
CN104754071A - Method for detecting DNS (Domain Name-implementation and Specification) tunnel data based on DNS protocol standard - Google Patents

Published Wed Jul 01 2015

Info

Publication number
CN104754071A
Authority
CN (China)
Prior art keywords
dns
packet
data
protocol
content
Prior art date
2013-12-31
Legal status
Pending
Application number
CN201310755997.7A
Other languages
Chinese (zh)
Inventor
金琥
Current Assignee
Individual
Original Assignee
Individual
Priority date
2013-12-31
Filing date
2013-12-31
Publication date
2015-07-01
2013-12-31 Application filed by Individual
2013-12-31 Priority to CN201310755997.7A
2015-07-01 Publication of CN104754071A
Status: Pending


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of computer networks and discloses a method for distinguishing standard DNS (Domain Names - Implementation and Specification) protocol data from DNS tunnel data. The system captures the data packets of the DNS port. When a packet reaches the detection system: 1) the system examines the length of the packet content and regards the data as DNS tunnel data if the length exceeds 512 bytes; 2) the system examines the packet content and judges whether it conforms to the standard DNS protocol (for example, a client sends a DNS Query and a server replies with a DNS Response). If the standard DNS protocol is met, the system regards the data as DNS protocol data; otherwise it regards the data as DNS tunnel data. With this method, DNS tunnel data can be recognized and given differentiated treatment, or non-DNS protocol data can be prevented from passing through the DNS port.

Description

Method for detecting DNS tunnel data based on the DNS protocol standard

Technical field

The invention belongs to the technical field of computer networks and is a method for distinguishing standard DNS protocol data from DNS tunnel data.

Background technology

With the development of Internet technology, controlling how intranet users access the Internet has become a focus of network management. Traditional network management distinguishes network services by port and controls external access by opening or closing particular ports. DNS name resolution is the most basic Internet service and usually has to be opened to users. The DNS protocol it uses has UDP port 53 as its default port. Because the DNS port is generally open, a great deal of software has begun to use DNS tunneling techniques to connect to the outside. DNS protocol data and DNS tunnel data use the same port, so DNS tunnel data cannot be controlled simply by closing the port; otherwise users could not resolve domain names. Traditional port control methods therefore cannot cope with DNS tunnel penetration, and unauthorized external access seriously threatens the security of the internal network.

Summary of the invention

The object of the invention is to propose a method for distinguishing standard DNS protocol data from DNS tunnel data. With the invention, DNS tunnel data can be identified and given differentiated treatment, or non-DNS protocol data can be prevented from penetrating the DNS port.

Principle of DNS tunnel data detection:

The standard DNS protocol follows RFC 1035 (Domain Names - Implementation and Specification).

According to the RFC:

1. The content carried by a DNS packet (excluding the IP header and UDP header) must not exceed 512 bytes.

2. A DNS packet must contain header information, and the header indicates whether the packet is a DNS Query or a DNS Response.

3. A DNS client sends a DNS Query (domain name lookup request) to the server; after the DNS server receives the client's query, it returns a DNS Response with the same ID.

DNS tunnel data, by contrast, uses a proprietary protocol that does not follow the DNS protocol standard. To carry more data, the content of a packet often exceeds 512 bytes. The packet content that the client sends to the server does not conform to the DNS Query request format, and the packet content that the server returns to the client does not conform to the DNS Response format either.

Based on these differences, we can distinguish whether a packet on the DNS port is a DNS protocol packet or a DNS tunnel packet.

Description of the drawings

Fig. 1 is a diagram of the network deployment of the system of the invention.

Fig. 2 shows the DNS packet header format.

Fig. 3 is the flow chart of the system's detection of client packets.

Fig. 4 is the flow chart of the system's detection of server packets.

Embodiment

The invention is described in further detail below with reference to the drawings.

Network deployment:

See Fig. 1. The system of the invention is usually deployed at the egress gateway where the local area network (LAN) connects to the Internet, and captures packets of a designated port from the network. This port is generally UDP 53; other ports can be specified or added if required.

Packet detection method:

The detection criterion is whether a packet on this port conforms to the DNS protocol: any packet that does not conform to the description in RFC 1035 can be judged to be a DNS tunnel packet; otherwise it is a DNS protocol packet.

RFC 1035 stipulates that the content length of a DNS packet must not exceed 512 bytes. If the packet content length is greater than 512 bytes, the packet can be judged to be a DNS tunnel packet.

See Fig. 2. RFC 1035 stipulates that a DNS packet must contain a 12-byte header. The first two bytes of the header (16 bits in total) are the ID; the DNS query packet sent by the client and the DNS response packet returned by the server must have the same ID. Bit 17 of the header (counting from 1) is the QR flag: QR = 0 indicates that the packet is a DNS Query, and QR = 1 indicates that it is a DNS Response. Bits 26-28 of the header are reserved bits (the Z flag), and the Z flag of a DNS packet must be 0.

One efficient detection mode is selected here: determine whether a packet is a DNS protocol packet by checking the packet content length, the QR flag and the Z flag. This does not mean that the invention can only use this as its sole detection method.

1. Client data detection

See Fig. 3. The system captures packets sent by the client to the server and first calculates the packet content length excluding the IP header and UDP header. If the content length is greater than 512 bytes, the packet is judged to be a DNS tunnel packet. Next, bit 17 of the packet content (the QR flag) is extracted. If the QR flag is not 0, the packet is judged to be a DNS tunnel packet. Then bits 26-28 of the packet content (the Z flag) are extracted. If the Z flag is not 0, the packet is judged to be a DNS tunnel packet; otherwise it is a DNS protocol packet.

2. Server data detection

See Fig. 4. The system captures packets sent by the server to the client and first calculates the packet content length excluding the IP header and UDP header. If the content length is greater than 512 bytes, the packet is judged to be a DNS tunnel packet. Next, bit 17 of the packet content (the QR flag) is extracted. If the QR flag is not 1, the packet is judged to be a DNS tunnel packet. Then bits 26-28 of the packet content (the Z flag) are extracted. If the Z flag is not 0, the packet is judged to be a DNS tunnel packet; otherwise it is a DNS protocol packet.

Communication between the client and the server is bidirectional. Therefore one can choose to detect only client data, only server data, or both client and server data at the same time.

The advantage of this detection method is that it is simple and efficient. Using it to filter DNS port data ensures that all DNS protocol packets pass normally while most non-DNS protocol packets are intercepted, so that they cannot form a DNS tunnel. For complete identification of DNS protocol packets versus DNS tunnel packets, ID verification, verification of the other flag bits and verification of the query/response content format can be added as appropriate.

The above embodiment is only for illustrating the invention and is not limiting. Those of ordinary skill in the art should understand that modifications, variations or equivalent replacements of the invention that do not depart from its scope should all be covered by the claims of the invention.
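As an added worked example (not code from the patent or its inventor), the following Python implements the three checks of the detection method above (content length, QR flag per direction, Z flag) and the optional ID verification the description mentions, and runs them over constructed sample packets. The names `classify`, `IdCorrelator`, `build_query` and `build_response`, the sample ID 0x1A2B and the query name example.com are assumptions of this example; the bit positions follow the header layout described for Fig. 2.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Added example, not code from the patent: the length, QR and Z checks of the
# description plus the optional ID verification, applied to UDP port-53 payloads.

MAX_UDP_PAYLOAD = 512   # RFC 1035 section 4.2.1: UDP messages are limited to 512 bytes
HEADER_LEN = 12         # RFC 1035 section 4.1.1: fixed 12-byte header (Fig. 2)


@dataclass
class DnsHeader:
    ident: int      # bytes 1-2: ID, shared by a query and its response
    qr: int         # bit 17 (counting from 1): 0 = Query, 1 = Response
    z: int          # bits 26-28: reserved Z field, must be zero per RFC 1035
    qdcount: int
    ancount: int


def parse_header(payload: bytes) -> DnsHeader:
    """Decode the fixed header; raises ValueError if the header is absent."""
    if len(payload) < HEADER_LEN:
        raise ValueError("payload shorter than the 12-byte DNS header")
    ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", payload[:HEADER_LEN])
    qr = (flags >> 15) & 0x1   # most significant bit of the flags word
    z = (flags >> 4) & 0x7     # the three bits between RA and RCODE
    return DnsHeader(ident, qr, z, qdcount, ancount)


def classify(payload: bytes, from_client: bool) -> Tuple[str, str]:
    """Apply the checks in order (Fig. 3 for client packets, Fig. 4 for server
    packets) and return ("dns" or "tunnel", reason)."""
    if len(payload) > MAX_UDP_PAYLOAD:
        return "tunnel", f"content length {len(payload)} exceeds 512 bytes"
    try:
        hdr = parse_header(payload)
    except ValueError as exc:
        return "tunnel", str(exc)          # principle 2: a header is mandatory
    expected_qr = 0 if from_client else 1
    if hdr.qr != expected_qr:
        return "tunnel", f"QR={hdr.qr}, expected {expected_qr} for this direction"
    if hdr.z != 0:
        return "tunnel", f"reserved Z bits are {hdr.z:03b}, must be 000"
    return "dns", "length, QR and Z consistent with RFC 1035"


class IdCorrelator:
    """Optional ID verification: a response is only accepted when a query with
    the same ID was seen from the client side. (A real deployment would key on
    the address/port 5-tuple as well as the ID; this example keys on ID only.)"""

    def __init__(self) -> None:
        self.pending: Set[int] = set()

    def observe(self, payload: bytes, from_client: bool) -> Tuple[str, str]:
        verdict, reason = classify(payload, from_client)
        if verdict != "dns":
            return verdict, reason
        ident = parse_header(payload).ident
        if from_client:
            self.pending.add(ident)
            return "dns", reason
        if ident not in self.pending:
            return "tunnel", f"response ID 0x{ident:04x} matches no outstanding query"
        self.pending.discard(ident)
        return "dns", "response ID matches an outstanding query"


# --- constructed sample packets (built here, not captures from the patent) ---

def build_query(ident: int, name: str, flags: int = 0x0100) -> bytes:
    """Minimal RFC 1035 query: header (RD set), QNAME labels, QTYPE=A, QCLASS=IN."""
    qname = b"".join(bytes([len(lb)]) + lb.encode() for lb in name.split(".")) + b"\x00"
    return struct.pack("!6H", ident, flags, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def build_response(query: bytes, addr: bytes = b"\xc0\x00\x02\x01") -> bytes:
    """Answer a query with one A record (192.0.2.1, a documentation address)."""
    ident, flags, qd, *_ = struct.unpack("!6H", query[:HEADER_LEN])
    flags |= 0x8000 | 0x0080                       # set QR=1 and RA=1
    question = query[HEADER_LEN:]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + addr  # name pointer to offset 12
    return struct.pack("!6H", ident, flags, qd, 1, 0, 0) + question + answer


QUERY = build_query(0x1A2B, "example.com")
SAMPLES: Dict[str, Tuple[bytes, bool]] = {
    "query":     (QUERY, True),
    "response":  (build_response(QUERY), False),
    "oversized": (QUERY + b"\x00" * 600, True),                       # > 512 bytes
    "wrong_qr":  (build_query(0x1A2B, "example.com", 0x8100), True),  # client packet with QR=1
    "z_set":     (build_query(0x1A2B, "example.com", 0x0170), True),  # Z bits 26-28 = 111
}


def detect_all() -> Dict[str, str]:
    """Run the stateless classifier over every constructed sample."""
    return {name: classify(p, c)[0] for name, (p, c) in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in detect_all().items():
        print(f"{name:10s} -> {verdict}")
```

Two points a defender should weigh before deploying these checks as written: RFC 2535 later assigned two of the three reserved Z bits as the AD and CD flags, so DNSSEC-aware resolvers legitimately set them, and EDNS0 (RFC 6891) lets UDP messages exceed 512 bytes. A strict Z == 0 or length > 512 test therefore produces false positives on current traffic unless the allowed size is taken from the OPT record and only the remaining reserved bit is required to be zero; the patent's own closing remark that ID and content-format verification can be added points in that direction.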

Claims (4)

1. A method for distinguishing standard DNS protocol data from DNS tunnel data, comprising the following steps:

(1) the system captures the packets of a designated port;

(2) the content length of the packet is checked to judge whether it exceeds a designated length; if it does, the data is regarded as DNS tunnel data;

(3) the packet content is checked to judge whether it conforms to the standard DNS protocol; if it does, the data is regarded as DNS protocol data, otherwise as DNS tunnel data.

2. The method according to claim 1, wherein step (2) judges whether the packet is a DNS protocol packet, characterized in that it checks whether the content length of the packet exceeds 512 bytes.

3. The method according to claim 1, wherein step (3) judges whether the packet is a DNS protocol packet, characterized in that it checks whether the packet content sent by the client to the server conforms to the DNS Query packet format described in RFC 1035.

4. The method according to claim 1, wherein step (3) judges whether the packet is a DNS protocol packet, characterized in that it checks whether the packet content sent by the server to the client conforms to the DNS Response packet format described in RFC 1035.


Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310755997.7A CN104754071A (en) 2013-12-31 2013-12-31 Method for detecting DNS (Domain Name-implementation and Specification) tunnel data based on DNS protocol standard


Publications (1)

Publication Number Publication Date
CN104754071A true CN104754071A (en) 2015-07-01

Family

ID=53593157

Country Status (1)

Country Link
CN (1) CN104754071A (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103179100A (en) * 2011-12-26 2013-06-26 中国移动通信集团广西有限公司 A method and device for preventing domain name system tunnel attack
CN103326894A (en) * 2013-05-29 2013-09-25 深信服网络科技(深圳)有限公司 DNS tunnel detection method and device

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109842588A (en) * 2017-11-27 2019-06-04 腾讯科技(深圳)有限公司 Network data detection method and relevant device
CN109842588B (en) * 2017-11-27 2022-01-07 腾讯科技(深圳)有限公司 Network data detection method and related equipment
CN109474575A (en) * 2018-09-11 2019-03-15 北京奇安信科技有限公司 A kind of detection method and device in the tunnel DNS
CN109474575B (en) * 2018-09-11 2022-04-12 奇安信科技集团股份有限公司 A kind of detection method and device of DNS tunnel
CN111343042A (en) * 2020-02-05 2020-06-26 网宿科技股份有限公司 DNS analysis test method and test system
CN111343042B (en) * 2020-02-05 2022-02-22 网宿科技股份有限公司 DNS analysis test method and test system
CN112367312A (en) * 2020-10-30 2021-02-12 北京亚鸿世纪科技发展有限公司 Detection method and device for studying and judging DNS hidden tunnel
CN112367312B (en) * 2020-10-30 2022-10-11 北京亚鸿世纪科技发展有限公司 Detection method and device for studying and judging DNS hidden tunnel
CN115297083A (en) * 2022-08-03 2022-11-04 左道明 Domain name system tunnel detection method and system based on data volume and behavior characteristics
CN115297083B (en) * 2022-08-03 2023-09-12 左道明 Domain name system tunnel detection method and system based on data volume and behavior characteristics


Legal Events

Date Code Title Description
2015-07-01 C06 Publication
2015-07-01 PB01 Publication
2015-07-29 C10 Entry into substantive examination
2015-07-29 SE01 Entry into force of request for substantive examination
2018-07-31 WD01 Invention patent application deemed withdrawn after publication