WO2018141172A1 - Method for controlling web browsing on terminal and for web browsing on terminal, router device, and terminal - Google Patents
- Publication number: WO2018141172A1 (PCT/CN2017/113957)
- Authority: WO (WIPO, PCT)
- Prior art keywords: domain name, name resolution, terminal, router device, response message
Classifications
- H04W12/00 (H: Electricity; H04: Electric communication technique; H04W: Wireless communication networks): Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/03: Protecting confidentiality, e.g. by encryption
- H04W12/02: Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
- H04L61/00 (H04L: Transmission of digital information, e.g. telegraphic communication): Network arrangements, protocols or services for addressing or naming
- H04L61/45: Network directories; Name-to-address mapping
- H04L61/4505: Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511: Name-to-address mapping using domain name system [DNS]
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/04: Network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428: Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present disclosure relates to, but is not limited to, the field of communications, and in particular to a method for controlling a terminal to access the Internet, a method for a terminal to access the Internet, a router device and a terminal.
- DNS Domain Name System
- TCP Transmission Control Protocol
- IP Internet Protocol
- the user equipment can transmit data related to the domain name resolution process by means of two-way resolution and encryption:
- the terminal monitors and receives the domain name resolution request data of the local device; encrypts the domain name resolution request data and sends it to a preset network address; receives, through the router, the encrypted domain name resolution result data fed back by that network address; and decrypts the domain name resolution result data in response to the local machine's domain name resolution request data.
- the home router has no relevant network early warning function and related processing mechanism, and the user cannot know the state of the home router at a certain moment.
- the terminal encryption and decryption process is cumbersome.
- the embodiments of the present disclosure provide a method for controlling a terminal to access the Internet, a method for a terminal to access the Internet, a router device, a terminal, and a system for controlling the terminal to access the Internet, which can simplify the terminal's encryption and decryption process.
- the embodiment of the present disclosure provides a method for controlling a terminal to access the Internet, including: the router device receives an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name to be accessed by the terminal; the router device generates the domain name resolution response message to be sent to the terminal, which carries the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
- the encrypting the domain name resolution response message includes:
- the router device encrypts part of the data in the domain name resolution response message.
- the router device generates a domain name resolution response message that is to be delivered to the terminal and carries the domain name resolution result, which includes any one of the following:
- when the router device detects that the domain name resolution result is in its local cache, the router device carries the domain name resolution result in the domain name resolution response packet;
- when the router device detects that the domain name resolution result is not in its local cache, the router device requests the domain name resolution result from the server device and carries the domain name resolution result in the domain name resolution response packet.
- the method further includes:
- the router device updates the locally stored dynamic information table, wherein the dynamic information table stores the number of accesses by the terminal to access the domain name corresponding to the domain name resolution result within a preset time.
- if it detects that the number of accesses of the terminal exceeds a preset value, the router device determines that the terminal is an illegal connection.
- after the router device determines that the terminal is an illegal connection, the router device sends an alarm signal and records the terminal identifier of the terminal for the user to inspect.
- the key with which the router device encrypts the partial data is manually set in advance on the router device and the terminal.
- the embodiment of the present disclosure further provides a method for a terminal to access the Internet, including:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the terminal receives the encrypted domain name resolution response message carrying the domain name resolution result;
- the terminal parses the domain name resolution response packet according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result.
- the receiving, by the terminal, of the encrypted domain name resolution response message carrying the domain name resolution result includes: receiving a domain name resolution response message in which part of the data is encrypted;
- the parsing, by the terminal, of the domain name resolution response message according to the preset key includes:
- the DNS client plug-in of the terminal decrypts the encrypted part of the data in the domain name resolution response message according to the preset key.
- the key with which the terminal parses the domain name resolution response message is manually set in advance on the terminal and the router device.
- the embodiment of the present disclosure further provides a router device, including:
- the first communication device is configured to: receive an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal; and send the encrypted domain name resolution response message to the terminal;
- the first processor is configured to: generate the domain name resolution response message to be sent to the terminal and carry the domain name resolution result, and encrypt the domain name resolution response message.
- the first processor is further configured to: encrypt part of the data in the domain name resolution response message.
- the manner in which the first processor obtains the domain name resolution result carried in the domain name resolution response message includes any one of the following:
- the first processor is configured to: when it detects that the domain name resolution result is in the local cache of the router device, carry the domain name resolution result in the domain name resolution response packet;
- the first processor is configured to: when it detects that the domain name resolution result is not in the local cache of the router device, request the domain name resolution result from the server device, and carry the domain name resolution result in the domain name resolution response message.
- the first processor is further configured to: after the encrypted domain name resolution response message is sent to the terminal, update the locally stored dynamic information table, wherein the dynamic information table stores the number of times the terminal accessed the domain name corresponding to the domain name resolution result within a preset time.
- the first processor is further configured to: if it is detected that the number of accesses of the terminal exceeds a preset value, determine that the terminal is an illegal connection.
- the key with which the first processor encrypts the partial data is manually set in advance on the router device and the terminal.
- the embodiment of the present disclosure further provides a terminal, including:
- the second communication device is configured to: send an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the to-be-accessed domain name of the terminal; and receive the encrypted domain name resolution response message carrying the domain name resolution result;
- the second processor is configured to: parse the domain name resolution response message according to the preset key, and access a server corresponding to the IP address in the domain name resolution result.
- the second processor is further configured to: parse, according to the preset key, the domain name resolution response message in which part of the data is encrypted.
- the second processor is further configured to: decrypt, by using a DNS client plug-in of the terminal, the encrypted data portion in the domain name resolution response message according to the preset key.
- the key with which the second processor parses the domain name resolution response message is manually set in advance on the terminal and the router device.
- the embodiment of the present disclosure further provides a system for controlling a terminal to access the Internet, including:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the router device generates a domain name resolution response packet that is to be delivered to the terminal and carries the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
- the encrypting, by the router device, the domain name resolution response message includes:
- the router device encrypts part of the data in the domain name resolution response message.
- the system further includes:
- the router device updates the locally stored dynamic information table, where the dynamic information table stores the number of times the terminal accessed the domain name corresponding to the domain name resolution result within a preset time;
- if it detects that the number of accesses of the terminal exceeds a preset value, the router device determines that the terminal is an illegal connection.
- Embodiments of the present disclosure also provide a storage medium.
- the storage medium is arranged to store program code for performing the following steps:
- the router device receives the unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the router device generates a domain name resolution response message to be sent to the terminal and carries the domain name resolution result;
- the domain name resolution response packet is encrypted, and the encrypted domain name resolution response message is sent to the terminal.
- the storage medium is further configured to store program code for performing the following steps:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the terminal receives the encrypted domain name resolution response message carrying the domain name resolution result;
- the terminal parses the domain name resolution response packet according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result.
- Embodiments of the present disclosure also provide a computer readable storage medium storing computer executable instructions which, when executed, implement the method for controlling the terminal to access the Internet.
- the embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the method for a terminal to access the Internet.
- the terminal sends a message requesting domain name resolution to the router device, the router device feeds back to the terminal the encrypted response message carrying the domain name resolution result, and the terminal, after parsing the response message, accesses the server corresponding to the domain name resolution result.
- FIG. 1 is a flowchart of a method for controlling a terminal to access the Internet according to an embodiment of the present disclosure.
- FIG. 2 is a network architecture diagram of a half-duplex domain name encryption mechanism in accordance with an embodiment of the present disclosure.
- FIG. 3 is a flow chart of adding and deleting device nodes in accordance with an alternative embodiment of the present disclosure.
- FIG. 4 is a functional block diagram of a network mechanism in accordance with an alternative embodiment of the present disclosure.
- FIG. 5 is a schematic diagram of an overall flow of a network detection mechanism according to an alternative embodiment of the present disclosure.
- the method and system of the present disclosure can operate on at least one of a router device and a terminal.
- FIG. 1 is a flowchart of a method for controlling a terminal to access the Internet according to an embodiment of the present disclosure. As shown in FIG. 1 , the process may include the following steps:
- Step S102 The router device receives an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- Step S104 The router device generates a domain name resolution response message that is to be sent to the terminal and carries the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal. It can be added that the domain name resolution result may include one IP address or several IP addresses.
- the terminal sends a packet requesting the domain name resolution data to the router device, and the router device feeds back to the terminal the encrypted response message carrying the domain name resolution result. After the terminal parses the response packet, it may access the server corresponding to the domain name resolution result.
- the router device encrypts part of the data in the domain name resolution response message.
- the router device can select an important part of the domain name resolution response packet for encryption, such as the domain name resolution result, the data related to the domain name resolution result, the IP address, or the data related to the IP address, without encrypting the entire message.
- the router device generates a domain name resolution response packet that is to be sent to the terminal and carries the domain name resolution result, and may include any one of the following:
- when the router device detects that the domain name resolution result is available in its local cache, the router device carries the domain name resolution result in the domain name resolution response packet;
- when the router device detects that the domain name resolution result is not in its local cache, the router device requests the domain name resolution result from the server device and carries the domain name resolution result in the domain name resolution response packet.
- the domain name resolution packet may be assembled by the router device, and the packet may include data corresponding to the domain name resolution result, which may be obtained by either of the foregoing two methods. It can be added that the domain name resolution result can be sent to the terminal after it has been requested from the server device.
- the server device may be a domain name resolution server, and may store a correspondence between a domain name and an IP address.
- the router device may update the locally stored dynamic information table, where the dynamic information table stores the number of times the terminal accessed the domain name corresponding to the domain name resolution result within a preset time.
- if it detects that the number of accesses of the terminal exceeds a preset value, the router device may determine that the terminal is an illegal connection. After the router device determines that the terminal's connection is illegal, the terminal can be blacklisted and is no longer allowed to access the Internet through the router device.
- the router device may send an alarm signal and record the terminal identifier of the terminal.
- the router device can record the illegal terminal for the user to inspect and for subsequent processing, such as prohibiting the terminal from accessing the router device's local area network by other means.
- the key with which the router device encrypts the part of the data may be manually set in advance on the router device and the terminal.
- the key can be set by the user in advance on the router device and on the user's own terminal device, without the router device and the terminal having to negotiate the key, thereby effectively avoiding interception during a key negotiation process.
- when the key is set manually, a "symmetric key" encryption algorithm can be chosen instead of a simple encryption algorithm.
- the embodiment of the present disclosure further provides a method for a terminal to access the Internet, and the method may include the following steps:
- Step 1 The terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- Step 2 The terminal receives the encrypted domain name resolution response message carrying the domain name resolution result.
- Step 3 The terminal parses the domain name resolution response message according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result, and the domain name resolution result is obtained by parsing the domain name resolution message.
- part of the data in the domain name resolution response message is encrypted.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the DNS client plug-in of the terminal may decrypt part of the data in the domain name resolution response message according to the preset key.
- the DNS client plug-in can intercept the domain name resolution response packet and, after decrypting it, submit the packet to an upper-layer application such as IE.
- the key with which the terminal parses the domain name resolution response packet may be manually set in advance on the terminal and the router device.
- An optional embodiment of the present disclosure provides an effective Wi-Fi management method and proposes a new network detection method, which ensures that legitimate users can use the Wi-Fi network efficiently and safely and lets the user keep track of the current status of the wireless router.
- An alternative embodiment of the present disclosure first provides a method for managing a Wi-Fi network, that is, a half-duplex domain name encryption mechanism, including:
- after obtaining the domain name resolution result data, the wireless router encrypts part of the data to generate a domain name resolution response message, and sends the message to the host that requested the domain name.
- the domain name resolution result data obtained by the wireless router may be sent by the domain name resolution server.
- after receiving the domain name resolution response message, the access host that requested the domain name first decrypts the key data part of the message, and then submits the decrypted data to the upper-layer process that requested the domain name;
- the foregoing method further has the following feature: the encryption and decryption key used by the wireless router and the access host may be pre-set by the user on the wireless router and the access host, rather than negotiated between the wireless router and the access host over the wireless network, thereby effectively avoiding the risk of interception during a key negotiation process;
- the encryption operation may apply only to the domain name resolution response message, and not to the entire domain name request process;
- the encryption processing for key agreement and for the parts of the domain name request other than the response message is thus removed, which relieves the limited resources of the wireless router.
- the half-duplex domain name encryption mechanism can consist of two closely cooperating parts:
- the domain name resolution packet detection and encryption module on the wireless router side; its processing generally covers two cases:
- if the router's domain name resolution cache contains the domain name requested by the downstream access device, the key data is encrypted and the packet is assembled and sent to the requesting device; otherwise the router first requests the resolution result from the remote domain name resolution server and then encrypts and sends it in the same way;
- the DNS client plug-in on the user's Internet terminal; after receiving the domain name resolution response message, this module intercepts the packet, decrypts its key data, and submits the decrypted data to upper-layer applications such as IE.
- FIG. 2 is a network architecture diagram of a half-duplex domain name encryption mechanism according to an embodiment of the present disclosure.
- it may include a host, a router, and a domain name resolution server on the Internet.
- a DNS domain name resolution plug-in may be installed on the host in this network architecture.
- the host device P1 may be equipped with the plug-in, and the router R1 may include functions such as encryption and detection.
- the P1 can access the Wi-Fi LAN of the device R1, and the R1 device can communicate with the internet network.
- Step 1 The device P1 is to access a certain website, and the upper layer application, such as a web browser (IE), may initiate a domain name resolution request including the website to the router device R1;
- Step 2 After the device R1 receives the domain name resolution request from P1, R1 may first search its domain name resolution cache; if the domain name resolution record is not found, the request may be sent to the remote domain name resolution server on the Internet.
- Step 3 After the device R1 finds the related domain name resolution data in its cache, or after it receives the domain name resolution response packet sent by the remote domain name resolution server, the R1 device may encrypt the key data portion of the domain name response message and then send the packet to the requesting device P1;
- Step 4 After receiving the domain name resolution response packet, the device P1 can intercept the packet and decrypt the key data part in it before submitting the data to the upper-layer application process;
- Step 5 In this way, the device P1 obtains the correct domain name resolution result and can access the Internet normally.
- a network early warning method which may generally include:
- the wireless router dynamically maintains a list of access devices in the Wi-Fi LAN, and the dynamic information of each access device node is recorded in the list;
- the dynamic information of the access device node can roughly include the following information:
- IP address of the access device
- dynamic data for each domain name node requested by the access device within a certain period of time;
- Pointer to the next access device node (this pointer can be used to go to the dynamic statistics table of other terminals);
- the dynamic data of the request domain name node may include the following parts of data:
- a pointer to the next requested domain name node (this pointer can be used to move to the dynamic data table of another domain name, where the number of times that domain name was requested by the terminal is stored);
- the update of the dynamic data of the access device node can roughly include data update in three cases:
- FIG. 3 is a flow chart of adding and deleting device nodes according to an alternative embodiment of the present disclosure: when a new user accesses, a device node record may be added; if a user disconnects, the device node record corresponding to that user may be deleted;
- the domain name dynamic data of the device is updated, that is, the request count for the domain name is increased, or a new domain name node is added;
- this update may be performed after confirming that the router has successfully sent the encrypted domain name resolution response message;
- the domain name request data of one or more access device nodes may be emptied;
- the rule for an illegal user may be: if the number of times a user requests a certain domain name exceeds the specified preset value (for example, 3 times), the access device is taken to be unable to correctly decrypt the encrypted domain name resolution response messages it receives, and the user is therefore judged to be an illegal access user. A normal access user, after receiving correct domain name resolution data, generally keeps it locally for a relatively short period so that it can be used directly afterwards, and so does not request the same domain name many times.
- the early warning mechanism can use an independent indicator light set up on the wireless router.
- the indicator light flashes for a period of time to warn the user of the wireless router device that an illegal user has accessed it.
- the method for detecting the network in the present disclosure may generally include the following modules:
- the device connection management module dynamically maintains a list of the Wi-Fi LAN access devices of the wireless router device, recording the device information of each access device and information on the device's domain name accesses over a period of time;
- the domain name resolution response packet detection module listens for domain name resolution response messages in the domain name resolution server or in the wireless router kernel, so as to trigger data encryption, information statistics or other actions;
- the network detection module judges each access device node according to the information recorded in the wireless router's dynamic access list and the rules described above, distinguishes whether the device node is illegal, and establishes and dynamically maintains the illegal device list.
- the data structure of the illegal access device node may include the following information:
- the network warning module triggers the blinking of the indicator light according to the result of the detection module, thereby alerting the wireless router user.
- FIG. 4 is a functional module relationship diagram in a network mechanism according to an alternative embodiment of the present disclosure. As shown in FIG. 4, a relationship between a plurality of modules is shown.
- the domain name resolution response packet detection module can detect that the wireless router receives or sends a domain name resolution response data packet;
- when the domain name resolution response packet detection module confirms that the domain name response packet has been sent successfully,
- the device connection management module may be triggered to update the information of the device node to which the domain name response message was sent;
- the domain name resolution response packet detection module may immediately trigger the network detection module to determine whether the device node is illegal;
- the network detection module can record the illegal user information in the illegal user list, and can trigger the network warning module to alert the wireless router user.
- the domain name resolution one-way encryption mechanism can roughly include the following two aspects: domain name resolution client plug-in and router domain name resolution agent.
- the domain name resolution client may: receive and store the encryption key set by the user, decrypt the data part of the corresponding domain name response received by the host device, and then hand it over to the corresponding application process.
- the wireless router domain name resolution server can also accept and save the encryption key set by the user, and then encrypt the result data of the domain name resolution according to the key set by the user, and send the encrypted data to the domain name requesting host;
- both the domain name resolution client and the router domain name resolution agent may have a user input key requirement, wherein the key format is similar to a dotted decimal IP address, but Users can enter any 12 digits;
- the encryption process may be that the domain name resolution response packet detection module detects the domain name resolution response message, intercepts the message, and takes out the domain name resolution address in the packet, and converts it into a dotted decimal IP address, and the user.
- the input key is used for packet encryption.
- the encryption method is: each IP address block is added to the key block of the corresponding order, and then the remainder is 255, and finally the bit is inverted.
- the domain name resolution response IP address in the message can be extracted and converted into a dotted decimal format, which is divided into four groups, and at the same time, the user is input.
- the 12-bit key is also divided into four groups, and then according to the order of domain name resolution agent encryption, firstly, the four groups of data in the domain name parsing data packet are inverted by bit, and each group is added with appropriate data (such as 1020). Then, each group of data is subtracted from the user's 12-key grouping data in the corresponding order, and finally, the result of each grouping data operation is 255, and the correct result is obtained. Domain name resolution results.
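The per-group transform described above, written out so the two sides can be checked against each other. This is an added example, not code from the patent: the three-digit-per-group split of the 12-digit key, the sample address and the sample key are this example's assumptions, since the description only says the key "resembles a dotted-decimal IP address".

```python
"""Per-octet encrypt/decrypt as described in the patent text (added example).

Router agent, per group:  c = ~((a + k) mod 255) & 0xFF
Client plug-in, per group: a = ((~c & 0xFF) + 1020 - k) mod 255
1020 = 4 * 255 only keeps the intermediate value non-negative before the
key group (at most 999) is subtracted; it vanishes modulo 255.
"""
from typing import List

KEY_DIGITS = 12
PAD = 1020  # the "appropriate data (such as 1020)" from the description


def split_key(key: str) -> List[int]:
    """Split a 12-digit key into four groups of three digits (assumed split)."""
    if len(key) != KEY_DIGITS or not key.isdigit():
        raise ValueError("key must be exactly 12 decimal digits")
    return [int(key[i:i + 3]) for i in range(0, KEY_DIGITS, 3)]


def parse_ipv4(addr: str) -> List[int]:
    """Dotted-decimal string -> four integers, range-checked."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected dotted-decimal IPv4 address")
    octets = [int(p) for p in parts]
    if any(o < 0 or o > 255 for o in octets):
        raise ValueError("octet out of range")
    return octets


def encrypt_groups(octets: List[int], key_groups: List[int]) -> List[int]:
    """Router side: add key group, reduce modulo 255, invert the 8 bits."""
    return [(~((a + k) % 255)) & 0xFF for a, k in zip(octets, key_groups)]


def decrypt_groups(cipher: List[int], key_groups: List[int]) -> List[int]:
    """Client side: invert bits, add PAD, subtract key group, reduce modulo 255."""
    return [(((~c) & 0xFF) + PAD - k) % 255 for c, k in zip(cipher, key_groups)]


def router_encrypt_answer(addr: str, key: str) -> str:
    """What the router's resolution agent would place in the response."""
    return ".".join(str(x) for x in encrypt_groups(parse_ipv4(addr), split_key(key)))


def client_decrypt_answer(enc: str, key: str) -> str:
    """What the client plug-in hands to the requesting application."""
    return ".".join(str(x) for x in decrypt_groups(parse_ipv4(enc), split_key(key)))


def roundtrips(addr: str, key: str) -> bool:
    """True when encrypt followed by decrypt under the same key restores addr."""
    return client_decrypt_answer(router_encrypt_answer(addr, key), key) == addr


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    sample_key = "192168001001"
    sample_addr = "93.184.216.34"
    enc = router_encrypt_answer(sample_addr, sample_key)
    print("on the wire:", enc)
    print("legal client:", client_decrypt_answer(enc, sample_key))
    print("client without the key:", client_decrypt_answer(enc, "000000000000"))
```

Two properties of the transform are worth knowing before relying on it. Reducing modulo 255 (rather than 256) maps an octet value of 255 onto the same output as 0, so addresses containing 255 do not round-trip; and because each group is a fixed, key-dependent substitution with no per-message randomness, the same address always encrypts to the same bytes under a given key, and a single known address/response pair fixes each key group modulo 255. The scheme therefore hides the resolved address from a device that lacks the key, which is the page's stated goal, but it is not a cipher in the cryptographic sense.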
- the device connection management module of the router device can roughly perform the following functions:
- an access device node is established for each of the one or more devices accessing the wireless router, using a data structure that includes the device's MAC address, IP address, accessed domain name resolution list, and a pointer to the next access device node;
- a domain name resolution node is established for each domain name accessed by the access device; its data structure includes the accessed domain name, the number of times the same domain name has been accessed within a specified time period, and a pointer to the next domain name node; this data structure is embedded in the domain name resolution list of the access device node data structure.
- the basic information of the one or more devices in the wireless router's Wireless Fidelity (Wi-Fi) local area network may be obtained by acquiring each access device's MAC address through the wireless network card and obtaining each device's corresponding IP address by combining the bootses file and the arpping method of the Dynamic Host Configuration Protocol (DHCP) process; each access device corresponds to one node in the access device list; at the same time, to keep the access list information up to date, the update of the access device nodes in the access device list may be completed by starting a timer;
- a timer for the listening period can be started; when the period ends, the domain name resolution list information of the access device node is cleared.
- the domain name resolution response packet detection module of the router device can roughly perform the following functions:
- the device connection management module is notified to update the domain name resolution list information of the corresponding user;
- the network detection module is triggered to determine whether the user requesting domain name resolution is illegal.
- the corresponding steps may include: first, listening for the domain name resolution response message, which is essentially done either by modifying the domain name resolution response function of the domain name resolution agent process or by using a HOOK function to fetch the domain name resolution response message from the kernel.
- the information about the device that requested domain name resolution and the requested domain name can be obtained effectively from the domain name response or from the packet capture function; after confirming that the encrypted domain name response message has been sent successfully, the update of the domain name resolution list may be triggered either by message notification or by directly invoking the access device list update function;
- the network detection function can also be triggered by means of message notification or function call.
- the network detection module of the router device can roughly perform the following functions:
- the corresponding steps may include:
- determining whether a device in the device access list is illegal essentially operates on the accessed domain name nodes of the newly updated access device node: the number of times the device has accessed each domain name is extracted and compared with a specific threshold condition; if it exceeds the threshold, the access device is determined to be illegal, otherwise it is legal;
- the most recently updated device node can be passed in as a parameter;
- the illegal user list is established and dynamically maintained by adding the basic information of the illegal access device node to the illegal user linked list whenever the previous step detects an illegal access device; this list is essentially structured like the access device list;
- the network warning module is notified to issue the warning, which can be done by setting a device node on the wireless router: for example, when the illegal user list is non-empty, that is, when the system detects an illegal user or the system time is up, the value of the specific device node is set to 1 and the indicator light flashes; a 30 s timer can be set that turns the indicator off after it expires.
- for the network early warning module of the router device, the related processing may include:
- a usable GPIO pin;
- a timer program is set in the underlying baseband code to periodically raise the level of the microprocessor pin connected to the indicator light, so that the switch in the circuit loop is periodically turned on, thereby controlling the blinking of the indicator light;
- the interface between the upper layer and the underlying baseband is encapsulated in the baseband program so that the upper or lower layer can control the indicator light effectively after detecting the relevant event, such as a change in the device node value.
- the user can log in to the device management page to view and process the abnormal access device information.
- FIG. 5 is a schematic diagram of an overall process of a network detection mechanism according to an alternative embodiment of the present disclosure. As shown in FIG. 5, the process includes the following steps:
- Step 1: The user pre-sets the same key on the router and on each legal access device on which the domain name resolution client is installed.
- Step 2: When a downstream access device initiates a domain name resolution request, the router receives the domain name resolution response packet once resolution succeeds.
- Step 3: After receiving the domain name resolution response packet, the router extracts the data in the packet, such as the destination IP address, the requested domain name, and the domain name resolution result.
- Step 4: The domain name resolution result data is first encrypted with the key pre-set by the user; after encryption, the encrypted data is sent to the host that requested the domain name.
- Step 5: If the downstream access device is a legal access device, it can decrypt the correct domain name resolution result with the pre-set key and initiate a normal data request. If it is an illegal user, the device does not obtain the correct data: its domain name resolution request yields a wrong address, so it generally cannot achieve its purpose of accessing the network.
- Step 6: After the response packet has been sent successfully to the host that requested the domain name, the router updates the access device information list according to the information obtained from the domain name resolution message; otherwise the update is not performed.
- Step 7: After the update of the access device node information is completed, the updated node information is passed to the network detection module, which determines from the statistics of the access device's requested domain names whether the user is an illegally connected Internet user.
- Step 8: If the network detection module detects an illegal user accessing the device, the network early warning module is triggered periodically and periodically alerts the user through the flashing indicator that an illegal access exists, prompting the user to deal with the illegal network user.
- Step 9: After the entire processing mechanism has completed, the process returns to step 2 and detection loops again.
- the technical solution of this optional embodiment of the present disclosure has the advantages of ensuring network security through domain name encryption, and of providing a convenient, fast, simple and flexible way to set the domain name encryption key and deploy downstream access devices. Moreover, encrypting only the domain name response result reduces to some extent the consumption of the wireless router's limited resources; in addition, the user can know clearly at any time whether the wireless router is being accessed by an illegal user, and can thus pay timely attention to whether illegal users regularly or occasionally attempt to access the home router.
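The router-side bookkeeping that steps 6 to 8 above rely on, and that the device connection management, network detection and early warning module descriptions earlier on this page outline, modelled in one place. This is an added example and not the patent's code: the listening period, the per-domain threshold, the sample MAC and IP address are assumed values, time is passed in explicitly instead of read from a clock so the run is deterministic, and the indicator "device node" is an integer field standing in for the GPIO-driven light.

```python
"""Access-device list, per-domain counters, threshold detection and warning
flag, as an added model of the router-side modules described on the page."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class DeviceNode:
    """One access device: MAC, IP and the embedded domain name resolution list,
    here a dict of domain -> number of resolutions in the current period."""
    mac: str
    ip: str
    domain_counts: Dict[str, int] = field(default_factory=dict)


@dataclass
class RouterState:
    period_seconds: float = 60.0   # assumed listening period (timer from the text)
    threshold: int = 20            # assumed per-domain hit threshold
    warn_seconds: float = 30.0     # the 30 s indicator timer named in the text
    devices: Dict[str, DeviceNode] = field(default_factory=dict)  # access device list, keyed by MAC
    illegal: Dict[str, DeviceNode] = field(default_factory=dict)  # illegal user list, same shape
    period_started: float = 0.0
    warning_until: float = 0.0     # indicator "device node" is 1 while now < warning_until


def on_response_sent(state: RouterState, mac: str, ip: str, domain: str, now: float) -> DeviceNode:
    """Step 6: after the encrypted response went out, update the access device list."""
    if now - state.period_started >= state.period_seconds:
        # Listening period expired: clear every node's resolution list.
        for node in state.devices.values():
            node.domain_counts.clear()
        state.period_started = now
    node = state.devices.setdefault(mac, DeviceNode(mac, ip))
    node.ip = ip  # DHCP may have handed the device a new address
    node.domain_counts[domain] = node.domain_counts.get(domain, 0) + 1
    return node


def detect(state: RouterState, node: DeviceNode, now: float) -> bool:
    """Step 7: the freshly updated node is checked; any per-domain count above
    the threshold marks the device illegal and appends it to the illegal list."""
    is_illegal = any(n > state.threshold for n in node.domain_counts.values())
    if is_illegal:
        state.illegal[node.mac] = node
        warn(state, now)
    return is_illegal


def warn(state: RouterState, now: float) -> None:
    """Step 8: set the indicator node to 1; the 30 s timer clears it again."""
    state.warning_until = now + state.warn_seconds


def indicator_value(state: RouterState, now: float) -> int:
    """Value of the device node that drives the indicator light (1 = flashing)."""
    return 1 if now < state.warning_until else 0


def process_response(state: RouterState, mac: str, ip: str, domain: str, now: float) -> bool:
    """One pass of steps 6 and 7 for a single sent response; returns the verdict."""
    node = on_response_sent(state, mac, ip, domain, now)
    return detect(state, node, now)


if __name__ == "__main__":
    # Constructed sample traffic: one device resolving the same name 21 times
    # in one period, which is what trips the assumed threshold of 20.
    st = RouterState()
    for t in range(21):
        verdict = process_response(st, "02:00:00:00:00:01", "192.168.1.10", "example.test", float(t))
    print("illegal after 21 lookups:", verdict, "indicator:", indicator_value(st, 21.0))
```

The threshold compares each domain's count in isolation, exactly as the text describes; a device spreading lookups across many names stays below it, so the period length and threshold need to be chosen together for the traffic the router actually sees.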
- the embodiment of the present disclosure further provides a router device, including:
- the first communication device is configured to: receive an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal; and is further configured to: send the encrypted domain name resolution response message to the terminal;
- the first processor is configured to: generate the domain name resolution response message to be sent to the terminal and carry the domain name resolution result, and encrypt the domain name resolution response message.
- the first processor is further configured to: encrypt part of the data in the domain name resolution response message.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the manner in which the first processor obtains the data portion of the domain name resolution response packet includes any one of the following:
- the first processor is configured to: when detecting the domain name resolution result in the local cache of the router device, the first processor carries the domain name resolution result in the domain name resolution response message;
- the first processor is configured to: when detecting that the domain name resolution result is not in the local cache of the router device, request the domain name resolution result from the server device and carry the domain name resolution result in the domain name resolution response packet.
- the first processor is further configured to: after the encrypted domain name resolution response message is sent to the terminal, update the locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within the preset time.
- the first processor is further configured to: if it is detected that the number of accesses of the terminal exceeds a preset value, determine that the terminal is an illegal connection.
- the key that the first processor encrypts the partial data is manually set in advance on the router device and the terminal.
- the embodiment of the present disclosure further provides a terminal, including:
- the second communication device is configured to: send an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal; and receive the encrypted domain name resolution response message carrying the domain name resolution result;
- the second processor is configured to: parse the domain name resolution response message according to the preset key, and access the server corresponding to the IP address in the domain name resolution result. It may be added that, after obtaining the domain name resolution result, the second processor passes it up to the upper-layer application that issued the domain name request, such as a browser, and that specific application then accesses the domain name.
- the second processor is further configured to: parse, according to the preset key, the domain name resolution response message in which part of the data is encrypted.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the second processor is further configured to: decrypt, by using the DNS client plug-in of the terminal, part of the data in the domain name resolution response message according to the preset key.
- the key with which the second processor parses the domain name resolution response message is manually set in advance on the terminal and the router device.
- the embodiment of the present disclosure further provides a system for controlling a terminal to access the Internet, including:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the router device generates a domain name resolution response message to be sent to the terminal, and the domain name resolution response message is encrypted, and the encrypted domain name resolution response message is sent to the terminal.
- the encrypting, by the router device, the domain name resolution response packet includes:
- the router device encrypts part of the data in the domain name resolution response message.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the system further includes:
- the router device updates the locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time;
- when it detects that the number of accesses of the terminal exceeds a preset value, the router device determines that the terminal is an illegal connection.
- Embodiments of the present disclosure also provide a storage medium.
- the foregoing storage medium may be configured to store program code for performing the following steps:
- S1: The router device receives an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal.
- S2: The router device generates a domain name resolution response message that is to be sent to the terminal and carries the domain name resolution result.
- S3: The router device encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
- the storage medium is further arranged to store program code for performing the following steps:
- S4: The terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal;
- S5: The terminal receives the encrypted domain name resolution response message carrying the domain name resolution result.
- S6: The terminal parses the domain name resolution response packet according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result.
- the foregoing storage medium may include, but is not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory.
- the processor performs the method steps in the foregoing embodiments according to the stored program code in the storage medium.
- the embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions, where the computer executable instructions are executed to implement the method for controlling the terminal to access the Internet.
- the embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions, which, when executed, implement the method for the terminal to access the Internet.
- the modules or steps described above may be implemented with computing devices, which may be centralized on a single computing device or distributed over a network of computing devices, and may optionally be implemented as program code executable by the computing device, such that they may be stored in a storage device and executed by the computing device; in some cases the steps shown or described may be performed in an order different from that described herein, or the modules or steps may be fabricated separately as individual integrated circuit modules, or multiple modules or steps may be fabricated as a single integrated circuit module.
- the disclosure is not limited to any specific combination of hardware and software.
- a computer storage medium includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information, such as computer readable instructions, data structures, program modules or other data.
- Computer storage media include, but are not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disc storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and that can be accessed by a computer.
- communication media typically include computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and may include any information delivery media.
- the terminal sends a message requesting domain name resolution to the router device, the router device feeds back to the terminal an encrypted response message carrying the domain name resolution result, and the terminal, after parsing the response message, accesses the server corresponding to the domain name resolution result.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
A method for controlling web browsing on a terminal, comprising: a router device receives an unencrypted domain name resolution request packet transmitted by a terminal, where the domain name resolution request packet is used for requesting a domain name resolution result corresponding to a domain name to be visited by the terminal; the router device generates a domain name resolution response packet to be issued to the terminal and carrying the domain name resolution result, encrypts the domain name resolution response packet, and transmits the encrypted domain name resolution response packet to the terminal.
Description
The present disclosure relates to, but is not limited to, the field of communications, and in particular to a method for controlling a terminal's Internet access and for a terminal to access the Internet, a router device and a terminal.
The Domain Name System (DNS) is a distributed database for Transmission Control Protocol (TCP)/Internet Protocol (IP) applications that provides translation between domain names and IP addresses. Through the domain name system, users can directly use easy-to-remember, meaningful domain names in certain applications, and a domain name resolution server in the network resolves the domain name to the correct IP address.
With the continuing spread of home Wireless Fidelity (Wi-Fi) environments, all kinds of Wi-Fi piggybacking (unauthorized network use) software keep appearing; and as the Internet of Things and smart homes advance, more and more household appliances join the ranks of devices that can access the network, so home networks are coming under unprecedented pressure. When using a home router, many people choose basic methods such as encryption, hiding the Service Set Identifier (SSID) or Medium Access Control (MAC) address filtering to prevent piggybacking.
User equipment can transmit data related to the domain name resolution process by means of two-way resolution encryption:
the terminal listens for and receives the local host's domain name resolution request data; encrypts the domain name resolution request data and sends it to a preset network address; receives the encrypted domain name resolution result data fed back from that network address via the router; and the terminal decrypts the domain name resolution result data and uses it to answer the local host's domain name resolution request.
Summary of the invention
The following is an overview of the subject matter described in detail herein. This summary is not intended to limit the scope of protection of the claims.
Controlling piggybacking users by setting a password has shown its shortcomings in the face of the many piggybacking software tools, and a two-way domain name resolution encryption mechanism is a waste of limited resources for a home router; secondly, home routers have no piggybacking early-warning function or related handling mechanism, so the user cannot know what state the home router is in at a given moment.
The encryption and decryption process for terminal Internet access is cumbersome.
Embodiments of the present disclosure provide a method for controlling a terminal's Internet access and for a terminal to access the Internet, a router device and a terminal, and a system for controlling a terminal's Internet access, which can simplify the encryption and decryption process for terminal Internet access.
An embodiment of the present disclosure provides a method for controlling a terminal's Internet access, including: a router device receives an unencrypted domain name resolution request message sent by a terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name the terminal intends to access; the router device obtains a domain name resolution response message, to be delivered to the terminal, carrying the domain name resolution result; and the router device encrypts the domain name resolution response message and sends the encrypted domain name resolution response message to the terminal.
In an exemplary embodiment, encrypting the domain name resolution response message includes:
the router device encrypts part of the data in the domain name resolution response message.
In an exemplary embodiment, the router device generating the domain name resolution response message, to be delivered to the terminal, that carries the domain name resolution result includes any one of the following:
when the router device detects that the domain name resolution result is in the router device's local cache, the router device carries the domain name resolution result in the domain name resolution response message;
when the router device detects that the domain name resolution result is not in the router device's local cache, the router device requests the domain name resolution result from a server device and carries the domain name resolution result in the domain name resolution response message.
In an exemplary embodiment, after sending the encrypted domain name resolution response message to the terminal, the method further includes:
the router device updates a locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time.
In an exemplary embodiment, when the router device detects that the terminal's number of accesses exceeds a preset value, the router device determines that the terminal is an illegal connection.
In an exemplary embodiment, after the router device determines that the terminal is an illegal connection, the router device issues an alarm signal and records the terminal identifier of the terminal for the user to review.
In an exemplary embodiment, the key with which the router device encrypts the partial data is set manually in advance on the router device and the terminal.
An embodiment of the present disclosure further provides a method for a terminal to access the Internet, including:
the terminal sends an unencrypted domain name resolution request message to a router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name the terminal intends to access;
the terminal receives an encrypted domain name resolution response message carrying the domain name resolution result;
the terminal parses the domain name resolution response message according to a preset key and accesses the server corresponding to the IP address in the domain name resolution result.
In an exemplary embodiment, the terminal receiving the encrypted domain name resolution response message carrying the domain name resolution result includes:
part of the data in the domain name resolution response message is encrypted.
In an exemplary embodiment, the terminal parsing the domain name resolution response message according to the preset key includes:
the terminal's DNS client plug-in decrypts part of the data in the domain name resolution response message according to the preset key.
In an exemplary embodiment, the key with which the terminal parses the domain name resolution response message is set manually in advance on the terminal and the router device.
An embodiment of the present disclosure further provides a router device, including:
a first communication device configured to receive an unencrypted domain name resolution request message sent by a terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name the terminal intends to access; and further configured to send an encrypted domain name resolution response message to the terminal;
a first processor configured to generate the domain name resolution response message, to be delivered to the terminal, carrying the domain name resolution result, and to encrypt the domain name resolution response message.
In an exemplary embodiment, the first processor is further configured to encrypt part of the data in the domain name resolution response message.
In an exemplary embodiment, the manner in which the first processor obtains the domain name resolution result in the domain name resolution response message includes any one of the following:
the first processor is configured to carry the domain name resolution result in the domain name resolution response message when it detects that the domain name resolution result is in the router device's local cache;
the first processor is configured to request the domain name resolution result from a server device when it detects that the domain name resolution result is not in the router device's local cache, and to carry the domain name resolution result in the domain name resolution response message.
In an exemplary embodiment, the first processor is further configured to, after the encrypted domain name resolution response message is sent to the terminal, update a locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time.
In an exemplary embodiment, the first processor is further configured to determine that the terminal is an illegal connection when it detects that the terminal's number of accesses exceeds a preset value.
In an exemplary embodiment, the key with which the first processor encrypts the partial data is set manually in advance on the router device and the terminal.
An embodiment of the present disclosure further provides a terminal, including:
a second communication device, configured to: send an unencrypted domain name resolution request message to a router device, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name the terminal intends to access; and receive an encrypted domain name resolution response message carrying the domain name resolution result;
a second processor, configured to: parse the domain name resolution response message according to a preset key, and access the server corresponding to the IP address in the domain name resolution result.
In an exemplary embodiment, the second processor is further configured to: parse, according to the preset key, the domain name resolution response message in which part of the data is encrypted.
In an exemplary embodiment, the second processor is further configured to: decrypt, by means of a DNS client plug-in on the terminal, the encrypted data portion of the domain name resolution response message according to the preset key.
In an exemplary embodiment, the key with which the second processor parses the domain name resolution response message is set manually in advance on the terminal and the router device.
An embodiment of the present disclosure further provides a system for controlling a terminal's Internet access, including:
the terminal sends an unencrypted domain name resolution request message to a router device, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name the terminal intends to access;
the router device generates a domain name resolution response message to be delivered to the terminal and carrying the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
In an exemplary embodiment, the router device encrypting the domain name resolution response message includes:
the router device encrypting part of the data in the domain name resolution response message.
In an exemplary embodiment, after the encrypted domain name resolution response message is sent to the terminal, the system further includes:
the router device updating a locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time;
and, when the router device detects that the number of accesses by the terminal exceeds a preset value, the router device determining that the terminal is an illegal connection.
An embodiment of the present disclosure further provides a storage medium. The storage medium is configured to store program code for performing the following steps:
a router device receives an unencrypted domain name resolution request message sent by a terminal, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name the terminal intends to access;
the router device generates a domain name resolution response message to be delivered to the terminal and carrying the domain name resolution result;
the domain name resolution response message is encrypted, and the encrypted domain name resolution response message is sent to the terminal.
In an exemplary embodiment, the storage medium is further configured to store program code for performing the following steps:
a terminal sends an unencrypted domain name resolution request message to a router device, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name the terminal intends to access;
the terminal receives an encrypted domain name resolution response message carrying the domain name resolution result;
the terminal parses the domain name resolution response message according to a preset key and accesses the server corresponding to the IP address in the domain name resolution result.
An embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above method for controlling a terminal's Internet access.
An embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the above method for a terminal's Internet access.
In the embodiments of the present disclosure, the terminal sends an unencrypted message requesting domain name resolution to the router device, the router device returns an encrypted response message carrying the domain name resolution result, and the terminal, after parsing the response message, accesses the server corresponding to the domain name resolution result. This simplifies the encryption and decryption flow of the terminal's Internet access, saves resources on the router device, and greatly shortens the terminal's Internet access procedure.
Other aspects will be apparent upon reading and understanding the drawings and detailed description.
Brief description of the drawings
FIG. 1 is a flowchart of a method for controlling a terminal's Internet access according to an embodiment of the present disclosure;
FIG. 2 is a network architecture diagram of a half-duplex domain name encryption mechanism according to an embodiment of the present disclosure;
FIG. 3 is a flowchart of adding and deleting device nodes according to an optional embodiment of the present disclosure;
FIG. 4 is a diagram of the relationships between the functional modules in the Wi-Fi freeloading (蹭网) detection mechanism according to an optional embodiment of the present disclosure;
FIG. 5 is a schematic diagram of the overall flow of the freeloading detection mechanism according to an optional embodiment of the present disclosure.
Preferred embodiments of the present disclosure
Embodiments of the present disclosure are described below with reference to the accompanying drawings.
It should be noted that the terms "first", "second" and the like herein are used to distinguish similar objects and do not necessarily describe a particular order or sequence.
The method and system of the present disclosure may run on at least one of a router device and a terminal.
FIG. 1 is a flowchart of a method for controlling a terminal's Internet access according to an embodiment of the present disclosure. As shown in FIG. 1, the flow may include the following steps:
Step S102: a router device receives an unencrypted domain name resolution request message sent by a terminal, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name the terminal intends to access;
Step S104: the router device generates a domain name resolution response message to be delivered to the terminal and carrying the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal. It may be added that the domain name resolution result may contain a single IP address or several IP addresses.
With the above technical solution, the terminal sends an unencrypted message requesting domain name resolution data to the router device, the router device returns an encrypted response message carrying the domain name resolution result, and after parsing the response message the terminal can access the server corresponding to the domain name resolution result. The above technical solution avoids a cumbersome encryption and decryption flow for the terminal's Internet access, saves resources on the router device, and greatly shortens the terminal's Internet access procedure.
Optionally, the router device encrypts part of the data in the domain name resolution response message. The router device may select the important parts of the domain name resolution response message for encryption, such as the domain name resolution result, data related to the domain name resolution result, the IP address, or data related to the IP address. The whole message need not be encrypted.
Optionally, the router device generating the domain name resolution response message to be delivered to the terminal and carrying the domain name resolution result may include either of the following:
when the router device detects that the domain name resolution result is in the local cache of the router device, the router device carries the domain name resolution result in the domain name resolution response message;
when the router device detects that the domain name resolution result is not in the local cache of the router device, the router device requests the domain name resolution result from a server device and carries the domain name resolution result in the domain name resolution response message. It should be noted that the domain name resolution message may be assembled by the router device, and the message may include data corresponding to the domain name resolution result, which may be obtained in either of the two ways above. It may be added that after the domain name resolution result has been requested from the server device, the domain name resolution result may be sent to the terminal. The server device may be a domain name resolution server, which may store the correspondence between domain names and IP addresses.
Optionally, after the encrypted domain name resolution response message is sent to the terminal, the router device may update a locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time.
Optionally, when the router device detects that the number of accesses by the terminal exceeds a preset value, the router device may determine that the terminal is an illegal connection. After the router device determines that a terminal is an illegal connection, it may blacklist the terminal and no longer allow the terminal to access the Internet through the router device.
Optionally, after the router device determines that the terminal is an illegal connection, the router device may issue an alarm signal and record the terminal identifier of the terminal. The router device may record the illegal terminal so that the user can review it and take follow-up action, such as using other means to prohibit the terminal from joining the local area network of the router device.
Optionally, the key with which the router device encrypts the partial data may be set manually in advance on the router device and the terminal. The key may be one that the user sets in advance on the router device and on the user's own terminal device, so that the router device and the terminal do not need to negotiate a key, which effectively avoids the key being intercepted during a key negotiation process. Optionally, when the key is set manually, a "symmetric key" encryption algorithm may be chosen rather than a simpler encryption algorithm.
An embodiment of the present disclosure further provides a method for a terminal's Internet access, which may include the following steps:
Step 1: a terminal sends an unencrypted domain name resolution request message to a router device, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name the terminal intends to access;
Step 2: the terminal receives an encrypted domain name resolution response message carrying the domain name resolution result;
Step 3: the terminal parses the domain name resolution response message according to a preset key and accesses the server corresponding to the IP address in the domain name resolution result, the domain name resolution result being obtained by parsing the domain name resolution response message.
Optionally, part of the data in the domain name resolution response message is encrypted. This part of the data is, for example, the domain name resolution result, data related to the domain name resolution result, the IP address, data related to the IP address, and so on.
Optionally, a DNS client plug-in on the terminal may decrypt the partial data in the domain name resolution response message according to the preset key. The DNS client may intercept the domain name resolution response message and, after decrypting it, hand the message to the upper-layer application, such as IE.
Optionally, the key with which the terminal parses the domain name resolution response message may be set manually in advance on the terminal and the router device.
Optional embodiments of the present disclosure are described in detail below.
An optional embodiment of the present disclosure provides an effective Wi-Fi management method and, on that basis, proposes a new freeloading detection method, so that legitimate users can use the Wi-Fi network efficiently and securely while being able to learn the current state of the wireless router at any time.
An optional embodiment of the present disclosure first provides a method for managing a Wi-Fi network, namely a half-duplex domain name encryption mechanism, including:
after obtaining the domain name resolution result data, the wireless router encrypts this part of the data, generates a domain name resolution response message, and sends the message to the host that made the domain name request. The domain name resolution result data obtained by the wireless router may have been sent by a domain name resolution server.
after receiving the domain name resolution response message, the access host that made the domain name request first decrypts the key data portion of the message and then hands the decrypted data to the upper-layer process that made the domain name request;
Optionally, the above method further has the following feature: the encryption and decryption key used by the wireless router and the access host may be preset by the user separately on the wireless router and on the access host, rather than being negotiated by the wireless router and the access host on the two sides of the wireless network, which effectively avoids the risk of the key being intercepted during a key negotiation process;
at the same time, the encryption operation may apply only to the domain name resolution response message rather than to the entire domain name request process;
with key negotiation and the encryption of everything in the domain name request flow other than the domain name resolution response message cut out, the load on the limited resources of the wireless router can be reduced.
Optionally, the half-duplex domain name encryption mechanism may consist of two closely cooperating parts:
a domain name resolution packet detection and encryption module on the wireless router side, whose processing roughly covers two cases:
1. when the domain name requested by the downstream access device can be found in the router's domain name resolution cache, the key data is encrypted and the message is assembled and sent to the requesting device;
2. when the domain name resolution result cannot be obtained from the router's local cache and a domain name resolution request has been sent to a remote domain name resolution server, then, after the domain name resolution response message is received, the key data of that message is extracted and encrypted before the message is reassembled and sent to the requesting device.
a DNS client plug-in on the user's Internet terminal side, which roughly performs the following: after the Internet terminal device receives a domain name resolution response message, the plug-in intercepts the message, decrypts its key data, and hands the decrypted data to the upper-layer application, such as IE.
Optionally, FIG. 2 is a network architecture diagram of a half-duplex domain name encryption mechanism according to an embodiment of the present disclosure. As shown in FIG. 2, it may include a host, a router and a domain name resolution server in the Internet. The entire domain name resolution process is described in detail with reference to FIG. 2: the network architecture may include a host device P1 on which a DNS domain name resolution plug-in is installed, and a router R1 that includes functions such as encryption and detection; P1 may join the Wi-Fi local area network of device R1, and device R1 may be connected to the Internet.
Step 1: device P1 wants to visit a website, and an upper-layer application such as a web browser (Internet Explorer, IE for short) may send a domain name resolution request containing that website's domain name to router device R1;
Step 2: after device R1 receives P1's domain name resolution request, R1 may first look up its own domain name resolution cache; if no matching domain name resolution record is found, it may send a domain name resolution request to a remote domain name resolution server on the Internet;
Step 3: while device R1 assembles the message from the matching domain name resolution data it found, or after it receives the domain name resolution response message sent by the remote domain name resolution server, device R1 may encrypt the key data portion of the domain name response message and then assemble and send the message to the requesting device P1;
Step 4: after device P1 receives the domain name resolution response message and before the data is handed to the upper-layer application process, the DNS client plug-in may intercept the message, decrypt the key data portion of the message, and then hand the decrypted data to the upper-layer application process;
Step 5: in this way device P1 obtains the correct domain name resolution result and can access the Internet normally.
Another key part of the optional embodiment of the present disclosure is a freeloading early-warning method, which may roughly include:
the wireless router dynamically maintains a list of access devices in the Wi-Fi local area network, in which the dynamic information of each access device node is recorded;
the sending of domain name response messages to Wi-Fi local area network access devices is monitored, and the domain name request dynamic information is updated into the dynamic information of the above device nodes;
according to the dynamic information of the Wi-Fi local area network access device nodes, whether a device in the access list is illegal is determined according to the corresponding determination rule;
when an illegal device is detected in the access device list, the illegal user information is saved and the early-warning mechanism is then triggered to warn the user;
Optionally, the details of the method are set out as follows:
The dynamic information of an access device node may roughly contain the following information:
the IP address of the access device;
the MAC address of the access device;
dynamic data on each domain name the access device has requested within a certain period of time;
a pointer to the next access device node (the pointer can be used to move to the dynamic data statistics table of another terminal);
The dynamic data on a requested domain name node may contain the following parts:
the requested domain name;
the number of times each terminal has requested that domain name;
a pointer to the next requested domain name node (the pointer can be used to move to the dynamic data table of another domain name, which stores the count of how many times that other domain name has been requested by the terminal);
Updates to the dynamic data of access device nodes roughly cover three cases:
addition and deletion of access device nodes when a new user connects or a connected user disconnects; for this case, FIG. 3 is a flowchart of adding and deleting device nodes according to an optional embodiment of the present disclosure. As shown in FIG. 3, when a new user connects, a device node record may be added; if a user disconnects, the device node record corresponding to that user may be deleted;
updates to a device's requested-domain-name dynamic data, that is, the count of requests for a domain name and the addition of requested domain name nodes; this data is roughly updated after it is confirmed that the encrypted domain name resolution response message has been successfully sent out by the router;
after a certain time (such as 5 minutes) has elapsed, the domain name request data of one or more access device nodes (for example all access device nodes) may be cleared;
The determination rule for illegal users may be: if within a period of time a user requests a certain domain name more than a specified preset number of times (such as 3), the access device is considered unable to correctly decrypt the encrypted domain name resolution response messages it receives, and the user is therefore judged to be an illegal access user. A normally connected user, after receiving correct domain name resolution data, generally stores that resolution data locally for a relatively short period so that it can be used directly afterwards, and need not request the same domain name repeatedly.
The early-warning mechanism may roughly consist of a dedicated indicator light on the wireless router, which blinks for a period of time when an illegal access user is detected and on the hour, to warn the user of the wireless router device that there is an illegal access user.
In summary, the freeloading detection method in the present disclosure may roughly include the following modules:
Device connection management module: dynamically maintains the list of Wi-Fi local area network access devices of the wireless router device, in which the device information of each access device and the information on that device's domain name accesses over a period of time are recorded;
Domain name resolution response message detection module: listens for domain name resolution response messages in the domain name resolution server or in the kernel of the wireless router, so as to carry out data encryption, statistics gathering or the triggering of other actions;
Freeloading detection module: based on the information recorded in the wireless router's dynamic access list, judges each access device node according to the rules described above, determines whether the device node is illegal, and builds and dynamically maintains an illegal device list, in which the data structure of an illegal access device node may contain the following information:
MAC address;
IP address;
the domain name accessed beyond the threshold;
the number of accesses to that domain name;
a pointer to the next illegal access device node;
Freeloading early-warning module: triggers the blinking of the indicator light according to the result of the detection module, thereby warning the wireless router user.
FIG. 4 is a diagram of the relationships between the functional modules in the freeloading detection mechanism according to an optional embodiment of the present disclosure. As shown in FIG. 4, the modules relate to one another as follows.
First, the domain name resolution response packet detection module may detect that the wireless router has received, or is about to send, a domain name resolution response packet;
Second, after the domain name resolution response packet detection module confirms that the domain name response packet has been sent successfully, it may trigger the device connection management module to update the node information of the device to which the domain name response message was sent;
Third, after the device node information has been updated, the domain name resolution response message detection module may immediately trigger the freeloading detection module to judge whether that device node is illegal;
Fourth, if the user is judged illegal, the freeloading detection module may record the illegal user information in the illegal user list and may trigger the freeloading early-warning module to alert the wireless router user.
The following are optional examples within the optional embodiments of the present disclosure.
Optional example 1: one-way encryption mechanism for domain name resolution
The one-way encryption mechanism for domain name resolution may roughly consist of two parts: a domain name resolution client plug-in and a domain name resolution proxy on the router.
The domain name resolution client roughly: receives and stores the encryption key set by the user, decrypts the data portion of the domain name resolution response packets received by the host device, and hands the result to the corresponding application process.
The domain name resolution server side on the wireless router likewise receives and stores the encryption key set by the user, then encrypts the domain name resolution result data according to the key set by the user, and sends the encrypted data to the host that made the domain name request;
As for the encryption and decryption process in the one-way encryption mechanism for domain name resolution: first, both the domain name resolution client and the router's domain name resolution proxy may require the user to enter a key, whose format resembles a dotted-decimal IP address, except that the user may enter any 12 digits;
second, the encryption process may be as follows: the domain name resolution response packet detection module detects a domain name resolution response message, intercepts it, extracts the resolved address from the message, converts it to a dotted-decimal IP address, and block-encrypts it with the key entered by the user. The encryption method is: add each block of the IP address to the key block of the corresponding order, take the remainder modulo 255, and finally invert the bits.
finally, after intercepting the domain name response message by means of a hook (HOOK), the domain name resolution client can extract the domain name resolution answer IP address from the message and convert it to dotted-decimal format, giving four groups; the 12-digit key entered by the user is likewise split into four groups. Then, following the order used by the domain name resolution proxy's encryption, the four groups of data from the domain name resolution packet are first inverted bitwise, a suitable value (such as 1020, which is 4 × 255 and therefore leaves the result modulo 255 unchanged while keeping the intermediate value non-negative) is added to each group, the user's 12-digit key groups are then subtracted from the corresponding groups, and finally the remainder of each group modulo 255 is taken, which yields the correct domain name resolution result.
综上所述,尽管在加密方面,我们阐述了相对简单的分组加密方式,但是也可采用更为复杂的加密算法。In summary, although we have described a relatively simple method of packet encryption in terms of encryption, more complex encryption algorithms can be used.
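The block-wise scheme described above, carried through as an added illustration (not the patent's own code): it assumes the 12-digit key is split into four 3-digit blocks, that each IPv4 octet is one data block, and that the "appropriate value" added during decryption is the 1020 the text gives as an example.

```python
"""Block-wise one-way encryption of a resolved IPv4 address, as described in
the text above. Added illustration, not the patent's own code.

Assumptions (labelled as such): the 12-digit key is split into four 3-digit
blocks, each IPv4 octet is one data block, and the "appropriate value" added
during decryption is 1020 (= 4 * 255), the example value the text gives.
"""
from __future__ import annotations

MOD = 255               # the text reduces modulo 255 (not 256)
DECRYPT_OFFSET = 1020   # 4 * MOD; keeps the intermediate value non-negative for key blocks up to 999


def split_key(key: str) -> list[int]:
    """Split a 12-digit key such as '123045200007' into four blocks [123, 45, 200, 7]."""
    if len(key) != 12 or not key.isdigit():
        raise ValueError("key must be exactly 12 decimal digits")
    return [int(key[i:i + 3]) for i in range(0, 12, 3)]


def ip_to_blocks(ip: str) -> list[int]:
    """Parse dotted-decimal IPv4 into four octets, rejecting anything malformed."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    return [int(p) for p in parts]


def blocks_to_ip(blocks: list[int]) -> str:
    return ".".join(str(b) for b in blocks)


def encrypt_block(octet: int, k: int) -> int:
    """Router side: (octet + key block) mod 255, then bitwise NOT of the low 8 bits."""
    return (~((octet + k) % MOD)) & 0xFF


def decrypt_block(enc: int, k: int) -> int:
    """Client side: bitwise NOT, add 1020, subtract the key block, reduce mod 255."""
    return (((~enc) & 0xFF) + DECRYPT_OFFSET - k) % MOD


def router_encrypt(ip: str, key: str) -> str:
    """What the router's resolution proxy writes into the intercepted DNS answer."""
    return blocks_to_ip([encrypt_block(o, k) for o, k in zip(ip_to_blocks(ip), split_key(key))])


def client_decrypt(enc_ip: str, key: str) -> str:
    """What the client plug-in hands to the application after hooking the answer."""
    return blocks_to_ip([decrypt_block(o, k) for o, k in zip(ip_to_blocks(enc_ip), split_key(key))])


def roundtrip_ok(ip: str, key: str) -> bool:
    return client_decrypt(router_encrypt(ip, key), key) == ip


def lossy_octets(k: int) -> list[int]:
    """Octet values that do not survive the round trip for key block k.

    Because the reduction is modulo 255 rather than 256, an octet of 255 becomes
    indistinguishable from 0; this function makes that edge case visible.
    """
    return [o for o in range(256) if decrypt_block(encrypt_block(o, k), k) != o]


if __name__ == "__main__":
    key = "123045200007"          # constructed sample key
    answer = "192.168.1.10"       # constructed sample DNS answer
    enc = router_encrypt(answer, key)
    print(f"router sends    {enc}")
    print(f"client recovers {client_decrypt(enc, key)}")
    print(f"octets lost for key block 7: {lossy_octets(7)}")
```

A given key block always maps the same plaintext octet to the same ciphertext octet, and the mod-255 reduction folds an octet of 255 onto 0, which is why the text leaves room for stronger algorithms.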
Another optional example: the device connection management module of the router device
This module roughly performs the following functions:
1. Dynamically record, in a specific data structure, the list of devices currently connected to the router;
2. Each time the wireless router's domain name resolution server successfully sends a domain name resolution response message, update the relevant information in the device list;
3. After a specified time period has elapsed, clear the domain name request information of all users at once.
An optional implementation of this part may include:
First, an access device node is created with a data structure for each of the one or more access devices of the wireless router; the data structure contains the device's MAC address, IP address, a linked list of the domain names it has resolved, and a pointer to the next access device node;
Second, a domain name resolution node is created with a data structure for each domain name accessed by an access device; the data structure contains the accessed domain name, the number of times the same domain name was accessed within the specified time period, and a pointer to the next domain name node. This structure is embedded in the domain name resolution linked list of the device node structure.
Third, the basic information about the one or more devices in the wireless router's Wi-Fi local area network is obtained roughly as follows: the MAC address of each access device is obtained through the wireless network card, and the IP address of each device is obtained by combining the leases file of the Dynamic Host Configuration Protocol (DHCP) service process with arping. Each access device corresponds to one node in the access device linked list. To keep the access device list information up to date, a timer is started that updates the access device nodes in the list;
Finally, to ensure that the domain name resolution list information in the access device list is cleared at the end of the listening period, a timer for the listening period is started; when the period ends, the domain name resolution linked list information of all access device nodes is cleared.
Yet another optional example: the domain name resolution response packet detection module of the router device
This module roughly performs the following functions:
1. Listen for domain name resolution response messages;
2. Notify the device connection management module to update the domain name resolution list information of the corresponding user;
3. Trigger the unauthorized-access detection module to judge whether the user making the domain name request is illegitimate.
The steps corresponding to these three functions may include: first, listening for domain name resolution response messages, which can be done roughly either by modifying the domain name resolution response function of the domain name resolution proxy process, or by capturing domain name resolution response messages from the kernel via a HOOK function;
Second, through the domain name response function or packet capture, the information about the device making the domain name resolution request and the requested domain name can be obtained effectively; after confirming that the encrypted domain name response message has been sent successfully, an update of the domain name resolution list is triggered either by a message notification or by directly calling the access device list update function;
Finally, the unauthorized-access detection function can likewise be triggered by message notification or function call.
A further optional example: the unauthorized-access detection module of the router device
This module roughly performs the following functions:
1. Determine whether a device in the device access list is illegitimate;
2. Establish and dynamically maintain a list of illegitimate users;
3. Notify the unauthorized-access warning module to raise an alert.
The steps corresponding to these three functions may include:
First, determining whether a device in the device access list is illegitimate: roughly, for the domain name nodes of the most recently updated access device node, the number of times the device has accessed each domain name is extracted and compared with a specific threshold condition; if it exceeds the threshold, the access device is judged illegitimate, otherwise it is legitimate. The most recently updated device node may be passed in as a parameter;
Second, establishing and dynamically maintaining the list of illegitimate users: when an illegitimate access device is detected in the previous step, the basic information of the illegitimate access device node is added to the illegitimate user linked list, which may be organized roughly like the access device linked list;
Third, notifying the unauthorized-access warning module to raise an alert can be done by setting a device node of the wireless router. For example, when the illegitimate user list is non-empty, then either when an illegitimate user is detected or on the hour, the value of the specific device node is set to 1, at which point the indicator light flashes; a timer (30 s) may also be set, and when it expires the indicator light is turned off.
Yet another optional example: the unauthorized-access warning module of the router device. The related processing may include:
First, an indicator light is added to the router's main board and wired on the circuit board so that the indicator is connected to an available pin (GPIO) of the microprocessor and, through electronic components such as a diode, forms a loop with GND (ground);
Second, a timer routine is set up in the low-level baseband code to periodically drive high the level of the microprocessor pin connected to the indicator, so that the switch in the circuit loop is periodically opened, thereby controlling the blinking of the indicator;
Third, an interface for the upper layer and the low-level baseband to call is encapsulated in the baseband program, so that either layer can control the indicator effectively after detecting a relevant event, such as a change in the device node value.
Finally, the user can log in to the device management page to view and handle the information about abnormal access devices.
FIG. 5 is a schematic flowchart of the overall unauthorized-access detection mechanism according to an optional embodiment of the present disclosure. As shown in FIG. 5, the flow includes the following steps:
Step 1: the user first presets the same key on the router and on the legitimate access devices on which the domain name resolution client is installed;
Step 2: when one of the downstream access devices initiates a domain name resolution request and the resolution succeeds, the router receives the domain name resolution response data message;
Step 3: after receiving the domain name resolution response message, the router extracts data from the message, such as the destination IP address, the requested domain name, and the domain name resolution result;
Step 4: the domain name resolution result data is first encrypted with the key preset by the user; once encryption is complete, the encrypted data is sent to the host that made the domain name request;
Step 5: if the downstream access device is a legitimate access device, it can decrypt with the key preset by the user to obtain the correct domain name resolution result and initiate a normal data request; if it is an illegitimate user, it will not obtain the correct domain name resolution result, or it will send requests to a wrong address, and in general it cannot achieve the goal of using the network without authorization;
Step 6: after the response message has been successfully sent to the host that made the domain name request, the access device information list is updated with the information previously obtained from the domain name resolution message; otherwise no update is performed;
Step 7: after the access device node information has been updated, the updated node information is passed to the unauthorized-access detection module, which judges from the statistics of the domain names requested by that access device whether the user is an unauthorized user who has connected illegitimately;
Step 8: if the unauthorized-access detection module detects an illegitimate user access device, it periodically triggers the unauthorized-access warning module, which periodically reminds the user by flashing the indicator light that an unauthorized user is connected and prompts the user to deal with that user;
Step 9: once the whole processing mechanism is complete, the flow returns to step 2 and the detection loop is repeated.
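The router-side bookkeeping behind the device connection management module, the unauthorized-access detection module and steps 6 to 8 of the flow above, as an added illustration that is not the patent's own code. It keeps the device and domain nodes in dicts rather than the linked lists the text describes, and the threshold and listening period (ACCESS_THRESHOLD, PERIOD_SECONDS) are assumed values, since the text fixes neither.

```python
"""Device connection management and unauthorized-access detection on the router,
covering the connection management module, the detection module and steps 6 to 8
of the flow above. Added illustration, not the patent's own code.

The text describes linked lists of device nodes and domain nodes; here the same
data is kept in dicts keyed by MAC address. ACCESS_THRESHOLD and PERIOD_SECONDS
are assumed values: the text fixes neither the threshold nor the listening period.
"""
from __future__ import annotations

from dataclasses import dataclass, field

ACCESS_THRESHOLD = 20    # assumed: per-domain request count above which a device is judged illegitimate
PERIOD_SECONDS = 600.0   # assumed listening period after which all per-domain counts are cleared


@dataclass
class DeviceNode:
    """One access device: MAC, IP and the per-domain request counts for the current period."""
    mac: str
    ip: str
    domain_counts: dict[str, int] = field(default_factory=dict)


class ConnectionManager:
    def __init__(self, threshold: int = ACCESS_THRESHOLD, period: float = PERIOD_SECONDS) -> None:
        self.devices: dict[str, DeviceNode] = {}        # access device list
        self.illegitimate: dict[str, DeviceNode] = {}   # illegitimate user list, kept across periods
        self.threshold = threshold
        self.period = period
        self.period_start: float | None = None

    def register_device(self, mac: str, ip: str) -> DeviceNode:
        """Function 1 of the management module: one node per device seen on the LAN
        (MAC from the wireless interface, IP from DHCP leases / arping in the text)."""
        node = self.devices.get(mac)
        if node is None:
            node = self.devices[mac] = DeviceNode(mac, ip)
        else:
            node.ip = ip
        return node

    def on_response_sent(self, mac: str, domain: str, now: float) -> bool | None:
        """Flow step 6: call only after the encrypted DNS response was sent successfully.

        Returns None for an unknown device, otherwise the detection verdict (step 7)."""
        self._clear_if_period_elapsed(now)
        node = self.devices.get(mac)
        if node is None:
            return None
        node.domain_counts[domain] = node.domain_counts.get(domain, 0) + 1
        return self.detect(node)

    def detect(self, node: DeviceNode) -> bool:
        """Detection module: a device is illegitimate if any single domain was
        requested more than `threshold` times within the period."""
        over = any(count > self.threshold for count in node.domain_counts.values())
        if over:
            self.illegitimate[node.mac] = node
        return over

    def should_warn(self) -> bool:
        """Flow step 8: the warning module flashes the indicator while the list is non-empty."""
        return bool(self.illegitimate)

    def _clear_if_period_elapsed(self, now: float) -> None:
        """Function 3 of the management module: clear every device's counts once the period ends."""
        if self.period_start is None:
            self.period_start = now
            return
        if now - self.period_start >= self.period:
            for node in self.devices.values():
                node.domain_counts.clear()
            self.period_start = now


def replay_constructed_events(cm: ConnectionManager) -> list[str]:
    """Replay a constructed sequence of sent DNS responses and return the MACs flagged."""
    cm.register_device("aa:bb:cc:dd:ee:01", "192.168.1.20")   # constructed sample devices
    cm.register_device("aa:bb:cc:dd:ee:02", "192.168.1.21")
    events = [("aa:bb:cc:dd:ee:01", "example.com", 10.0 + i) for i in range(cm.threshold + 1)]
    events.append(("aa:bb:cc:dd:ee:02", "example.org", 12.0))
    for mac, domain, ts in events:
        cm.on_response_sent(mac, domain, ts)
    return sorted(cm.illegitimate)


if __name__ == "__main__":
    manager = ConnectionManager(threshold=3, period=100.0)
    print("flagged:", replay_constructed_events(manager), "warn:", manager.should_warn())
```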
The technical solution in the optional embodiments of the present disclosure has many advantages in ensuring network security through domain name encryption. It also provides a convenient, fast, simple and flexible way to set the domain name encryption key and deploy downstream access devices, and encrypting only the domain name response result reduces to some extent the consumption of the wireless router's limited resources. In addition, with this method the user can clearly know the status of the wireless router at any time, that is, whether it is being accessed by an illegitimate user, and by observing over a long period can learn whether their home router is regularly or occasionally subject to access attempts by illegitimate users.
From the description of the above embodiments, those skilled in the art can clearly understand that the method according to the above embodiments may be implemented by software plus an optional general-purpose hardware platform, or of course by hardware. Based on this understanding, the technical solution of the present disclosure, in essence or in the part contributing to the art, may be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disk), including a number of instructions for causing a terminal device (which may be a mobile phone, a computer, a server, a network device, or the like) to perform the methods described in the various embodiments of the present disclosure.
An embodiment of the present disclosure further provides a router device, including:
a first communication apparatus, configured to receive an unencrypted domain name resolution request message sent by a terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to a domain name the terminal intends to access, and further configured to send the encrypted domain name resolution response message to the terminal;
a first processor, configured to generate the domain name resolution response message carrying the domain name resolution result to be delivered to the terminal, and to encrypt the domain name resolution response message.
Optionally, the first processor is further configured to encrypt part of the data in the domain name resolution response message. That part of the data is, for example, the domain name resolution result, data related to the domain name resolution result, an IP address, data related to the IP address, and so on.
Optionally, the manner in which the first processor obtains the data part of the domain name resolution response message includes any one of the following:
the first processor is configured to, when it detects that the domain name resolution result is present in the local cache of the router device, carry the domain name resolution result in the domain name resolution response message;
the first processor is configured to, when it detects that the domain name resolution result is not present in the local cache of the router device, request the domain name resolution result from a server device and carry it in the domain name resolution response message.
Optionally, the first processor is further configured to update a locally stored dynamic information table after the encrypted domain name resolution response message has been sent to the terminal, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time.
Optionally, the first processor is further configured to determine that the terminal is an illegitimate connection when it detects that the terminal's number of accesses exceeds a preset value.
Optionally, the key with which the first processor encrypts the partial data is manually preset on the router device and the terminal.
An embodiment of the present disclosure further provides a terminal, including:
a second communication apparatus, configured to send an unencrypted domain name resolution request message to a router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to a domain name the terminal intends to access, and to receive an encrypted domain name resolution response message carrying the domain name resolution result;
a second processor, configured to parse the domain name resolution response message according to a preset key and to access the server corresponding to the IP address in the domain name resolution result. It may be added that, after obtaining the domain name resolution result, the second processor passes it up to the upper-layer application on the terminal that initiated the domain name request, for example a browser, and that application then accesses the domain name.
Optionally, the second processor is further configured to parse, according to the preset key, the domain name resolution response message of which part of the data is encrypted. That part of the data is, for example, the domain name resolution result, data related to the domain name resolution result, an IP address, data related to the IP address, and so on.
Optionally, the second processor is further configured to decrypt, through the DNS client plug-in of the terminal, the partial data in the domain name resolution response message according to the preset key.
Optionally, the key with which the second processor parses the domain name resolution response message is manually preset on the terminal and the router device.
An embodiment of the present disclosure further provides a system for controlling web browsing on a terminal, including:
the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to a domain name the terminal intends to access;
the router device generates a domain name resolution response message carrying the domain name resolution result to be delivered to the terminal, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
Optionally, the router device encrypting the domain name resolution response message includes:
the router device encrypts part of the data in the domain name resolution response message. That part of the data is, for example, the domain name resolution result, data related to the domain name resolution result, an IP address, data related to the IP address, and so on.
Optionally, after the encrypted domain name resolution response message has been sent to the terminal, the system further includes:
the router device updates a locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time;
and when the router device detects that the terminal's number of accesses exceeds a preset value, the router device determines that the terminal is an illegitimate connection.
An embodiment of the present disclosure further provides a storage medium. Optionally, in this embodiment, the storage medium may be configured to store program code for performing the following steps:
S1: the router device receives an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to a domain name the terminal intends to access;
S2: the router device generates a domain name resolution response message carrying the domain name resolution result to be delivered to the terminal;
S3: the domain name resolution response message is encrypted, and the encrypted domain name resolution response message is sent to the terminal.
Optionally, the storage medium is further configured to store program code for performing the following steps:
S4: the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to a domain name the terminal intends to access;
S5: the terminal receives the encrypted domain name resolution response message carrying the domain name resolution result;
S6: the terminal parses the domain name resolution response message according to the preset key and accesses the server corresponding to the IP address in the domain name resolution result.
Optionally, in this embodiment, the storage medium may include, but is not limited to, a USB flash drive, a read-only memory (ROM), a random access memory (RAM), a removable hard disk, a magnetic disk, an optical disk, or any other medium capable of storing program code.
Optionally, in this embodiment, the processor performs the method steps of the above embodiments according to the program code stored in the storage medium.
Optionally, for specific examples in this embodiment, reference may be made to the examples described in the above embodiments and optional implementations, which are not repeated here.
An embodiment of the present disclosure further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the above method for controlling web browsing on a terminal.
An embodiment of the present disclosure further provides a computer-readable storage medium storing computer-executable instructions which, when executed, implement the above method for web browsing on a terminal.
Those skilled in the art will understand that the above modules or steps of the present disclosure may be implemented by a general-purpose computing device; they may be concentrated on a single computing device or distributed over a network of multiple computing devices. Optionally, they may be implemented in program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device; in some cases, the steps shown or described may be performed in an order different from that given here, or they may be made into separate integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus, the present disclosure is not limited to any specific combination of hardware and software.
Those of ordinary skill in the art will understand that all or some of the steps of the methods disclosed above, and the functional modules/units of the systems and apparatuses, may be implemented as software, firmware, hardware, or a suitable combination thereof. In a hardware implementation, the division between the functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have several functions, or one function or step may be performed by several physical components in cooperation. Some or all of the components may be implemented as software executed by a processor, such as a digital signal processor or a microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). As is well known to those of ordinary skill in the art, the term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information and can be accessed by a computer. Furthermore, it is well known to those of ordinary skill in the art that communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Those of ordinary skill in the art will understand that the technical solutions of the present disclosure may be modified or replaced by equivalents without departing from the spirit and scope of the technical solutions of the present disclosure, and such modifications and replacements shall all fall within the scope of the claims of the present disclosure.
With the embodiments of the present disclosure, the terminal sends an unencrypted message requesting domain name resolution to the router device, the router device returns to the terminal an encrypted response message carrying the domain name resolution result, and the terminal, after parsing the response message, accesses the server corresponding to the domain name resolution result. This simplifies the encryption and decryption flow for the terminal's web access, saves router device resources, and greatly shortens the flow by which the terminal accesses the Internet.
Claims (24)
- A method for controlling web browsing on a terminal, including: a router device receives an unencrypted domain name resolution request message sent by a terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to a domain name the terminal intends to access; the router device generates a domain name resolution response message carrying the domain name resolution result to be delivered to the terminal; the domain name resolution response message is encrypted, and the encrypted domain name resolution response message is sent to the terminal.
- The method according to claim 1, wherein encrypting the domain name resolution response message includes: the router device encrypts part of the data in the domain name resolution response message.
- The method according to claim 1, wherein the manner in which the router device obtains the domain name resolution result includes any one of the following: when the router device detects that the domain name resolution result is present in the local cache of the router device, the router device carries the domain name resolution result in the domain name resolution response message; when the router device detects that the domain name resolution result is not present in the local cache of the router device, the router device requests the domain name resolution result from a server device and carries the domain name resolution result in the domain name resolution response message.
- The method according to claim 1, wherein after the encrypted domain name resolution response message is sent to the terminal, the method further includes: the router device updates a locally stored dynamic information table, where the dynamic information table stores the number of times the terminal has accessed the domain name corresponding to the domain name resolution result within a preset time.
- The method according to claim 4, further including: when the router device detects that the terminal's number of accesses exceeds a preset value, the router device determines that the terminal is an illegitimate connection.
- The method according to claim 5, further including: after the router device determines that the terminal is an illegitimate connection, the router device issues an alarm signal and records the terminal identifier of the terminal.
- The method according to any one of claims 1 to 6, wherein the key with which the router device encrypts the partial data is manually preset on the router device and the terminal.
- A method for web browsing on a terminal, including: a terminal sends an unencrypted domain name resolution request message to a router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to a domain name the terminal intends to access; the terminal receives an encrypted domain name resolution response message carrying the domain name resolution result; the terminal parses the domain name resolution response message according to a preset key and accesses the server corresponding to the Internet Protocol (IP) address in the domain name resolution result.
- The method according to claim 8, wherein the terminal receiving the encrypted domain name resolution response message carrying the domain name resolution result includes: part of the data in the domain name resolution response message is encrypted.
- The method according to claim 9, wherein the terminal parsing the domain name resolution response message according to the preset key includes: the Domain Name System (DNS) client plug-in of the terminal decrypts the domain name resolution response message according to the preset key.
- 根据权利要求8至10中任一项所述的方法,其中,所述终端解析所述域名解析响应报文的密钥为人工预先在所述终端和所述路由器设备上设置的。The method according to any one of claims 8 to 10, wherein the key for the terminal to parse the domain name resolution response message is manually set in advance on the terminal and the router device.
- 一种路由器设备,包括:A router device comprising:第一通信装置,设置为:接收终端发送的未加密的域名解析请求报文,其中,所述域名解析请求报文用于请求与所述终端的待访问域名对应的域名解析结果;还设置为:将加密后的域名解析响应报文发送到所述终端;The first communication device is configured to: receive an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal; Transmitting the encrypted domain name resolution response message to the terminal;第一处理器,设置为:生成待下发到所述终端的携带有所述域名解析结果的所述域名解析响应报文,并对所述域名解析响应报文进行加密。The first processor is configured to: generate the domain name resolution response message to be sent to the terminal and carry the domain name resolution result, and encrypt the domain name resolution response message.
- 根据权利要求12所述的路由器设备,所述第一处理器还设置为: 对所述域名解析响应报文中的部分数据进行加密。The router device according to claim 12, wherein the first processor is further configured to: And encrypting part of the data in the domain name resolution response message.
- 根据权利要求12所述的路由器设备,其中,所述第一处理器生成所述域名解析响应报文的方式包括以下任意之一:The router device according to claim 12, wherein the manner in which the first processor generates the domain name resolution response message comprises any one of the following:所述第一处理器是设置为:检测到所述路由器设备本地缓存中有所述域名解析结果时,在所述域名解析响应报文中携带所述域名解析结果;The first processor is configured to: when detecting the domain name resolution result in the local cache of the router device, carrying the domain name resolution result in the domain name resolution response packet;所述第一处理器是设置为:检测到所述路由器设备本地缓存中没有所述域名解析结果时,向服务器设备请求所述域名解析结果,并在所述域名解析响应报文中携带所述域名解析结果。The first processor is configured to: when it is detected that the domain name resolution result is not in the local cache of the router device, request the domain name resolution result from the server device, and carry the domain name resolution response message in the domain name resolution response message Domain name resolution results.
- 根据权利要求12所述的路由器设备,所述第一处理器还设置为:在将加密后的所述域名解析响应报文发送到所述终端之后,The router device according to claim 12, wherein the first processor is further configured to: after transmitting the encrypted domain name resolution response message to the terminal,更新本地存储的动态信息表,其中,所述动态信息表中存储有所述终端在预设时间内访问与所述域名解析结果对应域名的访问次数。The dynamic information table of the local storage is updated, wherein the dynamic information table stores the number of accesses by the terminal to access the domain name corresponding to the domain name resolution result within a preset time.
- 根据权利要求15所述的路由器设备,所述第一处理器还设置为:在检测到所述终端的所述访问次数超过预设值的情况下,确定所述终端为非法连接。The router device according to claim 15, wherein the first processor is further configured to: if it is detected that the number of accesses of the terminal exceeds a preset value, determine that the terminal is an illegal connection.
- 根据权利要求12至16任一项所述的路由器设备,其中,所述第一处理器加密所述部分数据的密钥为人工预先在所述路由器设备和所述终端上设置的。The router device according to any one of claims 12 to 16, wherein the key for encrypting the partial data by the first processor is manually set in advance on the router device and the terminal.
- 一种终端,包括:A terminal comprising:第二通信装置,设置为:向路由器设备发送未加密的域名解析请求报文,其中,所述域名解析请求报文用于请求与所述终端的待访问域名对应的域名解析结果;并接收被加密的携带有所述域名解析结果的域名解析响应报文;The second communication device is configured to: send an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the to-be-accessed domain name of the terminal; The encrypted domain name resolution response message carrying the domain name resolution result;第二处理器,设置为:依据预设密钥解析所述域名解析响应报文,并访问所述域名解析结果中的网际协议IP地址对应的服务器。The second processor is configured to: parse the domain name resolution response message according to the preset key, and access a server corresponding to the internet protocol IP address in the domain name resolution result.
- 根据权利要求18所述的终端,所述第二处理器还设置为:依据预设密钥解析部分数据被加密的所述域名解析响应报文。The terminal according to claim 18, wherein the second processor is further configured to: parse the domain name resolution response message that is encrypted by the partial data according to the preset key.
- 根据权利要求19所述的终端,所述第二处理器还设置为:通过所述终端的域名系统DNS客户端插件依据预设密钥解析部分数据被加密的所 述域名解析响应报文。The terminal according to claim 19, wherein the second processor is further configured to: through the domain name system DNS client plug-in of the terminal, parse the part data to be encrypted according to the preset key The domain name resolution response message.
- 根据权利要求18至20中任一项所述的终端,其中,所述第二处理器解析所述域名解析响应报文的密钥为人工预先在所述终端和所述路由器设备上设置的。The terminal according to any one of claims 18 to 20, wherein the key that the second processor parses the domain name resolution response message is manually set in advance on the terminal and the router device.
- 一种控制终端上网的系统,包括:A system for controlling a terminal to access the Internet, comprising:终端向路由器设备发送未加密的域名解析请求报文,其中,所述域名解析请求报文用于请求与所述终端的待访问域名对应的域名解析结果;The terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;路由器设备生成待下发到所述终端的携带有所述域名解析结果的域名解析响应报文,并对所述域名解析响应报文进行加密,将加密后的所述域名解析响应报文发送到所述终端。The router device generates a domain name resolution response message to be sent to the terminal and carries the domain name resolution result, and encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the The terminal.
- 根据权利要求22所述的系统,其中,所述路由器设备对所述域名解析响应报文进行加密包括:The system of claim 22, wherein the encrypting the domain name resolution response message by the router device comprises:所述路由器设备对所述域名解析响应报文中的部分数据进行加密。The router device encrypts part of the data in the domain name resolution response message.
- 根据权利要求22所述的系统,将加密后的所述域名解析响应报文发送到所述终端之后,所述系统还包括:The system of claim 22, after the encrypted domain name resolution response message is sent to the terminal, the system further includes:所述路由器设备更新本地存储的动态信息表,其中,所述动态信息表中存储有所述终端在预设时间内访问与所述域名解析结果对应域名的访问次数;The router device updates the locally stored dynamic information table, where the dynamic information table stores the number of access times that the terminal accesses the domain name corresponding to the domain name resolution result within a preset time;并在所述路由器设备检测到所述终端的所述访问次数超过预设值的情况下,所述路由器设备确定所述终端为非法连接。 And in the case that the router device detects that the number of accesses of the terminal exceeds a preset value, the router device determines that the terminal is an illegal connection.
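The router side (claims 1 to 7) and terminal side (claims 8 to 11) of the scheme above, simulated in one added example that is not the patent's own code: the router answers a plaintext request, encrypts only the address bytes of the response with a key preset on both ends, and keeps the per-terminal access table with its preset limit, while the terminal plug-in decrypts with the same key. The claims name no cipher and no integrity check, so the HMAC-SHA256 keystream and the tag are assumptions; the tag is included because an encrypted field with no authentication could be altered in transit without the terminal noticing, and the cache entries, key and limits are constructed values.

```python
"""Constructed simulation of the claimed scheme (added example, not the patent's code).
Cipher (HMAC-SHA256 keystream) and integrity tag are assumptions; the claims name neither.
"""
import hashlib, hmac, ipaddress, os, time
from collections import defaultdict

PRESHARED_KEY = b"operator-preset-key"   # claims 7/11: set manually on router and terminal
ACCESS_LIMIT = 5                         # claim 5: "preset value" (constructed)
WINDOW_SECONDS = 60.0                    # claim 4: "preset time" (constructed)
LOCAL_CACHE = {"example.com": "93.184.216.34"}   # constructed router cache (claim 3)
UPSTREAM = {"example.net": "203.0.113.10"}       # stand-in for the upstream server device

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt_field(key, plaintext):
    """Claim 2: encrypt only part of the response (here the answer's address bytes)."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]   # assumed: detects tampering
    return nonce, ct, tag

def decrypt_field(key, nonce, ct, tag):
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("tag mismatch: wrong preset key or modified response")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class Router:
    def __init__(self, key=PRESHARED_KEY, now=time.monotonic):
        self.key, self.now = key, now
        self.table = defaultdict(list)   # claim 4: (terminal, domain) -> access timestamps
        self.alarms = []                 # claim 6: terminal identifiers that were flagged
    def resolve(self, name):
        if name not in LOCAL_CACHE:                  # claim 3: cache miss -> ask the server device
            LOCAL_CACHE[name] = UPSTREAM[name]
        return LOCAL_CACHE[name]
    def handle_query(self, terminal_id, name):
        """Unencrypted request in, partially encrypted response out; the name stays in clear."""
        nonce, ct, tag = encrypt_field(self.key, ipaddress.ip_address(self.resolve(name)).packed)
        self._record_access(terminal_id, name)
        return {"name": name, "nonce": nonce, "rdata": ct, "tag": tag}
    def _record_access(self, terminal_id, name):
        t = self.now()
        hits = [x for x in self.table[terminal_id, name] if t - x <= WINDOW_SECONDS] + [t]
        self.table[terminal_id, name] = hits
        if len(hits) > ACCESS_LIMIT and terminal_id not in self.alarms:
            self.alarms.append(terminal_id)          # claim 6: raise alarm, record identifier
    def is_illegal(self, terminal_id):               # claim 5
        return terminal_id in self.alarms

def terminal_decrypt(response, key=PRESHARED_KEY):
    """Claim 10: the terminal's DNS client plug-in recovers the IP with the preset key."""
    packed = decrypt_field(key, response["nonce"], response["rdata"], response["tag"])
    return str(ipaddress.ip_address(packed))
```

Note that, exactly as the claims specify, the request and the queried name in the response still travel in the clear; only the resolved address is hidden from an on-path observer.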
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710066140.2A CN108400953A (en) | 2017-02-06 | 2017-02-06 | Control terminal is surfed the Internet and the method for terminal online, router device and terminal |
CN201710066140.2 | 2017-02-06 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2018141172A1 true WO2018141172A1 (en) | 2018-08-09 |
Family
ID=63039349
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2017/113957 WO2018141172A1 (en) | 2017-02-06 | 2017-11-30 | Method for controlling web browsing on terminal and for web browsing on terminal, router device, and terminal |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN108400953A (en) |
WO (1) | WO2018141172A1 (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113726917A (en) * | 2020-05-26 | 2021-11-30 | 网神信息技术(北京)股份有限公司 | Domain name determination method and device and electronic equipment |
CN116319675A (en) * | 2023-05-15 | 2023-06-23 | 阿里云计算有限公司 | Domain name resolution method, system, electronic equipment and storage medium |
CN117278211A (en) * | 2023-09-27 | 2023-12-22 | 北京火山引擎科技有限公司 | Domain name encryption method, decryption method and device based on content distribution network |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114205236A (en) * | 2020-09-18 | 2022-03-18 | 中兴通讯股份有限公司 | Network configuration method, terminal, system and storage medium |
CN112491838B (en) * | 2020-11-17 | 2022-05-10 | 北京航空航天大学杭州创新研究院 | Method and system for safely sending message through industrial internet |
CN112671779B (en) * | 2020-12-25 | 2022-10-18 | 赛尔网络有限公司 | DoH server-based domain name query method, device, equipment and medium |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1494795A (en) * | 2001-02-28 | 2004-05-05 | ի���� | Method for providing internet addresses that contain special characters |
CN101088245A (en) * | 2004-12-07 | 2007-12-12 | 思科技术公司 | Performing security functions on a message payload in a network element |
CN102075589A (en) * | 2009-11-19 | 2011-05-25 | 国际商业机器公司 | Method and system of user-based DNS server access control |
US20130103784A1 (en) * | 2011-02-02 | 2013-04-25 | 3Crowd Technologies, Inc. | Routing client requests |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7418504B2 (en) * | 1998-10-30 | 2008-08-26 | Virnetx, Inc. | Agile network protocol for secure communications using secure domain names |
US7188180B2 (en) * | 1998-10-30 | 2007-03-06 | Virnetx, Inc. | Method for establishing secure communication link between computers of virtual private network |
CN104052829A (en) * | 2013-03-14 | 2014-09-17 | 弗里塞恩公司 | Adaptive name resolution |
CN104144123B (en) * | 2013-05-10 | 2017-06-16 | 中国电信股份有限公司 | Access method, system and the route type gateway apparatus of internet |
CN103634307A (en) * | 2013-11-19 | 2014-03-12 | 北京奇虎科技有限公司 | Method for certificating webpage content and browser |
CN105141612A (en) * | 2015-09-01 | 2015-12-09 | 中国互联网络信息中心 | DNS (Domain Name System) data packet privacy protection method |
CN105282047B (en) * | 2015-09-25 | 2020-04-14 | 小米科技有限责任公司 | Access request processing method and device |
2017
- 2017-02-06 CN CN201710066140.2A patent/CN108400953A/en active Pending
- 2017-11-30 WO PCT/CN2017/113957 patent/WO2018141172A1/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
CN108400953A (en) | 2018-08-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17895369; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 17895369; Country of ref document: EP; Kind code of ref document: A1 |