CN112769970A - Method and system for DNS ECS intelligent transparent transmission - Google Patents

Method and system for DNS ECS intelligent transparent transmission

Info

Publication number
CN112769970A
Authority
CN
China
Prior art keywords
ecs
dns server
client
address
field
Legal status
Granted
Application number
CN202011486318.7A
Other languages
Chinese (zh)
Other versions
CN112769970B (en)
Inventor
程俊
汪凌
Current Assignee
Shanghai Yamu Communication Technology Co ltd
Original Assignee
Shanghai Yamu Communication Technology Co ltd
Application filed by Shanghai Yamu Communication Technology Co ltd
Priority to CN202011486318.7A
Publication of CN112769970A
Application granted
Publication of CN112769970B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and a system for DNS ECS intelligent transparent transmission. On the local DNS server side, a mapping hash table from the client's source IP address to the IP address that is to be exposed is configured, and the IP address to be exposed is carried to the authoritative DNS server as an ECS field. This makes accurate scheduling by the authoritative DNS server possible and reduces client access latency while avoiding the risk of directly exposing the client's source IP, so the client experience is improved.

Description

Method and system for DNS ECS intelligent transparent transmission
Technical Field
The invention relates to the field of domain name resolution, in particular to a method and a system for intelligent transparent transmission of DNS ECS.
Background
The Domain Name System (DNS) is a core Internet service. It acts as a distributed database that maps domain names and IP addresses to each other, so that people can reach Internet hosts without remembering the numeric IP addresses that machines use directly.
Generally, when a client sends a DNS request to a local DNS server and that server cannot answer it, the request is forwarded to other DNS servers, recursing layer by layer until an authoritative server returns an IP address.
Authoritative DNS operators currently key on the source IP of the request message they receive: different IP records are deployed in pre-configured regional and carrier views, each record pointing at a server located in the corresponding region and carrier network. When a resolver in that region and carrier forwards a DNS request, the record for that region and carrier is returned to it, completing one scheduling decision.
The network path from the client's DNS request to the final authoritative server passes through many routers and resolvers, and on arrival the authoritative server knows only the source IP address of the message that actually reached it, i.e. the nearest preceding hop. Here "last hop" means the source IP address of the message as it reaches the authoritative server. For example, when the authoritative server is a device on an intranet, a request from the public network enters through the WAN port and then reaches the LAN port, so the source IP of the request message seen by the authoritative server may be the gateway address of the local network. "Last hop" therefore denotes the last device on the route into the network where the authoritative server sits, which is simply the gateway device on that route. As a result the client's real source IP, and attributes derived from it such as region and carrier, cannot be recovered; when the authoritative server schedules on such an address, accuracy is lost and the result may even be counterproductive.
The pass-through technology of the peer vendor Infoblox can pass the client's source IP through to the final authoritative server and genuinely avoids the scheduling-distortion problem, but it directly exposes the client's source IP on the network. This is a serious potential security hazard: the client may be subjected to DDoS attack, tunnelling attack, DNS poisoning, commercial fraud and the like.
In summary, whether or not the client's source IP is passed through, the IP information reaching the final authoritative server is either uncontrollable or fixed: without pass-through it changes whenever network routing is adjusted, and with Infoblox's pass-through it is always the client's fixed real IP. Scheduling is therefore neither controllable nor customizable, and controlling or adjusting the scheduling of a given region becomes difficult or impossible.
A solution is therefore desired that avoids directly exposing the client's source IP on the network while still allowing application servers to be assigned sensibly according to the client's source IP.
Disclosure of Invention
This summary is provided to introduce a selection of concepts in a simplified form that are further described below in the detailed description. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
According to an embodiment of the present invention, a domain name system (DNS) server is provided, comprising: a processor; a memory; a mapping hash table configured to hold a mapping from a client source IP address to a virtual IP address; an extended DNS client subnet (ECS) field generation module configured to generate an ECS field from the virtual IP address and append the generated ECS field to the domain name resolution request; and a switch module configured to control pass-through of the ECS field.
According to another embodiment, a system for domain name resolution is provided, comprising: a client configured to send a resolution request for a domain name; a local DNS server, being the DNS server described above; a recursive DNS server configured to forward the resolution request with the appended ECS field, passing the ECS field through; and an authoritative DNS server configured to return a resolution result for the ECS field based on the received ECS field.
According to yet another embodiment, a method for domain name resolution is provided, comprising: a local DNS server receiving from a client a domain name resolution request that carries the client's source IP address, the local DNS server holding a mapping hash table of client source IP addresses to virtual IP addresses; the local DNS server looking up in the mapping hash table the virtual IP address mapped to the client's source IP address; the local DNS server generating an ECS field from the virtual IP address found and passing the ECS field to a recursive DNS server; the recursive DNS server passing the ECS field through to an authoritative DNS server; and the authoritative DNS server returning, based on the received ECS field, a resolution result for the virtual IP address contained in it.
These and other features and advantages will become apparent upon reading the following detailed description and upon reference to the accompanying drawings. It is to be understood that both the foregoing general description and the following detailed description are explanatory only and are not restrictive of aspects as claimed.
Drawings
So that the manner in which the above recited features of the present invention can be understood in detail, a more particular description of the invention, briefly summarized above, may be had by reference to embodiments, some of which are illustrated in the appended drawings. It is to be noted, however, that the appended drawings illustrate only some typical aspects of this invention and are therefore not to be considered limiting of its scope, for the description may admit to other equally effective aspects.
Fig. 1 shows a schematic diagram of a prior art system 100 for domain name resolution and a corresponding domain name resolution scheme;
FIG. 2 shows a schematic diagram of a system 200 for domain name resolution and a corresponding domain name resolution scheme, according to one embodiment of the invention;
FIG. 3 shows a flow diagram of a method 300 for domain name resolution in accordance with one embodiment of the invention;
FIG. 4 illustrates a schematic diagram of a specific domain name resolution example 400 employing the DNS ECS pass-through scheme of the present invention, according to one embodiment of the present invention; and
FIG. 5 illustrates a block diagram 500 of an exemplary computing device, according to an embodiment of the invention.
Detailed Description
The present invention will be described in detail below with reference to the attached drawings, and the features of the present invention will be further apparent from the following detailed description.
The following detailed description refers to the accompanying drawings that illustrate exemplary embodiments of the invention. The scope of the invention is not, however, limited to these embodiments, but is defined by the appended claims. Accordingly, embodiments other than those shown in the drawings, such as modified versions of the illustrated embodiments, are encompassed by the present invention.
References in the specification to "one embodiment," "an example embodiment," etc., indicate that the embodiment may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the relevant art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
In the context of the present invention, the following terms have the ordinary meaning as understood by those skilled in the art. For clarity, further description is provided herein.
(1) Local DNS server: the server that receives resolution requests from the client and provides domain name caching and recursive resolution of those requests.
(2) Recursive DNS server: a DNS server that provides domain name resolution and forwards resolution requests received from a local DNS server.
(3) Authoritative DNS server: a server that maintains authoritative domains and records. An authoritative domain is the set of records the server answers for authoritatively; for example, the authoritative domain yamu.com covers the resolution of all names ending in yamu.com, and a record is a resolution result within that domain, such as www.yamu.com being a record in the yamu.com authoritative domain.
(4) View: each view defines a DNS namespace that is seen by a particular subset of clients, allowing DNS servers to answer DNS queries differently depending on the client.
(5) Scheduling records by view: a view is in effect a split of DNS traffic; views are usually partitioned by attributes of the request source address such as geographical location and carrier. Suppose for example:
the address range of the carrier Shanghai Telecom is 1.32.230.0/24
the address range of the carrier Beijing Mobile is 39.155.128.0/17
The authoritative DNS server may then define two views, such as:
Shanghai Telecom view: source IP 1.32.230.0/24
Beijing Mobile view: source IP 39.155.128.0/17
In the yamu.com authoritative domain, the record www.yamu.com exists in both views:
Shanghai Telecom view: www.yamu.com A 1.32.130.100
Beijing Mobile view: www.yamu.com A 39.155.128.100
When the Shanghai Telecom client 1.32.230.1 requests the www.yamu.com record from the authoritative DNS server it obtains 1.32.130.100; when the Beijing Mobile client 39.155.128.1 requests the same record it obtains 39.155.128.100. Users on different carriers thus receive different results, and because the local line is faster, the latency experienced in the application is very low.
(6) ECS (EDNS Client Subnet): a DNS extension that allows a recursive DNS server to specify, in the queries it makes on behalf of hosts, the network subnet those hosts are in. It is generally intended to speed up delivery from content delivery networks by letting DNS-based load balancing choose service addresses more accurately. The specification is Client Subnet in DNS Queries, https://tools.ietf.org/html/rfc7871, and the BIND9 Administrator Reference Manual, https://bind9.readthedocs.io/en/latest/reference.html
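To make the ECS wire format concrete, the following is an added example (Python, not code from the patent or from BIND) that encodes and decodes the option as RFC 7871 lays it out: OPTION-CODE 8, FAMILY, SOURCE PREFIX-LENGTH, SCOPE PREFIX-LENGTH, then the address truncated to the prefix. The decoder rejects the two malformations RFC 7871 section 6 says should draw FORMERR, an ADDRESS field whose length does not match the prefix and non-zero bits beyond the prefix, because a sender that leaks full host bits there defeats the subnet abstraction the patent relies on. The IPv4 subnets are the Shanghai Telecom and Beijing Mobile ranges from the view example above; the IPv6 prefix is constructed.

```python
"""RFC 7871 EDNS Client Subnet (ECS) option: encode and decode the wire format.

Added example; not code from the patent. Layout inside the OPT RR RDATA:
OPTION-CODE (2, = 8) | OPTION-LENGTH (2) | FAMILY (2) | SOURCE PREFIX-LENGTH (1)
| SCOPE PREFIX-LENGTH (1) | ADDRESS, truncated to ceil(prefix/8) octets with
bits beyond the prefix zeroed.
"""
import ipaddress
import struct

ECS_OPTION_CODE = 8                 # RFC 7871 section 6
FAMILY_IPV4, FAMILY_IPV6 = 1, 2     # IANA address family numbers
_FAMILY_OCTETS = {FAMILY_IPV4: 4, FAMILY_IPV6: 16}


def encode_ecs(address: str, source_prefix: int, scope_prefix: int = 0) -> bytes:
    """Build a complete ECS option for address/source_prefix.

    Queries carry SCOPE PREFIX-LENGTH 0; an authoritative server echoes the
    SOURCE value and sets SCOPE to the prefix it actually used to answer.
    Host bits of `address` are discarded, so only the subnet goes on the wire.
    """
    ip = ipaddress.ip_address(address)
    if not 0 <= source_prefix <= ip.max_prefixlen:
        raise ValueError("SOURCE PREFIX-LENGTH out of range for the address family")
    family = FAMILY_IPV4 if ip.version == 4 else FAMILY_IPV6
    network = ipaddress.ip_network((ip, source_prefix), strict=False)   # zero the host bits
    octets = (source_prefix + 7) // 8
    payload = struct.pack("!HBB", family, source_prefix, scope_prefix)
    payload += network.network_address.packed[:octets]
    return struct.pack("!HH", ECS_OPTION_CODE, len(payload)) + payload


def decode_ecs(option: bytes):
    """Parse one ECS option and return (address, source_prefix, scope_prefix).

    Raises ValueError for the malformations RFC 7871 section 6 says should
    draw FORMERR: an ADDRESS field whose length does not match the prefix,
    or non-zero bits beyond SOURCE PREFIX-LENGTH (a leaked host address).
    """
    if len(option) < 8:
        raise ValueError("option too short for an ECS header")
    code, length = struct.unpack("!HH", option[:4])
    if code != ECS_OPTION_CODE or length != len(option) - 4:
        raise ValueError("not a well-formed ECS option")
    family, source_prefix, scope_prefix = struct.unpack("!HBB", option[4:8])
    full_len = _FAMILY_OCTETS.get(family)
    if full_len is None:
        raise ValueError("unsupported address family")
    addr_bytes = option[8:]
    if source_prefix > full_len * 8 or len(addr_bytes) != (source_prefix + 7) // 8:
        raise ValueError("ADDRESS length does not match SOURCE PREFIX-LENGTH")
    # Pad back to a full address, then verify the host bits really are zero.
    ip = ipaddress.ip_address(addr_bytes + b"\x00" * (full_len - len(addr_bytes)))
    if ipaddress.ip_network((ip, source_prefix), strict=False).network_address != ip:
        raise ValueError("non-zero bits beyond SOURCE PREFIX-LENGTH")
    return str(ip), source_prefix, scope_prefix


def is_valid_ecs(option: bytes) -> bool:
    """True if decode_ecs accepts the option, False where FORMERR would be returned."""
    try:
        decode_ecs(option)
        return True
    except (ValueError, struct.error):
        return False


if __name__ == "__main__":
    # Subnets from the view example: Shanghai Telecom /24 and Beijing Mobile /17;
    # the 2001:db8::/56 prefix is constructed.
    for addr, plen in (("1.32.230.77", 24), ("39.155.128.9", 17), ("2001:db8::1", 56)):
        opt = encode_ecs(addr, plen)
        print(addr, plen, opt.hex(), decode_ecs(opt))
```

The truncation in encode_ecs is what keeps a host address off the wire: 1.32.230.77/24 and 1.32.230.0/24 produce byte-identical options. The strictness in decode_ecs matters on the authoritative side, where a lenient parser that silently masks stray host bits would let a misconfigured forwarder disclose full client addresses without anyone noticing.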
Fig. 1 shows a schematic diagram of a prior art system 100 for domain name resolution and the corresponding resolution scheme. DNS is a basic core service of the Internet that maps and resolves between domain names and IP addresses and underpins its normal operation. By functional role, DNS servers divide into recursive and authoritative DNS; when a user initiates a domain name resolution request, recursive queries proceed step by step through the recursive DNS. If the queried record is in the recursive DNS cache, the resolution result is returned to the user; if not, the recursive DNS sends a query to the authoritative DNS and updates its cached resolution result.
Referring to Fig. 1, a client requests DNS resolution without its source IP address being passed through. In general, the system 100 for domain name resolution includes a client 101, a local DNS server 102, one or more recursive DNS servers 103, and an authoritative DNS server 104. Those skilled in the art understand that these components are connected and exchange data over a network in a manner outside the present discussion.
First, the client 101 sends a resolution request to the local DNS server 102; the local DNS server 102 sends it on to recursive DNS server 103-1, ..., and the last-level recursive DNS server 103-N; the last-level recursive DNS server 103-N then sends the request to the authoritative DNS server 104. The authoritative DNS server 104 returns the resolution result for the requester's IP (i.e., the IP of last-level recursive DNS server 103-N), and the result travels back through recursive DNS servers 103-N, ..., 103-1 and the local DNS server 102 to the client 101.
The problem with this flow is that if the client 101 is a customer of one carrier (e.g., Shanghai Telecom) while the last-level recursive DNS server 103-N belongs to another (e.g., Beijing Mobile), the authoritative DNS server 104 returns the server address closest to the last-level recursive DNS server 103-N rather than the one closest to the client 101, so the client's access is delayed or degraded.
Fig. 2 shows a schematic diagram of a system 200 for domain name resolution and a corresponding domain name resolution scheme according to an embodiment of the invention. Similar to the example in fig. 1, the client 201 sends a DNS resolution request to the local DNS server 202 and requests resolution from the authoritative DNS server 204 via the recursive DNS server 203.
Unlike the example in Fig. 1, according to one embodiment a mapping hash table 205 from client source IP addresses to the IP addresses that are to be exposed is configured on the local DNS server 202 side. The mapping hash table 205 is a segmented high-speed hash with one level per address octet (4 levels for IPv4, 16 for IPv6). The IP address to be exposed is generally a virtual IP address, but one that carries region and carrier attributes, so that with suitable configuration it achieves pass-through without exposing the client's real IP. In the specific implementation, the invention follows RFC 7871 and uses ECS. ECS, as an extension field of DNS, can carry an additional user source address; for a request that carries an ECS address, the DNS server matches on that address and treats it as the source IP of the user request. The EDNS client subnet mechanism is specified in RFC 7871, and its message format is shown in code segment 208. According to one embodiment, the ECS field (the client subnet position) carries the IP that is intended to be exposed, and because an authoritative DNS server normally matches the IP carried in ECS in preference to the packet source IP, this is the direct technical basis of the scheme.
According to one embodiment, the mapping hash table 205 on the local DNS server 202 is configurable and/or modifiable. For example, for a client source IP address A, the administrator of the local DNS server 202 may map A to a virtual IP address with the same carrier or the same geographical location as the client, so that the authoritative DNS server returns a result the client can reach faster. Alternatively, if traffic in the client's region on the client's carrier is detected to be abnormal or saturated, the administrator may map A to a virtual IP address in a nearby geographical location or on another carrier in the region, thereby steering the traffic of clients in that region.
Of course, those skilled in the art understand that the above configuration of the mapping hash table 205 is merely illustrative; in practice the administrator of the local DNS server 202 may map a client source IP address to any virtual IP address in the mapping hash table 205.
According to an embodiment, instead of manual configuration by an administrator, the virtual IP addresses in the mapping hash table 205 may also be generated automatically by a program from the client source IP address, based on the client's carrier, that carrier's traffic status, the client's geographical location, and the like.
According to one embodiment, the local DNS server 202 includes an ECS field generation module 206. With the above improvement, after the local DNS server 202 receives a resolution request from the client 201, the ECS field generation module 206 looks up in the mapping hash table 205 the virtual IP address corresponding to the client's source IP, generates an ECS field from it, and appends the ECS field to the resolution request, so that the ECS field is passed through the recursive DNS server 203 up to the authoritative DNS server 204. If there are multiple recursive DNS servers 203 (e.g., 203-1 to 203-N), the ECS field is passed along with the resolution request between them. The authoritative DNS server 204 can thus return a resolution result for the virtual IP address carried in the ECS field. At the same time the client 201's source IP address is not directly exposed to the recursive DNS server 203 or the authoritative DNS server 204, avoiding a potential security risk, while the returned result still suits the client 201's source address, so its access is not degraded.
According to another embodiment, the local DNS server 202 is configured with a switch module 207 that controls pass-through of ECS fields. When the switch module 207 is in the on state the ECS pass-through channel of the local DNS server may be opened; when it is in the off state, pass-through of ECS fields is not allowed.
Because ECS pass-through is an advanced option in DNS deployment, and a wrong configuration by users unfamiliar with it may cause scheduling distortion or even reveal the location of private IP networks, the switch module 207 defaults to the off state on the local DNS server.
According to another embodiment, when the configuration of the local DNS server is upgraded or adjusted, in particular when a network change requires the ECS mapping to be adjusted, the switch module 207 is first set to the off state and only set back to the on state after the configuration review has passed.
According to another embodiment, the added hash lookup and the larger messages may affect the performance of the local DNS server in bandwidth-sensitive environments; that is, turning on ECS pass-through in theory reduces the resolution performance of the local DNS server, so in heavily loaded deployments the switch module 207 may be set to the off state.
Those skilled in the art understand that the ECS field generation module 206 and the switch module 207 may be implemented in software, hardware or a combination of both, and that data transfer between components within the local DNS server 202 may be implemented in various ways.
Fig. 3 shows a flow diagram of a method 300 for domain name resolution according to one embodiment of the invention. At step 301, a mapping hash table is configured on the local DNS server. According to one embodiment of the invention, the mapping hash table comprises a mapping of client source IP addresses to virtual IP addresses. And, the mapping hash table may be configured by an administrator of the local DNS server or according to a program.
At step 302, the local DNS server receives a domain name resolution request from a client. According to one embodiment of the invention, the domain name resolution request includes the source IP address of the client.
In step 303, the local DNS server determines whether ECS pass-through is allowed. According to one embodiment of the invention, whether ECS pass-through is allowed is determined according to a switch module on the local DNS server.
At step 304, if ECS pass-through is allowed, the local DNS server looks up in the mapping hash table the virtual IP address mapped to the client's source IP address. According to one embodiment, if several virtual IP addresses map to the client's source IP address, a suitable one may be chosen according to one or more rules, which may include, but are not limited to, the carrier used by the client, that carrier's current traffic status, the client's geographical location, and the like.
At step 305, the local DNS server generates an ECS field based on the found virtual IP address and passes the ECS field through to the recursive DNS server.
At step 306, the recursive DNS server passes through the ECS field to the authoritative DNS server.
According to one embodiment, when several recursive DNS servers take part in the recursive resolution, the local DNS server passes the ECS field to a first recursive DNS server, which passes it on to a second, and so on layer by layer up to the authoritative DNS server; throughout this forwarding the ECS field travels with the DNS resolution request and finally reaches the authoritative DNS server.
In step 307, the authoritative DNS server returns a resolution result for the virtual IP address contained in the ECS field based on the received ECS field. According to one embodiment of the invention, in the case that a plurality of recursive DNS servers participate in recursive resolution, the authoritative DNS server returns the resolution result to the final recursive DNS server to which the resolution request is sent, and the final recursive DNS server forwards the resolution result to the local DNS server and then the local DNS server sends the resolution result to the client.
Fig. 4 shows a schematic diagram of a specific domain name resolution example 400 employing the DNS ECS pass-through scheme of the present invention, according to one embodiment of the present invention. This example 400 is merely to illustrate the effects that the invention can achieve and is not intended to limit any aspect of the invention.
In this example 400, assume that clients of both a research and development department and a sales department inside a company try to access the domain name "www.yamu.com". The R&D clients have source addresses in 192.168.1.0/24 and the sales clients in 192.168.2.0/24. In the mapping hash table of the local DNS server, "192.168.1.0/24" has been mapped in advance to the virtual address "1.32.230.0/24" (Shanghai Telecom range) to be exposed, and "192.168.2.0/24" to the virtual address "39.155.128.0/17" (Beijing Mobile range). The local DNS server sends the required virtual IP address out of the company network as an ECS field along with the DNS resolution request; the recursive DNS servers perform the recursive query, and the final authoritative DNS server, going by the virtual address carried in the ECS field, returns "1.32.230.100" (the Shanghai Telecom address for www.yamu.com) for "1.32.230.0/24" and "39.155.128.100" (the Beijing Mobile address for www.yamu.com) for "39.155.128.0/17". The virtual IP address to be exposed is thus successfully carried to the authoritative DNS server in the ECS field and the resolution result for that virtual address is obtained, while the clients' private 192.168.x.x addresses never appear in the query.
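The following added example (Python, not code from the patent) models steps 301 to 307 of method 300 and the Fig. 4 scenario end to end: a local DNS server whose mapping table is segmented by prefix length with the ECS switch off by default, recursive servers that only forward, and an authoritative server that chooses a view by longest-prefix match on the ECS subnet when one is present and on the query source IP otherwise, reporting the view prefix as the ECS scope. The client subnets, virtual subnets and A records are the patent's own. The recursive resolver address 39.155.129.53, the default record 203.0.113.10, the host-level override for 192.168.1.7 and the refusal to map onto a private virtual subnet are constructed for the example. Running it with the switch off reproduces the Fig. 1 problem: every query is answered for the recursive server's Beijing Mobile view regardless of the client's department.

```python
"""Model of method 300 (steps 301-307) and the Fig. 4 example.

Added example, not code from the patent. Local DNS side: the mapping hash
table is segmented by prefix length (one level per address octet, /32 down
to /8 for IPv4, /128 down to /8 for IPv6) and the ECS switch defaults to
off. Recursive servers forward the ECS subnet unchanged. The authoritative
side picks a view by longest-prefix match on the ECS subnet when present,
otherwise on the query's source IP, and reports the view prefix as scope.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

Subnet = Tuple[str, int]     # (network address, SOURCE PREFIX-LENGTH) carried in ECS
Answer = Tuple[str, int]     # (A record, SCOPE PREFIX-LENGTH; 0 when no ECS was sent)


class LocalDnsServer:
    def __init__(self, ecs_passthrough: bool = False) -> None:
        self.ecs_passthrough = ecs_passthrough      # switch module 207: off by default
        self._levels: Dict[int, Dict] = {}          # mapping hash table 205: one dict per prefix length

    def map_subnet(self, client_net: str, virtual_net: str) -> None:
        """Step 301: client subnet -> virtual subnet to expose (octet-aligned levels only)."""
        c, v = ipaddress.ip_network(client_net), ipaddress.ip_network(virtual_net)
        if c.prefixlen % 8:
            raise ValueError("client prefix must fall on an octet boundary")
        if v.is_private:
            # Constructed guard: the scheme exists so that nothing private leaves the network.
            raise ValueError("virtual subnet must be publicly routable")
        self._levels.setdefault(c.prefixlen, {})[c] = v

    def lookup_virtual(self, client_ip: str):
        """Step 304: most specific level first, so a /32 entry overrides its /24."""
        ip = ipaddress.ip_address(client_ip)
        for plen in range(ip.max_prefixlen, 0, -8):
            hit = self._levels.get(plen, {}).get(ipaddress.ip_network((ip, plen), strict=False))
            if hit is not None:
                return hit
        return None

    def ecs_for(self, client_ip: str) -> Optional[Subnet]:
        """Steps 303-305: the ECS subnet to attach, or None (switch off / client unmapped)."""
        if not self.ecs_passthrough:
            return None
        v = self.lookup_virtual(client_ip)
        if v is None:
            return None      # unmapped client: send nothing rather than its real address
        return str(v.network_address), v.prefixlen


class AuthoritativeDnsServer:
    def __init__(self, default_records: Dict[str, str]) -> None:
        self._views: List[Tuple] = []
        self._default = default_records

    def add_view(self, subnet: str, records: Dict[str, str]) -> None:
        self._views.append((ipaddress.ip_network(subnet), records))
        self._views.sort(key=lambda v: v[0].prefixlen, reverse=True)   # longest prefix wins

    def resolve(self, name: str, source_ip: str, ecs: Optional[Subnet]) -> Answer:
        """Step 307: the ECS subnet, when present, takes precedence over the packet source IP."""
        if ecs is not None:
            key = ipaddress.ip_network(ecs, strict=False).network_address
        else:
            key = ipaddress.ip_address(source_ip)
        for view_net, records in self._views:
            if key in view_net and name in records:
                return records[name], (view_net.prefixlen if ecs else 0)
        return self._default[name], 0


def resolve_end_to_end(client_ip: str, name: str, local: LocalDnsServer,
                       recursive_ip: str, auth: AuthoritativeDnsServer) -> Answer:
    """Steps 302-307: recursive servers only forward, so auth sees recursive_ip as the source."""
    return auth.resolve(name, recursive_ip, local.ecs_for(client_ip))


def build_fig4_scenario(ecs_passthrough: bool) -> Tuple[LocalDnsServer, AuthoritativeDnsServer]:
    local = LocalDnsServer(ecs_passthrough)
    local.map_subnet("192.168.1.0/24", "1.32.230.0/24")       # R&D -> Shanghai Telecom range
    local.map_subnet("192.168.2.0/24", "39.155.128.0/17")     # Sales -> Beijing Mobile range
    local.map_subnet("192.168.1.7/32", "39.155.128.0/17")     # constructed host-level override
    auth = AuthoritativeDnsServer({"www.yamu.com": "203.0.113.10"})   # constructed default view
    auth.add_view("1.32.230.0/24", {"www.yamu.com": "1.32.230.100"})
    auth.add_view("39.155.128.0/17", {"www.yamu.com": "39.155.128.100"})
    return local, auth


RECURSIVE_IP = "39.155.129.53"   # constructed: last recursive hop sits in the Beijing Mobile range

if __name__ == "__main__":
    for switch in (False, True):
        local, auth = build_fig4_scenario(switch)
        for client in ("192.168.1.10", "192.168.1.7", "192.168.2.20", "10.9.8.7"):
            print(f"ecs={switch} {client} ->", resolve_end_to_end(client, "www.yamu.com", local, RECURSIVE_IP, auth))
```

Two behaviours are worth noting when reading the output. An unmapped client gets no ECS option at all rather than a fallback to its real address, which is the conservative choice the patent's default-off switch implies; and the authoritative server answers for the /24 Shanghai view before the /17 Beijing view only because views are ordered by prefix length, so an operator adding an overlapping view must check that ordering rather than the insertion order.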
With the scheme of the invention, ECS and IP addresses can be carried between the recursive DNS servers and the authoritative DNS server, making accurate scheduling by the authoritative DNS server possible, reducing client access latency and improving the customer experience. In addition, by configuring the mapping hash table sensibly, the pass-through scheme avoids the risk of directly exposing the client's source IP, protects client privacy and reduces the chance of attack. Finally, the administrator of the local DNS server can steer the traffic of clients in a given region by adjusting the mapping hash table.
Fig. 5 illustrates a block diagram 500 of an exemplary computing device that is one example of a hardware device (e.g., client 201, local DNS server 202, recursive DNS server 203, authoritative DNS server 204) that may be applied to aspects of the invention, according to one embodiment of the invention.
With reference to FIG. 5, a computing device 500 will now be described, which is one example of a hardware device that may be applied to aspects of the present invention. Computing device 500 may be any machine that may be configured to implement processing and/or computing, and may be, but is not limited to, a workstation, a server, a desktop computer, a laptop computer, a tablet computer, personal digital processing, a smart phone, an in-vehicle computer, or any combination thereof. The various methods/apparatus/servers/client devices described above may be implemented in whole or at least in part by computing device 500 or similar devices or systems.
Computing device 500 may include components that may be connected or communicate via one or more interfaces and bus 502. For example, computing device 500 may include a bus 502, one or more processors 504, one or more input devices 506, and one or more output devices 508. The one or more processors 504 may be any type of processor and may include, but are not limited to, one or more general purpose processors and/or one or more special purpose processors (e.g., dedicated processing chips). Input device 506 may be any type of device capable of inputting information to a computing device and may include, but is not limited to, a mouse, a keyboard, a touch screen, a microphone, and/or a remote controller. Output device 508 can be any type of device capable of presenting information and can include, but is not limited to, a display, speakers, a video/audio output terminal, a vibrator, and/or a printer. Computing device 500 may also include or be connected to non-transitory storage device 510, which may be any storage device that is non-transitory and that enables data storage, and which may include, but is not limited to, a disk drive, an optical storage device, a solid-state memory, a floppy disk, a flexible disk, a hard disk, a tape, or any other magnetic medium, an optical disk or any other optical medium, a ROM (read only memory), a RAM (random access memory), a cache memory, and/or any memory chip or cartridge, and/or any other medium from which a computer can read data, instructions, and/or code. Non-transitory storage device 510 may be detached from the interface. The non-transitory storage device 510 may have data/instructions/code for implementing the above-described methods and steps. Computing device 500 may also include a communication device 512. 
The communication device 512 may be any type of device or system capable of communicating with internal apparatus and/or with a network and may include, but is not limited to, a modem, a network card, an infrared communication device, a wireless communication device, and/or a chipset, such as a Bluetooth device, an IEEE 802.11 device, a WiFi device, a WiMax device, a cellular communication device, and/or the like.
The bus 502 may include, but is not limited to, an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, and a Peripheral Component Interconnect (PCI) bus.
Computing device 500 may also include a working memory 514, which working memory 514 may be any type of working memory capable of storing instructions and/or data that facilitate the operation of processor 504 and may include, but is not limited to, random access memory and/or read only memory devices.
Software components may be located in the working memory 514 including, but not limited to, an operating system 516, one or more application programs 518, drivers, and/or other data and code. Instructions for implementing the above-described methods and steps of the invention may be contained within the one or more applications 518, and the instructions of the one or more applications 518 may be read and executed by the processor 504 to implement the above-described method 300 of the invention.
It should also be appreciated that variations may be made according to particular needs. For example, customized hardware might also be used, and/or particular components might be implemented in hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. In addition, connections to other computing devices, such as network input/output devices and the like, may be employed. For example, some or all of the disclosed methods and apparatus can be implemented with logic and algorithms in accordance with the present invention by programming hardware (e.g., programmable logic circuitry including Field Programmable Gate Arrays (FPGAs) and/or Programmable Logic Arrays (PLAs)) using assembly language or hardware programming languages (e.g., VERILOG, VHDL, C++).
Although the various aspects of the present invention have been described thus far with reference to the accompanying drawings, the above-described methods, systems, and apparatuses are merely examples, and the scope of the present invention is not limited to these aspects but only by the appended claims and equivalents thereof. Various components may be omitted or may be replaced with equivalent components. In addition, the steps may also be performed in a different order than described in the present invention. Further, the various components may be combined in various ways. It is also important to note that, as technology develops, many of the described components may be replaced by equivalent components that appear later.
The above embodiments are only used for illustrating the technical solutions of the present application, and not for limiting the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; such modifications and substitutions do not depart from the spirit and scope of the present disclosure, and the present disclosure should be construed as being covered by the claims and the specification.

Claims (10)

1. A domain name system (DNS) server comprising:
a processor;
a memory;
a mapping hash table configured to include a mapping of a source IP address of a client to a virtual IP address;
an extended DNS client subnet (ECS) field generation module configured to generate an ECS field from a virtual IP address and append the generated ECS field to a domain name resolution request; and
a switch module configured to control passthrough of ECS fields.
2. The DNS server of claim 1, wherein the virtual IP address can embody an operator attribute.
3. The DNS server of claim 1, wherein the mapping hash table is configurable to configure a virtual IP address that maps to a source IP address of a client requesting domain name resolution based on an operator used by the client, a current traffic status of the operator used by the client, or a geographic location in which the client is located.
4. A system for domain name resolution, comprising:
a client configured to send a resolution request for a domain name;
a local domain name system (DNS) server, the local DNS server being the DNS server of claim 1;
one or more recursive DNS servers configured to forward resolution requests appended with ECS fields to pass through the ECS fields; and
an authoritative DNS server configured to return a resolution result for the ECS field based on the received ECS field.
5. The system of claim 4, wherein in the case where there are multiple recursive DNS servers, a first recursive DNS server transparently passes the ECS field to a second recursive DNS server and a final recursive DNS server transparently passes the ECS field to the authoritative DNS server.
6. A method for domain name resolution, comprising:
receiving, by a local domain name system (DNS) server, a domain name resolution request from a client, wherein the domain name resolution request comprises a source IP address of the client, the local DNS server comprises a mapping hash table, and the mapping hash table is configured to comprise a mapping from the source IP address of the client to a virtual IP address;
the local DNS server searching the mapping hash table for the virtual IP address mapped to the source IP address of the client;
the local DNS server generating an ECS field based on the found virtual IP address and transmitting the ECS field to a recursive DNS server;
the recursive DNS server transparently transmitting the ECS field to an authoritative DNS server; and
the authoritative DNS server returning, based on the received ECS field, a resolution result for the virtual IP address contained in the ECS field.
7. The method of claim 6, wherein the virtual IP address can embody an operator attribute.
8. The method of claim 6, wherein the mapping hash table is configurable to configure a virtual IP address that maps to a source IP address of the client based on an operator used by the client, a current traffic status of the operator used by the client, or a geographic location in which the client is located.
9. The method of claim 6, further comprising:
the local DNS server determining whether ECS transparent transmission is allowed and, if ECS transparent transmission is allowed, transmitting the ECS field to the recursive DNS server.
10. The method of claim 6, wherein the recursive DNS server passing through the ECS field to an authoritative DNS server further comprises, in the case that there are multiple recursive DNS servers, a first recursive DNS server passing through the ECS field to a second recursive DNS server and a final recursive DNS server passing through the ECS field to the authoritative DNS server.
CN202011486318.7A 2020-12-16 2020-12-16 Method and system for DNS ECS intelligent transparent transmission Active CN112769970B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011486318.7A CN112769970B (en) 2020-12-16 2020-12-16 Method and system for DNS ECS intelligent transparent transmission

Publications (2)

Publication Number Publication Date
CN112769970A true CN112769970A (en) 2021-05-07
CN112769970B CN112769970B (en) 2023-04-07

Family

ID=75695402

Country Status (1)

Country Link
CN (1) CN112769970B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114827083A (en) * 2022-04-14 2022-07-29 中国电信股份有限公司 Domain name resolution method, system and ECS recursive server

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020087707A1 (en) * 2000-12-29 2002-07-04 Stewart Daniel B. Network protocols for distributing functions within a network
CN111327714A (en) * 2018-12-17 2020-06-23 中国电信股份有限公司 Domain name recursive query method and system, server and DNS system
CN111771364A (en) * 2018-01-10 2020-10-13 爱维士软件有限责任公司 Cloud-based anomaly traffic detection and protection in remote networks via DNS attributes
US10812442B1 (en) * 2019-09-23 2020-10-20 Citrix Systems, Inc. Intelligent redirector based on resolver transparency

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
宗序梅: "运营商部署ECS关键技术研究与实践", 《江苏通信》 *

Also Published As

Publication number Publication date
CN112769970B (en) 2023-04-07

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
Address after: Room 401, building 1, No. 180, Yizhou Road, Xuhui District, Shanghai 200030
Applicant after: Yamu Technology Co.,Ltd.
Address before: 200030 4th floor, building B3, Huaxin Huixiang City, 180 Yizhou Road, Xuhui District, Shanghai
Applicant before: SHANGHAI YAMU COMMUNICATION TECHNOLOGY Co.,Ltd.
GR01 Patent grant