CN105144642A - DNS server device, network machine, communication system, and communication method - Google Patents


Info

Publication number: CN105144642A
Authority: CN (China)
Prior art keywords: network machine, domain name, communication address, network, DNS server
Legal status: Granted
Application number: CN201480016873.XA
Other languages: Chinese (zh)
Other versions: CN105144642B (en)
Inventors: 荻野秀岳, 广濑良太
Current assignee: Yamaha Corp
Original assignee: Yamaha Corp
Application filed by Yamaha Corp
Publication of CN105144642A
Application granted
Publication of CN105144642B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/64 Hybrid switching systems
    • H04L12/6418 Hybrid transport

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The purpose is to make it possible to achieve highly confidential data communication by using a VPN without forcing an excessive workload on a network machine user or a network manager. A DNS server device is made to execute a process in which the network machines whose domain names and communication addresses are stored in the management table of the host device are grouped by upper domain, and each network machine in a group to which a plurality of network machines belong is notified of the communication addresses of the other network machines in the same group, those communication addresses being the destinations for establishing a virtual communication path.

Description

DNS server device, network machine, communication system, and communication method
Technical field
The present invention relates to a technique that uses a virtual private network (VPN) to ensure the confidentiality of data communication.
Background art
A VPN is a communication technique that ensures the confidentiality of data communication by establishing, between network machines (such as routers) on a public network (such as the Internet), a virtual communication path used for encrypted communication. Compared with connecting the network machines by a leased line, a VPN ensures the confidentiality of data communication while keeping cost down.
When confidentiality is ensured by establishing a VPN, each network machine must be configured with the communication address of the network machine at the other site that is the destination for establishing the virtual communication path. Before the VPN is established, the network machines that will join the VPN must also be selected and their communication addresses checked. In the prior art this work is performed manually by the network manager, which adds to the network manager's workload. Various techniques for reducing the network manager's workload have therefore been proposed; examples include the techniques disclosed in Patent Document 1 and Patent Document 2.
In the technique disclosed in Patent Document 1, an inter-location VPN is established automatically by registering information on a VPN connecting device in a VPN connection management device and having the VPN connection management device authenticate that VPN connecting device. In more detail, by registering the network address and identifier of the VPN connecting device in the VPN connection management device, the VPN connection management device can, even when the Internet Protocol (IP) address of the VPN connecting device changes, notify the VPN connecting device of the procedure for disconnecting the already established VPN connection and of the information needed to reconnect using the new IP address, so that the VPN connection is re-established automatically. In the technique disclosed in Patent Document 2, a control VPN is established using IPsec between a router and a control server installed at a specific location; the VPN connection settings for the router installed at another location are obtained from the control server via the control VPN, and each router establishes a VPN according to those VPN connection settings.
Reference list
Patent literature
Patent Document 1: JP-A-2006-166028
Patent Document 2: JP-A-2005-012485
Summary of the invention
Technical problem
In the technique disclosed in Patent Document 1, the network machines (VPN connecting devices) that will join the VPN must be selected, and the information on each VPN connecting device must be registered in the VPN connection management device in advance, so the time and effort needed for the selection work is not reduced. In the technique disclosed in Patent Document 2, a control VPN must be established between the router at each location and the control server. The various items of information (such as passwords) for establishing the control VPN with the control server must therefore be set in advance in the router at each location, and the information for establishing the control VPN must also be set in the control server. The technique disclosed in Patent Document 2 thus creates new work, and whether the network manager's overall workload is reduced remains open to question.
The present invention was made in view of these problems, and its object is to provide a technique that achieves highly confidential data communication using a VPN while reducing the network manager's workload.
Solution to the problem
To solve the problem, the invention provides a domain name system (DNS) server device that includes a management table in which one or more domain names assigned to network machines are stored in association with the communication addresses assigned to those network machines, and that provides a domain name service by referring to the management table. The DNS server device includes a grouping device, which groups the network machines whose domain names and communication addresses are stored in the management table by the upper domain contained in each network machine's domain name, thereby producing a plurality of groups; and an establishment-destination notifying device, which performs an establishment-destination notification process that notifies each network machine in a group to which a plurality of network machines belong, among the groups produced by the grouping device, of the communication address of another network machine belonging to that group as the destination for establishing a virtual communication path.
Various timings for performing the establishment-destination notification process can be considered. For example, the process may be performed each time a set of a communication address and a domain name is registered in the management table. In that case, merely registering in the DNS server the domain name and communication address of each network machine that is to join the VPN establishes the virtual communication paths between the network machines, and hence the VPN, without the network manager performing any particular work. In addition to (or instead of) performing the establishment-destination notification process each time a set of a communication address and a domain name is registered in the management table, the establishment-destination notifying device may, in response to a request from a network machine, notify each network machine in the group to which the requesting machine belongs of the communication address of another network machine as the destination for establishing the virtual communication path. As a further aspect of the invention, a program may be provided that makes a computer function as the DNS server device and each of the devices in it.
When a full-mesh VPN is established, each network machine belonging to a group that includes a plurality of network machines sharing the same upper domain (the upper domain being obtained by removing the device-specific device unique identifier from the domain name) may be notified of the communication addresses of all other network machines in that group as destinations for establishing virtual communication paths. When a hub-and-spoke VPN is established, any one of the plurality of network machines sharing the same upper domain may be elected as the hub network machine; the hub network machine is notified of the communication addresses of all other network machines as destinations for establishing virtual communication paths, and each of the other network machines is notified of the communication address of the hub network machine. Various ways of selecting the hub network machine can be considered, for example electing the network machine with the newest communication address, or electing the network machine with the highest processing ability or the lowest processing load.
To solve the problem, the invention also provides a network machine that includes a device information transmitting device, which transmits the communication address and domain name assigned to the network machine to a domain name system (DNS) server device so that the communication address and domain name are stored in the DNS server device; and a virtual communication path establishing device, which establishes a virtual communication path between the network machine and another network machine based on the communication address of the other network machine notified by the DNS server device. When such a network machine is installed at each site and connected to a public network such as the Internet, and the DNS server device of the invention is connected to the same public network, each network machine belonging to a group that includes a plurality of network machines is notified of the communication address of another network machine in that group as the destination for establishing a virtual communication path.
Brief description of the drawings
Fig. 1 is a diagram showing an example of the configuration of a communication system 1 according to an embodiment of the invention.
Fig. 2 is a block diagram showing an example of the configuration of the DNS server device 10 included in communication system 1.
Fig. 3A shows an example of the management table 144b stored in the non-volatile memory unit 144 of DNS server device 10.
Fig. 3B shows another example of the management table 144b stored in the non-volatile memory unit 144 of DNS server device 10.
Fig. 4A shows an example of the network topology of a VPN (mesh VPN) established under the control of DNS server device 10.
Fig. 4B shows an example of the network topology of a VPN (hub-and-spoke VPN) established under the control of DNS server device 10.
Fig. 5 is a block diagram showing an example of the configuration of the network machines 20A and 20B included in communication system 1.
Fig. 6 is a flow chart showing the flow of communication in communication system 1 and the operations of DNS server device 10, network machine 20A and network machine 20B.
Fig. 7 shows an example of the management table 144b stored in the non-volatile memory unit 144 of DNS server device 10 after the operations described above.
Fig. 8A is a diagram showing modified example (3).
Fig. 8B is a table showing modified example (3).
Embodiments
Embodiments of the invention are described below with reference to the drawings.
(A: Configuration)
Fig. 1 is a diagram showing an example of the configuration of a communication system 1 according to an embodiment of the invention.
Communication system 1 includes a DNS server device 10, a network machine 20A and a network machine 20B. DNS server device 10, network machine 20A and network machine 20B are connected to a communication network 30, which is a public network such as the Internet.
DNS server device 10 is a computer device operated and managed by a DNS provider to provide a domain name system (DNS; that is, a service that converts a domain name transmitted from a client device into the IP address of the network machine to which that domain name is assigned and returns that IP address). A domain name is a character string obtained by joining, with a predetermined delimiter (such as a period), a string representing the name of the network machine with strings representing, for example, the name, type or country of the organization (such as a company, school or public body) that operates the network machine. In the following, the part of a domain name that represents the network machine's name is called the device unique identifier, and the remaining part is called the upper domain.
Network machines 20A and 20B are routers operated and managed by the organization that uses the DNS (a company in this embodiment), and they are installed at the organization's respective sites, such as the company's head office and a branch office. Each of network machines 20A and 20B connects the local area network (LAN, not shown in Fig. 1) at the site where it is installed to communication network 30, thereby forming the company's internal information system. In this embodiment the confidentiality of data communication in the company's internal information system is ensured by establishing a virtual communication path between network machines 20A and 20B, that is, by establishing a VPN. Because network machine 20A has the same configuration as network machine 20B, the two are referred to simply as "network machine 20" when they need not be distinguished.
A global IP address that uniquely identifies the network machine on communication network 30 (hereinafter simply "IP address") is dynamically assigned by PPPoE to the communication interface unit on the communication network 30 side of network machine 20. A domain name is assigned to network machine 20 by the company's network manager. As mentioned above, the domain name consists of a device unique identifier specific to network machine 20 and an upper domain representing the name of the organization that owns the network machine. The domain name and IP address are registered in DNS server device 10, which is the purpose of the DNS. The feature of this embodiment is that DNS server device 10 and network machine 20 perform processing specific to the invention, so that the virtual communication path between network machines 20A and 20B, and hence the VPN, can be established easily. The following description focuses on DNS server device 10 and network machine 20, which show the features of this embodiment most clearly.
Fig. 2 is a block diagram showing an example of the configuration of DNS server device 10.
As shown in Fig. 2, DNS server device 10 includes a control unit 110, a communication interface (abbreviated "I/F" below) unit 120, a user I/F unit 130, a memory unit 140, and a bus 150 that relays the data exchanged between these components. Control unit 110 is, for example, a central processing unit (CPU). Control unit 110 executes a server program 144a stored in memory unit 140 (more precisely, in non-volatile memory unit 144) and thereby serves as the control center of DNS server device 10. The processing that control unit 110 performs according to server program 144a is described later.
Communication I/F unit 120 is, for example, a network interface card (NIC) connected to communication network 30. Communication I/F unit 120 receives data blocks transmitted over communication network 30 and passes them to control unit 110, and transmits the data blocks handed over by control unit 110 to communication network 30. Examples of such data blocks are packets transmitted or received according to IP. User I/F unit 130 includes a display device (such as a liquid crystal display) and an input device (such as a keyboard or mouse). The display device of user I/F unit 130 shows an input screen for entering the domain name or IP address of a network machine that is a user of the DNS. Through the input device of user I/F unit 130, the operation manager enters various instructions, domain names or IP addresses. In this embodiment both the display device and the input device are included in user I/F unit 130, but either of them (or both) may be a separate device connected to DNS server device 10.
As shown in Fig. 2, memory unit 140 includes a volatile memory unit 142 and a non-volatile memory unit 144. Volatile memory unit 142 is, for example, random access memory (RAM), and is used by control unit 110 as a working area when executing various programs. Non-volatile memory unit 144 is, for example, a hard disk. Server program 144a and management table 144b are stored in non-volatile memory unit 144.
Fig. 3A shows an example of management table 144b. As shown in Fig. 3A, for each upper domain, the device unique identifier contained in the domain name of each network machine having that upper domain, the IP address of that network machine, and the password used when authenticating whether the network machine is a user of the DNS are grouped together and stored in management table 144b. In this embodiment the DNS service described above is provided based on the contents of management table 144b. For example, when a packet querying the IP address of the network machine with the domain name "router1.company.example.jp" is received from a client device, DNS server device 10 returns a packet whose payload carries the IP address stored in management table 144b in association with the upper domain "company.example.jp" and the device unique identifier "router1" ("A.A.A.A" in the example of Fig. 3A).
The various items of information about a network machine (upper domain, device unique identifier, IP address and password) are registered in management table 144b in the following steps. When the DNS provider receives an application from a DNS user to register an upper domain, the provider checks the predetermined registration requirements, namely whether an identical upper domain has already been registered and whether the applied-for upper domain offends public order and morals, and, when the requirements are met, generates a password to be issued to the user. The DNS provider writes the password and the upper domain to management table 144b in association with each other, writes the password into a document notifying completion of registration, and returns that document to the applicant. Thereafter, DNS server device 10 performs a device information registration process each time it receives a registration request packet from a network machine of the applicant (that is, the DNS user). The payload of the registration request packet carries the network machine's domain name and an authentication string, which is an encrypted character string produced from the domain name and the password by a predetermined one-way hash function. In the device information registration process, control unit 110 first reads the domain name and the authentication string from the payload of the received registration request packet and uses them to authenticate the sender. The details of this authentication are described together with server program 144a. When the authentication result shows that the sender is a user of the DNS, control unit 110 writes the device unique identifier contained in the domain name and the source address of the packet to management table 144b in association with the upper domain contained in the domain name. All of the information needed to provide the DNS (device unique identifier, upper domain and IP address) is thereby obtained, and the DNS can be provided for the network machine having that information.
Fig. 3B shows another specific example of management table 144b. The management table 144b of Fig. 3B differs from that of Fig. 3A in that the IP address and password of each network machine that is a user of the DNS are stored in association with the network machine's full domain name, like the management table of a general DNS server. Either the table structured as in Fig. 3A or the table structured as in Fig. 3B may be used as management table 144b; this embodiment uses the structure of Fig. 3A. Although not shown in detail in Fig. 3A, address range information is also stored in management table 144b in association with the information about each network machine (that is, upper domain, device unique identifier, IP address and password). Address range information represents the IP address range, uniquely specified by the DNS server, that is used in the LAN controlled by the network machine.
Server program 144a is software that makes control unit 110 implement the DNS. When power is applied to DNS server device 10 (power supply not shown), control unit 110 reads server program 144a from non-volatile memory unit 144 into volatile memory unit 142 and begins executing it. Operating according to server program 144a, control unit 110 performs four kinds of processing: a domain registration process, a device information registration process, an address resolution process, and an establishment-destination notification process.
The domain registration process is a process by which the operation manager or similar registers the upper domain applied for by a DNS user together with the password described above. Control unit 110, operating according to server program 144a, starts the domain registration process in response to an instruction to start it entered via user I/F unit 130. In the domain registration process, control unit 110 displays on the display device an input screen requesting entry of an upper domain and a password, and writes the upper domain and password entered via user I/F unit 130 to management table 144b in association with each other. When a table structured as in Fig. 3B is used as management table 144b, control unit 110 may instead perform, as the domain registration process, a process that requires the DNS user to register a domain name including the device unique identifier rather than an upper domain, and writes that domain name and the password to management table 144b in association with each other.
As mentioned above, the device information registration process is performed in response to receiving a registration request packet via communication I/F unit 120. When control unit 110 receives a registration request packet via communication I/F unit 120, it reads the domain name and authentication string written in the packet's payload and authenticates whether the network machine that sent the packet is a device of a DNS user.
Specifically, control unit 110 searches management table 144b using the upper domain contained in the domain name read from the payload of the received registration request packet as the search key, and obtains the password corresponding to that upper domain. Control unit 110 then generates an authentication string from the domain name and the password using the one-way hash function described above (that is, the same one-way hash function used in the network machine). Control unit 110 compares the authentication string generated in this way with the authentication string read from the payload of the received registration request packet, and authenticates the sender of the registration request packet as a DNS user when the two match. When the authentication result shows that the sender is a DNS user, control unit 110 writes the source address in the header portion of the received registration request packet and the device unique identifier contained in the domain name to management table 144b in association with the corresponding set of upper domain and password. Because this embodiment uses a table structured as in Fig. 3A as management table 144b, performing the device information registration process groups the domain names and communication addresses of the network machines by upper domain and stores them in management table 144b. That is, server program 144a in this embodiment makes control unit 110 serve as the grouping device that performs the grouping operation. When a table structured as in Fig. 3B is used as management table 144b, only the IP address is registered according to the authentication result, and the grouping operation described above may be performed as preprocessing when the establishment-destination notification process described below is performed.
The address resolution process provides the DNS (that is, the service that converts a domain name transmitted from a client device into the IP address of the network machine to which the domain name is assigned and returns that IP address) based on the contents of management table 144b. Because this address resolution process does not differ in particular from that of an existing DNS server, its detailed description is omitted.
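The device information registration process, the domain registration process and the address resolution lookup described above, as an added Python example that is not part of the patent or of any Yamaha implementation. It models management table 144b in the Fig. 3A layout; the one-way hash (SHA-256 over "domain:password"), the passwords and the RFC 5737 test addresses are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def authentication_string(domain_name: str, password: str) -> str:
    """Authentication string carried in the registration request payload.
    The patent only says 'a predetermined one-way hash function'; SHA-256 over
    'domain_name:password' is this example's assumption. The same function must
    run on the network machine and on the DNS server device."""
    return hashlib.sha256(f"{domain_name}:{password}".encode()).hexdigest()


def split_domain(domain_name: str) -> Tuple[str, str]:
    """'router1.company.example.jp' -> ('router1', 'company.example.jp'):
    first label = device unique identifier, remainder = upper domain."""
    device_id, _, upper_domain = domain_name.partition(".")
    if not device_id or not upper_domain:
        raise ValueError(f"malformed domain name: {domain_name!r}")
    return device_id, upper_domain


@dataclass
class Registration:
    ip: str                               # source address taken from the packet header
    address_range: Optional[str] = None   # LAN range behind the machine (Fig. 3A)


@dataclass
class ManagementTable:
    """Management table 144b in the Fig. 3A layout: entries grouped by upper domain."""
    passwords: Dict[str, str] = field(default_factory=dict)   # upper domain -> password
    groups: Dict[str, Dict[str, Registration]] = field(default_factory=dict)

    def register_domain(self, upper_domain: str, password: str) -> None:
        """Domain registration process: the operator stores the upper domain
        together with the password issued to the DNS user."""
        self.passwords[upper_domain] = password
        self.groups.setdefault(upper_domain, {})

    def register_device(self, source_ip: str, domain_name: str,
                        auth_string: str, address_range: Optional[str] = None) -> bool:
        """Device information registration process. Returns True only when the
        registration request packet authenticates and the entry was stored."""
        device_id, upper_domain = split_domain(domain_name)
        password = self.passwords.get(upper_domain)
        if password is None:
            return False   # upper domain never registered: nothing to check against
        expected = authentication_string(domain_name, password)
        if not hmac.compare_digest(expected, auth_string):
            return False   # wrong password: the source address is not learned
        self.groups[upper_domain][device_id] = Registration(source_ip, address_range)
        return True

    def resolve(self, domain_name: str) -> Optional[str]:
        """Address resolution process: domain name -> IP address, or None."""
        device_id, upper_domain = split_domain(domain_name)
        entry = self.groups.get(upper_domain, {}).get(device_id)
        return entry.ip if entry else None

    def multi_member_groups(self) -> Dict[str, Dict[str, Registration]]:
        """Groups that are targets of the establishment-destination notification:
        only groups with two or more network machines."""
        return {u: m for u, m in self.groups.items() if len(m) >= 2}


def build_registration_request(domain_name: str, password: str, source_ip: str) -> dict:
    """What network machine 20 sends: a header source address and a payload with the
    domain name and the authentication string. The password itself is never sent."""
    return {"src": source_ip,
            "payload": {"domain": domain_name,
                        "auth": authentication_string(domain_name, password)}}


def demo() -> ManagementTable:
    """Constructed sample using the upper domains named in Fig. 3A."""
    table = ManagementTable()
    table.register_domain("company.example.jp", "pw-company")        # constructed passwords
    table.register_domain("university.example.jp", "pw-university")
    requests = [
        ("router1.company.example.jp", "pw-company", "192.0.2.10", "10.1.0.0/24"),
        ("place1.university.example.jp", "pw-university", "198.51.100.1", "10.2.0.0/24"),
        ("place2.university.example.jp", "pw-university", "198.51.100.2", "10.3.0.0/24"),
    ]
    for domain, pw, ip, lan in requests:
        req = build_registration_request(domain, pw, ip)
        table.register_device(req["src"], req["payload"]["domain"], req["payload"]["auth"], lan)
    return table


if __name__ == "__main__":
    t = demo()
    print(t.resolve("router1.company.example.jp"))   # 192.0.2.10
    print(sorted(t.multi_member_groups()))           # ['university.example.jp']
```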
The establishment-destination notification process is performed each time a set of a domain name and an IP address is registered in management table 144b (in this embodiment, each time the device information registration process is performed). In the establishment-destination notification process, control unit 110 takes as the processing target a group to which a plurality of network machines belong (the group in which the number of network machines has increased or decreased, or the group that includes the network machine whose device information has changed), and notifies each network machine belonging to the target group of the communication address of another network machine in that group as the destination for establishing a virtual communication path. That is, server program 144a in this embodiment makes control unit 110 serve as the establishment-destination notifying device that performs the establishment-destination notification process, which shows the features of this embodiment most clearly. When a table structured as in Fig. 3B is used as management table 144b, grouping by upper domain may be performed after the device information registration process, and the establishment-destination notification process performed after that.
For example, when the contents of management table 144b are as shown in Fig. 3A as a result of the address registration process, control unit 110 notifies only the network machines with the upper domain "university.example.jp" of the destinations for establishing virtual communication paths. This is because there is only one network machine with the upper domain "company.example.jp" and only one network machine with the upper domain "club.example.jp".
Various ways of notifying the network machines with the upper domain "university.example.jp" of the destinations for establishing virtual communication paths can be considered. For example, when a mesh VPN as shown in Fig. 4A is established, each network machine may be notified of the IP addresses and address range information of all other network machines belonging to the same group. When a hub-and-spoke VPN as shown in Fig. 4B is established, the network machine at the hub of the VPN (the network machine whose device unique identifier is place1 in the example of Fig. 4B) may be notified of the IP addresses and address range information of all other network machines in the same group, and each of the other network machines may be notified of the IP address and address range information of the hub network machine.
Various ways of selecting the network machine at the hub of the hub-and-spoke VPN can also be considered. For example, the network machine with the newest IP address may be selected, or the network machine whose device unique identifier is last in lexicographic order. Alternatively, network machine 20 may be made to write, in addition to the user name or password, information representing its processing ability or its processing load into the payload of the registration request packet before transmitting it; in the device information registration process, that information is written to management table 144b, and the network machine with the highest processing ability (or the lowest processing load) is selected as the hub of the hub-and-spoke VPN.
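The establishment-destination notification for the two topologies of Figs. 4A and 4B, with the three hub selection rules just listed, as an added Python example that is not the patent's own code. The group entries, addresses, address ranges and processing-ability values are constructed; "newest IP address" is modelled as the most recently registered entry, which is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Member:
    """One network machine's row in a group of management table 144b."""
    device_id: str
    ip: str
    address_range: str
    registered_seq: int       # registration order; stands in for "newest IP address" (assumption)
    processing_ability: int   # reported in the registration request payload (modified example)


# device id -> list of (ip, address_range) it is told to establish paths to
Peers = Dict[str, List[Tuple[str, str]]]


def full_mesh(members: List[Member]) -> Peers:
    """Fig. 4A: every machine learns every other machine in its group."""
    return {m.device_id: [(o.ip, o.address_range) for o in members if o is not m]
            for m in members}


def select_hub(members: List[Member], strategy: str) -> Member:
    """Hub election rules named in the description."""
    if strategy == "newest":
        return max(members, key=lambda m: m.registered_seq)
    if strategy == "lexicographic":
        return max(members, key=lambda m: m.device_id)
    if strategy == "ability":
        return max(members, key=lambda m: m.processing_ability)
    raise ValueError(f"unknown hub selection strategy: {strategy}")


def hub_and_spoke(members: List[Member], strategy: str) -> Peers:
    """Fig. 4B: the hub learns all spokes, each spoke learns only the hub."""
    hub = select_hub(members, strategy)
    peers: Peers = {hub.device_id: [(o.ip, o.address_range) for o in members if o is not hub]}
    for m in members:
        if m is not hub:
            peers[m.device_id] = [(hub.ip, hub.address_range)]
    return peers


def notification_process(groups: Dict[str, List[Member]], topology: str,
                         strategy: str = "newest") -> Dict[str, Peers]:
    """Establishment-destination notification over all groups of the table."""
    out: Dict[str, Peers] = {}
    for upper_domain, members in groups.items():
        if len(members) < 2:
            continue   # single-member group: nothing to notify (company/club in Fig. 3A)
        if topology == "mesh":
            out[upper_domain] = full_mesh(members)
        elif topology == "hub":
            out[upper_domain] = hub_and_spoke(members, strategy)
        else:
            raise ValueError(f"unknown topology: {topology}")
    return out


# Constructed groups with the upper domains of Fig. 3A and RFC 5737 test addresses.
SAMPLE_GROUPS: Dict[str, List[Member]] = {
    "company.example.jp": [Member("router1", "192.0.2.10", "10.1.0.0/24", 1, 4)],
    "club.example.jp": [Member("router1", "192.0.2.20", "10.9.0.0/24", 2, 4)],
    "university.example.jp": [
        Member("place1", "198.51.100.1", "10.2.0.0/24", 3, 8),
        Member("place2", "198.51.100.2", "10.3.0.0/24", 4, 2),
        Member("place3", "198.51.100.3", "10.4.0.0/24", 5, 6),
    ],
}

if __name__ == "__main__":
    for name, peers in notification_process(SAMPLE_GROUPS, "hub", "ability").items():
        print(name, peers)
```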
This concludes the description of the configuration of DNS server device 10.
Next, the configuration of network machine 20 is described with reference to Fig. 5.
As shown in Fig. 5, network machine 20 includes a control unit 210, a first communication I/F unit 220, a second communication I/F unit 230, a memory unit 240, and a bus 150 that relays the data exchanged between these components. Like control unit 110, control unit 210 is a CPU and serves as the control center of network machine 20. Like communication I/F unit 120, first communication I/F unit 220 and second communication I/F unit 230 are NICs. First communication I/F unit 220 is connected to communication network 30, and second communication I/F unit 230 is connected to the LAN at the site where network machine 20 is installed. Like memory unit 140, memory unit 240 includes a volatile memory unit 242 and a non-volatile memory unit 244.
A client program 244a is stored in non-volatile memory unit 244. Client program 244a makes control unit 210 perform the processing that implements the original functions of network machine 20 (in this embodiment, a setting support process that lets the network manager or similar set the various parameters for performing data communication on communication network 30, and a transmission control process based on packet destination addresses). Specific examples of the parameters for performing data communication on communication network 30 are the IP address of DNS server device 10, the domain name (device unique identifier and upper domain) assigned to network machine 20, and the password. The parameters set through the setting support process are stored in non-volatile memory unit 244. When power is applied to network machine 20 (power supply not shown), control unit 210 reads client program 244a from non-volatile memory unit 244 into volatile memory unit 242 and begins executing it. In addition to the setting support process and the transmission control process, control unit 210 operating according to client program 244a also performs a device information transmission process and a virtual communication path establishment process.
The setting support process is performed in response to a parameter setting instruction from another computer device (such as a personal computer) connected to the LAN to which network machine 20 is connected, and the transmission control process is performed in response to receiving a packet via first communication I/F unit 220 or second communication I/F unit 230. Because the setting support process and the transmission control process do not differ greatly from the corresponding processes of a generic router, their detailed description is omitted.
Device information transmission process is in response to the instruction and the process performed transmitted above-mentioned registration request bag.Another computer installation that can be connected from the LAN be connected with net machine 20 provides this transfer instruction via described LAN.In this device information transmission process, control unit 210 produces registration request bag as above, and utilizes the first communication I/F unit 220 that described registration request bag is transferred to communication network 30.Using the IP address of the dns server device 10 as transmission destination address and the header portion writing registration request bag as the IP address utilizing PPPoE etc. to be assigned to the first communication I/F unit 220 of transmission sources address.The Payload part that registration request bag write by the string data of the domain name of net machine 20 and password is assigned to by representing.
It is such process that virtual communication path sets up process, network manager is presented to as the destination of setting up of virtual communication path in its IP address notified by dns server device 10, network manager is arranged the multiple different parameter used when utilizing and set up destination to set up virtual communication path, and sets up virtual communication path according to described parameter.Each by dns server device 10 notify virtual communication path set up the IP address of destination time, performing this virtual communication path and set up process, and performing this process when being notified of multiple IP address for each IP address.
It is more than the configuration of net machine 20.
(B: Operation)
Next, the operation of the present embodiment is described. In the operation example below, it is assumed that the upper-level domain (company.example.jp) of the company owning network machine 20A and network machine 20B has been registered, that the device information of network machine 20A has also been registered, and that the management table shown in Fig. 3A is stored in non-volatile storage unit 144 of DNS server device 10. An example of registering the device information of network machine 20B in this situation is described below. It is further assumed that the IP address of DNS server device 10, the domain name assigned to network machine 20B (router2.company.example.jp), and the password ("password") issued by the DNS provider have been set in network machine 20B through the setting support process described above, and that "B.B.B.B" has been set as the IP address of first communication I/F unit 220 by PPPoE.
As shown in Fig. 6, control unit 210 of network machine 20B executes the device information transmission process in response to an instruction from the network administrator or the like to transmit the registration request packet (step SA100). In this process, control unit 210 of network machine 20B reads the domain name of the network machine, the IP address of DNS server device 10, and the password stored in non-volatile storage unit 244, generates the registration request packet described above, and transmits it to communication network 30 through first communication I/F unit 220. As described above, the IP address of DNS server device 10 is written into the header of the registration request packet as the destination address and the IP address "B.B.B.B" as the source address, and a character string representing the domain name of network machine 20B (router2.company.example.jp) together with an authentication string generated by a one-way hash function from the domain name and the password ("password") are written into the payload portion. The registration request packet transmitted from network machine 20B in this way is forwarded by the other network machines included in communication network 30 and arrives at DNS server device 10.
When control unit 110 of DNS server device 10 receives the registration request packet via communication I/F unit 120, it authenticates the transmission source using the domain name and the password information contained in the payload portion of the packet (step SB100). As described above, in this authentication process control unit 110 authenticates the transmission source by comparing the authentication string contained in the payload portion of the received registration request packet with an authentication string it generates by applying the one-way hash function to the domain name contained in that payload portion and the password stored in association with the upper-level domain contained in that domain name.
In this operation example, the domain name contained in the payload portion of the registration request packet that control unit 110 received from network machine 20B is "router2.company.example.jp", and the upper-level domain contained in that domain name is "company.example.jp". The authentication string contained in the payload portion was generated by applying the one-way hash function to the domain name and the password "password". Meanwhile, as shown in Fig. 3A, the password stored in management table 144b in association with the upper-level domain "company.example.jp" is "password". In the present embodiment, DNS server device 10 and network machine 20B use the same one-way hash function. Therefore, in this operation example the authentication string contained in the payload portion of the registration request packet received from network machine 20B matches the authentication string generated in the authentication process. The determination in step SB100 is therefore "Yes" (that is, authentication succeeds), and control unit 110 executes the device information registration process (step SB110). As a result, the stored content of management table 144b is updated to that shown in Fig. 7.
Control unit 110 then executes the establishment destination notification process described above (step SB120). As a result of updating management table 144b to the content shown in Fig. 7, the group of network machines having the upper-level domain "university.example.jp" and the group having the upper-level domain "company.example.jp" each constitute a "group comprising multiple network machines". However, as is apparent from a comparison of Fig. 3A and Fig. 7, in the former group the number of member network machines has neither increased nor decreased and no device information has changed. Therefore only the latter group becomes the processing target group, and the notification of virtual communication path establishment destinations is performed for it. More specifically, as shown in Fig. 6, network machine 20A is notified of the IP address and address range information of network machine 20B, and network machine 20B is notified of the IP address and address range information of network machine 20A. Each of network machine 20A and network machine 20B then executes the virtual communication path establishment process based on the information notified by DNS server device 10 (steps SA110A and SA110B), and a virtual communication path is established between them.
As a result of the above operation, a virtual communication path is established between network machine 20A and network machine 20B, and a VPN is established. It should be noted that, even when a new network machine is introduced, the network administrator need not perform work such as selecting the network machine that becomes the establishment destination of the virtual communication path or checking the address range assigned to the communication devices under the control of each network machine, as the operation example above shows. Therefore, even when a network machine 20 is newly installed, the network administrator can entrust the environment setup to a user with limited network knowledge (for example, a general user working at each location). Moreover, because the settings at existing locations are changed automatically, the network administrator need not travel to another location to change settings when a network machine is newly installed.
In addition, even when the IP address of network machine 20 changes, for example because of a PPPoE session timeout, the registration request packet can be transmitted from network machine 20 in response to the address change, and the establishment destination notification process is executed again in response to the resulting update of management table 144b. The VPN is thus rebuilt automatically without special work by the network administrator.
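The registration, authentication and notification steps of the operation example above, together with the mesh and hub-and-spoke notification variants and the hub selection by processing capability from the server-configuration section, as an added Python model that is not part of the patent. The one-way hash function (HMAC-SHA256 keyed with the password), the packet field names and every table value are assumptions constructed for this example.

```python
"""Added example, not the patent's own code: a minimal model of the registration request,
its authentication and the establishment-destination notification of DNS server device 10."""
import hashlib
import hmac
from dataclasses import dataclass

def upper_domain(domain: str) -> str:
    """Upper-level domain: the domain name without the device unique identifier (first label)."""
    return domain.split(".", 1)[1]

def auth_string(domain: str, password: str) -> str:
    """Authentication string from domain name and password. The patent leaves the one-way hash
    function unspecified; HMAC-SHA256 keyed with the password is assumed here."""
    return hmac.new(password.encode(), domain.encode(), hashlib.sha256).hexdigest()

@dataclass
class Record:  # one row of management table 144b, keyed by the full domain name
    ip: str            # communication address taken from the packet's source address
    addr_range: str    # address range information of the LAN behind the network machine
    capability: int    # processing capability (modification in the text); higher = preferred hub

class NetMachine:
    """Client side (network machine 20): builds the registration request packet."""
    def __init__(self, domain, password, ip, addr_range, capability=0):
        self.domain, self.password, self.ip = domain, password, ip
        self.addr_range, self.capability = addr_range, capability

    def registration_request(self) -> dict:
        # src_ip stands for the header source address; the other fields form the payload portion.
        return {"domain": self.domain, "received_auth": auth_string(self.domain, self.password),
                "src_ip": self.ip, "addr_range": self.addr_range, "capability": self.capability}

class DnsServerDevice:
    """Server side (DNS server device 10): management table plus steps SB100 to SB120."""
    def __init__(self, passwords: dict):
        self.passwords = passwords   # upper-level domain -> password issued by the DNS provider
        self.table = {}              # management table 144b: domain name -> Record

    def authenticate(self, domain, received_auth) -> bool:
        """Step SB100: recompute the authentication string with the stored password and compare."""
        password = self.passwords.get(upper_domain(domain))
        return password is not None and hmac.compare_digest(auth_string(domain, password), received_auth)

    def register(self, domain, received_auth, src_ip, addr_range, capability=0):
        """Step SB110. Returns the upper-level domain that became a processing target group
        (member count or device information changed), or None when nothing needs notifying."""
        if not self.authenticate(domain, received_auth):
            return None
        new = Record(src_ip, addr_range, capability)
        changed = self.table.get(domain) != new
        self.table[domain] = new
        return upper_domain(domain) if changed else None

    def group(self, upper: str) -> dict:
        return {d: r for d, r in self.table.items() if upper_domain(d) == upper}

    def notify_mesh(self, upper: str) -> dict:
        """Fig. 4A: every member learns the IP address and address range of every other member."""
        members = self.group(upper)
        return {d: {o: (r.ip, r.addr_range) for o, r in members.items() if o != d} for d in members}

    def notify_hub_and_spoke(self, upper: str) -> dict:
        """Fig. 4B: the hub (highest capability, ties broken by last lexicographic identifier)
        learns every spoke; each spoke learns only the hub."""
        members = self.group(upper)
        hub = max(members, key=lambda d: (members[d].capability, d))
        out = {hub: {o: (r.ip, r.addr_range) for o, r in members.items() if o != hub}}
        for d in members:
            if d != hub:
                out[d] = {hub: (members[hub].ip, members[hub].addr_range)}
        return out

def demo() -> dict:
    """Constructed walk-through of the operation example: network machine 20B registers."""
    server = DnsServerDevice({"company.example.jp": "password", "university.example.jp": "u-secret"})
    # Management table before 20B registers (constructed stand-in for Fig. 3A).
    server.table["router1.company.example.jp"] = Record("A.A.A.A", "192.168.1.0/24", 2)
    server.table["place1.university.example.jp"] = Record("C.C.C.C", "10.0.1.0/24", 5)
    server.table["place2.university.example.jp"] = Record("D.D.D.D", "10.0.2.0/24", 3)
    m20b = NetMachine("router2.company.example.jp", "password", "B.B.B.B", "192.168.2.0/24", 1)
    target = server.register(**m20b.registration_request())    # -> "company.example.jp"
    mesh = server.notify_mesh(target)                           # step SB120, Fig. 4A style
    # A wrong password yields a different authentication string, so no row is written.
    bogus = NetMachine("router3.company.example.jp", "wrong", "E.E.E.E", "192.168.3.0/24")
    rejected = server.register(**bogus.registration_request())  # -> None
    # Re-sending identical device information changes nothing: no processing target group.
    unchanged = server.register(**m20b.registration_request())  # -> None
    # IP address changed (e.g. PPPoE session timeout): re-registration triggers notification again.
    m20b.ip = "F.F.F.F"
    renewed = server.register(**m20b.registration_request())    # -> "company.example.jp"
    hub = server.notify_hub_and_spoke("university.example.jp")  # place1 (capability 5) is the hub
    return {"target": target, "mesh": mesh, "rejected": rejected, "unchanged": unchanged,
            "renewed": renewed, "hub": hub, "table": server.table}
```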
(C: Modifications)
Although embodiments of the present invention have been described above, the embodiments may be modified as follows. (1) Although in the above embodiments communication system 1 includes two network machines (network machine 20A and network machine 20B), three or more network machines may be included. Also, although the above embodiments describe grouping the network machines by the upper-level domain obtained by removing the device unique identifier from the domain name assigned to each network machine, the network machines may instead be grouped only by the part of the domain name representing the name of the organization owning the network machine. In short, in one aspect, the network machines may be grouped by a domain name included in the domain name assigned to each network machine.
(2) Although in the above embodiments the group to which multiple network machines belong is the processing target group only when the number of member network machines has increased or decreased or the device information of a member has changed, the group to which multiple network machines belong may always be the processing target group, regardless of whether the number of members or the device information has changed. Also, although in the above embodiments control unit 110 executes the establishment destination notification process in response to execution of the device information registration process (that is, the update of management table 144b), control unit 110 may instead execute the establishment destination notification process, with the group to which network machine 20 belongs as the processing target group, in response to receiving from network machine 20 a packet requesting execution of that process. In this case, control unit 210 of network machine 20 may transmit that packet when triggered by an instruction from the network administrator or the like, or may transmit it each time a predetermined period elapses (that is, periodically).
(3) The above embodiments describe the case in which one domain name is assigned to one network machine 20. However, several domain names may be assigned to one network machine 20, and one IP address may be stored in management table 144b in association with those several domain names (or with the combination of upper-level domain and device unique identifier that forms each domain name). Even when several domain names are assigned to one network machine 20, no problem arises in terms of DNS (that is, the conversion from a domain name to a communication address). Furthermore, by newly assigning a domain name whose upper-level domain differs from that of the domain name already assigned, a virtual communication path is established between VPNs having different upper-level domains, achieving the effect that a new VPN is obtained.
For example, when the stored content of management table 144b is that shown in Fig. 7 and the hub-and-spoke VPN shown in Fig. 8A has been established, if a registration request packet containing the domain name "place5.university.example.jp" and the password information corresponding to the upper-level domain "university.example.jp" is received from network machine 20A, the stored content of management table 144b is updated as shown in Fig. 8B, the VPN is rebuilt based on the updated content, and the virtual communication path shown by the dashed line in Fig. 8A is additionally established. Moreover, by permitting such a domain name registration only for a predetermined period (for example, by having control unit 110 delete the domain name once a certain time has elapsed since registration), confidential data communication between the organization having the upper-level domain "university.example.jp" and the organization having the upper-level domain "company.example.jp" can be performed only within that predetermined period.
(4) The above embodiments describe the case in which domain names and IP addresses are stored in management table 144b, network machines having the same upper-level domain are grouped, and a VPN is established for each group. However, when establishing a hub-and-spoke VPN, the upper-level domains may be further grouped by subdomain, a VPN first established for each group with the same subdomain, and virtual communication paths then established between those VPNs to integrate them into a single VPN.
(5) In the above embodiments, the server program that causes control unit 110 of DNS server device 10 to execute the processes that notably characterize the present invention is stored in advance in non-volatile storage unit 144. However, the program may be written to a computer-readable recording medium (such as a CD-ROM) and distributed, or distributed by download over an electrical communication line such as the Internet. By operating a computer according to a program distributed in this way, a general-purpose computer can be made to serve as DNS server device 10 of the present embodiment. Similarly, client program 244a may be written to a computer-readable recording medium and distributed, or distributed by download over an electrical communication line such as the Internet.
This application is based on Japanese Patent Application No. 2013-055744 filed on March 18, 2013, the entire content of which is incorporated herein by reference.
Industrial Applicability
According to the present invention, highly confidential data communication using a VPN can be realized while reducing the workload of the network administrator.
Reference numerals list
10: DNS server device
20A and 20B: network machine
110 and 210: control unit
120: communication I/F unit
220: first communication I/F unit
230: second communication I/F unit
140 and 240: storage unit
142 and 242: volatile storage unit
144 and 244: non-volatile storage unit
150 and 250: bus
30: communication network

Claims (9)

1. A domain name system (DNS) server device comprising a management table in which one or more domain names assigned to a network machine and a communication address assigned to the network machine are stored in association with each other, and providing a domain name service by referring to the management table, the DNS server device comprising:
grouping means for grouping, for each upper-level domain included in the domain name of each network machine, the network machines whose domain names and communication addresses are stored in the management table, to produce multiple groups; and
establishment destination notification means for executing an establishment destination notification process that notifies each network machine in a group, among the multiple groups produced by the grouping means, to which multiple network machines belong, of the communication address of another network machine belonging to that group as the communication address of the establishment destination of a virtual communication path.
2. The DNS server device according to claim 1, wherein the establishment destination notification means, in response to a request from a network machine, notifies each network machine in the group to which that network machine belongs of the communication address of another network machine as the communication address of the establishment destination of the virtual communication path.
3. The DNS server device according to claim 1 or 2, wherein priority data is stored in the management table in association with the communication address and domain name assigned to the network machine, the priority data indicating a higher priority when the processing capability of the network machine is higher or the processing load of the network machine is lower, and
the establishment destination notification means determines the virtual communication path establishment destination of each network machine such that, among the network machines belonging to the group for which the settings relating to establishing a virtual private network (VPN) are performed, the network machine with the highest priority indicated by the priority data becomes the hub of a hub-and-spoke topology.
4. A network machine comprising:
device information transmission means for transmitting the communication address and domain name assigned to the network machine to a domain name system (DNS) server device so that the communication address and domain name are stored in the DNS server device; and
virtual communication path establishment means for establishing a virtual communication path between the network machine and another network machine based on the communication address of the other network machine notified by the DNS server device.
5. The network machine according to claim 4, wherein the device information transmission means adds the communication address and domain name to a registration request and transmits the registration request to the DNS server device, and
the virtual communication path establishment means receives the communication address of the other network machine as a response to the registration request.
6. The network machine according to claim 4 or 5, wherein the device information transmission means adds the communication address and domain name, together with the processing capability or processing load of the network machine, to the registration request and transmits the registration request to the DNS server device.
7. A communication system comprising:
the DNS server device according to any one of claims 1 to 3; and
multiple network machines according to any one of claims 4 to 6.
8. A communication method in a domain name system (DNS) server device, the DNS server device comprising a management table in which one or more domain names assigned to a network machine and a communication address assigned to the network machine are stored in association with each other, and providing a domain name service by referring to the management table, the communication method comprising:
grouping, for each upper-level domain included in the domain name of each network machine, the network machines whose domain names and communication addresses are stored in the management table, to produce multiple groups; and
notifying each network machine in a group, among the multiple groups produced, to which multiple network machines belong, of the communication address of another network machine belonging to that group as the communication address of the establishment destination of a virtual communication path.
9. A communication method in a network machine, comprising:
transmitting the communication address and domain name assigned to the network machine to a domain name system (DNS) server device so that the communication address and domain name are stored in the DNS server device; and
establishing a virtual communication path between the network machine and another network machine based on the communication address of the other network machine notified by the DNS server device.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2013055744A JP6127622B2 (en) 2013-03-18 2013-03-18 DNS server device, network device, and communication system
JP2013-055744 2013-03-18
PCT/JP2014/057310 WO2014148483A1 (en) 2013-03-18 2014-03-18 Dns server device, network machine, communication system, and communication method

Publications (2)

Publication Number Publication Date
CN105144642A (en) 2015-12-09
CN105144642B CN105144642B (en) 2018-06-15

Family

ID=51580161

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201480016873.XA Active CN105144642B (en) 2013-03-18 2014-03-18 Dns server device, net machine, communication system and communication means

Country Status (3)

Country Link
JP (1) JP6127622B2 (en)
CN (1) CN105144642B (en)
WO (1) WO2014148483A1 (en)


Also Published As

Publication number Publication date
JP6127622B2 (en) 2017-05-17
WO2014148483A1 (en) 2014-09-25
JP2014183415A (en) 2014-09-29
CN105144642B (en) 2018-06-15


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant