CN114553827A - VPN client proxy DNS analysis method and device - Google Patents

Info

Publication number
CN114553827A
Authority
CN
China
Prior art keywords
vpn
domain name
dns
resource domain
query request
Prior art date
Legal status
Granted
Application number
CN202210171349.6A
Other languages
Chinese (zh)
Other versions
CN114553827B (en)
Inventor
汪庆权
李志�
林俊龙
Current Assignee
Hangzhou DPTech Technologies Co Ltd
Original Assignee
Hangzhou DPTech Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN202210171349.6A
Publication of CN114553827A
Application granted
Publication of CN114553827B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a method and a device for VPN client proxy DNS resolution. The method comprises the following steps: receiving and parsing a DNS query request message and obtaining its destination domain name; querying a VPN resource domain name Map table with that destination domain name and determining whether the domain name is contained in the table, where the table holds the VPN resource domain names that the VPN side DNS server can resolve; when the destination domain name is found in the VPN resource domain name Map table, forwarding the DNS query request message to the VPN side DNS server, and when it is not found, forwarding the DNS query request message to the user side DNS server; and replying with the DNS query response message received for that request from the VPN side DNS server or the user side DNS server.

Description

VPN client proxy DNS analysis method and device
Technical Field
The disclosure relates to the technical field of data communication, and in particular to a VPN client proxy DNS resolution method and device.
Background
In a typical user office network a DNS server is deployed. Hosts are configured with both an intranet DNS address and a public network DNS address, so that when the intranet DNS server fails, resolution falls back to the public network DNS server; the intranet DNS server can resolve both the private domain names of the client network and public network domain names.
When a user uses a VPN, part of the VPN resources are published in the form of domain names. The user side DNS server of the user's original network cannot resolve these VPN domain name resources; they must be resolved by the DNS server at the VPN server side. Public domain names can be resolved either by the VPN server side DNS server or by the user side DNS server of the client's original network, but private domain names inside the client network must be resolved by the user side DNS server of the original network.
Conventional approaches configure the DNS server of the user's VPN virtual network card as the VPN side DNS server and then raise that card's priority by modifying the registry, the network card hop count and the like, so that DNS requests are preferentially resolved by the intranet DNS server. However, on some operating systems the network card priority cannot be changed by these conventional methods, so after the VPN connects normally the original network side DNS server still has a higher priority than the VPN side DNS server; VPN resource domain names are then resolved to public network addresses or fail to resolve, and the user cannot access the VPN resources correctly.
If the VPN DNS server does not support resolving public network domain names, the original network DNS server is used only after the VPN DNS server has failed to resolve, so each domain name is resolved twice, resolution is slow, and the user experience suffers seriously.
If the VPN side DNS server does support resolving public network domain names, the user's geographic location and operator differ from those of the VPN side DNS server, so the resolved IP may suffer from cross-operator and CDN problems.
If all DNS requests sent by terminal applications are sent to the VPN side DNS server, each request is encrypted through the virtual network card and sent to the VPN side DNS server through the tunnel, which increases cross-network VPN traffic and consumes a large amount of DNS server resources.
Therefore, a VPN client proxy DNS resolution method and apparatus that do not require modifying network card priorities are needed.
Disclosure of Invention
In view of this, the present disclosure provides a method and an apparatus for VPN client proxy DNS resolution. According to an aspect of the present disclosure, a VPN client proxy DNS resolution method is provided, including: receiving and parsing a DNS query request message and obtaining its destination domain name; querying a VPN resource domain name Map table with that destination domain name and determining whether the domain name is contained in the table, where the table holds the VPN resource domain names that the VPN side DNS server can resolve; when the destination domain name is found in the VPN resource domain name Map table, forwarding the DNS query request message to the VPN side DNS server, and when it is not found, forwarding the DNS query request message to the user side DNS server; and replying with the DNS query response message received for that request from the VPN side DNS server or the user side DNS server.
The VPN client proxy DNS resolution method of the present disclosure further includes: the VPN client receives a configuration containing VPN resource domain names from the VPN side DNS server to which it has connected and authenticated, where the VPN resource domain names are computed by the VPN side DNS server from the VPN resources published by the VPN user; and the VPN client parses the received configuration and generates the VPN resource domain name Map table from the parsed VPN resource domain names.
The VPN client proxy DNS resolution method of the present disclosure further includes: the VPN client periodically receives a new configuration containing VPN resource domain names from the VPN side DNS server, parses it, and updates the VPN resource domain name Map table based on the VPN resource domain names obtained.
According to the VPN client proxy DNS resolution method of the present disclosure, the configuration containing the VPN resource domain names is pushed to the VPN client synchronously in JSON format.
According to the VPN client proxy DNS resolution method of the present disclosure, the new configuration containing VPN resource domain names is the configuration produced after the VPN side DNS server adds, deletes or modifies part of the VPN resource domain names.
According to another aspect of the present disclosure, a VPN client proxy DNS resolution apparatus is provided, including: a DNS query request message receiving and parsing component, configured to receive and parse a DNS query request message and obtain its destination domain name; a query component, configured to query a VPN resource domain name Map table with that destination domain name and determine whether the domain name is contained in the table, where the table holds the VPN resource domain names that the VPN side DNS server can resolve; a forwarding component, configured to forward the DNS query request message to the VPN side DNS server when its destination domain name is found in the VPN resource domain name Map table, or to the user side DNS server when it is not found; and a response component, configured to reply with the DNS query response message received for that request from the VPN side DNS server or the user side DNS server.
The VPN client proxy DNS resolution apparatus of the present disclosure further includes: a configuration receiving component, configured to receive a configuration containing VPN resource domain names from the VPN side DNS server to which the connection has been authenticated, where the VPN resource domain names are computed by the VPN side DNS server from the VPN resources published by the VPN user; a configuration parsing component, configured to parse the received configuration; and a VPN resource domain name Map table generating component, configured to generate the VPN resource domain name Map table from the parsed VPN resource domain names.
According to the VPN client proxy DNS resolution apparatus of the present disclosure, the configuration receiving component further periodically receives a new configuration containing VPN resource domain names from the VPN side DNS server, and the configuration parsing component further parses that new configuration, so that the VPN resource domain name Map table generating component updates the VPN resource domain name Map table based on the VPN resource domain names obtained from the new configuration.
According to the VPN client proxy DNS resolution apparatus of the present disclosure, the configuration containing the VPN resource domain names is pushed to the VPN client synchronously in JSON format.
According to the VPN client proxy DNS resolution apparatus of the present disclosure, the new configuration containing VPN resource domain names is the configuration produced after the VPN side DNS server adds, deletes or modifies part of the VPN resource domain names.
In summary, with the VPN client proxy DNS resolution method and apparatus, no network card priority needs to be set: the VPN client listens on the local port, proxies all DNS query requests of the local machine, and completes DNS resolution. Specifically, when the user side initiates a DNS query request, the VPN client receives and parses the DNS request message; only when the parsed destination domain name is detected to be a VPN resource domain name is the request forwarded across the VPN tunnel to the VPN side DNS server for resolution, while non-VPN resource domain names are resolved directly by the user side DNS server, which reduces DNS traffic in the VPN tunnel and relieves the load on the VPN side DNS server. In addition, since non-VPN resource domain names are not sent to the VPN side DNS server, the client does not wait for a failed resolution there before turning to the user side DNS server, so public network domain names resolve quickly, the user can access the network quickly, and the user experience is improved.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings. The drawings described below are merely some embodiments of the present disclosure, and other drawings may be derived from those drawings by those of ordinary skill in the art without inventive effort.
Fig. 1 is a schematic diagram illustrating an application example of the VPN client proxy DNS resolution method and apparatus according to the embodiment of the present disclosure.
Fig. 2 is a schematic flow chart illustrating a VPN client proxy DNS resolution method according to an embodiment of the present disclosure.
Fig. 3 is a schematic diagram of a process of issuing a VPN resource domain name by a VPN side DNS server in the embodiment of the present disclosure.
Fig. 4 is a schematic diagram of a VPN resource domain name Map table synchronous update process in the embodiment of the present disclosure.
Fig. 5 is a schematic diagram illustrating a VPN client proxy DNS resolution means according to an embodiment of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The same reference numerals denote the same or similar parts in the drawings, and thus, a repetitive description thereof will be omitted.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the disclosure. One skilled in the relevant art will recognize, however, that the subject matter of the present disclosure can be practiced without one or more of the specific details, or with other methods, components, devices, steps, and so forth. In other instances, well-known methods, systems, implementations, or operations have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
The block diagrams shown in the figures are functional entities only and do not necessarily correspond to physically separate entities. That is, these functional entities may be implemented in software, in one or more hardware modules or integrated circuits, or in different networks and/or processor devices and/or microcontroller devices.
The flow charts shown in the drawings are merely illustrative and do not necessarily include all of the contents and operations/steps, nor do they necessarily have to be performed in the order described. For example, some operations/steps may be decomposed, and some operations/steps may be combined or partially combined, so that the actual execution sequence may be changed according to the actual situation.
It is to be understood by those skilled in the art that the drawings are merely schematic representations of exemplary embodiments, and that the blocks or processes shown in the drawings are not necessarily required to practice the present disclosure and are, therefore, not intended to limit the scope of the present disclosure.
Fig. 1 is a schematic diagram illustrating an application example of the VPN client proxy DNS resolution method and apparatus according to an embodiment of the present disclosure. As shown in Fig. 1, in a VPN (virtual private network) application environment, since part of the VPN resources are published in the form of domain names, a user accessing these resources needs the VPN side DNS (domain name system) server to resolve the VPN resource domain names. Accessing resources on the public network and on the user's own private network requires the user side DNS server of the original network to resolve the public network domain names and private network domain names.
When configuring DNS, the host is configured with the address of the VPN side DNS server and the address of a public network DNS server. VPN resource domain names must be resolved by the VPN side DNS server and cannot be resolved by the user side DNS server. Public network domain names can be resolved by either the VPN side DNS server or the user side DNS server, but the user's private network domain names must be resolved by the user side DNS server.
When the VPN is in use, intranet domain names require resolution by the VPN DNS server and public network domain names require resolution by the public network DNS server. In some VPN environments, therefore, people usually change the network card priority by modifying the registry, the network card hop count and other conventional methods, so that DNS requests are preferentially resolved by the intranet DNS server. Changing the network card priority by such conventional methods is difficult; after the VPN connects normally the public network DNS still has a higher priority than the VPN DNS, and intranet domain names are resolved to public network addresses or fail to resolve, so the user cannot access the intranet domain names correctly. This gives users a bad experience, and modifying the network card priority is a technical obstacle that ordinary users find hard to overcome. Accordingly, the present disclosure proposes a VPN client proxy DNS resolution method.
Fig. 2 is a flow chart illustrating a VPN client proxy DNS resolution method according to an embodiment of the present disclosure. Domain name resolution can be divided into two steps: first, the local machine sends a DNS request message carrying the domain name to be queried to a domain name server; then the domain name server returns a DNS response message to the local machine containing the IP address corresponding to that domain name. In a VPN environment, the VPN client can act as a proxy for the local machine, forwarding the DNS query request message to the domain name server and receiving the DNS response message from it.
In the VPN environment, after the VPN client starts, it listens on local port 53 (the default DNS port) so as to proxy all DNS resolution on the local machine. The VPN client stores the user side DNS server address, and after the connection to the VPN side DNS server has been authenticated, it sets the DNS server address of both the physical network card and the virtual network card to 127.0.0.1.
Fig. 2 is a schematic flow chart illustrating a VPN client proxy DNS resolution method according to an embodiment of the present disclosure. As shown in Fig. 2, in step S202 a DNS query request message is received and parsed. More specifically, when the VPN client observes that a user side application has sent a DNS query request message to local port 53, it receives the message through the newly created UDP Socket 1. It then parses the DNS query request message to obtain the destination domain name to be resolved.
If all DNS query requests sent by user side applications were sent to the VPN side DNS server, each would have to be encrypted through the virtual network card and sent through the tunnel, which would increase cross-network VPN traffic and consume a large amount of DNS server resources. The VPN client proxy DNS resolution method therefore forwards to the VPN side DNS server only those DNS query requests that the VPN side DNS server can resolve.
Because the Key in a Map data structure is unique and duplicates are not allowed, lookups and modifications by Key in a Map table are very fast. The VPN client proxy DNS resolution method of this embodiment therefore stores the VPN resource domain names that the VPN side DNS server can resolve in a Map table. More specifically, the Map table uses the VPN resource domain name as the Key, and the corresponding Value may be set to 1.
As shown in Fig. 2, in step S204, the VPN resource domain name Map table is queried with the destination domain name of the DNS query request message, and it is determined whether the destination domain name is contained in the VPN resource domain name Map table.
In step S206, if the destination domain name of the DNS query request message is found in the VPN resource domain name Map table (result "yes"), the process proceeds to step S208, where the DNS query request message is forwarded to the VPN side DNS server. More specifically, a successful lookup indicates that the destination domain name is a resource domain name published by the VPN server; a new UDP Socket 2 is created, and the DNS request message is forwarded through UDP Socket 2, over the tunnel established by the VPN virtual network card, to the VPN side DNS server. In step S210, a response is made using the DNS query response message received from the VPN side DNS server. More specifically, after the DNS request message has been forwarded through UDP Socket 2 in step S208, when UDP Socket 2 receives the DNS query response message returned by the VPN side DNS server, that response is forwarded to the user side application.
In step S206, if the destination domain name of the DNS query request message is not found in the VPN resource domain name Map table (result "no"), the process proceeds to step S212, where the DNS query request message is forwarded to the user side DNS server. More specifically, an unsuccessful lookup indicates that the destination domain name is not a VPN resource domain name published by the VPN side DNS server and must be resolved by the user side DNS server; a new UDP Socket 2 is created, and the DNS request message is forwarded through UDP Socket 2 to the user side DNS server. In step S214, a response is made using the DNS query response message received from the user side DNS server. More specifically, after the DNS request message has been forwarded through UDP Socket 2 in step S212, when UDP Socket 2 receives the DNS query response message returned by the user side DNS server, that response is forwarded to the user side application.
In a VPN environment, a VPN side DNS server can publish VPN resources in two ways, by IP address or by domain name. Since the domain name form requires DNS resolution, the VPN resource domain names published by the VPN side DNS server need to be synchronized to the VPN client in real time.
According to the VPN client proxy DNS resolution method, the VPN client receives a configuration containing VPN resource domain names from the VPN side DNS server to which it has connected and authenticated, and the VPN resource domain names are computed by the VPN side DNS server from the VPN resources published by VPN users.
Fig. 3 is a schematic diagram of the process by which the VPN side DNS server publishes VPN resource domain names in an embodiment of the present disclosure. As shown in Fig. 3, in step S302, t is set to 0 and the timer starts counting. In step S304, the user publishes a VPN resource; in step S306, the VPN side DNS server computes the VPN resource domain name from the published VPN resource and stores it; in step S308, the VPN side DNS server generates a configuration containing the VPN resource domain name; in step S310, the configuration containing the VPN resource domain name is sent to the VPN client; in step S312, it is determined whether t equals nT, where T is a preset non-zero period constant and n is a positive integer; when t equals nT, the process goes to step S314, which detects whether the VPN resource domain names published by the user have been updated; if step S314 detects an update, the VPN side DNS server sends a new configuration containing the VPN resource domain names to the VPN client through steps S308 and S310 in sequence.
After receiving the configuration containing VPN resource domain names from the VPN side DNS server, the VPN client parses it and generates the VPN resource domain name Map table from the parsed VPN resource domain names.
Fig. 4 is a schematic diagram of the synchronous update process of the VPN resource domain name Map table in an embodiment of the present disclosure. As shown in Fig. 4, in step S402, the VPN client receives a configuration containing VPN resource domain names sent by the VPN side DNS server. More specifically, after the VPN client has authenticated its connection to the VPN side DNS server, the VPN side DNS server sends the configuration to the VPN client, which receives it. In step S404, the VPN client parses the received configuration and extracts the VPN resource domain names it contains. In step S406, the VPN client generates the VPN resource domain name Map table from the parsed VPN resource domain names. Specifically, each VPN resource domain name may be used as a Key of the Map table, with its corresponding Value set to 1.
In step S408, the VPN client determines whether a new configuration containing VPN resource domain names has been received, and if so, the process proceeds to step S410. In step S410, the VPN resource domain name Map table is updated based on the new configuration. More specifically, after receiving the new configuration, the VPN client clears the data in the VPN resource domain name Map table and adds the VPN resource domain names contained in the new configuration to the table again.
According to the VPN client proxy DNS resolution method of the embodiment of the present disclosure, the new configuration containing VPN resource domain names is the configuration produced after the VPN side DNS server adds, deletes or modifies part of the VPN resource domain names. More specifically, when the VPN resource domain names published by the user change, for example by addition, modification or deletion, the VPN side DNS server generates a new configuration containing the VPN resource domain names from the user's updated publication and sends it to the VPN client.
Optionally, the VPN client periodically receives a new configuration containing VPN resource domain names from the VPN side DNS server and updates the VPN resource domain name Map table based on the VPN resource domain names obtained after parsing that new configuration.
Optionally, the configuration containing the VPN resource domain names is pushed to the VPN client synchronously in JSON format. More specifically, when the VPN side DNS server sends the configuration containing VPN resource domain names to the VPN client, the configuration may contain several VPN resource domain names. For example, if the VPN side DNS server publishes 3 VPN resource domain names: ya.
[Figure BDA0003518158190000091: example JSON configuration, image not reproduced]
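The two client-side mechanisms described above, the split-DNS forwarding decision of Fig. 2 (steps S202 to S212) and the clear-and-reload of the Map table from a pushed JSON configuration of Fig. 4 (steps S404 to S410), as an added Python illustration that is not the patent's or DPTech's code. The JSON key `vpn_resource_domains`, the two resolver addresses, and exact matching after lowercasing the name are assumptions; the patent does not specify them.

```python
"""Split-DNS decision logic for a VPN client DNS proxy (constructed example)."""
import json
import struct

VPN_SIDE_DNS = "10.0.0.53"      # constructed placeholder for the VPN side DNS server
USER_SIDE_DNS = "192.168.1.1"   # constructed placeholder for the user side DNS server


def normalize(name: str) -> str:
    # DNS names are case-insensitive and a trailing dot is equivalent to none,
    # so the Map table key is normalized; otherwise a client that randomizes
    # label case would be routed to the wrong resolver (assumption, not in the patent).
    return name.rstrip(".").lower()


def parse_qname(packet: bytes) -> str:
    """Step S202: extract the destination domain name from a DNS query message.

    Every offset is bounds-checked because the message arrives from an
    untrusted UDP socket, and compression pointers are rejected: the QNAME
    of a query's question section is never compressed, so a pointer means
    a malformed packet.
    """
    if len(packet) < 12:
        raise ValueError("DNS header truncated")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000:
        raise ValueError("message is a response, not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("QNAME truncated")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question QNAME")
        pos += 1
        if pos + length > len(packet):
            raise ValueError("label overruns packet")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 5 > len(packet):   # terminating null + QTYPE + QCLASS
        raise ValueError("question truncated")
    return normalize(".".join(labels))


def is_well_formed_query(packet: bytes) -> bool:
    """True only if parse_qname accepts the packet; malformed input is dropped."""
    try:
        parse_qname(packet)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


class VpnResourceMap:
    """The VPN resource domain name Map table: Key = domain name, Value = 1."""

    def __init__(self):
        self.table = {}

    def load_config(self, config_json: str) -> int:
        # Step S410: rebuild the table from the pushed configuration, clearing
        # the old entries and adding the new set, as the text describes.
        names = json.loads(config_json)["vpn_resource_domains"]  # key name assumed
        self.table = {normalize(n): 1 for n in names}
        return len(self.table)

    def contains(self, name: str) -> bool:
        return normalize(name) in self.table


def select_upstream(packet: bytes, resource_map: VpnResourceMap) -> str:
    """Steps S204 to S212: VPN side server for VPN resource names, user side otherwise."""
    qname = parse_qname(packet)
    return VPN_SIDE_DNS if resource_map.contains(qname) else USER_SIDE_DNS


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal A-record query; used only to build sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


# Constructed configuration as the VPN side DNS server might push it (shape assumed).
SAMPLE_CONFIG = json.dumps({"vpn_resource_domains": ["oa.corp.example", "git.corp.example"]})

if __name__ == "__main__":
    table = VpnResourceMap()
    table.load_config(SAMPLE_CONFIG)
    for host in ("OA.corp.example.", "www.example.com"):
        print(host, "->", select_upstream(build_query(host), table))
```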
Fig. 5 is a schematic diagram illustrating a VPN client proxy DNS resolution means according to an embodiment of the present disclosure. As shown in fig. 5, the VPN client proxy DNS resolving device includes: a DNS query request message receiving and parsing component 502, a query component 504, a forwarding component 506, and an acknowledgement component 508. The DNS query request receiving and analyzing component 502 is configured to receive and analyze a DNS query request message, and obtain a destination domain name of the DNS query request message; a query component 504, configured to query a VPN resource domain name Map table based on the destination domain name of the DNS query request packet, and determine whether the destination domain name of the DNS query request packet is included in the VPN resource domain name Map table, where the VPN resource domain name Map table includes a VPN resource domain name that can be DNS-resolved by a VPN-side DNS server; a forwarding component 506, configured to forward the DNS query request packet to a VPN side DNS server when a destination domain name of the DNS query request packet is queried in the VPN resource domain name Map table, or forward the DNS query request packet to a user side DNS server when a destination domain name of the DNS query request packet is not queried in the VPN resource domain name Map table; and a reply component 508 for replying with a DNS query response message for the DNS query request message received from the VPN side DNS server or the user side DNS server.
Optionally, the VPN client proxy DNS resolution apparatus according to the embodiment of the present disclosure further includes: a configuration receiving component 510, a configuration parsing component 512, and a VPN resource domain name Map table generating component 514. The configuration receiving component 510 is configured to receive a configuration containing a VPN resource domain name sent from a VPN side DNS server that is authenticated to be connected to the configuration receiving component, where the VPN resource domain name is obtained by the VPN side DNS server through calculation based on a VPN resource issued by a VPN user; a configuration parsing component 512 for parsing the received configuration; a VPN resource domain name Map table generating component 514, configured to generate a VPN resource domain name Map table based on the parsed VPN resource domain name.
Optionally, the configuration receiving component 510 also periodically receives a new configuration containing VPN resource domain names from the VPN side DNS server, and the configuration parsing component 512 parses it, so that the VPN resource domain name Map table generating component 514 updates the VPN resource domain name Map table from the VPN resource domain names obtained by parsing the new configuration.
Optionally, in the VPN client proxy DNS resolution apparatus of the embodiment of the present disclosure, the configuration containing the VPN resource domain names is pushed to the VPN client synchronously in JSON format.
Optionally, in the VPN client proxy DNS resolution apparatus of the embodiment of the present disclosure, the new configuration containing VPN resource domain names is the configuration that results after the VPN side DNS server adds, deletes or modifies some of the VPN resource domain names.
In summary, with the VPN client proxy DNS resolution method and apparatus, no network card priority needs to be set: the VPN client listens on a local port and proxies all DNS query requests of the local machine, thereby completing DNS resolution. Specifically, when the user side initiates a DNS query request, the VPN client receives the DNS request message and parses it; only when the destination domain name of the DNS request is detected to be a VPN resource domain name is the request forwarded across the VPN tunnel to the VPN side DNS server for resolution, while a non-VPN resource domain name is resolved directly by the user side DNS server. This reduces the DNS traffic over the VPN tunnel and relieves the load on the VPN side DNS server. In addition, a non-VPN resource domain name does not need to be resolved by the VPN side DNS server, and the client does not wait for the VPN side DNS server to fail before resolving it through the user side DNS server; public network domain names are therefore resolved quickly, the user can access the network promptly, and the user experience is improved.
In general, the problem solved by the present disclosure is that on some operating systems the network card priority cannot be modified by the conventional method, so that after the VPN has connected normally the DNS server of the original network still takes priority over the DNS server on the VPN server side. A VPN resource domain name is then resolved to a public network address or not resolved at all, and the user cannot access the VPN resource correctly. If the VPN side DNS server does not support resolving public network domain names, the original network DNS server is used only after the VPN side DNS server has failed, so the domain name is resolved twice, resolution is slow, and the user experience suffers badly. If the VPN side DNS server does support resolving public network domain names, the IP it returns suffers from cross-operator and CDN problems, because the geographic location and the operator of the user differ from those of the DNS server the VPN uses. Moreover, all DNS requests sent by terminal applications go to the DNS server on the VPN server side, encrypted by the virtual network card and carried through the tunnel, which increases cross-network VPN traffic and consumes a large amount of DNS server resources. Therefore, after the VPN client starts, it listens on local port 53 to proxy DNS request messages, saves the DNS address of the user side network DNS server, and, once authentication with the VPN server has passed, sets the DNS of both the physical network card and the virtual network card to 127.0.0.1. The VPN server pushes the resource domain names published by the VPN to the VPN client, multiple domain names being supported, and the VPN client stores the domain names published by the VPN in its domain name map table.
When a user side application initiates a DNS request, the VPN client process receives the DNS request message, parses it, and looks up the parsed domain name in the domain name map table. If the domain name is found, the request must be forwarded to the DNS server on the VPN server side for resolution; if not, it must be resolved by the user side DNS server. The VPN client then acts as a DNS client and forwards the DNS request to the corresponding DNS server, and when that DNS server returns a DNS response message, the response is forwarded to the application, completing the DNS request resolution.
Specifically, the present disclosure comprises two flows: the synchronization flow for the resource domain names published by the VPN server, and the DNS request resolution flow. Synchronization flow for the resource domain names published by the VPN server: a VPN generally publishes resources in one of two ways, by IP address or by domain name, and since a domain name requires DNS resolution, the resources published by the VPN server must be synchronized to the VPN client in real time. The VPN server computes the published resource domain names from the resources published by the user and stores them for publication. After the VPN client connects to the VPN server and authentication passes, the VPN server pushes the resource domain names published by the VPN to the VPN client. On receiving the pushed configuration, the VPN client parses it and stores the domain names published by the VPN in its domain name map table, with the domain name as the key and 1 as the value. Consequently, when the VPN client receives a DNS request message it first searches the domain name map table by domain name, and if the domain name is found the DNS request message is forwarded to the VPN DNS server for resolution. For example, if the VPN server publishes the three resource domain names oa.myvpn.com, mail.myvpn.com and hr.myvpn.com, these resources are synchronized to the client in JSON format.
The VPN server side program periodically checks the published resource domain names. If they have changed, for instance because some resource domain names were added, modified or deleted, the published resource domain names are synchronized to the VPN client in real time; on receiving the configuration, the VPN client clears the data in its domain name map table and adds the published resource domain names to the table afresh. DNS request resolution flow: the VPN client starts and listens on local port 53 to proxy DNS request messages, then saves the DNS address of the user side network DNS server and sets the DNS of the physical network card and the virtual network card to 127.0.0.1. When a user side application initiates a DNS request, the DNS request message is sent to local port 53, and the VPN client receives it through UDP Socket 1. The VPN client parses the DNS request message, decodes the DNS message data, extracts the domain name, and looks it up in the domain name map table. If the domain name is found, it is a domain name resource published by the VPN server: the VPN client creates a new UDP Socket 2, sends the DNS request message through UDP Socket 2 over the tunnel established by the VPN virtual network card to the VPN side DNS server, the VPN side DNS server replies with a response message, and the VPN client receives the DNS reply through UDP Socket 2 and sends it to the client application through UDP Socket 1. If the domain name is not found, it is not a resource domain name published by the VPN and must be resolved by the user side DNS server: the VPN client acts as the DNS client, creates a new UDP Socket 2, and sends the DNS request message to the user side DNS server through UDP Socket 2.
The user side DNS server replies with a response message, and the VPN client receives the DNS reply through UDP Socket 2 and sends it to the user side application through UDP Socket 1. With this scheme no network card priority needs to be set; the VPN client listens on local port 53, proxies all DNS requests of the local machine, and completes DNS request resolution. This avoids the errors in accessing VPN intranet resources caused by the DNS server preference mechanism of some operating systems, without affecting access to public network domain names. In addition, because the VPN resource domain names are pushed to the VPN client, when a user side application initiates a DNS request the VPN client process receives the DNS request message and detects whether the domain name being resolved is a VPN resource domain name or some other domain name; only VPN resource domain names are forwarded across the VPN tunnel to the DNS server on the VPN server side for resolution, while other domain names are resolved directly by the user side DNS server, which reduces the DNS traffic over the VPN tunnel and relieves the load on the VPN side DNS server.
A non-VPN resource domain name such as a public network domain name is resolved without the DNS server on the VPN server side and without waiting for that server's resolution to fail; it is resolved directly by the user side DNS server, so public network domain names resolve quickly, the user can access the network promptly, and the user experience is improved.
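The two flows described above, as an added Python sketch (editor's code, not the patent's): it rebuilds the map table from a constructed JSON push, extracts the question name from a DNS query, picks the VPN side or user side resolver by exact table lookup, and relays through two UDP sockets as the text describes. The JSON key name and the upstream addresses are assumptions, and the transaction-ID/question pairing check on replies is this editor's addition rather than a step the page states.

```python
import json
import socket
import struct

# Constructed sample of the JSON the VPN server pushes. The page names the format
# (JSON) and these three domains but not the schema, so the key name is assumed.
SAMPLE_CONFIG = '{"domains": ["oa.myvpn.com", "mail.myvpn.com", "hr.myvpn.com"]}'

# Assumed upstream addresses; the page only fixes the local listener, 127.0.0.1:53.
VPN_DNS = ("10.0.0.53", 53)     # VPN-side DNS server, reached through the tunnel
USER_DNS = ("192.168.1.1", 53)  # user-side DNS server saved before the VPN came up

def build_map_table(config_json):
    """Rebuild the map table from a pushed configuration, replacing it wholesale
    as the sync flow does: each domain is a key (lower-cased, no trailing dot), value 1."""
    return {d.lower().rstrip("."): 1 for d in json.loads(config_json)["domains"]}

def parse_question(msg):
    """Return (transaction id, is_response, qname) from a DNS message (RFC 1035).
    Compression pointers are rejected: a question name never needs them, and a
    crafted one must not make the proxy loop or read out of bounds."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated QNAME")
        n = msg[pos]
        if n & 0xC0:
            raise ValueError("compression pointer in QNAME")
        pos += 1
        if n == 0:
            break
        labels.append(msg[pos:pos + n].decode("ascii").lower())
        pos += n
    return txid, bool(flags & 0x8000), ".".join(labels)

def choose_upstream(qname, map_table):
    """Map table hit -> VPN-side DNS, miss -> user-side DNS (exact key lookup)."""
    return VPN_DNS if qname in map_table else USER_DNS

def response_matches(query, response):
    """Relay an upstream reply only if it is a response carrying the same
    transaction ID and question as the query. This pairing check is an
    editor's addition, not a step the page describes."""
    try:
        q_id, q_resp, q_name = parse_question(query)
        r_id, r_resp, r_name = parse_question(response)
    except ValueError:
        return False
    return (not q_resp) and r_resp and q_id == r_id and q_name == r_name

def encode_query(txid, qname, qtype=1):
    """Build a minimal standard query (RD set, one question); used by the test."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                    for lab in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)

def serve(map_table, listen=("127.0.0.1", 53)):
    """Proxy loop: UDP Socket 1 takes local queries, a fresh UDP Socket 2 per
    query talks to the chosen upstream, and the reply goes back via Socket 1."""
    sock1 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock1.bind(listen)  # loopback only, so the proxy never becomes an open resolver
    while True:
        query, client = sock1.recvfrom(4096)
        try:
            _, _, qname = parse_question(query)
        except ValueError:
            continue  # drop malformed input instead of forwarding it upstream
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock2:
            sock2.settimeout(3)
            sock2.sendto(query, choose_upstream(qname, map_table))
            try:
                reply, _ = sock2.recvfrom(4096)
            except socket.timeout:
                continue
        if response_matches(query, reply):
            sock1.sendto(reply, client)
```

Running `serve(build_map_table(SAMPLE_CONFIG))` needs the privilege to bind port 53. Because the lookup is by exact key, a subdomain of a published name such as dev.oa.myvpn.com goes to the user side resolver, which a deployment must account for when publishing names.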
The basic principles of the present disclosure have been described in connection with specific embodiments. It should be noted, however, that those skilled in the art will understand that all or any of the steps or components of the method and apparatus of the present disclosure may be implemented in any computing device (including processors, storage media, etc.) or network of computing devices, in hardware, firmware, software or a combination thereof, and that those skilled in the art can do so using their basic programming skills after reading the description of the present disclosure.
Thus, the objects of the present disclosure may also be achieved by running a program or a set of programs on any computing device. The computing device may be a general purpose device as is well known. Thus, the object of the present disclosure can also be achieved merely by providing a program product containing program code for implementing the method or apparatus. That is, such a program product also constitutes the present disclosure, and a storage medium storing such a program product also constitutes the present disclosure. It is to be understood that the storage medium may be any known storage medium or any storage medium developed in the future.
It is also noted that in the apparatus and methods of the present disclosure, it is apparent that individual components or steps may be disassembled and/or re-assembled. These decompositions and/or recombinations are to be considered equivalents of the present disclosure. Also, the steps of executing the series of processes described above may naturally be executed chronologically in the order described, but need not necessarily be executed chronologically. Some steps may be performed in parallel or independently of each other.
The above detailed description should not be construed as limiting the scope of the disclosure. Those skilled in the art will appreciate that various modifications, combinations, sub-combinations, and substitutions can occur, depending on design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present disclosure should be included in the scope of protection of the present disclosure.

Claims (10)

1. A VPN client proxy DNS resolution method, comprising:
receiving and parsing a DNS query request message, and obtaining a destination domain name of the DNS query request message;
querying a VPN resource domain name Map table based on the destination domain name of the DNS query request message, and determining whether the destination domain name of the DNS query request message is contained in the VPN resource domain name Map table, wherein the VPN resource domain name Map table contains VPN resource domain names that can be DNS-resolved by a VPN side DNS server;
when the destination domain name of the DNS query request message is found in the VPN resource domain name Map table, forwarding the DNS query request message to the VPN side DNS server, or when the destination domain name of the DNS query request message is not found in the VPN resource domain name Map table, forwarding the DNS query request message to a user side DNS server; and
responding with the DNS query response message for the DNS query request message received from the VPN side DNS server or the user side DNS server.
2. The VPN client proxy DNS resolution method according to claim 1, further comprising:
the VPN client receiving a configuration containing VPN resource domain names sent by a VPN side DNS server to which the VPN client has connected and authenticated, wherein the VPN resource domain names are computed by the VPN side DNS server from VPN resources published by a VPN user; and
the VPN client parsing the received configuration and generating the VPN resource domain name Map table based on the VPN resource domain names obtained by parsing.
3. The VPN client proxy DNS resolution method according to claim 2, further comprising:
the VPN client periodically receiving a new configuration containing VPN resource domain names from the VPN side DNS server, and updating the VPN resource domain name Map table based on the VPN resource domain names obtained by parsing the new configuration.
4. The VPN client proxy DNS resolution method according to claim 2 or 3, wherein the configuration containing VPN resource domain names is pushed to the VPN client synchronously in JSON format.
5. The VPN client proxy DNS resolution method according to claim 3, wherein the new configuration containing VPN resource domain names is the configuration obtained after the VPN side DNS server adds, deletes or modifies some of the VPN resource domain names.
6. A VPN client proxy DNS resolution apparatus, comprising:
a DNS query request message receiving and parsing component, configured to receive and parse a DNS query request message and obtain a destination domain name of the DNS query request message;
a query component, configured to query a VPN resource domain name Map table based on the destination domain name of the DNS query request message and determine whether the destination domain name of the DNS query request message is contained in the VPN resource domain name Map table, wherein the VPN resource domain name Map table contains VPN resource domain names that can be DNS-resolved by a VPN side DNS server;
a forwarding component, configured to forward the DNS query request message to the VPN side DNS server when the destination domain name of the DNS query request message is found in the VPN resource domain name Map table, or to forward the DNS query request message to a user side DNS server when the destination domain name of the DNS query request message is not found in the VPN resource domain name Map table; and
a response component, configured to respond with the DNS query response message for the DNS query request message received from the VPN side DNS server or the user side DNS server.
7. The VPN client proxy DNS resolution apparatus according to claim 6, further comprising:
a configuration receiving component, configured to receive a configuration containing VPN resource domain names sent by a VPN side DNS server to which the apparatus has connected and authenticated, wherein the VPN resource domain names are computed by the VPN side DNS server from VPN resources published by a VPN user;
a configuration parsing component, configured to parse the received configuration; and
a VPN resource domain name Map table generating component, configured to generate the VPN resource domain name Map table based on the VPN resource domain names obtained by parsing.
8. The VPN client proxy DNS resolution apparatus according to claim 7, wherein
the configuration receiving component also periodically receives a new configuration containing VPN resource domain names from the VPN side DNS server, and the configuration parsing component also parses the new configuration containing VPN resource domain names, so that the VPN resource domain name Map table generating component updates the VPN resource domain name Map table based on the VPN resource domain names obtained by parsing the new configuration.
9. The VPN client proxy DNS resolution apparatus according to claim 7 or 8, wherein the configuration containing VPN resource domain names is pushed to the VPN client synchronously in JSON format.
10. The VPN client proxy DNS resolution apparatus according to claim 8, wherein the new configuration containing VPN resource domain names is the configuration obtained after the VPN side DNS server adds, deletes or modifies some of the VPN resource domain names.
CN202210171349.6A 2022-02-24 2022-02-24 VPN client proxy DNS analysis method and device Active CN114553827B (en)

Publications (2)

Publication Number Publication Date
CN114553827A true CN114553827A (en) 2022-05-27
CN114553827B CN114553827B (en) 2023-10-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant