DNS security system and failure processing method

US 9,992,156 B2
Filed: 03/19/2015
Issued: 06/05/2018
Est. Priority Date: 04/18/2014
Status: Active Grant

First Claim

Patent Images

1. A computing device, comprising:

a memory having instructions stored thereon;

a processor configured to execute the instructions to perform operations for domain name system (DNS security, the operations comprising;

initiating a DNS request;

providing authorization information for the DNS request;

storing all DNS requests and corresponding authorization information in a designated area and generating an authorization information database;

determining whether a DNS resolution failure occurs in a root node, wherein the determining whether a DNS resolution failure occurs in a root node further comprises performing a monitoring on a DNS datagram at an outlet of a critical region of the designated area at a backbone network;

initiating a virtue root node and using the virtual root node to invoke corresponding authorization information from the authorization information database when the DNS resolution failure occurs on the root node; and

providing a resolution service to a corresponding client.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides a DNS security system and failure processing method. The DNS security system comprises: at least one client, configured to initiate a DNS request; a root node, configured to provide authorization information to the DNS request; an authorization information database, configured to store all DNS requests and corresponding authorization information in a designated area; a virtual root node, configured to invoke corresponding authorization information from the authorization information database when a DNS resolution failure occurs on the root node, and to provide a resolution service to a corresponding client. Using the present invention enhances the security and stability of DNS resolution.

17 Citations

View as Search Results

18 Claims

1. A computing device, comprising:
- a memory having instructions stored thereon;
  
  a processor configured to execute the instructions to perform operations for domain name system (DNS security, the operations comprising;
  
  initiating a DNS request;
  
  providing authorization information for the DNS request;
  
  storing all DNS requests and corresponding authorization information in a designated area and generating an authorization information database;
  
  determining whether a DNS resolution failure occurs in a root node, wherein the determining whether a DNS resolution failure occurs in a root node further comprises performing a monitoring on a DNS datagram at an outlet of a critical region of the designated area at a backbone network;
  
  initiating a virtue root node and using the virtual root node to invoke corresponding authorization information from the authorization information database when the DNS resolution failure occurs on the root node; and
  
  providing a resolution service to a corresponding client.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing device according to claim 1, wherein the authorization information comprises DNS resolution record with a stored access amount exceeds a visit threshold, and/or a DNS resolution record of an important domain name.
  - 3. The computing device according to claim 1, wherein storing all DNS requests and corresponding authorization information in a designated area comprises the operation of forming a domain name level space according to the corresponding relation of the authorization information.
  - 4. The computing device according to claim 3, wherein the authorization information database is a mirror of the internet domain name level.
  - 5. The computing device according to claim 1, wherein invoking corresponding authorization information from the authorization information database when a DNS resolution failure occurs on the root node comprises the operation of using a distributed deployment to provide DNS resolution service for the client via a boundary gateway protocol (BGP) way.
  - 6. The computing device according to claim 5, wherein the BGP way comprises an anycast mode.
  - 7. The computing device according to claim 1, wherein the operations further comprises:
    - modifying the root node address stored in the local to the address pointing to the virtual root node when the DNS resolution failure occurs in the root node;
      
      or, sending the local domain name resolution to the virtual root node.

8. A failure processing method, comprising:
- obtaining and storing all domain name system (DNS) requests and corresponding authorization information in a designated area, and generating an authorization information database;
  
  determining whether a DNS resolution failure occurs in a root node, wherein the determining whether a DNS resolution failure occurs in a root node further comprises performing a monitoring on a DNS datagram at an outlet of a critical region of the designated area at a backbone network;
  
  initiating a virtual root node and using the virtual root node to invoke corresponding authorization information stored in the authorization information database in response to a determination that the DNS resolution failure occurs in the root node; and
  
  providing a DNS resolution service for a corresponding client.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The method according to claim 8, wherein the authorization information comprises DNS resolution record with a stored access amount exceeds a visit threshold, and/or a DNS resolution record of an important domain name.
  - 10. The method according to claim 8, wherein the authorization information database is further configured to form a domain name level space according to the corresponding relation of the authorization information.
  - 11. The method according to claim 10, wherein the authorization information database is a mirror of the internet domain name level.
  - 12. The method according to claim 8, wherein the virtual root node is further configured to:
    - use a distributed deployment to provide DNS resolution service for the client via a boundary gateway protocol (BGP) way.
  - 13. The method according to claim 12, wherein the BGP way comprises an anycast mode.
  - 14. The method according to claim 8, further comprising:
    - at least one recursion DNS modifying the root node address stored in the local to the address pointing to the virtual root node when the DNS resolution failure occurs in the root node;
      
      or, sending the local domain name resolution to the virtual root node.

15. A non-transitory computer-readable medium having computer programs stored thereon that, when executed by one or more processors of an electronic device, cause the electronic device to perform a failure processing method, the failure processing method comprising:
- obtaining and storing all domain name system (DNS) requests and corresponding authorization information in a designated area, and generating an authorization information database;
  
  determining whether a DNS resolution failure occurs in a root node, wherein the determining whether a DNS resolution failure occurs in a root node further comprises performing a monitoring on a DNS datagram at an outlet of a critical region of the designated area at a backbone network;
  
  initiating a virtual root node and using the virtual root node to invoke corresponding authorization information stored in the authorization information database in response to a determination that the DNS resolution failure occurs in the root node; and
  
  providing a DNS resolution service for a corresponding client.
- View Dependent Claims (16, 17, 18)
- - 16. The non-transitory computer-readable medium according to claim 15, wherein the authorization information comprises DNS resolution record with a stored access amount exceeds a visit threshold, and/or a DNS resolution record of an important domain name.
  - 17. The non-transitory computer-readable medium according to claim 15, wherein the authorization information database is further configured to form a domain name level space according to the corresponding relation of the authorization information.
  - 18. The non-transitory computer-readable medium according to claim 15, wherein the virtual root node is further configured to:
    - use a distributed deployment to provide DNS resolution service for the client via a boundary gateway protocol (BGP) way.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Original Assignee
Beijing Qihu Technology Co. Ltd. (360 Security Technology, Inc.)
Inventors
Tan, Xiaosheng, Qi, Xiangdong, Pu, Can
Primary Examiner(s)
Chen, Eric

Application Number

US15/305,091
Publication Number

US 20170048187A1
Time in Patent Office

1,174 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 41/0654   using network fault recover...

H04L 41/0677   Localisation of faults

H04L 61/4511   using domain name system [DNS]

H04L 63/00   Network architectures or ne...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

DNS security system and failure processing method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

DNS security system and failure processing method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links