CN114285821B - Domain name resolution method, device, electronic device, storage medium and product - Google Patents
Publication number: CN114285821B (application CN202111364551.2A)
Authority: CN (China)
Legal status: Active (status as listed by Google Patents; it is an assumption, not a legal conclusion)
Description
Technical Field
The present invention relates to the field of Internet technology, and in particular to a domain name resolution method, device, electronic device, storage medium and product.
Background
With the rapid development of the mobile Internet, requirements for secure access to applications keep rising, and secure access to business systems has become particularly important.
In the prior art, the trusted proxy is the data-plane component of a zero-trust architecture: it is the first checkpoint for secure business access and the policy enforcement point for dynamic access control. Its concrete product form differs greatly between scenarios.
At present, a trusted application proxy can only proxy application access if every application to be proxied has its domain name resolved to the trusted application proxy server. Two implementations are common. The first modifies the DNS record of each application so that every proxied application domain resolves to the IP address of the trusted application proxy server; this is hard to maintain when there are many applications, and a changed record only takes effect once the caches of the various DNS servers have expired, which can take a long time. The second configures a wildcard domain that points to the trusted application proxy server; this only works when all proxied application domains share the same suffix, and once it is in effect every domain with that suffix is directed to the proxy server, so application access cannot be controlled at a finer granularity, which degrades the user experience.
Summary of the invention
The present invention provides a domain name resolution method, device, electronic device, storage medium and product to solve the technical problems in the prior art that application access is slow to take effect and cannot be controlled at a fine granularity, so as to speed up the handling of application access and guarantee its timeliness and security.
In a first aspect, the present invention provides a domain name resolution method, applied to a terminal device, comprising:
obtaining a domain name resolution request input by the user;
performing, according to the domain name resolution request, a domain name query in a preset domain name application list, wherein the domain name application list contains the domain names corresponding to authorized applications;
when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name and using the target IP address as the resolution result of the domain name resolution request.
Further, according to the domain name resolution method provided by the present invention, determining the target IP address corresponding to the domain name comprises:
determining the IP address of the zero-trust trusted application proxy server as the target IP address corresponding to the domain name.
Further, according to the domain name resolution method provided by the present invention, determining the target IP address corresponding to the domain name comprises:
determining, according to the domain name, a first IP address of the domain name, wherein the first IP address of the domain name differs from the second IP address stored for the domain name in a DNS server;
determining the first IP address of the domain name as the target IP address corresponding to the domain name.
Further, according to the domain name resolution method provided by the present invention, the method further comprises:
obtaining identification information of the user;
correspondingly, determining the target IP address corresponding to the domain name when the domain name contained in the domain name resolution request exists in the domain name application list comprises:
when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name based on the identification information of the user.
Further, according to the domain name resolution method provided by the present invention, after performing the domain name query in the preset domain name application list according to the domain name resolution request, the method further comprises:
when the domain name contained in the domain name resolution request does not exist in the domain name application list, forwarding the domain name resolution request to a DNS server to obtain the second IP address of the domain name contained in the domain name resolution request.
Further, according to the domain name resolution method provided by the present invention, before obtaining the domain name resolution request input by the user, the method comprises:
receiving the domain name application list;
wherein the domain name application list is obtained by mapping the IP addresses of each of the user's applications to domain names in the zero-trust trusted access console.
In a second aspect, the present invention further provides a domain name resolution device, comprising:
an acquisition module, configured to obtain the domain name resolution request input by the user;
a query module, configured to perform, according to the domain name resolution request, a domain name query in a preset domain name application list, wherein the domain name application list contains the domain names corresponding to authorized applications;
a determination module, configured to determine, when the domain name contained in the domain name resolution request exists in the domain name application list, the target IP address corresponding to the domain name, and to use the target IP address as the resolution result of the domain name resolution request.
In a third aspect, the present invention further provides an electronic device, comprising:
a processor, a memory and a bus, wherein
the processor and the memory communicate with each other via the bus;
the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the steps of the domain name resolution method described in any one of the above.
In a fourth aspect, the present invention further provides a non-transitory computer-readable storage medium storing computer instructions that cause a computer to execute the steps of the domain name resolution method described above.
In a fifth aspect, the present invention further provides a computer program product comprising a computer program which, when executed by a processor, implements the steps of the domain name resolution method described in any one of the above.
The present invention provides a domain name resolution method, device, electronic device, storage medium and product applied to a terminal device. A domain name resolution request input by the user is obtained; according to the request, a domain name query is performed in a preset domain name application list that contains the domain names corresponding to authorized applications; when the domain name contained in the request exists in the list, the target IP address corresponding to the domain name is determined and used as the resolution result of the request. Because the method runs on the terminal device, as a local DNS service listening on a local port, it steers application traffic to the trusted application proxy, speeds up the handling of application access, makes application access dynamically controllable, and guarantees its timeliness and security.
BRIEF DESCRIPTION OF THE DRAWINGS
In order to explain the technical solutions of the present invention or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
FIG1 is a schematic flow chart of domain name resolution in the prior art;
FIG2 is a schematic flow chart of a domain name resolution method provided by the present invention;
FIG3 is an example diagram of a domain name resolution method provided by the present invention;
FIG4 is a schematic structural diagram of a domain name resolution device provided by the present invention;
FIG5 is a schematic structural diagram of an electronic device provided by the present invention.
Detailed description
In order to make the purpose, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention are described clearly and completely below with reference to the drawings. Obviously, the described embodiments are some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
FIG1 is a schematic flow chart of domain name resolution in the prior art. As shown in FIG1, domain name resolution in the prior art usually relies on DNS servers: the regional DNS server (the recursive resolver configured on the client), the global root DNS servers, the top-level DNS servers and the authoritative DNS servers. The DNS server configured on the client computer is the regional DNS server; on receiving a resolution request it obtains the result from the authoritative DNS server, returns it to the user, and caches the result for the duration of its TTL. The regional DNS server is generally the one provided by the network service provider, but it can be changed to a commonly used public DNS server as needed.
In the prior art, resolving a domain name to its IP address generally takes the following steps:
1. The user terminal sends a domain name resolution request to the regional DNS server.
2. The regional DNS server first queries a global root DNS server, which returns the address of the top-level DNS server for the requested domain.
3. The regional DNS server then queries that top-level DNS server, which returns the address of the authoritative DNS server for the requested domain.
4. The regional DNS server then queries that authoritative DNS server, which returns the IP address of the requested domain.
For example, requesting the address of a domain name (A.com) proceeds as follows:
(1) The user terminal asks the regional DNS server for the IP address of A.com;
(2) The regional DNS server asks a global root DNS server for the IP address of A.com; the root server answers that the top-level DNS server managing the com domain is xxx;
(3) The regional DNS server asks that top-level DNS server for the IP address of A.com; the top-level server answers that the authoritative DNS server managing A.com is xxx;
(4) The regional DNS server asks that authoritative DNS server for the IP address of A.com; the authoritative server answers that the IP address is XXXX.
The whole process is carried out solely through the interaction between the regional DNS server and the other DNS servers. It offers no dynamic control over application access, and the IP address a user obtains for a domain name can lag behind a change for a long time.
FIG2 is a schematic flow chart of the domain name resolution method provided by the present invention. As shown in FIG2, the method, applied on a terminal device, comprises the following steps:
Step 201: obtain a domain name resolution request input by the user.
In this embodiment, a domain name resolution request initiated on the user's terminal device is obtained. The request contains the domain name to be resolved, for example A.com or B.com; it is set according to the user's actual needs and is not specifically limited here.
Note that before the domain name resolution request input by the user is obtained, a local DNS service (localhost DNS) must be installed on the terminal device to perform the steps of the method provided by the present invention. DNS (Domain Name System) is an Internet service: a distributed database that maps domain names to IP addresses and back, allowing users to reach Internet hosts more conveniently and quickly. DNS service is normally provided on TCP and UDP port 53.
Step 202: according to the domain name resolution request, perform a domain name query in a preset domain name application list, wherein the domain name application list contains the domain names corresponding to authorized applications.
In this embodiment, the domain name to be queried is taken from the resolution request and looked up in the preset domain name application list. The list lives in the local DNS service and contains the domain names of the applications that have been authorized, that is, the domain names of all applications the user has permission to access. In this embodiment these may be domain names that conventional (public) DNS servers cannot resolve.
Step 203: when the domain name contained in the domain name resolution request exists in the domain name application list, determine the target IP address corresponding to the domain name and use the target IP address as the resolution result of the domain name resolution request.
In this embodiment, if the domain name obtained from the resolution request of step 201 is present in the domain name application list held by the local DNS service on the terminal device, the target IP address corresponding to that domain name is taken from the list and returned as the resolution result. The target IP address in the list may be the intranet IP address of the application behind the domain name, or the IP address of the zero-trust trusted application proxy server that fronts it; accordingly, access to the application is steered either to the intranet or to the zero-trust trusted application proxy server, which is what is meant here by application steering. The target IP address can be set according to actual needs and is not specifically limited here.
For example, if the domain name A.com is obtained from the resolution request and A.com is present in the domain name application list of the local DNS service, the mapping between domain name and IP address in the list yields, say, 12.12.12.12 as the resolution result, and access to that application is steered to the corresponding intranet address or zero-trust trusted proxy server.
The description calls the virtual local DNS service on the user terminal a reverse proxy: it sits between the user and the target server, and to the user it stands in for the target server, so that a request to the local DNS service yields the target server's resources. In DNS terms the local service is a forwarding (split-horizon) resolver; the reverse proxy for the application traffic itself is the trusted application proxy server, which, like reverse proxies generally, also serves as an application-layer firewall and offers some protection against web-based attacks on the site.
The way the local DNS service is put into the resolution path depends on the platform: on Linux (and, per the description, macOS) the resolver configuration in /etc/resolv.conf is changed; on Windows the DNS server in the network adapter properties is changed. (On current macOS versions /etc/resolv.conf is generated and not consulted by the system resolver; the DNS servers must be set per network service, for example with networksetup -setdnsservers.) In essence, the regional DNS server originally configured by the user is replaced by the local DNS service provided by the present invention. The local DNS service acts as a man in the middle: a resolution request from the terminal goes to the local DNS service first; if the domain name application list holds a target IP address for the domain, that address is returned directly, otherwise the local DNS service passes the request on to the regional DNS server, which continues the lookup.
The domain name resolution method provided by the present invention is applied to a terminal device: the domain name taken from the resolution request is looked up in the preset domain name application list, and when the list contains it, the target IP address corresponding to the domain name is determined and used as the resolution result of the request. By installing a local DNS service that listens on a local port of the user terminal, the method steers application traffic to the trusted application proxy, speeds up the handling of application access, makes application access dynamically controllable, and guarantees its timeliness and security.
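As an added example of the local DNS service described in steps 201 to 203 (not code from the patent or from any product it describes), the following Python implements the lookup-then-forward logic on raw DNS messages: a query whose name is in the domain name application list is answered locally with the target address, anything else is forwarded unchanged to the regional DNS server. The list entries, the 30 second TTL, the upstream address 8.8.8.8 and the loopback listener are assumptions; the sample list mirrors the A.COM/B.COM/C.COM shape the description uses later. One check the description does not spell out is included: a name that is in the list is never forwarded upstream for any record type, because an upstream AAAA answer for a proxied name would let the client reach the application without passing the proxy.

```python
"""Local DNS service for the terminal: answers names in the authorized app list
itself and forwards everything else to the upstream (regional) DNS server."""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1
TTL = 30  # short TTL so a changed or revoked list takes effect quickly (assumption)

# Constructed list in the shape the description gives (A.COM:2.2.2.2 ...), lowercased.
APP_LIST = {
    "a.com": "2.2.2.2",      # proxied app: answer is the trusted proxy address
    "b.com": "2.2.2.2",
    "c.com": "192.168.2.2",  # intranet app: answer is the intranet address
}

def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(msg, off, depth=0):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            if depth > 4:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [decode_name(msg, ptr, depth + 1)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def build_query(name, qtype=QTYPE_A, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_query(msg):
    """Return (txid, lowercased qname, qtype, qclass, raw question section)."""
    txid, _flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, name.lower(), qtype, qclass, msg[12:off + 4]

def build_answer(txid, question, ip=None):
    """NOERROR response (QR, AA, RD, RA set) with one A record, or none if ip is None."""
    msg = struct.pack("!HHHHHH", txid, 0x8580, 1, 0 if ip is None else 1, 0, 0) + question
    if ip is not None:  # 0xc00c: pointer to the name at offset 12 (the question)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, TTL, 4) + socket.inet_aton(ip)
    return msg

def answer_ips(msg):
    """IPv4 addresses in the answer section of a response (for checking results)."""
    _txid, _flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off, ips = 12, []
    for _ in range(qdcount):
        off = decode_name(msg, off)[1] + 4
    for _ in range(ancount):
        off = decode_name(msg, off)[1]
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == QTYPE_A and rdlen == 4:
            ips.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return ips

def forward_udp(msg, upstream=("8.8.8.8", 53), timeout=2.0):
    """Pass the query unchanged to the regional DNS server (address is an assumption)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(msg, upstream)
        return s.recv(4096)

def resolve(msg, app_list=APP_LIST, forward=forward_udp):
    """Steps 202/203: answer from the list, otherwise forward to the regional DNS."""
    txid, name, qtype, qclass, question = parse_query(msg)
    if name in app_list and qclass == QCLASS_IN:
        # A listed name is never sent upstream, even for other record types (e.g. AAAA):
        # an upstream IPv6 answer would let the client bypass the proxy address.
        return build_answer(txid, question, app_list[name] if qtype == QTYPE_A else None)
    reply = forward(msg)
    if reply[:2] != msg[:2]:  # the upstream reply must carry our transaction id
        raise ValueError("transaction id mismatch from upstream")
    return reply

def serve(app_list=APP_LIST, listen=("127.0.0.1", 53)):
    """Listen on loopback port 53 as the description states (needs privileges to bind)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(listen)
        while True:
            msg, peer = s.recvfrom(512)
            try:
                s.sendto(resolve(msg, app_list), peer)
            except (ValueError, IndexError, struct.error, socket.timeout):
                pass  # malformed query or no upstream answer: drop, the client retries

if __name__ == "__main__":
    serve()
```

Run it with the privileges needed to bind port 53 and point the system resolver at 127.0.0.1; resolve() can also be exercised directly with build_query() and a fake forwarder, without any network, which is how the behaviour above is checked.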
In another embodiment of the present invention, determining the target IP address corresponding to the domain name comprises:
determining the IP address of the zero-trust trusted application proxy server as the target IP address corresponding to the domain name.
In this embodiment, when the domain name application list holds an entry for the domain name, the IP address of the zero-trust trusted application proxy server is determined as the target IP address of that domain name.
In this embodiment the user obtains the domain name application list only after logging in and authenticating successfully. The mappings in the list include mappings from domain names to the IP address of the zero-trust trusted application proxy server, and several domain names may map to the same proxy server address. For example, with a proxy server address of 2.2.2.2, the user receives three entries after authenticating: A.COM:2.2.2.2, B.COM:2.2.2.2 and C.COM:192.168.2.2. A and B are authorized applications served through the trusted proxy, so their domains map to the proxy server's IP address; C is an intranet application, so its domain maps to an intranet address.
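The console side of this, as an added example (not the patent's or any product's code): derive the per-user domain name application list that the terminal receives after a successful login from an application catalogue and the user's grants, as the summary describes for the zero-trust trusted access console. The catalogue, user identifiers and addresses are constructed; proxied applications get the proxy address, intranet applications their own address, and an unauthenticated or unknown user gets an empty list so the terminal's local DNS service simply forwards everything. A change computation is included so that a re-issued list after a revocation can be applied incrementally.

```python
"""Console side: build the per-user domain name application list from the app
catalogue and the user's authorizations (constructed data, not from the patent)."""
from ipaddress import ip_address

PROXY_IP = "2.2.2.2"  # assumed address of the zero-trust trusted application proxy

# Constructed application catalogue: proxied apps are reached through the proxy,
# intranet apps carry their own (first) IP address.
CATALOG = {
    "app-a": {"domain": "A.COM", "proxied": True},
    "app-b": {"domain": "B.COM", "proxied": True},
    "app-c": {"domain": "C.COM", "proxied": False, "intranet_ip": "192.168.2.2"},
}

# Constructed authorizations keyed by user identifier.
GRANTS = {
    "alice": {"app-a", "app-b", "app-c"},
    "bob": {"app-a"},
}

def normalize(domain):
    """Names are matched case-insensitively and without a trailing dot."""
    return domain.strip().lower().rstrip(".")

def build_app_list(user, authenticated, catalog=CATALOG, grants=GRANTS, proxy_ip=PROXY_IP):
    """Return {domain: target ip} for the user's authorized apps.

    Fails closed: an unauthenticated or unknown user gets an empty list, so the
    terminal's local DNS service forwards every query to the regular DNS server.
    """
    if not authenticated:
        return {}
    app_list = {}
    for app_id in sorted(grants.get(user, ())):
        app = catalog[app_id]
        ip = proxy_ip if app["proxied"] else app["intranet_ip"]
        ip_address(ip)  # reject a malformed catalogue entry before it reaches endpoints
        domain = normalize(app["domain"])
        if domain in app_list and app_list[domain] != ip:
            raise ValueError("conflicting targets for %s" % domain)
        app_list[domain] = ip
    return app_list

def list_changes(old, new):
    """Entries to add or update and domains to drop when a re-issued list replaces
    the previous one (e.g. after a grant is revoked), so the terminal can update
    its local DNS list in place rather than rebuilding it."""
    upsert = {d: ip for d, ip in new.items() if old.get(d) != ip}
    drop = sorted(d for d in old if d not in new)
    return upsert, drop
```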
Zero trust is a new-generation network security concept. Its key is to break the default "trust"; in essence it means "never trust, always verify": by default no person, device or system inside or outside the enterprise network is trusted, and the basis of trust for access control is rebuilt on identity authentication and authorization, so that identity, device, application and link are all verifiably trusted. The trusted proxy is the data-plane component of a zero-trust architecture, the first checkpoint for secure business access and the policy enforcement point for dynamic access control.
A zero-trust trusted application proxy server can only proxy application access if every application to be proxied has its domain name resolved to the IP address of the trusted application proxy server. In this embodiment, therefore, the IP address of the zero-trust trusted application proxy server is determined as the target IP address of the domain name, so that application access is steered to the proxy server and every request passes its access control. Note that local resolution only steers traffic: a client that bypasses the local DNS service can still resolve the public address, so the application itself should accept connections only from the proxy if the control is to be complete.
For example, the domain name obtained from the resolution request is a.com and the IP address of the zero-trust trusted proxy server is 2.2.2.2. The domain name originally resolves to 1.1.1.1, and changing that record through the prior-art lookup path takes time to propagate. In this embodiment the domain name application list of the local DNS service maps a.com to the proxy server address 2.2.2.2, which is returned as the target IP address, so the application's traffic is steered straight to the gateway and the lookup completes immediately.
According to the domain name resolution method provided by the present invention, by determining the IP address of the zero-trust trusted application proxy server as the target IP address of the domain name, the timeliness and security of application access handling are guaranteed and the user experience is improved.
In another embodiment of the present invention, determining the target IP address corresponding to the domain name includes:
determining a first IP address of the domain name according to the domain name, wherein the first IP address of the domain name is an IP address different from a second IP address of the domain name stored in a DNS server; and
determining the first IP address of the domain name as the target IP address corresponding to the domain name.
In this embodiment, the first IP address is the intranet IP address corresponding to the domain name, and the second IP address is the public-network IP address of the domain name stored in the DNS server. In this embodiment, the first IP address of the domain name is determined from the domain name application list in the local DNS service according to the domain name information, and the first IP address is determined as the target IP address corresponding to the domain name. Note that the first IP address differs from the second IP address stored in the DNS server: the two are IP addresses belonging to different network types. They can be set according to actual needs and are not specifically limited here.
Note that, in addition to a network card IP address, each terminal also has a virtual local loopback address, which begins with 127. Local loopback addresses beginning with 127. belong to the user's terminal device, and the local DNS service in the embodiment of the present invention listens on port 53 of a local loopback address beginning with 127. to provide DNS resolution to the terminal.
Note that, in this embodiment, the domain names being resolved are generally intranet domain names; these are resolved by the local DNS service and correspond to the first IP address. On the Internet, such intranet domain names cannot be resolved unless the user has logged in to the zero-trust trusted client of the present invention.
According to the domain name resolution method provided by the embodiment of the present invention, using the first IP address determined for the domain name in the domain name application list of the local DNS service as the target IP address corresponding to the domain name ensures that, when accessing the intranet, the user can quickly obtain the IP address from the mapping between domain name and IP address, which improves the timeliness of application access and avoids hijacking attacks on the user's domain names.
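The local DNS service described above (a listener on a 127. loopback address, port 53, that answers A queries for listed domain names) can be shown at the wire level. The following Python is an added example written for this page, not code from the patent or its applicant. The contents of DOMAIN_APPLICATION_LIST, the function names, the 30-second TTL and the decision to drop malformed packets are assumptions of the example; the behaviour it follows from the text is that a listed name is answered from the list and any other name is handed on to the upstream DNS server (the forwarding step itself is outside this block).

```python
import socket
import struct

# Constructed sample (not from the patent): the list the local DNS service holds for one
# logged-in user. a.com is steered to the trusted application proxy, c.com is an intranet
# address that is returned directly.
DOMAIN_APPLICATION_LIST = {"a.com": "2.2.2.2", "c.com": "192.168.2.2"}
LOOPBACK_ADDR = ("127.0.0.1", 53)        # a 127. loopback address, port 53, as in the text
QTYPE_A, QCLASS_IN = 1, 1

def encode_name(name: str) -> bytes:
    """'a.com' -> b'\\x01a\\x03com\\x00': length-prefixed labels plus the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("label length must be 1..63")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def decode_name(data: bytes, offset: int):
    """Decode a name at offset, following compression pointers with a hop limit so a
    crafted packet cannot loop the parser. Returns (lower-cased name, end offset)."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:                           # 11xxxxxx: compression pointer
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2                            # name ends after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)

def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """The recursive query a stub resolver sends to 127.0.0.1:53 (RD=1, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)

def parse_query(data: bytes):
    """Return (txid, qname, qtype, qclass, raw question section); raise on malformed input."""
    if len(data) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", data[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    qname, off = decode_name(data, 12)
    if off + 4 > len(data):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return txid, qname, qtype, qclass, data[12:off + 4]

def build_a_response(txid: int, question: bytes, ip: str, ttl: int = 30) -> bytes:
    """One A record answering the question; 0xC00C points back at the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)  # QR AA RD RA set, NOERROR
    rr = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def handle_packet(data: bytes, app_list=DOMAIN_APPLICATION_LIST):
    """One step of the loopback service: a listed A/IN name is answered from the list;
    anything else yields (None, 'forward') so the caller can pass the raw query on to
    the upstream DNS server (the forwarding itself is outside this block)."""
    txid, qname, qtype, qclass, question = parse_query(data)
    if qtype == QTYPE_A and qclass == QCLASS_IN and qname in app_list:
        return build_a_response(txid, question, app_list[qname]), "list"
    return None, "forward"

def is_well_formed(data: bytes) -> bool:
    """True if parse_query accepts the packet; malformed packets are dropped, not answered."""
    try:
        parse_query(data)
        return True
    except ValueError:
        return False

def serve(app_list=DOMAIN_APPLICATION_LIST):
    """Bind the loopback address and answer from the list (port 53 needs privileges)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(LOOPBACK_ADDR)
    while True:
        data, peer = sock.recvfrom(512)
        if not is_well_formed(data):
            continue
        resp, _decision = handle_packet(data, app_list)
        if resp is not None:
            sock.sendto(resp, peer)
```

Two details matter for a service that sits on every lookup the terminal makes: the name decoder bounds every read and caps pointer hops, so a malformed or looping packet is discarded rather than hanging the resolver, and the question section is echoed back unchanged while the match is done on the lower-cased name, so the answer stays valid for clients that compare the question case-sensitively.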
In another embodiment of the present invention, the method further includes:
obtaining the user's identification information;
correspondingly, when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name includes:
determining, when the domain name contained in the domain name resolution request exists in the domain name application list, the target IP address corresponding to the domain name based on the user's identification information.
In this embodiment, different domain name resolution policies also need to be determined for different users. The user's identification information is obtained; the identification information is a marker that distinguishes one user from another, for example user 1 is denoted A and user 2 is denoted B. When the domain name contained in the domain name resolution request exists in the domain name application list of the local DNS service, the target IP address corresponding to the domain name is determined based on the user's identification information.
Note that the domain name application list in the local DNS service contains each domain name and the IP address corresponding to each domain name; the user's identification information determines which domain name application list the user has been authorized for, and the target IP address corresponding to the domain name is then determined from the mapping in that list. For example, let the identification information of user 1 be A and that of user 2 be B. The gateway determines that domain name application list 1 of user 1 (identification A) is a.com:2.2.2.2, b.com:2.2.2.2 and c.com:192.168.2.2, and that domain name application list 2 of user 2 (identification B) is a.com:2.2.2.2 and c.com:192.168.2.2. Once user 2's identification information has been determined, if user 2 wants to access the domain name b.com, the mapping in the list yields no corresponding IP address, so user 2 cannot access that application; if user 2 wants to access c.com, the corresponding IP address 192.168.2.2 is determined as the target IP address of that domain name.
Note that the same domain name may also resolve to different IP addresses. Each domain name corresponds to at least one IP address, and each IP address corresponds to only one domain name, so the IP addresses corresponding to the same domain name 1 can differ. For example, based on the user's identification information, the gateway determines that the domain name application list of user 1 contains domain name 1 and that the list of user 2 also contains domain name 1; however, the IP address of domain name 1 in user 1's list is IP address 1, while in user 2's list it is IP address 2, so the same domain name corresponds to different IP addresses. The mapping between domain names and IP addresses can be set according to actual needs and is not specifically limited here.
For example, scenario 1: the gateway determines that domain name application list 1 obtained by user 1 is a.com:2.2.2.2, b.com:2.2.2.2 and c.com:192.168.2.2, and that the domain name application list obtained by user 2 is a.com:3.3.3.3 and c.com:192.168.2.2; user 1 and user 2 then use different trusted application proxies, which provides load balancing. Scenario 2: the gateway determines that domain name application list 1 obtained by user 1 is c.com:192.168.2.2 and that domain name application list 2 obtained by user 2 is c.com:192.168.2.3; different users obtain different IP addresses for the same application, which provides DNS load balancing for that application.
According to the domain name resolution method provided by the embodiment of the present invention, obtaining the user's identification information and then, when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name based on that identification information allows the same domain name to correspond to different IP addresses, achieves load balancing and the hiding of sensitive applications, and meets the diverse demand scenarios of enterprises.
In another embodiment of the present invention, after performing the domain name query in the preset domain name application list according to the domain name resolution request, the method further includes:
forwarding, when the domain name contained in the domain name resolution request does not exist in the domain name application list, the domain name resolution request to a DNS server to obtain the second IP address of the domain name contained in the domain name resolution request.
In this embodiment, if the domain name to be queried does not exist in the domain name application list the user is authorized for, the local DNS service needs to forward the domain name resolution request to the regional DNS server to obtain the second IP address of the domain name contained in the request. Note that, as shown in FIG. 3, the local DNS service sends a domain name resolution request to the regional DNS server; the regional DNS server first sends a resolution request to a global root DNS server, which returns the address of the top-level DNS server for the requested domain name; the regional DNS server then sends a resolution request to the top-level DNS server, which returns the address of the authoritative DNS server for the requested domain name; the regional DNS server finally sends a resolution request to the authoritative DNS server, which returns the second IP address of the requested domain name. The second IP address is the IP address used for access over the public network.
Note that for a domain name that requires application steering, the IP address corresponding to that domain name in the user's authorized domain name application list is returned; for a domain name that does not, the resolution method of this embodiment queries the original DNS server for the corresponding IP address, and the local DNS service returns the second IP address received from the DNS server to the user.
According to the domain name resolution method provided by the embodiment of the present invention, when the domain name contained in the domain name resolution request does not exist in the domain name application list of the local DNS service, the request is forwarded to the DNS server to obtain the second IP address of that domain name, which ensures that domain name resolution is still completed when the requested domain name does not exist in the domain name application list.
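The per-user lists of the previous embodiment (scenario 1, where user 1 and user 2 receive different addresses for a.com), together with the forwarding of unlisted names to the regional DNS server described just above, as an added example written for this page rather than the patent's own code. The user identifiers A and B, the list contents and the addresses 2.2.2.2, 3.3.3.3 and 192.168.2.2 follow the text's scenario; the PUBLIC_DNS stand-in for the regional DNS server, the validation performed in receive_list, the revoke step on logout and all function names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Dict, Optional

# Per-user domain name application lists following scenario 1 of the text; the user
# identifiers "A" and "B" are the text's own markers for user 1 and user 2.
USER_LISTS = {
    "A": {"a.com": "2.2.2.2", "b.com": "2.2.2.2", "c.com": "192.168.2.2"},
    "B": {"a.com": "3.3.3.3", "c.com": "192.168.2.2"},
}

# Constructed stand-in for the regional DNS server (not from the patent): it knows the
# public address of a.com but, as the text states, cannot resolve intranet names.
PUBLIC_DNS = {"a.com": "1.1.1.1", "public.example": "203.0.113.10"}

def upstream_lookup(name: str) -> Optional[str]:
    """Stub for forwarding a query to the regional DNS server; None when it has no answer."""
    return PUBLIC_DNS.get(name)

# Hostname shape check: labels of 1..63 chars, at least two labels, 253 chars overall.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9-]{1,63}(\.[a-z0-9-]{1,63})+$")

def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so 'A.COM.' and 'a.com' match the same entry."""
    return name.strip().lower().rstrip(".")

@dataclass(frozen=True)
class Resolution:
    ip: Optional[str]   # None: the name could not be resolved for this user
    source: str         # "list" (user's list), "upstream" (regional DNS) or "none"

class LocalDnsService:
    """Resolution policy of the loopback DNS service, independent of the wire format."""

    def __init__(self, upstream: Callable[[str], Optional[str]] = upstream_lookup):
        self.lists: Dict[str, Dict[str, str]] = {}   # user id -> domain name -> IPv4
        self.upstream = upstream

    def receive_list(self, user_id: str, app_list: Dict[str, str]) -> bool:
        """Install the list the console pushes after login. The whole list is rejected
        if any entry is not a valid name/IPv4 pair, so a corrupt push cannot silently
        steer some names and drop others. Returns True when installed."""
        clean: Dict[str, str] = {}
        for domain, ip in app_list.items():
            name = normalize(domain)
            try:
                if not _DOMAIN_RE.match(name) or ip_address(ip).version != 4:
                    return False
            except ValueError:          # ip_address() rejects malformed addresses
                return False
            clean[name] = ip
        self.lists[user_id] = clean
        return True

    def revoke(self, user_id: str) -> None:
        """Drop the list on logout: intranet names then stop resolving for this user."""
        self.lists.pop(user_id, None)

    def resolve(self, user_id: Optional[str], domain: str) -> Resolution:
        """Listed name -> answer from the user's list; otherwise forward upstream."""
        name = normalize(domain)
        app_list = self.lists.get(user_id) if user_id is not None else None
        if app_list is not None and name in app_list:
            return Resolution(app_list[name], "list")
        ip = self.upstream(name)
        return Resolution(ip, "upstream" if ip is not None else "none")
```

Run against the scenario, user A gets 2.2.2.2 for a.com and user B gets 3.3.3.3, so the two users are spread over different trusted application proxies; b.com is absent from user B's list, is forwarded upstream, and resolves to nothing because the public DNS does not know the intranet name, which is the "cannot access" outcome the text describes. A user with no installed list (not logged in) only ever sees the public second IP address.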
In another embodiment of the present invention, before obtaining the domain name resolution request input by the user, the method includes:
receiving the domain name application list,
wherein the domain name application list is obtained in the zero-trust trusted access console by mapping the IP addresses of each of the user's applications to domain names.
In this embodiment, the local DNS service needs to receive the domain name application list before obtaining the domain name resolution request input by the user. The list is obtained in the zero-trust trusted access console by mapping the IP addresses of the applications the user is entitled to access to domain names; according to the authorized user account information, the domain name application list containing the IP addresses of the authorized applications is obtained after the user has successfully logged in. The zero-trust trusted access console then passes the generated domain name application list to the local DNS service for subsequent domain name resolution. Note that the domain name application list contains the mapping between the IP addresses of a given user's applications and the domain names; in other embodiments the list may also contain other mappings, which can be set according to actual needs and are not specifically limited here.
According to the domain name resolution method provided by the present invention, the local DNS service needs to receive the domain name application list, which serves the domain name resolution requests the user subsequently issues after logging in through the zero-trust trusted terminal; the service thereby obtains the list of all applications the user is permitted to access, ensuring the timeliness and security of domain name resolution.
FIG. 4 shows a domain name resolution device provided by an embodiment of the present invention. As shown in FIG. 4, the domain name resolution device includes:
an acquisition module 401, configured to obtain a domain name resolution request input by a user;
a query module 402, configured to perform a domain name query in a preset domain name application list according to the domain name resolution request, wherein the domain name application list contains the domain names corresponding to authorized applications; and
a determination module 403, configured to determine, when the domain name contained in the domain name resolution request exists in the domain name application list, the target IP address corresponding to the domain name, and to use the target IP address as the resolution result of the domain name resolution request.
The domain name resolution device provided by the present invention is applied in a terminal device. It queries the domain name obtained from the acquired domain name resolution request in the preset domain name application list and, when the domain name exists in the list, determines the target IP address corresponding to the domain name and uses it as the resolution result of the request. The domain name resolution method of the present invention is applied on the terminal device by installing on the user's terminal a local DNS service that listens on a local port; this service steers application traffic to the trusted application proxy, increases the processing speed of application access, realizes dynamic control of application access, and ensures the timeliness and security of application access.
Further, the determination module 403 is also configured to:
determine the IP address of the zero-trust trusted application proxy server as the target IP address corresponding to the domain name.
According to the domain name resolution device provided by the present invention, determining the IP address of the zero-trust trusted application proxy server as the target IP address corresponding to the domain name ensures the timeliness and security of application access handling and improves the user experience.
Further, the determination module 403 is also configured to:
determine a first IP address of the domain name according to the domain name, wherein the first IP address of the domain name is an IP address different from a second IP address of the domain name stored in a DNS server; and
determine the first IP address of the domain name as the target IP address corresponding to the domain name.
According to the domain name resolution device provided by the embodiment of the present invention, using the first IP address determined for the domain name in the domain name application list of the local DNS service as the target IP address corresponding to the domain name ensures that, when accessing the intranet, the user can quickly obtain the IP address from the mapping between domain name and IP address, which improves the timeliness of application access and avoids hijacking attacks on the user's domain names.
Further, the device also includes an acquisition module configured to:
obtain the user's identification information;
correspondingly, when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name includes:
determining, when the domain name contained in the domain name resolution request exists in the domain name application list, the target IP address corresponding to the domain name based on the user's identification information.
According to the domain name resolution device provided by the embodiment of the present invention, obtaining the user's identification information and then, when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name based on that identification information allows the same domain name to correspond to different IP addresses for different users, meeting the diverse demand scenarios of enterprises.
Further, the query module 402 is also configured to:
forward, when the domain name contained in the domain name resolution request does not exist in the domain name application list, the domain name resolution request to a DNS server to obtain the second IP address of the domain name contained in the domain name resolution request.
According to the domain name resolution device provided by the embodiment of the present invention, when the domain name contained in the domain name resolution request does not exist in the domain name application list of the local DNS service, the request is forwarded to the DNS server to obtain the second IP address of that domain name, which ensures that domain name resolution is still completed when the requested domain name does not exist in the domain name application list.
Further, the device also includes a receiving module configured to:
receive the domain name application list,
wherein the domain name application list is obtained in the zero-trust trusted access console by mapping the IP addresses of each of the user's applications to domain names.
According to the domain name resolution method provided by the present invention, the local DNS service needs to receive the domain name application list, which serves the domain name resolution requests the user subsequently issues after logging in through the zero-trust trusted terminal; the service thereby obtains the list of all applications the user is permitted to access, ensuring the timeliness and security of domain name resolution.
Since the device described in the embodiment of the present invention operates on the same principle as the method of the above embodiments, a more detailed explanation is not repeated here.
FIG. 5 is a schematic diagram of the physical structure of an electronic device provided in an embodiment of the present invention. As shown in FIG. 5, the present invention provides an electronic device including a processor 501, a memory 502 and a bus 503;
wherein the processor 501 and the memory 502 communicate with each other via the bus 503; and
the processor 501 is configured to call program instructions in the memory 502 to execute the method provided in the above method embodiments, for example: obtaining a domain name resolution request input by a user; performing a domain name query in a preset domain name application list according to the domain name resolution request, wherein the domain name application list contains the domain names corresponding to authorized applications; and, when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name and using the target IP address as the resolution result of the domain name resolution request.
An embodiment of the present invention provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to execute the method provided in the above method embodiments, for example: obtaining a domain name resolution request input by a user; performing a domain name query in a preset domain name application list according to the domain name resolution request, wherein the domain name application list contains the domain names corresponding to authorized applications; and, when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name and using the target IP address as the resolution result of the domain name resolution request.
The present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to execute the method provided in the above embodiments, the method including: obtaining a domain name resolution request input by a user; performing a domain name query in a preset domain name application list according to the domain name resolution request, wherein the domain name application list contains the domain names corresponding to authorized applications; and, when the domain name contained in the domain name resolution request exists in the domain name application list, determining the target IP address corresponding to the domain name and using the target IP address as the resolution result of the domain name resolution request.
A person of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solutions of the present invention, not to limit them. Although the present invention has been described in detail with reference to the foregoing embodiments, a person of ordinary skill in the art will understand that the technical solutions described in the foregoing embodiments can still be modified, or some of their technical features replaced by equivalents, without such modifications or replacements taking the essence of the corresponding technical solutions outside the spirit and scope of the technical solutions of the embodiments of the present invention.
Claims (6)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111364551.2A CN114285821B (en) | 2021-11-17 | 2021-11-17 | Domain name resolution method, device, electronic device, storage medium and product |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114285821A CN114285821A (en) | 2022-04-05 |
CN114285821B true CN114285821B (en) | 2024-08-02 |
Family
ID=80869362
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111364551.2A Active CN114285821B (en) | 2021-11-17 | 2021-11-17 | Domain name resolution method, device, electronic device, storage medium and product |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114285821B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115002072B (en) * | 2022-05-31 | 2024-06-14 | 郑州浪潮数据技术有限公司 | JMX-based data acquisition method, JMX-based data acquisition device and JMX-based data acquisition medium |
CN115174248B (en) * | 2022-07-18 | 2023-08-04 | 天翼云科技有限公司 | Method and device for controlling network access |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112600868A (en) * | 2020-11-10 | 2021-04-02 | 清华大学 | Domain name resolution method, domain name resolution device and electronic equipment |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102790807B (en) * | 2011-05-16 | 2016-05-25 | 北京奇虎科技有限公司 | Domain name resolution agent method and system, domain name resolution agent server |
CN106330849A (en) * | 2015-07-07 | 2017-01-11 | 安恒通(北京)科技有限公司 | Method and device for preventing domain name hijacking |
CN110086895A (en) * | 2019-04-11 | 2019-08-02 | 天津字节跳动科技有限公司 | Domain name analytic method, device, medium and electronic equipment |
CN110113447B (en) * | 2019-06-27 | 2022-02-18 | 网易(杭州)网络有限公司 | Domain name resolution method and device |
CN111010460A (en) * | 2019-12-16 | 2020-04-14 | 南京亚信智网科技有限公司 | Domain name resolution method and device |
CN111314472B (en) * | 2020-02-21 | 2022-03-11 | 聚好看科技股份有限公司 | Domain name resolution method, domain name resolution server and terminal equipment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
CB02 | Change of applicant information | | Country or region after: China. Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088. Applicant after: QAX Technology Group Inc.; Qianxin Wangshen information technology (Beijing) Co.,Ltd. Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088. Applicant before: QAX Technology Group Inc.; LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc. Country or region before: China |
GR01 | Patent grant | ||