CN103685168A - Query request service method for DNS (Domain Name System) recursive server - Google Patents
- Publication number: CN103685168A (application CN201210328266.XA)
- Authority: CN (China)
- Prior art keywords: inquiry request, credible, server, data packet, response data
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA); Computer And Data Communications (AREA)
Abstract
The invention discloses a query request service method for a DNS (Domain Name System) recursive server, and belongs to the technical field of networks. The method comprises the following steps: 1) dividing the cache of the DNS recursive server into a trusted cache area and an untrusted cache area; 2) after the recursive server receives a query request, looking up whether a matching resource exists in the resource records of the trusted cache area; if so, returning the matching resource record to the querying terminal, and if not, sending a query request to the authoritative server; 3) the recursive server monitoring the response packet arrival rate of the query request; 4) if the response packet arrival rate exceeds a trust threshold, the recursive server placing the response packets of the query request in the untrusted cache area; if the response packet arrival rate does not exceed the trust threshold, sending the query request to the authoritative server again, sending the DNS resource record obtained to the querying terminal, and adding it to the trusted cache area. According to the invention, the possibility of cache poisoning is reduced and query efficiency is preserved.
Description
Technical field
The present invention relates to a query request service method for a DNS recursive server, and belongs to the technical field of computer networks.
Background technology
The main entities of the Internet Domain Name System (DNS) are recursive servers, which provide the resolution query service, and authoritative servers, which provide authoritative answers. The query process is shown in Figure 1. The concrete steps are:
1) When an end user wants to access www.sina.com, the terminal sends a DNS query request message to the recursive server;
2) If the cache of the recursive server holds no information at all about this domain name (suppose it has neither the address of the com authoritative server nor the address of the sina.com authoritative server), the recursive server must initiate a query to a root server, from which it learns the address of the com authoritative server;
3) The recursive server then sends a query message to the com authoritative server, and so learns the address of the sina.com authoritative server;
4) By continuing to query the sina.com authoritative server, the recursive server finally learns the address of www.sina.com;
5) The recursive server returns the resource record obtained by the query to the client and stores the record in its cache. When another end user queries www.sina.com at this recursive server, the recursive server can respond promptly by looking up the matching resource record directly in its cache, and the end user can access the corresponding network resource via this address information.
In the above query process, after the recursive server sends a query message to any authoritative server, if a corresponding forged response packet reaches the recursive server before the correct response packet, and that packet matches the UDP port number and packet ID of the query packet the recursive server sent, the recursive server will cache a wrong authoritative resource record, which causes cache poisoning. When subsequent users query this domain name, they are all directed to a wrong or malicious website.
How to identify and avoid caching untrusted or forged response messages at the recursive server, so as to minimise the possibility of DNS recursive server cache poisoning, is a technical problem urgently in need of a solution.
Summary of the invention
In view of the technical problem existing in the prior art, the object of the present invention is to provide a query request service method for a DNS recursive server. The present invention proposes dividing the cache of the DNS recursive server into two parts: a trusted cache area and an untrusted cache area. The trusted cache area caches the correct DNS resource records obtained through normal queries; the untrusted cache area holds the responses, and the corresponding resource records, that the DNS recursive server has come to doubt by monitoring DNS traffic. The trusted cache area is used according to the usual rules by which a recursive server uses cached data, whereas data in the untrusted cache area cannot be used directly to answer clients. Only when the monitoring result falls back below the trust threshold chosen by the recursive server is the query process initiated again for a resource record in the untrusted cache area, and the corresponding response added to the trusted cache area.
The technical scheme of the present invention is:
A query request service method for a DNS recursive server, the steps of which are:
1) Divide the cache of the DNS recursive server into a trusted cache area and an untrusted cache area, where the trusted cache area caches trusted DNS resource records and the untrusted cache area stores the DNS resource records corresponding to suspicious query requests;
2) After the recursive server receives a query request, it looks up whether a matching resource exists in the resource records of the trusted cache area; if so, the matching resource record is returned to the querying end; if not, a query request is sent to the authoritative server;
3) The recursive server monitors the response packet arrival rate of this query request, where the response packet arrival rate is the number of response packets received for the same query request within a set length of time;
4) If the response packet arrival rate of this query request exceeds the preset trust threshold, the recursive server places the response packets of this query request in the untrusted cache area; if the response packet arrival rate of this query request does not exceed the preset trust threshold, the recursive server sends the query request to the authoritative server again, sends the DNS resource record obtained to the querying end, and adds it to the trusted cache area as a trusted DNS resource record.
Further, if the response packet arrival rate of this query request exceeds the preset trust threshold, and the recursive server receives from other querying ends a query request 2 identical to this query request, and the response packet arrival rate of query request 2 does not exceed the preset trust threshold, then the recursive server sends a query request to the authoritative server on behalf of query request 2.
Further, if the response packet arrival rate of a query request exceeds the preset trust threshold, the recursive server determines the cache poisoning attack source from the destination IP address of the query message it sent for that query request.
Further, the recursive server monitors the response packet arrival rate of query requests in real time.
The present invention has the following features:
1) By partitioning the cache, untrusted resource records are isolated;
2) When the response packet arrival rate of the same query request is excessive, the recursive server concludes that a cache poisoning attack is taking place, and judges the responses it receives to be untrusted;
3) By re-querying the resource records held in the untrusted cache area and filling the results into the trusted cache area, the recursive server still achieves the goal of improving query processing efficiency by using its cache.
Compared with the prior art, the beneficial effects of the present invention are:
By dividing the cache into a trusted cache area and an untrusted cache area, the present invention isolates untrusted resource records; it thereby prevents the recursive server from caching untrusted or forged response messages, reduces the possibility of DNS recursive server cache poisoning, and preserves the query processing efficiency of the recursive server.
Description of the drawings
Fig. 1 is the flow chart of an existing DNS query;
Fig. 2 is the flow chart of the method of the present invention.
Embodiment
In the present invention, the processing flow of the recursive server is shown in Figure 2.
1) After the recursive server receives a query request, it first looks up whether a matching resource exists in the resource records of the trusted cache; the recursive server tries to return a matching response to the user as early as possible by querying the trusted cache, thereby improving lookup efficiency (when no attack is detected, all results obtained by querying are saved in the trusted cache, such as the address of the com authoritative server, the address of the sina.com authoritative server and the address of www.sina.com in the example of Fig. 1; when an attack is detected, the response messages received are stored in the suspect area). If no match is found, the recursive server sends a query request to the authoritative server; when the response packet arrival rate corresponding to this query request exceeds the preset threshold, the cache is considered to be under a poisoning attack, and the poisoning source is the destination IP address of the query message sent by the recursive server. For example, when a cache poisoning attack source sends the recursive server a query request for a domain name such as xxx.yyy.cn, the recursive server, finding no corresponding resource record in the trusted cache, immediately initiates a query to the authoritative server; the main function of the authoritative server is to maintain DNS data. The "response packet arrival rate" is the number of response packets for the same query request received within a certain period of time.
2) To poison this recursive server, the attack source sends a large batch of forged response messages to the recursive server, attempting to match the UDP port number and packet ID of the DNS query message the recursive server sent to the authoritative server;
3) The recursive server judges how untrustworthy a response is by the response packet arrival rate of the same query request: if the arrival rate exceeds the preset threshold, the recursive server places the matching response messages it receives in the untrusted cache area (to present the technical solution clearly, the present invention judges untrustworthiness by the response packet arrival rate of the same query request, but other decision rules may also be supported);
4) If the recursive server now receives query requests from other clients for the cache entry under poisoning, and the responses corresponding to those clients' requests have fallen back below the trust threshold, the recursive server does not use the data in the untrusted cache area, but initiates the query process to the authoritative server again and answers with the result;
5) Once the response packet arrival rate of this query request, as received by the recursive server, falls back below the trust threshold, the recursive server considers the attack to be over, so it initiates the query process again and adds the resource record in the response to the trusted area, in order to answer subsequent queries quickly. For example, given query request messages 1 and 2: if a large number of forged responses correspond to query message 1, and likewise a large number of forged responses correspond to query message 2, the recursive server considers both query 1 and query 2 to be forged queries used to poison the cache, and does not answer them. But if the responses corresponding to these two queries are below the trust threshold, the recursive server considers them normal queries, sends the query to the authoritative server, and then adds the resource record in the response to the trusted area, in order to answer subsequent queries quickly.
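As an added illustration, not part of the patent text, the following Python model walks through the technical scheme (steps 1 to 4) and the embodiment above: a split trusted/untrusted cache, a per-query response arrival-rate check against the resolver's trust threshold, attribution of a suspect round to the destination IP of the query, and the re-query step before a previously suspect name is promoted to the trusted area. The scripted upstream and all names and addresses are constructed; `trust_threshold`, the cache dictionaries and the return labels are assumed names.

```python
from collections import defaultdict

class SplitCacheResolver:
    """Recursive resolver with a trusted and an untrusted cache area.
    upstream(qname) models one query round-trip: it returns (destination_ip,
    [answers]), the IP the query went to and the answer packets that arrived
    for that query within the monitoring window."""

    def __init__(self, upstream, trust_threshold=1, ttl=300):
        self.upstream = upstream
        self.trust_threshold = trust_threshold  # assumed name: max responses per query
        self.ttl = ttl
        self.trusted = {}                       # qname -> (answer, expires_at)
        self.untrusted = {}                     # qname -> answers held back
        self.attack_sources = defaultdict(int)  # query destination IP -> suspect rounds

    def _query_authoritative(self, qname):
        """One query round: returns (answer or None, response arrival rate)."""
        dest_ip, responses = self.upstream(qname)
        rate = len(responses)  # responses for the same query within the window
        if rate > self.trust_threshold:
            # Too many responses for one query: park them in the untrusted area
            # and, as the patent does, attribute the attack to the destination
            # IP of the query the resolver sent; none of the answers is used.
            self.untrusted[qname] = list(responses)
            self.attack_sources[dest_ip] += 1
            return None, rate
        return (responses[0] if responses else None), rate

    def resolve(self, qname, now):
        """Serve one client query at time `now`; returns (answer, source)."""
        hit = self.trusted.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0], "trusted-cache"            # trusted area is consulted first
        answer, _ = self._query_authoritative(qname)  # otherwise ask the authority
        if answer is None:
            # The untrusted area is never used to answer a client.
            return None, ("untrusted" if qname in self.untrusted else "no-answer")
        if qname in self.untrusted:
            # Arrival rate fell back under the threshold for a name that was
            # under attack: re-query before promoting it to the trusted area.
            answer, _ = self._query_authoritative(qname)
            if answer is None:
                return None, "untrusted"
            del self.untrusted[qname]
        self.trusted[qname] = (answer, now + self.ttl)
        return answer, "authoritative"

def make_scripted_upstream(script):
    """Constructed stand-in for the network, not real DNS I/O: script maps
    qname -> list of (destination_ip, [answers]) rounds replayed in order;
    the last round repeats once the script is exhausted."""
    calls = defaultdict(int)

    def upstream(qname):
        rounds = script[qname]
        i = min(calls[qname], len(rounds) - 1)
        calls[qname] += 1
        return rounds[i]

    return upstream

if __name__ == "__main__":
    # Constructed scenario: a clean name, and a name flooded with forged
    # answers for two rounds before the flood subsides.
    demo = make_scripted_upstream({
        "www.example.test": [("198.51.100.10", ["203.0.113.5"])],
        "xxx.yyy.test": [("198.51.100.20", ["10.0.0.1", "10.0.0.2", "10.0.0.3"]),
                         ("198.51.100.20", ["10.0.0.4", "10.0.0.5"]),
                         ("198.51.100.20", ["203.0.113.9"])]})
    r = SplitCacheResolver(demo, trust_threshold=1)
    for t, name in [(0, "www.example.test"), (0, "xxx.yyy.test"), (5, "xxx.yyy.test"),
                    (20, "xxx.yyy.test"), (30, "xxx.yyy.test")]:
        print(t, name, r.resolve(name, now=t))
```

Running the module prints the outcome of each constructed request: a name whose responses exceed the threshold receives no answer, and the held-back answers never leave the untrusted area until a calm re-query succeeds.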
Claims (4)
1. A query request service method for a DNS recursive server, the steps of which are:
1) Divide the cache of the DNS recursive server into a trusted cache area and an untrusted cache area, where the trusted cache area caches trusted DNS resource records and the untrusted cache area stores the DNS resource records corresponding to suspicious query requests;
2) After the recursive server receives a query request, it looks up whether a matching resource exists in the resource records of the trusted cache area; if so, the matching resource record is returned to the querying end; if not, a query request is sent to the authoritative server;
3) The recursive server monitors the response packet arrival rate of this query request, where the response packet arrival rate is the number of response packets received for the same query request within a set length of time;
4) If the response packet arrival rate of this query request exceeds the preset trust threshold, the recursive server places the response packets of this query request in the untrusted cache area; if the response packet arrival rate of this query request does not exceed the preset trust threshold, the recursive server sends the query request to the authoritative server again, sends the DNS resource record obtained to the querying end, and adds it to the trusted cache area as a trusted DNS resource record.
2. The method of claim 1, characterised in that if the response packet arrival rate of this query request exceeds the preset trust threshold, and the recursive server receives from other querying ends a query request 2 identical to this query request, and the response packet arrival rate of query request 2 does not exceed the preset trust threshold, then the recursive server sends a query request to the authoritative server on behalf of query request 2.
3. The method of claim 1, characterised in that if the response packet arrival rate of a query request exceeds the preset trust threshold, the recursive server determines the cache poisoning attack source from the destination IP address of the query message it sent for that query request.
4. The method of claim 1, characterised in that the recursive server monitors the response packet arrival rate of query requests in real time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201210328266.XA CN103685168B (en) | 2012-09-07 | 2012-09-07 | A kind of inquiry request method of servicing of DNS recursion server |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103685168A true CN103685168A (en) | 2014-03-26 |
CN103685168B CN103685168B (en) | 2016-12-07 |
Family
ID=50321500
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201210328266.XA Active CN103685168B (en) | 2012-09-07 | 2012-09-07 | A kind of inquiry request method of servicing of DNS recursion server |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN103685168B (en) |
Citations (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070250919A1 (en) * | 2005-11-10 | 2007-10-25 | Markmonitor Inc. | B2C Authentication System And Methods |
CN101431449A (en) * | 2008-11-04 | 2009-05-13 | 中国科学院计算技术研究所 | Network flux cleaning system |
CN101505218A (en) * | 2009-03-18 | 2009-08-12 | 杭州华三通信技术有限公司 | Detection method and apparatus for attack packet |
US20090319659A1 (en) * | 2006-12-28 | 2009-12-24 | Hiroshi Terasaki | Source detection device for detecting a source of sending a virus and/or a dns attack linked to an application, method thereof, and program thereof |
CN101741847A (en) * | 2009-12-22 | 2010-06-16 | 北京锐安科技有限公司 | Detecting method of DDOS (distributed denial of service) attacks |
JP2011049745A (en) * | 2009-08-26 | 2011-03-10 | Toshiba Corp | Device for defending dns cache poisoning attack |
CN102035809A (en) * | 2009-09-29 | 2011-04-27 | 成都市华为赛门铁克科技有限公司 | Method, equipment and system for defending cache poison |
CN102404318A (en) * | 2011-10-31 | 2012-04-04 | 杭州迪普科技有限公司 | Method and device for prevention of DNS (Domain Name Server) cathe attack |
CN102624750A (en) * | 2012-04-22 | 2012-08-01 | 吴兴利 | Method and system for resisting domain name system (DNS) recursion attack |
Events: 2012-09-07 CN application CN201210328266.XA filed; granted as patent CN103685168B (active)
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104144165A (en) * | 2014-08-11 | 2014-11-12 | 互联网域名系统北京市工程研究中心有限公司 | Caching method and system for resisting DNS dead domain attacks |
CN105245630B (en) * | 2015-09-25 | 2019-04-23 | 互联网域名系统北京市工程研究中心有限公司 | The method and device of identification and defence DNS SERVFAIL attack |
CN106561028A (en) * | 2015-10-02 | 2017-04-12 | 高效Ip公司 | Quarantining An Internet Protocol Address |
CN105939337A (en) * | 2016-03-09 | 2016-09-14 | 杭州迪普科技有限公司 | DNS cache poisoning protection method and device |
US20170264590A1 (en) * | 2016-03-09 | 2017-09-14 | Hangzhou Dptech Technologies Co., Ltd. | Preventing dns cache poisoning |
CN105939337B (en) * | 2016-03-09 | 2019-08-06 | 杭州迪普科技股份有限公司 | The means of defence and device that DNS cache is poisoned |
US10469532B2 (en) | 2016-03-09 | 2019-11-05 | Hangzhou Dptech Technologies Co., Ltd. | Preventing DNS cache poisoning |
CN105827599A (en) * | 2016-03-11 | 2016-08-03 | 中国互联网络信息中心 | Cache infection detection method and apparatus based on deep analysis on DNS message |
WO2019165665A1 (en) * | 2018-02-28 | 2019-09-06 | 网宿科技股份有限公司 | Domain name resolution method, server and system |
CN112543215A (en) * | 2019-09-23 | 2021-03-23 | 北京国双科技有限公司 | Access request processing method, system, device, storage medium and electronic equipment |
CN111698345A (en) * | 2020-06-10 | 2020-09-22 | 山东伏羲智库互联网研究院 | Domain name query method, recursive server and storage medium |
CN111698345B (en) * | 2020-06-10 | 2022-09-20 | 山东伏羲智库互联网研究院 | Domain name query method, recursive server and storage medium |
Also Published As
Publication number | Publication date |
---|---|
CN103685168B (en) | 2016-12-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| TR01 | Transfer of patent right | Effective date of registration: 20210209; Address after: 100190 room 506, building 2, courtyard 4, South 4th Street, Zhongguancun, Haidian District, Beijing; Patentee after: CHINA INTERNET NETWORK INFORMATION CENTER; Address before: 100190 No. four, 4 South Street, Haidian District, Beijing, Zhongguancun; Patentee before: Computer Network Information Center, Chinese Academy of Sciences |