CN107623693A - Domain name resolution protection method and apparatus, system, computing device, storage medium - Google Patents
- Publication number
- CN107623693A (application CN201710915052.5A)
- Authority
- CN
- China
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Abstract
The invention discloses a domain name resolution protection method and apparatus, system, computing device and storage medium. The method includes: sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server; analysing the domain name resolution result according to local rules and/or a cloud scan result, and judging whether the domain name resolution result is hijacked data; and, if so, repairing the domain name resolution result and returning the repaired result. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and safeguards network security. Analysing the domain name resolution result according to local rules and/or a cloud scan result makes the judgement of whether the result has been hijacked more accurate and improves the effectiveness of the analysis. After the judgement, the domain name resolution result is repaired and the correct result is returned, so that domain name resolution is effectively protected.
Description
Technical field
The present invention relates to the field of network security, and in particular to a domain name resolution protection method and apparatus, system, computing device and computer storage medium.
Background
DNS (Domain Name System) is often called the translator of the network. As the distributed database that maps domain names and IP addresses to each other on the Internet, it has become part of the Internet's basic infrastructure. DNS servers let users access the Internet more easily, without having to remember the numeric IP strings that machines read directly. A DNS server resolves a domain name into the form that machines use (the IP address); its existence makes it easy for users to reach web addresses and provides them with convenient network service.
As networks have grown, DNS has become necessary network infrastructure. However, DNS was designed for the early Internet and pursued efficiency without fully considering security. Its protocol architecture is completely open: there is no encryption and no access authentication, and query requests are not verified, all of which makes DNS difficult to manage. At the same time, DNS servers are growing ever larger and the DNS system is becoming increasingly fragile. These are the reasons DNS is vulnerable to attack and hijacking. The security problems of DNS pose a great threat to the Internet security of users. In fact, DNS has become a common means by which hackers and criminals attack users, and DNS hijacking is widespread.
A domain name resolution protection method is therefore needed to ensure the security of users' network access.
Summary of the invention
In view of the above problems, the present invention is proposed in order to provide a domain name resolution protection method and apparatus, computing device and computer storage medium that overcome the above problems or at least partially solve them.
According to one aspect of the invention, a domain name resolution protection method is provided, which includes:
sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server;
analysing the domain name resolution result according to local rules and/or a cloud scan result, and judging whether the domain name resolution result is hijacked data;
if so, repairing the domain name resolution result and returning the repaired domain name resolution result.
According to another aspect of the invention, a domain name resolution protection apparatus is provided, which includes:
an interception module, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution and to intercept the domain name resolution result returned by the DNS server;
an analysis and judgement module, adapted to analyse the domain name resolution result according to local rules and/or a cloud scan result and to judge whether the domain name resolution result is hijacked data;
a repair module, adapted to repair the domain name resolution result if so, and to return the repaired domain name resolution result.
According to another aspect of the invention, a domain name resolution protection system is provided, which includes a cloud server and the domain name resolution protection apparatus described above.
According to a further aspect of the invention, a computing device is provided, including a processor, a memory, a communication interface and a communication bus, where the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory is used to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the domain name resolution protection method described above.
According to a further aspect of the invention, a computer storage medium is provided, in which at least one executable instruction is stored, the executable instruction causing a processor to perform the operations corresponding to the domain name resolution protection method described above.
According to the domain name resolution protection method and apparatus, system, computing device and storage medium provided by the invention, a domain name resolution request carrying domain name information is sent to a DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the result is analysed according to local rules and/or a cloud scan result to judge whether it is hijacked data; if so, the result is repaired and the repaired result is returned. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and safeguards network security. Analysing the result according to local rules and/or a cloud scan result makes it possible to judge promptly and proactively whether the result has been hijacked, makes the judgement more accurate, and improves the effectiveness of the analysis. After the judgement, the result is repaired and the correct domain name resolution result is returned, so that network security is safeguarded without affecting the user's normal use, and domain name resolution is effectively protected.
The above is only an overview of the technical solution of the present invention. So that the technical means of the invention can be understood more clearly and implemented according to the content of the specification, and so that the above and other objects, features and advantages of the invention become more apparent, specific embodiments of the invention are set out below.
Brief description of the drawings
Various other advantages and benefits will become clear to those of ordinary skill in the art from reading the detailed description of the preferred embodiments below. The drawings serve only to illustrate the preferred embodiments and are not to be considered a limitation of the invention. Throughout the drawings, the same reference numerals denote the same parts. In the drawings:
Fig. 1 shows a flow chart of a domain name resolution protection method according to an embodiment of the invention;
Fig. 2 shows a flow chart of a domain name resolution protection method according to another embodiment of the invention;
Fig. 3 shows a functional block diagram of a domain name resolution protection apparatus according to an embodiment of the invention;
Fig. 4 shows a functional block diagram of a domain name resolution protection apparatus according to an embodiment of the invention;
Fig. 5 shows a structural diagram of a computing device according to an embodiment of the invention.
Detailed description
Exemplary embodiments of the disclosure are described in more detail below with reference to the drawings. Although the drawings show exemplary embodiments of the disclosure, it should be understood that the disclosure may be implemented in various forms and should not be limited by the embodiments set forth here. Rather, these embodiments are provided so that the disclosure can be understood more thoroughly and its scope conveyed completely to those skilled in the art.
Fig. 1 shows a flow chart of a domain name resolution protection method according to an embodiment of the invention. As shown in Fig. 1, the domain name resolution protection method includes the following steps:
Step S101: send a domain name resolution request carrying domain name information to a DNS server for resolution, and intercept the domain name resolution result returned by the DNS server.
A DNS server returns its answer directly after resolving a domain name resolution request. When DNS has been hijacked, the returned domain name resolution result may have been tampered with and no longer meets the user's real need. The result returned by the DNS server therefore has to be intercepted so that it can subsequently be analysed and judged, which avoids returning a hijacked domain name resolution result.
Specifically, when the domain name resolution request carrying domain name information is sent to the DNS server for resolution, a fake function can be used to hook the remote procedure call (RPC) protocol request function, through which the request is sent to the DNS server. For example, based on hook techniques, a Fakefunc function is constructed to hook the original RPC protocol request function, and a callback function is set up to intercept the domain name resolution result returned by the DNS server, so that the result is not returned directly.
Step S102: analyse the domain name resolution result according to local rules and/or a cloud scan result, and judge whether the domain name resolution result is hijacked data.
After the driver intercepts the domain name resolution result, this embodiment passes the result asynchronously to privilege level 3 for analysis. Different analysis strategies can be used for different operating system versions and different versions of the Internet protocol. In a concrete implementation, a special data structure can be custom-defined according to performance needs and used to analyse the domain name resolution result and obtain the corresponding data, such as IP address information.
In the analysis itself, the domain name resolution result can be analysed according to local rules, that is, rules formulated on the client. It can also be analysed according to the cloud scan result produced by a cloud server. Either way, the goal is to judge whether the domain name resolution result is hijacked data. If so, step S103 is performed; otherwise no processing is done, the data is released, and step S104 is performed.
Step S103: if so, repair the domain name resolution result.
When the domain name resolution result is judged to be hijacked data, it has to be repaired. For the repair, the region information carried in the earlier domain name resolution request is used: the cloud server screens the big data it has compiled by region information, domain name information and so on. Based on how normal users located in that region access the domain name, the cloud server obtains and returns the corresponding white IP address, so that the white IP address corresponding to the region information is obtained. For example, if normal users in a certain region A access a certain IP1 many times, IP1 is obtained. If a local IP address whitelist exists locally, the white IP address can be obtained from the information in it, such as region information, domain name information or operator information. The domain name resolution result is repaired using the white IP address obtained.
Step S104: return the domain name resolution result.
The repaired result, or the result that was not hijacked, is returned so that it can subsequently be used to access the corresponding page.
According to the domain name resolution protection method provided by the invention, a domain name resolution request carrying domain name information is sent to a DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the result is analysed according to local rules and/or a cloud scan result to judge whether it is hijacked data; if so, the result is repaired and the repaired result is returned. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and safeguards network security. Analysing the result according to local rules and/or a cloud scan result makes it possible to judge promptly and proactively whether the result has been hijacked, makes the judgement more accurate, and improves the effectiveness of the analysis. After the judgement, the result is repaired and the correct domain name resolution result is returned, so that network security is safeguarded without affecting the user's normal use, and domain name resolution is effectively protected.
Fig. 2 shows a flow chart of a domain name resolution protection method according to another embodiment of the invention. As shown in Fig. 2, the domain name resolution protection method includes the following steps:
Step S201: send a domain name resolution request carrying domain name information to a DNS server for resolution, and intercept the domain name resolution result returned by the DNS server.
For this step, refer to the description of step S101 in the embodiment of Fig. 1; it is not repeated here.
Step S202: judge according to local rules whether the IP address contained in the domain name resolution result belongs to the local IP address whitelist.
If the IP address belongs to the local IP address whitelist, the domain name resolution result is judged not to be hijacked data; no processing is needed, the result is released directly, and step S206 is performed. If the IP address does not belong to the local IP address whitelist, step S203 is performed.
Step S203: judge according to local rules whether the IP address contained in the domain name resolution result belongs to the local IP address blacklist.
If the IP address belongs to the local IP address blacklist, the domain name resolution result is judged to be hijacked data, and step S205 is performed. If the IP address does not belong to the local IP address blacklist, step S204 has to be performed next, in which the domain name resolution result is analysed further according to the various cloud scan results.
The order in which steps S202 and S203 are executed is not limited. The local IP address whitelist and/or local IP address blacklist need to be refreshed regularly: the cloud IP address whitelist and/or cloud IP address blacklist are downloaded from the cloud server at regular intervals and used to update the local IP address whitelist and/or local IP address blacklist, which ensures that the local list data is comprehensive.
The cloud IP address whitelist can be built by deploying probe points in each data center that send domain name resolution requests to one or more known white DNS servers; the corresponding white IP addresses obtained are added to the cloud IP address whitelist. To increase the number of white IP addresses, the same domain name resolution request can also be sent to multiple white DNS servers and the combined set of all resolution results taken. Alternatively, each white IP address (including the corresponding region information, operator and other information) is calculated from tracking points in logs such as those of Net Shield and added to the cloud IP address whitelist.
The cloud IP address blacklist can be collected by a big data operations platform. The collection covers black IP addresses that apply to individual domain names and black IP addresses that apply to all domain names.
Step S204: analyse the domain name resolution result according to the cloud scan result, and judge whether the domain name resolution result is hijacked data.
When analysis according to local rules cannot determine whether the domain name resolution result is hijacked data, the judgement can be made according to the cloud scan result. To obtain it, the domain name information, the IP address contained in the domain name resolution result and so on are sent to the cloud server, which performs cloud scan processing on the domain name information, IP address and other information and produces the cloud scan result.
Because the local IP address whitelist and/or local IP address blacklist are not updated in real time, the cloud IP address whitelist and/or cloud IP address blacklist are more current and their data more comprehensive. The cloud server first judges the IP address contained in the domain name resolution result, checking whether it belongs to the cloud IP address whitelist. If it does, the cloud scan result is that the domain name resolution result is not hijacked data. If it does not, the cloud server checks whether the IP address belongs to the cloud IP address blacklist. If it does, the cloud scan result is that the domain name resolution result is hijacked data. Whether the domain name resolution result is hijacked data is then judged from the cloud scan result.
If the IP address belongs to neither the cloud IP address whitelist nor the cloud IP address blacklist, the domain name resolution request carrying the domain name information is additionally sent to a DNS server in a preconfigured DNS server whitelist, and the secure IP address obtained by that DNS resolution is retrieved. A first page is downloaded from the secure IP address. The first page is the page corresponding to the secure IP address, and can be the home page of the website corresponding to the secure IP address. A network request is then made using the IP address contained in the domain name resolution result and the sender's host information, and a second page is downloaded. The second page is the page corresponding to that IP address, and can be the home page of the website corresponding to that IP address. The first page and the second page are compared, and the cloud scan result is obtained from the page similarity comparison result.
To compare the first page and the second page, both pages can be parsed to obtain their respective DOM trees. Comparing the tree nodes of the two DOM trees yields the similarity comparison result of the two pages, which includes a difference value between the first page and the second page. If the difference value is greater than a predetermined threshold, such as 20%, the first page and the second page are considered dissimilar; otherwise they are considered similar. Other methods can also be used to compare the first page and the second page and obtain the page similarity comparison result; no limitation is imposed here.
The judgement uses the similarity comparison result of the two pages together with the HTTP status code of the first page and the HTTP status code of the second page. If the HTTP status code of the second page is not 200, that is, access to the second page failed (for example the status code is 404, 503 and so on), it is very likely that the domain name resolution result is hijacked data, and the similarity comparison result has to be examined further. If the similarity comparison result is that the first page and the second page are dissimilar, the cloud scan result is that the domain name resolution result is hijacked data. If the HTTP status code of the second page is 200, that is, access to the second page succeeded, and the similarity comparison result is that the first page and the second page are similar, the cloud scan result is that the domain name resolution result is not hijacked data. Alternatively, if the HTTP status code of the second page differs from that of the first page and the similarity comparison result is that the two pages are dissimilar, the cloud scan result is that the domain name resolution result is hijacked data. Or, if the HTTP status code of the second page is the same as that of the first page and the similarity comparison result is that the two pages are similar, the cloud scan result is that the domain name resolution result is not hijacked data.
If the HTTP status code of the second page is not 200 but the similarity comparison result is that the first page and the second page are similar, or the HTTP status code of the second page differs from that of the first page but the similarity comparison result is that the two pages are similar, further verification is needed to obtain the cloud scan result on whether the domain name resolution result is hijacked data.
Because IP addresses are of different types, download rules for the first page and/or the second page can be preset according to the type of IP address before downloading, so that pages that are easier to compare are downloaded for the comparison of the first page and the second page.
Whether the domain name resolution result is hijacked data is judged from the above cloud scan result. If so, step S205 is performed; otherwise no processing is done, the result is released directly, and step S206 is performed.
Further, when steps S202-S204 above judge that the domain name resolution result is hijacked data, the corresponding DNS server can also be verified. Once external influencing factors have been excluded and it is determined to be a black DNS server, it is blacklisted or otherwise handled, so that requests are not sent to that black DNS server again.
Step S205: repair the domain name resolution result.
Step S206: return the repaired domain name resolution result.
For the above steps, refer to the description of steps S103-S104 in the embodiment of Fig. 1; they are not repeated here.
It should be noted that steps S202-S204 can be executed by a first process and step S205 by a second process. The first process and the second process work asynchronously, which improves concurrent processing speed.
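The decision flow of steps S202 to S206, sketched as an added Python example that is not part of the patent text. The list contents, pages, the `fetch_pages` callback and the `WHITE_BY_REGION` layout are constructed assumptions; comparing flattened tag paths with `difflib` stands in for the unspecified DOM tree comparison, and cases the text leaves open are mapped to `verify`.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser

DIFF_THRESHOLD = 0.20  # the text's example threshold for the page difference value

# Constructed lists using documentation-range addresses (not real data).
LOCAL_WHITE, LOCAL_BLACK = {"192.0.2.10"}, {"203.0.113.66"}
CLOUD_WHITE = {"192.0.2.10", "192.0.2.11"}
CLOUD_BLACK = {"203.0.113.66", "203.0.113.67"}
# (domain, region) -> white IP used for repair; this key layout is an assumption.
WHITE_BY_REGION = {("shop.example", "region-A"): "192.0.2.10"}

# Constructed pages: the genuine home page, a light variant, a substituted page.
GOOD = ("<html><head><title>Shop</title></head><body><div id='nav'>"
        "<a href='/'>Home</a><a href='/cart'>Cart</a></div><div id='main'>"
        "<h1>Shop</h1><p>Welcome</p><form><input name='q'>"
        "<input type='submit'></form></div></body></html>")
GOOD_VARIANT = GOOD.replace("<p>Welcome</p>", "<p>Hello</p><p>Sale today</p>")
FAKE = ("<html><body><iframe src='http://ads.invalid/'></iframe>"
        "<script>void 0</script></body></html>")
# Constructed (HTTP status, body) answers served by IPs that are on no list.
SUSPECT_PAGES = {"198.51.100.5": (200, GOOD_VARIANT),
                 "198.51.100.9": (503, FAKE),
                 "198.51.100.7": (404, GOOD_VARIANT)}


class TagPaths(HTMLParser):
    """Flattens a page into the root-to-node tag path of every DOM element."""
    VOID = {"br", "hr", "img", "input", "link", "meta"}

    def __init__(self):
        super().__init__()
        self.stack, self.paths = [], []

    def handle_starttag(self, tag, attrs):
        self.paths.append("/".join(self.stack + [tag]))
        if tag not in self.VOID:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:  # pop back to the matching open tag
            while self.stack.pop() != tag:
                pass


def dom_difference(html_a, html_b):
    """Difference value in [0, 1] between the DOM node paths of two pages."""
    paths = []
    for html in (html_a, html_b):
        parser = TagPaths()
        parser.feed(html)
        parser.close()
        paths.append(parser.paths)
    matcher = SequenceMatcher(None, paths[0], paths[1], autojunk=False)
    return 1.0 - matcher.ratio()


def page_verdict(first, second):
    """first/second: (status, html) from the secure IP and from the suspect IP."""
    similar = dom_difference(first[1], second[1]) <= DIFF_THRESHOLD
    # Merging the two status checks the text lists as alternatives is this
    # example's choice: a non-200 or mismatching status counts as suspicious.
    suspicious = second[0] != 200 or second[0] != first[0]
    if suspicious and not similar:
        return "hijacked"
    if not suspicious and similar:
        return "clean"
    return "verify"  # similar page with odd status, or a case the text leaves open


def analyse(domain, ip, fetch_pages):
    """Return 'clean', 'hijacked' or 'verify' for one resolution result."""
    if ip in LOCAL_WHITE:      # S202: local whitelist
        return "clean"
    if ip in LOCAL_BLACK:      # S203: local blacklist
        return "hijacked"
    if ip in CLOUD_WHITE:      # S204: cloud lists first
        return "clean"
    if ip in CLOUD_BLACK:
        return "hijacked"
    return page_verdict(*fetch_pages(domain, ip))  # S204: page comparison


def protect(domain, ip, region, fetch_pages):
    """S205/S206: return (ip_to_use, verdict); None means nothing safe is known."""
    verdict = analyse(domain, ip, fetch_pages)
    if verdict == "clean":
        return ip, verdict
    if verdict == "hijacked":  # repair with the white IP for this region
        return WHITE_BY_REGION.get((domain, region)), verdict
    return None, verdict       # withheld pending the further verification


def constructed_fetch(domain, ip):
    """Hypothetical downloader: (page from the secure IP, page from the suspect IP)."""
    return (200, GOOD), SUSPECT_PAGES[ip]


if __name__ == "__main__":
    for addr in ("192.0.2.10", "203.0.113.66", "198.51.100.5",
                 "198.51.100.9", "198.51.100.7"):
        print(addr, protect("shop.example", addr, "region-A", constructed_fetch))
```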
According to the domain name resolution protection method provided by the invention, after the domain name resolution result returned by the DNS server is intercepted, the result is analysed in turn according to local rules, the cloud scan result and so on, to judge whether it is hijacked data. This makes it possible to judge promptly and proactively whether the domain name resolution result has been hijacked. The judgement is made locally first, which executes quickly. If the local rules cannot decide, the judgement is made from the cloud scan result, which ensures its accuracy. If the domain name resolution result is hijacked data, it is repaired and the correct, repaired result is returned, so that network security is safeguarded without affecting the user's normal use, and domain name resolution is effectively protected.
Fig. 3 shows a functional block diagram of a domain name resolution protection apparatus according to an embodiment of the invention. As shown in Fig. 3, the domain name resolution protection apparatus includes the following modules:
Interception module 310, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution and to intercept the domain name resolution result returned by the DNS server.
A DNS server returns its answer directly after resolving a domain name resolution request. When DNS has been hijacked, the returned domain name resolution result may have been tampered with and no longer meets the user's real need. The interception module 310 therefore has to intercept the result returned by the DNS server so that it can subsequently be analysed and judged, which avoids returning a hijacked domain name resolution result.
When the interception module 310 sends the domain name resolution request carrying domain name information to the DNS server for resolution, it can use a fake function to hook the remote procedure call (RPC) protocol request function, through which the request is sent to the DNS server. For example, based on hook techniques, the interception module 310 constructs a Fakefunc function to hook the original RPC protocol request function and sets up a callback function to intercept the domain name resolution result returned by the DNS server, so that the result is not returned directly.
Analysis and judgement module 320, adapted to analyse the domain name resolution result according to local rules and/or a cloud scan result and to judge whether the domain name resolution result is hijacked data.
After the interception module 310 intercepts the domain name resolution result, this embodiment passes the result asynchronously to privilege level 3 for analysis. The analysis and judgement module 320 can use different analysis strategies for different operating system versions and different versions of the Internet protocol. In a concrete implementation, a special data structure can be custom-defined according to performance needs and used to analyse the domain name resolution result and obtain the corresponding data, such as IP address information.
When the analysis and judgement module 320 performs its analysis, it can analyse the domain name resolution result according to local rules, that is, rules formulated on the client. The analysis and judgement module 320 can also analyse it according to the cloud scan result produced by a cloud server, and judge whether the domain name resolution result is hijacked data. If the analysis and judgement module 320 judges that the domain name resolution result is hijacked data, the repair module 330 is executed; otherwise no processing is done and the data is released.
The analysis and judgement module 320 includes a local judgement module 321 and/or a cloud scan result acquisition module 322.
Local judgement module 321, adapted to judge whether the IP address contained in the domain name resolution result belongs to the local IP address whitelist and/or the local IP address blacklist; if the IP address belongs to the local IP address whitelist, the domain name resolution result is judged not to be hijacked data; if the IP address belongs to the local IP address blacklist, the domain name resolution result is judged to be hijacked data.
The local judgement module 321 judges according to local rules whether the IP address contained in the domain name resolution result belongs to the local IP address whitelist. If it does, the local judgement module 321 judges that the domain name resolution result is not hijacked data; no processing is needed and the result is released directly. If the IP address does not belong to the local IP address whitelist, the local judgement module 321 judges according to local rules whether it belongs to the local IP address blacklist. If it does, the local judgement module 321 judges that the domain name resolution result is hijacked data, and the repair module 330 is executed. If the IP address does not belong to the local IP address blacklist, the cloud scan result acquisition module 322 can be executed next to analyse the domain name resolution result according to the various cloud scan results.
No limit is placed on whether the local judgement module 321 first checks the local IP address whitelist or first checks the local IP address blacklist.
Because the data of the local IP address whitelist and/or local IP address blacklist needs to be updated as circumstances change, the apparatus further includes a timed update module 340.
Timed update module 340, adapted to download the cloud IP address whitelist and/or cloud IP address blacklist from the cloud server at regular intervals, and to update the local IP address whitelist and/or local IP address blacklist according to the cloud IP address whitelist and/or cloud IP address blacklist.
The timed update module 340 downloads the cloud IP address whitelist and/or cloud IP address blacklist from the cloud server at regular intervals and uses them to update the local IP address whitelist and/or local IP address blacklist, which ensures that the local list data is comprehensive.
The cloud IP address whitelist can be built by the cloud server deploying probe points in each data center, sending domain name resolution requests to one or more DNS servers known to be white, obtaining the corresponding white IP addresses, and adding them to the cloud IP address whitelist. To expand the number of white IP addresses, the cloud server can also send the same domain name resolution request to multiple white DNS servers and obtain the intersection of all the resolution results. Alternatively, the cloud server calculates each white IP address (including information such as the corresponding region and operator) from the data points recorded in logs such as the net shield logs, and adds it to the cloud IP address whitelist.
The cloud IP address blacklist can be collected by a big data operations platform; the collection covers black IP addresses that take effect for individual domain names and black IP addresses that take effect for all domain names.
Cloud scan result acquisition module 322, adapted to send the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result; and to judge, according to the cloud scan result, whether the domain name resolution result is hijacked data.
When the local judgment module 321 cannot determine whether the domain name resolution result is hijacked data, the cloud scan result acquisition module 322 can also be executed to make the judgment. The cloud scan result is obtained as follows: the cloud scan result acquisition module 322 sends the domain name information, the IP address included in the domain name resolution result and so on to the cloud server, and the cloud server performs cloud scan processing according to this information. After obtaining the cloud scan result, the cloud scan result acquisition module 322 judges whether the domain name resolution result is hijacked data according to whether the cloud scan result states that the domain name resolution result is hijacked data or that it is not.
Repair module 330, adapted to, if so, repair the domain name resolution result and return the repaired domain name resolution result.
When the analysis and judgment module 320 judges that the domain name resolution result is hijacked data, the repair module 330 needs to repair the domain name resolution result. During repair, according to the region information carried in the earlier domain name resolution request, the cloud server screens its big data statistics on region information, domain name information and the like. The cloud server can, based on how normal users located in that region access the domain name, obtain and return the corresponding white IP address, so that the repair module 330 obtains the white IP address corresponding to the region information. For example, if normal users in a region A access a certain IP1 many times, the repair module 330 obtains IP1. If a local IP address whitelist exists locally, the repair module 330 can obtain the white IP address from the region information, domain name information, operator information and the like that it contains. The repair module 330 repairs the domain name resolution result with the obtained white IP address and returns the repaired domain name resolution result.
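The local judgment, timed update and repair steps described above, as an added sketch that is not code from the patent. The list layout (whitelist entries keyed by domain with region and operator), the most-specific-first repair order, the empty answer when no white IP is known, and all names and addresses are assumptions; `constructed_cloud_scan` stands in for the cloud server.

```python
from dataclasses import dataclass, field

CLEAN, HIJACKED, UNKNOWN = "clean", "hijacked", "unknown"


@dataclass(frozen=True)
class WhiteEntry:
    domain: str
    ip: str
    region: str
    operator: str


@dataclass
class LocalRules:
    white: set = field(default_factory=set)              # WhiteEntry items
    black_by_domain: dict = field(default_factory=dict)  # domain -> {ip}
    black_global: set = field(default_factory=set)       # black for all domains

    def judge(self, domain, ip):
        """Local judgment: whitelist, then blacklist, else leave it to the cloud."""
        if any(w.domain == domain and w.ip == ip for w in self.white):
            return CLEAN
        if ip in self.black_global or ip in self.black_by_domain.get(domain, ()):
            return HIJACKED
        return UNKNOWN

    def update_from_cloud(self, white, black_by_domain, black_global):
        """Timed update: replace the local lists with the downloaded cloud lists."""
        self.white = set(white)
        self.black_by_domain = {d: set(ips) for d, ips in black_by_domain.items()}
        self.black_global = set(black_global)

    def white_ip_for(self, domain, region, operator):
        """Pick a white IP for repair, most specific match first (assumed order)."""
        candidates = sorted((w for w in self.white if w.domain == domain),
                            key=lambda w: w.ip)
        for match in (lambda w: w.region == region and w.operator == operator,
                      lambda w: w.region == region,
                      lambda w: True):
            for w in candidates:
                if match(w):
                    return w.ip
        return None


def protect(domain, answer_ips, region, operator, rules, cloud_scan):
    """Return (verdict, ips_to_return) for one intercepted DNS answer."""
    verdicts = []
    for ip in answer_ips:
        verdict = rules.judge(domain, ip)
        if verdict == UNKNOWN:                 # local rules cannot decide
            verdict = cloud_scan(domain, ip)
        verdicts.append(verdict)
    # Assumption: one hijacked address makes the whole answer hijacked.
    if HIJACKED not in verdicts:
        return CLEAN, list(answer_ips)
    white_ip = rules.white_ip_for(domain, region, operator)
    # Assumption: with no known white IP, return an empty answer.
    return HIJACKED, [white_ip] if white_ip else []


# Constructed sample data (documentation address ranges, reserved TLD).
CLOUD_WHITE = [WhiteEntry("shop.example", "192.0.2.10", "region-A", "op-1"),
               WhiteEntry("shop.example", "192.0.2.20", "region-B", "op-1")]
CLOUD_BLACK_BY_DOMAIN = {"shop.example": ["203.0.113.66"]}
CLOUD_BLACK_GLOBAL = ["198.51.100.99"]


def constructed_cloud_scan(domain, ip):
    """Stand-in for the cloud server's verdict on an address unknown locally."""
    return HIJACKED if ip == "203.0.113.77" else CLEAN


if __name__ == "__main__":
    rules = LocalRules()
    rules.update_from_cloud(CLOUD_WHITE, CLOUD_BLACK_BY_DOMAIN, CLOUD_BLACK_GLOBAL)
    print(protect("shop.example", ["203.0.113.66"], "region-B", "op-9",
                  rules, constructed_cloud_scan))
```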
Specifically, the analysis and judgment module 320 is executed by a first process and the repair module 330 is executed by a second process, where the first process and the second process are handled asynchronously.
According to the domain name resolution protection device provided by the invention, after the domain name resolution result returned by the DNS server is intercepted, the result is analyzed in turn according to the local rules, the cloud scan result and so on, to judge whether it is hijacked data. Whether the domain name resolution result has been hijacked can thus be judged promptly and proactively. The judgment is made locally first, which is fast. If the local rules cannot decide, the judgment is made from the cloud scan result, which ensures its accuracy. If the domain name resolution result is hijacked data, it is repaired and the correct, repaired domain name resolution result is returned, so that network security is ensured without affecting the user's normal use, and domain name resolution is effectively protected.
Fig. 4 shows a functional block diagram of a domain name resolution protection system according to an embodiment of the invention. As shown in Fig. 4, the domain name resolution protection system comprises a cloud server 400 and the domain name resolution protection device 300 shown in Fig. 3.
The cloud server 400 is adapted to: receive the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device 300, perform cloud scan processing according to the domain name information and/or the IP address to obtain a cloud scan result, and return the cloud scan result to the domain name resolution protection device 300.
The cloud server 400 comprises a cloud IP scan module 410 and a webpage scan module 420.
Cloud IP scan module 410, adapted to judge whether the IP address included in the domain name resolution result belongs to the cloud IP address whitelist and/or the cloud IP address blacklist; if the IP address belongs to the cloud IP address whitelist, to obtain a cloud scan result stating that the domain name resolution result is not hijacked data; if the IP address belongs to the cloud IP address blacklist, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
Because the local IP address whitelist and/or the local IP address blacklist are not updated in real time, the cloud IP address whitelist and/or the cloud IP address blacklist are more up to date and their data are more comprehensive. The cloud IP scan module 410 first examines the IP address included in the domain name resolution result and judges whether it belongs to the cloud IP address whitelist; if it does, the cloud IP scan module 410 obtains a cloud scan result stating that the domain name resolution result is not hijacked data. If the cloud IP scan module 410 judges that the IP address does not belong to the cloud IP address whitelist, it then judges whether the IP address belongs to the cloud IP address blacklist. If it does, the cloud IP scan module 410 obtains a cloud scan result stating that the domain name resolution result is hijacked data. If the cloud IP scan module 410 judges that the IP address belongs neither to the cloud IP address whitelist nor to the cloud IP address blacklist, the webpage scan module 420 is executed.
Webpage scan module 420, adapted to send the domain name resolution request carrying the domain name information to a preconfigured DNS server belonging to the DNS server whitelist, and obtain the secure IP address returned by the DNS resolution; to download a first page according to the secure IP address, the first page being the page corresponding to the secure IP address; to make a network request according to the IP address included in the domain name resolution result and the sender host information, and download a second page, the second page being the page corresponding to that IP address; and to compare the first page with the second page and obtain the cloud scan result according to the similarity comparison result of the pages.
The webpage scan module 420 sends the domain name resolution request carrying the domain name information to a preconfigured DNS server belonging to the DNS server whitelist and obtains the secure IP address returned by the DNS resolution. The webpage scan module 420 downloads the first page according to the secure IP address. The first page is the page corresponding to the secure IP address and can be the home page of the website corresponding to the secure IP address. The webpage scan module 420 makes a network request according to the IP address included in the domain name resolution result and the sender host information, and downloads the second page. The second page is the page corresponding to that IP address and can be the home page of the website corresponding to that IP address. The webpage scan module 420 compares the first page with the second page and obtains the cloud scan result according to the similarity comparison result of the pages.
When comparing the first page with the second page, the webpage scan module 420 can parse the first page and the second page separately to obtain their respective DOM trees. The webpage scan module 420 compares the nodes of the two DOM trees to obtain the similarity comparison result of the two pages. The similarity comparison result includes the difference value between the first page and the second page. If the difference value is greater than a preset threshold, such as 20%, the webpage scan module 420 considers the first page and the second page dissimilar; otherwise, it considers them similar. The webpage scan module 420 can also compare the first page and the second page in other ways to obtain the similarity comparison result of the pages; no limitation is placed on this here.
The webpage scan module 420 obtains the cloud scan result from the similarity comparison result of the two pages together with the HTTP status codes of the first page and the second page. If the HTTP status code of the second page is not 200, i.e. access to the second page failed (for example the HTTP status code is 404, 503, etc.), it is very likely that the domain name resolution result is hijacked data. The webpage scan module 420 then needs to further examine the similarity comparison result. If the similarity comparison result is that the first page and the second page are dissimilar, the webpage scan module 420 obtains a cloud scan result stating that the domain name resolution result is hijacked data. If the HTTP status code of the second page is 200, i.e. access to the second page succeeded, and the similarity comparison result is that the first page and the second page are similar, the webpage scan module 420 obtains a cloud scan result stating that the domain name resolution result is not hijacked data. Alternatively, if the HTTP status code of the second page differs from that of the first page and the similarity comparison result is that the two pages are dissimilar, the webpage scan module 420 obtains a cloud scan result stating that the domain name resolution result is hijacked data. Alternatively, if the HTTP status code of the second page is the same as that of the first page and the similarity comparison result is that the two pages are similar, the webpage scan module 420 obtains a cloud scan result stating that the domain name resolution result is not hijacked data.
If the HTTP status code of the second page is not 200 but the similarity comparison result is that the first page and the second page are similar, or if the HTTP status code of the second page differs from that of the first page but the similarity comparison result is that the two pages are similar, the webpage scan module 420 needs to carry out further verification to obtain the cloud scan result on whether the domain name resolution result is hijacked data.
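The page comparison and status-code rules above, as an added example that is not code from the patent. The difference value is computed here as one minus the multiset Jaccard index of DOM node paths, which is an assumed metric (the page only says the DOM tree nodes are compared), and the sample pages are constructed. The two `rule` values are the page's two alternative status checks; the page gives no outcome for a passing status check with dissimilar pages, so this sketch sends that case to further verification as an assumption.

```python
from collections import Counter
from html.parser import HTMLParser

DIFF_THRESHOLD = 0.20  # the page's example threshold ("such as 20%")
CLEAN, HIJACKED, NEEDS_VERIFICATION = "clean", "hijacked", "needs_verification"
VOID_TAGS = {"area", "base", "br", "col", "embed", "hr", "img", "input",
             "link", "meta", "source", "track", "wbr"}


class DomPathCollector(HTMLParser):
    """Record the root-to-node tag path of every element (the DOM tree shape)."""

    def __init__(self):
        super().__init__()
        self.stack = []
        self.paths = Counter()

    def handle_starttag(self, tag, attrs):
        self.paths["/".join(self.stack + [tag])] += 1
        if tag not in VOID_TAGS:          # void elements never get an end tag
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:             # tolerate unbalanced markup
            while self.stack.pop() != tag:
                pass


def dom_paths(html):
    collector = DomPathCollector()
    collector.feed(html)
    collector.close()
    return collector.paths


def dom_difference(first_html, second_html):
    """Difference value in [0, 1] between the node paths of two pages."""
    a, b = dom_paths(first_html), dom_paths(second_html)
    union = sum((a | b).values())         # per-path maximum counts
    if union == 0:
        return 0.0
    return 1.0 - sum((a & b).values()) / union   # per-path minimum counts


def cloud_verdict(first_status, first_html, second_status, second_html,
                  rule="status_200", threshold=DIFF_THRESHOLD):
    """Combine page similarity with the HTTP status codes of both pages."""
    similar = dom_difference(first_html, second_html) <= threshold
    if rule == "status_200":              # second page must load successfully
        status_ok = second_status == 200
    elif rule == "status_match":          # second page must match the first
        status_ok = second_status == first_status
    else:
        raise ValueError("rule must be 'status_200' or 'status_match'")
    if not status_ok and not similar:
        return HIJACKED
    if status_ok and similar:
        return CLEAN
    # Failing status with similar pages: the page asks for further verification.
    # Passing status with dissimilar pages: no outcome on the page (assumption).
    return NEEDS_VERIFICATION


# Constructed sample pages.
FIRST_PAGE = """<html><head><title>Example Shop</title></head>
<body><div id="nav"><a href="/">Home</a><a href="/cart">Cart</a></div>
<div id="main"><h1>Welcome</h1><p>Offers</p><ul><li>A</li><li>B</li></ul></div>
</body></html>"""
SAME_SITE = FIRST_PAGE.replace("<li>B</li>", "<li>B</li><li>C</li>")
HIJACKED_PAGE = """<html><head><title>Ads</title></head>
<body><iframe src="http://ads.invalid/"></iframe><script>var x = 1;</script></body></html>"""

if __name__ == "__main__":
    print(round(dom_difference(FIRST_PAGE, SAME_SITE), 3),
          round(dom_difference(FIRST_PAGE, HIJACKED_PAGE), 3))
    print(cloud_verdict(200, FIRST_PAGE, 503, HIJACKED_PAGE))
```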
Because IP addresses are of different types, the cloud server 400 further comprises a download rule module 430. Before downloading, the download rule module 430 can preset download rules for the first page and/or the second page according to the type of the IP address, so that when the first page and the second page are compared, the webpage scan module 420 can download pages that are easier to compare.
For the description of the domain name resolution protection device, refer to the description of the embodiment of Fig. 3, which is not repeated here.
According to the domain name resolution protection system provided by the invention, the domain name resolution request carrying the domain name information is sent to the DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the domain name resolution result is analyzed according to the local rules and/or the cloud scan result to judge whether it is hijacked data; if so, the domain name resolution result is repaired and the repaired result is returned. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and ensures network security. Analyzing the domain name resolution result according to the local rules and/or the cloud scan result makes it possible to judge promptly and proactively whether the result has been hijacked, and to judge more accurately, improving the effectiveness of the analysis. After the judgment, the domain name resolution result is repaired and the correct domain name resolution result is returned, so that network security is ensured without affecting the user's normal use, and domain name resolution is effectively protected.
The present application also provides a non-volatile computer storage medium. The computer storage medium stores at least one executable instruction, and the computer-executable instruction can perform the domain name resolution protection method of any of the above method embodiments.
Fig. 5 shows a schematic structural diagram of a computing device according to an embodiment of the invention. The specific embodiments of the invention do not limit the specific implementation of the computing device.
As shown in Fig. 5, the computing device can include: a processor 502, a communications interface 504, a memory 506 and a communication bus 508.
Wherein:
The processor 502, the communications interface 504 and the memory 506 communicate with one another over the communication bus 508.
The communications interface 504 is used to communicate with network elements of other devices, such as clients or other servers.
The processor 502 is used to execute a program 510, and can specifically perform the relevant steps of the above domain name resolution protection method embodiments.
Specifically, the program 510 can include program code, and the program code includes computer operating instructions.
The processor 502 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the invention. The one or more processors included in the computing device can be processors of the same type, such as one or more CPUs, or processors of different types, such as one or more CPUs and one or more ASICs.
The memory 506 is used to store the program 510. The memory 506 may include high-speed RAM, and may also include non-volatile memory, for example at least one disk memory.
The program 510 can specifically be used to cause the processor 502 to perform the following operations:
In an optional embodiment, the program 510 is used to cause the processor 502 to send the domain name resolution request carrying the domain name information to the DNS server for resolution and intercept the domain name resolution result returned by the DNS server; to analyze the domain name resolution result according to the local rules and/or the cloud scan result and judge whether it is hijacked data; and, if so, to repair the domain name resolution result and return the repaired result.
In an optional embodiment, the program 510 is used to cause the processor 502 to hook the remote procedure call protocol request function with a forged function and send the domain name resolution request carrying the domain name information to the DNS server for resolution, and to set a callback function that intercepts the domain name resolution result returned by the DNS server.
In an optional embodiment, the program 510 is used to cause the processor 502, after the driver intercepts the domain name resolution result, to pass the domain name resolution result asynchronously to privilege level 3 for analysis.
In an optional embodiment, the program 510 is used to cause the processor 502 to judge whether the IP address included in the domain name resolution result belongs to the local IP address whitelist and/or the local IP address blacklist; if the IP address belongs to the local IP address whitelist, to judge that the domain name resolution result is not hijacked data; if the IP address belongs to the local IP address blacklist, to judge that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to periodically download the cloud IP address whitelist and/or the cloud IP address blacklist from the cloud server, and to update the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
In an optional embodiment, the program 510 is used to cause the processor 502 to send the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result; and to judge, according to the cloud scan result, whether the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to judge whether the IP address included in the domain name resolution result belongs to the cloud IP address whitelist and/or the cloud IP address blacklist; if the IP address belongs to the cloud IP address whitelist, to obtain a cloud scan result stating that the domain name resolution result is not hijacked data; if the IP address belongs to the cloud IP address blacklist, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to send the domain name resolution request carrying the domain name information to a preconfigured DNS server belonging to the DNS server whitelist and obtain the secure IP address returned by the DNS resolution; to download a first page according to the secure IP address, the first page being the page corresponding to the secure IP address; to make a network request according to the IP address included in the domain name resolution result and the sender host information, and download a second page, the second page being the page corresponding to that IP address; and to compare the first page with the second page and obtain the cloud scan result according to the similarity comparison result of the pages.
In an optional embodiment, the program 510 is used to cause the processor 502 to obtain the similarity comparison result of the first page and the second page, together with the HTTP status code of the first page and the HTTP status code of the second page; and to obtain the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page.
In an optional embodiment, the program 510 is used to cause the processor 502, if the HTTP status code of the second page is not 200 and the similarity comparison result is dissimilar, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502, if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is dissimilar, to obtain a cloud scan result stating that the domain name resolution result is hijacked data.
In an optional embodiment, the program 510 is used to cause the processor 502 to preset the download rules for the first page and/or the second page according to the type of the IP address.
In an optional embodiment, the program 510 is used to cause the processor 502 to perform, in a first process, the step of analyzing the domain name resolution result according to the local rules and/or the cloud scan result and judging whether it is hijacked data; and to perform, in a second process, the step of repairing the domain name resolution result and returning the repaired result; where the first process and the second process are handled asynchronously.
In an optional embodiment, the program 510 is used to cause the processor 502 to obtain, according to the region information carried in the domain name resolution request, the white IP address corresponding to the region information; and to repair the domain name resolution result with the white IP address and return the repaired domain name resolution result.
For the specific implementation of each step in the program 510, refer to the corresponding descriptions of the corresponding steps and units in the above domain name resolution protection embodiments, which are not repeated here. Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the devices and modules described above may refer to the corresponding process descriptions in the foregoing method embodiments, and are not repeated here.
With the scheme provided by this embodiment, the domain name resolution request carrying the domain name information is sent to the DNS server for resolution, and the domain name resolution result returned by the DNS server is intercepted; the domain name resolution result is analyzed according to the local rules and/or the cloud scan result to judge whether it is hijacked data; if so, the domain name resolution result is repaired and the repaired result is returned. Intercepting the returned domain name resolution result builds a barrier between the user and the DNS server and ensures network security. Analyzing the domain name resolution result according to the local rules and/or the cloud scan result makes it possible to judge promptly and proactively whether the result has been hijacked, and to judge more accurately, improving the effectiveness of the analysis. After the judgment, the domain name resolution result is repaired and the correct domain name resolution result is returned, so that network security is ensured without affecting the user's normal use, and domain name resolution is effectively protected.
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other device. Various general-purpose systems can also be used with the teachings herein. From the description above, the structure required to construct such a system is apparent. Moreover, the present invention is not directed to any particular programming language. It should be understood that the content of the invention described herein can be implemented in various programming languages, and that the above description of a specific language is given to disclose the best mode of the invention.
Numerous specific details are set forth in the specification provided here. It should be understood, however, that embodiments of the invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques are not shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to streamline the disclosure and aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the invention the features of the invention are sometimes grouped together into a single embodiment, figure, or description thereof. However, the disclosed method should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in fewer than all features of a single embodiment disclosed above. Therefore, the claims following the detailed description are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate embodiment of the invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules or units or components in the embodiments can be combined into one module or unit or component, and can furthermore be divided into multiple sub-modules or sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings) and all processes or units of any method or device so disclosed can be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) can be replaced by an alternative feature serving the same, equivalent or similar purpose.
Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments and not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the following claims, any one of the claimed embodiments can be used in any combination.
The various component embodiments of the invention can be implemented in hardware, in software modules running on one or more processors, or in a combination thereof. Those skilled in the art will understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the domain name resolution protection device according to embodiments of the invention. The invention can also be implemented as a device or device program (for example, a computer program and a computer program product) for performing part or all of the method described herein. Such a program implementing the invention can be stored on a computer-readable medium, or can take the form of one or more signals. Such signals can be downloaded from an Internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and that those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference sign placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second and third does not indicate any order. These words can be interpreted as names.
The invention discloses: A1. A domain name resolution protection method, comprising:
sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server;
analyzing the domain name resolution result according to local rules and/or a cloud scan result, and judging whether the domain name resolution result is hijacked data;
if so, repairing the domain name resolution result and returning the repaired domain name resolution result.
A2. The method according to A1, wherein sending the domain name resolution request carrying the domain name information to the DNS server for resolution and intercepting the domain name resolution result returned by the DNS server further comprises:
hooking the remote procedure call protocol request function with a forged function, and sending the domain name resolution request carrying the domain name information to the DNS server for resolution;
setting a callback function to intercept the domain name resolution result returned by the DNS server.
A3. The method according to A1 or A2, wherein analyzing the domain name resolution result according to the local rules and/or the cloud scan result further comprises:
after the driver intercepts the domain name resolution result, passing the domain name resolution result asynchronously to privilege level 3 for analysis.
A4. The method according to any one of A1-A3, wherein analyzing the domain name resolution result according to the local rules and judging whether the domain name resolution result is hijacked data further comprises:
judging whether the IP address included in the domain name resolution result belongs to a local IP address whitelist and/or a local IP address blacklist;
if the IP address belongs to the local IP address whitelist, judging that the domain name resolution result is not hijacked data;
if the IP address belongs to the local IP address blacklist, judging that the domain name resolution result is hijacked data.
A5. The method according to A4, wherein the method further comprises:
periodically downloading a cloud IP address whitelist and/or a cloud IP address blacklist from the cloud server;
updating the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
A6. The method according to any one of A1-A3, wherein analyzing the domain name resolution result according to the cloud scan result and judging whether the domain name resolution result is hijacked data further comprises:
sending the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains a cloud scan result;
judging, according to the cloud scan result, whether the domain name resolution result is hijacked data.
A7. The method according to A6, wherein the cloud server performing cloud scan processing according to the IP address and obtaining the cloud scan result further comprises:
judging whether the IP address included in the domain name resolution result belongs to the cloud IP address whitelist and/or the cloud IP address blacklist;
if the IP address belongs to the cloud IP address whitelist, obtaining a cloud scan result stating that the domain name resolution result is not hijacked data;
if the IP address belongs to the cloud IP address blacklist, obtaining a cloud scan result stating that the domain name resolution result is hijacked data.
A8. The method according to A6, wherein the cloud server performing cloud scan processing according to the domain name information and/or the IP address and obtaining the cloud scan result further comprises:
sending the domain name resolution request carrying the domain name information to a preconfigured DNS server that belongs to a DNS server whitelist, and obtaining the secure IP address produced by the DNS resolution;
downloading a first page according to the secure IP address, the first page being the page corresponding to the secure IP address;
making a network request according to the IP address included in the domain name resolution result and the sender's host information, and downloading a second page, the second page being the page corresponding to the IP address;
comparing the first page with the second page, and obtaining the cloud scan result according to the similarity comparison result of the pages.
A9. The method according to A8, wherein comparing the first page with the second page, and obtaining the cloud scan result according to the similarity comparison result of the pages, further comprises:
obtaining the similarity comparison result of the first page and the second page, together with the HTTP status code of the first page and the HTTP status code of the second page;
obtaining the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page.
A10. The method according to A9, wherein obtaining the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page further comprises:
if the HTTP status code of the second page is not 200 and the similarity comparison result is "dissimilar", obtaining a cloud scan result indicating that the domain name resolution result is hijacked data.
A11. The method according to A9, wherein obtaining the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page further comprises:
if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is "dissimilar", obtaining a cloud scan result indicating that the domain name resolution result is hijacked data.
A12. The method according to any one of A8-A11, wherein the method further comprises:
presetting, according to the type of the IP address, the download rules for the first page and/or the second page.
A13. The method according to any one of A1-A12, wherein the step of analyzing the domain name resolution result according to the local rules and/or the cloud scan result and judging whether the domain name resolution result is hijacked data is performed by a first process;
the step of repairing the domain name resolution result and returning the repaired domain name resolution result is performed by a second process;
wherein the first process and the second process operate asynchronously.
A14. The method according to any one of A1-A13, wherein repairing the domain name resolution result and returning the repaired domain name resolution result further comprises:
obtaining, according to the region information carried in the domain name resolution request, the whitelisted IP address corresponding to the region information;
repairing the domain name resolution result with the whitelisted IP address, and returning the repaired domain name resolution result.
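The decision flow of clauses A4, A9-A11 and A14, as an added Python illustration that is not part of the patent text. The names, the sample addresses, the 0.8 threshold, the use of difflib as the similarity metric, running the page check only when the local lists are silent, and treating A10 and A11 as alternative triggers are all assumptions of this example.

```python
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Optional, Tuple

# Constructed sample data; addresses are from the RFC 5737 documentation ranges.
LOCAL_WHITELIST = {"192.0.2.10", "192.0.2.11"}
LOCAL_BLACKLIST = {"203.0.113.66"}
REGION_WHITE_IPS = {"north": "192.0.2.10", "south": "192.0.2.11"}  # A14 lookup
SIMILARITY_THRESHOLD = 0.8  # assumption: the text gives no threshold


@dataclass
class Page:
    status: int  # HTTP status code of the download
    body: str    # page content


def local_verdict(ip: str) -> Optional[bool]:
    """A4: False if whitelisted, True if blacklisted, None if neither list decides."""
    if ip in LOCAL_WHITELIST:  # assumption: the whitelist is consulted first
        return False
    if ip in LOCAL_BLACKLIST:
        return True
    return None


def pages_similar(first: Page, second: Page) -> bool:
    """Similarity comparison; difflib's ratio stands in for the unspecified metric."""
    ratio = SequenceMatcher(None, first.body, second.body).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def cloud_page_verdict(first: Page, second: Page) -> bool:
    """A10/A11: hijacked only when the pages are dissimilar AND the second
    page's status is not 200 (A10) or differs from the first page's (A11)."""
    if pages_similar(first, second):
        return False
    return second.status != 200 or second.status != first.status


def protect(resolved_ip: str, region: str, first: Optional[Page] = None,
            second: Optional[Page] = None) -> Tuple[str, bool]:
    """Return (ip_to_hand_back, was_hijacked) for one intercepted result."""
    hijacked = local_verdict(resolved_ip)
    if hijacked is None:  # assumption: page check runs only when local rules are silent
        hijacked = (first is not None and second is not None
                    and cloud_page_verdict(first, second))
    if hijacked:
        # A14: repair with the whitelisted IP for the requester's region.
        return REGION_WHITE_IPS[region], True
    return resolved_ip, False


if __name__ == "__main__":
    good = Page(200, "Welcome to Example Bank, please sign in")
    print(protect("203.0.113.66", "south"))                                   # blacklisted
    print(protect("198.51.100.7", "north", good, Page(302, "parked domain")))  # A11 trigger
    print(protect("198.51.100.7", "north", good, Page(200, "Cheap pills here")))
```

The last call shows a case neither A10 nor A11 flags as written: the second page is dissimilar but both downloads return 200, so the result passes through unrepaired unless a blacklist entry catches the address.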
The invention also discloses: B15. A domain name resolution protection device, comprising:
an interception module, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution, and to intercept the domain name resolution result returned by the DNS server;
an analysis and judgment module, adapted to analyze the domain name resolution result according to local rules and/or a cloud scan result, and to judge whether the domain name resolution result is hijacked data;
a repair module, adapted to repair the domain name resolution result and return the repaired domain name resolution result if the analysis and judgment module judges that the domain name resolution result is hijacked data.
B16. The device according to B15, wherein the interception module is further adapted to:
hook the remote procedure call protocol request function with a forged function, and send the domain name resolution request carrying the domain name information to the DNS server for resolution; and set a callback function to intercept the domain name resolution result returned by the DNS server.
B17. The device according to B15 or B16, wherein the analysis and judgment module is further adapted to:
after a driver intercepts the domain name resolution result, pass the domain name resolution result asynchronously to privilege level 3 for analysis.
B18. The device according to any one of B15-B17, wherein the analysis and judgment module further comprises:
a local judgment module, adapted to judge whether the IP address included in the domain name resolution result belongs to a local IP address whitelist and/or a local IP address blacklist; if the IP address belongs to the local IP address whitelist, to judge that the domain name resolution result is not hijacked data; and if the IP address belongs to the local IP address blacklist, to judge that the domain name resolution result is hijacked data.
B19. The device according to B18, wherein the device further comprises:
a periodic update module, adapted to periodically download a cloud IP address whitelist and/or a cloud IP address blacklist from the cloud server, and to update the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
B20. The device according to any one of B15-B17, wherein the analysis and judgment module further comprises:
a cloud scan result acquisition module, adapted to send the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains the cloud scan result; and to judge, according to the cloud scan result, whether the domain name resolution result is hijacked data.
B21. The device according to any one of B15-B20, wherein the analysis and judgment module is run by a first process;
the repair module is run by a second process;
wherein the first process and the second process operate asynchronously.
B22. The device according to any one of B15-B21, wherein the repair module is further adapted to:
obtain, according to the region information carried in the domain name resolution request, the whitelisted IP address corresponding to the region information;
repair the domain name resolution result with the whitelisted IP address, and return the repaired domain name resolution result.
The invention also discloses: C23. A domain name resolution protection system, comprising: a cloud server and the domain name resolution protection device according to any one of B15-B22;
the cloud server is adapted to: receive the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device, perform cloud scan processing according to the domain name information and/or the IP address to obtain a cloud scan result, and return the cloud scan result to the domain name resolution protection device.
C24. The system according to C23, wherein the cloud server comprises:
a cloud IP scan module, adapted to judge whether the IP address included in the domain name resolution result belongs to the cloud IP address whitelist and/or the cloud IP address blacklist; if the IP address belongs to the cloud IP address whitelist, to obtain a cloud scan result indicating that the domain name resolution result is not hijacked data; and if the IP address belongs to the cloud IP address blacklist, to obtain a cloud scan result indicating that the domain name resolution result is hijacked data.
C25. The system according to C23, wherein the cloud server comprises:
a web page scan module, adapted to send the domain name resolution request carrying the domain name information to a preconfigured DNS server that belongs to a DNS server whitelist, and to obtain the secure IP address produced by the DNS resolution; to download a first page according to the secure IP address, the first page being the page corresponding to the secure IP address; to make a network request according to the IP address included in the domain name resolution result and the sender's host information, and to download a second page, the second page being the page corresponding to the IP address; and to compare the first page with the second page and obtain the cloud scan result according to the similarity comparison result of the pages.
C26. The system according to C25, wherein the web page scan module is further adapted to:
obtain the similarity comparison result of the first page and the second page, together with the HTTP status code of the first page and the HTTP status code of the second page; and obtain the cloud scan result according to the similarity comparison result, the HTTP status code of the first page and the HTTP status code of the second page.
C27. The system according to C25, wherein the web page scan module is further adapted to:
if the HTTP status code of the second page is not 200 and the similarity comparison result is "dissimilar", obtain a cloud scan result indicating that the domain name resolution result is hijacked data.
C28. The system according to C25, wherein the web page scan module is further adapted to:
if the HTTP status code of the second page differs from the HTTP status code of the first page and the similarity comparison result is "dissimilar", obtain a cloud scan result indicating that the domain name resolution result is hijacked data.
C29. The system according to any one of C25-C28, wherein the cloud server further comprises:
a download rule module, adapted to preset, according to the type of the IP address, the download rules for the first page and/or the second page.
The invention also discloses: D30. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory is configured to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the domain name resolution protection method according to any one of A1-A14.
The invention also discloses: E31. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the domain name resolution protection method according to any one of A1-A14.
Claims (10)
1. A domain name resolution protection method, comprising:
sending a domain name resolution request carrying domain name information to a DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server;
analyzing the domain name resolution result according to local rules and/or a cloud scan result, and judging whether the domain name resolution result is hijacked data;
if so, repairing the domain name resolution result, and returning the repaired domain name resolution result.
2. The method according to claim 1, wherein sending the domain name resolution request carrying the domain name information to the DNS server for resolution, and intercepting the domain name resolution result returned by the DNS server, further comprises:
hooking the remote procedure call protocol request function with a forged function, and sending the domain name resolution request carrying the domain name information to the DNS server for resolution;
setting a callback function to intercept the domain name resolution result returned by the DNS server.
3. The method according to claim 1 or 2, wherein analyzing the domain name resolution result according to the local rules and/or the cloud scan result further comprises:
after a driver intercepts the domain name resolution result, passing the domain name resolution result asynchronously to privilege level 3 for analysis.
4. The method according to any one of claims 1-3, wherein analyzing the domain name resolution result according to the local rules, and judging whether the domain name resolution result is hijacked data, further comprises:
judging whether the IP address included in the domain name resolution result belongs to a local IP address whitelist and/or a local IP address blacklist;
if the IP address belongs to the local IP address whitelist, judging that the domain name resolution result is not hijacked data;
if the IP address belongs to the local IP address blacklist, judging that the domain name resolution result is hijacked data.
5. The method according to claim 4, wherein the method further comprises:
periodically downloading a cloud IP address whitelist and/or a cloud IP address blacklist from the cloud server;
updating the local IP address whitelist and/or the local IP address blacklist according to the cloud IP address whitelist and/or the cloud IP address blacklist.
6. The method according to any one of claims 1-3, wherein analyzing the domain name resolution result according to the cloud scan result, and judging whether the domain name resolution result is hijacked data, further comprises:
sending the domain name information and/or the IP address included in the domain name resolution result to the cloud server, so that the cloud server performs cloud scan processing according to the domain name information and/or the IP address and obtains the cloud scan result;
judging, according to the cloud scan result, whether the domain name resolution result is hijacked data.
7. A domain name resolution protection device, comprising:
an interception module, adapted to send a domain name resolution request carrying domain name information to a DNS server for resolution, and to intercept the domain name resolution result returned by the DNS server;
an analysis and judgment module, adapted to analyze the domain name resolution result according to local rules and/or a cloud scan result, and to judge whether the domain name resolution result is hijacked data;
a repair module, adapted to repair the domain name resolution result and return the repaired domain name resolution result if the analysis and judgment module judges that the domain name resolution result is hijacked data.
8. A domain name resolution protection system, comprising: a cloud server and the domain name resolution protection device according to claim 7;
the cloud server is adapted to: receive the domain name information and/or the IP address included in the domain name resolution result sent by the domain name resolution protection device, perform cloud scan processing according to the domain name information and/or the IP address to obtain a cloud scan result, and return the cloud scan result to the domain name resolution protection device.
9. A computing device, comprising: a processor, a memory, a communication interface and a communication bus, wherein the processor, the memory and the communication interface communicate with one another over the communication bus;
the memory is configured to store at least one executable instruction, and the executable instruction causes the processor to perform the operations corresponding to the domain name resolution protection method according to any one of claims 1-6.
10. A computer storage medium, wherein at least one executable instruction is stored in the storage medium, and the executable instruction causes a processor to perform the operations corresponding to the domain name resolution protection method according to any one of claims 1-6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710915052.5A CN107623693B (en) | 2017-09-30 | 2017-09-30 | Domain name resolution protection method, device, system, computing equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710915052.5A CN107623693B (en) | 2017-09-30 | 2017-09-30 | Domain name resolution protection method, device, system, computing equipment and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107623693A (en) | 2018-01-23 |
CN107623693B (en) | 2021-03-19 |
Family
ID=61091821
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710915052.5A Active CN107623693B (en) | 2017-09-30 | 2017-09-30 | Domain name resolution protection method, device, system, computing equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107623693B (en) |
Also Published As
Publication number | Publication date |
---|---|
CN107623693B (en) | 2021-03-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
Effective date of registration: 20220913 Address after: No. 9-3-401, No. 39, Gaoxin 6th Road, Binhai Science and Technology Park, High-tech Zone, Binhai New District, Tianjin 300000 Patentee after: 3600 Technology Group Co.,Ltd. Address before: 100088 room 112, block D, 28 new street, new street, Xicheng District, Beijing (Desheng Park) Patentee before: BEIJING QIHOO TECHNOLOGY Co.,Ltd. |