DNS SECURITY SYSTEM AND FAILURE PROCESSING METHOD

US 20170048187A1
Filed: 03/19/2015
Published: 02/16/2017
Est. Priority Date: 04/18/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device, comprising:

a memory having instructions stored thereon;

a processor configured to execute the instructions to perform operations for DNS security, the operations comprising;

initiating a domain name system (DNS) request;

providing authorization information for the DNS request;

storing all DNS requests and corresponding authorization information in a designated area;

invoking corresponding authorization information from the authorization information database when a DNS resolution failure occurs on the root node, to provide a resolution service to a corresponding client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a DNS security system and failure processing method. The DNS security system comprises: at least one client, configured to initiate a DNS request; a root node, configured to provide authorization information to the DNS request; an authorization information database, configured to store all DNS requests and corresponding authorization information in a designated area; a virtual root node, configured to invoke corresponding authorization information from the authorization information database when a DNS resolution failure occurs on the root node, and to provide a resolution service to a corresponding client. Using the present invention enhances the security and stability of DNS resolution.

13 Citations

View as Search Results

21 Claims

1. A computing device, comprising:
- a memory having instructions stored thereon;
  
  a processor configured to execute the instructions to perform operations for DNS security, the operations comprising;
  
  initiating a domain name system (DNS) request;
  
  providing authorization information for the DNS request;
  
  storing all DNS requests and corresponding authorization information in a designated area;
  
  invoking corresponding authorization information from the authorization information database when a DNS resolution failure occurs on the root node, to provide a resolution service to a corresponding client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 2. The computing device according to claim 1, wherein the authorization information comprises DNS resolution record with a stored access amount exceeds a visit threshold, and/or a DNS resolution record of an important domain name.
  - 3. The computing device according to claim 1, wherein storing all DNS requests and corresponding authorization information in a designated area comprises the operation of forming a domain name level space according to the corresponding relation of the authorization information.
  - 4. The computing device according to claim 3, wherein the authorization information database is a mirror of the internet domain name level.
  - 5. The computing device according to claim 1, wherein invoking corresponding authorization information from the authorization information database when a DNS resolution failure occurs on the root node comprises the operation of using a distributed deployment to provide DNS resolution service for the client via a boundary gateway protocol (BGP) way.
  - 6. The computing device according to claim 5, wherein the BGP way comprises an anycast mode.
  - 7. The computing device according to claim 1, wherein invoking corresponding authorization information from the authorization information database when a DNS resolution failure occurs on the root node comprises the operation of performing a monitoring on a DNS datagram at an outlet of a critical region of the designated area at a backbone network, in order to determine whether the DNS resolution failure occurs.
  - 8. The computing device according to claim 1, wherein the operations further comprises:
    - modifying the root node address stored in the local to the address pointing to the virtual root node when the DNS resolution failure occurs in the root node;
      
      or, sending the local domain name resolution to the virtual root node.
  - 9. A failure processing method using DNS security system according to claim 1, comprising:
    - obtaining and storing all domain name system (DNS) requests in a designated area and corresponding authorization information, and generating a authorization information database;
      
      determining whether a DNS resolution failure occurs in a root node;
      
      if yes, initiating a virtual root node, and using the virtual root node to invoke authorization information stored in the authorization information database to provide DNS resolution service for a client.
  - 10. The method according to claim 9, wherein the authorization information comprises DNS resolution record with a stored access amount exceeds a visit threshold, and/or a DNS resolution record of an important domain name.
  - 11. The method according to claim 9, wherein the authorization information database is further configured to form a domain name level space according to the corresponding relation of the authorization information.
  - 12. The method according to claim 11, wherein the authorization information database is a mirror of the internet domain name level.
  - 13. The method according to claim 9, wherein the virtual root node is further configured to:
    - use a distributed deployment to provide DNS resolution service for the client via a boundary gateway protocol (BGP) way.
  - 14. The method according to claim 13, wherein the BGP way comprises an anycast mode.
  - 15. The method according to claim 9, wherein determining whether the DNS resolution failure occurs in the root node comprises:
    - performing a monitoring on a DNS datagram at an outlet of a critical region of the designated area at a backbone network, in order to determine whether the DNS resolution failure occurs.
  - 16. The method according to claim 9, further comprising:
    - at least one recursion DNS modifying the root node address stored in the local to the address pointing to the virtual root node when the DNS resolution failure occurs in the root node;
      
      or, sending the local domain name resolution to the virtual root node.

17. (canceled)

18. A non-transitory computer-readable medium having computer programs stored thereon that, when executed by one or more processors of an electronic device, cause the electronic device to perform operations for failure processing, the operations comprising:
- obtaining and storing all domain name system (DNS) requests in a designated area and corresponding authorization information, and generating a authorization information database;
  
  determining whether a DNS resolution failure occurs in a root node,if yes, initiating a virtual root node, and using the virtual root node to invoke authorization information stored in the authorization information database to provide DNS resolution service for a client.
- View Dependent Claims (19, 20, 21)
- - 19. The non-transitory computer-readable medium according to claim 18, wherein the authorization information comprises DNS resolution record with a stored access amount exceeds a visit threshold, and/or a DNS resolution record of an important domain name.
  - 20. The non-transitory computer-readable medium according to claim 18, wherein the authorization information database is further configured to form a domain name level space according to the corresponding relation of the authorization information.
  - 21. The non-transitory computer-readable medium according to claim 18, wherein the virtual root node is further configured to:
    - use a distributed deployment to provide DNS resolution service for the client via a boundary gateway protocol (BGP) way.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Inventors
TAN, Xiaosheng, QI, Xiangdong, PU, Can

Granted Patent

US 9,992,156 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 41/0654   using network fault recover...

H04L 41/0677   Localisation of faults

H04L 61/4511   using domain name system [DNS]

H04L 63/00   Network architectures or ne...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

DNS SECURITY SYSTEM AND FAILURE PROCESSING METHOD

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

13 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

DNS SECURITY SYSTEM AND FAILURE PROCESSING METHOD

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links