DNS tunnel detection method and device

A DNS tunnel detection technology, applied in the Internet field, that addresses the difficulty of telling DNS tunnel packets apart from normal DNS packets and the false positives and missed detections of existing threshold-based methods, so as to strengthen firewall protection and avoid misjudging normal DNS traffic.

Active Publication Date: 2013-09-25
SANGFOR TECH INC

Problems solved by technology

[0003] 1. Defense based on port blocking: this is the method most commonly used by traditional firewalls. The firewall blocks DNS tunnel data by blocking port 53, thereby preventing DNS tunnel penetration. However, blocking port 53 blocks normal DNS traffic together with the tunnel traffic, which disrupts normal business;
[0004] 2. Statistical analysis based on requested domain name length and request frequency: with this method, each DNS domain name requested by a client whose length exceeds a length threshold is recorded, and the frequency of such requests is counted. When the frequency exceeds a frequency alarm threshold, the client is judged to be using DNS tunneling. However, it is difficult to distinguish DNS tunnel data from normal DNS request data accurately this way, because a normal DNS request may also carry a very long domain name, and suitable values for the length threshold and the frequency alarm threshold are hard to determine, which leads to misjudgment.


Embodiment Construction

[0041] It should be understood that the specific embodiments described herein are only used to explain the present invention, not to limit it.

[0042] The invention provides a method for DNS tunnel detection.

[0043] Referring to figure 1, figure 1 is a schematic flowchart of the first embodiment of the DNS tunnel detection method of the present invention.

[0044] The DNS tunnel detection method provided in this embodiment includes:

[0045] Step S10: detect whether a client data packet sent to the port of the DNS server is a DNS data packet; if yes, proceed to step S20;

[0046] Step S20: detect whether the format of the client data packet meets the preset format constraint conditions; if so, execute step S21;

[0047] Step S21: detect whether the query domain name of the client data packet meets the preset domain name constraint condition; when the format of the client data packet does not meet the format constraint condition, and/or when the q...
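The three steps above (S10 parse, S20 format constraints, S21 domain-name constraints) and the length/frequency heuristic of the background section [0004] are illustrated together by the following added Python example. It is not code from the patent or from SANGFOR. The patent does not publish its preset format and domain-name constraints, so the checks used here (QR bit, opcode, section counts, query class, trailing bytes, label length and count, hostname alphabet, number of long labels) and every threshold value are assumptions chosen for illustration; the sample packets are constructed inline, and the caller is assumed to have already selected packets addressed to the DNS server port.

```python
import struct

# Hypothetical presets: the patent does not publish its constraints, so these are assumptions.
MAX_LABEL_LEN = 63      # RFC 1035 limit on one label
MAX_NAME_LEN = 253      # RFC 1035 limit on the dotted name
MAX_LABELS = 8          # assumed: deeper names are unusual for real hosts
LONG_LABEL = 30         # assumed: labels longer than this look like encoded payload
MAX_LONG_LABELS = 1     # assumed: one long label is tolerated, two are not
ALLOWED = set("abcdefghijklmnopqrstuvwxyz0123456789-_")

def build_query(name, qtype=1, txid=0x1234):
    """Build a plain client query (QR=0, RD=1, QDCOUNT=1); used only to make samples."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_query(pkt):
    """Step S10: parse as a DNS query or raise ValueError; returns header, labels, qtype, qclass, bytes used."""
    if len(pkt) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    labels, off = [], 12
    while True:
        if off >= len(pkt):
            raise ValueError("question name runs past end of packet")
        n, off = pkt[off], off + 1
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        if n == 0:
            break
        if off + n > len(pkt):
            raise ValueError("label runs past end of packet")
        labels.append(pkt[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(pkt):
        raise ValueError("truncated question section")
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"flags": flags, "qd": qd, "an": an, "ns": ns, "ar": ar}, labels, qtype, qclass, off + 4

def check_format(hdr, qclass, consumed, pkt_len):
    """Step S20: assumed format constraints for a client query; returns a reason or None."""
    if hdr["flags"] & 0x8000:
        return "QR bit set on a client packet"
    if (hdr["flags"] >> 11) & 0xF:
        return "non-standard opcode"
    if hdr["qd"] != 1 or hdr["an"] or hdr["ns"]:
        return "unexpected section counts for a query"
    if qclass != 1:
        return "query class is not IN"
    if hdr["ar"] == 0 and consumed != pkt_len:   # an EDNS OPT record would live in AR; none declared
        return "trailing bytes after the question"
    return None

def check_name(labels):
    """Step S21: assumed domain-name constraints; returns a reason or None."""
    if len(".".join(labels)) > MAX_NAME_LEN or any(len(l) > MAX_LABEL_LEN for l in labels):
        return "name or label exceeds RFC 1035 length limits"
    if len(labels) > MAX_LABELS:
        return "too many labels"
    if any(set(l.lower()) - ALLOWED for l in labels):
        return "label contains characters outside the hostname alphabet"
    if sum(len(l) > LONG_LABEL for l in labels) > MAX_LONG_LABELS:
        return "several long labels: looks like encoded payload"
    return None

def classify(pkt):
    """S10 -> S20 -> S21; any verdict other than 'normal' goes to the tunnel processing rule (caller drops/logs)."""
    try:
        hdr, labels, _qtype, qclass, consumed = parse_query(pkt)
    except ValueError as e:
        return "not_dns", str(e)
    reason = check_format(hdr, qclass, consumed, len(pkt))
    if reason:
        return "tunnel_format", reason
    reason = check_name(labels)
    if reason:
        return "tunnel_name", reason
    return "normal", ".".join(labels)

def length_frequency_alarm(names, length_threshold=40, freq_threshold=2):
    """Prior-art heuristic of [0004]: alarm once one client's count of over-long names exceeds the threshold."""
    return sum(len(n) > length_threshold for n in names) > freq_threshold

# Constructed samples, not captures. The CDN-style names are long enough to trip the
# length/frequency heuristic yet satisfy every format and name constraint above.
LEGIT_LONG_NAMES = [f"ds-cdn-long-host-name-for-a-real-product-{s}.cdn.example.net"
                    for s in ("a1b2c3d4", "e5f6a7b8", "c9d0e1f2")]
_HEX40 = "3f9a2c1d4e5b6a7f8c9d0e1f2a3b4c5d6e7f8a9b"
_normal = build_query("www.example.com")
SAMPLES = {
    "normal": _normal,
    "tunnel_labels": build_query(_HEX40 + "." + _HEX40[::-1] + ".t.tun.example"),
    "tunnel_charset": build_query("Zm9vYmFy+/==.tun.example"),
    "tunnel_trailer": _normal + b"smuggled payload",
    "tunnel_counts": _normal[:4] + struct.pack("!H", 2) + _normal[6:],
    "not_dns": b"GET / HTTP/1.1\r\n",
}
```

Calling `classify` on each entry of `SAMPLES` gives `normal` for the plain query, `tunnel_name` for the two hex-stuffed and base64-stuffed names, `tunnel_format` for the packet with a trailer and the one that declares QDCOUNT=2, and `not_dns` for the HTTP request. The three constructed CDN names make `length_frequency_alarm` fire even though each of them classifies as `normal`, which is the misjudgment the background section attributes to the length/frequency method. Two caveats for a real deployment: when ARCOUNT is non-zero the additional section should be parsed rather than trusted, or a tunnel can declare one record to hide a trailer; and a tunnel that keeps labels short and well-formed but queries at a high rate passes these per-packet checks, so the per-client rate dimension of [0004] still has a role alongside them.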


Abstract

The invention discloses a DNS tunnel detection method. The method includes the following steps: detect whether a client data packet sent to a port of a DNS server is a DNS data packet; when it is, detect whether the format of the client data packet meets preset format constraint conditions, and if so, detect whether the query domain name of the client data packet meets preset domain name constraint conditions; when the format of the client data packet does not meet the format constraint conditions, and/or the query domain name does not meet the domain name constraint conditions, process the client data packet according to preset DNS tunnel processing rules. The invention further discloses a corresponding DNS tunnel detection device. With this method and device, normal DNS data packets and DNS tunnel data packets can be distinguished, the problem of misjudging normal DNS traffic is effectively solved, DNS tunnels are detected comprehensively, and the firewall is thereby effectively protected.

Description

Technical field

[0001] The present invention relates to the field of Internet technology, in particular to a method and device for DNS tunnel detection.

Background technique

[0002] With the rapid development of the Internet, firewalls, as a barrier protecting information, have become an important field of communication technology research. Nowadays there are firewall penetration technologies on the Internet that allow data packets to pass through the network layer unhindered. DNS tunnel technology is one of these firewall penetration technologies. At present there are two main methods of defending against DNS tunnel technology: [0003] 1. Defense based on port blocking: this is the method most commonly used by traditional firewalls. The firewall blocks DNS tunnel data by blocking port 53, thereby preventing DNS tunnel penetration. However, in this way, while blocking DNS tunnel data, normal DNS data is also bl...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L12/26, H04L29/06, H04L29/12
Inventor 侯青青
Owner SANGFOR TECH INC