A trigger type transparent proxy monitoring system and method based on DNS strategy hijacking for IPv4 / IPv6 hybrid network

By employing strategic DNS hijacking technology and intelligent DNS servers, and dynamically allocating proxy IPs for transparent proxy monitoring, the problems of high monitoring costs, poor compliance, and privacy infringement in the IPv6 environment are solved, achieving efficient, economical, and compliant network monitoring.

CN122247967A · Pending · Publication Date: 2026-06-19 · HUBEI LITTLE UMBRELLA TECHNOLOGY CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Application (China)
Current Assignee / Owner
HUBEI LITTLE UMBRELLA TECHNOLOGY CO LTD
Filing Date
2026-01-06
Publication Date
2026-06-19

AI Technical Summary

Technical Problem

Existing technologies in the IPv6 environment are costly to monitor, have poor legal compliance and regulatory blind spots, are difficult to effectively monitor non-HTTP traffic, and pose risks of privacy infringement and uncontrollable supply chain risks.

Method used

It employs strategic DNS hijacking technology, dynamically allocates proxy IPs through an intelligent DNS server, triggers monitoring only when access behavior occurs, generates minimal connection metadata logs, and achieves transparent proxy monitoring.

Benefits of technology

It achieves full monitoring coverage of the TCP/UDP protocol stack, reduces hardware and maintenance costs, is legally compliant, avoids privacy infringement risks, supports transparency reporting, and improves the economic feasibility and social acceptance of regulation.

✦ Generated by Eureka AI based on patent content.


Abstract

This invention discloses a trigger-based transparent proxy monitoring system and method for IPv4 / IPv6 hybrid networks based on DNS policy hijacking, belonging to the field of computer network and information security technology. The system includes a policy management platform, an intelligent DNS server, a multi-IP transparent proxy cluster, and an audit center. The core of the method is as follows: the intelligent DNS server judges the domain name resolution requests initiated by the terminal based on a pre-set policy. For requests requiring monitoring, it hijacks the resolution result and points it to a specific IP address of the internal network proxy cluster, simultaneously recording the session association of "client-proxy IP-target domain name." The proxy server reconstructs the access intent based on this association, completes compliance checks, and establishes a transparent forwarding channel to the real IPv6 target. This invention fundamentally abandons the costly and privacy-infringing full-network active detection or deep packet inspection modes in IPv6 environments, innovatively realizing the "access behavior-triggered supervision" paradigm. It achieves a unity of supervision effectiveness, legal compliance, and economic cost, providing an engineering solution for secure and controllable deployment of IPv6.

Description

Technical Field

[0001] This invention relates to the fields of computer network and information security technology, and specifically to a system and method for compliance monitoring of an enterprise's or organization's internal network access to external resources in a hybrid network environment where IPv4 and IPv6 protocols coexist.

Background Technology

[0002] The global internet is strategically migrating from IPv4 to IPv6. While IPv6 solves the address exhaustion problem, its "end-to-end direct communication" design principle completely undermines the natural network boundaries established by Network Address Translation (NAT) in the IPv4 era, rendering traditional "triggered" monitoring based on border gateways ineffective. To address this challenge, existing technologies are evolving along two main paths: one is to continuously and proactively probe and scan the massive IPv6 address space; the other is to employ deep packet inspection technology to mirror and analyze all network traffic.

[0003] However, the aforementioned existing technologies have significant drawbacks: First, they are economically costly. The hardware probes, storage, and computing power required for proactive detection and full-traffic analysis are increasing exponentially, making large-scale deployment difficult. Second, they pose significant legal compliance risks. Continuous and indiscriminate data collection fundamentally conflicts with the core principles of "minimum necessity" and "clear purpose" in laws and regulations such as the Personal Information Protection Law, posing a serious risk of privacy infringement. Furthermore, the technology lacks comprehensive coverage. Deep packet inspection technology heavily relies on parsing specific application-layer protocols (such as HTTP), making it difficult to effectively monitor critical non-HTTP traffic such as SSH, RDP, and industrial protocols, creating regulatory blind spots. The massive logs collected and stored from full-traffic analysis contain sensitive information such as the communication patterns, access frequencies, and target objects of state organs. If these logs are leaked or misused by internal personnel, hostile forces can use traffic analysis and graph computing to deduce the organizational structure, work priorities, and even the identities of key personnel of state organs, posing a serious national security threat. Finally, existing equipment is typically developed by commercial companies, and backdoors or maintenance personnel may have access to sensitive metadata and content data, posing uncontrollable supply chain risks.

[0004] Therefore, the industry urgently needs a new network monitoring paradigm that can balance regulatory effectiveness, legal compliance, and economic feasibility in an IPv6 environment.

Summary of the Invention

[0005] The purpose of this invention is to overcome the aforementioned deficiencies of the prior art and provide a trigger-based transparent proxy monitoring system and method for IPv4 / IPv6 hybrid networks. This invention aims to shift the network monitoring model from the costly and risky "continuous proactive" approach in the IPv6 environment back to a more reasonable "behavior-triggered" approach, similar to the IPv4 era. This will achieve effective monitoring while fundamentally protecting privacy and controlling costs.

[0006] To achieve the above objectives, this invention adopts the following technical solution: a trigger-based network monitoring method, the core of which lies in: through policy-based Domain Name System (DNS) hijacking, precisely directing the network access traffic to be monitored to a controlled transparent proxy checkpoint, and triggering monitoring and logging only when such access behavior actually occurs. The system mainly consists of a policy management platform, an intelligent DNS server, a multi-IP transparent proxy server cluster, and an audit analysis center.

[0007] The key improvement of the method lies in: DNS layer policy triggering: Regulatory decisions are made at the application layer (DNS), and intervention is only applied to access that hits the policy, realizing "on-demand activation" and "precise guidance" of regulation, avoiding full traffic monitoring from the source.

[0008] Multi-IP Proxy Session Association: The proxy server cluster has multiple IP addresses. The intelligent DNS server dynamically assigns a dedicated proxy IP to each monitored session and uniquely associates it with the original access domain name through a tuple of "client IP + proxy IP", thus solving the problem of monitoring non-HTTP protocol traffic without domain name information.

[0009] Minimize data logging: The system only generates logs after access triggers proxy forwarding, and the log content is strictly limited to connection metadata (such as time, policy ID, anonymization identifier, domain name, and traffic size), explicitly excluding application layer content data, which naturally conforms to the principle of data minimization.

[0010] The beneficial effects of this invention include: Effectiveness of supervision: Through a protocol-agnostic transparent proxy mechanism, monitoring coverage of the entire TCP / UDP protocol stack is achieved, eliminating regulatory blind spots.

[0011] Legal compliance: The "access-triggered" mechanism and the "log minimization" design embed compliance into the regulatory actions themselves, effectively avoiding legal risks of privacy infringement.

[0012] Economic feasibility: The architecture is highly convergent, eliminating the need for distributed probes and full-traffic storage systems. Hardware and maintenance costs can be reduced by more than 70% compared to traditional solutions, providing an economic foundation for large-scale deployment.

[0013] Social acceptance: The system supports the generation of transparency reports, which helps to enhance trust between regulators and those being regulated.

Description of the Attached Figures

[0014] Figure 1 is a schematic diagram of the overall architecture of the system of the present invention.

[0015] Figure 2 is a complete flowchart of the method of the present invention.

[0016] Figure 3 is a flowchart of policy matching and session association in the intelligent DNS server.

[0017] Figure 4 is a flowchart of connection handling and domain name restoration in the multi-IP transparent proxy server.

Detailed Implementation

[0018] The following detailed description of the implementation of the present invention is based on the example of an enterprise with a pure IPv4 intranet (10.0.0.0/16) that needs to monitor employees' access to external IPv6 resources.

[0019] Step 1: Deployment. Deploy two intelligent DNS servers in primary/backup mode (IPs 10.0.1.10 and 10.0.1.11), running modified DNS software with the policy engine and the session association database integrated.

[0020] Deploy a transparent proxy cluster of three servers. On each server, one network interface is bound to 16 consecutive IPv4 addresses, so that the cluster as a whole covers 10.0.2.1 to 10.0.2.48 (48 proxy IPs), and a second interface carries a public IPv6 address for the outbound side.

[0021] Deploy an audit analysis server to receive and store logs.

[0022] Configure the network so that every internal terminal (10.0.0.0/16) uses 10.0.1.10 as its DNS resolver. The whole scheme is triggered by this resolver seeing the query, so a terminal that resolves names elsewhere (an external or encrypted resolver, a static hosts entry, or a hard-coded target address) produces no hijackable query; egress filtering must prevent such bypasses for the monitoring to be complete.

[0023] Step 2: Policy Configuration. Configure policies through the policy management platform (web interface). For example: category "Work Software", domain name matching *.company-saas.com, action: monitor.

[0024] Category "high risk", domain name matching the pattern *.gambling.*, action: block.

[0025] The user group "R&D Department" is allowed to access commonly used development tool sites (such as github.com), but the access is monitored and logged.

[0026] Time policy: apply all policies from 9:00 to 18:00 on weekdays, and apply only the high-risk blocking policies at other times.
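The three policy examples and the time rule above can be combined into a single first-match policy engine of the kind the intelligent DNS server consults in step S3 of the claims. The following is an added example, not code from the patent or from its applicant. It assumes that policies are evaluated in the order listed, that the time rule of [0026] is modelled as a per-policy "business hours only" flag (so that only the block rule stays active outside working hours), and that a query matching no policy is resolved honestly and left unmonitored. The policy IDs (HR-GAMBLING, WORK-SAAS, RD-DEVTOOLS, RD-SSH) and the two sample timestamps are invented for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from fnmatch import fnmatch
from typing import Optional, Set

# Added example (not the patent's code): a minimal first-match policy engine
# of the kind the intelligent DNS server would consult in step S3.


@dataclass(frozen=True)
class Policy:
    policy_id: str                         # invented label; this is what the audit log carries
    category: str                          # e.g. "high risk", "Work Software"
    domain_pattern: str                    # glob as written in the patent, e.g. "*.gambling.*"
    action: str                            # "block" or "monitor"
    user_groups: Optional[Set[str]] = None  # None: applies to every user group
    business_hours_only: bool = False      # True: active only weekdays 09:00-18:00 ([0026])


# Constructed policy table mirroring [0023]-[0025]. Order matters: the always-on
# high-risk block rule is listed first so it wins over any monitoring rule.
POLICIES = (
    Policy("HR-GAMBLING", "high risk", "*.gambling.*", "block"),
    Policy("WORK-SAAS", "Work Software", "*.company-saas.com", "monitor",
           business_hours_only=True),
    Policy("RD-DEVTOOLS", "Development tools", "github.com", "monitor",
           user_groups={"R&D Department"}, business_hours_only=True),
    Policy("RD-SSH", "Development tools", "code-ssh.example.com", "monitor",
           user_groups={"R&D Department"}, business_hours_only=True),
)

# Constructed sample timestamps: a Wednesday mid-morning and a Saturday night.
WORKDAY = datetime(2026, 1, 7, 10, 30)
WEEKEND = datetime(2026, 1, 10, 3, 0)


def in_business_hours(now: datetime) -> bool:
    """Weekdays 09:00-18:00, the window in which all policies apply ([0026])."""
    return now.weekday() < 5 and time(9, 0) <= now.time() < time(18, 0)


def match_policy(domain: str, user_groups: Set[str], now: datetime,
                 policies=POLICIES) -> Optional[Policy]:
    """Return the first policy hit for this query, or None if nothing matches.

    The name is normalised (trailing dot stripped, lower-cased) before the glob
    comparison so that a query for 'CODE-SSH.example.com.' still hits.
    """
    name = domain.rstrip(".").lower()
    for p in policies:
        if p.business_hours_only and not in_business_hours(now):
            continue                       # outside the window only block rules stay active
        if p.user_groups is not None and not (p.user_groups & user_groups):
            continue                       # rule is scoped to other user groups
        if not fnmatch(name, p.domain_pattern):
            continue
        return p
    return None


def dns_decision(domain: str, user_groups: Set[str], now: datetime) -> tuple:
    """Translate a policy hit into what the resolver does with the query (S3/S4).

    ("resolve", None)  : no policy hit; answer honestly, nothing is logged
    ("block", id)      : refuse the name (the patent does not say how the refusal
                         is encoded on the wire; NXDOMAIN is one option)
    ("hijack", id)     : allocate a proxy IP and answer with it (step S4)
    """
    p = match_policy(domain, user_groups, now)
    if p is None:
        return ("resolve", None)
    if p.action == "block":
        return ("block", p.policy_id)
    return ("hijack", p.policy_id)
```

Because the block rule carries no business-hours flag, a gambling domain is refused at 03:00 on a Saturday while the SaaS monitoring rule has gone dormant and the same query is simply resolved; that asymmetry is exactly the time policy of [0026].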

[0027] Step 3: Workflow Example Suppose that an employee's host (IP: 10.0.0.100) attempts to connect to an external code server (domain name: code-ssh.example.com) via SSH during work hours.

[0028] DNS Query and Hijacking: The host queries the DNS server for code-ssh.example.com (an A record, since it sits on an IPv4-only network; a dual-stack host would typically also query AAAA). The real target is reachable only over IPv6, so an honest resolution would yield only an AAAA record that this host cannot use. The intelligent DNS server (10.0.1.10) receives the query and, based on the matching policy, determines that monitoring is required. It selects an idle proxy IP (e.g., 10.0.2.15) from its address pool, records (10.0.0.100, 10.0.2.15) -> code-ssh.example.com in its in-memory association table with a 10-second timeout, and answers the host that the address of code-ssh.example.com is 10.0.2.15. That answer must carry a TTL of zero, or at most the association timeout; otherwise the host's resolver cache keeps sending later connections to 10.0.2.15 after the table entry has expired, and the proxy can no longer recover the intended target.

[0029] Connection Proxy and Intent Recovery: The host initiates an SSH connection (TCP port 22) to 10.0.2.15. The proxy server listening on 10.0.2.15 accepts the connection and immediately queries the intelligent DNS server over the internal interface: "which domain did client 10.0.0.100 intend when it connected to my address 10.0.2.15?" The DNS server looks up the key (10.0.0.100, 10.0.2.15) in its association table and returns code-ssh.example.com. Because the lookup key is this pair, the pool must not hand the same proxy IP to the same client for a different domain while an association is live; different clients may share a proxy IP, since their keys differ.

[0030] Compliance Check and Transparent Forwarding: The proxy server performs a rapid compliance check against the "R&D Department" policy (e.g., confirming that the client is associated with an R&D identity). On success it resolves code-ssh.example.com itself to obtain the real IPv6 address 2001:db8::1, establishes an IPv6 connection to [2001:db8::1]:22, and then forwards data bidirectionally and transparently between the host's IPv4 connection and the target's IPv6 connection.

[0031] Audit Log: Once the session is established, the proxy server generates a log entry limited to the following fields: [Timestamp] [Policy ID: R&D SSH] [Client Hash] [Domain: code-ssh.example.com] [Action: Allow] [Traffic: XXX bytes] (the traffic field being finalized when the session closes), and sends it to the audit center. After the session ends, the association is removed and the proxy IP 10.0.2.15 is returned to the address pool.

[0032] Protocol independence: The above process is equally effective for any TCP / UDP-based protocol, such as HTTP, RDP, and database connections, because the monitoring occurs at the transport layer.

[0033] Load balancing: The intelligent DNS server can dynamically allocate resources based on the current number of connections to each proxy IP, thereby achieving load balancing.

[0034] Fault handling: If a proxy IP becomes unresponsive, the DNS server marks it as invalid and removes it from the address pool, so that no new sessions are assigned to the failed node.
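The session association of [0008] and the workflow of [0028] to [0034] hinge on one data structure: a table keyed by (client IP, proxy IP) that the DNS side writes and the proxy side reads. The following is an added example, not the patent's or the applicant's code, that models that table together with least-connections selection ([0033]), removal of failed proxy IPs ([0034]) and the field-limited audit record of [0031] and claim 5. It assumes a pool of 48 consecutive addresses starting at 10.0.2.1, a 10-second window in which the terminal must connect, that a repeated query from the same client for the same domain inside the window gets the same proxy IP back, and that the anonymized client identifier is a keyed hash under a secret (AUDIT_SECRET below) held by the audit center. All of these are choices made here, not details the patent specifies.

```python
import hashlib
import hmac
import ipaddress
import time
from typing import Dict, Optional, Set, Tuple

# Added example (not the patent's code): the DNS-side association table, the
# proxy-side lookup that recovers access intent, and the minimal audit record.

UNBOUND = float("inf")                         # expiry marker once a session is live
AUDIT_SECRET = b"constructed-example-secret"   # assumption: secret held by the audit center
AUDIT_FIELDS = ("timestamp", "policy_id", "client_id", "domain", "action", "bytes")


class ProxyPool:
    """Proxy address pool plus the (client IP, proxy IP) -> target domain table."""

    def __init__(self, first_ip: str, count: int, assoc_ttl: float = 10.0):
        start = ipaddress.IPv4Address(first_ip)
        self.proxy_ips = [str(start + i) for i in range(count)]   # 10.0.2.1 .. 10.0.2.48
        self.assoc_ttl = assoc_ttl
        # (client_ip, proxy_ip) -> (domain, expiry); expiry becomes UNBOUND once a session is live
        self.table: Dict[Tuple[str, str], Tuple[str, float]] = {}
        self.active: Dict[str, int] = {ip: 0 for ip in self.proxy_ips}  # bound sessions per proxy IP
        self.failed: Set[str] = set()

    def _expire(self, now: float) -> None:
        """Drop associations whose connect window passed without a connection."""
        for key, (_, expiry) in list(self.table.items()):
            if expiry <= now:
                del self.table[key]

    def allocate(self, client_ip: str, domain: str, now: Optional[float] = None) -> Optional[str]:
        """DNS side (S4): choose a proxy IP for this client+domain and record the association."""
        now = time.time() if now is None else now
        self._expire(now)
        # Same client asking again for the same domain: hand back the same address
        # (refreshing the window) rather than consuming a second pool entry.
        for (cip, pip), (dom, expiry) in self.table.items():
            if cip == client_ip and dom == domain:
                if expiry != UNBOUND:
                    self.table[(cip, pip)] = (dom, now + self.assoc_ttl)
                return pip
        # The lookup key is the pair, so a proxy IP this client already has a live
        # association with cannot be reused for a different domain.
        candidates = [ip for ip in self.proxy_ips
                      if ip not in self.failed and (client_ip, ip) not in self.table]
        if not candidates:
            return None                    # pool exhausted for this client: resolve honestly instead
        # Least-connections first ([0033]); ties broken by pool order.
        proxy_ip = min(candidates, key=lambda ip: (self.active[ip], self.proxy_ips.index(ip)))
        self.table[(client_ip, proxy_ip)] = (domain, now + self.assoc_ttl)
        return proxy_ip

    def lookup(self, client_ip: str, proxy_ip: str, now: Optional[float] = None) -> Optional[str]:
        """Proxy side (S6): recover the intended domain when a connection arrives."""
        now = time.time() if now is None else now
        self._expire(now)
        entry = self.table.get((client_ip, proxy_ip))
        if entry is None:
            return None                    # late or unsolicited connection: no intent, do not forward
        domain, expiry = entry
        if expiry != UNBOUND:              # first connection binds the association to a session
            self.table[(client_ip, proxy_ip)] = (domain, UNBOUND)
            self.active[proxy_ip] += 1
        return domain

    def release(self, client_ip: str, proxy_ip: str) -> None:
        """Session ended ([0031]): free the proxy IP for this client."""
        entry = self.table.pop((client_ip, proxy_ip), None)
        if entry is not None and entry[1] == UNBOUND:
            self.active[proxy_ip] = max(0, self.active[proxy_ip] - 1)

    def mark_failed(self, proxy_ip: str) -> None:
        """[0034]: an unresponsive proxy IP receives no further allocations."""
        self.failed.add(proxy_ip)


def anonymize_client(client_ip: str, secret: bytes = AUDIT_SECRET) -> str:
    """Stable, non-reversible client identifier (keyed hash; an assumption, see lead-in)."""
    return hmac.new(secret, client_ip.encode(), hashlib.sha256).hexdigest()[:16]


def make_audit_record(timestamp: float, policy_id: str, client_ip: str, domain: str,
                      action: str, nbytes: int) -> dict:
    """The field-limited log entry of [0031] / claim 5: connection metadata only, no raw client IP."""
    record = {"timestamp": timestamp, "policy_id": policy_id,
              "client_id": anonymize_client(client_ip), "domain": domain,
              "action": action, "bytes": nbytes}
    assert tuple(record) == AUDIT_FIELDS   # nothing beyond the claimed fields ever leaves the proxy
    return record
```

The point worth noticing is the key collision rule: with 48 addresses in the pool, one client can have at most 48 distinct monitored domains in flight at once, and a proxy IP only becomes reusable for that client when the association expires unused or the session is released. Sizing the pool against the expected per-client concurrency, not against the total number of clients, is what keeps intent recovery unambiguous.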

[0035] In summary, this invention, through its ingenious system architecture design, provides a complete, implementable, and multi-faceted IPv6 network monitoring engineering solution. Those skilled in the art can modify and adapt the above embodiments without departing from the principles of this invention, and such modifications and adaptations should also be considered within the scope of protection of this invention.

Claims

1. A trigger-based transparent proxy monitoring method for IPv4 / IPv6 hybrid networks based on DNS policy hijacking, characterized in that it includes the following steps: S1: the policy management platform pre-defines domain classification, user identity, and time policies; S2: the intelligent DNS server receives a domain name resolution request from an internal IPv4 terminal; S3: the intelligent DNS server matches the request against the preset policies to determine whether monitoring is required; S4: if monitoring is required, the intelligent DNS server executes a hijacking response: it dynamically allocates an address from the proxy IP address pool, records the mapping between that address, the client information, and the original target domain name in the session association table, and returns the proxy IP address to the terminal as the resolution result; S5: the terminal initiates a connection to the proxy IP address; S6: the multi-IP transparent proxy server receives the connection, extracts the client IP and the local IP on which the connection arrived, and queries the intelligent DNS server to obtain the corresponding original target domain name; S7: the proxy server performs a compliance check on the access; if the check passes, it resolves the original target domain name to obtain the real IPv6 address and establishes a two-way transparent forwarding channel; S8: the proxy server generates and saves an audit log with limited fields, only for the monitoring event triggered in this instance.

2. The method according to claim 1, characterized in that the proxy IP address pool contains multiple IPv4 addresses, which are used to assign different addresses to different monitoring sessions, and the proxy server distinguishes and associates different access intentions by identifying the specific IP address on which the connection arrives.

3. The method according to claim 1, characterized in that the policy matching factors in step S3 include at least one of the following: target domain name category, user identity attribute associated with the terminal, and the time period in which the request occurred.

4. The method according to claim 1, characterized in that the method supports transparent monitoring of network protocols that carry no explicit domain name identification at the application layer, including SSH, RDP, FTP, and custom TCP / UDP protocols.

5. The method according to claim 1, characterized in that the audit log generated in step S8 contains no application layer content obtained by deep packet inspection of network packets; it contains only the timestamp, policy ID, anonymized client identifier, target domain name, access result, and traffic size fields.

6. A trigger-based network monitoring system for implementing the method according to any one of claims 1 to 5, characterized in that it includes: a policy management module, used to configure, manage, and distribute monitoring policies; an intelligent DNS service module, used to receive domain name resolution requests, perform policy matching, make hijacking decisions, record session associations, and rewrite responses; a multi-IP transparent proxy service cluster, configured with multiple IPv4 addresses, used to accept proxy connections, restore the original domain name, perform compliance checks, carry out IPv4 / IPv6 protocol conversion, and transparently forward traffic; and an audit analysis module, used to collect and store the monitoring event logs generated by the proxy service cluster and to provide query and analysis functions.

7. The system according to claim 6, characterized in that the multi-IP transparent proxy service cluster interacts with the intelligent DNS service module through a secure internal communication interface to query session association information.

8. The system according to claim 6, characterized in that the system further includes a high availability and load balancing module to ensure the continuous availability and elastic performance scaling of the intelligent DNS service module and the multi-IP transparent proxy service cluster.

9. The system according to claim 6, characterized in that the audit analysis module can periodically generate privacy transparency reports for the regulated entities based on preset rules, the reports including at least an overview of the monitored events and the policy terms on which they are based.