CN118400350B - Method and system for identifying and finding different types of domain name authoritative servers - Google Patents

Info

Publication number
CN118400350B
Authority
CN
China
Prior art keywords
authoritative
domain name
servers
server
authority
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202410467082.4A
Other languages
Chinese (zh)
Other versions
CN118400350A (en
Inventor
刘美辰
韩晗
虞宇琪
赵芸伟
王鲁华
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
National Computer Network and Information Security Management Center
Original Assignee
National Computer Network and Information Security Management Center
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by National Computer Network and Information Security Management Center
Priority to CN202410467082.4A
Publication of CN118400350A
Application granted
Publication of CN118400350B
Legal status: Active
Anticipated expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00: Network arrangements, protocols or services for addressing or naming
    • H04L61/45: Network directories; Name-to-address mapping
    • H04L61/4505: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511: Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08: Configuration management of networks or network elements
    • H04L41/0894: Policy-based network configuration management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method and system for identifying and discovering different types of domain name authoritative servers, and relates to the technical field of data processing. The method comprises: obtaining publicly available domain name ranking data via network requests to obtain a domain name set and its authoritative server set; according to the domain name set, resolving the NS records of each domain name to obtain the authoritative servers corresponding to each domain name, forming a set of authoritative servers to be identified; according to the set of authoritative servers to be identified, constructing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names; analyzing those association relationships; and, according to the association relationship information, establishing multiple determination strategies for identifying and discovering the two different types of authoritative servers, and obtaining the third-party hosted authoritative servers and the self-built authoritative servers through the determination strategies. The present invention can effectively identify and discover two different types of authoritative servers, namely self-built and third-party hosted.

Description

Method and system for identifying and finding different types of domain name authoritative servers
Technical Field
The invention relates to the technical field of data processing, in particular to a method and a system for identifying and finding different types of domain name authoritative servers.
Background
The Domain Name System (DNS) is a key infrastructure supporting the Internet. It maps domain names to IP addresses and makes it convenient for users to access the Internet. The DNS is a distributed hierarchical system in which resolution servers at different levels are responsible for resolving domain name records of different levels. The authoritative server is the last layer of resolution server; it plays a crucial role in the domain name resolution process and is responsible for resolving all domain names in its authorized zone into IP addresses or alias (CNAME) records.
At present, a large number of authoritative servers exist in real network environments, and the quality of their resolution service is uneven, which directly affects the resolution efficiency and resolution performance of domain names. To study the resolution service quality of authoritative servers, the type of each authoritative server must first be determined. Authoritative servers can be divided into two types: self-built authoritative servers and third-party hosted authoritative servers. At present, only the authoritative servers of a few well-known third-party hosting and resolution service providers are widely known; the types of most other authoritative servers on the network cannot be determined, and no effective identification and discovery method is known yet.
Disclosure of Invention
The technical problem to be solved by the invention is to provide a method and a system for identifying and discovering different types of authoritative servers, which can effectively identify and discover two different types of authoritative servers: self-built and third-party hosted.
In order to solve the technical problem, the technical scheme of the invention is as follows:
In a first aspect, a method for identifying and discovering different types of domain name authoritative servers, the method comprising:
Obtaining publicly available domain name ranking data via network requests to obtain a domain name set and its authoritative server set;
According to the domain name set, resolving the NS records of each domain name to obtain the authoritative servers corresponding to each domain name, forming a set of authoritative servers to be identified;
According to the set of authoritative servers to be identified, constructing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names;
Analyzing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names;
According to the association relationship information, establishing a plurality of determination strategies for identifying and discovering the two different types of authoritative servers, and obtaining the third-party hosted authoritative servers and the self-built authoritative servers through the determination strategies.
Further, obtaining publicly available domain name ranking data via network requests to obtain a domain name set and its authoritative server set comprises:
The module for resolving and obtaining the authoritative server set standardizes the domain names in the domain name set;
For each domain name in the domain name set, iteratively sending query requests to the root servers and the top-level domain servers using the DNS protocol;
Obtaining the authorized NS records corresponding to the domain name, and extracting the authoritative server set from the authorized NS records;
Storing the domain name and its corresponding authoritative server set data in a database.
Further, constructing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names according to the set of authoritative servers to be identified comprises:
Establishing the association relationships among authoritative servers by analyzing the keyword similarity between authoritative server domain names;
Identifying by clustering the similarity group to which each authoritative server belongs, and constructing authoritative server similarity sets;
Establishing the association relationships between the authoritative servers and the resolved domain names by analyzing the keyword similarity and the principal (owning entity) similarity between each authoritative server and its resolved domain names, and by statistically analyzing the number of resolved domain names and the number of top-level domains covered, so as to construct a plurality of corresponding association sets.
Further, the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names comprise: the similarity among authoritative servers; the number of domain names and the top-level domain range that an authoritative server is responsible for resolving; the principal consistency between an authoritative server and its resolved domain names; and the similarity between an authoritative server and its resolved domain names.
Further, establishing a plurality of determination strategies for identifying and discovering the two different types of authoritative servers according to the association relationship information comprises:
Setting two thresholds, one for the number of resolved domain names and one for the top-level domain range, and preliminarily identifying authoritative servers that exceed the two thresholds as third-party hosted authoritative servers;
Extracting the main domain name of the third-party hosted authoritative server, and verifying whether a corresponding service website exists.
Further, establishing a plurality of determination strategies for identifying and discovering the two different types of authoritative servers according to the association relationship information comprises:
Setting two thresholds, one for the number of resolved domain names and one for the top-level domain range, and preliminarily identifying authoritative servers whose number of resolved domain names and top-level domain range are below the two thresholds as self-built authoritative servers;
Identifying an authoritative server that has the same or a similar main domain name as the resolved domain name as a self-built authoritative server.
Further, after establishing the association relationships between the authoritative servers and the resolved domain names to construct a plurality of corresponding association sets, the method further comprises:
Storing the constructed association relationship sets in a database;
Indexing the association relationships in order to look up the servers or domain names associated with a particular authoritative server.
In a second aspect, a system for identifying and discovering different types of domain name authoritative servers comprises:
An acquisition module, used for obtaining publicly available domain name ranking data via network requests to obtain a domain name set and its authoritative server set, and, according to the domain name set, resolving the NS records of each domain name to obtain the authoritative servers corresponding to each domain name, forming a set of authoritative servers to be identified;
A processing module, used for constructing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names according to the set of authoritative servers to be identified, analyzing those association relationships, establishing a plurality of determination strategies for identifying and discovering the two different types of authoritative servers according to the association relationship information, and obtaining the third-party hosted authoritative servers and the self-built authoritative servers through the determination strategies.
In a third aspect, a computing device comprises:
One or more processors;
A storage device for storing one or more programs that, when executed by the one or more processors, cause the one or more processors to implement the method.
In a fourth aspect, a computer-readable storage medium stores a program which, when executed by a processor, implements the method.
The scheme of the invention at least comprises the following beneficial effects:
The method first collects publicly available domain name ranking data, which ensures that the resulting domain name set is representative and broad and thereby improves the accuracy of the subsequent identification steps. The authoritative servers corresponding to each domain name are obtained by resolving the NS records of the domain name, so that an accurate set of authoritative servers to be identified is constructed, laying a solid foundation for identifying the different types of authoritative servers.
The step of constructing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names makes it possible to comprehensively analyze the similarity among authoritative servers and the association between authoritative servers and their resolved domain names, revealing the patterns and regularities hidden behind the data.
According to the invention, a plurality of determination strategies for identifying the two different types of authoritative servers are established according to the association relationship information. The strategies are flexible and efficient, and third-party hosted authoritative servers and self-built authoritative servers can be identified quickly and accurately.
By accurately identifying the different types of authoritative servers, network resource managers can better understand and grasp the distribution and configuration of network resources, and thereby manage and optimize those resources more effectively.
Accurately identifying the different types of authoritative servers facilitates the timely discovery and prevention of network security risks. For example, for a self-built authoritative server, which may have potential security weaknesses, an administrator can take hardening measures in time; for a third-party hosted authoritative server, its service quality and security can be trusted to a greater degree.
Drawings
FIG. 1 is a flow chart of a method for identifying and discovering different types of domain name authoritative servers according to an embodiment of the present invention.
FIG. 2 is a schematic diagram of a system for identifying and discovering different types of domain name authoritative servers in accordance with an embodiment of the present invention.
Fig. 3 is a schematic structural diagram corresponding to embodiment 1 of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
As shown in FIG. 1, an embodiment of the present invention proposes a method for identifying and discovering different types of domain name authoritative servers, the method comprising the following steps:
Step 11, obtaining publicly available domain name ranking data via network requests to obtain a domain name set and its authoritative server set;
Step 12, according to the domain name set, resolving the NS records of each domain name to obtain the authoritative servers corresponding to each domain name, forming a set of authoritative servers to be identified;
Step 13, according to the set of authoritative servers to be identified, constructing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names;
Step 14, analyzing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names;
Step 15, according to the association relationship information, establishing a plurality of determination strategies for identifying and discovering the two different types of authoritative servers, and obtaining the third-party hosted authoritative servers and the self-built authoritative servers through the determination strategies.
In the embodiment of the invention, step 11 obtains the domain name set from publicly available domain name ranking data, so that the processed data consists of domain names that are currently active and popular, which improves the accuracy of data analysis and identification in the subsequent steps. Step 12 quickly obtains the authoritative server information of each domain name by resolving the NS records of the domain name, and constructs the set of authoritative servers to be identified. Steps 13 and 14 analyze not only the relationships among authoritative servers but also the associations between authoritative servers and the domain names they resolve. In step 15, a plurality of determination strategies are established according to the association relationship information, and these strategies can flexibly handle the identification requirements of the different types of authoritative servers. This flexibility allows the method to be applied more widely in a variety of practical scenarios, improving its usability and adaptability. By identifying the different types of authoritative servers (third-party hosted and self-built), network administrators can understand the distribution and configuration of network resources more clearly and perform more fine-grained resource management and optimization. Accurate classification of authoritative servers also helps to discover potential security risks in time. For example, a self-built authoritative server may lack specialized security safeguards, while a third-party hosted authoritative server may be subject to stricter regulation and protection. By identifying these server types, security precautions can be strengthened in a targeted manner.
In another preferred embodiment of the present invention, step 11 may include:
Step 111, the module for resolving and obtaining the authoritative server set standardizes the domain names in the domain name set;
Step 112, for each domain name in the domain name set, iteratively sending query requests to the root servers and the top-level domain servers using the DNS protocol;
Step 113, obtaining the authorized NS records corresponding to the domain name, and extracting the authoritative server set from the authorized NS records;
Step 114, storing the domain name and its corresponding authoritative server set data in a database.
In the embodiment of the present invention, step 111 standardizes the domain names in the domain name set, which ensures the accuracy and consistency of the data and avoids analysis errors or repeated processing caused by format differences, thereby improving the quality of subsequent data analysis and processing. In step 112, the DNS protocol is used to iteratively send query requests to the root servers and the top-level domain servers, so that the method can efficiently and accurately obtain the authoritative server information corresponding to each domain name; this reduces redundancy and errors in the query process and improves the efficiency and accuracy of data acquisition. Step 113 extracts the authoritative server set from the obtained authorized NS records; this step ensures the accuracy of the data and provides the key base data for subsequent data analysis and server type identification. Step 114 stores the domain name and its corresponding authoritative server set data in a database, which not only persists the data but also facilitates subsequent lookup, update and analysis operations. In addition, database storage provides backup and traceability for the data and ensures its integrity and security.
In another preferred embodiment of the present invention, step 13 may include:
Step 131, establishing the association relationships among authoritative servers by analyzing the keyword similarity between authoritative server domain names;
Step 132, identifying by clustering the similarity group to which each authoritative server belongs, and constructing authoritative server similarity sets;
Step 133, establishing the association relationships between the authoritative servers and the resolved domain names by analyzing the keyword similarity and the principal (owning entity) similarity between each authoritative server and its resolved domain names, and by statistically analyzing the number of resolved domain names and the number of top-level domains covered, so as to construct a plurality of corresponding association sets.
In the embodiment of the present invention, step 131 establishes the association relationships among authoritative servers by analyzing the keyword similarity between their domain names, so as to mine the interconnections among authoritative servers more deeply. Such similarity analysis helps reveal authoritative servers that may be associated in function, management or ownership, providing rich clues for subsequent identification and classification. Step 132 identifies by clustering the similarity group to which each authoritative server belongs and constructs authoritative server similarity sets; this step organizes and classifies the data. Through clustering, authoritative servers with similar characteristics can be grouped together, which simplifies data processing and improves the efficiency and accuracy of the subsequent determination strategies. Step 133 establishes a multidimensional association relationship by comprehensively analyzing the keyword similarity and the principal similarity between each authoritative server and its resolved domain names, and by counting the number of resolved domain names and the number of top-level domains covered. The method considers not only the direct connection between a domain name and a server but also introduces broader statistical and analytical dimensions, so that the constructed relationship network is more comprehensive and deeper. Constructing such multidimensional relationships facilitates more accurate identification and understanding of the characteristics and behavior patterns of the different types of authoritative servers.
In a preferred embodiment of the present invention, the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names comprise: the similarity among authoritative servers; the number of domain names and the top-level domain range that an authoritative server is responsible for resolving; the principal consistency between an authoritative server and its resolved domain names; and the similarity between an authoritative server and its resolved domain names.
In the embodiment of the invention, the similarity among authoritative servers is mainly reflected in aspects such as domain name composition, IP address distribution and management policy. For example, the same organization or entity may manage multiple authoritative servers whose domain names share similar keywords or suffixes, which indicates that there is some association or shared resource between them. An authoritative server may be responsible for resolving multiple domain names; the number of those domain names and the top-level domain range involved (e.g. .com, .net, .org) are key indicators for assessing its importance and impact. For example, an authoritative server responsible for resolving a large number of domain names may play a more important role in the network, and its stability and security have a greater impact on the network as a whole. There may be principal consistency between an authoritative server and the domain names it resolves, i.e. the organization or entity represented by the domain name is the same as, or related to, the administrator or operator of the authoritative server. This consistency helps to confirm the authenticity and legitimacy of the domain name, as the authoritative server typically validates and authorizes the domain names it resolves. In addition to principal consistency, there may be similarity in keywords, semantics or visual design between the authoritative server and the domain names it resolves. This similarity may result from brand strategy, market positioning or user-friendliness considerations, enabling users to identify and remember the domain names associated with a particular authoritative server more easily.
In another preferred embodiment of the present invention, step 15 may include:
Step 151, setting two thresholds, one for the number of resolved domain names and one for the top-level domain range, and preliminarily identifying authoritative servers that exceed the two thresholds as third-party hosted authoritative servers;
Step 152, extracting the main domain name of the third-party hosted authoritative server, and verifying whether a corresponding service website exists.
In the embodiment of the present invention, step 151 sets two thresholds, for the number of resolved domain names and for the top-level domain range, so that authoritative servers that may be third-party hosted can be screened out quickly in a preliminary pass. This approach is based on the assumption that third-party hosted authoritative servers are typically responsible for resolving a large number of domain names across many top-level domains, which enables efficient preliminary identification. Step 152, after a server has been preliminarily identified as a third-party hosted authoritative server, further extracts its main domain name and verifies whether a corresponding service website exists, which significantly improves the accuracy of identification. Verifying the presence of the service website confirms that these authoritative servers are indeed operated by a professional third-party hosting service provider, thereby reducing the likelihood of false positives.
In another preferred embodiment of the present invention, step 15 may include:
Step 153, setting two thresholds, one for the number of resolved domain names and one for the top-level domain range, and preliminarily identifying authoritative servers that fall below the two thresholds as self-built authoritative servers;
Step 154, identifying an authoritative server that has the same or a similar main domain name as the resolved domain name as a self-built authoritative server.
In the embodiment of the present invention, step 153 sets two thresholds, for the number of resolved domain names and for the top-level domain range, so that authoritative servers can be given a preliminary classification. When the number of resolved domain names and the top-level domain range for which an authoritative server is responsible are both smaller than the set thresholds, the server is more likely to be a self-built authoritative server. Step 154 identifies an authoritative server that has the same or a similar main domain name as the resolved domain name as a self-built authoritative server, which significantly improves the accuracy of identification. A self-built authoritative server typically has a close relationship with the domain names it resolves, e.g. it uses the same main domain name or a similar domain name structure. Through this similarity check, such authoritative servers can be determined more accurately, improving the accuracy and reliability of the overall identification.
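The following sketch carries steps 131 to 133 and 151, 153 and 154 through on a small data set; it is an added example, not code from the patent. The threshold values, the similarity cut-off, the use of `difflib` as the keyword-similarity measure, the short multi-label suffix list and every domain name in `SAMPLE_NS` are assumptions or constructed sample data, and the website check of step 152 is left out because it needs network access.

```python
from difflib import SequenceMatcher

# Assumed values: the page names two thresholds and a similarity test but
# gives no numbers for any of them.
MIN_DOMAINS = 3    # threshold on the number of resolved domain names
MIN_TLDS = 3       # threshold on the number of top-level domains covered
SIMILARITY = 0.8   # cut-off for "same or similar" keywords
# Simplification: a production run would use the Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"com.cn", "net.cn", "org.cn", "co.uk"}

# Constructed sample: resolved domain -> NS host names from its delegation.
SAMPLE_NS = {
    "shop-a.com": ["ns1.hostdns-demo.net", "ns2.hostdns-demo.net"],
    "blog-b.org": ["ns1.hostdns-demo.net", "ns2.hostdns-demo.net"],
    "news-c.net": ["ns3.hostdns-demo.net"],
    "portal-d.cn": ["ns1.hostdns-demo.net"],
    "bigcorp-demo.com": ["ns1.bigcorp-demo.com", "ns2.bigcorp-demo.net"],
    "bigcorp-demo.cn": ["ns1.bigcorp-demo.com"],
    "Tiny-Site.org.": ["ns.other-owner.com"],
}


def normalize(name):
    """Standardize a name: trim, drop the trailing root dot, lower-case."""
    return name.strip().rstrip(".").lower()


def main_label(name):
    """Keyword of the main domain: 'ns1.a-b.com.cn' -> 'a-b'."""
    labels = normalize(name).split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    return labels[-suffix_len - 1] if len(labels) > suffix_len else labels[0]


def similar(a, b):
    """Keyword similarity test (assumed measure: difflib ratio)."""
    return SequenceMatcher(None, a, b).ratio() >= SIMILARITY


def build_associations(ns_records):
    """Cluster NS hosts by keyword similarity and collect, per cluster, the
    resolved domains, the TLDs covered and the domains with a matching name."""
    groups = {}
    for domain in sorted(ns_records, key=normalize):
        dom = normalize(domain)
        for server in sorted(normalize(s) for s in ns_records[domain]):
            keyword = main_label(server)
            # Greedy clustering: join the first cluster with a similar keyword.
            key = next((k for k in groups if similar(k, keyword)), keyword)
            group = groups.setdefault(key, {"servers": set(), "domains": set(),
                                            "tlds": set(), "matching": set()})
            group["servers"].add(server)
            group["domains"].add(dom)
            group["tlds"].add(dom.rsplit(".", 1)[-1])
            if similar(main_label(dom), key):
                group["matching"].add(dom)
    return groups


def classify(group):
    """One way to combine the threshold rules with the name-similarity rule."""
    n_domains, n_tlds = len(group["domains"]), len(group["tlds"])
    if n_domains > MIN_DOMAINS and n_tlds > MIN_TLDS:
        # Step 151 only; step 152 (service website check) is not performed.
        return "third-party hosted (preliminary)"
    if n_domains < MIN_DOMAINS and n_tlds < MIN_TLDS:
        # Step 153, confirmed by step 154 when a resolved domain matches.
        return "self-built" if group["matching"] else "self-built (preliminary)"
    return "undetermined"


def classify_all(ns_records):
    groups = build_associations(ns_records)
    return {key: classify(group) for key, group in groups.items()}


if __name__ == "__main__":
    for key, label in classify_all(SAMPLE_NS).items():
        print(f"{key}: {label}")
```

A cluster that falls between the two rules (for example many domains under a single top-level domain) is reported as undetermined rather than forced into either type.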
In a preferred embodiment of the present invention, after step 133, the method further includes:
Step 1331, storing the constructed association relationship sets in a database;
Step 1332, indexing the association relationships in order to look up the servers or domain names associated with a particular authoritative server.
In the embodiment of the invention, step 1331 stores the constructed association relationship sets in a database, so that the data is persisted. This means that even if processing is interrupted or a later analysis is required, the association relationships that have already been established are not lost and can be retrieved from the database at any time. In addition, the database serves as a centralized data store in which multiple association relationship sets can be integrated, which facilitates global analysis and querying. Step 1332 indexes the association relationships, which can significantly improve the efficiency of data retrieval and querying. An index is a data structure that allows a database system to quickly locate data matching a particular query condition. In this case, other servers or domain names associated with a particular authoritative server can be looked up quickly through the index, which speeds up the analysis process.
As shown in FIG. 2, an embodiment of the present invention also provides a system 20 for identifying and discovering different types of domain name authoritative servers, comprising:
The acquisition module 21, used for obtaining publicly available domain name ranking data via network requests to obtain a domain name set and its authoritative server set, and, according to the domain name set, resolving the NS records of each domain name to obtain the authoritative servers corresponding to each domain name, forming the set of authoritative servers to be identified;
The processing module 22, used for constructing the association relationships among the authoritative servers and between the authoritative servers and the resolved domain names according to the set of authoritative servers to be identified, analyzing those association relationships, establishing a plurality of determination strategies for identifying and discovering the two different types of authoritative servers according to the association relationship information, and obtaining the third-party hosted authoritative servers and the self-built authoritative servers through the determination strategies.
Optionally, obtaining the ranking data of the network public domain name by a network request mode to obtain a domain name set and an authoritative server set thereof includes:
The analysis and acquisition authority server set module is used for carrying out standardized processing on domain names in the domain name set;
Iteratively sending a query request to a root server and a top-level domain server by using a DNS protocol for each domain name in the domain name set;
Acquiring an authorized NS record corresponding to the domain name, and extracting an authoritative server set from the authorized NS record;
And storing the domain name and corresponding authoritative server set data in a database.
Optionally, constructing the association relationships among authoritative servers and between authoritative servers and resolved domain names according to the set of authoritative servers to be identified includes:
Establishing the association relationships among authoritative servers by analyzing the keyword similarity between authoritative server domain names;
Clustering to identify which authoritative servers belong to the same similarity group, and constructing the authoritative server similarity set;
Establishing the association relationships between authoritative servers and resolved domain names by analyzing the keyword similarity and subject similarity between each authoritative server and its resolved domain names, and by counting the number of resolved domain names and the number of top-level domains they cover, so as to construct the corresponding association sets.
Optionally, the association relationships among authoritative servers and between authoritative servers and resolved domain names include: the similarity among authoritative servers; the number of domain names each authoritative server is responsible for resolving and their top-level domain range; the consistency between the subject (the owning entity) of the authoritative server and that of its resolved domain names; and the similarity between the authoritative server and its resolved domain names.
Optionally, establishing, from the association information, a plurality of decision strategies for identifying and discovering each of the two different types of authoritative servers includes:
setting two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifying authoritative servers that exceed both thresholds as third-party hosted authoritative servers;
extracting the main domain name of each third-party hosted authoritative server, and verifying whether a corresponding service website exists.
Optionally, establishing, from the association information, a plurality of decision strategies for identifying and discovering each of the two different types of authoritative servers includes:
setting two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifying authoritative servers whose number of resolved domain names and top-level domain range are both below the two thresholds as self-built authoritative servers;
identifying an authoritative server that has the same or a similar main domain name as its resolved domain names as a self-built authoritative server.
Optionally, after establishing the association relationships between authoritative servers and resolved domain names to construct the corresponding association sets, the method further includes:
storing the constructed association sets in a database;
indexing the association relationships so that the servers or domain names associated with a specific authoritative server can be found.
Example 1
As shown in FIG. 3, a method for identifying and discovering different types of domain name authoritative servers includes:
Step 1, domain name set: the domain name set is the basis for identifying and discovering authoritative servers. It selects domain names that users in the real network care about and that receive heavy traffic, such as the domain names in the Alexa ranking and the Cisco Umbrella ranking;
Step 2, module for resolving and acquiring the authoritative server set: first, the domain names in the domain name set are normalized to ensure that each domain name to be resolved is a registered domain name; then, for each domain name in the domain name set, query requests are sent iteratively to the root servers and top-level domain servers using the DNS protocol to obtain the delegation NS records corresponding to the domain name, and the authoritative server set is extracted from those records;
Step 3, module for constructing the association relationships among authoritative servers and between authoritative servers and resolved domain names. First, the association relationships among authoritative servers are established by analyzing the keyword similarity between authoritative servers, and clustering then identifies which servers belong to the same similarity group, yielding the authoritative server similarity set. Further, the association relationships between authoritative servers and resolved domain names are established by analyzing the keyword similarity and subject similarity between each authoritative server and its resolved domain names, and by counting the number of resolved domain names and the number of top-level domains they cover. Finally, the constructed association sets are stored in a database, with a suitable dictionary data structure designed to support efficient queries, and the association relationships are indexed so that other servers or domain names associated with a specific authoritative server can be found quickly. The module comprises four sub-modules: the sub-module for analyzing similarity among authoritative servers, the sub-module for obtaining the number of domain names each authoritative server resolves, the sub-module for analyzing whether the authoritative server and its resolved domain names have a consistent subject, and the sub-module for analyzing similarity between the authoritative server and its resolved domain names:
Step 31, the sub-module for analyzing similarity among authoritative servers aggregates, through keyword similarity matching, authoritative servers that have the same main domain name or similar domain names;
Step 32, the sub-module for obtaining the range and number of domain names each authoritative server resolves counts, for each authoritative server, the number of domain names it is responsible for resolving and the number of top-level domains those domain names belong to;
Step 33, the sub-module for analyzing subject consistency judges whether the authoritative server and its resolved domain names belong to the same subject, using information such as domain name WHOIS, IP WHOIS, domain name ICP records and website content;
Step 34, the sub-module for analyzing similarity between the authoritative server and its resolved domain names uses keyword matching to determine whether the authoritative server and its resolved domain names have the same or a similar main domain name;
Step 4, the third-party hosted authoritative server identification and discovery module identifies hosted authoritative servers from the authoritative server set, based on the following three discovery strategies:
Step 41, resolved-domain-count threshold decision strategy. The basis of this strategy is that a third-party hosting provider serves a large number of users, so its authoritative servers generally resolve many domain names and cover a wide range of top-level domains. The strategy sets two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifies authoritative servers that exceed both thresholds as third-party hosted authoritative servers;
Step 42, domain name resolution service website verification strategy: extract the main domain name of each hosted authoritative server identified in step 41 and verify whether a corresponding service website exists (if the server is a hosting server, a website addressed by the main domain name generally exists so that domain name registration and resolution services can be offered to users); this further verification improves identification accuracy;
Step 43, authoritative server similarity aggregation strategy: to balance resolution traffic and improve resolution efficiency, a third-party hosting provider generally configures several authoritative resolution servers whose main domain names are the same or similar, so the other servers in the same aggregation group as the servers identified in step 41 and step 42 can also be determined to be third-party hosted authoritative servers;
Step 5, the self-built authoritative server identification and discovery module identifies self-built authoritative servers from the authoritative server set, based on the following three discovery strategies:
Step 51, resolved-domain-count threshold decision strategy. The basis of this strategy is that a self-built authoritative server is responsible only for resolving a small number of the company's own domain names, which generally share the same main domain name and involve only one or a few top-level domains. The strategy therefore sets two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifies authoritative servers that fall below both thresholds as self-built authoritative servers;
Step 52, main domain name similarity strategy: because a self-built authoritative server and its resolved domain names generally have the same or a similar main domain name, an authoritative server that has the same or a similar main domain name as its resolved domain names is identified as a self-built authoritative server;
Step 53, subject consistency strategy: for the authoritative servers identified by the strategies in step 51 and step 52, verify whether the subject of the authoritative server is consistent with that of its resolved domain names, to further confirm whether it is a self-built authoritative server and thereby improve the accuracy of identification and discovery.
The invention is further described below with reference to examples.
The identification and discovery of the two different types of authoritative servers, third-party hosted and self-built, mainly comprises the following steps:
1. The domain name set is acquired as follows:
Domain names that are commonly used and heavily visited are collected. Public domain name ranking data, such as the Alexa top-million domain name data or the Cisco Umbrella top-million domain name data, can be obtained through network requests.
2. The authoritative server set is acquired as follows:
Based on the domain name set, the authoritative servers corresponding to each domain name are obtained by resolving the NS records of the domain name, forming the set of authoritative servers to be identified. If the domain name set contains a fully qualified domain name (FQDN), the host name must be removed and the NS records of the registered domain name requested; for example, for www.freedesktop.org the registered domain name is freedesktop.org.
3. The association relationships among authoritative servers and between authoritative servers and resolved domain names are constructed as follows:
Step 1, traverse the authoritative server set and aggregate, through keyword similarity matching, the authoritative servers that have the same main domain name or similar domain names; the aggregation set is recorded as set_auth_same. For example, the five authoritative servers ns1.xserver.jp / ns2.xserver.jp / ns3.xserver.jp / ns4.xserver.jp / ns5.xserver.jp have the same main domain name (xserver.jp), so they are aggregated into one group. Similarly, ns1-08.azure-dns.com / ns1-08.azure-dns.net / ns1-08.azure-dns.org / ns1-08.azure-dns.info differ only in the top-level domain and otherwise have a similar domain name structure (ns1-08.azure-dns), so they are aggregated into one group.
Step 2, count, for each authoritative server, the number of domain names it is responsible for resolving and the number of top-level domains those domain names belong to (used to identify the range of top-level domains covered), and construct the dictionary dict_domain_tld_num;
Step 3, analyze through keyword matching whether the authoritative server and its resolved domain names have the same or a similar main domain name, and construct the dictionary dict_primary_domain_consistency. For example, the authoritative server ns1.zoznam.sk and the resolved domain name zoznam.sk have the same main domain name zoznam.sk, and the authoritative server ns1.bancocucullan.com.sv and the resolved domain name bancocucullan.com have similar main domain names.
Step 4, obtain information about the subjects of the authoritative server and its resolved domain names from domain name WHOIS, IP WHOIS, ICP records, website content and similar sources, judge whether the subject of the authoritative server is consistent with that of the resolved domain names, and construct the dictionary dict_subject_consistency. For example, the ICP record subject of both the authoritative server ns1.jjworld.net.cn and the resolved domain name jj.cn is Competitive World (Beijing) Network Technology Co., Ltd., so the two subjects can be judged consistent.
4. The authoritative server set is traversed and third-party hosted authoritative servers are identified as follows:
Step 1, first set the two thresholds n1 and n2 on the number of resolved domain names and the top-level domain range respectively, then traverse the dictionary dict_domain_tld_num and preliminarily identify the servers whose number of resolved domain names and top-level domain range both exceed the two thresholds as third-party hosted authoritative servers. The two thresholds can be adjusted dynamically: the larger the two values, the higher the accuracy of the preliminary identification, but some hosting servers will be filtered out and go unidentified. Based on statistical empirical values, n1 and n2 may be set to 20 and 5, respectively.
Step 2, traverse the servers identified in step 1, extract the main domain name of each, and determine whether the authoritative server has a corresponding service site (if the authoritative server is a hosting server, a website addressed by the main domain name generally exists so that domain name registration and resolution services can be offered to users). For example, for the Alibaba authoritative server dns10.hichina.com, the service website www.hichina.com exists. Servers with a site are retained and those without are filtered out; this further verification improves identification accuracy.
Step 3, expand the identification result using the authoritative server aggregation result from the association relationships. To balance resolution traffic and improve resolution efficiency, a third-party hosting provider generally configures several authoritative resolution servers whose main domain names are the same or similar. Traverse the servers identified in step 2 together with the aggregation set set_auth_same; the other authoritative servers in the same aggregation group as an identified server are also identified as third-party hosted authoritative servers. For example, the servers expiren3.hichina.com and dns10.hichina.com belong to one aggregation group. dns10.hichina.com is identified as a third-party hosted authoritative server through step 1 and step 2, while expiren3.hichina.com is filtered out in step 1 because it resolves few domain names; because it is in the same aggregation group as the identified server dns10.hichina.com, it is now also identified as a third-party hosted authoritative server.
5. The authoritative server set is traversed and self-built authoritative servers are identified as follows:
Step 1, in contrast to the identification of third-party hosted authoritative servers, traverse the dictionary dict_domain_tld_num, select the authoritative servers whose number of resolved domain names and top-level domain range are both smaller than the thresholds n1 and n2, and identify them as self-built authoritative servers.
Step 2, because a self-built authoritative server and its resolved domain names generally have the same or a similar main domain name, traverse the dictionary dict_primary_domain_consistency and check whether the authoritative server and all the domain names it is responsible for resolving have the same main domain name or similar domain names; if so, identify it as a self-built authoritative server. For example, the authoritative server dns1.hitwh.edu.cn and the resolved domain names www.dns2.hitwh.edu.cn / lib.hitwh.edu.cn / job.hitwh.edu.cn / jwc.hitwh.edu.cn, etc., have the same main domain name hitwh.edu.cn, so the authoritative server dns1.hitwh.edu.cn is identified as a self-built authoritative server.
Step 3, traverse the self-built authoritative servers identified in step 1 and step 2 and check, against the dictionary dict_subject_consistency, whether each authoritative server and all of its resolved domain names belong to the same subject. If they belong to the same subject, the server is retained; otherwise it is deleted from the set of identified self-built authoritative servers.
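The identification procedure of sections 3 to 5 above, as an added Python example that is not part of the patent text. Assumptions: a short suffix list stands in for the Public Suffix List, "same or similar main domain name" is approximated by equality of the main label, the service-site and subject lookups are constructed tables instead of live HTTP/WHOIS/ICP queries, and the self-built candidates from step 1 and step 2 are combined as a union before the subject check.

```python
from collections import defaultdict

# Assumption: this short list stands in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"edu.cn", "net.cn", "com.cn", "com.sv"}
# Constructed stand-ins for the WHOIS/ICP subject lookup and the service-site probe.
SAME_SUBJECT_PAIRS = {("jjworld.net.cn", "jj.cn")}
SERVICE_SITES = {"hichina.com"}


def split_registered(name):
    """'dns1.hitwh.edu.cn' -> ('hitwh', 'edu.cn'): main label and suffix."""
    labels = name.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= n:
        raise ValueError(f"no registered domain in {name!r}")
    return labels[-n - 1], ".".join(labels[-n:])


def registered_domain(name):
    """Strip host labels: 'www.freedesktop.org' -> 'freedesktop.org'."""
    main, suffix = split_registered(name)
    return f"{main}.{suffix}"


def build_relations(domain_ns):
    """Build the association sets from a {domain: [authoritative servers]} map."""
    served = defaultdict(set)   # ns -> registered domains it resolves
    for domain, servers in domain_ns.items():
        for ns in servers:
            served[ns.lower()].add(registered_domain(domain))
    groups = defaultdict(set)   # set_auth_same, keyed by the shared main label
    for ns in served:
        groups[split_registered(ns)[0]].add(ns)
    # dict_domain_tld_num: ns -> (number of domains, number of distinct TLDs)
    counts = {ns: (len(d), len({x.rsplit(".", 1)[-1] for x in d}))
              for ns, d in served.items()}
    return dict(served), dict(groups), counts


def same_subject(ns, domain):
    """Subject consistency: same registered domain or a known same-owner pair."""
    owner = registered_domain(ns)
    return owner == domain or (owner, domain) in SAME_SUBJECT_PAIRS


def identify_hosted(groups, counts, n1=20, n2=5):
    # Step 1: both counts strictly above the thresholds.
    step1 = {ns for ns, (nd, nt) in counts.items() if nd > n1 and nt > n2}
    # Step 2: keep servers whose main domain has a service website.
    step2 = {ns for ns in step1 if registered_domain(ns) in SERVICE_SITES}
    # Step 3: pull in every server from the same aggregation group.
    hosted = set()
    for ns in step2:
        hosted |= groups[split_registered(ns)[0]]
    return hosted


def identify_self_built(served, counts, n1=20, n2=5):
    # Step 1: both counts strictly below the thresholds.
    step1 = {ns for ns, (nd, nt) in counts.items() if nd < n1 and nt < n2}
    # Step 2: server and every resolved domain share the main label.
    step2 = {ns for ns, doms in served.items()
             if all(split_registered(d)[0] == split_registered(ns)[0]
                    for d in doms)}
    # Step 3 (steps 1 and 2 read as a union): keep only servers whose
    # subject matches every domain they resolve.
    return {ns for ns in step1 | step2
            if all(same_subject(ns, d) for d in served[ns])}


def classify(domain_ns, n1=20, n2=5):
    served, groups, counts = build_relations(domain_ns)
    return (identify_hosted(groups, counts, n1, n2),
            identify_self_built(served, counts, n1, n2))


def sample_domain_ns():
    """Constructed sample: 24 customer domains over 6 TLDs on one hosting
    server, plus a few small zones. Not measurement data."""
    tlds = ["com", "net", "org", "cn", "info", "io"]
    data = {f"customer{i}.{tlds[i % 6]}": ["dns10.hichina.com"]
            for i in range(24)}
    data.update({
        "smallshop.com": ["expiren3.hichina.com"],
        "www.hitwh.edu.cn": ["dns1.hitwh.edu.cn"],
        "lib.hitwh.edu.cn": ["dns1.hitwh.edu.cn"],
        "zoznam.sk": ["ns1.zoznam.sk"],
        "jj.cn": ["ns1.jjworld.net.cn"],
    })
    return data


if __name__ == "__main__":
    hosted, self_built = classify(sample_domain_ns())
    print("third-party hosted:", sorted(hosted))
    print("self-built:", sorted(self_built))
```

In the sample, expiren3.hichina.com falls below both thresholds and so enters the self-built candidates, but the subject check removes it and the aggregation step places it with the hosted servers.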
It should be noted that this system corresponds to the method described above; all implementations in the method embodiments apply to this embodiment and achieve the same technical effects.
Embodiments of the invention also provide a computing device comprising a processor, a memory storing a computer program which, when executed by the processor, performs a method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Embodiments of the present invention also provide a computer-readable storage medium storing instructions that, when executed on a computer, cause the computer to perform a method as described above. All the implementation manners in the method embodiment are applicable to the embodiment, and the same technical effect can be achieved.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
It will be clear to those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described systems, apparatuses and units may refer to corresponding procedures in the foregoing method embodiments, and are not repeated herein.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present invention may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present invention, in essence, or the part of it that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a ROM, a RAM, a magnetic disk or an optical disk.
Furthermore, it should be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. Also, the steps of performing the series of processes described above may naturally be performed in chronological order in the order of description, but are not necessarily performed in chronological order, and some steps may be performed in parallel or independently of each other. It will be appreciated by those of ordinary skill in the art that all or any of the steps or components of the methods and apparatus of the present invention may be implemented in hardware, firmware, software, or any combination thereof in any computing device (including processors, storage media, etc.) or network of computing devices, as would be apparent to one of ordinary skill in the art upon reading the present specification.
The object of the invention can thus also be achieved by running a program or a set of programs on any computing device. The computing device may be a well-known general purpose device. The object of the invention can thus also be achieved by merely providing a program product containing program code for implementing said method or apparatus. That is, such a program product also constitutes the present invention, and a storage medium storing such a program product also constitutes the present invention. It is apparent that the storage medium may be any known storage medium or any storage medium developed in the future. It should also be noted that in the apparatus and method of the present invention, it is apparent that the components or steps may be disassembled and/or assembled. Such decomposition and/or recombination should be considered as equivalent aspects of the present invention. The steps of executing the series of processes may naturally be executed in chronological order in the order described, but are not necessarily executed in chronological order. Some steps may be performed in parallel or independently of each other.
While the foregoing is directed to the preferred embodiments of the present invention, it will be appreciated by those skilled in the art that various modifications and adaptations can be made without departing from the principles of the present invention, and such modifications and adaptations are intended to be comprehended within the scope of the present invention.

Claims (8)

1. A method for identifying and discovering different types of domain name authoritative servers, the method comprising:
acquiring public domain name ranking data through network requests to obtain a domain name set and an authoritative server set;
obtaining, based on the domain name set, the authoritative servers corresponding to each domain name by resolving the NS records of the domain name, to form a set of authoritative servers to be identified;
constructing the association relationships among authoritative servers and between authoritative servers and resolved domain names according to the set of authoritative servers to be identified;
analyzing the association relationships among authoritative servers and between authoritative servers and resolved domain names;
establishing, from the association information, a plurality of decision strategies for identifying and discovering each of the two different types of authoritative servers, and obtaining third-party hosted authoritative servers and self-built authoritative servers through the decision strategies;
wherein establishing, from the association information, a plurality of decision strategies for identifying and discovering each of the two different types of authoritative servers comprises:
setting two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifying authoritative servers that exceed both thresholds as third-party hosted authoritative servers;
extracting the main domain name of each third-party hosted authoritative server, and verifying whether a corresponding service website exists;
setting two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifying authoritative servers whose number of resolved domain names and top-level domain range are both below the two thresholds as self-built authoritative servers;
identifying an authoritative server that has the same or a similar main domain name as its resolved domain names as a self-built authoritative server.
2. The method for identifying and discovering different types of domain name authoritative servers according to claim 1, wherein obtaining network public domain name ranking data in a network request mode to obtain a domain name set and an authoritative server set thereof comprises:
normalizing, by the module for resolving and acquiring the authoritative server set, the domain names in the domain name set;
for each domain name in the domain name set, iteratively sending query requests to the root servers and top-level domain servers using the DNS protocol;
acquiring the delegation NS records corresponding to the domain name, and extracting the authoritative server set from the delegation NS records;
storing the domain name and the corresponding authoritative server set data in a database.
3. The method for identifying and discovering different types of domain name authoritative servers according to claim 2, wherein constructing association relations between authoritative servers and resolved domain names according to the set of authoritative servers to be identified comprises:
establishing the association relationships among authoritative servers by analyzing the keyword similarity between authoritative server domain names;
clustering to identify which authoritative servers belong to the same similarity group, and constructing the authoritative server similarity set;
establishing the association relationships between authoritative servers and resolved domain names by analyzing the keyword similarity and subject similarity between each authoritative server and its resolved domain names, and by counting the number of resolved domain names and the number of top-level domains they cover, so as to construct the corresponding association sets.
4. The method of claim 3, wherein the association relationships among authoritative servers and between authoritative servers and resolved domain names comprise: the similarity among authoritative servers; the number of domain names each authoritative server resolves and their top-level domain range; the consistency between the subject of the authoritative server and that of its resolved domain names; and the similarity between the authoritative server and its resolved domain names.
5. The method for identifying and discovering different types of domain name authoritative servers according to claim 4, wherein after establishing the association relationship between the authoritative servers and the resolved domain names to construct the corresponding plurality of association sets, further comprising:
storing the constructed association relation set into a database;
the association is indexed to find the server or domain name associated with the particular authoritative server.
6. A system for identifying and discovering different types of domain name authoritative servers, comprising:
an acquisition module, configured to acquire public domain name ranking data through network requests to obtain a domain name set and its authoritative server set;
a processing module, configured to construct, according to the set of authoritative servers to be identified, the association relationships among authoritative servers and between authoritative servers and resolved domain names, to analyze those association relationships, and to obtain third-party hosted authoritative servers and self-built authoritative servers;
wherein establishing, from the association information, a plurality of decision strategies for identifying and discovering each of the two different types of authoritative servers comprises:
setting two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifying authoritative servers that exceed both thresholds as third-party hosted authoritative servers;
extracting the main domain name of each third-party hosted authoritative server, and verifying whether a corresponding service website exists;
setting two thresholds, one on the number of resolved domain names and one on the top-level domain range, and preliminarily identifying authoritative servers whose number of resolved domain names and top-level domain range are both below the two thresholds as self-built authoritative servers;
identifying an authoritative server that has the same or a similar main domain name as its resolved domain names as a self-built authoritative server.
7. A computing device, comprising:
One or more processors;
Storage means for storing one or more programs which when executed by the one or more processors cause the one or more processors to implement the method of any of claims 1 to 5.
8. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a program which, when executed by a processor, implements the method according to any of claims 1 to 5.
CN202410467082.4A 2024-04-18 2024-04-18 Method and system for identifying and finding different types of domain name authoritative servers Active CN118400350B (en)


Publications (2)

Publication Number    Publication Date
CN118400350A (en)    2024-07-26
CN118400350B (en)    2025-03-04

Family

ID=91987219

Country Status (1)

Country Link
CN (1) CN118400350B (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant