CN-121984712-A - Security defense method, system, computer equipment and medium for domain name resource record replay attack
Abstract
The invention discloses a security defense method, system, computer device and medium against domain name resource record replay attacks. In the method, a client initiates a DNS query request, which a recursive server forwards to the secondary-domain authoritative server. The authoritative server constructs message core data based on newly added data in the DNS additional information, digitally signs the message core data with the private key of the zone signing key to obtain a DNS message signature, builds a DNS response message from it, and returns the response to the client via the recursive server. The client performs digital signature verification on the DNS response message and, once verification passes, extracts the address record set from the message and accesses the target server. By constructing the DNS response message with data added to the DNS additional information and verifying the signature over it, the invention ensures the credibility of the message content and effectively resists domain name hijacking attacks.
Inventors
- PAN LANLAN
Assignees
- 深圳开鸿数字产业发展有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20251229
Claims (18)
- 1. A security defense method against domain name resource record replay attacks, the method comprising: a client initiates a DNS query request to a recursive server, and the recursive server forwards the DNS query request to a secondary-domain authority server corresponding to a target domain name; the secondary-domain authority server, in response to the DNS query request, constructs message core data based on newly added data in the DNS additional information, digitally signs the message core data with the private key of a zone signing key to obtain a DNS message signature, constructs a DNS response message based on the DNS message signature, and returns the DNS response message to the recursive server so that the recursive server forwards it to the client; and the client performs digital signature verification on the DNS response message with the public key of the zone signing key, extracts an address record set corresponding to the target domain name from the DNS response message after the verification passes, and accesses the target server based on the address record set.
- 2. The security defense method against domain name resource record replay attacks of claim 1, wherein the client initiating a DNS query request to a recursive server and the recursive server forwarding the DNS query request to a secondary-domain authority server corresponding to a target domain name comprises: the client initiates a DNS query request to the recursive server, the DNS query request requesting the IP address corresponding to the target domain name; and after receiving the DNS query request, the recursive server forwards it to the secondary-domain authority server corresponding to the target domain name.
- 3. The security defense method against domain name resource record replay attacks of claim 2, wherein the secondary-domain authority server constructing message core data based on the newly added data in the DNS additional information in response to the DNS query request comprises: after receiving the DNS query request, the secondary-domain authority server determines the position of the newly added data of the DNS additional information within the pseudo resource record; extracts a number of pieces of pseudo resource data from the pseudo resource record based on that position to obtain the preceding data; and constructs the message core data from the DNS message base format and the preceding data.
- 4. The security defense method against domain name resource record replay attacks of claim 3, wherein extracting a number of pieces of pseudo resource data from the pseudo resource record based on the position of the newly added data in the pseudo resource record to obtain the preceding data comprises: determining, based on the position of the newly added data in the pseudo resource record, all pseudo resource data that is arranged in the pseudo resource record before the newly added data of the DNS additional information, and extracting all of that pseudo resource data as the preceding data.
- 5. The method according to claim 4, wherein the DNS message base format comprises header data, question, answer and authority information, and the header data comprises the number of question records, the number of answer records and the number of authority information records.
- 6. The security defense method against domain name resource record replay attacks of claim 5, wherein the secondary-domain authority server constructing message core data in response to the DNS query request further comprises: the secondary-domain authority server configures a validity period for the message core data, and the validity period of the message core data is shorter than the validity period of the signature in the resource record signature.
- 7. The security defense method against domain name resource record replay attacks of claim 6, wherein constructing a DNS response message based on the DNS message signature comprises: the secondary-domain authority server fills the validity period of the message core data and the DNS message signature into the newly added data of the DNS additional information, thereby completing the security enhancement of the DNS additional information and supplementing the associated information to obtain the DNS response message.
- 8. The security defense method against domain name resource record replay attacks of claim 7, wherein the client performing digital signature verification on the DNS response message with the public key of the zone signing key comprises: the client obtains the public key of the zone signing key through a DNS Security Extensions chained query; extracts the validity period of the message core data and the DNS message signature from the DNS response message; compares the extracted validity period of the message core data with the current timestamp; when the DNS response message has not expired, extracts the corresponding data from the DNS response message and reconstructs the message core data according to the rule by which the secondary-domain authority server constructs message core data; and performs digital signature verification over the reconstructed message core data, the validity period of the message core data and the DNS message signature using the public key of the zone signing key.
- 9. The security defense method against domain name resource record replay attacks of claim 8, wherein comparing the extracted validity period of the message core data with the current timestamp comprises: if the validity period of the message core data is greater than or equal to the current timestamp, determining that the DNS response message has not expired; if the validity period of the message core data is less than the current timestamp, determining that the DNS response message is an expired message and discarding the DNS response message.
- 10. The security defense method against domain name resource record replay attacks of claim 9, wherein the method further comprises: if the digital signature verification fails, determining that the DNS response message has been tampered with and discarding the DNS response message.
- 11. A security defense system against domain name resource record replay attacks, characterized in that the system is adapted to implement the steps of the security defense method against domain name resource record replay attacks according to any one of claims 1 to 10, the system comprising a client, a recursive server and a secondary-domain authority server; wherein the client comprises: a DNS query request initiating module for initiating a DNS query request to the recursive server so that the recursive server forwards the DNS query request to the secondary-domain authority server corresponding to the target domain name; and a digital signature verification module for performing digital signature verification on the DNS response message with the public key of the zone signing key, extracting the address record set corresponding to the target domain name from the DNS response message after the verification passes, and accessing the target server based on the address record set; and the secondary-domain authority server comprises: a DNS response message construction module for, in response to the DNS query request, constructing message core data based on newly added data in the DNS additional information, digitally signing the message core data with the private key of the zone signing key to obtain a DNS message signature, constructing a DNS response message based on the DNS message signature, and returning the DNS response message to the recursive server so that the recursive server forwards it to the client.
- 12. The security defense system against domain name resource record replay attacks of claim 11, wherein the DNS response message construction module comprises: a newly-added-data position determining unit for determining, after the DNS query request is received, the position of the newly added data of the DNS additional information within the pseudo resource record; a preceding data extraction unit for extracting a number of pieces of pseudo resource data from the pseudo resource record based on that position to obtain the preceding data; and a message core data construction unit for constructing the message core data from the DNS message base format and the preceding data.
- 13. The security defense system against domain name resource record replay attacks of claim 12, wherein the DNS response message construction module further comprises: a validity period configuration unit by which the secondary-domain authority server configures the validity period of the message core data, the validity period of the message core data being shorter than the validity period of the signature in the resource record signature.
- 14. The security defense system against domain name resource record replay attacks of claim 13, wherein the DNS response message construction module further comprises: an additional information security enhancement unit for filling the validity period of the message core data and the DNS message signature into the newly added data of the DNS additional information, thereby completing the security enhancement of the DNS additional information and supplementing the associated information to obtain the DNS response message.
- 15. The security defense system against domain name resource record replay attacks of claim 14, wherein the digital signature verification module comprises: a zone signing key public key acquisition unit for obtaining the public key of the zone signing key through a DNS Security Extensions chained query; a data extraction unit for extracting the validity period of the message core data and the DNS message signature from the DNS response message; a validity period checking unit for comparing the extracted validity period of the message core data with the current timestamp; a data reconstruction unit for, when the DNS response message has not expired, extracting the corresponding data from the DNS response message and reconstructing the message core data according to the rule by which the secondary-domain authority server constructs message core data; and a signature verification unit for performing digital signature verification over the reconstructed message core data, the validity period of the message core data and the DNS message signature using the public key of the zone signing key.
- 16. The security defense system against domain name resource record replay attacks of claim 15, wherein the validity period checking unit comprises: a not-expired judging unit for determining that the DNS response message has not expired if the validity period of the message core data is greater than or equal to the current timestamp; and an expired judging unit for determining that the DNS response message is an expired message and discarding it if the validity period of the message core data is less than the current timestamp.
- 17. A computer device comprising a memory, a processor, and a security defense program against domain name resource record replay attacks stored in the memory and executable on the processor, wherein the processor, when executing the security defense program, implements the steps of the security defense method against domain name resource record replay attacks according to any one of claims 1-11.
- 18. A computer readable storage medium on which a security defense program against domain name resource record replay attacks is stored, wherein the security defense program, when executed, implements the steps of the security defense method against domain name resource record replay attacks according to any one of claims 1 to 11.
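The signing and verification flow of claims 1 to 10 (and of the description below) as an added example; this is illustrative code written for this page, not the patent's implementation. It models the secondary-domain authority server and the client only: the recursive server is a transparent forwarder here. Ed25519 from the Go standard library stands in for the zone signing key algorithm, which the patent does not specify; the `Response` type, its field names, the byte serialisation of the "message core data" (header counts, question, answers, authority, then the pseudo-RR data preceding the newly added data) and the sample query, addresses and OPT prefix are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// Response is a simplified DNS response carrying only what the patent's
// "message core data" covers (header record counts, question, answer and
// authority sections, and the pseudo-RR data placed before the newly added
// data) plus the two newly added OPT fields: validity period and signature.
// Field names and the serialisation below are assumptions of this example.
type Response struct {
	QDCount, ANCount, NSCount uint16
	Question                  string
	Answers                   []string // address record set for the target name
	Authority                 []string
	OptPreceding              []byte // pseudo-RR data located before the new data
	ValidUntil                int64  // newly added data: validity period (unix time)
	MsgSig                    []byte // newly added data: DNS message signature
}

func put16(b []byte, v uint16) []byte {
	var t [2]byte
	binary.BigEndian.PutUint16(t[:], v)
	return append(b, t[:]...)
}

// coreData serialises the message core data identically on server and client,
// so the client can rebuild it from the response it received.
func coreData(r *Response) []byte {
	b := put16(put16(put16(nil, r.QDCount), r.ANCount), r.NSCount)
	sections := append([]string{r.Question}, r.Answers...)
	sections = append(sections, r.Authority...)
	for _, s := range sections {
		b = append(put16(b, uint16(len(s))), s...)
	}
	return append(put16(b, uint16(len(r.OptPreceding))), r.OptPreceding...)
}

// signedBytes binds the validity period to the core data, so a replayed
// message cannot be given a fresh expiry without breaking the signature.
func signedBytes(r *Response) []byte {
	var t [8]byte
	binary.BigEndian.PutUint64(t[:], uint64(r.ValidUntil))
	return append(coreData(r), t[:]...)
}

// SignResponse is the authority server step (claims 6 and 7): pick a validity
// period shorter than the RRSIG expiry, sign with the ZSK private key and
// fill both values into the newly added OPT data.
func SignResponse(r *Response, zskPriv ed25519.PrivateKey, now time.Time,
	validity time.Duration, rrsigExpiry time.Time) error {
	until := now.Add(validity)
	if !until.Before(rrsigExpiry) {
		return errors.New("message validity period must be shorter than the RRSIG validity period")
	}
	r.ValidUntil = until.Unix()
	r.MsgSig = ed25519.Sign(zskPriv, signedBytes(r))
	return nil
}

// VerifyResponse is the client step (claims 8 to 10): discard expired
// (replayed) messages first, then rebuild the core data and verify the
// signature with the ZSK public key before releasing the address record set.
func VerifyResponse(r *Response, zskPub ed25519.PublicKey, now time.Time) ([]string, error) {
	if r.ValidUntil < now.Unix() {
		return nil, errors.New("expired message, possible replay: discarded")
	}
	if !ed25519.Verify(zskPub, signedBytes(r), r.MsgSig) {
		return nil, errors.New("signature verification failed, message tampered: discarded")
	}
	return r.Answers, nil
}

// Demo exercises the three outcomes a defender cares about: a fresh response
// is accepted, the same response replayed after its validity period is
// rejected, and a response whose answer was altered in transit is rejected.
func Demo() (freshOK, replayRejected, tamperRejected bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Unix(1700000000, 0) // constructed fixed clock for repeatability
	resp := &Response{
		QDCount: 1, ANCount: 1, NSCount: 1,
		Question:     "video.example.com. IN A", // constructed sample query
		Answers:      []string{"video.example.com. 60 IN A 192.0.2.10"},
		Authority:    []string{"example.com. 3600 IN NS ns1.example.com."},
		OptPreceding: []byte{0x00, 0x00, 0x10, 0x00}, // assumed pseudo-RR prefix
	}
	if SignResponse(resp, priv, now, 30*time.Second, now.Add(7*24*time.Hour)) != nil {
		return false, false, false
	}
	_, err := VerifyResponse(resp, pub, now.Add(10*time.Second))
	freshOK = err == nil
	_, err = VerifyResponse(resp, pub, now.Add(2*time.Minute)) // replayed later
	replayRejected = err != nil
	tampered := *resp
	tampered.Answers = []string{"video.example.com. 60 IN A 198.51.100.7"}
	_, err = VerifyResponse(&tampered, pub, now.Add(10*time.Second))
	tamperRejected = err != nil
	return
}
```

`Demo()` returns `(true, true, true)`: the fresh message verifies, the identical message presented two minutes later fails the expiry check of claim 9 before any signature work is done, and the message with a swapped address fails the signature check of claim 10 because the client rebuilds the core data from what it actually received. The expiry is checked first on purpose: it is a cheap integer comparison, so replayed traffic is dropped without paying for signature verification, which addresses the resource-consumption concern raised in the background section. Note that with `ValidUntil` equal to the current timestamp the message is still accepted, matching the "greater than or equal to" rule of claim 9.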
Description
Security defense method, system, computer equipment and medium for domain name resource record replay attack
Technical Field
The present invention relates to the field of network security technologies, and in particular to a security defense method, system, computer device and medium against domain name resource record replay attacks.
Background
In internet applications, when a client (such as a PC, mobile phone or tablet, hereinafter referred to as "Client") accesses an internet service, it cannot establish a connection with the target server directly through a domain name; the domain name must first be converted into the corresponding IP address (IPv4 or IPv6) through the DNS (Domain Name System) resolution process before data transmission and service access can take place. For example, when a user opens an app on a mobile phone, the Client sends a DNS query request to a recursive server (hereinafter referred to as "RecurDNS") asking for the domain name to be resolved into the corresponding IP address; RecurDNS obtains the resolution result through hierarchical queries (root authority server → top-level domain authority server → secondary-domain authority server) and returns it to the Client, which then connects to the short-video service's server at that IP address and loads and plays the short video content. To resist domain name hijacking and similar attacks, the DNSSEC (DNS Security Extensions) scheme is widely adopted in the prior art; its core logic is to verify the authenticity and integrity of resource records through digital signatures. The DNSSEC process mainly comprises two stages: pre-signing of resource records, and secure query by the Client.
The DNSSEC scheme can effectively resist domain name hijacking attacks, but in practice it has defects: it cannot resist replay of old resource records, signature verification consumes considerable resources, and it therefore cannot meet the security requirements of services that switch rapidly. Accordingly, there is a need for improvement in the art.
Disclosure of Invention
In view of the defects in the prior art, the invention provides a security defense method, system, computer device and medium against domain name resource record replay attacks, and the technical scheme adopted is as follows. In a first aspect, the invention provides a security defense method against domain name resource record replay attacks, the method comprising: a client initiates a DNS query request to a recursive server, and the recursive server forwards the DNS query request to a secondary-domain authority server corresponding to a target domain name; the secondary-domain authority server, in response to the DNS query request, constructs message core data based on newly added data in the DNS additional information, digitally signs the message core data with the private key of a zone signing key to obtain a DNS message signature, constructs a DNS response message based on the DNS message signature, and returns the DNS response message to the recursive server so that the recursive server forwards it to the client; and the client performs digital signature verification on the DNS response message with the public key of the zone signing key, extracts an address record set corresponding to the target domain name from the DNS response message after the verification passes, and accesses the target server based on the address record set.
In one implementation, the client initiating a DNS query request to a recursive server and the recursive server forwarding the DNS query request to a secondary-domain authority server corresponding to a target domain name comprises: the client initiates a DNS query request to the recursive server, the DNS query request requesting the IP address corresponding to the target domain name; and after receiving the DNS query request, the recursive server forwards it to the secondary-domain authority server corresponding to the target domain name. In one implementation, the secondary-domain authority server responding to the DNS query request and constructing message core data based on the newly added data in the DNS additional information comprises: after receiving the DNS query request, the secondary-domain authority server determines the position of the newly added data of the DNS additional information within the pseudo resource record; extracts a number of pieces of pseudo resource data from the pseudo resource record based on that position to obtain the preceding data; and constructs the message core data according