CN107332813A - ACL configuration method, ACL configuration device and server (Google Patents)

Info

Publication number
CN107332813A
Authority
CN (China)
Prior art keywords
network resource, domain name, dns, acl, address list
Legal status
Pending
Application number
CN201610289565.5A
Other languages
Chinese (zh)
Inventors
陈洪国, 张雯, 李志永, 刘广升, 邹文军
Current Assignee
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN201610289565.5A
Publication of CN107332813A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0876 Aspects of the degree of configuration automation
    • H04L41/0886 Fully automatic configuration
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/255 Maintenance or indexing of mapping tables
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]


Abstract

The invention discloses an ACL configuration method, an ACL configuration device and a server. It relates to the communications field and solves the problem of ACL control errors caused by the ACL list not being modified in time when the IP address list corresponding to the domain name of a network resource changes. The scheme is as follows: the ACL configuration device obtains a configuration command that includes the domain name of a network resource; the configuration command is used to obtain the IP address list that corresponds to the domain name and is required for accessing the network resource, and to control the network resource. The ACL configuration device generates a first DNS resolution request message that includes the domain name and sends it to a DNS server, receives from the DNS server a first DNS resolution success message that includes the domain name and the first IP address list corresponding to it, and issues the first IP address list to the ACL list. The present invention is applied in the configuration process of the ACL list.

Description

ACL configuration method, ACL configuration device and server
Technical Field
The present invention relates to the field of communications, and in particular, to an ACL configuration method, an ACL configuration device, and a server.
Background
Communication between information points, and between an internal network and an external network, are indispensable business requirements in an enterprise network. To keep the intranet secure, however, a security policy is needed that ensures an unauthorized user can access only specific network resources, so that access is controlled. With the development of communication technology and the deepening application of network technology, the requirements placed on security monitoring have become stricter. Because Access Control List (ACL) rules can effectively control network traffic and network access permissions, ACLs are applied more and more widely to security monitoring.
In the prior art, when a user must be restricted to accessing only certain specific network resources (or prevented from accessing them), an ACL function may be configured manually on the basis of the Internet Protocol (IP) address list corresponding to the domain name of the network resource. For example, taking a website as the network resource and assuming that company employees must be allowed to access only the company's own website, an operator may obtain the IP address list corresponding to the domain name of the company website and manually configure that list into an ACL list; once the configuration succeeds, the employees can access only the company website.
Thus, in the prior art, the IP address list corresponding to the domain name of the network resource to be controlled is configured into the ACL list manually by an operator. When that IP address list changes, the operator must manually modify the ACL list according to the changed list, which easily results in the modification being made late and therefore in an ACL control error.
Disclosure of Invention
The invention provides an ACL configuration method, an ACL configuration device and a server, which solve the problem of ACL control errors caused by the ACL list not being modified in time when the IP address list corresponding to the domain name of a network resource changes.
To achieve this purpose, the invention adopts the following technical solutions:
in a first aspect of the present invention, an ACL configuration method is provided, including:
the ACL configuration device acquires a configuration command that includes the domain name of a network resource. The configuration command is used to acquire the IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and to control the network resource. After acquiring the configuration command, the ACL configuration device generates a first Domain Name System (DNS) resolution request message that includes the domain name of the network resource and sends it to a DNS server, so that the DNS server, on receiving the first DNS resolution request message, resolves the domain name according to it; if the DNS server resolves the domain name successfully, it sends a first DNS resolution success message to the ACL configuration device. The ACL configuration device thus receives from the DNS server a first DNS resolution success message that includes the domain name of the network resource and a first IP address list that corresponds to the domain name and is required for accessing the network resource, where the first IP address list includes at least one IP address. The ACL configuration device issues the first IP address list to its ACL list, so as to control the network resource.
According to the ACL configuration method provided by the invention, the ACL configuration device acquires a configuration command that includes the domain name of a network resource, sends to a DNS server a first DNS resolution request message that is generated according to the configuration command and includes the domain name, receives from the DNS server a first DNS resolution success message that includes the domain name and the first IP address list corresponding to the domain name and required for accessing the network resource, and finally issues the received first IP address list to the ACL list of the ACL configuration device so as to control the network resource. Because the IP address list corresponding to the domain name of the network resource can be configured into the ACL list automatically through the configuration command, the ACL list can be modified in time according to the changed IP address list when that list changes, and ACL control errors are avoided.
With reference to the first aspect, in a possible implementation, the domain name of the network resource may be included in a Uniform Resource Locator (URL) of the network resource; correspondingly, before the ACL configuration device generates the first DNS resolution request message, the ACL configuration method may further include: the ACL configuration device acquires the domain name of the network resource from the URL of the network resource.
With reference to the first aspect and the foregoing possible implementations, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the first DNS resolution request message, if the DNS server fails to resolve the domain name, it may send a first DNS resolution failure message to the ACL configuration device, and the ACL configuration method may further include: the ACL configuration device receives from the DNS server a first DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, so that the ACL configuration device learns that the DNS server failed to resolve the domain name. Alternatively, if the DNS server fails to resolve the domain name, it may not respond to the first DNS resolution request message at all, and the ACL configuration method may further include: if the ACL configuration device determines that no response message from the DNS server has been received within a preset time, the ACL configuration device learns that the DNS server failed to resolve the domain name of the network resource.
With reference to the first aspect and the foregoing possible implementations, in another possible implementation, in order to determine in real time whether the IP address list corresponding to the domain name of the network resource changes, after the ACL configuration device issues the first IP address list to its ACL list, the ACL configuration method may further include: the ACL configuration device starts a timer; when the timer expires, the ACL configuration device generates a second DNS resolution request message that includes the domain name of the network resource and sends it to the DNS server, so that the DNS server, on receiving the second DNS resolution request message, resolves the domain name according to it; if the DNS server resolves the domain name successfully, it sends a second DNS resolution success message to the ACL configuration device. The ACL configuration device thus receives from the DNS server a second DNS resolution success message that includes the domain name of the network resource and a second IP address list that corresponds to the domain name and is required for accessing the network resource, where the second IP address list includes at least one IP address. After receiving the second IP address list, the ACL configuration device determines whether it is the same as the first IP address list; if the two lists differ, the ACL configuration device updates its ACL list according to the second IP address list. If the second IP address list is the same as the first IP address list, the ACL configuration device need not perform any processing.
With reference to the first aspect and the foregoing possible implementations, in another possible implementation, the domain name of the network resource may be included in a URL of the network resource; correspondingly, before the ACL configuration device generates the second DNS resolution request message, the ACL configuration method may further include: the ACL configuration device acquires the domain name of the network resource from the URL of the network resource.
With reference to the first aspect and the foregoing possible implementations, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the second DNS resolution request message, if the DNS server fails to resolve the domain name, it may send a second DNS resolution failure message to the ACL configuration device, and the ACL configuration method may further include: the ACL configuration device receives from the DNS server a second DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, so that the ACL configuration device learns that the DNS server failed to resolve the domain name. Alternatively, if the DNS server fails to resolve the domain name, it may not respond to the second DNS resolution request message at all, and the ACL configuration method may further include: if the ACL configuration device determines that no response message from the DNS server has been received within a preset time, the ACL configuration device learns that the DNS server failed to resolve the domain name of the network resource.
With reference to the first aspect and the foregoing possible implementations, in another possible implementation, since the IP address list corresponding to the domain name of the network resource may change after the Time To Live (TTL) of the domain name expires, the ACL configuration method may further include: the ACL configuration device configures the TTL of the domain name of the network resource as the timing period of the timer.
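As an added example that is not part of the patent text or Huawei's code, the following Python simulates the flow of the first aspect end to end: the configuration command (bare domain name or URL), the first resolution, issuing the list to the ACL list, a timer period set to the record TTL, the second resolution on timer expiry, and the compare-and-update step, together with the resolution-failure and no-response paths. The DNS server is a constructed in-memory stand-in (`make_resolver`); `AclConfigDevice`, `DnsAnswer`, `domain_from_command` and the sample addresses are my own names and values, not the patent's. The network management server of the third aspect below runs the same logic, with the server holding the list and pushing it to the device.

```python
"""Added example (not from the patent): simulation of the ACL configuration
device flow. The DNS server is a constructed in-memory stand-in; nothing is
sent on the network."""
from dataclasses import dataclass, field
from typing import Callable, Optional
from urllib.parse import urlparse


@dataclass
class DnsAnswer:
    """Constructed DNS resolution success message: domain, IP list, record TTL."""
    domain: str
    addresses: tuple
    ttl: int


# Resolver contract: DnsAnswer on success, None when the DNS server returned a
# resolution-failure message or did not respond within the preset time.
Resolver = Callable[[str], Optional[DnsAnswer]]


def domain_from_command(target: str) -> str:
    """Extract the domain name from the configuration command argument, which
    may be a bare domain name or the full URL of the network resource."""
    if "://" in target:
        host = urlparse(target).hostname  # hostname is already lower-cased
        if not host:
            raise ValueError(f"no host in URL {target!r}")
        return host.rstrip(".")
    return target.lower().rstrip(".")


@dataclass
class AclConfigDevice:
    resolver: Resolver
    acl: dict = field(default_factory=dict)     # domain -> set of IP addresses
    timers: dict = field(default_factory=dict)  # domain -> timer period (seconds)
    events: list = field(default_factory=list)  # what the device did, in order

    def configure(self, target: str) -> bool:
        """Handle a configuration command: resolve, issue to ACL, start timer."""
        domain = domain_from_command(target)
        answer = self.resolver(domain)            # first DNS resolution request
        if answer is None:                        # failure message or timeout
            self.events.append(f"resolve-failed {domain}")
            return False
        self.acl[domain] = set(answer.addresses)  # issue first IP address list
        self.timers[domain] = answer.ttl          # timer period = record TTL
        self.events.append(f"installed {domain} {sorted(self.acl[domain])}")
        return True

    def on_timer(self, domain: str) -> str:
        """Timer expiry: second DNS resolution request, then compare lists."""
        answer = self.resolver(domain)
        if answer is None:
            self.events.append(f"refresh-failed {domain}")
            return "failed"        # existing list is kept; re-arm on next tick
        new_list = set(answer.addresses)
        self.timers[domain] = answer.ttl
        if new_list == self.acl.get(domain):
            return "unchanged"     # same list: no processing, as in the text
        self.acl[domain] = new_list  # different list: update the ACL list
        self.events.append(f"updated {domain} {sorted(new_list)}")
        return "updated"


def make_resolver(table: dict) -> Resolver:
    """Constructed stand-in for the DNS server: `table` maps domain ->
    DnsAnswer; a missing domain models a resolution failure."""
    return lambda domain: table.get(domain)


def demo() -> dict:
    """Run the whole flow on constructed data and return what happened."""
    table = {"intranet.example": DnsAnswer("intranet.example",
                                           ("192.0.2.10", "192.0.2.11"), 300)}
    dev = AclConfigDevice(make_resolver(table))
    first = dev.configure("https://intranet.example/portal/index.html")
    missing = dev.configure("nosuchname.example")   # resolution failure path
    # The record changes before the timer fires (constructed change).
    table["intranet.example"] = DnsAnswer("intranet.example",
                                          ("192.0.2.10", "192.0.2.12"), 60)
    refresh = dev.on_timer("intranet.example")
    second = dev.on_timer("intranet.example")       # nothing changed this time
    return {"first": first, "missing": missing, "refresh": refresh,
            "second": second, "acl": sorted(dev.acl["intranet.example"]),
            "timer": dev.timers["intranet.example"], "events": dev.events}


if __name__ == "__main__":
    for line in demo()["events"]:
        print(line)
```

Two properties of the scheme are visible here. The ACL now contains whatever the resolver returned, so the device must query a resolver it trusts (and, in a real deployment, validate the answer), because a wrong answer becomes a wrong ACL entry; and the timer period bounds how long a stale entry can persist after the record changes, which is why the text ties it to the TTL.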
In a second aspect of the present invention, an ACL configuration method is provided, including:
when a certain network resource needs to be controlled, the ACL configuration device may send a first DNS resolution request message that includes the domain name of the network resource to the DNS server. The DNS server receives the first DNS resolution request message sent by the ACL configuration device, resolves the domain name of the network resource included in it, and determines whether resolution succeeded. If the domain name is resolved successfully, the DNS server sends to the ACL configuration device a first DNS resolution success message that includes the domain name of the network resource and the first IP address list obtained by resolution, which corresponds to the domain name and is required for accessing the network resource; the first IP address list includes at least one IP address. The ACL configuration device can then control the network resource according to the first DNS resolution success message.
According to the ACL configuration method provided by the invention, the DNS server receives a first DNS resolution request message that is sent by the ACL configuration device and includes the domain name of a network resource, resolves the domain name included in it, and, when resolution succeeds, sends to the ACL configuration device a first DNS resolution success message that includes the domain name and the first IP address list obtained by resolution, which corresponds to the domain name and is required for accessing the network resource, so that the ACL configuration device can issue the received first IP address list to its ACL list and control the network resource. By sending the ACL configuration device a DNS resolution success message that includes the domain name of the network resource and the IP address list obtained by resolution, the DNS server enables the ACL configuration device to configure the IP address list corresponding to the domain name into the ACL list automatically, which ensures that the ACL list can be modified in time according to the changed IP address list when that list changes, and avoids ACL control errors.
With reference to the second aspect, in a possible implementation, the ACL configuration method may further include: if the DNS server fails to resolve the domain name of the network resource, it sends to the ACL configuration device a first DNS resolution failure message notifying the ACL configuration device that resolution of the domain name failed. Alternatively, if the DNS server fails to resolve the domain name of the network resource, it does not respond to the first DNS resolution request message.
With reference to the second aspect and the foregoing possible implementations, in another possible implementation, in order to determine in real time whether the IP address list corresponding to the domain name of the network resource changes, the ACL configuration device starts a timer and, when the timer expires, sends a second DNS resolution request message that includes the domain name to the DNS server; the ACL configuration method may therefore further include: the DNS server receives the second DNS resolution request message sent by the ACL configuration device, resolves the domain name of the network resource included in it, and determines whether resolution succeeded. If the domain name is resolved successfully, the DNS server sends to the ACL configuration device a second DNS resolution success message that includes the domain name and the second IP address list obtained by resolution, which corresponds to the domain name and is required for accessing the network resource, where the second IP address list includes at least one IP address, so that the ACL configuration device can determine, from the second IP address list in the received second DNS resolution success message and the first IP address list, whether the IP address list corresponding to the domain name has changed.
With reference to the second aspect and the foregoing possible implementations, in another possible implementation, the ACL configuration method may further include: if the DNS server fails to resolve the domain name of the network resource, it sends to the ACL configuration device a second DNS resolution failure message notifying the ACL configuration device that resolution of the domain name failed. Alternatively, if the DNS server fails to resolve the domain name of the network resource, it does not respond to the second DNS resolution request message.
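The patent describes the request, success and failure messages of the second aspect abstractly. As an added example (not code from the patent or from Huawei), the following Python carries that exchange in the standard DNS wire format of RFC 1035, which is an assumption on my part since the text does not name an encoding: `build_query` is the ACL configuration device side, `serve` is a constructed in-process DNS server that answers from a small zone table or returns an NXDOMAIN resolution-failure message, and `parse_response` is the device side again, extracting the IP address list and the smallest TTL (the value a timer period of the first aspect would be set to). All function names, the zone contents and the transaction id are constructed for this example.

```python
"""Added example (not from the patent): the DNS resolution request and
success/failure messages in RFC 1035 wire format, with a constructed DNS
server that runs in-process. No network traffic is generated."""
import ipaddress
import struct

TYPE_A, CLASS_IN = 1, 1
RCODE_NXDOMAIN = 3


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # bounded walk, so a pointer loop cannot hang us
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels), (end if jumped else off)


def build_query(txid: int, domain: str) -> bytes:
    """ACL device side: DNS resolution request for the A records of domain."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return header + encode_name(domain) + struct.pack("!HH", TYPE_A, CLASS_IN)


def serve(query: bytes, zone: dict) -> bytes:
    """Constructed DNS server: answer from `zone` (domain -> (ttl, [ips])) or
    return an NXDOMAIN message, the resolution-failure case of the text."""
    txid, _flags, _qd, *_ = struct.unpack("!HHHHHH", query[:12])
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]  # echoed back in the response
    if qname.lower() in zone and qtype == TYPE_A:
        ttl, ips = zone[qname.lower()]
        # b"\xc0\x0c" is a pointer to the question name at offset 12.
        answers = b"".join(
            b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4)
            + ipaddress.IPv4Address(ip).packed
            for ip in ips)
        header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
        return header + question + answers
    header = struct.pack("!HHHHHH", txid, 0x8180 | RCODE_NXDOMAIN, 1, 0, 0, 0)
    return header + question


def parse_response(resp: bytes, expected_txid: int):
    """ACL device side: return (ip_list, min_ttl), or None on a failure message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:  # non-zero RCODE: DNS resolution failure message
        return None
    off = 12
    for _ in range(qd):  # skip the echoed question section
        _, off = decode_name(resp, off)
        off += 4
    ips, ttl = [], None
    for _ in range(an):
        _, off = decode_name(resp, off)
        rtype, rclass, rttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == TYPE_A and rclass == CLASS_IN and rdlen == 4:
            ips.append(str(ipaddress.IPv4Address(resp[off:off + 4])))
            ttl = rttl if ttl is None else min(ttl, rttl)
        off += rdlen  # skip any other record type
    return ips, ttl


def resolve_for_acl(domain: str, zone: dict, txid: int = 0x1234):
    """One request/response round trip through the constructed server."""
    return parse_response(serve(build_query(txid, domain), zone), txid)


if __name__ == "__main__":
    ZONE = {"intranet.example": (300, ["192.0.2.10", "192.0.2.11"])}
    print(resolve_for_acl("intranet.example", ZONE))   # (['192.0.2.10', '192.0.2.11'], 300)
    print(resolve_for_acl("nosuchname.example", ZONE)) # None
```

Checking the transaction id and the QR bit before trusting a response, and bounding the compression-pointer walk, are the two checks a device parsing DNS answers into an ACL should not skip; the "no response within a preset time" case of the text corresponds to a socket timeout around the real `serve` call, which this in-process version does not need.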
In a third aspect of the present invention, an ACL configuration method is provided, including:
the network management server acquires a configuration command that includes the domain name of a network resource. The configuration command is used to acquire the IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and to control the network resource. After acquiring the configuration command, the network management server generates a first DNS resolution request message that includes the domain name of the network resource and sends it to the DNS server, so that the DNS server, on receiving the first DNS resolution request message, resolves the domain name according to it; if the DNS server resolves the domain name successfully, it sends a first DNS resolution success message to the network management server. The network management server thus receives from the DNS server a first DNS resolution success message that includes the domain name of the network resource and a first IP address list that corresponds to the domain name and is required for accessing the network resource, where the first IP address list includes at least one IP address. The network management server sends the first IP address list to the ACL configuration device, so that the ACL configuration device issues the first IP address list to its ACL list and control of the network resource is achieved.
According to the ACL configuration method provided by the invention, the network management server acquires a configuration command that includes the domain name of a network resource, sends to a DNS server a first DNS resolution request message that is generated according to the configuration command and includes the domain name, receives from the DNS server a first DNS resolution success message that includes the domain name and the first IP address list corresponding to the domain name and required for accessing the network resource, and finally sends the received first IP address list to the ACL configuration device, so that the ACL configuration device can issue the first IP address list to its ACL list and control the network resource. The IP address list corresponding to the domain name of the network resource is acquired automatically through the configuration command and sent to the ACL configuration device, so that the ACL configuration device can configure the IP address list corresponding to the domain name into the ACL list automatically, and the ACL list can be modified in time according to the changed IP address list when that list changes, avoiding ACL control errors.
With reference to the third aspect, in a possible implementation, the domain name of the network resource may be included in a URL of the network resource; correspondingly, before the network management server generates the first DNS resolution request message, the ACL configuration method may further include: the network management server acquires the domain name of the network resource from the URL of the network resource.
With reference to the third aspect and the foregoing possible implementations, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the first DNS resolution request message, if the DNS server fails to resolve the domain name, it may send a first DNS resolution failure message to the network management server, and the ACL configuration method may further include: the network management server receives from the DNS server a first DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, and forwards the first DNS resolution failure message to the ACL configuration device, so that the ACL configuration device learns that resolution of the domain name failed. Alternatively, if the DNS server fails to resolve the domain name, it may not respond to the first DNS resolution request message at all, and the ACL configuration method may further include: if the network management server determines that no response message from the DNS server has been received within a preset time, the network management server may send the ACL configuration device a response message notifying it that resolution of the domain name of the network resource failed, so that the ACL configuration device learns that the DNS server failed to resolve the domain name.
With reference to the third aspect and the foregoing possible implementations, in another possible implementation, in order to determine in real time whether the IP address list corresponding to the domain name of the network resource changes, after the network management server sends the first IP address list to the ACL configuration device, the ACL configuration method may further include: the network management server starts a timer; when the timer expires, the network management server generates a second DNS resolution request message that includes the domain name of the network resource and sends it to the DNS server, so that the DNS server, on receiving the second DNS resolution request message, resolves the domain name according to it; if the DNS server resolves the domain name successfully, it sends a second DNS resolution success message to the network management server. The network management server thus receives from the DNS server a second DNS resolution success message that includes the domain name of the network resource and a second IP address list that corresponds to the domain name and is required for accessing the network resource, where the second IP address list includes at least one IP address. After receiving the second IP address list, the network management server determines whether it is the same as the first IP address list; if the two lists differ, the network management server sends the second IP address list to the ACL configuration device, so that the ACL configuration device updates its ACL list according to the second IP address list. If the second IP address list is the same as the first IP address list, the network management server need not perform any processing.
With reference to the third aspect and the foregoing possible implementations, in another possible implementation, the domain name of the network resource may be included in a URL of the network resource; correspondingly, before the network management server generates the second DNS resolution request message, the ACL configuration method may further include: the network management server acquires the domain name of the network resource from the URL of the network resource.
With reference to the third aspect and the foregoing possible implementations, in another possible implementation, after the DNS server resolves the domain name of the network resource according to the second DNS resolution request message, if the DNS server fails to resolve the domain name, it may send a second DNS resolution failure message to the network management server, and the ACL configuration method may further include: the network management server receives from the DNS server a second DNS resolution failure message notifying it that resolution of the domain name of the network resource failed, and forwards the second DNS resolution failure message to the ACL configuration device, so that the ACL configuration device learns that resolution of the domain name failed. Alternatively, if the DNS server fails to resolve the domain name, it may not respond to the second DNS resolution request message at all, and the ACL configuration method may further include: if the network management server determines that no response message from the DNS server has been received within a preset time, the network management server may send the ACL configuration device a response message notifying it that resolution of the domain name of the network resource failed, so that the ACL configuration device learns that the DNS server failed to resolve the domain name.
With reference to the third aspect and the foregoing possible implementations, in another possible implementation, since the IP address list corresponding to the domain name of the network resource may change after the TTL of the domain name expires, the ACL configuration method may further include: the network management server configures the TTL of the domain name of the network resource as the timing period of the timer.
In a fourth aspect of the present invention, an ACL configuration device is provided, including: an acquiring unit, a generating unit, a sending unit, a receiving unit, and an issuing unit;
the acquiring unit is configured to acquire a configuration command, where the configuration command is used to acquire an internet protocol IP address list corresponding to a domain name of a network resource and required for accessing the network resource, and is used to control the network resource, and the configuration command includes the domain name of the network resource;
the generating unit is configured to generate a first domain name system DNS resolution request packet, where the first DNS resolution request packet includes the domain name of the network resource included in the configuration command acquired by the acquiring unit;
the sending unit is configured to send the first DNS resolution request packet generated by the generating unit to a DNS server;
the receiving unit is configured to receive a first DNS resolution success packet from the DNS server, where the first DNS resolution success packet includes a domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, and the first IP address list includes at least one IP address;
the issuing unit is configured to issue the first IP address list included in the first DNS resolution success packet received by the receiving unit to an ACL list of the ACL configuration device, so as to implement control over the network resource.
A specific implementation manner may refer to a behavior function of the ACL configuration device in the ACL configuration method provided in the first aspect or the possible implementation manner of the first aspect.
In a fifth aspect of the present invention, an ACL configuration device is provided, including: an ACL module, a domain name system DNS module, and a ternary content addressable memory (TCAM) module;
the ACL module is configured to obtain a configuration command, where the configuration command is used to obtain an internet protocol IP address list corresponding to a domain name of a network resource and required for accessing the network resource, and is used to control the network resource, and the configuration command includes the domain name of the network resource; the ACL module is further configured to carry the domain name of the network resource in an IP address resolution message and transmit the IP address resolution message to the DNS module;
the DNS module is configured to generate a first DNS resolution request packet, send the first DNS resolution request packet to a DNS server, receive a first DNS resolution success packet from the DNS server, where the first DNS resolution success packet includes the domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, and the first IP address list includes at least one IP address, and transmit the first IP address list to the ACL module;
the ACL module is further configured to issue the first IP address list to the ACL list of the TCAM module, so as to implement control over the network resource.
A specific implementation manner may refer to a behavior function of the ACL configuration device in the ACL configuration method provided in the first aspect or the possible implementation manner of the first aspect.
In a sixth aspect of the present invention, a DNS server is provided, including: a receiving unit, a resolving unit, a judging unit, and a sending unit;
the receiving unit is configured to receive a first DNS resolution request packet sent by an ACL configuration device, where the first DNS resolution request packet includes a domain name of a network resource;
the resolving unit is configured to resolve the domain name of the network resource included in the first DNS resolution request packet received by the receiving unit;
the judging unit is configured to judge whether the resolving unit has successfully resolved the domain name of the network resource;
the sending unit is configured to send a first DNS resolution success packet to the ACL configuration device if the judging unit judges that the resolving unit has successfully resolved the domain name of the network resource, where the first DNS resolution success packet includes the domain name of the network resource and a first IP address list, obtained through resolution, that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list includes at least one IP address.
A specific implementation manner may refer to a behavior function of the DNS server in the ACL configuration method provided in the second aspect or the possible implementation manner of the second aspect.
A seventh aspect of the present invention provides a network management server, including: an acquiring unit, a generating unit, a sending unit, and a receiving unit;
the acquiring unit is configured to acquire a configuration command, where the configuration command is used to acquire an internet protocol IP address list corresponding to a domain name of a network resource and required for accessing the network resource, and is used to control the network resource, and the configuration command includes the domain name of the network resource;
the generating unit is configured to generate a first domain name system DNS resolution request packet, where the first DNS resolution request packet includes a domain name of the network resource;
the sending unit is configured to send the first DNS resolution request packet generated by the generating unit to a DNS server;
the receiving unit is configured to receive a first DNS resolution success packet from the DNS server, where the first DNS resolution success packet includes a domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, and the first IP address list includes at least one IP address;
the sending unit is further configured to send the first IP address list included in the first DNS resolution success packet received by the receiving unit to an ACL configuration device, so that the ACL configuration device issues the first IP address list to an ACL list of the ACL configuration device, so as to implement control over the network resource.
A specific implementation manner may refer to a behavior function of the network management server in the ACL configuration method provided in the third aspect or the possible implementation manner of the third aspect.
An eighth aspect of the present invention provides an ACL configuration device, including: at least one processor, memory, at least one communication interface, and a communication bus;
the memory is configured to store instructions;
the processor is configured to execute the ACL configuration method provided in the first aspect or the possible implementation manner of the first aspect, so as to implement the functions of the acquiring unit, the generating unit, and the issuing unit in the fourth aspect.
The communication interface is configured to execute the ACL configuration method provided in the first aspect or the possible implementation manner of the first aspect, so as to implement the functions of the sending unit and the receiving unit in the fourth aspect.
A ninth aspect of the present invention provides a DNS server, comprising: at least one processor, memory, at least one communication interface, and a communication bus;
the memory is configured to store instructions;
the processor is configured to execute the ACL configuration method provided in the second aspect or the possible implementation manner of the second aspect, so as to implement the functions of the resolving unit and the judging unit in the sixth aspect.
The communication interface is configured to execute the ACL configuration method provided in the second aspect or the possible implementation manner of the second aspect, so as to implement the functions of the sending unit and the receiving unit in the sixth aspect.
A tenth aspect of the present invention provides a network management server, comprising: at least one processor, memory, at least one communication interface, and a communication bus;
the memory is configured to store instructions;
the processor is configured to execute the ACL configuration method provided in the third aspect or the possible implementation manner of the third aspect, so as to implement the functions of the acquiring unit and the generating unit in the seventh aspect.
The communication interface is configured to execute the ACL configuration method provided by the third aspect or a possible implementation manner of the third aspect, so as to implement the functions of the sending unit and the receiving unit in the seventh aspect.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a simplified diagram of a system architecture to which the present invention is applied according to an embodiment of the present invention;
FIG. 2 is a simplified diagram of another system architecture to which the present invention is applied;
FIG. 3 is a flowchart of an ACL configuration method according to an embodiment of the present invention;
FIG. 4 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
FIG. 5 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
FIG. 6 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
FIG. 7 is a flowchart of another ACL configuration method according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of an ACL configuration device according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of an ACL configuration device according to another embodiment of the present invention;
FIG. 10 is a schematic diagram of an ACL configuration device according to another embodiment of the present invention;
FIG. 11 is a schematic diagram of a DNS server according to an embodiment of the present invention;
FIG. 12 is a schematic diagram of a network management server according to an embodiment of the present invention;
FIG. 13 is a schematic diagram of a hardware structure of an ACL configuration device according to an embodiment of the present invention;
FIG. 14 is a schematic diagram of a hardware structure of a DNS server according to an embodiment of the present invention;
FIG. 15 is a schematic diagram of a hardware structure of a network management server according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In the prior art, when a certain network resource needs to be controlled, an operator can manually configure an IP address list corresponding to a domain name of the network resource in an ACL list, and when the IP address list corresponding to the domain name of the network resource changes, the operator also needs to manually modify the ACL list according to the changed IP address list, so that the condition that the ACL list is not modified timely is easily generated, and an ACL control error is caused.
For example, taking a website as the network resource, assume that company employees must be allowed to access only the company's website. An operator may obtain the IP address list corresponding to the domain name of the company's website and manually configure the obtained IP address list into an ACL list; after the configuration succeeds, the company employees can only access the company's website. If the IP address list corresponding to the domain name of the company's website changes, the operator needs to manually modify the ACL list according to the changed IP address list. However, if the operator cannot modify the ACL list in time, the company employees cannot access the company's website, and an ACL control error is caused.
In order to avoid the problem of ACL control errors caused by untimely modification of the ACL list, the present invention provides an ACL configuration method whose basic principle is as follows: when a certain network resource needs to be controlled, the ACL configuration device may obtain a configuration command including the domain name of the network resource, generate a first DNS resolution request message including the domain name of the network resource, and send the first DNS resolution request message to the DNS server so that the DNS server responds. After the DNS server successfully resolves the domain name of the network resource according to the first DNS resolution request message, the ACL configuration device may receive, from the DNS server, a first DNS resolution success message including the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and issue the first IP address list included in the received first DNS resolution success message to the ACL list of the ACL configuration device, so as to implement control of the network resource. In this way, the IP address list corresponding to the domain name of the network resource is configured into the ACL list automatically through the configuration command, so that when the IP address list corresponding to the domain name of the network resource changes, the ACL list can be modified in time according to the changed IP address list, and the problem of ACL control errors is avoided.
It should be noted that the IP addresses included in the first IP address list and the second IP address list in the present invention may be IP addresses constructed using Internet Protocol version 4 (IPv4), or may be IP addresses constructed using Internet Protocol version 6 (IPv6), and the present invention is not limited in this respect.
Embodiments of the present invention will be described in detail below with reference to the accompanying drawings.
As shown in fig. 1, fig. 1 is a simplified schematic diagram of a system architecture to which the present invention may be applied. The system architecture may include an ACL configuration device 101, a terminal 102, and a DNS server 103.
The ACL configuration device 101 is configured to configure ACL functions to control access to network resources.
In the embodiment of the present invention, the ACL configuration device 101 may be a device having an ACL configuration function, such as a switch or a router. In a specific implementation, as shown in FIG. 1, the ACL configuration device 101 is a router, taken as an example.
A user may access network resources in a network through the terminal 102. The terminal 102 may be a mobile phone, a desktop computer, a tablet computer, a notebook computer, an ultra-mobile personal computer (UMPC), a netbook, a personal digital assistant (PDA), and so on. In a specific implementation, as shown in FIG. 1, the terminal 102 is a notebook computer.
The DNS server 103 is a server that stores domain names of all network resources in a network and an IP address list corresponding to the domain name of the network resource, and has a function of resolving the domain name of the network resource to obtain an IP address corresponding to the domain name of the network resource.
Further, as shown in fig. 2, the system architecture may further include a network management server 104.
The network management server 104 is a server for performing operations such as configuration, management, and monitoring of the ACL configuration device 101.
Fig. 3 is a flowchart of an ACL configuration method according to an embodiment of the present invention, as shown in fig. 3, the method may include:
201. The ACL configuration device obtains the configuration command.
The configuration command includes a domain name of the network resource. Specifically, an operator may add a new configuration command to the ACL configuration device, where the configuration command is used to obtain an IP address list corresponding to the domain name of the network resource to be controlled and required to access the network resource, and is used to control the network resource, so that when a certain network resource needs to be controlled, the operator may input the configuration command including the domain name of the network resource into the ACL configuration device, and at this time, the ACL configuration device may obtain the configuration command including the domain name of the network resource. The domain name of the network resource is unique in the network.
In addition, in the embodiment of the present invention, an operator may also input a configuration command to a device connected to the ACL configuration device, and the device transmits the configuration command to the ACL configuration device, where the ACL configuration device may also obtain the configuration command.
202. The ACL configuration device generates a first DNS resolution request message.
The first DNS resolution request packet includes a domain name of a network resource. After obtaining the configuration command including the domain name of the network resource, the ACL configuration device may generate a first DNS resolution request packet including the domain name of the network resource.
203. The ACL configuration device sends the first DNS resolution request message to the DNS server.
After the ACL configuration device generates the first DNS resolution request packet, it may send the generated first DNS resolution request packet including the domain name of the network resource to the DNS server, so that the DNS server resolves the domain name of the network resource according to the received first DNS resolution request packet and the pre-stored correspondence between the domain name of the network resource and the IP address list, obtains a first IP address list corresponding to the domain name of the network resource, and carries the obtained first IP address list together with the domain name of the network resource in a first DNS resolution success packet sent to the ACL configuration device.
204. The ACL configuration device receives a first DNS resolution success message from the DNS server.
The first DNS resolution success packet includes a domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, where the first IP address list includes at least one IP address.
205. The ACL configuration device issues the first IP address list to an ACL list of the ACL configuration device, so as to implement control of the network resource.
After the ACL configuration device receives a first DNS resolution success message, which is sent by the DNS server and includes the domain name of the network resource and a first IP address list required for accessing the network resource corresponding to the domain name of the network resource, the ACL configuration device may issue the first IP address list to the ACL list of the ACL configuration device, at this time, the ACL function is successfully configured, that is, the network resource can be controlled.
According to the ACL configuration method provided by the present invention, the ACL configuration device obtains a configuration command including the domain name of a network resource, sends to the DNS server a first DNS resolution request message that is generated according to the configuration command and includes the domain name of the network resource, receives from the DNS server a first DNS resolution success message including the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and finally issues the received first IP address list to the ACL list of the ACL configuration device so as to implement control of the network resource. The IP address list corresponding to the domain name of the network resource is thus configured into the ACL list automatically through the configuration command, so that when the IP address list corresponding to the domain name of the network resource changes, the ACL list can be modified in time according to the changed IP address list, and the problem of ACL control errors is avoided.
Fig. 4 is a flowchart of another ACL configuration method according to an embodiment of the present invention, as shown in fig. 4, the method may include:
301. The DNS server receives a first DNS resolution request message sent by the ACL configuration device.
The first DNS resolution request message includes the domain name of a network resource. When a certain network resource needs to be controlled, the ACL configuration device may send a first DNS resolution request packet including the domain name of the network resource to the DNS server, and at this time the DNS server may receive the first DNS resolution request packet including the domain name of the network resource sent by the ACL configuration device.
302. The DNS server resolves the domain name of the network resource included in the first DNS resolution request message.
303. The DNS server judges whether the resolution is successful.
After receiving the first DNS resolution request message, the DNS server may resolve the domain name of the network resource included in the received first DNS resolution request message, and determine whether resolution of the domain name of the network resource is successful.
304. If the resolution is successful, the DNS server sends a first DNS resolution success message to the ACL configuration device.
The first DNS resolution success message includes the domain name of the network resource and a first IP address list, obtained through resolution, that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list includes at least one IP address. If the domain name of the network resource is successfully resolved, the DNS server may send to the ACL configuration device a first DNS resolution success packet including the domain name of the network resource and the resolved first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, so that the ACL configuration device implements control over the network resource according to the first DNS resolution success packet.
According to the ACL configuration method provided by the present invention, the DNS server receives a first DNS resolution request message that is sent by the ACL configuration device and includes the domain name of a network resource, resolves the domain name of the network resource included in the received first DNS resolution request message, and, when the resolution succeeds, sends to the ACL configuration device a first DNS resolution success message including the domain name of the network resource and the resolved first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, so that the ACL configuration device can issue the received first IP address list to the ACL list of the ACL configuration device and the network resource can be controlled. By sending to the ACL configuration device a DNS resolution success message that includes the domain name of the network resource and the resolved IP address list required for accessing the network resource, the ACL configuration device can automatically configure the IP address list corresponding to the domain name of the network resource into the ACL list, which ensures that the ACL list can be modified in time according to the changed IP address list when the IP address list corresponding to the domain name of the network resource changes, and avoids the problem of ACL control errors.
Fig. 5 is a flowchart of another ACL configuration method according to an embodiment of the present invention, as shown in fig. 5, the method may include:
401. the network management server obtains the configuration command.
When a certain network resource needs to be controlled, the operator can input the configuration command including the domain name of the network resource into the network management server, and at this time the network management server can acquire the configuration command including the domain name of the network resource.
In addition, in the embodiment of the present invention, an operator may also input a configuration command to a device connected to the network management server, and the device transmits the configuration command to the network management server, where the network management server may obtain the configuration command.
402. The network management server generates a first DNS resolution request message.
The first DNS resolution request packet includes a domain name of a network resource. After obtaining the configuration command including the domain name of the network resource, the network management server may generate a first DNS resolution request packet including the domain name of the network resource.
403. The network management server sends the first DNS resolution request message to the DNS server.
After the network management server generates the first DNS resolution request message, it may send the generated first DNS resolution request message including the domain name of the network resource to the DNS server, so that the DNS server resolves the domain name of the network resource according to the received first DNS resolution request message and the pre-stored correspondence between the domain name of the network resource and the IP address list, obtains a first IP address list corresponding to the domain name of the network resource, and carries the obtained first IP address list together with the domain name of the network resource in a first DNS resolution success message sent to the network management server.
404. The network management server receives a first DNS resolution success message from the DNS server.
The first DNS resolution success packet includes a domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, where the first IP address list includes at least one IP address.
405. The network management server sends the first IP address list to the ACL configuration device.
After the network management server receives, from the DNS server, a first DNS resolution success message including the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, the network management server may send the first IP address list to the ACL configuration device, so that the ACL configuration device issues the first IP address list to the ACL list of the ACL configuration device; at this time, the ACL function is successfully configured, that is, the network resource can be controlled.
According to the ACL configuration method provided by the present invention, the network management server acquires a configuration command including the domain name of a network resource, sends to the DNS server a first DNS resolution request message that is generated according to the configuration command and includes the domain name of the network resource, receives from the DNS server a first DNS resolution success message including the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and finally sends the received first IP address list to the ACL configuration device, so that the ACL configuration device can issue the first IP address list to its ACL list to implement control of the network resource. The IP address list corresponding to the domain name of the network resource is thus acquired automatically through the configuration command and sent to the ACL configuration device, so that the ACL configuration device can automatically configure the IP address list corresponding to the domain name of the network resource into the ACL list, and the ACL list can be modified in time according to the changed IP address list when the IP address list corresponding to the domain name of the network resource changes, thereby avoiding the problem of ACL control errors.
Fig. 6 is a flowchart of another ACL configuration method according to an embodiment of the present invention, as shown in fig. 6, the method may include:
In the embodiment of the present invention, an ACL configuration device that includes an ACL module, a DNS module, and a TCAM module is taken as an example of the device executing the ACL configuration method, in order to describe the ACL configuration method of the present invention in detail.
501. The ACL configuration device obtains the configuration command.
The configuration command is used for acquiring an IP address list corresponding to the domain name of the network resource and required for accessing the network resource, and is used for controlling the network resource, and the configuration command comprises the domain name of the network resource, and the domain name of the network resource is unique in the network. Specifically, when a certain network resource needs to be controlled, an operator may input a configuration command including the domain name of the network resource into the ACL configuration device, and at this time, an ACL module of the ACL configuration device may obtain the configuration command including the domain name of the network resource.
Exemplary types of control over the network resource may include, but are not limited to: allowing the user to access the network resource, and not allowing the user to access the network resource.
It should be noted that, the embodiment of the present invention is only an example of the control type, and the control of the network resource implemented by the ACL function includes, but is not limited to, the above listed control types.
As a further alternative, when the control type is to allow the user to access the network resource, "the configuration command is used to control the network resource" may specifically be "the configuration command is used to allow the user to access the network resource"; for example, the configuration command is specifically: rule permit ip destination url www.xxx.com, where rule indicates a rule, permit indicates that the user is allowed to access, www.xxx.com is the domain name of the network resource, and ip destination url www.xxx.com indicates the destination IP address corresponding to the domain name of the network resource. After the ACL configuration device obtains rule permit ip destination url www.xxx.com, the ACL configuration device can request, according to the command, the destination IP address list corresponding to the network resource with the domain name www.xxx.com from the DNS server, and can learn that the command is used to allow the user to access the network resource with the domain name www.xxx.com. When the control type is not to allow the user to access the network resource, "the configuration command is used to control the network resource" may specifically be "the configuration command is used to prohibit the user from accessing the network resource"; for example, the configuration command is specifically: rule deny ip destination url www.xxx.com, where rule indicates a rule, deny indicates that the user is not allowed to access, www.xxx.com is the domain name of the network resource, and ip destination url www.xxx.com indicates the destination IP address corresponding to the domain name of the network resource. After the ACL configuration device obtains rule deny ip destination url www.xxx.com, the ACL configuration device can request, according to the command, the destination IP address list corresponding to the network resource with the domain name www.xxx.com from the DNS server, and can learn that the command is used to prohibit the user from accessing the network resource with the domain name www.xxx.com.
In addition, on the basis of the configuration command described in the present invention, a command for controlling the highest or lowest priority when the user accesses the network resource, a command for controlling the user to adopt a specified transmission path when the user accesses the network resource, a command for controlling the bandwidth when the user accesses the network resource, and the like may be further configured on the ACL configuration device, so as to further control the network resource. For the command for further controlling the network resource, reference may be made to a corresponding configuration command in the prior art, and details of the embodiment of the present invention are not described herein again.
In the following steps, the configuration command obtained in step 501 is taken to be rule permit ip destination url www.xxx.com as an example.
502. The ACL configuration device generates a first DNS resolution request message.
The first DNS resolution request message includes the domain name of the network resource. After the ACL module of the ACL configuration device obtains a configuration command including the domain name of the network resource, it can carry the obtained domain name in an IP address resolution message and pass it to the DNS module of the ACL configuration device. The DNS module receives the IP address resolution message including the domain name of the network resource from the ACL module and generates, according to it, a first DNS resolution request message including the domain name of the network resource.
For example, after the ACL module of the ACL configuration device obtains the configuration command rule permit ip destination url www.xxx.com, it may carry www.xxx.com in an IP address resolution message and pass it to the DNS module of the ACL configuration device; the DNS module receives the IP address resolution message including www.xxx.com from the ACL module and generates, according to it, a first DNS resolution request message including www.xxx.com.
In this embodiment of the present invention, the domain name of the network resource may be included in a URL of the network resource, so that before the ACL configuration device generates the first DNS resolution request packet, the ACL module of the ACL configuration device may first obtain the domain name of the network resource according to the URL of the network resource, and then transmit the obtained domain name of the network resource to the DNS module of the ACL configuration device by carrying the domain name in the IP address resolution message, so that the DNS module of the ACL configuration device generates the first DNS resolution request packet.
503. The ACL configuration device sends the first DNS resolution request message to the DNS server.
After the DNS module of the ACL configuration device generates the first DNS resolution request message including the domain name of the network resource, it may send the message to the DNS server.
For example, the DNS module of the ACL configuration device sends a first DNS resolution request message including www.xxx.com to the DNS server.
504. The DNS server receives the first DNS resolution request message sent by the ACL configuration device.
The DNS server may receive the first DNS resolution request message including the domain name of the network resource that is sent by the DNS module of the ACL configuration device.
505. The DNS server resolves the domain name of the network resource included in the first DNS resolution request message.
After receiving the first DNS resolution request message including the domain name of the network resource from the DNS module of the ACL configuration device, the DNS server may resolve the domain name according to the request message and a pre-stored correspondence between domain names of network resources and IP address lists.
For example, after receiving a first DNS resolution request message including www.xxx.com from the DNS module of the ACL configuration device, the DNS server may resolve www.xxx.com according to the request message and the pre-stored correspondence between domain names and IP address lists.
506. The DNS server determines whether the resolution is successful.
After the DNS server resolves the domain name of the network resource included in the first DNS resolution request message, it may determine whether the resolution succeeded. If it succeeded, step 507 is executed; if it failed, step 508 or step 509 is executed.
507. The DNS server sends a first DNS resolution success message to the ACL configuration device.
When the DNS server successfully resolves the domain name of the network resource, it may carry the domain name and the first IP address list obtained by the resolution (the IP addresses corresponding to the domain name that are required to access the network resource) in a first DNS resolution success message and send it to the DNS module of the ACL configuration device. The first IP address list includes at least one IP address.
For example, after the DNS server resolves www.xxx.com according to the first DNS resolution request message and the pre-stored correspondence between domain names and IP address lists, if the resolution succeeds, the first IP address list required to access www.xxx.com is obtained; www.xxx.com and that first IP address list are then carried in the first DNS resolution success message and sent to the DNS module of the ACL configuration device.
508. The DNS server sends a first DNS resolution failure message to the ACL configuration device.
When the DNS server fails to resolve the domain name of the network resource, in one possible implementation the DNS server may send, to the DNS module of the ACL configuration device, a first DNS resolution failure message notifying the ACL configuration device that resolution of the domain name of the network resource has failed.
For example, after the DNS server resolves www.xxx.com according to the first DNS resolution request message and the pre-stored correspondence between domain names and IP address lists, if the resolution fails, it may send to the DNS module of the ACL configuration device a first DNS resolution failure message notifying the ACL configuration device that resolution of www.xxx.com has failed.
509. The DNS server does not respond to the first DNS resolution request message.
When the DNS server fails to resolve the domain name of the network resource, in another possible implementation manner, the DNS server may not respond to the first DNS resolution request packet.
510. The ACL configuration device receives the first DNS resolution success message from the DNS server.
When the DNS server successfully resolves the domain name of the network resource, corresponding to step 507, the DNS module of the ACL configuration device receives from the DNS server a first DNS resolution success message including the domain name of the network resource and the first IP address list corresponding to that domain name and required to access the network resource.
511. The ACL configuration device issues the first IP address list to the ACL list of the ACL configuration device, so as to implement control over the network resource.
After receiving the first DNS resolution success message from the DNS server, the DNS module of the ACL configuration device may pass it to the ACL module of the ACL configuration device, and the ACL module issues the first IP address list included in the message to the ACL list of the TCAM module of the ACL configuration device to complete the configuration, thereby implementing control over the network resource.
For example, after the DNS module of the ACL configuration device receives from the DNS server the first DNS resolution success message including www.xxx.com and the first IP address list required to access www.xxx.com, the ACL module issues, according to the configuration command, the first IP address list together with the permit action of the configuration command to the ACL list of the TCAM module of the ACL configuration device to complete the configuration. This implements control over the network resource with the domain name www.xxx.com, that is, the user is allowed to access the network resource with the domain name www.xxx.com.
512. The ACL configuration device receives the first DNS resolution failure message sent by the DNS server.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 508, the DNS module of the ACL configuration device receives from the DNS server a first DNS resolution failure message notifying the ACL configuration device that resolution of the domain name of the network resource has failed; the DNS module of the ACL configuration device may then return an invalid IP address to the ACL module of the ACL configuration device.
513. The ACL configuration device determines that no response message from the DNS server is received within a preset time.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 509, the DNS module of the ACL configuration device determines that no response message from the DNS server has been received within the preset time; the DNS module of the ACL configuration device may then return an invalid IP address to the ACL module of the ACL configuration device.
In order that after an IP address corresponding to a domain name of a network resource changes, an ACL configuration device can timely and synchronously modify an ACL list, the ACL configuration method further includes the following steps:
514. The ACL configuration device starts a timer.
The timing period of the timer may be set according to the requirements of the actual application scenario. Preferably, the following step 515 is performed.
515. The ACL configuration device sets the timing period of the timer to the TTL of the domain name of the network resource.
516. When the timer expires, the ACL configuration device generates a second DNS resolution request message.
The second DNS resolution request message includes the domain name of the network resource.
For example, when the timer expires, the DNS module of the ACL configuration device may generate a second DNS resolution request message including www.xxx.com.
In the embodiment of the present invention, the domain name of the network resource may be included in a URL of the network resource, so that before the ACL configuration device generates the second DNS resolution request message, the ACL configuration device may first obtain the domain name of the network resource according to the URL of the network resource, and then generate the second DNS resolution request message.
517. The ACL configuration device sends the second DNS resolution request message to the DNS server.
For example, the DNS module of the ACL configuration device sends a second DNS resolution request message including www.xxx.com to the DNS server.
518. The DNS server receives the second DNS resolution request message sent by the ACL configuration device.
519. The DNS server resolves the domain name of the network resource included in the second DNS resolution request message.
For example, after receiving the second DNS resolution request message including www.xxx.com from the DNS module of the ACL configuration device, the DNS server may resolve www.xxx.com according to the request message and the pre-stored correspondence between domain names of network resources and IP address lists.
520. The DNS server determines whether the resolution is successful.
After the DNS server resolves the domain name of the network resource included in the second DNS resolution request message, it may determine whether the resolution succeeded. If it succeeded, step 521 is executed; if it failed, step 522 or step 523 is executed.
521. The DNS server sends a second DNS resolution success message to the ACL configuration device.
The second DNS resolution success message includes the domain name of the network resource and the second IP address list obtained by the resolution, that is, the IP addresses corresponding to the domain name that are required to access the network resource. The second IP address list includes at least one IP address.
For example, after the DNS server resolves www.xxx.com according to the second DNS resolution request message and the pre-stored correspondence between domain names and IP address lists, if the resolution succeeds, the second IP address list required to access www.xxx.com is obtained; www.xxx.com and that second IP address list are then carried in the second DNS resolution success message and sent to the DNS module of the ACL configuration device.
522. The DNS server sends a second DNS resolution failure message to the ACL configuration device.
For example, after the DNS server resolves www.xxx.com according to the second DNS resolution request message and the pre-stored correspondence between domain names and IP address lists, if the resolution fails, it may send to the DNS module of the ACL configuration device a second DNS resolution failure message notifying the ACL configuration device that resolution of www.xxx.com has failed.
Correspondingly, after the DNS server sends the second DNS resolution failure message, the ACL configuration device receives from the DNS server the second DNS resolution failure message notifying it that resolution of the domain name of the network resource has failed.
523. The DNS server does not respond to the second DNS resolution request message.
If the DNS server does not respond to the second DNS resolution request message, the ACL configuration device determines that no response message from the DNS server has been received within the preset time.
524. The ACL configuration device receives the second DNS resolution success message from the DNS server.
The second DNS resolution success message includes the domain name of the network resource and the second IP address list corresponding to that domain name and required to access the network resource, where the second IP address list includes at least one IP address.
525. The ACL configuration device determines whether the second IP address list is the same as the first IP address list.
After the ACL module of the ACL configuration device receives the second DNS resolution success message, it may determine, according to that message, whether the second IP address list is the same as the first IP address list. If the two lists differ, the following step 526 is executed; if they are the same, no processing is needed.
For example, after the DNS module of the ACL configuration device receives from the DNS server the second DNS resolution success message including www.xxx.com and the second IP address list required to access www.xxx.com, the ACL module may determine whether the second IP address list is the same as the first IP address list.
526. The ACL configuration device updates the ACL list according to the second IP address list.
Specifically, the ACL module of the ACL configuration device may issue the whole second IP address list to the TCAM module to update the ACL list, or may issue only the IP addresses in which the second IP address list differs from the first IP address list to the TCAM module to update the ACL list. In the latter case, the addresses that appear only in the first IP address list must be withdrawn from the ACL list as well; otherwise an entry remains in force for an address that the domain name no longer resolves to.
It should be noted that, in order to periodically determine whether the IP address list corresponding to the domain name of the network resource changes, steps 514 to 526 may be repeatedly executed.
It should be noted that, in the embodiment of the present invention, the specific descriptions of steps 516 to 524 are similar to the specific descriptions of corresponding contents in steps 502 to 513 in the embodiment of the present invention, and details of specific implementation of steps 516 to 524 are not repeated here.
It should be noted that the ACL configuration method provided by the present invention may also be applied to a firewall or a deep packet inspection (DPI) device to achieve the purpose of controlling and monitoring access; the implementation process is similar to the above process and is not described in detail here.
According to the ACL configuration method provided by the present invention, the ACL configuration device obtains a configuration command including the domain name of a network resource, sends to the DNS server a first DNS resolution request message that is generated according to the configuration command and includes the domain name, receives from the DNS server a first DNS resolution success message including the domain name and the first IP address list corresponding to it and required to access the network resource, and finally issues the received first IP address list to the ACL list of the ACL configuration device to implement control over the network resource. The IP address list corresponding to the domain name is thus configured into the ACL list automatically through the configuration command; when the IP address list corresponding to the domain name changes, the ACL list can be modified in time according to the changed list, avoiding ACL control errors.
Moreover, automatically obtaining the IP address list corresponding to the domain name and automatically configuring the ACL function improves configuration efficiency, and by using the timer the ACL configuration device obtains the changed IP address list in time after the IP address list corresponding to the domain name changes, ensuring that the ACL list is updated in time.
Fig. 7 is a flowchart of another ACL configuration method according to an embodiment of the present invention, where as shown in fig. 7, the method may include:
601. The network management server obtains a configuration command.
The configuration command is used to obtain the IP address list corresponding to the domain name of a network resource and required to access the network resource, and to control the network resource. The configuration command includes the domain name of the network resource, which is unique in the network.
Exemplary types of control over the network resource include, but are not limited to: allowing the user to access the network resource, and not allowing the user to access the network resource. As a further alternative, for the case that the control type is to allow the user to access the network resource, the "configuration command is used to control the network resource" may specifically be the "configuration command is used to allow the user to access the network resource"; for example, the configuration command is rule permit ip destination url www.xxx.com. For the case that the control type is not to allow the user to access the network resource, the "configuration command is used to control the network resource" may specifically be the "configuration command is used to prohibit the user from accessing the network resource"; for example, the configuration command is rule deny ip destination url www.xxx.com. The explanation of the configuration command is the same as that given in step 501 of the foregoing embodiment and is not repeated here.
602. The network management server generates a first DNS resolution request message.
The first DNS resolution request message includes the domain name of the network resource.
In the embodiment of the present invention, the domain name of the network resource may be included in a URL of the network resource, so that before generating the first DNS resolution request message, the network management server may first obtain the domain name of the network resource from the URL of the network resource and then generate the first DNS resolution request message.
603. The network management server sends the first DNS resolution request message to the DNS server.
604. The DNS server receives the first DNS resolution request message sent by the network management server.
605. The DNS server resolves the domain name of the network resource included in the first DNS resolution request message.
After receiving the first DNS resolution request message including the domain name of the network resource from the network management server, the DNS server may resolve the domain name according to the request message and a pre-stored correspondence between domain names of network resources and IP address lists.
606. The DNS server determines whether the resolution is successful.
After the DNS server resolves the domain name of the network resource included in the first DNS resolution request message, it may determine whether the resolution succeeded. If it succeeded, step 607 is executed; if it failed, step 608 or step 609 is executed.
607. The DNS server sends a first DNS resolution success message to the network management server.
The first DNS resolution success message includes the domain name of the network resource and the first IP address list obtained by the resolution, that is, the IP addresses corresponding to the domain name that are required to access the network resource. The first IP address list includes at least one IP address.
608. The DNS server sends a first DNS resolution failure message to the network management server.
When the DNS server fails to resolve the domain name of the network resource, in one possible implementation the DNS server may send a first DNS resolution failure message notifying the network management server that resolution of the domain name of the network resource has failed.
609. The DNS server does not respond to the first DNS resolution request message.
When the DNS server fails to resolve the domain name of the network resource, in another possible implementation the DNS server may not respond to the first DNS resolution request message.
610. The network management server receives the first DNS resolution success message from the DNS server.
When the DNS server successfully resolves the domain name of the network resource, corresponding to step 607, the network management server receives from the DNS server a first DNS resolution success message including the domain name of the network resource and the first IP address list corresponding to that domain name and required to access the network resource.
611. The network management server sends the first IP address list to the ACL configuration device.
After the network management server receives the first DNS resolution success message from the DNS server, it may send the first IP address list to the ACL configuration device, so that the ACL configuration device issues the first IP address list to its ACL list to complete the configuration, thereby implementing control over the network resource.
612. The network management server receives the first DNS resolution failure message sent by the DNS server.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 608, the network management server receives from the DNS server a first DNS resolution failure message notifying it that resolution of the domain name of the network resource has failed; the network management server may then forward the first DNS resolution failure message to the ACL configuration device, so that the ACL configuration device knows that the DNS server failed to resolve the domain name of the network resource.
613. The network management server determines that no response message from the DNS server is received within a preset time.
When the DNS server fails to resolve the domain name of the network resource, corresponding to the implementation of step 609, the network management server determines that no response message from the DNS server has been received within the preset time; the network management server may then send the ACL configuration device a message notifying it that resolution of the domain name of the network resource has failed, so that the ACL configuration device knows that the DNS server failed to resolve the domain name of the network resource.
In order that after an IP address corresponding to a domain name of a network resource changes, an ACL configuration device can timely and synchronously modify an ACL list, the ACL configuration method further includes the following steps:
614. The network management server starts a timer.
The timing period of the timer may be set according to the requirements of the actual application scenario. Preferably, the following step 615 is performed.
615. The network management server sets the timing period of the timer to the TTL of the domain name of the network resource.
616. When the timer expires, the network management server generates a second DNS resolution request message.
The second DNS resolution request message includes the domain name of the network resource.
In the embodiment of the present invention, the domain name of the network resource may be included in a URL of the network resource, so that before generating the second DNS resolution request message, the network management server may first obtain the domain name of the network resource from the URL of the network resource and then generate the second DNS resolution request message.
617. The network management server sends the second DNS resolution request message to the DNS server.
618. The DNS server receives the second DNS resolution request message sent by the network management server.
619. The DNS server resolves the domain name of the network resource included in the second DNS resolution request message.
620. The DNS server determines whether the resolution is successful.
After the DNS server resolves the domain name of the network resource included in the second DNS resolution request message, it may determine whether the resolution succeeded. If it succeeded, step 621 is executed; if it failed, step 622 or step 623 is executed.
621. The DNS server sends a second DNS resolution success message to the network management server.
The second DNS resolution success message includes the domain name of the network resource and the second IP address list obtained by the resolution, that is, the IP addresses corresponding to the domain name that are required to access the network resource. The second IP address list includes at least one IP address.
622. The DNS server sends a second DNS resolution failure message to the network management server.
623. The DNS server does not respond to the second DNS resolution request message.
624. The network management server receives the second DNS resolution success message from the DNS server.
The second DNS resolution success message includes the domain name of the network resource and the second IP address list corresponding to that domain name and required to access the network resource, where the second IP address list includes at least one IP address.
625. The network management server determines whether the second IP address list is the same as the first IP address list.
After receiving the second DNS resolution success message, the network management server may determine, according to that message, whether the second IP address list is the same as the first IP address list. If the two lists differ, the following step 626 is executed; if they are the same, no processing is needed.
626. The network management server sends the second IP address list to the ACL configuration device.
Specifically, when the second IP address list differs from the first IP address list, the network management server sends the second IP address list to the ACL configuration device, so that the ACL configuration device updates its ACL list according to the second IP address list.
It should be noted that, in the embodiment of the present invention, the detailed description of steps 601 to 626 is similar to that of the corresponding contents of steps 501 to 526, and the specific implementation of steps 601 to 626 is not repeated here.
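The complete flow of steps 501 to 526, which is also the flow of steps 601 to 626 once the resolving and comparing role is moved from the ACL configuration device into the network management server, written out as a runnable simulation. This is an added example, not code from the patent or from Huawei. The command syntax rule permit|deny ip destination url <domain> is taken from the page; everything else is an assumption introduced for illustration: the resolver interface (MockDnsServer), the AclTable class standing in for the ACL list of the TCAM module, the first-match and default-deny lookup, the default and minimum timer periods, the decision to keep already-installed entries when a later re-resolution fails, and the zone data (RFC 5737 documentation addresses).

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Command syntax from the page: rule <permit|deny> ip destination url <domain or URL>
_RULE_RE = re.compile(r"^rule\s+(permit|deny)\s+ip\s+destination\s+url\s+(\S+)$", re.I)
DnsReply = namedtuple("DnsReply", "ips ttl ok")  # ok=False models the DNS resolution failure message

def parse_rule(command: str) -> Tuple[str, str]:
    """Step 501: extract action and domain name; a full URL is reduced to its host part."""
    m = _RULE_RE.match(command.strip())
    if not m:
        raise ValueError(f"malformed configuration command: {command!r}")
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", m.group(2), flags=re.I).split("/", 1)[0]
    return m.group(1).lower(), host.lower().rstrip(".")

class MockDnsServer:
    """Stand-in DNS server (assumed): zone[name] = (ips, ttl); unknown name fails, None never answers."""
    def __init__(self, zone: Dict[str, Optional[Tuple[List[str], int]]]) -> None:
        self.zone = zone
    def resolve(self, name: str) -> Optional[DnsReply]:
        if name not in self.zone:
            return DnsReply([], 0, False)  # steps 508/522: resolution failure message
        entry = self.zone[name]
        return None if entry is None else DnsReply(list(entry[0]), entry[1], True)  # 509/523 or 507/521

class AclTable:
    """Stand-in for the ACL list of the TCAM module: one entry set per rule, matched in
    configuration order; traffic matching no entry is denied (assumption, not from the page)."""
    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], Set[str]] = {}
    def install(self, action: str, domain: str, ips: List[str]) -> None:  # step 511
        self.entries[(action, domain)] = set(ips)
    def apply_delta(self, action: str, domain: str, old: List[str], new: List[str]) -> None:
        cur = self.entries.setdefault((action, domain), set())  # step 526, delta variant:
        cur.difference_update(set(old) - set(new))              # withdraw addresses that left the list
        cur.update(set(new) - set(old))                         # and add the ones that appeared
    def lookup(self, dst_ip: str) -> str:
        return next((a for (a, _d), ips in self.entries.items() if dst_ip in ips), "deny")

@dataclass
class DnsRule:
    action: str
    domain: str
    ips: List[str] = field(default_factory=list)
    refresh_at: float = 0.0  # expiry of the timer started in step 514

class AclConfigDevice:
    """Steps 501-526 on the ACL configuration device. default_period applies when no usable TTL
    is available; min_period floors tiny TTLs so the DNS server is not hammered (both assumed)."""
    def __init__(self, dns: MockDnsServer, acl: AclTable, default_period=300.0, min_period=5.0):
        self.dns, self.acl, self.default_period, self.min_period = dns, acl, default_period, min_period
        self.rules: Dict[Tuple[str, str], DnsRule] = {}
    def _period(self, reply: DnsReply) -> float:  # step 515: the TTL drives the timer
        return max(float(reply.ttl), self.min_period) if reply.ttl > 0 else self.default_period
    def configure(self, command: str, now: float = 0.0) -> DnsRule:
        action, domain = parse_rule(command)  # step 501
        rule = DnsRule(action, domain)
        reply = self.dns.resolve(domain)  # steps 502-505
        if reply is None or not reply.ok:  # steps 512-513: "invalid IP address", nothing installed,
            rule.refresh_at = now + self.default_period  # so a permit rule fails closed; retry on the timer
        else:
            rule.ips = reply.ips
            self.acl.install(action, domain, rule.ips)  # steps 510-511
            rule.refresh_at = now + self._period(reply)  # steps 514-515
        self.rules[(action, domain)] = rule
        return rule
    def refresh(self, now: float) -> List[str]:
        """Steps 516-526 for every rule whose timer has expired; returns the domains updated."""
        updated = []
        for rule in self.rules.values():
            if now < rule.refresh_at:
                continue
            reply = self.dns.resolve(rule.domain)  # steps 516-519
            if reply is None or not reply.ok:  # steps 522-523: keep old entries, retry later (assumption)
                rule.refresh_at = now + self.default_period
                continue
            if set(reply.ips) != set(rule.ips):  # step 525
                self.acl.apply_delta(rule.action, rule.domain, rule.ips, reply.ips)  # step 526
                rule.ips = list(reply.ips)
                updated.append(rule.domain)
            rule.refresh_at = now + self._period(reply)
        return updated

ZONE = {"www.xxx.com": (["203.0.113.10", "203.0.113.11"], 60),  # constructed zone data, RFC 5737
        "bad.xxx.com": (["198.51.100.7"], 30), "slow.xxx.com": None}  # addresses; None never answers

def run_demo() -> dict:
    dns, acl = MockDnsServer(dict(ZONE)), AclTable()
    dev = AclConfigDevice(dns, acl)
    dev.configure("rule deny ip destination url http://bad.xxx.com/login", now=0)
    dev.configure("rule permit ip destination url www.xxx.com", now=0)
    dev.configure("rule permit ip destination url slow.xxx.com", now=0)  # times out (step 513)
    dev.configure("rule permit ip destination url nosuch.xxx.com", now=0)  # failure message (step 512)
    before = {ip: acl.lookup(ip) for ip in ("203.0.113.10", "198.51.100.7", "203.0.113.12")}
    dns.zone["www.xxx.com"] = (["203.0.113.11", "203.0.113.12"], 60)  # the site moved
    early = dev.refresh(now=30)  # www.xxx.com timer (TTL 60) has not expired yet
    late = dev.refresh(now=60)  # expired: re-resolve, compare, delta-update the ACL
    after = {ip: acl.lookup(ip) for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12")}
    return {"before": before, "early": early, "late": late, "after": after, "installed": sorted(acl.entries)}
```

Two points the page leaves implicit are visible in the simulation. On a resolution failure or timeout the device installs nothing for the rule (the page's "invalid IP address"), so a permit rule fails closed until the timer fires again; what happens to entries already installed when a later re-resolution fails is not specified by the page, and the example keeps them, which means a permit entry can outlive the address it was created for. Every entry in the ACL list is also only as trustworthy as the DNS answer it came from: a permit rule becomes whatever addresses the resolver returns, so the device or network management server should query a resolver it trusts over a path that cannot be spoofed, and the delta update of step 526 must withdraw addresses that dropped out of the list as well as add new ones.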
It should be noted that the ACL configuration method provided by the present invention may also be applied to a firewall or a deep packet inspection (DPI) device to achieve the purpose of controlling and monitoring access; the implementation process is similar to the above process and is not described in detail here.
According to the ACL configuration method provided by the present invention, the network management server obtains a configuration command including the domain name of a network resource, sends to the DNS server a first DNS resolution request message that is generated according to the configuration command and includes the domain name, receives from the DNS server a first DNS resolution success message including the domain name and the first IP address list corresponding to it and required to access the network resource, and finally sends the received first IP address list to the ACL configuration device, so that the ACL configuration device can issue the first IP address list to its ACL list to implement control over the network resource. The IP address list corresponding to the domain name is thus obtained automatically through the configuration command and sent to the ACL configuration device, which configures it into the ACL list automatically; when the IP address list corresponding to the domain name changes, the ACL list can be modified in time according to the changed list, avoiding ACL control errors.
Moreover, automatically obtaining the IP address list corresponding to the domain name and automatically configuring the ACL function improves configuration efficiency, and by using the timer the network management server obtains the changed IP address list in time after the IP address list corresponding to the domain name changes, ensuring that the ACL configuration device updates the ACL list in time.
Fig. 8 is a schematic diagram illustrating a configuration of an ACL configuration device according to an embodiment of the present invention, as shown in fig. 8, including: an acquisition unit 71, a generation unit 72, a transmission unit 73, a reception unit 74, and a distribution unit 75.
The obtaining unit 71 is configured to obtain a configuration command, where the configuration command is used to obtain an internet protocol IP address list corresponding to a domain name of a network resource and required for accessing the network resource, and is used to control the network resource, and the configuration command includes the domain name of the network resource.
The generating unit 72 is configured to generate a first domain name system DNS resolution request packet, where the first DNS resolution request packet includes the domain name of the network resource included in the configuration command acquired by the acquiring unit 71.
The sending unit 73 is configured to send the first DNS resolution request packet generated by the generating unit 72 to a DNS server.
The receiving unit 74 is configured to receive a first DNS resolution success packet from the DNS server, where the first DNS resolution success packet includes a domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, and the first IP address list includes at least one IP address.
The issuing unit 75 is configured to issue the first IP address list included in the first DNS resolution success message received by the receiving unit 74 to an ACL list of the ACL configuration device, so as to implement control on the network resource.
In this embodiment of the present invention, further, the domain name of the network resource is included in a uniform resource locator URL of the network resource.
The obtaining unit 71 is further configured to obtain the domain name of the network resource according to the URL of the network resource.
In this embodiment of the present invention, as shown in fig. 9, the ACL configuration device may further include: a timing unit 76 and a judgment unit 77.
The timing unit 76 is used for starting a timer.
The generating unit 72 is further configured to generate a second DNS resolution request packet when the timer expires, where the second DNS resolution request packet includes the domain name of the network resource.
The sending unit 73 is further configured to send the second DNS resolution request packet generated by the generating unit 72 to the DNS server.
The receiving unit 74 is further configured to receive a second DNS resolution success packet from the DNS server, where the second DNS resolution success packet includes the domain name of the network resource and a second IP address list corresponding to the domain name of the network resource and required for accessing the network resource, and the second IP address list includes at least one IP address.
The determining unit 77 is configured to determine whether the second IP address list included in the second DNS resolution success packet received by the receiving unit 74 is the same as the first IP address list.
The issuing unit 75 is further configured to update the ACL list according to the second IP address list if the determining unit 77 determines that the second IP address list is different from the first IP address list.
In this embodiment of the present invention, further, the timing unit 76 is configured to set the timing period of the timer to the time-to-live TTL of the domain name of the network resource.
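The behaviour of units 71 to 77 above, written out as an added example in Python (this is illustrative code, not the patent's or Huawei's implementation): a domain-keyed ACL entry is populated from a DNS answer, a timer is armed with the record's TTL, and on expiry the domain is resolved again and the ACL is rewritten only if the address set changed. The zone dictionary stands in for the DNS server so the example runs offline, the `rule ... destination ...` output format is an assumption, and the handling of a failed re-resolution (keep the existing entries and retry soon rather than emptying the list) is the check a practitioner would add, since the text does not say what the issuing unit does when the second resolution fails.

```python
"""Added example: DNS-resolved ACL entry with TTL-driven refresh.
Not the patent's code; the zone below is constructed test data."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Stand-in for the DNS server: domain -> (TTL seconds, A records).
FAKE_DNS = {
    "update.example.net": (300, ["203.0.113.10", "203.0.113.11"]),
}


@dataclass
class DnsAnswer:
    domain: str
    ttl: int
    ips: list


def resolve(domain, zone=FAKE_DNS):
    """Return a DnsAnswer on success, or None when resolution fails."""
    entry = zone.get(domain)
    if entry is None:
        return None
    ttl, ips = entry
    return DnsAnswer(domain, ttl, sorted(ips))


def domain_from_url(url):
    """Obtaining unit: extract the domain name from a URL-form command."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host name in URL: {url!r}")
    return host.lower().rstrip(".")


@dataclass
class DomainAcl:
    """One ACL entry keyed by domain; `entries` models the installed list."""
    domain: str
    action: str = "permit"
    entries: set = field(default_factory=set)
    timer_deadline: float = 0.0
    now: float = 0.0  # simulated clock so the example runs offline

    def install(self, answer):
        """Issuing unit: program the resolved list; timing unit: arm the
        timer with the record TTL as its period."""
        self.entries = set(answer.ips)
        self.timer_deadline = self.now + answer.ttl

    def refresh(self, zone=FAKE_DNS):
        """Timer expiry: re-resolve, compare with the installed list and
        rewrite the ACL only on change. Returns (changed, added, removed)."""
        answer = resolve(self.domain, zone)
        if answer is None:
            # Resolution failed: keep the current entries instead of
            # wiping the ACL, and retry after a short back-off (assumed 30 s).
            self.timer_deadline = self.now + 30
            return (False, set(), set())
        new = set(answer.ips)
        added, removed = new - self.entries, self.entries - new
        if added or removed:
            self.entries = new
        self.timer_deadline = self.now + answer.ttl
        return (bool(added or removed), added, removed)

    def rules(self):
        """Render the entries as ACL rule lines (line format is assumed)."""
        return [f"rule {self.action} ip destination {ip} 0"
                for ip in sorted(self.entries)]


def demo():
    """Configure from a URL, install, expire the timer, observe an upstream
    address change and refresh. Returns the ACL and the refresh result."""
    zone = dict(FAKE_DNS)
    acl = DomainAcl(domain_from_url("https://update.example.net/v1/feed"))
    acl.install(resolve(acl.domain, zone))
    acl.now = 300  # timer period == TTL, so the timer has just expired
    # Constructed change: the service retires .10 and adds .12.
    zone[acl.domain] = (300, ["203.0.113.12", "203.0.113.11"])
    changed, added, removed = acl.refresh(zone)
    return acl, changed, added, removed


if __name__ == "__main__":
    acl, changed, added, removed = demo()
    print(changed, sorted(added), sorted(removed))
    print("\n".join(acl.rules()))
```

Because the timer period equals the TTL, the device re-resolves exactly when its cached answer would have expired, which is the earliest point at which a changed address can legitimately appear.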
It should be noted that, for the specific working process of each functional module in the ACL configuration device provided in the embodiment of the present invention, reference may be made to the specific description of the corresponding process in the method embodiment, and details of the embodiment of the present invention are not described herein again.
The ACL configuration device provided in the embodiment of the present invention is used to execute the ACL configuration method, so that the same effect as the ACL configuration method can be achieved.
Fig. 10 is a schematic diagram illustrating a component of an ACL configuration device according to an embodiment of the present invention, as shown in fig. 10, including: ACL module 81, DNS module 82, TCAM module 83.
The ACL module 81 is configured to obtain a configuration command, where the configuration command is used to obtain an internet protocol IP address list corresponding to a domain name of a network resource and required for accessing the network resource, and is used to control the network resource, where the configuration command includes the domain name of the network resource, and to carry the domain name of the network resource in an IP address resolution message transmitted to the DNS module 82.
The DNS module 82 is configured to generate a first DNS resolution request packet, where the first DNS resolution request packet includes the domain name of the network resource, send the first DNS resolution request packet to a DNS server, and receive a first DNS resolution success packet from the DNS server, where the first DNS resolution success packet includes the domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, where the first IP address list includes at least one IP address, and transmit the first IP address list to the ACL module 81.
The ACL module 81 is further configured to issue the first IP address list to the ACL list of the TCAM module 83, so as to implement control over the network resource.
In this embodiment of the present invention, further, the domain name of the network resource is included in a uniform resource locator URL of the network resource.
The ACL module 81 is further configured to obtain the domain name of the network resource according to the URL of the network resource.
In this embodiment of the present invention, further, the ACL module 81 is further configured to start a timer.
The DNS module 82 is further configured to generate a second DNS resolution request message when the timer times out, where the second DNS resolution request message includes the domain name of the network resource, send the second DNS resolution request message to the DNS server, receive a second DNS resolution success message from the DNS server, where the second DNS resolution success message includes the domain name of the network resource and a second IP address list corresponding to the domain name of the network resource and required for accessing the network resource, where the second IP address list includes at least one IP address, and transmit the second IP address list to the ACL module 81.
The ACL module 81 is further configured to determine whether the second IP address list is the same as the first IP address list, and update the ACL list of the TCAM module 83 according to the second IP address list if the second IP address list is different from the first IP address list.
In this embodiment of the present invention, further, the ACL module 81 is further configured to set the timing period of the timer to the time to live TTL of the domain name of the network resource.
It should be noted that, for the specific working process of each functional module in the ACL configuration device provided in the embodiment of the present invention, reference may be made to the specific description of the corresponding process in the method embodiment, and details of the embodiment of the present invention are not described herein again.
The ACL configuration device provided in the embodiment of the present invention is used to execute the ACL configuration method, so that the same effect as the ACL configuration method can be achieved.
Fig. 11 is a schematic composition diagram of a DNS server according to an embodiment of the present invention, as shown in fig. 11, including: a receiving unit 91, a resolving unit 92, a determining unit 93, and a sending unit 94.
The receiving unit 91 is configured to receive a first DNS resolution request packet sent by an ACL configuration device, where the first DNS resolution request packet includes a domain name of a network resource.
The resolving unit 92 is configured to resolve the domain name of the network resource included in the first DNS resolution request packet received by the receiving unit 91.
The determining unit 93 is configured to determine whether the domain name of the network resource is successfully resolved by the resolving unit 92.
The sending unit 94 is configured to send a first DNS resolution success message to the ACL configuration device if the determining unit 93 determines that the domain name of the network resource is successfully resolved by the resolving unit 92, where the first DNS resolution success message includes the domain name of the network resource and a first IP address list, which is obtained by resolution and corresponds to the domain name of the network resource and is required to access the network resource, and the first IP address list includes at least one IP address.
In this embodiment of the present invention, the sending unit 94 is further configured to send a first DNS resolution failure message to the ACL configuration device if the determining unit 93 determines that the resolving unit 92 fails to resolve the domain name of the network resource, where the first DNS resolution failure message is used to notify the ACL configuration device that resolution of the domain name of the network resource has failed.
Alternatively, the sending unit 94 is further configured not to respond to the first DNS resolution request packet if the determining unit 93 determines that resolution of the domain name of the network resource by the resolving unit 92 fails.
In this embodiment of the present invention, the receiving unit 91 is further configured to receive a second DNS resolution request packet sent by the ACL configuration device, where the second DNS resolution request packet includes a domain name of the network resource.
The resolving unit 92 is further configured to resolve the domain name of the network resource included in the second DNS resolution request packet received by the receiving unit 91.
The determining unit 93 is further configured to determine whether the domain name of the network resource is successfully resolved by the resolving unit 92.
The sending unit 94 is further configured to send a second DNS resolution success message to the ACL configuration device if the determining unit 93 determines that the domain name of the network resource is successfully resolved by the resolving unit 92, where the second DNS resolution success message includes the domain name of the network resource and a second IP address list, corresponding to the domain name of the network resource, obtained through resolution and required for accessing the network resource, and the second IP address list includes at least one IP address.
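The exchange between the ACL configuration device and the DNS server described for units 91 to 94, as an added example in Python and not code from the patent: the device builds a wire-format A query, and the stand-in server answers in one of the three ways the text names, a success packet carrying the IP address list and TTL, a failure packet (here RCODE 3, NXDOMAIN, chosen as one concrete failure code), or no reply at all. The zone and the domain names are constructed. The client drops replies whose transaction ID does not match its query; that alone is not enough to protect an ACL that is fed from DNS, so in practice the device should query a resolver it trusts over a protected path (or validate DNSSEC), because whoever controls the answers controls the ACL.

```python
"""Added example: DNS A-record exchange in wire format, with the server's
success / failure / no-response behaviours. Not the patent's code."""
import struct

# Constructed zone for the stand-in server: name -> (TTL, A records).
ZONE = {"portal.example.org": (120, ["192.0.2.10", "192.0.2.20", "192.0.2.30"])}


def encode_name(name):
    """Encode a domain name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        lab = label.encode("ascii")
        if not 0 < len(lab) < 64:
            raise ValueError("bad label length")
        out += bytes([len(lab)]) + lab
    return out + b"\x00"


def decode_name(buf, off):
    """Decode a name at `off`, following one level of compression pointer.
    Returns (name, offset just past the name)."""
    labels = []
    while True:
        n = buf[off]
        if n == 0:
            return ".".join(labels), off + 1
        if n & 0xC0 == 0xC0:
            ptr = struct.unpack(">H", buf[off:off + 2])[0] & 0x3FFF
            name, _ = decode_name(buf, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n


def build_query(txid, name):
    """Device side: recursion-desired A query (QTYPE 1, QCLASS IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", 1, 1)


def serve(query, zone=ZONE, drop_unknown=False):
    """Server side. Success: header + question + one A record per address.
    Failure: RCODE 3 (NXDOMAIN) with no answers. drop_unknown=True models
    the 'does not respond' alternative by returning None."""
    txid = struct.unpack(">H", query[:2])[0]
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack(">HH", query[off:off + 4])
    question = query[12:off + 4]
    entry = zone.get(qname.lower()) if (qtype, qclass) == (1, 1) else None
    if entry is None:
        if drop_unknown:
            return None
        flags = 0x8180 | 3  # QR, RD, RA set; RCODE = NXDOMAIN
        return struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0) + question
    ttl, ips = entry
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # NAME is a pointer to the question name at offset 12.
        answers += b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4) + rdata
    return struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0) + question + answers


def parse_reply(reply, expected_txid):
    """Device side. Returns None for no reply, otherwise
    (rcode, name, sorted IP list, minimum TTL over the A records)."""
    if reply is None:
        return None
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: discard reply")
    rcode = flags & 0x000F
    name, off = decode_name(reply, 12)
    off += 4  # skip QTYPE, QCLASS
    ips, min_ttl = [], None
    for _ in range(an):
        _, off = decode_name(reply, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", reply[off:off + 10])
        off += 10
        if (rtype, rclass, rdlen) == (1, 1, 4):
            ips.append(".".join(str(b) for b in reply[off:off + 4]))
            min_ttl = ttl if min_ttl is None else min(min_ttl, ttl)
        off += rdlen
    return rcode, name, sorted(ips), min_ttl


def lookup(name, txid=0x1234, zone=ZONE, drop_unknown=False):
    """One complete request/response exchange as the device sees it."""
    return parse_reply(serve(build_query(txid, name), zone, drop_unknown), txid)


if __name__ == "__main__":
    print(lookup("portal.example.org"))
    print(lookup("missing.example.org"))
    print(lookup("missing.example.org", drop_unknown=True))
```

The minimum TTL across the returned A records is the value the device would use as its timer period; when the server does not respond at all the device sees a timeout rather than a packet, so a production implementation needs the same retry and keep-existing-entries handling as for an explicit failure message.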
It should be noted that, for the specific working process of each functional module in the DNS server provided in the embodiment of the present invention, reference may be made to the specific description of the corresponding process in the method embodiment, and details are not described here in the embodiment of the present invention.
The DNS server provided in the embodiment of the present invention is configured to execute the ACL configuration method, and therefore, the same effect as the ACL configuration method can be achieved.
Fig. 12 is a schematic composition diagram of a network management server according to an embodiment of the present invention, as shown in fig. 12, including: an obtaining unit 1001, a generating unit 1002, a sending unit 1003, and a receiving unit 1004.
The obtaining unit 1001 is configured to obtain a configuration command, where the configuration command is used to obtain an internet protocol IP address list corresponding to a domain name of a network resource and required for accessing the network resource, and is used to control the network resource, and the configuration command includes the domain name of the network resource.
The generating unit 1002 is configured to generate a first domain name system DNS resolution request packet, where the first DNS resolution request packet includes a domain name of the network resource.
The sending unit 1003 is configured to send the first DNS resolution request packet generated by the generating unit 1002 to a DNS server.
The receiving unit 1004 is configured to receive a first DNS resolution success packet from the DNS server, where the first DNS resolution success packet includes a domain name of the network resource and a first IP address list corresponding to the domain name of the network resource and required for accessing the network resource, and the first IP address list includes at least one IP address.
The sending unit 1003 is further configured to send the first IP address list included in the first DNS resolution success message received by the receiving unit 1004 to an ACL configuration device, so that the ACL configuration device issues the first IP address list to an ACL list of the ACL configuration device, so as to implement control over the network resource.
In this embodiment of the present invention, further, the domain name of the network resource is included in a uniform resource locator URL of the network resource.
The obtaining unit 1001 is further configured to obtain a domain name of the network resource according to the URL of the network resource.
It should be noted that, for the specific working process of each functional module in the network management server provided in the embodiment of the present invention, reference may be made to the specific description of the corresponding process in the method embodiment, and details are not described here in the embodiment of the present invention.
The network management server provided by the embodiment of the invention is used for executing the ACL configuration method, so that the same effect as the ACL configuration method can be achieved.
Fig. 13 is a schematic diagram of a hardware structure of an ACL configuration device according to an embodiment of the present invention, and as shown in fig. 13, the ACL configuration device may include at least one processor 1101, a memory 1102, at least one communication interface 1103, and a communication bus 1104.
The following describes each component of the ACL configuration device in detail with reference to fig. 13:
The processor 1101 may be a single processor or a collective term for a plurality of processing elements. For example, the processor 1101 is a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement embodiments of the present invention, such as one or more digital signal processors (DSPs) or one or more field programmable gate arrays (FPGAs).
Processor 1101 may perform, among other things, various functions of the ACL configuration device by running or executing software programs stored in memory 1102 and invoking data stored in memory 1102.
In a particular implementation, as an embodiment, the processor 1101 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 13.
In a particular implementation, as an embodiment, an ACL configuration device may include multiple processors, such as processor 1101 and processor 1105 shown in fig. 13. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
Memory 1102 may be a Read-Only Memory (ROM) or other type of static storage device that can store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that can store information and instructions, an Electrically Erasable Programmable Read-Only Memory (EEPROM), a Compact Disc Read-Only Memory (CD-ROM) or other optical disk storage, optical disk storage (including Compact Disc, laser Disc, optical Disc, digital versatile Disc, blu-ray Disc, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited thereto. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 1102 is used for storing software programs for implementing the present invention, and is controlled by the processor 1101 for execution.
The communication interface 1103 uses any means, such as a transceiver, for communicating with other devices. The communication interface 1103 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The communication bus 1104 may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 13, but this is not intended to represent only one bus or type of bus.
The device structure shown in fig. 13 does not constitute a definition of an ACL configuration device, and may include more or fewer components than shown, or some components in combination, or a different arrangement of components.
In a specific implementation:
the processor 1101 is configured to execute the ACL configuration method provided in fig. 3 or fig. 6, so as to implement the functions of the obtaining unit 71, the generating unit 72, and the issuing unit 75 in the ACL configuration device shown in fig. 8 and fig. 9.
For example, the processor 1101 is configured to execute step 201 in the ACL configuration method provided in fig. 3 to implement the function of the obtaining unit 71 in the ACL configuration device shown in fig. 8 and 9. The processor 1101 is also configured to execute step 202 in the ACL configuration method provided in fig. 3 to implement the functions of the generation unit 72 in the ACL configuration device shown in fig. 8 and 9. Processor 1101 is also configured to execute step 205 in the ACL configuration method provided in fig. 3 to implement the function of issuing unit 75 in the ACL configuration device shown in fig. 8 and 9.
As another example, the processor 1101 is configured to execute step 501 in the ACL configuration method provided in fig. 6 to implement the function of the obtaining unit 71 in the ACL configuration device shown in fig. 8 and 9. The processor 1101 is further configured to execute step 502 or step 516 in the ACL configuration method provided in fig. 6 to implement the functions of the generation unit 72 in the ACL configuration device shown in fig. 8 and 9. Processor 1101 is also configured to execute step 511 or step 526 in the ACL configuration method provided in fig. 6 to implement the function of issuing unit 75 in the ACL configuration device shown in fig. 8 and 9.
The communication interface 1103 is configured to execute the ACL configuration method provided in fig. 3 or fig. 6, so as to implement the functions of the sending unit 73 and the receiving unit 74 in the ACL configuration device shown in fig. 8 and fig. 9.
For example, communication interface 1103 is used to execute step 203 in the ACL configuration method provided in fig. 3 to implement the function of sending unit 73 in the ACL configuration device shown in fig. 8 and 9. Communication interface 1103 is also used to execute step 204 in the ACL configuration method provided in fig. 3 to implement the functions of receiving unit 74 in the ACL configuration device shown in fig. 8 and 9.
As another example, the communication interface 1103 is configured to execute step 503 or step 517 in the ACL configuration method provided in fig. 6 to implement the function of the sending unit 73 in the ACL configuration device shown in fig. 8 and 9. The communication interface 1103 is also configured to execute step 510, step 512 or step 524 in the ACL configuration method provided in fig. 6 to implement the function of the receiving unit 74 in the ACL configuration device shown in fig. 8 and 9.
In the embodiment of the present invention, further, the processor 1101 is further configured to execute the ACL configuration method provided in fig. 6, so as to implement the functions of the timing unit 76 and the judging unit 77 in the ACL configuration device shown in fig. 9.
For example, the processor 1101 is configured to execute step 514 or step 515 of the ACL configuration method provided in fig. 6 to implement the function of the timing unit 76 in the ACL configuration device shown in fig. 9. The processor 1101 is also configured to execute step 525 in the ACL configuration method provided in fig. 6 to implement the function of the determining unit 77 in the ACL configuration device shown in fig. 9.
The ACL configuration device provided in the embodiment of the present invention is used to execute the ACL configuration method, so that the same effect as the ACL configuration method can be achieved.
Fig. 14 is a schematic diagram of a hardware structure of a DNS server according to an embodiment of the present invention, and as shown in fig. 14, the DNS server may include at least one processor 1201, a memory 1202, at least one communication interface 1203, and a communication bus 1204.
The following specifically describes each constituent component of the DNS server with reference to fig. 14:
the processor 1201 may be a single processor or may be a collective term for a plurality of processing elements. For example, the processor 1201 is a CPU, or may be an ASIC, or one or more integrated circuits configured to implement embodiments of the present invention, such as: one or more DSPs, or one or more FPGAs.
Among other things, the processor 1201 can perform various functions of the DNS server by running or executing software programs stored in the memory 1202 and calling data stored in the memory 1202.
In particular implementations, processor 1201 may include one or more CPUs such as CPU0 and CPU1 shown in fig. 14 for one embodiment.
In particular implementations, as an embodiment, the DNS server may include multiple processors, such as processor 1201 and processor 1205 shown in fig. 14. Each of these processors may be a single-CPU or a multi-CPU. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
Memory 1202 may be, but is not limited to, a ROM or other type of static storage device that can store static information and instructions, a RAM or other type of dynamic storage device that can store information and instructions, an EEPROM, a CD-ROM or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 1202 is used for storing software programs for implementing the present invention, and is controlled by the processor 1201 for execution.
The communication interface 1203 is used for communication with other devices, such as any transceiver. The communication interface 1203 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The communication bus 1204 may be an ISA bus, a PCI bus, an EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 14, but this is not intended to represent only one bus or type of bus.
The device architecture shown in fig. 14 does not constitute a definition of a DNS server and may include more or fewer components than shown, or some components may be combined, or a different arrangement of components.
In a specific implementation:
the processor 1201 is configured to execute the ACL configuration method provided in fig. 4 or fig. 6, so as to implement the functions of the resolution unit 92 and the determination unit 93 in the DNS server shown in fig. 11.
For example, the processor 1201 is configured to execute step 302 in the ACL configuration method provided in fig. 4 to implement the function of the resolution unit 92 in the DNS server shown in fig. 11. The processor 1201 is further configured to execute step 303 in the ACL configuration method provided in fig. 4 to implement the function of the determination unit 93 in the DNS server shown in fig. 11.
For another example, the processor 1201 is configured to execute step 505 or step 519 in the ACL configuration method provided in fig. 6 to implement the function of the resolving unit 92 in the DNS server shown in fig. 11. The processor 1201 is also configured to execute step 506 or step 520 in the ACL configuration method provided in fig. 6 to implement the function of the determining unit 93 in the DNS server shown in fig. 11.
The communication interface 1203 is configured to execute the ACL configuration method provided in fig. 4 or fig. 6, so as to implement the functions of the sending unit 94 and the receiving unit 91 in the DNS server shown in fig. 11.
For example, the communication interface 1203 is used to execute step 301 in the ACL configuration method provided in fig. 4 to implement the function of the receiving unit 91 in the DNS server shown in fig. 11. The communication interface 1203 is further configured to execute step 304 in the ACL configuration method provided in fig. 4 to implement the function of the sending unit 94 in the DNS server shown in fig. 11.
As another example, the communication interface 1203 is configured to execute steps 504 or 518 in the ACL configuration method provided in fig. 6 to implement the function of the receiving unit 91 in the DNS server shown in fig. 11. The communication interface 1203 is further configured to execute step 507, step 508, step 521 or step 522 in the ACL configuration method provided in fig. 6 to implement the function of the sending unit 94 in the DNS server shown in fig. 11.
The DNS server provided in the embodiment of the present invention is configured to execute the ACL configuration method, and therefore, the same effect as the ACL configuration method can be achieved.
Fig. 15 is a schematic diagram of a hardware structure of a network management server according to an embodiment of the present invention, and as shown in fig. 15, the network management server may include at least one processor 1301, a memory 1302, at least one communication interface 1303, and a communication bus 1304.
The following specifically describes each constituent element of the network management server with reference to fig. 15:
processor 1301 may be a single processor or may be a collective term for multiple processing elements. For example, processor 1301 is a CPU, may also be an ASIC, or one or more integrated circuits configured to implement embodiments of the present invention, such as: one or more DSPs, or one or more FPGAs.
The processor 1301 may perform various functions of the network management server by running or executing software programs stored in the memory 1302 and calling data stored in the memory 1302, among other things.
In particular implementations, processor 1301 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 15, as one embodiment.
In a particular implementation, as an embodiment, the network management server may include multiple processors, such as the processor 1301 and the processor 1305 shown in fig. 15. Each of these processors may be a single-core (single-CPU) processor or a multi-core (multi-CPU) processor. A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 1302 may be, but is not limited to, ROM or other type of static storage device that can store static information and instructions, RAM or other type of dynamic storage device that can store information and instructions, EEPROM, CD-ROM or other optical disk storage, optical disk storage (including compact disk, laser disk, optical disk, digital versatile disk, blu-ray disk, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory may be self-contained and coupled to the processor via a bus. The memory may also be integral to the processor.
The memory 1302 is used for storing software programs for implementing the present invention, and is controlled by the processor 1301 for execution.
The communication interface 1303 uses any means, such as a transceiver, for communicating with other devices. The communication interface 1303 may include a receiving unit implementing a receiving function and a transmitting unit implementing a transmitting function.
The communication bus 1304 can be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 15, but this is not intended to represent only one bus or type of bus.
The device architecture shown in fig. 15 does not constitute a limitation of the network management server and may include more or fewer components than those shown, or some of the components may be combined, or a different arrangement of components.
In a specific implementation:
the processor 1301 is configured to execute the ACL configuration method provided in fig. 5 or fig. 7, so as to implement the functions of the obtaining unit 1001 and the generating unit 1002 in the network management server shown in fig. 12.
For example, the processor 1301 is configured to execute step 401 in the ACL configuration method provided in fig. 5 to implement the function of the obtaining unit 1001 in the network management server shown in fig. 12. The processor 1301 is further configured to execute step 402 in the ACL configuration method provided in fig. 5 to implement the function of the generating unit 1002 in the network management server shown in fig. 12.
For another example, the processor 1301 is configured to execute step 601 in the ACL configuration method provided in fig. 7 to implement the function of the obtaining unit 1001 in the network management server shown in fig. 12. The processor 1301 is further configured to execute step 602 or step 616 in the ACL configuration method provided in fig. 7 to implement the function of the generating unit 1002 in the network management server shown in fig. 12.
The communication interface 1303 is configured to execute the ACL configuration method provided in fig. 5 or fig. 7, so as to implement the functions of the sending unit 1003 and the receiving unit 1004 in the network management server shown in fig. 12.
For example, the communication interface 1303 is configured to execute step 403 or step 405 in the ACL configuration method provided in fig. 5 to implement the function of the transmitting unit 1003 in the network management server shown in fig. 12. The communication interface 1303 is also used to execute step 404 in the ACL configuration method provided in fig. 5 to implement the function of the receiving unit 1004 in the network management server shown in fig. 12.
For another example, the communication interface 1303 is configured to execute step 603, step 611, step 617, or step 626 in the ACL configuration method provided in fig. 7 to implement the function of the sending unit 1003 in the network management server shown in fig. 12. The communication interface 1303 is also used to execute step 610, step 612 or step 624 in the ACL configuration method provided in fig. 7 to implement the function of the receiving unit 1004 in the network management server shown in fig. 12.
The network management server provided by the embodiment of the invention is used for executing the ACL configuration method and therefore achieves the same effect as the ACL configuration method.
Through the above description of the embodiments, it is clear to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be completed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the above described functions.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The device embodiments described above are merely illustrative: the division into modules or units is only one logical functional division, and other divisions are possible in an actual implementation; for example, a plurality of units or components may be combined or integrated into another device, or some features may be omitted or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or of another form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, that is, may be located in one place, or may be distributed in a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product. The software product is stored in a storage medium and includes several instructions that enable a device (which may be a single chip, a chip, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above description is only for the specific embodiments of the present invention, but the scope of the present invention is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present invention, and all the changes or substitutions should be covered within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (20)

1. An access control list (ACL) configuration method, comprising:
the ACL configuration device acquires a configuration command, wherein the configuration command is used to acquire an Internet Protocol (IP) address list that corresponds to a domain name of a network resource and is required for accessing the network resource, and is used to control the network resource, and the configuration command comprises the domain name of the network resource;
the ACL configuration device generates a first Domain Name System (DNS) resolution request message, wherein the first DNS resolution request message comprises the domain name of the network resource;
the ACL configuration device sends the first DNS resolution request message to a DNS server;
the ACL configuration device receives a first DNS resolution success message from the DNS server, wherein the first DNS resolution success message comprises the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list comprises at least one IP address; and
the ACL configuration device issues the first IP address list to an ACL list of the ACL configuration device, so as to control the network resource.
2. The method according to claim 1, wherein
the domain name of the network resource is included in a Uniform Resource Locator (URL) of the network resource; and
before the ACL configuration device generates the first DNS resolution request message, the method further comprises:
the ACL configuration device acquires the domain name of the network resource according to the URL of the network resource.
3. The method according to claim 1 or 2, wherein after the ACL configuration device issues the first IP address list to the ACL list of the ACL configuration device, the method further comprises:
the ACL configuration device starts a timer;
when the timer expires, the ACL configuration device generates a second DNS resolution request message, wherein the second DNS resolution request message comprises the domain name of the network resource;
the ACL configuration device sends the second DNS resolution request message to the DNS server;
the ACL configuration device receives a second DNS resolution success message from the DNS server, wherein the second DNS resolution success message comprises the domain name of the network resource and a second IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the second IP address list comprises at least one IP address;
the ACL configuration device determines whether the second IP address list is the same as the first IP address list; and
if the second IP address list is different from the first IP address list, the ACL configuration device updates the ACL list according to the second IP address list.
4. The method according to claim 3, wherein
the ACL configuration device configures the time to live (TTL) of the domain name of the network resource as the timing period of the timer.
5. An access control list (ACL) configuration method, comprising:
a Domain Name System (DNS) server receives a first DNS resolution request message sent by an ACL configuration device, wherein the first DNS resolution request message comprises a domain name of a network resource;
the DNS server resolves the domain name of the network resource included in the first DNS resolution request message;
the DNS server determines whether the resolution succeeded; and
if the resolution succeeded, the DNS server sends a first DNS resolution success message to the ACL configuration device, wherein the first DNS resolution success message comprises the domain name of the network resource and a first IP address list, obtained by the resolution, that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list comprises at least one IP address.
6. The method according to claim 5, further comprising:
if the resolution failed, the DNS server sends a first DNS resolution failure message to the ACL configuration device, wherein the first DNS resolution failure message is used to notify the ACL configuration device that the resolution of the domain name of the network resource failed;
or,
if the resolution failed, the DNS server does not respond to the first DNS resolution request message.
7. An access control list (ACL) configuration method, comprising:
a network management server acquires a configuration command, wherein the configuration command is used to acquire an Internet Protocol (IP) address list that corresponds to a domain name of a network resource and is required for accessing the network resource, and is used to control the network resource, and the configuration command comprises the domain name of the network resource;
the network management server generates a first Domain Name System (DNS) resolution request message, wherein the first DNS resolution request message comprises the domain name of the network resource;
the network management server sends the first DNS resolution request message to a DNS server;
the network management server receives a first DNS resolution success message from the DNS server, wherein the first DNS resolution success message comprises the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list comprises at least one IP address; and
the network management server sends the first IP address list to an ACL configuration device.
8. The method according to claim 7, wherein
the domain name of the network resource is included in a Uniform Resource Locator (URL) of the network resource; and
before the network management server generates the first DNS resolution request message, the method further comprises:
the network management server acquires the domain name of the network resource according to the URL of the network resource.
9. An access control list (ACL) configuration device, comprising: an acquiring unit, a generating unit, a sending unit, a receiving unit and an issuing unit; wherein
the acquiring unit is configured to acquire a configuration command, wherein the configuration command is used to acquire an Internet Protocol (IP) address list that corresponds to a domain name of a network resource and is required for accessing the network resource, and is used to control the network resource, and the configuration command comprises the domain name of the network resource;
the generating unit is configured to generate a first Domain Name System (DNS) resolution request message, wherein the first DNS resolution request message comprises the domain name of the network resource included in the configuration command acquired by the acquiring unit;
the sending unit is configured to send the first DNS resolution request message generated by the generating unit to a DNS server;
the receiving unit is configured to receive a first DNS resolution success message from the DNS server, wherein the first DNS resolution success message comprises the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list comprises at least one IP address; and
the issuing unit is configured to issue the first IP address list included in the first DNS resolution success message received by the receiving unit to an ACL list of the ACL configuration device, so as to control the network resource.
10. The ACL configuration device according to claim 9, wherein the domain name of the network resource is included in a Uniform Resource Locator (URL) of the network resource; and
the acquiring unit is further configured to acquire the domain name of the network resource according to the URL of the network resource.
11. The ACL configuration device according to claim 9 or 10, further comprising: a timing unit and a determining unit; wherein
the timing unit is configured to start a timer;
the generating unit is further configured to generate a second DNS resolution request message when the timer expires, wherein the second DNS resolution request message comprises the domain name of the network resource;
the sending unit is further configured to send the second DNS resolution request message generated by the generating unit to the DNS server;
the receiving unit is further configured to receive a second DNS resolution success message from the DNS server, wherein the second DNS resolution success message comprises the domain name of the network resource and a second IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the second IP address list comprises at least one IP address;
the determining unit is configured to determine whether the second IP address list included in the second DNS resolution success message received by the receiving unit is the same as the first IP address list; and
the issuing unit is further configured to update the ACL list according to the second IP address list if the determining unit determines that the second IP address list is different from the first IP address list.
12. The ACL configuration device according to claim 11, wherein
the timing unit is further configured to configure the time to live (TTL) of the domain name of the network resource as the timing period of the timer.
13. An access control list (ACL) configuration device, comprising: an ACL module, a Domain Name System (DNS) module and a TCAM module; wherein
the ACL module is configured to acquire a configuration command, wherein the configuration command is used to acquire an Internet Protocol (IP) address list that corresponds to a domain name of a network resource and is required for accessing the network resource, and is used to control the network resource, and the configuration command comprises the domain name of the network resource; and to carry the domain name of the network resource in an IP address resolution message and transmit the IP address resolution message to the DNS module;
the DNS module is configured to generate a first DNS resolution request message, send the first DNS resolution request message to a DNS server, and receive a first DNS resolution success message from the DNS server, wherein the first DNS resolution success message comprises the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list comprises at least one IP address; and to transmit the first IP address list to the ACL module; and
the ACL module is further configured to issue the first IP address list to the ACL list of the TCAM module, so as to control the network resource.
14. The ACL configuration device according to claim 13, wherein the domain name of the network resource is included in a Uniform Resource Locator (URL) of the network resource; and
the ACL module is further configured to acquire the domain name of the network resource according to the URL of the network resource.
15. The ACL configuration device according to claim 13 or 14, wherein
the ACL module is further configured to start a timer;
the DNS module is further configured to generate a second DNS resolution request message when the timer expires, wherein the second DNS resolution request message comprises the domain name of the network resource; to send the second DNS resolution request message to the DNS server; to receive a second DNS resolution success message from the DNS server, wherein the second DNS resolution success message comprises the domain name of the network resource and a second IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the second IP address list comprises at least one IP address; and to transmit the second IP address list to the ACL module; and
the ACL module is further configured to determine whether the second IP address list is the same as the first IP address list, and to update the ACL list of the TCAM module according to the second IP address list if the second IP address list is different from the first IP address list.
16. The ACL configuration device according to claim 15, wherein
the ACL module is further configured to configure the time to live (TTL) of the domain name of the network resource as the timing period of the timer.
17. A Domain Name System (DNS) server, comprising: a receiving unit, a resolving unit, a determining unit and a sending unit; wherein
the receiving unit is configured to receive a first DNS resolution request message sent by an ACL configuration device, wherein the first DNS resolution request message comprises a domain name of a network resource;
the resolving unit is configured to resolve the domain name of the network resource included in the first DNS resolution request message received by the receiving unit;
the determining unit is configured to determine whether the resolving unit successfully resolved the domain name of the network resource; and
the sending unit is configured to send a first DNS resolution success message to the ACL configuration device if the determining unit determines that the resolving unit successfully resolved the domain name of the network resource, wherein the first DNS resolution success message comprises the domain name of the network resource and a first IP address list, obtained by the resolution, that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list comprises at least one IP address.
18. The DNS server according to claim 17, wherein
the sending unit is further configured to send a first DNS resolution failure message to the ACL configuration device if the determining unit determines that the resolving unit failed to resolve the domain name of the network resource, wherein the first DNS resolution failure message is used to notify the ACL configuration device that the resolution of the domain name of the network resource failed;
or,
the sending unit is further configured not to respond to the first DNS resolution request message if the determining unit determines that the resolving unit failed to resolve the domain name of the network resource.
19. A network management server, comprising: an acquiring unit, a generating unit, a sending unit and a receiving unit; wherein
the acquiring unit is configured to acquire a configuration command, wherein the configuration command is used to acquire an Internet Protocol (IP) address list that corresponds to a domain name of a network resource and is required for accessing the network resource, and is used to control the network resource, and the configuration command comprises the domain name of the network resource;
the generating unit is configured to generate a first Domain Name System (DNS) resolution request message, wherein the first DNS resolution request message comprises the domain name of the network resource;
the sending unit is configured to send the first DNS resolution request message generated by the generating unit to a DNS server;
the receiving unit is configured to receive a first DNS resolution success message from the DNS server, wherein the first DNS resolution success message comprises the domain name of the network resource and a first IP address list that corresponds to the domain name of the network resource and is required for accessing the network resource, and the first IP address list comprises at least one IP address; and
the sending unit is further configured to send the first IP address list included in the first DNS resolution success message received by the receiving unit to an ACL configuration device.
20. The network management server according to claim 19, wherein the domain name of the network resource is included in a Uniform Resource Locator (URL) of the network resource; and
the acquiring unit is further configured to acquire the domain name of the network resource according to the URL of the network resource.
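The procedure claimed above (configuration command carrying a domain name, DNS resolution, installation of the resulting IP address list into the ACL, and TTL-driven re-resolution that updates the ACL only when the list changes) can be modelled offline as follows. This is an added example, not code from the patent or from Huawei; the in-memory DNS server, the zone data, the RFC 5737 documentation addresses and the `run_scenario` walkthrough are all constructed, and the device keeps its existing entries when a re-resolution fails or goes unanswered (claim 6), which the claims leave open.

```python
"""Offline model of the DNS-driven ACL configuration in claims 1-6 and 13-16
(added example; constructed data, no real network access)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple, Union


@dataclass(frozen=True)
class DnsResolutionRequest:
    domain: str


@dataclass(frozen=True)
class DnsResolutionSuccess:
    domain: str
    ip_list: Tuple[str, ...]   # at least one IP address
    ttl: int                   # record time to live, in seconds


@dataclass(frozen=True)
class DnsResolutionFailure:
    domain: str


class FakeDnsServer:
    """Constructed DNS server (claims 5-6): resolves the name, judges success,
    and answers with a success message, a failure message, or nothing at all."""

    def __init__(self, zone: Dict[str, Tuple[List[str], int]], silent_on_failure: bool = False):
        self.zone = zone                        # domain -> (IP list, TTL); constructed data
        self.silent_on_failure = silent_on_failure

    def handle(self, req: DnsResolutionRequest) -> Union[DnsResolutionSuccess, DnsResolutionFailure, None]:
        record = self.zone.get(req.domain)
        if record is None or not record[0]:
            return None if self.silent_on_failure else DnsResolutionFailure(req.domain)
        ips, ttl = record
        return DnsResolutionSuccess(req.domain, tuple(ips), ttl)


@dataclass
class AclConfigDevice:
    dns: FakeDnsServer
    acl: Dict[str, FrozenSet[str]] = field(default_factory=dict)   # domain -> installed IP list
    timers: Dict[str, int] = field(default_factory=dict)           # domain -> timer period (s)

    @staticmethod
    def domain_from_url(url: str) -> str:
        """Claim 2: the configuration command may give the domain name inside a URL."""
        host_part = url.split("://", 1)[-1].split("/", 1)[0]
        return host_part.split("@")[-1].split(":")[0].lower()

    def configure(self, target: str) -> Optional[FrozenSet[str]]:
        """Claims 1-4, first pass: resolve, issue the IP list to the ACL, arm the timer."""
        domain = self.domain_from_url(target) if "://" in target else target.lower()
        reply = self.dns.handle(DnsResolutionRequest(domain))
        if not isinstance(reply, DnsResolutionSuccess):
            return None                         # failure or no response: nothing is installed
        self.acl[domain] = frozenset(reply.ip_list)
        self.timers[domain] = reply.ttl         # claim 4: the TTL is the timer period
        return self.acl[domain]

    def on_timer_expiry(self, domain: str) -> bool:
        """Claim 3: re-resolve, compare with the installed list, update only if different."""
        reply = self.dns.handle(DnsResolutionRequest(domain))
        if not isinstance(reply, DnsResolutionSuccess):
            return False                        # keep existing entries rather than drop control
        new_list = frozenset(reply.ip_list)
        self.timers[domain] = reply.ttl         # re-arm with the freshly returned TTL
        if new_list == self.acl.get(domain):
            return False
        self.acl[domain] = new_list
        return True


def run_scenario() -> dict:
    """Constructed walkthrough: install, unchanged refresh, changed refresh, failed refresh."""
    zone = {"update.example.com": (["203.0.113.10", "203.0.113.11"], 300)}
    device = AclConfigDevice(FakeDnsServer(zone))
    installed = device.configure("https://update.example.com/pkgs/index.html")
    unchanged = device.on_timer_expiry("update.example.com")
    zone["update.example.com"] = (["203.0.113.11", "203.0.113.12"], 60)  # address rotates
    changed = device.on_timer_expiry("update.example.com")
    zone["update.example.com"] = ([], 0)                                  # resolution now fails
    after_failure = device.on_timer_expiry("update.example.com")
    return {"installed": installed, "unchanged": unchanged, "changed": changed,
            "acl": device.acl["update.example.com"],
            "period": device.timers["update.example.com"], "after_failure": after_failure}


if __name__ == "__main__":
    print(run_scenario())
```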
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610289565.5A CN107332813A (en) 2016-04-29 2016-04-29 A kind of ACL collocation methods, ACL configuration equipment and server

Publications (1)

Publication Number Publication Date
CN107332813A true CN107332813A (en) 2017-11-07

Family

ID=60193382

Country Status (1)

Country Link
CN (1) CN107332813A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1852263A (en) * 2006-05-23 2006-10-25 杭州华为三康技术有限公司 Message access controlling method and a network apparatus
CN103546434A (en) * 2012-07-13 2014-01-29 中国电信股份有限公司 Network access control method, device and system
CN103812770A (en) * 2012-11-12 2014-05-21 华为技术有限公司 Cloud service message redirecting method and system and cloud gateway

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108769045A (en) * 2018-06-07 2018-11-06 深圳市风云实业有限公司 Acl rule configuration method, device and the network equipment
CN108769045B (en) * 2018-06-07 2020-09-29 深圳市风云实业有限公司 ACL rule configuration method, device and network equipment
CN110213400A (en) * 2019-06-11 2019-09-06 四川长虹电器股份有限公司 A kind of method of fast automatic building DNS scheduling ACL
CN110213400B (en) * 2019-06-11 2021-06-22 四川长虹电器股份有限公司 Method for quickly and automatically constructing DNS (Domain name Server) scheduling ACL (Access control List)
CN112910919A (en) * 2021-02-26 2021-06-04 北京百度网讯科技有限公司 Analysis method, analysis device, electronic device, and storage medium
CN112910919B (en) * 2021-02-26 2023-04-07 北京百度网讯科技有限公司 Analysis method, analysis device, electronic device, and storage medium
CN114050925A (en) * 2021-11-09 2022-02-15 京东科技信息技术有限公司 Access control list matching method and device, electronic equipment and storage medium
CN114050925B (en) * 2021-11-09 2024-03-01 京东科技信息技术有限公司 Access control list matching method, device, electronic equipment and storage medium
CN116582362A (en) * 2023-07-11 2023-08-11 建信金融科技有限责任公司 Network access control method and device, electronic equipment and storage medium
CN116582362B (en) * 2023-07-11 2023-09-26 建信金融科技有限责任公司 Network access control method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20171107