CN114500094A - Access method and device - Google Patents


Info

Publication number
CN114500094A
Authority
CN
China
Prior art keywords
dns
module
authentication
addresses
mapping table
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210177036.1A
Other languages
Chinese (zh)
Other versions
CN114500094B (en)
Inventor
王阳
廖以顺
肖湘光
张瑶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
New H3C Technologies Co Ltd Hefei Branch
Original Assignee
New H3C Technologies Co Ltd Hefei Branch
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by New H3C Technologies Co Ltd Hefei Branch
Priority to CN202210177036.1A
Publication of CN114500094A
Application granted
Publication of CN114500094B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H04L63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Abstract

The application provides an access method and device. In the access method, when the BRAS equipment in the Portal authentication networking configures the authentication-free rule corresponding to the authentication-free domain name, all IP addresses corresponding to the authentication-free domain name can be acquired from a DNS server cluster with a load balancing function in the Portal authentication networking through interaction among a Portal module, a DNS module and a transceiver module in a CPU (central processing unit), so that the corresponding authentication-free rule is configured.

Description

Access method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to an access method and an access device.
Background
In a Portal authentication networking, some user equipments need to access certain authentication-free domain names. To meet this requirement, a Broadband Remote Access Server (BRAS) device in the networking usually obtains the Internet Protocol (IP) addresses corresponding to these domain names from a Domain Name System (DNS) server cluster and configures corresponding authentication-free rules based on the obtained IP addresses, so that subsequently, when the BRAS device receives from any of these user equipments an access message whose destination IP address (that of an authentication-free domain name) hits a local authentication-free rule, it can pass the access message directly.
However, when the DNS server cluster has a load balancing function and several IP addresses correspond to one authentication-free domain name, the BRAS device can obtain only one IP address for that domain name from the DNS server cluster. The BRAS device therefore passes only the user devices that send access packets to the one IP address it obtained, and cannot pass the user devices that send access packets to another IP address of the same domain name that it did not obtain, which results in a poor experience for the users that are not passed.
Disclosure of Invention
In order to overcome the problems in the related art, the application provides an access method and device.
According to a first aspect of the embodiments of the present application, there is provided an access method, which is applied to a Central Processing Unit (CPU) in a BRAS device in a Portal authentication networking, the method including:
when receiving a configuration instruction which is input by an administrator and used for configuring an authentication-free rule corresponding to a specified authentication-free domain name, a Portal module in the CPU notifies the authentication-free domain name carried in the configuration instruction to a DNS module in the CPU;
the DNS module constructs a plurality of DNS request messages carrying the authentication-free domain name, wherein source ports of all the DNS request messages are different, source IP addresses, destination IP addresses and destination ports of all the DNS request messages are the same, the source IP addresses are IP addresses of the BRAS equipment, and the destination IP addresses are IP addresses of DNS server clusters with load balancing functions in the Portal authentication networking;
the DNS module respectively modifies a source IP address and a source port of each DNS request message into a pre-configured IP address and a port of a designated user equipment corresponding to the source IP address and the source port in a DNS mapping table corresponding to the authentication-free domain name, and sends each modified DNS request message to a receiving and sending module in the CPU;
the transceiver module sends each modified DNS request message to the DNS server cluster; when receiving a DNS response message sent by the DNS server cluster whose destination IP address and destination port hit the DNS mapping table, it acquires the DNS mapping table, modifies the destination IP address and destination port of the DNS response message into the IP address and port of the BRAS device that correspond to them in the DNS mapping table, and sends the modified DNS response message to the DNS module;
the DNS module determines the source IP addresses of all the received modified DNS response messages as the IP addresses corresponding to the authentication-free domain names and sends the IP addresses to the Portal module;
the Portal module configures authentication-free rules corresponding to all IP addresses based on all the received IP addresses, and sends the configured authentication-free rules to the transceiving module, wherein all the IP addresses are the IP addresses of all DNS servers which provide access service for the authentication-free domain name in the DNS server cluster;
and when receiving, from any user equipment, an access message whose destination IP address and destination port hit a locally configured authentication-free rule, the transceiver module passes the access message.
According to a second aspect of the embodiments of the present application, there is provided an access apparatus, which is applied to a CPU in a BRAS device in a Portal authentication networking, the apparatus including a Portal module, a DNS module, and a transceiver module, wherein:
the Portal module is used for notifying the DNS module of the authentication-free domain name carried in a configuration instruction when the configuration instruction which is input by an administrator and used for configuring the authentication-free rule corresponding to the specified authentication-free domain name is received;
the DNS module is used for constructing a plurality of DNS request messages carrying the authentication-free domain name, wherein source ports of all the DNS request messages are different, source IP addresses, destination IP addresses and destination ports of all the DNS request messages are the same, the source IP addresses are IP addresses of the BRAS equipment, and the destination IP addresses are IP addresses of DNS server clusters with a load balancing function in the Portal authentication networking; respectively modifying the source IP address and the source port of each DNS request message into the IP address and the port of the specified user equipment corresponding to the source IP address and the source port in the pre-configured DNS mapping table corresponding to the authentication-free domain name, and sending each modified DNS request message to the transceiving module;
the transceiver module is used for sending each modified DNS request message to the DNS server cluster, acquiring the DNS mapping table when receiving a DNS response message sent by the DNS server cluster whose destination IP address and destination port hit the DNS mapping table, modifying the destination IP address and destination port of the DNS response message into the IP address and port of the BRAS device that correspond to them in the DNS mapping table, and sending the modified DNS response message to the DNS module;
the DNS module is also used for determining the source IP addresses of all the received modified DNS response messages as the IP addresses corresponding to the authentication-free domain names and sending the IP addresses to the Portal module;
the Portal module is further configured to configure an authentication-free rule corresponding to all the IP addresses based on all the received IP addresses, and send the configured authentication-free rule to the transceiver module, where all the IP addresses are IP addresses of all DNS servers in the DNS server cluster that provide access service for the authentication-free domain name;
the transceiver module is further configured to pass an access message received from any user equipment whose destination IP address and destination port hit a locally configured authentication-free rule.
The technical scheme provided by the embodiment of the application can have the following beneficial effects:
in the embodiment of the application, for a BRAS device in a Portal authentication networking, when an authentication-free rule corresponding to an authentication-free domain name is configured, all IP addresses corresponding to the authentication-free domain name are acquired from a DNS server cluster with a load balancing function in the Portal authentication networking through interaction among a Portal module, a DNS module and a transceiver module in the CPU of the BRAS device, so that the corresponding authentication-free rule is configured.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the application.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this application, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
Fig. 1 is a schematic flowchart of an access method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of Portal authentication networking provided in an embodiment of the present application;
fig. 3 is a schematic structural diagram of an access device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The words "if" or "if" as used herein may be interpreted as "at … …" or "at … …" depending on the context.
Next, examples of the present application will be described in detail.
The embodiment of the application provides an access method, which is applied to a CPU in BRAS equipment in a Portal authentication networking, and as shown in fig. 1, the method may include the following steps:
S11, when receiving a configuration instruction input by an administrator for configuring the authentication-free rule corresponding to a specified authentication-free domain name, a Portal module in the CPU notifies the DNS module in the CPU of the authentication-free domain name carried in the configuration instruction.
S12, the DNS module constructs a plurality of DNS request messages carrying authentication-free domain names.
In this step, the source ports of all DNS request messages are different, and the source IP addresses, the destination IP addresses, and the destination ports of all DNS request messages are the same, the source IP address is the IP address of the BRAS device, and the destination IP address is the IP address of a DNS server cluster with a load balancing function in the Portal authentication networking.
S13, the DNS module modifies the source IP address and source port of each DNS request message into the IP address and port of the designated user equipment that correspond to that source IP address and source port in the pre-configured DNS mapping table for the specified authentication-free domain name, and sends each modified DNS request message to the transceiver module in the CPU.
In this step, the DNS mapping table may further include the IP address and port of the DNS server cluster, protocol information, and the like. Different ports of the BRAS device in the DNS mapping table correspond to different user devices, and the ports of the user devices in the DNS mapping table may all be the same, may be partially the same, or may be completely different.
In addition, the number of the DNS request messages which are constructed by the DNS module and carry the authentication-free domain name is the same as the number of the IP addresses of the user equipment in the DNS mapping table; and the number of the IP addresses of the user equipment in the DNS mapping table may be set according to a requirement for acquiring all the IP addresses corresponding to the authentication-free domain name.
S14, the transceiver module sends each modified DNS request message to the DNS server cluster. When receiving a DNS response message sent by the DNS server cluster whose destination IP address and destination port hit the DNS mapping table, it obtains the DNS mapping table, modifies the destination IP address and destination port of the DNS response message into the IP address and port of the BRAS device that correspond to them in the DNS mapping table, and sends the modified DNS response message to the DNS module.
S15, the DNS module determines the source IP addresses of all the received DNS response messages as the IP addresses corresponding to the authentication-free domain names and sends the IP addresses to the Portal module.
S16, the Portal module configures the authentication-free rules corresponding to all the IP addresses based on all the received IP addresses, and sends the configured authentication-free rules to the transceiver module.
In this step, all the IP addresses are the IP addresses of all DNS servers in the DNS server cluster that provide access service for the authentication-free domain name.
S17, when receiving, from any user equipment, an access message whose destination IP address and destination port hit a locally configured authentication-free rule, the transceiver module releases the access message.
Specifically, in the above step S14, the transceiver module may obtain the DNS mapping table by:
In the first way, the transceiver module obtains the DNS mapping table locally. Here, the DNS mapping table is sent by the DNS module together with each modified DNS request message.
In a second mode, the transceiver module sends an acquisition request for acquiring the DNS mapping table to the DNS module, receives an acquisition response sent by the DNS module, and acquires the DNS mapping table from the acquisition response.
Of course, the transceiver module may also obtain the DNS mapping table in other manners, which are not listed here.
Further, in this embodiment of the application, after the transceiver module sends each modified DNS request packet to the DNS server cluster, if a DNS reply packet that carries a destination IP address and a destination port that do not hit the DNS mapping table and is sent by the DNS server cluster is received, the DNS reply packet is discarded.
The above access method is described in detail with reference to specific embodiments.
In the Portal authentication networking shown in fig. 2, assume that the IP address of the BRAS device is 2.2.2.2; assume that the IP address of the DNS server cluster with the load balancing function is 114.114.114.114, that DNS server 1, DNS server 2 and DNS server 3 in the DNS server cluster all provide access service for the domain name www.AAA.com, and that the IP addresses of the three DNS servers are 1.1.1.1, 1.1.1.2 and 1.1.1.3 respectively; the IP address of user equipment 1 is 10.1.1.2, the IP address of user equipment 2 is 10.1.1.3, and the IP address of user equipment 3 is 10.1.1.4. Only three user equipments are shown in fig. 2, but other user equipments not shown may be included.
In addition, for the Authentication, Authorization, and Accounting (AAA) server, the Web/Portal server, and the Dynamic Host Configuration Protocol (DHCP) server in fig. 2, the related functions are the prior art and are not described herein again.
Suppose that the DNS module in the CPU of the BRAS device is pre-configured with the DNS mapping table corresponding to www.AAA.com, so that the BRAS device can simulate user equipment in order to obtain the IP addresses corresponding to www.AAA.com. The contents of this DNS mapping table may be as shown in Table 1 below.
Table 1: DNS mapping table corresponding to www.AAA.com (reproduced as an image in the original; its contents are not included on this page).
Assume that the Portal module in the CPU of the BRAS device receives a configuration instruction input by the administrator for configuring the authentication-free rule corresponding to www.AAA.com. At this moment, the Portal module notifies the DNS module in the CPU of the domain name www.AAA.com carried in the configuration instruction.
The DNS module constructs 3 DNS request messages carrying authentication-free domain names, namely a DNS request message 1, a DNS request message 2 and a DNS request message 3. Wherein, the source IP address of the DNS request message 1 is 2.2.2.2, the source port is 2000, the destination IP address is 114.114.114.114, and the destination port is 53; the source IP address of the DNS request message 2 is 2.2.2.2, the source port is 2001, the destination IP address is 114.114.114.114, and the destination port is 53; the source IP address of DNS request message 3 is 2.2.2.2, the source port is 2003, the destination IP address is 114.114.114.114, and the destination port is 53.
The DNS module then modifies the source IP address and source port of DNS request message 1, DNS request message 2 and DNS request message 3 into the IP address and port of the designated user equipment that correspond to them in the DNS mapping table, and sends the modified DNS request messages 1, 2 and 3 together with Table 1 to the transceiver module in the CPU.
Here, the source IP address of the modified DNS request message 1 is 10.1.1.2, and the source port is 10000; the source IP address of the modified DNS request message 2 is 10.1.1.3, and the source port is 10000; the source IP address of the modified DNS request message 3 is 10.1.1.4, and the source port is 10000.
And the transceiver module sends the modified DNS request message 1, the modified DNS request message 2 and the modified DNS request message 3 to the DNS server cluster.
Assume that the DNS server cluster distributes the modified DNS request message 1 to DNS server 1, the modified DNS request message 2 to DNS server 2, and the modified DNS request message 3 to DNS server 3, and that the three DNS servers generate DNS response message 1, DNS response message 2 and DNS response message 3 respectively and send them to the transceiver module.
Here, the source IP address of the DNS reply message 1 is 1.1.1.1, the source port is 53, the destination IP address is 10.1.1.2, and the destination port is 10000; the source IP address of the DNS reply message 2 is 1.1.1.2, the source port is 53, the destination IP address is 10.1.1.3, and the destination port is 10000; the source IP address of the DNS reply message 3 is 1.1.1.3, the source port is 53, the destination IP address is 10.1.1.4, and the destination port is 10000.
The transceiver module subsequently receives DNS response messages 1, 2 and 3 sent by the DNS server cluster. It then obtains the DNS mapping table locally and, for each of the 3 DNS response messages, judges whether the destination IP address and destination port carried in the message hit the DNS mapping table. Since the result is yes, the transceiver module modifies the destination IP address and destination port of the DNS response message into the IP address and port of the BRAS device that correspond to them in the DNS mapping table, and sends the modified DNS response message to the DNS module.
Here, for the DNS reply message 1, the destination IP address of the modified DNS reply message 1 is 2.2.2.2, and the destination port is 2000; for the DNS reply message 2, the destination IP address of the modified DNS reply message 2 is 2.2.2.2, and the destination port is 2001; for the DNS reply message 3, the destination IP address of the modified DNS reply message 3 is 2.2.2.2, and the destination port is 2002.
The DNS module determines the source IP addresses of the modified DNS response messages 1, 2 and 3, namely 1.1.1.1, 1.1.1.2 and 1.1.1.3, as the IP addresses corresponding to www.AAA.com and sends them to the Portal module.
The Portal module configures corresponding authentication-free rules of 1.1.1.1, 1.1.1.2 and 1.1.1.3 based on 1.1.1.1, 1.1.1.2 and 1.1.1.3, and sends the configured authentication-free rules to the transceiver module.
Subsequently, once the transceiver module receives from any user equipment an access message whose destination IP address and destination port hit the locally configured authentication-free rule, it releases the access message. For example, when receiving access message 1 sent by user equipment 1 with destination IP address 1.1.1.1 and destination port 53, the transceiver module directly releases access message 1.
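The following is an added simulation of the flow described in steps S11 to S17 and in the worked example above; it is not code from the patent or from the assignee. It models the DNS module (build one query per mapping-table entry and rewrite its source to the designated user equipment), the transceiver module (hand the table over "in the first way", un-rewrite replies whose destination hits the table, discard the rest, hold the authentication-free rules) and a stand-in for the load-balanced cluster that spreads the queries over three servers. The Portal module's rule configuration (S16) is folded into `install_rules`. All addresses, ports and class names are constructed to match the page's example; the transaction-ID check in `on_reply` is an addition the page does not describe.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (IP address, UDP port)

# Constructed values following the page's worked example: BRAS 2.2.2.2,
# cluster address 114.114.114.114:53, user equipments 10.1.1.2 to 10.1.1.4.
BRAS_IP = "2.2.2.2"
DNS_CLUSTER: Endpoint = ("114.114.114.114", 53)
# DNS mapping table: BRAS (ip, port) -> designated user equipment (ip, port).
DNS_MAPPING: Dict[Endpoint, Endpoint] = {
    (BRAS_IP, 2000): ("10.1.1.2", 10000),
    (BRAS_IP, 2001): ("10.1.1.3", 10000),
    (BRAS_IP, 2002): ("10.1.1.4", 10000),
}
CLUSTER_SERVERS = ["1.1.1.1", "1.1.1.2", "1.1.1.3"]  # servers behind the cluster address


@dataclass(frozen=True)
class DnsPacket:
    src: Endpoint
    dst: Endpoint
    qname: str
    txid: int  # DNS transaction ID (assumed field; the page matches on dst only)


class DnsModule:
    """S12/S13: one query per mapping entry, source rewritten to the mapped UE."""

    def __init__(self, mapping: Dict[Endpoint, Endpoint]) -> None:
        self.mapping = mapping
        self.learned: Set[str] = set()

    def build_requests(self, qname: str) -> List[DnsPacket]:
        pkts = []
        for txid, (bras_ep, ue_ep) in enumerate(sorted(self.mapping.items()), 1):
            # S12: the query originates from BRAS_IP with a distinct source port
            # (bras_ep); S13: that source is replaced by the designated UE endpoint.
            assert bras_ep[0] == BRAS_IP
            pkts.append(DnsPacket(src=ue_ep, dst=DNS_CLUSTER, qname=qname, txid=txid))
        return pkts

    def on_reply(self, pkt: DnsPacket) -> None:
        # S15: the source IP of each un-rewritten reply is one address of the domain.
        self.learned.add(pkt.src[0])


class TransceiverModule:
    """S14/S16/S17: forward queries, un-rewrite replies, hold the rules."""

    def __init__(self, mapping: Dict[Endpoint, Endpoint]) -> None:
        # "First way" on the page: the DNS module hands the table over locally.
        self.reverse = {ue: bras for bras, ue in mapping.items()}
        self.outstanding: Dict[Endpoint, int] = {}
        self.rules: Set[Endpoint] = set()
        self.dropped = 0

    def send(self, pkts: List[DnsPacket]) -> List[DnsPacket]:
        for p in pkts:
            self.outstanding[p.src] = p.txid  # remember which ID each UE endpoint sent
        return pkts

    def on_reply(self, pkt: DnsPacket, dns: DnsModule) -> bool:
        bras_ep = self.reverse.get(pkt.dst)
        # Page's rule: a reply whose destination does not hit the table is discarded.
        # Added check (not on the page): the reply must echo the transaction ID sent.
        if bras_ep is None or self.outstanding.get(pkt.dst) != pkt.txid:
            self.dropped += 1
            return False
        # Rewrite destination back to the BRAS address/port and pass to DNS module.
        dns.on_reply(DnsPacket(pkt.src, bras_ep, pkt.qname, pkt.txid))
        return True

    def install_rules(self, addrs: Set[str], port: int = 53) -> None:
        # S16, done here for brevity: one authentication-free rule per learned address.
        self.rules = {(a, port) for a in addrs}

    def release(self, dst: Endpoint) -> bool:
        # S17: pass an access message whose destination hits a local rule.
        return dst in self.rules


def simulate_cluster(reqs: List[DnsPacket], servers: List[str]) -> List[DnsPacket]:
    """Stand-in for the load-balanced cluster: each query lands on a different server."""
    return [DnsPacket(src=(servers[i % len(servers)], 53), dst=r.src, qname=r.qname, txid=r.txid)
            for i, r in enumerate(reqs)]


def learn_domain(qname: str, stray: Optional[DnsPacket] = None):
    """Run S11..S16 for one domain; `stray` injects an extra reply to test discarding."""
    dns, tx = DnsModule(DNS_MAPPING), TransceiverModule(DNS_MAPPING)
    replies = simulate_cluster(tx.send(dns.build_requests(qname)), CLUSTER_SERVERS)
    if stray is not None:
        replies.append(stray)
    for r in replies:
        tx.on_reply(r, dns)
    tx.install_rules(dns.learned)
    return dns, tx


if __name__ == "__main__":
    stray = DnsPacket(("9.9.9.9", 53), ("10.1.1.9", 10000), "www.AAA.com", 1)
    d, t = learn_domain("www.AAA.com", stray=stray)
    print(sorted(d.learned), "dropped:", t.dropped, "1.1.1.1:53 released:", t.release(("1.1.1.1", 53)))
```

With three mapping entries the BRAS learns all three server addresses instead of the single one a normal lookup would return, which is the point of the patent; the number of entries in the table bounds how many addresses can be discovered. A reply whose destination is not in the table is dropped, as the page specifies, and the added transaction-ID check drops a reply that reaches a mapped destination with an ID that was never sent.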
According to the technical scheme, in the embodiment of the application, for the BRAS equipment in the Portal authentication networking, when the authentication-free rule corresponding to the authentication-free domain name is configured, all IP addresses corresponding to the authentication-free domain name are acquired from a DNS server cluster with a load balancing function in the Portal authentication networking through interaction among the Portal module, the DNS module and the transceiver module in the CPU, so that the corresponding authentication-free rule is configured, and therefore, the BRAS equipment can release the user equipment which sends the access message by using any IP address corresponding to the authentication-free domain name acquired by the BRAS equipment, and further user experience of a user is improved.
Based on the same inventive concept, the application also provides an access device, which is applied to a CPU in a BRAS device in a Portal authentication networking. The structural schematic diagram of the access device is shown in fig. 3; it specifically comprises a Portal module 31, a DNS module 32 and a transceiver module 33, wherein:
the Portal module 31 is configured to notify the DNS module 32 of the authentication-free domain name carried in a configuration instruction when receiving the configuration instruction input by an administrator and used to configure the authentication-free rule corresponding to the specified authentication-free domain name;
the DNS module 32 is configured to construct a plurality of DNS request packets carrying the authentication-free domain name, where source ports of all DNS request packets are different, and source IP addresses, destination IP addresses, and destination ports of all DNS request packets are the same, the source IP address is an IP address of the BRAS device, and the destination IP address is an IP address of a DNS server cluster with a load balancing function in the Portal authentication networking; respectively modifying the source IP address and the source port of each DNS request packet to the IP address and the port of the specified user equipment corresponding to the source IP address and the source port in the preconfigured DNS mapping table corresponding to the authentication-free domain name, and sending each modified DNS request packet to the transceiver module 33;
the transceiver module 33 is configured to send each modified DNS request packet to the DNS server cluster, obtain the DNS mapping table when receiving a DNS reply packet sent by the DNS server cluster whose destination IP address and destination port hit the DNS mapping table, modify the destination IP address and destination port of the DNS reply packet into the IP address and port of the BRAS device that correspond to them in the DNS mapping table, and send the modified DNS reply packet to the DNS module 32;
the DNS module 32 is further configured to determine source IP addresses of all the received modified DNS reply messages as IP addresses corresponding to the authentication-free domain name, and send the IP addresses to the Portal module 31;
the Portal module 31 is further configured to configure an authentication-free rule corresponding to all IP addresses based on all received IP addresses, and send the configured authentication-free rule to the transceiver module 33, where all the IP addresses are IP addresses of all DNS servers in the DNS server cluster that provide access service for the authentication-free domain name;
the transceiver module 33 is further configured to release an access packet received from any user equipment whose destination IP address and destination port hit a locally configured authentication-free rule.
Preferably, the transceiver module 33 is specifically configured to obtain the DNS mapping table in the following manner:
and the transceiver module locally acquires the DNS mapping table, wherein the DNS mapping table is sent by the DNS module when each modified DNS request message is sent.
Preferably, the transceiver module 33 is specifically configured to obtain the DNS mapping table in the following manner:
the transceiver module sends an acquisition request for acquiring the DNS mapping table to the DNS module;
and the transceiver module receives an acquisition response sent by the DNS module and acquires the DNS mapping table from the acquisition response.
Preferably, the transceiver module is further configured to discard the DNS reply message when receiving a DNS reply message that is sent by the DNS server cluster and carries a destination IP address and a destination port that do not hit the DNS mapping table after sending each modified DNS request message to the DNS server cluster.
Preferably, the ports of the user equipments in the DNS mapping table are the same; or, the ports of the user equipments in the DNS mapping table are not completely the same; or the ports of the user equipments in the DNS mapping table are completely different.
According to the technical scheme, in the embodiment of the application, for the BRAS equipment in the Portal authentication networking, when the authentication-free rule corresponding to the authentication-free domain name is configured, all IP addresses corresponding to the authentication-free domain name are acquired from a DNS server cluster with a load balancing function in the Portal authentication networking through interaction among the Portal module, the DNS module and the transceiver module in the CPU, so that the corresponding authentication-free rule is configured, and therefore, the BRAS equipment can release the user equipment which sends the access message by using any IP address corresponding to the authentication-free domain name acquired by the BRAS equipment, and further user experience of a user is improved.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. An access method is applied to a Central Processing Unit (CPU) in Broadband Remote Access Server (BRAS) equipment in a Portal authentication networking, and comprises the following steps:
when receiving a configuration instruction which is input by an administrator and used for configuring an authentication-free rule corresponding to a specified authentication-free domain name, a Portal module in the CPU informs the authentication-free domain name carried in the configuration instruction to a Domain Name System (DNS) module in the CPU;
the DNS module constructs a plurality of DNS request messages carrying the authentication-free domain name, wherein the source ports of the DNS request messages are all different, and the source IP addresses, destination IP addresses and destination ports of the DNS request messages are all the same, the source IP address being the IP address of the BRAS equipment and the destination IP address being the IP address of a DNS server cluster with a load balancing function in the Portal authentication networking;
the DNS module modifies the source IP address and source port of each DNS request message into the IP address and port of the designated user equipment that corresponds to that source IP address and source port in a pre-configured DNS mapping table for the authentication-free domain name, and sends each modified DNS request message to a transceiver module in the CPU;
the transceiver module sends each modified DNS request message to the DNS server cluster; when it receives a DNS response message sent by the DNS server cluster whose destination IP address and destination port hit the DNS mapping table, it acquires the DNS mapping table, modifies the destination IP address and destination port of the DNS response message into the IP address and port of the BRAS equipment that correspond to them in the DNS mapping table, and sends the modified DNS response message to the DNS module;
the DNS module determines the source IP addresses of all received modified DNS response messages to be the IP addresses corresponding to the authentication-free domain name and sends them to the Portal module;
the Portal module configures, based on all the received IP addresses, authentication-free rules corresponding to all of the IP addresses and sends the configured authentication-free rules to the transceiver module, wherein all of the IP addresses are the IP addresses of all DNS servers in the DNS server cluster that provide access service for the authentication-free domain name; and
when the transceiver module receives an access message sent by any user equipment whose destination IP address and destination port hit a locally configured authentication-free rule, the transceiver module releases the access message.
2. The method of claim 1, wherein the transceiver module obtains the DNS mapping table by:
and the transceiver module locally acquires the DNS mapping table, wherein the DNS mapping table is sent by the DNS module when each modified DNS request message is sent.
3. The method of claim 1, wherein the transceiver module obtains the DNS mapping table by:
the transceiver module sends an acquisition request for acquiring the DNS mapping table to the DNS module;
and the transceiver module receives an acquisition response sent by the DNS module and acquires the DNS mapping table from the acquisition response.
4. The method of claim 1, further comprising:
after each modified DNS request message is sent to the DNS server cluster, if a DNS response message sent by the DNS server cluster is received whose destination IP address and destination port do not hit the DNS mapping table, the DNS response message is discarded.
5. The method of claim 1, wherein the ports of the user equipments in the DNS mapping table are all the same; or the ports of the user equipments in the DNS mapping table are not all the same; or the ports of the user equipments in the DNS mapping table are all different.
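The mapping-table steps of claims 1 and 4 (swapping each query's source tuple on the way out, hit-or-miss matching of replies on the way back, collecting the answering addresses, and the final rule lookup), as an added Python simulation that is not the patent's own code. The BRAS address, the DNS cluster address, the mapping table, the reply datagrams and the service port used in the rules are all constructed assumptions; nothing is sent on the wire.

```python
# Added example (not the patent's own code): simulates the mapping-table bookkeeping
# of claims 1 and 4. Nothing is sent on the wire; every address below is constructed.
from collections import namedtuple

BRAS_IP = "10.0.0.1"               # constructed: IP address of the BRAS equipment
DNS_CLUSTER = ("10.0.0.53", 53)    # constructed: load-balanced DNS cluster address
Dgram = namedtuple("Dgram", "src_ip src_port dst_ip dst_port payload")

# Constructed DNS mapping table: BRAS (ip, port) -> designated UE (ip, port).
# The UE ports are deliberately identical, one of the layouts claim 5 allows.
MAPPING = {(BRAS_IP, 40001): ("192.168.1.10", 5353),
           (BRAS_IP, 40002): ("192.168.1.11", 5353),
           (BRAS_IP, 40003): ("192.168.1.12", 5353)}

def build_requests(domain, mapping):
    """DNS module: one query per BRAS source port (src IP, dst IP, dst port fixed),
    then each BRAS source tuple is swapped for the pre-configured UE tuple (claim 1)."""
    raw = [Dgram(*bras, *DNS_CLUSTER, domain) for bras in mapping]
    return [Dgram(*mapping[(q.src_ip, q.src_port)], q.dst_ip, q.dst_port, q.payload)
            for q in raw]

def handle_replies(replies, mapping):
    """Transceiver module: a reply whose (dst ip, dst port) hits the table is rewritten
    back to the BRAS tuple (claim 1); a miss is discarded (claim 4)."""
    reverse = {ue: bras for bras, ue in mapping.items()}
    accepted, dropped = [], []
    for rp in replies:
        bras = reverse.get((rp.dst_ip, rp.dst_port))
        if bras is None:
            dropped.append(rp)
        else:
            accepted.append(Dgram(rp.src_ip, rp.src_port, *bras, rp.payload))
    return accepted, dropped

def build_rules(accepted, service_port):
    """DNS module + Portal module: the source IP of every accepted reply is an address of
    the domain; one (ip, port) rule per address. service_port is an assumption."""
    return {(rp.src_ip, service_port) for rp in accepted}

def passes(rules, access):
    """Transceiver module: release an access datagram only if (dst ip, dst port) hits."""
    return (access.dst_ip, access.dst_port) in rules

# Constructed replies: two cluster members answer the three queries, so two addresses
# are learned; a fourth reply misses the table and must be dropped.
REPLIES = [Dgram("203.0.113.10", 53, "192.168.1.10", 5353, "free.example"),
           Dgram("203.0.113.11", 53, "192.168.1.11", 5353, "free.example"),
           Dgram("203.0.113.10", 53, "192.168.1.12", 5353, "free.example"),
           Dgram("203.0.113.99", 53, "192.168.1.99", 5353, "free.example")]
```

Running `handle_replies(REPLIES, MAPPING)` followed by `build_rules(..., 80)` yields rules for 203.0.113.10 and 203.0.113.11 only; the reply addressed to 192.168.1.99 never reaches the DNS module.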
6. An access device, applied to a Central Processing Unit (CPU) in Broadband Remote Access Server (BRAS) equipment in a Portal authentication networking, comprising a Portal module, a Domain Name System (DNS) module and a transceiver module, wherein:
the Portal module is configured to, when a configuration instruction input by an administrator for configuring an authentication-free rule corresponding to a specified authentication-free domain name is received, notify the DNS module of the authentication-free domain name carried in the configuration instruction;
the DNS module is configured to construct a plurality of DNS request messages carrying the authentication-free domain name, wherein the source ports of the DNS request messages are all different, and the source IP addresses, destination IP addresses and destination ports of the DNS request messages are all the same, the source IP address being the IP address of the BRAS equipment and the destination IP address being the IP address of a DNS server cluster with a load balancing function in the Portal authentication networking; to modify the source IP address and source port of each DNS request message into the IP address and port of the designated user equipment that corresponds to that source IP address and source port in a pre-configured DNS mapping table for the authentication-free domain name; and to send each modified DNS request message to the transceiver module;
the transceiver module is configured to send each modified DNS request message to the DNS server cluster; to acquire the DNS mapping table when it receives a DNS response message sent by the DNS server cluster whose destination IP address and destination port hit the DNS mapping table; to modify the destination IP address and destination port of the DNS response message into the IP address and port of the BRAS equipment that correspond to them in the DNS mapping table; and to send the modified DNS response message to the DNS module;
the DNS module is further configured to determine the source IP addresses of all received modified DNS response messages to be the IP addresses corresponding to the authentication-free domain name and to send them to the Portal module;
the Portal module is further configured to configure, based on all the received IP addresses, authentication-free rules corresponding to all of the IP addresses and to send the configured authentication-free rules to the transceiver module, wherein all of the IP addresses are the IP addresses of all DNS servers in the DNS server cluster that provide access service for the authentication-free domain name; and
the transceiver module is further configured to release an access message sent by any user equipment when the destination IP address and destination port carried in the access message hit a locally configured authentication-free rule.
7. The apparatus according to claim 6, wherein the transceiver module is specifically configured to obtain the DNS mapping table by:
and the transceiver module locally acquires the DNS mapping table, wherein the DNS mapping table is sent by the DNS module when each modified DNS request message is sent.
8. The apparatus according to claim 6, wherein the transceiver module is specifically configured to obtain the DNS mapping table by:
the transceiver module sends an acquisition request for acquiring the DNS mapping table to the DNS module;
and the transceiver module receives an acquisition response sent by the DNS module and acquires the DNS mapping table from the acquisition response.
9. The apparatus according to claim 6, wherein the transceiver module is further configured to, after each modified DNS request message is sent to the DNS server cluster, discard a DNS response message sent by the DNS server cluster if its destination IP address and destination port do not hit the DNS mapping table.
10. The apparatus of claim 6, wherein the ports of the user equipments in the DNS mapping table are the same; or, the ports of the user equipments in the DNS mapping table are not completely the same; or the ports of the user equipments in the DNS mapping table are completely different.
CN202210177036.1A 2022-02-24 2022-02-24 Access method and device Active CN114500094B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210177036.1A CN114500094B (en) 2022-02-24 2022-02-24 Access method and device

Publications (2)

Publication Number Publication Date
CN114500094A true CN114500094A (en) 2022-05-13
CN114500094B CN114500094B (en) 2024-03-12

Family

ID=81484424

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210177036.1A Active CN114500094B (en) 2022-02-24 2022-02-24 Access method and device

Country Status (1)

Country Link
CN (1) CN114500094B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102572830A (en) * 2012-01-19 2012-07-11 华为技术有限公司 Method and customer premise equipment (CPE) for terminal access authentication
CN105491045A (en) * 2015-12-09 2016-04-13 福建星网锐捷网络有限公司 Authentication-free access control method, apparatus, device and system
CN105554170A (en) * 2015-12-09 2016-05-04 福建星网锐捷网络有限公司 DNS message processing method, device and system
WO2016066080A1 (en) * 2014-10-28 2016-05-06 Hangzhou H3C Technologies Co., Ltd. Address allocation
CN105592046A (en) * 2015-08-25 2016-05-18 杭州华三通信技术有限公司 Authentication-free access method and device
CN108282537A (en) * 2018-01-31 2018-07-13 新华三技术有限公司 Portal user offline method and access device
CN108337257A (en) * 2018-01-31 2018-07-27 新华三技术有限公司 Authentication-free access method and gateway device
CN112953962A (en) * 2021-03-15 2021-06-11 杭州迪普科技股份有限公司 Domain name access method and device
WO2021219104A1 (en) * 2020-04-30 2021-11-04 华为技术有限公司 Hybrid cloud system, gatekeeper, network access method and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Mohammed Abdulridha Hussain: "Enc-DNS-HTTP: Utilising DNS Infrastructure to Secure Web Browsing", Security and Communication Networks *
李汉斌; 任翔; 任博: "Research on a campus network access authentication model based on BRAS", Computer Knowledge and Technology, no. 07 *

Also Published As

Publication number Publication date
CN114500094B (en) 2024-03-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant