WO2018141172A1 - Method for controlling web browsing on a terminal and for web browsing on a terminal, router device and terminal - Google Patents
- Publication number
- WO2018141172A1 (PCT/CN2017/113957)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- domain name
- name resolution
- terminal
- router device
- response message
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04W—WIRELESS COMMUNICATION NETWORKS
      - H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
        - H04W12/02—Protecting privacy or anonymity, e.g. protecting personally identifiable information [PII]
        - H04W12/03—Protecting confidentiality, e.g. by encryption
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L61/00—Network arrangements, protocols or services for addressing or naming
        - H04L61/45—Network directories; Name-to-address mapping
          - H04L61/4505—Name-to-address mapping using standardised directories; using standardised directory access protocols
            - H04L61/4511—Name-to-address mapping using domain name system [DNS]
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/04—Network security for providing a confidential data exchange among entities communicating through data packet networks
          - H04L63/0428—Confidential data exchange wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present disclosure relates to, but is not limited to, the field of communications, and in particular to a method for controlling a terminal to access the Internet, a method for a terminal to access the Internet, a router device and a terminal.
- DNS Domain Name System
- TCP Transmission Control Protocol
- IP Internet Protocol
- in the related art, the user equipment transmits the data of the domain name resolution process by means of two-way resolution and encryption:
- the terminal monitors and receives the domain name resolution request data of the local device; encrypts the domain name resolution request data and sends it to a preset network address; receives, through the router, the encrypted domain name resolution result data fed back by that network address; and decrypts the domain name resolution result data in response to the local device's domain name resolution request.
- the home router has no relevant network early warning function and related processing mechanism, and the user cannot know the state of the home router at a certain moment.
- the terminal encryption and decryption process is cumbersome.
- the embodiments of the present disclosure provide a method for controlling a terminal to access the Internet and a terminal to access the Internet, a router device and a terminal, and a system for controlling the terminal to access the Internet, which can simplify the process of encrypting and decrypting the terminal.
- the embodiment of the present disclosure provides a method for controlling a terminal to access the Internet, including: the router device receives an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request the domain name resolution result corresponding to the domain name to be accessed by the terminal; the router device generates a domain name resolution response message to be sent to the terminal that carries the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
- the encrypting the domain name resolution response message includes:
- the router device encrypts part of the data in the domain name resolution response message.
- the router device generates a domain name resolution response message that is to be delivered to the terminal and carries the domain name resolution result, and includes any one of the following:
- when the router device detects that the domain name resolution result is in the local cache of the router device, the router device carries the domain name resolution result in the domain name resolution response packet;
- when the router device detects that the domain name resolution result is not in the local cache of the router device, the router device requests the domain name resolution result from the server device and carries it in the domain name resolution response packet.
- the method further includes:
- the router device updates the locally stored dynamic information table, wherein the dynamic information table stores the number of accesses by the terminal to access the domain name corresponding to the domain name resolution result within a preset time.
- if the router device detects that the number of accesses by the terminal exceeds a preset value, the router device determines that the terminal is an illegal connection.
- after the router device determines that the terminal is an illegal connection, the router device sends an alarm signal and records the terminal identifier of the terminal for the user to check.
- the key of the router device encrypting the partial data is manually set in advance on the router device and the terminal.
- the embodiment of the present disclosure further provides a method for a terminal to access the Internet, including:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the terminal receives the encrypted domain name resolution response message carrying the domain name resolution result
- the terminal parses the domain name resolution response packet according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result.
- the receiving, by the terminal, the encrypted domain name resolution response message carrying the domain name resolution result includes:
- the terminal parses the domain name resolution response message according to the preset key, including:
- the DNS client plug-in of the terminal decrypts part of the data in the domain name resolution response message according to the preset key.
- the key that the terminal parses the domain name resolution response message is manually set in advance on the terminal and the router device.
- the embodiment of the present disclosure further provides a router device, including:
- the first communication device is configured to: receive an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal; and send the encrypted domain name resolution response message to the terminal;
- the first processor is configured to: generate the domain name resolution response message to be sent to the terminal and carry the domain name resolution result, and encrypt the domain name resolution response message.
- the first processor is further configured to: encrypt part of the data in the domain name resolution response message.
- the manner in which the first processor acquires the domain name resolution result carried in the domain name resolution response message includes any one of the following:
- the first processor is configured to: when it is detected that the domain name resolution result is in the local cache of the router device, carry the domain name resolution result in the domain name resolution response message;
- the first processor is configured to: when it is detected that the domain name resolution result is not in the local cache of the router device, request the domain name resolution result from the server device, and carry the domain name resolution result in the domain name resolution response message.
- the first processor is further configured to: after sending the encrypted domain name resolution response message to the terminal, update the locally stored dynamic information table, where the dynamic information table stores the number of accesses by the terminal to the domain name corresponding to the domain name resolution result within a preset time.
- the first processor is further configured to: if it is detected that the number of accesses of the terminal exceeds a preset value, determine that the terminal is an illegal connection.
- the key that the first processor encrypts the partial data is manually set in advance on the router device and the terminal.
- the embodiment of the present disclosure further provides a terminal, including:
- the second communication device is configured to: send an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the to-be-accessed domain name of the terminal; and receive the encrypted domain name resolution response message carrying the domain name resolution result;
- the second processor is configured to: parse the domain name resolution response message according to the preset key, and access a server corresponding to the IP address in the domain name resolution result.
- the second processor is further configured to: parse the domain name resolution response message that is encrypted by the partial data according to the preset key.
- the second processor is further configured to: decrypt, by using a DNS client plug-in of the terminal, the encrypted data portion in the domain name resolution response message according to the preset key.
- the key with which the second processor parses the domain name resolution response message is manually set in advance on the terminal and the router device.
- the embodiment of the present disclosure further provides a system for controlling a terminal to access the Internet, including:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the router device generates a domain name resolution response message to be delivered to the terminal that carries the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
- the encrypting, by the router device, the domain name resolution response message includes:
- the router device encrypts part of the data in the domain name resolution response message.
- the system further includes:
- the router device updates the locally stored dynamic information table, where the dynamic information table stores the number of access times that the terminal accesses the domain name corresponding to the domain name resolution result within a preset time;
- if the router device detects that the number of accesses by the terminal exceeds a preset value, the router device determines that the terminal is an illegal connection.
- Embodiments of the present disclosure also provide a storage medium.
- the storage medium is arranged to store program code for performing the following steps:
- the router device receives the unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the router device generates a domain name resolution response message to be sent to the terminal that carries the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal.
- the storage medium is further configured to store program code for performing the following steps:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the terminal receives the encrypted domain name resolution response message carrying the domain name resolution result
- the terminal parses the domain name resolution response packet according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result.
- Embodiments of the present disclosure also provide a computer readable storage medium storing computer executable instructions which, when executed, implement the method for controlling the terminal to access the Internet.
- the embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions which, when executed, implement the method.
- the terminal sends a message requesting domain name resolution to the router device, the router device feeds back to the terminal an encrypted response message carrying the domain name resolution result, and after parsing the response message the terminal accesses the server corresponding to the domain name resolution result.
- FIG. 1 is a flowchart of a method for controlling a terminal to access the Internet according to an embodiment of the present disclosure
- FIG. 2 is a network architecture diagram of a half-duplex domain name encryption mechanism in accordance with an embodiment of the present disclosure
- FIG. 3 is a flow chart of adding and deleting device nodes in accordance with an alternative embodiment of the present disclosure
- FIG. 4 is a functional block diagram of a network mechanism in accordance with an alternative embodiment of the present disclosure.
- FIG. 5 is a schematic diagram of an overall flow of a network detection mechanism according to an alternative embodiment of the present disclosure.
- the method and system of the present disclosure can operate on at least one of a router device and a terminal.
- FIG. 1 is a flowchart of a method for controlling a terminal to access the Internet according to an embodiment of the present disclosure. As shown in FIG. 1 , the process may include the following steps:
- Step S102 The router device receives an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- Step S104 The router device generates a domain name resolution response message that is to be sent to the terminal and carries the domain name resolution result, encrypts the domain name resolution response message, and sends the encrypted domain name resolution response message to the terminal. The domain name resolution result may include one IP address or several IP addresses.
- the terminal sends a packet requesting the domain name resolution data to the router device, and the router device feeds back the encrypted response message carrying the domain name resolution result to the terminal. After the terminal parses the response packet, the terminal may access the server corresponding to the domain name resolution result.
- the router device encrypts part of the data in the domain name resolution response message.
- the router device can select an important part of the domain name resolution response packet for encryption, such as the domain name resolution result, the data related to the domain name resolution result, the IP address, or the data related to the IP address, rather than encrypting the entire message.
- the router device generates a domain name resolution response packet that is to be sent to the terminal and carries the domain name resolution result, and may include any one of the following:
- when the router device detects that the domain name resolution result is available in the local cache of the router device, the router device carries the domain name resolution result in the domain name resolution response packet;
- when the router device detects that the domain name resolution result is not in the local cache of the router device, the router device requests the domain name resolution result from the server device, and carries the domain name resolution result in the domain name resolution response packet.
- the domain name resolution packet may be assembled by the router device, and the packet may include data corresponding to the domain name resolution result, which may be obtained by either of the foregoing two methods. The domain name resolution result can be sent to the terminal after it has been requested from the server device.
- the server device may be a domain name resolution server, and may store a correspondence between a domain name and an IP address.
- the router device may update the locally stored dynamic information table, where the dynamic information table stores the number of accesses by the terminal, within a preset time, to the domain name corresponding to the domain name resolution result.
- the router device may determine that the terminal is an illegal connection. After the router device determines that the terminal's connection is illegal, the terminal can be blacklisted so that it is no longer allowed to access the Internet through the router device.
- the router device may send an alarm signal and record the terminal identifier of the terminal.
- the router device can record the illegal terminal for user inspection and subsequent processing, such as prohibiting the terminal from accessing the local area network of the router device by other means.
- the key that the router device encrypts the part of the data may be manually set in advance on the router device and the terminal.
- the key can be a key set by the user in advance on the router device and the user's own terminal device, without using the router device and the terminal to negotiate the key, thereby effectively avoiding interception during the key negotiation process.
- a relatively simple "symmetric key" encryption algorithm may be selected when the key is set manually.
- the embodiment of the present disclosure further provides a method for a terminal to access the Internet, and the method may include the following steps:
- Step 1 The terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- Step 2 The terminal receives the encrypted domain name resolution response message carrying the domain name resolution result.
- Step 3 The terminal parses the domain name resolution response message according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result, and the domain name resolution result is obtained by parsing the domain name resolution message.
- part of the data in the domain name resolution response message is encrypted.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the DNS client plug-in of the terminal may decrypt part of the data in the domain name resolution response message according to the preset key.
- the DNS client plug-in can intercept the domain name resolution response packet and, after decrypting it, submit the packet to an upper layer application, such as the IE web browser.
- the key that the terminal parses the domain name resolution response packet may be manually set in advance on the terminal and the router device.
- An optional embodiment of the present disclosure provides an effective Wi-Fi management method and proposes a new detection method for the network, which ensures that legitimate users can use the Wi-Fi network efficiently and safely and lets the user keep track of the current status of the wireless router.
- An alternative embodiment of the present disclosure first provides a method for managing a Wi-Fi network, that is, a half-duplex domain name encryption mechanism, including:
- after obtaining the domain name resolution result data, the wireless router encrypts part of the data to generate a domain name resolution response message, and sends the message to the host that requested the domain name.
- the domain name resolution result data obtained by the wireless router may be sent by the domain name resolution server.
- after receiving the domain name resolution response message, the access host that requested the domain name first decrypts the key data part of the message, and then submits the decrypted data to the upper layer process that requested the domain name;
- the foregoing method further has the following feature: the encryption and decryption key used by the wireless router and the access host may be pre-set by the user on the wireless router and the access host, rather than negotiated between the two sides of the wireless network (the wireless router and the access host), thereby effectively avoiding the risk of interception during the key negotiation process;
- the encryption operation may be applied only to the domain name resolution response message, and not to the entire domain name request process, so that encryption work other than for the domain name resolution response message (in key agreement and in the rest of the domain name request) is reduced and the limited resources of the wireless router are relieved.
- the half-duplex domain name encryption mechanism can consist of two closely coupled parts:
- the domain name resolution packet detection and encryption module on the wireless router side; the processing of this part generally includes two cases:
- if the domain name resolution cache of the router contains the domain name requested by the downstream access device, the key data is encrypted and the assembled packet is sent to the device that requested the domain name;
- the DNS client plug-in installed on the user's Internet terminal; after receiving the domain name resolution response message, the module intercepts the packet, decrypts the key data of the packet, and submits the decrypted data to upper-layer applications, such as IE.
- FIG. 2 is a network architecture diagram of a half-duplex domain name encryption mechanism according to an embodiment of the present disclosure.
- it may include: a host, a router, and a domain name resolution server on the Internet.
- in this network architecture, a DNS domain name resolution plug-in may be installed on the host device P1, and the router R1 includes functions such as encryption and detection.
- P1 can access the Wi-Fi LAN of the device R1, and the R1 device can communicate with the Internet.
- Step 1 The device P1 is to access a certain website, and the upper layer application, such as a web browser (IE), may initiate a domain name resolution request including the website to the router device R1;
- Step 2 After the device R1 receives the domain name resolution request of P1, R1 may first search its domain name resolution cache. If no domain name resolution record is found, the request may be sent to the remote domain name resolution server on the Internet.
- Step 3 After the device R1 finds the related domain name resolution data, or after receiving the domain name resolution response packet sent by the remote domain name resolution server, R1 may encrypt the key data portion of the domain name response message and then send the packet to the device P1 that requested the domain name resolution;
- Step 4 After receiving the domain name resolution response packet, the device P1 can intercept the packet, decrypt the key data part in the packet, and then submit the decrypted data to the upper application process;
- Step 5 In this way, the device P1 obtains the correct domain name resolution result and can access the Internet normally.
- a network early warning method which may generally include:
- the wireless router dynamically maintains a list of access devices in the Wi-Fi LAN, and the dynamic information of each access device node is recorded in the list;
- the dynamic information of the access device node can roughly include the following information:
- IP address of the access device
- the access device requests dynamic data of each domain name node within a certain period of time
- Pointer to the next access device node (this pointer can be used to go to the dynamic statistics table of other terminals);
- the dynamic data of the request domain name node may include the following parts of data:
- the next request domain name node pointer (this pointer can be used to transfer to the dynamic data table of other domain names, where the number of times other domain names are requested by the terminal is stored);
- the update of the dynamic data of the access device node can roughly include data update in three cases:
- FIG. 3 is a flow chart of adding and deleting device nodes according to an alternative embodiment of the present disclosure. A device node record may be added when a new user accesses the network; if a user disconnects, the device node record corresponding to that user may be deleted;
- the update of the domain name dynamic data requested by the device, that is, the number of requests for the domain name and the addition of a new domain name node when a domain name is requested for the first time.
- the update of the data may be substantially updated after confirming that the encrypted domain name resolution response message has been successfully sent by the router;
- the domain name request data of one or more access device nodes may be emptied;
- the rule for an illegal user may be: if the number of times the user requests a certain domain name exceeds a specified preset value (for example, 3 times), the access device is assumed to be unable to correctly decrypt the encrypted domain name resolution response messages it receives, and the user is therefore determined to be an illegal access user. A normal access user, having received the correct domain name resolution data, generally stores the resolution locally for a short period so that it can be reused directly, and therefore does not request the same domain name many times.
- the early warning mechanism can be set up with an independent indicator light on the wireless router.
- the indicator light flashes for a period of time to warn the user of the wireless router device that an illegal access user is present.
- the method for detecting the network in the present disclosure may generally include the following modules:
- the device connection management module dynamically maintains a list of Wi-Fi LAN access devices of the wireless router device, where the device information of the access device and the information of the domain name access of the device for a period of time are recorded;
- the domain name resolution response packet detection module listens for domain name resolution response messages in the domain name resolution server or the wireless router kernel, so as to trigger data encryption, information statistics or other actions;
- Network detection module determines the access device node according to the information recorded in the wireless router dynamic access list according to the rules described above, distinguishes whether the device node is illegal, and establishes and dynamically maintains the illegal device list.
- the data structure of the illegal access device node may include the following information:
- the network warning module triggers the blinking of the indicator light according to the result of the detection module, thereby alerting the wireless router user.
- FIG. 4 is a functional module relationship diagram in a network mechanism according to an alternative embodiment of the present disclosure. As shown in FIG. 4, a relationship between a plurality of modules is shown.
- the domain name resolution response packet detection module can detect that the wireless router receives or sends a domain name resolution response data packet
- the domain name resolution response packet detection module confirms that the domain name response packet has succeeded.
- the device connection management module may be triggered to update the information of the device node to which the domain name response message was sent;
- the domain name resolution response packet detecting module may immediately trigger the network detection module to determine whether the device node is illegal;
- the network detection module can record the illegal user information in the illegal user list, and can trigger the network warning module to alert the wireless router user.
- the domain name resolution one-way encryption mechanism can roughly include the following two aspects: domain name resolution client plug-in and router domain name resolution agent.
- the domain name resolution client may: receive and store the encryption key set by the user, and decrypt the data part of the corresponding domain name resolution response received by the host device before handing it over to the corresponding application process.
- the wireless router domain name resolution server can also accept and save the encryption key set by the user, and then encrypt the result data of the domain name resolution according to the key set by the user, and send the encrypted data to the domain name requesting host;
- both the domain name resolution client and the router domain name resolution agent may require the user to input a key, where the key format resembles a dotted decimal IP address, but the user can enter any 12 digits;
- the encryption process may be that the domain name resolution response packet detection module detects the domain name resolution response message, intercepts the message, takes out the domain name resolution address in the packet, converts it into dotted decimal form, and encrypts it with the key entered by the user.
- the encryption method is: each IP address block is added to the key block at the corresponding position, the sum is reduced modulo 255, and finally the bits are inverted.
- the domain name resolution response IP address in the message can be extracted, converted into dotted decimal format and divided into four groups; at the same time, the 12-digit key entered by the user is also divided into four groups. Then, reversing the order of the domain name resolution agent's encryption, the four groups of data in the domain name resolution packet are first bit-inverted, an appropriate value (such as 1020) is added to each group, the key group at the corresponding position is subtracted from each group, and finally the result of each group's operation is reduced modulo 255, giving the correct domain name resolution result.
- the device connection management module of the router device can roughly perform the following functions:
- one or more access devices of the wireless router use the data structure to establish an access device node, where the data structure includes the MAC address, the IP address, and the access domain name resolution list and the next access device node pointer of the device;
- a domain name resolution node is established for each domain name accessed by the access device; its data structure includes the accessed domain name, the number of times the same domain name is accessed within a specified time period, and the next domain name pointer. This data structure is embedded in the domain name resolution list of the device node data structure.
- the basic information of one or more devices in the wireless router's wireless fidelity (Wi-Fi) local area network may be obtained by acquiring the MAC address of each access device through the wireless network card and combining it with the IP address information obtained for each device from the lease file of the Dynamic Host Configuration Protocol (DHCP) process and the arping method; each access device can correspond to a node in the access device list. At the same time, to ensure that the access list information is kept up to date, the update of the access device nodes in the access device list may be completed by starting a timer;
- a timer for the listening period can be started; when the period ends, the domain name resolution list information of the access device node is cleared.
- the domain name resolution response packet detection module of the router device can roughly perform the following functions:
- the device connection management module is notified to update the domain name resolution list information of the corresponding user
- the network detection module is triggered to perform an illegality determination on the user that requested the domain name.
- the corresponding steps may include: first, listening for the domain name resolution response message, essentially by modifying the domain name resolution response function of the domain name resolution agent process, or by using a HOOK function to fetch the domain name resolution response message from the kernel.
- either the domain name resolution agent or the packet capture function can effectively obtain the information of the device that sent the domain name resolution request and the requested domain name. After confirming that the encrypted domain name response message has been sent successfully, the update of the domain name resolution list can be triggered by message notification or by directly invoking the access device list update function;
- the network detection function can also be triggered by means of message notification or function call.
- the network detection module of the router device can roughly perform the following functions:
- the corresponding steps may include:
- determining whether a device in the device access list is illegal is essentially done on the access domain name nodes of the newly updated access device node: the number of times the device accessed each domain name is extracted and compared with a specific threshold condition; if it is greater than the threshold, the access device is determined to be illegal, otherwise the access device is legal.
- the most recently updated device node can be passed in as a parameter.
- the establishment and dynamic maintenance of the illegal user list may be performed by integrating the basic information of the illegal access device node into the illegal user linked list when an illegal access device is detected in the previous step; this linked list may be structured similarly to the access device list.
- the network warning module is notified to perform the warning, which can be completed by setting a wireless router device node. For example, when the illegal user list is non-empty, that is, when the system detects an illegal user or the timer period has elapsed, the value of the specific device node is set to 1 and the indicator light flashes; a timer (30 s) can be set to turn the indicator off when it expires.
- the network device early warning module of the router device, related processing may include:
- an available GPIO pin of the microprocessor is connected to the indicator light; a timer program in the underlying baseband code periodically raises the level of that pin, so that the switch in the circuit loop is periodically turned on, thereby realizing control of the indicator light's blinking;
- the interface for the upper layer and the underlying baseband is encapsulated in the baseband program so that the upper layer or the bottom layer can effectively control the indicator light after detecting the relevant event, such as the device node value change.
- the user can log in to the device management page to view and process the abnormal access device information.
- FIG. 5 is a schematic diagram of an overall process of a network detection mechanism according to an alternative embodiment of the present disclosure. As shown in FIG. 5, the process includes the following steps:
- Step 1 The user may preset the same key in the router and in the legal access device on which the domain name resolution client is installed.
- Step 2 When a device on the downstream access device initiates a domain name resolution request, after the resolution is successful, the router may receive the domain name resolution response data packet.
- Step 3 After receiving the domain name resolution response packet, the router may extract the data in the packet, such as the destination IP address, the requested domain name information, and the domain name resolution result.
- Step 4 First, the result data of the domain name resolution may be encrypted using the key preset by the user. After the encryption is completed, the encrypted data may be sent to the host that requested the domain name.
- Step 5 If the downstream access device is a legal access device, it can use the preset key to decrypt the correct domain name resolution result and initiate a normal data request. If it is an illegal user, the device will not obtain the correct data: its domain name resolution request leads it to send requests to the wrong address, and it generally cannot achieve the purpose of accessing the network;
- Step 6 After the response packet has been sent successfully to the host that requested the domain name, the device may update the access device information list according to the information obtained from the domain name resolution message; otherwise the update operation is not performed;
- Step 7 After the update of the access device node information is completed, the updated data node information may be transmitted to the network detection module, and the detection module may determine, according to the statistics of the domain names requested by the access device, whether the user is an illegally connected Internet user;
- Step 8 If the network detection module detects that an illegal user has accessed the device, the network early warning module may be triggered; the network early warning module periodically prompts the user, through the flashing indicator, that there is illegal access, so that the user can deal with that user of the network;
- Step 9 After the entire processing mechanism is completed, you can return to step 2 to perform loop detection again.
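The router-side bookkeeping behind Steps 6 to 8 and the device connection management, network detection and warning modules described earlier (access device nodes keyed by MAC with per-domain counters for the listening period, a threshold check on the most recently updated node, an illegal user list, and the indicator "device node" set for 30 s), worked as an added example that is not the patent's code. The threshold, period length, MAC addresses and the event sequence are constructed assumptions; time is passed in explicitly so the timers run offline.

```python
"""Access device list, per-period domain counters, threshold check and warning flag.
Constructed example of the mechanism described above; not the patent's own code."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class AccessDevice:
    """One node of the access device list: MAC, IP and the 'domain name resolution list',
    here a map domain -> number of accesses within the current listening period."""
    mac: str
    ip: str
    domain_counts: Dict[str, int] = field(default_factory=dict)


class RouterMonitor:
    def __init__(self, threshold: int, period_s: float, warn_s: float = 30.0):
        self.threshold = threshold        # accesses of one domain per period before flagging (assumed)
        self.period_s = period_s          # listening period; counters are cleared when it ends
        self.warn_s = warn_s              # indicator stays lit for 30 s per the description
        self.devices: Dict[str, AccessDevice] = {}   # access device list
        self.illegal: Dict[str, AccessDevice] = {}   # illegal user list
        self.period_start = 0.0
        self.indicator_until = 0.0        # the "device node value" is 1 while now < indicator_until

    def register(self, mac: str, ip: str) -> AccessDevice:
        """Device connection management: create or refresh the node for this MAC."""
        dev = self.devices.get(mac)
        if dev is None:
            dev = AccessDevice(mac, ip)
            self.devices[mac] = dev
        dev.ip = ip                       # IP may change between DHCP leases
        return dev

    def _roll_period(self, now: float) -> None:
        """Listening-period timer: clear every node's domain list when the period ends."""
        if now - self.period_start >= self.period_s:
            for dev in self.devices.values():
                dev.domain_counts.clear()
            self.period_start = now

    def on_response_sent(self, mac: str, ip: str, domain: str, now: float) -> bool:
        """Steps 6-8: after the encrypted response was sent, update the node, then hand the
        updated node to the detection check. Returns True if the device is flagged."""
        self._roll_period(now)
        dev = self.register(mac, ip)
        dev.domain_counts[domain] = dev.domain_counts.get(domain, 0) + 1
        return self._detect(dev, now)

    def _detect(self, dev: AccessDevice, now: float) -> bool:
        """Network detection: compare the node's per-domain counts with the threshold."""
        over = max(dev.domain_counts.values(), default=0) > self.threshold
        if over:
            self.illegal[dev.mac] = dev                 # maintain the illegal user list
            self.indicator_until = now + self.warn_s    # warning module: node value 1, 30 s timer
        return over

    def indicator_on(self, now: float) -> bool:
        """Value of the indicator 'device node' at time now."""
        return now < self.indicator_until


def run_demo() -> Dict[str, bool]:
    """Constructed sequence of resolution responses (not captured traffic)."""
    mon = RouterMonitor(threshold=5, period_s=60.0)
    flags: Dict[str, bool] = {}
    # a legal device resolves a few different names, well under the threshold
    for i, name in enumerate(["example.com", "example.net", "example.org"]):
        flags["legal"] = mon.on_response_sent("aa:bb:cc:00:00:01", "192.168.1.10", name, float(i))
    # a device without the key keeps re-resolving the same name (the Step 5 failure pattern)
    for i in range(6):
        flags["unknown"] = mon.on_response_sent("aa:bb:cc:00:00:02", "192.168.1.11", "example.com", 10.0 + i)
    return flags


if __name__ == "__main__":
    print(run_demo())   # {'legal': False, 'unknown': True}
```

The threshold and period are the knobs that decide false positives: a legitimate device whose key was mistyped produces exactly the same repeated-resolution pattern as an illegal one, so the indicator alone does not tell the two apart.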
- the technical solution in the optional embodiment of the present disclosure has the advantages of ensuring network security through domain name encryption, and provides a convenient, fast, simple, and flexible way to complete domain name encryption key setting and downstream access device deployment. Moreover, encrypting only the domain name response result reduces, to some extent, the occupation of the limited resources of the wireless router; in addition, the user can know at any time whether the wireless router is being accessed by an illegal user, and can thus pay attention in time to whether illegal users are regularly or occasionally trying to access the home router.
- the embodiment of the present disclosure further provides a router device, including:
- the first communication device is configured to: receive an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal; and send the encrypted domain name resolution response message to the terminal;
- the first processor is configured to: generate the domain name resolution response message to be sent to the terminal and carry the domain name resolution result, and encrypt the domain name resolution response message.
- the first processor is further configured to: encrypt part of the data in the domain name resolution response message.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the manner in which the first processor obtains the data portion of the domain name resolution response packet includes any one of the following:
- the first processor is configured to: when detecting the domain name resolution result in the local cache of the router device, the first processor carries the domain name resolution result in the domain name resolution response message;
- the first processor is configured to: when detecting that the domain name resolution result is not in the local cache of the router device, request the domain name resolution result from the server device, and carry the domain name resolution result in the domain name resolution response packet.
- the first processor is further configured to: after the encrypted domain name resolution response message is sent to the terminal, update the locally stored dynamic information table, where the dynamic information table stores the number of times the terminal accessed the domain name corresponding to the domain name resolution result within a preset time.
- the first processor is further configured to: if it is detected that the number of accesses of the terminal exceeds a preset value, determine that the terminal is an illegal connection.
- the key with which the first processor encrypts the partial data is manually set in advance on the router device and the terminal.
- the embodiment of the present disclosure further provides a terminal, including:
- the second communication device is configured to: send an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal; and receive the encrypted domain name resolution response message carrying the domain name resolution result;
- the second processor is configured to: parse the domain name resolution response message according to the preset key, and access the server corresponding to the IP address in the domain name resolution result. It may be added that after obtaining the domain name resolution result, the second processor passes it up to the upper-layer application that issued the domain name request, such as a browser, and that application accesses the domain name.
- the second processor is further configured to: parse, according to the preset key, the domain name resolution response message in which part of the data is encrypted.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the second processor is further configured to: decrypt, by using the DNS client plug-in of the terminal, part of the data in the domain name resolution response message according to the preset key.
- the key with which the second processor parses the domain name resolution response message is manually set in advance on the terminal and the router device.
- the embodiment of the present disclosure further provides a system for controlling a terminal to access the Internet, including:
- the terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed of the terminal;
- the router device generates a domain name resolution response message to be sent to the terminal, and the domain name resolution response message is encrypted, and the encrypted domain name resolution response message is sent to the terminal.
- the encrypting, by the router device, the domain name resolution response packet includes:
- the router device encrypts part of the data in the domain name resolution response message.
- the part of data includes, for example, domain name resolution results, data related to domain name resolution results, IP addresses, data related to IP addresses, and the like.
- the system further includes:
- the router device updates the locally stored dynamic information table, where the dynamic information table stores the number of times the terminal accessed the domain name corresponding to the domain name resolution result within a preset time;
- if the number of accesses exceeds the preset value, the router device determines that the terminal is an illegal connection.
- Embodiments of the present disclosure also provide a storage medium.
- the foregoing storage medium may be configured to store program code for performing the following steps:
- S1 The router device receives an unencrypted domain name resolution request message sent by the terminal, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal.
- S2 The router device generates a domain name resolution response message that is sent to the terminal and carries the domain name resolution result.
- S3 Encrypt the domain name resolution response message, and send the encrypted domain name resolution response message to the terminal.
- the storage medium is further arranged to store program code for performing the following steps:
- S4 The terminal sends an unencrypted domain name resolution request message to the router device, where the domain name resolution request message is used to request a domain name resolution result corresponding to the domain name to be accessed by the terminal;
- S5 The terminal receives the encrypted domain name resolution response message carrying the domain name resolution result.
- S6 The terminal parses the domain name resolution response packet according to the preset key, and accesses the server corresponding to the IP address in the domain name resolution result.
- the foregoing storage medium may include, but not limited to, a USB flash drive, a Read-Only Memory (ROM), a Random Access Memory (RAM), a mobile hard disk, and a magnetic memory.
- the processor performs the method steps in the foregoing embodiments according to the stored program code in the storage medium.
- the embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions, where the computer executable instructions are executed to implement the method for controlling the terminal to access the Internet.
- the embodiment of the present disclosure further provides a computer readable storage medium storing computer executable instructions, where the computer executable instructions, when executed, implement the method for the terminal to access the Internet.
- the modules or steps of the present disclosure may be implemented by general-purpose computing devices; they may be centralized on a single computing device or distributed over a network of computing devices, and optionally implemented in program code executable by the computing device, such that they may be stored in a storage device and executed by the computing device. In some cases, the steps shown or described may be performed in an order different from that herein, or they may be separately fabricated into different integrated circuit modules, or multiple modules or steps may be made into a single integrated circuit module.
- the disclosure is not limited to any specific combination of hardware and software.
- computer storage media include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storing information, such as computer readable instructions, data structures, program modules or other data.
- Computer storage media include, but are not limited to, Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile disc (DVD) or other optical disc storage, magnetic cassette, magnetic tape, disk storage or other magnetic storage device, or any other medium that can be used to store the desired information and that can be accessed by the computer.
- communication media typically carry computer readable instructions, data structures, program modules, or other data in a modulated data signal, such as a carrier wave or other transport mechanism, and can include any information delivery media.
- the terminal sends a message requesting domain name resolution to the router device, the router device feeds back to the terminal an encrypted response message carrying the domain name resolution result, and the terminal, after parsing the response message, accesses the server corresponding to the domain name resolution result.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Abstract
The invention relates to a method for controlling web browsing on a terminal, comprising the following steps: a router device receives an unencrypted domain name resolution request packet transmitted by a terminal, the domain name resolution request packet being used to request a domain name resolution result corresponding to a domain name to be visited by the terminal; the router device generates a domain name resolution response packet to be delivered to the terminal and carrying the domain name resolution result, encrypts the domain name resolution response packet, and transmits the encrypted domain name resolution response packet to the terminal.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201710066140.2 | 2017-02-06 | ||
| CN201710066140.2A CN108400953A (zh) | 2017-02-06 | 2017-02-06 | 控制终端上网及终端上网的方法,路由器设备及终端 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018141172A1 true WO2018141172A1 (fr) | 2018-08-09 |
Family
ID=63039349
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2017/113957 Ceased WO2018141172A1 (fr) | 2017-02-06 | 2017-11-30 | Procédé de commande de navigation web sur un terminal et de navigation web sur un terminal, dispositif routeur et terminal |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN108400953A (fr) |
| WO (1) | WO2018141172A1 (fr) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113726917A (zh) * | 2020-05-26 | 2021-11-30 | 网神信息技术(北京)股份有限公司 | 域名确定方法、装置和电子设备 |
| CN116056126A (zh) * | 2022-12-20 | 2023-05-02 | 哲库科技(上海)有限公司 | 仿真测试方法、装置、计算机设备和计算机可读存储介质 |
| CN116319675A (zh) * | 2023-05-15 | 2023-06-23 | 阿里云计算有限公司 | 域名解析方法、系统、电子设备及存储介质 |
| CN116545981A (zh) * | 2023-04-24 | 2023-08-04 | 奇安信科技集团股份有限公司 | 一种基于网闸的dns请求处理方法、网闸 |
| CN117278211A (zh) * | 2023-09-27 | 2023-12-22 | 北京火山引擎科技有限公司 | 基于内容分发网络的域名加密方法、解密方法和装置 |
Families Citing this family (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN114205236B (zh) * | 2020-09-18 | 2025-04-08 | 中兴通讯股份有限公司 | 网络配置方法、终端、系统及存储介质 |
| CN112491838B (zh) * | 2020-11-17 | 2022-05-10 | 北京航空航天大学杭州创新研究院 | 工业互联网安全发送报文的方法和系统 |
| CN112671779B (zh) * | 2020-12-25 | 2022-10-18 | 赛尔网络有限公司 | 基于DoH服务器的域名查询方法、装置、设备及介质 |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN1494795A (zh) * | 2001-02-28 | 2004-05-05 | ի���� | 提供含有特殊字符的互联网地址的方法 |
| CN101088245A (zh) * | 2004-12-07 | 2007-12-12 | 思科技术公司 | 在网络元件中对消息有效载荷执行安全性功能 |
| CN102075589A (zh) * | 2009-11-19 | 2011-05-25 | 国际商业机器公司 | 基于用户的dns服务器访问控制的方法和系统 |
| US20130103784A1 (en) * | 2011-02-02 | 2013-04-25 | 3Crowd Technologies, Inc. | Routing client requests |
Family Cites Families (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7418504B2 (en) * | 1998-10-30 | 2008-08-26 | Virnetx, Inc. | Agile network protocol for secure communications using secure domain names |
| US7188180B2 (en) * | 1998-10-30 | 2007-03-06 | Vimetx, Inc. | Method for establishing secure communication link between computers of virtual private network |
| CN104052829A (zh) * | 2013-03-14 | 2014-09-17 | 弗里塞恩公司 | 自适应名字解析 |
| CN104144123B (zh) * | 2013-05-10 | 2017-06-16 | 中国电信股份有限公司 | 访问互联网的方法、系统与路由型网关装置 |
| CN103634307A (zh) * | 2013-11-19 | 2014-03-12 | 北京奇虎科技有限公司 | 一种对网页内容进行认证的方法和浏览器 |
| CN105141612A (zh) * | 2015-09-01 | 2015-12-09 | 中国互联网络信息中心 | 一种dns数据包隐私保护方法 |
| CN105282047B (zh) * | 2015-09-25 | 2020-04-14 | 小米科技有限责任公司 | 访问请求处理方法及装置 |
2017
- 2017-02-06 CN CN201710066140.2A patent/CN108400953A/zh active Pending
- 2017-11-30 WO PCT/CN2017/113957 patent/WO2018141172A1/fr not_active Ceased
Cited By (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113726917A (zh) * | 2020-05-26 | 2021-11-30 | 网神信息技术(北京)股份有限公司 | 域名确定方法、装置和电子设备 |
| CN113726917B (zh) * | 2020-05-26 | 2024-04-12 | 奇安信网神信息技术(北京)股份有限公司 | 域名确定方法、装置和电子设备 |
| CN116056126A (zh) * | 2022-12-20 | 2023-05-02 | 哲库科技(上海)有限公司 | 仿真测试方法、装置、计算机设备和计算机可读存储介质 |
| CN116545981A (zh) * | 2023-04-24 | 2023-08-04 | 奇安信科技集团股份有限公司 | 一种基于网闸的dns请求处理方法、网闸 |
| CN116319675A (zh) * | 2023-05-15 | 2023-06-23 | 阿里云计算有限公司 | 域名解析方法、系统、电子设备及存储介质 |
| CN117278211A (zh) * | 2023-09-27 | 2023-12-22 | 北京火山引擎科技有限公司 | 基于内容分发网络的域名加密方法、解密方法和装置 |
Also Published As
| Publication number | Publication date |
|---|---|
| CN108400953A (zh) | 2018-08-14 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| WO2018141172A1 (fr) | | Procédé de commande de navigation web sur un terminal et de navigation web sur un terminal, dispositif routeur et terminal |
| US11765585B2 (en) | | Techniques for enabling computing devices to identify when they are in proximity to one another |
| US9282084B2 (en) | | Method and apparatus for provisioning a temporary identity module using a key-sharing scheme |
| US10970699B2 (en) | | Point of sale pairing to wireless networks |
| CN114697945B (zh) | | 发现响应消息的生成方法及装置、发现消息的处理方法 |
| CN112866981B (zh) | | 一种签约数据的管理方法、装置 |
| US10750369B2 (en) | | Method, apparatus, and platform for sharing wireless local area network |
| WO2015188440A1 (fr) | | Procédé et dispositif de traitement d'abonnement à une ressource |
| CN108990062B (zh) | | 智能安全Wi-Fi管理方法和系统 |
| CN103095861A (zh) | | 确定设备是否处于网络内部 |
| US20150143486A1 (en) | | Simplified Wi-Fi Setup |
| WO2012113329A1 (fr) | | Procédé et dispositif de gestion de dispositifs |
| CN112311769A (zh) | | 安全认证的方法、系统、电子设备及介质 |
| US10172003B2 (en) | | Communication security processing method, and apparatus |
| TW201517668A (zh) | | 網路共用裝置、系統及方法 |
| WO2018018780A1 (fr) | | Procédé et appareil d'accès pour la commande de dispositif d'accès wifi, et support de stockage |
| US11330038B2 (en) | | Systems and methods for utilizing blockchain for securing browsing behavior information |
| CN109729000B (zh) | | 一种即时通信方法及装置 |
| CN109429225A (zh) | | 消息接收、发送方法及装置、终端、网络功能实体 |
| CN110866288B (zh) | | 一种基于区块链的数据保护方法、系统及终端 |
| CN118250090B (zh) | | 物联网平台信息处理方法及装置 |
| CN119848952B (zh) | | 一种一体化测试服务平台的数据安全保护方法及平台 |
| JP2012138729A (ja) | | データ処理装置、プログラム、およびデータ処理システム |
| CN111585748B (zh) | | 数据传输方法及装置 |
| JP6920614B2 (ja) | | 本人認証装置、本人認証システム、本人認証プログラム、および、本人認証方法 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17895369; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17895369; Country of ref document: EP; Kind code of ref document: A1 |