CN118827135A - Domain name attack repair method, device, equipment, storage medium and product - Google Patents
- Publication number
- CN118827135A (application CN202410608420.1A)
- Authority
- CN
- China
- Prior art keywords
- domain name
- result
- authorization
- maintenance
- library
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic
  - H04L61/00—Network arrangements, protocols or services for addressing or naming > H04L61/09—Mapping addresses > H04L61/25—Mapping addresses of the same type > H04L61/2503—Translation of Internet protocol [IP] addresses
  - H04L61/00—Network arrangements, protocols or services for addressing or naming > H04L61/45—Network directories; Name-to-address mapping > H04L61/4505—using standardised directories; using standardised directory access protocols > H04L61/4511—using domain name system [DNS]
  - H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—for detecting or protecting against malicious traffic > H04L63/1408—by monitoring network traffic > H04L63/1425—Traffic logging, e.g. anomaly detection
  - H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols > H04L9/40—Network security protocols
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
The present application discloses a domain name attack repair method, device, equipment, storage medium and computer program product in the field of network security technology. The method includes: performing domain name resolution monitoring on a maintained domain name to obtain a monitoring result; judging the monitoring result against a preset domain name reference library and a trusted authorized address library to obtain a judgment result, where the domain name reference library holds the first Internet Protocol address corresponding to the maintained domain name and the trusted authorized address library holds the second Internet Protocol address corresponding to the authoritative server of the maintained domain name; and repairing the domain name attack according to the judgment result. With this solution, domain name resolution monitoring, anomaly judgment and attack repair are automated, so that an attacked domain name is repaired promptly, the security and stability of the domain name are ensured, and network security protection is improved.
Description
Technical Field
The present application relates to the field of network security technology, and in particular to a domain name attack repair method, device, equipment, storage medium and computer program product.
Background Art
DNS (Domain Name System) is the system that maps domain names to IP (Internet Protocol) addresses, forming an address book for the Internet. It is a basic Internet service and the basic entry point through which users reach websites.
However, the importance of DNS makes it a primary target for attackers. Traditional DNS queries and responses are transmitted in plain text, so they can be read or tampered with by the network, an ISP (Internet Service Provider) or anyone able to observe the transmission. This gives rise to attacks such as DNS hijacking, cache tampering and DNS spoofing, in which users visiting the attacked website are redirected to a fake site or exposed to malware, causing great losses to users and website operators alike. Traditionally such attacks are detected and repaired manually, but manual handling can be slow, unreliable and non-automated, making it hard to discover and respond to an attack in time and to safeguard the network.
In summary, how to repair an attacked domain name in a timely manner has become a technical problem that urgently needs to be solved in this field.
Summary of the Invention
The main purpose of the present application is to provide a domain name attack repair method, device, equipment, storage medium and product, aiming to repair an attacked domain name promptly so as to improve network security protection.
To achieve the above purpose, the present application provides a domain name attack repair method, comprising:
performing domain name resolution monitoring on a maintained domain name to obtain a monitoring result;
judging the monitoring result against a preset domain name reference library and a trusted authorized address library to obtain a judgment result, where the domain name reference library includes the first Internet Protocol address corresponding to the maintained domain name and the trusted authorized address library includes the second Internet Protocol address corresponding to the authoritative server of the maintained domain name;
repairing the domain name attack according to the judgment result.
Optionally, before the step of performing domain name resolution monitoring on the maintained domain name, the method further includes:
determining a list of maintained domain names to be maintained;
querying the resolution record of each maintained domain name in the list through a preset domain name system query tool;
storing the cached resolution result and the authoritative resolution result of each maintained domain name in the resolution record in the domain name reference library, as the first Internet Protocol address corresponding to that maintained domain name;
storing the second Internet Protocol address record corresponding to the authoritative server of each maintained domain name in the resolution record in the trusted authorized address library.
Optionally, the step of performing domain name resolution monitoring on the maintained domain name to obtain a monitoring result includes:
monitoring the cached resolution of the maintained domain name on the cache server to obtain the current cached resolution result corresponding to the maintained domain name;
monitoring the authoritative resolution of the maintained domain name on the authoritative server to obtain the current authoritative resolution result corresponding to the maintained domain name;
monitoring the Internet Protocol address of the authoritative server to obtain the current authoritative address corresponding to the maintained domain name;
taking the current cached resolution result, the current authoritative resolution result and the current authoritative address as the monitoring result of the domain name resolution monitoring.
Optionally, the step of judging the monitoring result against the preset domain name reference library and trusted authorized address library includes:
determining whether the current cached resolution result and the current authoritative resolution result are in the domain name reference library, and whether the current authoritative address is in the trusted authorized address library;
if both the current cached resolution result and the current authoritative resolution result are in the domain name reference library, determining that the judgment result for the maintained domain name is "resolution correct";
if the current cached resolution result is in the domain name reference library, the current authoritative resolution result is not in the domain name reference library, and the current authoritative address is in the trusted authorized address library, determining that the judgment result for the maintained domain name is a first domain name hijacking;
if the current cached resolution result is in the domain name reference library, the current authoritative resolution result is not in the domain name reference library, and the current authoritative address is not in the trusted authorized address library, determining that the judgment result for the maintained domain name is a second domain name hijacking;
if the current cached resolution result is not in the domain name reference library and the current authoritative resolution result is in the domain name reference library, determining that the judgment result for the maintained domain name is cache poisoning;
if neither the current cached resolution result nor the current authoritative resolution result is in the domain name reference library and the current authoritative address is in the trusted authorized address library, determining that the judgment result for the maintained domain name is a third domain name hijacking;
if neither the current cached resolution result nor the current authoritative resolution result is in the domain name reference library and the current authoritative address is not in the trusted authorized address library, determining that the judgment result for the maintained domain name is a fourth domain name hijacking.
Optionally, the step of repairing the domain name attack according to the judgment result includes:
if the judgment result is cache poisoning, performing a cache refresh operation on the cache server;
if the judgment result is the first, second, third or fourth domain name hijacking, performing a forced domain name system resolution operation.
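The following is an added worked example, not code from the application, of the three steps above: building the two libraries from resolution records, applying the six judgment rules to a monitoring result, and selecting the repair. The record layout, class names and the IP addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """The six judgment results named in the application."""
    CORRECT = "resolution correct"
    HIJACK_1 = "first domain name hijacking"
    HIJACK_2 = "second domain name hijacking"
    CACHE_POISONING = "cache poisoning"
    HIJACK_3 = "third domain name hijacking"
    HIJACK_4 = "fourth domain name hijacking"


@dataclass(frozen=True)
class Monitoring:
    """One monitoring result: the cache server's answer, the authoritative
    server's answer, and the address of the authoritative server that answered."""
    domain: str
    cache_result: str   # current cached resolution result
    auth_result: str    # current authoritative resolution result
    auth_address: str   # current authoritative address


@dataclass
class Baseline:
    """The two preset libraries (field names are assumptions, not the application's)."""
    reference: dict      # domain -> set of first IP addresses
    trusted_auth: dict   # domain -> set of second IP addresses


# Constructed resolution records standing in for the output of the preset
# DNS query tool; the addresses are documentation ranges, not real hosts.
SAMPLE_RECORDS = [
    {"domain": "example.com",
     "cache_results": {"192.0.2.10"},
     "auth_results": {"192.0.2.10", "192.0.2.11"},
     "auth_servers": {"192.0.2.53"}},
]


def build_baseline(records):
    """Fill the domain name reference library with the cached and authoritative
    results, and the trusted authorized address library with the authoritative
    server addresses, one entry per maintained domain."""
    base = Baseline(reference={}, trusted_auth={})
    for rec in records:
        ref = base.reference.setdefault(rec["domain"], set())
        ref.update(rec["cache_results"])
        ref.update(rec["auth_results"])
        base.trusted_auth.setdefault(rec["domain"], set()).update(rec["auth_servers"])
    return base


def judge(base, m):
    """Apply the six rules. Three membership tests decide everything: cache_ok
    and auth_ok against the reference library, addr_ok against the trusted
    authorized address library. All eight combinations are covered."""
    ref = base.reference.get(m.domain, set())
    trusted = base.trusted_auth.get(m.domain, set())
    cache_ok = m.cache_result in ref
    auth_ok = m.auth_result in ref
    addr_ok = m.auth_address in trusted
    if cache_ok and auth_ok:
        return Verdict.CORRECT          # rule 1: the address is not consulted
    if cache_ok:                        # cache fine, authoritative answer drifted
        return Verdict.HIJACK_1 if addr_ok else Verdict.HIJACK_2
    if auth_ok:                         # only the cache answer is off-baseline
        return Verdict.CACHE_POISONING  # rule 4: the address is not consulted
    return Verdict.HIJACK_3 if addr_ok else Verdict.HIJACK_4


def repair_action(verdict):
    """Repair step selected from the judgment result; None when nothing is needed."""
    if verdict is Verdict.CORRECT:
        return None
    if verdict is Verdict.CACHE_POISONING:
        return "cache refresh on the cache server"
    return "forced DNS resolution"


def assess(base, m):
    """Judge one monitoring result and pair it with the repair to perform."""
    v = judge(base, m)
    return v, repair_action(v)


if __name__ == "__main__":
    base = build_baseline(SAMPLE_RECORDS)
    # Constructed monitoring results, one per rule, in the order of the text.
    samples = [
        Monitoring("example.com", "192.0.2.10", "192.0.2.11", "192.0.2.53"),
        Monitoring("example.com", "192.0.2.10", "198.51.100.7", "192.0.2.53"),
        Monitoring("example.com", "192.0.2.10", "198.51.100.7", "203.0.113.9"),
        Monitoring("example.com", "198.51.100.7", "192.0.2.10", "192.0.2.53"),
        Monitoring("example.com", "198.51.100.7", "198.51.100.7", "192.0.2.53"),
        Monitoring("example.com", "198.51.100.7", "198.51.100.7", "203.0.113.9"),
    ]
    for m in samples:
        verdict, action = assess(base, m)
        print(f"{m.cache_result:14} {m.auth_result:14} {m.auth_address:12} "
              f"-> {verdict.value}; repair: {action}")
```

A domain absent from both libraries fails every membership test and lands on the fourth hijacking rule, so the list of maintained domain names must be populated before monitoring starts.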
Optionally, the monitoring result includes a time-to-live hop count, and after the step of repairing the domain name attack according to the judgment result, the method further includes:
calculating the hop count difference between the time-to-live hop count and a reference time-to-live hop count;
determining the hijacking device according to the hop count difference.
In addition, to achieve the above purpose, the present application also provides a domain name attack repair device, comprising:
a monitoring module, configured to perform domain name resolution monitoring on a maintained domain name to obtain a monitoring result;
a judgment module, configured to judge the monitoring result against a preset domain name reference library and a trusted authorized address library to obtain a judgment result, where the domain name reference library includes the first Internet Protocol address corresponding to the maintained domain name and the trusted authorized address library includes the second Internet Protocol address corresponding to the authoritative server of the maintained domain name;
a repair module, configured to repair the domain name attack according to the judgment result.
In addition, to achieve the above purpose, the present application also provides a terminal device comprising a memory, a processor, and a domain name attack repair program stored in the memory and executable on the processor; when executed by the processor, the program implements the steps of the domain name attack repair method described above.
In addition, to achieve the above purpose, the present application also proposes a storage medium, which is a computer-readable storage medium storing a domain name attack repair program; when executed by a processor, the program implements the steps of the domain name attack repair method described above.
In addition, to achieve the above purpose, the present application also provides a computer program product comprising a domain name attack repair program; when executed by a processor, the program implements the steps of the domain name attack repair method described above.
The embodiments of the present application propose a domain name attack repair method, device, equipment, storage medium and computer program product. The method includes: performing domain name resolution monitoring on a maintained domain name to obtain a monitoring result; judging the monitoring result against a preset domain name reference library and a trusted authorized address library to obtain a judgment result, where the domain name reference library includes the first Internet Protocol address corresponding to the maintained domain name and the trusted authorized address library includes the second Internet Protocol address corresponding to the authoritative server of the maintained domain name; and repairing the domain name attack according to the judgment result.
Compared with traditional domain name attack repair methods, the present application first monitors the resolution of the maintained domain name, which gives a real-time view of its resolution state and helps to discover promptly whether the domain name is at risk. It then judges the monitoring result against the preset domain name reference library (holding the first Internet Protocol address of the maintained domain name) and the trusted authorized address library (holding the second Internet Protocol address of its authoritative server). Because the judgment is driven by the two libraries, no manual one-by-one comparison and verification is needed, which raises detection efficiency and reduces the chance of false positives and misses. Finally, the domain name attack is repaired according to the judgment result. Automating monitoring, anomaly judgment and repair in this way allows an attacked domain name to be repaired promptly, ensures the security and stability of the domain name, and improves network security protection.
Brief Description of the Drawings
FIG. 1 is a schematic diagram of the device structure of the hardware operating environment of the terminal device involved in an embodiment of the present application;
FIG. 2 is a schematic diagram of cache poisoning involved in an embodiment of the domain name attack repair method of the present application;
FIG. 3 is a flow chart of a first embodiment of the domain name attack repair method of the present application;
FIG. 4 is a flow chart of the business judgment involved in an embodiment of the domain name attack repair method of the present application;
FIG. 5 is a flow chart of the instruction processing involved in an embodiment of the domain name attack repair method of the present application;
FIG. 6 is a schematic diagram of the functional modules of the processing center involved in an embodiment of the domain name attack repair method of the present application;
FIG. 7 is a schematic diagram of the functional modules of an embodiment of the domain name attack repair device of the present application.
The realization of the purpose, the functional features and the advantages of the present application will be further explained with reference to the embodiments and the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described here are only intended to explain the present application and are not intended to limit it.
The technical solutions in the embodiments of the present application will be described clearly and completely below with reference to the drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present application. All other embodiments obtained by a person of ordinary skill in the art from these embodiments without creative effort fall within the scope of protection of the present application.
It should be noted that all directional indications in the embodiments of the present application (such as up, down, left, right, front, back, etc.) are only used to explain the relative positions and movement of the components in a particular posture (as shown in the drawings); if that posture changes, the directional indication changes accordingly.
In the present application, unless otherwise expressly specified and limited, terms such as "connected" and "fixed" are to be understood broadly. For example, "fixed" may mean a fixed connection, a detachable connection or an integral connection; a mechanical or an electrical connection; a direct connection or an indirect connection through an intermediate medium; an internal connection between two elements or an interaction between two elements, unless otherwise expressly limited. A person of ordinary skill in the art can understand the specific meaning of these terms in the present application according to the specific circumstances.
In addition, descriptions such as "first" and "second" in the present application are used for descriptive purposes only and are not to be understood as indicating or implying relative importance or implicitly indicating the number of the technical features referred to. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In addition, the technical solutions of the various embodiments may be combined with one another, provided that a person of ordinary skill in the art is able to implement the combination; when a combination of technical solutions is contradictory or cannot be implemented, the combination is deemed not to exist and falls outside the scope of protection claimed by the present application.
An embodiment of the present application provides a terminal device.
As shown in FIG. 1, FIG. 1 is a schematic diagram of the device structure of the hardware operating environment of the terminal device involved in the embodiment of the present application.
In this embodiment, the terminal device may be an intelligent terminal such as a server or a PC.
As shown in FIG. 1, in its hardware operating environment the terminal device may include a processor 1001 (for example a CPU), a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 provides the connection and communication between these components. The user interface 1003 may include a display and an input unit such as a keyboard, and optionally a standard wired or wireless interface. The network interface 1004 may optionally include a standard wired or wireless interface (such as a Wi-Fi interface). The memory 1005 may be high-speed RAM or stable non-volatile memory such as disk storage; it may also be a storage device independent of the processor 1001.
Those skilled in the art will understand that the terminal device structure shown in FIG. 1 does not limit the device, which may include more or fewer components than shown, combine certain components, or arrange the components differently.
As shown in FIG. 1, the memory 1005, as a computer storage medium, may include an operating system, a network communication module, a user interface module and a domain name attack repair program.
In the device shown in FIG. 1, the network interface 1004 is mainly used to connect to and exchange data with a backend server; the user interface 1003 is mainly used to connect to and exchange data with a client; and the processor 1001 may be used to call the domain name attack repair program stored in the memory 1005 and perform the following operations:
performing domain name resolution monitoring on a maintained domain name to obtain a monitoring result;
judging the monitoring result against a preset domain name reference library and a trusted authorized address library to obtain a judgment result, where the domain name reference library includes the first Internet Protocol address corresponding to the maintained domain name and the trusted authorized address library includes the second Internet Protocol address corresponding to the authoritative server of the maintained domain name;
repairing the domain name attack according to the judgment result.
Optionally, the processor 1001 may also call the domain name attack repair program stored in the memory 1005 and perform the following operations:
determining a list of maintained domain names to be maintained;
querying the resolution record of each maintained domain name in the list through a preset domain name system query tool;
storing the cached resolution result and the authoritative resolution result of each maintained domain name in the resolution record in the domain name reference library, as the first Internet Protocol address corresponding to that maintained domain name;
storing the second Internet Protocol address record corresponding to the authoritative server of each maintained domain name in the resolution record in the trusted authorized address library.
Optionally, the processor 1001 may also call the domain name attack repair program stored in the memory 1005 and perform the following operations:
monitoring the cached resolution of the maintained domain name on the cache server to obtain the current cached resolution result corresponding to the maintained domain name;
monitoring the authoritative resolution of the maintained domain name on the authoritative server to obtain the current authoritative resolution result corresponding to the maintained domain name;
monitoring the Internet Protocol address of the authoritative server to obtain the current authoritative address corresponding to the maintained domain name;
taking the current cached resolution result, the current authoritative resolution result and the current authoritative address as the monitoring result of the domain name resolution monitoring.
Optionally, the processor 1001 may also call the domain name attack repair program stored in the memory 1005 and perform the following operations:
determining whether the current cached resolution result and the current authoritative resolution result are in the domain name reference library, and whether the current authoritative address is in the trusted authorized address library;
if both the current cached resolution result and the current authoritative resolution result are in the domain name reference library, determining that the judgment result for the maintained domain name is "resolution correct";
if the current cached resolution result is in the domain name reference library, the current authoritative resolution result is not in the domain name reference library, and the current authoritative address is in the trusted authorized address library, determining that the judgment result for the maintained domain name is a first domain name hijacking;
若所述当前缓存解析结果在所述域名基准库内、所述当前授权结果不在所述域名基准库内且所述当前授权地址不在所述信任授权地址库内,则确定针对所述维护域名的判定结果为第二域名劫持;If the current cache resolution result is in the domain name reference library, the current authorization result is not in the domain name reference library, and the current authorization address is not in the trusted authorization address library, then determining that the determination result for the maintenance domain name is second domain name hijacking;
若所述当前缓存解析结果不在所述域名基准库内且所述当前授权结果在所述域名基准库内,则确定针对所述维护域名的判定结果为缓存投毒;If the current cache resolution result is not in the domain name reference library and the current authorization result is in the domain name reference library, determining that the determination result for the maintenance domain name is cache poisoning;
若所述当前缓存解析结果不在所述域名基准库内、所述当前授权结果不在所述域名基准库内且所述当前授权地址在所述信任授权地址库内,则确定针对所述维护域名的判定结果为第三域名劫持;If the current cache resolution result is not in the domain name reference library, the current authorization result is not in the domain name reference library, and the current authorization address is in the trusted authorization address library, then determining that the determination result for the maintenance domain name is a third domain name hijacking;
若所述当前缓存解析结果不在所述域名基准库内、所述当前授权结果不在所述域名基准库内且所述当前授权地址不在所述信任授权地址库内,则确定针对所述维护域名的判定结果为第四域名劫持。If the current cache resolution result is not in the domain name reference library, the current authorization result is not in the domain name reference library, and the current authorization address is not in the trusted authorization address library, then the determination result for the maintenance domain name is determined to be the fourth domain name hijacking.
可选地,处理器1001还可以用于调用存储器1005中存储的域名攻击修复程序,并执行以下操作:Optionally, the processor 1001 may also be configured to call a domain name attack repair program stored in the memory 1005, and perform the following operations:
若所述判定结果为所述缓存投毒,则对所述缓存服务器进行缓存刷新操作;If the determination result is that the cache is poisoned, performing a cache refresh operation on the cache server;
若所述判定结果为所述第一域名劫持、所述第二域名劫持、所述第三域名劫持或者所述第四域名劫持,则进行域名系统强制解析操作。If the determination result is the first domain name hijacking, the second domain name hijacking, the third domain name hijacking or the fourth domain name hijacking, a domain name system forced resolution operation is performed.
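The six-way determination table and the repair choice above, as an added Python example; this is illustration code written for this page, not the patent's program. Its one interpretive assumption, which the text does not state, is what "in the library" means for a multi-address result: here a result counts as in the library only when it is non-empty and every observed address belongs to the library entry for that domain name. The library contents and the scenario addresses are constructed (RFC 5737 documentation ranges).

```python
"""Resolution determination and repair selection for one maintained domain name.

Added example, not the patent's own code. Assumed semantics (not stated in
the text): a result is "in" a library when it is non-empty and every observed
address belongs to the library's set for that domain name.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    RESOLUTION_CORRECT = "resolution correct"
    CACHE_POISONING = "cache poisoning"
    HIJACK_1 = "first domain name hijacking"    # cache ok, auth drifted, NS address trusted
    HIJACK_2 = "second domain name hijacking"   # cache ok, auth drifted, NS address untrusted
    HIJACK_3 = "third domain name hijacking"    # cache and auth drifted, NS address trusted
    HIJACK_4 = "fourth domain name hijacking"   # cache and auth drifted, NS address untrusted


class Repair(Enum):
    NONE = "no repair needed"
    CACHE_REFRESH = "cache refresh on the cache server"
    FORCED_RESOLUTION = "forced DNS resolution"


@dataclass(frozen=True)
class MonitoringResult:
    """The three observations the monitoring step collects for one domain name."""
    domain: str
    cached: frozenset[str]         # current cached resolution result
    authoritative: frozenset[str]  # current authoritative resolution result
    auth_address: frozenset[str]   # current address(es) of the authoritative server


def _within(observed: frozenset[str], allowed: set[str]) -> bool:
    # Assumption: non-empty, and no observed address falls outside the library entry.
    return bool(observed) and observed <= allowed


def determine(m: MonitoringResult, reference: dict[str, set[str]],
              trusted: dict[str, set[str]]) -> Verdict:
    """Apply the determination table to one monitoring result."""
    ref = reference.get(m.domain, set())
    trust = trusted.get(m.domain, set())
    cache_ok = _within(m.cached, ref)
    auth_ok = _within(m.authoritative, ref)
    addr_ok = _within(m.auth_address, trust)

    if cache_ok and auth_ok:
        return Verdict.RESOLUTION_CORRECT
    if cache_ok and not auth_ok:
        return Verdict.HIJACK_1 if addr_ok else Verdict.HIJACK_2
    if not cache_ok and auth_ok:
        return Verdict.CACHE_POISONING
    return Verdict.HIJACK_3 if addr_ok else Verdict.HIJACK_4


def repair_for(v: Verdict) -> Repair:
    """Map a verdict to the repair operation the text prescribes."""
    if v is Verdict.RESOLUTION_CORRECT:
        return Repair.NONE
    if v is Verdict.CACHE_POISONING:
        return Repair.CACHE_REFRESH
    return Repair.FORCED_RESOLUTION


# Constructed libraries for one maintained domain name.
REFERENCE = {"www.ceshi.com": {"203.0.113.10", "203.0.113.11"}}  # first IP addresses
TRUSTED = {"www.ceshi.com": {"198.51.100.1", "198.51.100.2"}}    # second IP addresses


def check(domain: str, cached, authoritative, auth_address) -> tuple[Verdict, Repair]:
    """Run determination and repair selection for one set of observations."""
    m = MonitoringResult(domain, frozenset(cached), frozenset(authoritative),
                         frozenset(auth_address))
    v = determine(m, REFERENCE, TRUSTED)
    return v, repair_for(v)


if __name__ == "__main__":
    # Cache still serves a baseline address, the authoritative answer has drifted,
    # and the name server address is still the trusted one.
    print(check("www.ceshi.com", {"203.0.113.10"}, {"192.0.2.99"}, {"198.51.100.1"}))
```

One consequence of the subset rule worth knowing before deploying it: a domain name that is missing from both libraries fails every check and lands on the fourth hijacking verdict, so a list entry that was never baselined is surfaced loudly rather than silently passed.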
Optionally, the monitoring result includes a lifetime (TTL) hop count, and the processor 1001 may also be used to call the domain name attack repair program stored in the memory 1005 and perform the following operations:
calculating the hop count difference between the lifetime hop count and a reference lifetime hop count;
determining the hijacking device according to the hop count difference.
Based on the above hardware structure, the overall concept of the embodiments of the domain name attack repair method of the present application is presented.
In the embodiments of the present application, for important websites such as those of government, news media and online retail, illegal hijacking or cache poisoning of the domain name system during a particularly important meeting can, if not handled promptly, have very serious political, economic and social consequences. Traditional solutions have the following problems. First, they only protect whether a domain name is available or not: they cannot predict domain name hijacking and cannot automatically perform operations such as cache refresh and forced domain name resolution, so processing efficiency is low and in most cases handling cannot be completed within 5 minutes. Second, there is no strict standard for judging security problems, so manual misjudgment is likely.
As for protocol-level prevention, the current DNSSEC protocol (Domain Name System Security Extensions, a DNS security authentication mechanism) only provides authenticity and integrity verification; it cannot ensure the confidentiality of DNS traffic and cannot prevent DNS hijacking. HTTPDNS (a protocol extension that enhances domain name system security) is commonly used only on the link from the user client to the SP (Service Provider). DNS over TLS (DoT, DNS carried over the Transport Layer Security protocol) achieves confidentiality and integrity, but is inefficient when implemented on the authoritative side. Therefore, the traditional DNS side currently has no preventive capability: all existing methods are after-the-fact feature analysis of collected log messages, and there are no automated repair means. As a result, users visiting an attacked website are redirected to a fake website or exposed to malware, causing huge losses to both users and websites. For this kind of attack, traditional handling requires manual detection and repair, but manual handling may be untimely, unreliable and non-automatic, making it difficult to discover and respond to attacks in time and to safeguard network security.
In summary, how to promptly repair an attacked domain name has become a technical problem urgently needing a solution in this field.
To address the above problems, an embodiment of the present application proposes a domain name attack repair method, which includes: performing domain name resolution monitoring on a maintained domain name to obtain a monitoring result; performing resolution determination on the monitoring result based on a preset domain name reference library and a trusted authoritative address library to obtain a determination result, wherein the domain name reference library includes a first Internet Protocol address corresponding to the maintained domain name, and the trusted authoritative address library includes a second Internet Protocol address corresponding to the authoritative server of the maintained domain name; and performing domain name attack repair according to the determination result.
Compared with traditional domain name attack repair methods, the embodiment of the present application first performs domain name resolution monitoring on the maintained domain name to obtain its monitoring result, so that the resolution state of the maintained domain name is known in real time and any security risk to it can be discovered promptly. Then, the monitored resolution result is evaluated against the preset domain name reference library and trusted authoritative address library to obtain a determination result, wherein the domain name reference library includes the first Internet Protocol address corresponding to the maintained domain name and the trusted authoritative address library includes the second Internet Protocol address corresponding to the authoritative server of the maintained domain name; the determination is thus automated by the two libraries, without manual one-by-one comparison and verification, which improves network detection efficiency and reduces the likelihood of false positives and misses. Finally, domain name attack repair is performed on the maintained domain name according to the determination result. By automating resolution monitoring, anomaly determination and attack repair in this way, an attacked domain name is repaired in time, the security and stability of the domain name are ensured, and network security assurance is improved.
Based on the above overall concept of the domain name attack repair method of the present application, the embodiments of the domain name attack repair method of the present application are presented.
Before describing the domain name attack repair method of the present application, this embodiment first introduces three common DNS attack types: DNS hijacking, cache poisoning and domain name registration attack.
DNS hijacking is the situation in which an attacker eavesdrops on the domain name resolution session between a normal user and a domain name cache server, or between a recursive server and an authoritative server, constructs a response packet with a modified IP address based on the session contents, and returns it to the user before the legitimate response arrives. Typically, under a link-mirroring hijack, a packet capture will show two response packets for the same queried domain name.
The normal flow for a user to access a website by entering a domain name is as follows: the client visits WWW.CESHI.COM (a website domain name); if the DNS cache server and the recursive server have no result, resolution starts from the root and proceeds recursively level by level to find the authoritative server for CESHI.COM, then obtains the corresponding A record (a DNS record resolving the domain name to an IPv4 address) or AAAA record (a DNS record resolving the domain name to an IPv6 address) for the domain name and returns it to the client.
Because DNS uses UDP (User Datagram Protocol) messages transmitted in plain text, an illegitimate party can construct response packets on an intermediate link by means of a firewall, a fake authoritative server or other devices and return a wrong A record to the client, or can attack the authoritative server and change the relevant domain name records; in the end the DNS cache/recursive server receives the wrong recursive result and returns it to the client. Domain name hijacking can occur on any of these links.
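The "two responses for one query" signature mentioned above is something a defender can check for mechanically. The following added Python example (written for this page, not part of the patent) flags query transactions in a DNS response log that received more than one response with differing answers. The one-line-per-response log format and the log lines themselves are constructed for the example and are not any real tool's output; the addresses are from documentation ranges.

```python
"""Flag DNS transactions that received two differing responses (the
link-mirroring hijack signature) in a response log.

Added example, not from the patent. Log format (an assumption for this
example): "<epoch.ms> <src> -> <dst> txid=<hex> <qname> <qtype> <a1,a2,...>"
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

LINE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) "
    r"txid=(?P<txid>0x[0-9a-fA-F]+) (?P<qname>\S+) (?P<qtype>[A-Z]+) (?P<answers>\S+)$"
)


@dataclass(frozen=True)
class Response:
    ts: float
    src: str
    dst: str            # the resolver/client that asked
    txid: int           # DNS transaction ID
    qname: str
    qtype: str
    answers: frozenset[str]


def parse_line(line: str) -> Response | None:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    return Response(float(m["ts"]), m["src"], m["dst"], int(m["txid"], 16),
                    m["qname"].rstrip(".").lower(), m["qtype"],
                    frozenset(m["answers"].split(",")))


def find_duplicate_responses(lines) -> dict[tuple, list[Response]]:
    """Group responses by (dst, txid, qname, qtype) and return the groups that
    contain more than one response with more than one distinct answer set.
    A plain retransmission (identical answers) is not reported."""
    groups: dict[tuple, list[Response]] = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is not None:
            groups[(r.dst, r.txid, r.qname, r.qtype)].append(r)
    flagged = {}
    for key, rs in groups.items():
        if len(rs) > 1 and len({r.answers for r in rs}) > 1:
            flagged[key] = sorted(rs, key=lambda r: r.ts)
    return flagged


def accepted_answers(group: list[Response]) -> frozenset[str]:
    """Under DNS's first-response-wins rule, the earliest response is the one
    the resolver would have accepted; later ones are discarded."""
    return min(group, key=lambda r: r.ts).answers


# Constructed sample log: one hijacked transaction (0x1a2b), one normal
# transaction (0x1a2c), and one harmless retransmission (0x1a2d).
LOG = """\
1712000000.001 198.51.100.1 -> 192.0.2.53 txid=0x1a2b www.ceshi.com A 192.0.2.99
1712000000.002 198.51.100.1 -> 192.0.2.53 txid=0x1a2b www.ceshi.com A 203.0.113.10
1712000000.050 198.51.100.1 -> 192.0.2.53 txid=0x1a2c www.ceshi.com A 203.0.113.10
1712000000.900 198.51.100.2 -> 192.0.2.53 txid=0x1a2d mail.ceshi.com A 203.0.113.20
1712000000.901 198.51.100.2 -> 192.0.2.53 txid=0x1a2d mail.ceshi.com A 203.0.113.20
""".splitlines()


if __name__ == "__main__":
    for key, group in find_duplicate_responses(LOG).items():
        print(key, "accepted:", sorted(accepted_answers(group)),
              "all seen:", [sorted(r.answers) for r in group])
```

The grouping key deliberately includes the destination and transaction ID rather than the source address, because a forged response carries the same spoofed source as the genuine one; what distinguishes the two is only that they answer the same transaction differently.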
A cache poisoning attack is also called domain name server cache pollution or domain name server snapshot corruption. DNS currently transmits query and response packets over UDP and uses a simple trust mechanism: for the first response packet received, it only checks that the packet matches the sending IP address and port of the original query packet and its random query ID (identifier), and performs no analysis of the packet's legitimacy. If these match, the packet is accepted as the correct response, the DNS resolution process continues, and all subsequently arriving response packets are discarded. Thus an illegitimate party can impersonate the authoritative server and send forged response packets to the cache server, completing the response first so as to pollute the DNS cache, as long as the forged packet matches the IP address, port and random query TID (Task Identifier) of the original query.
The cache poisoning attack flow is shown in FIG. 2: ① the attacker controls host A to send a domain name query for WWW.CESHI.COM to the cache server and the authoritative server; ② the attacker simultaneously controls multiple compromised hosts (B and others) to send forged reply messages for that domain name query onto CMNET (China Mobile Network); these messages contain key information such as the wrong IP address supplied by the attacker, a randomly generated TID and a port number. When the TID of a forged message equals the query TID randomly generated for the request, the attack succeeds: the cache server adds the query result to its cache and enters the "cache poisoning" state.
Domain name registration attacks take two main forms: one is to attack the domain name server directly to obtain username and password information and, after entering the system, modify the target of the corresponding A record; the other is to impersonate the original domain name administrator and crack the password of the E-MAIL account that controls the domain name, then use the MAKE CHANGES function (a function that allows domain name owners or administrators to modify the settings or information of their domain names) by E-MAIL to modify the company's registered domain name records or transfer the domain name to another organization.
It should be noted that, in this embodiment, DNS hijacking and domain name registration attacks are both specific types of domain name hijacking.
Please refer to FIG. 3, which is a flowchart of the first embodiment of the domain name attack repair method of the present application. It should be noted that although a logical order is shown in the flowchart, in some cases the steps shown or described may be performed in an order different from the one given here.
In this embodiment, for ease of understanding and description, the DNS important domain name recovery processing center (hereinafter the processing center) is taken as the direct executing entity in describing the domain name attack repair method of the present application.
As shown in FIG. 3, in this embodiment, the domain name attack repair method of the present application may include:
Step S10: performing domain name resolution monitoring on a maintained domain name to obtain a monitoring result.
It should be noted that, in this embodiment, a maintained domain name is the domain name of a key website that needs to be maintained. For example, during a major conference, important websites such as those of government, news media and online retail all need to be maintained, and their respective domain names are the maintained domain names.
In this embodiment, the processing center sets up a dedicated monitoring system or tool to ensure that data on the resolution of the maintained domain names is collected accurately and in real time. Following the monitoring frequency and policy set in advance by the user, the processing center monitors the resolution of the maintained domain names in real time. The resulting monitoring result may include indicators such as the resolved IP address of the domain name and DNS server information, so that the relevant personnel can quickly understand the current state of domain name resolution, discover and handle potential problems in time, and provide a strong guarantee for the normal operation of the Internet.
Further, in a feasible embodiment, before step S10, the domain name attack repair method of the present application may further include:
Step S40: determining a list of maintained domain names to be maintained.
In this embodiment, the processing center collects the maintained domain names to be maintained from sources such as business departments, system configurations or databases, and organizes them into a clear list of maintained domain names; the list may also annotate each maintained domain name with its category, importance level and other related information.
Step S50: querying the resolution record of each maintained domain name in the list through a preset domain name system query tool.
In this embodiment, the processing center selects a suitable domain name system query tool, such as nslookup or dig, according to actual needs, and sets the tool's parameters, such as the query type (A record, NS record, etc.) and whether the query is recursive or non-recursive. After the parameters are set, a query is executed for each domain name in the list to obtain its resolution record, which includes the cached resolution result, the authoritative resolution result, the IP address of the authoritative server, and so on.
Step S60: storing the cached resolution result and the authoritative resolution result of each maintained domain name in the resolution record in the domain name reference library as the first Internet Protocol address corresponding to that maintained domain name.
In this embodiment, the processing center separates the cached resolution result and the authoritative resolution result in the resolution record, determines the reference IP address of the maintained domain name from them, and stores it in the domain name reference library as the first Internet Protocol address of the maintained domain name, so that subsequently observed monitoring results for the maintained domain name can be compared with the first Internet Protocol address in the library.
Step S70: storing the second Internet Protocol address record corresponding to the authoritative server of each maintained domain name in the resolution record in the trusted authoritative address library.
In this embodiment, the processing center separates out the IP address record (that is, the second Internet Protocol address) of the authoritative server of each maintained domain name in the resolution record and stores it in the trusted authoritative address library, so that subsequently observed monitoring results for the maintained domain name can be compared with the second Internet Protocol address in the library.
Thus, in this embodiment, by determining the list of domain names to be maintained, obtaining their resolution records through a domain name system query tool, and building a complete domain name reference library and trusted authoritative address library, the processing center can accurately and efficiently provide reliable data support for subsequent domain name resolution monitoring and determination.
For example, in a feasible embodiment, taking dig as the domain name system query tool, the processing center can obtain the local cached resolution result with the command DIG @<cache server> <domain name> A; obtain the authoritative server's resolution result for the domain name with the command DIG @<authoritative server> <domain name> A; and obtain the IP address of the authoritative server with the command DIG @<authoritative server> <domain name> NS. Using these commands, the processing center performs authoritative probe queries on the maintained domain names in turn, obtains the resolved IP records of each maintained domain name in the list to form the domain name reference library, and forms the trusted authoritative address library by looking up the IP addresses of the DNS servers named in the NS records.
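Steps S40 to S70 with the three dig commands above, carried through as an added Python example (written for this page; it is not the patent's program and does not run dig). The three dig outputs are constructed samples standing in for the cache-server A query, the authoritative-server A query and the NS query; the parser reads dig's ANSWER and ADDITIONAL sections only, and the name-server addresses are assumed to be present as glue in the ADDITIONAL section of the NS answer (if they are not, a follow-up A/AAAA lookup of each NS name, as the text describes, would be needed and is left to the caller).

```python
"""Build the domain name reference library (first IP addresses) and the trusted
authoritative address library (second IP addresses) from dig output.

Added example, not the patent's own code. CACHE_DIG, AUTH_DIG and NS_DIG are
constructed dig outputs using RFC 5737 documentation addresses.
"""
from __future__ import annotations

import re

# One resource record as dig prints it: <owner> <ttl> IN <type> <rdata>
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(output: str) -> dict[str, list[tuple[str, int, str, str]]]:
    """Return the records of the ANSWER/AUTHORITY/ADDITIONAL sections by name.
    Owner names and rdata are lower-cased with the trailing dot removed."""
    sections: dict[str, list] = {"ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(";; ") and line.endswith(" SECTION:"):
            current = line[3:-len(" SECTION:")]      # e.g. "ANSWER"
            continue
        if not line or line.startswith(";") or current not in sections:
            continue                                 # comments, QUESTION section, blanks
        m = RR_LINE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            sections[current].append((owner.rstrip(".").lower(), int(ttl),
                                      rtype, rdata.strip().rstrip(".").lower()))
    return sections


def _addresses(records, owner: str) -> set[str]:
    return {rdata for (o, _ttl, rtype, rdata) in records
            if o == owner and rtype in ("A", "AAAA")}


def build_libraries(domain: str, cache_dig: str, auth_dig: str,
                    ns_dig: str) -> tuple[set[str], set[str]]:
    """Return (first_ips, second_ips) for one maintained domain name.
    first_ips : union of the cached and authoritative A/AAAA answers (S60)
    second_ips: addresses of the servers named in the NS answer (S70)"""
    name = domain.rstrip(".").lower()
    first = (_addresses(parse_dig(cache_dig)["ANSWER"], name)
             | _addresses(parse_dig(auth_dig)["ANSWER"], name))
    ns = parse_dig(ns_dig)
    ns_names = {rdata for (_o, _t, rtype, rdata) in ns["ANSWER"] if rtype == "NS"}
    second: set[str] = set()
    for ns_name in ns_names:                         # glue records, if dig returned them
        second |= _addresses(ns["ADDITIONAL"], ns_name)
    return first, second


# Constructed outputs of the three commands for WWW.CESHI.COM.
CACHE_DIG = """\
; <<>> DiG 9.18.24 <<>> @192.0.2.53 www.ceshi.com A
;; QUESTION SECTION:
;www.ceshi.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.ceshi.com.\t\t87\tIN\tA\t203.0.113.10
www.ceshi.com.\t\t87\tIN\tA\t203.0.113.11
"""
AUTH_DIG = """\
;; ANSWER SECTION:
www.ceshi.com.\t\t300\tIN\tA\t203.0.113.11
www.ceshi.com.\t\t300\tIN\tA\t203.0.113.12
"""
NS_DIG = """\
;; ANSWER SECTION:
ceshi.com.\t\t3600\tIN\tNS\tns1.ceshi.com.
ceshi.com.\t\t3600\tIN\tNS\tns2.ceshi.com.

;; ADDITIONAL SECTION:
ns1.ceshi.com.\t\t3600\tIN\tA\t198.51.100.1
ns2.ceshi.com.\t\t3600\tIN\tA\t198.51.100.2
"""

if __name__ == "__main__":
    reference, trusted = {}, {}
    reference["www.ceshi.com"], trusted["www.ceshi.com"] = build_libraries(
        "www.ceshi.com", CACHE_DIG, AUTH_DIG, NS_DIG)
    print(reference, trusted)
```

Taking the union of the cached and authoritative answers for the first addresses matters in practice: a domain name that round-robins over several addresses will show only a subset in any single query, and a baseline built from one query would later flag legitimate answers as drift.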
步骤S20:基于预设的域名基准库和信任授权地址库对监测结果进行解析判定,得到判定结果,其中,域名基准库中包括维护域名对应的第一互联网协议地址,信任授权地址库包括维护域名的授权服务器对应的第二互联网协议地址。Step S20: Analyze and determine the monitoring results based on the preset domain name reference library and the trusted authorized address library to obtain a determination result, wherein the domain name reference library includes a first Internet Protocol address corresponding to the maintenance domain name, and the trusted authorized address library includes a second Internet Protocol address corresponding to the authorization server of the maintenance domain name.
在本实施例,处理中心预先构建的域名基准库中包括维护域名列表中各个维护域名各自对应的基准IP地址,基准IP地址即第一互联网协议地址,信任授权地址库中包括维护域名列表中各个维护域名的授权服务器对应的授权IP地址,即第二互联网协议地址,处理中心在实时监测到维护域名的域名解析记录后,根据域名基准库和信任授权地址库对监测结果进行判定,得到判定结果,判定结果可以为解析正确、缓存投毒或是域名劫持等,在实际的应用场景中,判定结果还可以包括更多情况,本实施例中对此不作具体限定。In this embodiment, the domain name reference library pre-constructed by the processing center includes the reference IP address corresponding to each maintenance domain name in the maintenance domain name list, the reference IP address is the first Internet Protocol address, and the trusted authorization address library includes the authorized IP address corresponding to the authorization server of each maintenance domain name in the maintenance domain name list, that is, the second Internet Protocol address. After the processing center monitors the domain name resolution record of the maintenance domain name in real time, it judges the monitoring result according to the domain name reference library and the trusted authorization address library to obtain a judgment result. The judgment result may be correct resolution, cache poisoning or domain name hijacking, etc. In actual application scenarios, the judgment result may also include more situations, which are not specifically limited in this embodiment.
步骤S30:根据判定结果进行域名攻击修复。Step S30: Repair the domain name attack according to the determination result.
在本实施例中,处理中心根据判定结果来进行针对性的域名攻击修复,示例性地,处理中心监测维护域名的缓存结果,与域名基准库进行比较,如果缓存结果不在域名基准库的包含范围之内,则说明存在缓存投毒或者域名劫持;然后,进一步拨测授权服务器域名解析,若授权服务器域名解析所有落点均在域名基准库内,则说明存在缓存投毒攻击,缓存结果被污染,处理中心需进行缓存刷新操作;如果授权服务器域名解析落点不在域名基准库内,说明中间链路存在域名劫持或者授权服务器被更改结果,需要进行强制解析操作。In this embodiment, the processing center performs targeted domain name attack repair according to the judgment result. For example, the processing center monitors and maintains the cached results of the domain name, and compares them with the domain name reference library. If the cached results are not within the scope of the domain name reference library, it means that cache poisoning or domain name hijacking exists; then, the authorized server domain name resolution is further dialed. If all the landing points of the authorized server domain name resolution are within the domain name reference library, it means that there is a cache poisoning attack, the cached results are polluted, and the processing center needs to perform a cache refresh operation; if the authorized server domain name resolution landing point is not within the domain name reference library, it means that there is a domain name hijacking in the intermediate link or the authorized server has been changed, and a forced resolution operation is required.
本申请实施例中,针对维护域名进行域名解析监测,得到监测结果;基于预设的域名基准库和信任授权地址库对监测结果进行解析判定,得到判定结果,其中,域名基准库中包括维护域名对应的第一互联网协议地址,信任授权地址库包括维护域名的授权服务器对应的第二互联网协议地址;根据判定结果进行域名攻击修复。In an embodiment of the present application, domain name resolution monitoring is performed on the maintenance domain name to obtain a monitoring result; the monitoring result is parsed and determined based on a preset domain name reference library and a trusted authorized address library to obtain a determination result, wherein the domain name reference library includes a first Internet Protocol address corresponding to the maintenance domain name, and the trusted authorized address library includes a second Internet Protocol address corresponding to the authorized server of the maintenance domain name; and the domain name attack repair is performed according to the determination result.
如此,本申请实施例通过针对维护域名进行域名解析监测,得到维护域名的监测结果,从而实时了解维护域名的解析状态,有助于及时发现维护域名是否存在安全风险;然后,基于预设的域名基准库和信任授权地址库对监测到的域名解析监测结果进行解析判定,得到判定结果,其中,域名基准库中包括维护域名对应的第一互联网协议地址,信任授权地址库中包括维护域名的授权服务器对应的第二互联网协议地址,从而通过域名基准库和信任授权地址库自动化地进行域名解析监测结果的判定,无需人工逐一比对和验证,提高了网络检测效率同时减少了误判和漏判的可能性;最后,根据判定结果对维护域名进行域名攻击修复,如此,通过自动化进行域名解析监测、异常判定和攻击修复工作,对受到攻击的域名进行及时修复,确保域名的安全和稳定,提高了网络安全保障。In this way, the embodiment of the present application obtains the monitoring result of the maintenance domain name by performing domain name resolution monitoring on the maintenance domain name, so as to understand the resolution status of the maintenance domain name in real time, which is helpful to timely discover whether there is a security risk in the maintenance domain name; then, based on the preset domain name reference library and the trusted authorization address library, the monitored domain name resolution monitoring result is analyzed and determined to obtain a determination result, wherein the domain name reference library includes the first Internet Protocol address corresponding to the maintenance domain name, and the trusted authorization address library includes the second Internet Protocol address corresponding to the authorization server of the maintenance domain name, so that the domain name resolution monitoring result is automatically determined by the domain name reference library and the trusted authorization address library, without manual one-by-one comparison and verification, thereby improving the network detection efficiency and reducing the possibility of misjudgment and missed judgment; finally, the domain name attack repair is performed on the maintenance domain name according to the determination result. In this way, by automating the domain name resolution monitoring, abnormal determination and attack repair work, the attacked domain name is repaired in time, ensuring the security and stability of the domain name and improving network security.
Further, on the basis of the first embodiment above, a second embodiment of the domain name attack repair method is proposed.
In this embodiment, step S10 above, monitoring the resolution of the maintained domain name to obtain a monitoring result, includes:
Step S101: monitor the cached resolution of the maintained domain name on the caching server to obtain the current cache resolution result for the maintained domain name.
Note that when a user accesses a domain name, the DNS query is first sent to the caching (recursive) server. If the caching server holds a matching record it answers directly from its cache, and that answer is the current cache resolution result for the domain name the user accessed.
In this embodiment, the processing center determines from a preset caching server configuration which caching servers hold resolution records for the maintained domain names of the important websites, and for each of those caching servers monitors the cached resolution of the maintained domain name to obtain the current cache resolution result.
Step S102: monitor the authoritative resolution of the maintained domain name on the authoritative server to obtain the current authoritative resolution result for the maintained domain name.
Note that if the caching server has no matching record, the recursive resolver walks the delegation chain from the root servers until it reaches the authoritative server for the domain name and obtains the final answer from it; that answer is the current authoritative resolution result for the domain name the user accessed.
In this embodiment, the processing center monitors the authoritative resolution of the maintained domain name on the authoritative server and obtains the current authoritative resolution result.
Step S103: monitor the Internet Protocol address of the authoritative server to obtain the current authoritative address for the maintained domain name.
In this embodiment, the processing center monitors the IP address of the authoritative server that answers for the maintained domain name and records it as the current authoritative address.
Step S104: take the current cache resolution result, the current authoritative resolution result and the current authoritative address together as the monitoring result of the domain name resolution monitoring.
In this embodiment, the processing center takes the current cache resolution result, the current authoritative resolution result and the current authoritative address it has collected as the monitoring result of the domain name resolution monitoring.
Further, in one feasible embodiment, step S20 above, judging the monitoring result against the preset domain name reference library and trusted authoritative address library, includes:
Step S201: determine whether the current cache resolution result and the current authoritative resolution result are in the domain name reference library, and whether the current authoritative address is in the trusted authoritative address library.
In this embodiment, the processing center checks the monitored current cache resolution result and current authoritative resolution result against the pre-built domain name reference library, and the monitored current authoritative address against the pre-built trusted authoritative address library.
Note that in one feasible embodiment the processing center judges the current cache resolution result, the current authoritative resolution result and the current authoritative address in real time as they are collected; in another, it monitors and judges the current authoritative resolution result and the current authoritative address at intervals of one TTL period (the record's time to live, commonly 3600 seconds). The monitoring frequency and period of the maintained domain name can be adjusted to the actual deployment and are not specifically limited here.
Step S202: if both the current cache resolution result and the current authoritative resolution result are in the domain name reference library, the judgment result for the maintained domain name is "resolution correct".
In this embodiment, when the processing center finds both results in the domain name reference library, it judges the resolution correct: the cache and the authoritative data for the maintained domain name are both normal and the domain name has not been attacked.
Step S203: if the current cache resolution result is in the domain name reference library, the current authoritative resolution result is not, and the current authoritative address is in the trusted authoritative address library, the judgment result for the maintained domain name is the first domain name hijack.
In this embodiment, this combination means that no new authoritative server has appeared on the query path of the maintained domain name, yet a trusted authoritative server is giving a wrong answer: the authoritative server itself has been hijacked. This is the first domain name hijack. The cache still holds the correct answer only because the cached record's TTL has not yet expired.
Step S204: if the current cache resolution result is in the domain name reference library, the current authoritative resolution result is not, and the current authoritative address is not in the trusted authoritative address library, the judgment result for the maintained domain name is the second domain name hijack.
In this embodiment, this combination means that a new authoritative server has appeared on the query path of the maintained domain name. Note that during major events a change freeze (封网) is imposed on important websites such as government, news media and e-commerce sites; if a new authoritative server is detected during the freeze, a link-type (on-path) domain name hijack is determined to have occurred. This is the second domain name hijack.
Step S205: if the current cache resolution result is not in the domain name reference library and the current authoritative resolution result is, the judgment result for the maintained domain name is cache poisoning.
In this embodiment, this combination means that the cached answer for the maintained domain name is wrong while the authoritative answer is correct, which is cache poisoning.
Step S206: if the current cache resolution result is not in the domain name reference library, the current authoritative resolution result is not in the domain name reference library, and the current authoritative address is in the trusted authoritative address library, the judgment result for the maintained domain name is the third domain name hijack.
In this embodiment, this combination means that the authoritative server of the maintained domain name has been attacked and the wrong answer has already propagated into the cache: an authoritative server hijack, the third domain name hijack.
Step S207: if the current cache resolution result is not in the domain name reference library, the current authoritative resolution result is not in the domain name reference library, and the current authoritative address is not in the trusted authoritative address library, the judgment result for the maintained domain name is the fourth domain name hijack.
In this embodiment, this combination means that the maintained domain name is subject to a link-type hijack whose wrong answer has already propagated into the cache: the fourth domain name hijack.
Further, in one feasible embodiment, step S30 above, performing domain name attack repair according to the judgment result, includes:
Step S301: if the judgment result is cache poisoning, perform a cache refresh on the caching server.
In this embodiment, when the processing center judges that the maintained domain name is subject to cache poisoning, it can call the network management interface directly to refresh the cache of the caching server, fetching the authoritative resolution result from the authoritative server and storing it in the cache.
In addition, in one feasible embodiment, if the same maintained domain name is judged as cache poisoning a preset number of times, a forced resolution is performed instead of another refresh. Forced resolution quickly contains a recurring poisoning problem, shortens troubleshooting and repair time, and removes the abnormal redirects and page-load failures that poisoning causes for users, improving their satisfaction with the service. The preset count is set according to the actual deployment and is not specifically limited here.
Step S302: if the judgment result is the first, second, third or fourth domain name hijack, perform a forced resolution in the domain name system.
Note that in this embodiment domain name hijacking covers several types, the first to fourth domain name hijacks; their identification was described above and is not repeated here.
In this embodiment, when the processing center judges that the maintained domain name is hijacked, it can perform a forced resolution, pinning the domain name to the A record target previously held by the caching server (the last known-good answer), so that users who access the domain name reach the correct website.
Note also that the processing center determines the specific type of hijack so that the responsible engineers can repair the fault promptly and accurately on the basis of the judgment result, avoiding manual misjudgment or misses, shortening troubleshooting time, improving user experience and strengthening network defence.
In addition, in one feasible embodiment the forced resolution can be carried out either fully automatically or semi-automatically. In the fully automatic mode the processing center calls the network management interface itself. The semi-automatic mode requires a manual confirmation step; after comparing confirmation via WeChat official account, via the network management console and via SMS for security and convenience, SMS confirmation was chosen. For example, an SMS alert is sent: "Domain name hijacking detected on the test network. The previous resolution IP was *.*.*.*. Force resolution?" If the maintainer at the designated phone number replies 1, the forced resolution is completed automatically; if the reply is 2, only the alert is recorded and no forced resolution is performed. Depending on the deployment, confirmation via WeChat official account or the network management console may be used instead; this is not specifically limited here.
By way of example, in this embodiment the processing center can judge the current cache resolution result, the current authoritative resolution result and the current authoritative address in sequence, as shown in Figure 4. In the figure, "current version cache resolution result" is the current cache resolution result, "authoritative result" is the current authoritative resolution result, "authoritative server IP" is the current authoritative address, "key domain name resolution library" is the domain name reference library and "trusted authoritative IP list" is the trusted authoritative address library. The judgment flow is:
Step 1: determine whether the current version cache resolution result falls within an IP address range of the key domain name reference library.
Step 2: if yes, the cache result is correct; determine whether the authoritative result is in the key domain name reference library. If yes, both the cache and the authoritative data are normal; go to step 11 and end.
Step 3: if step 2 is no, the authoritative result is wrong; determine whether the authoritative server IP is in the trusted authoritative IP list.
Step 4: if step 3 is yes, no new authoritative server has appeared on the path, so this is an authoritative server hijack. Because the cached record's TTL has not yet expired, the current cache result is still correct; an alert is therefore raised within the TTL period and a forced resolution entry point is offered for manual intervention.
Step 5: if step 3 is no, a new authoritative server IP has appeared, which cannot happen during a change freeze, so this is judged a link-type hijack. The TTL has not yet expired, so an alert is raised and manual intervention follows.
Step 6: if step 1 is no, the cache result has been altered; determine whether the authoritative result is normal.
Step 7: if step 6 is yes, the cache result is wrong but the authoritative result is fine: cache poisoning. Refresh the cache directly, re-fetching the answer from the authoritative server.
Step 8: if step 6 is no, both the authoritative and the cache result are abnormal; determine whether the authoritative IP is in the trusted authoritative IP list.
Step 9: if step 8 is yes, the authoritative server has been attacked; force-resolve the domain name to the previous cached version, refresh the cache, then go to step 11 and end.
Step 10: if step 8 is no, a link-type hijack is present; force-resolve the domain name to the previous cached version, refresh the cache, then go to step 11 and end.
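The decision table of steps S201 to S207, the repair rules of steps S301 and S302 (including the escalation to forced resolution after repeated poisoning of the same domain name) and the Figure 4 flow above, as one added example in Python. This is not the patent's code: the domain name, addresses and library contents are constructed (RFC 5737 documentation ranges), the libraries are modelled as IP ranges per domain name because step 1 of the flow speaks of address segments, and the poisoning threshold of 3 is an assumed value that the page leaves configurable.

```python
"""Steps S201 to S207 (judgment), S301/S302 (repair) and the Figure 4 flow.
Added example, not the patent's code; libraries and addresses are constructed."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Verdict(Enum):
    RESOLUTION_CORRECT = "resolution correct"
    CACHE_POISONING = "cache poisoning"
    HIJACK_1 = "first hijack: trusted authoritative server gives a wrong answer, cache still correct"
    HIJACK_2 = "second hijack: untrusted (new) authoritative server answers, cache still correct"
    HIJACK_3 = "third hijack: trusted authoritative server gives a wrong answer, cache also wrong"
    HIJACK_4 = "fourth hijack: untrusted (new) authoritative server answers, cache also wrong"


class Action(Enum):
    NONE = "no action"
    CACHE_REFRESH = "refresh the cache from the authoritative server"
    ALERT_OFFER_FORCED = "alert within the TTL period and offer forced resolution for manual confirmation"
    FORCED_RESOLUTION = "force-resolve to the last known-good A record and refresh the cache"


@dataclass(frozen=True)
class MonitoringResult:
    """Step S104: the three values collected for one maintained domain name."""
    domain: str
    cache_result: str   # A record answered by the caching server (S101)
    auth_result: str    # A record answered by the authoritative server (S102)
    auth_address: str   # IP address of the authoritative server that answered (S103)


def _in_library(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def judge(r: MonitoringResult, reference_library: dict, trusted_auth_library: dict) -> Verdict:
    """Steps S201 to S207: three membership tests select one of six verdicts."""
    if r.domain not in reference_library:
        raise ValueError(f"{r.domain} is not a maintained domain name")
    cache_ok = _in_library(r.cache_result, reference_library[r.domain])
    auth_ok = _in_library(r.auth_result, reference_library[r.domain])
    auth_trusted = _in_library(r.auth_address, trusted_auth_library.get(r.domain, []))
    if cache_ok and auth_ok:
        return Verdict.RESOLUTION_CORRECT                                # S202
    if cache_ok:
        return Verdict.HIJACK_1 if auth_trusted else Verdict.HIJACK_2    # S203 / S204
    if auth_ok:
        return Verdict.CACHE_POISONING                                   # S205
    return Verdict.HIJACK_3 if auth_trusted else Verdict.HIJACK_4        # S206 / S207


def repair_action(verdict: Verdict, poisoning_count: int = 0, poisoning_threshold: int = 3) -> Action:
    """Steps S301/S302. Repeated poisoning of the same domain name escalates to forced
    resolution; the threshold of 3 is an assumed value (the page leaves it configurable)."""
    if verdict is Verdict.RESOLUTION_CORRECT:
        return Action.NONE
    if verdict is Verdict.CACHE_POISONING:
        return Action.FORCED_RESOLUTION if poisoning_count >= poisoning_threshold else Action.CACHE_REFRESH
    if verdict in (Verdict.HIJACK_1, Verdict.HIJACK_2):
        return Action.ALERT_OFFER_FORCED   # cache still serves the right answer within its TTL
    return Action.FORCED_RESOLUTION        # HIJACK_3 / HIJACK_4: users are already being misdirected


class Judge:
    """Runs judgment plus repair selection, keeping the per-domain poisoning counter."""

    def __init__(self, reference_library: dict, trusted_auth_library: dict, poisoning_threshold: int = 3):
        self.ref, self.trusted, self.threshold = reference_library, trusted_auth_library, poisoning_threshold
        self.poisoning_counts: dict = {}

    def process(self, r: MonitoringResult):
        verdict = judge(r, self.ref, self.trusted)
        if verdict is Verdict.CACHE_POISONING:
            self.poisoning_counts[r.domain] = self.poisoning_counts.get(r.domain, 0) + 1
        else:
            self.poisoning_counts.pop(r.domain, None)   # a clean or hijack verdict resets the run
        return verdict, repair_action(verdict, self.poisoning_counts.get(r.domain, 0), self.threshold)


# Constructed libraries for one maintained domain name (RFC 5737 documentation ranges).
REFERENCE_LIBRARY = {"www.example.test": ["203.0.113.0/24"]}
TRUSTED_AUTH_LIBRARY = {"www.example.test": ["198.51.100.10/32", "198.51.100.11/32"]}

if __name__ == "__main__":
    j = Judge(REFERENCE_LIBRARY, TRUSTED_AUTH_LIBRARY)
    for cache, auth, addr in (("203.0.113.5", "203.0.113.5", "198.51.100.10"),
                              ("203.0.113.5", "192.0.2.66", "198.51.100.10"),
                              ("192.0.2.66", "203.0.113.5", "198.51.100.10"),
                              ("192.0.2.66", "192.0.2.66", "192.0.2.9")):
        print(cache, auth, addr, *j.process(MonitoringResult("www.example.test", cache, auth, addr)))
```

The second and fourth hijack verdicts both mean "an authoritative server outside the trusted list answered", and the first and third both mean "a trusted authoritative server gave a wrong answer"; the only thing separating each pair is whether the cache still holds a correct record, which is why the first two alert and wait for confirmation while the last two repair at once.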
In addition, in one feasible embodiment the processing center builds commands for the repair functions offered by the DNS network management system (NMS), such as forced resolution and cache refresh. After sending a command to the DNS NMS server it waits for the NMS's feedback that the command has taken effect. The command flow, shown in Figure 5, is as follows. First, the processing center calls the rp_command() method, which builds the request by which the processing center sends a command to the NMS server; its purpose is to let the automated repair platform, or related systems, control and operate the DNS NMS remotely. Concretely, the processing center sends the command to the DNS NMS encapsulated as an XML document. The DNS NMS interface receives the command, authenticates it and verifies its fields, stores it once verification succeeds, and on the same connection promptly returns whether the command was received successfully; if the DNS NMS does not receive the command within a set time, the processing center resends it. The DNS NMS platform then executes the command according to its content and returns the result of its taking effect to the processing center by calling the rp_command_back() method, again encapsulated as an XML document. Finally, the processing center calls the write_log method to log the execution result for later lookup.
Note that in this embodiment the request built by the rp_command() method is:
https://<NMS server IP address>/DNSWebService/dnsCommand?rp
public String rp_command(String dnsId, String randVal, String pwdHash, String command, String commandHash, int commandType, long commandSequence, int encryptAlgorithm, int hashAlgorithm, int compressionFormat, String commandVersion). This function sends a command to the NMS server and takes 11 parameters, explained as follows:
String dnsId: identifier of the DNS service or record the command targets.
String randVal: a random value, used to prevent replay attacks or for other security purposes.
String pwdHash: hash of the password, used for authentication so that only a client that knows the correct password can send commands.
String command: the command content, that is, the operation the DNS NMS server is asked to perform.
String commandHash: hash of the command content, used to verify its integrity, i.e. that it has not been tampered with.
int commandType: the kind or purpose of this command.
long commandSequence: command sequence number, used to keep commands ordered and unique; it can also serve to prevent replay attacks.
int encryptAlgorithm: the algorithm used to encrypt the command content.
int hashAlgorithm: the algorithm used to compute the command hash.
int compressionFormat: the compression format, if the command content is compressed.
String commandVersion: version of the command format or protocol.
The function returns a String, which may carry the response status, an error message or other related information.
The DNS NMS platform returns, through the rp_commandrsp() method, an XML data stream that describes the result code of the operation.
The request built by the DNS NMS platform through the rp_command_back() method is:
https://<NMS server IP address>/DNSWebService/commandack?rp
public String dns_commandack(String dnsId, String randVal, String pwdHash, String result, String resultHash, int encryptAlgorithm, int hashAlgorithm, int compressionFormat). This function reports to the processing center whether the command completed successfully, where:
public String dns_commandack: returns a String, which normally carries information about the command's execution result.
String dnsId: unique identifier of the DNS server.
String randVal: a random value, used to make the request unique or for security purposes such as preventing replay attacks.
String pwdHash: hash of the password, used for authentication so that only authorised callers can invoke this method.
String result: the execution result of the earlier command.
String resultHash: hash of the result, used to verify that the result parameter has not been tampered with.
int encryptAlgorithm: the encryption algorithm used.
int hashAlgorithm: the hash algorithm used, which may differ from the encryption algorithm.
int compressionFormat: the data compression format.
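The rp_command() / dns_commandack() exchange described above, carried through both sides as an added example in Python; it is not the patent's code nor the code of any DNS NMS. The page names the parameters but not how pwdHash, commandHash and resultHash are computed, what the numeric algorithm codes mean, or the XML element names, so everything of that kind below is an assumption: SHA-256 for all three hashes, pwdHash = SHA-256(password || randVal), the codes 1/0/0 for hashAlgorithm/encryptAlgorithm/compressionFormat, XML element names equal to the parameter names, and the same-connection receipt returned as a plain string rather than the rp_commandrsp() XML stream. The command strings are constructed.

```python
"""Processing center <-> DNS NMS command envelope (rp_command / dns_commandack).
Added example, not the patent's code; hash constructions, algorithm codes and
element names are assumptions."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SHA256 = 1          # assumed numeric code for hashAlgorithm
NO_ENCRYPTION = 0   # assumed numeric code for encryptAlgorithm
NO_COMPRESSION = 0  # assumed numeric code for compressionFormat


def _sha256_hex(*parts: str) -> str:
    return hashlib.sha256("".join(parts).encode()).hexdigest()


def _pwd_hash(password: str, rand_val: str) -> str:
    # Assumption: pwdHash binds the shared password to the per-message randVal,
    # so a captured pwdHash is useless with any other randVal.
    return _sha256_hex(password, rand_val)


def _envelope(tag: str, fields: dict) -> str:
    root = ET.Element(tag)
    for name, value in fields.items():
        ET.SubElement(root, name).text = str(value)
    return ET.tostring(root, encoding="unicode")


def _fields(xml_text: str) -> dict:
    return {el.tag: (el.text or "") for el in ET.fromstring(xml_text)}


def build_rp_command(dns_id, password, command, command_type, sequence, version="1.0") -> str:
    """Processing center side: the 11 rp_command() parameters as one XML document."""
    rand_val = secrets.token_hex(16)
    return _envelope("rp_command", {
        "dnsId": dns_id, "randVal": rand_val,
        "pwdHash": _pwd_hash(password, rand_val),
        "command": command, "commandHash": _sha256_hex(command),
        "commandType": command_type, "commandSequence": sequence,
        "encryptAlgorithm": NO_ENCRYPTION, "hashAlgorithm": SHA256,
        "compressionFormat": NO_COMPRESSION, "commandVersion": version,
    })


class DnsNms:
    """DNS NMS side: authenticate, check integrity, reject replays, execute, then ack."""

    def __init__(self, dns_id: str, password: str):
        self.dns_id, self.password = dns_id, password
        self.last_sequence = 0          # highest commandSequence accepted so far
        self.executed = []

    def rp_command(self, xml_text: str) -> str:
        """Receipt returned on the same connection: 'received' or the rejection reason."""
        f = _fields(xml_text)
        if f.get("dnsId") != self.dns_id:
            return "rejected: unknown dnsId"
        if not hmac.compare_digest(f["pwdHash"], _pwd_hash(self.password, f["randVal"])):
            return "rejected: authentication failed"
        if not hmac.compare_digest(f["commandHash"], _sha256_hex(f["command"])):
            return "rejected: commandHash mismatch"
        if int(f["commandSequence"]) <= self.last_sequence:
            return "rejected: replayed or out-of-order commandSequence"
        self.last_sequence = int(f["commandSequence"])
        self.executed.append(f["command"])   # a real NMS would run the forced resolution / refresh here
        return "received"

    def dns_commandack(self, result: str) -> str:
        """Callback to the processing center once the command has taken effect."""
        rand_val = secrets.token_hex(16)
        return _envelope("dns_commandack", {
            "dnsId": self.dns_id, "randVal": rand_val,
            "pwdHash": _pwd_hash(self.password, rand_val),
            "result": result, "resultHash": _sha256_hex(result),
            "encryptAlgorithm": NO_ENCRYPTION, "hashAlgorithm": SHA256,
            "compressionFormat": NO_COMPRESSION,
        })


def verify_commandack(xml_text: str, dns_id: str, password: str) -> str:
    """Processing center side: returns the result, or raises if the ack cannot be trusted."""
    f = _fields(xml_text)
    if f.get("dnsId") != dns_id or not hmac.compare_digest(
            f["pwdHash"], _pwd_hash(password, f["randVal"])):
        raise ValueError("ack authentication failed")
    if not hmac.compare_digest(f["resultHash"], _sha256_hex(f["result"])):
        raise ValueError("resultHash mismatch")
    return f["result"]


if __name__ == "__main__":
    nms = DnsNms("dns-01", "s3cret")
    msg = build_rp_command("dns-01", "s3cret", "force_resolve www.example.test 203.0.113.5", 2, 1)
    print(nms.rp_command(msg))              # received
    print(nms.rp_command(msg))              # rejected: replayed ...
    print(verify_commandack(nms.dns_commandack("0"), "dns-01", "s3cret"))   # 0
```

Note what the parameters as named do and do not give you. commandHash and resultHash are unkeyed digests, so they catch corruption but not an active attacker who rewrites the command and recomputes the hash, and pwdHash covers only the password and randVal, not the command. Against an active attacker the integrity of a command therefore rests on the HTTPS transport named in the URL; if the interface were ever reachable beyond a trusted management network, a keyed MAC (HMAC) over every field, commandSequence included, would be the stronger design.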
Further, in one feasible embodiment, the monitoring result also includes a lifetime hop count, and after step S30 the domain name attack repair method may further include:
Step A10: calculate the hop difference between the lifetime hop count and the reference lifetime hop count.
Step A20: determine the hijacking device from the hop difference.
Note that the TTL hop count here is the time-to-live field of the IP packet header, which bounds the number of routers a packet may traverse: each router it passes through decrements the value by one, and when it reaches zero the packet is discarded. This IP-header TTL is a different quantity from the DNS record TTL used above to set the monitoring period.
In this embodiment, because hijacking of ICMP (Internet Control Message Protocol) messages is comparatively easy to notice, attackers usually choose to hijack DNS messages instead. DNS messages carry the key information of name resolution; once hijacked, users may be redirected to malicious websites, leading to information leakage or financial loss.
In that case, to identify and locate the hijacking, the processing center collects packets from the network, for example by packet capture, and compares the TTL hop count of the packet under normal conditions (the reference lifetime hop count) with its TTL hop count in the suspected hijacking case. The hop difference shows how many additional devices the packet passed through in transit; those additional devices are candidates for the node at which the hijacking occurred, so the specific hijacking device can be pinned down, which supports the subsequent defensive and response measures and improves the security and stability of the network.
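Steps A10 and A20 carried through as an added example in Python; this is not the patent's code. The page says only that the hop difference between the observed and reference TTL identifies the extra devices. The way the reference value is learned (the mode over known-good replies), the inference of the initial TTL from the three common initial values, and the use of a traceroute path to name the device at that distance are this example's own choices, and the captured packets and the path are constructed.

```python
"""Steps A10/A20: locating the hijacking device from the IP TTL of DNS replies.
Added example, not the patent's code; path and packets are constructed."""
from dataclasses import dataclass
from statistics import mode
from typing import List, Optional

COMMON_INITIAL_TTLS = (64, 128, 255)   # Linux/BSD, Windows, most network gear


@dataclass(frozen=True)
class DnsReply:
    src_ip: str     # source address as written in the IP header (may be spoofed)
    ip_ttl: int     # TTL field as observed at the capture point
    answer: str     # A record carried in the reply


@dataclass(frozen=True)
class Baseline:
    initial_ttl: int    # initial TTL the legitimate server uses
    hops: int           # reference lifetime hop count


@dataclass(frozen=True)
class Finding:
    reply: DnsReply
    hop_delta: int            # hops travelled minus the reference hop count
    initial_changed: bool     # emitter uses a different initial TTL (different OS or device)
    device: Optional[str]     # traceroute hop the reply appears to originate from


def initial_ttl(observed: int) -> int:
    """Smallest common initial TTL not below the observed value."""
    for candidate in COMMON_INITIAL_TTLS:
        if observed <= candidate:
            return candidate
    raise ValueError(f"TTL {observed} exceeds 255")


def hop_count(observed: int) -> int:
    """Routers traversed: the initial TTL less what is left on arrival."""
    return initial_ttl(observed) - observed


def learn_baseline(known_good: List[DnsReply]) -> Baseline:
    """Step A10's reference value, taken as the mode over known-good replies so
    that a single odd sample does not shift it."""
    return Baseline(mode(initial_ttl(r.ip_ttl) for r in known_good),
                    mode(hop_count(r.ip_ttl) for r in known_good))


def analyse(reply: DnsReply, base: Baseline, path: List[str]) -> Finding:
    """Step A20: hop difference, plus the device on the known path at that distance.
    `path` is the traceroute to the legitimate server, its last entry being the server."""
    hops = hop_count(reply.ip_ttl)
    device = path[hops - 1] if 0 < hops <= len(path) else None
    return Finding(reply, hops - base.hops, initial_ttl(reply.ip_ttl) != base.initial_ttl, device)


def suspects(replies: List[DnsReply], base: Baseline, path: List[str]) -> List[Finding]:
    """Replies that did not come from where the legitimate server's replies come from."""
    findings = (analyse(r, base, path) for r in replies)
    return [f for f in findings if f.hop_delta != 0 or f.initial_changed]


# Constructed traceroute from the monitor to the authoritative server 198.51.100.10.
PATH = ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5",
        "192.0.2.6", "192.0.2.7", "192.0.2.8", "192.0.2.9", "198.51.100.10"]

# Constructed captures: known-good replies, then a mixed batch.
KNOWN_GOOD = [DnsReply("198.51.100.10", 54, "203.0.113.5"),
              DnsReply("198.51.100.10", 54, "203.0.113.5"),
              DnsReply("198.51.100.10", 53, "203.0.113.5")]
BATCH = [DnsReply("198.51.100.10", 54, "203.0.113.5"),   # genuine: 10 hops, initial 64
         DnsReply("198.51.100.10", 61, "192.0.2.66"),    # injected 3 hops away
         DnsReply("198.51.100.10", 118, "192.0.2.66"),   # same distance, Windows-type initial TTL
         DnsReply("198.51.100.10", 52, "192.0.2.66")]    # two hops beyond the known path

if __name__ == "__main__":
    base = learn_baseline(KNOWN_GOOD)
    for f in suspects(BATCH, base, PATH):
        print(f.reply.ip_ttl, f.hop_delta, f.initial_changed, f.device)
```

The patent describes the case of a reply that has passed through extra devices (a positive delta). In practice a reply injected by an on-path device usually arrives with fewer hops (a negative delta: the injector sits closer to the monitor than the real server), and an injector at the same distance shows up only through a different initial TTL; a careful attacker can forge the TTL outright, so this localises a suspect hop for the reverse tracing module rather than proving one.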
In addition, in one feasible embodiment, as shown in Figure 6, the processing center may comprise a basic resource library module, a domain name monitoring module, an attack judgment module, an automatic recovery module and a reverse tracing module, where:
the basic resource library module stores the domain name reference library and the trusted authoritative address library; the domain name reference library holds the A records served by the authoritative servers for the important (maintained) domain names, and the trusted authoritative address library holds the IP addresses of those authoritative servers;
the domain name monitoring module monitors the resolution of the maintained domain names and obtains the monitoring results. It performs three kinds of monitoring. First, it checks for abnormal authoritative DNS servers: an unexplained increase in authoritative servers may indicate a hijack by an authoritative server newly inserted on the path. Second, at TTL-period intervals it collects the resolution of the key domain names from their authoritative servers; if successive collected versions disagree, the authoritative server's data configuration has a problem and was tampered with during the change freeze, which is an authoritative-server hijack. Third, it monitors the resolution of the key domain names on the caching servers; if it disagrees with the authoritative servers, cache poisoning or a hijack may be present. In addition, after a hijack has been repaired the module can probe the web page, extract the first 20 bytes of its content and compare them with the page before the repair to determine whether the service has been restored.
The attack judgment module judges the monitoring results against the domain name reference library and the trusted authoritative address library to obtain the judgment results; specifically, it comprises a domain name hijack judgment model, an authoritative attack judgment model and a cache poisoning judgment model.
The automatic recovery module performs domain name attack repair according to the judgment results, for example by communicating with the DNS NMS server over a web service interface and executing the decided commands, such as refreshing the DNS cache or forcing DNS resolution.
The reverse tracing module calculates the hop difference between the lifetime hop count and the reference lifetime hop count and determines the hijacking device from it. Specifically, it uses the TTL of IPv4 packets to determine at which node the hijacking device sits; since hijacking ICMP messages is easily discovered, attackers generally hijack only DNS messages, and the hop difference can then be analysed from packet captures to determine which devices the packet passed through.
Thus, in this embodiment, monitoring the cache resolution, the authoritative resolution and the authoritative addresses of the maintained domain names makes it possible to discover and respond to domain name hijacking and cache poisoning promptly, and the automatic cache refresh and forced resolution remove tampered answers and restore correct resolution in good time, protecting users from malicious websites and sparing important websites financial and reputational damage. At the same time, comparing the current resolution results with the contents of the domain name reference library and the trusted authoritative address library gives an accurate picture of the resolution state, so that anomalies are found and handled promptly; this makes the DNS service more stable and reliable, reduces outages caused by wrong resolution and strengthens network security.
In addition, an embodiment of the present application further provides a domain name attack repair device.
Referring to FIG. 7, the domain name attack repair device of the present application may include:
a monitoring module 10, used to perform domain name resolution monitoring for the maintained domain name and obtain a monitoring result;
a judgment module 20, used to parse and judge the monitoring result based on a preset domain name baseline library and a trusted authoritative address library to obtain a judgment result, wherein the domain name baseline library includes a first Internet Protocol address corresponding to the maintained domain name, and the trusted authoritative address library includes a second Internet Protocol address corresponding to the authoritative server of the maintained domain name;
a repair module 30, used to perform domain name attack repair according to the judgment result.
Optionally, the domain name attack repair device of the present application may further include:
a baseline library construction module, used to determine a list of maintained domain names to be maintained; query the resolution records of each maintained domain name in the list through a preset domain name system query tool; store the cache resolution result and the authoritative resolution result of each maintained domain name in the resolution records into the domain name baseline library as the first Internet Protocol address corresponding to that maintained domain name; and store the second Internet Protocol address record corresponding to the authoritative server of each maintained domain name in the resolution records into the trusted authoritative address library.
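One way the baseline library construction module could be realised, given as an added example that is not the applicant's code: the records below are constructed, dig-style resolution records for a made-up domain in documentation address ranges, and `parse_records`, `build_libraries` and `zone_of` are hypothetical names. The cache answer and the authoritative answer are merged into the baseline library (the patent's "first IP address"), and the glue addresses of the zone's NS servers become the trusted authoritative address library (the "second IP address").

```python
import re
from collections import defaultdict

# Constructed sample resolution records in dig-style presentation format
# (<name> <ttl> IN <type> <rdata>). The domain and addresses are made up for
# this example; nothing here is taken from the patent.
CACHE_RECORDS = """
; answer from the cache (recursive) server
www.example.test.   300 IN A  198.51.100.10
www.example.test.   300 IN A  198.51.100.11
"""
AUTH_RECORDS = """
; answer from the authoritative server
www.example.test.   3600 IN A  198.51.100.10
www.example.test.   3600 IN A  198.51.100.11
"""
NS_RECORDS = """
; authoritative servers of the zone and their glue addresses
example.test.       86400 IN NS  ns1.example.test.
example.test.       86400 IN NS  ns2.example.test.
ns1.example.test.   86400 IN A   203.0.113.1
ns2.example.test.   86400 IN A   203.0.113.2
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def parse_records(text):
    """Yield (name, ttl, rtype, rdata) from dig-style lines; skip blanks and ';' comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        match = RECORD_RE.match(line)
        if match is None:
            raise ValueError(f"unparseable record: {line!r}")
        name, ttl, rtype, rdata = match.groups()
        yield name.lower(), int(ttl), rtype.upper(), rdata.lower()


def fqdn(name):
    """Normalise a domain to lower case with a trailing dot."""
    return name.lower().rstrip(".") + "."


def zone_of(domain, ns_names):
    """Walk up the labels of `domain` until a name that has NS records is found."""
    labels = domain.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in ns_names:
            return candidate
    return None


def build_libraries(maintained_domains, cache_text, auth_text, ns_text):
    """Return (baseline_library, trusted_auth_library) for the maintained domains.

    baseline_library maps a domain to the union of the A records seen in the
    cache and authoritative answers; trusted_auth_library maps it to the glue
    addresses of the NS servers of its zone.
    """
    maintained = {fqdn(d) for d in maintained_domains}
    baseline = defaultdict(set)
    for text in (cache_text, auth_text):
        for name, _ttl, rtype, rdata in parse_records(text):
            if rtype == "A" and name in maintained:
                baseline[name].add(rdata)

    ns_names, glue = defaultdict(set), defaultdict(set)
    for name, _ttl, rtype, rdata in parse_records(ns_text):
        if rtype == "NS":
            ns_names[name].add(rdata)
        elif rtype == "A":
            glue[name].add(rdata)

    trusted = defaultdict(set)
    for domain in maintained:
        zone = zone_of(domain, ns_names)
        for ns in ns_names.get(zone, ()):
            trusted[domain] |= glue.get(ns, set())
    return dict(baseline), dict(trusted)


if __name__ == "__main__":
    base, trust = build_libraries(["www.example.test"], CACHE_RECORDS, AUTH_RECORDS, NS_RECORDS)
    print("baseline library:", base)
    print("trusted authoritative address library:", trust)
```

In a deployment the three record sets would come from querying the cache server, the authoritative server and the parent zone with the DNS query tool; the parser above only handles single-line A and NS records, which is enough to seed both libraries.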
Optionally, the monitoring module 10 is further used to:
monitor the cache resolution of the maintained domain name on the cache server to obtain the current cache resolution result corresponding to the maintained domain name;
monitor the authoritative resolution of the maintained domain name on the authoritative server to obtain the current authoritative resolution result corresponding to the maintained domain name;
monitor the Internet Protocol address of the authoritative server to obtain the current authoritative address corresponding to the maintained domain name;
determine the current cache resolution result, the current authoritative resolution result and the current authoritative address as the monitoring result of the domain name resolution monitoring.
Optionally, the judgment module 20 is further used to:
determine whether the current cache resolution result and the current authoritative resolution result are in the domain name baseline library, and determine whether the current authoritative address is in the trusted authoritative address library;
if the current cache resolution result and the current authoritative resolution result are both in the domain name baseline library, determine that the judgment result for the maintained domain name is correct resolution;
if the current cache resolution result is in the domain name baseline library, the current authoritative resolution result is not in the domain name baseline library, and the current authoritative address is in the trusted authoritative address library, determine that the judgment result for the maintained domain name is first domain name hijacking;
if the current cache resolution result is in the domain name baseline library, the current authoritative resolution result is not in the domain name baseline library, and the current authoritative address is not in the trusted authoritative address library, determine that the judgment result for the maintained domain name is second domain name hijacking;
if the current cache resolution result is not in the domain name baseline library and the current authoritative resolution result is in the domain name baseline library, determine that the judgment result for the maintained domain name is cache poisoning;
if the current cache resolution result is not in the domain name baseline library, the current authoritative resolution result is not in the domain name baseline library, and the current authoritative address is in the trusted authoritative address library, determine that the judgment result for the maintained domain name is third domain name hijacking;
if the current cache resolution result is not in the domain name baseline library, the current authoritative resolution result is not in the domain name baseline library, and the current authoritative address is not in the trusted authoritative address library, determine that the judgment result for the maintained domain name is fourth domain name hijacking.
Optionally, the repair module 30 is further used to:
if the judgment result is cache poisoning, perform a cache refresh operation on the cache server;
if the judgment result is the first, second, third or fourth domain name hijacking, perform a domain name system forced resolution operation.
Optionally, the monitoring result includes a time-to-live hop count, and the domain name attack repair device of the present application may further include:
a reverse tracing module, used to calculate the hop difference between the time-to-live hop count and a baseline time-to-live hop count, and to determine the hijacking device according to the hop difference.
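The six-way decision of the judgment module 20 together with the repair module 30's choice of operation, as an added worked example rather than the applicant's code. The libraries and monitoring results are constructed sample values, and `judge`, `repair_action` and `run_cycle` are hypothetical names. One point the patent text leaves open is what "in the library" means when a resolution returns several addresses; the example assumes that a result is in the library only when every observed address is a known one, so a single unknown address flags the result.

```python
from enum import Enum


class Verdict(Enum):
    CORRECT = "resolution correct"
    HIJACK_1 = "first domain name hijacking"
    HIJACK_2 = "second domain name hijacking"
    CACHE_POISONING = "cache poisoning"
    HIJACK_3 = "third domain name hijacking"
    HIJACK_4 = "fourth domain name hijacking"


class Action(Enum):
    NONE = "no repair needed"
    FLUSH_CACHE = "cache refresh on the cache server"
    FORCE_RESOLVE = "domain name system forced resolution"


# Constructed libraries for a made-up domain (documentation address ranges).
BASELINE_LIBRARY = {"www.example.test.": {"198.51.100.10", "198.51.100.11"}}
TRUSTED_AUTH_LIBRARY = {"www.example.test.": {"203.0.113.1", "203.0.113.2"}}


def in_library(observed, allowed):
    """A result counts as 'in the library' when something was observed and every
    observed address is a known one (assumption of this example)."""
    observed = set(observed)
    return bool(observed) and observed <= set(allowed)


def judge(domain, monitoring, baseline=BASELINE_LIBRARY, trusted=TRUSTED_AUTH_LIBRARY):
    """Apply the judgment module's decision table.

    `monitoring` is the monitoring result: the current cache resolution result
    ("cache"), the current authoritative resolution result ("auth") and the
    current authoritative server address ("auth_addr"), each a list of IPs.
    """
    cache_ok = in_library(monitoring["cache"], baseline.get(domain, ()))
    auth_ok = in_library(monitoring["auth"], baseline.get(domain, ()))
    addr_ok = in_library(monitoring["auth_addr"], trusted.get(domain, ()))

    if cache_ok and auth_ok:
        return Verdict.CORRECT
    if cache_ok and not auth_ok:
        return Verdict.HIJACK_1 if addr_ok else Verdict.HIJACK_2
    if not cache_ok and auth_ok:
        # The authoritative data is intact, only the cache deviates.
        return Verdict.CACHE_POISONING
    return Verdict.HIJACK_3 if addr_ok else Verdict.HIJACK_4


def repair_action(verdict):
    """Map a verdict to the repair module's operation."""
    if verdict is Verdict.CORRECT:
        return Action.NONE
    if verdict is Verdict.CACHE_POISONING:
        return Action.FLUSH_CACHE
    return Action.FORCE_RESOLVE


def run_cycle(domain, monitoring):
    """One monitor -> judge -> repair cycle; returns (verdict, action)."""
    verdict = judge(domain, monitoring)
    return verdict, repair_action(verdict)


if __name__ == "__main__":
    # Constructed monitoring result: the cache still answers from the baseline,
    # the authoritative answer has changed, and the server address is trusted.
    sample = {"cache": ["198.51.100.10"], "auth": ["192.0.2.99"], "auth_addr": ["203.0.113.1"]}
    print(run_cycle("www.example.test.", sample))
```

Note that the cache poisoning branch ignores the authoritative address, exactly as the patent's conditions do, and that a domain absent from both libraries can never be judged correct, which is the safe default for an unmaintained name.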
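The reverse tracing module's hop-difference calculation, as an added example that is not part of the patent. The patent does not say how the initial TTL of a captured packet is recovered; this example assumes the usual operating-system defaults of 64, 128 and 255 and picks the smallest one not below the observed TTL, which a device that rewrites the TTL would defeat. The capture, the forwarding path and the names `hop_count`, `hop_difference`, `locate_hijacking_device` and `analyse_capture` are all constructed for the example.

```python
# Common initial TTL values of hosts and network devices (assumption of this
# example; the patent does not state how the initial TTL is recovered).
COMMON_INITIAL_TTLS = (64, 128, 255)

# Constructed forwarding path from the monitoring probe towards the legitimate
# authoritative server, listed as a traceroute would (hop 1 first).
PATH = [f"router-{i:02d}" for i in range(1, 13)]


def infer_initial_ttl(observed_ttl):
    """Pick the smallest common initial TTL that is not below the observed value."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    raise ValueError(f"TTL out of range: {observed_ttl}")


def hop_count(observed_ttl):
    """Hops the packet travelled: inferred initial TTL minus the observed TTL."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def hop_difference(observed_ttl, baseline_hops):
    """Hop difference in the patent's sense: baseline hop count of the legitimate
    server's replies minus the hop count of the current reply."""
    return baseline_hops - hop_count(observed_ttl)


def locate_hijacking_device(observed_ttl, baseline_hops, path):
    """Return the path element the suspicious reply appears to come from, or None.

    A positive hop difference means the reply was emitted closer to the probe
    than the legitimate server, i.e. by a device (baseline_hops - difference)
    hops away; a zero or negative difference is consistent with the real server.
    """
    diff = hop_difference(observed_ttl, baseline_hops)
    if diff <= 0:
        return None
    position = baseline_hops - diff
    if 1 <= position <= len(path):
        return path[position - 1]
    return None


def analyse_capture(replies, baseline_hops, path):
    """Score captured DNS replies (list of dicts with 'src', 'ttl', 'answer')
    and name the suspected device for each reply that arrives too few hops away."""
    findings = []
    for reply in replies:
        findings.append({
            "src": reply["src"],
            "answer": reply["answer"],
            "hops": hop_count(reply["ttl"]),
            "hop_difference": hop_difference(reply["ttl"], baseline_hops),
            "suspect_device": locate_hijacking_device(reply["ttl"], baseline_hops, path),
        })
    return findings


if __name__ == "__main__":
    # Constructed capture: the first reply comes from the real server 12 hops
    # away (TTL 64 - 12); the second carries the same source address but was
    # emitted 5 hops away by a device that starts from TTL 255, which is why
    # the source address alone cannot tell them apart and the TTL is used.
    replies = [
        {"src": "203.0.113.1", "ttl": 52, "answer": "198.51.100.10"},
        {"src": "203.0.113.1", "ttl": 250, "answer": "192.0.2.99"},
    ]
    for finding in analyse_capture(replies, baseline_hops=12, path=PATH):
        print(finding)
```

The baseline hop count is taken once from replies of the legitimate server during the quiet period, like the baseline library itself; a hop difference of several hops then narrows the search to one node on the known path, which is what the packet capture analysis described above is for.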
The specific embodiments of the storage medium of the present application are basically the same as the embodiments of the domain name attack repair method described above and are not repeated here.
In addition, an embodiment of the present application further provides a computer program product, including a domain name attack repair program which, when executed by a processor, implements the steps of the domain name attack repair method described above.
The specific implementation of the computer program product of the present application is basically the same as the embodiments of the domain name attack repair method described above and is not repeated here.
It should be noted that, in this document, the terms "include", "comprise" or any variation thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that includes the element.
The serial numbers of the embodiments of the present application above are for description only and do not represent the relative merits of the embodiments.
From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software together with a necessary general-purpose hardware platform, and of course also by hardware, but in many cases the former is the better implementation. Based on this understanding, the technical solution of the present application, or the part of it that contributes to the prior art, can be embodied in the form of a software product stored in a storage medium (such as ROM/RAM, a magnetic disk or an optical disc) and including a number of instructions that cause a terminal device (which may be a mobile phone, a computer, a server, an air conditioner, a network device or the like) to execute the methods described in the embodiments of the present application.
The above are only preferred embodiments of the present application and do not limit the patent scope of the present application. Any equivalent structure or equivalent process transformation made using the contents of the specification and drawings of the present application, or any direct or indirect application in other related technical fields, is likewise included in the scope of patent protection of the present application.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410608420.1A CN118827135A (en) | 2024-05-15 | 2024-05-15 | Domain name attack repair method, device, equipment, storage medium and product |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118827135A true CN118827135A (en) | 2024-10-22 |
Family
ID=93084775
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |