a schematic flowchart of a ninth DNS server security defense method provided by an embodiment of the present disclosure.
  • This embodiment provides a network system for the DNS server defense method, including the entities below.
  • DNG: Domain Name Gateway (the entity added by this disclosure)
  • The present disclosure is well compatible with existing technologies and easy to deploy.
  • Client: establishes a connection with the access gateway and receives the host IP address and mDNS IP address assigned by the access configuration function, where the mDNS IP address serves as the virtual IP address of the DNS server; accesses the Internet through the access gateway, initiates domain name service requests and accesses business applications.
  • Access gateway: during client access, obtains the client configuration parameters from the access configuration function and provides them to the client, and provides the client's Internet access so that the client can reach the DNS server and business servers through the domain name gateway.
  • Access configuration function: according to the client's access information, assigns a host IP address to the client, selects a domain name gateway, requests an mDNS IP address from that gateway, configures the assigned host IP address and the obtained mDNS IP address on the client, and maintains the validity of the host configuration.
  • Domain name gateway: maintains the mDNS IP address pool; selects mDNS IP addresses from the pool for clients at the request of the host configuration function; in some embodiments, establishes a binding relationship between the client IP address and the mDNS IP address and maintains the validity of both the mDNS IP address and the binding; when the client initiates a domain name request, checks the validity of the request: if it is a normal request, sends a business request to the DNS server and returns the result to the client; otherwise it rejects the domain name service request, applies the restricted DNS function, or directs the request to a honeypot system.
  • DNS server: resolves the requested service domain name to the corresponding IP address and returns it.
  • Service server: provides services to clients; the correspondence between its IP address and its domain name is stored in the DNS server.
  • This embodiment provides a DNS server security defense method, including:
  • Step S110: dynamically assign an mDNS IP address to the client according to the client's mDNS IP address request; the assigned address may be referred to as the first mDNS IP address. For example, step S110 may include: dynamically allocating the mDNS IP address to the client according to the client's mDNS IP address request initiated by the access configuration function.
  • Step S120: receive a first domain name service request initiated by the client, where the destination address of the first domain name service request is the mDNS IP address;
  • Step S130: based on the first domain name service request, send a second domain name service request to the corresponding DNS server, with the mDNS IP address replaced by the address of that DNS server;
  • Step S140: provide the client with a second domain name service response based on the first domain name service response returned for the second domain name service request.
  • The DNS server security defense method of this embodiment may be applied to a domain name gateway, which may correspond to a physical gateway.
  • The physical gateway may be an access gateway through which a client accesses the network; a typical access gateway may include a packet data gateway (PGW), etc.
  • The domain name gateway may also be a gateway established specifically for maintaining the security of the DNS server.
  • Such a gateway may be connected to the access gateway directly or indirectly.
  • The client may be an application program, software development tool, component or plug-in installed and/or running in a terminal.
  • The client can reach the domain name gateway through the access gateway.
  • The client can request allocation of the DNS server's IP address through the access gateway,
  • and the access gateway can pass the request on to the domain name gateway.
  • The mDNS IP address may be a virtual IP address of the DNS server, different from the real IP address of the DNS server (also referred to as the DNS IP address in embodiments of the present disclosure).
  • The real IP address of the DNS server is thus disclosed neither to the network as a whole nor to the client. This protects the real IP address of the DNS server and reduces attacks that hackers launch against DNS server IP addresses disclosed on public networks, thereby reducing the DNS server's own security problems and, at the same time, the security problems of the business servers whose IP addresses and other information are stored in the DNS server, improving the security of both the DNS server and the business servers.
  • The mDNS IP address may be an address within the network's current IP address range,
  • so that a data packet carrying it as destination address (for example, the first domain name service request) is guaranteed to be routed to the domain name gateway that assigned the mDNS IP address.
  • The mDNS IP address is allocated to the client dynamically rather than pre-allocated. Compared with static allocation, this avoids the long-term constancy of a statically allocated mDNS IP address, which would let an illegal client steal the mDNS IP address of a legitimate client and impersonate it to access the corresponding DNS server.
  • Dynamic allocation may include random selection for all clients from all mDNS IP addresses, or random selection for clients from a subset of the mDNS IP addresses.
  • Dynamic allocation is not limited to random selection; it may also select according to an allocation rule. "Dynamic" here emphasizes that each allocation is decided at the time and is not determined in advance, so the mDNS IP address allocated each time may differ.
  • The mDNS IP address allocated to the client is returned to the client, for example as one of the configuration parameters together with the first host IP address. Subsequently, when the client needs a domain name service,
  • it constructs a domain name service request whose source address is the first host IP address and whose destination address is the mDNS IP address; this request is called the first domain name service request in embodiments of the present disclosure. Since the first domain name service request cannot actually be routed to the DNS server the client wants to access, it is forwarded to the domain name gateway.
  • After the domain name gateway receives the first domain name service request, it constructs a second domain name service request according to, for example, a pre-established binding relationship or a DNS server dynamically assigned to the client. The destination address is replaced, for example the mDNS IP address is replaced with the real IP address of the DNS server, and the second domain name service request is forwarded outward so that it can be correctly routed to the DNS server.
  • In some embodiments, step S110 may include: dynamically assigning a first mDNS IP address to the client according to the client's mobile domain name system (mDNS) IP address request;
  • and the method further includes:
  • Step S111: establish a binding relationship between the first host IP address of the client and the first mDNS IP address;
  • Step S121: query the binding relationship according to the second mDNS IP address and the second host IP address of the client carried in the first domain name service request;
  • Step S130 may include step S131: if the second mDNS IP address and the second host IP address are included in the binding relationship, send a second domain name service request to the DNS server corresponding to the second mDNS IP address.
  • In this way, only a first domain name service request that passes the check initiates the domain name service, which further improves the security of the DNS server and of the DNS service.
  • The second domain name service request sent to the corresponding DNS server carries the same domain name to be resolved as the first domain name service request. After the DNS server receives it, it queries, locally or remotely, the IP address of the business server corresponding to the domain name to be resolved (which may be the business server's domain name) to obtain the resolution result. The IP address of the business server is carried in the domain name service response and returned to the client or to the client's access gateway, so that the client can access the business server using the obtained IP address and obtain business services from it.
  • The business server here may include: a social server, online shopping server, forum server, web server, video server, audio server, advertising server, content server, stock, fund or other transaction server, education system server, medical system server, etc.
  • The above are only examples; the service server is not limited to any of them.
  • In some embodiments, the domain name gateway may also receive encryption information for the client from the client's access gateway.
  • The encryption information may include a key and an encryption algorithm, etc., so that the access gateway and the domain name gateway use it to encrypt the first host IP address and the first mDNS IP address exchanged between them.
  • Step S131 may include: replacing the second mDNS IP address in the first domain name service request with the DNS IP address of the DNS server to form the second domain name service request, and sending the second domain name service request to the DNS server.
  • The DNS IP address here may be the real, effective IP address of the DNS server, and it is stored in the domain name gateway.
  • In this case the source addresses of the second domain name service request and the first domain name service request are both the client's host IP address.
  • When the domain name gateway is located on the routing path between the client and the DNS server, information sent by the client to the DNS server and information sent by the DNS server to the client both pass through the gateway, so the gateway can intercept the first domain name service request
  • and can also intercept the domain name service response returned by the DNS server for the second domain name service request, and forward it to the corresponding client based on the first domain name service request that client sent.
  • In some embodiments, the method further includes forming a request record from the first and second domain name service requests. The request record includes at least the domain name to be resolved and the client's host IP address; it may further include the domain name to be resolved, the client's host IP address, and the DNS IP address of the DNS server to which the second domain name service request was sent.
  • Based on the request record, the gateway determines the client to which the current first domain name service response is to be forwarded;
  • or it determines the host IP address corresponding to the client from the domain name to be resolved, the client's host IP address and the DNS server's DNS IP address, and forwards the response to that client.
  • In other embodiments, step S131 may include the following:
  • the domain name gateway is not necessarily located on the routing path between the client and the DNS server;
  • the destination address in the first domain name service request is replaced with the DNS IP address of the DNS server, and the source address in the first domain name service request is replaced with the gateway IP address of the domain name gateway;
  • the destination address of the first domain name service response will then be the gateway IP address of the domain name gateway.
  • Step S140 may include the following:
  • the source address of the first domain name service response may be the DNS IP address of the DNS server;
  • the domain name gateway deletes the DNS IP address, for example by replacing it with the first mDNS IP address assigned to the client as described above; in other embodiments the DNS IP address may simply be deleted without replacement.
  • It may also be replaced directly with the gateway IP address of the domain name gateway, or with another virtual IP address of no particular meaning. If the DNS IP address is replaced with the first mDNS IP address, the client can conveniently match, by source address, the response it actually received to the domain name service request it sent. In this way, the source address of the second domain name service response differs from the source address of the first domain name service response.
  • The second domain name service response may be formed from the first domain name service response, so that the domain name gateway may either
  • send the first domain name service response to the client directly as the second domain name service response,
  • or, after operations such as DNS IP address replacement, DNS IP address deletion and source address detection on the first domain name service response,
  • send its domain name resolution result to the client as the second domain name service response.
  • The domain name resolution result may include the IP address corresponding to the domain name requested for resolution.
  • In some embodiments, the method further includes constructing a second domain name service request carrying preset indication information, which indicates that the domain name service response should hide the DNS IP address.
  • The first domain name service response may then carry no source address (for example, the source address field in the response packet is empty) or carry a wrong source address, etc. In this way the domain name gateway does not need to replace the source address and can forward the first domain name service response directly as the second domain name service response, or forward it after replacing its destination address with the client's host IP address.
  • Step S110 may include the following:
  • the mDNS IP address is dynamically selected from an mDNS IP address pool, for example with the dynamically selected address used as the first mDNS IP address.
  • The domain name gateway is provided with an mDNS IP address pool storing multiple mDNS IP addresses, which can be allocated to different clients, or to clients in different time periods.
  • The dynamically selected mDNS IP address comes from the domain name gateway's mDNS IP address pool.
  • When the access gateway receives a first domain name service request carrying an mDNS IP address, it can easily determine from that address which domain name gateway should receive the request.
  • The mDNS IP addresses may form one or more mDNS IP address segments of contiguous addresses, which the access gateway identifies by the start and end address of each segment. Once the access gateway receives a first domain name service request, it determines the domain name gateway that should receive it from the segment to which the carried mDNS IP address belongs.
  • Step S110 may include one of the following:
  • according to the client's mDNS IP address request, randomly selecting the mDNS IP address assigned to the client from the pool; since different clients have different host IP addresses, an mDNS IP address in the pool can be assigned to different clients, or a unique binding relationship can be established; the domain name gateway can therefore select randomly from the pool;
  • randomly selecting a currently idle mDNS IP address from the pool; in some implementations the domain name gateway also records the usage status of each mDNS IP address and preferentially assigns unused (that is, idle) addresses to clients;
  • randomly selecting the mDNS IP address assigned to the client from the used mDNS IP addresses in the pool; even where idle mDNS IP addresses are selected preferentially, the first mDNS IP address may be selected from the used addresses.
  • Preferentially selecting the mDNS IP address that takes part in fewer established binding relationships. For example, if mDNS IP address A takes part in a first number of binding relationships and mDNS IP address B in a second number, and the first number is less than the second, address A is preferentially chosen for the binding with the host IP address of the current client. When the domain name service is then provided, this avoids the large access delay caused by many clients accessing the same binding relationship concurrently.
  • When the domain name gateway performs the legality verification, it may first query the binding relationships by the second mDNS IP address carried in the first domain name service request; when a first mDNS IP address corresponding to the second mDNS IP address exists, it extracts the first host IP address from the one or more binding relationships of that first mDNS IP address and matches it against the second host IP address. This reduces unnecessary matching on the one hand and speeds up verification on the other.
  • Step S110 may include: according to the client's mDNS IP address request, selecting a plurality of mDNS IP addresses from the mDNS IP address pool to allocate to the client.
  • If an attacker attacks one of the mDNS IP addresses, taking it for the DNS IP address of the DNS server,
  • the firewall may block that mDNS IP address after the attack; because multiple mDNS IP addresses were allocated, the client can still obtain the domain name service through an unblocked mDNS IP address.
  • For example, N mDNS IP addresses to be allocated to the client are selected from the mDNS IP address pool.
  • The access configuration function may explicitly indicate how many mDNS IP addresses are to be allocated.
  • In some embodiments, the method further includes:
  • allocating to the client a DNS server of the domain name service system. The DNS server may be allocated according to the client's location information, for example on the principle of geographic proximity, choosing a DNS server that is closer geographically or in the network; in other embodiments, the DNS server may be allocated according to its current service load, the number of clients it serves, clients' online and offline status, and so on.
  • Step S120 may involve the following:
  • the binding relationship includes not only the first host IP address and the first mDNS IP address, but also the DNS IP address of the DNS server assigned to the client;
  • the second domain name service request is then constructed from the DNS IP address recorded in the binding relationship.
  • Sending the second domain name service request to the DNS server corresponding to the second mDNS IP address includes: if the second mDNS IP address and the second host IP address are included in the binding relationship and have a bound DNS IP address, sending the second domain name service request to that bound DNS IP address.
  • Sending the second domain name service request to the DNS server corresponding to the second mDNS IP address
  • also includes: if the second mDNS IP address and the second host IP address are included in the binding relationship but have no bound DNS IP address,
  • sending the second domain name service request to the default DNS server.
  • Domain name gateways in different geographic locations and/or different network locations may be connected to different DNS servers.
  • The domain name gateway may set as its default DNS server one that is closer to it geographically or in the network, or set the default according to information such as the load status of the DNS servers, or select a DNS server with strong domain name resolution capability as the default to ensure the speed and success rate of resolution.
  • The parameters reflecting strong domain name resolution capability may include at least one of the following:
  • The default DNS server may also be selected by combining location information, domain name resolution capability, and so on.
  • In some embodiments, the method further includes at least one of the following:
  • if the second mDNS IP address and the second host IP address are not in the binding relationship, providing a limited DNS service to the client, for example only those DNS services with lower security requirements, such as forwarding the first domain name service request only to a DNS server of lower security level;
  • directing the first domain name service request to a predetermined system. The predetermined system may be an attack location system which, for example, uses reverse tracing to locate the source client of a possibly attacking first domain name service request, or the tampering terminal that transformed a domain name service request into the first domain name service request;
  • the predetermined system may also be a honeypot system, that is, a system that uses honeypot technology to enhance protection; honeypot technology is a technique for deceiving the attacker;
  • the domain name gateway refuses to forward the domain name to be resolved carried in the first domain name service request.
  • the mDNS IP address request also carries address lease period information;
  • the method further includes: setting the validity period of the first mDNS IP address in the binding relationship according to the address lease period information.
  • the domain name gateway sets the validity period of the first mDNS IP address assigned to the client according to the lease period indicated by the address lease period information; the validity period may be equal to the lease period. In other embodiments the validity period may be slightly longer than the lease period; the lease period and the validity period start at the same time.
  • renewal of the mDNS IP address is required when the lease period expires, and there may be a certain delay in the renewal of the host IP address. If the renewal of the corresponding mDNS IP address is triggered only after the validity period, and the validity period is equal to the lease period, the validity period also expires as soon as the lease period expires, so that even if the lease is renewed a new mDNS IP address has to be re-assigned to the client.
  • the validity period is therefore slightly longer than the lease period; optionally, the amount by which the validity period exceeds the lease period may be determined according to the delay of the host IP address renewal, or may be set to an arbitrary fixed duration, for example half a day.
  • the method further includes: receiving a lease renewal request; extending the validity period of the first mDNS IP address according to the lease renewal request.
  • the lease renewal request may be a request to continue leasing the corresponding first mDNS IP address.
  • the lease renewal request may carry a lease renewal period, so the validity period may be extended according to the lease renewal period.
  • the lease renewal request may carry only the lease renewal instruction, without indicating the duration by which the lease renewal period is extended.
  • the domain name gateway may request that the lease renewal period be indicated, or may extend the validity period by a default period to re-determine the validity period.
  • the default period may be a fixed period of time for the lease renewal negotiated between the access gateway and the domain name gateway.
  • after extending the validity period by the default period, the domain name gateway forwards the updated validity period to the client or the client's access gateway, so that the client or its access gateway can again request a renewal, or instruct that the binding relationship be released, before the updated validity period expires.
  • the method further includes:
  • the method further includes sending a deletion prompt, which may be sent to the client or the client's access gateway, thereby triggering the client or the client's access gateway to update the client's configuration parameters.
  • the method further includes: receiving a release request; deleting the binding relationship between the first host IP address and the first mDNS IP address according to the release request, and releasing the first mDNS IP address.
  • the release request may be an active request to delete the binding relationship to release the first mDNS IP address in the binding relationship.
  • when the client no longer needs to request domain name service through the domain name gateway, it can release the binding relationship, thereby improving the effective utilization of mDNS IP addresses.
  • when the client migrates from one network area to another, it may need to access domain name gateways or DNS servers in a different network location, and at that time it may also request release of the binding relationship in the original network area.
  • the network area is related to the location and / or affiliation of network nodes of the wireless network or the Internet.
  • for example, a metropolitan area network covers a city-level local area network; some geographical areas are close to each other or belong to the same large area, yet their access network locations belong to different network areas.
  • clients connected through different operators' networks may belong to different network areas. For example, if one client connects through a Mobile network and another through a Unicom network, the domain name gateway and DNS server of the same operator are preferentially assigned to provide services for each client, so that two clients at the same geographical location belong to different network areas.
  • the method further includes: receiving an update request;
  • the first binding relationship is: the binding relationship between the old first host IP address corresponding to the client before the update and the first mDNS IP address;
  • the second binding relationship is: the binding relationship between the new first host IP address corresponding to the client after the update and the first mDNS IP address; wherein, compared with the first binding relationship, at least the first host IP address differs in the second binding relationship.
  • the domain name gateway will also receive an update request.
  • the update request is used to update the binding relationship. Since the host IP address bound to the client has changed, the binding relationship may need to be updated synchronously; therefore, in some embodiments, if an update request is received, the old first binding relationship is deleted and the second binding relationship is established.
  • the update request may carry an indication that the first binding relationship needs to be deleted, and also carry the new host IP address. In other embodiments, the update request may carry only the old host IP address in the first binding relationship that needs to be deleted, together with the updated new host IP address; in short, the domain name gateway updates the first binding relationship according to the update request and establishes a new second binding relationship corresponding to the client.
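The binding-table handling described above (allocation with address reuse, the hit/miss decision on the (host IP, mDNS IP) pair, the validity period, renewal, release and update), as an added Python example that is not the patent's or the applicant's code; the pool addresses, the half-day slack and the default renewal period are constructed assumptions.

```python
import random
import time
from dataclasses import dataclass
from typing import Optional

# Constructed sample parameters, not values taken from the patent.
VALIDITY_SLACK = 12 * 3600   # validity period exceeds the host IP lease by half a day
DEFAULT_RENEWAL = 3600       # default extension when a renewal carries no duration


@dataclass
class Binding:
    host_ip: str
    mdns_ip: str
    dns_ip: Optional[str]    # DNS server bound to this pair, or None for the default
    expires_at: float        # end of the validity period


class DomainNameGateway:
    def __init__(self, mdns_pool, default_dns, clock=time.time):
        self.pool = list(mdns_pool)
        self.default_dns = default_dns
        self.clock = clock
        # (host IP, mDNS IP) -> Binding. The pair is the key, so one mDNS IP can be
        # handed to several hosts while a request from an unbound host still misses.
        self.bindings = {}

    def allocate(self, host_ip, lease_seconds, dns_ip=None):
        """Pick an mDNS IP (unused ones first, then reuse) and record the binding."""
        in_use = {b.mdns_ip for b in self.bindings.values()}
        free = [ip for ip in self.pool if ip not in in_use]
        mdns_ip = random.choice(free or self.pool)
        b = Binding(host_ip, mdns_ip, dns_ip,
                    self.clock() + lease_seconds + VALIDITY_SLACK)
        self.bindings[(host_ip, mdns_ip)] = b
        return b

    def expire(self):
        """Delete every binding whose validity period has elapsed."""
        now = self.clock()
        for key in [k for k, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[key]

    def decide(self, src_host_ip, dst_mdns_ip):
        """Classify a domain name service request by its (source host IP, destination
        mDNS IP) pair: ("forward", dns_ip) on a hit, ("reject", None) on a miss.
        A deployment may answer a miss with a restricted service or a honeypot instead."""
        self.expire()
        b = self.bindings.get((src_host_ip, dst_mdns_ip))
        if b is None:
            return ("reject", None)
        return ("forward", b.dns_ip or self.default_dns)

    def renew(self, host_ip, mdns_ip, renewal_seconds=None):
        """Extend the validity period by the requested or the default period."""
        b = self.bindings.get((host_ip, mdns_ip))
        if b is None:
            return False
        b.expires_at += renewal_seconds or DEFAULT_RENEWAL
        return True

    def release(self, host_ip, mdns_ip):
        """Delete the binding; the mDNS IP becomes available for new allocations."""
        return self.bindings.pop((host_ip, mdns_ip), None) is not None

    def update(self, old_host_ip, new_host_ip, mdns_ip):
        """Replace the first binding (old host IP) by the second (new host IP)."""
        b = self.bindings.pop((old_host_ip, mdns_ip), None)
        if b is None:
            return False
        b.host_ip = new_host_ip
        self.bindings[(new_host_ip, mdns_ip)] = b
        return True


def demo():
    """Constructed scenario: two hosts, a two-address pool, a request from an unbound
    host, address reuse, renewal, expiry and a host IP update."""
    now = [1_000_000.0]
    gw = DomainNameGateway(["10.9.0.1", "10.9.0.2"], "198.51.100.53", lambda: now[0])
    random.seed(7)
    a = gw.allocate("192.0.2.10", 3600)
    b = gw.allocate("192.0.2.11", 3600, dns_ip="198.51.100.54")
    out = {"distinct": a.mdns_ip != b.mdns_ip}
    out["a_forward"] = gw.decide("192.0.2.10", a.mdns_ip)
    out["b_forward"] = gw.decide("192.0.2.11", b.mdns_ip)
    out["spoofed"] = gw.decide("192.0.2.99", a.mdns_ip)     # unbound host, valid mDNS IP
    c = gw.allocate("192.0.2.12", 3600)                       # pool exhausted: reuse
    out["reused"] = c.mdns_ip in (a.mdns_ip, b.mdns_ip)
    out["a_still_ok"] = gw.decide("192.0.2.10", a.mdns_ip)[0] == "forward"
    gw.renew("192.0.2.10", a.mdns_ip)                         # no duration: default period
    now[0] += 3600 + VALIDITY_SLACK + 1                       # b and c have expired
    out["b_expired"] = gw.decide("192.0.2.11", b.mdns_ip)
    out["a_renewed"] = gw.decide("192.0.2.10", a.mdns_ip)[0]
    gw.update("192.0.2.10", "192.0.2.20", a.mdns_ip)          # host IP changed
    out["old_host"] = gw.decide("192.0.2.10", a.mdns_ip)[0]
    out["new_host"] = gw.decide("192.0.2.20", a.mdns_ip)[0]
    out["released"] = gw.release("192.0.2.20", a.mdns_ip)
    return out
```

Because the table is keyed on the pair, a request that carries a valid mDNS IP from a host that never obtained it through the access configuration function misses, which is the check that turns the per-client mDNS address into a credential.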
  • this embodiment provides a DNS server security defense method, including:
  • Step S210 Receive a configuration request from the client;
  • Step S220 Assign a host IP address to the client based on the configuration request;
  • Step S230 Send an mDNS IP address request to the domain name gateway based on the host IP address;
  • Step S240 Receive the mDNS IP address returned by the domain name gateway based on the mDNS IP address request;
  • Step S250 Send a configuration response carrying the host IP address and the mDNS IP address to the client.
  • the method provided in this embodiment can be applied to an access gateway.
  • the client may be a user equipment (User Equipment, UE for short), an Internet of Things terminal, an in-vehicle device, or a smart home appliance.
  • the access equipment may include: base stations, wireless access hotspots, and other equipment.
  • the configuration request of the client is received; for example, the configuration request may be a configuration request based on the Dynamic Host Configuration Protocol (DHCP for short), and the access gateway may forward the configuration request to a DHCP server so that the DHCP server configures the host IP address; in this way the access gateway implements dynamic allocation of the client's host IP address.
  • the access configuration service function for the client may be set directly in the access gateway; in this case the access gateway allocates the host IP address to the client by itself.
  • dynamically assigning the host IP address to the client includes at least two ways: one is to dynamically assign the host IP address to the client through information exchange with a configuration server, and the other is for the access gateway to dynamically allocate the host IP address by itself.
  • the configuration request may request the configuration of various parameters for the host, the configuration parameters including: the host IP address, the lease period of the host IP address, and the DNS IP address of the DNS server.
  • the method further includes:
  • the access gateway or the access configuration function entity independent of the access gateway sets the lease period of the host IP address for the client.
  • optional setting methods may include at least one of the following:
  • setting the lease period of the host IP address according to the session type: for example, determining whether the current client access establishes a temporary session or a regular session other than a temporary session, and determining the lease period of the IP address accordingly; the first lease period corresponding to a temporary session may be slightly shorter than the second lease period of a regular session;
  • the access gateway or the access configuration function entity independent of the access gateway sets the lease period of the host IP address according to a local policy related to setting the lease period, or according to a policy received from the Policy Control Function (PCF for short).
  • in this embodiment the lease period of the host IP address and the validity period of the mDNS IP address are the same or approximately equivalent; but in some other management systems in which different IP addresses are managed separately, the lease period of the host IP address and the validity period of the mDNS IP address may be neither equal nor approximately the same. In short, the two periods are in general not related, although the special case in which they are equivalent is not excluded.
  • the lease period information is sent to the domain name gateway, and the lease period information indicates the lease period of the host IP address.
  • the domain name gateway will set the validity period of the mDNS IP address based on the lease period information to be slightly longer than the lease period of the host IP address.
  • the method further includes:
  • the client automatically requests lease renewal of the host IP address before the lease of the host IP address expires, or does so based on user instructions.
  • the access configuration function entity, whether embedded in the access gateway or independent of the access gateway, receives the client's lease renewal request and then extends the lease of the host IP address according to the request.
  • the method further includes: when a preset condition is met, sending a release request to the domain name gateway, wherein the release request is used to delete the binding relationship between the host IP address of the client and the mDNS IP address assigned to the client.
  • the access configuration function entity (which may be referred to as the access configuration function for short) sends a release request to the domain name gateway when the preset condition is met.
  • sending the release request triggers the domain name gateway to release the corresponding binding relationship; this is equivalent to releasing the mDNS IP address assigned to the client in the domain name gateway.
  • meeting the preset condition includes one of the following:
  • detecting a de-attach request sent by the client when going offline; for example, the UE automatically sends a de-attach request before shutting down. If at that time the host IP address and / or mDNS IP address assigned to the UE in the original area remain assigned to the UE, the IP addresses are used inefficiently. Therefore, in this embodiment, if a network element on the network side, such as a base station or a gateway, detects a de-attach request actively sent by the client when going offline, one of the preset conditions may be considered satisfied;
  • detecting that the validity period of the client's location update has expired; a UE and other clients may be mobile, and a UE performs various location update operations such as cell handover and tracking area update while moving. If the location has not been updated for a long time, the UE may have been inactive for a long time, so the validity period of the location update can be considered expired, and the corresponding binding relationship can be released, thereby releasing the host IP address and / or mDNS IP address;
  • detecting that the lease period of the client's host IP address has expired; this indicates that the lease of the host IP address has ended. If the lease needs to be renewed, the client may need to pay fees or re-apply; in order to avoid illegal use of IP addresses and the like, the above preset condition can be considered satisfied.
  • the method further includes:
  • the access gateway also receives the client's lease renewal request.
  • the lease renewal request may be sent by the client or by the client's management device; in short, it is received as the client's request for renewal of the host IP address and / or mDNS IP address.
  • the method further includes:
  • the access gateway deploys one or more domain name gateways for the client based on the configuration request and records the information of these domain name gateways, for example their identifiers, IP addresses, or location information; in some embodiments this information is recorded in correspondence with the client's identification. For example, a suitable domain name gateway is selected based on one or more of the client's device parameters, client parameters and location parameters, for example a domain name gateway that is geographically or topologically close is selected to serve the client in obtaining domain name service.
  • deploying one or more domain name gateways for the client according to the configuration request includes:
  • selecting, according to the user ID (International Mobile Subscriber Identity, IMSI for short), a domain name gateway that can provide a service quality suited to the user ID;
  • the device identification may include an International Mobile Equipment Identity (IMEI for short); the device capability parameters of the device can be learned from its device identification, so that a domain name gateway matching its device identification (for example, its device capability) is selected;
  • the nearest domain name gateway is selected to serve the client;
  • the selection strategy may be a local strategy stored in the access gateway, or a remote strategy stored in the PCF or the subscription database; in short, it may be used by the access configuration function to select the domain name gateway.
  • it is preferable to provide the client with two or more domain name gateways: at least one primary gateway, and a backup gateway corresponding to the primary gateway.
  • the method further includes:
  • determining, according to the number of domain name gateways deployed for the client, the number of mDNS IP addresses dynamically requested from the domain name gateway for the client.
  • the number of mDNS IP addresses configured for a client by a single domain name gateway may be determined according to the number of domain name gateways. For example, when there is only one domain name gateway, that domain name gateway may configure at least two mDNS IP addresses for the client; if there are multiple domain name gateways, a single domain name gateway may configure one mDNS IP address for the client.
  • this embodiment provides a DNS server security defense device, including:
  • the first allocation module 110 is configured to dynamically allocate a first mDNS IP address to the client according to the client's mobile domain name system (mDNS) Internet Protocol (IP) address request initiated by the access configuration function;
  • the first receiving module 120 is configured to receive a first domain name service request initiated by the client, wherein the destination address of the first domain name service request is the mDNS IP address;
  • the first sending module 130 is configured to send, based on the first domain name service request, a second domain name service request to the corresponding DNS server after replacing the mDNS IP address with the address of the corresponding DNS server;
  • the providing module 140 is configured to provide the client with a second domain name service response based on the first domain name service response returned by the DNS server for the second domain name service request.
  • the first allocation module 110, the establishment module, the receiving module, the query module, the first sending module 130, and the providing module 140 provided in this embodiment may all be program modules, which are executed by a processor to realize the functions of the foregoing modules.
  • the device can be used in a domain name gateway.
  • the security defense device of the DNS server may include:
  • the first allocation module 110 is configured to dynamically allocate a first mDNS IP address to the client according to a client mobile domain name system (mDNS) Internet Protocol (IP) address request initiated by the access configuration function;
  • the establishment module is configured to establish a binding relationship between the first host IP address of the client and the first mDNS IP address;
  • a receiving module configured to receive a first domain name service request initiated by the client;
  • the query module is configured to query the binding relationship according to the second mDNS IP address corresponding to the DNS server of the client and the second host IP address carried in the first domain name service request;
  • the first sending module 130 is configured to send the second domain name service request to the DNS server corresponding to the second mDNS IP address if the second mDNS IP address and the second host IP address are included in the binding relationship;
  • the providing module 140 is configured to provide the client with a second domain name service response based on the first domain name service response returned by the DNS server for the second domain name service request.
  • the first sending module 130 is configured to replace the second mDNS IP address in the first domain name service request with the DNS IP address of the DNS server to form the second domain name service request, and to send the second domain name service request to the DNS server.
  • the source addresses of both the second domain name service request and the first domain name service request are the host IP address of the client.
  • the first sending module 130 is configured to replace the first host IP address in the first domain name service request with the gateway IP address of the domain name gateway, to form the second domain name service request carrying the gateway IP address and the DNS IP address.
  • the providing module 140 is configured to replace the DNS IP address of the DNS server in the first domain name service response with the first mDNS IP address assigned to the client.
  • the first allocation module 110 is configured to dynamically select the first mDNS IP address from the mDNS IP address pool according to the client mDNS IP address request initiated by the access configuration function.
  • the first allocation module 110 is configured to perform one of the following:
  • the mDNS IP address is randomly selected from the used mDNS IP address pool.
  • the first allocation module 110 is configured to select a plurality of mDNS IP addresses from an mDNS IP address pool according to the mDNS IP address request of the client.
  • the first allocation module 110 is configured to select N of the mDNS IP addresses from the mDNS IP address pool according to the number N of addresses carried in the mDNS IP address request.
  • the device further includes:
  • a second allocation module configured to allocate a corresponding DNS server of the domain name service system to the client
  • the establishing module is configured to establish a binding relationship between the first host IP address, the first mDNS IP address, and the DNS IP address of the DNS server.
  • the first sending module 130 is configured to send the second domain name service request to the bound DNS IP address if the second mDNS IP address and the second host IP address are included in the binding relationship and a DNS IP address is bound to the second host IP address and the second mDNS IP address.
  • the first sending module 130 is configured to send the second domain name service request to the default DNS server if the second mDNS IP address and the second host IP address are included in the binding relationship but no DNS IP address is bound to the second host IP address and the second mDNS IP address.
  • the device further includes at least one of the following:
  • a restricted DNS service providing module configured to provide a restricted DNS service to the client if the second mDNS IP address and the second host IP address are not in the binding relationship;
  • a guiding module configured to guide the domain name service request to a predetermined system if the second mDNS IP address and the second host IP address are not in the binding relationship, wherein the predetermined system is used to handle attacks carried by domain name service requests;
  • the rejection module is configured to refuse to provide DNS services to the client if the second mDNS IP address and the second host IP address are not in the binding relationship.
  • the mDNS IP address request also carries address lease information
  • the device also includes:
  • the setting module is configured to set the validity period of the first mDNS IP address in the binding relationship according to the address lease period information.
  • the device further includes:
  • the first receiving module 120 is configured to receive the lease renewal request
  • the first extension module is configured to extend the validity period of the first mDNS IP address according to the lease renewal request.
  • the device further includes:
  • the first deletion module is configured to delete the binding relationship if the validity period expires.
  • the device further includes:
  • the second receiving module is configured to receive the release request;
  • the second deletion module is configured to delete the binding relationship between the first host IP address and the first mDNS IP address according to the release request, and release the first mDNS IP address.
  • the device further includes:
  • the third receiving module is configured to receive the update request;
  • the third deletion module is configured to delete the first binding relationship and establish the second binding relationship according to the update request; wherein the first binding relationship is the binding relationship between the old first host IP address corresponding to the client before the update and the first mDNS IP address; the second binding relationship is the binding relationship between the new first host IP address corresponding to the client after the update and the first mDNS IP address; wherein the second binding relationship differs from the first binding relationship in that at least the first host IP address is different.
  • this embodiment provides a DNS server security defense device, including:
  • the fourth receiving module 210 is configured to receive the configuration request of the client
  • the third allocation module 220 is configured to allocate a host network protocol IP address to the client based on the configuration request;
  • the second sending module 230 is configured to send a mobile domain name system mDNS IP address request to the domain name gateway based on the host IP address;
  • the fifth receiving module 240 is configured to receive the mDNS IP address returned by the domain name gateway based on the mDNS IP address request;
  • the third sending module 250 is configured to send a configuration response carrying the host IP address and the mDNS IP address to the client.
  • the fourth receiving module 210, the second sending module 230, the fifth receiving module 240, and the third sending module 250 may all be program modules, which are executed by a processor to implement one or more of the aforementioned functions applied in the access service function.
  • the device further includes:
  • the second setting module is configured to set the lease period of the host IP address;
  • the sixth sending module is configured to send lease period information indicating the lease period to the domain name gateway, wherein the lease period information is used by the domain name gateway to set the validity period of the mDNS IP address assigned to the client.
  • the device further includes:
  • a sixth receiving module configured to receive the lease renewal request of the client
  • the second extension module is configured to extend the lease period of the host IP address according to the lease renewal request;
  • a seventh sending module is configured to send a lease renewal request to the domain name gateway, wherein the lease renewal request is used by the domain name gateway to extend the validity period of the mDNS IP address allocated to the client.
  • the device further includes:
  • the eighth sending module is configured to send a release request to the domain name gateway when the preset condition is met, wherein the release request is used to release the binding relationship between the host IP address of the client and the mDNS IP address assigned to the client.
  • the meeting of the preset condition includes one of the following:
  • the device further includes:
  • the seventh receiving module is configured to receive the lease renewal request of the client
  • the third allocation module 220 is configured to allocate a new host IP address to the client according to the lease renewal request; and set the lease period of the new host IP address according to the lease renewal request;
  • the ninth sending module is configured to send an update request to the domain name gateway, wherein the update request is used by the domain name gateway to delete the old first binding relationship of the client and to establish a second binding relationship based on the new host IP address.
  • the device further includes:
  • a deployment module configured to deploy one or more domain name gateways for the client according to the configuration request
  • the recording module is configured to record the information of the domain name gateway.
  • the deployment module is configured to deploy one or more domain name gateways for the client according to at least one of the client's user ID, device ID, location information, and selection strategy.
  • the deployment module is configured to determine, according to the number of domain name gateways deployed for the client, the number of mDNS IP addresses dynamically requested from the domain name gateway for the client.
  • FIG. 7 is a flowchart of the mDNS IP address allocation process according to this example.
  • a typical external access configuration function is a Dynamic Host Configuration Protocol (DHCP for short) server; as shown in FIG. 7, the process includes the following steps:
  • Step 301 The client accesses the access gateway, sends a DHCP request to the DHCP server through the access gateway, and requests the network to allocate parameters such as the host IP address and DNS IP address;
  • Step 302 The DHCP server allocates the host IP address to the client, sets the IP address lease, and selects the domain name gateway at the same time, and records the domain name gateway information serving the client;
  • One or more domain name gateways can be deployed in a network.
  • the DHCP server selects one or more domain name gateways (usually two) based on the client's user ID, device ID, location information, and local policies.
  • the purpose of deploying more than one domain name gateway is to enhance the reliability of the service, using one of the domain name gateways as the main entrance and the other as the backup entrance.
  • Step 303 the DHCP server sends an mDNS IP address request to the selected domain name gateway, which carries the host IP address, the lease period of the host IP address, and may carry user identification and other information;
  • if more than one domain name gateway was selected, step 303 is repeated to send mDNS IP address requests to the other domain name gateways.
  • Step 304 The domain name gateway selects an mDNS IP address from the local mDNS IP address pool, establishes a binding relationship (host IP address, mDNS IP address), and sets the validity period of the binding relationship according to the lease period of the host IP address; generally, the validity period is slightly longer than the lease period of the IP address.
  • the domain name gateway can allocate mDNS IP addresses according to the number of mDNS IP addresses indicated in the request; one is assigned by default.
  • the mDNS IP address is randomly selected from the mDNS IP address pool, preferably choosing at random among the unused mDNS IP addresses first; only after all mDNS IP addresses have been occupied is one selected at random from the occupied mDNS IP addresses.
  • one mDNS IP address may be assigned to multiple clients at the same time; because each client has a different (host IP address, mDNS IP address) binding relationship, this does not affect service, and it increases the utilization of mDNS IP addresses, that is, mDNS IP addresses can be reused, which reduces the number of mDNS IP addresses needed in scenarios where the number of IP addresses is limited.
  • Step 305 the domain name gateway returns the selected mDNS IP address to the DHCP server;
  • Step 306 the DHCP server sends a DHCP response to the client through the access gateway, which carries parameters such as the host IP address, the lease period of the host IP address, and mDNS IP address, among which the mDNS IP address is sent to the client as the DNS IP address field parameter;
  • the DHCP server needs to wait for all domain name gateways to return their mDNS IP addresses, aggregate the mDNS IP addresses from the different domain name gateways, and send them to the client as the primary and secondary DNS IP addresses. If a domain name gateway does not respond, or returns an allocation failure, another domain name gateway is selected to continue the request, or only the mDNS IP addresses that were returned successfully are sent to the client.
  • after receiving the parameters, the client uses the domain name gateway corresponding to the mDNS IP address as its DNS server and subsequently requests domain name service from that domain name gateway.
  • the DNS server IP address obtained by each client is not the same, and the DNS address obtained by the same client at different times is also different.
  • Step 307: when the client needs to access a service, it sends a domain name service request (the first domain name service request) to the domain name gateway at the mDNS IP address. The domain name of the service is carried in the request message; in the IP header, the source IP address is the host IP address and the destination IP address is the mDNS IP address. For example, if the user wants to access the example.com service, a domain name service request (the first domain name service request) is sent to the domain name gateway to obtain the IP address of the example.com website.
  • Step 308: after receiving the domain name service request, the domain name gateway looks up its locally stored (host IP address, mDNS IP address) bindings using the host IP address and mDNS IP address carried in the request message. If a binding matches, the request is considered legal and the domain name service request is forwarded to the DNS server; otherwise the request is considered illegal, and the domain name gateway rejects it, applies a restricted DNS function (for example, allowing only the resolution of domain names belonging to services with a lower security level), or directs the request to a honeypot system so that the client's subsequent access can be observed and the possible threat located;
  • The destination IP address is the DNS server IP address; that is, the mDNS IP address used as the destination in step 307 is replaced by the DNS server IP address (the DNS IP address). For the source IP address there are two methods:
  • Method 1: the source IP address remains unchanged, i.e. it is still the client's host IP address. Here the domain name gateway acts as a DNS proxy. This method requires the domain name gateway to be on the path of the messages, so that the service request sent by the client and the service response from the DNS server pass through the same domain name gateway.
  • Method 2: the source IP address is the interface IP address of the domain name gateway. Here the domain name gateway acts as a DNS cache: it sends the domain name service request to the DNS server from its own IP address, sends the response message to the client using the mDNS IP address as the source address, and can cache the resolution result; a later request for the same domain name is answered from the cache, which improves resolution efficiency.
  • The DNS server used is the default DNS server IP address configured on the domain name gateway, or the DNS server IP address stored in the (host IP address, mDNS IP address) binding.
  • Step 309: the DNS server performs the domain name service and returns a DNS service response to the domain name gateway carrying the domain name resolution result, that is, the IP address of the service server;
  • Step 310: the domain name gateway returns a service response to the client carrying the IP address of the service server.
  • The client thus obtains the IP address of the business server and uses it to access the business server.
  • FIG. 8 is a flowchart of the mDNS IP address refresh process according to this example. Still taking the external DHCP server scenario as an example: after the client has obtained a host IP address and its lease is about to expire, the client sends a lease renewal request to the access configuration function to keep the host network parameters valid. As shown in FIG. 8, the process includes the following steps:
  • Step 401: the lease of the host IP address is about to expire, and the client sends a DHCP lease renewal request to the DHCP server through the access gateway, carrying the host IP address in use;
  • Step 402: the DHCP server grants the client's renewal request, extends the lease of the host IP address, and looks up the domain name gateway currently serving the client;
  • Step 403: the DHCP server sends an mDNS IP address refresh request to that domain name gateway, asking it to extend the validity period of the mDNS IP address; the message carries the host IP address, the mDNS IP address and the lease of the host IP address;
  • Step 404: the domain name gateway extends the validity period of the mDNS IP address and of the (host IP address, mDNS IP address) binding according to the lease of the host IP address, for example by updating both validity periods;
  • Step 405: the domain name gateway returns a refresh response;
  • Step 406: the DHCP server returns a DHCP response to the client confirming the renewal.
  • When domain name service is required, the client continues to use the allocated host IP address to send domain name service requests to the domain name gateway designated by the mDNS IP address, as shown in steps 407 to 410, which are similar to steps 307 to 310 in FIG.
  • The domain name gateway thus continues to provide domain name service to the client.
  • FIG. 9 is a flowchart of the mDNS IP address reallocation process according to this example. Still taking the external DHCP server scenario as an example: after the client has obtained a host IP address and its lease is about to expire, the client sends a lease renewal request to the access configuration function; this process can also be used to reconfigure the terminal's host parameters. As shown in FIG. 9, the process includes the following steps:
  • Step 501: the lease of the host IP address is about to expire, and the client sends a DHCP lease renewal request to the DHCP server through the access gateway, carrying the host IP address the client is using;
  • Step 502: the DHCP server extends the IP address lease, or reassigns a host IP address to the client and sets its lease, and selects a domain name gateway for the client again;
  • Step 503: the DHCP server requests an mDNS IP address from the newly selected domain name gateway, which establishes a new (host IP address, mDNS IP address) binding; the process is the same as steps 303 to 305 in FIG. 3;
  • Step 504: the DHCP server sends an mDNS IP address release request to the original domain name gateway; the original domain name gateway releases the corresponding mDNS IP address, deletes the (host IP address, mDNS IP address) binding, and returns an mDNS IP address release response; the DHCP server then deletes its record of the domain name gateway serving the client;
  • Step 505: the DHCP server sends a DHCP response to the client through the access gateway, carrying the newly allocated mDNS IP address.
  • When domain name service is required, the client sends its domain name service request to the new domain name gateway designated by the newly allocated mDNS IP address, as shown in steps 506 to 509.
  • The mDNS IP address can thus be changed while the user is online, which makes the domain name service entry point more dynamic and strengthens the protection of the DNS server.
  • FIG. 10 is a flowchart of the normal release process of the mDNS IP address according to this example. Still taking the external DHCP server scenario as an example: when the client disconnects from the network, it actively releases its host IP address, and the corresponding mDNS IP address is then released. As shown in FIG. 10, the process includes the following steps:
  • Step 601: the client sends a DHCP release request to the DHCP server through the access gateway, carrying the host IP address in use;
  • Step 602: the DHCP server looks up the domain name gateway being used by the client;
  • Step 603: the DHCP server sends an mDNS IP address release request to that domain name gateway, carrying the host IP address and the mDNS IP address;
  • Step 604: the domain name gateway releases the client's use of the mDNS IP address and deletes the (host IP address, mDNS IP address) binding;
  • Step 605: the domain name gateway returns a release response to the DHCP server;
  • Step 606: the DHCP server returns a DHCP release response to the client through the access gateway.
  • The domain name gateway thus releases the mDNS IP address promptly and keeps its domain name service entry policy correct.
  • FIG. 11 is a flowchart of the timeout release process of the mDNS IP address according to this example. Still taking the external DHCP server scenario as an example: when the client leaves the network without sending a DHCP release request, a timeout release mechanism is needed. As shown in FIG. 11, the process includes the following steps:
  • Step 701: the client sends no lease renewal request within the lease period, so the lease timer in the DHCP server expires;
  • Step 702: the DHCP server releases the host IP address on its own initiative;
  • Step 703: the DHCP server sends an mDNS IP address release request to the domain name gateway, carrying the host IP address and the mDNS IP address;
  • Step 704: the domain name gateway releases the client's use of the mDNS IP address and deletes the (host IP address, mDNS IP address) binding;
  • Step 705: the domain name gateway returns a release response to the DHCP server.
  • If the domain name gateway receives neither a refresh request nor a release request from the DHCP server within the validity period of the mDNS IP address, then, to keep mDNS IP addresses correctly in use, the domain name gateway supports a timeout release function of its own, as shown in steps 706 to 707.
  • Step 706: the domain name gateway receives no refresh request within the validity period of the mDNS IP address, so the mDNS IP address validity timer in the domain name gateway expires (that is, the lease lapses);
  • Step 707: the domain name gateway releases the client's use of the mDNS IP address and deletes the (host IP address, mDNS IP address) binding.
  • The domain name gateway thereby keeps its bindings correct.
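The allocation policy (unused mDNS IP addresses first, occupied ones reused once the pool is exhausted), the step 308 binding check, and the refresh, reallocation, release and timeout release flows of FIGs. 8 to 11 can be exercised together in one small model. The following Python is an added example written for this page, not code from the patent or from ZTE: the class names, the gateway and access configuration function interfaces, and every address, lease and timestamp are constructed assumptions, and the DHCP and mobile-network signaling between the functions is reduced to direct method calls.

```python
"""Domain name gateway and access configuration function of the mDNS IP scheme.

Added example for this page, not code from the patent. Models the mDNS IP
address pool, the (host IP, mDNS IP) binding whose validity follows the host
IP lease (steps 303-306), the request check of step 308, and the refresh,
reallocation, release and timeout release of FIGs. 8 to 11. All addresses,
leases and timestamps are constructed; `now` is passed in so the timeout path
can be exercised offline.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Binding:
    expiry: float      # absolute time at which the binding lapses
    dns_server: str    # DNS server used when forwarding this client's requests


class DomainNameGateway:
    def __init__(self, segments, default_dns, rng=None):
        # mDNS IP address pool built from one or more address segments
        self.pool = [str(ip) for seg in segments
                     for ip in ipaddress.ip_network(seg).hosts()]
        self.default_dns = default_dns
        self.rng = rng or random.Random()
        # (host IP, mDNS IP) -> Binding; one mDNS IP may be bound to several hosts
        self.bindings = {}

    def allocate(self, host_ip, lease, now, count=1):
        """Steps 303-305: pick `count` mDNS IPs, unused ones first, falling back
        to occupied ones only when the pool is exhausted, and bind them to host_ip."""
        occupied = {m for (_, m) in self.bindings}
        unused = [ip for ip in self.pool if ip not in occupied]
        chosen = self.rng.sample(unused, min(count, len(unused)))
        if len(chosen) < count:
            spare = [ip for ip in self.pool if ip not in chosen]
            chosen += self.rng.sample(spare, min(count - len(chosen), len(spare)))
        for m in chosen:
            self.bindings[(host_ip, m)] = Binding(now + lease, self.default_dns)
        return chosen

    def check_request(self, src_ip, dst_ip, now):
        """Step 308 / C1: legal only if (source host IP, destination mDNS IP)
        matches a binding that is still within its validity period."""
        b = self.bindings.get((src_ip, dst_ip))
        return b is not None and b.expiry > now

    def refresh(self, host_ip, mdns_ip, lease, now):
        """Step 404: extend the binding's validity to follow the renewed lease."""
        b = self.bindings.get((host_ip, mdns_ip))
        if b is None:
            return False
        b.expiry = now + lease
        return True

    def release(self, host_ip, mdns_ip):
        """Steps 504, 604 and 704: drop the binding on an explicit release."""
        return self.bindings.pop((host_ip, mdns_ip), None) is not None

    def expire(self, now):
        """Steps 706-707: timeout release of bindings whose validity has lapsed."""
        lapsed = [k for k, b in self.bindings.items() if b.expiry <= now]
        for k in lapsed:
            del self.bindings[k]
        return lapsed


class AccessConfigFunction:
    """DHCP-server side: picks gateways, collects their mDNS IPs into the primary
    and secondary DNS fields (step 306) and drives refresh and reallocation."""

    def __init__(self, gateways):
        self.gateways = gateways
        self.serving = {}   # host IP -> list of (gateway, mDNS IP) in use

    def configure(self, host_ip, lease, now, gateways=None):
        """Steps 302-306: one mDNS IP from each of up to two selected gateways; a
        gateway that returns nothing is left out of the DNS fields sent to the client."""
        dns = []
        for gw in (gateways or self.gateways)[:2]:
            got = gw.allocate(host_ip, lease, now)
            if got:
                dns.append(got[0])
                self.serving.setdefault(host_ip, []).append((gw, got[0]))
        return {"host_ip": host_ip, "lease": lease, "dns": dns}

    def renew(self, host_ip, lease, now):
        """Steps 402-405: same gateways, every binding extended."""
        pairs = self.serving.get(host_ip, [])
        return bool(pairs) and all(gw.refresh(host_ip, m, lease, now) for gw, m in pairs)

    def reallocate(self, host_ip, lease, now, new_gateways):
        """Steps 502-505: bind through new gateways, then release the old bindings
        (skipping a pair that happens to have been handed out again)."""
        old = self.serving.pop(host_ip, [])
        cfg = self.configure(host_ip, lease, now, new_gateways)
        kept = set(self.serving.get(host_ip, []))
        for gw, m in old:
            if (gw, m) not in kept:
                gw.release(host_ip, m)
        return cfg

    def release(self, host_ip):
        """Steps 602-605 and 702-705: release every binding of a host that left."""
        for gw, m in self.serving.pop(host_ip, []):
            gw.release(host_ip, m)
```

Because the binding is keyed on the (host IP, mDNS IP) pair, two hosts sharing one reused mDNS IP are still told apart in check_request, which is the property the text relies on when it says reuse does not affect service. The gateway's own expire() is the last line of defence for the case in FIG. 11 where the DHCP server never sends a release.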
  • FIG. 12 is a flowchart of the mDNS IP address allocation process based on a built-in access configuration function according to this example. Access gateways of mobile networks, such as the GGSN and the PGW, have a built-in access configuration function, and the configuration parameters are provided to the client directly.
  • The main difference between this process and FIG. 7 is that host IP address allocation, domain name gateway selection and mDNS IP address allocation are completed during the access procedure, and this information is delivered to the terminal in the access signaling shown in step 806. Taking a 4G network as an example, the access gateway is the PGW and the access configuration function is built into the PGW. The process includes the following steps:
  • Step 801: the client accesses the mobile network and sends an attach request to the access gateway (PGW);
  • Step 802: the built-in access configuration function of the access gateway allocates a host IP address to the client from its local IP address pool, selects a domain name gateway, and records which domain name gateway serves the client; the validity of the host IP address is tied directly to the client's state in the mobile network;
  • Steps 803 to 805: the access gateway requests an mDNS IP address from the selected domain name gateway; the process is the same as steps 303 to 305 in FIG. 3;
  • Step 806: the access gateway sends an attach response to the client carrying parameters such as the host IP address and the mDNS IP address, the mDNS IP address being sent in the DNS IP address field;
  • After receiving the parameters, the client uses the domain name gateway corresponding to the mDNS IP address as its DNS server and subsequently requests domain name service from it.
  • Steps 807 to 810: when the client needs to access a service, the steps are the same as steps 307 to 310 of FIG.
  • The client obtains the IP address of the business server and uses it to access the business server, which belongs to the prior art and is not repeated here.
  • The access parameter configuration is thus completed during the access procedure, and the host configuration parameters are carried in access signaling.
  • Maintenance of the mDNS IP address is similar to the external access configuration function scenario and mainly includes the following operations:
  • Refresh of the mDNS IP address: the client performs a location update within the validity period of its online status; the access gateway extends the client's online status and notifies the domain name gateway to extend the validity period of the mDNS IP address. The process is the same as steps 402 to 405 in FIG. 8.
  • Reallocation of the mDNS IP address: the client performs a location update within the validity period of its online status; the access gateway updates the host IP address or extends the client's online status, selects a new domain name gateway, requests an mDNS IP address from it, and notifies the original domain name gateway to release its mDNS IP address. The process is the same as steps 502 to 504 in FIG. 9.
  • Normal release of the mDNS IP address: the client goes offline on its own initiative and sends a detach request to the access gateway; the access gateway notifies the domain name gateway to release the mDNS IP address and deletes the user's access data. The process is the same as steps 602 to 605 in FIG.
  • Timeout release of the mDNS IP address: when the location update validity period expires, the access gateway detects that the user is offline, notifies the domain name gateway to release the mDNS IP address, and deletes the user's access data; or, when the validity period of the mDNS IP address expires, the domain name gateway releases the mDNS IP address itself. The process is the same as that shown in FIG.
  • This example proposes a defense system and method applied to the DNS server. The DNS server IP address is transformed, which implements active defense of the DNS server, increases the difficulty for attackers, reduces the probability of a successful attack, and so improves the security of the whole network.
  • DNG (Domain Name Gateway): the domain name gateway is configured with a pool of mobile DNS server IP addresses (Moving DNS Server IP addresses, referred to as mDNS IP addresses).
  • The access configuration function requests an mDNS IP address from the domain name gateway; the domain name gateway selects one from the mDNS IP address pool and returns it to the access configuration function, which assigns it to the client as the DNS IP address;
  • the client uses the allocated mDNS IP address to send its domain name service request to the domain name gateway, which forwards the request to the DNS server and returns the DNS server's result to the client;
  • the client accesses the business server according to the domain name resolution result.
  • A1: one or more domain name gateways are configured in the network, each with a different mDNS IP address pool; an mDNS IP address pool consists of one or more IP address segments;
  • B0: the host parameter configuration process uses the DHCP protocol or access signaling;
  • the access configuration function selects one or more domain name gateways;
  • B2: the domain name gateway randomly assigns one or more mDNS IP addresses as the primary DNS IP address, or as the primary and secondary DNS IP addresses, preferring unoccupied mDNS IP addresses;
  • B3: the mDNS IP address request carries the IP address assigned to the host and the lease of that IP address;
  • B4: the domain name gateway selects the mDNS IP address and establishes the binding between the host IP address and the mDNS IP address;
  • B5: the domain name gateway sets the validity period of the binding according to the IP address lease. If, within the validity period, it receives a refresh request from the access configuration function, it extends the validity period; if, within the validity period, it receives a release request from the host configuration function, or if the validity period is exceeded, it deletes the binding;
  • B6: the service result returned by the domain name gateway to the client carries one or more mDNS IP addresses, which may come from one or more domain name gateways;
  • C1: after receiving a domain name service request from the client, the domain name gateway checks the request message against the binding between host IP address and mDNS IP address; if it matches the binding, the domain name gateway forwards the domain name service request to the DNS server, otherwise it rejects the business request, applies restricted DNS functions, or directs the domain name business request to the honeypot system;
  • the destination address of the forwarded query is the default DNS server IP address, or the DNS server IP address selected when the mDNS IP address was assigned;
  • C3: the domain name gateway either acts as a DNS proxy, sending the business request to the DNS server with the client's host IP address as source, or acts as a DNS cache, sending it with the domain name gateway's own IP address as source;
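The two forwarding methods (Method 1, DNS proxy, and Method 2, DNS cache, described under step 308 above and summarized in item C3) differ only in the source address the second domain name service request carries and in whether the gateway may answer from its cache; in both cases the reply to the client is sourced from the mDNS IP address the client addressed, so the real DNS server IP address never appears in anything the client receives. The following Python is an added example for this page, not code from the patent: the Msg record, the ForwardingGateway class, the constructed resolution table and all addresses are assumptions, and the binding check of step 308 is assumed to have passed before handle() is called.

```python
"""Forwarding a legal domain name service request from the domain name gateway
to the DNS server and back (steps 307-310, Methods 1 and 2, item C3).

Added example, not code from the patent. Messages are small records standing in
for the IP header plus DNS payload; the DNS server is a constructed lookup table.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample addresses and resolution table (not from the page)
DNS_SERVER_IP = "192.0.2.53"        # real DNS server, never handed to clients
GATEWAY_IFACE_IP = "192.0.2.10"     # domain name gateway's own interface address
DNS_TABLE = {"example.com": "198.51.100.80"}


@dataclass
class Msg:
    src: str                    # IP header source address
    dst: str                    # IP header destination address
    qname: str                  # domain name being resolved
    answer: Optional[str] = None  # resolution result, None on a request or NXDOMAIN


def dns_server(req: Msg) -> Msg:
    """Step 309: the DNS server answers whatever source address asked it."""
    return Msg(src=req.dst, dst=req.src, qname=req.qname,
               answer=DNS_TABLE.get(req.qname))


class ForwardingGateway:
    def __init__(self, mode: str, dns_server_ip: str = DNS_SERVER_IP):
        assert mode in ("proxy", "cache"), "Method 1 = proxy, Method 2 = cache"
        self.mode = mode
        self.dns_server_ip = dns_server_ip
        self.cache = {}          # qname -> (answer, expiry); Method 2 only
        self.upstream_log = []   # second requests actually sent, for inspection

    def second_request(self, first: Msg) -> Msg:
        """Build the second domain name service request: the destination mDNS IP
        is replaced by the DNS server IP; the source stays the client's host IP
        (Method 1) or becomes the gateway's interface IP (Method 2)."""
        src = first.src if self.mode == "proxy" else GATEWAY_IFACE_IP
        return Msg(src=src, dst=self.dns_server_ip, qname=first.qname)

    def handle(self, first: Msg, now: float, ttl: float = 60.0) -> Msg:
        """Steps 307-310 end to end. Returns the second response sent to the
        client, sourced from the mDNS IP the client used (first.dst)."""
        if self.mode == "cache":
            hit = self.cache.get(first.qname)
            if hit is not None and hit[1] > now:      # cached and not yet expired
                return Msg(src=first.dst, dst=first.src, qname=first.qname, answer=hit[0])
        second = self.second_request(first)
        self.upstream_log.append(second)
        first_resp = dns_server(second)
        if self.mode == "cache" and first_resp.answer is not None:
            self.cache[first.qname] = (first_resp.answer, now + ttl)
        return Msg(src=first.dst, dst=first.src, qname=first.qname,
                   answer=first_resp.answer)
```

In proxy mode the DNS server's reply is addressed to the client's host IP, which is why the text requires the gateway to sit on the path in both directions; in cache mode the reply comes back to the gateway's own interface, so path symmetry is not needed and repeated queries within the TTL never reach the DNS server at all.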
  • This example provides a system for defending a DNS server, including a client, an access gateway, an access configuration function, a domain name gateway, a DNS server and a business server.
  • Client: establishes a connection with the access gateway, receives the host IP address and mDNS IP address assigned by the access configuration function, and uses the mDNS IP address as the DNS server IP address to initiate domain name service requests and access business applications.
  • Access gateway: during client access, obtains the client configuration parameters from the access configuration function and provides them to the client, and implements the client's Internet access so that the client can reach the DNS server and the business server.
  • Access configuration function: according to the client's access information, assigns the host IP address to the client, selects the domain name gateway, requests an mDNS IP address from it, configures the assigned host IP address and the obtained mDNS IP address on the client, and maintains the validity of the host configuration.
  • Domain name gateway: maintains the mDNS IP address pool; selects an mDNS IP address from the pool for a client at the request of the host configuration function, establishes the binding between client IP address and mDNS IP address, and maintains the validity of the mDNS IP address and of the binding; when the client initiates a domain name request, checks its validity and, if it is a normal request, sends the business request to the DNS server and returns the result to the client, otherwise rejects the domain name business request or directs it to the honeypot system.
  • The mDNS IP address pool configured for each domain name gateway consists of one or more IP address segments. Multiple IP address segments are recommended, as they make the selected mDNS IP addresses more variable and confuse attackers.
  • DNS server: resolves the requested service domain name to the corresponding IP address and returns it.
  • Business server: provides services to clients; the correspondence between its IP address and domain name is stored in the DNS server.
  • An embodiment of the present disclosure provides a communication device, including:
  • a transceiver, which may correspond to various communication interfaces, for example a network interface (network card) and/or a transceiver antenna;
  • a memory, which may include a storage medium and can be used to store various data;
  • a processor, connected to the transceiver and the memory respectively, configured to control the transmission and reception of information by the transceiver by executing computer-executable instructions stored in the memory, and to implement the DNS server security defense method provided by any of the foregoing technical solutions, for example the method shown in any of FIG. 2 to FIG. 5 and FIG. 8 to FIG. 12.
  • The processor may include a central processing unit, a microprocessor, a digital signal processor, a programmable array, an application-specific integrated circuit, and the like.
  • The processor may be connected to the transceiver and the memory through a communication bus such as an integrated circuit bus.
  • The communication device may be a device in which an access configuration function such as the aforementioned domain name gateway or access gateway is located.
  • If the communication device is the aforementioned domain name gateway, it can execute one or more of the technical solutions of the DNS server defense method that are performed in the domain name gateway; if it is the access gateway, it can execute one or more of the technical solutions performed in the access gateway, for example the method shown in any one of FIG. 2 to FIG. 5 and FIG. 8 to FIG. 12.
  • An embodiment of the present disclosure provides a computer storage medium storing computer-executable instructions; after the computer-executable instructions are executed, the DNS server security defense method provided by any of the foregoing technical solutions can be implemented, for example in a device with an access configuration function such as a domain name gateway or an access gateway.
  • The storage medium includes a removable storage device, a read-only memory (ROM, Read-Only Memory), a random access memory (RAM, Random Access Memory), a magnetic disk, an optical disk, and other media that can store program code.
  • The computer storage medium may be a non-transitory storage medium.
  • The disclosed device and method may be implemented in other ways. The device embodiments described above are only schematic: the division into units is only a division of logical functions, and there may be other divisions in practice; for example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not implemented.
  • The coupling, direct coupling or communication connection between the components shown or discussed may be through some interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or of another form.
  • Units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; that is, they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • The functional units in the embodiments of the present disclosure may all be integrated into one processing module, or each unit may serve as a separate unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.

Abstract

Disclosed are a safety defense method and apparatus for a DNS server, a communication device and a storage medium. The method comprises: dynamically allocating a mobile domain name system (mDNS) Internet Protocol (IP) address to a client according to the client's mDNS IP address request; receiving a first domain name service request initiated by the client, the destination address of which is the mDNS IP address; on the basis of the first domain name service request, sending a second domain name service request to the corresponding DNS server, the mDNS IP address being replaced by that DNS server's address; and providing the client with a second domain name service response based on the first domain name service response that the DNS server returns for the second domain name service request.

Description

DNS server security defense method and device, communication equipment and storage medium
Technical field
The present disclosure relates to the field of network technology, and in particular to a security defense method and device for a Domain Name System (DNS) server, a communication device and a storage medium.
Background
A DNS server is a server that provides domain name service. The requesting end sends a resolution request carrying a domain name; after receiving the resolution request, the DNS server returns to the requesting end the Internet Protocol (IP) address of the business server corresponding to that domain name, and the requesting end uses the received IP address to access the business server and obtain the services it provides. On the one hand, an IP address is, to an ordinary user, a dry and technical string; on the other hand, a user needs to access many business servers, so remembering the IP address of each of them is almost impossible, which makes the provision of domain name resolution service very important. In the prior art it has been found that the DNS server providing domain name resolution is very vulnerable to hacker attacks, which leads to security problems for the DNS server and, through leakage of the DNS server's information, may also compromise the security of the business servers.
Summary of the invention
In view of this, the embodiments of the present disclosure aim to provide a DNS server security defense method and device, a communication device and a storage medium.
The technical solution of the present disclosure is implemented as follows:
In a first aspect, an embodiment of the present disclosure provides a DNS server security defense method, including:
dynamically allocating a mobile domain name system (moving Domain Name System, mDNS for short) Internet Protocol (IP) address to a client according to the client's mDNS IP address request;
receiving a first domain name service request initiated by the client, where the destination address of the first domain name service request is the mDNS IP address;
based on the first domain name service request, sending a second domain name service request to the corresponding DNS server, the mDNS IP address being replaced by that DNS server's address;
providing the client with a second domain name service response based on the first domain name service response that the DNS server provides for the second domain name service request.
In a second aspect, an embodiment of the present disclosure provides a DNS server security defense method, including:
receiving a configuration request from a client;
based on the configuration request, allocating a host Internet Protocol (IP) address to the client;
sending a mobile domain name system (mDNS) IP address request to a domain name gateway based on the host IP address;
receiving the mDNS IP address returned by the domain name gateway in response to the mDNS IP address request;
sending the client a configuration response carrying the host IP address and the mDNS IP address.
In a third aspect, an embodiment of the present disclosure provides a DNS server security defense device, including: a first allocation module, configured to dynamically allocate a first mDNS IP address to a client according to the client's mDNS IP address request;
a first receiving module, configured to receive a first domain name service request initiated by the client, where the destination address of the first domain name service request is the mDNS IP address;
a first sending module, configured to send, based on the first domain name service request, a second domain name service request to the corresponding DNS server, the mDNS IP address being replaced by that DNS server's address;
a providing module, configured to provide the client with a second domain name service response based on the first domain name service response that the DNS server provides for the second domain name service request.
In a fourth aspect, an embodiment of the present disclosure provides a DNS server security defense device, including:
a fourth receiving module, configured to receive a configuration request from a client;
a third allocation module, configured to allocate a host IP address to the client based on the configuration request;
a second sending module, configured to send a mobile domain name system (mDNS) IP address request to a domain name gateway based on the host IP address;
a fifth receiving module, configured to receive the mDNS IP address returned by the domain name gateway in response to the mDNS IP address request;
a third sending module, configured to send the client a configuration response carrying the host IP address and the mDNS IP address.
In a fifth aspect, an embodiment of the present disclosure provides a communication device, including:
a transceiver;
a memory;
a processor, connected to the transceiver and the memory respectively, configured to control the transmission and reception of information by the transceiver by executing computer-executable instructions stored in the memory, and to implement the DNS server security defense method provided in the first aspect and/or the second aspect.
In a sixth aspect, an embodiment of the present disclosure provides a computer storage medium storing computer-executable instructions; after the computer-executable instructions are executed, the DNS server security defense method provided in the first aspect and/or the second aspect can be implemented.
In the DNS server security defense method and apparatus, communication device, and storage medium provided by the embodiments of the present disclosure, when the domain name gateway configures the DNS server to be used by a client, it hides the real IP address of the DNS server and instead assigns the client an mDNS IP address from which the DNS server cannot be located directly. The client can send a domain name service request to the mDNS IP address, and the domain name gateway sends a second domain name service request to the corresponding DNS server based on that first domain name service request. In this way, the client still obtains normal DNS service while the real IP address of the DNS server stays hidden, which secures the DNS server; moreover, verification based on the binding relationship ensures the legitimacy of domain name service requests, thereby achieving security defense for the DNS service.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a schematic architecture diagram of a network system provided by an embodiment of the present disclosure;
FIG. 2 is a schematic flowchart of a first DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 3 is a schematic flowchart of a second DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 4 is a schematic flowchart of a third DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 5 is a schematic structural diagram of a first DNS server security defense apparatus provided by an embodiment of the present disclosure;
FIG. 6 is a schematic structural diagram of a second DNS server security defense apparatus provided by an embodiment of the present disclosure;
FIG. 7 is a schematic flowchart of a fourth DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 8 is a schematic flowchart of a fifth DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 9 is a schematic flowchart of a sixth DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 10 is a schematic flowchart of a seventh DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 11 is a schematic flowchart of an eighth DNS server security defense method provided by an embodiment of the present disclosure;
FIG. 12 is a schematic flowchart of a ninth DNS server security defense method provided by an embodiment of the present disclosure.
DETAILED DESCRIPTION
The technical solution of the present disclosure is further elaborated below with reference to the accompanying drawings and optional embodiments.
As shown in FIG. 1, this embodiment provides a network system used for the DNS server defense method, including:
A domain name gateway (DNG) is added on the routing path from the access gateway to the DNS server. One or more domain name gateways may be deployed in a network; each is configured with an mDNS IP address pool, and these pools do not overlap one another. The access configuration function is also enhanced so that it can obtain an mDNS IP address from the domain name gateway, configure it to the client as the DNS server IP address, and maintain that information. Other network functions, including the client, the access gateway, the DNS server and the service servers, are unaffected, so the present disclosure is well compatible with existing technology and easy to deploy.
Client: establishes a connection with the access gateway and receives the parameters assigned by the access configuration function, such as the host IP address and the mDNS IP address, where the mDNS IP address serves as the virtual IP address of the DNS server; accesses the Internet through the access gateway, initiates domain name service requests, and accesses service applications.
Access gateway: during client access, obtains the client configuration parameters from the access configuration function and provides them to the client, and implements the client's Internet access so that the client can reach the DNS server and the service servers through the domain name gateway.
Access configuration function: according to the client's access information, allocates a host IP address to the client, selects a domain name gateway, requests an mDNS IP address from that domain name gateway, configures the allocated host IP address and the obtained mDNS IP address to the client, and maintains the validity of the host configuration.
Domain name gateway: maintains the mDNS IP address pool; upon a request from the host configuration function, selects an mDNS IP address from the pool for the client and, in some embodiments, also establishes a binding relationship between the client IP address and the mDNS IP address, maintaining the validity of the mDNS IP address and of the binding relationship; when the client initiates a domain name request, checks the legitimacy of the request: if it is a normal request, sends a service request to the DNS server and returns the result to the client; otherwise rejects the domain name service request, applies a restricted DNS function, or diverts the domain name request to a honeypot system.
DNS server: resolves the requested service domain name to the corresponding IP address and returns it.
Service server: provides services to clients; the correspondence between its IP address and its domain name is stored on the DNS server.
As shown in FIG. 2, this embodiment provides a DNS server security defense method, including:
Step S110: dynamically allocate an mDNS IP address to the client according to the client's mDNS IP address request; the allocated mDNS IP address may be a first mDNS IP address. For example, step S110 may include: dynamically allocating an mDNS IP address to the client according to the client's mDNS IP address request initiated by the access configuration function; the allocated mDNS IP address may be the first mDNS IP address.
Step S120: receive a first domain name service request initiated by the client, where the destination address of the first domain name service request is the mDNS IP address;
Step S130: based on the first domain name service request, send a second domain name service request to the DNS server corresponding to the mDNS IP address, the mDNS IP address being replaced with that DNS server's address;
Step S140: provide a second domain name service response to the client based on the first domain name service response that the DNS server returns for the second domain name service request.
The DNS server security defense method provided in this embodiment may be applied in a domain name gateway. The domain name gateway may correspond to a physical gateway; for example, the physical gateway may be the access gateway through which the client joins the network, and a typical access gateway may include a Packet Data Network Gateway (PGW) or the like. Of course, in some embodiments the domain name gateway may also be a gateway established specifically to maintain the security of the DNS server; such a gateway may be connected to the access gateway directly or indirectly, so that the client (an application program, software development tool, component, plug-in or the like installed and/or running on a terminal) can reach the domain name gateway through the access gateway. For example, while joining the network, such as while establishing a connection with the access gateway, the client may request through the access gateway that a DNS server IP address be assigned; the access gateway can then allocate an mDNS IP address to the client by exchanging information with the domain name gateway. In this embodiment, the mDNS IP address may be a virtual IP address of the DNS server, different from the real IP address of the DNS server (also referred to in the embodiments of the present disclosure as the DNS IP address). As a result, the real IP address of the DNS server is disclosed neither to the network at large nor to the client, which strengthens the protection of the DNS server's real IP address and reduces attacks in which hackers target a DNS server IP address published on the public network. This reduces the security problems of the DNS server itself and, at the same time, the security problems of the service servers whose IP addresses and other information are stored on the DNS server, thereby improving the security of both the DNS server and the service servers.
In some embodiments, the mDNS IP addresses may be a subset of the IP addresses within the network's current address range; when one of these mDNS IP addresses is used as a destination address, a packet carrying that destination address (for example, the first domain name service request) is guaranteed to be routed to the domain name gateway that allocated the mDNS IP address. In the embodiments of the present disclosure, the mDNS IP address allocated to the client is allocated dynamically rather than pre-allocated. Compared with static allocation, this avoids the security problem in which the long-term constancy of a statically allocated mDNS IP address lets an illegitimate client steal a legitimate client's mDNS IP address and impersonate that client in accessing the corresponding DNS server. In some embodiments, dynamic allocation may include: randomly selecting from all the mDNS IP addresses and allocating to the client; or randomly selecting from a subset of the mDNS IP addresses and allocating to the client. This is only one way of characterizing dynamic allocation; in implementation, dynamic allocation may include not only random selection but also selection according to a given allocation rule. "Dynamic" here emphasizes that each allocation is decided at the time rather than fixed in advance, so the mDNS IP address allocated may differ from one allocation to the next.
In this embodiment, the mDNS IP address allocated to the client is returned to the client, for example as one of the configuration parameters together with the first host IP address. Later, when the client needs domain name service, it builds a domain name service request whose source address is the first host IP address and whose destination address is the mDNS IP address; this request is called the first domain name service request in the embodiments of the present disclosure. Because the first domain name service request cannot actually be routed to the DNS server the client wants to reach, it is forwarded to the domain name gateway. After receiving the first domain name service request, the domain name gateway constructs a second domain name service request, for example according to a pre-established binding relationship or a DNS server dynamically assigned to the client. The destination address of the second domain name service request is replaced, for example the mDNS IP address is replaced with the real IP address of the DNS server, before the second domain name service request is forwarded outward; only then can the second domain name service request be routed correctly to the DNS server.
In some embodiments, step S110 may include: dynamically allocating a first mDNS IP address to the client according to the client's mobile domain name system (mDNS) IP address request;
As shown in FIG. 3, the method further includes:
Step S111: establish a binding relationship between the client's first host IP address and the first mDNS IP address;
Step S121: query the binding relationship according to the second mDNS IP address of the DNS server corresponding to the client and the second host IP address carried in the first domain name service request;
Step S130 may include step S131, and step S131 may include: if the second mDNS IP address and the second host IP address are contained in the binding relationship, sending the second domain name service request to the DNS server corresponding to the second mDNS IP address.
Before generating the second domain name service request, it is of course necessary to verify whether a binding relationship between the second host IP address and the second mDNS IP address carried in the first domain name service request has already been established in the domain name gateway. If such a binding relationship exists, the client's first domain name service request is legitimate and the current request is safe, and only then is the second domain name service request constructed; otherwise the domain name service initiated by the first domain name service request can be rejected outright, which further improves the security of the DNS server and of the DNS service it provides.
When the second mDNS IP address and the second host IP address are contained in the binding relationship, the DNS server sends the second domain name service request to the corresponding DNS; the second domain name service request carries the same domain name to be resolved as the first domain name service request. After receiving the second domain name service request, the corresponding DNS server queries, locally or remotely, the IP address of the service server corresponding to the domain name to be resolved (which may be the domain name of a service server), thereby obtaining the domain name resolution result. The service server's IP address is carried in the domain name service response and returned to the client or to the client's access gateway, so that the client can access the service server by the obtained IP address and thus obtain service from it. The service server here may include: a social networking server, an online shopping server, a forum server, a web server, a video server, an audio server, an advertising server, a content server, a trading server for stocks, funds and the like, an education system server, a medical system server, or any other server providing a specific application service. These are only examples; in implementation the service server is not limited to any of the above.
In this way, the client is guaranteed to obtain domain name service, while the security problems that would be caused by exposing the DNS server's real IP address in the network are avoided.
In some embodiments, to improve security, the DNS server also receives the client's encryption information from the client's access gateway. This encryption information may include a key, an encryption algorithm and the like, so that the access gateway and the domain name gateway use it to transmit the first host IP address and the first mDNS IP address in encrypted form.
In some embodiments, step S131 may include: replacing the second mDNS IP address in the first domain name service request with the DNS IP address of the DNS server to form the second domain name service request; and sending the second domain name service request to the DNS server.
The DNS IP address here may be the real, valid IP address of the DNS server, and it is stored in the domain name gateway.
In some embodiments, if the domain name gateway is located on the routing path between the client and the DNS server, the source addresses of both the second domain name service request and the first domain name service request are the client's host IP address.
If the domain name gateway is located on the routing path between the client and the DNS server, then the information sent by the client to the DNS server and the information sent by the DNS server to the client all pass through the DNS server; thus the DNS server can intercept the first domain name service request, intercept the domain name service response that the DNS server returns for the second domain name service request, and forward it to the corresponding client based on the first DNS server request sent by the client. For example, the method further includes: forming a request record according to the first domain name service request and the second domain name service request. The request record contains at least the domain name to be resolved and the client's host IP address; it may further include the domain name to be resolved, the client's host IP address, and the DNS IP address of the DNS server to which the second domain name service request was sent. In this way, the client to which the current first domain name response should be forwarded is determined at least from the domain name to be resolved, or the host IP address of the client is determined from the domain name to be resolved, the client's host IP address and the DNS server's DNS IP address, and the response is forwarded to that client.
In some embodiments, step S131 may include:
replacing the first host IP address in the first domain name service request with the gateway IP address of the domain name gateway, forming the second domain name service request, which then includes both the gateway IP address and the DNS IP address.
The domain name gateway is not necessarily located on the routing path of messages between the client and the DNS server. To ensure that both the first domain name service request and the first domain name service response pass through the domain name gateway, the destination address in the first domain name service request is replaced with the DNS IP address of the DNS server, and the source address in the first domain name service request is replaced with the gateway IP address of the domain name gateway. The destination address of the first domain name service response will then be the gateway IP address of the domain name gateway; after receiving that first domain name service response, the domain name gateway forwards the service server IP address it carries to the corresponding client, for example based on the request record.
In some embodiments, step S140 may include:
replacing the DNS IP address of the DNS server in the first domain name service response with the first mDNS IP address allocated to the client.
In some implementations, the source address of the first domain name service response may be the DNS IP address of the DNS server. To avoid exposing it, the domain name gateway removes this DNS IP address, for example by replacing it with the first mDNS IP address allocated to the client; in other embodiments the DNS IP address may simply be removed without replacement. Of course, during replacement it may also be replaced directly with the gateway IP address of the domain name gateway or with some other virtual IP address having no particular meaning. If the DNS IP address is replaced with the first mDNS IP address, the client can conveniently confirm from the source address that the received packet is the domain name service response corresponding to its domain name service request. In this way, the source address of the second domain name service response differs from the source address of the first domain name service response.
In other embodiments, if the first domain name service response carries no source address, the second domain name service response may be identical to the first domain name service response, so that the DNS server can send the first domain name service response to the client directly as the second domain name service response. In short, in this embodiment, after receiving the first domain name service response, the DNS server may, by operations such as replacing the DNS IP address, removing the DNS IP address, or checking whether a source address is present, send the domain name resolution result provided in the first domain name service response to the client as the second domain name service response. The domain name resolution result may include the IP address corresponding to the domain name whose resolution was requested.
In other embodiments, in order to increase the domain name resolution rate on the one hand and to reduce the load on the DNS server on the other, the method further includes: constructing a second domain name service request carrying preset indication information, which instructs that the DNS IP address be hidden in the domain name service response. The first domain name service response may then carry no source address (for example, the source address in the response packet is empty), or carry an incorrect source address, and so on. The DNS server then need not replace the source address and can forward the first domain name service request directly as the second domain name service request, or forward it after replacing its destination address with the client's host IP address.
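The following is an added worked example, not code from the patent or its applicant, that models in memory the gateway behaviour of steps S110 through S140 together with the binding check of S111/S121/S131 and the response rewriting of S140. The class and function names (DomainNameGateway, DnsMessage, fake_dns_server, run_demo), the message fields, and every address and domain name are constructed assumptions for illustration; real DNS messages would also carry a transaction ID, which this model omits.

```python
"""Added example: in-memory model of the domain name gateway (constructed, not the patent's code)."""
import random
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class DnsMessage:
    """Simplified message: only the fields the gateway inspects or rewrites."""
    src: str                      # source IP address
    dst: str                      # destination IP address
    qname: str                    # domain name to be resolved
    answer: Optional[str] = None  # resolved IP address (responses only)


class DomainNameGateway:
    def __init__(self, pool, dns_ip, gateway_ip, on_path=True, seed=None):
        self.pool = list(pool)            # this gateway's mDNS IP address pool
        self.dns_ip = dns_ip              # real DNS IP address, known only here
        self.gateway_ip = gateway_ip      # used as source when not on the routing path
        self.on_path = on_path
        self.rng = random.Random(seed)
        self.bindings: Set[Tuple[str, str]] = set()          # (host IP, mDNS IP)
        self.records: Dict[Tuple[str, str], Tuple[str, str]] = {}  # request records

    def allocate(self, host_ip: str) -> str:
        """S110 + S111: dynamically pick an mDNS IP and bind it to the host IP."""
        mdns_ip = self.rng.choice(self.pool)
        self.bindings.add((host_ip, mdns_ip))
        return mdns_ip

    def is_legitimate(self, req: DnsMessage) -> bool:
        """S121: the (host IP, mDNS IP) pair must be a known binding."""
        return (req.src, req.dst) in self.bindings

    def handle_request(self, req: DnsMessage) -> Optional[DnsMessage]:
        """S120 + S131: validate, then rewrite the first request into the second."""
        if not self.is_legitimate(req):
            return None  # reject (the text also allows restricted DNS or a honeypot)
        # destination becomes the real DNS IP; source stays the host IP when the
        # gateway is on the path, otherwise it becomes the gateway IP
        src = req.src if self.on_path else self.gateway_ip
        second = DnsMessage(src=src, dst=self.dns_ip, qname=req.qname)
        # request record: qname + the address the response will be sent to
        self.records[(req.qname, src)] = (req.src, req.dst)
        return second

    def handle_response(self, resp: DnsMessage) -> Optional[DnsMessage]:
        """S140: accept only replies from the real DNS IP that match a record,
        then hide the DNS IP by restoring the client's mDNS IP as the source."""
        key = (resp.qname, resp.dst)
        if resp.src != self.dns_ip or key not in self.records:
            return None
        host_ip, mdns_ip = self.records.pop(key)
        return DnsMessage(src=mdns_ip, dst=host_ip, qname=resp.qname, answer=resp.answer)


def fake_dns_server(req: DnsMessage, zone: Dict[str, str]) -> DnsMessage:
    """Stand-in for the real DNS server: answers from a constructed zone table."""
    return DnsMessage(src=req.dst, dst=req.src, qname=req.qname, answer=zone.get(req.qname))


def run_demo():
    """One legitimate exchange plus one request from an unbound host (constructed data)."""
    gw = DomainNameGateway(pool=["10.9.0.1", "10.9.0.2", "10.9.0.3"],
                           dns_ip="192.0.2.53", gateway_ip="192.0.2.1", seed=7)
    zone = {"shop.example": "203.0.113.10"}
    mdns_ip = gw.allocate("10.0.0.25")
    first = DnsMessage(src="10.0.0.25", dst=mdns_ip, qname="shop.example")
    second = gw.handle_request(first)
    first_resp = fake_dns_server(second, zone)
    second_resp = gw.handle_response(first_resp)
    # a host that never obtained a binding for this mDNS IP is rejected
    unbound = DnsMessage(src="10.0.0.99", dst=mdns_ip, qname="shop.example")
    return second, second_resp, gw.handle_request(unbound)


if __name__ == "__main__":
    print(run_demo())
```

The client never sees 192.0.2.53: the second request carries it as destination, and the rewritten response carries the client's own mDNS IP as source, which is what lets the client match the reply to its request. Keying the request record on (qname, address) is enough for this model but not for production, where the DNS transaction ID should be part of the key.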
In some embodiments, step S110 may include:
according to the client's mDNS IP address request, dynamically selecting the mDNS IP address from an mDNS IP address pool, for example using the dynamically selected mDNS IP address as the first mDNS IP address.
In this embodiment, the domain name gateway is provided with an mDNS IP address pool holding multiple mDNS IP addresses, which can be allocated to different clients or to clients in different time periods.
In this embodiment, the dynamically selected mDNS IP address comes from the domain name gateway's own mDNS IP address pool. Different domain name gateways have different mDNS IP address pools; thus, when the access gateway receives a first domain name service request carrying an mDNS IP address, it can readily determine from that mDNS IP address which domain name gateway should receive the first domain name service request.
For example, the mDNS IP addresses may form an mDNS IP address segment in which the addresses are contiguous; the access gateway can identify the segment by its start and end addresses, so that once it receives a first domain name service request it can determine, from the mDNS IP address segment to which the carried mDNS IP address belongs, the domain name gateway that should receive the request.
In some embodiments, step S110 may include one of the following:
according to the client's mDNS IP address request, randomly selecting from the mDNS IP address pool the mDNS IP address to allocate to the client; since different clients may have different host IP addresses, an mDNS IP address in the pool can be allocated to different clients while still forming a unique binding relationship with each; hence in this embodiment the domain name gateway may select randomly from the pool;
according to the client's mDNS IP address request, randomly selecting a currently idle mDNS IP address from the pool; in some implementations the domain name gateway also records the usage state of each mDNS IP address and preferentially allocates an unused (i.e., idle) mDNS IP address to the client;
according to the client's mDNS IP address request, if the mDNS IP address pool has no idle mDNS IP address, randomly selecting the mDNS IP address to allocate to the client from the already-used mDNS IP addresses. Even when idle mDNS IP addresses are preferred, the first mDNS IP address may thus be selected from the already-used mDNS IP addresses.
In other implementations, if no idle mDNS IP address remains in the pool, i.e., every mDNS IP address in the pool is occupied, the mDNS IP address with the fewest established binding relationships is preferably allocated to the client. For example, mDNS IP address A has participated in a first number of binding relationships and mDNS IP address B in a second number; if the first number is smaller than the second, mDNS IP address A is preferred for the binding relationship with the host IP address of the current client. When domain name service is provided, this avoids the large access delays that would result from many clients concentrating parallel access on the same binding relationship.
例如,在一些实施例中,DNS服务器在进行所述合法性验证时,可以先以所述第一域名服务请求中携带的第二mDNS IP地址为检索依据查询所述绑定关系,然后查询到一个有与所述第二mDNS IP地址的一个第一mDNS IP地址时,再从该第一mDNS IP地址对应的一个或多个绑定关系中提取出与其对应的第一主机IP地址,与第二主机IP地址进行匹配,一方面可以减少不必要的匹配,另一方面可以加速验证效率。For example, in some embodiments, when the DNS server performs the legality verification, it may first query the binding relationship based on the second mDNS IP address carried in the first domain name service request, and then query When there is a first mDNS IP address corresponding to the second mDNS IP address, the first host IP address corresponding to the first mDNS IP address is extracted from one or more binding relationships corresponding to the first mDNS IP address. Matching the IP addresses of the two hosts can reduce unnecessary matching on the one hand and accelerate the verification efficiency on the other.
In some embodiments, step S110 may include: according to the client's mDNS IP address request, selecting a plurality of mDNS IP addresses from the mDNS IP address pool and allocating them to the client.
In this embodiment, if an attacker uses one of these mDNS IP addresses as the DNS IP address of the DNS server to mount an attack, the firewall of the domain name server may, after the attack, block that particular mDNS IP address. Because several mDNS IP addresses were allocated, the client can still obtain the domain name service through the mDNS IP addresses that have not been blocked.
In some embodiments, according to the address count N carried in the mDNS IP address request, N mDNS IP addresses are selected from the mDNS IP address pool and allocated to the client.
In some embodiments, for example, the access configuration function may explicitly indicate how many mDNS IP addresses are to be allocated.
In some examples, the method further includes:
allocating a corresponding domain name system (DNS) server to the client. Here, the DNS server may be allocated according to the client's location information, for example by selecting, on a geographic-proximity basis, a DNS server that is closer to the client geographically or in network topology. In other embodiments the DNS server may also be allocated according to status information such as the DNS server's current service load, the number of clients it serves, and whether those clients are online or offline.
Step S120 may include:
establishing a binding relationship among the first host IP address, the first mDNS IP address and the DNS IP address of the DNS server.
In this embodiment the binding relationship includes not only the first host IP address and the first mDNS IP address but also the DNS IP address of the DNS server allocated to the client. Thus, after the first domain name service request is received, the second domain name service request is constructed based on the DNS IP address recorded in the binding relationship.
That is, the step of sending a second domain name service request to the DNS server corresponding to the second mDNS IP address when the second mDNS IP address and the second host IP address are included in the binding relationship includes: if the second mDNS IP address and the second host IP address are included in the binding relationship and a DNS IP address is bound to them, sending the second domain name service request to that bound DNS IP address.
In other embodiments, the same step includes: if the second mDNS IP address and the second host IP address are included in the binding relationship but no DNS IP address is bound to them, sending the second domain name service request to a default DNS server.
DNS servers in different geographic locations and/or network locations may be connected to different DNS servers. A DNS server may set as its default DNS server one that is closer to it geographically or in the network, or set the default according to information such as DNS server load, or select a DNS server with stronger domain name resolution capability as the default, so as to ensure the speed and success rate of domain name resolution. Parameters reflecting strong resolution capability may include at least one of the following:
the number of domain names stored by the DNS server;
the historical resolution success rate of the DNS server;
the operational stability parameter of the DNS server.
The larger the number of domain names, the stronger the resolution capability; the higher the historical resolution success rate, the stronger the capability; and the higher the operational stability parameter, the stronger the capability. In some embodiments the default DNS server may be selected by combining location information, resolution capability and other factors.
In some embodiments, the method further includes at least one of the following:
if the second mDNS IP address and the second host IP address are not in the binding relationship, providing a restricted DNS service to the client, for example providing only DNS services with lower security requirements, such as forwarding the first domain name service request only to a DNS server of lower security level;
if the second mDNS IP address and the second host IP address are not in the binding relationship, directing the domain name service request to a predetermined system that analyses attacks carried in domain name service requests. The predetermined system may be an attack localization system, for example one that uses back-tracing techniques to locate the source client of a first domain name service request that may be an attack, or the tampering endpoint that modified a domain name service request into the first domain name service request. The predetermined system may also be a honeypot system, that is, a system that uses honeypot techniques to improve protection. Honeypot technology deceives the attacker: by deploying decoy hosts, network services or information that induce the attacker to attack them, the attack behaviour can be captured and analysed, the attacker's tools and methods understood, and the attack intent and motive inferred, which lets the defender understand clearly the threats faced and strengthen the protection of the real system through technical and administrative measures;
if the second mDNS IP address and the second host IP address are not in the binding relationship, refusing to provide DNS service to the client. In some embodiments, when a request that is not in the binding relationship can simply be refused, the domain name gateway refuses to forward the domain name to be resolved in the first domain name service request.
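The allocation policy (idle address first, least-bound address when the pool is exhausted, N distinct addresses per client), the legality check indexed by the destination mDNS IP address, and the three policies for unbound requests described above, as an added example in Python. This is illustrative code written for this page, not code from the patent or its assignee; the address values, the class and field names, and the policy names "reject", "restricted" and "honeypot" are constructed.

```python
"""mDNS IP allocation and request verification at the domain name gateway.

Added example, not code from the patent. Address values, class and field
names, and the policy names are constructed for illustration.
"""
from __future__ import annotations

import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Binding:
    host_ip: str             # first host IP address
    mdns_ip: str             # first mDNS IP address
    dns_ip: str | None       # DNS IP address bound for this client, if any


class DomainNameGateway:
    def __init__(self, mdns_pool, default_dns, unbound_policy="reject",
                 restricted_dns=None, honeypot=None, rng=None):
        self.pool = list(mdns_pool)
        self.default_dns = default_dns
        self.unbound_policy = unbound_policy
        self.restricted_dns = restricted_dns
        self.honeypot = honeypot
        self.rng = rng or random.Random(0)   # seeded so the example is repeatable
        # Bindings indexed by mDNS IP: verification only scans the bindings of
        # the mDNS IP the request was sent to, not the whole table.
        self.by_mdns: dict[str, list[Binding]] = defaultdict(list)

    def usage(self, mdns_ip: str) -> int:
        """Number of binding relationships the mDNS IP currently takes part in."""
        return len(self.by_mdns.get(mdns_ip, []))

    def _pick(self, exclude: set[str]) -> str:
        candidates = [a for a in self.pool if a not in exclude]
        idle = [a for a in candidates if self.usage(a) == 0]
        if idle:
            return self.rng.choice(idle)
        # Pool exhausted: prefer the address with the fewest bindings.
        low = min(self.usage(a) for a in candidates)
        return self.rng.choice([a for a in candidates if self.usage(a) == low])

    def allocate(self, host_ip: str, n: int = 1, dns_ip: str | None = None) -> list[str]:
        """Steps S110/S120: hand out n distinct mDNS IPs and record the bindings."""
        if not 1 <= n <= len(self.pool):
            raise ValueError("address count must be between 1 and the pool size")
        chosen: list[str] = []
        for _ in range(n):
            mdns = self._pick(set(chosen))
            self.by_mdns[mdns].append(Binding(host_ip, mdns, dns_ip))
            chosen.append(mdns)
        return chosen

    def verify(self, src_ip: str, dst_ip: str) -> str | None:
        """Legality check: look up by destination mDNS IP, then match the source host IP.

        Returns the DNS IP to forward to (bound DNS IP, or the default DNS
        server when none is bound), or None if the (host IP, mDNS IP) pair is
        not in any binding relationship.
        """
        for b in self.by_mdns.get(dst_ip, ()):
            if b.host_ip == src_ip:
                return b.dns_ip or self.default_dns
        return None

    def handle_request(self, src_ip: str, dst_ip: str, qname: str) -> tuple:
        """Route a first domain name service request (src = host IP, dst = mDNS IP)."""
        target = self.verify(src_ip, dst_ip)
        if target is not None:
            return ("forward", target, qname)       # second domain name service request
        if self.unbound_policy == "restricted" and self.restricted_dns:
            return ("forward", self.restricted_dns, qname)
        if self.unbound_policy == "honeypot" and self.honeypot:
            return ("honeypot", self.honeypot, qname)
        return ("reject", None, qname)
```

A request whose source host IP is spoofed but whose destination is an mDNS IP the attacker learned from another client fails the check, because the lookup by mDNS IP only yields bindings for hosts that were actually allocated that address.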
In some embodiments, the mDNS IP address request further carries address lease information;
the method further includes: setting, according to the address lease information, the validity period of the first mDNS IP address in the binding relationship.
In this embodiment the address lease information indicates the length of the lease of the host IP address, and the domain name gateway sets the validity period of the first mDNS IP address allocated to the client according to that lease. In some embodiments the validity period equals the lease; in other embodiments it is slightly longer than the lease. The lease and the validity period start at the same time. A user or client may only remember to renew the mDNS IP address once the lease has already expired, or the renewal of the host IP address may be delayed somewhat; if the renewal of the corresponding mDNS IP address is requested after the validity period has passed, and the validity period equals the lease, then the validity period expires as soon as the lease does, and even a client that renews must be allocated a new mDNS IP address. Therefore, in some embodiments the validity period is slightly longer than the lease. The amount by which it is longer may be determined from the delay of host IP address renewal, or set to a fixed duration, for example half a day.
In some embodiments, the method further includes: receiving a lease renewal request;
extending the validity period of the first mDNS IP address according to the lease renewal request.
In some embodiments the renewal request is a request to continue leasing the corresponding first mDNS IP address and may carry a renewal period, in which case the validity period is extended according to that renewal period.
In other embodiments the renewal request may carry only a renewal indication and no renewal period or extension length. The domain name gateway may then ask for the renewal period to be indicated, or extend the validity by a default period and re-determine the validity period. The default period may be a fixed renewal duration negotiated between the access gateway and the domain name gateway. In still other embodiments, after extending by the default period, the gateway forwards the updated validity period to the client or to the client's access gateway, so that the client or its access gateway can request a further renewal, or indicate release of the binding relationship, before the updated validity period expires.
In some embodiments, the method further includes:
if the validity period has expired, deleting the binding relationship.
In other embodiments, the method further includes:
sending a deletion notification to the client or to the client's access gateway.
If the binding relationship were kept after its validity period expires, the utilization of the mDNS IP address in that binding would be low, and, if the corresponding host IP address has meanwhile been assigned to another client, subsequent binding lookups and verification could return wrong results; the binding relationship is therefore released promptly. After the binding relationship has been deleted, the method further includes sending a deletion notification, which may be sent to the client or to the client's access gateway, triggering the client or its access gateway to update the client's configuration parameters.
In some embodiments, the method further includes: receiving a release request; and, according to the release request, deleting the binding relationship between the first host IP address and the first mDNS IP address and releasing the first mDNS IP address.
The release request may be an active request to delete the binding relationship so as to release the first mDNS IP address contained in it.
For example, if the client goes offline, it probably no longer needs to request domain name service through this domain name gateway, and the binding relationship can be released, improving the effective utilization of mDNS IP addresses.
As another example, if the client migrates from one network area to another, it may need to access a DNS server or domain name gateway in a different network location, and it can likewise request release of the binding relationship in the original network area.
In this embodiment the network area is related to the location and/or attributes of the network nodes of the wireless network or the Internet. For example, a metropolitan area network covers the local area network of one city; some geographic areas may be adjacent or belong to the same large region yet have access network locations that fall in different network areas. As another example, clients that connect through the networks of different operators may belong to different network areas: a client connected through China Mobile's network and one connected through China Unicom's network are each preferentially served by the domain name gateway and DNS server of their own operator, so two clients in the same geographic location can belong to different network areas.
In some embodiments, the method further includes: receiving an update request;
according to the update request, deleting a first binding relationship and establishing a second binding relationship, where the first binding relationship is the binding between the client's old first host IP address before the update and the first mDNS IP address, and the second binding relationship is the binding between the client's new first host IP address after the update and the first mDNS IP address; the second binding relationship differs from the first at least in the first host IP address.
In some examples the domain name gateway also receives an update request, which asks for the binding relationship to be updated. Because the host IP address bound to the client has changed, the binding relationship may need to be updated in step with it, so in some embodiments, on receiving an update request, the old first binding relationship is deleted and the second binding relationship is established. The update request may carry an indication that the first binding relationship is to be deleted together with the new host IP address. In other embodiments the update request may carry only the old host IP address of the first binding relationship to be deleted and the new host IP address. In either case the domain name gateway can, according to the update request, remove the first binding relationship and establish a new second binding relationship for the client.
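The lease handling described in this and the preceding passages (validity period set from the lease plus a grace margin, renewal with or without an explicit period, deletion on expiry with a notification to the access gateway, release requests, and update requests that move a binding to a new host IP address while keeping the mDNS IP address), as an added example in Python. This is illustrative code written for this page, not code from the patent; timestamps are plain integer seconds supplied by the caller so that expiry is deterministic, the default grace of half a day follows the example in the text, and the other constants and names are assumptions.

```python
"""Validity period, renewal, expiry, release and update of mDNS IP bindings.

Added example, not code from the patent. Times are integer seconds passed in
by the caller; the grace and default renewal values are assumptions.
"""
from dataclasses import dataclass

HALF_DAY = 12 * 3600   # the text's example of a fixed margin beyond the lease


@dataclass
class LeaseBinding:
    host_ip: str
    mdns_ip: str
    expires_at: int      # end of the validity period, not of the host IP lease


class BindingLeaseManager:
    def __init__(self, grace=HALF_DAY, default_renewal=3600):
        self.grace = grace                   # validity period = lease + grace
        self.default_renewal = default_renewal
        self.bindings: dict[str, LeaseBinding] = {}     # keyed by host IP
        self.notices: list[tuple[str, str]] = []        # (event, host_ip) for the access gateway

    def bind(self, host_ip, mdns_ip, lease, now):
        """Create the binding; validity starts with the lease and outlasts it by the grace."""
        self.bindings[host_ip] = LeaseBinding(host_ip, mdns_ip, now + lease + self.grace)
        return self.bindings[host_ip].expires_at

    def renew(self, host_ip, now, period=None):
        """Extend validity by the requested period, or by the default when none is given.

        Extension starts from the later of the current expiry and now, so a
        renewal that arrives inside the grace margin keeps the same mDNS IP.
        """
        b = self.bindings[host_ip]
        ext = period if period is not None else self.default_renewal
        b.expires_at = max(b.expires_at, now) + ext
        if period is None:
            # Default period applied: tell the access gateway the new validity.
            self.notices.append(("validity_updated", host_ip))
        return b.expires_at

    def release(self, host_ip):
        """Release request: drop the binding and hand the mDNS IP back."""
        return self.bindings.pop(host_ip).mdns_ip

    def update_host_ip(self, old_host_ip, new_host_ip, lease, now):
        """Update request: delete the first binding, keep the mDNS IP, bind the new host IP."""
        old = self.bindings.pop(old_host_ip)
        return self.bind(new_host_ip, old.mdns_ip, lease, now)

    def sweep(self, now):
        """Delete every expired binding and queue a deletion notification for each."""
        expired = [h for h, b in self.bindings.items() if b.expires_at <= now]
        for h in expired:
            del self.bindings[h]
            self.notices.append(("deleted", h))
        return expired

    def is_valid(self, host_ip, mdns_ip, now):
        b = self.bindings.get(host_ip)
        return b is not None and b.mdns_ip == mdns_ip and b.expires_at > now
```

The sweep must run before a host IP address is handed to a new client; otherwise a stale binding for the old holder would let the new holder pass verification with the old client's mDNS IP address.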
As shown in FIG. 4, this embodiment provides a security defense method for a DNS server, including:
step S210: receiving a configuration request from a client;
step S220: allocating a host IP address to the client based on the configuration request;
step S230: sending an mDNS IP address request, based on the host IP address, to the domain name gateway;
step S240: receiving the mDNS IP address returned by the domain name gateway in response to the mDNS IP address request;
step S250: sending to the client a configuration response carrying the host IP address and the mDNS IP address.
The method provided in this embodiment may be applied in an access gateway. The access gateway may be an access device through which user equipment (UE), Internet of Things terminals, in-vehicle devices, smart appliances and the like connect to the network; typical access devices include base stations and wireless access hotspots.
In this implementation a configuration request is received from the client; for example, the configuration request may be a Dynamic Host Configuration Protocol (DHCP) request. The access gateway may forward the configuration request to a DHCP server, which configures the host IP address, so that the access gateway achieves dynamic allocation of the client's host IP address. In other implementations the client's access configuration service function may be built into the access gateway itself, in which case the access gateway allocates the host IP address to the client on its own. In short, in this embodiment there are at least two ways of dynamically allocating a host IP address to the client: through an exchange with a configuration server, or by the access gateway itself. Optionally, the configuration request may configure various parameters for the host, including the host IP address, the lease of the host IP address, and the DNS IP address of the DNS server.
In some embodiments, the method further includes:
setting the lease of the host IP address;
sending lease information indicating the lease to the domain name gateway, where the lease information is used by the domain name gateway to set the validity period of the mDNS IP address allocated to the client.
In this embodiment the access gateway, or an access configuration function entity independent of the access gateway, sets the lease of the host IP address for the client; optional ways of setting it include at least one of the following:
setting the lease of the host IP address according to a lease indication from the client;
setting the lease of the host IP address according to the type of connection the client requests to establish; for example, the lease is determined according to whether the current access establishes a temporary session or a regular session other than a temporary session, and the first lease for a temporary session may be slightly shorter than the second lease for a regular session;
setting the lease of the host IP address according to the subscription data of the user identifier used by the client;
the access gateway, or an access configuration function entity independent of the access gateway, setting the lease of the host IP address according to a local policy on leases or a policy received from the Policy Control Function (PCF).
In some embodiments, to allow the usage period of the host IP address and that of the mDNS IP address to be managed in the same or a similar way, the lease of the host IP address and the validity period of the mDNS IP address are made equal or approximately equal. In other management systems, where the two addresses are managed separately, the lease and the validity period need not be equal or even approximately equal; in general the two periods are independent of each other, although they may coincide in particular cases.
In this embodiment, to achieve unified and coordinated management of the host IP address lease and the mDNS IP address validity period, the lease information indicating the lease of the host IP address is sent to the domain name gateway, which makes it convenient for the domain name gateway to set the validity period of the mDNS IP address it dynamically allocates to the client. In some embodiments the domain name gateway sets, based on the lease information, a validity period slightly longer than the lease of the host IP address.
In some embodiments, the method further includes:
receiving a lease renewal request from the client;
extending the lease of the host IP address according to the lease renewal request;
sending a lease renewal request to the domain name gateway, where the lease renewal request is used by the domain name gateway to extend the validity period of the mDNS IP address allocated to the client.
For example, the client may automatically request renewal of the host IP address before its lease expires, or do so on a user's instruction. The access configuration function entity, whether embedded in the access gateway or independent of it, receives the client's renewal request and then extends the lease of the host IP address as requested.
In some embodiments, the method further includes: when a preset condition is met, sending a release request to the domain name gateway, where the release request is used to delete the binding relationship between the client's host IP address and the mDNS IP address allocated to the client.
In this embodiment the access configuration function entity (access configuration function for short) sends a release request to the domain name gateway when a preset condition is met; sending the release request triggers the domain name gateway to remove the corresponding binding relationship, which is equivalent to releasing the mDNS IP address that the domain name gateway allocated to the client.
In some embodiments, the preset condition being met includes one of the following:
a detach request sent by the client when it actively goes offline is received. A client that actively goes offline sends a detach request; for example, a UE automatically sends a detach request before powering off. If the host IP address and/or the mDNS IP address allocated to the UE remained allocated to it while it is offline, the IP addresses would be used inefficiently, so in this embodiment, when a base station, gateway or other network element on the network side detects a detach request sent by a client that is actively going offline, this is considered one way of meeting the preset condition;
the validity period of the client's location update is detected to have expired. Clients such as UEs may be mobile, and a UE performs location update operations such as cell handover and tracking area update while moving. If the location has not been updated for a long time, the UE has probably been inactive for a long time; the validity period of the location update can then be regarded as expired, and the corresponding binding relationship can be released, freeing the host IP address and/or the mDNS IP address;
the lease of the client's host IP address is detected to have expired. An expired lease means the client may have to pay a fee or re-apply in order to renew; to avoid illegal use of the IP address and the like, this is considered to satisfy the preset condition;
the client is detected to be offline. For example, in some embodiments, when a radio access network (RAN) node such as a base station detects that the client has gone offline, there is no longer any need to keep the host IP address and/or mDNS IP address allocated to that client, since doing so would waste IP address and/or mDNS IP address resources.
In some embodiments, the method further includes:
receiving a lease renewal request from the client;
allocating a new host IP address to the client according to the lease renewal request, and setting the lease of the new host IP address according to the lease renewal request;
sending the update request to the domain name gateway, where the update request is used by the domain name gateway to delete the client's old first binding relationship and establish a second binding relationship based on the new host IP address.
In this embodiment the access gateway also receives a lease renewal request for the client, which may be sent by the client itself or by the client's management device; in either case it is a request to renew the host IP address and/or the mDNS IP address for that client.
According to the lease renewal request, a new host IP address is allocated to the client and the lease of the newly allocated host IP address is set; at the same time an update request is sent to the domain name gateway, triggering it to delete the old binding relationship and establish a new one based on the new host IP address. The access gateway, the domain name gateway and the client then need to store the new binding relationship consistently.
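The access-gateway side of the flow, steps S210 to S250 together with the lease chosen by session type, the update request sent when a renewal allocates a new host IP address, and the release request sent when one of the preset conditions is met, as an added example in Python with both sides' messages. This is illustrative code written for this page, not code from the patent; the message field names, the lease values per session type, the host IP pool, and the minimal responder that stands in for the domain name gateway are all constructed.

```python
"""Configuration exchange between client, access gateway and domain name gateway.

Added example, not code from the patent. Message formats, lease values, address
pools and the cut-down domain name gateway responder are constructed.
"""
from dataclasses import dataclass

LEASE_BY_SESSION = {"temporary": 600, "regular": 86400}   # assumed policy
RELEASE_EVENTS = {"detach", "location_update_expired", "lease_expired", "offline"}


class MiniDomainNameGateway:
    """Just enough of the domain name gateway to answer the access gateway."""

    def __init__(self, mdns_pool):
        self.free = list(mdns_pool)
        self.bindings = {}          # host_ip -> (mdns_ips, lease carried in the request)

    def handle(self, msg):
        kind = msg["type"]
        if kind == "mdns_request":                      # carries N and the lease
            ips = [self.free.pop(0) for _ in range(msg["count"])]
            self.bindings[msg["host_ip"]] = (ips, msg["lease"])
            return {"type": "mdns_response", "mdns_ips": ips}
        if kind == "update":                            # old binding out, same mDNS IPs in
            ips, _ = self.bindings.pop(msg["old_host_ip"])
            self.bindings[msg["new_host_ip"]] = (ips, msg["lease"])
            return {"type": "update_ack", "mdns_ips": ips}
        if kind == "release":
            ips, _ = self.bindings.pop(msg["host_ip"])
            self.free.extend(ips)
            return {"type": "release_ack"}
        raise ValueError(f"unknown message type {kind}")


@dataclass
class ClientRecord:
    host_ip: str
    lease: int
    mdns_ips: list


class AccessGateway:
    def __init__(self, host_pool, dng, mdns_count=2):
        self.host_pool = list(host_pool)   # stands in for the DHCP server's pool
        self.dng = dng
        self.mdns_count = mdns_count       # N, as the access configuration function indicates it
        self.clients: dict[str, ClientRecord] = {}

    def configure(self, client_id, session="regular"):
        """S210 configuration request in, S250 configuration response out."""
        host_ip = self.host_pool.pop(0)                                   # S220
        lease = LEASE_BY_SESSION[session]
        rsp = self.dng.handle({"type": "mdns_request", "host_ip": host_ip,
                               "count": self.mdns_count, "lease": lease})  # S230 / S240
        rec = ClientRecord(host_ip, lease, rsp["mdns_ips"])
        self.clients[client_id] = rec
        # The client configures the mDNS IPs as its DNS servers.
        return {"host_ip": host_ip, "lease": lease, "dns_servers": rec.mdns_ips}

    def renew_with_new_host_ip(self, client_id, session="regular"):
        """Renewal that changes the host IP: send an update request, keep the mDNS IPs."""
        rec = self.clients[client_id]
        new_ip = self.host_pool.pop(0)
        lease = LEASE_BY_SESSION[session]
        rsp = self.dng.handle({"type": "update", "old_host_ip": rec.host_ip,
                               "new_host_ip": new_ip, "lease": lease})
        self.host_pool.append(rec.host_ip)
        self.clients[client_id] = ClientRecord(new_ip, lease, rsp["mdns_ips"])
        return {"host_ip": new_ip, "lease": lease, "dns_servers": rsp["mdns_ips"]}

    def on_event(self, client_id, event):
        """Send a release request only when one of the preset conditions is met."""
        if event not in RELEASE_EVENTS:
            return False
        rec = self.clients.pop(client_id)
        self.dng.handle({"type": "release", "host_ip": rec.host_ip})
        self.host_pool.append(rec.host_ip)
        return True
```

The access gateway returns the host IP address only to its own pool after the domain name gateway has acknowledged the release or update, so the address cannot be reissued to another client while a binding for it still exists at the gateway.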
In some embodiments, the method further includes:
deploying one or more domain name gateways for the client according to the configuration request;
recording information about the domain name gateways.
In this embodiment the access gateway deploys one or more domain name gateways for the client based on the configuration request and records information about them, for example their identifiers, IP addresses or location information; in some embodiments this information is recorded against the client's identifier. A suitable domain name gateway is then selected according to one or more of the client's device parameters, client parameters and location parameters, for example the domain name gateway that is closest in geographic or network distance, as the gateway through which the client obtains domain name service.
In some embodiments, deploying one or more domain name gateways for the client according to the configuration request includes:
deploying one or more domain name gateways for the client according to at least one of the client's user identifier, device identifier, location information and a selection policy.
For example, according to the user identifier (the International Mobile Subscriber Identity, IMSI), a domain name gateway is selected that can provide a quality of service matching that user identifier.
The device identifier may include the International Mobile Equipment Identity (IMEI); the device's capability parameters can be learned from its device identifier, and a domain name gateway matching the device identifier (for example, the device capability) is selected.
As a further example, based on the client's location information, the nearest domain name gateway is selected to serve it.
The selection policy may be a local policy stored in the access gateway or a remote policy stored in the PCF or in the subscription database; in either case it can be used by the access configuration function to select the domain name gateway.
Selecting a domain name gateway for the client ensures the quality of the domain name service provided.
In another respect, it is preferable to provide the client with two or more domain name gateways: at least one primary gateway and a backup gateway corresponding to the primary gateway.
In some embodiments, the method further includes:
根据为所述客户端部署的域名网关的个数,确定向所述域名网关请求的为所述客户端动态分配的所述mDNS IP地址的数目。According to the number of domain name gateways deployed for the client, determine the number of the mDNS IP addresses dynamically requested by the domain name gateway for the client.
在本实施例中,可以根据域名网关的个数确定单个域名网关为对应客户端配置的mDNS IP地址的数目。例如,域名网关仅为1个时,域名网关可以为客户端配置至少2个mDNS IP地址,若域名网关为多个时,单个域名网关可以为客户端配置1个mDNS IP地址。In this embodiment, the number of mDNS IP addresses configured for a corresponding client by a single domain name gateway may be determined according to the number of domain name gateways. For example, when there is only one domain name gateway, the domain name gateway can configure at least two mDNS IP addresses for the client. If there are multiple domain name gateways, a single domain name gateway can configure one mDNS IP address for the client.
As shown in FIG. 5, this embodiment provides a security defense apparatus for a DNS server, including:
a first allocation module 110, configured to dynamically allocate a first mDNS IP address to a client according to a mobile domain name system (mDNS) Internet Protocol (IP) address request for the client initiated by an access configuration function;
a first receiving module 120, configured to receive a first domain name service request initiated by the client, where the destination address of the first domain name service request is the mDNS IP address;
a first sending module 130, configured to send, based on the first domain name service request, a second domain name service request to the DNS server corresponding to the mDNS IP address;
a providing module 140, configured to provide the client with a second domain name service response based on the first domain name service response that the DNS server provides in answer to the second domain name service request.
The first allocation module 110, the establishing module, the receiving module, the query module, the first sending module 130 and the providing module 140 provided in this embodiment may all be program modules which, when executed by a processor, implement the functions of the respective modules described above.
The apparatus may be applied in a domain name gateway.
In some embodiments, the security defense apparatus for a DNS server may include:
a first allocation module 110, configured to dynamically allocate a first mDNS IP address to a client according to a client mDNS IP address request initiated by the access configuration function;
an establishing module, configured to establish a binding relationship between a first host IP address of the client and the first mDNS IP address;
a receiving module, configured to receive a first domain name service request initiated by the client;
a query module, configured to query the binding relationship according to the second mDNS IP address of the DNS server corresponding to the client and the second host IP address carried in the first domain name service request;
a first sending module 130, configured to send a second domain name service request to the DNS server corresponding to the second mDNS IP address if the second mDNS IP address and the second host IP address are included in the binding relationship;
a providing module 140, configured to provide the client with a second domain name service response based on the first domain name service response that the DNS server provides in answer to the second domain name service request.
In some embodiments, the first sending module 130 is configured to replace the second mDNS IP address in the first domain name service request with the DNS IP address of the DNS server to form the second domain name service request, and to send the second domain name service request to the DNS server.
In some embodiments, if the domain name gateway is located on the routing path between the client and the DNS server, the source addresses of both the second domain name service request and the first domain name service request are the host IP address of the client.
In some embodiments, the first sending module 130 is configured to replace the first host IP address in the first domain name service request with the gateway IP address of the domain name gateway, forming a second domain name service request that contains both the gateway IP address and the DNS IP address.
In some embodiments, the providing module 140 is configured to replace the DNS IP address of the DNS server in the first domain name service response with the first mDNS IP address allocated to the client.
In some embodiments, the first allocation module 110 is configured to dynamically select the first mDNS IP address from an mDNS IP address pool according to the client mDNS IP address request initiated by the access configuration function.
In some embodiments, the first allocation module 110 is configured to perform one of the following:
randomly selecting the mDNS IP address from the mDNS IP address pool according to the client's mDNS IP address request;
randomly selecting a currently idle mDNS IP address from the mDNS IP address pool according to the client's mDNS IP address request;
according to the client's mDNS IP address request, if no idle mDNS IP address exists in the mDNS IP address pool, randomly selecting an mDNS IP address from among the already used mDNS IP addresses of the pool.
In some embodiments, the first allocation module 110 is configured to select a plurality of mDNS IP addresses from the mDNS IP address pool according to the client's mDNS IP address request.
In some embodiments, the first allocation module 110 is configured to select N mDNS IP addresses from the mDNS IP address pool according to the address count N carried in the mDNS IP address request.
In some embodiments, the apparatus further includes:
a second allocation module, configured to allocate a corresponding domain name system (DNS) server to the client;
the establishing module is configured to establish a binding relationship among the first host IP address, the first mDNS IP address and the DNS IP address of the DNS server.
In some embodiments, the first sending module 130 is configured to send the second domain name service request to the bound DNS IP address if the second mDNS IP address and the second host IP address are included in the binding relationship and a DNS IP address is bound to the second host IP address and the second mDNS IP address.
In some embodiments, the first sending module 130 is configured to send the second domain name service request to a default DNS server if the second mDNS IP address and the second host IP address are included in the binding relationship but no DNS IP address is bound to the second host IP address and the second mDNS IP address.
In some embodiments, the apparatus further includes at least one of the following:
a restricted DNS service providing module 140, configured to provide a restricted DNS service to the client if the second mDNS IP address and the second host IP address are not in the binding relationship;
a guiding module, configured to direct the domain name service request to a predetermined system if the second mDNS IP address and the second host IP address are not in the binding relationship, where the predetermined system is used to analyze attacks carried out through domain name service requests;
a rejecting module, configured to refuse to provide DNS service to the client if the second mDNS IP address and the second host IP address are not in the binding relationship.
In some embodiments, the mDNS IP address request further carries address lease information;
the apparatus further includes:
a setting module, configured to set the validity period of the first mDNS IP address in the binding relationship according to the address lease information.
In some embodiments, the apparatus further includes:
a first receiving module 120, configured to receive a lease renewal request;
a first extending module, configured to extend the validity period of the first mDNS IP address according to the lease renewal request.
In some embodiments, the apparatus further includes:
a first deleting module, configured to delete the binding relationship if the validity period has expired.
In some embodiments, the apparatus further includes:
a second receiving module, configured to receive a release request;
a second deleting module, configured to delete the binding relationship between the first host IP address and the first mDNS IP address according to the release request, and to release the first mDNS IP address.
In some embodiments, the apparatus further includes:
a third receiving module, configured to receive an update request;
a third deleting module, configured to delete a first binding relationship and establish a second binding relationship according to the update request, where the first binding relationship is the binding between the old first host IP address of the client before the update and the first mDNS IP address, and the second binding relationship is the binding between the new first host IP address of the client after the update and the first mDNS IP address; the second binding relationship differs from the first binding relationship at least in the first host IP address.
As shown in FIG. 6, this embodiment provides a security defense apparatus for a DNS server, including:
a fourth receiving module 210, configured to receive a configuration request from a client;
a third allocation module 220, configured to allocate a host Internet Protocol (IP) address to the client based on the configuration request;
a second sending module 230, configured to send a mobile domain name system (mDNS) IP address request to a domain name gateway based on the host IP address;
a fifth receiving module 240, configured to receive the mDNS IP address returned by the domain name gateway in response to the mDNS IP address request;
a third sending module 250, configured to send the client a configuration response carrying the host IP address and the mDNS IP address.
The fourth receiving module 210, the second sending module 230, the fifth receiving module 240 and the third sending module 250 may all be program modules which, when executed by a processor, implement one or more of the functions described above as applied in the access service function.
In some embodiments, the apparatus further includes:
a second setting module, configured to set the lease period of the host IP address;
a sixth sending module, configured to send lease information indicating the lease period to the domain name gateway, where the lease information is used by the domain name gateway to set the validity period of the mDNS IP address assigned to the client.
In some embodiments, the apparatus further includes:
a sixth receiving module, configured to receive a lease renewal request from the client;
a second extending module, configured to extend the lease period of the host IP address according to the lease renewal request;
a seventh sending module, configured to send a lease renewal request to the domain name gateway, where the lease renewal request is used by the domain name gateway to extend the validity period of the mDNS IP address allocated to the client.
In some embodiments, the apparatus further includes:
an eighth sending module, configured to send a release request to the domain name gateway when a preset condition is satisfied, where the release request is used to dissolve the binding relationship between the client's host IP address and the mDNS IP address assigned to the client.
In some embodiments, satisfying the preset condition includes one of the following:
receiving a detach request sent by the client when it actively goes offline;
detecting that the validity period of the client's location update has expired;
detecting that the lease period of the client's host IP address has expired;
detecting that the client has gone offline.
In some embodiments, the apparatus further includes:
a seventh receiving module, configured to receive a lease renewal request from the client;
the third allocation module 220 is configured to allocate a new host IP address to the client according to the lease renewal request, and to set the lease period of the new host IP address according to the lease renewal request;
a ninth sending module, configured to send an update request to the domain name gateway, where the update request is used by the domain name gateway to delete the client's old first binding relationship and establish a second binding relationship based on the new host IP address.
In some embodiments, the apparatus further includes:
a deployment module, configured to deploy one or more domain name gateways for the client according to the configuration request;
a recording module, configured to record information about the domain name gateway(s).
In some embodiments, the deployment module is configured to deploy one or more domain name gateways for the client according to at least one of the client's user identifier, device identifier, location information and a selection policy.
In some embodiments, the deployment module is configured to determine, according to the number of domain name gateways deployed for the client, the number of mDNS IP addresses that are requested from the domain name gateway(s) to be dynamically assigned to the client.
Several optional examples are provided below in combination with any of the above embodiments:
Example 1:
FIG. 7 is a flowchart of the mDNS IP address allocation process according to this example, taking an external access configuration function as an example; a typical external access configuration function is a Dynamic Host Configuration Protocol (DHCP) server. As shown in FIG. 7, the process includes the following steps:
Step 301: the client attaches to the access gateway and sends a DHCP request to the DHCP server through the access gateway, asking the network to assign parameters such as a host IP address and a DNS IP address;
Step 302: the DHCP server assigns a host IP address to the client, sets the IP address lease, selects a domain name gateway, and records the information of the domain name gateway serving this client;
One or more domain name gateways can be deployed in a network. The DHCP server selects one or more domain name gateways (typically two) according to the client's user identifier, device identifier, location information and local policy. Selecting several domain name gateways improves the reliability of the service: one of them serves as the primary entry point and the others as backup entry points.
The request can indicate the number of mDNS IP addresses desired. If one domain name gateway is selected, it can be asked to assign several mDNS IP addresses (for example, two); if several domain name gateways are selected, it is recommended to request one mDNS IP address from each of them.
Step 303: the DHCP server sends an mDNS IP address request to the selected domain name gateway, carrying the host IP address and the lease period of the host IP address, and optionally the user identifier and other information;
If several domain name gateways are selected, step 303 is repeated to send mDNS IP address requests to the other domain name gateways as well.
Step 304: the domain name gateway selects an mDNS IP address from its local mDNS IP address pool, establishes a (host IP address, mDNS IP address) binding relationship, and sets the validity period of that binding according to the lease period of the IP address; the validity period is usually slightly longer than the lease period of the IP address.
The domain name gateway can assign mDNS IP addresses according to the number indicated in the request; by default it assigns one.
The mDNS IP address is selected at random from the mDNS IP address pool, or preferably an unoccupied mDNS IP address is selected at random first, and only after all mDNS IP addresses are occupied is one selected at random from among the occupied mDNS IP addresses.
In this allocation process, one mDNS IP address may be assigned to several clients at the same time. Because each client corresponds to a different (host IP address, mDNS IP address) binding relationship, this does not affect service, and it raises the utilization of mDNS IP addresses: an mDNS IP address can be reused, which reduces the number of mDNS IP addresses needed in scenarios where the number of IP addresses is limited.
In this process, a DNS server that serves the client may optionally be selected and its IP address added to the binding relationship; if no DNS server is selected, the default DNS server is used.
Step 305: the domain name gateway returns the selected mDNS IP address to the DHCP server;
Step 306: the DHCP server sends a DHCP response to the client through the access gateway, carrying parameters such as the host IP address, the host IP address lease period and the mDNS IP address, where the mDNS IP address is sent to the client in the DNS IP address field;
If several domain name gateways were selected in step 303, the DHCP server waits until all of them have returned mDNS IP addresses, aggregates the addresses received from the different gateways, and sends them to the client as the primary and secondary DNS IP addresses. If a domain name gateway does not respond or reports an allocation failure, the DHCP server selects another domain name gateway and continues the request, or sends only the successfully returned mDNS IP addresses to the client.
After receiving these parameters, the client treats the domain name gateway corresponding to the mDNS IP address as its DNS server and subsequently requests domain name service from the domain name gateway.
Since the mDNS IP address is selected dynamically by the domain name gateway from the mDNS IP address pool, the DNS server IP address obtained by each client differs, and the DNS server IP address obtained by the same client at different times also differs.
Step 307: when the client needs to access a service, it sends a domain name service request (corresponding to the first domain name service request) to the domain name gateway according to the mDNS IP address, carrying the domain name of that service. In the IP header of the request message, the source IP address is the host IP address and the destination IP address is the mDNS IP address. For example, when the user wants to access the example.com service, a domain name service request (corresponding to the first domain name service request) is sent to the domain name gateway to obtain the IP address corresponding to the example.com website.
Step 308: after receiving the domain name service request, the domain name gateway uses the host IP address and the mDNS IP address carried in the request message to look up its locally stored host IP address to mDNS IP address binding relationships. On a hit, the request is considered legitimate and a domain name service request is sent to the DNS server. Otherwise the request is considered illegitimate, and the domain name gateway rejects it, or provides a restricted DNS function (for example, resolving only the domain names of services with a lower security level), or directs the domain name service request to a honeypot system, which induces the client to continue its access so that possible threats can be located;
In the IP header of the request message sent to the DNS server, the destination IP address is the DNS server IP address; that is, the destination IP address of step 307 is changed from the mDNS IP address to the DNS server IP address (the DNS IP address). The source IP address can be handled in two ways:
Mode one: the source IP address remains unchanged, i.e. it is still the client's host IP address, and the domain name gateway acts as a DNS proxy. This mode requires that the domain name gateway lie on the message path and that the service request sent by the client and the DNS server's service response pass through the same domain name gateway.
Mode two: the source IP address is the interface IP address of the domain name gateway, and the domain name gateway acts as a DNS cache. It sends the domain name service request to the DNS server from its own IP address and, on receiving the DNS service result, sends the response message to the client with the mDNS IP address as the source IP address. It can also cache the resolution result, so that when other clients later access the same service server the cached result is sent to them, improving resolution efficiency.
The DNS server used is the default DNS server IP address configured on the domain name gateway, or the DNS server IP address stored in the (host IP address, mDNS IP address) binding relationship.
Through the above process, it is ensured that an mDNS IP address can be accessed only by the designated client and not by other clients.
Step 309: the DNS server performs the domain name service process and returns a DNS service response to the domain name gateway, carrying the domain name resolution result, namely the IP address of the service server;
Step 310: the domain name gateway returns a service response to the client, carrying the IP address of the service server.
Having obtained the IP address corresponding to the service server, the client uses that IP address to access the service server.
As the above process shows, the client cannot access the DNS server directly but only through the domain name gateway; the mDNS IP address obtained by each client differs, and the mDNS IP address obtained by the same client differs at different times. The IP address of the DNS server as seen by clients therefore changes dynamically, which protects the DNS server.
Example 2:
FIG. 8 is a flowchart of the mDNS IP address reallocation process according to this example, again taking the external DHCP server scenario as an example. When the lease of the host IP address obtained by the client is about to expire, the client sends a lease renewal request to the access configuration function to keep the host's network parameters valid. As shown in FIG. 8, the process includes the following steps:
Step 401: as the host IP address lease is about to expire, the client sends a DHCP lease renewal request to the DHCP server through the access gateway, carrying the host IP address currently in use;
Step 402: the DHCP server grants the client's renewal request, extends the lease of the host IP address, and looks up the domain name gateway currently serving the client;
Step 403: the DHCP server sends an mDNS IP address refresh request to the domain name gateway found, notifying it to extend the validity period of the mDNS IP address; the message carries the host IP address, the mDNS IP address and the host IP address lease period;
Step 404: the domain name gateway extends the validity period of the mDNS IP address and of the (host IP address, mDNS IP address) binding relationship according to the lease period of the host IP address, for example by updating the validity period of the mDNS IP address and of the binding relationship;
Step 405: the domain name gateway returns a refresh response;
Step 406: the DHCP server returns a DHCP response to the client confirming the renewal.
When domain name service is needed, the client continues to use the assigned host IP address to send domain name service requests to the domain name gateway designated by the mDNS IP address, as shown in steps 407 to 410, which are similar to steps 307 to 310 in FIG. 7.
Through the above process, the domain name gateway can continue to provide domain name service to the client.
Example 4:
FIG. 9 is a flowchart of the mDNS IP address reallocation process according to this example, again taking the external DHCP server scenario as an example. When the lease of the host IP address obtained by the client is about to expire, the client sends a lease renewal request to the access configuration function; this process can also be used to reconfigure the terminal's host parameters. As shown in FIG. 9, the process includes the following steps:
Step 501: the lease of the host IP address is about to expire, and the client sends a DHCP lease renewal request to the DHCP server through the access gateway, carrying the host IP address the client is currently using;
Step 502: the DHCP server extends the IP address lease, or allocates a new host IP address to the client and sets its lease, and selects a domain name gateway for the client again;
Step 503: the DHCP server requests an mDNS IP address from the newly selected domain name gateway and establishes a new (host IP address, mDNS IP address) binding; the process is the same as steps 303 to 305 in FIG. 3;
Step 504: the DHCP server sends an mDNS IP address release request to the original domain name gateway; the original domain name gateway releases the corresponding mDNS IP address, deletes the (host IP address, mDNS IP address) binding and returns an mDNS IP address release response, and the DHCP server deletes its record of the domain name gateway serving this client;
Step 505: the DHCP server sends a DHCP response to the client through the access gateway, carrying the newly allocated mDNS IP address.
When domain name service is needed, the client sends domain name service requests to the new domain name gateway designated by the newly allocated mDNS IP address, as shown in steps 506 to 509.
Through the above process, the mDNS IP address can be updated while the user is online, which makes the domain name service entry point more dynamic and strengthens the protection of the DNS server.
Example 5:
FIG. 10 is a flowchart of the normal mDNS IP address release process according to this example, again taking the external DHCP server scenario as an example. When the client shuts down its network connection, it actively releases the host IP address, and the corresponding mDNS IP address is released at that time. As shown in FIG. 10, the process includes the following steps:
Step 601: the client sends a DHCP release request to the DHCP server through the access gateway, carrying the host IP address in use;
Step 602: the DHCP server looks up the domain name gateway the client is using;
Step 603: the DHCP server sends an mDNS IP address release request to the domain name gateway, carrying the host IP address and the mDNS IP address;
Step 604: the domain name gateway releases the client's hold on the mDNS IP address and deletes the (host IP address, mDNS IP address) binding;
Step 605: the domain name gateway returns a release response to the DHCP server;
Step 606: the DHCP server returns a DHCP release response to the client through the access gateway.
Through the above process, the domain name gateway releases the mDNS IP address promptly and maintains a correct domain name service entry policy.
Example 6:
FIG. 11 is a flowchart of the mDNS IP address timeout release process according to this example, again taking the external DHCP server scenario as an example. When the client leaves the network without sending a DHCP release request, a timeout release mechanism is needed. As shown in FIG. 11, the process includes the following steps:
Step 701 (not shown in FIG. 11): when the client does not send a renewal request within the specified lease, the lease timer in the DHCP server expires;
Step 702: the DHCP server actively releases the host IP address;
Step 703: the DHCP server sends an mDNS IP address release request to the domain name gateway, carrying the host IP address and the mDNS IP address;
Step 704: the domain name gateway releases the client's hold on the mDNS IP address and deletes the (host IP address, mDNS IP address) binding;
Step 705: the domain name gateway returns a release response to the DHCP server;
If, because of network problems or other reasons, the domain name gateway receives neither a refresh request nor a release request from the DHCP server within the validity period of the mDNS IP address, the domain name gateway supports a timeout release function to keep the mDNS IP address in correct use, as shown in steps 706 to 707.
Step 706: when the domain name gateway receives no refresh request within the specified validity period of the mDNS IP address, the mDNS IP address validity timer in the domain name gateway expires (that is, the lease is overdue);
Step 707: the domain name gateway releases the client's hold on the mDNS IP address and deletes the (host IP address, mDNS IP address) binding.
Through the above process, the domain name gateway maintains correct bindings.
Example 7:
FIG. 12 is a flowchart of the mDNS IP address allocation process with a built-in access configuration function according to this example. This scenario is common in mobile networks, where the access gateway, such as a GGSN or PGW, has a built-in access configuration function and provides configuration parameters directly to the client during attachment. As shown in FIG. 8, the main difference between this process and FIG. 7 is that host IP address allocation, domain name gateway selection and mDNS IP address allocation are completed during the access procedure, and this information is sent to the terminal in the access signaling shown in step 806. Taking a 4G network as an example, the access gateway is the PGW and the access configuration function is built into the PGW. As shown in FIG. 12, the process includes the following steps:
Step 801: the client attaches to the mobile network and sends an attach request to the access gateway (PGW);
Step 802: the built-in access configuration function of the access gateway allocates a host IP address to the client from its local IP address pool, selects a domain name gateway and records the domain name gateway serving this client; the validity of the host IP address is tied directly to the client's state in the mobile network;
Steps 803 to 805: the access gateway requests an mDNS IP address from the selected domain name gateway; the process is the same as steps 303 to 305 in FIG. 3;
Step 806: the access gateway sends an attach response to the client carrying parameters such as the host IP address and the mDNS IP address, where the mDNS IP address is sent to the client in the DNS IP address field;
After receiving these parameters, the client treats the domain name gateway corresponding to the mDNS IP address as its DNS server and subsequently requests domain name service from the domain name gateway.
Steps 807 to 810: when the client needs to access a service, the steps are the same as steps 307 to 310 in FIG. 3.
The client obtains the IP address corresponding to the service server and uses that IP address to access the service server; this belongs to the prior art and is not repeated here.
As the above process shows, in the scenario where the access gateway has a built-in access configuration function, the access parameter configuration is completed during the access procedure and the host configuration parameters are transmitted in access signaling.
Maintenance of the mDNS IP address is similar to the external access configuration function scenario and mainly includes the following operations:
Extending the mDNS IP address validity period: the client performs a location update within the validity period of its online state; the access gateway extends the client's online state and at the same time notifies the domain name gateway to extend the validity period of the mDNS IP address. The process is the same as steps 402 to 405 in FIG. 8.
Reallocating the mDNS IP address: the client performs a location update within the validity period of its online state; the access gateway updates the host IP address or extends the client's online state, selects a new domain name gateway, requests an mDNS IP address from the new domain name gateway, and notifies the original domain name gateway to release the mDNS IP address. The process is the same as steps 502 to 504 in FIG. 9.
Normal release of the mDNS IP address: the client goes offline voluntarily and sends a detach request to the access gateway; the access gateway notifies the domain name gateway to release the mDNS IP address and deletes the user's access data. The process is the same as steps 602 to 605 in FIG. 10.
Timeout release of the mDNS IP address: when the location update validity period expires, the access gateway detects that the user is no longer online, notifies the domain name gateway to release the mDNS IP address and deletes the user's access data; or, when the validity period of the mDNS IP address expires, the domain name gateway releases the mDNS IP address. The process is the same as that shown in FIG. 11.
As the above process shows, the built-in access configuration function scenario is similar to the external one: the DNS IP address is maintained by means of the maintenance of the user's online state.
Example 8:
This example proposes a defense system and method for a DNS server. By introducing a domain name gateway, the IP address of the DNS server is transformed, which implements active defense of the DNS server, increases the difficulty for an attacker, lowers the probability of a successful attack and thus improves the security of the whole network. On the path from the access gateway to the DNS server, a Domain Name Gateway (DNG) is added, and the scheme includes:
A. The domain name gateway is configured with a pool of Moving DNS Server IP addresses (mDNS IP addresses).
B. While the client obtains or updates its host configuration parameters, the access configuration function requests an mDNS IP address from the domain name gateway; the domain name gateway selects an mDNS IP address from the mDNS IP address pool and returns it to the access configuration function, which assigns the mDNS IP address to the client as its DNS IP address.
C. The client uses the assigned mDNS IP address to send a domain name service request for the service server to the domain name gateway; the domain name gateway sends the domain name service request to the DNS server and returns the result from the DNS server to the client.
D. The client accesses the service server according to the domain name resolution result.
Optionally: A1. One or more domain name gateways are configured in the network, each with a different mDNS IP address pool, and each pool consists of one or more IP address segments;
B0. The host parameter configuration process uses the DHCP protocol or access signaling;
B1. When there are multiple domain name gateways in the network, the access configuration function selects one or more of them;
B2. The domain name gateway randomly assigns one or more mDNS IP addresses as the primary DNS IP address, or as primary and secondary DNS IP addresses, preferring mDNS IP addresses that are not in use;
B3. The mDNS IP address request carries the IP address assigned to the host and the lease of that IP address;
B4. The domain name gateway selects the mDNS IP address and at the same time establishes a binding between the host IP address and the mDNS IP address;
B5. The domain name gateway sets the validity period of the binding according to the IP address lease. If, within the validity period, the domain name gateway receives a refresh request from the access configuration function, it extends the validity period; if, within the validity period, it receives a release request from the host configuration function, or if the validity period is exceeded, the domain name gateway deletes the binding;
B6. The service result returned by the domain name gateway to the client carries one or more mDNS IP addresses, and multiple mDNS IP addresses may come from one or more domain name gateways;
C1. After receiving a domain name service request from the client, the domain name gateway checks the request message against the binding between the host IP address and the mDNS IP address. If the request matches the binding, it sends the domain name service request to the DNS server; otherwise it rejects the request, serves it with a restricted DNS function, or directs it to a honeypot system;
C2. When the domain name gateway queries the DNS server, the destination address of the query is the default DNS server IP address, or the DNS server IP address selected when the mDNS IP address was assigned;
C3. The domain name gateway acts as a DNS proxy and sends the service request to the DNS server using the client's host IP address as the source, or acts as a DNS cache and sends the service request to the DNS server using the domain name gateway's own IP address.
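The binding lifecycle of Examples 2, 4, 5 and 6 above (allocate, refresh, release, timeout release) and the admission check of items B2 to B5, C1 and C3, as an added illustration that is not the applicant's implementation. The DomainNameGateway class and its method names are hypothetical, and the pool segments, addresses and lease values are constructed sample data.

```python
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Binding:
    """One (host IP address, mDNS IP address) binding (B4), with the validity
    period derived from the host IP address lease (B3/B5)."""
    host_ip: str
    mdns_ip: str
    expires_at: float  # absolute time in seconds


class DomainNameGateway:
    """Hypothetical domain name gateway (DNG) state, written for this note."""

    def __init__(self, segments, dns_server_ip, gateway_ip, seed=None):
        # A1: the mDNS IP address pool consists of one or more IP address segments.
        self.pool = [str(ip) for seg in segments
                     for ip in ipaddress.ip_network(seg).hosts()]
        self.dns_server_ip = dns_server_ip  # C2: default upstream DNS server
        self.gateway_ip = gateway_ip        # C3: source address in cache mode
        self.bindings = {}                  # (host_ip, mdns_ip) -> Binding
        self._rng = random.Random(seed)     # seeded only to make the demo repeatable

    def _in_use(self):
        return {b.mdns_ip for b in self.bindings.values()}

    def allocate(self, host_ip, lease_seconds, now):
        """B2/B4/B5 and step 303-305: pick a random mDNS IP, preferring one
        that is not occupied, and bind it to the host IP for the lease."""
        free = [ip for ip in self.pool if ip not in self._in_use()]
        # If no address is idle, fall back to an address already in use (claim 7).
        mdns_ip = self._rng.choice(free or self.pool)
        self.bindings[(host_ip, mdns_ip)] = Binding(host_ip, mdns_ip, now + lease_seconds)
        return mdns_ip

    def refresh(self, host_ip, mdns_ip, lease_seconds, now):
        """Step 404: extend the validity period on a DHCP lease renewal."""
        b = self.bindings.get((host_ip, mdns_ip))
        if b is None:
            return False
        b.expires_at = now + lease_seconds
        return True

    def release(self, host_ip, mdns_ip):
        """Steps 504/604: delete the binding and free the mDNS IP address."""
        return self.bindings.pop((host_ip, mdns_ip), None) is not None

    def expire(self, now):
        """Steps 706-707: timeout release of bindings that received no refresh."""
        stale = [k for k, b in self.bindings.items() if b.expires_at <= now]
        for k in stale:
            del self.bindings[k]
        return len(stale)

    def check_request(self, src_host_ip, dst_ip, now, mode="proxy"):
        """C1/C3: admit a client domain name request only when (source host IP,
        destination mDNS IP) matches a live binding.  Returns the (source,
        destination) pair to use towards the DNS server, or None when the
        request is rejected (the page also allows restricted DNS or a honeypot)."""
        b = self.bindings.get((src_host_ip, dst_ip))
        if b is None or b.expires_at <= now:
            return None
        src = src_host_ip if mode == "proxy" else self.gateway_ip
        return (src, self.dns_server_ip)

    def rewrite_response(self, resp_src_ip, mdns_ip):
        """Claim 5: the DNS server's IP address in the response is replaced by
        the mDNS IP address allocated to the client."""
        return mdns_ip if resp_src_ip == self.dns_server_ip else resp_src_ip


if __name__ == "__main__":
    # Constructed sample network: two /30 segments give a 4-address pool.
    dng = DomainNameGateway(["198.51.100.0/30", "203.0.113.0/30"],
                            dns_server_ip="192.0.2.53", gateway_ip="192.0.2.1", seed=1)
    mdns = dng.allocate("10.0.0.5", lease_seconds=3600, now=1000)
    print("assigned mDNS IP", mdns)
    print("legit request ->", dng.check_request("10.0.0.5", mdns, now=2000))
    print("wrong source   ->", dng.check_request("10.0.0.6", mdns, now=2000))
    dng.expire(now=5000)
    print("after timeout  ->", dng.check_request("10.0.0.5", mdns, now=5000))
```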
This example provides a system for defending a DNS server, including a client, an access gateway, an access configuration function, a domain name gateway, a DNS server and a service server.
Client: establishes a connection with the access gateway, receives the host IP address, mDNS IP address and other parameters assigned by the access configuration function, uses the mDNS IP address as the DNS server IP address, initiates domain name service requests and accesses service applications.
Access gateway: during client access, obtains the client's configuration parameters from the access configuration function and provides them to the client, and connects the client to the Internet so that it can reach the DNS server and the service server.
Access configuration function: according to the client's access information, assigns a host IP address to the client, selects a domain name gateway, requests an mDNS IP address from it, configures the assigned host IP address and the obtained mDNS IP address on the client, and maintains the validity of the host configuration.
Domain name gateway: maintains the mDNS IP address pool; on request from the host configuration function, selects an mDNS IP address from the pool for the client, establishes a binding between the client's IP address and the mDNS IP address, and maintains the validity of the mDNS IP address and the binding. When the client sends a domain name request, it checks the legitimacy of the request; if the request is legitimate, it sends the service request to the DNS server and returns the result to the client, otherwise it rejects the domain name service request or directs it to a honeypot system.
A network contains one or more domain name gateways. The mDNS IP address pool configured on each domain name gateway consists of one or more IP address segments; using multiple segments is recommended, because it makes the selected mDNS IP addresses more dynamic and confuses attackers.
DNS server: resolves the requested service domain name to the corresponding IP address and returns it.
Service server: provides services to the client; the mapping between its IP address and domain name is stored on the DNS server.
An embodiment of the present disclosure provides a communication device, including:
a transceiver, which may correspond to various communication interfaces, for example a network interface (network card) and/or a transceiving antenna;
a memory, which may include a storage medium and can be used to store various data;
a processor, connected to the transceiver and to the memory, configured to control the sending and receiving of information by the transceiver by executing computer-executable instructions stored in the memory, and to implement the DNS server security defense method provided by any of the foregoing technical solutions, for example the method shown in any of FIG. 2 to FIG. 5 and FIG. 8 to FIG. 12.
The processor may include a central processing unit, a microprocessor, a digital signal processor, a programmable array, an application-specific integrated circuit, and the like.
The processor may be connected to the memory and the transceiver via a communication bus such as an integrated circuit bus. The communication device may be the aforementioned domain name gateway, or the device hosting the access configuration function, such as the access gateway.
If the communication device is the aforementioned domain name gateway, it can execute one or more technical solutions of the DNS server defense method applied in the domain name gateway.
If the communication device is the aforementioned access gateway, or an access configuration functional entity independent of the access gateway, it can execute one or more technical solutions of the DNS server defense method applied in the access gateway, for example the method shown in any of FIG. 2 to FIG. 5 and FIG. 8 to FIG. 12.
An embodiment of the present disclosure provides a computer storage medium storing computer-executable instructions; once executed, these instructions can implement the DNS server security defense method provided by any of the foregoing technical solutions, for example in a device with an access configuration function such as a domain name gateway or an access gateway. The storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code. The computer storage medium may be a non-transitory storage medium.
In the several embodiments provided in this application, it should be understood that the disclosed device and method may be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division into units is only a division by logical function, and other divisions are possible in actual implementation: multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed across multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present disclosure may all be integrated into one processing module, or each unit may stand alone as a unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in hardware, or in hardware plus software functional units.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware driven by program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments.
The above are only optional embodiments of the present disclosure, and the protection scope of the present disclosure is not limited to them; any changes or substitutions that a person skilled in the art can readily conceive within the technical scope disclosed herein shall fall within the protection scope of the present disclosure. Therefore, the protection scope of the present disclosure shall be that of the claims.

Claims (31)

  1. A DNS server security defense method, including:
    dynamically allocating an mDNS IP address to a client according to a moving domain name system (mDNS) network protocol IP address request of the client;
    receiving a first domain name service request initiated by the client, where the destination address of the first domain name service request is the mDNS IP address;
    based on the first domain name service request, sending a second domain name service request to the corresponding DNS server for which the mDNS IP address is substituted;
    providing a second domain name service response to the client based on the first domain name service response provided by the DNS server in response to the second domain name service request.
  2. The method according to claim 1, wherein the method further includes:
    the dynamically allocating an mDNS IP address to the client according to the mDNS network protocol IP address request of the client includes:
    dynamically allocating a first mDNS IP address to the client according to the mDNS network protocol IP address request of the client;
    the method further includes:
    establishing a binding between a first host IP address of the client and the first mDNS IP address;
    querying the binding according to a second mDNS IP address of the DNS server corresponding to the client and a second host IP address carried in the first domain name service request,
    the sending, based on the first domain name service request, a second domain name service request to the corresponding DNS server for which the mDNS IP address is substituted includes:
    if the second mDNS IP address and the second host IP address are contained in the binding, sending the second domain name service request to the DNS server corresponding to the second mDNS IP address.
  3. The method according to claim 1, wherein
    if the domain name gateway is located on the routing path between the client and the DNS server, the source addresses of both the second domain name service request and the first domain name service request are the host IP address of the client.
  4. The method according to claim 1, wherein
    the sending the second domain name service request to the DNS server corresponding to the second mDNS IP address if the second mDNS IP address and the second host IP address are contained in the binding includes:
    replacing the first host IP address in the first domain name service request with the gateway IP address of the domain name gateway, forming the second domain name service request that contains both the gateway IP address and the DNS IP address.
  5. The method according to any one of claims 1 to 4, wherein
    the providing the second domain name service response to the client based on the first domain name service response provided by the DNS server in response to the second domain name service request includes:
    replacing the DNS IP address of the DNS server in the first domain name service response with the mDNS IP address allocated to the client.
  6. The method according to any one of claims 1 to 4, wherein
    the dynamically allocating an mDNS IP address to the client according to the mDNS network protocol IP address request of the client includes:
    dynamically selecting the mDNS IP address from an mDNS IP address pool according to the mDNS IP address request of the client.
  7. The method according to claim 6, wherein the dynamically allocating an mDNS IP address to the client according to the mDNS network protocol IP address request of the client includes one of the following:
    randomly selecting the mDNS IP address from the mDNS IP address pool according to the mDNS IP address request of the client;
    randomly selecting a currently idle mDNS IP address from the mDNS IP address pool according to the mDNS IP address request of the client;
    according to the mDNS IP address request of the client, if there is no idle mDNS IP address in the mDNS IP address pool, randomly selecting the mDNS IP address from the mDNS IP addresses already in use.
  8. The method according to claim 6, wherein the dynamically allocating an mDNS IP address to the client according to the mDNS network protocol IP address request of the client includes:
    selecting multiple mDNS IP addresses from the mDNS IP address pool according to the mDNS IP address request of the client.
  9. The method according to claim 8, wherein
    the selecting multiple mDNS IP addresses from the mDNS IP address pool according to the mDNS IP address request of the client includes:
    selecting N mDNS IP addresses from the mDNS IP address pool according to the number N of addresses carried in the mDNS IP address request.
  10. 根据权利要求2至4任一项所述的方法,其中,The method according to any one of claims 2 to 4, wherein
    所述方法还包括:The method also includes:
    为所述客户端分配对应的域名服务系统DNS服务器;Assigning a DNS server corresponding to the domain name service system to the client;
    所述建立所述客户端的第一主机IP地址与所述第一mDNS IP地址的绑定关系,包括:The establishment of a binding relationship between the first host IP address of the client and the first mDNS IP address includes:
    建立所述第一主机IP地址、所述第一mDNS IP地址及所述DNS服务器的DNS IP地址建立绑定关系。Establish a binding relationship between the first host IP address, the first mDNS IP address, and the DNS server's DNS IP address.
  11. 根据权利要求10所述的方法,其中,The method of claim 10, wherein
    所述若所述第二mDNS IP地址与所述第二主机IP地址包含在所述绑定关系中,向所述第二mDNS IP地址对应的DNS服务器发送第二域名服务请求,包括:If the second mDNS IP address and the second host IP address are included in the binding relationship, sending a second domain name service request to the DNS server corresponding to the second mDNS IP address includes:
    若所述第二mDNS IP地址与所述第二主机IP地址包含在所述绑定关系中且所述第二主机IP地址及所述第二mDNS IP地址有绑定DNS IP地址,向绑定的所述DNS IP地址发送所述第二域名服务请求。If the second mDNS IP address and the second host IP address are included in the binding relationship and the second host IP address and the second mDNS IP address have a bound DNS IP address, bind to The DNS domain name IP address of the second domain name service request.
  12. 根据权利要求10所述的方法,其中,The method of claim 10, wherein
    所述若所述第二mDNS IP地址与所述第二主机IP地址包含在所述绑定关系中,向所述第二mDNS IP地址对应的DNS服务器发送第二域名服务请求,包括:If the second mDNS IP address and the second host IP address are included in the binding relationship, sending a second domain name service request to the DNS server corresponding to the second mDNS IP address includes:
    若所述第二mDNS IP地址与所述第二主机IP地址包含在所述绑定关系中且所述第二主机IP地址及所述第二mDNS IP地址未绑定有DNS IP地址,向默认DNS服务器发送所述第二域名服务请求。If the second mDNS IP address and the second host IP address are included in the binding relationship and the second host IP address and the second mDNS IP address are not bound to a DNS IP address, the default The DNS server sends the second domain name service request.
  13. 根据权利要求2至4任一项所述的方法,其中,所述方法还包括以下至少之一:The method according to any one of claims 2 to 4, wherein the method further comprises at least one of the following:
    若所述第二mDNS IP地址与所述第二主机IP地址不在所述绑定关系中,向所述客户端提供受限DNS服务;If the second mDNS IP address and the second host IP address are not in the binding relationship, provide a limited DNS service to the client;
    若所述第二mDNS IP地址与所述第二主机IP地址不在所述绑定关系中,将所述域名服务请求引导到预定系统,其中,所述预定系统,用于对域名服务请求的攻击进行解析;If the second mDNS IP address and the second host IP address are not in the binding relationship, direct the domain name service request to a predetermined system, wherein the predetermined system is used to attack the domain name service request To parse;
    若所述第二mDNS IP地址与所述第二主机IP地址不在所述绑定关系中,拒绝向所述客户端提供DNS服务。If the second mDNS IP address and the second host IP address are not in the binding relationship, refuse to provide DNS services to the client.
  14. 根据权利要求2至4任一项所述的方法,其中,The method according to any one of claims 2 to 4, wherein
    所述mDNS IP地址请求中还携带有地址租期信息;The mDNS IP address request also carries address lease information;
    所述方法还包括:The method also includes:
    根据所述地址租期信息,设置绑定关系中所述第一mDNS IP地址的有效期。According to the address lease period information, the validity period of the first mDNS IP address in the binding relationship is set.
  15. 根据权利要求14所述的方法,其中,所述方法还包括:The method according to claim 14, wherein the method further comprises:
    接收续租请求;Receive renewal request;
    根据所述续租请求,延长所述第一mDNS IP地址的有效期。According to the lease renewal request, the validity period of the first mDNS IP address is extended.
  16. 根据权利要求14所述的方法,其中,所述方法还包括:The method according to claim 14, wherein the method further comprises:
    若所述有效期超期,删除所述绑定关系。If the validity period expires, the binding relationship is deleted.
  17. 根据权利要求2至4任一项所述的方法,其中,所述方法还包括:The method according to any one of claims 2 to 4, wherein the method further comprises:
    接收释放请求;Receive a release request;
    根据所述释放请求,删除所述第一主机IP地址与所述第一mDNS  IP地址的绑定关系,并释放所述第一mDNS IP地址。According to the release request, delete the binding relationship between the first host IP address and the first mDNS IP address, and release the first mDNS IP address.
  18. 根据权利要求2至4任一项所述的方法,其中,所述方法还包括:The method according to any one of claims 2 to 4, wherein the method further comprises:
    接收更新请求;Receive an update request;
    根据所述更新请求,删除第一绑定关系并建立第二绑定关系;其中,所述第一绑定关系为:更新前所述客户端对应的旧的第一主机IP地址与所述第一mDNS IP地址的绑定关系;所述第二绑定关系为:更新后所述客户端对应的新的第一主机IP地址与所述第一mDNS IP地址的绑定关系;其中,所述第二绑定关系相对于所述第一绑定关系,至少所述第一主机IP地址不同。Delete the first binding relationship and establish the second binding relationship according to the update request; wherein, the first binding relationship is: the old first host IP address corresponding to the client and the first A binding relationship of an mDNS IP address; the second binding relationship is: a binding relationship between the new first host IP address corresponding to the client and the first mDNS IP address after the update; wherein, the Compared with the first binding relationship, at least the first host IP address is different in the second binding relationship.
  19. 一种DNS服务器的安全防御方法,包括:A DNS server security defense method, including:
    接收客户端的配置请求;Receive client configuration request;
    基于所述配置请求,为所述客户端分配主机网络协议IP地址;Based on the configuration request, assigning a host network protocol IP address to the client;
    基于所述主机IP地址向域名网关发送的移动域名系统mDNS IP地址请求;A mobile domain name system mDNS IP address request sent to the domain name gateway based on the host IP address;
    接收所述域名网关基于mDNS IP地址请求返回的mDNS IP地址;Receiving the mDNS IP address returned by the domain name gateway based on the mDNS IP address request;
    向所述客户端发送携带有所述主机IP地址及所述mDNS IP地址的配置响应。Sending a configuration response carrying the host IP address and the mDNS IP address to the client.
  20. 根据权利要求19所述的方法,其中,所述方法还包括:The method of claim 19, wherein the method further comprises:
    设置所述主机IP地址的租期;Set the lease period of the host IP address;
    向所述域名网关发送指示所述租期的租期信息,其中,所述租期信息,用于所述域名网关设置分配给所述客户端的所述m DNS IP地 址的有效期。Sending lease period information indicating the lease period to the domain name gateway, wherein the lease period information is used by the domain name gateway to set the validity period of the mDNS IP address allocated to the client.
  21. 根据权利要求20所述的方法,其中,所述方法还包括:The method of claim 20, wherein the method further comprises:
    接收到所述客户端的续租请求;Receiving a lease renewal request from the client;
    根据所述续租请求延长所述主机IP地址的租期;Extend the lease period of the host IP address according to the lease renewal request;
    向所述域名网关发送续租请求,其中,所述续租请求,用于所述域名网关延长为所述客户端分配的mDNS IP地址的有效期。Sending a lease renewal request to the domain name gateway, wherein the lease renewal request is used by the domain name gateway to extend the validity period of the mDNS IP address allocated to the client.
  22. 根据权利要求19或20所述的方法,其中,所述方法还包括:The method according to claim 19 or 20, wherein the method further comprises:
    在满足预设条件时,向所述域名网关发送释放请求,其中所述释放请求,用于解除所述客户端的主机IP地址和分配给所述客户端的mDNS IP地址之间的绑定关系。When a preset condition is met, a release request is sent to the domain name gateway, where the release request is used to release the binding relationship between the client's host IP address and the mDNS IP address assigned to the client.
  23. 根据权利要求22所述的方法,其中,The method of claim 22, wherein
    所述满足预设条件包括以下之一:Satisfying the preset condition includes one of the following:
    接收到所述客户端主动离线发送的去附着请求;Receiving a detach request actively sent offline by the client;
    检测到所述客户端的位置更新的有效期超期;Detecting that the validity period of the location update of the client is overdue;
    检测到所述客户端的主机IP地址的租期超期;Detecting that the lease term of the client's host IP address has expired;
    检测到所述客户端已离线。It is detected that the client is offline.
  24. 根据权利要求19或20所述的方法,其中,所述方法还包括:The method according to claim 19 or 20, wherein the method further comprises:
    接收所述客户端的续租请求;Receiving a lease renewal request from the client;
    根据所述续租请求为所述客户端分配新的主机IP地址,并根据 所述续租请求设置所述新的主机IP地址的租期;Assign a new host IP address to the client according to the lease renewal request, and set the lease period of the new host IP address according to the lease renewal request;
    向所述域名网关发送更新请求,其中,所述更新请求,用于所述域名网关删除所述客户端旧的第一绑定关系并基于所述新的主机建立新的主机IP地址建立第二绑定关系。Sending an update request to the domain name gateway, wherein the update request is used by the domain name gateway to delete the old first binding relationship of the client and establish a second host IP address based on the new host to establish a second Binding relationship.
  25. 根据权利要求19或20所述的方法,其中,所述方法还包括:The method according to claim 19 or 20, wherein the method further comprises:
    根据所述配置请求,为所述客户端部署一台或多台域名网关;Deploy one or more domain name gateways for the client according to the configuration request;
    记录所述域名网关的信息。Record the information of the domain name gateway.
  26. 根据权利要求25所述的方法,其中,所述根据所述配置请求,为所述客户端部署一台或多台域名网关,包括:The method according to claim 25, wherein the deploying one or more domain name gateways for the client according to the configuration request includes:
    根据所述客户端的用户标识、设备标识、位置信息及选择策略的至少其中之一,为所述客户端部署一台或多个域名网关。Deploy one or more domain name gateways for the client according to at least one of the client's user ID, device ID, location information, and selection strategy.
  27. 根据权利要求25所述的方法,其中,所述方法还包括:The method of claim 25, wherein the method further comprises:
    根据为所述客户端部署的域名网关的个数,确定向所述域名网关请求的为所述客户端动态分配的所述mDNS IP地址的数目。According to the number of domain name gateways deployed for the client, determine the number of the mDNS IP addresses dynamically requested by the domain name gateway for the client.
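The following is an added illustrative model of the two claimed methods, written for this page and not taken from the patent or from ZTE: the domain name gateway side (claims 1 to 18: pool allocation, the (host IP, mDNS IP) binding table, address rewriting in both directions, lease expiry, release and update, and the handling of unbound requests from claim 13) and the configuration-server side (claims 19 to 27: host IP assignment, one mDNS IP request per deployed gateway, and release on the claim 23 conditions). The class and method names, the dict-shaped "packets", the resolver stand-in and every IP address, pool and lease value are assumptions constructed for the example; gateway selection (claim 26) and lease renewal (claims 15 and 21) are left out.

```python
"""Added illustrative model of the claimed scheme; not ZTE's code. All IP addresses,
pool sizes and lease values are constructed sample data."""
import random
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class Binding:
    host_ip: str           # client's real host IP address
    mdns_ip: str           # mDNS IP the client uses as its "DNS server" address
    dns_ip: Optional[str]  # bound real DNS server; None means the default server (claims 10-12)
    expires_at: float      # validity period derived from the address lease (claim 14)


class DomainNameGateway:
    """On the client-to-DNS path (claims 1-18): only a (host IP, mDNS IP) pair that is in
    the binding table is rewritten and forwarded to a real DNS server."""

    def __init__(self, mdns_pool, gateway_ip, default_dns, resolvers, clock=time.time, seed=0):
        self.pool = list(mdns_pool)     # mDNS IP address pool (claim 6)
        self.gateway_ip = gateway_ip
        self.default_dns = default_dns
        self.resolvers = resolvers      # constructed stand-in for DNS servers: dns_ip -> {qname: answer}
        self.clock = clock
        self.rng = random.Random(seed)  # seeded only so the example is reproducible
        self.bindings = {}              # (host_ip, mdns_ip) -> Binding

    def allocate(self, host_ip, count=1, lease=3600, dns_ip=None):
        """Claims 7-9: pick `count` mDNS IPs at random, preferring idle addresses and
        falling back to in-use ones when none is idle; bind each to host_ip."""
        chosen = []
        for _ in range(count):
            in_use = {b.mdns_ip for b in self.bindings.values()} | set(chosen)
            mdns_ip = self.rng.choice([a for a in self.pool if a not in in_use] or self.pool)
            self.bindings[(host_ip, mdns_ip)] = Binding(host_ip, mdns_ip, dns_ip, self.clock() + lease)
            chosen.append(mdns_ip)
        return chosen

    def expire(self):  # claim 16: drop bindings whose validity period has passed
        now = self.clock()
        for key in [k for k, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[key]

    def release(self, host_ip, mdns_ip):  # claim 17: the mDNS IP becomes idle again
        self.bindings.pop((host_ip, mdns_ip), None)

    def update(self, old_host_ip, new_host_ip, mdns_ip):  # claim 18: same mDNS IP, new host IP
        old = self.bindings.pop((old_host_ip, mdns_ip))
        self.bindings[(new_host_ip, mdns_ip)] = Binding(new_host_ip, mdns_ip, old.dns_ip, old.expires_at)

    def handle_query(self, query, unbound_policy="reject"):
        """Claims 2-5 and 11-13. query = {"src": host IP, "dst": mDNS IP, "qname": name}."""
        self.expire()
        binding = self.bindings.get((query["src"], query["dst"]))
        if binding is None:
            # Claim 13: an unbound pair is refused, given restricted service, or steered
            # to an analysis system; the operator picks the policy.
            return {"action": unbound_policy, "answer": None}
        dns_ip = binding.dns_ip or self.default_dns                         # claims 11-12
        # Claim 4: source becomes the gateway IP, destination becomes the real DNS IP.
        upstream = {"src": self.gateway_ip, "dst": dns_ip, "qname": query["qname"]}
        answer = self.resolvers[upstream["dst"]].get(upstream["qname"], "NXDOMAIN")
        # Claim 5: the real DNS IP is swapped back to the client's mDNS IP in the response.
        return {"action": "answer", "src": binding.mdns_ip, "dst": binding.host_ip, "answer": answer}


class ConfigServer:
    """Claims 19-27: assigns the host IP, requests one mDNS IP from each gateway deployed
    for the client (claim 27) and returns both; gateway selection (claim 26) is assumed done."""

    def __init__(self, gateways, host_pool, lease=3600):
        self.gateways, self.host_pool, self.lease = gateways, list(host_pool), lease
        self.clients = {}               # client_id -> (host_ip, [(gateway, mdns_ip), ...])

    def configure(self, client_id):
        host_ip = self.host_pool.pop(0)
        assigned = [(gw, gw.allocate(host_ip, 1, self.lease)[0]) for gw in self.gateways]
        self.clients[client_id] = (host_ip, assigned)
        return {"host_ip": host_ip, "mdns_ips": [ip for _, ip in assigned]}

    def release(self, client_id):  # claims 22-23: detach, lease/location expiry, offline
        host_ip, assigned = self.clients.pop(client_id)
        for gw, mdns_ip in assigned:
            gw.release(host_ip, mdns_ip)
        self.host_pool.append(host_ip)


def demo():
    """One client: a bound query, the same query from an unbound host IP, then after expiry."""
    clock = [1000.0]
    resolvers = {"192.0.2.53": {"example.com": "203.0.113.10"}}  # constructed upstream data
    gw = DomainNameGateway(["198.51.100.1", "198.51.100.2"], "198.51.100.254",
                           "192.0.2.53", resolvers, clock=lambda: clock[0])
    server = ConfigServer([gw], ["10.0.0.7"])
    cfg = server.configure("ue-1")
    q = {"src": cfg["host_ip"], "dst": cfg["mdns_ips"][0], "qname": "example.com"}
    ok = gw.handle_query(q)
    spoofed = gw.handle_query({**q, "src": "10.0.0.99"})  # host IP not bound to this mDNS IP
    clock[0] += 3601                                      # 3600 s lease has expired
    expired = gw.handle_query(q)
    return cfg, ok, spoofed, expired
```

The point the model makes visible is that the client only ever sees an mDNS IP drawn from a pool, so a request that reaches a real DNS server must carry a (host IP, mDNS IP) pair the gateway itself issued; a request from a host that merely learned an mDNS IP, or one that arrives after the lease has lapsed, never reaches the resolver. Running `demo()` returns the configuration response, an answered query, a rejected query and a rejected post-expiry query.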
  28. A security defense apparatus for a DNS server, comprising:
    a first assignment module, configured to dynamically assign a first mDNS IP address to a client according to a mobile domain name system (mDNS) Internet Protocol (IP) address request from the client;
    a first receiving module, configured to receive a first domain name service request initiated by the client, wherein the destination address of the first domain name service request is the mDNS IP address;
    a first sending module, configured to send, based on the first domain name service request, a second domain name service request to the DNS server corresponding to the mDNS IP address;
    a providing module, configured to provide a second domain name service response to the client based on the first domain name service response provided by the DNS server in response to the second domain name service request.
  29. A security defense apparatus for a DNS server, comprising:
    a fourth receiving module, configured to receive a configuration request from a client;
    a third assignment module, configured to assign a host Internet Protocol (IP) address to the client based on the configuration request;
    a second sending module, configured to send, based on the host IP address, a mobile domain name system (mDNS) IP address request to a domain name gateway;
    a fifth receiving module, configured to receive the mDNS IP address returned by the domain name gateway based on the mDNS IP address request;
    a third sending module, configured to send to the client a configuration response carrying the host IP address and the mDNS IP address.
  30. A communication device, comprising:
    a transceiver;
    a memory;
    a processor, connected to the transceiver and to the memory respectively, and configured to control the sending and receiving of information by the transceiver by executing computer-executable instructions stored in the memory, and to implement the method according to any one of claims 1 to 18 or 19 to 27.
  31. A computer storage medium storing computer-executable instructions, wherein the computer-executable instructions, when executed, are capable of implementing the method according to any one of claims 1 to 18 or 19 to 27.
PCT/CN2019/112547 2018-10-26 2019-10-22 Safety defense method and apparatus for dns server, and communication device and storage medium WO2020083288A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811257892.8A CN111107171B (en) 2018-10-26 2018-10-26 Security defense method and device for DNS (Domain name Server), communication equipment and medium
CN201811257892.8 2018-10-26

Publications (1)

Publication Number Publication Date
WO2020083288A1 true WO2020083288A1 (en) 2020-04-30

Family

ID=70330908

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/112547 WO2020083288A1 (en) 2018-10-26 2019-10-22 Safety defense method and apparatus for dns server, and communication device and storage medium

Country Status (2)

Country Link
CN (1) CN111107171B (en)
WO (1) WO2020083288A1 (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112291363B (en) * 2020-11-06 2023-09-08 腾讯科技(深圳)有限公司 Method, apparatus, electronic device, and computer-readable storage medium for wireless communication
CN112637175B (en) * 2020-12-17 2021-08-20 山东云天安全技术有限公司 Defense method and device for industrial Internet of things
CN112333299B (en) * 2021-01-04 2021-12-28 观脉科技(北京)有限公司 Domain name resolution method, configuration method and equipment
CN113206894B (en) * 2021-05-08 2024-04-23 腾讯科技(深圳)有限公司 Method and device for discovering DNS server, computer equipment and storage medium
CN115766434A (en) * 2021-09-03 2023-03-07 中国移动通信集团山东有限公司 VXLAN configuration method and equipment
CN114710314B (en) * 2022-02-21 2023-06-06 深圳腾银信息咨询有限责任公司 Access method, device, system and medium for configured software service platform
CN117061253B (en) * 2023-10-12 2023-12-22 南京赛宁信息技术有限公司 Detection method and system for dynamically deploying honeypots

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005036317A2 (en) * 2003-09-19 2005-04-21 Motorola, Inc. Automatic sub domain delegation of private name spaces for home-to-home virtual private networks
CN101277306A (en) * 2008-05-14 2008-10-01 华为技术有限公司 Method, system and equipment for processing DNS service
US20120084449A1 (en) * 2010-10-05 2012-04-05 Verizon Patent And Licensing Inc. Dynamic selection of packet data network gateways
CN108040134A (en) * 2017-12-06 2018-05-15 杭州迪普科技股份有限公司 A kind of method and device of DNS Transparent Proxies
CN108632221A (en) * 2017-03-22 2018-10-09 华为技术有限公司 Position method, equipment and the system of the compromised slave in Intranet

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8549118B2 (en) * 2009-12-10 2013-10-01 At&T Intellectual Property I, L.P. Updating a domain name server with information corresponding to dynamically assigned internet protocol addresses
CN104427011B (en) * 2013-09-02 2019-03-22 中兴通讯股份有限公司 The method and domain name cache server of domain name mapping
CN107231445A (en) * 2016-03-23 2017-10-03 中兴通讯股份有限公司 A kind of dynamic domain name system DNS reorientation methods, apparatus and system


Also Published As

Publication number Publication date
CN111107171A (en) 2020-05-05
CN111107171B (en) 2022-07-12


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19876291

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 27.08.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19876291

Country of ref document: EP

Kind code of ref document: A1