CN107332813A - ACL configuration method, ACL configuration device and server - Google Patents


Info

Publication number
CN107332813A
Authority
CN (China)
Prior art keywords
internet resources, acl, domain name, dns, address list
Legal status
Pending
Application number
CN201610289565.5A
Other languages
Chinese (zh)
Inventors
陈洪国, 张雯, 李志永, 刘广升, 邹文军
Current assignee
Huawei Technologies Co Ltd
Original assignee
Huawei Technologies Co Ltd

Classifications

    • H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 ... for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0876 Aspects of the degree of configuration automation
    • H04L 41/0886 Fully automatic configuration
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/255 Maintenance or indexing of mapping tables
    • H04L 61/45 Network directories; Name-to-address mapping
    • H04L 61/4505 ... using standardised directories; using standardised directory access protocols
    • H04L 61/4511 ... using domain name system [DNS]


Abstract

The invention discloses an ACL configuration method, an ACL configuration device and a server, relating to the communications field. It solves the problem that, when the IP address list corresponding to the domain name of a network resource changes, the ACL list is easily not modified in time, causing ACL control errors. The scheme is as follows: the ACL configuration device obtains a configuration command including the domain name of a network resource; the configuration command is used to obtain the IP address list required to access the network resource corresponding to that domain name, and to control access to the network resource. The device generates a first DNS resolution request message including the domain name of the network resource and sends it to a DNS server, receives from the DNS server a first DNS resolution success message including the domain name of the network resource and a first IP address list corresponding to that domain name, and installs the first IP address list into the ACL list. The invention is used in the process of configuring an ACL list.

Description

ACL configuration method, ACL configuration device and server
Technical field
The present invention relates to the communications field, and in particular to an ACL configuration method, an ACL configuration device and a server.
Background technology
In an enterprise network, communication between information points and communication between the internal and external networks are both essential business needs. To protect the security of the intranet, however, a security policy must ensure that unauthorized users can access only specific network resources, so that access is controlled; and as communication technology develops and network applications deepen, the demand for security monitoring keeps growing. Because access control list (ACL) rules can effectively control network traffic and network access rights, they are increasingly widely used in security monitoring.
In the prior art, when certain users must be allowed to access only, or be prevented from accessing, certain specific network resources, the ACL function can be configured manually on the basis of the Internet Protocol (IP) address list corresponding to the domain names of those network resources. For example, taking websites as the network resources, suppose that the employees of a company must be restricted to accessing the company's own websites. Operations staff can obtain the IP address list corresponding to the domain names of the company's websites and configure that list manually into the ACL list; once the configuration succeeds, company employees can access only the company's websites.
It can be seen that in the prior art the IP address list corresponding to the domain name of a network resource to be controlled is configured into the ACL list manually by operations staff. When that IP address list changes, operations staff must modify the ACL list manually according to the changed list, so modifications are easily made too late and ACL control errors result.
Summary of the invention
The present invention provides an ACL configuration method, an ACL configuration device and a server, which solve the problem that, when the IP address list corresponding to the domain name of a network resource changes, the ACL list is easily not modified in time and ACL control errors result.
To achieve the above purpose, the present invention adopts the following technical scheme:
A first aspect of the present invention provides an ACL configuration method, including:
An ACL configuration device obtains a configuration command including the domain name of a network resource. The configuration command is used to obtain the IP address list required to access the network resource corresponding to that domain name, and to control access to the network resource. After obtaining the configuration command, the ACL configuration device generates a first Domain Name System (DNS) resolution request message including the domain name of the network resource and sends it to a DNS server. On receiving the first DNS resolution request message, the DNS server resolves the domain name of the network resource according to that message; if resolution succeeds, it sends a first DNS resolution success message to the ACL configuration device. The ACL configuration device thus receives from the DNS server a first DNS resolution success message including the domain name of the network resource and a first IP address list, corresponding to that domain name, required to access the network resource; the first IP address list includes at least one IP address. The ACL configuration device then installs the first IP address list into its ACL list, to control access to the network resource.
In the ACL configuration method provided by the present invention, the ACL configuration device obtains a configuration command including the domain name of a network resource, sends to a DNS server a first DNS resolution request message that is generated from the configuration command and includes that domain name, receives from the DNS server a first DNS resolution success message including the domain name and the first IP address list corresponding to it and required to access the network resource, and finally installs the received first IP address list into its ACL list to control the network resource. Because the configuration command causes the IP address list corresponding to the domain name to be configured into the ACL list automatically, the ACL list can be modified promptly according to the changed IP address list whenever that list changes, so that ACL control errors are avoided.
With reference to the first aspect, in one possible implementation the domain name of the network resource may be included in the Uniform Resource Locator (URL) of the network resource. Accordingly, before the ACL configuration device generates the first DNS resolution request message, the ACL configuration method may further include: the ACL configuration device obtains the domain name of the network resource from the URL of the network resource.
With reference to the first aspect and the above implementation, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the first DNS resolution request message, if resolution fails the DNS server may send a first DNS resolution failure message to the ACL configuration device. The ACL configuration method may then further include: the ACL configuration device receives from the DNS server a first DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, from which the ACL configuration device learns that the DNS server failed to resolve the domain name. Alternatively, if resolution fails, the DNS server may not respond to the first DNS resolution request message at all. The ACL configuration method may then further include: the ACL configuration device determines that no reply message from the DNS server has been received within a preset time, from which it likewise learns that the DNS server failed to resolve the domain name of the network resource.
With reference to the first aspect and the above implementations, in another possible implementation, in order to determine in real time whether the IP address list corresponding to the domain name of the network resource has changed, after the ACL configuration device installs the first IP address list into its ACL list the ACL configuration method may further include: the ACL configuration device starts a timer and, when the timer expires, generates a second DNS resolution request message including the domain name of the network resource and sends it to the DNS server. On receiving the second DNS resolution request message, the DNS server resolves the domain name according to it and, if resolution succeeds, sends a second DNS resolution success message to the ACL configuration device. The ACL configuration device thus receives from the DNS server a second DNS resolution success message including the domain name of the network resource and a second IP address list, corresponding to that domain name, required to access the network resource; the second IP address list may include at least one IP address. After receiving the second IP address list, the ACL configuration device may judge whether the second IP address list is identical to the first IP address list. If the second IP address list differs from the first IP address list, the ACL configuration device updates the ACL list according to the second IP address list; if the two lists are identical, the ACL configuration device need not do anything.
With reference to the first aspect and the above implementations, in another possible implementation, the domain name of the network resource may be included in the URL of the network resource. Accordingly, before the ACL configuration device generates the second DNS resolution request message, the ACL configuration method may further include: the ACL configuration device obtains the domain name of the network resource from the URL of the network resource.
With reference to the first aspect and the above implementations, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the second DNS resolution request message, if resolution fails the DNS server may send a second DNS resolution failure message to the ACL configuration device. The ACL configuration method may then further include: the ACL configuration device receives from the DNS server a second DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, from which the ACL configuration device learns that the DNS server failed to resolve the domain name. Alternatively, if resolution fails, the DNS server may not respond to the second DNS resolution request message. The ACL configuration method may then further include: the ACL configuration device determines that no reply message from the DNS server has been received within a preset time, from which it learns that the DNS server failed to resolve the domain name of the network resource.
With reference to the first aspect and the above implementations, in another possible implementation, because the IP address list corresponding to the domain name of the network resource may change after the time-to-live (TTL) of the domain name expires, the ACL configuration method may further include: the ACL configuration device configures the TTL of the domain name of the network resource as the timing period of the timer.
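The first aspect above, as an added example that is not part of the patent: a small Python model of the ACL configuration device in which the DNS server is replaced by an injected resolver. It obtains the domain name from a URL, installs the first IP address list, uses the TTL of the answer as the timer period, re-resolves when the timer expires and updates the ACL list only when the second list differs, and treats a DNS resolution failure message, no reply within the preset time, or an answer for a different name as a failed resolution. The names DnsAnswer, AclConfigDevice and scripted_resolver, the 60 s retry period, and the choice to keep the installed list when a re-resolution fails are assumptions; the patent does not specify them, and the DNS replies in demo() are constructed.

```python
"""Device-side ACL configuration driven by DNS, as in the first aspect.

Added example, not the patent's own code. The resolver is injected so the
logic runs offline; the DNS replies in demo() are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class DnsAnswer:
    """A DNS resolution success message: queried name, addresses, TTL in seconds."""
    name: str
    addresses: List[str]
    ttl: int


class DnsResolutionFailed(Exception):
    """A DNS resolution failure message (for example the name does not exist)."""


class DnsNoReply(Exception):
    """No reply within the preset time (the server stays silent on failure)."""


class AclConfigDevice:
    RETRY_PERIOD = 60  # assumption: retry after 60 s when resolution failed

    def __init__(self, resolver: Callable[[str], DnsAnswer]):
        self.resolver = resolver
        self.acl: Dict[str, FrozenSet[str]] = {}  # domain -> installed IP list
        self.timer_period: Dict[str, int] = {}   # domain -> seconds to next refresh

    @staticmethod
    def domain_from_resource(resource: str) -> str:
        """The configuration command may carry a URL; take the domain from it."""
        host = urlsplit(resource).hostname if "://" in resource else resource
        if not host:
            raise ValueError("no host in %r" % resource)
        return host.lower().rstrip(".")

    def _resolve(self, domain: str) -> Optional[DnsAnswer]:
        """Send a resolution request; None means the device learned of a failure."""
        try:
            answer = self.resolver(domain)
        except (DnsResolutionFailed, DnsNoReply):
            return None  # failure message, or no reply within the preset time
        if answer.name.lower().rstrip(".") != domain:
            return None  # check: accept only an answer for the name we asked about
        return answer

    @staticmethod
    def _ip_list(answer: DnsAnswer) -> FrozenSet[str]:
        # Only syntactically valid addresses go into the ACL; ip_address() rejects junk.
        return frozenset(str(ipaddress.ip_address(a)) for a in answer.addresses)

    def configure(self, resource: str) -> bool:
        """Configuration command: first resolution, then install into the ACL list."""
        domain = self.domain_from_resource(resource)
        answer = self._resolve(domain)
        if answer is None:
            self.timer_period[domain] = self.RETRY_PERIOD
            return False
        self.acl[domain] = self._ip_list(answer)
        self.timer_period[domain] = answer.ttl  # the TTL becomes the timer period
        return True

    def on_timer_expiry(self, domain: str) -> str:
        """Second resolution: compare with the installed list, update only on change."""
        answer = self._resolve(domain)
        if answer is None:
            self.timer_period[domain] = self.RETRY_PERIOD  # keep installed list (assumption)
            return "failed"
        new_list = self._ip_list(answer)
        self.timer_period[domain] = answer.ttl
        if new_list == self.acl.get(domain):
            return "unchanged"
        self.acl[domain] = new_list
        return "updated"


def scripted_resolver(script: Dict[str, list]) -> Callable[[str], DnsAnswer]:
    """Constructed stand-in for the DNS server: replies in order, repeating the
    last entry; an exception instance in the script is raised instead."""
    def resolve(name: str) -> DnsAnswer:
        replies = script.get(name)
        if not replies:
            raise DnsResolutionFailed(name)
        reply = replies.pop(0) if len(replies) > 1 else replies[0]
        if isinstance(reply, Exception):
            raise reply
        return reply
    return resolve


def demo() -> AclConfigDevice:
    dev = AclConfigDevice(scripted_resolver({
        "www.example.com": [
            DnsAnswer("www.example.com", ["192.0.2.10", "192.0.2.11"], 300),
            DnsAnswer("www.example.com", ["192.0.2.10", "192.0.2.12"], 120),
        ],
        "silent.example": [DnsNoReply("silent.example")],
    }))
    dev.configure("http://www.example.com/index.html")  # first resolution -> True
    dev.on_timer_expiry("www.example.com")              # list changed    -> "updated"
    dev.on_timer_expiry("www.example.com")              # same list       -> "unchanged"
    dev.configure("silent.example")                     # no reply        -> False
    return dev
```

The comparison is done on sets of normalised addresses, so a reordered answer does not count as a change, and the name check in _resolve rejects a reply for a different name rather than installing it.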
A second aspect of the present invention provides an ACL configuration method, including:
When a network resource needs to be controlled, the ACL configuration device may send to the DNS server a first DNS resolution request message including the domain name of the network resource. The DNS server receives the first DNS resolution request message, including the domain name of the network resource, sent by the ACL configuration device, resolves the domain name contained in it and judges whether resolution of the domain name succeeded. If resolution succeeded, the DNS server sends to the ACL configuration device a first DNS resolution success message including the domain name of the network resource and the first IP address list, obtained by resolution, corresponding to that domain name and required to access the network resource; the first IP address list includes at least one IP address. The ACL configuration device then controls the network resource according to the first DNS resolution success message.
In the ACL configuration method provided by the present invention, the DNS server receives the first DNS resolution request message, including the domain name of a network resource, sent by the ACL configuration device, resolves the domain name contained in it and, on success, sends to the ACL configuration device a first DNS resolution success message including the domain name and the first IP address list, obtained by resolution, corresponding to that domain name and required to access the network resource, so that the ACL configuration device installs the received first IP address list into its ACL list to control the network resource. By sending the ACL configuration device a DNS resolution success message carrying the domain name and the IP address list obtained by resolution, the DNS server enables the ACL configuration device to configure the IP address list corresponding to the domain name into the ACL list automatically, which ensures that whenever that IP address list changes, the ACL list can be modified promptly according to the changed list, so that ACL control errors are avoided.
With reference to the second aspect, in one possible implementation the ACL configuration method may further include: if the DNS server fails to resolve the domain name of the network resource, it sends to the ACL configuration device a first DNS resolution failure message notifying the ACL configuration device of the failure. Alternatively, if the DNS server fails to resolve the domain name, it does not respond to the first DNS resolution request message.
With reference to the second aspect and the above implementation, in another possible implementation, in order to determine in real time whether the IP address list corresponding to the domain name of the network resource has changed, the ACL configuration device may start a timer and, when the timer expires, send to the DNS server a second DNS resolution request message including the domain name of the network resource. Accordingly, the ACL configuration method may further include: the DNS server receives the second DNS resolution request message, including the domain name of the network resource, sent by the ACL configuration device, resolves the domain name contained in it and judges whether resolution succeeded. If resolution succeeded, the DNS server sends to the ACL configuration device a second DNS resolution success message including the domain name of the network resource and the second IP address list, obtained by resolution, corresponding to that domain name and required to access the network resource, the second IP address list including at least one IP address, so that the ACL configuration device can determine, from the second IP address list in the second DNS resolution success message and the first IP address list, whether the IP address list corresponding to the domain name has changed.
With reference to the second aspect and the above implementations, in another possible implementation, the ACL configuration method may further include: if the DNS server fails to resolve the domain name of the network resource, it sends to the ACL configuration device a second DNS resolution failure message notifying the ACL configuration device of the failure. Alternatively, if the DNS server fails to resolve the domain name, it does not respond to the second DNS resolution request message.
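The request and reply messages of the second aspect, as an added example that is not part of the patent: the DNS resolution request, success and failure messages in RFC 1035 wire format, with build_query() standing in for the ACL configuration device, build_response() for the DNS server, and parse_response() for the device reading the IP address list and TTL out of a success message or recognising a failure message by its RCODE. The ZONE data and the transaction id are constructed, and the check that the reply's id and question section match the request we sent is an added check, not something the patent specifies.

```python
"""DNS request/response exchange of the second aspect in wire format (RFC 1035).

Added example, not the patent's own code: build_query() plays the ACL
configuration device, build_response() plays the DNS server, and
parse_response() shows how the device takes the IP address list and TTL
from a success message or recognises a failure message by its RCODE.
All packets are constructed in memory; nothing is sent on the network.
"""
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
HEADER = struct.Struct("!HHHHHH")  # id, flags, qdcount, ancount, nscount, arcount


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (end if jumped else off)


def build_query(txid: int, name: str) -> bytes:
    """A DNS resolution request message: one A question, recursion desired."""
    return HEADER.pack(txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(query: bytes, zone: Dict[str, Tuple[List[str], int]]) -> bytes:
    """DNS server side: a success message with A records and TTL, or a failure
    message (RCODE NXDOMAIN) when the name is not in the constructed zone."""
    txid = HEADER.unpack(query[:12])[0]
    qname, qend = decode_name(query, 12)
    question = query[12:qend + 4]  # name + qtype + qclass, echoed back
    if qname not in zone:
        return HEADER.pack(txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0) + question
    addrs, ttl = zone[qname]
    answers = b""
    for a in addrs:
        rdata = bytes(int(x) for x in a.split("."))
        answers += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    return HEADER.pack(txid, 0x8180 | RCODE_NOERROR, 1, len(addrs), 0, 0) + question + answers


def parse_response(resp: bytes, txid: int, name: str) -> Optional[Tuple[List[str], int]]:
    """Device side: (sorted IP list, minimum TTL) on success, None on a failure
    message; ValueError if the reply does not belong to the request we sent."""
    rid, flags, qd, an, _, _ = HEADER.unpack(resp[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("reply id/flags do not match our request")
    off = 12
    for _ in range(qd):
        qname, off = decode_name(resp, off)
        off += 4
        if qname != name.lower().rstrip("."):
            raise ValueError("reply is for another name: %s" % qname)
    if flags & 0x000F != RCODE_NOERROR:
        return None
    ips, ttls = [], []
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            ips.append(".".join(str(b) for b in rdata))
            ttls.append(ttl)
    return (sorted(ips), min(ttls)) if ips else None


ZONE = {"www.example.com": (["192.0.2.11", "192.0.2.10"], 300)}  # constructed data


def exchange(name: str, txid: int = 0x1234) -> Optional[Tuple[List[str], int]]:
    """One full round trip between the device and the server."""
    return parse_response(build_response(build_query(txid, name), ZONE), txid, name)
```

parse_response() returns the smallest TTL among the A records rather than any single one, because an answer set can carry different TTLs and the timer period of the later implementations should not outlive the shortest of them.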
A third aspect of the present invention provides an ACL configuration method, including:
A network management server obtains a configuration command including the domain name of a network resource. The configuration command is used to obtain the IP address list required to access the network resource corresponding to that domain name, and to control access to the network resource. After obtaining the configuration command, the network management server generates a first DNS resolution request message including the domain name of the network resource and sends it to a DNS server. On receiving the first DNS resolution request message, the DNS server resolves the domain name of the network resource according to it; if resolution succeeds, it sends a first DNS resolution success message to the network management server, which thus receives from the DNS server a first DNS resolution success message including the domain name of the network resource and the first IP address list, corresponding to that domain name, required to access the network resource; the first IP address list includes at least one IP address. The network management server sends the first IP address list to the ACL configuration device, so that the ACL configuration device installs the first IP address list into its ACL list to control the network resource.
In the ACL configuration method provided by the present invention, the network management server obtains a configuration command including the domain name of a network resource, sends to a DNS server a first DNS resolution request message that is generated from the configuration command and includes that domain name, receives from the DNS server a first DNS resolution success message including the domain name and the first IP address list corresponding to it and required to access the network resource, and finally sends the received first IP address list to the ACL configuration device, which installs it into the ACL list to control the network resource. The configuration command thus causes the IP address list corresponding to the domain name to be obtained automatically, and sending that list to the ACL configuration device allows the device to configure it into the ACL list automatically, which ensures that whenever the IP address list corresponding to the domain name changes, the ACL list can be modified promptly according to the changed list, so that ACL control errors are avoided.
With reference to the third aspect, in one possible implementation the domain name of the network resource may be included in the URL of the network resource. Accordingly, before the network management server generates the first DNS resolution request message, the ACL configuration method may further include: the network management server obtains the domain name of the network resource from the URL of the network resource.
With reference to the third aspect and the above implementation, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the first DNS resolution request message, if resolution fails the DNS server may send a first DNS resolution failure message to the network management server. The ACL configuration method may then further include: the network management server receives from the DNS server a first DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, and forwards the first DNS resolution failure message to the ACL configuration device, so that the ACL configuration device learns that the DNS server failed to resolve the domain name. Alternatively, if resolution fails, the DNS server may not respond to the first DNS resolution request message. The ACL configuration method may then further include: the network management server determines that no reply message from the DNS server has been received within a preset time, and sends to the ACL configuration device a reply message notifying it that resolution of the domain name failed, so that the ACL configuration device learns that the DNS server failed to resolve the domain name of the network resource.
With reference to the third aspect and the above implementations, in another possible implementation, in order to determine in real time whether the IP address list corresponding to the domain name of the network resource has changed, after the network management server sends the first IP address list to the ACL configuration device the ACL configuration method may further include: the network management server starts a timer and, when the timer expires, generates a second DNS resolution request message including the domain name of the network resource and sends it to the DNS server. On receiving the second DNS resolution request message, the DNS server resolves the domain name according to it and, if resolution succeeds, sends a second DNS resolution success message to the network management server, which thus receives from the DNS server a second DNS resolution success message including the domain name of the network resource and the second IP address list, corresponding to that domain name, required to access the network resource; the second IP address list may include at least one IP address. After receiving the second IP address list, the network management server may judge whether the second IP address list is identical to the first IP address list. If the second IP address list differs from the first IP address list, the network management server sends the second IP address list to the ACL configuration device, so that the ACL configuration device updates the ACL list according to the second IP address list. If the second IP address list is identical to the first IP address list, the network management server need not do anything.
With reference to the third aspect and the above implementations, in another possible implementation, the domain name of the network resource may be included in the URL of the network resource. Accordingly, before the network management server generates the second DNS resolution request message, the ACL configuration method may further include: the network management server obtains the domain name of the network resource from the URL of the network resource.
With reference to the third aspect and the above implementations, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the second DNS resolution request message, if resolution fails the DNS server may send a second DNS resolution failure message to the network management server. The ACL configuration method may then further include: the network management server receives from the DNS server a second DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, and forwards the second DNS resolution failure message to the ACL configuration device, so that the ACL configuration device learns that the DNS server failed to resolve the domain name. Alternatively, if resolution fails, the DNS server may not respond to the second DNS resolution request message. The ACL configuration method may then further include: the network management server determines that no reply message from the DNS server has been received within a preset time, and sends to the ACL configuration device a reply message notifying it that resolution of the domain name failed, so that the ACL configuration device learns that the DNS server failed to resolve the domain name of the network resource.
With reference to the third aspect and the above implementations, in another possible implementation, because the IP address list corresponding to the domain name of the network resource may change after the TTL of the domain name expires, the ACL configuration method may further include: the network management server configures the TTL of the domain name of the network resource as the timing period of the timer.
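The network management server of the third aspect, as an added example that is not part of the patent: the server resolves the domain name, compares the result with the list it last sent to the ACL configuration device, and sends rules only when the two lists differ, so that an identical second list causes no traffic to the device. What it adds beyond the text is the shape of the update: only the difference between the two lists is sent, and additions are applied before removals so the ACL list never passes through a state that lacks an address that is still valid. The names NetworkManagementServer and plan_rules, the rule syntax and the push callback are assumptions; the resolver replies in demo() are constructed.

```python
"""Network management server role of the third aspect: resolve the domain name,
compare with the list previously sent to the ACL configuration device, and push
an update only when the list changed. Added example, not the patent's own code.
The rule syntax and the push transport are assumptions; resolver replies are
constructed.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

ResolveResult = Optional[Tuple[List[str], int]]  # (addresses, ttl) or None on failure


@dataclass(frozen=True)
class AclUpdate:
    domain: str
    added: FrozenSet[str]
    removed: FrozenSet[str]
    rules: Tuple[str, ...]


def plan_rules(domain: str, old: FrozenSet[str], new: FrozenSet[str],
               action: str = "permit") -> Tuple[str, ...]:
    """Hypothetical device syntax. Additions come before removals, so the ACL
    never passes through a state that lacks an address that is still valid."""
    added, removed = sorted(new - old), sorted(old - new)
    rules = ["%s %s  # %s" % (action, ip, domain) for ip in added]
    rules += ["undo %s %s  # %s" % (action, ip, domain) for ip in removed]
    return tuple(rules)


class NetworkManagementServer:
    def __init__(self, resolver: Callable[[str], ResolveResult],
                 push: Callable[[str, Tuple[str, ...]], None]):
        self.resolver = resolver
        self.push = push                           # delivers rules to the ACL device
        self.sent: Dict[str, FrozenSet[str]] = {}  # domain -> list last sent to the device
        self.timer_period: Dict[str, int] = {}
        self.failures: List[str] = []              # failure notices owed to the device

    def sync(self, domain: str) -> Optional[AclUpdate]:
        """Used both for the first resolution and for every timer expiry."""
        result = self.resolver(domain)
        if result is None:
            self.failures.append(domain)  # the device is told resolution failed
            return None
        addresses, ttl = result
        self.timer_period[domain] = ttl   # the TTL becomes the timer period
        new = frozenset(addresses)
        old = self.sent.get(domain, frozenset())
        if new == old:
            return None                   # identical lists: nothing is sent
        update = AclUpdate(domain, new - old, old - new, plan_rules(domain, old, new))
        self.push(domain, update.rules)
        self.sent[domain] = new
        return update


def demo() -> Tuple[NetworkManagementServer, List[Tuple[str, Tuple[str, ...]]]]:
    """Constructed scenario: two resolutions, the second with one address replaced."""
    replies = {"www.example.com": [(["192.0.2.10", "192.0.2.11"], 300),
                                   (["192.0.2.10", "192.0.2.12"], 120)]}

    def resolver(name: str) -> ResolveResult:
        queue = replies.get(name)
        if not queue:
            return None
        return queue.pop(0) if len(queue) > 1 else queue[0]

    received: List[Tuple[str, Tuple[str, ...]]] = []
    nms = NetworkManagementServer(resolver, lambda d, r: received.append((d, r)))
    nms.sync("www.example.com")   # first list -> two permit rules pushed
    nms.sync("www.example.com")   # changed    -> one addition, one removal pushed
    nms.sync("www.example.com")   # unchanged  -> nothing pushed
    nms.sync("nope.example")      # failure    -> recorded, nothing pushed
    return nms, received
```

The server keeps the last list it sent rather than re-reading the device, so a push that is lost in transit would leave the two out of step; a real deployment would confirm the push or re-send the full list periodically, which the patent text does not address.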
According to a fourth aspect, the present invention provides an ACL configuration device, including: an acquiring unit, a generating unit, a sending unit, a receiving unit, and a delivering unit;
the acquiring unit is configured to obtain a configuration command, where the configuration command is used to obtain the Internet Protocol (IP) address list, corresponding to the domain name of a network resource, that is needed to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource;
the generating unit is configured to generate a first domain name system (DNS) resolution request message, where the first DNS resolution request message includes the domain name of the network resource contained in the configuration command obtained by the acquiring unit;
the sending unit is configured to send the first DNS resolution request message generated by the generating unit to a DNS server;
the receiving unit is configured to receive a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, and the first IP address list includes at least one IP address;
the delivering unit is configured to deliver the first IP address list included in the first DNS resolution success message received by the receiving unit into the ACL list of the ACL configuration device, so as to control the network resource.
For a specific implementation, reference may be made to the behaviour and functions of the ACL configuration device in the ACL configuration method provided by the first aspect or by the possible implementations of the first aspect.
According to a fifth aspect, the present invention provides an ACL configuration device, including: an ACL module, a domain name system (DNS) module, and a ternary content addressable memory (TCAM) module;
the ACL module is configured to obtain a configuration command, where the configuration command is used to obtain the IP address list, corresponding to the domain name of a network resource, that is needed to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource; the ACL module carries the domain name of the network resource in an IP address resolution message and transfers it to the DNS module;
the DNS module is configured to generate a first DNS resolution request message that includes the domain name of the network resource, send the first DNS resolution request message to a DNS server, and receive a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, the first IP address list including at least one IP address; the DNS module transfers the first IP address list to the ACL module;
the ACL module is further configured to deliver the first IP address list into the ACL list of the TCAM module, so as to control the network resource.
For a specific implementation, reference may be made to the behaviour and functions of the ACL configuration device in the ACL configuration method provided by the first aspect or by the possible implementations of the first aspect.
According to a sixth aspect, the present invention provides a DNS server, including: a receiving unit, a resolution unit, a judging unit, and a sending unit;
the receiving unit is configured to receive a first DNS resolution request message sent by an ACL configuration device, where the first DNS resolution request message includes the domain name of a network resource;
the resolution unit is configured to resolve the domain name of the network resource included in the first DNS resolution request message received by the receiving unit;
the judging unit is configured to judge whether the resolution unit has successfully resolved the domain name of the network resource;
the sending unit is configured to, if the judging unit determines that the resolution unit has successfully resolved the domain name of the network resource, send a first DNS resolution success message to the ACL configuration device, where the first DNS resolution success message includes the domain name of the network resource and the resolved first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, and the first IP address list includes at least one IP address.
For a specific implementation, reference may be made to the behaviour and functions of the DNS server in the ACL configuration method provided by the second aspect or by the possible implementations of the second aspect.
According to a seventh aspect, the present invention provides a network management server, including: an acquiring unit, a generating unit, a sending unit, and a receiving unit;
the acquiring unit is configured to obtain a configuration command, where the configuration command is used to obtain the IP address list, corresponding to the domain name of a network resource, that is needed to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource;
the generating unit is configured to generate a first domain name system (DNS) resolution request message, where the first DNS resolution request message includes the domain name of the network resource;
the sending unit is configured to send the first DNS resolution request message generated by the generating unit to a DNS server;
the receiving unit is configured to receive a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, and the first IP address list includes at least one IP address;
the sending unit is further configured to send the first IP address list included in the first DNS resolution success message received by the receiving unit to an ACL configuration device, so that the ACL configuration device delivers the first IP address list into the ACL list of the ACL configuration device, so as to control the network resource.
For a specific implementation, reference may be made to the behaviour and functions of the network management server in the ACL configuration method provided by the third aspect or by the possible implementations of the third aspect.
According to an eighth aspect, the present invention provides an ACL configuration device, including: at least one processor, a memory, at least one communication interface, and a communication bus;
the memory is configured to store instructions;
the processor is configured to perform the ACL configuration method provided by the first aspect or by the possible implementations of the first aspect, so as to implement the functions of the acquiring unit, the generating unit, and the delivering unit of the fourth aspect;
the communication interface is configured to perform the ACL configuration method provided by the first aspect or by the possible implementations of the first aspect, so as to implement the functions of the sending unit and the receiving unit of the fourth aspect.
According to a ninth aspect, the present invention provides a DNS server, including: at least one processor, a memory, at least one communication interface, and a communication bus;
the memory is configured to store instructions;
the processor is configured to perform the ACL configuration method provided by the second aspect or by the possible implementations of the second aspect, so as to implement the functions of the resolution unit and the judging unit of the sixth aspect;
the communication interface is configured to perform the ACL configuration method provided by the second aspect or by the possible implementations of the second aspect, so as to implement the functions of the sending unit and the receiving unit of the sixth aspect.
According to a tenth aspect, the present invention provides a network management server, including: at least one processor, a memory, at least one communication interface, and a communication bus;
the memory is configured to store instructions;
the processor is configured to perform the ACL configuration method provided by the third aspect or by the possible implementations of the third aspect, so as to implement the functions of the acquiring unit and the generating unit of the seventh aspect;
the communication interface is configured to perform the ACL configuration method provided by the third aspect or by the possible implementations of the third aspect, so as to implement the functions of the sending unit and the receiving unit of the seventh aspect.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the accompanying drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings in the following description show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
Fig. 1 is a simplified schematic diagram of a system architecture to which the present invention may be applied, according to an embodiment of the present invention;
Fig. 2 is a simplified schematic diagram of another system architecture to which the present invention may be applied, according to an embodiment of the present invention;
Fig. 3 is a flowchart of an ACL configuration method according to an embodiment of the present invention;
Fig. 4 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
Fig. 5 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
Fig. 6 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
Fig. 7 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of an ACL configuration device according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of another ACL configuration device according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another ACL configuration device according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of a DNS server according to an embodiment of the present invention;
Fig. 12 is a schematic structural diagram of a network management server according to an embodiment of the present invention;
Fig. 13 is a hardware structural diagram of an ACL configuration device according to an embodiment of the present invention;
Fig. 14 is a hardware structural diagram of a DNS server according to an embodiment of the present invention;
Fig. 15 is a hardware structural diagram of a network management server according to an embodiment of the present invention.
Embodiments
The technical solutions in the embodiments of the present invention are described below clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the protection scope of the present invention.
In the prior art, when a network resource needs to be controlled, operating personnel manually configure the IP address list corresponding to the domain name of the network resource in the ACL list. When that IP address list changes, operating personnel again have to modify the ACL list manually according to the changed IP address list. As a result the ACL list is easily modified too late, which causes an ACL control error.
For example, taking a website as the network resource, assume that the employees of a company are to be restricted to accessing only the website inside the company. Operating personnel obtain the IP address list corresponding to the domain name of the internal website and manually configure that list in the ACL list; after the configuration succeeds, the company's employees can access only the internal website. If the IP address list corresponding to the domain name of the internal website changes, operating personnel must manually modify the ACL list according to the changed IP address list. If operating personnel fail to modify the ACL list in time, however, the employees can no longer access the internal website, which is an ACL control error.
To avoid ACL control errors caused by modifying the ACL list too late, the present invention provides an ACL configuration method whose basic principle is as follows. When a network resource needs to be controlled, the ACL configuration device obtains a configuration command that includes the domain name of the network resource, generates a first DNS resolution request message that includes the domain name of the network resource, and sends the first DNS resolution request message to the DNS server so that the DNS server responds. After the DNS server successfully resolves the domain name of the network resource according to the first DNS resolution request message, the ACL configuration device receives from the DNS server a first DNS resolution success message that includes the domain name of the network resource and the first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, and delivers the first IP address list included in the received first DNS resolution success message into the ACL list of the ACL configuration device, so as to control the network resource. In this way the configuration command causes the IP address list corresponding to the domain name of the network resource to be configured in the ACL list automatically, so that when the IP address list corresponding to the domain name of the network resource changes, the ACL list can be modified in time according to the changed IP address list, and the problem of ACL control errors is avoided.
It should be noted that the IP addresses included in the first IP address list and the second IP address list described in the present invention may be IP addresses constructed according to Internet Protocol version 4 (IPv4) or IP addresses constructed according to the next-generation Internet Protocol version 6 (IPv6); the present invention places no particular limitation on this.
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Fig. 1 is a simplified schematic diagram of a system architecture to which the present invention may be applied. As shown in Fig. 1, the system architecture may include an ACL configuration device 101, a terminal 102, and a DNS server 103.
The ACL configuration device 101 is used to configure the ACL function so as to control access to network resources.
In the embodiments of the present invention, the ACL configuration device 101 may be any device that has an ACL configuration function, for example a switch or a router. In a specific implementation, as one embodiment, the ACL configuration device 101 shown in Fig. 1 is a router.
A user accesses network resources in the network through the terminal 102. The terminal 102 may be a mobile phone, a desktop computer, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA), or the like. In a specific implementation, as one embodiment, the terminal 102 shown in Fig. 1 is a notebook computer.
The DNS server 103 is a server that stores the domain names of all network resources in the network together with the IP address lists corresponding to those domain names, and that has the function of resolving the domain name of a network resource to obtain the IP addresses corresponding to that domain name.
Further, as shown in Fig. 2, the system architecture may also include a network management server 104.
The network management server 104 is a server used to configure, manage, and monitor the ACL configuration device 101, among other operations.
Fig. 3 is a flowchart of an ACL configuration method according to an embodiment of the present invention. As shown in Fig. 3, the method may include the following steps.
201. The ACL configuration device obtains a configuration command.
The configuration command includes the domain name of a network resource. Specifically, operating personnel may add a new configuration command to the ACL configuration device; this configuration command is used to obtain the IP address list, corresponding to the domain name of the network resource to be controlled, that is needed to access the network resource, and to control the network resource. Thus, when a network resource needs to be controlled, operating personnel enter into the ACL configuration device the configuration command that includes the domain name of the network resource, and the ACL configuration device thereby obtains the configuration command that includes the domain name of the network resource. The domain name of the network resource is unique in the network.
In addition, in the embodiments of the present invention, operating personnel may also enter the configuration command into a device connected to the ACL configuration device, and that device forwards the configuration command to the ACL configuration device; the ACL configuration device thereby obtains the configuration command as well.
202. The ACL configuration device generates a first DNS resolution request message.
The first DNS resolution request message includes the domain name of the network resource. After obtaining the configuration command that includes the domain name of the network resource, the ACL configuration device generates a first DNS resolution request message that includes the domain name of the network resource.
203. The ACL configuration device sends the first DNS resolution request message to the DNS server.
After generating the first DNS resolution request message, the ACL configuration device sends the generated first DNS resolution request message, which includes the domain name of the network resource, to the DNS server. The DNS server then resolves the domain name of the network resource according to the received first DNS resolution request message and the correspondence, stored in advance, between domain names of network resources and IP address lists, obtains the first IP address list corresponding to the domain name of the network resource, carries the obtained first IP address list together with the domain name of the network resource in a first DNS resolution success message, and sends that message to the ACL configuration device.
204. The ACL configuration device receives the first DNS resolution success message from the DNS server.
The first DNS resolution success message includes the domain name of the network resource and the first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource; the first IP address list includes at least one IP address.
205. The ACL configuration device delivers the first IP address list into the ACL list of the ACL configuration device, so as to control the network resource.
After receiving from the DNS server the first DNS resolution success message that includes the domain name of the network resource and the first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, the ACL configuration device delivers the first IP address list into the ACL list of the ACL configuration device. At this point the ACL function is successfully configured, that is, control over the network resource is achieved.
In the ACL configuration method provided by the present invention, the ACL configuration device obtains a configuration command that includes the domain name of a network resource, sends to the DNS server a first DNS resolution request message, generated according to the configuration command, that includes the domain name of the network resource, receives from the DNS server a first DNS resolution success message that includes the domain name of the network resource and the first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, and finally delivers the received first IP address list into the ACL list of the ACL configuration device, so as to control the network resource. The configuration command causes the IP address list corresponding to the domain name of the network resource to be configured in the ACL list automatically, which ensures that when the IP address list corresponding to the domain name of the network resource changes, the ACL list can be modified in time according to the changed IP address list, so that the problem of ACL control errors is avoided.
Fig. 4 is a flowchart of another ACL configuration method according to an embodiment of the present invention. As shown in Fig. 4, the method may include the following steps.
301. The DNS server receives a first DNS resolution request message sent by the ACL configuration device.
The first DNS resolution request message includes the domain name of a network resource. When a network resource needs to be controlled, the ACL configuration device sends to the DNS server a first DNS resolution request message that includes the domain name of the network resource, and the DNS server thereby receives the first DNS resolution request message, including the domain name of the network resource, sent by the ACL configuration device.
302. The DNS server resolves the domain name of the network resource included in the first DNS resolution request message.
303. The DNS server judges whether the resolution succeeded.
After receiving the first DNS resolution request message, the DNS server resolves the domain name of the network resource included in the received first DNS resolution request message and judges whether the resolution of the domain name of the network resource succeeded.
304. If the resolution succeeded, the DNS server sends a first DNS resolution success message to the ACL configuration device.
The first DNS resolution success message includes the domain name of the network resource and the resolved first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource; the first IP address list includes at least one IP address. If the domain name of the network resource is resolved successfully, the DNS server sends to the ACL configuration device a first DNS resolution success message that includes the domain name of the network resource and the resolved first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, so that the ACL configuration device achieves control over the network resource according to the first DNS resolution success message.
In the ACL configuration method provided by the present invention, the DNS server receives a first DNS resolution request message, sent by the ACL configuration device, that includes the domain name of a network resource, resolves the domain name of the network resource included in the received first DNS resolution request message, and, when the resolution succeeds, sends to the ACL configuration device a first DNS resolution success message that includes the domain name of the network resource and the resolved first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, so that the ACL configuration device delivers the received first IP address list into the ACL list of the ACL configuration device and thereby controls the network resource. By sending to the ACL configuration device a DNS resolution success message that includes the domain name of the network resource and the resolved IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, the DNS server enables the ACL configuration device to configure the IP address list corresponding to the domain name of the network resource in the ACL list automatically. This ensures that when the IP address list corresponding to the domain name of the network resource changes, the ACL list can be modified in time according to the changed IP address list, so that the problem of ACL control errors is avoided.
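The exchange of Fig. 3 (steps 201 to 205, ACL configuration device side) and Fig. 4 (steps 301 to 304, DNS server side), together with the TTL-driven re-resolution and the resolution-failure handling described in the summary above, simulated in one process. This is an added example written for this page, not code from the patent or from its assignee; the message classes, the zone table, the domain names and the IP addresses are all constructed for illustration, and a real device would exchange DNS packets over the network rather than call the server directly.

```python
"""Added example (not from the patent): ACL configuration device and DNS server
exchange, simulated in-process, including TTL-timed refresh and failure handling."""
from dataclasses import dataclass


@dataclass
class DnsRequest:            # "first DNS resolution request message"
    domain: str


@dataclass
class DnsSuccess:            # "first DNS resolution success message"
    domain: str
    ip_list: list            # "first IP address list": at least one IP address
    ttl: int                 # seconds; the device uses it as its timer period


@dataclass
class DnsFailure:            # "DNS resolution failure message"
    domain: str


# Constructed zone data standing in for the DNS server's stored correspondence
# between domain names and IP address lists (hypothetical names and addresses).
ZONE = {
    "intranet.example.test": (300, ["10.0.0.10", "10.0.0.11"]),
    "portal.example.test": (60, ["10.0.1.5"]),
}


class DnsServer:
    def __init__(self, zone):
        self.zone = dict(zone)   # copy, so the caller's table is not mutated

    def handle(self, req: DnsRequest):
        """Steps 301-304: receive the request, resolve, judge success, reply."""
        entry = self.zone.get(req.domain.lower().rstrip("."))
        if entry is None or not entry[1]:
            return DnsFailure(req.domain)        # resolution failed
        ttl, ips = entry
        return DnsSuccess(req.domain, list(ips), ttl)


class AclDevice:
    def __init__(self, dns: DnsServer):
        self.dns = dns
        self.acl_list = {}       # domain -> IP list currently installed
        self.refresh_due = {}    # domain -> time at which its TTL expires

    def configure(self, domain: str, now: float) -> bool:
        """Steps 201-205: generate the request, send it, receive the reply, install."""
        reply = self.dns.handle(DnsRequest(domain))          # steps 202-204
        if isinstance(reply, DnsFailure):
            # Resolution failed: leave the ACL list untouched and report the
            # failure instead of installing an empty or stale entry.
            return False
        # Step 205: the whole list replaces what was installed before, so
        # addresses that dropped out of the list are removed as well.
        self.acl_list[reply.domain] = reply.ip_list
        self.refresh_due[reply.domain] = now + reply.ttl
        return True

    def tick(self, now: float) -> list:
        """Timer whose period is the TTL: re-resolve domains whose TTL has expired.
        A domain whose refresh fails keeps its old entries and is retried next tick."""
        refreshed = []
        for domain, due in list(self.refresh_due.items()):
            if now >= due and self.configure(domain, now):
                refreshed.append(domain)
        return refreshed


def demo() -> dict:
    """Walk through a successful configuration, a failed one, and a TTL refresh
    after the address list changed on the server side."""
    server = DnsServer(ZONE)
    dev = AclDevice(server)
    ok = dev.configure("intranet.example.test", now=0)
    bad = dev.configure("missing.example.test", now=0)
    before = list(dev.acl_list["intranet.example.test"])
    # The address list changes at the DNS side; the ACL follows at TTL expiry.
    server.zone["intranet.example.test"] = (300, ["10.0.0.12"])
    refreshed = dev.tick(now=300)
    return {"ok": ok, "bad": bad, "before": before,
            "after": dev.acl_list["intranet.example.test"], "refreshed": refreshed}


if __name__ == "__main__":
    print(demo())
```

Replacing the whole list on every refresh, rather than appending, is what keeps the ACL from accumulating addresses that the domain no longer resolves to; leaving the list untouched on failure is what keeps a transient DNS outage from silently opening or closing access.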
Fig. 5 is a flowchart of another ACL configuration method according to an embodiment of the present invention. As shown in Fig. 5, the method may include the following steps.
401. The network management server obtains a configuration command.
Operating personnel may add a new configuration command to the network management server; this configuration command is used to obtain the IP address list, corresponding to the domain name of the network resource to be controlled, that is needed to access the network resource, and to control the network resource. Thus, when a network resource needs to be controlled, operating personnel enter into the network management server the configuration command that includes the domain name of the network resource, and the network management server thereby obtains the configuration command that includes the domain name of the network resource.
In addition, in the embodiments of the present invention, operating personnel may also enter the configuration command into a device connected to the network management server, and that device forwards the configuration command to the network management server; the network management server thereby obtains the configuration command as well.
402. The network management server generates a first DNS resolution request message.
The first DNS resolution request message includes the domain name of the network resource. After obtaining the configuration command that includes the domain name of the network resource, the network management server generates a first DNS resolution request message that includes the domain name of the network resource.
403. The network management server sends the first DNS resolution request message to the DNS server.
After generating the first DNS resolution request message, the network management server sends the generated first DNS resolution request message, which includes the domain name of the network resource, to the DNS server. The DNS server then resolves the domain name of the network resource according to the received first DNS resolution request message and the correspondence, stored in advance, between domain names of network resources and IP address lists, obtains the first IP address list corresponding to the domain name of the network resource, carries the obtained first IP address list together with the domain name of the network resource in a first DNS resolution success message, and sends that message to the network management server.
404. The network management server receives the first DNS resolution success message from the DNS server.
The first DNS resolution success message includes the domain name of the network resource and the first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource; the first IP address list includes at least one IP address.
405. The network management server sends the first IP address list to the ACL configuration device.
After receiving from the DNS server the first DNS resolution success message that includes the domain name of the network resource and the first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, the network management server sends the first IP address list to the ACL configuration device, so that the ACL configuration device delivers the first IP address list into the ACL list of the ACL configuration device. At this point the ACL function is successfully configured, that is, control over the network resource is achieved.
In the ACL configuration method provided by the present invention, the network management server obtains a configuration command that includes the domain name of a network resource, sends to the DNS server a first DNS resolution request message, generated according to the configuration command, that includes the domain name of the network resource, receives from the DNS server a first DNS resolution success message that includes the domain name of the network resource and the first IP address list, corresponding to the domain name of the network resource, that is needed to access the network resource, and finally sends the received first IP address list to the ACL configuration device, so that the ACL configuration device delivers the first IP address list into its ACL list and thereby controls the network resource. The configuration command makes the acquisition of the IP address list corresponding to the domain name of the network resource automatic, and sending the IP address list to the ACL configuration device lets the ACL configuration device configure the IP address list corresponding to the domain name of the network resource in the ACL list automatically. This ensures that when the IP address list corresponding to the domain name of the network resource changes, the ACL list can be modified in time according to the changed IP address list, so that the problem of ACL control errors is avoided.
Fig. 6 is a flowchart of another ACL configuration method according to an embodiment of the present invention. As shown in Fig. 6, the method may include the following steps.
In this embodiment of the present invention, by way of example, the ACL configuration method of the present invention is described in detail taking as an example an ACL configuration device, performing the ACL configuration method, that includes an ACL module, a DNS module, and a TCAM module.
501. The ACL configuration device obtains a configuration command.
The configuration command is used to obtain the IP address list, corresponding to the domain name of a network resource, that is needed to access the network resource, and to control the network resource; the configuration command includes the domain name of the network resource, and the domain name of the network resource is unique in the network. Specifically, when a network resource needs to be controlled, operating personnel enter into the ACL configuration device the configuration command that includes the domain name of the network resource, and the ACL module of the ACL configuration device thereby obtains the configuration command that includes the domain name of the network resource.
By way of example, the control types that may be applied to a network resource include, but are not limited to: allowing users to access the network resource, and not allowing users to access the network resource.
It should be noted that the control types are given here only as examples; the control over network resources achieved through the ACL function includes, but is not limited to, the control types listed above.
Further optionally, when the control type is to allow users to access the network resource, "the configuration command is used to control the network resource" specifically means "the configuration command is used to allow users to access the network resource". For example, the configuration command is: rule permit ip destination url www.xxx.com, where rule denotes a rule, permit denotes that users are allowed access, www.xxx.com is the domain name of the network resource, and ip destination url www.xxx.com denotes the destination IP addresses corresponding to the domain name of the network resource. After obtaining rule permit ip destination url www.xxx.com, the ACL configuration device can, according to that command, request from the DNS server the destination IP address list corresponding to the network resource whose domain name is www.xxx.com, and can learn that the command is used to allow users to access the network resource whose domain name is www.xxx.com. When the control type is to not allow users to access the network resource, "the configuration command is used to control the network resource" specifically means "the configuration command is used to forbid users from accessing the network resource". For example, the configuration command is: rule deny ip destination url www.xxx.com, where rule denotes a rule, deny denotes that users are not allowed access, www.xxx.com is the domain name of the network resource, and ip destination url www.xxx.com denotes the destination IP addresses corresponding to the domain name of the network resource. After obtaining rule deny ip destination url www.xxx.com, the ACL configuration device can, according to that command, request from the DNS server the destination IP address list corresponding to the network resource whose domain name is www.xxx.com, and can learn that the command is used to forbid users from accessing the network resource whose domain name is www.xxx.com.
In addition, on the basis of configuration order of the present invention, can also be further in ACL The highest priority or minimum when user accesses the Internet resources is arranged for controlling in configuration equipment Order, for order when controlling the user to access the Internet resources using the transmission path specified, be used for Control user accesses order of bandwidth of the Internet resources etc., to enter traveling one to the Internet resources The control of step.Phase in the prior art is may be referred to for the order further controlled Internet resources The configuration order answered, in this not go into detail for the embodiment of the present invention.
Wherein, in following step by the configuration order obtained using in step 501 as rule permit ip It is introduced exemplified by destination url www.xxx.com.
502. The ACL configuration device generates a first DNS resolution request message.
The first DNS resolution request message includes the domain name of the network resource. After the ACL module of the ACL configuration device obtains the configuration command including the domain name of the network resource, it may carry the obtained domain name in an IP address resolution message and pass it to the DNS module of the ACL configuration device. The DNS module of the ACL configuration device then receives the IP address resolution message including the domain name from the ACL module and generates, according to that message, the first DNS resolution request message including the domain name of the network resource.
By way of example, after the ACL module of the ACL configuration device obtains the configuration command rule permit ip destination url www.xxx.com, it carries www.xxx.com in an IP address resolution message and passes it to the DNS module of the ACL configuration device. The DNS module of the ACL configuration device receives the IP address resolution message including www.xxx.com from the ACL module and generates, according to it, the first DNS resolution request message including www.xxx.com.
In this embodiment of the present invention, the domain name of the network resource may be contained in the URL of the network resource. Therefore, before the ACL configuration device generates the first DNS resolution request message, the ACL module of the ACL configuration device may first obtain the domain name of the network resource from the URL of the network resource, and then carry the obtained domain name in an IP address resolution message passed to the DNS module of the ACL configuration device, so that the DNS module of the ACL configuration device generates the first DNS resolution request message.
503. The ACL configuration device sends the first DNS resolution request message to the DNS server.
After the DNS module of the ACL configuration device generates the first DNS resolution request message including the domain name of the network resource, it may send the first DNS resolution request message to the DNS server.
By way of example, the DNS module of the ACL configuration device sends the first DNS resolution request message including www.xxx.com to the DNS server.
504. The DNS server receives the first DNS resolution request message sent by the ACL configuration device.
The DNS server may receive the first DNS resolution request message, including the domain name of the network resource, sent by the DNS module of the ACL configuration device.
505. The DNS server resolves the domain name of the network resource included in the first DNS resolution request message.
After receiving the first DNS resolution request message including the domain name of the network resource from the DNS module of the ACL configuration device, the DNS server may resolve the domain name of the network resource according to the first DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists.
By way of example, after the DNS server receives the first DNS resolution request message including www.xxx.com from the DNS module of the ACL configuration device, it may resolve www.xxx.com according to the first DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists.
506. The DNS server judges whether the resolution succeeds.
After the DNS server resolves the domain name of the network resource included in the first DNS resolution request message, it may judge whether the resolution of the domain name of the network resource succeeded. If the resolution succeeded, step 507 is performed; if the resolution failed, step 508 or step 509 is performed.
507. The DNS server sends a first DNS resolution success message to the ACL configuration device.
When the DNS server successfully resolves the domain name of the network resource, it may carry the domain name of the network resource, together with the first IP address list obtained by resolution that is required to access the network resource corresponding to that domain name, in a first DNS resolution success message sent to the DNS module of the ACL configuration device. The first IP address list may include at least one IP address.
By way of example, after the DNS server resolves www.xxx.com according to the first DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists, if the resolution succeeds it obtains the first IP address list required to access www.xxx.com, and it then carries www.xxx.com and the first IP address list obtained by resolution in a first DNS resolution success message sent to the DNS module of the ACL configuration device.
508. The DNS server sends a first DNS resolution failure message to the ACL configuration device.
When the DNS server fails to resolve the domain name of the network resource, in one possible implementation the DNS server may send to the DNS module of the ACL configuration device a first DNS resolution failure message notifying the ACL configuration device that resolution of the domain name of the network resource failed.
By way of example, after the DNS server resolves www.xxx.com according to the first DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists, if the resolution fails it may send to the DNS module of the ACL configuration device a first DNS resolution failure message notifying the ACL configuration device that resolution of www.xxx.com failed.
509. The DNS server does not respond to the first DNS resolution request message.
When the DNS server fails to resolve the domain name of the network resource, in another possible implementation the DNS server may simply not respond to the first DNS resolution request message.
510. The ACL configuration device receives the first DNS resolution success message from the DNS server.
When the DNS server successfully resolves the domain name of the network resource, corresponding to step 507, the DNS module of the ACL configuration device may receive from the DNS server the first DNS resolution success message including the domain name of the network resource and the first IP address list required to access the network resource corresponding to that domain name.
511. The ACL configuration device issues the first IP address list into the ACL list of the ACL configuration device, to control the network resource.
After the DNS module of the ACL configuration device receives the first DNS resolution success message from the DNS server, it may pass the first DNS resolution success message to the ACL module of the ACL configuration device, and the ACL module issues the first IP address list included in the message into the ACL list of the TCAM module of the ACL configuration device to complete the configuration, thereby controlling the network resource.
By way of example, after the DNS module of the ACL configuration device receives from the DNS server the first DNS resolution success message including www.xxx.com and the first IP address list obtained by resolution that is required to access www.xxx.com, the ACL configuration device may, according to the configuration command, issue the first IP address list included in the first DNS resolution success message together with the "permit" of the configuration command into the ACL list of the TCAM module of the ACL configuration device to complete the configuration, thereby controlling the network resource whose domain name is www.xxx.com, that is, allowing users to access the network resource whose domain name is www.xxx.com.
512. The ACL configuration device receives the first DNS resolution failure message sent by the DNS server.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 508, the DNS module of the ACL configuration device receives the first DNS resolution failure message sent by the DNS server notifying the ACL configuration device that resolution of the domain name of the network resource failed; the DNS module of the ACL configuration device may then return an invalid IP address to the ACL module of the ACL configuration device.
513. The ACL configuration device determines that no response message from the DNS server has been received within a preset time.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 509, the DNS module of the ACL configuration device determines that no response message from the DNS server has been received within the preset time; the DNS module of the ACL configuration device may then return an invalid IP address to the ACL module of the ACL configuration device.
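The following is an added simulation of steps 501 to 513 and of the configuration command syntax discussed under step 501; it is example code written for this page, not code from the patent or from Huawei. The DNS server is replaced by a constructed lookup table (an assumption, as are the sample addresses in it), with one name that resolves, one that fails, and one for which the server never answers, so that all three outcomes (success message, failure message, no response) are exercised. The TCAM is modelled as a list of (action, IP) entries, and the "invalid IP address" the DNS module returns to the ACL module on failure is modelled as `None`.

```python
"""Simulation of the ACL configuration device's steps 501-513 (added example)."""
import re
from dataclasses import dataclass, field

INVALID_IP = None  # value the DNS module hands to the ACL module on failure or timeout

# Constructed stand-in for the DNS server's stored domain -> IP list mapping (assumption).
DNS_TABLE = {
    "www.xxx.com": ["192.0.2.10", "192.0.2.11"],
}
# Constructed set of names for which the stand-in DNS server never answers (step 509).
SILENT_DOMAINS = {"silent.example"}

# Accepts "rule permit|deny ip destination url <domain-or-url>" (case-insensitive).
COMMAND_RE = re.compile(
    r"^rule\s+(permit|deny)\s+ip\s+destination\s+url\s+(\S+)$", re.IGNORECASE)


def domain_from_url(target):
    """The domain name may be embedded in a URL: strip scheme, path and port."""
    host = target.split("://", 1)[-1].split("/", 1)[0]
    return host.split(":", 1)[0].lower()


def parse_config_command(command):
    """Step 501: split the configuration command into (action, domain)."""
    m = COMMAND_RE.match(command.strip())
    if not m:
        raise ValueError(f"unrecognised configuration command: {command!r}")
    return m.group(1).lower(), domain_from_url(m.group(2))


def dns_server_resolve(domain):
    """Steps 504-509 on the DNS server side.
    Returns ('success', ips), ('failure', None) or ('silent', None)."""
    if domain in SILENT_DOMAINS:
        return "silent", None
    ips = DNS_TABLE.get(domain)
    if ips is None:
        return "failure", None
    return "success", list(ips)


def dns_module_lookup(domain, server=dns_server_resolve):
    """Steps 502-503 and 510-513 from the DNS module's side.
    Returns the first IP address list on success, INVALID_IP when a failure
    message arrives (step 512) or when the preset time passes with no
    response (step 513); the stand-in server reports the latter as 'silent'."""
    status, ips = server(domain)
    if status == "success":
        return ips
    return INVALID_IP


@dataclass
class AclDevice:
    """ACL module plus a TCAM stand-in holding (action, ip) entries."""
    tcam: list = field(default_factory=list)
    # First IP address list per domain, kept for the later refresh comparison.
    installed: dict = field(default_factory=dict)

    def apply_command(self, command):
        """Steps 501-511: parse, resolve, and issue the list into the ACL list.
        Returns False when the DNS module returned an invalid IP address."""
        action, domain = parse_config_command(command)
        ips = dns_module_lookup(domain)
        if ips is INVALID_IP:
            return False
        self.installed[domain] = ips
        for ip in ips:
            entry = (action, ip)
            if entry not in self.tcam:
                self.tcam.append(entry)
        return True


if __name__ == "__main__":
    dev = AclDevice()
    print(dev.apply_command("rule permit ip destination url www.xxx.com"), dev.tcam)
    print(dev.apply_command("rule deny ip destination url nx.example"), dev.tcam)
```

Two design points are worth noting. A command whose resolution fails or times out leaves the TCAM untouched rather than installing an empty or placeholder entry, which is the safe reading of "return an invalid IP address to the ACL module" for a permit rule. And the parser normalises the domain before resolution so that a URL form of the same resource cannot produce a second, divergent ACL entry.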
In order that the ACL configuration device can synchronize the change into the ACL list in time after the IP address corresponding to the domain name of the network resource changes, the ACL configuration method may further include the following steps:
514. The ACL configuration device starts a timer.
The timing period of the timer may be configured according to the needs of the actual application scenario. Preferably, the following step 515 may be performed.
515. The ACL configuration device configures the TTL of the domain name of the network resource as the timing period of the timer.
516. When the timer expires, the ACL configuration device generates a second DNS resolution request message.
The second DNS resolution request message includes the domain name of the network resource.
By way of example, when the timer expires, the DNS module of the ACL configuration device may generate a second DNS resolution request message including www.xxx.com.
In this embodiment of the present invention, the domain name of the network resource may be contained in the URL of the network resource. Therefore, before generating the second DNS resolution request message, the ACL configuration device may first obtain the domain name of the network resource from the URL of the network resource and then generate the second DNS resolution request message.
517. The ACL configuration device sends the second DNS resolution request message to the DNS server.
By way of example, the DNS module of the ACL configuration device sends the second DNS resolution request message including www.xxx.com to the DNS server.
518. The DNS server receives the second DNS resolution request message sent by the ACL configuration device.
519. The DNS server resolves the domain name of the network resource included in the second DNS resolution request message.
By way of example, after the DNS server receives the second DNS resolution request message including www.xxx.com from the DNS module of the ACL configuration device, it may resolve www.xxx.com according to the second DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists.
520. The DNS server judges whether the resolution succeeds.
After the DNS server resolves the domain name of the network resource included in the second DNS resolution request message, it may judge whether the resolution of the domain name of the network resource succeeded. If the resolution succeeded, step 521 is performed; if the resolution failed, step 522 or step 523 is performed.
521. The DNS server sends a second DNS resolution success message to the ACL configuration device.
The second DNS resolution success message includes the domain name of the network resource and the second IP address list obtained by resolution that is required to access the network resource corresponding to that domain name. The second IP address list may include at least one IP address.
By way of example, after the DNS server resolves www.xxx.com according to the second DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists, if the resolution succeeds it obtains the second IP address list required to access www.xxx.com, and it then carries www.xxx.com and the second IP address list obtained by resolution in a second DNS resolution success message sent to the DNS module of the ACL configuration device.
522. The DNS server sends a second DNS resolution failure message to the ACL configuration device.
By way of example, after the DNS server resolves www.xxx.com according to the second DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists, if the resolution fails it may send to the DNS module of the ACL configuration device a second DNS resolution failure message notifying the ACL configuration device that resolution of www.xxx.com failed.
Correspondingly, after the DNS server sends the second DNS resolution failure message to the ACL configuration device, the ACL configuration device may receive from the DNS server the second DNS resolution failure message notifying it that resolution of the domain name of the network resource failed.
523. The DNS server does not respond to the second DNS resolution request message.
If the DNS server does not respond to the second DNS resolution request message, the ACL configuration device may correspondingly determine that no response message from the DNS server has been received within the preset time.
524. The ACL configuration device receives the second DNS resolution success message from the DNS server.
The second DNS resolution success message includes the domain name of the network resource and the second IP address list required to access the network resource corresponding to that domain name; the second IP address list includes at least one IP address.
525. The ACL configuration device judges whether the second IP address list is identical to the first IP address list.
After the ACL module of the ACL configuration device receives the second DNS resolution success message, it may judge, according to the second DNS resolution success message, whether the second IP address list is identical to the first IP address list. If the second IP address list differs from the first IP address list, the following step 526 is performed; if the second IP address list is identical to the first IP address list, no processing is needed.
By way of example, after the DNS module of the ACL configuration device receives from the DNS server the second DNS resolution success message including www.xxx.com and the second IP address list obtained by resolution that is required to access www.xxx.com, the ACL configuration device may judge whether the second IP address list is identical to the first IP address list.
526. The ACL configuration device updates the ACL list according to the second IP address list.
Specifically, the ACL module of the ACL configuration device may issue the whole second IP address list into the TCAM module to update the ACL list, or it may issue only those IP addresses of the second IP address list that differ from the first IP address list into the TCAM module, thereby updating the ACL list.
It should be noted that steps 514 to 526 may be repeated in order to judge periodically whether the IP address list corresponding to the domain name of the network resource has changed.
It should be noted that, in this embodiment of the present invention, the specific description of steps 516 to 524 is similar to the specific description of the corresponding content in steps 502 to 513 of this embodiment; the specific implementation of steps 516 to 524 is therefore not repeated here.
It should be noted that the ACL configuration method provided by the present invention is also applicable to firewalls or data processing devices (English: Data Processing Installation, DPI for short) in order to control and monitor access; its implementation process is similar to the process above and is not repeated in this embodiment of the present invention.
In the ACL configuration method provided by the present invention, the ACL configuration device obtains a configuration command that includes the domain name of a network resource, generates a first DNS resolution request message including that domain name according to the configuration command, sends it to the DNS server, receives from the DNS server a first DNS resolution success message that includes the domain name of the network resource and the first IP address list required to access the network resource corresponding to that domain name, and finally issues the received first IP address list into the ACL list of the ACL configuration device, thereby controlling the network resource. The configuration command thus lets the IP address list corresponding to the domain name of the network resource be configured automatically into the ACL list, which ensures that, when the IP address list corresponding to the domain name changes, the ACL list can be modified in time according to the changed IP address list, so that ACL control errors are avoided.
Moreover, the automatic acquisition of the IP address list corresponding to the domain name of the network resource and the automatic configuration of the ACL function improve configuration efficiency, and the use of the timer lets the ACL configuration device obtain the changed IP address list in time after the IP address list corresponding to the domain name of the network resource changes, ensuring that the ACL list is updated in time.
Fig. 7 is a flow chart of another ACL configuration method provided in an embodiment of the present invention. As shown in Fig. 7, the method may include the following steps.
601. The network management server obtains a configuration command.
The configuration command is used to obtain the IP address list required to access the network resource corresponding to the domain name of the network resource, and to control the network resource; it includes the domain name of the network resource, which is unique in the network.
By way of example, the control types applied to a network resource may include but are not limited to: allowing users to access the network resource, and not allowing users to access the network resource. Further, optionally, when the control type is allowing users to access the network resource, "the configuration command is used to control the network resource" may specifically mean "the configuration command is used to allow users to access the network resource"; for example, the configuration command may be: rule permit ip destination url www.xxx.com. When the control type is not allowing users to access the network resource, "the configuration command is used to control the network resource" may specifically mean "the configuration command is used to forbid users from accessing the network resource"; for example, the configuration command may be: rule deny ip destination url www.xxx.com. The specific explanation of the configuration command is similar to the explanation given in step 501 of the other embodiment of the present invention, to which reference may be made; it is not repeated here.
602. The network management server generates a first DNS resolution request message.
The first DNS resolution request message includes the domain name of the network resource.
In this embodiment of the present invention, the domain name of the network resource may be contained in the URL of the network resource. Therefore, before generating the first DNS resolution request message, the network management server may first obtain the domain name of the network resource from the URL of the network resource and then generate the first DNS resolution request message.
603. The network management server sends the first DNS resolution request message to the DNS server.
604. The DNS server receives the first DNS resolution request message sent by the network management server.
605. The DNS server resolves the domain name of the network resource included in the first DNS resolution request message.
After receiving the first DNS resolution request message including the domain name of the network resource from the network management server, the DNS server may resolve the domain name of the network resource according to the first DNS resolution request message and the pre-stored correspondence between domain names of network resources and IP address lists.
606. The DNS server judges whether the resolution succeeds.
After the DNS server resolves the domain name of the network resource included in the first DNS resolution request message, it may judge whether the resolution of the domain name of the network resource succeeded. If the resolution succeeded, step 607 is performed; if the resolution failed, step 608 or step 609 is performed.
607. The DNS server sends a first DNS resolution success message to the network management server.
The first DNS resolution success message includes the domain name of the network resource and the first IP address list obtained by resolution that is required to access the network resource corresponding to that domain name. The first IP address list may include at least one IP address.
608. The DNS server sends a first DNS resolution failure message to the network management server.
When the DNS server fails to resolve the domain name of the network resource, in one possible implementation the DNS server may send to the network management server a first DNS resolution failure message notifying it that resolution of the domain name of the network resource failed.
609. The DNS server does not respond to the first DNS resolution request message.
When the DNS server fails to resolve the domain name of the network resource, in another possible implementation the DNS server may simply not respond to the first DNS resolution request message.
610. The network management server receives the first DNS resolution success message from the DNS server.
When the DNS server successfully resolves the domain name of the network resource, corresponding to step 607, the network management server may receive from the DNS server the first DNS resolution success message including the domain name of the network resource and the first IP address list required to access the network resource corresponding to that domain name.
611. The network management server sends the first IP address list to the ACL configuration device.
After receiving the first DNS resolution success message from the DNS server, the network management server may send the first IP address list to the ACL configuration device, so that the ACL configuration device issues the first IP address list into the ACL list of the ACL configuration device to complete the configuration, thereby controlling the network resource.
612. The network management server receives the first DNS resolution failure message sent by the DNS server.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 608, the network management server receives the first DNS resolution failure message sent by the DNS server notifying it that resolution of the domain name of the network resource failed; the network management server may then send the first DNS resolution failure message to the ACL configuration device, so that the ACL configuration device knows that the DNS server failed to resolve the domain name of the network resource.
613. The network management server determines that no response message from the DNS server has been received within a preset time.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 609, the network management server determines that no response message from the DNS server has been received within the preset time; the network management server may then send to the ACL configuration device a response message notifying it that resolution of the domain name of the network resource failed, so that the ACL configuration device knows that the DNS server failed to resolve the domain name of the network resource.
In order to which after the corresponding IP address of the domain name of Internet resources changes, ACL configures equipment energy Enough that modification is timely synchronized to acl list, further, ACL collocation methods can also be wrapped Include following steps:
614th, network management server starts timer.
Wherein, the timing cycle of timer can be configured according to the demand of practical application scene 's.It is preferred that can perform following steps 615.
615th, the TTL of the domain name of Internet resources is configured to the timing of timer by network management server Cycle.
616th, in timer expiry, network management server generates the second dns resolution request message.
Wherein, the second dns resolution request message includes the domain name of Internet resources.
In embodiments of the present invention, the domain name of described Internet resources can be included in Internet resources In, so before network management server generates the second dns resolution request message, network management Server can first obtain the domain name of Internet resources according to the URL of Internet resources, then regenerate the Two dns resolution request messages.
617th, network management server sends the second dns resolution request message to dns server.
618th, the second dns resolution request report that dns server receiving network managing server is sent Text.
619th, the domain for the Internet resources that dns server includes to the second dns resolution request message Name is parsed.
620th, dns server judges whether parsing succeeds.
Wherein, the Internet resources included in dns server to the second dns resolution request message After domain name is parsed, it can be determined that whether the parsing to the domain name of Internet resources succeeds, if to net The successfully resolved of the domain name of network resource, then perform step 621;If the parsing of the domain name to Internet resources Failure, then perform step 622 or 623.
621st, dns server sends the second dns resolution success message to network management server.
Wherein, the second dns resolution success message includes the domain name of Internet resources, and parses The second IP address list accessed needed for Internet resources corresponding with Internet resources domain names that is arriving.The At least one IP address can be included in two IP address lists.
622nd, dns server sends the second dns resolution failure message to network management server.
623rd, dns server is not responded to the second dns resolution request message.
624. The network management server receives the second DNS resolution success message from the DNS server.
The second DNS resolution success message includes the domain name of the network resource and the second IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the second IP address list includes at least one IP address.
625. The network management server determines whether the second IP address list is identical to the first IP address list.
After receiving the second DNS resolution success message, the network management server may compare the second IP address list carried in that message with the first IP address list. If the second IP address list differs from the first IP address list, step 626 is performed; if the two lists are identical, no further processing is needed.
626. The network management server sends the second IP address list to the ACL configuration device.
Specifically, when the second IP address list differs from the first IP address list, the network management server sends the second IP address list to the ACL configuration device, so that the ACL configuration device updates the ACL list according to the second IP address list.
It should be noted that in embodiments of the present invention, the specific descriptions of step 601- steps 626 It is similar with the specific descriptions of corresponding contents in step 501- steps 526 in the embodiment of the present invention, for This is no longer going to repeat them for the embodiment of the present invention that implements of step 601- steps 626.
It should be noted that the ACL collocation methods that provide of the present invention be also applied to fire wall or In DPI, to realize the purpose of control and monitoring access, its implementation process is similar with said process, this This is no longer going to repeat them for inventive embodiments.
In the ACL configuration method provided by the present invention, the network management server obtains a configuration command that includes the domain name of the network resource, generates from that command a first DNS resolution request message including the domain name, and sends it to the DNS server. It then receives from the DNS server a first DNS resolution success message that includes the domain name of the network resource and the first IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource. Finally, it sends the received first IP address list to the ACL configuration device, so that the ACL configuration device delivers the first IP address list into the ACL list and thereby controls access to the network resource. The IP address list corresponding to the domain name of the network resource is thus obtained automatically from a configuration command, and by sending that list to the ACL configuration device, the IP addresses corresponding to the domain name are configured into the ACL list automatically. This also ensures that, when the IP address list corresponding to the domain name changes, the ACL list can be modified promptly according to the changed list, which avoids the ACL control errors that stale addresses would otherwise cause.
Moreover, automatically obtaining the IP address list corresponding to the domain name of the network resource and automatically configuring the ACL function improves configuration efficiency, and the use of a timer allows the network management server to obtain the changed IP address list promptly after the list corresponding to the domain name changes, which in turn ensures that the ACL configuration device updates the ACL list in time.
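The following is an added example, written for this page and not code from the patent or from Huawei, that models the refresh loop of steps 615 to 626 together with the DNS server behaviour of steps 618 to 623: the network management server resolves the domain name, reuses the returned TTL as the timer period, re-resolves on expiry, compares the new list with the stored one and pushes a replacement to the ACL configuration device only when the list changed. The zone data, the URL, the class and function names, and the representation of the ACL list as a set of addresses per domain are all assumptions made for illustration. Two points the example makes explicit that the text leaves implicit: a failed or unanswered re-resolution keeps the last good list rather than emptying the ACL, and an update withdraws addresses that disappeared from the answer as well as adding new ones. As in the method, the resolver's answer is trusted as-is, so the entries installed are only as trustworthy as the DNS path between the management server and the DNS server.

```python
# Added example (not the patent's code): DNS-driven ACL refresh, steps 615-626.
# Zone data, names and the ACL representation are constructed for illustration.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class DnsResponse:
    ok: bool                                          # True: resolution success message
    domain: str
    addrs: list[str] = field(default_factory=list)    # the IP address list
    ttl: int = 0                                      # TTL, reused as timer period


class DnsServer:
    """Constructed DNS server answering from an in-memory zone (steps 618-623)."""

    def __init__(self, zone: dict[str, dict], answer: bool = True) -> None:
        self.zone = zone
        self.answer = answer                          # False: step 623, no response

    def resolve(self, domain: str) -> Optional[DnsResponse]:
        if not self.answer:
            return None
        rec = self.zone.get(domain)
        if rec is None:
            return DnsResponse(False, domain)         # step 622: failure message
        return DnsResponse(True, domain, list(rec["addrs"]), rec["ttl"])  # step 621


class AclDevice:
    """ACL configuration device: one entry set per domain (the ACL list)."""

    def __init__(self) -> None:
        self.table: dict[str, frozenset[str]] = {}

    def install(self, domain: str, addrs: frozenset[str]) -> tuple[set[str], set[str]]:
        """Replace the entries for domain; return (added, removed) so that
        addresses no longer in the answer are withdrawn, not left behind."""
        old = self.table.get(domain, frozenset())
        self.table[domain] = addrs
        return set(addrs - old), set(old - addrs)

    def rules(self, domain: str) -> list[str]:
        return sorted(self.table.get(domain, ()))


def domain_from_url(url: str) -> str:
    """Extract the domain name carried in the resource URL."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL {url!r}")
    return host


class NetworkManagementServer:
    def __init__(self, dns: DnsServer, device: AclDevice) -> None:
        self.dns, self.device = dns, device
        self.current: dict[str, frozenset[str]] = {}  # last installed list per domain
        self.timer_period: dict[str, int] = {}        # step 615: TTL as timer period

    def configure(self, url: str) -> bool:
        """Handle a configuration command carrying the resource URL."""
        domain = domain_from_url(url)
        resp = self.dns.resolve(domain)
        if resp is None or not resp.ok:
            return False                              # nothing installed
        self.current[domain] = frozenset(resp.addrs)
        self.timer_period[domain] = resp.ttl
        self.device.install(domain, self.current[domain])
        return True

    def on_timer_expiry(self, domain: str) -> str:
        """Steps 616-626: re-resolve, compare with the stored list, update on change."""
        resp = self.dns.resolve(domain)
        if resp is None or not resp.ok:
            return "unchanged"                        # keep last good list, retry later
        self.timer_period[domain] = resp.ttl
        new = frozenset(resp.addrs)
        if new == self.current.get(domain):
            return "unchanged"                        # step 625: identical lists
        self.current[domain] = new
        self.device.install(domain, new)              # step 626: push the new list
        return "updated"


def run_scenario() -> dict:
    """Normal refresh, an address change, a DNS outage and an unknown name."""
    zone = {"example.com": {"ttl": 300, "addrs": ["192.0.2.10", "192.0.2.11"]}}
    dns, dev = DnsServer(zone), AclDevice()
    nms = NetworkManagementServer(dns, dev)
    out = {"configured": nms.configure("https://example.com/app/index.html")}
    out["first"] = dev.rules("example.com")
    out["period"] = nms.timer_period["example.com"]
    out["same"] = nms.on_timer_expiry("example.com")
    zone["example.com"]["addrs"] = ["192.0.2.11", "198.51.100.5"]  # resource moved
    out["changed"] = nms.on_timer_expiry("example.com")
    out["second"] = dev.rules("example.com")
    dns.answer = False                                            # step 623
    out["outage"] = nms.on_timer_expiry("example.com")
    out["after_outage"] = dev.rules("example.com")
    dns.answer = True
    out["unknown"] = nms.configure("https://nx.invalid/")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints the installed rule sets before and after the address change; `install` returns the added and removed addresses so a real device can translate the difference into individual ACL entry insertions and deletions rather than rewriting the whole table.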
Fig. 8 is a schematic diagram of the composition of an ACL configuration device provided by an embodiment of the present invention. As shown in Fig. 8, it includes an acquiring unit 71, a generating unit 72, a sending unit 73, a receiving unit 74 and a delivery unit 75.
The acquiring unit 71 is configured to obtain a configuration command. The configuration command is used to obtain the Internet Protocol (IP) address list, corresponding to the domain name of the network resource, of the IP addresses that must be accessed to reach the network resource, and to control access to the network resource; it includes the domain name of the network resource.
The generating unit 72 is configured to generate a first Domain Name System (DNS) resolution request message, which includes the domain name of the network resource contained in the configuration command obtained by the acquiring unit 71.
The sending unit 73 is configured to send the first DNS resolution request message generated by the generating unit 72 to the DNS server.
The receiving unit 74 is configured to receive the first DNS resolution success message from the DNS server. The first DNS resolution success message includes the domain name of the network resource and the first IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the first IP address list includes at least one IP address.
The delivery unit 75 is configured to deliver the first IP address list carried in the first DNS resolution success message received by the receiving unit 74 into the ACL list of the ACL configuration device, so as to control access to the network resource.
Further, in an embodiment of the present invention, the domain name of the network resource is contained in the uniform resource locator (URL) of the network resource.
The acquiring unit 71 is further configured to obtain the domain name of the network resource from the URL of the network resource.
Further, in an embodiment of the present invention, as shown in Fig. 9, the ACL configuration device may also include a timing unit 76 and a determining unit 77.
The timing unit 76 is configured to start a timer.
The generating unit 72 is further configured to generate, when the timer expires, a second DNS resolution request message that includes the domain name of the network resource.
The sending unit 73 is further configured to send the second DNS resolution request message generated by the generating unit 72 to the DNS server.
The receiving unit 74 is further configured to receive the second DNS resolution success message from the DNS server. The second DNS resolution success message includes the domain name of the network resource and the second IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the second IP address list includes at least one IP address.
The determining unit 77 is configured to determine whether the second IP address list carried in the second DNS resolution success message received by the receiving unit 74 is identical to the first IP address list.
The delivery unit 75 is further configured to update the ACL list according to the second IP address list if the determining unit 77 determines that the second IP address list differs from the first IP address list.
Further, in an embodiment of the present invention, the timing unit 76 is configured to set the time-to-live (TTL) of the domain name of the network resource as the timing period of the timer.
It should be noted that, for the specific operation of each functional module of the ACL configuration device provided by the embodiment of the present invention, reference may be made to the detailed description of the corresponding process in the method embodiment; it is not described in detail again here.
The ACL configuration device provided by the embodiment of the present invention performs the ACL configuration method described above and therefore achieves the same effect as that method.
Fig. 10 is a schematic diagram of the composition of another ACL configuration device provided by an embodiment of the present invention. As shown in Fig. 10, it includes an ACL module 81, a DNS module 82 and a TCAM module 83.
The ACL module 81 is configured to obtain a configuration command. The configuration command is used to obtain the IP address list, corresponding to the domain name of the network resource, of the IP addresses that must be accessed to reach the network resource, and to control access to the network resource; it includes the domain name of the network resource. The ACL module 81 carries the domain name of the network resource in an IP address resolution message and passes it to the DNS module 82.
The DNS module 82 is configured to generate a first DNS resolution request message that includes the domain name of the network resource, send the first DNS resolution request message to the DNS server, and receive the first DNS resolution success message from the DNS server. The first DNS resolution success message includes the domain name of the network resource and the first IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the first IP address list includes at least one IP address. The DNS module 82 passes the first IP address list to the ACL module 81.
The ACL module 81 is further configured to deliver the first IP address list into the ACL list of the TCAM module 83, so as to control access to the network resource.
Further, in an embodiment of the present invention, the domain name of the network resource is contained in the URL of the network resource.
The ACL module 81 is further configured to obtain the domain name of the network resource from the URL of the network resource.
Further, in an embodiment of the present invention, the ACL module 81 is further configured to start a timer.
The DNS module 82 is further configured to generate, when the timer expires, a second DNS resolution request message that includes the domain name of the network resource, send it to the DNS server, and receive the second DNS resolution success message from the DNS server. The second DNS resolution success message includes the domain name of the network resource and the second IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the second IP address list includes at least one IP address. The DNS module 82 passes the second IP address list to the ACL module 81.
The ACL module 81 is further configured to determine whether the second IP address list is identical to the first IP address list and, if the second IP address list differs from the first IP address list, to update the ACL list of the TCAM module 83 according to the second IP address list.
Further, in an embodiment of the present invention, the ACL module 81 is further configured to set the TTL of the domain name of the network resource as the timing period of the timer.
It should be noted that, for the specific operation of each functional module of the ACL configuration device provided by the embodiment of the present invention, reference may be made to the detailed description of the corresponding process in the method embodiment; it is not described in detail again here.
The ACL configuration device provided by the embodiment of the present invention performs the ACL configuration method described above and therefore achieves the same effect as that method.
Fig. 11 is a schematic diagram of the composition of a DNS server provided by an embodiment of the present invention. As shown in Fig. 11, it includes a receiving unit 91, a resolving unit 92, a determining unit 93 and a sending unit 94.
The receiving unit 91 is configured to receive the first DNS resolution request message sent by the ACL configuration device; the first DNS resolution request message includes the domain name of the network resource.
The resolving unit 92 is configured to resolve the domain name of the network resource contained in the first DNS resolution request message received by the receiving unit 91.
The determining unit 93 is configured to determine whether the resolving unit 92 resolved the domain name of the network resource successfully.
The sending unit 94 is configured to send a first DNS resolution success message to the ACL configuration device if the determining unit 93 determines that the resolving unit 92 resolved the domain name of the network resource successfully. The first DNS resolution success message includes the domain name of the network resource and the resolved first IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the first IP address list includes at least one IP address.
Further, in an embodiment of the present invention, the sending unit 94 is further configured to send a first DNS resolution failure message to the ACL configuration device if the determining unit 93 determines that the resolving unit 92 failed to resolve the domain name of the network resource; the first DNS resolution failure message notifies the ACL configuration device that resolution of the domain name of the network resource failed.
Alternatively,
the sending unit 94 is further configured not to respond to the first DNS resolution request message if the determining unit 93 determines that the resolving unit 92 failed to resolve the domain name of the network resource.
Further, in an embodiment of the present invention, the receiving unit 91 is further configured to receive the second DNS resolution request message sent by the ACL configuration device; the second DNS resolution request message includes the domain name of the network resource.
The resolving unit 92 is further configured to resolve the domain name of the network resource contained in the second DNS resolution request message received by the receiving unit 91.
The determining unit 93 is further configured to determine whether the resolving unit 92 resolved the domain name of the network resource successfully.
The sending unit 94 is further configured to send a second DNS resolution success message to the ACL configuration device if the determining unit 93 determines that the resolving unit 92 resolved the domain name of the network resource successfully. The second DNS resolution success message includes the domain name of the network resource and the resolved second IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the second IP address list includes at least one IP address.
It should be noted that, for the specific operation of each functional module of the DNS server provided by the embodiment of the present invention, reference may be made to the detailed description of the corresponding process in the method embodiment; it is not described in detail again here.
The DNS server provided by the embodiment of the present invention performs the ACL configuration method described above and therefore achieves the same effect as that method.
Fig. 12 is a schematic diagram of the composition of a network management server provided by an embodiment of the present invention. As shown in Fig. 12, it includes an acquiring unit 1001, a generating unit 1002, a sending unit 1003 and a receiving unit 1004.
The acquiring unit 1001 is configured to obtain a configuration command. The configuration command is used to obtain the IP address list, corresponding to the domain name of the network resource, of the IP addresses that must be accessed to reach the network resource, and to control access to the network resource; it includes the domain name of the network resource.
The generating unit 1002 is configured to generate a first Domain Name System (DNS) resolution request message, which includes the domain name of the network resource.
The sending unit 1003 is configured to send the first DNS resolution request message generated by the generating unit 1002 to the DNS server.
The receiving unit 1004 is configured to receive the first DNS resolution success message from the DNS server. The first DNS resolution success message includes the domain name of the network resource and the first IP address list, corresponding to that domain name, of the IP addresses that must be accessed to reach the network resource; the first IP address list includes at least one IP address.
The sending unit 1003 is further configured to send the first IP address list carried in the first DNS resolution success message received by the receiving unit 1004 to the ACL configuration device, so that the ACL configuration device delivers the first IP address list into its ACL list and thereby controls access to the network resource.
Further, in an embodiment of the present invention, the domain name of the network resource is contained in the uniform resource locator (URL) of the network resource.
The acquiring unit 1001 is further configured to obtain the domain name of the network resource from the URL of the network resource.
It should be noted that, for the specific operation of each functional module of the network management server provided by the embodiment of the present invention, reference may be made to the detailed description of the corresponding process in the method embodiment; it is not described in detail again here.
The network management server provided by the embodiment of the present invention performs the ACL configuration method described above and therefore achieves the same effect as that method.
Fig. 13 is a schematic diagram of the hardware structure of an ACL configuration device provided by an embodiment of the present invention. As shown in Fig. 13, the ACL configuration device may include at least one processor 1101, a memory 1102, at least one communication interface 1103 and a communication bus 1104.
Each component of the ACL configuration device is described below with reference to Fig. 13.
The processor 1101 may be a single processor or a collective term for a plurality of processing elements. For example, the processor 1101 may be a central processing unit (CPU), an application-specific integrated circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present invention, such as one or more digital signal processors (DSP) or one or more field-programmable gate arrays (FPGA).
The processor 1101 performs the various functions of the ACL configuration device by running or executing software programs stored in the memory 1102 and invoking data stored in the memory 1102.
In a specific implementation, as one embodiment, the processor 1101 may include one or more CPUs, for example CPU0 and CPU1 shown in Fig. 13.
In a specific implementation, as one embodiment, the ACL configuration device may include a plurality of processors, for example the processor 1101 and the processor 1105 shown in Fig. 13. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example computer program instructions).
The memory 1102 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor by the bus, or may be integrated with the processor.
The memory 1102 is used to store the software programs that execute the solution of the present invention, and their execution is controlled by the processor 1101.
The communication interface 1103 is any transceiver-type device used to communicate with other devices. The communication interface 1103 may include a receiving unit, which implements the receiving function, and a sending unit, which implements the sending function.
The communication bus 1104 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Fig. 13, which does not mean that there is only one bus or only one type of bus.
The device structure shown in Fig. 13 does not limit the ACL configuration device, which may include more or fewer components than shown, combine some components, or arrange the components differently.
In a specific implementation:
The processor 1101 is configured to perform the ACL configuration method provided in Fig. 3 or Fig. 6, so as to implement the functions of the acquiring unit 71, the generating unit 72 and the delivery unit 75 of the ACL configuration device shown in Fig. 8 and Fig. 9.
For example, the processor 1101 is configured to perform step 201 of the ACL configuration method provided in Fig. 3 to implement the function of the acquiring unit 71 of the ACL configuration device shown in Fig. 8 and Fig. 9, step 202 of that method to implement the function of the generating unit 72, and step 205 of that method to implement the function of the delivery unit 75.
For another example, the processor 1101 is configured to perform step 501 of the ACL configuration method provided in Fig. 6 to implement the function of the acquiring unit 71 of the ACL configuration device shown in Fig. 8 and Fig. 9, step 502 or step 516 of that method to implement the function of the generating unit 72, and step 511 or step 526 of that method to implement the function of the delivery unit 75.
The communication interface 1103 is configured to perform the ACL configuration method provided in Fig. 3 or Fig. 6, so as to implement the functions of the sending unit 73 and the receiving unit 74 of the ACL configuration device shown in Fig. 8 and Fig. 9.
For example, the communication interface 1103 is configured to perform step 203 of the ACL configuration method provided in Fig. 3 to implement the function of the sending unit 73 of the ACL configuration device shown in Fig. 8 and Fig. 9, and step 204 of that method to implement the function of the receiving unit 74.
For another example, the communication interface 1103 is configured to perform step 503 or step 517 of the ACL configuration method provided in Fig. 6 to implement the function of the sending unit 73 of the ACL configuration device shown in Fig. 8 and Fig. 9, and step 510, step 512 or step 524 of that method to implement the function of the receiving unit 74.
Further, in an embodiment of the present invention, the processor 1101 is further configured to perform the ACL configuration method provided in Fig. 6, so as to implement the functions of the timing unit 76 and the determining unit 77 of the ACL configuration device shown in Fig. 9.
For example, the processor 1101 is configured to perform step 514 or step 515 of the ACL configuration method provided in Fig. 6 to implement the function of the timing unit 76 of the ACL configuration device shown in Fig. 9, and step 525 of that method to implement the function of the determining unit 77.
The ACL configuration device provided by the embodiment of the present invention performs the ACL configuration method described above and therefore achieves the same effect as that method.
Fig. 14 is a schematic diagram of the hardware structure of a DNS server provided by an embodiment of the present invention. As shown in Fig. 14, the DNS server may include at least one processor 1201, a memory 1202, at least one communication interface 1203 and a communication bus 1204.
Each component of the DNS server is described below with reference to Fig. 14.
The processor 1201 may be a single processor or a collective term for a plurality of processing elements. For example, the processor 1201 may be a CPU, an ASIC, or one or more integrated circuits configured to implement the embodiments of the present invention, such as one or more DSPs or one or more FPGAs.
The processor 1201 performs the various functions of the DNS server by running or executing software programs stored in the memory 1202 and invoking data stored in the memory 1202.
In a specific implementation, as one embodiment, the processor 1201 may include one or more CPUs, for example CPU0 and CPU1 shown in Fig. 14.
In a specific implementation, as one embodiment, the DNS server may include a plurality of processors, for example the processor 1201 and the processor 1205 shown in Fig. 14. Each of these processors may be a single-CPU or a multi-CPU processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (for example computer program instructions).
The memory 1202 may be a ROM or another type of static storage device capable of storing static information and instructions, a RAM or another type of dynamic storage device capable of storing information and instructions, an EEPROM, a CD-ROM or other optical disc storage, optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs and the like), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist independently and be connected to the processor by the bus, or may be integrated with the processor.
The memory 1202 is used to store the software programs that execute the solution of the present invention, and their execution is controlled by the processor 1201.
The communication interface 1203 is any transceiver-type device used to communicate with other devices. The communication interface 1203 may include a receiving unit, which implements the receiving function, and a sending unit, which implements the sending function.
The communication bus 1204 may be an ISA bus, a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus and so on. For ease of representation, only one thick line is used in Fig. 14, which does not mean that there is only one bus or only one type of bus.
The device structure shown in Fig. 14 does not limit the DNS server, which may include more or fewer components than shown, combine some components, or arrange the components differently.
In a specific implementation:
The processor 1201 is configured to perform the ACL configuration method provided in Fig. 4 or Fig. 6, so as to implement the functions of the resolving unit 92 and the determining unit 93 of the DNS server shown in Fig. 11.
For example, the processor 1201 is configured to perform step 302 of the ACL configuration method provided in Fig. 4 to implement the function of the resolving unit 92 of the DNS server shown in Fig. 11, and step 303 of that method to implement the function of the determining unit 93.
For another example, the processor 1201 is configured to perform step 505 or step 519 of the ACL configuration method provided in Fig. 6 to implement the function of the resolving unit 92 of the DNS server shown in Fig. 11, and step 506 or step 520 of that method to implement the function of the determining unit 93.
The communication interface 1203 is configured to perform the ACL configuration method provided in Fig. 4 or Fig. 6, so as to implement the functions of the sending unit 94 and the receiving unit 91 of the DNS server shown in Fig. 11.
For example, the communication interface 1203 is configured to perform step 301 of the ACL configuration method provided in Fig. 4 to implement the function of the receiving unit 91 of the DNS server shown in Fig. 11, and step 304 of that method to implement the function of the sending unit 94.
For another example, the communication interface 1203 is configured to perform step 504 or step 518 of the ACL configuration method provided in Fig. 6 to implement the function of the receiving unit 91 of the DNS server shown in Fig. 11, and step 507, step 508, step 521 or step 522 of that method to implement the function of the sending unit 94.
The DNS server provided by the embodiment of the present invention performs the ACL configuration method described above and therefore achieves the same effect as that method.
Figure 15 is a schematic diagram of the hardware architecture of a network management server provided in an embodiment of the present invention. As shown in Figure 15, the network management server may include at least one processor 1301, a memory 1302, at least one communication interface 1303 and a communication bus 1304.
Each component of the network management server is described below with reference to Figure 15:
Processor 1301 may be a single processor or the collective name for multiple processing elements. For example, processor 1301 may be a CPU or an ASIC, or one or more integrated circuits configured to implement the embodiments of the present invention, for example one or more DSPs or one or more FPGAs.
Processor 1301 runs or executes the software programs stored in memory 1302 and invokes the data stored in memory 1302 to perform the various functions of the network management server.
In a specific implementation, as one embodiment, processor 1301 may include one or more CPUs, such as CPU0 and CPU1 shown in Figure 15.
In a specific implementation, as one embodiment, the network management server may include multiple processors, such as processor 1301 and processor 1305 shown in Figure 15. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor here may refer to one or more devices, circuits and/or processing cores for processing data (such as computer program instructions).
Memory 1302 may be a ROM or another type of static storage device capable of storing static information and instructions, a RAM or another type of dynamic storage device capable of storing information and instructions, or an EEPROM, a CD-ROM or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory may exist on its own and be connected to the processor by the bus, or it may be integrated with the processor.
Memory 1302 stores the software programs that carry out the solution of the present invention, and their execution is controlled by processor 1301.
Communication interface 1303 is any transceiver-like device used to communicate with other devices. Communication interface 1303 may include a receiving unit that implements the receiving function and a transmitting unit that implements the transmitting function.
Communication bus 1304 may be an ISA bus, a PCI bus, an EISA bus or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of representation, only one thick line is drawn in Figure 15, which does not mean that there is only one bus or only one type of bus.
The device structure shown in Figure 15 does not limit the network management server, which may include more or fewer components than shown, combine some components, or arrange the components differently.
In a specific implementation:
The processor 1301 is configured to perform the ACL configuration method provided in Figure 5 or Figure 7, to implement the functions of the acquiring unit 1001 and the generation unit 1002 in the network management server shown in Figure 12.
For example, processor 1301 is configured to perform step 401 of the ACL configuration method provided in Figure 5, to implement the function of the acquiring unit 1001 in the network management server shown in Figure 12. Processor 1301 is further configured to perform step 402 of the ACL configuration method provided in Figure 5, to implement the function of the generation unit 1002 in the network management server shown in Figure 12.
For another example, processor 1301 is configured to perform step 601 of the ACL configuration method provided in Figure 7, to implement the function of the acquiring unit 1001 in the network management server shown in Figure 12. Processor 1301 is further configured to perform step 602 or step 616 of the ACL configuration method provided in Figure 7, to implement the function of the generation unit 1002 in the network management server shown in Figure 12.
The communication interface 1303 is configured to perform the ACL configuration method provided in Figure 5 or Figure 7, to implement the functions of the transmitting unit 1003 and the receiving unit 1004 in the network management server shown in Figure 12.
For example, communication interface 1303 is configured to perform step 403 or step 405 of the ACL configuration method provided in Figure 5, to implement the function of the transmitting unit 1003 in the network management server shown in Figure 12. Communication interface 1303 is further configured to perform step 404 of the ACL configuration method provided in Figure 5, to implement the function of the receiving unit 1004 in the network management server shown in Figure 12.
For another example, communication interface 1303 is configured to perform step 603, step 611, step 617 or step 626 of the ACL configuration method provided in Figure 7, to implement the function of the transmitting unit 1003 in the network management server shown in Figure 12. Communication interface 1303 is further configured to perform step 610, step 612 or step 624 of the ACL configuration method provided in Figure 7, to implement the function of the receiving unit 1004 in the network management server shown in Figure 12.
The network management server provided in this embodiment of the present invention is configured to perform the ACL configuration methods described above, and can therefore achieve the same effects as those methods.
From the above description of the embodiments, a person skilled in the art can clearly understand that, for convenience and brevity of description, the division into the functional modules above is used only as an example. In practice, the functions above may be allocated to different functional modules as needed; that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; the division into modules or units is only a division by logical function, and in actual implementation there may be other divisions, for example multiple units or components may be combined or integrated into another apparatus, or some features may be ignored or not performed. In addition, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through some interfaces, apparatuses or units, and may be electrical, mechanical or of other forms.
Units described as separate components may or may not be physically separate, and components shown as units may be one physical unit or multiple physical units; that is, they may be located in one place or distributed over multiple places. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, the functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist physically on its own, or two or more units may be integrated into one unit. The integrated unit may be implemented in the form of hardware or in the form of a software functional unit.
If the integrated unit is implemented in the form of a software functional unit and sold or used as an independent product, it may be stored in a readable storage medium. Based on this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes several instructions for causing a device (which may be a single-chip microcomputer, a chip or the like) or a processor to perform all or part of the steps of the methods described in the embodiments of the present invention. The aforementioned storage medium includes: a USB flash disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disc, or any other medium that can store program code.
The foregoing is only a specific embodiment of the present invention, but the protection scope of the present invention is not limited thereto. Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within the protection scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (20)

1. An access control list (ACL) configuration method, characterized by comprising:
an ACL configuration device obtaining a configuration command, where the configuration command is used to obtain the Internet Protocol (IP) address list, corresponding to the domain name of a network resource, that is required to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource;
the ACL configuration device generating a first Domain Name System (DNS) resolution request message, where the first DNS resolution request message includes the domain name of the network resource;
the ACL configuration device sending the first DNS resolution request message to a DNS server;
the ACL configuration device receiving a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the first IP address list includes at least one IP address; and
the ACL configuration device installing the first IP address list into the ACL list of the ACL configuration device, so as to control the network resource.
2. The method according to claim 1, characterized in that
the domain name of the network resource is contained in the uniform resource locator (URL) of the network resource; and
before the ACL configuration device generates the first DNS resolution request message, the method further comprises:
the ACL configuration device obtaining the domain name of the network resource from the URL of the network resource.
3. The method according to claim 1 or 2, characterized in that, after the ACL configuration device installs the first IP address list into the ACL list of the ACL configuration device, the method further comprises:
the ACL configuration device starting a timer;
when the timer expires, the ACL configuration device generating a second DNS resolution request message, where the second DNS resolution request message includes the domain name of the network resource;
the ACL configuration device sending the second DNS resolution request message to the DNS server;
the ACL configuration device receiving a second DNS resolution success message from the DNS server, where the second DNS resolution success message includes the domain name of the network resource and a second IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the second IP address list includes at least one IP address;
the ACL configuration device judging whether the second IP address list is identical to the first IP address list; and
if the second IP address list differs from the first IP address list, the ACL configuration device updating the ACL list according to the second IP address list.
4. The method according to claim 3, characterized in that
the ACL configuration device configures the time to live (TTL) of the domain name of the network resource as the timing period of the timer.
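The procedure of claims 1 to 4 (and the TCAM-module variant of claims 13 to 16) as an added example; this is not code from the patent or from Huawei. A domain-keyed ACL resolves the name through an injected resolver, installs the returned IP list, sets a refresh timer from the record TTL, and on expiry replaces only the entries that changed. The resolver, the zone contents, the domain name and addresses (RFC 5737 documentation ranges), and the refresh floor and ceiling are all constructed assumptions; the patent specifies none of them. It also handles a case the claims leave open: when resolution fails (claim 6 lets the DNS server answer with a failure message or not at all), the example keeps the last known list and retries rather than leaving the resource uncontrolled.

```python
"""Domain-name-driven ACL entries refreshed from DNS (constructed simulation, not patent code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Resolver contract: (ip_list, ttl_seconds) on success; None when the DNS server
# answered with a failure message or did not answer at all (both allowed by claim 6).
Resolver = Callable[[str], Optional[Tuple[List[str], int]]]

MIN_REFRESH = 30     # assumed policy: floor so a tiny TTL cannot become a query storm
MAX_REFRESH = 3600   # assumed policy: ceiling on how long a stale list is trusted


@dataclass
class AclEntry:
    domain: str
    action: str                               # "permit" or "deny"
    ips: Set[str] = field(default_factory=set)
    next_refresh_at: float = 0.0


@dataclass
class Delta:
    """Rules that would have to be added to / removed from the TCAM."""
    added: Set[str]
    removed: Set[str]


class DomainAcl:
    """ACL table keyed by domain; `hardware` is the set of (action, ip) rules installed."""

    def __init__(self, resolver: Resolver) -> None:
        self.resolver = resolver
        self.entries: Dict[str, AclEntry] = {}
        self.hardware: Set[Tuple[str, str]] = set()

    def configure(self, domain: str, action: str, now: float) -> Optional[Delta]:
        """Configuration command (claim 1): resolve the name and install its IP list."""
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown ACL action {action!r}")
        entry = self.entries.get(domain)
        if entry is None:
            self.entries[domain] = AclEntry(domain, action)
        elif entry.action != action:
            raise ValueError("changing the action of an existing entry is not handled here")
        return self.refresh(domain, now)

    def refresh(self, domain: str, now: float) -> Optional[Delta]:
        """Resolve `domain` (claims 3 and 4); touch hardware only where the list changed."""
        entry = self.entries[domain]
        result = self.resolver(domain)
        if result is None:
            # Failure or silence: keep the last known good list and retry soon,
            # instead of wiping the rules and leaving the resource uncontrolled.
            entry.next_refresh_at = now + MIN_REFRESH
            return None
        ips, ttl = result
        new_ips = set(ips)
        entry.next_refresh_at = now + max(MIN_REFRESH, min(ttl, MAX_REFRESH))  # timer = TTL, clamped
        delta = Delta(added=new_ips - entry.ips, removed=entry.ips - new_ips)
        for ip in delta.removed:
            self.hardware.discard((entry.action, ip))
        for ip in delta.added:
            self.hardware.add((entry.action, ip))
        entry.ips = new_ips
        return delta

    def tick(self, now: float) -> Dict[str, Optional[Delta]]:
        """Timer expiry: re-resolve every entry whose timer has run out."""
        due = [d for d, e in self.entries.items() if now >= e.next_refresh_at]
        return {d: self.refresh(d, now) for d in due}


class FakeDns:
    """Constructed stand-in for the DNS server; mutate `zone` to simulate address changes."""

    def __init__(self) -> None:
        self.zone: Dict[str, Tuple[List[str], int]] = {
            "update.example.com": (["192.0.2.10", "192.0.2.11"], 300),
        }

    def __call__(self, name: str) -> Optional[Tuple[List[str], int]]:
        return self.zone.get(name)


def demo() -> Tuple[Delta, Dict[str, Optional[Delta]], Set[Tuple[str, str]]]:
    """Install a domain-based permit rule, then watch it follow an address change."""
    dns = FakeDns()
    acl = DomainAcl(dns)
    first = acl.configure("update.example.com", "permit", now=0.0)
    dns.zone["update.example.com"] = (["192.0.2.11", "198.51.100.5"], 60)  # resource moves
    acl.tick(now=100.0)            # timer (300 s) not expired: nothing re-resolved
    second = acl.tick(now=300.0)   # expired: re-resolve, diff, push only the changes
    return first, second, acl.hardware
```

The ACL is only as trustworthy as the DNS answers that populate it: whoever can spoof or poison the device's resolver chooses which addresses the ACL permits or denies, so the resolver path needs to be authenticated (DNSSEC validation, or a trusted resolver reached over an authenticated channel). Clamping the TTL in both directions is deliberate: a very short TTL would otherwise become a query storm, and a very long one a stale rule that keeps permitting an address the resource no longer uses. CDN-fronted names also return different addresses to different resolvers, so the device's view may not match what clients resolve.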
5. An access control list (ACL) configuration method, characterized by comprising:
a Domain Name System (DNS) server receiving a first DNS resolution request message sent by an ACL configuration device, where the first DNS resolution request message includes the domain name of a network resource;
the DNS server resolving the domain name of the network resource included in the first DNS resolution request message;
the DNS server judging whether the resolution succeeded; and
if the resolution succeeded, the DNS server sending a first DNS resolution success message to the ACL configuration device, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, obtained by the resolution and corresponding to the domain name of the network resource, that is required to access the network resource, and the first IP address list includes at least one IP address.
6. The method according to claim 5, characterized in that the method further comprises:
if the resolution failed, the DNS server sending a first DNS resolution failure message to the ACL configuration device, where the first DNS resolution failure message is used to notify the ACL configuration device that resolution of the domain name of the network resource failed;
or,
if the resolution failed, the DNS server not responding to the first DNS resolution request message.
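The request/response exchange of claims 5 and 6 (and the DNS server of claims 17 and 18) as an added example; this is not code from the patent. Both sides are shown in the standard DNS wire format (RFC 1035): the server answers an A query from a constructed zone, returns NXDOMAIN as the "resolution failure message" or stays silent, and the ACL device parses the answer into the IP list and the minimum TTL it would use for its refresh timer. The zone, the transaction ID and the addresses are constructed, and since the patent does not specify the message encoding, plain DNS messages are an assumption. The client-side checks (transaction ID, QR bit and echoed question must match) are the minimum a practitioner would add; they do not defend against an on-path attacker.

```python
"""DNS resolution request / success / failure messages in RFC 1035 wire format (constructed example)."""
import socket
import struct
from typing import Dict, List, Optional, Tuple

QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

# Constructed zone the "DNS server" answers from: name -> (A records, TTL seconds).
ZONE: Dict[str, Tuple[List[str], int]] = {
    "update.example.com": (["192.0.2.10", "192.0.2.11"], 300),
}


class ResolutionFailed(Exception):
    """Raised on the ACL-device side when no usable address list came back."""

    def __init__(self, rcode: int) -> None:
        super().__init__(f"resolution failed, rcode={rcode}")
        self.rcode = rcode


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf: bytes, off: int) -> Tuple[str, int]:
    """Decode a name at `off`, following compression pointers; returns (name, end offset)."""
    labels: List[str] = []
    end: Optional[int] = None
    hops = 0
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(txid: int, domain: str) -> bytes:
    """ACL device side: the first DNS resolution request message (A query, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def dns_server_handle(query: bytes, zone: Dict[str, Tuple[List[str], int]],
                      silent_on_failure: bool = False) -> Optional[bytes]:
    """DNS server side: answer with A records, or NXDOMAIN / no reply on failure."""
    txid, _flags, qdcount, _an, _ns, _ar = struct.unpack_from("!HHHHHH", query, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack_from("!HH", query, off)
    question = query[12:off + 4]                  # echoed back verbatim
    record = zone.get(qname.lower()) if (qtype, qclass) == (QTYPE_A, QCLASS_IN) else None
    if record is None:
        if silent_on_failure:
            return None                           # claim 6, second option: no response
        header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
        return header + question                  # claim 6, first option: failure message
    ips, ttl = record
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(                           # owner name is a pointer to the question at offset 12
        b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(ip)
        for ip in ips)
    return header + question + answers


def parse_response(resp: bytes, expected_txid: int, expected_domain: str) -> Tuple[str, List[str], int]:
    """ACL device side: extract (domain, IP list, minimum TTL) or raise ResolutionFailed."""
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", resp, 0)
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("response does not match an outstanding query")
    qname, off = decode_name(resp, 12)
    off += 4                                      # skip QTYPE/QCLASS of the echoed question
    if qname.lower() != expected_domain.rstrip(".").lower():
        raise ValueError("echoed question does not match the query")
    rcode = flags & 0x000F
    if rcode != RCODE_NOERROR:
        raise ResolutionFailed(rcode)
    ips: List[str] = []
    ttls: List[int] = []
    for _ in range(ancount):
        _owner, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", resp, off)
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if (rtype, rclass, rdlen) == (QTYPE_A, QCLASS_IN, 4):
            ips.append(socket.inet_ntoa(rdata))
            ttls.append(ttl)
    if not ips:                                   # NOERROR but nothing usable (e.g. CNAME only)
        raise ResolutionFailed(rcode)
    return qname, ips, min(ttls)


def exchange(domain: str, zone=ZONE, txid: int = 0x1234) -> Tuple[List[str], int]:
    """Run one request/response round trip through both sides."""
    reply = dns_server_handle(build_query(txid, domain), zone)
    if reply is None:
        raise ResolutionFailed(-1)
    _, ips, ttl = parse_response(reply, txid, domain)
    return ips, ttl
```

The ACL device should treat the two failure modes of claim 6 the same way: an NXDOMAIN answer and a timeout both mean "no new list", not "empty list", so the existing ACL entries stay in place until a later resolution succeeds. Taking the minimum TTL across the returned records is what keeps the refresh timer of claim 4 conservative when records in one answer carry different TTLs.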
7. An access control list (ACL) configuration method, characterized by comprising:
a network management server obtaining a configuration command, where the configuration command is used to obtain the IP address list, corresponding to the domain name of a network resource, that is required to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource;
the network management server generating a first Domain Name System (DNS) resolution request message, where the first DNS resolution request message includes the domain name of the network resource;
the network management server sending the first DNS resolution request message to a DNS server;
the network management server receiving a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the first IP address list includes at least one IP address; and
the network management server sending the first IP address list to an ACL configuration device.
8. The method according to claim 7, characterized in that
the domain name of the network resource is contained in the uniform resource locator (URL) of the network resource; and
before the network management server generates the first DNS resolution request message, the method further comprises:
the network management server obtaining the domain name of the network resource from the URL of the network resource.
9. An access control list (ACL) configuration device, characterized by comprising: an acquiring unit, a generation unit, a transmitting unit, a receiving unit and an installing unit;
the acquiring unit, configured to obtain a configuration command, where the configuration command is used to obtain the IP address list, corresponding to the domain name of a network resource, that is required to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource;
the generation unit, configured to generate a first Domain Name System (DNS) resolution request message, where the first DNS resolution request message includes the domain name of the network resource contained in the configuration command obtained by the acquiring unit;
the transmitting unit, configured to send the first DNS resolution request message generated by the generation unit to a DNS server;
the receiving unit, configured to receive a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the first IP address list includes at least one IP address; and
the installing unit, configured to install the first IP address list included in the first DNS resolution success message received by the receiving unit into the ACL list of the ACL configuration device, so as to control the network resource.
10. The ACL configuration device according to claim 9, characterized in that the domain name of the network resource is contained in the uniform resource locator (URL) of the network resource; and
the acquiring unit is further configured to obtain the domain name of the network resource from the URL of the network resource.
11. The ACL configuration device according to claim 9 or 10, characterized by further comprising: a timing unit and a judging unit;
the timing unit, configured to start a timer;
the generation unit, further configured to generate a second DNS resolution request message when the timer expires, where the second DNS resolution request message includes the domain name of the network resource;
the transmitting unit, further configured to send the second DNS resolution request message generated by the generation unit to the DNS server;
the receiving unit, further configured to receive a second DNS resolution success message from the DNS server, where the second DNS resolution success message includes the domain name of the network resource and a second IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the second IP address list includes at least one IP address;
the judging unit, configured to judge whether the second IP address list included in the second DNS resolution success message received by the receiving unit is identical to the first IP address list; and
the installing unit, further configured to update the ACL list according to the second IP address list if the judging unit determines that the second IP address list differs from the first IP address list.
12. The ACL configuration device according to claim 11, characterized in that
the timing unit is further configured to configure the time to live (TTL) of the domain name of the network resource as the timing period of the timer.
13. An access control list (ACL) configuration device, characterized by comprising: an ACL module, a Domain Name System (DNS) module and a ternary content addressable memory (TCAM) module;
the ACL module, configured to obtain a configuration command, where the configuration command is used to obtain the IP address list, corresponding to the domain name of a network resource, that is required to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource, and to carry the domain name of the network resource in an IP address resolution message transmitted to the DNS module;
the DNS module, configured to generate a first DNS resolution request message, where the first DNS resolution request message includes the domain name of the network resource, to send the first DNS resolution request message to a DNS server, to receive a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the first IP address list includes at least one IP address, and to transmit the first IP address list to the ACL module; and
the ACL module, further configured to install the first IP address list into the ACL list of the TCAM module, so as to control the network resource.
14. The ACL configuration device according to claim 13, characterized in that the domain name of the network resource is contained in the uniform resource locator (URL) of the network resource; and
the ACL module is further configured to obtain the domain name of the network resource from the URL of the network resource.
15. The ACL configuration device according to claim 13 or 14, characterized in that
the ACL module is further configured to start a timer;
the DNS module is further configured to generate a second DNS resolution request message when the timer expires, where the second DNS resolution request message includes the domain name of the network resource, to send the second DNS resolution request message to the DNS server, to receive a second DNS resolution success message from the DNS server, where the second DNS resolution success message includes the domain name of the network resource and a second IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the second IP address list includes at least one IP address, and to transmit the second IP address list to the ACL module; and
the ACL module is further configured to judge whether the second IP address list is identical to the first IP address list and, if the second IP address list differs from the first IP address list, to update the ACL list of the TCAM module according to the second IP address list.
16. The ACL configuration device according to claim 15, characterized in that
the ACL module is further configured to configure the time to live (TTL) of the domain name of the network resource as the timing period of the timer.
17. A Domain Name System (DNS) server, characterized by comprising: a receiving unit, a resolution unit, a judging unit and a transmitting unit;
the receiving unit, configured to receive a first DNS resolution request message sent by an ACL configuration device, where the first DNS resolution request message includes the domain name of a network resource;
the resolution unit, configured to resolve the domain name of the network resource included in the first DNS resolution request message received by the receiving unit;
the judging unit, configured to judge whether the resolution of the domain name of the network resource by the resolution unit succeeded; and
the transmitting unit, configured to send a first DNS resolution success message to the ACL configuration device if the judging unit determines that the resolution unit resolved the domain name of the network resource successfully, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, obtained by the resolution and corresponding to the domain name of the network resource, that is required to access the network resource, and the first IP address list includes at least one IP address.
18. The DNS server according to claim 17, characterized in that
the transmitting unit is further configured to send a first DNS resolution failure message to the ACL configuration device if the judging unit determines that the resolution unit failed to resolve the domain name of the network resource, where the first DNS resolution failure message is used to notify the ACL configuration device that resolution of the domain name of the network resource failed;
or,
the transmitting unit is further configured not to respond to the first DNS resolution request message if the judging unit determines that the resolution unit failed to resolve the domain name of the network resource.
19. A network management server, characterized by comprising: an acquiring unit, a generation unit, a transmitting unit and a receiving unit;
the acquiring unit, configured to obtain a configuration command, where the configuration command is used to obtain the IP address list, corresponding to the domain name of a network resource, that is required to access the network resource, and to control the network resource, and the configuration command includes the domain name of the network resource;
the generation unit, configured to generate a first Domain Name System (DNS) resolution request message, where the first DNS resolution request message includes the domain name of the network resource;
the transmitting unit, configured to send the first DNS resolution request message generated by the generation unit to a DNS server;
the receiving unit, configured to receive a first DNS resolution success message from the DNS server, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, corresponding to the domain name of the network resource, that is required to access the network resource, and the first IP address list includes at least one IP address; and
the transmitting unit, further configured to send the first IP address list included in the first DNS resolution success message received by the receiving unit to an ACL configuration device.
20. The network management server according to claim 19, characterized in that the domain name of the network resource is contained in the uniform resource locator (URL) of the network resource; and
the acquiring unit is further configured to obtain the domain name of the network resource from the URL of the network resource.
CN201610289565.5A (priority date 2016-04-29, filing date 2016-04-29): An ACL configuration method, ACL configuration device and server. Status: pending. Published as CN107332813A (en) on 2017-11-07. Family ID: 60193382. Country: CN.
Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769045A (en) * 2018-06-07 2018-11-06 深圳市风云实业有限公司 ACL rule configuration method, device and network equipment
CN110213400A (en) * 2019-06-11 2019-09-06 四川长虹电器股份有限公司 Method for quickly and automatically constructing a DNS scheduling ACL
CN112910919A (en) * 2021-02-26 2021-06-04 北京百度网讯科技有限公司 Analysis method, analysis device, electronic device, and storage medium
CN114050925A (en) * 2021-11-09 2022-02-15 京东科技信息技术有限公司 Access control list matching method and device, electronic equipment and storage medium
CN116582362A (en) * 2023-07-11 2023-08-11 建信金融科技有限责任公司 Network access control method and device, electronic equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1852263A (en) * 2006-05-23 2006-10-25 杭州华为三康技术有限公司 Message access controlling method and a network apparatus
CN103546434A (en) * 2012-07-13 2014-01-29 中国电信股份有限公司 Network access control method, device and system
CN103812770A (en) * 2012-11-12 2014-05-21 华为技术有限公司 Cloud service message redirecting method and system and cloud gateway



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20171107