CN107623693A - Domain name resolution protection method and device, system, computing device, storage medium - Google Patents


Publication number
CN107623693A
Authority
CN
China
Prior art keywords
domain name
result
name mapping
address
page
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201710915052.5A
Other languages
Chinese (zh)
Other versions
CN107623693B (en
Inventor
李宜檑
孙晓骏
熊昱之
高鹏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
3600 Technology Group Co ltd
Original Assignee
Beijing Qihoo Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Qihoo Technology Co Ltd filed Critical Beijing Qihoo Technology Co Ltd
Priority to CN201710915052.5A priority Critical patent/CN107623693B/en
Publication of CN107623693A publication Critical patent/CN107623693A/en
Application granted granted Critical
Publication of CN107623693B publication Critical patent/CN107623693B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a domain name resolution protection method and device, system, computing device, and storage medium. The method includes: sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server; analyzing the domain name resolution result according to local rules and/or a cloud scan result, and judging whether the domain name resolution result is hijacked data; if so, repairing the domain name resolution result and returning the repaired result. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and safeguards network security. Analyzing the result according to local rules and/or the cloud scan result makes the judgment of whether the result has been hijacked more accurate and improves the effectiveness of the analysis. After the judgment, the domain name resolution result is repaired and the correct result is returned, so that domain name resolution is effectively protected.

Description

Domain name resolution protection method and device, system, computing device, storage medium
Technical field
The present invention relates to the field of network security, and in particular to a domain name resolution protection method and device, system, computing device, and computer storage medium.
Background
DNS (Domain Name System) is often called the translator of the network. As the distributed database that maps domain names and IP addresses to each other on the Internet, it has become part of the Internet's basic infrastructure. DNS servers let users access the Internet more easily, without having to remember the IP number strings that machines read directly. A DNS server resolves a domain name into the language used by machines (the IP address); its existence makes it easier for users to reach web addresses and provides them with convenient network service.
As networks have grown, DNS has become necessary network infrastructure. However, DNS was designed for the early Internet and, in pursuit of speed and efficiency, did not fully consider security. Its protocol architecture is completely open: there is no encryption or authentication mechanism for access, and the various query requests are not verified, which makes DNS difficult to manage. At the same time, DNS servers have grown increasingly large and the DNS system increasingly fragile. These are all reasons why DNS is vulnerable to attack and hijacking. The security problems of DNS pose a great threat to users' Internet security. In fact, DNS has become a common means for hackers and criminals to attack users, and DNS hijacking is widespread.
Therefore, a domain name resolution protection method is needed to ensure the security of users' network access.
Summary of the invention
In view of the above problems, the present invention is proposed to provide a domain name resolution protection method and device, computing device, and computer storage medium that overcome the above problems or at least partially solve them.
According to one aspect of the invention, a domain name resolution protection method is provided, which includes:
sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server;
analyzing the domain name resolution result according to local rules and/or a cloud scan result, and judging whether the domain name resolution result is hijacked data;
if so, repairing the domain name resolution result and returning the repaired domain name resolution result.
According to another aspect of the invention, a domain name resolution protection device is provided, which includes:
an interception module, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution and to intercept the domain name resolution result returned by the DNS server;
an analysis and judgment module, adapted to analyze the domain name resolution result according to local rules and/or a cloud scan result and to judge whether the domain name resolution result is hijacked data;
a repair module, adapted to repair the domain name resolution result if so, and to return the repaired domain name resolution result.
According to another aspect of the invention, a domain name resolution protection system is provided, which includes a cloud server and the above domain name resolution protection device.
According to a further aspect of the invention, a computing device is provided, including: a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with each other through the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the above domain name resolution protection method.
According to a further aspect of the invention, a computer storage medium is provided. At least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the above domain name resolution protection method.
According to the domain name resolution protection method and device, system, computing device, and storage medium provided by the invention, a domain name resolution request carrying domain name information is sent to a DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the result is analyzed according to local rules and/or a cloud scan result to judge whether it is hijacked data; if so, the result is repaired and the repaired result is returned. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and safeguards network security. Analyzing the result according to local rules and/or the cloud scan result makes it possible to judge promptly and proactively whether the result has been hijacked, makes the judgment more accurate, and improves the effectiveness of the analysis. After the judgment, the result is repaired and the correct domain name resolution result is returned, which safeguards network security without affecting the user's normal use and effectively protects domain name resolution.
The above is only an overview of the technical solution of the invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention are more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
By reading the following detailed description of the preferred embodiments, various other advantages and benefits will become clear to those of ordinary skill in the art. The drawings are only for the purpose of illustrating the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a domain name resolution protection method according to an embodiment of the invention;
Fig. 2 shows a flow chart of a domain name resolution protection method according to another embodiment of the invention;
Fig. 3 shows a functional block diagram of a domain name resolution protection device according to an embodiment of the invention;
Fig. 4 shows a functional block diagram of a domain name resolution protection device according to an embodiment of the invention;
Fig. 5 shows a schematic structural diagram of a computing device according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and so that its scope can be fully conveyed to those skilled in the art.
Fig. 1 shows a flow chart of a domain name resolution protection method according to an embodiment of the invention. As shown in Fig. 1, the domain name resolution protection method includes the following steps:
Step S101, a domain name resolution request carrying domain name information is sent to a DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted.
A DNS server returns its result directly after resolving a domain name resolution request. When DNS is hijacked, the returned domain name resolution result may have been tampered with and cannot meet the user's real need. The domain name resolution result returned by the DNS server therefore needs to be intercepted so that it can subsequently be analyzed and judged, which avoids returning a hijacked domain name resolution result.
Specifically, when the domain name resolution request carrying domain name information is sent to the DNS server for resolution, a fake function can be used to hook the request function of the remote procedure call protocol, and the request is sent to the DNS server for resolution. For example, based on hook technology, a Fakefunc function is constructed to hook the request function of the original remote procedure call protocol, and a callback function is set to intercept the domain name resolution result returned by the DNS server, so that the result is not returned directly.
Step S102, the domain name resolution result is analyzed according to local rules and/or a cloud scan result, and it is judged whether the domain name resolution result is hijacked data.
After the driver intercepts the domain name resolution result, this embodiment passes the result asynchronously to privilege level 3 for analysis. Different analysis strategies can be used for different operating system versions and different versions of the Internet Protocol. In a specific implementation, the domain name resolution result can be parsed according to a custom special data structure chosen for performance, to obtain the corresponding data, such as IP address information.
In the analysis itself, the domain name resolution result can be analyzed according to local rules, that is, rules formulated by the client. It can also be analyzed according to the cloud scan result produced by the cloud server, to judge whether the domain name resolution result is hijacked data. If so, step S103 is performed; otherwise no processing is done, the data is released, and step S104 is performed.
Step S103, if so, the domain name resolution result is repaired.
When the domain name resolution result is judged to be hijacked data, it needs to be repaired. For the repair, based on the region information carried in the earlier domain name resolution request, the cloud server screens the big data it has collected by region information, domain name information and so on. The cloud server can obtain and return the corresponding whitelisted IP address according to how normal users located in that region access the domain name, so that the whitelisted IP address corresponding to the region information is obtained. For example, if normal users in a region A access a certain IP1 many times, IP1 is obtained. If a local IP address whitelist exists locally, the whitelisted IP address can be obtained from the information in it, such as region information, domain name information or operator information. The obtained whitelisted IP address is used to repair the domain name resolution result.
Step S104, the domain name resolution result is returned.
The repaired domain name resolution result, or the result that was not hijacked, is returned so that it can subsequently be used to access the corresponding page.
According to the domain name resolution protection method provided by the invention, a domain name resolution request carrying domain name information is sent to a DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the result is analyzed according to local rules and/or a cloud scan result to judge whether it is hijacked data; if so, the result is repaired and the repaired result is returned. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and safeguards network security. Analyzing the result according to local rules and/or the cloud scan result makes it possible to judge promptly and proactively whether the result has been hijacked, makes the judgment more accurate, and improves the effectiveness of the analysis. After the judgment, the result is repaired and the correct domain name resolution result is returned, which safeguards network security without affecting the user's normal use and effectively protects domain name resolution.
Fig. 2 shows a flow chart of a domain name resolution protection method according to another embodiment of the invention. As shown in Fig. 2, the domain name resolution protection method includes the following steps:
Step S201, a domain name resolution request carrying domain name information is sent to a DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted.
For this step, refer to the description of step S101 in the embodiment of Fig. 1; it is not repeated here.
Step S202, it is judged according to the local rules whether the IP address included in the domain name resolution result belongs to the local IP address whitelist.
It is judged according to the local rules whether the IP address included in the domain name resolution result belongs to the local IP address whitelist. If the IP address belongs to the local IP address whitelist, the domain name resolution result is judged not to be hijacked data; it is released directly without processing, and step S206 is performed. If the IP address does not belong to the local IP address whitelist, step S203 is performed.
Step S203, it is judged according to the local rules whether the IP address included in the domain name resolution result belongs to the local IP address blacklist.
It is judged according to the local rules whether the IP address included in the domain name resolution result belongs to the local IP address blacklist. If the IP address belongs to the local IP address blacklist, the domain name resolution result is judged to be hijacked data, and step S205 is performed. If the IP address does not belong to the local IP address blacklist, step S204 needs to be performed to analyze the domain name resolution result further according to the various cloud scan results.
The execution order of steps S202 and S203 above is not limited. The local IP address whitelist and/or local IP address blacklist need to be refreshed by periodically downloading the cloud IP address whitelist and/or cloud IP address blacklist from the cloud server and updating the local lists accordingly, to ensure that the data in the local IP address whitelist and/or local IP address blacklist is comprehensive.
The cloud IP address whitelist can be built by deploying probes in each data center that send domain name resolution requests to one or more known whitelisted DNS servers, obtaining the corresponding whitelisted IP addresses, and adding them to the cloud IP address whitelist. To increase the number of whitelisted IP addresses, the same domain name resolution request can also be sent to multiple whitelisted DNS servers and the combined set of all resolution results obtained. Alternatively, each whitelisted IP address (including the corresponding region information, operator and other information) can be calculated from instrumentation in logs such as those of Net Shield and added to the cloud IP address whitelist.
The cloud IP address blacklist can be collected by a big data operations platform; the collection includes blacklisted IP addresses that take effect for an individual domain name and blacklisted IP addresses that take effect for all domain names.
Step S204, the domain name resolution result is analyzed according to the cloud scan result, and it is judged whether the domain name resolution result is hijacked data.
When analysis of the domain name resolution result according to the local rules cannot determine whether it is hijacked data, the judgment can also be made according to the cloud scan result. The cloud scan result is obtained by sending the domain name information, the IP address included in the domain name resolution result and so on to the cloud server, which performs cloud scan processing based on the domain name information, the IP address and other information.
Because the local IP address whitelist and/or local IP address blacklist are not updated in real time, the cloud IP address whitelist and/or cloud IP address blacklist are more up to date and their data is more comprehensive. The cloud server first makes a judgment on the IP address included in the domain name resolution result, checking whether the IP address belongs to the cloud IP address whitelist. If it does, the cloud scan result is that the domain name resolution result is not hijacked data. If the IP address does not belong to the cloud IP address whitelist, the cloud server checks whether it belongs to the cloud IP address blacklist. If it does, the cloud scan result is that the domain name resolution result is hijacked data. Whether the domain name resolution result is hijacked data is thus judged from the cloud scan result. If the IP address belongs to neither the cloud IP address whitelist nor the cloud IP address blacklist, the domain name resolution request carrying the domain name information is further sent to a DNS server in the preconfigured DNS server whitelist, and the secure IP address obtained by that DNS resolution is taken. A first page is downloaded according to the secure IP address. The first page is the page corresponding to the secure IP address, and it can be the home page of the website corresponding to the secure IP address. A network request is made according to the IP address included in the domain name resolution result and the sender's host information, and a second page is downloaded. The second page is the page corresponding to that IP address, and it can be the home page of the website corresponding to that IP address. The first page and the second page are compared, and the cloud scan result is obtained from the similarity comparison result of the pages.
When the first page and the second page are compared, each can be parsed to obtain its corresponding DOM tree. The similarity comparison result of the two pages is obtained by comparing the tree nodes of the two DOM trees. The similarity comparison result includes the difference value between the first page and the second page. If the difference value is greater than a preset threshold, such as 20%, the first page and the second page are considered dissimilar; otherwise they are considered similar. The first page and the second page can also be compared in other ways to obtain the similarity comparison result; no limitation is imposed here.
The judgment uses the similarity comparison result of the two pages together with the HTTP status code of the first page and the HTTP status code of the second page. If the HTTP status code of the second page is not 200, that is, access to the second page failed (for example, the HTTP status code is 404 or 503), it is very likely that the domain name resolution result is hijacked data, and the similarity comparison result needs to be examined further. If the similarity comparison result is that the first page and the second page are dissimilar, the cloud scan result is that the domain name resolution result is hijacked data. If the HTTP status code of the second page is 200, that is, access to the second page succeeded, and the similarity comparison result is that the first page and the second page are similar, the cloud scan result is that the domain name resolution result is not hijacked data. Alternatively, if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is that the two pages are dissimilar, the cloud scan result is that the domain name resolution result is hijacked data. Or, if the HTTP status code of the second page is the same as the HTTP status code of the first page and the similarity comparison result is that the two pages are similar, the cloud scan result is that the domain name resolution result is not hijacked data.
If the HTTP status code of the second page is not 200 but the similarity comparison result is that the first page and the second page are similar, or if the HTTP status code of the second page differs from that of the first page but the similarity comparison result is that the two pages are similar, further verification is needed to obtain the cloud scan result of whether the domain name resolution result is hijacked data.
Because IP addresses are of different types, download rules for the first page and/or the second page can be preset according to the type of IP address before downloading, so that pages that are easier to compare are downloaded for the comparison of the first page and the second page.
Whether the domain name resolution result is hijacked data is judged according to the above cloud scan result. If so, step S205 is performed; otherwise no processing is done, the result is released directly, and step S206 is performed.
Further, when steps S202-S204 above determine that the domain name resolution result is hijacked data, the corresponding DNS server can also be verified. After external influencing factors have been excluded and it has been confirmed to be a blacklisted DNS server, it is blacklisted or otherwise handled, to avoid sending requests to that DNS server again.
Step S205, the domain name resolution result is repaired.
Step S206, the repaired domain name resolution result is returned.
For the above steps, refer to the description of steps S103-S104 in the embodiment of Fig. 1; it is not repeated here.
It should be noted that steps S202-S204 can be performed by a first process and step S205 by a second process. The first process and the second process work asynchronously, which improves concurrent processing speed.
According to the domain name resolution protection method provided by the invention, after the domain name resolution result returned by the DNS server is intercepted, the result is analyzed in turn according to the local rules, the cloud scan result and so on, to judge whether it is hijacked data. Whether the result has been hijacked can be judged promptly and proactively. The judgment is made locally first, which executes quickly. If the local rules cannot decide, the judgment is made from the cloud scan result, which ensures its accuracy. If the domain name resolution result is hijacked data, it is repaired and the correct repaired result is returned, which safeguards network security without affecting the user's normal use and effectively protects domain name resolution.
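The decision sequence of steps S202 to S205, including the page comparison of step S204, written out as an added example; it is not code from the patent. The tag-path DOM comparison, the choice of the status-code variant that compares the second page with the first, all function names, and the sample pages, domain and documentation-range IP addresses are assumptions of this example, and the two page downloads are replaced by a callable returning constructed data.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser

CLEAN, HIJACKED, VERIFY = "clean", "hijacked", "needs-verification"
DIFF_THRESHOLD = 0.20  # the description's example threshold ("such as 20%")
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
        "link", "meta", "source", "track", "wbr"}


class DomPaths(HTMLParser):
    """Record the root-to-node tag path of every element, in document order."""

    def __init__(self):
        super().__init__()
        self.stack, self.paths = [], []

    def handle_starttag(self, tag, attrs):
        self.paths.append("/".join(self.stack + [tag]))
        if tag not in VOID:  # void elements never have children
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # also closes any unclosed inner tags
            while self.stack.pop() != tag:
                pass


def difference(first_html, second_html):
    """Difference value in [0, 1] between the DOM structures of two pages."""
    paths = []
    for html in (first_html, second_html):
        parser = DomPaths()
        parser.feed(html)
        parser.close()
        paths.append(parser.paths)
    if not paths[0] and not paths[1]:
        return 0.0
    return 1.0 - SequenceMatcher(None, *paths, autojunk=False).ratio()


def page_verdict(first_status, first_html, second_status, second_html):
    """S204 page comparison: combine HTTP status codes with DOM similarity."""
    similar = difference(first_html, second_html) <= DIFF_THRESHOLD
    # Variant used here: the second page's status must equal the first page's.
    status_ok = second_status == first_status
    if status_ok and similar:
        return CLEAN
    if not status_ok and not similar:
        return HIJACKED
    # Mixed signals. The description asks for further verification when the
    # status differs but the pages are similar; handling "same status but
    # dissimilar" the same way is an assumption of this example.
    return VERIFY


def protect(domain, region, ip, lists, white_ips, fetch_pages):
    """Return (verdict, ip_to_return) for one intercepted resolution result."""
    if ip in lists["local_white"]:        # S202
        verdict = CLEAN
    elif ip in lists["local_black"]:      # S203
        verdict = HIJACKED
    elif ip in lists["cloud_white"]:      # S204: cloud lists (cloud side)
        verdict = CLEAN
    elif ip in lists["cloud_black"]:
        verdict = HIJACKED
    else:                                 # S204: page comparison
        verdict = page_verdict(*fetch_pages(domain, ip))
    if verdict == HIJACKED:               # S205: repair with the regional white IP
        return verdict, white_ips[(domain, region)]
    # Assumption: an answer awaiting further verification is left unchanged.
    return verdict, ip


# --- constructed sample data (documentation IP ranges, invented pages) ---
LISTS = {"local_white": {"192.0.2.10"}, "local_black": {"203.0.113.66"},
         "cloud_white": {"192.0.2.11"}, "cloud_black": {"203.0.113.67"}}
WHITE_IPS = {("shop.example", "region-A"): "192.0.2.10"}
LEGIT = ("<html><head><title>Shop</title></head><body><div><h1>Shop</h1>"
         "<ul><li>a</li><li>b</li></ul></div></body></html>")
LEGIT_VARIANT = LEGIT.replace("Shop", "Store").replace(">a<", ">x<")
HIJACK = ('<html><body><p>Moved</p>'
          '<a href="http://ads.invalid/">click</a></body></html>')


def fake_fetch(second_status, second_html):
    """Stand-in for the two downloads; the first page is LEGIT with status 200."""
    return lambda domain, ip: (200, LEGIT, second_status, second_html)


if __name__ == "__main__":
    cases = [("192.0.2.10", None), ("203.0.113.66", None),
             ("198.51.100.7", fake_fetch(503, HIJACK)),
             ("198.51.100.8", fake_fetch(200, LEGIT_VARIANT)),
             ("198.51.100.9", fake_fetch(404, LEGIT_VARIANT))]
    for ip, fetch in cases:
        print(ip, protect("shop.example", "region-A", ip, LISTS, WHITE_IPS, fetch))
```

The last case shows the ambiguous branch of the description: the page structure matches but the status code does not, so the result is neither released as clean nor repaired.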
Fig. 3 shows a functional block diagram of a domain name resolution protection device according to an embodiment of the invention. As shown in Fig. 3, the domain name resolution protection device includes the following modules:
Interception module 310, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution and to intercept the domain name resolution result returned by the DNS server.
A DNS server returns its result directly after resolving a domain name resolution request. When DNS is hijacked, the returned domain name resolution result may have been tampered with and cannot meet the user's real need. The interception module 310 therefore needs to intercept the domain name resolution result returned by the DNS server so that it can subsequently be analyzed and judged, which avoids returning a hijacked domain name resolution result.
When the interception module 310 sends the domain name resolution request carrying domain name information to the DNS server for resolution, it can use a fake function to hook the request function of the remote procedure call protocol and send the request to the DNS server for resolution. For example, based on hook technology, the interception module 310 constructs a Fakefunc function to hook the request function of the original remote procedure call protocol and sets a callback function to intercept the domain name resolution result returned by the DNS server, so that the result is not returned directly.
Analysis and judgment module 320, adapted to analyze the domain name resolution result according to local rules and/or a cloud scan result and to judge whether the domain name resolution result is hijacked data.
After the interception module 310 intercepts the domain name resolution result, this embodiment passes the result asynchronously to privilege level 3 for analysis. The analysis and judgment module 320 can use different analysis strategies for different operating system versions and different versions of the Internet Protocol. In a specific implementation, the domain name resolution result can be parsed according to a custom special data structure chosen for performance, to obtain the corresponding data, such as IP address information.
In its analysis, the analysis and judgment module 320 can analyze the domain name resolution result according to local rules, that is, rules formulated by the client. It can also analyze the result according to the cloud scan result produced by the cloud server, to judge whether the domain name resolution result is hijacked data. If the analysis and judgment module 320 judges that the domain name resolution result is hijacked data, the repair module 330 is executed; otherwise no processing is done and the data is released.
Analysis judge module 320 includes local judge module 321 and/or cloud killing result acquisition module 322.
Whether local judge module 321, the IP address included suitable for judging domain name mapping result belong to local ip address White list and/or local ip address blacklist;If IP address belongs to local ip address white list, domain name analysis result is judged not It is the data being held as a hostage;If IP address belongs to local ip address blacklist, judge that domain name analysis result is the data being held as a hostage.
Whether the IP address that local judge module 321 judges domain name mapping result according to home town ruling and included belongs to local IP address white list, if IP address belongs to local ip address white list, local judge module 321 judges domain name analysis result not It is the data being held as a hostage, without processing, directly lets pass.If IP address is not belonging to local ip address white list, local to judge mould Whether the IP address that block 321 judges domain name mapping result according to home town ruling and included belongs to local ip address blacklist, if IP Address belongs to local ip address blacklist, then local judge module 321 judges that domain name analysis result is the data being held as a hostage, and performs Repair module 330.If IP address is not belonging to local ip address blacklist, cloud killing result acquisition module 322 can be continued executing with, Domain name mapping result is analyzed according to various cloud killing results.
More than, first judge IP address with whether belonging to local ip address white list or IP for local judge module 321 The execution sequence whether location belongs to local ip address blacklist does not limit.
Because the data in the local IP address whitelist and/or the local IP address blacklist needs to be updated according to actual conditions, the device further includes a timed update module 340.
The timed update module 340 is adapted to periodically download a cloud IP address whitelist and/or a cloud IP address blacklist from the cloud server, and to update the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
The timed update module 340 periodically downloads the cloud IP address whitelist and/or the cloud IP address blacklist from the cloud server and updates the local IP address whitelist and/or the local IP address blacklist accordingly, to ensure that the data in the local IP address whitelist and/or the local IP address blacklist is comprehensive.
The cloud IP address whitelist can be built by the cloud server deploying probe points in each data center and sending domain name resolution requests to one or more DNS servers known to be white, obtaining the corresponding white IP addresses and adding them to the cloud IP address whitelist. To expand the number of white IP addresses, the cloud server can also send the same domain name resolution request to multiple white DNS servers and obtain the intersection of all resolution results. Alternatively, the cloud server computes each white IP address (including information such as the corresponding region and operator) from data points recorded in logs such as the net shield logs, and adds it to the cloud IP address whitelist.
The cloud IP address blacklist can be collected by a big data operation platform; the collection covers black IP addresses that take effect for individual domain names and black IP addresses that take effect for all domain names.
The cloud scan result acquisition module 322 is adapted to send the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result; and to judge, according to the cloud scan result, whether the domain name resolution result is hijacked data.
When the local judgment module 321 cannot judge whether the domain name resolution result is hijacked data, the cloud scan result acquisition module 322 can also be executed to make the judgment. The cloud scan result is obtained as follows: the cloud scan result acquisition module 322 sends the domain name information, the IP address included in the domain name resolution result and so on to the cloud server, and the cloud server performs cloud scan processing on this information. After obtaining the cloud scan result, the cloud scan result acquisition module 322 judges whether the domain name resolution result is hijacked data according to whether the cloud scan result states that the domain name resolution result is hijacked data or that it is not hijacked data.
The repair module 330 is adapted to, if so, repair the domain name resolution result and return the repaired domain name resolution result.
When the analysis judgment module 320 judges that the domain name resolution result is hijacked data, the repair module 330 needs to repair the domain name resolution result. For the repair, based on the region information carried in the earlier domain name resolution request, the cloud server screens big-data statistics on region information, domain name information and the like. Based on how normal users located in that region access the domain name, the cloud server can obtain and return the corresponding white IP address, so that the repair module 330 obtains the white IP address corresponding to the region information. For example, if normal users in a region A access an address IP1 many times, the repair module 330 obtains IP1. If a local IP address whitelist exists locally, the repair module 330 can obtain the white IP address from the region information, domain name information, operator information and the like that it contains. The repair module 330 repairs the domain name resolution result with the obtained white IP address and returns the repaired domain name resolution result.
Specifically, the analysis judgment module 320 is executed by a first process and the repair module 330 is executed by a second process, where the first process and the second process operate asynchronously.
According to the domain name resolution protection device provided by the invention, after the domain name resolution result returned by the DNS server is intercepted, it is analyzed in turn according to the local rules, the cloud scan result and so on, to judge whether it is hijacked data. Whether the domain name resolution result has been hijacked can thus be judged promptly and proactively. The local judgment is made first and executes quickly. If the local rules cannot decide, the judgment is made from the cloud scan result, which ensures the accuracy of the judgment. If the domain name resolution result is hijacked data, it is repaired and the correct, repaired domain name resolution result is returned, so that network security is ensured without affecting the user's normal use, and domain name resolution is effectively protected.
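The tiered check and repair described for modules 321, 322, 330 and 340 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the list layout (whitelist keyed by domain and region, blacklist keyed by domain or by all domains), the stubbed cloud call and the behaviour when no white IP is known (returning `None`) are assumptions, and all addresses are constructed from documentation-only ranges.

```python
import ipaddress

NOT_HIJACKED, HIJACKED, UNKNOWN = "not_hijacked", "hijacked", "unknown"
ALL_DOMAINS = "*"  # assumed blacklist key for IPs that are black for every domain


def _ips(values):
    """Normalise textual addresses so that equal IPs always compare equal."""
    return {ipaddress.ip_address(v) for v in values}


class ResolutionGuard:
    """Hypothetical model of the local check, cloud fallback and repair."""

    def __init__(self, cloud_scan):
        self.white = {}               # domain -> region -> set of white IPs
        self.black = {}               # domain or ALL_DOMAINS -> set of black IPs
        self.cloud_scan = cloud_scan  # callable(domain, ip) -> verdict

    def update_lists(self, cloud_white, cloud_black):
        """Timed update: merge the lists downloaded from the cloud server."""
        for domain, regions in cloud_white.items():
            for region, ips in regions.items():
                bucket = self.white.setdefault(domain, {}).setdefault(region, set())
                bucket.update(_ips(ips))
        for domain, ips in cloud_black.items():
            self.black.setdefault(domain, set()).update(_ips(ips))

    def classify(self, domain, ip):
        """Local whitelist, then local blacklist, then the cloud scan."""
        addr = ipaddress.ip_address(ip)
        if any(addr in ips for ips in self.white.get(domain, {}).values()):
            return NOT_HIJACKED, "local"
        if addr in self.black.get(domain, set()) or addr in self.black.get(ALL_DOMAINS, set()):
            return HIJACKED, "local"
        # Only undecided answers cost a round trip to the cloud server.
        return self.cloud_scan(domain, str(addr)), "cloud"

    def repair(self, domain, region):
        """Pick a white IP recorded for the requester's region, if any."""
        candidates = self.white.get(domain, {}).get(region)
        return str(min(candidates, key=str)) if candidates else None

    def handle(self, domain, ip, region):
        """Return the address handed back to the requester."""
        verdict, _source = self.classify(domain, ip)
        if verdict != HIJACKED:
            return ip  # not judged hijacked: released unchanged
        return self.repair(domain, region)


def demo_guard():
    """Constructed sample data; the cloud server is replaced by a stub."""
    calls = []

    def cloud_scan(domain, ip):
        calls.append((domain, ip))
        return HIJACKED if ip == "198.51.100.7" else UNKNOWN

    guard = ResolutionGuard(cloud_scan)
    guard.update_lists(
        cloud_white={"shop.example": {"region-a": ["192.0.2.10"],
                                      "region-b": ["192.0.2.20"]}},
        cloud_black={ALL_DOMAINS: ["203.0.113.66"]},
    )
    return guard, calls


if __name__ == "__main__":
    guard, calls = demo_guard()
    print(guard.handle("shop.example", "203.0.113.66", "region-a"))
    print(guard.handle("shop.example", "198.51.100.7", "region-b"), calls)
```
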
Fig. 4 shows a functional block diagram of a domain name resolution protection system according to an embodiment of the invention. As shown in Fig. 4, the domain name resolution protection system includes a cloud server 400 and the domain name resolution protection device 300 shown in Fig. 3.
The cloud server 400 is adapted to: receive the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device 300, perform cloud scan processing according to the domain name information and/or the IP address to obtain a cloud scan result, and return the cloud scan result to the domain name resolution protection device 300.
The cloud server 400 includes a cloud IP scan module 410 and a web page scan module 420.
The cloud IP scan module 410 is adapted to judge whether the IP address included in the domain name resolution result belongs to the cloud IP address whitelist and/or the cloud IP address blacklist; if the IP address belongs to the cloud IP address whitelist, to obtain a cloud scan result stating that the domain name resolution result is not hijacked data; if the IP address belongs to the cloud IP address blacklist, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
Because the local IP address whitelist and/or the local IP address blacklist are not updated in real time, the cloud IP address whitelist and/or the cloud IP address blacklist are more up to date and their data is also more comprehensive. The cloud IP scan module 410 first judges, from the IP address included in the domain name resolution result, whether that IP address belongs to the cloud IP address whitelist. If it does, the cloud IP scan module 410 obtains a cloud scan result stating that the domain name resolution result is not hijacked data. If the cloud IP scan module 410 judges that the IP address does not belong to the cloud IP address whitelist, it then judges whether the IP address belongs to the cloud IP address blacklist. If it does, the cloud IP scan module 410 obtains a cloud scan result stating that the domain name resolution result is hijacked data. If the cloud IP scan module 410 judges that the IP address belongs neither to the cloud IP address whitelist nor to the cloud IP address blacklist, the web page scan module 420 is executed.
The web page scan module 420 is adapted to send the domain name resolution request carrying the domain name information to a preconfigured DNS server that belongs to a DNS server whitelist, and obtain the secure IP address produced by the DNS resolution; download a first page according to the secure IP address, the first page being the page corresponding to the secure IP address; make a network request according to the IP address included in the domain name resolution result and the sender's host information, and download a second page, the second page being the page corresponding to that IP address; and compare the first page with the second page and obtain the cloud scan result according to the similarity comparison result of the pages.
The web page scan module 420 sends the domain name resolution request carrying the domain name information to a preconfigured DNS server that belongs to the DNS server whitelist, and obtains the secure IP address produced by the DNS resolution. The web page scan module 420 downloads the first page according to the secure IP address. The first page is the page corresponding to the secure IP address; it can be the home page of the website corresponding to the secure IP address. The web page scan module 420 makes a network request according to the IP address included in the domain name resolution result and the sender's host information, and downloads the second page. The second page is the page corresponding to that IP address; it can be the home page of the website corresponding to that IP address. The web page scan module 420 compares the first page with the second page and obtains the cloud scan result according to the similarity comparison result of the pages.
When comparing the first page with the second page, the web page scan module 420 can parse the first page and the second page separately to obtain their respective DOM trees. The web page scan module 420 compares the individual tree nodes of the two DOM trees to obtain the similarity comparison result of the two pages. The similarity comparison result includes a difference value between the first page and the second page. If the difference value is greater than a preset threshold, such as 20%, the web page scan module 420 considers the first page and the second page dissimilar; otherwise, it considers them similar. In addition, the web page scan module 420 can also compare the first page and the second page in other ways to obtain the similarity comparison result of the pages; this is not limited here.
The web page scan module 420 derives the cloud scan result from the similarity comparison result of the two pages together with the HTTP status codes of the first page and the second page. If the HTTP status code of the second page is not 200, i.e., access to the second page failed (for example, the HTTP status code is 404 or 503), it is quite likely that the domain name resolution result is hijacked data. The web page scan module 420 then needs to examine the similarity comparison result further. If the similarity comparison result is that the first page and the second page are dissimilar, the web page scan module 420 obtains a cloud scan result stating that the domain name resolution result is hijacked data. If the HTTP status code of the second page is 200, i.e., access to the second page succeeded, and the similarity comparison result is that the first page and the second page are similar, the web page scan module 420 obtains a cloud scan result stating that the domain name resolution result is not hijacked data. Alternatively, if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is that the first page and the second page are dissimilar, the web page scan module 420 obtains a cloud scan result stating that the domain name resolution result is hijacked data. Alternatively, if the HTTP status code of the second page is the same as the HTTP status code of the first page and the similarity comparison result is that the first page and the second page are similar, the web page scan module 420 obtains a cloud scan result stating that the domain name resolution result is not hijacked data.
If the HTTP status code of the second page is not 200 but the similarity comparison result is that the first page and the second page are similar, or if the HTTP status code of the second page differs from the HTTP status code of the first page but the similarity comparison result is that the first page and the second page are similar, the web page scan module 420 needs to perform further verification to obtain a cloud scan result stating whether the domain name resolution result is hijacked data.
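The page comparison and status-code decision performed by the web page scan module 420 can be illustrated as below. This is an added example, not code from the patent: the difference metric (share of root-to-node tag paths that find no match in the other page) is one assumed way to compare DOM tree nodes, and because the description lists its status-code rules as alternatives, the example combines them conservatively, returning a definite verdict only where every rule agrees and "needs_verification" otherwise. The three pages are constructed samples.

```python
from collections import Counter
from html.parser import HTMLParser

DIFF_THRESHOLD = 0.20  # the 20% example threshold from the description
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class DomPathCollector(HTMLParser):
    """Records one root-to-node tag path per element, e.g. 'html/body/div'."""

    def __init__(self):
        super().__init__()
        self.stack = []
        self.paths = Counter()

    def handle_starttag(self, tag, attrs):
        self.paths["/".join(self.stack + [tag])] += 1
        if tag not in VOID_TAGS:  # void elements never get a closing tag
            self.stack.append(tag)

    def handle_endtag(self, tag):
        # Tolerate unbalanced markup: unwind to the matching open tag, if any.
        if tag in self.stack:
            while self.stack and self.stack.pop() != tag:
                pass


def dom_paths(html):
    collector = DomPathCollector()
    collector.feed(html)
    collector.close()
    return collector.paths


def difference_value(first_html, second_html):
    """0.0 means identical tag structure, 1.0 means no node in common."""
    a, b = dom_paths(first_html), dom_paths(second_html)
    largest = max(sum(a.values()), sum(b.values()))
    if largest == 0:
        return 0.0
    matched = sum((a & b).values())  # multiset intersection of node paths
    return 1.0 - matched / largest


def cloud_scan_verdict(first_status, second_status, first_html, second_html):
    similar = difference_value(first_html, second_html) <= DIFF_THRESHOLD
    status_suspicious = second_status != 200 or second_status != first_status
    if not similar and status_suspicious:
        return "hijacked"
    if similar and not status_suspicious:
        return "not_hijacked"
    return "needs_verification"  # similar but odd status, or a case the text leaves open


# Constructed sample pages (not taken from any real site).
SAFE_PAGE = """<html><head><title>Example Shop</title><meta charset="utf-8"></head>
<body><div id="nav"><a href="/">Home</a><a href="/cart">Cart</a></div>
<div id="main"><h1>Welcome</h1><p>Daily offers</p><img src="/logo.png"></div>
</body></html>"""

SAME_LAYOUT_PAGE = """<html><head><title>Example Shop</title><meta charset="utf-8"></head>
<body><div id="nav"><a href="/">Start</a><a href="/basket">Basket</a></div>
<div id="main"><h1>Hello</h1><p>Weekly offers</p><img src="/logo2.png"></div>
</body></html>"""

INJECTED_PAGE = """<html><head><title>Loading</title></head>
<body><iframe src="http://ads.invalid/frame"></iframe>
<script src="http://ads.invalid/a.js"></script></body></html>"""

if __name__ == "__main__":
    print(difference_value(SAFE_PAGE, INJECTED_PAGE))
    print(cloud_scan_verdict(200, 404, SAFE_PAGE, INJECTED_PAGE))
```
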
Because IP addresses are of different types, the cloud server 400 also includes a download rule module 430. Before downloading, the download rule module 430 can preset download rules for the first page and/or the second page according to the type of the IP address, so that when the first page and the second page are compared, the web page scan module 420 can download pages that are easier to compare.
For the description of the domain name resolution protection device, refer to the description of the embodiment of Fig. 3, which is not repeated here.
According to the domain name resolution protection system provided by the invention, the domain name resolution request carrying domain name information is sent to the DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the domain name resolution result is analyzed according to local rules and/or the cloud scan result to judge whether it is hijacked data; if so, the domain name resolution result is repaired and the repaired domain name resolution result is returned. By intercepting the returned domain name resolution result, a barrier is built between the user and the DNS server, ensuring network security. Analyzing the domain name resolution result according to local rules and/or the cloud scan result makes it possible to judge promptly and proactively whether the domain name resolution result has been hijacked, makes the judgment more accurate, and improves the effectiveness of the analysis. After the judgment, the domain name resolution result is repaired and the correct domain name resolution result is returned, so that network security is ensured without affecting the user's normal use, and domain name resolution is effectively protected.
The present application also provides a non-volatile computer storage medium. The computer storage medium stores at least one executable instruction, and the computer-executable instruction can perform the domain name resolution protection method of any of the above method embodiments.
Fig. 5 shows a schematic structural diagram of a computing device according to an embodiment of the invention; the specific embodiments of the invention do not limit the specific implementation of the computing device.
As shown in Fig. 5, the computing device can include: a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
Wherein:
The processor 502, the communication interface 504 and the memory 506 communicate with one another via the communication bus 508.
The communication interface 504 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 502 is used to execute the program 510, and can specifically perform the relevant steps of the above domain name resolution protection method embodiments.
Specifically, the program 510 can include program code, and the program code includes computer operation instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the invention. The one or more processors included in the computing device can be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory.
The program 510 can specifically be used to cause the processor 502 to perform the following operations:
In an optional embodiment, the program 510 is used to cause the processor 502 to send the domain name resolution request carrying domain name information to the DNS server for resolution and intercept the domain name resolution result returned by the DNS server; analyze the domain name resolution result according to local rules and/or the cloud scan result and judge whether the domain name resolution result is hijacked data; and if so, repair the domain name resolution result and return the repaired domain name resolution result.
In an optional embodiment, the program 510 is used to cause the processor 502 to hook the remote procedure call protocol request function with a forged function and send the domain name resolution request carrying domain name information to the DNS server for resolution; and to set a callback function to intercept the domain name resolution result returned by the DNS server.
In an optional embodiment, the program 510 is used to cause the processor 502, after the driver intercepts the domain name resolution result, to pass the domain name resolution result asynchronously to privilege level 3 for analysis.
In an optional embodiment, the program 510 is used to cause the processor 502 to judge whether the IP address included in the domain name resolution result belongs to the local IP address whitelist and/or the local IP address blacklist; if the IP address belongs to the local IP address whitelist, to judge that the domain name resolution result is not hijacked data; if the IP address belongs to the local IP address blacklist, to judge that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to periodically download the cloud IP address whitelist and/or the cloud IP address blacklist from the cloud server, and to update the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
In an optional embodiment, the program 510 is used to cause the processor 502 to send the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result; and to judge, according to the cloud scan result, whether the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to judge whether the IP address included in the domain name resolution result belongs to the cloud IP address whitelist and/or the cloud IP address blacklist; if the IP address belongs to the cloud IP address whitelist, to obtain a cloud scan result stating that the domain name resolution result is not hijacked data; if the IP address belongs to the cloud IP address blacklist, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to send the domain name resolution request carrying domain name information to a preconfigured DNS server that belongs to the DNS server whitelist, and obtain the secure IP address produced by the DNS resolution; download a first page according to the secure IP address, the first page being the page corresponding to the secure IP address; make a network request according to the IP address included in the domain name resolution result and the sender's host information, and download a second page, the second page being the page corresponding to that IP address; and compare the first page with the second page and obtain the cloud scan result according to the similarity comparison result of the pages.
In an optional embodiment, the program 510 is used to cause the processor 502 to obtain the similarity comparison result of the first page and the second page, as well as the HTTP status code of the first page and the HTTP status code of the second page; and to obtain the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page.
In an optional embodiment, the program 510 is used to cause the processor 502, if the HTTP status code of the second page is not 200 and the similarity comparison result is dissimilar, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502, if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is dissimilar, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to preset download rules for the first page and/or the second page according to the type of the IP address.
In an optional embodiment, the program 510 is used to cause the processor 502 to perform, by a first process, the step of analyzing the domain name resolution result according to local rules and/or the cloud scan result and judging whether the domain name resolution result is hijacked data; and to perform, by a second process, the step of repairing the domain name resolution result and returning the repaired domain name resolution result; where the first process and the second process operate asynchronously.
In an optional embodiment, the program 510 is used to cause the processor 502 to obtain, according to the region information carried in the domain name resolution request, the white IP address corresponding to the region information; and to repair the domain name resolution result with the white IP address and return the repaired domain name resolution result.
For the specific implementation of each step in the program 510, refer to the corresponding descriptions of the corresponding steps and units in the above domain name resolution protection embodiments, which are not repeated here. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above can be found in the corresponding process descriptions in the foregoing method embodiments, and are not repeated here.
With the scheme provided by this embodiment, the domain name resolution request carrying domain name information is sent to the DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the domain name resolution result is analyzed according to local rules and/or the cloud scan result to judge whether it is hijacked data; if so, the domain name resolution result is repaired and the repaired domain name resolution result is returned. By intercepting the returned domain name resolution result, a barrier is built between the user and the DNS server, ensuring network security. Analyzing the domain name resolution result according to local rules and/or the cloud scan result makes it possible to judge promptly and proactively whether the domain name resolution result has been hijacked, makes the judgment more accurate, and improves the effectiveness of the analysis. After the judgment, the domain name resolution result is repaired and the correct domain name resolution result is returned, so that network security is ensured without affecting the user's normal use, and domain name resolution is effectively protected.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct such systems is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It is to be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid the understanding of one or more of the various inventive aspects, features of the invention are sometimes grouped together into a single embodiment, figure or description thereof in the above description of exemplary embodiments of the invention. However, the disclosed method should not be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments can be combined into one module or unit or component, and they can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, equivalent or similar purpose.
In addition, those skilled in the art will understand that although some embodiments described herein include certain features that are included in other embodiments and not other features, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the domain name resolution protection device according to embodiments of the invention. The invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words can be interpreted as names.
The invention discloses:A1. a kind of domain name mapping means of defence, it includes:
The domain name mapping for carrying domain-name information request is sent into dns server to be parsed, dns server is intercepted and returns The domain name mapping result returned;
Domain name analysis result is analyzed according to home town ruling and/or cloud killing result, judges domain name solution Analyse whether result is the data being held as a hostage;
If so, being repaired to domain name analysis result, and return to the domain name mapping result after repairing.
A2. the method according to A1, wherein, it is described that the domain name mapping for carrying domain-name information request is sent to DNS Server is parsed, and is intercepted the domain name mapping result that dns server returns and is further comprised:
Remote procedure call protocol request function is hooked up using function is forged, please by the domain name mapping for carrying domain-name information Ask and be sent to dns server and parsed;
Call back function is set to intercept the domain name mapping result that the dns server returns.
A3. the method according to A1 or A2, wherein, the foundation home town ruling and/or cloud killing result are to the domain Name analysis result carries out analysis and further comprised:
After driver intercepts domain name analysis result, domain name analysis result is passed using asynchronous system Level of privilege 3 is handed to be analyzed.
A4. the method according to any one of A1-A3, wherein, described parsed according to home town ruling to domain name is tied Fruit is analyzed, and judges whether domain name analysis result is that the data being held as a hostage further comprise:
Whether the IP address that judging domain name analysis result includes belongs to local ip address white list and/or local IP Address blacklist;
If IP address belongs to local ip address white list, judge that domain name analysis result is not the data being held as a hostage;
If IP address belongs to local ip address blacklist, judge that domain name analysis result is the data being held as a hostage.
A5. the method according to A4, wherein, methods described also includes:
Timing downloads high in the clouds IP address white list and/or high in the clouds IP address blacklist from cloud server;
According to high in the clouds IP address white list and/or high in the clouds IP address blacklist, local ip address white list and/or sheet are updated Ground IP address blacklist.
A6. The method according to any one of A1-A3, wherein analyzing the domain name resolution result according to a cloud scan result and judging whether the domain name resolution result is hijacked data further comprises:
sending the domain name information and/or the IP address included in the domain name resolution result to a cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result;
judging, according to the cloud scan result, whether the domain name resolution result is hijacked data.
A7. The method according to A6, wherein the cloud server performing cloud scan processing according to the IP address and obtaining the cloud scan result further comprises:
judging whether the IP address included in the domain name resolution result belongs to a cloud IP address whitelist and/or a cloud IP address blacklist;
if the IP address belongs to the cloud IP address whitelist, obtaining a cloud scan result that the domain name resolution result is not hijacked data;
if the IP address belongs to the cloud IP address blacklist, obtaining a cloud scan result that the domain name resolution result is hijacked data.
A8. The method according to A6, wherein the cloud server performing cloud scan processing according to the domain name information and/or the IP address and obtaining the cloud scan result further comprises:
sending the domain name resolution request carrying the domain name information to a pre-configured DNS server that belongs to a DNS server whitelist, and obtaining the secure IP address produced by the DNS resolution;
downloading a first page according to the secure IP address, the first page being the page corresponding to the secure IP address;
making a network request according to the IP address included in the domain name resolution result and the sender host information, and downloading a second page, the second page being the page corresponding to the IP address;
comparing the first page with the second page, and obtaining the cloud scan result according to the page similarity comparison result.
A9. The method according to A8, wherein comparing the first page with the second page and obtaining the cloud scan result according to the page similarity comparison result further comprises:
obtaining the similarity comparison result of the first page and the second page, together with the HTTP status code of the first page and the HTTP status code of the second page;
obtaining the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page.
A10. The method according to A9, wherein obtaining the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page further comprises:
if the HTTP status code of the second page is not 200 and the similarity comparison result is dissimilar, obtaining a cloud scan result that the domain name resolution result is hijacked data.
A11. The method according to A9, wherein obtaining the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page further comprises:
if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is dissimilar, obtaining a cloud scan result that the domain name resolution result is hijacked data.
A12. The method according to any one of A8-A11, wherein the method further comprises:
presetting download rules for the first page and/or the second page according to the type of the IP address.
A13. The method according to any one of A1-A12, wherein the step of analyzing the domain name resolution result according to local rules and/or a cloud scan result and judging whether the domain name resolution result is hijacked data is performed by a first process;
the step of repairing the domain name resolution result and returning the repaired domain name resolution result is performed by a second process;
wherein the first process and the second process operate asynchronously.
A14. The method according to any one of A1-A13, wherein repairing the domain name resolution result and returning the repaired domain name resolution result further comprises:
obtaining, according to the region information carried in the domain name resolution request, a whitelisted IP address corresponding to the region information;
repairing the domain name resolution result using the whitelisted IP address, and returning the repaired domain name resolution result.
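The local check of A4, the list refresh of A5 and the region-based repair of A14 can be sketched as follows. This is an added example, not code from the patent: the result dictionary layout, the region names, the `(domain, region)` lookup table, the "unknown" verdict that defers to the cloud check of A6, and the fail-closed `None` return are all assumptions, and matching CIDR blocks and multi-answer results goes beyond the single-IP case in the text.

```python
import ipaddress
from dataclasses import dataclass

CLEAN, HIJACKED, UNKNOWN = "clean", "hijacked", "unknown"


def to_networks(entries):
    """Parse single IPs or CIDR blocks into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


@dataclass
class LocalRules:
    white: list
    black: list

    @classmethod
    def from_lists(cls, white, black):
        return cls(to_networks(white), to_networks(black))

    def refresh(self, cloud_white, cloud_black):
        """A5: overwrite the local lists with the lists downloaded from the cloud."""
        # Parse both lists first so a malformed download leaves the old rules intact.
        white, black = to_networks(cloud_white), to_networks(cloud_black)
        self.white, self.black = white, black

    def classify(self, ips):
        """A4: blacklist hit -> hijacked; every answer whitelisted -> clean."""
        addrs = [ipaddress.ip_address(ip) for ip in ips]
        if any(a in net for a in addrs for net in self.black):
            return HIJACKED
        if addrs and all(any(a in net for net in self.white) for a in addrs):
            return CLEAN
        return UNKNOWN  # assumption: undecided answers go to the cloud check (A6)


def repair(result, region, safe_ips):
    """A14: swap the answers for the whitelisted IP of the requester's region."""
    good = safe_ips.get((result["name"], region))
    if good is None:
        return None  # assumption: fail closed when no whitelisted IP is known
    return {**result, "answers": [good], "repaired": True}


def protect(result, region, rules, safe_ips, cloud_scan=None):
    """Judge an intercepted result and repair it if it is judged hijacked."""
    verdict = rules.classify(result["answers"])
    if verdict == UNKNOWN and cloud_scan is not None:
        verdict = cloud_scan(result["name"], result["answers"])
    if verdict == HIJACKED:
        return verdict, repair(result, region, safe_ips)
    return verdict, result


# Constructed sample data (RFC 5737 documentation ranges, hypothetical regions).
RULES = LocalRules.from_lists(white=["198.51.100.0/24"], black=["203.0.113.66"])
SAFE_IPS = {
    ("example.com", "north"): "198.51.100.10",
    ("example.com", "south"): "198.51.100.20",
}

if __name__ == "__main__":
    for answers in (["198.51.100.10"], ["203.0.113.66"], ["192.0.2.7"]):
        intercepted = {"name": "example.com", "answers": answers}
        print(answers, "->", protect(intercepted, "south", RULES, SAFE_IPS))
```

A blacklist hit takes precedence over whitelist membership, so a response that mixes a good and a bad address is still repaired.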
The invention also discloses: B15. A domain name resolution protection device, comprising:
an interception module, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution, and to intercept the domain name resolution result returned by the DNS server;
an analysis and judgment module, adapted to analyze the domain name resolution result according to local rules and/or a cloud scan result, and to judge whether the domain name resolution result is hijacked data;
a repair module, adapted to repair the domain name resolution result and return the repaired domain name resolution result if the analysis and judgment module judges that the domain name resolution result is hijacked data.
B16. The device according to B15, wherein the interception module is further adapted to:
hook the remote procedure call protocol request function with a forged function, and send the domain name resolution request carrying the domain name information to the DNS server for resolution; and set a callback function to intercept the domain name resolution result returned by the DNS server.
B17. The device according to B15 or B16, wherein the analysis and judgment module is further adapted to:
after a driver intercepts the domain name resolution result, pass the domain name resolution result asynchronously to privilege level 3 for analysis.
B18. The device according to any one of B15-B17, wherein the analysis and judgment module further comprises:
a local judgment module, adapted to judge whether the IP address included in the domain name resolution result belongs to a local IP address whitelist and/or a local IP address blacklist; if the IP address belongs to the local IP address whitelist, to judge that the domain name resolution result is not hijacked data; and if the IP address belongs to the local IP address blacklist, to judge that the domain name resolution result is hijacked data.
B19. The device according to B18, wherein the device further comprises:
a scheduled update module, adapted to periodically download a cloud IP address whitelist and/or a cloud IP address blacklist from a cloud server, and to update the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
B20. The device according to any one of B15-B17, wherein the analysis and judgment module further comprises:
a cloud scan result acquisition module, adapted to send the domain name information and/or the IP address included in the domain name resolution result to a cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result; and to judge, according to the cloud scan result, whether the domain name resolution result is hijacked data.
B21. The device according to any one of B15-B20, wherein the analysis and judgment module is run by a first process;
the repair module is run by a second process;
wherein the first process and the second process operate asynchronously.
B22. The device according to any one of B15-B21, wherein the repair module is further adapted to:
obtain, according to the region information carried in the domain name resolution request, a whitelisted IP address corresponding to the region information; and repair the domain name resolution result using the whitelisted IP address and return the repaired domain name resolution result.
The invention also discloses: C23. A domain name resolution protection system, comprising: a cloud server and the domain name resolution protection device according to any one of B15-B22;
the cloud server is adapted to: receive the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device, perform cloud scan processing according to the domain name information and/or the IP address to obtain a cloud scan result, and return the cloud scan result to the domain name resolution protection device.
C24. The system according to C23, wherein the cloud server comprises:
a cloud IP scan module, adapted to judge whether the IP address included in the domain name resolution result belongs to a cloud IP address whitelist and/or a cloud IP address blacklist; if the IP address belongs to the cloud IP address whitelist, to obtain a cloud scan result that the domain name resolution result is not hijacked data; and if the IP address belongs to the cloud IP address blacklist, to obtain a cloud scan result that the domain name resolution result is hijacked data.
C25. The system according to C23, wherein the cloud server comprises:
a web page scan module, adapted to send the domain name resolution request carrying the domain name information to a pre-configured DNS server that belongs to a DNS server whitelist, and obtain the secure IP address produced by the DNS resolution; download a first page according to the secure IP address, the first page being the page corresponding to the secure IP address; make a network request according to the IP address included in the domain name resolution result and the sender host information, and download a second page, the second page being the page corresponding to the IP address; and compare the first page with the second page and obtain the cloud scan result according to the page similarity comparison result.
C26. The system according to C25, wherein the web page scan module is further adapted to:
obtain the similarity comparison result of the first page and the second page, together with the HTTP status code of the first page and the HTTP status code of the second page; and obtain the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page.
C27. The system according to C25, wherein the web page scan module is further adapted to:
if the HTTP status code of the second page is not 200 and the similarity comparison result is dissimilar, obtain a cloud scan result that the domain name resolution result is hijacked data.
C28. The system according to C25, wherein the web page scan module is further adapted to:
if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is dissimilar, obtain a cloud scan result that the domain name resolution result is hijacked data.
C29. The system according to any one of C25-C28, wherein the cloud server further comprises:
a download rule module, adapted to preset download rules for the first page and/or the second page according to the type of the IP address.
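The page comparison performed on the cloud server (A8-A11, C25-C28) reduces to the decision function below, shown here as an added example that is not code from the patent. The similarity metric (difflib ratio over visible text), the 0.8 threshold, the `Page` type and the "not_flagged" verdict for cases that neither A10 nor A11 covers are assumptions; the sample pages are constructed and embedded so nothing is fetched over the network.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass
class Page:
    status: int  # HTTP status code of the download
    body: str    # response body


def visible_text(html):
    """Drop scripts, styles and tags so per-request tokens do not skew the score."""
    html = re.sub(r"(?is)<(script|style)\b.*?</\1\s*>", " ", html)
    text = re.sub(r"(?s)<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", text).strip().lower()


def is_similar(first, second, threshold=0.8):
    """Assumed metric: difflib ratio over visible text; the patent names no metric."""
    a, b = visible_text(first.body), visible_text(second.body)
    return SequenceMatcher(None, a, b).ratio() >= threshold


def cloud_verdict(first, second, threshold=0.8):
    """first: page from the secure IP; second: page from the IP under test."""
    if is_similar(first, second, threshold):
        return "not_flagged", "pages are similar"
    if second.status != 200:
        return "hijacked", "A10: second page status is not 200 and pages differ"
    if second.status != first.status:
        return "hijacked", "A11: status codes differ and pages differ"
    # Dissimilar content with a matching 200 status satisfies neither A10 nor A11.
    return "not_flagged", "pages differ but neither status rule fires"


# Constructed sample pages.
BANK = ("<html><head><title>Example Bank</title><script>var t='a1';</script>"
        "</head><body><h1>Example Bank</h1><p>Sign in to online banking to "
        "view accounts and make payments.</p></body></html>")
BANK_RELOAD = BANK.replace("a1", "zz9")  # same page, different script token
AD = ("<html><body><h1>Win a prize</h1>"
      "<p>Click here to claim your free reward now!</p></body></html>")
REDIRECT = "<html><body>Moved</body></html>"
NOT_FOUND = "<html><body>Not Found</body></html>"

if __name__ == "__main__":
    reference = Page(200, BANK)
    for label, page in [("reload", Page(200, BANK_RELOAD)),
                        ("redirect", Page(302, REDIRECT)),
                        ("ad, 200", Page(200, AD))]:
        print(label, "->", cloud_verdict(reference, page))
```

The last sample shows the gap a deployment has to decide on: replaced content served with the same 200 status as the reference page trips neither status-code rule.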
The invention also discloses: D30. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is configured to store at least one executable instruction, and the executable instruction causes the computing device to perform the operations corresponding to the domain name resolution protection method according to any one of A1-A14.
The invention also discloses: E31. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes the computing device to perform the operations corresponding to the domain name resolution protection method according to any one of A1-A14.

Claims (10)

1. A domain name resolution protection method, comprising:
sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server;
analyzing the domain name resolution result according to local rules and/or a cloud scan result, and judging whether the domain name resolution result is hijacked data;
if so, repairing the domain name resolution result and returning the repaired domain name resolution result.
2. The method according to claim 1, wherein sending the domain name resolution request carrying the domain name information to the DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server, further comprises:
hooking the remote procedure call protocol request function with a forged function, and sending the domain name resolution request carrying the domain name information to the DNS server for resolution;
setting a callback function to intercept the domain name resolution result returned by the DNS server.
3. The method according to claim 1 or 2, wherein analyzing the domain name resolution result according to local rules and/or a cloud scan result further comprises:
after a driver intercepts the domain name resolution result, passing the domain name resolution result asynchronously to privilege level 3 for analysis.
4. The method according to any one of claims 1-3, wherein analyzing the domain name resolution result according to local rules and judging whether the domain name resolution result is hijacked data further comprises:
judging whether the IP address included in the domain name resolution result belongs to a local IP address whitelist and/or a local IP address blacklist;
if the IP address belongs to the local IP address whitelist, judging that the domain name resolution result is not hijacked data;
if the IP address belongs to the local IP address blacklist, judging that the domain name resolution result is hijacked data.
5. The method according to claim 4, wherein the method further comprises:
periodically downloading a cloud IP address whitelist and/or a cloud IP address blacklist from a cloud server;
updating the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
6. The method according to any one of claims 1-3, wherein analyzing the domain name resolution result according to a cloud scan result and judging whether the domain name resolution result is hijacked data further comprises:
sending the domain name information and/or the IP address included in the domain name resolution result to a cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result;
judging, according to the cloud scan result, whether the domain name resolution result is hijacked data.
7. A domain name resolution protection device, comprising:
an interception module, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution, and to intercept the domain name resolution result returned by the DNS server;
an analysis and judgment module, adapted to analyze the domain name resolution result according to local rules and/or a cloud scan result, and to judge whether the domain name resolution result is hijacked data;
a repair module, adapted to repair the domain name resolution result and return the repaired domain name resolution result if the analysis and judgment module judges that the domain name resolution result is hijacked data.
8. A domain name resolution protection system, comprising: a cloud server and the domain name resolution protection device according to claim 7;
the cloud server is adapted to: receive the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device, perform cloud scan processing according to the domain name information and/or the IP address to obtain a cloud scan result, and return the cloud scan result to the domain name resolution protection device.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another via the communication bus;
the memory is configured to store at least one executable instruction, and the executable instruction causes the computing device to perform the operations corresponding to the domain name resolution protection method according to any one of claims 1-6.
10. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes the computing device to perform the operations corresponding to the domain name resolution protection method according to any one of claims 1-6.
CN201710915052.5A 2017-09-30 2017-09-30 Domain name resolution protection method, device, system, computing equipment and storage medium Active CN107623693B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710915052.5A CN107623693B (en) 2017-09-30 2017-09-30 Domain name resolution protection method, device, system, computing equipment and storage medium

Publications (2)

Publication Number Publication Date
CN107623693A true CN107623693A (en) 2018-01-23
CN107623693B CN107623693B (en) 2021-03-19

Family

ID=61091821

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710915052.5A Active CN107623693B (en) 2017-09-30 2017-09-30 Domain name resolution protection method, device, system, computing equipment and storage medium

Country Status (1)

Country Link
CN (1) CN107623693B (en)

Also Published As

Publication number Publication date
CN107623693B (en) 2021-03-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20220913

Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000

Patentee after: 3600 Technology Group Co.,Ltd.

Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park)

Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd.