CN-121984743-A - Method for filtering webpage access based on kernel driver
Abstract
The invention discloses a method for filtering web page access based on a kernel driver, belonging to the technical field of Internet communication, and comprising the following steps: first, a user inputs a website address and the user's browser generates a DNS query request message; second, it is judged whether the DNS query request message can be answered from the local DNS cache, and if so, the IP address is obtained for access, otherwise the third step is executed; third, a query request is sent to a DNS server, a complete DNS query request network packet is constructed according to the network protocol standard, the kernel driver captures all DNS query request network packets sent to port 53, and the target domain name is then parsed from the DNS query request network packet according to the DNS protocol. Centralized and automatic management and control is realized, and the system is particularly suitable for scenarios such as machine rooms and classrooms that need unified network behavior management, greatly reducing the operation and maintenance cost.
Inventors
- SUN XIANGZHI
- TONG YONG
Assignees
- 南京极域信息科技有限公司
Dates
- Publication Date
- 20260505
- Application Date
- 20260129
Claims (10)
- 1. A method for filtering webpage access based on a kernel driver, characterized by comprising the following steps: step one, a user inputs a website address, and the user's browser generates a DNS query request message; step two, judging whether the local DNS cache already holds an entry for the DNS query request message; if yes, the IP address is obtained from the cache for access, and if not, step three is executed; step three, sending the query request to a DNS server: a complete DNS query request network packet is constructed according to the network protocol standard, the kernel driver captures all DNS query request network packets sent to port 53, and the target domain name is then parsed from the DNS query request network packet according to the DNS protocol; step four, judging whether the target domain name is in a prefabricated blacklist; if so, step five is executed, and if not, step six is executed; step five, generating a pseudo DNS response packet from the DNS query request message, in which the IP address 127.0.0.1 is sent to the user's browser, so that the browser's access is intercepted; and step six, generating a true DNS response packet from the DNS query request message, in which the correct IP address is received by the user's browser for access.
- 2. The filtering method according to claim 1, wherein the DNS query request message comprises a header, a question and an answer; the header is 12 bytes and contains an identifier, flag bits and a question count; the question is the target domain name and its type; and the answer is one or more resolved real IP addresses.
- 3. The filtering method according to claim 2, wherein the question in the DNS query request message is of variable length.
- 4. The filtering method according to claim 3, wherein, in the question section, the domain name of the DNS message is stored in a label-compressed format.
- 5. The filtering method according to claim 4, wherein the label-compressed format stores the domain name as a sequence of labels, each label preceded by a 1-byte length and the sequence terminated by a 0 byte.
- 6. The filtering method according to claim 5, wherein the pseudo DNS response packet and the true DNS response packet have the same format as the DNS query request message; the content of the pseudo DNS response packet is inconsistent with the DNS query request message, its answer being deliberately tampered with so that the IP address corresponding to the target domain name (www.abc.com) in the answer is changed to 127.0.0.1; and the true DNS response packet is consistent with the content of the DNS query request message.
- 7. The filtering method of claim 6, wherein the kernel driver registers the filter for the network layer.
- 8. The filtering method according to claim 7, wherein the network-layer filter registration comprises a filter engine module, a callout driver module and filter layers; the filter engine module is used to apply the filtering rules; the callout driver module is used to process DNS query request network packets sent to port 53; and the filter layers perform filtering at predefined filtering points.
- 9. The filtering method according to claim 8, wherein a filtering rule consists of matching conditions, such as IP address and port, and an action, such as allow, block or redirect.
- 10. The filtering method according to claim 8, wherein the filter layers include an inbound IPv4 packet filter layer, an outbound IPv4 packet filter layer and an IPv4 stream filter layer; the inbound IPv4 packet filter layer filters inbound IPv4 packets; the outbound IPv4 packet filter layer filters outbound IPv4 packets; and the IPv4 stream filter layer filters TCP stream data.
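As an added example that is not part of the patent or the assignee's implementation, the following Python models the packet-handling part of claims 1 to 6 at user level: it parses the label-encoded question of a captured port-53 query, matches the name against a blocklist, and builds the pseudo response that answers 127.0.0.1. The sample query, the 60-second TTL, the parent-domain matching rule and the rejection of compression pointers are my assumptions; the kernel capture itself (the WFP callout of claims 7 to 10) is out of scope.

```python
import struct
# Constructed sample: an A query for www.abc.com (the domain in claim 6),
# transaction id 0x1234, RD flag set, one question, no other records.
SAMPLE_QUERY = (struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
                + b"\x03www\x03abc\x03com\x00" + struct.pack("!HH", 1, 1))

def parse_question(packet):
    """Return (txid, qname, qtype, qclass, question_end) for a DNS query.
    QNAME is length-prefixed labels ended by a zero byte (claims 3-5)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length, pos = packet[pos], pos + 1
        if length == 0:
            break
        if length > 63:                      # 0xC0 pointers also fail this test
            raise ValueError("pointer or oversized label in QNAME")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, qclass, pos + 4

def is_blocked(qname, blocklist):
    # Assumed rule: exact or parent-domain match ('abc.com' blocks www.abc.com).
    return any(qname == d or qname.endswith("." + d) for d in blocklist)

def build_response(query, ip):
    """Copy id and question from the query, set flags to a standard response
    (QR, RD, RA, NOERROR) and append one A record for ip with a 60 s TTL."""
    txid, _, _, _, end = parse_question(query)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)   # name = pointer to offset 12
    return header + query[12:end] + rr + bytes(int(o) for o in ip.split("."))

def filter_query(packet, blocklist):
    """Decision for one captured port-53 query (claim 1, steps four to six):
    ('block', pseudo response answering 127.0.0.1) or ('pass', None)."""
    _, qname, qtype, qclass, _ = parse_question(packet)
    if qtype == 1 and qclass == 1 and is_blocked(qname, blocklist):
        return "block", build_response(packet, "127.0.0.1")
    return "pass", None
```

Only cleartext DNS on port 53 ever reaches this check; DNS over HTTPS or TLS never appears there, so a deployment relying on this interception needs a separate policy for encrypted resolvers.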
Description
Method for filtering webpage access based on kernel driver
Technical Field
The invention relates to the technical field of Internet communication, and in particular to a method for filtering web page access based on a kernel driver.
Background
In businesses and educational institutions, it is a common need to limit the web pages that users can access through a browser. Conventional web page access restriction methods typically work at the application layer (e.g. browser plug-ins or proxy servers) and are easily bypassed or broken. Furthermore, existing techniques often lack deep control of network traffic, resulting in inaccurate restriction policies. For these reasons, the invention designs a method for filtering web page access based on a kernel driver to solve the above problems.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a method for filtering web page access based on a kernel driver. To achieve this purpose, the invention is realized by the following technical scheme.
A method for filtering web page access based on a kernel driver comprises the following steps: step one, a user inputs a website address, and the user's browser generates a DNS query request message; step two, judging whether the local DNS cache already holds an entry for the DNS query request message; if yes, the IP address is obtained from the cache for access, and if not, step three is executed; step three, sending the query request to a DNS server: a complete DNS query request network packet is constructed according to the network protocol standard, the kernel driver captures all DNS query request network packets sent to port 53, and the target domain name is then parsed from the DNS query request network packet according to the DNS protocol; step four, judging whether the target domain name is in a prefabricated blacklist; if so, step five is executed, and if not, step six is executed; step five, generating a pseudo DNS response packet from the DNS query request message, in which the IP address 127.0.0.1 is sent to the user's browser, so that the browser's access is intercepted; and step six, generating a true DNS response packet from the DNS query request message, in which the correct IP address is received by the user's browser for access.
Further, the DNS query request message comprises a header, a question and an answer; the header is 12 bytes and contains an identifier, flag bits and a question count; the question is the target domain name and its type; and the answer is one or more resolved real IP addresses. Further, the question in the DNS query request message is of variable length. Further, in the question section, the domain name of the DNS packet is stored in a label-compressed format. Further, the label-compressed format stores the domain name as a sequence of labels, each label preceded by a 1-byte length and the sequence terminated by a 0 byte; for example, www.example.com is stored as 3www7example3com0. Furthermore, the pseudo DNS response packet and the true DNS response packet have the same format as the DNS query request message; the content of the pseudo DNS response packet is inconsistent with the DNS query request message, its answer being deliberately tampered with so that the IP address corresponding to the target domain name (www.abc.com) in the answer is changed to 127.0.0.1; and the true DNS response packet is consistent with the content of the DNS query request message. Further, the kernel driver registers filters for the network layer. Further, the network-layer filter registration comprises a filter engine module, a callout driver module and filter layers: the filter engine module is used to apply the filtering rules; the callout driver module is used to process DNS query request network packets sent to port 53; and the filter layers perform filtering at predefined filtering points.
Still further, a filtering rule consists of matching conditions, such as IP address and port, and an action, such as allow, block or redirect. Further, the filter layers comprise an inbound IPv4 packet filter layer, an outbound IPv4 packet filter layer and an IPv4 stream filter layer; the inbound IPv4 packet filter layer filters inbound IPv4 packets; the outbound IPv4 packet filter layer filters outbound IPv4 packets; and the IPv4 stream filter layer filters TCP stream data.
The method has the following advantages. By implementing the filtering mechanism in the kernel layer rather than the application layer, it avoids the risk that a traditional browser plug-in or proxy server scheme is bypassed by the user replacing the browser, using a VPN or editing the local hosts file, and achieves interception at the true bottom layer. Interception is accurate and efficient: by intercepting and parsing the DNS query request, the method intervenes directly at the domain name resolution stage. The method can accurately identify th