Disclosure of Invention
The application provides a DNS user identification system and a DNS user identification method, which are used for solving the problem of poor accuracy of DNS user identification in the prior art.
In a first aspect, the present application provides a DNS user identifying system, including a gateway device, a DNS server, and an authentication server;
the authentication server is used for generating authentication identification information and key information of the user when the user registers; sending the authentication identification information and the key information to the gateway device and the DNS server respectively;
The gateway device is used for sending a DNS request to the DNS server, wherein the DNS request carries ciphertext data corresponding to authentication identification information of the user, and the ciphertext data is obtained by encrypting the authentication identification information according to the key information;
The DNS server is used for acquiring the ciphertext data carried in the DNS request, decrypting the ciphertext data according to the key information, and determining that the user is a DNS user if authentication identification information obtained by decryption is consistent with authentication identification information of the user sent to the DNS server by the authentication server.
In a second aspect, the present application provides a DNS user identifying method, applied to a gateway device, where the method includes:
sending a DNS request to a DNS server, where the DNS request carries ciphertext data corresponding to authentication identification information of a user, and the ciphertext data is obtained by encrypting the authentication identification information according to key information, so that the DNS server obtains the ciphertext data carried in the DNS request, decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if the authentication identification information obtained by decryption is consistent with the authentication identification information of the user sent to the DNS server by an authentication server; where the authentication server generates the authentication identification information and the key information of the user when the user registers, and sends the authentication identification information and the key information to the gateway device and the DNS server respectively.
In a third aspect, the present application provides a DNS user identifying method, applied to a DNS server, where the method includes:
receiving a DNS request sent by gateway equipment, wherein the DNS request carries ciphertext data corresponding to authentication identification information of a user, and the ciphertext data is obtained by encrypting the authentication identification information according to key information by the gateway equipment;
Decrypting the ciphertext data according to the key information, and determining that the user is a DNS user if authentication identification information obtained by decryption is consistent with authentication identification information of the user sent to the DNS server by the authentication server;
The authentication server generates authentication identification information and key information of the user when the user is registered, and sends the authentication identification information and the key information to the gateway equipment and the DNS server respectively.
In a fourth aspect, the present application provides a DNS user identifying method, applied to an authentication server, the method including:
when a user registers, generating authentication identification information and key information of the user, and respectively transmitting the authentication identification information and the key information to gateway equipment and a DNS server;
The gateway equipment sends a DNS request to the DNS server, wherein the DNS request carries ciphertext data corresponding to authentication identification information of the user, and the ciphertext data is obtained by encrypting the authentication identification information according to the key information;
the DNS server decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if the authentication identification information obtained by decryption is consistent with the authentication identification information of the user sent to the DNS server by the authentication server.
In a fifth aspect, the present application provides a DNS user identifying device, applied to a gateway device, where the device includes:
The encryption module is used for encrypting the authentication identification information of the user sent by the authentication server according to the key information of the user sent by the authentication server to obtain ciphertext data;
a first sending module, configured to send a DNS request to the DNS server, where the DNS request carries the ciphertext data corresponding to the authentication identification information of the user;
where the DNS server obtains the ciphertext data carried in the DNS request, decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if the authentication identification information obtained by decryption is consistent with the authentication identification information of the user sent to the DNS server by the authentication server; and the authentication server generates the authentication identification information and the key information of the user when the user registers, and sends the authentication identification information and the key information to the gateway device and the DNS server respectively.
In a sixth aspect, the present application provides a DNS user identifying device, applied to a DNS server, the device including:
a receiving module, configured to receive a DNS request sent by a gateway device, where the DNS request carries ciphertext data corresponding to authentication identification information of a user, and the ciphertext data is obtained by the gateway device by encrypting the authentication identification information according to key information;
The identification module is used for acquiring the ciphertext data carried in the DNS request, decrypting the ciphertext data according to the key information, and determining that the user is a DNS user if authentication identification information obtained by decryption is consistent with authentication identification information of the user sent to the DNS server by the authentication server;
The authentication server generates authentication identification information and key information of the user when the user is registered, and sends the authentication identification information and the key information to the gateway equipment and the DNS server respectively.
In a seventh aspect, the present application provides a DNS user identifying device applied to an authentication server, the device including:
the generation module is used for generating authentication identification information and key information of the user when the user registers;
The second sending module is used for respectively sending the authentication identification information and the key information to the gateway equipment and the DNS server;
The gateway equipment sends a DNS request to the DNS server, wherein the DNS request carries ciphertext data corresponding to authentication identification information of the user, and the ciphertext data is obtained by encrypting the authentication identification information according to the key information;
the DNS server decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if the authentication identification information obtained by decryption is consistent with the authentication identification information of the user sent to the DNS server by the authentication server.
In an eighth aspect, the present application provides a gateway device, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the DNS user identification method applied to the gateway device when executing the program stored in the memory.
In a ninth aspect, the present application provides a DNS server, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the DNS user identification method applied to the DNS server when executing the program stored in the memory.
In a tenth aspect, the present application provides an authentication server, including a processor, a communication interface, a memory, and a communication bus, where the processor, the communication interface, and the memory communicate with each other through the communication bus;
the memory is configured to store a computer program;
and the processor is configured to implement the DNS user identification method applied to the authentication server when executing the program stored in the memory.
In an eleventh aspect, the present application provides a computer readable storage medium, in which a computer program is stored, the computer program implementing the DNS user identifying method when executed by a processor.
In a twelfth aspect, the present application provides a computer program product which, when invoked by a computer, causes the computer to perform the DNS user identifying method.
The technical scheme has the following advantages or beneficial effects:
In the application, when a user registers, the authentication server generates authentication identification information and key information of the user and sends them to the gateway device and the DNS server respectively. When the gateway device sends a DNS request to the DNS server, it encrypts the authentication identification information with the key information it received from the authentication server and carries the resulting ciphertext data in the DNS request. The DNS server decrypts the ciphertext data with the key information it received from the authentication server to obtain the authentication identification information, and then checks whether the decrypted authentication identification information is consistent with the authentication identification information of the user that the authentication server sent to the DNS server. If the two are consistent, the user is a user registered with the authentication server and is determined to be a DNS user. In short, the application generates authentication identification information and key information at user registration, carries the ciphertext obtained by encrypting the authentication identification information with the key information in the DNS request, has the DNS server decrypt it, and obtains the DNS user identification result from the consistency check against the authentication identification information that the authentication server sent to the DNS server. Compared with the prior art, which identifies users through static NAT or dynamic NAT mappings, this improves the accuracy of DNS user identification.
Detailed Description
For the purposes of making the objects and embodiments of the present application more apparent, an exemplary embodiment of the present application will be described in detail below with reference to the accompanying drawings in which exemplary embodiments of the present application are illustrated, it being apparent that the exemplary embodiments described are only some, but not all, of the embodiments of the present application.
It should be noted that the brief description of the terminology in the present application is for the purpose of facilitating understanding of the embodiments described below only and is not intended to limit the embodiments of the present application. Unless otherwise indicated, these terms should be construed in their ordinary and customary meaning.
The terms first, second, third and the like in the description, in the claims and in the above-described figures are used for distinguishing between similar objects or entities and not necessarily for describing a particular sequential or chronological order, unless otherwise indicated. It is to be understood that the terms so used are interchangeable under appropriate circumstances.
The terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a product or apparatus that comprises a list of elements is not necessarily limited to all elements explicitly listed, but may include other elements not expressly listed or inherent to such product or apparatus.
The term "module" refers to any known or later developed hardware, software, firmware, artificial intelligence, fuzzy logic, or combination of hardware or/and software code that is capable of performing the function associated with that element.
It should be noted that the above embodiments are merely for illustrating the technical solution of the present application and not for limiting the same, and although the present application has been described in detail with reference to the above embodiments, it should be understood by those skilled in the art that the technical solution described in the above embodiments may be modified or some or all of the technical features may be equivalently replaced, and these modifications or substitutions do not make the essence of the corresponding technical solution deviate from the scope of the technical solution of the embodiments of the present application.
The foregoing description, for purposes of explanation, has been presented in conjunction with specific embodiments. The illustrative discussions above are not intended to be exhaustive or to limit the embodiments to the precise forms disclosed above. Many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles and the practical application, to thereby enable others skilled in the art to best utilize the embodiments and various embodiments with various modifications as are suited to the particular use contemplated.
The DNS user identification method provided by the application can be applied to the scene of the Internet of things. The terms involved in the present application are explained as follows:
DNS (Domain Name System) is a distributed database on the Internet that maps domain names and IP addresses to each other, so that users can access the Internet more conveniently without having to remember the numeric IP addresses that machines read directly.
EDNS (Extension Mechanisms for DNS) is a DNS extension protocol that allows DNS servers and clients to carry more information in DNS queries and responses. Its two common uses are supporting DNSSEC (origin authentication and integrity protection of DNS data; EDNS carries the DO bit and the larger messages that signed responses need) and optimizing resolution results.
UUID is an abbreviation for universally unique identification code (Universally Unique Identifier). The authentication identification information of the user in the application is UUID.
NAT (Network Address Translation) is an IETF (Internet Engineering Task Force) standard that allows an entire organization to appear on the Internet under a single public IP (Internet Protocol) address. NAT is used when hosts inside a private network have been assigned local (private) IP addresses but need to communicate with hosts on the Internet. As its name suggests, it translates internal private network IP addresses into routable public IP addresses. Besides easing IP address exhaustion, NAT hides the addresses of the computers inside the network, which gives them some protection against being reached directly from outside.
Fig. 1 is a schematic diagram of a DNS user identifying system provided by the present application, including a gateway device 11, a DNS server 12, and an authentication server 13;
The authentication server 13 is used for generating authentication identification information and key information of a user when the user is registered, and respectively transmitting the authentication identification information and the key information to the gateway device 11 and the DNS server 12;
The gateway device 11 is configured to send a DNS request to the DNS server 12, where the DNS request carries ciphertext data corresponding to authentication identifier information of the user, where the ciphertext data is obtained by encrypting the authentication identifier information according to the key information;
the DNS server 12 is configured to obtain the ciphertext data carried in the DNS request, decrypt the ciphertext data according to the key information, and determine that the user is a DNS user if authentication identification information obtained by decrypting is consistent with authentication identification information of the user sent to the DNS server by the authentication server 13.
The gateway device sends a registration request to an authentication server, wherein the registration request carries identification information of a user, the authentication server generates authentication identification information (UUID) and key information of the user according to the identification information of the user when receiving the registration request, and sends the authentication identification information and the key information to the gateway device and the DNS server respectively.
Alternatively, the key information may be an encryption and decryption key pair including encryption information and decryption information. The gateway device encrypts the authentication identification information by using the encryption information in the encryption and decryption key pair to obtain ciphertext data. And the DNS server decrypts the ciphertext data by using the decryption information in the encryption and decryption key pair to obtain authentication identification information carried in the DNS request. Alternatively, the key information may be a key value, and the gateway device encrypts the authentication identifier information by using the key value to obtain ciphertext data. And the DNS server decrypts the ciphertext data by using the key value to obtain authentication identification information carried in the DNS request.
When the gateway device sends a DNS request to the DNS server, the process is as follows. First, the user's client sends a request carrying the user identification information to the gateway device, and the gateway device looks up, according to the user identification information in the request, the key information and authentication identification information of that user that the authentication server sent to it. The gateway device then encrypts the authentication identification information with the key information to obtain ciphertext data, carries the ciphertext data in a DNS request, and sends the DNS request to the DNS server. The DNS server decrypts the ciphertext data with the key information of the user that the authentication server sent to it, obtaining the authentication identification information carried in the DNS request. If the authentication identification information obtained by decryption is consistent with the authentication identification information of the user that the authentication server sent to the DNS server, the user corresponding to the user identification information is determined to be a DNS user.
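The exchange described above, written out as an added example in Go; it is not code from the application. The application does not specify the encryption method, so the example uses AES-256-GCM with a 32-byte key as the key information and 16 random bytes standing in for the UUID as the authentication identification information. The application defines EDNS but does not say how the ciphertext is carried in the DNS request, so the example assumes an EDNS0 OPT record with a hypothetical option code 65001 (from the local/experimental range) as the carrier. Distribution from the authentication server to the gateway device and the DNS server is modelled by passing the returned values around; there is no network code.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed EDNS0 option code (65001-65534 is the local/experimental range).
const optCodeAuth = 65001

// register plays the authentication server: a random 16-byte UUID (the
// authentication identification information) and an AES-256 key.
func register() (uuid [16]byte, key []byte, err error) {
	key = make([]byte, 32)
	if _, err = rand.Read(uuid[:]); err == nil {
		_, err = rand.Read(key)
	}
	return uuid, key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealUUID is the gateway side: ciphertext data = nonce || AES-GCM(UUID).
func sealUUID(uuid [16]byte, key []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, uuid[:], nil), nil
}

func be16(v int) []byte { return []byte{byte(v >> 8), byte(v)} }

// buildOPT wraps the ciphertext in an EDNS0 OPT pseudo-RR (RFC 6891 wire format).
func buildOPT(data []byte) []byte {
	rr := []byte{0}                       // NAME: root
	rr = append(rr, be16(41)...)          // TYPE 41 = OPT
	rr = append(rr, be16(1232)...)        // CLASS = requestor's UDP payload size
	rr = append(rr, 0, 0, 0, 0)           // TTL = extended RCODE, version, flags
	rr = append(rr, be16(4+len(data))...) // RDLENGTH
	rr = append(rr, be16(optCodeAuth)...) // OPTION-CODE
	rr = append(rr, be16(len(data))...)   // OPTION-LENGTH
	return append(rr, data...)            // OPTION-DATA
}

// parseOPT walks the OPT RDATA, skipping unknown options, and returns ours.
func parseOPT(rr []byte) ([]byte, error) {
	if len(rr) < 11 || rr[0] != 0 || binary.BigEndian.Uint16(rr[1:3]) != 41 {
		return nil, errors.New("not an OPT RR")
	}
	rd := rr[11:]
	for len(rd) >= 4 {
		code, n := binary.BigEndian.Uint16(rd[0:2]), int(binary.BigEndian.Uint16(rd[2:4]))
		if len(rd) < 4+n {
			return nil, errors.New("truncated option")
		}
		if code == optCodeAuth {
			return rd[4 : 4+n], nil
		}
		rd = rd[4+n:]
	}
	return nil, errors.New("no authentication option")
}

// identify is the DNS server side: decrypt the option data with the key received
// from the authentication server and compare with the UUID received from it.
func identify(uuid [16]byte, key, data []byte) (bool, error) {
	g, err := newGCM(key)
	if err != nil || len(data) < g.NonceSize() {
		return false, errors.New("unusable key or ciphertext too short")
	}
	ns := g.NonceSize()
	plain, err := g.Open(nil, data[:ns], data[ns:], nil)
	if err != nil {
		return false, err // wrong key or tampered data: not a registered DNS user
	}
	return hmac.Equal(plain, uuid[:]), nil // constant-time consistency check
}

func main() {
	uuid, key, _ := register()        // authentication server, at registration
	ct, _ := sealUUID(uuid, key)      // gateway device, when sending the DNS request
	data, _ := parseOPT(buildOPT(ct)) // DNS server: pull the option out of the request
	fmt.Println(identify(uuid, key, data))
}
```

A missing or truncated option, a ciphertext made with another user's key, and a single flipped byte all fail, the first at `parseOPT` and the others at the GCM tag check in `Open`, so the consistency check never sees a forged value; the comparison with the stored UUID uses `hmac.Equal` so that its timing does not reveal how much of the UUID matched. Note that nothing in the scheme as described so far binds the ciphertext to the query or to a time, so a captured option could be replayed for as long as the key stays valid; the time-sliced keys described later in the application shorten that window.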
Client-side devices such as mobile phones and tablet computers can also act as the gateway device. A DNS request interception agent function is configured on the client-side device, and a client-side device with this function communicates with the DNS server and the authentication server as the gateway device. Taking a mobile phone as an example: with the DNS request interception agent configured on the phone, the authentication server generates the authentication identification information and key information of the user when the user registers and sends them to the phone and the DNS server respectively; the phone sends a DNS request to the DNS server carrying ciphertext data corresponding to the authentication identification information of the user, obtained by encrypting the authentication identification information according to the key information; the DNS server obtains the ciphertext data carried in the DNS request, decrypts it according to the key information, and determines that the user is a DNS user if the authentication identification information obtained by decryption is consistent with the authentication identification information of the user sent to the DNS server by the authentication server.
To further safeguard data security, the authentication server is specifically configured to: when a registration request is received, obtain the user identification information carried in it; determine a first authentication period; determine each sub-authentication period in the first authentication period according to a preset time interval; for each sub-authentication period, generate the authentication identification information and key information of that sub-authentication period of the user according to the user identification information; and send the authentication identification information and key information of each sub-authentication period to the gateway device and the DNS server respectively.
In the present application, the authentication server can generate, on a given day, the authentication identification information and key information required for the next day. For example, if today is October 1, the first authentication period may be the 24 hours of October 2. Each sub-authentication period within the first authentication period is determined by a preset time interval, for example an equal interval of 5 minutes or 10 minutes. Taking a 10-minute interval as an example, every 10 minutes counted from midnight within the 24 hours of October 2 is one sub-authentication period. The authentication identification information and key information of each sub-authentication period are sent to the gateway device and the DNS server respectively. It should be noted that the authentication identification information of each sub-authentication period may be the same, i.e., the user corresponds to a single unique authentication identification information; it may also differ per sub-authentication period. For data security, the key information of each sub-authentication period should be different.
The gateway device is specifically configured to determine a first sub-authentication time period to which a current time belongs when sending a DNS request to the DNS server, and encrypt authentication identification information of the first sub-authentication time period of the user according to key information of the first sub-authentication time period of the user to obtain the ciphertext data;
The DNS server is specifically configured to determine a second sub-authentication time period to which the current time belongs when the DNS request is received, and decrypt the ciphertext data according to key information of the second sub-authentication time period of the user.
When the gateway device sends a DNS request to the DNS server, a first sub-authentication time period to which the current moment belongs is firstly determined, and then key information and authentication identification information of the first sub-authentication time period of the user can be determined according to authentication identification information and key information of each sub-authentication time period sent by the authentication server. Encrypting the authentication identification information of the first sub-authentication time period of the user according to the key information of the first sub-authentication time period of the user to obtain ciphertext data, carrying the ciphertext data in a DNS request, and sending the DNS request to a DNS server.
When it receives the DNS request, the DNS server determines the second sub-authentication period to which the current time belongs, and can then determine the key information and authentication identification information of the second sub-authentication period of the user from the authentication identification information and key information of each sub-authentication period sent by the authentication server. It decrypts the ciphertext data according to the key information of the second sub-authentication period of the user to obtain authentication identification information, and judges whether the decrypted authentication identification information is consistent with the authentication identification information of the second sub-authentication period; if so, the user is determined to be a DNS user. After the user is determined to be a DNS user, DNS resolution is performed and the resolution result is returned to the user's client.
The authentication server is further configured to, a preset first duration before all current authentication identification information and key information become invalid, determine a second authentication period, determine each sub-authentication period in the second authentication period according to the preset time interval, generate authentication identification information and key information of each sub-authentication period of the user according to the user identification information, and send the authentication identification information and key information of each sub-authentication period to the gateway device and the DNS server respectively.
The preset first duration is, for example, 30 minutes or 60 minutes. Continuing the example in which the key information and authentication identification information of each sub-authentication period of October 2 have been generated: if the preset first duration is 60 minutes, then at 23:00 on October 2 the authentication server determines that all current authentication identification information and key information will become invalid after the preset first duration. It then determines a second authentication period, determines each sub-authentication period in it according to the preset time interval, generates the authentication identification information and key information of each sub-authentication period of the user according to the user identification information, and sends them to the gateway device and the DNS server respectively. If the first authentication period is the 24 hours of October 2, the second authentication period may be the 24 hours of October 3, and so on, so that the authentication identification information and key information of each sub-authentication period of the next day are determined dynamically, further ensuring data security.
In the present application, the key information includes encryption information, decryption information, and a random number. Optionally, the encryption information, decryption information, and random number differ for each sub-authentication period. Within one piece of key information, the random number corresponds to that key information's encryption information and decryption information, so it serves as an identifier of the key. The DNS request that the gateway device sends to the DNS server may carry the ciphertext data obtained by encrypting the authentication identification information with the encryption information, together with the random number corresponding to the current time. The DNS server can then use the random number in the DNS request to determine the encryption information and decryption information that the authentication server sent to it for that random number.
The gateway device sends a DNS request to the DNS server, where the DNS request carries ciphertext data corresponding to the authentication identification information of the user for the first sub-authentication time period to which the current moment belongs, together with the random number in the key information of that first sub-authentication time period; the ciphertext data is obtained by encrypting the user's authentication identification information for the first sub-authentication time period with the encryption information in the key information of that period.
The DNS server receives the DNS request, acquires the random number carried in it, and determines from the random number the effective time of the corresponding key information, where the effective time is the starting time of the second sub-authentication time period to which that key information corresponds. The DNS server judges whether the effective time belongs to the second sub-authentication time period to which the current time belongs; if so, it decrypts the ciphertext data with the decryption information in the user's key information for that second sub-authentication time period, and then carries out the consistency check of the authentication identification information described above.
The DNS server is specifically configured to decrypt the ciphertext data according to decryption information in key information of a previous sub-authentication period of the user if the effective time belongs to the previous sub-authentication period of a second sub-authentication period to which the current time belongs;
The DNS server is specifically configured to decrypt the ciphertext data according to decryption information in key information of a next sub-authentication period of the user if the effective time belongs to the next sub-authentication period of the second sub-authentication period to which the current time belongs.
Optionally, the DNS server is specifically configured to obtain a clock error between the gateway device and the DNS server if the effective time belongs to a previous sub-authentication time period of a second sub-authentication time period to which the current time belongs, and decrypt the ciphertext data according to decryption information in key information of the previous sub-authentication time period of the user if the clock error is less than a preset second duration;
the DNS server is specifically configured to obtain a clock error between the gateway device and the DNS server if the effective time belongs to a next sub-authentication time period of a second sub-authentication time period to which the current time belongs, and decrypt the ciphertext data according to decryption information in key information of the next sub-authentication time period of the user if the clock error is less than a preset second duration.
The preset second period of time is, for example, 3 minutes, 4 minutes, or the like. If the clock error is not less than the preset second duration, the DNS request may be directly discarded.
Fig. 2 is a schematic diagram of a first DNS user identification process provided by the present application, including the following steps:
S101, gateway equipment sends a DNS request to the DNS server, wherein the DNS request carries ciphertext data corresponding to authentication identification information of a user, and the ciphertext data is obtained by encrypting the authentication identification information according to key information;
S102, a DNS server acquires the ciphertext data carried in the DNS request, decrypts the ciphertext data according to key information, determines that the user is a DNS user if authentication identification information obtained through decryption is consistent with authentication identification information of the user sent to the DNS server by the authentication server, wherein the authentication server generates authentication identification information and key information of the user when the user is registered, and sends the authentication identification information and the key information to the gateway equipment and the DNS server respectively.
Fig. 3 is a schematic diagram of a second DNS user identification process provided by the present application, including the following steps:
S201, a DNS server receives a DNS request sent by gateway equipment, wherein the DNS request carries ciphertext data corresponding to authentication identification information of a user, and the ciphertext data is obtained by the gateway equipment encrypting the authentication identification information according to key information;
S202, the DNS server acquires the ciphertext data carried in the DNS request, decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if the authentication identification information obtained by decryption is consistent with the authentication identification information of the user sent to the DNS server by the authentication server; the authentication server generates the authentication identification information and key information of the user when the user registers, and sends them to the gateway equipment and the DNS server respectively.
Fig. 4 is a schematic diagram of a third DNS user identification process provided by the present application, including the following steps:
S301, when an authentication server registers a user, generating authentication identification information and key information of the user, and respectively transmitting the authentication identification information and the key information to gateway equipment and a DNS server;
S302, the gateway equipment sends a DNS request to the DNS server, wherein the DNS request carries ciphertext data corresponding to authentication identification information of the user, and the ciphertext data is obtained by encrypting the authentication identification information according to the key information;
S303, the DNS server acquires the ciphertext data carried in the DNS request, decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if authentication identification information obtained by decryption is consistent with authentication identification information of the user sent to the DNS server by the authentication server.
The DNS user identification process provided by the application mainly comprises user registration, key information and random number update, DNS user request communication and error processing.
User registration: when a user subscribes to the service, a DNS address providing the service is allocated to the user, and a corresponding user UUID, i.e. the user's authentication identification information, is generated. Key information and a random number for the user are generated as well. The key information and random number are issued so that the DNS server and the gateway device encrypt critical information with the same random number and key information, ensuring that the data can be both identified and encrypted. Critical information includes, but is not limited to, the authentication identification information.
The DNS request is divided into an end-side part and a service-side part: the end side uses the issued key information to encrypt the user's UUID and other critical information, and the service side uses the same key information to decrypt the data and match the user's UUID, thereby identifying whether the user is a DNS user.
The user registration flow is as follows:
The Internet gateway device initiates a user registration request to the authentication server over https, carrying the user identification information, user client identification information and the like.
After receiving the request, the authentication server generates the user UUID, key information and random number, and synchronously transmits the generated user UUID, key information and random number to the DNS server and the gateway device over https.
The DNS server stores the received user UUID, key information and random number, and replies to the authentication server with a response.
After receiving the DNS server's response, the authentication server sends the generated UUID to the Internet gateway device.
Https requests are used so that the user's UUID, key information and random number are transmitted encrypted both when issued to the user and when synchronized to the DNS server, and the associated keys cannot be stolen.
The key information and random number updating flow is as follows:
Every day at 23:00, the authentication server generates the key information and random numbers to be used next; as soon as they are generated, it transmits them to the DNS server for storage over https requests.
The DNS server stores the received key information and random numbers, and returns the result to the authentication server.
Having received the full set of key information and random numbers previously issued by the authentication server, the gateway device on the DNS user side queries the authentication server over https every 5 minutes from 23:00 onward to ask whether new key information and random numbers exist. If the authentication server has re-issued key information and a random number, the new key information and random number are delivered to the gateway device on the DNS user side through the established https channel, so that the confidentiality of the key information and random number in transit is ensured.
The DNS-side request flow is as follows:
The gateway device obtains the current time and queries the key information and random number corresponding to that time;
it encrypts the UUID using the key information, and splices the random number and the encrypted UUID into the DNS authentication information;
it adds the DNS authentication information to the OPT field of the DNS extension protocol (EDNS) and sends out the request.
The DNS service side flow is as follows:
The DNS server parses the OPT in the DNS request;
if the OPT does not carry DNS authentication information, the request is judged illegal and the DNS request is discarded;
if the OPT carries authentication information, the random number and the encrypted UUID are obtained from it;
the user's key information is queried using the random number, and the DNS request is discarded if no such key information exists;
if the key information exists, the UUID is decrypted using the key information, and the user is then queried by UUID;
if the UUID query for the user fails, the DNS request is discarded;
if the UUID query for the user succeeds, the user's custom configuration is obtained, DNS resolution is performed according to that configuration, and the resolution result is returned to the user.
The error processing flow is as follows:
Because clocks on the network may be out of synchronization, the DNS service side handles this by working with the key information of the current time, the key information of the previous 10 minutes and the key information of the next 10 minutes, specifically as follows:
the DNS server queries the key information according to the random number in the user's DNS request;
the effective time of the queried key information is obtained;
if the effective time of the key information falls within the current 10 minutes of the DNS server's system time, decryption uses the current key information;
if the effective time of the key information falls within the previous 10 minutes of the DNS server's system time, it is judged whether the clock error between the gateway device and the DNS server is less than 3 minutes; if it is less than three minutes, resolution proceeds normally, and if it is more than three minutes, the DNS request is discarded;
if the effective time of the key information falls within the next 10 minutes of the DNS server's system time, it is likewise judged whether the clock error between the gateway device and the DNS server is less than 3 minutes; if it is less than three minutes, resolution proceeds normally, and if it is more than three minutes, the DNS request is discarded.
If the effective time of the key information falls in none of the current, previous or next 10 minutes, the DNS request is directly discarded.
This server-side processing effectively ensures the continuity of the DNS service and prevents DNS requests from failing because of unsynchronized clocks.
The DNS user identification scheme provided by the application solves the problem that, in existing DNS traffic, DNS users cannot be directly identified in NAT scenarios, and the problem that DNS user information is easily leaked and forged.
The application can directly identify DNS users in DNS traffic and provide personalized services to users. It can directly filter attack traffic and reduce the risk of service anomalies after the DNS system is subjected to DDoS. It can effectively prevent DNS requests from being forged and secure the user's DNS requests. By comparison with DoH/DoT: a DNS server based on TCP has low performance, and since DoH/DoT use the TCP and SSL protocols, the pressure on the DNS server is high; this scheme transmits over UDP and encrypts only the critical user information, so the impact on the performance of the DNS server as a whole is relatively small while user information is not leaked, and the high performance of the DNS server can be preserved.
When a user logs on through a gateway device from a mobile phone or PC, and the user's organization has purchased a SASE-type DNS security service for Internet access, the user's DNS traffic must be directed to a secure DNS server, which receives the DNS requests; in this scenario the DNS server needs to use the scheme provided by the application in order to identify the user accurately.
The DNS user identifying process provided by the present application is described in detail below with reference to the accompanying drawings.
Fig. 5 is a flowchart of key information and random number issuance management provided by the present application. As shown in fig. 5, when the user registers for the first time, via an https request, the authentication server generates the user's UUID, key information and random numbers; typically it generates one day's key information and random numbers at a time, one set of key information and random number for every 10 minutes. The authentication server transmits the user's UUID, key information and random numbers to the DNS server, and after receiving the DNS server's response sends them to the gateway device on the DNS user side. The authentication server monitors the validity of the user's sets of key information and random numbers; when all of the key information is about to expire, with a lead time that may be defined as 1 hour before expiry, it regenerates, for example, a day's worth of key information and random numbers and sends the new sets to the DNS server. The DNS user's gateway device periodically acquires key information and random numbers from the authentication server, the period being definable as 5 minutes; when the authentication server finds that new key information and random numbers have been generated for the user, it issues them to the DNS user's gateway device.
Fig. 6 is a flowchart of key information and random number usage on the gateway device side provided in the present application. As shown in fig. 6, the gateway device obtains the current time, selects according to that time one set of key information and random number from the multiple sets generated by the authentication server, encrypts the user's UUID with the selected key information to obtain ciphertext data, concatenates the ciphertext data, the random number and so on into authentication information in a format such as "random number-UUID ciphertext", adds the authentication information to the OPT of EDNS, and sends the DNS request.
Fig. 7 is a flowchart of key information and random number usage on the DNS server side. As shown in fig. 7, the DNS server receives a DNS request and parses the authentication information in it. If no authentication information exists, service is denied. If authentication information exists, the random number is used to query the user's key information; if no key information is found, service is denied. If key information is found, the encrypted UUID is decrypted with it and the decrypted UUID is checked for validity; if invalid, service is denied, and if valid, DNS resolution is performed and the result is returned to the user.
Fig. 8 is a schematic diagram of the format of the authentication information in the DNS data provided in the present application. As shown in fig. 8, the format consists of a two-byte type, a two-byte length, the issued random number, a 1-byte separator and the encrypted UUID.
Fig. 9 is a flowchart of the DNS server side error handling process provided by the present application. As shown in fig. 9, the DNS server queries the key information according to the random number in the user's DNS request and obtains the effective time of the queried key information. If the effective time falls within the current 10 minutes of the DNS server's system time, decryption uses the current key information. If the effective time falls within the previous 10 minutes of the DNS server's system time, it is judged whether the clock error between the gateway device and the DNS server is less than 3 minutes: resolution proceeds normally for less than three minutes, and the DNS request is discarded if the clock error exceeds three minutes. If the effective time falls within the next 10 minutes of the DNS server's system time, the same 3-minute clock error judgment is applied, with normal resolution for less than three minutes and discarding of the DNS request for more than three minutes. If the effective time of the key information falls in none of the current, previous or next 10 minutes, the DNS request is directly discarded.
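The flows of Figs. 5 to 9 and the option layout of Fig. 8, worked through as an added example that is not the patent's or any product's code: the gateway builds the OPT option, and the DNS server applies the random-number lookup, the 10-minute slot and 3-minute clock-error rules, then decrypts and matches the UUID. The page names neither the cipher, the random-number length, the separator byte nor how the clock error is measured; each of those is an assumption marked in the code (an HMAC-SHA256 keystream with an HMAC tag stands in for the cipher).

```python
"""Added example, not the patent's own code: an end-to-end model of the EDNS OPT
authentication option described on this page (Figs. 5 to 9).  Assumptions are
marked; the page names no cipher, so an HMAC-SHA256 keystream stands in for it."""
import hashlib
import hmac
import secrets
import uuid
from collections import namedtuple
from datetime import datetime, timedelta

OPTION_CODE = 65500                # option code shown in the request dump on this page
RND_LEN = 8                        # assumed length of the plaintext random number
SEPARATOR = b"-"                   # assumed 1-byte separator ("random number-UUID ciphertext")
SLOT = timedelta(minutes=10)       # one key set per 10-minute sub-authentication period
SKEW_LIMIT = timedelta(minutes=3)  # the page's preset second duration
TAG_LEN = 16

# key stands for the page's encryption/decryption information; effective = slot start
KeySet = namedtuple("KeySet", "random_number key effective")


def generate_day(day: datetime) -> list:
    """Authentication-server side (Fig. 5): one key set per slot, 144 for a day."""
    return [KeySet(secrets.token_bytes(RND_LEN), secrets.token_bytes(32), day + i * SLOT)
            for i in range(int(timedelta(days=1) / SLOT))]

def _xor_stream(key: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter keystream (stand-in for the page's cipher)."""
    ks = b"".join(hmac.new(key, b"ks" + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Deterministic, which is tolerable here only because each key set encrypts one
    fixed message (the UUID) and is valid for a single 10-minute slot."""
    ct = _xor_stream(key, plaintext)
    return ct + hmac.new(key, b"tag" + ct, hashlib.sha256).digest()[:TAG_LEN]

def decrypt(key: bytes, blob: bytes):
    """Plaintext, or None when the tag does not verify (tampered data or wrong key)."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + ct, hashlib.sha256).digest()[:TAG_LEN]
    return _xor_stream(key, ct) if ct and hmac.compare_digest(tag, expected) else None

def build_option(keys: list, user_id: uuid.UUID, gateway_now: datetime) -> bytes:
    """Gateway side (Fig. 6): pick the current slot's key set, encrypt the UUID, splice."""
    current = next(k for k in keys if k.effective <= gateway_now < k.effective + SLOT)
    data = current.random_number + SEPARATOR + encrypt(current.key, user_id.bytes)
    return OPTION_CODE.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data

def parse_option(raw: bytes):
    """Server side (Fig. 8 layout): (random_number, ciphertext), or None if absent/malformed."""
    code, length = int.from_bytes(raw[:2], "big"), int.from_bytes(raw[2:4], "big")
    data = raw[4:4 + length]
    if code != OPTION_CODE or len(data) != length or data[RND_LEN:RND_LEN + 1] != SEPARATOR:
        return None
    return data[:RND_LEN], data[RND_LEN + 1:]

def select_key(keys_by_rnd: dict, rnd: bytes, server_now: datetime):
    """Error processing (Fig. 9): the current slot's key is used directly; the previous or
    next slot's key only if the clock error is under 3 minutes.  Assumption: the error is
    measured as the gap between the server clock and the boundary of the slot used."""
    ks = keys_by_rnd.get(rnd)
    if ks is None:
        return None                                   # stage 1: unknown random number
    slot_start = server_now.replace(minute=server_now.minute // 10 * 10, second=0, microsecond=0)
    if ks.effective == slot_start:
        return ks
    if ks.effective == slot_start - SLOT:             # gateway clock runs behind
        return ks if server_now - slot_start < SKEW_LIMIT else None
    if ks.effective == slot_start + SLOT:             # gateway clock runs ahead
        return ks if ks.effective - server_now < SKEW_LIMIT else None
    return None                                       # neither current, previous nor next

def identify(keys_by_rnd: dict, registered: dict, raw_option: bytes, server_now: datetime):
    """Service-side flow (Fig. 7): two-stage filter; user label, or None where the page discards."""
    parsed = parse_option(raw_option)
    ks = parsed and select_key(keys_by_rnd, parsed[0], server_now)
    plain = ks and decrypt(ks.key, parsed[1])
    return registered.get(plain) if plain else None   # stage 2: UUID must match a user

def run_scenarios() -> dict:
    """Constructed walk-through: one registered user, requests around the 12:00 slot."""
    day = datetime(2024, 10, 2)                                     # constructed date
    keys = generate_day(day)
    by_rnd = {k.random_number: k for k in keys}
    uid = uuid.UUID("12345678-1234-5678-1234-567812345678")        # constructed UUID
    users = {uid.bytes: "user-A"}
    at = lambda h, m, s=0: day + timedelta(hours=h, minutes=m, seconds=s)
    same = build_option(keys, uid, at(12, 4))
    behind = build_option(keys, uid, at(11, 59, 30))                # gateway still on the 11:50 key
    ahead = build_option(keys, uid, at(12, 10))                     # gateway already on the 12:10 key
    return {
        "slots_per_day": len(keys),
        "current_slot": identify(by_rnd, users, same, at(12, 4)),
        "behind_1min": identify(by_rnd, users, behind, at(12, 1)),
        "behind_5min": identify(by_rnd, users, behind, at(12, 5)),
        "ahead_2min": identify(by_rnd, users, ahead, at(12, 8)),
        "two_slots_late": identify(by_rnd, users, same, at(12, 25)),
        "tampered_tag": identify(by_rnd, users, same[:-1] + bytes([same[-1] ^ 1]), at(12, 4)),
        "no_option": identify(by_rnd, users, b"", at(12, 4)),
    }
```

`run_scenarios()` returns the accept/discard outcome for each case; the 3-minute window is exercised from both sides of a slot boundary, and a single flipped ciphertext bit is rejected at the tag check before any UUID lookup.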
In the application, during the issuance and management of key information and random numbers, both the user's request for key information and the issuance of key information to the DNS server are made over https, so the key information is not disclosed during issuance;
in the key management process, each set of key information and random number is valid for 10 minutes, which prevents the key information from being cracked and also prevents a network man-in-the-middle from forging DNS requests by capturing network packets.
The DNS server uses two-stage filtering of random numbers and UUIDs to quickly remove illegal DNS requests.
The DNS server uses the UUID to query the user, and can identify the user more accurately in the presence of NAT in the network than in the conventional case of user identification via user source IP.
In the application, the user's random number and encrypted UUID are added to the OPT of the DNS request, so that the user's UUID is protected from leakage and the problem that the user cannot be accurately identified by source IP address in a NAT scenario is avoided. Combining the plaintext random number with the encrypted UUID allows requests that do not meet the specification to be filtered out quickly by the plaintext random number, reducing the decryption cost of DNS requests, while the decrypted UUID is matched precisely in a second stage, ensuring the accuracy of user matching. The issuance process for the key information and random numbers is a necessary condition for ensuring that the user's UUID and random numbers are not disclosed; issuing the key information, and adding the user's random number and encrypted UUID to the OPT of the DNS request, together ensure the security of the data and the accurate identification of the user.
Fig. 10 is a flowchart of service processing in the DNS user identification process provided by the present application. As shown in fig. 10, the authentication server sends key information and random numbers to the DNS server, and the DNS server replies with response information indicating that the key information and random numbers were successfully acquired. The gateway device sends a registration request to the authentication server; the authentication server generates the user's UUID and sends it to the DNS server, which replies with response information indicating that the UUID was successfully acquired, at which point user registration is complete. The gateway device requests multiple sets of key information and random numbers from the authentication server, which sends them to the gateway device. The gateway device selects one set of key information and random number and uses it to make a DNS request to the DNS server; the DNS server uses the same set of key information and random number to identify the user, and returns a DNS response to the gateway device.
Fig. 11 is a schematic diagram of an application scenario of DNS user identification provided by the present application. As shown in fig. 11, a home broadband router, a gateway router, a network terminal, an Internet of Things terminal and other gateway devices are respectively connected to mobile phone 1, mobile phone 2, PC1, PC2, the authentication server, the secure DNS server and other Internet services. The secure DNS server is also connected to a public DNS service. The authentication server is, for example, a broadband access center or a user authentication center.
The format examples of DNS requests according to the present application are as follows:
v Additional records
    v <Root>: type OPT
        Name: <Root>
        Type: OPT (41)
        UDP payload size: 1232
        Higher bits in extended RCODE: 0x00
        EDNS0 version: 0
        Z: 0x0000
            0... .... .... .... = DO bit: Cannot handle DNSSEC security RRs
            .000 0000 0000 0000 = Reserved: 0x0000
        Data length: 46
        Option: COOKIE
        v Option: Unknown (65500)
            Option Code: Unknown (65500)
            Option Length: 30
            Option Data:
    [Response In: 2]
Fig. 12 is a schematic structural diagram of a first DNS user identifying device provided by the present application, applied to a gateway device, where the device includes:
An encryption module 121, configured to encrypt authentication identification information of a user sent by an authentication server according to key information of the user sent by the authentication server to obtain ciphertext data;
A first sending module 122, configured to send a DNS request to a DNS server, where the DNS request carries ciphertext data corresponding to authentication identifier information of a user;
The DNS server acquires the ciphertext data carried in the DNS request, decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if the authentication identification information obtained by decryption is consistent with the authentication identification information of the user sent to the DNS server by the authentication server; the authentication server generates the authentication identification information and key information of the user when the user registers, and sends them to the gateway equipment and the DNS server respectively.
Fig. 13 is a schematic structural diagram of a second DNS user identifying device provided by the present application, applied to a DNS server, where the device includes:
the receiving module 131 is configured to receive a DNS request sent by a gateway device, where the DNS request carries ciphertext data corresponding to authentication identification information of a user, where the ciphertext data is obtained by encrypting the authentication identification information by the gateway device according to key information;
The identification module 132 is configured to obtain the ciphertext data carried in the DNS request, decrypt the ciphertext data according to the key information, and determine that the user is a DNS user if authentication identification information obtained by decryption is consistent with authentication identification information of the user sent to the DNS server by the authentication server;
The authentication server generates authentication identification information and key information of the user when the user is registered, and sends the authentication identification information and the key information to the gateway equipment and the DNS server respectively.
Fig. 14 is a schematic structural diagram of a third DNS user identifying device provided by the present application, applied to an authentication server, where the device includes:
A generating module 141, configured to generate authentication identification information and key information of a user when the user registers;
a second sending module 142, configured to send the authentication identification information and the key information to a gateway device and a DNS server, respectively;
The gateway equipment sends a DNS request to the DNS server, wherein the DNS request carries ciphertext data corresponding to authentication identification information of the user, and the ciphertext data is obtained by encrypting the authentication identification information according to the key information;
The DNS server acquires the ciphertext data carried in the DNS request, decrypts the ciphertext data according to the key information, and determines that the user is a DNS user if authentication identification information obtained by decryption is consistent with authentication identification information of the user sent to the DNS server by the authentication server.
The application also provides an electronic device which can be a gateway device, a DNS server and an authentication server. As shown in fig. 15, the device comprises a processor 151, a communication interface 152, a memory 153 and a communication bus 154, wherein the processor 151, the communication interface 152 and the memory 153 are communicated with each other through the communication bus 154;
the memory 153 has stored therein a computer program which, when executed by the processor 151, causes the processor 151 to perform any of the above method steps.
The communication bus mentioned above for the electronic device may be a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, etc. The communication bus may be divided into an address bus, a data bus, a control bus and the like. For ease of illustration, the figures show only one bold line, but this does not mean that there is only one bus or one type of bus.
The communication interface 152 is used for communication between the electronic device and other devices.
The memory may include random access memory (Random Access Memory, RAM) or non-volatile memory (Non-Volatile Memory, NVM), such as at least one disk memory. Optionally, the memory may also be at least one storage device located remotely from the aforementioned processor.
The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), etc., or may be a digital signal processor (Digital Signal Processor, DSP), an application specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field programmable gate array or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, etc.
The application also provides a computer-readable storage medium having stored thereon a computer program executable by an electronic device, which when run on the electronic device causes the electronic device to perform any of the above method steps.
The present application provides a computer program product which, when invoked by a computer, causes the computer to perform the DNS user identifying method.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present application without departing from the spirit or scope of the application. Thus, it is intended that the present application also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.