CN114401129A - Internet access behavior control method, DNS (Domain name Server), home gateway and storage medium - Google Patents

Info

Publication number: CN114401129A
Authority: CN (China)
Prior art keywords: dns, user terminal, controlled, internet, domain name
Legal status: Granted
Application number: CN202210001900.2A
Other languages: Chinese (zh)
Other versions: CN114401129B (en)
Inventors: 曾斌, 韩佳南, 卢雯霞, 赵嘉腾, 程彬
Current assignee: Fiberhome Telecommunication Technologies Co Ltd
Original assignee: Fiberhome Telecommunication Technologies Co Ltd
Application filed by Fiberhome Telecommunication Technologies Co Ltd; priority to CN202210001900.2A; published as CN114401129A; granted as CN114401129B; legal status active.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/255 Maintenance or indexing of mapping tables

Abstract

The application relates to an internet access behavior control method, a DNS server, a home gateway and a storage medium in the technical field of communications. The method comprises: receiving and parsing a DNS request message sent by the home gateway to obtain a device identifier of a user terminal to be controlled and the domain name to be accessed that corresponds to the device identifier; and, according to the device identifier of the user terminal to be controlled, the domain name to be accessed and a preset internet access rule, not resolving the domain name to be accessed if the user terminal to be controlled may not access it. Because the internet access behavior is controlled by a DNS server remote from the user terminal, on the basis of the mapping relation between the device identifier of the user terminal and the internet access rule, a failure of internet access control caused by restoring the home gateway to factory settings is avoided; and because control is based on internet access rules stored at the remote end, the rules do not need to be reconfigured on a new home gateway, which solves the problems that internet access configuration information cannot be shared and must be reconfigured.

Description

Internet access behavior control method, DNS (Domain name Server), home gateway and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method for controlling an internet access behavior, a DNS server, a home gateway, and a storage medium.
Background
With the gradual improvement of household informatization and the requirements of education informatization, minors spend more and more time using electronic products. However, minors have poor self-control, and are prone to wasting much time on software and websites unrelated to learning and to visiting such websites during study periods, which not only affects learning quality but also harms eyesight; parents therefore need to control the online behavior of children, such as online time and website access permissions.
However, at present not all electronic products have complete parental control functions, and some products may even allow unlimited use. Products that do have a parental control function usually implement internet access control through the home gateway: an internet access rule is configured on the home gateway; when a user terminal sends an internet access request, the domain name or IP (Internet Protocol) address corresponding to the request is intercepted by the home gateway, and access to that domain name or IP address is controlled based on the internet access rule.
However, because the internet access rule is stored in the home gateway and the internet access behavior is controlled by that particular gateway, once the user terminal switches to a new network the internet access rule must be reconfigured on the new home gateway, otherwise the internet access behavior cannot be controlled; this method therefore has the problems that internet access configuration information cannot be shared between different home gateways and must be configured repeatedly. In addition, a home gateway product is easily restored to factory configuration, and once that happens the internet access rule set on the home gateway is wiped, so the internet access behavior can no longer be controlled and the internet access control fails.
Disclosure of Invention
The application provides an internet access behavior control method, a DNS server, a home gateway and a storage medium, which are used for solving the problems that internet access configuration information cannot be shared, repeated configuration is needed and internet access control is prone to failure in the related technology.
In a first aspect, a method for controlling internet access behavior is provided, where the method is applied to a DNS server and includes the following steps:
receiving and parsing a second DNS request message sent by the home gateway to obtain a device identifier of the user terminal to be controlled and the domain name to be accessed corresponding to the device identifier;
and, according to the device identifier of the user terminal to be controlled, the domain name to be accessed and a preset internet access rule, not resolving the domain name to be accessed if it is detected that the user terminal to be controlled may not access it.
In some embodiments, after the step of not resolving the domain name to be accessed, the method further includes:
writing resolution failure information into a DNS response message, and sending the DNS response message to the home gateway.
In some embodiments, the preset internet access rule includes an accessible domain name corresponding to the device identifier and an accessible time period.
In a second aspect, a method for controlling internet access behavior is provided, where the method is applied to a home gateway and includes the following steps:
acquiring a first DNS request message sent by a user terminal to be controlled, wherein the first DNS request message carries the device IP address of the user terminal to be controlled;
determining the device identifier of the user terminal to be controlled according to its device IP address;
encoding the device identifier of the user terminal to be controlled into a DNS extension option message;
and adding the DNS extension option message to the first DNS request message to obtain a second DNS request message, and sending the second DNS request message to a DNS server.
In some embodiments, acquiring the first DNS request message sent by the user terminal to be controlled includes:
when a first DNS request message sent by the user terminal to be controlled to a custom DNS server is captured, redirecting the first DNS request message and thereby obtaining it.
In some embodiments, determining the device identifier of the user terminal to be controlled according to its device IP address includes:
looking up the device identifier corresponding to the user terminal to be controlled in a neighbor cache table according to its device IP address, wherein the neighbor cache table stores the mapping between the device IP address and the device identifier of each user terminal.
In some embodiments, the method further comprises:
when the home gateway receives a DNS response message sent by the DNS server, detecting whether the DNS response message carries a DNS extension option message;
if so, deleting the DNS extension option message from the DNS response message to form a new DNS response message, and sending the new DNS response message to the user terminal to be controlled, so that the user terminal to be controlled controls its internet access behavior based on the new DNS response message;
if not, sending the DNS response message to the user terminal to be controlled as is, so that the user terminal to be controlled controls its internet access behavior based on the DNS response message.
In a third aspect, a DNS server is provided, including: the device comprises a memory, a processor and an internet behavior control program which is stored on the memory and can run on the processor, wherein the internet behavior control program realizes the steps of the internet behavior control method when being executed by the processor.
In a fourth aspect, there is provided a home gateway, comprising: the device comprises a memory, a processor and an internet behavior control program which is stored on the memory and can run on the processor, wherein the internet behavior control program realizes the steps of the internet behavior control method when being executed by the processor.
In a fifth aspect, a computer-readable storage medium is provided, which stores a computer program, and when the computer program is executed by a processor, the computer program implements the foregoing internet behavior control method.
The beneficial effects of the technical solution provided by this application include: internet access configuration information can be shared, and failure of internet access control can be avoided.
The application provides an internet access behavior control method, a DNS server, a home gateway and a storage medium, comprising the following steps: receiving and parsing a DNS request message sent by a home gateway to obtain a device identifier of a user terminal to be controlled and the domain name to be accessed corresponding to the device identifier; and, according to the device identifier of the user terminal to be controlled, the domain name to be accessed and a preset internet access rule, not resolving the domain name to be accessed if the user terminal to be controlled may not access it. Because the internet access behavior is controlled by a DNS server remote from the user terminal, on the basis of the mapping relation between the device identifier of the user terminal and the internet access rule, the internet access behavior does not need to be controlled by the home gateway, and the problem that internet access control is invalidated when the home gateway is restored to factory settings is avoided; and because the application controls the internet access behavior based on internet access rules stored at the remote end, the internet access rules need not be reconfigured on a new home gateway even when the user terminal switches to a new network, which solves the problems that internet access configuration information cannot be shared and must be reconfigured.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings needed to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic flow chart of a method for controlling an internet access behavior according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a DNS server according to an embodiment of the present application;
fig. 3 is a schematic workflow diagram of a DNS server according to an embodiment of the present application;
fig. 4 is a schematic flow chart of another internet access behavior control method according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a home gateway provided in an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The embodiment of the application provides an internet behavior control method, a DNS (domain name system) server, a home gateway and a storage medium, which can solve the problems that internet configuration information cannot be shared, repeated configuration is required and internet control is easy to fail in the related technology.
Fig. 1 is a schematic flow diagram of a first embodiment of the internet access behavior control method provided in an embodiment of the present application, where the method is applied to a DNS server and includes the following steps:
Step S10: receiving and parsing a DNS request message sent by a home gateway to obtain a device identifier of a user terminal to be controlled and the domain name to be accessed corresponding to the device identifier; further, the device identifier is the MAC address of the user terminal to be controlled.
By way of example: in order to protect children's eyesight and ensure learning quality, parents urgently need to control children's internet access behavior, and ordinarily do so as follows: an internet access rule is configured on the home gateway, the domain name or IP address corresponding to an internet access request is intercepted by the home gateway, and access to that domain name or IP address is controlled based on the rule. However, the inventors found that this method has the problems that internet access configuration information cannot be shared between different home gateways, must be configured repeatedly, and that internet access control fails easily. Therefore, in the present application the internet access behavior of the user terminal is controlled by a Domain Name System (DNS) server located far from the user terminal, which avoids the problem that internet access control is disabled when the home gateway is restored to factory settings.
When a user terminal needs to access the network, it sends a DNS request message to a network access device such as a home gateway or router, and when the network access device receives the DNS request message it processes the related information of the user terminal. In this embodiment, the internet access behavior is controlled at the point where the domain name entered on the user terminal is translated into an IP address: only after the DNS server resolves the domain name to an IP address can the browser connect to the server, and if DNS resolution fails the web page corresponding to the domain name cannot be accessed.
In this embodiment, a first DNS request message that is sent by the user terminal to be controlled and carries its device IP address is obtained by the home gateway, and the device identifier of the user terminal to be controlled is determined from that device IP address. The device identifier may be the MAC address of the user terminal to be controlled, or may be determined according to actual requirements, which is not limited herein. Taking the device identifier to be the MAC address as an example: when the home gateway obtains the first DNS request message sent by the user terminal to be controlled, because the message contains the device IP address of the user terminal to be controlled, the MAC address of the user terminal to be controlled can be determined from the mapping between the device IP address and the MAC address. The MAC address is then encoded into a DNS extension option message; specifically, the MAC address is encoded to obtain encoded data, the encoded data is placed in an OPT pseudo resource record (RR) of the DNS message, and the OPT record is inserted as the first record of the Additional section. The OPT record is thus added to the first DNS request message to form a second DNS request message, and the second DNS request message, containing the MAC address of the user terminal to be controlled and the domain name to be accessed, is sent to the DNS server.
When the DNS server receives the second DNS request message, it parses it to obtain the domain name to be accessed, and when the type of the Additional RR read is an OPT record, it reads and decodes the data encoded in the OPT record to obtain the device identifier of the user terminal to be controlled carried in the DNS request message.
Step S20: according to the device identifier of the user terminal to be controlled, the domain name to be accessed and a preset internet access rule, if it is detected that the user terminal to be controlled may not access the domain name to be accessed, the domain name to be accessed is not resolved.
By way of example, in this embodiment a parent may pre-configure the internet access rules of a plurality of controlled user terminals through a remote control platform, each internet access rule having a mapping relationship with the device identifier of its controlled user terminal. The internet access rules may be stored in the remote control platform or in the DNS server, as determined by actual requirements; either way a large number of internet access rule configurations can be stored, which solves the problem that the number of rule entries is limited when the rules are stored on a home gateway. The remote control platform may be an application program or may take the form of a database plus a front end, as determined by specific requirements, which is not limited herein. In the following embodiments the internet access rules are stored in the remote control platform and the device identifier is a MAC address.
The internet access rule may take the form of a white list, for example an accessible domain name and an accessible time period corresponding to the device identifier; of a black list, for example an inaccessible domain name corresponding to the device identifier together with an inaccessible time period for the otherwise accessible domain names; or of a combined white list and black list, for example an accessible domain name, an inaccessible domain name, an accessible time period and an inaccessible time period corresponding to the device identifier. The specific form of the internet access rule may be determined according to specific requirements and is not limited herein.
This embodiment is illustrated in the form of a white list: an internet access white list is set based on a time parameter. Taking the Monday rule of controlled user terminal A (MAC address 08:00:20:0A:8C:6D) as an example:
    • when time T is in [0:00, 8:00), no website may be accessed, i.e. the set of accessible websites is empty;
    • when T is in [8:00, 11:00], only learning websites may be accessed, and the domain names of the learning websites accessible in this period are set;
    • when T is in (11:00, 13:00), news websites and learning websites may be accessed, and the domain names of the learning and news websites accessible in this period are set;
    • when T is in [13:00, 17:00], only learning websites may be accessed, and the domain names of the learning websites accessible in this period are set;
    • when T is in the period from 17:00 to 20:00, news, learning and entertainment websites may be accessed, and the domain names of the corresponding websites accessible in this period are set;
    • when T is in the period from 20:00 to 24:00, no website may be accessed, i.e. the set of accessible websites is empty.
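The Monday white list for terminal A above, written as the rule-evaluation function the remote control platform would run when the device identifier query module asks whether a MAC address may access a domain name at the current time. This is an added example, not code from the patent or from Fiberhome; the domain names listed under each category, the half-open treatment of the interval boundaries (the text mixes [ ] and ( )), the use of datetime.weekday() numbering, and the default answer for terminals with no configured rule are this example's own assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

MONDAY = 0                      # datetime.weekday() numbering

def hm(hour, minute=0):
    """Clock time as minutes since midnight; 24:00 is hm(24)."""
    return hour * 60 + minute

@dataclass(frozen=True)
class Window:
    weekday: int
    start: int                  # minutes since midnight, inclusive
    end: int                    # exclusive: the text mixes [ ] and ( ); half-open is this example's choice
    categories: frozenset       # website categories whose domains are accessible in the window

# Constructed domain-to-category table; the patent only names the categories.
CATEGORY_DOMAINS = {
    "learning": {"learn.example", "classroom.example"},
    "news": {"news.example"},
    "entertainment": {"video.example", "games.example"},
}

# Terminal A's Monday white list from the text. Periods with no window ([0:00, 8:00)
# and [20:00, 24:00)) have an empty white list, i.e. nothing may be accessed.
RULES = {
    "08:00:20:0a:8c:6d": (
        Window(MONDAY, hm(8), hm(11), frozenset({"learning"})),
        Window(MONDAY, hm(11), hm(13), frozenset({"learning", "news"})),
        Window(MONDAY, hm(13), hm(17), frozenset({"learning"})),
        Window(MONDAY, hm(17), hm(20), frozenset({"learning", "news", "entertainment"})),
    ),
}

def normalize_mac(mac):
    return mac.replace("-", ":").replace(" ", "").lower()

def normalize_domain(name):
    return name.rstrip(".").lower()

def domain_matches(domain, categories):
    """True if the domain, or a parent of it, is white-listed under any of the categories."""
    for cat in categories:
        for allowed in CATEGORY_DOMAINS.get(cat, ()):
            if domain == allowed or domain.endswith("." + allowed):
                return True
    return False

def is_access_allowed(mac, domain, now, rules=RULES, unconfigured_default=True):
    """Decision the remote control platform returns for (MAC, domain, time): (allowed, reason).
    unconfigured_default answers for terminals with no rule at all, a choice the text leaves open."""
    windows = rules.get(normalize_mac(mac))
    if windows is None:
        return unconfigured_default, "terminal is not under control"
    domain = normalize_domain(domain)
    minute = hm(now.hour, now.minute)
    for w in windows:
        if w.weekday == now.weekday() and w.start <= minute < w.end:
            if domain_matches(domain, w.categories):
                return True, f"white-listed in window {w.start // 60:02d}:00-{w.end // 60:02d}:00"
            return False, "domain not on the white list for the current window"
    return False, "no accessible window at this time"

def sample_time(hour, minute=0, day=3):
    """Constructed timestamp helper: 2022-01-03 is a Monday, 2022-01-04 a Tuesday."""
    return datetime(2022, 1, day, hour, minute)
```

Two details matter for a white list of this kind: the domain match must be on label boundaries (so a name that merely ends in the characters of an allowed domain is not accepted), and the answer for an unknown MAC is a policy decision, which the text leaves to the operator and this example exposes as a parameter.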
Referring to fig. 2, in this embodiment the DNS server is provided with a DNS server module, a device identifier decoding module and a device identifier query module, and data interaction with the home gateway and the remote control platform is implemented by these three modules: the DNS server module is responsible for general DNS message processing, DNS record management and the like; the device identifier decoding module is responsible for decoding the pseudo resource record in the DNS request message and recovering the device identifier; and the device identifier query module is responsible for querying the remote control platform, by device identifier, for that device's internet access rule. The work flow of the DNS server is explained with reference to fig. 3:
Step P10: after receiving the second DNS request message, the DNS server module parses it to obtain the domain name to be accessed and forwards the second DNS request message to the device identifier decoding module;
Step P20: after receiving the second DNS request message, the device identifier decoding module parses it and, when the type of the Additional RR read is an OPT record, reads and decodes the encoded data in the OPT record to obtain the MAC address of the user terminal to be controlled. It should be noted that the device identifier decoding module need not decode the device identifier back into the final MAC address: when hash coding is used, for example, only the hash value needs to be obtained, as long as the home gateway, the DNS server and the remote control platform use the same encoding and decoding method. The device identifier decoding module then sends the MAC address of the user terminal to be controlled to the device identifier query module;
Step P30: on receiving the MAC address of the user terminal to be controlled, the device identifier query module sends the MAC address and the domain name to be accessed to the remote control platform and queries whether a configuration exists that prohibits the user terminal corresponding to the MAC address from accessing the domain name to be accessed;
After receiving the MAC address, the remote control platform first determines whether an internet access rule is configured for the user terminal corresponding to the MAC address. If not, that terminal is not a controlled user terminal, and the platform may return access-allowed information to the device identifier query module (or, equally, access-prohibited information; the returned information may be set according to actual requirements). If so, the terminal is a controlled user terminal, and the platform further queries, based on the internet access rule, whether the MAC address is allowed to access the domain name to be accessed at the current moment; if access is not allowed, access-prohibited information is returned to the device identifier query module, and if access is allowed, access-allowed information is returned.
Step P40: if the equipment identification query module receives the information of access prohibition, the equipment identification query module sends the information of access prohibition to the DNS server module; the DNS server module does not analyze the domain name to be accessed, writes analysis failure information into a DNS response message, and sends the DNS response message to the home gateway, wherein if the DNS Request message carries a DNS extension option message according to the specification of an RFC (Request For Comments) 6891 protocol, the DNS response message also carries the DNS extension option message, so the DNS response message sent to the home gateway carries the DNS extension option message; the analysis failure information may be "No Such Name" or an IP of a web portal, and is used to prompt that the user terminal is prohibited to access the internet at present, and it should be noted that the analysis failure information is only presented by way of example and can be set according to specific requirements;
Step P50: if the device identifier query module receives access-allowed information, it sends that information to the DNS server module, and the DNS server module resolves the domain name to be accessed to obtain the corresponding IP address.
The DNS server module resolves the domain name to be accessed as follows: it first checks whether the domain name to be accessed exists in its local domain name records, and if so, the IP address of the domain name is found directly from the local records. If the domain name does not exist locally, it may be an illegal domain name; in that case resolution failure information may be written directly into a DNS response message and sent to the home gateway. Alternatively, if the domain name is not found locally, the DNS server may query other DNS servers by recursive query, resolve the IP address corresponding to the domain name to be accessed, write that IP address into the DNS response message, and send the DNS response message to the home gateway.
In this embodiment, the user terminal to be controlled determines whether it can access the internet according to the resolution result, which achieves the purpose of controlling the internet access behavior. Specifically, if the DNS server returns a normally resolved IP address, the user terminal to be controlled may access the domain name to be accessed at this time; if resolution failure information such as "No Such Name" is returned, the user terminal to be controlled is currently restricted by the internet access rule and cannot access the web page corresponding to the domain name to be accessed.
Because the internet access behavior is controlled by a DNS server remote from the user terminal, on the basis of the mapping relation between the device identifier of the user terminal and the internet access rule, the internet access behavior does not need to be controlled by the home gateway, and the problem that internet access control is invalidated when the home gateway is restored to factory settings is avoided; and because the application controls the internet access behavior based on internet access rules stored at the remote end, the internet access rules need not be reconfigured on a new home gateway even when the user terminal switches to a new network, which solves the problems that internet access configuration information cannot be shared and must be reconfigured. The application can also be applied by organizations such as operators, enterprises or schools to control the internet access behavior of employees, students and the like.
Fig. 4 is a schematic flow chart of a second embodiment of the internet access behavior control method, where the method is applied to a home gateway and includes the following steps:
Step N10: acquiring a first DNS request message sent by a user terminal to be controlled, wherein the first DNS request message carries the device IP address of the user terminal to be controlled;
Step N20: determining the device identifier of the user terminal to be controlled according to its device IP address;
Step N30: encoding the device identifier of the user terminal to be controlled into a DNS extension option message;
Step N40: adding the DNS extension option message to the first DNS request message to obtain a second DNS request message, and sending the second DNS request message to a DNS server.
Referring to Fig. 5, in this embodiment the home gateway is provided with a DNS proxy module, a DNS redirection module, a neighbor cache table module and a device identifier processing module; data interaction between the home gateway, the DNS server and the user terminal is implemented on the basis of these four modules, and the work flow of the home gateway is described in detail below in combination with them:
The DNS proxy module is responsible for listening for the first DNS request message sent by the user terminal to be controlled to the DNS server, so that when the user terminal to be controlled sends the first DNS request message to the DNS server of the first embodiment, the DNS proxy module acquires it. However, when the user terminal to be controlled performs domain name resolution using a custom DNS server, the first DNS request message it sends goes to the custom DNS server instead of the DNS server of the first embodiment (in this case the user terminal to be controlled would bypass the parental control function, and its internet access behavior would not be limited by the internet access rule). Therefore, the DNS redirection module captures the first DNS request message sent to the custom DNS server and redirects it to the DNS proxy module; that is, among all first DNS request messages sent by the user terminal to be controlled, those not addressed to the DNS server of the first embodiment are captured and redirected.
The device identifier may be the MAC address of the user terminal to be controlled, or may be determined according to actual requirements, which is not limited herein. In this embodiment, taking the MAC address of the user terminal to be controlled as the device identifier as an example, when the DNS proxy module obtains the first DNS request message sent by the user terminal to be controlled, the MAC address of the user terminal to be controlled can be determined from the mapping relationship between the device IP address and the MAC address, because the first DNS request message contains the device IP address of the user terminal to be controlled.
Furthermore, the mapping relationship between the device IP address of the user terminal and the device identifier of the user terminal may be stored by the neighbor cache table module, and a lookup time threshold is set (the lookup time threshold may be set to 60 seconds, or set according to actual requirements, which is not limited herein); if the lookup time exceeds the lookup time threshold, that is, the lookup times out, it indicates that the MAC address of the user terminal to be controlled may not exist in the neighbor cache table. The DNS proxy module can therefore look up the MAC address of the user terminal to be controlled in the neighbor cache table first, which improves the processing speed of the DNS request message. However, if the neighbor cache table has no MAC address corresponding to the device IP address, or the lookup times out, the DNS proxy module looks up the MAC address corresponding to the device IP address again in the system neighbor table (normally, when the DNS proxy module receives the first DNS request message, the lookup in the system neighbor table succeeds and returns a record), places the device IP address and the MAC address in the neighbor cache table, and resets the lookup time threshold.
After finding the MAC address of the user terminal to be controlled, the DNS proxy module sends it to the device identifier processing module. After receiving the MAC address, the device identifier processing module encodes it into a DNS extension option message: specifically, it encodes the MAC address to obtain encoded data and places the encoded data in a DNS OPT pseudo resource record (the pseudo resource record contains no DNS data, and the OPT cannot be cached, forwarded or stored in a zone file), inserts the OPT as the first of the Additional RRs, and adds 1 to the number of Additional RRs. The encoding method may be any algorithm such as hexadecimal, hash or base64, and is not limited herein.
The device identifier processing module adds the OPT (that is, the DNS extension option message) to the first DNS request message to form the second DNS request message and sends it to the DNS proxy module; the DNS proxy module then forwards the second DNS request message, which contains the MAC address of the user terminal to be controlled and the domain name to be accessed, to the DNS server of the first embodiment.
In this embodiment, the identification and processing of the device identifier of the user terminal to be controlled are completed on the home gateway, making full use of the pseudo resource record, so that the DNS server can obtain the device identifier of the user terminal to be controlled from the pseudo resource record; this makes it possible for the DNS server to control the internet access behavior based on the mapping relationship between the device identifier of the user terminal to be controlled and the internet access rule.
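As an added example (not code from the patent or from the applicant), the following Python block implements the home gateway request path of steps N10 to N40 with the neighbor cache table and device identifier processing modules described above: a cache of IP to MAC mappings with the 60 second lookup time threshold and a fallback to the system neighbor table, hexadecimal encoding of the MAC, and insertion of an EDNS0 OPT pseudo resource record as the first Additional RR with the Additional RR count incremented. The system neighbor table contents, the option code 65001 (taken from the local/experimental range of RFC 6891; the patent does not specify a code) and the UDP payload size are assumptions of the example.

```python
import struct
import time

LOOKUP_TIME_THRESHOLD = 60.0      # seconds; the example value given in the description
OPT_TYPE = 41                     # EDNS0 OPT pseudo resource record type (RFC 6891)
UDP_PAYLOAD_SIZE = 4096           # assumption: advertised in the OPT CLASS field
DEVICE_ID_OPTION_CODE = 65001     # assumption: local/experimental EDNS option code

# Constructed stand-in for the system neighbor table (IP -> MAC), normally read from the kernel.
SYSTEM_NEIGHBOR_TABLE = {
    "192.168.1.20": "aa:bb:cc:dd:ee:01",
}


class NeighborCache:
    """Neighbor cache table module: device IP -> (MAC, time the entry was stored)."""

    def __init__(self, system_table=SYSTEM_NEIGHBOR_TABLE, clock=time.monotonic):
        self.entries = {}
        self.system_table = system_table
        self.clock = clock

    def lookup_mac(self, ip):
        entry = self.entries.get(ip)
        if entry is not None:
            mac, stored_at = entry
            if self.clock() - stored_at <= LOOKUP_TIME_THRESHOLD:
                return mac                      # cache hit within the lookup time threshold
        # Miss or timed out: look the address up again in the system neighbor table,
        # store the pair in the cache and reset the lookup time threshold.
        mac = self.system_table.get(ip)
        if mac is None:
            return None                         # no neighbor record: the request cannot be tagged
        self.entries[ip] = (mac, self.clock())
        return mac


def encode_device_id(mac):
    """Device identifier processing module: hexadecimal text encoding of the MAC (one of the
    encodings the description allows); the result becomes the OPT option data."""
    return mac.replace(":", "").lower().encode("ascii")


def build_opt_rr(option_data):
    """OPT pseudo RR: NAME=root, TYPE=41, CLASS=UDP payload size, TTL=0 (ext. RCODE/version/flags)."""
    rdata = struct.pack("!HH", DEVICE_ID_OPTION_CODE, len(option_data)) + option_data
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, UDP_PAYLOAD_SIZE, 0, len(rdata)) + rdata


def tag_request(first_request, client_ip, cache):
    """Turn the first DNS request message into the second one: determine the device
    identifier for client_ip, encode it into an OPT record and add it as the first
    Additional RR, adding 1 to ARCOUNT."""
    xid, flags, qd, an, ns, ar = struct.unpack("!6H", first_request[:12])
    if ar != 0:
        # A plain stub query carries no Additional RRs; a request that already has some
        # (for example its own OPT) is outside what this example handles.
        raise ValueError("request already carries additional records")
    mac = cache.lookup_mac(client_ip)
    if mac is None:
        raise LookupError(f"no device identifier known for {client_ip}")
    opt = build_opt_rr(encode_device_id(mac))
    header = struct.pack("!6H", xid, flags, qd, an, ns, ar + 1)
    return header + first_request[12:] + opt    # the OPT is the first (and only) Additional RR


def build_query(xid, qname):
    """Constructed first DNS request (A query, RD set) as a user terminal would send it."""
    labels = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return struct.pack("!6H", xid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)
```

Because a stub query normally has ARCOUNT 0, appending the OPT at the end of the message is the same as inserting it as the first Additional RR; the example rejects requests that already carry Additional RRs rather than risk producing a message with two OPT records, which RFC 6891 forbids.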
Furthermore, the internet access behavior control method further comprises the following steps: when the home gateway receives a DNS response message sent by the DNS server, detecting whether the DNS response message carries a DNS extension option message; if so, deleting the DNS extension option message from the DNS response message to form a new DNS response message, and sending the new DNS response message to the user terminal to be controlled so that the user terminal to be controlled can control its internet access behavior based on the new DNS response message; if not, sending the DNS response message to the user terminal to be controlled so that the user terminal to be controlled can control its internet access behavior based on the DNS response message.
For example, in this embodiment, after receiving a DNS response message from the DNS server, the home gateway first searches, according to the transaction ID (xid) of the DNS response message, whether it has forwarded a DNS request message with the same xid. If none is found, the DNS response message is illegal and may be discarded directly. If one is found, the DNS response message corresponds to the DNS request message sent by the user terminal to be controlled, and in ordinary operation the home gateway would send the DNS response message directly to the user terminal to be controlled. However, according to the RFC 6891 specification, if the DNS request message carries a DNS extension option message, the DNS response message also carries a DNS extension option message, so the DNS response message received by the home gateway carries one as well; and according to the RFC 1035 specification, the user terminal to be controlled does not support the extension option, that is, the DNS response message received by the user terminal to be controlled must not carry the DNS extension option message. Therefore the home gateway needs to ensure that the DNS response message sent to the user terminal to be controlled does not contain the DNS extension option message.
Therefore, when the DNS response message contains the DNS extension option message, the home gateway of the present application needs to delete it; this does not exclude the possibility that, with the development of network technology or by using a custom protocol or the like, the DNS extension option message in the DNS response message is deleted by the DNS server itself.
Therefore, when the home gateway receives the DNS response message, it can detect whether the DNS response message carries the DNS extension option message. If one is detected, the device identifier processing module in the home gateway is responsible for deleting the DNS extension option message from the DNS response message to obtain a new DNS response message: it deletes the previously added pseudo resource record, thereby stripping the device identifier from the DNS response message, and subtracts 1 from the number of Additional RRs; the DNS proxy module then forwards the new DNS response message to the user terminal to be controlled. The DNS response message processed by the home gateway has no DNS records modified other than the OPT and the Additional RR count. If no DNS extension option message is detected, it has already been deleted by the DNS server, and the DNS proxy module sends the DNS response message directly to the user terminal to be controlled so that the user terminal to be controlled can control its internet access behavior based on the DNS response message.
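The response path of the home gateway, as an added Python example (not the patent's or the applicant's code): the forwarded-xid check of the DNS proxy module, which discards a response whose transaction ID matches no forwarded request, and the OPT stripping of the device identifier processing module, which walks the question, answer and authority sections, removes the OPT pseudo resource record from the Additional section, subtracts 1 from the Additional RR count and leaves every other record byte-for-byte unchanged. The sample response, the client address bookkeeping and the matching on xid alone (as the description states; a deployment would also match the question and the client's source address and port before accepting a response) are assumptions of the example.

```python
import struct

OPT_TYPE = 41   # EDNS0 OPT pseudo resource record type (RFC 6891)


def skip_name(msg, off):
    """Return the offset just past the domain name starting at off.
    A compression pointer (top two bits set) is two bytes long and ends the name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def skip_question(msg, off):
    return skip_name(msg, off) + 4            # QTYPE + QCLASS


def rr_bounds(msg, off):
    """Return (TYPE, end offset) of the resource record starting at off."""
    name_end = skip_name(msg, off)
    rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[name_end:name_end + 10])
    return rtype, name_end + 10 + rdlen


def strip_opt(response):
    """Delete the OPT pseudo RR from the Additional section if present and subtract 1 from
    ARCOUNT. Returns (message, had_opt); every other record stays byte-identical."""
    xid, flags, qd, an, ns, ar = struct.unpack("!6H", response[:12])
    off = 12
    for _ in range(qd):
        off = skip_question(response, off)
    for _ in range(an + ns):
        _, off = rr_bounds(response, off)
    for _ in range(ar):
        rtype, end = rr_bounds(response, off)
        if rtype == OPT_TYPE:
            header = struct.pack("!6H", xid, flags, qd, an, ns, ar - 1)
            return header + response[12:off] + response[end:], True
        off = end
    return response, False                    # already removed by the server: forward as is


class ResponseHandler:
    """DNS proxy module on the home gateway: table of forwarded xids plus OPT stripping."""

    def __init__(self):
        self.forwarded = {}                   # xid -> client address of the pending request

    def note_forwarded(self, xid, client):
        self.forwarded[xid] = client

    def handle(self, response):
        """Return (client, message) to deliver, or None when the response is illegal
        (its xid matches no forwarded request) and must be discarded."""
        xid = struct.unpack("!H", response[:2])[0]
        client = self.forwarded.pop(xid, None)
        if client is None:
            return None
        cleaned, _had_opt = strip_opt(response)
        return client, cleaned


def build_sample_response(xid, with_opt=True):
    """Constructed DNS response: question www.example.com A, one A answer whose name is a
    compression pointer to the question, optionally followed by an empty OPT record."""
    qname = b"\x03www\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([93, 184, 216, 34])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0, 0)
    header = struct.pack("!6H", xid, 0x8180, 1, 1, 0, 1 if with_opt else 0)
    return header + question + answer + (opt if with_opt else b"")
```

The walk over the preceding sections is what makes the removal safe: the OPT is located by type rather than by position, so an upstream server that places it after other Additional RRs is handled the same way, and the bytes before and after the OPT are copied unchanged, which preserves any compression pointers in earlier records.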
In addition, an embodiment of the present application further provides a DNS server, where the DNS server comprises a memory, a processor, and an internet access behavior control program that is stored on the memory and can run on the processor, wherein the internet access behavior control program, when executed by the processor, implements the steps of the internet access behavior control method.
The specific embodiment of the DNS server of the present application is basically the same as each embodiment of the above internet access behavior control method, and details are not described here.
In addition, an embodiment of the present application further provides a home gateway, where the home gateway comprises a memory, a processor, and an internet access behavior control program that is stored on the memory and can run on the processor, wherein the steps of the internet access behavior control method are implemented when the internet access behavior control program is executed by the processor.
The specific embodiment of the home gateway of the present application is basically the same as each embodiment of the above internet access behavior control method, and details are not described here.
The processor may be a CPU, or may be another general-purpose processor, a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like; the processor is the control center of the computer device and connects the various parts of the overall computer device through various interfaces and lines.
The memory may be used to store computer programs and/or modules, and the processor implements the various functions of the computer device by running or executing the computer programs and/or modules stored in the memory and by invoking data stored in the memory. The memory may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required by at least one function (such as a video playing function, an image playing function, etc.), and the like; the data storage area may store data (such as video data, image data, etc.) created according to the use of the cellular phone, etc. In addition, the memory may include high speed random access memory, and may also include non-volatile memory, such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), at least one magnetic disk storage device, a Flash memory device, or other volatile solid state storage device.
The embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, all or part of the steps of the foregoing internet behavior control method are implemented.
All or part of the processes of the foregoing embodiments may be implemented by a computer program instructing related hardware, where the computer program may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the foregoing methods may be implemented. The computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer readable medium may include: any entity or device capable of carrying computer program code, a recording medium, a U-disk, a removable hard disk, a magnetic disk, an optical disk, a computer memory, a Read-Only Memory (ROM), a Random Access Memory (RAM), electrical carrier wave signals, telecommunications signals, software distribution media, and the like. It should be noted that the content of the computer readable medium may be suitably increased or decreased as required by legislation and patent practice in the jurisdiction; for example, in some jurisdictions, in accordance with legislation and patent practice, the computer readable medium does not include electrical carrier signals and telecommunications signals.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, server, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The above description is merely exemplary of the present application and is presented to enable those skilled in the art to understand and practice the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A method for controlling internet access behavior, applied to a DNS server, the method comprising the following steps:
receiving and parsing a second DNS request message sent by a home gateway to obtain a device identifier of a user terminal to be controlled and a domain name to be accessed corresponding to the device identifier;
and, according to the device identifier of the user terminal to be controlled, the domain name to be accessed and a preset internet access rule, if it is detected that the user terminal to be controlled cannot access the domain name to be accessed, not resolving the domain name to be accessed.
2. The internet access behavior control method according to claim 1, further comprising, after the step of not resolving the domain name to be accessed:
writing resolution failure information into a DNS response message, and sending the DNS response message to the home gateway.
3. The internet access behavior control method according to claim 1, wherein the preset internet access rule comprises accessible domain names corresponding to the device identifier and an accessible time period.
4. A method for controlling internet access behavior, applied to a home gateway, the method comprising the following steps:
acquiring a first DNS request message sent by a user terminal to be controlled, wherein the first DNS request message comprises a device IP address of the user terminal to be controlled;
determining a device identifier of the user terminal to be controlled according to the device IP address of the user terminal to be controlled;
encoding the device identifier of the user terminal to be controlled into a DNS extension option message;
and adding the DNS extension option message to the first DNS request message to obtain a second DNS request message, and sending the second DNS request message to a DNS server.
5. The method according to claim 4, wherein acquiring the first DNS request message sent by the user terminal to be controlled comprises:
when a first DNS request message sent by the user terminal to be controlled to a custom DNS server is captured, redirecting the first DNS request message and thereby obtaining the first DNS request message.
6. The internet access behavior control method according to claim 4, wherein determining the device identifier of the user terminal to be controlled according to the device IP address of the user terminal to be controlled comprises:
searching a neighbor cache table for the device identifier corresponding to the user terminal to be controlled according to the device IP address of the user terminal to be controlled, wherein the neighbor cache table stores the mapping relationship between the device IP address of the user terminal and the device identifier of the user terminal.
7. The internet access behavior control method according to claim 4, wherein the method further comprises:
when the home gateway receives a DNS response message sent by the DNS server, detecting whether the DNS response message carries a DNS extension option message;
if so, deleting the DNS extension option message from the DNS response message to form a new DNS response message, and sending the new DNS response message to the user terminal to be controlled so that the user terminal to be controlled can control its internet access behavior based on the new DNS response message;
if not, sending the DNS response message to the user terminal to be controlled so that the user terminal to be controlled can control its internet access behavior based on the DNS response message.
8. A DNS server, characterized in that the DNS server comprises: a memory, a processor and an internet access behavior control program stored on the memory and executable on the processor, the internet access behavior control program, when executed by the processor, implementing the steps of the internet access behavior control method according to any one of claims 1 to 3.
9. A home gateway, characterized in that the home gateway comprises: a memory, a processor and an internet access behavior control program stored on the memory and executable on the processor, the internet access behavior control program, when executed by the processor, implementing the steps of the internet access behavior control method according to any one of claims 4 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium stores a computer program that, when executed by a processor, implements the internet access behavior control method according to any one of claims 1 to 7.
CN202210001900.2A 2022-01-04 2022-01-04 Internet surfing behavior control method, DNS server, home gateway and storage medium Active CN114401129B (en)


Publications (2)

Publication Number Publication Date
CN114401129A true CN114401129A (en) 2022-04-26
CN114401129B CN114401129B (en) 2024-02-13



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant