CN107454051A - Access control method and home gateway - Google Patents
- Publication number
- CN107454051A (application number CN201610387240.0A)
- Authority
- CN
- China
- Prior art keywords
- domain name
- target
- address
- home gateway
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Withdrawn
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
Abstract
Embodiments of the present invention provide an access control method and a home gateway. A domain name white list is configured on the home gateway; it contains the target domain names that are allowed to access the home gateway, and each target domain name is assigned to a legitimate access device. Whenever a legitimate access device needs to access the home gateway, wherever it currently is, it obtains an IP address from its current local IP address range as the target IP address of its target domain name and uploads it to a domain name server, which stores it. The home gateway obtains the target IP address currently corresponding to each target domain name through the domain name server and uses it to control access by every device that accesses the gateway. The physical location of the access device is therefore no longer restricted; applied to operation and maintenance, this improves the convenience, flexibility and timeliness of home gateway maintenance.
Description
Technical field
The present invention relates to the field of communications, and in particular to an access control method and a home gateway.
Background technology
Home network terminals of various types, that is, home gateways, obtain a public IPv4 address allocated by the operator through DHCP (Dynamic Host Configuration Protocol) or PPPoE (PPP over Ethernet, point-to-point protocol over Ethernet) dial-up. The various network devices in the home, such as mobile phones, PCs and iPads, connect to the home network terminal over a wired LAN or wireless WLAN, obtain a private network address, and access the public network via NAT to carry out their network services. An ordinary end user is assigned fewer rights by the account the operator provides, and logs in to the terminal's WEB page or TELNET port from the private network to carry out basic operations such as checking service functions; the operator's operation and maintenance staff have an account with more rights and can log in to the terminal's WEB page or TELNET port from either the private network or the public network to carry out more complex operations such as configuring and diagnosing service functions. Especially for maintenance over the public network, the home gateway itself needs to provide an access control function that prevents attacks and logins by unauthorized users, so as to enhance security.
One current approach to home gateway access control is to close off all public network access, but that prevents maintenance staff from reaching the gateway over the public network. The approach in more common use today is therefore another one: control by IP address white list. Security is provided by configuring on the home gateway the IP addresses that are allowed to access it from the public network side. This approach has the following problem: IP addresses are tied to the physical location of the network. Shenzhen, for example, has its own address range, and an IP address from that range can only be used in Shenzhen, not anywhere else. When configuring an IP address white list it is therefore necessary to include, as completely as possible, all IP addresses that are allowed to access the gateway for maintenance, which means predicting in advance every IP address that may be needed. IP addresses are inherently hard to pin down, and as networks grow larger and networking becomes more flexible, the need to maintain home gateways from different places by IP address keeps growing. Suppose, for example, that the IP address white list has only been configured for three places: Shenzhen, Shanghai and Beijing. Because of networking requirements or other factors, the home gateway may need to be accessed temporarily by IP address from places such as Chongqing or Chengdu; since the current IP white list has no IP addresses set for those regions, every access initiated from those places is refused.
Therefore, when an existing home gateway performs access control by IP address white list, an access device can only gain normal access from the regions corresponding to the IP addresses in the white list. This places a heavy restriction on the physical location of the access device and cannot meet the need to maintain home gateways flexibly.
Summary of the invention
Embodiments of the present invention address the following problem: when a home gateway performs access control by IP address white list, the physical location of the devices that access the home gateway is heavily restricted. To this end, an access control method and a home gateway are provided.
The access control method provided by one embodiment of the invention includes:
receiving the configuration of a domain name white list, the domain name white list containing the target domain names that are allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
obtaining, through a domain name server, the target IP address currently corresponding to each target domain name, the domain name server storing the target domain names and corresponding target IP addresses currently uploaded by the legitimate access devices;
performing access control on each IP address that accesses the home gateway according to the currently obtained target IP addresses.
The home gateway provided by one embodiment of the invention includes:
a list configuration unit for receiving the configuration of a domain name white list, the domain name white list containing each target domain name that is allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
an address acquisition unit for obtaining, through a domain name server, the target IP address currently corresponding to each target domain name, the domain name server storing the target domain names and corresponding target IP addresses currently uploaded by the legitimate access devices;
an access control unit for performing access control on each IP address that accesses the home gateway according to the currently obtained target IP addresses.
One embodiment of the invention further provides a home gateway including a processor and a memory; the processor is used to control modules in the memory to perform the following actions:
receive the configuration of a domain name white list, the domain name white list containing the target domain names that are allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
obtain, through a domain name server, the target IP address currently corresponding to each target domain name, the domain name server storing the target domain names and corresponding target IP addresses currently uploaded by the legitimate access devices;
perform access control on each IP address that accesses the home gateway according to the currently obtained target IP addresses.
One technical solution among those above has the following beneficial effects:
The home gateway receives the configuration of a domain name white list containing the target domain names that are allowed to access the home gateway, and these target domain names can be assigned to the legitimate access devices. Whenever a legitimate access device needs to access the home gateway, wherever it currently is, for example Chongqing or Chengdu, it obtains an IP address from its current local IP address range as the target IP address of its target domain name and uploads it to the domain name server, which stores it. The home gateway can obtain the target IP address currently corresponding to each target domain name through the domain name server and use it to control access by the devices that access it. The physical location of the access device is thus no longer restricted: the access device can set its target IP address according to where it currently is and pass it to the home gateway through the domain name server. Applied to operation and maintenance, the embodiments of the invention therefore improve the convenience, flexibility and timeliness of home gateway maintenance.
Brief description of the drawings
Fig. 1 is a flow chart of the access control method provided by the first embodiment of the invention;
Fig. 2 is a flow chart of obtaining the target IP addresses provided by the first embodiment of the invention;
Fig. 3 is a structural diagram of the home gateway provided by the second embodiment of the invention;
Fig. 4 is a structural diagram of the home gateway provided by the third embodiment of the invention;
Fig. 5 is a diagram of the communication system architecture provided by the fourth embodiment of the invention;
Fig. 6 is a flow chart of the access control method provided by the fourth embodiment of the invention.
Embodiment
Embodiments of the present invention are described in further detail below with reference to the accompanying drawings. The technical solutions in the embodiments are described clearly and completely; the embodiments described are clearly only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from these embodiments without inventive effort fall within the scope of protection of the invention. The invention is now explained further by way of embodiments in conjunction with the drawings.
Embodiment one:
As shown in Figure 1, the access control method provided by this embodiment includes:
S101: Receive the configuration of a domain name white list.
In this embodiment the home gateway can set the domain name white list according to input from the user or maintenance staff, or the manufacturer can set it at the factory; the domain name white list set in this embodiment supports update operations such as deleting, modifying and adding target domain names within it. The domain name white list in this embodiment contains the target domain names that are allowed to access the home gateway, that is, the legitimate domain names. Each configured target domain name is assigned to a legitimate access device. A legitimate access device in this embodiment can be maintenance equipment of operating staff, such as a maintenance PC, or other equipment of personnel who access the gateway, including but not limited to communication equipment such as mobile phones, PCs and iPads. Of course, the domain name white list in this embodiment can contain a single target domain name or, depending on actual requirements, several.
S102: Obtain, through the domain name server, the target IP address currently corresponding to each target domain name.
In this embodiment, when a legitimate access device that has been assigned a target domain name needs to access the home gateway, it obtains an IP address from the IP address range corresponding to its current location as the target IP address of its target domain name and uploads it to the domain name server, which stores it. The domain name server thus holds the target domain name currently uploaded by each legitimate access device together with its corresponding target IP address. In this embodiment each legitimate access device can report its IP address using a dynamic DNS function. Specifically, the legitimate access device sends the target domain name assigned to it to the service provider's dynamic domain name server, which stores it; then, after obtaining its current IP address, it sends that IP address to the same dynamic domain name server, which now holds the device's target domain name and the IP address currently corresponding to it (that is, the target IP address). The home gateway sends the target domain names for resolution to the domain name server, this being the operator domain name server corresponding to the public network the home gateway is currently connected to. After receiving the target domain names, the domain name server obtains the corresponding target IP address for each from the corresponding service provider's dynamic domain name server, completes the resolution and feeds the result back to the home gateway.
In this embodiment the domain name server can wait until all target domain names have been resolved and feed back all matching target IP addresses to the home gateway together, or it can feed back each target IP address to the home gateway in real time as soon as that domain name's resolution completes.
In addition, it should be understood that when the domain name server in this embodiment resolves a target domain name, the target IP address it obtains may be a valid IP address or may be empty.
S103: Perform access control on each access device that accesses the home gateway according to the currently obtained target IP addresses.
When access control is performed by the scheme shown in Fig. 1 of this embodiment, the physical location of the access device is no longer restricted: the access device can, according to where it currently is, set a target IP address, bind it to the target domain name assigned to it and report it to the domain name server; the domain name server resolves the domain name, obtains the corresponding target IP address and feeds it back to the home gateway; and the home gateway can then set that target IP address as a legal IP address and complete the access rule configuration to realize access control. The scheme of this embodiment is particularly suited to operation and maintenance, where it improves the convenience, flexibility and timeliness of home gateway maintenance.
In this embodiment, the process by which the home gateway obtains, through the domain name server, the target IP address currently corresponding to each target domain name is shown in Figure 2 and includes:
S201: The home gateway accesses a public network IP address (for example an IPv4 or IPv6 address) and obtains the corresponding domain name server, which is the operator domain name server.
S202: The home gateway sends each target domain name in the domain name white list to the domain name server for resolution.
The home gateway can send the target domain names to the domain name server one at a time or in batches according to some rule, or it can send the whole domain name white list to the domain name server at once for resolution.
S203: The home gateway receives the target IP addresses fed back by the domain name server after it has currently resolved each target domain name.
After the domain name server receives the target domain names sent by the home gateway, it resolves them according to the resolution process described above and feeds the results back to the home gateway.
In addition, in this embodiment the public network IP address the home gateway is connected to may change. When the home gateway detects that its current public network IP address has changed, it obtains the corresponding new domain name server and sends each target domain name in the domain name white list to the new domain name server for resolution.
In this embodiment the physical location of each legitimate access device may change dynamically; for example, it may be in Chongqing in the morning and in Chengdu or Shenzhen that afternoon or the next morning. When the physical location changes, the IP address used by the legitimate access device changes accordingly. The legitimate access device then obtains an IP address from the IP address range of its current location as its target IP address, binds it to the target domain name assigned to it, and reports the binding to the corresponding service provider's dynamic domain name server, so the target IP address corresponding to that device's target domain name has changed. To handle this situation, when the home gateway in this embodiment sends the target domain names in the domain name white list to the domain name server (the operator domain name server) for resolution, it sends them by polling, that is, it sends each target domain name to the domain name server for resolution once per preset time interval, and the domain name server resolves them afresh every time it receives them. The gateway can thus adjust to location changes of the access devices in time, which further improves the accuracy, reliability and timeliness of access control.
It should be understood that the specific value of the preset time interval in this embodiment can be set flexibly according to the minimum time needed to travel between regions or other factors. When the most precise control is sought, the interval can be expressed in seconds or minutes, for example 10 seconds or 1 minute. To balance resource utilization against control precision, the interval can be expressed in hours or days, for example 1 hour or 1 day.
In this embodiment, the process by which the home gateway controls access by each IP address that accesses it, according to the currently obtained target IP addresses, includes:
configuring access rules for each obtained target IP address to obtain an IP access list;
controlling access by each IP address that accesses the gateway according to the resulting IP access list.
The access rules in this embodiment include, but are not limited to, settings of the access rights of each target IP address and its corresponding ports. For example, for target IP address A the configured access control rules are shown in Table 1 below:
Table 1
Because the home gateway in this embodiment may obtain target IP addresses by polling the domain name server, it may receive several feedback results for each target domain name. Therefore, in this embodiment, when the home gateway obtains the target IP address corresponding to each target domain name for the first time, it configures access rules for each target IP address in the manner described above. When the home gateway again (meaning every acquisition after the first) receives the target IP address corresponding to each target domain name, it judges whether the target IP address currently corresponding to each target domain name differs from the target IP address obtained last time; if so, it updates the access rule configuration of that domain name's current target IP address; otherwise it keeps the configuration unchanged.
It should be understood that in this embodiment, when the physical location of a legitimate access device changes, the polling mechanism above detects this in time, obtains the device's newest target IP address and updates the rules accordingly. For example, suppose a device is assigned the target domain name A of Table 1 above, and at time t1 its corresponding target IP address is target IP address B. If polling finds at time t2 that the device's target IP address has changed, its access control list is updated as shown in Table 2 below.
Table 2
Once the home gateway has configured the access rule control table, whenever a WAN-side access arrives it judges whether the access's IP address is one of the target IP addresses; if not, the access is refused. If it is, the gateway can further judge whether the content requested by the access (such as the port) is permitted; if so the access is allowed, otherwise it is likewise refused.
It can be seen that, by configuring on the home gateway a domain name white list that is not strongly tied to physical region, this embodiment allows a legitimate access device to update the target IP address corresponding to its assigned target domain name in time as its physical region changes and to pass it to the home gateway. Access security is thus controlled while the access device is no longer restricted by physical region.
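The following simulation, added here and not code from the patent or any gateway product, walks through S101 to S103 together with the Fig. 2 polling, the change detection of the last two paragraphs and the WAN-side IP-then-port check. It assumes a dict standing in for the service provider's dynamic domain name server, a plain resolver function standing in for the operator domain name server, per-domain port sets that are constructed (Table 1 is not reproduced on the page), documentation-range IP addresses, and that an empty resolution result revokes the domain's rule rather than keeping a stale address; the domain forexample.dtdns.com is the one the page uses.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple
import ipaddress

# Constructed stand-in for the service provider's dynamic domain name server:
# target domain -> public IP most recently uploaded by the legitimate access device.
DDNS_REGISTRY: Dict[str, str] = {}


def ddns_report(domain: str, ip: str) -> None:
    """Access device side: bind the current public IP to the assigned target domain (DDNS update)."""
    ipaddress.ip_address(ip)  # reject malformed input before it reaches the registry
    DDNS_REGISTRY[domain] = ip


def resolve(domain: str) -> Optional[str]:
    """Operator DNS side (assumed): resolve a target domain via the DDNS registry.
    None models the 'empty' resolution result the description allows for."""
    return DDNS_REGISTRY.get(domain)


@dataclass
class HomeGateway:
    # Domain name white list: target domain -> ports its holder may reach (ports are constructed).
    whitelist: Dict[str, FrozenSet[int]]
    resolver: Callable[[str], Optional[str]] = resolve
    # Access rule table: target domain -> (target IP from the last poll, permitted ports).
    rules: Dict[str, Tuple[Optional[str], FrozenSet[int]]] = field(default_factory=dict)

    def poll(self) -> List[str]:
        """One polling round (S201-S203): resolve every white-listed domain and
        reconfigure only the rules whose target IP differs from the last result."""
        changed = []
        for domain, ports in self.whitelist.items():
            ip = self.resolver(domain)
            if domain in self.rules and self.rules[domain][0] == ip:
                continue  # unchanged since the last poll: keep the rule as it is
            # Assumption: an empty result (None) revokes the rule instead of keeping a
            # stale address that may since have been reassigned to someone else.
            self.rules[domain] = (ip, ports)
            changed.append(domain)
        return changed

    def check_access(self, src_ip: str, port: int) -> bool:
        """WAN-side decision: source must be a current target IP and the port must be permitted."""
        return any(ip is not None and ip == src_ip and port in ports
                   for ip, ports in self.rules.values())


def walkthrough() -> Dict[str, bool]:
    """Constructed scenario: a maintenance PC holding forexample.dtdns.com moves between two
    public address ranges; the gateway only admits the address its latest poll resolved."""
    gw = HomeGateway(whitelist={"forexample.dtdns.com": frozenset({22, 23, 80})})
    ddns_report("forexample.dtdns.com", "203.0.113.10")  # device at location 1
    gw.poll()
    results = {
        "loc1_ssh": gw.check_access("203.0.113.10", 22),
        "loc1_smtp": gw.check_access("203.0.113.10", 25),  # port not in the rule
        "stranger": gw.check_access("198.51.100.7", 22),    # not a target IP yet
    }
    ddns_report("forexample.dtdns.com", "198.51.100.7")  # device moved and re-registered
    results["loc2_before_poll"] = gw.check_access("198.51.100.7", 22)  # gateway not yet aware
    changed = gw.poll()
    results["loc2_after_poll"] = gw.check_access("198.51.100.7", 22)
    results["loc1_after_poll"] = gw.check_access("203.0.113.10", 22)  # old address revoked
    results["rule_changed"] = changed == ["forexample.dtdns.com"]
    return results


if __name__ == "__main__":
    for name, allowed in walkthrough().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The window between the device's DDNS update and the gateway's next poll (the `loc2_before_poll` case) is exactly what the preset polling interval trades against resource usage; shortening it closes that window, and keying the rule table by domain rather than by address keeps one domain's change from disturbing another's rule.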
Embodiment two:
This embodiment provides a home gateway, shown in Figure 3, which includes:
A list configuration unit 31 for configuring the domain name white list. The list configuration unit 31 can set the domain name white list according to input from the user or maintenance staff, or the manufacturer can set it at the factory; the domain name white list set in this embodiment supports update operations such as deleting, modifying and adding target domain names within it. The domain name white list in this embodiment contains the target domain names that are allowed to access the home gateway, that is, the legitimate domain names, and each configured target domain name is assigned to a legitimate access device. It should be understood that the list configuration unit 31 in this embodiment can be realized by the corresponding human-machine interface and memory of the home gateway.
An address acquisition unit 32 for obtaining, through the domain name server, the target IP address currently corresponding to each target domain name.
When a legitimate access device needs to access the home gateway, it obtains an IP address from the IP address range corresponding to its current location as the target IP address of its target domain name and passes it to the domain name server. A legitimate access device in this embodiment can report its IP address using a dynamic DNS function: it sends the target domain name assigned to it to the service provider's dynamic domain name server, which stores it, and after obtaining its current IP address it sends that address to the same server, which then holds the device's target domain name and the IP address currently corresponding to it (that is, the target IP address). When the dynamic domain name server receives a resolution request from the domain name server (the operator domain name server corresponding to the public network the home gateway is currently connected to), it feeds the corresponding target IP address back to that domain name server, completing the resolution of the target domain name. The domain name server can thus obtain, through domain name resolution, the target domain name currently uploaded by each legitimate access device and its corresponding target IP address. The address acquisition unit 32 in this embodiment can be realized by the communication module of the home gateway together with its processor, which can be a processing chip of any hardware architecture.
Specifically, the address acquisition unit 32 is used to obtain the corresponding operator domain name server for the public network IP address the home gateway is currently connected to, send each target domain name in the domain name white list to that domain name server for resolution, and receive the target IP addresses the domain name server feeds back after currently resolving each target domain name. It is also used, when it detects that the public network IP address the home gateway is connected to has changed, to obtain the new domain name server and send each target domain name to the new domain name server for resolution as above.
Because the physical location of each legitimate access device may change dynamically (for example Guangzhou in the morning and Shenzhen the same afternoon), the IP address used by the legitimate access device changes when its physical location changes. The legitimate access device then obtains an IP address from the IP address range of its current location as its target IP address, binds it to the target domain name assigned to it and reports the binding to the domain name server, so the target IP address corresponding to that device's target domain name has changed. To handle this, when the address acquisition unit 32 in this embodiment sends the target domain names in the domain name white list to the domain name server for resolution, it does so by polling, that is, it sends each target domain name to the domain name server for resolution once per preset time interval, and the domain name server resolves them afresh every time it receives them. It can thus adjust to location changes of the access devices in time, which further improves the accuracy, reliability and timeliness of access control.
An access control unit 33 for performing access control, according to the currently obtained target IP addresses, on the access devices that access the home gateway (each access device may use a different IP address). The access control unit 33 in this embodiment can also be realized by the processor of the home gateway.
The access control unit 33 configures access rules for each obtained target IP address to obtain an IP access control list, and controls access by each IP address that accesses the gateway according to the resulting IP access list. The access rules in this embodiment include, but are not limited to, settings of the access rights of each target IP address and its corresponding ports.
Because the address acquisition unit 32 in this embodiment may obtain target IP addresses by polling the domain name server, the access control unit 33 may receive several feedback results for each target domain name. Therefore, in this embodiment, when the home gateway obtains the target IP address corresponding to each target domain name for the first time, the access control unit 33 configures access rules for each target IP address in the manner described above. When the access control unit 33 again (meaning every acquisition after the first) receives the target IP address corresponding to each target domain name, it judges whether the target IP address currently corresponding to each target domain name differs from the one obtained last time; if so, it updates the access rule configuration of that domain name's current target IP address; otherwise it keeps the configuration unchanged.
Once the access control unit 33 has configured the access rule control table, whenever a WAN-side access arrives it judges whether the access's IP address is one of the target IP addresses; if not, the access is refused. If it is, it can further judge whether the content requested by the access (such as the port) is permitted; if so the access is allowed, otherwise it is likewise refused.
It can be seen that the home gateway of this embodiment is configured with a domain name white list that is not strongly tied to physical region, allowing a legitimate access device to update the target IP address corresponding to its assigned target domain name in time as its physical region changes and pass it to the home gateway. Access security is controlled, and the access device is not restricted by physical region.
It should be understood that each module or step of the embodiments of the present invention can be realized by a general-purpose computing device; they can be concentrated on a single computing device or distributed over a network formed by several computing devices; optionally, they can be realized as program code executable by a computing device, so that they can be stored in a storage medium (ROM/RAM, magnetic disk, optical disc) and executed by the computing device; in some cases the steps shown or described can be performed in an order different from that given here; and they can be made into individual integrated circuit modules, or several of the modules or steps can be made into a single integrated circuit module. The embodiments of the invention are thus not restricted to any specific combination of hardware and software.
Embodiment three:
As shown in Figure 4, this embodiment provides a home gateway including a processor 41 and a memory 42; the memory stores various modules, including software modules. The processor 41 is used to control at least one module in the memory 42 to perform the following process:
configure a domain name white list, the domain name white list containing the target domain names that are allowed to access the home gateway, the target domain names being assigned to legitimate access devices;
obtain, through the domain name server, the target IP address currently corresponding to each target domain name, the domain name server storing the target domain name and corresponding target IP address currently uploaded by each legitimate access device;
perform access control on each access device that accesses the home gateway according to the currently obtained target IP addresses.
The specific manner in which the processor 41 controls the memory 42 to realize the above steps is as shown in embodiment one and is not repeated here.
Embodiment four:
This embodiment provides a communication system, as shown in Figure 5, comprising a home gateway 51, a name server 52, a legitimate access device 53 and a user equipment 54; the legitimate access device 53 may be any of various maintenance devices.
The home gateway 51 is used to perform domain name whitelist configuration; the configured domain name whitelist includes the target domain names that are allowed to access the home gateway, and these target domain names are assigned to the legitimate access device 53. The home gateway 51 sends each target domain name to the name server 52 and obtains the target IP address currently corresponding to each target domain name.
The name server 52 is used to receive each target domain name sent by the home gateway 51, resolve each target domain name to obtain the corresponding target IP address, and feed it back to the home gateway.
The user equipment 54 can establish a communication connection with the home gateway 51 via LAN, WLAN or similar means, and completes data interaction with the public network through the home gateway 51.
To better understand the scheme of the embodiments of the present invention, the embodiments are further illustrated below taking a maintenance PC as the legitimate access device. Referring specifically to Fig. 6, the process includes:
S601: The home gateway starts normally and first forbids all access from the WAN side, then completes the domain name whitelist configuration, for example configuring the target domain name forexample.dtdns.com in the domain name whitelist. The target domain name is distributed to the maintenance PC, and the preset polling interval is set.
S602: The home gateway connects to the public network, obtaining a public network IP address and the name server of the corresponding operator; for example, assume it obtains the public network IP address 111.111.111.111 and the name server 8.8.8.8.
S603: At the preset time interval, the home gateway sends each target domain name in the domain name whitelist to the name server for resolution to obtain the target IP address; for example, it sends the target domain name forexample.dtdns.com to the name server (8.8.8.8) for resolution. The name server then queries the target IP address corresponding to forexample.dtdns.com from the corresponding service provider's dynamic domain name server; the query result may be empty, or it may be a valid IP address.
S604: A target IP address obtained by resolution is treated as an IP address that is allowed access and is added to the whitelist IP list, and the access rule for each target IP address is set in the access control rule table.
S605: When an access request arrives on the WAN side, if the IP address of the access device is a target IP address in the whitelist IP list, the access is allowed and is controlled according to its access rule.
S606: When the public network IP address by which the home gateway connects to the Internet changes, the name server of the new operator is obtained and the process returns to S603.
S607: After the maintenance PC changes its physical location, it obtains an IP address in the current region's IP address range, binds it as the new target IP address to the target domain name (for example forexample.dtdns.com), and passes the binding to the name server through the service provider's dynamic domain name server.
S608: At the set time interval the home gateway periodically sends the target domain name to the name server; the name server completes one resolution each time it receives a target domain name, and when it finds during resolution that the target IP address corresponding to the maintenance PC's target domain name has changed, it feeds the change back to the home gateway.
S609: The home gateway updates the target IP address corresponding to the target domain name to the new target IP address and correspondingly completes the configuration update of the access rule. Thus, when the maintenance PC's IP address (the maintenance PC's public network IP address) changes because of a change of location, it can still access the home gateway normally. Therefore the access control scheme provided by the embodiments of the present invention solves the problem that existing IP address whitelist control limits the physical location of the access device. Especially when applied in the maintenance field, it improves the promptness, convenience and flexibility of maintenance and raises user satisfaction.
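As an added illustration (not code from the patent), the following Python models the S601-S609 flow on the gateway side: a constructed in-memory dynamic DNS stand-in replaces the operator name server, forexample.dtdns.com is the target domain name from the page, and the IP addresses, ports and class names are assumptions. It also covers the empty or malformed resolution result mentioned in S603, which admits no address, and the revocation of the stale address when the binding changes in S609.

```python
import ipaddress
from typing import Dict, Optional, Set


class DynDnsServer:
    """Constructed stand-in for the operator name server backed by the provider's dynamic DNS."""
    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def bind(self, domain: str, ip: str) -> None:
        self.records[domain] = ip           # S607: access device uploads domain -> current IP

    def resolve(self, domain: str) -> Optional[str]:
        return self.records.get(domain)     # None models an empty query result


class GatewayAcl:
    """Home-gateway access control driven by a domain name whitelist (S601-S609)."""
    def __init__(self, whitelist, ports, dns: DynDnsServer) -> None:
        self.whitelist = list(whitelist)    # S601: target domain names
        self.ports: Set[int] = set(ports)   # access rule: ports a target IP may reach
        self.dns = dns                      # S602: name server of the current operator
        self.ip_list: Dict[str, str] = {}   # S604: whitelist IP list, target IP -> domain
        self.rules: Dict[str, Set[int]] = {}  # S604: access control rule table

    def poll(self) -> list:
        """S603/S608: resolve each whitelisted domain; return (domain, old_ip, new_ip) changes."""
        changes = []
        for domain in self.whitelist:
            answer = self.dns.resolve(domain)
            try:                            # S603: empty or malformed answer admits nothing
                new_ip = str(ipaddress.ip_address(answer)) if answer else None
            except ValueError:
                new_ip = None
            old_ip = next((ip for ip, d in self.ip_list.items() if d == domain), None)
            if new_ip == old_ip:
                continue                    # unchanged: rule table stays as is
            if old_ip is not None:          # S609: revoke the stale address first
                del self.ip_list[old_ip], self.rules[old_ip]
            if new_ip is not None:
                self.ip_list[new_ip] = domain
                self.rules[new_ip] = set(self.ports)
            changes.append((domain, old_ip, new_ip))
        return changes

    def is_allowed(self, src_ip: str, dst_port: int) -> bool:
        # S605: the WAN side is default-deny; allow only a target IP on a permitted port
        return src_ip in self.ip_list and dst_port in self.rules[src_ip]


def demo():
    """Walk the S601-S609 sequence with constructed addresses (RFC 5737 ranges)."""
    dns = DynDnsServer()
    gw = GatewayAcl(["forexample.dtdns.com"], [22, 443], dns)
    gw.poll()                                            # S603: query result still empty
    before = gw.is_allowed("198.51.100.10", 22)          # False: nothing admitted yet
    dns.bind("forexample.dtdns.com", "198.51.100.10")    # maintenance PC on site A
    gw.poll()                                            # S604: rule installed
    at_a = gw.is_allowed("198.51.100.10", 22)            # True
    dns.bind("forexample.dtdns.com", "203.0.113.7")      # S607: PC moves to site B
    changes = gw.poll()                                  # S608/S609: rule updated
    stale = gw.is_allowed("198.51.100.10", 22)           # False: old address revoked
    return before, at_a, stale, changes
```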
The above is a further description of the embodiments of the present invention in combination with specific implementations, and the specific implementation of the invention is not to be regarded as limited to these illustrations. For a person of ordinary skill in the technical field of the invention, some simple deductions or substitutions may also be made without departing from the inventive concept, and these should all be considered as falling within the protection scope of the present invention.
Claims (10)
1. An access control method, comprising:
receiving a domain name whitelist configuration, the domain name whitelist including a target domain name that is allowed to access the home gateway, the target domain name being assigned to a legitimate access device;
obtaining, through a name server, the target IP address currently corresponding to the target domain name, the name server storing the target domain name and the corresponding target IP address currently uploaded by the legitimate access device;
performing access control on access devices accessing the home gateway according to the currently obtained target IP address.
2. The access control method of claim 1, wherein obtaining, through a name server, the target IP address currently corresponding to the target domain name comprises:
after connecting to a public network IP address, obtaining the corresponding name server;
sending the target domain name to the name server for domain name resolution;
receiving the target IP address fed back by the name server after it currently resolves the target domain name.
3. The access control method of claim 2, wherein obtaining, through a name server, the target IP address currently corresponding to the target domain name further comprises:
when a change of the currently connected public network IP address is detected, obtaining the corresponding new name server, and sending the target domain name to the new name server for domain name resolution.
4. The access control method of claim 2 or claim 3, wherein sending the target domain name to the name server for domain name resolution comprises:
sending the target domain name to the name server for resolution at a preset time interval.
5. The access control method of claim 4, wherein performing access control on each IP address accessing the home gateway according to the currently obtained target IP address comprises:
when the target IP address corresponding to each target domain name is obtained for the first time, performing access rule configuration on each obtained target IP address to obtain an IP access list, the access rule including the settings of the access rights and corresponding ports of each target IP address;
performing access control on each IP address accessing the home gateway according to the IP access list.
6. The access control method of claim 5, wherein performing access control on each IP address accessing the home gateway according to the currently obtained target IP address further comprises:
when the target IP address corresponding to each target domain name is obtained again, judging whether the target IP address currently corresponding to each target domain name is identical to the target IP address obtained the previous time;
when the judgment result is no, updating the configuration of the access rule of the target IP address currently corresponding to that target domain name.
7. A home gateway, comprising:
a list configuration unit, for receiving a domain name whitelist configuration, the domain name whitelist including a target domain name that is allowed to access the home gateway, the target domain name being assigned to a legitimate access device;
an address acquisition unit, for obtaining, through a name server, the target IP address currently corresponding to the target domain name, the name server storing the target domain name and the corresponding target IP address currently uploaded by the legitimate access device;
an access control unit, for performing access control on access devices accessing the home gateway according to the currently obtained target IP address.
8. The home gateway of claim 7, wherein the address acquisition unit, after the home gateway connects to a public network IP address, obtains the corresponding name server, sends the target domain name to the name server for domain name resolution, and receives the target IP address fed back by the name server after it currently resolves each target domain name.
9. The home gateway of claim 8, wherein the address acquisition unit is further configured to, when detecting a change of the public network IP address to which the home gateway is currently connected, reacquire the corresponding new name server and send the target domain name to the new name server for domain name resolution.
10. The home gateway of claim 8 or 9, wherein the address acquisition unit sending the target domain name to the name server for domain name resolution comprises: sending the target domain name to the name server for resolution at a preset time interval.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610387240.0A CN107454051A (en) | 2016-06-01 | 2016-06-01 | Access control method and home gateway |
PCT/CN2017/084310 WO2017206701A1 (en) | 2016-06-01 | 2017-05-15 | Access control method and home gateway |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610387240.0A CN107454051A (en) | 2016-06-01 | 2016-06-01 | Access control method and home gateway |
Publications (1)
Publication Number | Publication Date |
---|---|
CN107454051A true CN107454051A (en) | 2017-12-08 |
Family
ID=60479719
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610387240.0A Withdrawn CN107454051A (en) | 2016-06-01 | 2016-06-01 | Access control method and home gateway |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN107454051A (en) |
WO (1) | WO2017206701A1 (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111131538A (en) * | 2019-12-20 | 2020-05-08 | 国久大数据有限公司 | Access control method and access control system |
CN112073439A (en) * | 2020-10-13 | 2020-12-11 | 中国联合网络通信集团有限公司 | Secure Internet access control method, gateway equipment and storage medium |
CN114650216A (en) * | 2022-03-22 | 2022-06-21 | 阿里云计算有限公司 | Safety protection method and device |
CN115396398A (en) * | 2022-07-29 | 2022-11-25 | 中国电信股份有限公司 | Derived domain name access method, system, device, storage medium and program product |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112995046B (en) * | 2019-12-12 | 2023-05-26 | 上海云盾信息技术有限公司 | Content distribution network traffic management method and device |
CN113992414A (en) * | 2021-10-28 | 2022-01-28 | 马上消费金融股份有限公司 | Data access method, device and equipment |
CN114157555B (en) * | 2021-11-12 | 2023-05-26 | 杭州迪普科技股份有限公司 | Access information synchronization method |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060167871A1 (en) * | 2004-12-17 | 2006-07-27 | James Lee Sorenson | Method and system for blocking specific network resources |
CN101702724A (en) * | 2009-11-02 | 2010-05-05 | 中国农业大学 | Safe control method and device of network access |
CN102571956A (en) * | 2012-01-09 | 2012-07-11 | 华为技术有限公司 | Correlation identification table updating method, correlation identification method, device and system |
CN103546434A (en) * | 2012-07-13 | 2014-01-29 | 中国电信股份有限公司 | Network access control method, device and system |
CN104506525A (en) * | 2014-12-22 | 2015-04-08 | 北京奇虎科技有限公司 | Method for preventing malicious grabbing and protection device |
- 2016-06-01: CN application CN201610387240.0A (publication CN107454051A), status: Withdrawn
- 2017-05-15: WO application PCT/CN2017/084310 (publication WO2017206701A1), status: Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2017206701A1 (en) | 2017-12-07 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | PB01 | Publication | |
 | SE01 | Entry into force of request for substantive examination | |
 | WW01 | Invention patent application withdrawn after publication | Application publication date: 20171208 |