WO2020083288A1 - Security defense method and apparatus for a DNS server, and communication device and storage medium - Google Patents

Security defense method and apparatus for a DNS server, and communication device and storage medium

Info

Publication number: WO2020083288A1
Application number: PCT/CN2019/112547
Authority: WO (WIPO, PCT)
Other languages: English (en), Chinese (zh)
Prior art keywords: address, mdns, domain name, client, request
Inventors: 郝振武, 吴强, 谢大雄, 陆平
Original assignee: 中兴通讯股份有限公司 (ZTE Corporation)

Classifications

    • H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L 61/00 Network arrangements, protocols or services for addressing or naming
        • H04L 61/45 Network directories; Name-to-address mapping › H04L 61/4505 using standardised directories; using standardised directory access protocols › H04L 61/4511 using domain name system [DNS]
        • H04L 61/50 Address allocation › H04L 61/5007 Internet protocol [IP] addresses

Definitions

  • The present disclosure relates to the field of network technology, and in particular to a security defense method and apparatus for a Domain Name System (DNS) server, a communication device, and a storage medium.
  • A DNS server is a server that provides domain name services. A requesting end sends a resolution request carrying a domain name; after receiving it, the DNS server returns the Internet Protocol (IP) address of the service server that corresponds to that domain name, and the requesting end then uses the returned IP address to reach the service server and obtain its services.
  • For an ordinary user an IP address is an opaque, hard-to-remember string, and a user accesses many service servers, so remembering each server's IP address is impractical. Domain name resolution is therefore an essential service.
  • The DNS server that provides this resolution service is, however, an attractive target for attackers. A compromised DNS server is a security problem in itself, and because it stores the IP addresses of the service servers, information leaked from it can also expose those servers to attack.
  • The embodiments of the present disclosure therefore provide a DNS server security defense method and apparatus, a communication device, and a storage medium.
  • Throughout this document "mDNS" stands for "moving (mobile) Domain Name System", and an "mDNS IP address" is a virtual, dynamically assigned IP address that stands in for the real IP address of the DNS server. It is unrelated to multicast DNS (RFC 6762), which uses the same abbreviation.
  • In a first aspect, an embodiment of the present disclosure provides a DNS server security defense method, performed by a domain name gateway, including: dynamically allocating a first mDNS IP address to a client according to the client's mDNS IP address request; receiving a first domain name service request initiated by the client, whose destination address is the mDNS IP address; based on the first domain name service request, sending a second domain name service request to the corresponding DNS server with the mDNS IP address replaced by the address of that DNS server; and providing the client with a second domain name service response based on the first domain name service response that the DNS server returns for the second domain name service request.
  • In a second aspect, an embodiment provides a DNS server security defense method, performed by the access configuration function, whose steps mirror the modules of the corresponding apparatus below: receiving a configuration request from the client; allocating a host IP address to the client based on the configuration request; sending an mDNS IP address request to the domain name gateway based on the host IP address; receiving the mDNS IP address returned by the domain name gateway; and sending the client a configuration response carrying both the host IP address and the mDNS IP address.
  • Another embodiment provides a DNS server security defense apparatus including: a first allocation module configured to dynamically allocate a first mDNS IP address to the client according to the client's mDNS IP address request; a first receiving module configured to receive a first domain name service request initiated by the client, whose destination address is the mDNS IP address; a first sending module configured to send, based on the first domain name service request, a second domain name service request to the corresponding DNS server with the mDNS IP address replaced by that server's address; and a providing module configured to provide the client with a second domain name service response based on the first domain name service response returned by the DNS server for the second request.
  • Another embodiment provides a DNS server security defense apparatus including: a fourth receiving module configured to receive the client's configuration request; a third allocation module configured to allocate a host IP address to the client based on the configuration request; a second sending module configured to send an mDNS IP address request to the domain name gateway based on the host IP address; a fifth receiving module configured to receive the mDNS IP address returned by the domain name gateway for that request; and a third sending module configured to send the client a configuration response carrying the host IP address and the mDNS IP address.
  • Another embodiment provides a communication device including a transceiver, a memory, and a processor connected to both, the processor being configured to control the transceiver and to implement the DNS server security defense method of the first and/or second aspect by executing computer-executable instructions stored in the memory.
  • Another embodiment provides a computer storage medium storing computer-executable instructions which, when executed, implement the DNS server security defense method of the first and/or second aspect.
  • With the method, apparatus, communication device and storage medium of these embodiments, the real IP address of the DNS server is hidden when the domain name gateway configures the DNS server used by the client: the client is given only an mDNS IP address, from which it cannot locate the DNS server directly. The client sends its domain name service request to the mDNS IP address, and the domain name gateway, based on that first request, sends a second request to the corresponding DNS server and relays the response back to the client.
  • FIG. 1 is a schematic structural diagram of a network system provided by an embodiment of the present disclosure
  • FIG. 2 is a schematic flowchart of a first DNS server security defense method provided by an embodiment of the present disclosure
  • FIG. 3 is a schematic flowchart of a second DNS server security defense method provided by an embodiment of the present disclosure
  • FIG. 4 is a schematic flowchart of a third DNS server security defense method provided by an embodiment of the present disclosure
  • FIG. 5 is a schematic structural diagram of a first type of DNS server security defense device provided by an embodiment of the present disclosure
  • FIG. 6 is a schematic structural diagram of a second type of DNS server security defense device provided by an embodiment of the present disclosure
  • FIG. 7 is a schematic flowchart of a fourth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 8 is a schematic flowchart of a fifth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 9 is a schematic flowchart of a sixth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 10 is a schematic flowchart of a seventh DNS server security defense method provided by an embodiment of the present disclosure
  • FIG. 11 is a schematic flowchart of an eighth DNS server security defense method provided by an embodiment of the present disclosure.
  • FIG. 12 is a schematic flowchart of a ninth DNS server security defense method provided by an embodiment of the present disclosure.
  • This embodiment provides a network system for the DNS server defense method. Compared with an existing access network it adds a domain name gateway (DNG) and an access configuration function, so the disclosure is compatible with existing technology and easy to deploy. The roles are as follows.
  • Client: establishes a connection with the access gateway and receives the host IP address and mDNS IP address assigned by the access configuration function, the mDNS IP address serving as the virtual IP address of the DNS server; accesses the Internet through the access gateway, initiates domain name requests, and accesses business applications.
  • Access gateway: during client access, obtains the client's configuration parameters from the access configuration function and delivers them to the client; provides the client's Internet access, so that the client reaches the DNS server and the service servers through the domain name gateway.
  • Access configuration function: according to the client's access information, assigns a host IP address to the client, selects a domain name gateway, requests an mDNS IP address from it, configures the assigned host IP address and the obtained mDNS IP address on the client, and maintains the validity of the host configuration.
  • Domain name gateway: maintains the mDNS IP address pool and selects mDNS IP addresses from it for clients at the request of the access configuration function; in some embodiments, establishes a binding relationship between the client's host IP address and the mDNS IP address and maintains the validity of both the address and the binding. When the client initiates a domain name request, the gateway checks the validity of the request: a legitimate request is forwarded as a service request to the DNS server and the result is returned to the client; otherwise the gateway rejects the request, applies a restricted DNS function, or directs the request to a honeypot system.
  • DNS server: resolves the requested service domain name to the corresponding IP address and returns it.
  • Service server: provides services to clients; the correspondence between its IP address and its domain name is stored in the DNS server.
  • This embodiment provides a DNS server security defense method, including:
  • Step S110: dynamically assign an mDNS IP address to the client according to the client's mDNS IP address request; the assigned address is referred to as the first mDNS IP address. The request may, for example, be the mDNS IP address request that the access configuration function initiates on the client's behalf.
  • Step S120: receive a first domain name service request initiated by the client, whose destination address is the mDNS IP address.
  • Step S130: based on the first domain name service request, send a second domain name service request to the corresponding DNS server, with the mDNS IP address replaced by the address of that DNS server.
  • Step S140: provide the client with a second domain name service response based on the first domain name service response that the DNS server returns for the second domain name service request.
  • The security defense method of this embodiment may be applied to a domain name gateway, which may correspond to a physical gateway. The physical gateway may be the access gateway through which the client reaches the network; a typical access gateway is a packet data gateway (PGW). The domain name gateway may also be a gateway set up specifically to protect the DNS server, connected directly or indirectly to the access gateway.
  • The client may be an application, software development kit, component or plug-in installed and/or running on a terminal. The client reaches the domain name gateway through the access gateway, and may request the IP address of the DNS server through the access gateway, which relays the request to the domain name gateway.
  • The mDNS IP address may be a virtual IP address of the DNS server, different from the DNS server's real IP address (also called the DNS IP address in this disclosure). The real IP address is disclosed neither to the network at large nor to the client. This reduces an attacker's ability to target a DNS IP address published on the public network, and thereby reduces both the DNS server's own exposure and the exposure of the service servers whose IP addresses and other information the DNS server stores.
  • The mDNS IP address may be part of the IP address range currently used by the network, so that a data packet carrying it as destination address (for example, the first domain name service request) is routed to the domain name gateway that assigned it.
  • The mDNS IP address is allocated dynamically rather than pre-allocated. Compared with static allocation, this avoids the long-term stability of a statically assigned address, which an illegitimate client could otherwise learn, steal from a legitimate client, and use to impersonate that client towards the DNS server.
  • Dynamic allocation may select randomly for each client from all mDNS IP addresses, or randomly from a subset of them. It is not limited to random selection; selection according to an allocation rule also qualifies. The point is that each allocation is decided at allocation time rather than in advance, so the mDNS IP address allocated to a client may differ from one allocation to the next.
  • The allocated mDNS IP address is returned to the client, for example as one of its configuration parameters together with the first host IP address. When the client subsequently needs domain name service, it constructs a domain name service request with the first host IP address as source address and the mDNS IP address as destination address; this is the first domain name service request. Because the first domain name service request cannot actually be routed to the DNS server the client wants to reach, it arrives at the domain name gateway.
  • After receiving the first domain name service request, the domain name gateway constructs a second domain name service request, for example according to a pre-established binding relationship or a DNS server dynamically assigned to the client: it replaces the destination address (the mDNS IP address) with the real IP address of the DNS server and forwards the second request, which is therefore correctly routed to the DNS server.
  • Step S110 may include: dynamically assigning a first mDNS IP address to the client according to the client's mDNS IP address request. The method then further includes:
  • Step S111: establish a binding relationship between the first host IP address of the client and the first mDNS IP address.
  • Step S121: query the binding relationship according to the second mDNS IP address (the destination address) and the second host IP address (the source address) carried in the first domain name service request.
  • Step S130 may include step S131: if the second mDNS IP address and the second host IP address are found together in the binding relationship, send the second domain name service request to the DNS server corresponding to the second mDNS IP address.
  • In this way a domain name service request is acted on only when its addresses match an established binding, which further improves the security of the DNS server and of the DNS service it provides.
  • The second domain name service request sent to the corresponding DNS server carries the same domain name to be resolved as the first domain name service request. After receiving it, the DNS server looks up, locally or remotely, the IP address of the service server corresponding to that domain name (which may be the domain name of the service server), carries the IP address in the domain name service response, and returns it to the client or to the client's access gateway, so that the client can access the service server at the obtained IP address and obtain its services.
  • A service server that provides a specific application service may be, for example: a social networking server, online shopping server, forum server, web server, video server, audio server, advertising server, content server, trading server for stocks, funds and the like, education system server, or medical system server. These are only examples; the service server is not limited to any of them.
  • The domain name gateway may also receive the client's encryption information from the client's access gateway. The encryption information may include a key and an encryption algorithm, so that the access gateway and the domain name gateway use it to encrypt the first host IP address and the first mDNS IP address exchanged between them.
  • Step S131 may include: replacing the second mDNS IP address in the first domain name service request with the DNS IP address of the DNS server to form the second domain name service request, and sending the second domain name service request to the DNS server. The DNS IP address here is the real, effective IP address of the DNS server, stored on the domain name gateway.
  • In some embodiments the source addresses of the second and first domain name service requests are both the client's host IP address. When the domain name gateway sits on the routing path between the client and the DNS server, traffic in both directions passes through it, so the gateway can intercept the first domain name service request and likewise intercept the domain name service response that the DNS server returns for the second request, and forward that response to the client that sent the first request.
  • In some embodiments the method further includes forming a request record from the first and second domain name service requests. The request record includes at least the domain name to be resolved and the client's host IP address, and may further include the DNS IP address of the DNS server to which the second request was sent. When a first domain name service response arrives, the gateway uses the record (domain name to be resolved, client host IP address and DNS IP address) to determine which client the response belongs to and forwards it to that client.
  • In other embodiments the domain name gateway is not necessarily on the routing path between the client and the DNS server. Step S131 may then include: replacing the destination address of the first domain name service request with the DNS IP address of the DNS server and its source address with the gateway IP address of the domain name gateway, so that the destination address of the first domain name service response will be the gateway IP address.
  • Step S140 may include the following. The source address of the first domain name service response is the DNS IP address of the DNS server. The domain name gateway removes that DNS IP address, for example by replacing it with the first mDNS IP address assigned to the client; in other embodiments it may delete the DNS IP address without replacement, or replace it with the gateway IP address or with another virtual IP address of no particular meaning. Replacing it with the first mDNS IP address has the advantage that the client can match the received response to its own request by source address. Either way, the source address of the second domain name service response differs from that of the first.
  • The second domain name service response may simply be the first domain name service response relayed to the client, or the domain name gateway may derive it from the first response through operations such as DNS IP address replacement, DNS IP address deletion and source address detection, so that the domain name resolution result (the IP address corresponding to the requested domain name) reaches the client as the second domain name service response.
  • In some embodiments the method further includes constructing the second domain name service request so that it carries preset indication information instructing the DNS server to hide its DNS IP address in the response. The first domain name service response may then carry no source address (for example, the source address field of the response packet is empty) or carry an incorrect source address, so the domain name gateway does not need to replace the source address and can forward the first response directly as the second response, or forward it after replacing its destination address with the client's host IP address.
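The request and response handling of steps S111 through S140, as an added example (this is illustrative code, not code from the patent or from ZTE). It models the domain name gateway as a small Python class: bindings are keyed by (host IP, mDNS IP) with an optional per-client DNS server, a request whose addresses match no binding gets the configured unbound policy (reject, limited service or honeypot), the second request is built by replacing the mDNS IP with the real DNS IP (and, for an off-path gateway, the source with the gateway IP), a request record lets the response be returned to the right client, and the response's source is rewritten to the mDNS IP so the DNS IP never reaches the client. All addresses, names and packet fields are constructed documentation-range values; packets are plain dicts and no sockets are used.

```python
"""Domain name gateway model: mDNS IP indirection in front of a DNS server.

Added example, not code from the patent or from ZTE. Packets are plain
dicts and every address here is a constructed documentation-range value.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Tuple


class Verdict(Enum):
    FORWARD = "forward"    # (host IP, mDNS IP) binding found: relay to the DNS server
    LIMITED = "limited"    # unbound: relay only to a lower-security DNS server
    HONEYPOT = "honeypot"  # unbound: redirect to a honeypot system
    REJECT = "reject"      # unbound: refuse to forward


@dataclass
class Binding:
    host_ip: str
    mdns_ip: str
    dns_ip: Optional[str] = None  # DNS server assigned to this client, if any


@dataclass
class DomainNameGateway:
    gateway_ip: str
    default_dns_ip: str
    inline: bool = True                 # True: gateway sits on the client<->DNS path
    unbound_policy: Verdict = Verdict.REJECT
    bindings: Dict[Tuple[str, str], Binding] = field(default_factory=dict)
    # request record: (qname, dns_ip) -> (host IP, mDNS IP) of the requesting client
    records: Dict[Tuple[str, str], Tuple[str, str]] = field(default_factory=dict)

    def bind(self, host_ip: str, mdns_ip: str, dns_ip: Optional[str] = None) -> None:
        """Step S111: bind the client's host IP to its assigned mDNS IP (and DNS server)."""
        self.bindings[(host_ip, mdns_ip)] = Binding(host_ip, mdns_ip, dns_ip)

    def verify(self, request: dict) -> Verdict:
        """Step S121: the first request's (src, dst) pair must match an established binding."""
        if (request["src"], request["dst"]) in self.bindings:
            return Verdict.FORWARD
        return self.unbound_policy

    def translate_request(self, request: dict) -> Tuple[Verdict, Optional[dict]]:
        """Step S131: build the second request; the mDNS IP is replaced by the real DNS IP."""
        verdict = self.verify(request)
        if verdict is not Verdict.FORWARD:
            return verdict, None
        binding = self.bindings[(request["src"], request["dst"])]
        dns_ip = binding.dns_ip or self.default_dns_ip  # bound server, else the default
        second = dict(request, dst=dns_ip)
        if not self.inline:
            # Off-path gateway: the response must come back to us, not to the client.
            second["src"] = self.gateway_ip
        self.records[(request["qname"], dns_ip)] = (binding.host_ip, binding.mdns_ip)
        return verdict, second

    def translate_response(self, response: dict) -> Optional[dict]:
        """Step S140: hide the DNS IP; the client sees the answer come from its mDNS IP."""
        key = (response["qname"], response["src"])
        if key not in self.records:
            return None  # no matching second request: drop the unsolicited response
        host_ip, mdns_ip = self.records.pop(key)
        return dict(response, src=mdns_ip, dst=host_ip)


def demo() -> dict:
    """One request/response round trip through an off-path gateway."""
    gw = DomainNameGateway("10.0.0.254", "198.51.100.53",
                           inline=False, unbound_policy=Verdict.HONEYPOT)
    gw.bind("10.0.0.7", "10.0.200.1", dns_ip="198.51.100.10")
    # Constructed first domain name service request from the client.
    first = {"src": "10.0.0.7", "dst": "10.0.200.1", "qname": "example.com", "qtype": "A"}
    verdict, second = gw.translate_request(first)
    # Constructed first domain name service response from the DNS server.
    first_resp = {"src": second["dst"], "dst": second["src"],
                  "qname": "example.com", "answer": "203.0.113.5"}
    second_resp = gw.translate_response(first_resp)
    return {"verdict": verdict, "second": second, "second_resp": second_resp}


if __name__ == "__main__":
    print(demo())
```

The request record is keyed the way the text describes it (domain name and DNS IP), which cannot tell apart two clients that ask the same server for the same name at the same time; a production gateway would additionally key on the DNS transaction ID and the client's UDP port.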
  • Step S110 may include: dynamically selecting the mDNS IP address from an mDNS IP address pool, the selected address being used as the first mDNS IP address. The domain name gateway is provided with an mDNS IP address pool holding multiple mDNS IP addresses, which can be allocated to different clients, or to the same client in different time periods.
  • Because the selected address comes from the domain name gateway's own pool, an access gateway that receives a first domain name service request addressed to an mDNS IP address can readily determine, from that address, which domain name gateway must receive the request. The pool may consist of one or more mDNS IP address segments of contiguous addresses; the access gateway identifies each segment by its start and end address, and on receiving a first domain name service request determines the target domain name gateway from the segment to which the carried mDNS IP address belongs.
  • Step S110 may include one of the following:
  • according to the client's mDNS IP address request, randomly select the address assigned to the client from the mDNS IP address pool. Since different clients have different host IP addresses, one mDNS IP address may be assigned to several clients while each (host IP address, mDNS IP address) binding remains unique, so the domain name gateway may simply select at random from the pool;
  • randomly select a currently idle mDNS IP address from the pool. In some implementations the domain name gateway records the usage status of each mDNS IP address and preferentially assigns an unused (idle) address to the client;
  • randomly select the address from the mDNS IP addresses in the pool that are already in use, for example when idle addresses are preferred but none remains;
  • preferentially select the mDNS IP address that participates in the fewest binding relationships. For example, if mDNS IP address A participates in a first number of bindings and mDNS IP address B in a second number, and the first number is smaller than the second, address A is preferred for the binding with the host IP address of the current client. This avoids the large access delay that would result from many clients concurrently using the same mDNS IP address.
  • When the domain name gateway performs the legality verification, it may first query the binding relationship by the second mDNS IP address carried in the first domain name service request; only if a first mDNS IP address equal to the second mDNS IP address exists does it extract the first host IP addresses from the one or more bindings of that mDNS IP address and match them against the second host IP address. This reduces unnecessary matching and speeds up verification.
  • Step S110 may also include: according to the client's mDNS IP address request, selecting several mDNS IP addresses from the pool and allocating all of them to the client. If an attacker attacks one of these mDNS IP addresses, taking it for the DNS server's DNS IP address, and the firewall in front of the domain name gateway blocks that address after the attack, the client can still obtain domain name service through the remaining, unblocked mDNS IP addresses. For example, N mDNS IP addresses are selected from the pool and allocated to the client; the access configuration function may explicitly indicate how many mDNS IP addresses to allocate.
  • In some embodiments the method further includes: allocating a DNS server of the domain name service system to the client. The DNS server may be allocated according to the client's location information, for example on the principle of proximity, choosing a DNS server that is geographically or topologically close to the client; in other embodiments it may be allocated according to the DNS server's current service state, its current number of clients, client online/offline status information, and so on.
  • Step S120 may then use a binding relationship that contains not only the first host IP address and the first mDNS IP address but also the DNS IP address of the DNS server allocated to the client, and the second domain name service request is constructed from the DNS IP address recorded in the binding.
  • Sending the second domain name service request to the DNS server corresponding to the second mDNS IP address then includes: if the second mDNS IP address and the second host IP address are found in the binding relationship and a DNS IP address is bound to them, send the second domain name service request to that bound DNS IP address; if they are found in the binding relationship but no DNS IP address is bound to them, send the second domain name service request to the default DNS server.
  • Domain name gateways in different geographic locations and/or network locations may be connected to different DNS servers. A domain name gateway may set as its default DNS server one that is geographically or topologically close to it, or choose the default according to information such as DNS server load, or select a DNS server with strong domain name resolution capability as the default, so as to ensure the speed and success rate of resolution.
  • The parameters that reflect strong domain name resolution capability may include at least one of the following:
  • In some embodiments the default DNS server may be selected by combining location information, domain name resolution capability, and so on.
  • the method further includes at least one of the following:
• if the second mDNS IP address and the second host IP address are not in the binding relationship, providing a restricted DNS service to the client, for example only those DNS services with lower security requirements, such as forwarding the first domain name service request only to a DNS server with a lower security level;
• if the second mDNS IP address and the second host IP address are not in the binding relationship, directing the first domain name service request to a predetermined system; the predetermined system may be an attack-locating system, for example one that uses traceback techniques to locate the source client of the first domain name service request (which may itself be compromised) or the tampering terminal that modified a domain name service request to form the first domain name service request;
• the predetermined system may also be a honeypot system, i.e. a system that uses honeypot technology to enhance protection; honeypot technology is a technique for deceiving the attacker;
• or, if the second mDNS IP address and the second host IP address are not in the binding relationship, the domain name gateway refuses to forward the first domain name service request, so the domain name carried in it is not resolved.
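The dispatch decision described in the two passages above (bound DNS server versus default server for a hit on the binding relationship, and restricted service, predetermined system or refusal for a miss) is shown below as an added example; it is not the patent's own code. The binding-table layout, the three server addresses, the short list of lower-security domains and the policy names are assumptions made for illustration.

```python
# Added example, not the patent's code: the dispatch decision a domain name
# gateway makes for one incoming (first) domain name service request. The
# binding table layout, the server addresses and the low-security domain
# list are assumptions constructed for illustration.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DEFAULT_DNS = "198.51.100.53"        # assumed default DNS server
LOW_SECURITY_DNS = "198.51.100.54"   # assumed resolver for low-security services
HONEYPOT = "203.0.113.200"           # assumed honeypot / attack-locating system
LOW_SECURITY_DOMAINS = {"news.example", "weather.example"}  # assumed

# (host IP, mDNS IP) -> bound DNS IP, or None when the pair has no bound server
BindingTable = Dict[Tuple[str, str], Optional[str]]


@dataclass(frozen=True)
class Decision:
    action: str            # "forward", "restricted", "honeypot" or "reject"
    target: Optional[str]  # where the (second) request is sent, if anywhere


def route_request(bindings: BindingTable, src_host_ip: str, dst_mdns_ip: str,
                  qname: str, unbound_policy: str = "reject") -> Decision:
    """Decide what happens to a first domain name service request.

    src_host_ip is the request's IP source (the client's host IP) and
    dst_mdns_ip its IP destination (the mDNS IP handed to the client as its
    'DNS server'). Only a hit on the (host IP, mDNS IP) pair is legitimate;
    a miss is handled by whichever unbound policy the gateway is configured with.
    """
    key = (src_host_ip, dst_mdns_ip)
    if key in bindings:
        bound_dns = bindings[key]
        # a bound DNS IP wins; otherwise the gateway's default server is used
        return Decision("forward", bound_dns or DEFAULT_DNS)
    if unbound_policy == "restricted":
        # only names of lower-security services are resolved, and only by a
        # lower-security resolver; anything else is refused
        if qname.lower().rstrip(".") in LOW_SECURITY_DOMAINS:
            return Decision("restricted", LOW_SECURITY_DNS)
        return Decision("reject", None)
    if unbound_policy == "honeypot":
        return Decision("honeypot", HONEYPOT)
    return Decision("reject", None)


if __name__ == "__main__":
    table: BindingTable = {
        ("10.0.0.5", "192.0.2.10"): "198.51.100.11",  # client with a bound DNS server
        ("10.0.0.6", "192.0.2.10"): None,             # same mDNS IP reused, no bound server
    }
    print(route_request(table, "10.0.0.5", "192.0.2.10", "example.com"))
    print(route_request(table, "10.0.0.9", "192.0.2.10", "example.com", "honeypot"))
```

Note that the same mDNS IP appears in two bindings: the lookup is on the (host IP, mDNS IP) pair, so an attacker who learns one client's mDNS IP still misses the table unless it also spoofs that client's host IP from a position where the reply would reach it.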
• the mDNS IP address request also carries address lease period information, and
• the method further includes: setting the validity period of the first mDNS IP address in the binding relationship according to the address lease period information.
• the domain name gateway sets the validity period of the first mDNS IP address assigned to the client according to the lease period indicated by the address lease period information.
• the validity period may be equal to the lease period; in other embodiments the validity period may be slightly longer than the lease period; the lease period and the validity period start at the same time.
• renewal of the host IP address may happen only when its lease period expires, or with a certain delay, so the renewal of the corresponding mDNS IP address may arrive after the validity period has ended; if the validity period equals the lease period, the validity period also ends as soon as the lease period does, and even if the lease is renewed afterwards a new mDNS IP address has to be re-assigned to the client.
• for this reason the validity period is preferably slightly longer than the lease period; how much longer may be determined by the delay of host IP address renewal, or set to a fixed duration, for example half a day.
• the method further includes: receiving a lease renewal request, and extending the validity period of the first mDNS IP address according to the lease renewal request.
• the lease renewal request may be a request to continue leasing the corresponding first mDNS IP address.
• the lease renewal request may carry a lease renewal period, in which case the validity period is extended according to the lease renewal period.
• the lease renewal request may also carry only a renewal instruction without indicating the length of the renewal period.
• in that case the domain name gateway may request that the lease renewal period be indicated, or may extend the validity period by a default period and re-determine the validity period.
• the default period may be a fixed renewal duration negotiated between the access gateway and the domain name gateway.
• after extending the validity period by the default period, the domain name gateway forwards the updated validity period to the client or the client's access gateway, so that the client or its access gateway can again request renewal, or instruct release of the binding relationship, before the updated validity period expires.
  • the method further includes:
• the method further includes sending a deletion prompt, which may be sent to the client or the client's access gateway, thereby triggering the client or the client's access gateway to update the client's configuration parameters.
• the method further includes: receiving a release request; deleting the binding relationship between the first host IP address and the first mDNS IP address according to the release request, and releasing the first mDNS IP address.
• the release request may be an active request to delete the binding relationship and thereby release the first mDNS IP address in it.
• when the client no longer needs to request domain name service through the domain name gateway, it can release the binding relationship, which improves the effective utilization of mDNS IP addresses.
• when the client migrates from one network area to another, it may need to access domain name gateways or DNS servers at a different network location, and at that time it may also request release of the binding relationship in the original network area.
• a network area is related to the location and/or affiliation of the network nodes of the wireless network or the Internet.
• for example, a metropolitan area network covers the local area networks of a city; some geographic areas are close to each other or belong to the same larger region, yet the locations of their access networks belong to different network areas.
• clients connected through different operators' networks may belong to different network areas; for example, for a client connecting through the China Mobile network and one connecting through the China Unicom network, the domain name gateway and DNS server of the client's own operator are preferentially assigned to serve it, so that two clients at the same geographic location belong to different network areas.
• the method further includes: receiving an update request; deleting the first binding relationship and establishing the second binding relationship according to the update request, wherein
• the first binding relationship is the binding relationship between the old first host IP address of the client before the update and the first mDNS IP address;
• the second binding relationship is the binding relationship between the new first host IP address of the client after the update and the first mDNS IP address; the second binding relationship differs from the first binding relationship at least in the first host IP address.
• the domain name gateway may thus also receive an update request.
• the update request serves to update the binding relationship: since the host IP address bound to the client has changed, the binding relationship has to be updated accordingly, so in some embodiments, when an update request is received, the old first binding relationship is deleted and the second binding relationship is established.
• the update request may carry the first binding relationship to be deleted together with the new host IP address; in other embodiments it may carry only the old host IP address of the first binding relationship to be deleted and the updated new host IP address; in short, the domain name gateway deletes the first binding relationship and establishes the new second binding relationship for the client according to the update request.
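The binding lifecycle described from the lease-period passage through the release and update passages above (allocation from the mDNS IP address pool with a validity period derived from the host IP lease, renewal, expiry, release, and update to a new host IP address) is modelled below as an added example; it is not the patent's code. The pool contents, the half-day margin, the default renewal period and the seeded random selection are assumptions; time is passed in explicitly as seconds so the behaviour is reproducible.

```python
# Added example, not the patent's code: an in-memory model of the domain name
# gateway's binding table, covering allocation from the mDNS IP pool with a
# validity period derived from the host IP lease, renewal, expiry, release and
# update. The pool contents, the half-day margin, the default renewal period
# and the seeded random choice are assumptions; time is passed in as unix
# seconds so the behaviour is deterministic.
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

HALF_DAY = 12 * 3600        # assumed fixed margin of validity over the lease
DEFAULT_RENEWAL = 3600      # assumed renewal period when the request carries none


@dataclass
class Binding:
    host_ip: str
    mdns_ip: str
    dns_ip: Optional[str]   # bound DNS server, None = use the default server
    expires_at: int         # end of the validity period


class BindingRegistry:
    def __init__(self, pool: List[str], margin: int = HALF_DAY, seed: int = 0):
        self.pool = list(pool)
        self.margin = margin
        self.rng = random.Random(seed)
        self.bindings: Dict[Tuple[str, str], Binding] = {}

    def allocate(self, host_ip: str, lease_start: int, lease_period: int,
                 count: int = 1, dns_ip: Optional[str] = None) -> List[str]:
        """Pick `count` mDNS IPs, unused ones first and occupied ones once the
        pool is exhausted, and bind each to host_ip. The validity period starts
        with the lease and is `margin` longer than it."""
        in_use = {b.mdns_ip for b in self.bindings.values()}
        chosen: List[str] = []
        for _ in range(count):
            unused = [ip for ip in self.pool if ip not in in_use and ip not in chosen]
            candidates = unused or [ip for ip in self.pool if ip not in chosen]
            if not candidates:
                raise ValueError("pool smaller than the number of addresses requested")
            ip = self.rng.choice(candidates)
            chosen.append(ip)
            self.bindings[(host_ip, ip)] = Binding(
                host_ip, ip, dns_ip, lease_start + lease_period + self.margin)
        return chosen

    def renew(self, host_ip: str, mdns_ip: str, now: int,
              renewal_period: Optional[int] = None) -> int:
        """Extend the validity period; the renewed lease starts at `now`.
        Raises KeyError if the binding already expired and was swept, in which
        case a fresh mDNS IP has to be allocated (the reason for the margin)."""
        b = self.bindings[(host_ip, mdns_ip)]
        b.expires_at = now + (renewal_period or DEFAULT_RENEWAL) + self.margin
        return b.expires_at

    def sweep(self, now: int) -> List[Tuple[str, str]]:
        """Delete every binding whose validity period has ended."""
        dead = [k for k, b in self.bindings.items() if b.expires_at <= now]
        for k in dead:
            del self.bindings[k]
        return dead

    def release(self, host_ip: str, mdns_ip: str) -> bool:
        """Release request: drop the binding so the mDNS IP can be reused."""
        return self.bindings.pop((host_ip, mdns_ip), None) is not None

    def update(self, old_host_ip: str, new_host_ip: str, mdns_ip: str) -> Binding:
        """Update request: replace the first binding (old host IP) with the
        second binding (new host IP), keeping the mDNS IP and the bound DNS IP."""
        old = self.bindings.pop((old_host_ip, mdns_ip))
        new = Binding(new_host_ip, mdns_ip, old.dns_ip, old.expires_at)
        self.bindings[(new_host_ip, mdns_ip)] = new
        return new
```

The sweep is what gives the release/update requests their security value: a binding that is neither renewed nor released dies with its validity period, so a host IP that has been handed to a new client cannot keep using an mDNS IP issued to the previous one.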
  • this embodiment provides a DNS server security defense method, including:
  • Step S210 Receive a configuration request from the client
  • Step S220 Assign a host IP address to the client based on the configuration request
• Step S230 Send an mDNS IP address request to the domain name gateway based on the host IP address;
  • Step S240 Receive the mDNS IP address returned by the domain name gateway based on the mDNS IP address request;
  • Step S250 Send a configuration response carrying the host IP address and the mDNS IP address to the client.
• the method provided in this embodiment can be applied to an access gateway.
• the client may be a user equipment (UE), an Internet of Things terminal, an in-vehicle device or an intelligent home appliance.
• the access device may include base stations, wireless access hotspots and similar equipment.
• a configuration request from the client is received; for example, the configuration request may be based on the Dynamic Host Configuration Protocol (DHCP), in which case the access gateway forwards it to a DHCP server and the DHCP server configures the host IP address, so that the access gateway achieves dynamic allocation of the client's host IP address.
• alternatively, the access configuration service function for the client may be set directly in the access gateway, in which case the access gateway allocates the host IP address to the client by itself.
• dynamically assigning the host IP address to the client therefore includes at least two ways: through information exchange with a configuration server, or by the access gateway allocating it by itself.
• the configuration request may ask for various configuration parameters for the host, including the host IP address, the lease period of the host IP address and the DNS IP address of the DNS server.
• the method further includes:
• the access gateway, or an access configuration function entity independent of the access gateway, sets the lease period of the host IP address for the client.
• optional ways of setting it include at least one of the following:
• setting the lease period of the host IP address according to the session type, for example determining whether the current client access establishes a temporary session or a regular session other than a temporary session, and choosing the lease period of the IP address accordingly; the first lease period for a temporary session may be somewhat shorter than the second lease period for a regular session;
• the access gateway, or the access configuration function entity independent of it, sets the lease period of the host IP address according to a local policy on lease periods, or according to a policy received from the Policy Control Function (PCF).
• in some management systems the lease period of the host IP address and the validity period of the mDNS IP address are equal or approximately equal, but in others, where the different IP addresses are managed separately, they need not be equal or approximately equal; in short, the two periods are not necessarily related, although the special case where they coincide is not excluded.
• the lease period information is sent to the domain name gateway and indicates the lease period of the host IP address.
• the domain name gateway sets the validity period of the mDNS IP address based on the lease period information, generally slightly longer than the lease period of the host IP address.
• the method further includes:
• the client automatically requests renewal of the host IP address lease before the lease expires, or does so based on user instructions.
• the access configuration function entity, whether embedded in the access gateway or independent of it, receives the client's lease renewal request and then extends the lease of the host IP address as required.
• the method further includes: when a preset condition is met, sending a release request to the domain name gateway, wherein the release request is used to delete the binding relationship between the host IP address of the client and the mDNS IP address assigned to the client.
• the access configuration function entity (the access configuration function for short) sends the release request to the domain name gateway when the preset condition is met.
• sending the release request triggers the domain name gateway to release the corresponding binding relationship, which amounts to releasing, in the domain name gateway, the mDNS IP address assigned to the client.
• the preset condition being met includes one of the following:
• a de-attach request sent by the client when going offline is detected; for example, a UE automatically sends a de-attach request before shutting down; if the host IP address and/or mDNS IP address assigned to the UE in the original area then remained assigned to it, IP addresses would be used inefficiently, so in this embodiment a network element on the network side, such as a base station or gateway, detecting a de-attach request actively sent by a client going offline is considered to satisfy one of the preset conditions;
• the validity period of the client's location update is detected to have expired; clients such as UEs are mobile and perform location update operations such as cell handover and tracking area update while moving; if the location has not been updated for a long time, the UE has probably been inactive for a long time, so the location update validity period is considered expired and the corresponding binding relationship, and with it the host IP address and/or mDNS IP address, can be released;
• the lease period of the client's host IP address is detected to have expired, meaning the lease of the host IP address has run out; if it is to be renewed the client may have to pay a fee or re-apply, so to avoid illegal use of IP addresses the preset condition is considered satisfied.
• the method further includes:
• the access gateway also receives the lease renewal request of the client.
• the lease renewal request may be sent by the client or by the client's management device; in short, it is received as the client's request to renew the host IP address and/or mDNS IP address.
• the method further includes:
• the access gateway deploys one or more domain name gateways for the client based on the configuration request and records the information of these domain name gateways, for example their identifiers, IP addresses or location information; in some embodiments this information is recorded against the client's identification. A suitable domain name gateway is selected according to one or more of the client's device parameters, client parameters and location parameters; for example, the domain name gateway that is closest in geographic or network distance serves as the domain name gateway through which the client obtains domain name service.
• deploying one or more domain name gateways for the client according to the configuration request includes:
• selecting, according to the user identity (for example the International Mobile Subscriber Identity, IMSI), a domain name gateway that can provide a service quality suited to that user identity;
• the device identification may include the International Mobile Equipment Identity (IMEI); the device capability parameters of the device can be learned from its device identification, so that a domain name gateway matching the device identification (for example the device capability) is selected;
• selecting, according to the client's location information, the nearest domain name gateway to serve it;
• the selection strategy may be a local strategy stored in the access gateway, or a remote strategy stored in the PCF or in the subscription database; in short, it is the strategy used by the access configuration function to select the domain name gateway.
• preferably, two or more domain name gateways are provided for the client: at least one primary gateway and a backup gateway corresponding to the primary gateway.
• the method further includes:
• determining, according to the number of domain name gateways deployed for the client, the number of mDNS IP addresses dynamically requested from the domain name gateways for the client.
• the number of mDNS IP addresses that a single domain name gateway configures for a client may be determined by the number of domain name gateways; for example, when there is only one domain name gateway it can configure at least two mDNS IP addresses for the client, whereas with several domain name gateways each may configure one mDNS IP address for the client.
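The access configuration function's side of the procedure, steps S210 to S250 above together with the domain name gateway deployment rules just described (nearest gateway as primary plus a backup, one address per gateway when there are several and two when there is only one, and retrying another gateway when one fails), is shown below as an added example; it is not the patent's code. The host IP pool, the gateway records with their distances and the stub allocators standing in for real domain name gateways are assumptions.

```python
# Added example, not the patent's code: the access configuration function's
# side of the flow (steps S210 to S250 and the domain name gateway deployment
# rules). The host IP pool, the gateway records with their distances and the
# stub allocators standing in for real domain name gateways are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# a domain name gateway answers an mDNS IP address request with a list of
# mDNS IPs, or None when allocation fails or it does not answer at all
Allocator = Callable[[str, int, int], Optional[List[str]]]


@dataclass
class DomainNameGateway:
    gw_id: str
    ip: str
    distance: int          # assumed geographic/network distance from the client
    allocate: Allocator    # (host_ip, lease_period, count) -> mDNS IPs


def select_gateways(gateways: List[DomainNameGateway],
                    wanted: int = 2) -> List[DomainNameGateway]:
    """Location-based selection: nearest gateway is primary, next is backup."""
    return sorted(gateways, key=lambda g: g.distance)[:wanted]


def addresses_per_gateway(num_gateways: int) -> int:
    """A lone gateway must supply both DNS entries; several supply one each."""
    return 2 if num_gateways == 1 else 1


def configure_client(client_id: str, host_pool: List[str],
                     gateways: List[DomainNameGateway],
                     lease_period: int = 3600, wanted: int = 2) -> Dict:
    """S220..S250: allocate host IP, request mDNS IPs, build the config response."""
    host_ip = host_pool.pop(0)                                   # S220
    queue = select_gateways(gateways, wanted)
    spare = [g for g in gateways if g not in queue]              # fallbacks
    count = addresses_per_gateway(len(queue))
    mdns_ips: List[str] = []
    served_by: List[str] = []
    while queue:                                                 # S230/S240
        gw = queue.pop(0)
        got = gw.allocate(host_ip, lease_period, count)
        if got:
            mdns_ips.extend(got)
            served_by.append(gw.gw_id)
        elif spare:
            queue.append(spare.pop(0))   # gateway failed: try another one
    if not mdns_ips:
        raise RuntimeError("no domain name gateway could allocate an mDNS IP")
    return {                                                     # S250
        "client": client_id,
        "host_ip": host_ip,
        "lease_period": lease_period,
        # the mDNS IPs go out in the DNS server field, primary then secondary
        "dns_servers": mdns_ips[:2],
        "domain_name_gateways": served_by,
    }


def stub_allocator(prefix: str) -> Allocator:
    """Stand-in for a domain name gateway: hands out prefix.10, prefix.11, ..."""
    return lambda host_ip, lease, count: [f"{prefix}.{10 + i}" for i in range(count)]


def failing_allocator(host_ip: str, lease: int, count: int) -> Optional[List[str]]:
    """Stand-in for a gateway that does not answer or reports allocation failure."""
    return None
```

The configuration response never reveals a real DNS server address: the client only ever sees mDNS IPs, and which gateway stands behind each of them is recorded on the access side.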
• this embodiment provides a DNS server security defense device, including:
• the first allocation module 110, configured to dynamically allocate a first mDNS IP address to the client according to the mobile domain name system (mDNS) IP address request for the client initiated by the access configuration function;
• the first receiving module 120, configured to receive a first domain name service request initiated by the client, wherein the destination address of the first domain name service request is the mDNS IP address;
• the first sending module 130, configured to replace the mDNS IP address in the first domain name service request with the DNS IP address of the corresponding DNS server, forming a second domain name service request, and to send it to that DNS server;
• the providing module 140, configured to provide the client with a second domain name service response based on the first domain name service response returned by the DNS server for the second domain name service request.
• the first allocation module 110, the establishment module, the receiving module, the query module, the first sending module 130 and the providing module 140 of this embodiment may all be program modules, executed by a processor to realize the functions described above.
• the device can be used in a domain name gateway.
• the security defense device of the DNS server may include:
• the first allocation module 110, configured to dynamically allocate a first mDNS IP address to the client according to the mDNS IP address request for the client initiated by the access configuration function;
• the establishment module, configured to establish a binding relationship between the first host IP address of the client and the first mDNS IP address;
• the receiving module, configured to receive a first domain name service request initiated by the client;
• the query module, configured to query the binding relationship according to the second mDNS IP address and the second host IP address carried in the first domain name service request;
• the first sending module 130, configured to send the second domain name service request to the DNS server corresponding to the second mDNS IP address if the second mDNS IP address and the second host IP address are included in the binding relationship;
• the providing module 140, configured to provide the client with a second domain name service response based on the first domain name service response returned by the DNS server for the second domain name service request.
• the first sending module 130 is configured to replace the second mDNS IP address in the first domain name service request with the DNS IP address of the DNS server to form the second domain name service request, and to send the second domain name service request to the DNS server.
• the source addresses of the second domain name service request and the first domain name service request are both the host IP address of the client.
• alternatively, the first sending module 130 is configured to replace the first host IP address in the first domain name service request with the gateway IP address of the domain name gateway, forming a second domain name service request that carries the gateway IP address and the DNS IP address.
• the providing module 140 is configured to replace the DNS IP address of the DNS server in the first domain name service response with the first mDNS IP address assigned to the client.
• the first allocation module 110 is configured to dynamically select the first mDNS IP address from an mDNS IP address pool according to the client's mDNS IP address request initiated by the access configuration function.
• the first allocation module 110 is configured to perform one of the following:
• randomly selecting the mDNS IP address from the used part of the mDNS IP address pool.
• the first allocation module 110 is configured to select a plurality of mDNS IP addresses from the mDNS IP address pool according to the client's mDNS IP address request.
• the first allocation module 110 is configured to select N mDNS IP addresses from the mDNS IP address pool according to the number N of addresses carried in the mDNS IP address request.
• the device further includes:
• a second allocation module, configured to allocate a corresponding DNS server of the domain name service system to the client;
• the establishment module is configured to establish a binding relationship among the first host IP address, the first mDNS IP address and the DNS IP address of the DNS server.
• the first sending module 130 is configured to send the second domain name service request to the bound DNS IP address if the second mDNS IP address and the second host IP address are included in the binding relationship and a DNS IP address is bound to that pair.
• the first sending module 130 is configured to send the second domain name service request to the default DNS server if the second mDNS IP address and the second host IP address are included in the binding relationship but no DNS IP address is bound to that pair.
• the device further includes at least one of the following:
• a restricted service providing module, configured to provide a restricted DNS service to the client if the second mDNS IP address and the second host IP address are not in the binding relationship;
• a guiding module, configured to direct the domain name service request to a predetermined system if the second mDNS IP address and the second host IP address are not in the binding relationship, wherein the predetermined system is used to handle attacks carried by domain name service requests;
• a rejection module, configured to refuse to provide DNS service to the client if the second mDNS IP address and the second host IP address are not in the binding relationship.
• the mDNS IP address request also carries address lease period information, and
• the device further includes:
• a setting module, configured to set the validity period of the first mDNS IP address in the binding relationship according to the address lease period information.
• the device further includes:
• the first receiving module 120 is further configured to receive a lease renewal request;
• a first extension module, configured to extend the validity period of the first mDNS IP address according to the lease renewal request.
• the device further includes:
• a first deletion module, configured to delete the binding relationship if the validity period expires.
• the device further includes:
• a second receiving module, configured to receive a release request;
• a second deletion module, configured to delete the binding relationship between the first host IP address and the first mDNS IP address according to the release request, and to release the first mDNS IP address.
• the device further includes:
• a third receiving module, configured to receive an update request;
• a third deletion module, configured to delete the first binding relationship and establish the second binding relationship according to the update request; wherein the first binding relationship is the binding relationship between the old first host IP address of the client before the update and the first mDNS IP address, the second binding relationship is the binding relationship between the new first host IP address of the client after the update and the first mDNS IP address, and the second binding relationship differs from the first binding relationship at least in the first host IP address.
• this embodiment provides a DNS server security defense device, including:
• the fourth receiving module 210, configured to receive the configuration request of the client;
• the third allocation module 220, configured to allocate a host IP address to the client based on the configuration request;
• the second sending module 230, configured to send a mobile domain name system (mDNS) IP address request to the domain name gateway based on the host IP address;
• the fifth receiving module 240, configured to receive the mDNS IP address returned by the domain name gateway based on the mDNS IP address request;
• the third sending module 250, configured to send a configuration response carrying the host IP address and the mDNS IP address to the client.
• the fourth receiving module 210, the second sending module 230, the fifth receiving module 240 and the third sending module 250 may all be program modules, executed by a processor to implement one or more of the functions described above for the access configuration function.
• the device further includes:
• a second setting module, configured to set the lease period of the host IP address;
• a sixth sending module, configured to send lease period information indicating the lease period to the domain name gateway, wherein the lease period information is used by the domain name gateway to set the validity period of the mDNS IP address assigned to the client.
• the device further includes:
• a sixth receiving module, configured to receive the lease renewal request of the client;
• a second extension module, configured to extend the lease period of the host IP address according to the lease renewal request;
• a seventh sending module, configured to send a lease renewal request to the domain name gateway, wherein the lease renewal request is used by the domain name gateway to extend the validity period of the mDNS IP address allocated to the client.
• the device further includes:
• an eighth sending module, configured to send a release request to the domain name gateway when the preset condition is met, wherein the release request is used to release the binding relationship between the host IP address of the client and the mDNS IP address assigned to the client.
• the preset condition being met includes one of the following:
• the device further includes:
• a seventh receiving module, configured to receive the lease renewal request of the client;
• the third allocation module 220 is further configured to allocate a new host IP address to the client according to the lease renewal request, and to set the lease period of the new host IP address according to the lease renewal request;
• a ninth sending module, configured to send an update request to the domain name gateway, wherein the update request is used by the domain name gateway to delete the old first binding relationship of the client and to establish a second binding relationship based on the new host IP address.
• the device further includes:
• a deployment module, configured to deploy one or more domain name gateways for the client according to the configuration request;
• a recording module, configured to record the information of the domain name gateways.
• the deployment module is configured to deploy one or more domain name gateways for the client according to at least one of the client's user identity, device identification, location information and a selection strategy.
• the deployment module is configured to determine, according to the number of domain name gateways deployed for the client, the number of mDNS IP addresses dynamically requested from the domain name gateways for the client.
  • FIG. 7 is a flowchart of the mDNS IP address allocation process according to this example.
• a typical external access configuration function is a Dynamic Host Configuration Protocol (DHCP) server, as shown in FIG. 7.
  • the process includes the following steps:
• Step 301 The client accesses the access gateway and sends a DHCP request to the DHCP server through the access gateway, requesting the network to allocate parameters such as the host IP address and the DNS IP address;
• Step 302 The DHCP server allocates the host IP address to the client, sets the IP address lease, selects the domain name gateway(s) at the same time, and records the information of the domain name gateways serving the client;
• one or more domain name gateways can be deployed in a network.
• the DHCP server selects one or more domain name gateways (usually two) based on the client's user identity, device identification, location information and local policies.
• the purpose of selecting more than one domain name gateway is to enhance service reliability, using one domain name gateway as the primary entry and the other as the backup entry.
• Step 303 The DHCP server sends an mDNS IP address request to the selected domain name gateway, carrying the host IP address and the lease period of the host IP address, and optionally the user identity and other information;
• if several domain name gateways were selected, step 303 is repeated to send an mDNS IP address request to each of the other domain name gateways.
• Step 304 The domain name gateway selects an mDNS IP address from its local mDNS IP address pool, establishes the (host IP address, mDNS IP address) binding relationship, and sets the validity period of the binding relationship according to the lease period of the host IP address; generally the validity period is slightly longer than the lease period.
• the domain name gateway allocates as many mDNS IP addresses as the number indicated in the request; by default one is assigned.
• the mDNS IP address is selected randomly from the mDNS IP address pool, preferably from the unused addresses first; once all mDNS IP addresses are occupied, one is selected randomly from the occupied ones.
• one mDNS IP address may therefore be assigned to several clients at the same time; because each client has a different (host IP address, mDNS IP address) binding relationship this does not affect service, and it increases mDNS IP address utilization: mDNS IP addresses can be reused, which reduces the number of mDNS IP addresses needed where IP addresses are scarce.
• Step 305 The domain name gateway returns the selected mDNS IP address to the DHCP server;
• Step 306 The DHCP server sends a DHCP response to the client through the access gateway, carrying the host IP address, the lease period of the host IP address and the mDNS IP address, among other parameters; the mDNS IP address is delivered to the client in the DNS server IP address field;
• when several domain name gateways are used, the DHCP server waits for all of them to return mDNS IP addresses, aggregates the mDNS IP addresses from the different domain name gateways and sends them to the client as the primary and secondary DNS IP addresses; if a domain name gateway does not respond or reports that allocation failed, the DHCP server selects another domain name gateway and repeats the request, or sends the client only the mDNS IP addresses that were returned successfully.
• after receiving the parameters, the client uses the domain name gateway reached through the mDNS IP address as its DNS server and subsequently sends its domain name service requests to the domain name gateway.
• consequently, the DNS server IP address obtained by different clients is not the same, and the DNS address obtained by the same client at different times also differs.
  • Step 307: when the client needs to access a service, it sends a domain name service request (the first domain name service request) to the domain name gateway at the mDNS IP address. The domain name corresponding to the service is carried in the request message; in the IP header, the source IP address is the host IP address and the destination IP address is the mDNS IP address. For example, if the user wants to access the example.com service, a domain name service request (the first domain name service request) is sent to the domain name gateway to obtain the IP address corresponding to the example.com website.
  • Step 308: after receiving the domain name service request, the domain name gateway looks up the locally stored (host IP address, mDNS IP address) binding relationships using the host IP address and the mDNS IP address carried in the request message. If there is a hit, the request is considered legal and the domain name service request is forwarded to the DNS server. Otherwise the request is considered illegal, and the domain name gateway rejects it, or applies a restricted DNS function (for example, resolving only the domain names of services with a lower security level), or directs the request to a honeypot system so that the client's behaviour can be observed and possible threats located;
  • The destination IP address of the forwarded request is the DNS server IP address; that is, the mDNS IP address that was the destination in step 307 is replaced with the DNS server IP address (the DNS IP address). For the source IP address there are two methods:
  • Method 1: the source IP address remains unchanged, i.e. it is still the client's host IP address. The domain name gateway then acts as a DNS proxy. This method requires the domain name gateway to be on the path of the message, so that the service request sent by the client and the service response from the DNS server pass through the same domain name gateway.
  • Method 2: the source IP address is the interface IP address of the domain name gateway. The domain name gateway then acts as a DNS cache and sends the domain name service request to the DNS server using its own IP address. The domain name gateway sends the response message to the client with the mDNS IP address as the source IP address, and can cache the resolution result so that later requests are answered from the cache, improving resolution efficiency.
  • The DNS server used is the default DNS server configured on the domain name gateway, or the DNS server IP address stored in the (host IP address, mDNS IP address) binding relationship.
  • Step 309: the DNS server performs the domain name service and returns a DNS service response to the domain name gateway, carrying the domain name resolution result, i.e. the IP address of the service server;
  • Step 310: the domain name gateway returns a service response to the client, carrying the IP address of the service server.
  • The client thus obtains the IP address corresponding to the service server and uses it to access the service server.
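The access configuration function side of steps 303 to 306 (external DHCP server scenario), as an added Python illustration that is not the patent's own code: it asks the selected domain name gateways for mDNS IP addresses, aggregates them into the DNS server field of the DHCP response, and falls back to the next gateway when one fails or does not answer. The class and field names, the gateway request-function interface and the sample addresses are assumptions constructed for this example.

```python
"""Access configuration function (DHCP server) side of mDNS IP address allocation.

Constructed illustration of steps 303 to 306; not the patent's implementation.
"""
from dataclasses import dataclass, field


class GatewayError(Exception):
    """A domain name gateway did not respond or reported an allocation failure."""


@dataclass
class HostConfig:
    host_ip: str
    lease_seconds: int
    dns_ips: list = field(default_factory=list)            # mDNS IPs, primary first
    serving_gateways: dict = field(default_factory=dict)  # mDNS IP -> gateway name


class AccessConfigurationFunction:
    def __init__(self, gateways):
        # gateways: ordered {name: request_fn}.  request_fn(host_ip, lease, count)
        # returns the mDNS IPs the gateway bound to host_ip (step 304) or raises
        # GatewayError.  The dict order stands in for gateway selection.
        self.gateways = gateways
        self.by_host = {}   # host IP -> HostConfig, consulted in steps 402 and 602

    def configure(self, host_ip, lease_seconds, wanted=2):
        """Step 303: query gateways in turn until `wanted` mDNS IPs are collected."""
        cfg = HostConfig(host_ip, lease_seconds)
        for name, request in self.gateways.items():
            if len(cfg.dns_ips) >= wanted:
                break
            try:
                # the request carries the host IP address and its lease (B3)
                got = request(host_ip, lease_seconds, 1)
            except GatewayError:
                continue    # no response or allocation failure: try the next gateway
            for ip in got:
                if ip not in cfg.dns_ips:
                    cfg.dns_ips.append(ip)
                    cfg.serving_gateways[ip] = name
        if not cfg.dns_ips:
            raise GatewayError("no domain name gateway returned an mDNS IP address")
        self.by_host[host_ip] = cfg
        return cfg

    def dhcp_response(self, cfg):
        """Step 306: the mDNS IPs travel in the DNS server field of the DHCP
        response; the client never learns the real DNS server IP address."""
        return {
            "yiaddr": cfg.host_ip,
            "lease_time": cfg.lease_seconds,
            "domain_name_servers": list(cfg.dns_ips),   # primary, secondary, ...
        }

    def serving_gateway(self, host_ip, mdns_ip):
        """Steps 402 and 602: which gateway receives the refresh or release request."""
        cfg = self.by_host.get(host_ip)
        return None if cfg is None else cfg.serving_gateways.get(mdns_ip)


# Constructed stand-ins for domain name gateways (assumption, for the demo only).
def constructed_gateway(prefix):
    """A gateway that always answers with addresses from a fixed documentation range."""
    return lambda host_ip, lease, count: [f"{prefix}.{i}" for i in range(1, count + 1)]


def unavailable_gateway(host_ip, lease, count):
    """A gateway that does not respond or cannot allocate."""
    raise GatewayError("gateway unavailable")


if __name__ == "__main__":
    acf = AccessConfigurationFunction({
        "dng-a": unavailable_gateway,
        "dng-b": constructed_gateway("198.51.100"),
        "dng-c": constructed_gateway("203.0.113"),
    })
    cfg = acf.configure("10.0.0.7", lease_seconds=3600)
    print(acf.dhcp_response(cfg))   # dng-a failed, so dng-b and dng-c supply the two DNS IPs
```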
  • FIG. 8 is a flowchart of the mDNS IP address refresh process of this example, still taking the external DHCP server scenario as an example. When the lease of the host IP address obtained by the client is about to expire, the client sends a lease renewal request to the access configuration function to keep the host network parameters valid. As shown in FIG. 8, the process includes the following steps:
  • Step 401: the lease of the host IP address is about to expire, and the client sends a DHCP lease renewal request to the DHCP server through the access gateway, carrying the host IP address in use;
  • Step 402: the DHCP server grants the client's renewal request, extends the lease period of the host IP address, and looks up the domain name gateway currently serving the client;
  • Step 403: the DHCP server sends an mDNS IP address refresh request to that domain name gateway, asking it to extend the validity period of the mDNS IP address; the message carries the host IP address, the mDNS IP address and the lease period of the host IP address;
  • Step 404: the domain name gateway extends the validity period of the mDNS IP address and of the (host IP address, mDNS IP address) binding relationship according to the lease period of the host IP address, for example by updating the validity period of the mDNS IP address and of the binding relationship;
  • Step 405: the domain name gateway returns a refresh response;
  • Step 406: the DHCP server returns a DHCP response to the client confirming the renewal.
  • When domain name service is required, the client continues to use the allocated host IP address to send domain name service requests to the domain name gateway specified by the mDNS IP address, as shown in steps 407 to 410, which are similar to steps 307 to 310 in FIG.
  • The domain name gateway can thus continue to provide domain name service to the client.
  • FIG. 9 is a flowchart of the mDNS IP address reallocation process of this example, still taking the external DHCP server scenario as an example. When the lease of the host IP address obtained by the client is about to expire, the client sends a lease renewal request to the access configuration function; this process can also be used to reconfigure the host parameters of the terminal. As shown in FIG. 9, the process includes the following steps:
  • Step 501: the lease of the host IP address is about to expire, and the client sends a DHCP lease renewal request to the DHCP server through the access gateway, carrying the host IP address the client is using;
  • Step 502: the DHCP server extends the IP address lease, or reassigns a host IP address to the client and sets its lease, and selects a domain name gateway for the client again;
  • Step 503: the DHCP server requests the newly selected domain name gateway to allocate an mDNS IP address and establish a new (host IP address, mDNS IP address) binding relationship; the process is the same as steps 303 to 305 in FIG. 3;
  • Step 504: the DHCP server sends an mDNS IP address release request to the original domain name gateway; the original domain name gateway releases the corresponding mDNS IP address, deletes the (host IP address, mDNS IP address) binding relationship, and returns an mDNS IP address release response. The DHCP server then deletes its record of the domain name gateway serving the client;
  • Step 505: the DHCP server sends a DHCP response to the client through the access gateway, carrying the newly allocated mDNS IP address.
  • When domain name service is needed, the client sends domain name service requests to the new domain name gateway specified by the newly allocated mDNS IP address, as shown in steps 506 to 509.
  • The mDNS IP address can therefore be updated while the user is online, which makes the domain name service entry point more dynamic and strengthens the protection of the DNS server.
  • FIG. 10 is a flowchart of the normal release process of the mDNS IP address of this example, still taking the external DHCP server scenario as an example. When the client disconnects from the network it actively releases the host IP address, and the corresponding mDNS IP address is then released. As shown in FIG. 10, the process includes the following steps:
  • Step 601: the client sends a DHCP release request to the DHCP server through the access gateway, carrying the host IP address in use;
  • Step 602: the DHCP server looks up the domain name gateway being used by the client;
  • Step 603: the DHCP server sends an mDNS IP address release request to the domain name gateway, carrying the host IP address and the mDNS IP address;
  • Step 604: the domain name gateway releases the client's occupation of the mDNS IP address and deletes the (host IP address, mDNS IP address) binding relationship;
  • Step 605: the domain name gateway returns a release response to the DHCP server;
  • Step 606: the DHCP server returns a DHCP release response to the client through the access gateway.
  • The domain name gateway releases the mDNS IP address promptly, keeping the domain name service entry policy correct.
  • FIG. 11 is a flowchart of the mDNS IP address timeout release process of this example, still taking the external DHCP server scenario as an example. When the client leaves the network without sending a DHCP release request, a timeout release mechanism is needed. As shown in FIG. 11, the process includes the following steps:
  • Step 701: the client does not send a lease renewal request within the specified lease period, and the lease timer in the DHCP server expires;
  • Step 702: the DHCP server actively releases the host IP address;
  • Step 703: the DHCP server sends an mDNS IP address release request to the domain name gateway, carrying the host IP address and the mDNS IP address;
  • Step 704: the domain name gateway releases the client's occupation of the mDNS IP address and deletes the (host IP address, mDNS IP address) binding relationship;
  • Step 705: the domain name gateway returns a release response to the DHCP server.
  • If the domain name gateway receives neither a refresh request nor a release request from the DHCP server within the validity period of the mDNS IP address, it must still keep the use of the mDNS IP address correct, so it supports a timeout release function, shown in steps 706 to 707.
  • Step 706: the domain name gateway receives no refresh request within the specified validity period of the mDNS IP address, and the mDNS IP address validity timer in the domain name gateway expires (that is, the lease period has elapsed);
  • Step 707: the domain name gateway releases the client's occupation of the mDNS IP address and deletes the (host IP address, mDNS IP address) binding relationship.
  • The domain name gateway thus keeps its binding relationships correct.
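The domain name gateway side of the allocation, refresh, release and timeout processes of FIG. 7 to FIG. 11, as an added Python simulation that is not the patent's own code: it keeps an mDNS IP address pool built from several address segments, prefers unused addresses and reuses occupied ones when the pool is exhausted, ties each (host IP address, mDNS IP address) binding to the host lease, and checks every incoming request against the live bindings as in step 308. The class, method and policy names are assumptions, and the address segments are constructed documentation ranges.

```python
"""Domain name gateway (DNG) simulation: mDNS IP pool, binding lifecycle, request check.

Constructed illustration of FIG. 7 to FIG. 11; not the patent's implementation.
"""
import ipaddress
import random
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """What the domain name gateway does with a domain name service request (step 308)."""
    FORWARD = "forward to the DNS server"
    REJECT = "reject the request"
    RESTRICTED = "apply the restricted DNS function only"
    HONEYPOT = "direct the request to the honeypot system"


@dataclass
class Binding:
    host_ip: str
    mdns_ip: str
    expires_at: float   # validity period, derived from the host IP address lease (B5)


class DomainNameGateway:
    def __init__(self, segments, on_miss=Verdict.REJECT, rng=None):
        # The pool is composed of one or more IP address segments (A1).
        self.pool = [str(ip) for seg in segments
                     for ip in ipaddress.ip_network(seg).hosts()]
        self.bindings = {}          # (host IP, mDNS IP) -> Binding
        self.on_miss = on_miss      # policy for requests that hit no binding
        self.rng = rng or random.Random()

    def allocate(self, host_ip, lease_seconds, now, count=1):
        """Steps 303 to 305 (B2, B4): pick `count` mDNS IPs at random, preferring
        unused ones; once every address is occupied, reuse occupied ones."""
        occupied = {b.mdns_ip for b in self.bindings.values()}
        chosen = []
        for _ in range(count):
            unused = [ip for ip in self.pool if ip not in occupied and ip not in chosen]
            candidates = unused or [ip for ip in self.pool if ip not in chosen] or self.pool
            ip = self.rng.choice(candidates)
            chosen.append(ip)
            self.bindings[(host_ip, ip)] = Binding(host_ip, ip, now + lease_seconds)
        return chosen

    def refresh(self, host_ip, mdns_ip, lease_seconds, now):
        """Steps 403 to 404: extend a live binding to the renewed lease."""
        b = self.bindings.get((host_ip, mdns_ip))
        if b is None or b.expires_at <= now:
            return False
        b.expires_at = now + lease_seconds
        return True

    def release(self, host_ip, mdns_ip):
        """Steps 504, 604, 704: delete the binding on an explicit release request."""
        return self.bindings.pop((host_ip, mdns_ip), None) is not None

    def expire(self, now):
        """Steps 706 to 707: timeout release of bindings whose validity period passed."""
        stale = [k for k, b in self.bindings.items() if b.expires_at <= now]
        for k in stale:
            del self.bindings[k]
        return len(stale)

    def check_request(self, src_ip, dst_ip, now):
        """Step 308 (C1): the (source host IP, destination mDNS IP) pair of the
        incoming request must hit a live binding; otherwise apply the miss policy."""
        b = self.bindings.get((src_ip, dst_ip))
        if b is None or b.expires_at <= now:
            return self.on_miss
        return Verdict.FORWARD


if __name__ == "__main__":
    gw = DomainNameGateway(["198.51.100.0/30", "203.0.113.0/30"], rng=random.Random(7))
    mdns = gw.allocate("10.0.0.1", lease_seconds=3600, now=0)[0]
    print("client 10.0.0.1 was given DNS IP", mdns)
    print("bound source:", gw.check_request("10.0.0.1", mdns, now=10).value)
    print("unbound source:", gw.check_request("10.0.0.9", mdns, now=10).value)
    print("after lease timeout:", gw.check_request("10.0.0.1", mdns, now=4000).value)
```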
  • FIG. 12 is a flowchart of the mDNS IP address allocation process based on a built-in access configuration function in this example. The access gateways of mobile networks, such as the GGSN and the PGW, have a built-in access configuration function, and the configuration parameters are provided directly to the client.
  • Compared with the processes of FIG. 7 and FIG. 8, the main difference is that the IP address allocation, domain name gateway selection and mDNS IP address allocation are all completed during the access procedure, and this information is sent to the terminal in the access signaling shown in step 806. Taking a 4G network as an example, the access gateway is the PGW and the access configuration function is built into the PGW. The process includes the following steps:
  • Step 801: the client accesses the mobile network and sends an attach request to the access gateway (PGW);
  • Step 802: the built-in access configuration function of the access gateway allocates a host IP address to the client from its local IP address pool, selects a domain name gateway, and records the domain name gateway serving the client; the validity of the host IP address is directly tied to the client's status in the mobile network;
  • Steps 803 to 805: the access gateway requests an mDNS IP address from the selected domain name gateway; the process is the same as steps 303 to 305 in FIG. 3;
  • Step 806: the access gateway sends an attach response to the client, carrying parameters such as the host IP address and the mDNS IP address, where the mDNS IP address is sent in the DNS IP address field;
  • After receiving the parameters, the client uses the domain name gateway corresponding to the mDNS IP address as its DNS server and subsequently requests domain name service from it.
  • Steps 807 to 810: when the client needs to access a service, the steps are the same as steps 307 to 310 of FIG.
  • The client obtains the IP address corresponding to the service server and uses it to access the service server; this part belongs to the prior art and is not repeated here.
  • In this scenario the access parameter configuration is completed during the access procedure, and the host configuration parameters are carried in access signaling.
  • The maintenance of the mDNS IP address is similar to the scenario with an external access configuration function, and mainly includes the following operations:
  • Refreshing the mDNS IP address: the client performs a location update within the validity period of its online status; the access gateway extends the client's online status and notifies the domain name gateway to extend the validity period of the mDNS IP address. The process is the same as steps 402 to 405 in FIG. 8.
  • Reallocating the mDNS IP address: the client performs a location update within the validity period of its online status; the access gateway updates the host IP address or extends the client's online status, selects a new domain name gateway, requests an mDNS IP address from the new domain name gateway, and notifies the original domain name gateway to release its mDNS IP address. The process is the same as steps 502 to 504 in FIG. 9.
  • Normal release of the mDNS IP address: the client goes offline on its own initiative and sends a detach request to the access gateway; the access gateway notifies the domain name gateway to release the mDNS IP address and deletes the user's access data. The process is the same as steps 602 to 605 in FIG.
  • Timeout release of the mDNS IP address: when the location update validity period expires, the access gateway detects that the user is offline, notifies the domain name gateway to release the mDNS IP address and deletes the user's access data; or, when the validity period of the mDNS IP address expires, the domain name gateway releases the mDNS IP address itself. The process is the same as the process shown in FIG.
  • This example proposes a defense system and method applied to the DNS server: the DNS server IP address seen by clients is continually transformed, which implements active defense of the DNS server, raises the difficulty for attackers, reduces the probability of a successful attack, and thereby improves the security of the whole network.
  • DNG: domain name gateway. The domain name gateway is configured with a pool of moving DNS server IP addresses (Moving DNS Server IP address, mDNS IP address for short).
  • The access configuration function requests an mDNS IP address from the domain name gateway; the domain name gateway selects an mDNS IP address from the mDNS IP address pool and returns it to the access configuration function; the access configuration function assigns the mDNS IP address to the client as its DNS IP address;
  • The client uses the allocated mDNS IP address to send domain name service requests to the domain name gateway; the domain name gateway forwards the request to the DNS server and returns the DNS server's result to the client;
  • The client accesses the service server according to the domain name resolution result.
  • A1: one or more domain name gateways are configured in the network, each with a different mDNS IP address pool, and each mDNS IP address pool is composed of one or more IP address segments;
  • B0: the host parameter configuration process uses the DHCP protocol or access signaling;
  • The access configuration function needs to select one or more domain name gateways;
  • B2: the domain name gateway randomly assigns one or more mDNS IP addresses as the primary DNS IP address, or as the primary and secondary DNS IP addresses, preferring unoccupied mDNS IP addresses;
  • B3: the mDNS IP address request carries the IP address assigned to the host and the lease of that IP address;
  • B4: the domain name gateway selects the mDNS IP address and establishes the binding relationship between the host IP address and the mDNS IP address;
  • B5: the domain name gateway sets the validity period of the binding relationship according to the IP address lease period. If, within the validity period, it receives a refresh request from the access configuration function, it extends the validity period; if, within the validity period, it receives a release request from the host configuration function, or if the validity period is exceeded, it deletes the binding relationship;
  • B6: the service result returned by the domain name gateway to the client carries one or more mDNS IP addresses, and multiple mDNS IP addresses may come from one or more domain name gateways;
  • C1: after receiving a domain name service request from the client, the domain name gateway checks the request message against the binding relationship between the host IP address and the mDNS IP address. If it matches the binding relationship, the domain name service request is sent to the DNS server; otherwise the request is rejected, a restricted DNS function is applied, or the request is directed to the honeypot system;
  • The destination address of the query request is the default DNS server IP address, or the DNS server IP address selected when the mDNS IP address was assigned;
  • C3: the domain name gateway acts as a DNS proxy, sending the request to the DNS server with the client's host IP address as source, or as a DNS cache, sending the request to the DNS server with the domain name gateway's own IP address as source.
  • This example provides a system for defending a DNS server, including a client, an access gateway, an access configuration function, a domain name gateway, a DNS server and a service server.
  • Client: establishes a connection with the access gateway, receives the host IP address and the mDNS IP address assigned by the access configuration function, uses the mDNS IP address as the DNS server IP address to send domain name service requests, and accesses service applications.
  • Access gateway: during client access, obtains the client configuration parameters from the access configuration function and provides them to the client, and provides the client's Internet access so that the client can reach the DNS server and the service server.
  • Access configuration function: according to the client's access information, assigns the host IP address to the client, selects the domain name gateway, requests the mDNS IP address from the domain name gateway, configures the assigned host IP address and the obtained mDNS IP address on the client, and maintains the validity of the host configuration.
  • Domain name gateway: maintains the mDNS IP address pool; selects an mDNS IP address from the pool for a client at the request of the host configuration function and establishes the binding relationship between the client IP address and the mDNS IP address; maintains the validity of the mDNS IP address and of the binding relationship; and, when the client sends a domain name request, checks the validity of the request. If the request is legitimate, it sends the request to the DNS server and returns the result to the client; otherwise it rejects the request or directs it to the honeypot system.
  • The mDNS IP address pool configured on each domain name gateway is composed of one or more IP address segments. Using multiple IP address segments is recommended, since it makes the selected mDNS IP addresses more dynamic and confuses attackers.
  • DNS server: resolves the requested service domain name to the corresponding IP address and returns it.
  • Service server: provides services to clients; the correspondence between its IP address and its domain name is stored in the DNS server.
  • An embodiment of the present disclosure provides a communication device, including:
  • a transceiver, which may correspond to various communication interfaces, for example a network interface (network card) and/or a transceiver antenna;
  • a memory, which may include a storage medium and can be used to store various data;
  • a processor, connected to the transceiver and the memory, configured to control the transmission and reception of information by the transceiver by executing computer-executable instructions stored in the memory, and to implement the DNS server security defense method provided by any of the foregoing technical solutions, for example the method shown in any of FIG. 2 to FIG. 5 and FIG. 8 to FIG. 12.
  • The processor may include a central processing unit, a microprocessor, a digital signal processor, a programmable array, an application-specific integrated circuit, and the like.
  • The processor may be connected to the transceiver and the memory through a communication bus such as an integrated circuit bus.
  • The communication device may be a device on which an access configuration function is located, such as the aforementioned domain name gateway or access gateway.
  • If the communication device is the aforementioned domain name gateway, it can execute one or more of the technical solutions of the DNS server defense method on the domain name gateway side; if it is the access gateway, it can execute one or more of the technical solutions of the DNS server defense method on the access gateway side, for example the method shown in any of FIG. 2 to FIG. 5 and FIG. 8 to FIG. 12.
  • An embodiment of the present disclosure provides a computer storage medium storing computer-executable instructions; when the computer-executable instructions are executed, the DNS server security defense method provided by any of the foregoing technical solutions can be implemented, for example in a device with an access configuration function such as a domain name gateway or an access gateway.
  • The storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk, and other media that can store program code.
  • The computer storage medium may be a non-transitory storage medium.
  • The disclosed device and method may be implemented in other ways. The device embodiments described above are only illustrative; the division into units is only a division of logical functions, and other divisions are possible in practice: for example, several units or components may be combined or integrated into another system, or some features may be omitted or not implemented.
  • The coupling, direct coupling or communication connection between the components shown or discussed may be through interfaces, and the indirect coupling or communication connection between devices or units may be electrical, mechanical or of other forms.
  • The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; that is, they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
  • The functional units in the embodiments of the present disclosure may all be integrated into one processing module, or each unit may serve as a separate unit, or two or more units may be integrated into one unit; the integrated unit may be implemented in the form of hardware, or in the form of hardware plus software functional units.


Abstract

The invention relates to a security protection method and apparatus for a DNS server, and to a communication device and a storage medium. The method comprises the following steps: according to a mobile domain name system (mDNS) Internet Protocol (IP) address request from a client, dynamically allocating an mDNS IP address to the client; receiving a first domain name service request initiated by the client, the destination address of the first domain name service request being the mDNS IP address; on the basis of the first domain name service request, sending a second domain name service request in which the mDNS IP address is replaced by the corresponding DNS server; and providing the client with a second domain name service response on the basis of the first domain name service response returned by the DNS server to the second domain name service request.
PCT/CN2019/112547 2018-10-26 2019-10-22 Security protection method and apparatus for DNS server, and communication device and storage medium WO2020083288A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201811257892.8 2018-10-26
CN201811257892.8A CN111107171B (zh) 2018-10-26 2018-10-26 Security defense method and device for DNS server, communication device and medium

Publications (1)

Publication Number Publication Date
WO2020083288A1 true WO2020083288A1 (fr) 2020-04-30

Family

ID=70330908


Country Status (2)

Country Link
CN (1) CN111107171B (fr)
WO (1) WO2020083288A1 (fr)


Also Published As

Publication number Publication date
CN111107171B (zh) 2022-07-12
CN111107171A (zh) 2020-05-05


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 19876291

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the adressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 27.08.2021)

122 Ep: pct application non-entry in european phase

Ref document number: 19876291

Country of ref document: EP

Kind code of ref document: A1