
CN-118158195-B - Catcher for network domain name and address relation information

Abstract

The invention discloses a catcher of network domain name and address relation information, comprising a filtering module, a processing module, a storage module and an output module. The filtering module receives all uplink and downlink data packets of a mirror interface through an interface L, filters out the DNS data packets and delivers them to the processing module; the processing module processes the filtered DNS data packets to generate an R table; the storage module stores the R table and generates an S table from it, the S table being the table that records domain name to network IP address relation information; and the output module receives domain name query requests from external subscribers through an interface U and returns query results to them according to the S table. The invention establishes near real-time domain name to network IP address relation information with low investment, low risk and low delay.

Inventors

  • WANG HONGYI
  • CHEN GANG
  • ZHAO HONGWEI

Assignees

  • 上海量讯物联技术有限公司

Dates

Publication Date
20260508
Application Date
20240412

Claims (9)

  1. A catcher for network domain name and address relation information, characterized by comprising a filtering module, a processing module, a storage module and an output module; the filtering module is provided with an interface L, and the output module is provided with an interface U; the interface L is interconnected with a mirror interface on gateway equipment; the filtering module is used for receiving all the uplink and downlink data packets of the mirror interface through the interface L, filtering out the DNS data packets and delivering them to the processing module; the processing module is used for processing the filtered DNS data packets to generate an R table, called the DNS RELATIVE list, by the following steps: extracting abstract information from each DNS data packet, the abstract information comprising the information in the Flags, Queries and Answers fields of the DNS data packet, marking a timestamp and recording it in the R table; the storage module is used for storing the R table and generating an S table based on the R table, the S table being a table for recording the relation information between domain names and network IP addresses; the output module is used for receiving a domain name query request of an external subscriber through the interface U and returning a query result to the external subscriber according to the S table; and the filtering module receives filtering rules from the processing module and filters out the DNS data packets according to those rules.
  2. The catcher of network domain name and address relation information according to claim 1, wherein the storage module is further configured to generate an Rb table based on the R table, by the steps of: selecting each row of the R table whose QR value is 1, taking out the name and address relations in the Answers field of that record, marking the current timestamp and entering them into the Rb table; if the domain name query request received by the output module is a quick query and the current S table has no corresponding query result, the query result is returned according to the content of the Rb table matching the domain name to be queried; if the domain name query request received by the output module is a detailed query and the current S table has no corresponding query result, the query result is returned according to the content of the R table matching the domain name to be queried, where a detailed query means a query that returns both the domain name to network IP address relation and its detailed content.
  3. A catcher of network domain name and address relation information according to claim 1, characterized in that the S table is the carrier of the interaction information between the output module and the storage module; after receiving a domain name query request, if no corresponding query result exists in the current S table, the output module updates the domain name into the S table and sends the updated S table to the storage module; after receiving the S table sent by the output module, the storage module queries according to the domain name newly added to the S table, stores the corresponding query result in the S table, and returns the updated S table to the output module.
  4. The network domain name and address relation information catcher of claim 1, wherein the processing module is configured to process the filtered DNS data packets to generate a P table and an A table, by the following steps: according to the value of the QR field of the flag bits in the DNS data packet, the combination of network IP address, protocol type and port number of each data packet whose QR value is 0 is recorded in the P table, called the DNS POTENTIAL list, and the combination of network IP address, protocol type and port number of each data packet whose QR value is 1 is recorded in the A table, called the DNS ACTIVE list.
  5. The catcher for network domain name and address relation information according to claim 4, further comprising a test module provided with an interface M; the interface L is interconnected with the interface M on the test module, and the traffic of the interface M is mirrored onto the interface L; the test module is used for executing the following steps: first, the test module receives a test instruction from the processing module and determines a source network IP address according to the instruction; second, the test module obtains testable DNS servers, identified by network IP address, protocol type and port number, through the P table and the A table, and obtains the domain names to be checked through the S table, a domain name to be checked being one for which no corresponding result has been found based on the R table; third, the test module constructs a DNS request packet using the source network IP address, the DNS server information recorded in the A table and the domain name to be checked from the S table, and accesses that DNS server; fourth, the test module constructs a DNS request packet using the source network IP address, the DNS server information recorded in the P table and the domain name to be checked from the S table, and accesses that DNS server; fifth, if the DNS server returns no record about the domain name, the domain name provided by the subscriber is considered invalid, and the test module supplements the DNS response packet with the subscriber's source network IP address; when the output module receives the S table from the storage module it checks the S table, and if the network IP address corresponding to a domain name in the S table is the source network IP address of the catcher configured at interface M, that domain name is marked as an invalid domain name.
  6. A catcher for network domain name and address relation information according to claim 1, wherein the filtering module receives DNS data packets cyclically through a plurality of queues, the maximum number of packets each queue can receive being adjustable; the cyclic method is that an ordered sequence number is assigned to each queue in advance; when the first queue is full, the filtering module automatically continues receiving into the next queue; when the last queue starts receiving, the first queue is immediately emptied and its sequence number is set to the last sequence number, and the sequence numbers of the other queues are each advanced by one.
  7. A network domain name and address relation information catcher according to claim 6, wherein the processing module is configured with a periodic timer T0 that is started when the catcher is powered on; when the timer T0 expires, the processing module retrieves the data packets of the queue currently holding the first sequence number from the filtering module for processing.
  8. The network domain name and address relation information catcher of claim 1, wherein the output module is further configured to perform a validity check on the domain name query request of an external subscriber and determine whether it meets the following rules: rule 1, the number of domain name entries queried at once cannot exceed the upper limit preset by the output module; rule 2, the domain name is a character string, upper and lower case are distinguished, and the length is in the range 1-255; rule 3, the domain name must not contain the following characters: "@", "\", ":", "<", ">", "|", "/", "#", ",", "=", "'"; rule 4, the domain name is allowed to start with an "x" wildcard; rule 5, the domain name is allowed to have 2 to 4 levels; rule 6, the "" symbol cannot appear consecutively and cannot appear at the end.
  9. A network domain name and address relation information catcher according to claim 1, characterized in that the filtering module obtains a filtering ratio r from the processing module of the catcher; if the processing module does not issue the filtering ratio r, the filtering module defaults to receiving all packets at a ratio of 1:1; otherwise the filtering module samples the uplink data packets and the downlink data packets separately, taking one packet out of every r packets.
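The following is an added example, not code from the patent or its assignee, showing how the filtering and processing described in the abstract and in claims 1, 2, 4 and 9 can be realised on raw DNS messages: a minimal RFC 1035 message parser extracts the Flags (including QR), Queries and Answers fields, each sampled message becomes a timestamped R row, QR=1 rows feed the Rb table, the P and A tables collect the (address, protocol, port) triples of the DNS servers seen in queries and responses, and the uplink/downlink sampling ratio r of claim 9 is applied per direction. The packet header fields (source, destination, protocol, ports) are passed in by the caller; recording the server side's address in the P and A tables is an assumption, as the claim does not say which endpoint is meant. The sample query and response are constructed here and use the 192.0.2.0/24 documentation range.

```python
"""Added example (not the patent's own code): a minimal passive-DNS collector that
fills the R, Rb, P and A tables named in the claims from raw DNS messages.
IP/UDP header fields are passed in by the caller as constructed values; storing the
server side's (ip, proto, port) in the P/A tables is an assumption."""
import struct
import time
from collections import Counter


def _read_name(msg: bytes, off: int) -> tuple:
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name in the original byte stream)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = ((length & 0x3F) << 8) | msg[off + 1]
            jumped, hops = True, hops + 1
            if hops > 64:                    # defensive: pointer loops in malformed packets
                raise ValueError("DNS name compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns(msg: bytes) -> dict:
    """Extract the claim-1 abstract information: Flags (incl. QR), Queries, Answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off, queries, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        queries.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:        # A record -> dotted IPv4
            answers.append((name, "A", ".".join(str(b) for b in rdata)))
        elif rtype == 5:                     # CNAME -> decoded alias target
            answers.append((name, "CNAME", _read_name(msg, off - rdlen)[0]))
        else:
            answers.append((name, str(rtype), rdata.hex()))
    return {"id": txid, "qr": flags >> 15, "flags": flags,
            "queries": queries, "answers": answers}


class Catcher:
    """R: every sampled DNS message with timestamp; Rb: name -> relations from QR=1 rows;
    P/A: (ip, proto, port) of servers seen in queries (QR=0) / responses (QR=1)."""

    def __init__(self, ratio: int = 1):
        self.ratio = max(1, ratio)           # claim 9: keep one packet per r, per direction
        self._seen = Counter()
        self.R, self.Rb, self.P, self.A = [], {}, set(), set()

    def ingest(self, direction, src, dst, proto, sport, dport, payload, now=None):
        """direction is 'up' (host -> resolver) or 'down'. Returns the R row, or None if sampled out."""
        n = self._seen[direction]
        self._seen[direction] += 1
        if n % self.ratio:
            return None
        info = parse_dns(payload)
        row = {"ts": time.time() if now is None else now, **info}
        self.R.append(row)                   # DNS RELATIVE list
        if info["qr"] == 0:
            self.P.add((dst, proto, dport))  # DNS POTENTIAL list: server being asked
        else:
            self.A.add((src, proto, sport))  # DNS ACTIVE list: server that answered
            for name, rtype, data in info["answers"]:
                self.Rb.setdefault(name, {})[(rtype, data)] = row["ts"]
        return row

    def lookup(self, domain, detailed=False):
        """Quick query: addresses from Rb, following CNAME aliases. Detailed: matching R rows."""
        if detailed:
            return [r for r in self.R if any(q == domain for q, _ in r["queries"])]
        addrs, name, hops = set(), domain, 0
        while name in self.Rb and hops < 8:  # bounded alias chase
            alias = None
            for rtype, data in self.Rb[name]:
                if rtype == "A":
                    addrs.add(data)
                elif rtype == "CNAME":
                    alias = data
            if alias is None:
                break
            name, hops = alias, hops + 1
        return sorted(addrs)


def _enc_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


# Constructed sample traffic: a query for example.com and a response carrying a CNAME
# to edge.example.com plus an A record for it (192.0.2.1, documentation range).
SAMPLE_QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + _enc_name("example.com") + struct.pack("!HH", 1, 1)
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
                   + _enc_name("example.com") + struct.pack("!HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 60, 7) + b"\x04edge\xc0\x0c"
                   + b"\xc0\x29" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Feeding `SAMPLE_QUERY` as an uplink packet and `SAMPLE_RESPONSE` as a downlink packet into `Catcher().ingest(...)` leaves `lookup("example.com")` returning `["192.0.2.1"]` (the quick-query path through Rb, alias chain followed), `lookup("example.com", detailed=True)` returning both R rows, and the resolver's triple in both P and A. The bounded pointer-hop and alias-chase loops are there because a collector on a mirror port sees every packet, including malformed ones, and must not hang on them.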
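As a second added example (not the patent's own code), the validity check of claim 8 applied to a subscriber's query request before it reaches the S table. The preset entry limit, the wildcard symbol (the claim writes it as "x") and the separator symbol of rule 6 (unreadable in this copy of the claim) are assumptions and are kept in named constants so they can be changed; rule 2's case handling is not applied here, since the claim's wording on it is ambiguous.

```python
"""Added example (not the patent's own code): the claim-8 validity check on a
subscriber's domain name query request. MAX_ENTRIES, WILDCARD and SEPARATOR are
assumed values, since the claim presets the limit and does not show the symbols."""

FORBIDDEN = set('@\\:<>|/#,=\'')     # rule 3 characters as listed in the claim
MAX_ENTRIES = 20                       # rule 1 upper limit (assumed preset value)
WILDCARD = "*"                         # rule 4 leading wildcard (assumed symbol)
SEPARATOR = "."                        # rule 6 symbol (assumed to be the label dot)


def check_domain(domain):
    """Apply rules 2-6 to one entry. Returns (ok, failing_rule_or_'ok')."""
    if not isinstance(domain, str) or not 1 <= len(domain) <= 255:
        return False, "rule2"          # must be a string of length 1-255
    if FORBIDDEN & set(domain):
        return False, "rule3"          # forbidden characters present
    if WILDCARD in domain and (not domain.startswith(WILDCARD) or domain.count(WILDCARD) > 1):
        return False, "rule4"          # a single wildcard, only at the start
    if domain.endswith(SEPARATOR) or SEPARATOR * 2 in domain:
        return False, "rule6"          # no trailing or consecutive separators
    if not 2 <= len(domain.split(SEPARATOR)) <= 4:
        return False, "rule5"          # 2 to 4 levels
    return True, "ok"


def validate_request(domains, max_entries=MAX_ENTRIES):
    """Rule 1 on the request as a whole, then rules 2-6 per entry; returns a verdict dict.
    A request is rejected as a whole if any entry fails, so the caller never partially answers."""
    if len(domains) > max_entries:
        return {"ok": False, "rule": "rule1", "results": {}}
    results = {d: check_domain(d) for d in domains}
    return {"ok": all(ok for ok, _ in results.values()), "rule": None, "results": results}
```

Rule 6 is tested before rule 5 on purpose: a trailing or doubled separator would otherwise be miscounted as an extra level and reported under the wrong rule, which matters when the rejection reason is logged back to the subscriber.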

Description

Technical Field

The invention belongs to the field of computer communication and communication security, and particularly relates to a catcher for network domain name and address relation information.

Background

In a computer network based on the TCP/IP protocol, when a host accesses a target service provider (server) by domain name, the network IP address of the server is obtained through domain name resolution. The prior art gives a host the following methods for obtaining that network IP address. First, the host locally caches the network IP addresses of domain names it has already accessed; for non-first accesses the host obtains the network IP address directly from the local cache without any protocol exchange outside the host. Second, the host initiates a domain name resolution request to a locally preset domain name (or proxy) server (DNS), and the DNS server provides the network IP address of the target server. Third, the host initiates a non-DNS domain name query request to a preset third-party server; this does not involve the DNS protocol but follows another protocol such as HTTPS/SSL. Based on network security policy, information security and other traffic labelling or filtering requirements, an Internet Service Provider (ISP) or an enterprise network management department needs to identify, record and update the domain name to network IP address relationships in the traffic flowing through its own forwarding nodes.
Typical requirements are, for example: 1, public regulatory authorities require that access to specific domain names be blocked; 2, an organization's internal and external information security monitoring authorities identify domain name security threats and require restrictions on specific domain names; 3, users need to implement blacklist and whitelist control of host access. For ISPs, the prior art has the following schemes for this identification, recording and updating. First, an ISP typically provides hosts accessing its network with DNS servers that it manages, using other protocols to announce the DNS server addresses to the host during its initial access phase. For a host that issues DNS queries through the ISP network, since the specific network IP address of the target server it accesses is provided by the ISP's DNS, the ISP can obtain the domain name to network IP address relationships it accesses. Second, the gateway through which the host accesses the Internet is typically an ISP network element; the ISP can provide a DNS proxy service for the host on the gateway and force DNS resolution requests from the host to non-ISP servers to be processed by the proxy service on the ISP gateway, so that, as in the first scheme, the ISP can obtain the domain name to network IP address relationships. Third, since all upstream and downstream traffic of the host must pass through the ISP's forwarding network, the ISP can in theory configure related functions on the devices at specific network nodes, capture and process the original IP data packets, and obtain the domain name to IP address relationships at the network layer.
For an ISP, a technical scheme for identifying, recording and updating domain name to network IP address relationships in network traffic must address the following key difficulties. First, in the context of the ISP's large network traffic, the implementation may impose additional performance cost on key network elements and reduce the return on network investment. Second, compared with a small network, the ISP network is highly complex and inflexible, and expensive network element equipment is difficult to replace or modify for the special requirements of a scheme. Furthermore, the scheme must take into account the differing management specifications of the different network element management departments within the ISP (for example, the gateway and the DNS belonging to two departments); when several departments are involved, conflicts between their specifications can make the scheme difficult to deploy. Finally, the scheme must consider the real-time nature of the domain name to network IP address relationship, since excessive processing delay weakens its effect. Specifically, the prior art solutions have the following corresponding drawbacks. For the first scheme, the main drawback is that the host must use the DNS announced by the ISP; otherwise the ISP's DNS can only update the domain name to network IP address relationship from other DNS synchronization data, however