DNS (Domain Name System): the mapping between domain names and IP addresses.
The hosts file stores the correspondence between domain names and IPs; inside a server it is used to point a domain name at an internal IP.
DNS protocol (fields of a resource record):
Domain name: the name this record applies to;
Time to live (TTL): the lifetime of the record, that is, how long at most the record may be cached;
Type: the record type, e.g. A record or CNAME;
Value: for an A record the IP, for a CNAME record the target domain name
DNS resolution process: first ask the local domain name server (localserver, e.g. the one run by China Telecom or China Unicom). If the localserver has no answer, it asks a root server; the root server returns the address of an authoritative server, and the localserver continues by querying that authoritative server. If that server is not the final authority it refers the localserver to another authoritative server (without going back to the root), until the answer is found; the localserver then returns the result to the user.
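The record fields and the TTL above are what a localserver keeps in its cache between the steps of that resolution process. The following is an added example (not code from the original notes) of a minimal cache that honours TTL, distinguishes A and CNAME records, and follows a cached CNAME to its A record; the clock is injectable so the expiry behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass


@dataclass
class Record:
    name: str        # domain name the record applies to
    rtype: str       # "A" or "CNAME"
    value: str       # IP for an A record, target name for a CNAME
    ttl: int         # seconds the record may be cached
    stored_at: float # clock reading when it was cached


class ResolverCache:
    """TTL-honouring cache of the kind a localserver keeps (added example)."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._records = {}           # (name, type) -> Record

    def store(self, name, rtype, value, ttl):
        key = (name.lower(), rtype)
        self._records[key] = Record(name.lower(), rtype, value, ttl, self._clock())

    def get(self, name, rtype):
        """Return the record if still within its TTL, else evict it and return None."""
        key = (name.lower(), rtype)
        rec = self._records.get(key)
        if rec is None:
            return None
        if self._clock() - rec.stored_at >= rec.ttl:
            del self._records[key]   # expired: the localserver must re-query
            return None
        return rec

    def remaining_ttl(self, name, rtype):
        """TTL a cache would hand out to a client: original TTL minus time already spent."""
        rec = self.get(name, rtype)
        if rec is None:
            return 0
        return int(rec.ttl - (self._clock() - rec.stored_at))

    def resolve_a(self, name, max_hops=8):
        """Follow a CNAME chain inside the cache until an A record is found."""
        current = name.lower()
        for _ in range(max_hops):   # bound the walk so a CNAME loop cannot spin forever
            a = self.get(current, "A")
            if a is not None:
                return a.value
            cname = self.get(current, "CNAME")
            if cname is None:
                return None          # cache miss somewhere in the chain
            current = cname.value.lower()
        return None


if __name__ == "__main__":
    # Constructed sample records (documentation-reserved names and addresses).
    cache = ResolverCache()
    cache.store("www.example.com", "CNAME", "edge.example.net", 300)
    cache.store("edge.example.net", "A", "192.0.2.10", 60)
    print(cache.resolve_a("www.example.com"), cache.remaining_ttl("edge.example.net", "A"))
```

Note that the A record and the CNAME pointing at it expire independently; once the shorter-lived A record is gone, the chain yields a miss even though the CNAME is still cached.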
Linux dig command to query an A record: dig www.baidu.com -t A +short
Linux dig command to trace the resolution path: dig www.baidu.com +trace, which queries every domain name server that may be passed through from the root down to the specified domain name.
What's wrong with traditional domain name resolution:
The regional domain name server is responsible for users' resolution requests;
there is no mechanism to ensure that the returned domain name mapping is correct;
the resolution results may come from a rogue domain name server;
the regional domain name server may be hacked and its records maliciously modified;
the user is then directed to a wrong IP address.
The above is DNS hijacking; its purpose is to prevent users from visiting certain specific websites or to guide users to advertising pages.
To verify whether a name has been hijacked: run nslookup www.baidu.com, then check on a whois website whether the returned IP xxx.xxx.xxx.xxx belongs to Baidu.
DNS spoofing
A fake DNS response is used to trick the user who sent the DNS request into believing the fake address it returns, while the real DNS response is thrown away. Specific steps:
The user host sends a DNS request and waits for a response.
If a correct-looking reply packet arrives first (with the same sequence number, i.e. transaction ID, as the DNS request), the host believes it is genuine and discards the reply packet that arrives later.
The key to this DNS spoofing is forging a response packet with a specific sequence number, which is difficult for individuals and easy for backbone network operators.
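The defence on the resolver side is exactly the check the attack has to defeat: the client picks an unpredictable transaction ID for each query and accepts a reply only if its ID, its QR flag and its echoed question section all match the outstanding request; anything else is dropped and the client keeps waiting for the real answer. The code below is an added example, not part of the original notes: a minimal DNS wire-format query builder and response parser with that acceptance check, plus a constructed reply builder used only as a test fixture. Names and addresses are documentation-reserved samples.

```python
import secrets
import struct


def encode_name(name):
    """Encode a domain name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, txid=None):
    """Build an A query; the transaction ID is random unless supplied (tests)."""
    txid = secrets.randbelow(65536) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return txid, header + encode_name(qname) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels).lower(), (end if jumped else offset)


def parse_response(data):
    """Parse header, question and answer sections of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "flags": flags, "questions": questions, "answers": answers}


def accept_response(expected_id, expected_qname, data):
    """Decide whether a received packet may answer our outstanding query."""
    try:
        msg = parse_response(data)
    except (struct.error, IndexError, UnicodeDecodeError):
        return False, "malformed"
    if msg["id"] != expected_id:
        return False, "transaction id mismatch"
    if not msg["flags"] & 0x8000:
        return False, "not a response (QR bit clear)"
    if len(msg["questions"]) != 1 or msg["questions"][0][0] != expected_qname.lower():
        return False, "question section does not echo our query"
    return True, "ok"


def build_answer(txid, qname, ip, ttl=300):
    """Constructed test fixture: a minimal A-record reply (QR=1, RD, RA)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(p) for p in ip.split("."))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata  # name = pointer to question
    return header + question + answer


if __name__ == "__main__":
    txid, query = build_query("www.example.com")
    reply = build_answer(txid, "www.example.com", "192.0.2.10")       # constructed, matching ID
    stray = build_answer((txid + 1) % 65536, "www.example.com", "198.51.100.99")  # mismatched ID
    print(accept_response(txid, "www.example.com", stray), accept_response(txid, "www.example.com", reply))
```

A mismatched ID is dropped silently rather than treated as an error, which is the point of the check: a reply that does not match every attribute of the outstanding request is simply not the answer to it.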
DNS solutions
Use IP addresses directly: the client (Android, iOS) is responsible for the balancing (select a server randomly from a server IP list; the IP list can carry a version number that decides whether it needs updating; each IP can be weighted for strategic balancing, or a certain IP can simply be written into the list twice).
Use HttpDNS over the HTTP protocol: access your own server by IP; that server stores the IP list and returns the IP to interact with. This uses port 80 of HTTP instead of port 53 of DNS and bypasses DNS protocol requests entirely, which solves local DNS hijacking by the operator.
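The two client-side measures above (a versioned, weighted IP list and fetching that list from your own server by IP) fit together in one small component. The following is an added example, not code from the original notes or from any HttpDNS product: the JSON shape, the /iplist path and the server address are assumptions, and the sample replies are constructed. Listing an IP twice is treated as adding up its weight, which is what the notes mean by writing an IP into the list twice.

```python
import http.client
import json
import random
from dataclasses import dataclass, field

# Constructed HttpDNS replies (assumed JSON shape: version + list of ip/weight).
SAMPLE_REPLY_V1 = json.dumps({"version": 1, "ips": [
    {"ip": "203.0.113.10"}, {"ip": "203.0.113.10"}, {"ip": "203.0.113.11"}]})
SAMPLE_REPLY_V2 = json.dumps({"version": 2, "ips": [
    {"ip": "203.0.113.10", "weight": 3}, {"ip": "203.0.113.11", "weight": 1}]})


@dataclass
class IpList:
    """Client-held server list with version-gated updates and weighted selection."""
    version: int = 0
    entries: list = field(default_factory=list)   # [(ip, weight), ...]

    def update_from_json(self, payload):
        """Apply an HttpDNS reply only if its version is newer; return True when applied."""
        doc = json.loads(payload)
        if int(doc["version"]) <= self.version:
            return False                          # stale or replayed list: keep what we have
        merged = {}
        for entry in doc["ips"]:
            weight = int(entry.get("weight", 1))
            if weight > 0:
                merged[entry["ip"]] = merged.get(entry["ip"], 0) + weight  # duplicates add up
        if not merged:
            return False                          # never replace a usable list with an empty one
        self.version = int(doc["version"])
        self.entries = list(merged.items())
        return True

    def pick(self, rng=random, exclude=frozenset()):
        """Weighted random choice, skipping IPs the caller has marked as failed."""
        candidates = [(ip, w) for ip, w in self.entries if ip not in exclude]
        if not candidates:
            return None
        ips, weights = zip(*candidates)
        return rng.choices(ips, weights=weights, k=1)[0]


def fetch_httpdns(server_ip, path="/iplist", host_header="httpdns.example.com", timeout=3):
    """Fetch the list from your own server by IP on port 80 (hypothetical endpoint); not run in tests."""
    conn = http.client.HTTPConnection(server_ip, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        if resp.status != 200:
            return None
        return resp.read().decode("utf-8")
    finally:
        conn.close()


if __name__ == "__main__":
    iplist = IpList()
    iplist.update_from_json(SAMPLE_REPLY_V1)
    iplist.update_from_json(SAMPLE_REPLY_V2)
    print(iplist.version, iplist.entries, iplist.pick())
```

The version gate means a fetch that returns an older list (a cached or replayed reply) cannot roll the client back, and the exclude set lets the client retry on the next weighted choice when a connection to the first IP fails, without waiting for a fresh list.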
Traffic hijacking covers DNS hijacking, CDN hijacking and gateway hijacking.
Best practice: use HttpDNS as much as possible, connect to IPs directly, and monitor.