Abstract |
<p>Disclosed in the present invention is a method for reducing attacks on a DNS, comprising: a local recursive name server receives a first request that carries no certificate and was sent by a resolver, generates a certificate for the first request, and sends the certificate to the resolver at the source IP address of the first request; the local recursive name server then receives the first request resent by the resolver with a certificate carried therein; if it is determined that the first request carries the correct certificate, the server continues to process the first request; if the first request carries the wrong certificate, the server discards the first request. Also disclosed in the present invention are a device and a system for reducing attacks on a DNS. Using the method, device and system of the present invention enables attacks on a DNS to be reduced effectively at the local recursive name server side, thereby preventing large numbers of attacks from entering other recursive name servers or even an authoritative name server. Moreover, the use of the present invention does not alter the existing DNS specification, or changes it only slightly, and has such advantages as simplicity of implementation and low costs.</p> |