
Design And Implementation Of IP Attribute Analysis System Based On DNS Log

Posted on: 2018-10-16
Degree: Master
Type: Thesis
Country: China
Candidate: S J Xiong
GTID: 2348330536981623
Subject: Software engineering
Abstract/Summary:
As one of the world's largest distributed database systems, the Domain Name System (DNS) is a basic component of the current Internet. It connects users with the Internet routing infrastructure by providing conversion services between domain names and network addresses. The domain name system supports services such as mail services, Web services and Content Delivery Network (CDN) services, and plays a very important role in the Internet. The DNS log contains a large amount of information about the interaction between application server IP addresses and domain name server IP addresses, and this paper analyzes the DNS log from the point of view of IP attributes. IP attributes consist of service attributes and security attributes. The analysis of service attributes identifies the service IPs that appear in the DNS log, including mail service IPs, domain name service IPs, CDN service IPs and Web service IPs. The analysis of security attributes identifies the IP addresses that behave abnormally.

To analyze the service attributes of an IP, this paper designs and implements a different identification method for each service. The modules that analyze IP service attributes in the system are the mail service IP analysis module, the domain name service IP analysis module, the CDN service IP analysis module and the Web service IP analysis module. The mail service IP module uses the MX records in the DNS log to obtain the mail server name, and then finds the mail server IP address by name. The domain name service IP module designs and implements four methods to identify domain name service IPs: identification by IP access activity, identification by AA and the number of resolved domain names, identification by data direction, and active detection. The IP access activity method mainly analyzes how frequently recursive domain name servers access a domain name server. The method based on AA and the number of resolved domain names mainly analyzes the authoritative answers and the domain names resolved by a domain name service IP. The data direction method mainly analyzes the interaction between a domain name service IP and other IPs. The active detection method sends a domain name query request to the IP address, constructs a reverse domain name query packet according to the result of the request, and obtains the result of that query; analyzing the results determines the specific type of the domain name service IP. The CDN service IP analysis module includes three methods: first, identifying the CDN service IP by analyzing the geographic information of the corresponding domain name; second, by analyzing whether a CDN name is included in the name and the number of times it appears as an alias; finally, by analyzing the number of aliases of the domain name. The Web service IP module uses port scanning to detect whether port 80 of the IP address is open. If the port is open, it should be a Web service IP.

This paper also designs and implements the correlation analysis of IP security attributes. The IP security attribute analysis module identifies the IP addresses that show abnormal behavior. It mainly analyzes anomalies of the same IP address, namely an IP address corresponding to an excessive number of domain names within a unit of time, and then captures the abnormal IP address. Identifying anomalous IPs helps further monitoring and research.

In summary, this paper not only studies the DNS log in depth, but also designs and implements methods for analyzing IP attributes, and completes an IP attribute recognition system based on the DNS log. Testing shows that the system meets the design goals.
Keywords/Search Tags:Domain name system, log analysis, IP attributes
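
The mail service IP step described in the abstract (MX record to mail server name, then name to IP address), as an added example that is not code from the thesis. The log layout, the sample records and the names norm and mail_service_ips are assumptions made for illustration; CNAME following and null MX handling go slightly beyond what the abstract states.

```python
from collections import defaultdict

# Constructed sample. The thesis's log format is not on the page; the
# flattened "owner TYPE rdata" layout below is an assumption.
SAMPLE_LOG = """\
example.com. MX 10 mail.example.com.
example.com. MX 20 MX2.Example.com.
mail.example.com. A 192.0.2.25
mx2.example.com. CNAME relay.example.net.
relay.example.net. A 198.51.100.7
www.example.com. A 192.0.2.80
example.org. MX 5 mx.example.org.
example.net. MX 0 .
"""

def norm(name):
    """DNS names compare case-insensitively; drop the trailing root dot."""
    return name.rstrip(".").lower()

def mail_service_ips(log_text, max_cname_depth=8):
    """Return ({ip: {mx hostnames}}, {mx hostnames with no address in the log})."""
    mx_hosts, cname, addrs = set(), {}, defaultdict(set)
    for line in log_text.splitlines():
        f = line.split()
        if len(f) < 3:
            continue
        owner, rtype = norm(f[0]), f[1].upper()
        if rtype == "MX" and len(f) >= 4:
            if norm(f[3]):              # skip null MX ("0 ."), RFC 7505
                mx_hosts.add(norm(f[3]))
        elif rtype in ("A", "AAAA"):
            addrs[owner].add(f[2])
        elif rtype == "CNAME":
            cname[owner] = norm(f[2])
    mail_ips, unresolved = defaultdict(set), set()
    for host in mx_hosts:
        target, depth = host, 0
        # MX targets should not be aliases, but logs contain them; follow
        # a bounded number of hops so a CNAME loop cannot hang the scan.
        while target in cname and depth < max_cname_depth:
            target, depth = cname[target], depth + 1
        if addrs.get(target):
            for ip in addrs[target]:
                mail_ips[ip].add(host)
        else:
            unresolved.add(host)
    return dict(mail_ips), unresolved

if __name__ == "__main__":
    print(mail_service_ips(SAMPLE_LOG))
```

MX hostnames returned in the second set never had an address record in the log window, so they need a longer window or a separate lookup before their IPs can be labelled.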