Best Practices of HTTPS Services Updated and DNS-free Solution Released
Jul 30 2019
Content
Problem: The goal of Game Shield is to avoid using the DNS, because the DNS may be hijacked and cause business interruption. In the earlier version, HTTPS services used the DNS, which exposed your business to hijacking. For example, a domain that points to 127.0.0.1 may be treated as an abnormal domain by the ISP's local DNS server and fail to resolve, which may make your business unavailable.

Solution: Check whether your network protocol library supports custom DNS resolution. If it does, save the IP address 127.0.0.1 of the domain www-yxd.test.com, which provides the HTTPS service, to a local server. The domain then does not need to be resolved by the ISP's local DNS server, which protects your business against DNS pollution and hijacking attacks. For example, the OkHttp library provides a DNS service interface that lets you specify a custom IP address for the domain www-yxd.test.com, so the domain is not resolved by the ISP's local DNS server.

This solution saves the IP address of a domain to a local server and avoids DNS hijacking attacks by using the DNS interface. It is an easy solution that can be applied in multiple scenarios, for example, scenarios that involve HTTPS certificate verification, cookies, and SNI. For more information, see https://helpcdn.aliyun.com/document_detail/127762.html.
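
The following Java sketch shows one way to use OkHttp's `Dns` interface as described above. It is an added example, not code from Game Shield or the linked documentation. The class name `PinnedDns` and the fallback to the system resolver for other hosts are assumptions, and the request only succeeds if an HTTPS listener for www-yxd.test.com is present on 127.0.0.1.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;

import okhttp3.Dns;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// Hypothetical class: answers lookups for pinned hosts from a local table,
// so the ISP's local DNS server is never asked about them.
public final class PinnedDns implements Dns {
    // Host-to-address table kept on the client; the entry is the one used on this page.
    private static final Map<String, byte[]> PINNED =
            Collections.singletonMap("www-yxd.test.com", new byte[] {127, 0, 0, 1});

    @Override
    public List<InetAddress> lookup(String hostname) throws UnknownHostException {
        byte[] addr = PINNED.get(hostname.toLowerCase(Locale.ROOT));
        if (addr != null) {
            // getByAddress(host, bytes) builds the address without issuing a DNS query.
            return Collections.singletonList(InetAddress.getByAddress(hostname, addr));
        }
        // Assumption: unpinned hosts use the platform resolver. Throw
        // UnknownHostException here instead if every host must be pinned.
        return Dns.SYSTEM.lookup(hostname);
    }

    public static void main(String[] args) throws IOException {
        OkHttpClient client = new OkHttpClient.Builder()
                .dns(new PinnedDns())
                .build();
        // The URL still carries the hostname, so SNI, certificate hostname
        // verification and cookie scoping all continue to use www-yxd.test.com.
        Request request = new Request.Builder()
                .url("https://www-yxd.test.com/")
                .build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println(response.code());
        }
    }
}
```

Because only the address lookup is replaced, certificate validation is unchanged: a listener that cannot present a valid certificate for www-yxd.test.com is still rejected.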