CN104468244B - Method and device for constructing a disaster recovery system for a domain name resolution system - Google Patents

Publication number
CN104468244B
Authority
CN
China
Prior art keywords
domain name
data
dns
disaster recovery
name resolution
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201410852629.9A
Other languages
Chinese (zh)
Other versions
CN104468244A (en
Inventor
濮灿
周鸿祎
谭晓生
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Qihoo Technology Co Ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Qizhi Software Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd, Qizhi Software Beijing Co Ltd
Priority to CN201410852629.9A
Publication of CN104468244A
Application granted
Publication of CN104468244B
Legal status: Active
Anticipated expiration

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

The present invention relates to a method for constructing a disaster recovery system for a domain name resolution system, comprising the following steps: synchronizing, in real time, the data of a target cluster that provides DNS service to a disaster recovery cluster, the data including cached data that serves as the basis for domain name resolution; receiving a domain name resolution request and, in response to the request, performing domain name resolution using the cached data; and answering the domain name resolution request with the domain name resolution result. The invention also provides a device for constructing a disaster recovery system for a domain name resolution system. The construction method of the invention can be used to build a disaster recovery system suited to an existing domain name service system, which can temporarily and effectively provide domain name resolution service when the existing domain name service system, or the network it relies on, is paralyzed.

Description

Method and device for constructing a disaster recovery system for a domain name resolution system
Technical field
The present invention relates to Internet security technology, and in particular to a method and device for constructing a disaster recovery system for a domain name resolution system.
Background
A disaster recovery system is a technology for backing up, and providing disaster tolerance for, the business system formed by a network cluster, and is widely used in Internet service clusters. In general, an Internet service is provided by a business system in normal operation, while a disaster recovery system backs up that business system and performs fault detection on it in real time; after the business system fails or is attacked, the disaster recovery system intelligently replaces the original business system and offers the same service to Internet users.
A disaster recovery system generally comprises three major pieces of management logic: data synchronization, fault detection and service switching. The data synchronization management logic ensures the integrity, consistency and availability of data between the production center and the disaster recovery center. The fault detection management logic assesses and judges faults according to a given policy, based on monitoring data. The service switching management logic, according to the fault detection result, is responsible for switching, automatically or manually, to an operating mode in which the disaster recovery system provides the service in place of the original business system when a major fault or disaster occurs in the business system of the production center.
Although the principle of disaster recovery systems is very widely applied, disaster recovery for current DNS servers and their related systems has never been taken seriously because the DNS service protocol is relatively simple, and the related technology leaves much to be desired.
Summary of the invention
In view of at least one aspect of the problems above, an object of the present invention is to provide a method for constructing a disaster recovery system for a domain name resolution system.
Correspondingly, following a modular approach, another object of the present invention is to provide a device for constructing a disaster recovery system for a domain name resolution system.
To achieve these objects, the present invention adopts the following technical solution:
A method of the present invention for constructing a disaster recovery system for a domain name resolution system comprises the following steps:
synchronizing, in real time, the data of a target cluster that provides DNS service to a disaster recovery cluster, the data including cached data that serves as the basis for domain name resolution;
receiving a domain name resolution request and, in response to the request, performing domain name resolution using the cached data;
answering the domain name resolution request with the domain name resolution result.
In one embodiment, each step of the method is performed on at least one device of the disaster recovery cluster.
In another embodiment, each step of the method is performed by one or more processes on a single device of the disaster recovery cluster.
In a further embodiment, the step of synchronizing the data in real time to the disaster recovery cluster is performed on at least one device independent of the disaster recovery cluster, and the remaining steps are performed on the same device of the disaster recovery cluster.
In one embodiment, the cached data includes history domain name resolution records, which are the DNS resolution records produced by the target cluster when it performs DNS resolution in the normal course of providing DNS service; when performing domain name resolution, the method obtains the corresponding resolution result by searching the history domain name resolution records.
Specifically, the history domain name resolution records include the mapping from a domain name to its corresponding IP address.
In another embodiment, the cached data further includes an authorization information database, which stores the authorization information of the authoritative servers for each level of the domain name; when performing domain name resolution, the method performs a recursive query according to the corresponding authoritative server information recorded in the authorization information database to obtain the domain name resolution result. Preferably, the authorization information database is implemented as a distributed database.
Further, the domain name resolution request and the domain name resolution result are relayed through the same network address.
Preferably, the domain name resolution request and the domain name resolution result are transmitted in encrypted form.
A device provided by the present invention for constructing a disaster recovery system for a domain name resolution system comprises:
a synchronization unit, for synchronizing, in real time, the data of a target cluster that provides DNS service to a disaster recovery cluster, the data including cached data that serves as the basis for domain name resolution;
a query unit, for receiving a domain name resolution request and, in response to the request, performing domain name resolution using the cached data;
a response unit, configured to answer the domain name resolution request with the domain name resolution result.
In one embodiment, each unit of the device is configured to run on at least one device of the disaster recovery cluster.
In another embodiment, each unit of the device is configured to be executed by one or more processes on a single device of the disaster recovery cluster.
In another embodiment, the synchronization unit is configured to run on at least one device independent of the disaster recovery cluster, and the query unit and the response unit are configured to run on the same device of the disaster recovery cluster.
According to one disclosed embodiment of the invention, the cached data includes history domain name resolution records, which are the DNS resolution records produced by the target cluster when it performs DNS resolution in the normal course of providing DNS service; when the query unit performs domain name resolution, it obtains the corresponding resolution result by searching the history domain name resolution records.
Preferably, the history domain name resolution records include the mapping from a domain name to its corresponding IP address.
According to another disclosed embodiment of the invention, the cached data further includes an authorization information database, which stores the authorization information of the authoritative servers for each level of the domain name; when the query unit performs domain name resolution, it performs a recursive query according to the corresponding authoritative server information recorded in the authorization information database to obtain the domain name resolution result.
Preferably, the authorization information database is implemented as a distributed database.
Further, the domain name resolution request and the domain name resolution result are relayed through the same network address.
Preferably, the domain name resolution request and the domain name resolution result are transmitted in encrypted form.
Compared with the prior art, the present invention has at least the following advantages:
1. The invention builds a disaster recovery system for a DNS service system by synchronizing, in real time, the data of the relevant clusters of the DNS service system. More importantly, it backs up the cached data formed from the history resolution records that those clusters produce while providing normal resolution service. Thus, when the regular DNS service system fails or is attacked, the disaster recovery system implementing this method can provide temporary and accurate DNS resolution service, establishing an island response mode in which the disaster recovery system provides DNS resolution service to Internet users.
2. As a disaster recovery system, it is usually not exposed directly to clients. Instead, a DNS resolution server acts as the front-end service window: the DNS resolution server forwards users' domain name resolution requests to the disaster recovery system, and the resolution result for each request is relayed back through the DNS resolution server to answer the request. This protects the disaster recovery system more effectively and lets it provide DNS resolution service to Internet users more smoothly.
In summary, the disaster recovery construction method of the invention can be used to build a disaster recovery system suited to an existing domain name service system, which can temporarily and effectively provide domain name resolution service when the existing domain name service system, or the network it relies on, is paralyzed.
Additional aspects and advantages of the invention will be set forth in part in the following description, and in part will become apparent from that description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the invention will become apparent and readily understood from the following description of the embodiments taken together with the accompanying drawings, in which:
Fig. 1 is a flow diagram of the method of the invention for constructing a disaster recovery system for a domain name resolution system;
Fig. 2 is a schematic diagram of the principle of traditional DNS resolution service;
Fig. 3 is a functional block diagram of the device of the invention for constructing a disaster recovery system for a domain name resolution system;
Fig. 4 is a flow diagram of the automatic switching method of the invention for the island response of a DNS disaster recovery system;
Fig. 5 is a flow diagram of step S22 of the automatic switching method of the invention for the island response of a DNS disaster recovery system;
Fig. 6 is a functional block diagram of the automatic switching device of the invention for the island response of a DNS disaster recovery system;
Fig. 7 is a functional block diagram of the determination unit of the automatic switching device of the invention for the island response of a DNS disaster recovery system.
Detailed description of the embodiments
Embodiments of the invention are described in detail below, and examples of the embodiments are shown in the drawings, in which the same or similar reference numerals throughout denote the same or similar elements or elements having the same or similar functions. The embodiments described below with reference to the drawings are exemplary; they serve only to explain the invention and are not to be construed as limiting the claims.
Those skilled in the art will understand that, unless expressly stated otherwise, the singular forms "a", "an", "said" and "the" used herein may also include the plural. It should be further understood that the word "comprising" used in this specification refers to the presence of the stated features, integers, steps, operations, elements and/or components, but does not exclude the presence or addition of one or more other features, integers, steps, operations, elements, components and/or groups thereof. It should be understood that when an element is said to be "connected" or "coupled" to another element, it can be directly connected or coupled to the other element, or intervening elements may be present. In addition, "connected" or "coupled" as used herein may include wireless connection or wireless coupling. The term "and/or" as used herein includes all or any unit and all combinations of one or more of the associated listed items.
Those skilled in the art will understand that, unless otherwise defined, all terms used herein (including technical and scientific terms) have the same meaning as commonly understood by those of ordinary skill in the art to which the invention belongs. It should also be understood that terms such as those defined in general dictionaries are to be understood as having a meaning consistent with their meaning in the context of the prior art and, unless specifically defined as here, are not to be interpreted in an idealized or overly formal sense.
Those skilled in the art will understand that "terminal" and "terminal device" as used herein include both devices with a wireless signal receiver only, which have no transmitting capability, and devices with receiving and transmitting hardware, which are capable of two-way communication over a bidirectional communication link. Such devices may include: cellular or other communication devices, with a single-line display, a multi-line display, or no multi-line display; PCS (Personal Communications Service), which can combine voice, data processing, fax and/or data communication capabilities; PDA (Personal Digital Assistant), which can include a radio frequency receiver, pager, Internet/intranet access, web browser, notepad, calendar and/or GPS (Global Positioning System) receiver; and conventional laptop and/or palmtop computers or other devices that have and/or include a radio frequency receiver. A "terminal" or "terminal device" as used herein can be portable, transportable, installed in a vehicle (air, sea and/or land), or suited and/or configured to run locally and/or, in distributed form, at any other location on earth and/or in space. A "terminal" or "terminal device" as used herein can also be a communication terminal, an Internet access terminal or a music/video playback terminal, for example a PDA, a MID (Mobile Internet Device) and/or a mobile phone with music/video playback functions, or a device such as a smart television or set-top box.
Those skilled in the art will understand that the concepts of server, cloud, remote network device and the like used herein are equivalent, and include but are not limited to a computer, a network host, a single network server, a set of multiple network servers, or a cloud formed by multiple servers. Here, a cloud is formed by a large number of computers or network servers based on cloud computing, where cloud computing is a kind of distributed computing: a super virtual computer made up of a group of loosely coupled computers. In embodiments of the invention, communication between remote network devices, terminal devices and WNS servers can be implemented by any means of communication, including but not limited to mobile communication based on 3GPP, LTE or WIMAX, computer network communication based on TCP/IP or UDP, and short-range wireless transmission based on Bluetooth or infrared transmission standards.
Those skilled in the art will understand that "application", "application program", "application software" and similar expressions used in the invention denote the same concept, well known to those skilled in the art: computer software suited to electronic operation, organically built from a series of computer instructions and related data resources. Unless otherwise specified, this naming is not limited by the kind or level of programming language, nor by the operating system or platform on which the software runs. Naturally, the concept is also not limited by any form of terminal.
The related technical solutions disclosed here cover two aspects. The first is how to construct the disaster recovery system and open its service; the second is how to identify a disaster so as to ensure effective, timely and intelligent switching between the normal DNS service system and its disaster recovery system. Disclosing both aspects will help those skilled in the art understand the invention more systematically.
The first aspect of the related technical solutions provides a method and device for constructing a domain name resolution system. The device is a concrete instance of the method, following a modular approach. The method and device can be implemented as software through programming, installed and run on computer equipment, in particular dedicated computer equipment with server capability, and connected to the Internet to open their service, thereby constructing a single local DNS resolution server, or a cluster that implements a local DNS resolution server, to provide DNS domain name resolution service to clients and answer them.
Referring to Fig. 1, the method of the invention for constructing a disaster recovery system for a domain name resolution system is implemented as one or more pieces of software that can be installed on, for example, a Windows-family operating system (including but not limited to Windows XP, Windows 7, Windows 8 and other versions of the family) or a Unix-family operating system (including but not limited to Unix, Linux, IOS, Ubuntu, etc.); the corresponding steps are carried out by running the software. The method comprises the following steps:
Step S11: synchronize, in real time, the data of a target cluster that provides DNS service to a disaster recovery cluster, the data including cached data that serves as the basis for domain name resolution.
Typically, the servers providing DNS service form a cluster built from multiple server devices, similar to a cloud architecture, and work together with a DNS resolution server to deliver DNS resolution service. The DNS service cluster mainly implements the recursive system: the recursive system queries the servers at each level of the domain name on the Internet in turn to resolve the domain name and obtain the IP address, constructs the resolution result, and responds to the external request. The DNS resolution server, as the front-end application window, receives the resolution request from the requesting client, passes the request to the cluster, asks the cluster to produce the resolution result, and then answers the corresponding request with that result.
The disaster recovery system constructed by the invention provides disaster recovery for the whole domain name system of the Internet, and is realized on the basis of disaster recovery for the clusters associated with multiple local DNS servers. The realization of a disaster recovery system is based on data synchronization, takes fault detection as the precondition for switching into operation, and uses switching control as its management logic. However, the disaster recovery system can be kept open in real time, and its fault detection and subsequent switching control can be implemented by a third party, so this first aspect of the invention does not involve fault detection or switching control technology.
Data synchronization is the key foundation on which the invention implements disaster recovery for a DNS service system. Data synchronization management logic is usually implemented by means of data backup. Data backup is the basis of system and data disaster tolerance; it is the implementation of low-end disaster tolerance and a strong guarantee for high-end disaster tolerance (real-time data protection). Current backup techniques mainly include snapshots, offline backup and off-site storage backup. A backup system, following a backup policy, makes a complete copy at a given point in time of data sets such as the operating system, file system, application programs and database system of a computer information system. The copied data is offline and cannot be accessed immediately; it must be put to use through a corresponding operation such as restoration. Before building a high-end disaster tolerance system, the local system must be backed up; this is the starting point of disaster tolerance technology.
When implementing data synchronization, the invention uses the high-end disaster tolerance approach to achieve real-time data protection for a DNS service cluster. Specifically, multiple copies of the same data are kept in real time across multiple disks, multiple arrays, multiple servers and multiple data centers, so as to guard against physical failure. Real-time data protection presupposes data backup, and it cannot guard against human error or malicious operations. It should be emphasized that the purpose of disaster tolerance is to keep data accessible when a disaster occurs; real-time data protection ensures the integrity of the data, and therefore the disaster tolerance system constructed by the invention does not guarantee that the data is the most recent.
As stated above, data backup is a means of disaster tolerance, not its purpose; the purpose of disaster tolerance is access to data. Application recovery, network recovery and the related switching control are therefore also key to disaster tolerance. Specifically, this is the whole process by which, after a disaster occurs, the disaster recovery center takes over from the original production center: database switchover, application restart, network switchover and so on. It also includes the whole process by which the database, applications and network are switched back again after the original data center is repaired. These processes can be completed by manual switching or by an automated process; how to make the corresponding assessment is also a problem for the technician to solve. The invention discloses this part in detail later through another method and device, so it is not described here for now.
It follows that synchronizing, in real time, the data of the target cluster providing DNS service to the disaster recovery cluster, by software implementing the method of the invention, is the foundation on which the disaster tolerance system of the invention is realized. To further explain the data being synchronized, first consider the following application example.
With reference to Fig. 2, the following takes the resolution of NetEase's portal address www.163.com as an example to illustrate the main process of DNS resolution under normal conditions:
Step 1: The user's computer sends a request to resolve www.163.com to the local DNS (resolution) server configured in its system. The local DNS server is simply a DNS service IP address, which can be obtained automatically from the operator or set manually.
Step 2: The local DNS server checks whether this domain name is cached in its own space; if not, it sends a resolution request for www.163.com to the root server.
Step 3: After the root server receives the local DNS server's resolution request for the domain name, it analyzes the requested domain name and returns to the local DNS server the IP address of the server for the .com domain node.
Step 4: Having received the IP address of the .com top-level domain server, the local DNS server sends the resolution request for www.163.com to the .com top-level domain server.
Step 5: After receiving the resolution request for www.163.com, the .com top-level domain server returns to the local DNS server the IP address of the DNS server for the second-level domain 163.
Step 6: The local DNS server then sends the resolution request for www.163.com to the DNS server for the second-level domain 163.
Step 7: The server managing the 163 domain manages all subdomains under 163.com. Its name space contains the subdomain www, whose corresponding IP address is 111.1.53.220, so the DNS server for the 163.com domain returns the IP address 111.1.53.220 for www.163.com to the local DNS server.
Step 8: After receiving the resolution result for www.163.com from the 163.com domain server, the local DNS server returns the corresponding IP address 111.1.53.220 to the user, and keeps this result for a period of time for queries from other users.
Step 9: After obtaining the IP address 111.1.53.220 for the domain name www.163.com, the user's computer begins requesting web content from the IP 111.1.53.220. This completes one full DNS resolution request.
In the above example the local DNS server is simplified to a single server; in practice its back end is usually implemented by the aforementioned cluster formed by multiple servers. In either case, a DNS resolution server must act as the application front-end DNS server. Those skilled in the art will be aware of this.
In the above example, step 2 first checks whether the requested domain name is cached in the local DNS server's own space, and step 8 keeps the resolution result for a period of time for other users' queries. It follows that the data of a target cluster necessarily contains some cached data. This cached data is usually stored in the form of logs, and in the invention it can also be improved to take the form of a database.
In one embodiment of the invention concerning the cached data, the form used by a cluster providing normal DNS service can be retained: the cached data includes history domain name resolution records, which are the DNS resolution records produced by the target cluster when it performs DNS resolution in the normal course of providing DNS service, typically stored as log files. Each resolution record contains at least a domain name and the IP address corresponding to it; the correspondence between domain name and IP address here mainly refers to their mapping relationship. Further, each resolution record in the cache database can be assigned a life cycle: within the life cycle the record is valid, and beyond it the record may be deleted or ignored by the invention. When the cache database is used to resolve a domain name, the invention first searches the history resolution records in the cache database by the domain name in the request data, finds the corresponding valid record, obtains the corresponding IP address, and then answers the resolution request. Of course, if the life cycle has been exceeded, or the cached data holds no corresponding record, the query must still be carried out through the recursive system (provided the name servers at each level on the public network remain normally accessible when the disaster recovery system is enabled). Because a given terminal device is generally used by the same user, whose browsing behaviour shows a certain inertia and habitually visits a particular set of websites, this cached data and its related techniques can provide users with faster and more efficient DNS resolution service and can save traffic on some mobile terminal devices. Where the servers at each level of the domain name are paralyzed and recursive query is impossible, this cached data plays a vital resolution role.
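The cache behaviour described above (synchronized history records, a life cycle per record, recursion only when no valid record exists) can be sketched as follows. This is an added example, not code from the patent; the log line format, the `DisasterRecoveryResolver` class and the default lifetime are assumptions, and the sample log is constructed.

```python
"""Disaster-recovery DNS answerer fed by synchronized resolution logs (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Constructed sample of history resolution records synchronized from the target
# cluster. The line format "<unix_time> <domain> <ip> <lifetime_seconds>" is an
# assumption; the page only says a record holds a domain name, its IP address
# and, optionally, a life cycle.
SAMPLE_SYNC_LOG = """\
1700000000 www.163.com 111.1.53.220 3600
1700000100 WWW.Example.org. 192.0.2.10 300
1700000200 www.example.org 192.0.2.11 300
this line is malformed and must be skipped
1700000300 bad.example.net not-an-ip 300
"""

DEFAULT_LIFETIME = 300  # assumed life cycle for answers learned through recursion


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


@dataclass(frozen=True)
class Record:
    ip: str
    stored_at: int
    lifetime: int

    def valid_at(self, now: int) -> bool:
        return now < self.stored_at + self.lifetime


class DisasterRecoveryResolver:
    def __init__(self, recursive: Optional[Callable[[str], Optional[str]]] = None):
        self.cache: Dict[str, Record] = {}
        self.recursive = recursive  # None models "recursive system unreachable"

    def sync(self, log_text: str) -> int:
        """Synchronization step: ingest log lines, return how many were accepted."""
        accepted = 0
        for line in log_text.splitlines():
            parts = line.split()
            if len(parts) != 4:
                continue
            ts, name, ip, life = parts
            try:
                ipaddress.ip_address(ip)
                rec = Record(ip, int(ts), int(life))
            except ValueError:
                continue  # reject lines that cannot be a name -> IP mapping
            key = normalize(name)
            old = self.cache.get(key)
            if old is None or rec.stored_at >= old.stored_at:
                self.cache[key] = rec  # keep the most recent mapping
            accepted += 1
        return accepted

    def resolve(self, name: str, now: int) -> Tuple[Optional[str], str]:
        """Query step: valid cached record first, recursive system second."""
        key = normalize(name)
        rec = self.cache.get(key)
        if rec is not None and rec.valid_at(now):
            return rec.ip, "cache"
        if rec is not None:
            del self.cache[key]  # life cycle exceeded: delete the record
        if self.recursive is not None:
            try:
                ip = self.recursive(key)
            except OSError:
                ip = None  # upstream name servers unreachable
            if ip is not None:
                self.cache[key] = Record(ip, now, DEFAULT_LIFETIME)
                return ip, "recursion"
        return None, "unresolved"
```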
It is described data cached including an authorization message data in another embodiment of the invention in relation to data cached realization Storehouse, this database can be built using known Anycast (Anycast) technology distribution.The authorization message data stock Contain the authorization message of the authorization server of each level of domain name;Can be when carrying out domain name mapping, according to authorization message database The corresponding authorization server information recorded, performs recursive query to obtain the domain name mapping as a result, being suitable as The scene of DNS recursive queries group of planes paralysis uses.
What the authorization message database was built based on being recorded also with the history domain name mapping.It is many Well known, a domain name service group of planes can obtain the corresponding authorization service of each level of domain name during recursive query is performed The authorization message of device, the authorization message database can be constructed using these authorization messages, is used for realization virtual root node, Virtual root node service is opened to internet, realizes the standby parsing effect of calamity of more system.In this case, according to the present invention The real standby system of institute, can be combined with virtual root node technology and provides security service, empty when dns resolution failure occurs in root node Dns resolution function can be realized instead of root node by intending root node.Certainly, enough letters must be stored with authorization message database Breath, i.e. all DNS requests and the corresponding authorization message specified in region, such fake root are stored in authorization message database Node can have enough resources to carry out response to DNS request.Therefore, the realization of virtual root node is in authorization message data Realized on the basis of storehouse.With reference to newly-increased authorization message database and virtual root node, failure can be parsed in root node When for client provide dns resolution function, DNS Single Point of Faliures can be reduced and improve DNS defensive attack abilities, at the same time also Access privilege control can be set to virtual root node, shield the attack data of DNS, improve the security and stabilization of dns resolution Property.Attacked for dangerous DNS, inquiry is less than specific authorization message from authorization message database, then virtual root node will not Analysis service etc. is provided for it.
According to foregoing announcement on realizing data cached two kinds of embodiments and its corresponding expanded function, this Field technology personnel ought to know, be this area skill on data cached more specific implementation forms and its expansion application What art personnel can according to the present invention need and flexibly realize.For example, described is data cached it can be appreciated that wrapping at the same time The history domain name mapping record in both of the aforesaid embodiment and the authorization message database are included, also, not only can be by described in History domain name mapping record be used as temporal cache, can also be using history domain name mapping record as having longer life cycle Data be stored in the related independent data table of authorization message database, certain time length is reached in temporal cache by high frequency Rate is converted into the history domain name mapping with longer life cycle in use, can record the history domain name mapping of temporal cache Record storage is carried out when subsequently carrying out domain name mapping in the tables of data as query object prior to recursive system Inquiry.
Topology and its level framework in relation to a DNS service group of planes, and the topology of disaster recovery and backup systems and level framework, Ke Yiyou Those skilled in the art are realized according to known Principles of Network, and data and control between the two is more paid close attention in the present invention Relation, therefore, is related to its topology and level framework relation, without repeating.
As it was previously stated, by the data on a DNS service group of planes, especially it is therein it is data cached be synchronized to calamity standby host group it Afterwards, calamity standby host group possesses corresponding analytic ability, its analysis service can be further opened in subsequent step.
Step S12: receive a domain name resolution request and, in response to it, perform domain name resolution using the cached data.
Because the disaster recovery system of the invention makes effective use of the cached data to implement the function of a virtual root node, it has an independent virtual root node of its own; specifically, an authorization information database plays the role of a virtual root zone. When the root zone or top-level-domain servers fail and cannot serve normally, or even when every other external authoritative server fails, the local DNS system may become a resolution island. In that case the system should in theory be allowed to run in a disaster-recovery-like mode: it starts the disaster-recovery emergency answering mode, keeps the Internet basically operating until the root or authoritative servers are repaired, and leaves enough time for system repair and recovery.
With the switching method the invention discloses later, in a system applying the technical solution of the invention the relevant DNS service functions are switched after a disaster to point at the disaster recovery center, that is, the disaster recovery cluster constructed by the invention. Clients then need to reach the service of the disaster-tolerance node, which raises another question: how the network is switched. Specifically, how is the access path (network address) that local applications use for the DNS server changed from pointing at the original production center to pointing at the disaster recovery center? After the disaster is repaired it must in turn point back at the original production center. The simplest method is to modify the IP mapping of the DNS resolution server, changing the original destination address to the network address at which the disaster recovery system provides DNS service. Before the disaster the IP address maps to the production-center server; after the disaster it maps to the disaster-recovery-center server; once the disaster is repaired it maps to the production-center server again.
The details of this intelligent switching are described in the second aspect of the invention; the first aspect is explained here on the premise that the switching is in place. In the first aspect, the client sends its domain name resolution request to the DNS resolution server, which forwards it to the service of the disaster recovery system. That service performs the resolution and returns the result to the DNS resolution server, which then answers the originally relayed resolution request with that result.
Therefore, after the disaster recovery system of the invention receives a resolution request forwarded by the DNS resolution server, it must resolve it. Drawing on the variants described above, it can flexibly implement different resolution mechanisms, for example:
The first resolution mechanism corresponds to the case where the cached data contains only historical domain name resolution records. After extracting the domain name from the resolution request, the disaster recovery system first searches the mass of historical resolution records in its stored cached data for a record corresponding to that domain name; if one exists, the IP address mapped to the domain name in that record is the resolution result. A life cycle set for the historical records can also be taken into account, with records older than the preset life cycle no longer considered. This strategy is not usually recommended, however: if the disaster recovery system is in use because the public network is paralysed or the servers at each level of the domain name are down, it may be unable to recursively query those servers over the public network for the actual resolution, and the strategy then serves little purpose. The servers at each level of the domain name may still be working, with only the DNS server cluster having failed; in that case, if no IP address can be obtained from the cached data, the disaster recovery system of the invention can go on to perform a recursive query, and if this yields a valid resolution it likewise produces a more accurate result.
The second resolution mechanism corresponds to the case where the cached data includes the authorization information database. After extracting the domain name from the resolution request, the disaster recovery system first performs the query using the authorization information and, if a valid IP resolution result is obtained, answers with it. If the authorization information database contains a data table of historical resolution records, the first mechanism can be reused: the system first tries to obtain a result from that data table and, if it cannot, queries using the authorization information in the authorization information database; or conversely, it queries with the authorization information first and falls back to the historical resolution records when that query fails.
The third resolution mechanism corresponds to the case where the cached data contains the authorization information database and historical resolution records held as cached data, and the authorization information database also holds a table of preferred historical resolution records. Here too the two preceding mechanisms can be combined flexibly. For example, the system first queries the cached historical records; if that fails it queries the historical records in the data table; and if that also fails it queries further using the authorization information. The reverse order is also possible.
As the analysis of these resolution mechanisms shows, as long as an effective storage and representation system has been built from the cached data in the previous step, this step can use it flexibly and efficiently to obtain the corresponding resolution result.
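The lookup order of the third resolution mechanism, with the life-cycle handling and the promotion of frequently used records into a long-life table described earlier, as an added Python example (not code from the patent). The class and parameter names, the lifetimes, the hit-count promotion rule and the `auth_lookup` callable standing in for the authorization-information query are assumptions; the sample record reuses the page's www.163.com address.

```python
import time
from dataclasses import dataclass


class UpstreamUnavailable(Exception):
    """Raised by auth_lookup when no authoritative server can be reached."""


@dataclass
class Record:
    ip: str
    expires_at: float
    hits: int = 0


class DisasterRecoveryResolver:
    """Temporary cache -> long-life table -> authorization lookup (hypothetical names)."""

    def __init__(self, auth_lookup, temp_lifetime=300.0, long_lifetime=86400.0,
                 promote_hits=3, serve_expired=True, clock=time.time):
        self.auth_lookup = auth_lookup      # assumption: callable(name) -> ip or None
        self.temp_lifetime = temp_lifetime  # life cycle of a temporary-cache record
        self.long_lifetime = long_lifetime  # life cycle of a promoted record
        self.promote_hits = promote_hits    # simplification of "used at high frequency"
        self.serve_expired = serve_expired  # keep answering from expired records
        self.clock = clock
        self.temp_cache = {}
        self.long_table = {}

    @staticmethod
    def _normalize(domain):
        return domain.strip().rstrip(".").lower()

    def sync_record(self, domain, ip):
        """Store one resolution record synchronized from the target cluster."""
        name = self._normalize(domain)
        self.temp_cache[name] = Record(ip, self.clock() + self.temp_lifetime)

    def _valid(self, table, name):
        rec = table.get(name)
        return rec if rec is not None and rec.expires_at > self.clock() else None

    def resolve(self, domain):
        """Return (ip, source); ip is None when nothing can answer."""
        name = self._normalize(domain)
        rec = self._valid(self.temp_cache, name)
        if rec:
            rec.hits += 1
            if rec.hits >= self.promote_hits:
                # Frequently used record: copy it into the long-life table.
                self.long_table[name] = Record(rec.ip, self.clock() + self.long_lifetime)
            return rec.ip, "temp-cache"
        rec = self._valid(self.long_table, name)
        if rec:
            return rec.ip, "long-table"
        try:
            ip = self.auth_lookup(name)
        except UpstreamUnavailable:
            ip = None
        if ip:
            self.sync_record(name, ip)
            return ip, "authorization"
        if self.serve_expired:
            # Upstream is unreachable: an expired mapping is better than no answer.
            for table in (self.temp_cache, self.long_table):
                if name in table:
                    return table[name].ip, "expired-cache"
        return None, "unresolved"


if __name__ == "__main__":
    def no_upstream(name):  # constructed: every authoritative server is down
        raise UpstreamUnavailable(name)

    resolver = DisasterRecoveryResolver(no_upstream)
    resolver.sync_record("www.163.com", "111.1.53.220")  # constructed sample record
    print(resolver.resolve("WWW.163.com."))
```

With `serve_expired=False` the resolver follows the strict life-cycle strategy, which returns nothing once a record has expired and the upstream servers are unreachable.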
Step S13: answer the domain name resolution request with the resolution result.
Once the previous step has produced the resolution result, this step sends it back, using the address of the party that forwarded the resolution request, to the DNS resolution server for relaying. The DNS resolution server answers the originator of the original resolution request with the result, completing the resolution process.
It should be pointed out that the disaster recovery system of the invention need not receive resolution requests directly from clients or answer clients directly. Instead, requests and results are relayed through a single network address, chiefly the DNS resolution server that the IP address points to. Because the disaster recovery system has higher security requirements, resolution requests and results can be encrypted before they are transmitted between the DNS resolution server and the disaster recovery cluster. Many encryption methods are possible; public-key (asymmetric) encryption is the preferred recommendation.
Although the description above takes the disaster recovery cluster as its subject, software implementing the first aspect of the invention can be installed flexibly across multiple devices. The following ways of installing that software, to form a system realizing the method and device of the first aspect, are contemplated:
In one way, all steps of the invention are implemented in a single piece of software installed on one independent device of the disaster recovery cluster, while the other devices of the cluster need only carry a client module that communicates with that device. This forms a pattern similar to a C/S architecture and gives centralized control of the cluster. As a variation at the operational level, the software can run one independent service process or several cooperating processes to perform the method. A single service process is the simpler case. With multiple processes, step S11 can for example be implemented as one process and steps S12 and S13 as another, the two working independently on their own tasks. Both can be configured as system service processes.
In another way, given that step S11 is independent of the other two steps, the data synchronization function of step S11 can be implemented as separate software installed on a device independent of the disaster recovery cluster, such as the DNS (resolution) server, while the other two steps are still implemented as one piece of software installed on the front-end service device of the disaster recovery cluster. Split across two devices, the two parts do not conflict and cooperate with each other, and likewise meet the needs of the invention.
It follows that the system construction and software implementation involved in applying the invention can be realized flexibly using known techniques, and those skilled in the art should not let this limit their understanding of the technical solution of the first aspect of the invention.
Referring to Fig. 3, the domain name resolution system disaster recovery construction device of the invention is implemented on the basis of the preceding method following a modular design. It includes a synchronization unit 11, a query unit 12 and a response unit 13, which work with the cached data obtained by synchronization:
The synchronization unit 11 synchronizes, in real time, the data of a target cluster providing the DNS service to the disaster recovery cluster; the data includes cached data that serves as the basis for domain name resolution.
Generally, the servers that provide a DNS service are organized, much like a cloud architecture, into a cluster of multiple server devices that works together with a DNS resolution server to deliver the DNS resolution service. The DNS service cluster mainly implements the recursive system, which recursively queries the servers at each level of a domain name on the Internet to resolve the domain name, obtains the IP address and constructs the resolution result with which external requests are answered. The DNS resolution server acts as the front-end application window: it receives the resolution request from the requesting client, passes it to the cluster, requires the cluster to return a resolution result, and then answers the corresponding resolution request with that result.
The disaster recovery system constructed by the invention provides disaster recovery for the whole domain name system of the Internet, and is realized on the basis of disaster recovery for the clusters associated with multiple local DNS servers. The disaster recovery system is based on data synchronization, takes fault detection as the precondition for switching over, and uses switching control as its management logic. The disaster recovery system can, however, be open in real time, and its fault detection and subsequent switching control can be implemented by a third party, so this first aspect of the invention does not cover the techniques of fault detection and switching control.
Data synchronization is the key foundation on which the invention realizes disaster recovery for the DNS service system. The management logic of data synchronization is generally implemented by data backup. Data backup is the basis of system and data disaster tolerance; it is the implementation of low-end disaster tolerance and a strong guarantee for high-end disaster tolerance (real-time data protection). Current backup techniques mainly comprise snapshots, offline backup and off-site storage backup. Following a backup policy, a backup system makes a complete copy, as of some point in time, of data sets such as the operating system, file system, applications and database systems of a computer information system. The copied data is offline and cannot be accessed immediately; it has to be brought back into use through a corresponding operation such as a restore. Before a high-end disaster-tolerance system is built, the local system must be backed up; this is the starting point of disaster-tolerance technology.
When the invention implements data synchronization it uses the high-end disaster-tolerance approach to protect the data of the DNS service cluster in real time. Specifically, multiple copies of the same data are kept in real time across multiple disks, multiple arrays, multiple servers and multiple data centers, to guard against physical failure. Real-time data protection presupposes data backup, and it cannot guard against human error or malicious operations. It should be emphasized that the purpose of disaster tolerance is to keep data accessible when a disaster occurs; real-time data protection ensures the integrity of the data, and the disaster-tolerance system constructed by the invention therefore cannot guarantee that the data is the newest.
As stated, data backup is a means of disaster tolerance, not its purpose; the purpose is access to the data. The recovery of applications and of the network, and the related switching control, are therefore the key to disaster tolerance. Specifically, this is the whole process by which the disaster recovery center takes over from the original production center after a disaster: database switching, application restart, network switching and so on. It also includes the whole process by which the database, applications and network are switched back once the original data center has been repaired. These processes can be carried out by manual switching or by automated procedures, and how to make the corresponding assessment is also a problem for the technician to solve. The invention discloses this part in detail later through another method and device, so it is not described here.
It follows that synchronizing the data of the target cluster providing the DNS service to the disaster recovery cluster in real time, by software configured as the device of the invention, is the foundation on which the disaster-tolerance system of the invention is realized. To further illustrate the data being synchronized, first consider the following application example.
With reference to Fig. 2, the resolution of www.163.com, the domain name of the NetEase portal, is used below to illustrate the main process of DNS resolution under normal conditions:
Step 1: The user's computer sends a request to resolve www.163.com to the local DNS (resolution) server configured in its system. The local DNS server is a DNS service IP address, which can be obtained automatically from the operator or set manually.
Step 2: The local DNS server checks whether its own space holds a cached entry for this domain name; if not, it sends a resolution request for www.163.com to a root server.
Step 3: After the root server receives the local DNS server's resolution request for the domain name, it analyzes the requested domain name and returns to the local server the IP address of the server for the .com domain node.
Step 4: Having received the IP address of the .com top-level-domain server, the local DNS server sends that server a request to resolve www.163.com.
Step 5: After the .com top-level-domain server receives the resolution request for www.163.com, it returns to the local DNS server the IP address of the DNS server for the second-level domain 163.
Step 6: The local DNS server goes on to send the resolution request for www.163.com to the DNS server of the second-level domain 163.
Step 7: The management server of the 163 domain manages all subdomains under 163.com. Its name space contains the subdomain www, whose corresponding IP address is 111.1.53.220, so the DNS server of the 163.com domain returns the IP address 111.1.53.220 corresponding to www.163.com to the local DNS server.
Step 8: After the local DNS server receives the resolution result for www.163.com from the server of the 163.com domain, it returns the corresponding IP address 111.1.53.220 to the user and retains the result for a period of time in case other users query it.
Step 9: After obtaining the IP address 111.1.53.220 corresponding to the domain name www.163.com, the user's computer begins requesting web content from the IP 111.1.53.220. This completes one full DNS resolution request.
In the example above the local DNS server is simplified to a single server; in practice its back end is usually the cluster described earlier, formed jointly by multiple servers. In either case the DNS resolution server must act as the front-end DNS server of the application. Those skilled in the art will be aware of this.
In the example above, step 2 first checks whether the local DNS server's own space holds the domain name in the resolution request, and step 8 describes saving the resolution result for a period of time in case other users query it. It follows that the data of the target cluster necessarily contains some cached data. This cached data is usually stored in log form, and in the invention it may also be improved into the form of a database.
In one embodiment of the cached-data implementation, the form of the cluster that normally provides the DNS service can be retained, and the cached data includes historical domain name resolution records. These are the DNS resolution records that the target cluster produces while performing DNS resolution in the normal course of its DNS service, and they are typically stored as log files. Each resolution record contains at least a domain name and the IP address corresponding to it; the correspondence between domain name and IP address here means chiefly their mapping to each other. Each resolution record in the cache database can further be assigned a life cycle: within the life cycle the record is valid, and beyond it the record may be deleted or ignored by the invention. When the invention uses the cache database to resolve a domain name, it first takes the domain name from the request data, searches the historical resolution records in the cache database for a corresponding valid record, obtains the corresponding IP address and replies to the resolution request. Of course, if the life cycle has been exceeded or the cached data holds no corresponding record, the query must still be carried out through the recursive system (provided that, once the disaster recovery system is enabled, the name servers of each level on the public network can still be accessed normally). Because a given terminal device is generally used by the same user, whose browsing behaviour shows a certain inertia and habitually visits a particular set of websites, this cached data and the related techniques can provide users with a faster and more efficient DNS resolution service and can save traffic on some mobile terminal devices. Where the servers at each level of the domain name are paralysed and recursive queries are impossible, this cached data plays a vital resolving role.
In another embodiment of the cached-data implementation, the cached data includes an authorization information database, which can be built in a distributed manner using the known BGP Anycast technique. The authorization information database stores the authorization information of the authoritative servers at each level of the domain name. When a domain name is resolved, a recursive query is performed according to the corresponding authoritative-server information recorded in the authorization information database to obtain the resolution result. This embodiment suits the scenario in which the DNS recursive-query cluster is paralysed.
The authorization information database is likewise built on the basis of the historical domain name resolution records. As is well known, while performing recursive queries a domain name service cluster obtains the authorization information of the authoritative servers for each level of a domain name. That authorization information can be used to construct the authorization information database, which in turn is used to implement a virtual root node; the virtual root node service is opened to the Internet and provides disaster-recovery resolution for more systems. In this case the disaster recovery system implemented according to the invention can be combined with virtual root node technology to provide a security service: when the root node fails to resolve, the virtual root node can perform DNS resolution in its place. Of course, the authorization information database must hold enough information, that is, all DNS requests in the specified region and their corresponding authorization information, so that the virtual root node has sufficient resources to answer DNS requests. The virtual root node is therefore implemented on top of the authorization information database. Together, the added authorization information database and the virtual root node can provide DNS resolution to clients when the root node fails, reduce DNS single points of failure and improve the DNS's ability to withstand attacks. Access control can also be applied to the virtual root node to screen out DNS attack data, improving the security and stability of DNS resolution. For a dangerous DNS attack, no specific authorization information can be found in the authorization information database, so the virtual root node will not provide resolution service for it.
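The nine-step walk of the application example and the authorization information database built from it, as an added Python model that is not code from the patent: a normal resolution records each referral, and the virtual root node then answers from those records when the root and .com servers are marked unreachable, refusing names for which it holds no authorization information. The server names (`root`, `tld-com`, `ns-163`), the in-memory hierarchy and all function names are constructed for illustration.

```python
class ServerDown(Exception):
    """The queried name server is unreachable."""


# Constructed three-level hierarchy mirroring steps 1-9 (server names are hypothetical).
SERVERS = {
    "root":    {"delegations": {"com": "tld-com"}, "answers": {}},
    "tld-com": {"delegations": {"163.com": "ns-163"}, "answers": {}},
    "ns-163":  {"delegations": {}, "answers": {"www.163.com": "111.1.53.220"}},
}


def in_zone(name, zone):
    """True when name equals zone or is a subdomain of it (label-aligned match)."""
    return name == zone or name.endswith("." + zone)


def query(server, name, down):
    """One query to one server: an answer, a referral to a lower level, or nxdomain."""
    if server in down:
        raise ServerDown(server)
    data = SERVERS[server]
    if name in data["answers"]:
        return ("answer", data["answers"][name])
    zones = [z for z in data["delegations"] if in_zone(name, z)]
    if zones:
        zone = max(zones, key=len)
        return ("referral", zone, data["delegations"][zone])
    return ("nxdomain",)


class AuthorizationDB:
    """Zone -> authoritative server, learned from referrals seen during recursion."""

    def __init__(self):
        self.zones = {}

    def learn(self, zone, server):
        self.zones[zone] = server

    def candidates(self, name):
        """Servers whose zone covers name, deepest zone first."""
        zones = sorted((z for z in self.zones if in_zone(name, z)), key=len, reverse=True)
        return [(z, self.zones[z]) for z in zones]


def resolve_from(server, name, down, authdb=None, max_hops=8):
    """Follow referrals from `server`; record them in authdb when one is given."""
    path = []
    for _ in range(max_hops):
        path.append(server)
        reply = query(server, name, down)
        if reply[0] == "answer":
            return reply[1], path
        if reply[0] == "nxdomain":
            return None, path
        _, zone, server = reply
        if authdb is not None:
            authdb.learn(zone, server)
    raise RuntimeError("referral chain too long")


def virtual_root_resolve(name, authdb, down):
    """Resolve without the real root: start at the deepest recorded authoritative server."""
    name = name.strip().rstrip(".").lower()
    candidates = authdb.candidates(name)
    if not candidates:
        # No authorization information for this name: the virtual root does not serve it.
        return None, "refused", []
    tried = []
    for _zone, server in candidates:
        try:
            ip, path = resolve_from(server, name, down)
        except ServerDown as exc:
            tried.append(str(exc))
            continue
        return ip, ("resolved" if ip else "nxdomain"), path
    return None, "unreachable", tried


if __name__ == "__main__":
    db = AuthorizationDB()
    print(resolve_from("root", "www.163.com", set(), db))   # normal walk, fills db
    outage = {"root", "tld-com"}                             # constructed outage
    print(virtual_root_resolve("www.163.com", db, outage))
    print(virtual_root_resolve("www.unlisted.example", db, outage))
```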
According to foregoing announcement on realizing data cached two kinds of embodiments and its corresponding expanded function, this Field technology personnel ought to know, be this area skill on data cached more specific implementation forms and its expansion application What art personnel can according to the present invention need and flexibly realize.For example, described is data cached it can be appreciated that wrapping at the same time The history domain name mapping record in both of the aforesaid embodiment and the authorization message database are included, also, not only can be by described in History domain name mapping record be used as temporal cache, can also be using history domain name mapping record as having longer life cycle Data be stored in the related independent data table of authorization message database, certain time length is reached in temporal cache by high frequency Rate is converted into the history domain name mapping with longer life cycle in use, can record the history domain name mapping of temporal cache Record storage is carried out when subsequently carrying out domain name mapping in the tables of data as query object prior to recursive system Inquiry.
Topology and its level framework in relation to a DNS service group of planes, and the topology of disaster recovery and backup systems and level framework, Ke Yiyou Those skilled in the art are realized according to known Principles of Network, and data and control between the two is more paid close attention in the present invention Relation, therefore, is related to its topology and level framework relation, without repeating.
As it was previously stated, by the data on a DNS service group of planes, especially it is therein it is data cached be synchronized to calamity standby host group it Afterwards, calamity standby host group possesses corresponding analytic ability, subsequently can further open its analysis service.
The query unit 12, for receiving domain name mapping request, in response to domain name mapping request described in utilization Data cached carry out domain name mapping.
Disaster recovery and backup systems of the present invention, since it efficiently make use of data cached, realize the function of virtual root node, therefore Possess independent virtual root node.It is specifically that virtual rhizosphere is played the role of by an authorization message database.When When rhizosphere or top level domain server fail are unable to normal service, or even when exterior every other authorization server all occurs During failure, local DNS system perhaps becomes parsing isolated island, in this case, this system should be allowed to realize in theory similar Calamity for pattern, start calamity for emergency answering pattern, ensure internet base before root domain server or authorization server are repaired This normal operation, time enough is left for system repairing and recovery.
By the present invention subsequently by the switching method of announcement, the related system of the related art scheme of the present invention is applied, After disaster generation, relevant DNS service function, which will be switched to, is directed toward Disaster Preparation Center, namely the calamity standby host constructed by the present invention Group.However, client needs to access the service of disaster tolerance node again, another question is brought, how network switches.It is specific and Speech is exactly how the locally applied access path (network address) of dns server is changed to point in disaster tolerance by direction original production center The heart.After disaster reparation, need to be directed toward original production center again in turn.It is most simple that method is exactly to change dns resolution service The IP mapping relations of device, the network address of the offer DNS service of disaster recovery and backup systems is changed to by original destination address.Occur in disaster Before, IP address is mapped as production center server;After disaster generation, IP address obtains server by being mapped as disaster recovery center; After disaster is repaired, IP is mapped as the production center and obtains server again.
The details of this intelligent switching are described in the second aspect of the present invention; the first aspect is explained for now on the premise that the intelligent switching is in place. In the first aspect, the client sends its domain name resolution request to the DNS resolution server, the DNS resolution server forwards the request to the service of the disaster recovery system, that service performs the resolution and returns the resolution result to the DNS resolution server, and the DNS resolution server then answers the originally relayed request with that result.
Therefore, after the disaster recovery system of the present invention receives a domain name resolution request forwarded by the DNS resolution server, it needs to resolve it. The resolution scheme can flexibly implement different resolution mechanisms in combination with the variants described above, for example:
The first resolution mechanism corresponds to the case where the cached data contains only historical domain name resolution records. The disaster recovery system extracts the domain name from the resolution request and first searches the massive historical resolution records in its stored cached data for a record corresponding to that domain name. If one exists, the IP address that the record maps to the domain name is used as the resolution result. A life cycle can of course also be set for historical resolution records, so that records older than a preset life cycle are no longer considered. This strategy is usually not recommended, however: if the disaster recovery system is in use because the public network is paralysed or the servers at each level of the domain name hierarchy are down, it cannot recursively query those servers over the public network to obtain the actual resolution, so the strategy has little value. If instead the servers at each level of the domain name hierarchy are still working and only the DNS server cluster has failed, then when no IP address can be obtained from the cached data the disaster recovery system of the present invention can additionally perform a recursive query; if that yields a valid resolution, it likewise produces a more accurate resolution result.
The second resolution mechanism corresponds to the case where the cached data includes an authorization information database. The disaster recovery system extracts the domain name from the resolution request and first queries using the authorization information; if a valid IP result is obtained, it answers with that result. If the authorization information database also contains a data table of historical resolution records, the first mechanism can still be used: either try the data table first and, if it yields no result, query the authorization information in the database; or conversely, query the authorization information first and fall back to the historical resolution records when that query fails.
The third resolution mechanism corresponds to the case where the cached data contains both an authorization information database and historical resolution records kept as cached data, and the authorization information database also holds preferred historical resolution records. In this case the two mechanisms above can be combined flexibly. For example, query the cached historical resolution records first; if nothing is found, query the historical resolution records in the data table; and if that also fails, query further using the authorization information. The reverse order is also possible.
As the analysis of these resolution mechanisms shows, as long as synchronization unit 11 has built an effective stored representation from the cached data, query unit 12 can use it flexibly and efficiently to obtain the corresponding resolution result.
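The lookup orders of the three resolution mechanisms above, shown as an added Python example that is not code from the patent. The class name `IslandResolver`, the three store names, the name-to-IP layout assumed for the authorization information, and the sample records are all assumptions made for illustration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class HistoryRecord:
    ip: str
    seen_at: float  # epoch seconds when this answer was last observed


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()


class IslandResolver:
    """Answers from synchronized data in a configurable source order (hypothetical)."""

    SOURCES = ("cache_history", "table_history", "authorization")

    def __init__(self,
                 cache_history: Dict[str, HistoryRecord],
                 table_history: Dict[str, HistoryRecord],
                 authorization: Dict[str, str],
                 order: Sequence[str] = SOURCES,
                 max_age: Optional[float] = None,
                 recurse: Optional[Callable[[str], Optional[str]]] = None):
        unknown = set(order) - set(self.SOURCES)
        if unknown:
            raise ValueError(f"unknown source(s): {sorted(unknown)}")
        # Store keys are assumed to be normalized names already.
        self.stores = {"cache_history": cache_history,
                       "table_history": table_history}
        self.authorization = authorization
        self.order = tuple(order)
        self.max_age = max_age    # optional life cycle for history records
        self.recurse = recurse    # only useful while the hierarchy is reachable

    def lookup(self, source: str, name: str, now: float) -> Optional[str]:
        if source == "authorization":
            return self.authorization.get(name)
        record = self.stores[source].get(name)
        if record is None:
            return None
        if self.max_age is not None and now - record.seen_at > self.max_age:
            return None           # older than the preset life cycle
        return record.ip

    def resolve(self, qname: str,
                now: Optional[float] = None) -> Tuple[Optional[str], Optional[str]]:
        """Return (ip, source) for the first source that answers, else (None, None)."""
        name = normalize(qname)
        now = time.time() if now is None else now
        for source in self.order:
            ip = self.lookup(source, name, now)
            if ip:
                return ip, source
        if self.recurse is not None:
            try:
                ip = self.recurse(name)
            except OSError:       # public network or upstream servers unreachable
                ip = None
            if ip:
                return ip, "recursive"
        return None, None


# Constructed sample data: documentation names and addresses, not real records.
CACHE = {"www.example.com": HistoryRecord("192.0.2.10", seen_at=1_000.0)}
TABLE = {"www.example.com": HistoryRecord("192.0.2.11", seen_at=900.0),
         "mail.example.com": HistoryRecord("198.51.100.25", seen_at=500.0)}
AUTH = {"www.example.com": "203.0.113.10", "ns.example.org": "203.0.113.53"}


def unreachable(name: str) -> Optional[str]:
    """Stand-in for a recursive query while the system is a resolution island."""
    raise OSError("network unreachable")
```

With `max_age` set and recursion unreachable, a name whose only record has aged out gets no answer at all, which is the reason the text advises against expiring history records in island mode.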
The response unit 13 is configured to answer the domain name resolution request with the domain name resolution result.
After query unit 12 obtains the resolution result, response unit 13 returns it to the forwarding address of the resolution request, that is, to the DNS resolution server, which relays it: the DNS resolution server answers the original requester with the result, completing the resolution process.
It should be pointed out that the disaster recovery system of the present invention need not receive resolution requests directly from clients, nor answer clients directly with resolution results. Instead, requests and results are relayed through a single network address, chiefly the DNS resolution server to which the IP address points. Because the disaster recovery system has higher security requirements, resolution requests and results can be encrypted before they are transmitted between the DNS resolution server and the disaster recovery cluster. Many encryption methods are possible; public-key (asymmetric) encryption is the recommended choice.
Although the description above takes the disaster recovery cluster as its subject, software implementing the first aspect of the present invention can be installed flexibly across multiple devices. The software of the first aspect can be installed in the following ways to form a system that implements the method and device of the first aspect:
In one approach, synchronization unit 11, query unit 12 and response unit 13 are built as a single piece of software installed on one independent device of the disaster recovery cluster, while the other devices of the cluster only need a client module that communicates with that device. This forms a pattern similar to a C/S architecture and gives centralized control of the cluster. As variants of this approach at run time, the software can run a single service process or several cooperating processes to carry out the units described here. A single service process is straightforward. With multiple processes, for example, synchronization unit 11 can be implemented as one process and query unit 12 and response unit 13 as another; the two processes work independently, each completing its own task, and both can be configured as system service processes.
In another approach, given that synchronization unit 11 is independent of the other two units, its data synchronization function can be built as separate software installed on an independent device outside the disaster recovery cluster, for example the DNS (resolution) server mentioned above, while the other two units are still built as one piece of software installed on the front-end service device of the disaster recovery cluster. The two are distributed across two devices, do not exclude each other and work together, and this likewise meets the needs of the present invention.
It follows that the system construction and software implementation involved in applying the present invention can be realized flexibly with well-known techniques, and those skilled in the art should not let this limit their understanding of the technical solution of the first aspect.
Next, the technical solution of the second aspect of the present invention is described. Likewise, it can be implemented as software installed on computer equipment with server capability, working with the operating system on which the server is built to provide the corresponding service.
The task of the second aspect is to implement the fault detection and intelligent switching control logic of the disaster recovery system; it can be installed on other equipment independently of the first aspect. In general, the method and device of the second aspect are installed on the DNS (resolution) server acting as the service front end, so that a failure of the cluster providing DNS service, or of the related network, is recognized at the earliest moment and the DNS service is quickly redirected to the disaster recovery cluster constructed according to the first aspect. When the fault is cleared, it can switch back just as quickly. Note that content from the first aspect is also referenced below in the disclosure of the second aspect; those skilled in the art should not treat the two aspects in isolation.
Referring to Fig. 4, the present invention provides for this purpose a DNS disaster recovery system island response automatic switching method, comprising the following steps:
Step S21: receive and collect the operating data of the cluster providing DNS service.
The DNS server that acts as the application front end and implements the automatic switching method of the present invention has a communication relationship with the cluster providing DNS service. It can collect the operating data of every device in the cluster through a predetermined communication port, such as an agreed TCP or UDP port. The types of operating data chosen are very flexible, as is the way they are used. Some operating data are listed below for reference:
1. Performance data, characterizing the throughput of DNS resolution performed by the cluster per second. In general, the number of DNS resolutions a machine can perform under normal use is limited and relatively constant, so a preset throughput threshold can be used to judge whether the throughput of a given device, or of the whole cluster, is normal. Throughput here means the number of times a resolution request is received and the corresponding resolution result is returned in response.
2. Machine data, characterizing the operating information of at least one hardware component of each device in the cluster. Machine data mainly means CPU and/or memory occupancy while the machine is running. For example, a CPU running at high utilization such as 100% for a long time, or free memory staying low for a long time, may indicate that the machine is unnecessarily busy. In principle, these machine data can also be used to judge the running quality of a single device or of the whole cluster.
3. Application data, characterizing the log information of domain name resolution records. The log information here mainly means the raw information from which the historical resolution records in the cached data of the first aspect are formed. This information can later be developed into authorization information in the disaster recovery system, or it can serve in this method only as a basis for judgement. At the least, these logs show whether resolution anomalies are occurring, such as large numbers of resolution requests failing to obtain normal resolution, so application data can clearly also be used as operating data.
4. Alarm data, characterizing warning information produced by the cluster. Alarm data here are mainly those produced by the system monitoring functions of the devices in the cluster, such as the alerts produced by the "Management" component of Windows systems. These data can also be used to determine the operating state of a single device or of the cluster.
5. Difference data, characterizing the differences between the cache pool and the database. The cache pool here means the data in the buffer space that buffers historical resolution records; the database means the dedicated files into which historical resolution records are extracted from the buffer space in a standardized storage format. Recording these difference data mainly serves to expose the difference between the temporarily cached data and the standardized cached data.
The types of operating data listed above are only examples and do not limit the operating data comprehensively. Once collected, operating data are put to further use according to their different roles; the types of operating data used may differ from case to case, and this flexibility is described further below.
Step S22: compute on the operating data according to preset configuration information to form a judgement result for the operating state of the DNS service cluster.
Having collected a large amount of operating data about the cluster providing DNS service, the DNS server can mine the data intelligently and, drawing on machine learning principles, judge more intelligently and accurately whether the cluster's operating state is normal. To this end, referring to Fig. 5, this step is implemented with the following specific steps:
Step S221: establish the indicator data sets that serve as the judgement benchmark.
How the indicator data sets are established depends on which operating data are selected, and that selection in turn depends on the preset configuration information. Four example indicator data sets are given below for reference:
1. Performance data: 1000; machine data: 90%
2. Alarm data: danger; machine data: 10%
3. Difference data: 90%; application data: file.log
4. Application data: file.log
From these four indicator data sets, the indicators established by the present invention can be understood as follows:
1. When performance data reaches a throughput of 1000 and machine data (CPU and/or memory share) has just reached 90%, this constitutes a judgement benchmark of the present invention.
2. When machine data (CPU and/or memory share) is only at 10% yet the alarm data shows the "danger" state, this constitutes a judgement benchmark of the present invention.
3. When the difference data in the application data file file.log reaches 90%, this constitutes a judgement benchmark of the present invention.
4. Only the application data file file.log is used as the real-time judgement benchmark.
Once these indicator data sets are constructed, subsequent processing is based on them. Note that the indicator data sets can either be supplied before the software is installed or be maintained as needed through a user interface provided by the software. They can be stored in a file for use in verifying the implementation of the present invention.
Although four indicator data sets are given above, in some embodiments the indicator data set can also be understood as a single standard set that characterizes the normal state of the cluster providing DNS service, which simplifies the software programming.
Step S222: select or generate the corresponding algorithm according to the preset configuration information.
In some cases the configuration information may correspond one-to-one with the indicator data sets; if there is only a single standard indicator data set, the configuration information need only correspond to that set. Configuration information is generally strategy configuration information expressed in a format specified by the present invention. For example, for the multiple indicator data sets above, the following strategy configuration information can be formulated; the table also gives the meaning of each entry:
No. | First element | Second element | Algorithm | Meaning
1 | Performance data | Machine data | A | Algorithm A applies to performance and machine data
2 | Alarm data | Machine data | B | Algorithm B applies to alarm and machine data
3 | Difference data | Application data | C | Algorithm C applies to difference and application data
4 | Application data | Unresponsive | D | Algorithm D applies to the unresponsive part of the application data
The strategy configuration information above is only an example; very flexible configurations are possible. In principle, anything that associates an indicator data set with an algorithm can form the configuration information of the present invention, whatever its form or number of elements. In general, each group of strategy configuration information should correspond to one indicator data set, so that different situations are distinguished and handled by different algorithms; the operating data and indicator data set that take part in the computation under one group of strategy configuration information differ from those involved under the other groups. The indicator data sets can, however, also be unified into one standard indicator data set as described earlier, with every piece of strategy configuration information corresponding to that same standard set.
As can be seen, strategy configuration information lets the system select a known algorithm, and the whole process is highly intelligent. Further, the algorithm field of the strategy configuration information can hold an expression that supplies the basis for generating an algorithm dynamically; the software then generates the corresponding algorithm from that basis according to agreed rules and applies it. The present invention thus uses configuration information to associate indicator data sets with known or unknown algorithms, giving a machine learning model with highly intelligent characteristics that can dynamically recognize a variety of operating conditions and therefore make more intelligent disaster recovery switching decisions.
Similarly, the configuration information, in particular the strategy configuration information, and/or the dynamically set algorithms can be entered and maintained by the user through a graphical user interface, and the corresponding data can be stored in a data table or file for use by the software of the present invention. Further, the user interface for entering or refining indicator data sets and the user interface for setting or changing strategy configuration information and/or algorithms can be one and the same, and can be designed flexibly by the programmer as needed.
Step S223: taking the indicator data set as the benchmark, compute on the operating data with the algorithm and determine whether the operating state characterized by the operating data is abnormal.
Once the indicator data set and the configuration information, specifically the strategy configuration information, have been determined, the algorithm option given by the strategy configuration information determines the algorithm. Following the elements given in the configuration information, the algorithm performs mathematical operations such as counting, comparison and induction on the corresponding elements of the operating data against the indicator data set as benchmark, obtains the final result, and so judges whether the operating state of the device or whole cluster characterized by the operating data is abnormal.
In some cases the configuration information can also provide an execution option, such as an option to discard packets without responding. In that case, after the corresponding algorithm reaches an unfavourable judgement, the option can be applied so that subsequent resolution requests are refused a response and their packets are dropped directly.
To make the present invention easier to understand, an example is given below in which the machine learning model of the present invention identifies a DNS attack.
In this example, the indicator data set can specify a time of 100 ms and, in the application data, 5000 resolution requests for the same domain name within 100 ms. The strategy configuration information specifies that algorithm K applies to the combination of application data and unit time. When the DNS resolution server configured with software implementing this method sees in the collected application data that more than 5000 resolution requests were generated for the same domain name within a 100 ms unit of time, this does not match historical behaviour. Algorithm K is then triggered to compute and verify further: from statistics on historical resolution requests it derives the historical usage pattern, in which the number of times this domain name is accessed within 100 ms is far below 5000. Algorithm K can therefore conclude that a network attack is occurring at that time and judge the operating state abnormal. In this illustration algorithm K is relatively complex to implement. Alternatively, an additional statistics process can tally the historical behaviour of each domain name and generate the request count in the indicator data set from it; algorithm K then only needs to compare the current access count for the domain name with the request count in the indicator data set to reach a judgement.
In another embodiment, the indicator data set can specify that the application data is a particular log file, and the strategy configuration information specifies that algorithm X applies to unresponsive records in that log file. When algorithm X runs, it counts the unresponsive records in the log file; if, within a predetermined time such as 100 minutes, the log records produced are unresponsive records, it can directly determine that the corresponding device or cluster providing DNS service has failed, and thus also conclude that the operating state is abnormal.
For brevity, the two cases above were described with the cluster providing DNS service reduced to a single machine. Those skilled in the art will understand that in these examples the judgement can of course also be made for the cluster as a whole; this is a matter of combining mathematics and programming technique that those skilled in the art should handle sensibly. For example, the algorithm can treat the same type of condition appearing on a certain number of devices as overall paralysis of the cluster, or as the DNS servers at each level of the domain name hierarchy on the public network being unreachable, and judge the operating state abnormal accordingly. Since such situations vary too widely to enumerate, and the present invention has already disclosed the relationship between the cluster and its individual machines so that those skilled in the art can adapt flexibly, they are not described further.
Once the algorithm has judged the operating state of the DNS service cluster, the corresponding operating state result is formed, and the final switching control can be performed accordingly.
Step S23: when the judgement result indicates an abnormal operating state, change the destination address providing DNS service to the network address of the disaster recovery system; when the judgement result indicates a normal operating state, change the destination address providing DNS service to point to the original destination address.
The operating state judgement result is in essence a binary option: either the operating state is normal, meaning the DNS service cluster is running normally, or it is abnormal, meaning the cluster is not running normally. A different switch is made for each case.
When the judgement result indicates an abnormal operating state, the DNS resolution server knows that the original cluster providing DNS service cannot, or can hardly, continue to provide DNS resolution service. Whether the cause is a DNS attack or an unreachable network, the DNS resolution server must, according to the logic of this step, perform the corresponding switch so that subsequent DNS resolution requests are forwarded to the disaster recovery system implemented by the first aspect of the present invention, which resolves them with the techniques disclosed above. The disaster recovery system returns the resolution result to this DNS resolution server, which then answers the client that initiated the request. In this process the DNS resolution server acts only as a relay. To guard against security attacks, resolution requests and results should be transmitted encrypted, both between the DNS resolution server and the requesting client and between the DNS resolution server and the disaster recovery system. An encryption mechanism makes DNS data safer and improves on the traditional DNS protocol.
When the judgement result indicates a normal operating state, the DNS resolution server knows that the cluster that originally provided DNS service has cleared its fault and resumed normal service. According to the logic of this step it must therefore switch back, so that subsequent DNS resolution requests are no longer resolved by the disaster recovery system but by the original cluster providing DNS service. The disaster recovery system, no longer receiving resolution requests, returns to standby with its DNS service still open.
While performing either of these two opposite switches, the DNS server can also use a customer database to push an instant message to the users who have installed its client (for example some type of mobile terminal security software). After the user's client software receives the instant message, it can automatically change its DNS server address to point to the safer DNS server provided by the disaster recovery system, or display the message and leave the decision to the user.
In the DNS resolution server, the switch itself is performed by changing an internal parameter, specifically a network address parameter expressed as an IP address. By default this parameter is the IP address (destination address) at which the original cluster providing DNS service opens its DNS resolution service; when the judgement result is an abnormal operating state, this step changes it to the IP address at which the disaster recovery system opens its DNS resolution service. Conversely, when the original cluster recovers normal service, the parameter must be changed back from the disaster recovery system's IP address to the IP address at which the original cluster opens its DNS resolution service. This network parameter can be stored in a file or in the registry, and can be modified manually through the corresponding system settings interface or through the user interface provided by the present invention. The specific form of the former depends on the operating system.
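Steps S22 and S23 as an added Python example, not code from the patent: strategy configuration selects algorithm K (the 100 ms / 5000-request benchmark) or algorithm X (unresponsive records within 100 minutes), and the binary judgement sets the forwarding address. The function and class names, the log record layout, the reading of algorithm X as "records exist in the period and none was answered", and the documentation-range addresses are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class LogEntry:
    ts_ms: int       # time the request was logged, in milliseconds
    qname: str       # domain name that was queried
    answered: bool   # False marks an unresponsive record


def algorithm_k(entries: Sequence[LogEntry], indicator: Dict, now_ms: int) -> bool:
    """Abnormal if one name exceeds indicator['requests'] in any window_ms span."""
    stamps_by_name = defaultdict(list)
    for e in entries:
        stamps_by_name[e.qname.rstrip(".").lower()].append(e.ts_ms)
    for stamps in stamps_by_name.values():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] >= indicator["window_ms"]:
                start += 1                      # slide the window forward
            if end - start + 1 > indicator["requests"]:
                return True
    return False                                # now_ms unused: uniform signature


def algorithm_x(entries: Sequence[LogEntry], indicator: Dict, now_ms: int) -> bool:
    """Abnormal if records exist in the last period_ms and none was answered."""
    recent = [e for e in entries if 0 <= now_ms - e.ts_ms < indicator["period_ms"]]
    return bool(recent) and not any(e.answered for e in recent)


ALGORITHMS = {"K": algorithm_k, "X": algorithm_x}

# Strategy configuration: elements -> algorithm, each with its indicator data set.
STRATEGIES = [
    {"elements": ("application data", "unit time"), "algorithm": "K",
     "indicator": {"window_ms": 100, "requests": 5000}},
    {"elements": ("application data", "unresponsive"), "algorithm": "X",
     "indicator": {"period_ms": 100 * 60 * 1000}},
]


def judge(entries: Sequence[LogEntry], now_ms: int, strategies=STRATEGIES) -> List[str]:
    """Return the algorithms that judged the operating state abnormal."""
    return [s["algorithm"] for s in strategies
            if ALGORITHMS[s["algorithm"]](entries, s["indicator"], now_ms)]


class ForwardTarget:
    """The network address parameter the DNS resolution server forwards to."""

    def __init__(self, original: str, disaster_recovery: str):
        self.original = original
        self.disaster_recovery = disaster_recovery
        self.current = original                 # default: original cluster

    def apply(self, abnormal: bool) -> str:
        self.current = self.disaster_recovery if abnormal else self.original
        return self.current


# Constructed logs (documentation names, synthetic timestamps).
def normal_log() -> List[LogEntry]:
    return [LogEntry(i * 40, f"host{i % 7}.example.com", True) for i in range(200)]


def flood_log(count: int = 5001) -> List[LogEntry]:
    # `count` queries for one name, all inside a single 100 ms window
    return [LogEntry(i // 60, "WWW.Example.com.", True) for i in range(count)]


def outage_log() -> List[LogEntry]:
    return [LogEntry(i * 60_000, "www.example.com", False) for i in range(90)]


def run_cycle(entries: Sequence[LogEntry], now_ms: int, target: ForwardTarget) -> str:
    """One collect -> judge -> switch cycle; returns the address now in use."""
    return target.apply(bool(judge(entries, now_ms)))
```

Exactly 5000 requests in the window is still judged normal, because the text's benchmark is "more than 5000"; the first cycle with a normal judgement moves the address back to the original cluster.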
Referring to Fig. 6, the present invention also provides for this purpose a DNS disaster recovery system island response automatic switching device, comprising collecting unit 21, judging unit 22 and switching unit 23.
The collecting unit 21 is used to receive and collect the operating data of the cluster providing DNS service.
The DNS server that acts as the application front end and implements the automatic switching device of the present invention has a communication relationship with the cluster providing DNS service. It can collect the operating data of every device in the cluster through a predetermined communication port, such as an agreed TCP or UDP port. The types of operating data chosen are very flexible, as is the way they are used. Some operating data are listed below for reference:
1. Performance data, which characterizes the throughput of DNS resolution performed by the cluster per second. In general, the number of DNS resolutions each machine can perform under normal use is limited and relatively constant, so a preset throughput threshold can be used to judge whether the throughput of a given device, or of the whole cluster, is normal. Throughput here means the number of times a domain name resolution request is received and answered with the corresponding resolution result.
2. Machine data, which characterizes the operating information of at least one hardware component of each device in the cluster. Machine data mainly means the occupancy of the CPU and/or memory while the machine runs. For example, a CPU that stays at high utilization such as 100% for a long time, together with free memory that stays low for a long time, may indicate some unnecessary busy state. In theory, such machine data can also be used to judge the running quality of a single device or of the whole cluster.
3. Application data, which characterizes the log information of domain name resolution records. The log information here mainly means the raw information of the historical domain name resolution records that form the cached data of the first aspect of the present invention. This information can be used by the disaster recovery system to derive authorization information later, or can serve in this device purely as a basis for judgment. From the log information one can at least see whether resolution is failing on a large scale, for example a large number of domain name resolution requests that cannot obtain a normal resolution, so application data can clearly also be used as one kind of operating data.
4. Alarm data, which characterizes the alarm information produced by the cluster. Alarm data here mainly means the alarms produced by the system monitoring function of the devices in the cluster, for example the alarm data produced by the "management" component of Windows systems. These data can likewise be used to determine the operating state of a single device or of the cluster.
5. Difference data, which characterizes the difference between the cache pool and the database. The cache pool here means the data in the buffer space that buffers historical domain name resolution records, and the database here means the dedicated file into which the historical domain name resolution records are extracted from the buffer space in a standardized storage format. Difference data is recorded mainly to provide the difference between the temporarily cached data and the standardized cached data.
The types of operating data given above are only examples of specific data types and do not limit the operating data exhaustively. After the operating data has been collected, it is put to further use according to its role; the types of operating data used may differ from case to case, and this flexibility is described further below.
The identifying unit 22 is configured to perform computation on the operating data according to preset configuration information, so as to form a judgment result on the operating state of the DNS service cluster.
Having collected a large amount of operating data about the cluster providing the DNS service, the DNS server can perform intelligent data mining and, drawing on the principles of machine learning, make a more intelligent and accurate judgment of the operating state of the regular cluster. To this end, referring to Fig. 7, the identifying unit 22 specifically comprises an Index Establishment module 221, an algorithm generation module 222 and a computing determination module 223.
The Index Establishment module 221 is configured to establish the index data set used as the judgment baseline.
How the index data set is established depends on which operating data is selected, and the selection of operating data in turn depends on the preset configuration information. Index data sets for four cases are given below for reference:
1. Performance data: 1000; machine data: 90%
2. Alarm data: danger; machine data: 10%
3. Difference data: 90%; application data: file.log
4. Application data: file.log
From the four index data sets above, the indices established by the present invention can be understood as follows:
1. When the performance data reaches a throughput of 1000 while the machine data (CPU and/or memory occupancy) has just reached 90%, this constitutes a judgment baseline of the present invention.
2. When the machine data (CPU and/or memory occupancy) is only at 10% but the alarm data shows the "danger" state, this constitutes a judgment baseline of the present invention.
3. When the difference data in the application data file file.log reaches 90%, this constitutes a judgment baseline of the present invention.
4. Only the application data file file.log is used as the real-time judgment baseline.
Once these index data sets have been constructed, further processing can be based on them. Note that the index data sets can either be supplied before the software is installed or be maintained on demand through the user interface the software provides. They can be stored in a file for verification by the implementation of the present invention.
Although four index data sets are given above, in some embodiments the index data set can also be understood as a single set of standard indices that characterizes the normal state of the cluster providing the DNS service, which simplifies the software programming.
The algorithm generation module 222 is configured to select or generate the corresponding algorithm according to the preset configuration information.
In some cases the configuration information may correspond one-to-one with the index data sets; if the index data set is only a single standard set, the configuration information simply corresponds to that set. The configuration information is generally strategy configuration information expressed in a format specified by the present invention. For example, for the multiple index data sets of the foregoing example, the following strategy configuration information can be formulated; the meaning each entry represents is also given in the table:
Serial number | First element | Second element | Algorithm | Meaning
1 | Performance data | Machine data | A | Algorithm A is applied to performance data and machine data
2 | Alarm data | Machine data | B | Algorithm B is applied to alarm data and machine data
3 | Difference data | Application data | C | Algorithm C is applied to difference data and application data
4 | Application data | No response | D | Algorithm D is applied to the no-response part of the application data
The strategy configuration information above is only an example; in practice the configuration is very flexible. In theory, any configuration that associates an index data set with an algorithm can form the configuration information of the present invention, regardless of its concrete form or number of elements. In general, one group of strategy configuration information should correspond to one index data set, so that different situations are distinguished and different algorithms applied; the operating data and index data set that take part in the computation under one group of strategy configuration information differ from those involved under the other groups. However, as noted earlier, the index data sets can also be unified into one standard index data set, with every item of strategy configuration information corresponding to that same standard index data set.
As can be seen, the strategy configuration information allows a known algorithm in the system to be selected, and the whole process is highly intelligent. Further, the algorithm field of the strategy configuration information can instead carry an expression that dynamically provides the basis for generating an algorithm; the software then generates the corresponding algorithm from that basis according to agreed rules and applies the generated algorithm. The present invention thus uses configuration information to associate index data sets with known or unknown algorithms, yielding a machine learning model with highly intelligent characteristics that can dynamically recognize various operating conditions, so that the subsequent disaster recovery switching control is more intelligent.
Similarly, the configuration information, in particular the strategy configuration information and/or the dynamically set algorithm, can be offered to the user for input and maintenance through the graphical user interface provided by the setup unit of the present invention, and the corresponding data can be stored in a data table or file for use by the software of the present invention. Further, the user interface for entering or changing the index data sets and the user interface for setting or changing the strategy configuration information and/or algorithm can be the same user interface, designed flexibly by the programmer as needed.
The computing determination module 223 is configured to use the algorithm to perform computation on the operating data against the index data set, and to judge whether the operating state characterized by the operating data is abnormal.
Once the index data set and the configuration information, specifically the strategy configuration information, have been determined, the algorithm option in the strategy configuration information identifies the corresponding algorithm. Using that algorithm and the elements named in the configuration information, the corresponding elements of the operating data are processed mathematically against the index data set as the baseline (for example counted, compared or aggregated) to obtain a final result, from which it is judged whether the operating state of the device, or of the whole cluster, characterized by the operating data is abnormal.
In some cases the configuration information can also provide an execution option, for example an option to discard packets without responding. In that case, after the corresponding algorithm produces an unfavorable judgment result, the option can be applied so that subsequent domain name resolution requests are refused a response and their packets are dropped directly.
To make the present invention easier to understand, an example of identifying a DNS attack with the machine learning model of the present invention is given below.
In this example, the index data set can specify a time of 100 ms and, in the application data, 5000 resolution requests for the same domain name within 100 ms. The strategy configuration information specifies that algorithm K is applied to the combination of application data and unit time. When the DNS resolution server configured with the software implementing this device recognizes from the collected application data that more than 5000 resolution requests for the same domain name were generated within the 100 ms unit time, this does not match historical behavior, and algorithm K is triggered for further computation and verification. Algorithm K derives the historical usage pattern from statistics over historical domain name resolution requests and finds that the number of times the domain name is accessed within 100 ms is far below 5000; algorithm K can then further conclude that a network attack is occurring at that time and judge the operating state abnormal. In this example algorithm K is relatively complex to implement. Alternatively, a separate statistics process can compute the historical behavior of each domain name and generate from it the request count in the index data set; in that case algorithm K only needs to compare the current access count for the domain name with the request count in the index data set to reach its determination.
In another embodiment, the index data set can specify a certain log file as the application data, and the strategy configuration information specifies that algorithm X is applied to the no-response case of that log file. When algorithm X runs, it counts the no-response records of the log file; when the log records produced within a predetermined time, for example 100 minutes, are no-response records, it can directly be judged that the corresponding device or cluster providing the DNS service has failed, so the conclusion that the operating state is abnormal can likewise be drawn.
For simplicity, both cases above were described with the cluster providing the DNS service reduced to a single machine. Those skilled in the art will understand that these examples can, or should, also consider judging the cluster as an organic whole; this is a matter of combining mathematics with programming technique that those skilled in the art should reasonably master. For example, the algorithm can treat the case where up to a certain number of devices show the same type of condition as overall paralysis of the cluster, or as the DNS servers of each domain name level in the public network being unreachable, and judge the operating state abnormal accordingly. Since such situations vary and cannot be listed exhaustively, and since the present invention has disclosed the relationship between the cluster and its individual machines so that those skilled in the art can adapt flexibly, they are not elaborated further.
Once the algorithm has judged the operating state of the DNS service cluster, the corresponding operating state result is formed, and the final switching control can be made accordingly.
The switch unit 23 is configured to change the destination address providing the DNS service to the network address of the disaster recovery system when the judgment result indicates an abnormal operating state, and to change the destination address providing the DNS service back to the original destination address when the judgment result indicates a normal operating state.
It will be appreciated that the operating state judgment result is in essence a two-valued option: either it indicates a normal operating state, i.e. the DNS service cluster is running normally, or it indicates an abnormal operating state, i.e. the DNS service cluster is running abnormally. A different switch is therefore made for each of the two cases.
When the judgment result indicates an abnormal operating state, the DNS resolution server knows that the cluster originally providing the DNS service cannot, or can hardly, continue to provide the DNS resolution service, whether because of a DNS attack or because the network is unreachable. Following the logic implemented by the switch unit 23, the DNS resolution server must perform the corresponding switching operation so that subsequent DNS resolution requests are forwarded to the disaster recovery system implemented by the technical solution of the first aspect of the present invention, which resolves the domain names using the technology disclosed above. After the disaster recovery system obtains the resolution result and passes it to this DNS resolution server, the DNS resolution server answers the client that initiated the request with that result. In this process the DNS resolution server acts only as a relay. To avoid security attacks, the domain name resolution requests and results are suitably encrypted in transit; applying an encryption mechanism both to the transmission between the DNS resolution server and the requesting client and to the transmission between the DNS resolution server and the disaster recovery system makes DNS data safer and improves on the traditional DNS protocol.
When the judgment result indicates a normal operating state, the DNS resolution server knows that the cluster originally providing the DNS service has cleared its fault and resumed normal service. Following the logic implemented by the switch unit 23, the DNS resolution server must switch back so that subsequent DNS resolution requests are no longer resolved by the disaster recovery system but by the cluster originally providing the DNS service. The disaster recovery system, receiving no domain name resolution requests, returns to standby while keeping its DNS service open.
While performing either of these two opposite switches, the DNS server can also use a customer database to push an instant message to the users who have installed its client (for example a certain type of mobile terminal security software). After the client software installed by the user receives the instant message, it can automatically change its DNS server address to point to the safer DNS server provided by the disaster recovery system, or display the instant message to the user so that the user can decide.
In the DNS resolution server, the switching action is carried out by modifying an internal parameter. Specifically, this is a network address parameter expressed as an IP address. By default the parameter is the IP address (destination address) on which the cluster originally providing the DNS service exposes its DNS resolution service; when the judgment result indicates an abnormal operating state, the switch unit 23 changes it to the IP address on which the disaster recovery system exposes its DNS resolution service. Once the network address is modified, the switch between the two systems is complete. Conversely, when the cluster originally providing the DNS service resumes normal service, the network address parameter must be changed back from the IP address of the disaster recovery system to the IP address on which the original cluster exposes its DNS resolution service. This network parameter can be stored in a file or in the registry, and can be modified manually through the corresponding system settings interface or through the user interface provided by the setup unit of the present invention. The concrete form of the former depends on the operating system.
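The judge-then-switch cycle described for the identifying unit 22 and the switch unit 23, as an added Python sketch that is not code from the patent. The addresses are constructed, all class and function names are hypothetical, and because the patent does not define algorithms A to D, the comparisons in algo_a to algo_c are assumed readings of index data sets 1 to 3; algo_d follows the no-response log example.

```python
from dataclasses import dataclass

PRIMARY_DNS = "192.0.2.53"     # constructed: address of the original DNS cluster
DR_DNS = "198.51.100.53"       # constructed: address of the disaster recovery system


@dataclass
class OperatingData:
    throughput: int    # performance data: resolutions answered per second
    occupancy: float   # machine data: CPU and/or memory occupancy, percent
    alarm: str         # alarm data: latest alarm level, "" when none
    diff_pct: float    # difference data: cache pool vs. database, percent
    log: list          # application data: (minute, answered) records


def algo_a(d, idx):
    # Assumed reading of set 1: hardware saturated, throughput under baseline.
    return d.occupancy >= idx["occupancy"] and d.throughput < idx["throughput"]


def algo_b(d, idx):
    # Assumed reading of set 2: "danger" alarm while hardware is almost idle.
    return d.alarm == idx["alarm"] and d.occupancy <= idx["occupancy"]


def algo_c(d, idx):
    # Assumed reading of set 3: cache pool and database diverge past baseline.
    return d.diff_pct >= idx["diff_pct"]


def algo_d(d, idx):
    # From the description: all records inside the window are no-response.
    if not d.log:
        return False                      # no evidence, no judgment
    newest = max(minute for minute, _ in d.log)
    recent = [ok for minute, ok in d.log
              if newest - minute < idx["window_minutes"]]
    return not any(recent)


# Strategy configuration: (serial number, algorithm, index data set).
STRATEGIES = [
    (1, algo_a, {"throughput": 1000, "occupancy": 90.0}),
    (2, algo_b, {"alarm": "danger", "occupancy": 10.0}),
    (3, algo_c, {"diff_pct": 90.0}),
    (4, algo_d, {"window_minutes": 100}),
]


def judge(data):
    """Return serial numbers of the strategies that report an abnormal state."""
    return [n for n, algo, idx in STRATEGIES if algo(data, idx)]


class Switcher:
    """Holds the single network address parameter the switch unit rewrites."""

    def __init__(self, primary=PRIMARY_DNS, dr=DR_DNS):
        self.primary, self.dr = primary, dr
        self.target = primary             # default: original cluster

    def apply(self, abnormal):
        """Two-valued switch; returns True when the address actually changed."""
        new = self.dr if abnormal else self.primary
        changed = new != self.target
        self.target = new
        return changed


def run_cycle(switcher, data):
    """One collect -> judge -> switch pass; returns (target address, hits)."""
    hits = judge(data)
    switcher.apply(bool(hits))
    return switcher.target, hits


if __name__ == "__main__":
    sw = Switcher()
    # Constructed samples: healthy, failed (idle, alarming, silent), recovered.
    healthy = OperatingData(800, 40.0, "", 5.0, [(m, True) for m in range(100)])
    failed = OperatingData(0, 5.0, "danger", 5.0,
                           [(m, False) for m in range(100, 200)])
    for sample in (healthy, failed, healthy):
        print(run_cycle(sw, sample))
```
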
As the foregoing embodiments of the method and apparatus of the technical solution of the second aspect of the present invention show, one of the essences of the present invention is to realize intelligent attack judgment by drawing on machine learning techniques. Although only some embodiments are given here, those skilled in the art can, following the same principle, derive a variety of further judgment methods on this basis. Combined with a low-level implementation, this behavior judgment function can give the DNS server a safer protection effect.
For example, in an embodiment of the present invention, for the network packet corresponding to each received domain name resolution request, the DNS behavior type of the packet can be judged in a manner similar to the machine learning described above, the processing entity that will handle the packet is determined from that DNS behavior type, and the packet is then passed to that processing entity. In embodiments of the present invention the processing entity can consist of two layers, the kernel layer and the application layer. The kernel layer includes the network layer, the driver layer and so on, and can implement functions such as caching and attack protection; the application layer can perform basic resolution of the network packet, including obtaining the address for a domain name and storing address data. Compared with prior-art handling of DNS behavior, dividing network packets between the kernel layer and the application layer lets DNS requests be handled according to what is actually requested: an attack of millions of DNS requests per second can be handled by the kernel, which has the greater processing capacity, while DNS requests with lower timeliness requirements can be handled by the application layer. Because the kernel has huge processing capacity, handling DNS requests separately in the kernel and the application layer makes high-volume DNS queries possible. Moreover, when a modification or restart triggered by a DNS request causes a reload, since the kernel and the application layer process separately, one of them can handle the current DNS request while the other continues to provide service externally. The embodiment of the present invention therefore improves single-machine traffic handling capacity, greatly improves the processing capacity and security protection capability of the system, and also allows fast dynamic management and configuration of domain names, thereby meeting many customized, complex functional requirements.
When the DNS behavior type is determined to be an attack, the processing entity is the kernel; when the DNS behavior type is domain name resolution, the processing entity is the application layer. To improve the response speed, processing performance and security protection capability of the domain name resolution service, caching and security protection can, in line with how DNS resolution works, be implemented in a kernel module; under normal conditions the kernel module can efficiently and stably handle 98% of resolution requests and the great majority of attack protection. Basic resolution and management functions, whose logic is relatively complex and whose performance requirements are not so high, are implemented in the application layer.
Therefore, when the processing entity is the kernel, the kernel inspects the network packet, filters out the DNS attack behavior carried in it, and forwards the filtered packet to the application layer for processing. When inspecting network packets the kernel can enable strategies such as an anti-DDoS strategy, an IP rate-limit strategy and a domain name rate-limit strategy; correspondingly, an independent internal module can be set up in the kernel for each strategy to implement the different strategies.
Note that each network packet has a feature code, and each feature code is unique, so the attributes of the DNS request in a packet can be judged from its feature code, which sees through DNS attack operations disguised as normal packets. Whether a network packet carries DNS attack behavior is judged by the following steps:
Step A: compute the feature code of the network packet;
Step B: judge whether the feature code is the feature code of DNS attack behavior; if so, perform step C, otherwise perform step D;
Step C: if so, determine that the network packet carries DNS attack behavior;
Step D: if not, determine that the network packet does not carry DNS attack behavior.
A set of feature codes of known DNS attack behavior is typically stored in a database. When verification is needed, the feature code computed in step A is matched against the set in the database; if the feature code computed in step A is present in the set, the packet is DNS attack behavior, and otherwise it is not.
The feature code can be determined from IP or domain name information, for example by counting the network packets received from the same IP within a specified time, and/or counting the network packets received from the same domain name within a specified time. If the number of network packets received from the same IP or the same domain name within 1 second is far greater than the number that should be received, this proves that the IP address or domain name has become an attack source. This is also the basic principle of the IP rate-limit strategy and the domain name rate-limit strategy. Once an IP address or domain name has been proven to be an attack source, network packets subsequently received from it can be directly discarded or filtered out, which avoids its attack and improves system security performance and processing efficiency.
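Steps A to D and the rate-limit principle above, together with the simplified form of algorithm K from the earlier attack example (more than 5000 requests for one domain name within 100 ms), as an added Python sketch rather than the patent's code. Representing a feature code as a (kind, key) pair, the class and function names, the per-IP limit and the sample traffic are all assumptions.

```python
from collections import defaultdict, deque


class WindowCounter:
    """Counts events per key inside a sliding time window (milliseconds)."""

    def __init__(self, window_ms):
        self.window_ms = window_ms
        self.times = defaultdict(deque)   # key -> arrival times in the window

    def hit(self, key, now_ms):
        q = self.times[key]
        q.append(now_ms)
        while now_ms - q[0] >= self.window_ms:    # expire old arrivals
            q.popleft()
        return len(q)


def normalize(qname):
    # DNS names are case-insensitive and may carry a trailing root dot, so
    # "Victim.Example." and "victim.example" must count as the same name.
    return qname.lower().rstrip(".")


class KernelFilter:
    """Steps A-D: compute feature codes, match known attack codes, drop or forward."""

    def __init__(self, domain_limit=5000, domain_window_ms=100,
                 ip_limit=1000, ip_window_ms=1000):
        # 5000 per 100 ms is the figure in the description; the 1 s window for
        # IPs is too, but ip_limit=1000 is a constructed value.
        self.domain_limit, self.ip_limit = domain_limit, ip_limit
        self.by_domain = WindowCounter(domain_window_ms)
        self.by_ip = WindowCounter(ip_window_ms)
        # Stands in for the database of known attack feature codes. The
        # description gives no expiry, so entries stay until removed.
        self.attack_codes = set()

    def handle(self, src_ip, qname, now_ms):
        """Return "drop" or "forward" (hand over to the application layer)."""
        ip_code = ("ip", src_ip)                           # step A
        dom_code = ("domain", normalize(qname))
        if ip_code in self.attack_codes or dom_code in self.attack_codes:
            return "drop"                                  # step B -> step C
        if self.by_ip.hit(src_ip, now_ms) > self.ip_limit:
            self.attack_codes.add(ip_code)                 # IP rate-limit strategy
            return "drop"
        if self.by_domain.hit(dom_code[1], now_ms) > self.domain_limit:
            self.attack_codes.add(dom_code)                # domain rate-limit strategy
            return "drop"
        return "forward"                                   # step D


def replay(filt, packets):
    """Feed (src_ip, qname, now_ms) tuples; return the list of decisions."""
    return [filt.handle(ip, name, t) for ip, name, t in packets]


def constructed_flood(n=5001, spacing_ms=0.01):
    # Constructed sample: n queries for one name from rotating source addresses.
    return [(f"203.0.113.{i % 250}", "Victim.Example.", i * spacing_ms)
            for i in range(n)]


if __name__ == "__main__":
    f = KernelFilter()
    decisions = replay(f, constructed_flood())
    print(decisions.count("forward"), decisions.count("drop"), f.attack_codes)
```

Because a flagged domain name is dropped for every source, the per-domain limit trades availability of that name for protection of the resolver, which is the behaviour the description gives for a proven attack source.
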
After the kernel has filtered out attack behavior, the network packet is sent to the application layer for processing. The application layer can resolve the network packet and obtain the address information corresponding to the domain name, so that the relevant data is obtained and fed back to the client. The application layer can also manage data such as domain name information, providing the data management function.
Taking the description of the present invention as a whole, the method and apparatus of the technical solution of the first aspect construct a disaster recovery system that can provide an island-style domain name resolution service, while the method and apparatus of the technical solution of the second aspect provide intelligent fault detection and switching control between the disaster recovery cluster and the ordinary cluster. The DNS service system constructed by the present invention therefore makes a significant contribution to the security of Internet DNS services.
In summary, implementing the present invention helps build a disaster recovery system and lets the disaster recovery system serve the security management and control of a traditional DNS service cluster.
Note that the algorithms and formulas provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the examples herein. From the description above, the structure required to construct such systems is obvious. Furthermore, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the invention described herein, and that the description above of a specific language is given to disclose the best mode of the present invention.
Numerous specific details are set forth in the description provided here. It is to be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, the features of the invention are sometimes grouped together in a single embodiment, figure or description thereof in the above description of exemplary embodiments. However, the method of the disclosure is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the claims reflect, inventive aspects lie in less than all features of a single embodiment disclosed above. The claims following the detailed description are therefore expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules of the device in an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of the embodiments can be combined into one module, unit or component, and can furthermore be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will appreciate that although some embodiments described herein include some features that are included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the present invention and to form different embodiments.
The component embodiments of the present invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the web portal security detection device according to embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the present invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
The above are only some embodiments of the present invention. It should be noted that those of ordinary skill in the art can make various improvements and modifications without departing from the principle of the present invention, and these improvements and modifications should also be regarded as falling within the protection scope of the present invention.

Claims (18)

1. A disaster recovery construction method for a domain name resolution system, characterized in that it comprises the following steps:
synchronizing, in real time, the authorization information database of a target cluster that provides DNS service to a disaster recovery cluster configured with a virtual root node, the authorization information database storing the authorization information of the authorization servers at each level of the domain name;
receiving a domain name resolution request and, in response to the domain name resolution request, using the authorization information database of the disaster recovery cluster and the virtual root node to perform a recursive query, according to the corresponding authorization server information recorded in the authorization information database, to obtain the domain name resolution result;
responding to the domain name resolution request with the domain name resolution result.
2. The disaster recovery construction method for a domain name resolution system according to claim 1, characterized in that: each step of the method is performed on at least one device of the disaster recovery cluster.
3. The disaster recovery construction method for a domain name resolution system according to claim 1, characterized in that: each step of the method is performed by one or more processes of a single device of the disaster recovery cluster.
4. The disaster recovery construction method for a domain name resolution system according to claim 1, characterized in that: the step of synchronizing the authorization information database in real time to the disaster recovery cluster configured with the virtual root node is performed on at least one device independent of the disaster recovery cluster, and the remaining steps are performed on the same device of the disaster recovery cluster.
5. The disaster recovery construction method for a domain name resolution system according to claim 1, characterized in that: the authorization information database also stores historical domain name resolution records, the historical domain name resolution records being the DNS resolution records produced by the DNS resolution carried out while the target cluster was normally performing DNS service; when the method performs domain name resolution, the corresponding domain name resolution result is obtained by retrieving the historical domain name resolution records.
6. The disaster recovery construction method for a domain name resolution system according to claim 5, characterized in that: the historical domain name resolution records include the mapping relations from domain names to the corresponding IP addresses.
7. The disaster recovery construction method for a domain name resolution system according to claim 1, characterized in that: the authorization information database is implemented in the form of a distributed database.
8. The disaster recovery construction method for a domain name resolution system according to claim 1, characterized in that: the domain name resolution request and the domain name resolution result are relayed through the same network address.
9. The disaster recovery construction method for a domain name resolution system according to claim 1, characterized in that: the domain name resolution request and the domain name resolution result are transmitted in encrypted form.
10. A disaster recovery construction apparatus for a domain name resolution system, characterized in that it comprises:
a synchronization unit, configured to synchronize, in real time, the authorization information database of a target cluster that provides DNS service to a disaster recovery cluster configured with a virtual root node, the authorization information database storing the authorization information of the authorization servers at each level of the domain name;
a query unit, configured to receive a domain name resolution request and, in response to the domain name resolution request, to use the authorization information database of the disaster recovery cluster and the virtual root node to perform a recursive query, according to the corresponding authorization server information recorded in the authorization information database, to obtain the domain name resolution result;
a response unit, configured to respond to the domain name resolution request with the domain name resolution result.
11. The disaster recovery construction apparatus for a domain name resolution system according to claim 10, characterized in that: each unit of the apparatus is configured to run on at least one device of the disaster recovery cluster.
12. The disaster recovery construction apparatus for a domain name resolution system according to claim 10, characterized in that: one or more processes of a single device of the disaster recovery cluster are configured to execute each unit of the apparatus.
13. The disaster recovery construction apparatus for a domain name resolution system according to claim 10, characterized in that: the synchronization unit is configured to run on at least one device independent of the disaster recovery cluster, and the query unit and the response unit are configured to run on the same device of the disaster recovery cluster.
14. The disaster recovery construction apparatus for a domain name resolution system according to claim 10, characterized in that: the authorization information database also stores historical domain name resolution records, the historical domain name resolution records being the DNS resolution records produced by the DNS resolution carried out while the target cluster was normally performing DNS service; when the query unit performs domain name resolution, the corresponding domain name resolution result is obtained by retrieving the historical domain name resolution records.
15. The disaster recovery construction apparatus for a domain name resolution system according to claim 14, characterized in that: the historical domain name resolution records include the mapping relations from domain names to the corresponding IP addresses.
16. The disaster recovery construction apparatus for a domain name resolution system according to claim 10, characterized in that: the authorization information database is implemented in the form of a distributed database.
17. The disaster recovery construction apparatus for a domain name resolution system according to claim 10, characterized in that: the domain name resolution request and the domain name resolution result are relayed through the same network address.
18. The disaster recovery construction apparatus for a domain name resolution system according to claim 10, characterized in that: the domain name resolution request and the domain name resolution result are transmitted in encrypted form.
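The resolution flow of claims 1, 5 and 6, sketched as an added Python example that is not part of the patent or the assignee's code. Zone names, server names and addresses are constructed, and two design choices are assumptions of this sketch: historical records are consulted only when the recorded authorization server is unreachable, and a reachable server's negative answer is treated as final.

```python
# Constructed data: zone names, server names and addresses are illustrative.
# Authorization information database synced from the target cluster:
# zone -> authorization server recorded for that level of the name.
AUTH_DB = {
    ".": "vroot.dr.example",        # virtual root node inside the DR cluster
    "test.": "ns.tld.example",
    "corp.test.": "ns.corp.example",
}
# Historical resolution records synced with it (claims 5 and 6): name -> IP.
HISTORY = {"www.corp.test.": "192.0.2.10", "old.corp.test.": "192.0.2.99"}
# Simulated reachable authorization servers: server -> {name: IP}.
# A server missing from this dict models one cut off by the outage.
SERVERS = {
    "ns.corp.example": {"www.corp.test.": "192.0.2.10",
                        "mail.corp.test.": "192.0.2.25"},
}

def enclosing_zones(qname):
    """Yield zones from the root down: '.', 'test.', 'corp.test.', ..."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    yield "."
    for i in range(len(labels) - 1, -1, -1):
        yield ".".join(labels[i:]) + "."

def resolve(qname, auth_db=AUTH_DB, servers=SERVERS, history=HISTORY):
    """Return (ip, source, path) for qname; ip is None if unanswered."""
    if not qname.endswith("."):
        qname += "."
    qname = qname.lower()
    # Walk delegations starting at the virtual root, never at the real roots.
    path = [(z, auth_db[z]) for z in enclosing_zones(qname) if z in auth_db]
    if not path:
        return None, "unresolved", path
    server = path[-1][1]            # deepest known authorization server
    if server in servers:
        # A reachable server is final, including its negative answers, so a
        # stale historical record cannot resurrect a name it no longer serves.
        ip = servers[server].get(qname)
        return ip, ("authoritative" if ip else "nxdomain"), path
    # Server unreachable: fall back to the synced historical record.
    ip = history.get(qname)
    return ip, ("history" if ip else "unresolved"), path
```

Answers taken from historical records are only as fresh as the last synchronization, so a deployment along these lines would want to log the `source` field and alert when the share of `history` answers rises.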
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410852629.9A CN104468244B (en) 2014-12-31 2014-12-31 Domain name analysis system calamity is for constructing method and device

Publications (2)

Publication Number Publication Date
CN104468244A CN104468244A (en) 2015-03-25
CN104468244B true CN104468244B (en) 2018-04-20


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220718

Address after: Room 801, 8th floor, No. 104, floors 1-19, building 2, yard 6, Jiuxianqiao Road, Chaoyang District, Beijing 100015

Patentee after: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.

Patentee before: Qizhi software (Beijing) Co.,Ltd.