CN1204719C - Method for realizing domain name system address convertion applied gateway based on inner server - Google Patents

Info

Publication number: CN1204719C
Authority: CN (China)
Application number: CN 02121267
Other versions: CN1466343A
Other languages: Chinese (zh)
Inventors: 王宁, 赵朝阳
Original and current assignee: Huawei Technologies Co Ltd
Legal status: Expired - Lifetime

Abstract

The present invention relates to a method for implementing a domain name system address translation application gateway (DNS ALG) based on an internal server. The method comprises the following steps: first, the relevant information of the internal servers in the network is configured on the DNS ALG; when the DNS ALG receives a query message, it judges, according to the configured internal server information and the information in the query message, whether the network-internal device queried by the message is an internal host; if so, the query message is discarded, otherwise the DNS ALG processes the query message accordingly. The present invention guarantees the security of internal hosts that provide no service to the outside and effectively prevents them from being attacked from outside, without affecting the internal servers' provision of service to the outside; in addition, the present invention guarantees that internal hosts can access each other by domain name without being affected by the DNS ALG.

Description

Implementation method of a domain name system address translation application gateway based on an internal server
Technical field
The present invention relates to network communication technology, and in particular to an implementation method for a domain name system address translation application gateway (DNS ALG) based on an internal server.
Background technology
A domain name system address translation application gateway (DNS ALG) converts a mapping from a domain name to an internal private address into a mapping from that domain name to an external public address, or converts a mapping from a domain name to an external public address into a mapping from that domain name to an internal private address, so that the domain name of an internal host corresponds to the correct Internet Protocol (IP) address in both the private domain and the public domain.
Referring to the network environment shown in Figure 1, each internal host (Host A, Host B, Host C) has an internal private address and a domain name that is unique across the whole network. The internal private address may be statically configured or dynamically obtained; the external public address used when an internal host communicates with the external network is obtained dynamically from the network address translation (NAT) router. If a host on the external network is to access an internal host by its domain name, a domain name system (DNS) server must be set up on the internal network; each internal host registers its domain name and private IP address with the internal DNS server, which at the same time lets internal hosts access each other by domain name.
When an external host on the Outside of the network accesses an internal host on the Inside, the DNS ALG on the NAT router processes the query message and, together with the DNS server, maps the private IP address of the internal host to a public IP address, so that the external host can access the internal host. When an external host wishes to initiate a session with an internal host, it can obtain the IP address of that host through a DNS server query request. If the DNS server of the external host does not hold the domain name of the internal host, the query request is at some point directed to the DNS server in the private network where the internal host resides; the DNS ALG intercepts this query message and handles it as follows:
(1) A query request that asks for a host's private IP address by its domain name, i.e. an A query request, is left untouched and forwarded directly to the DNS server;
(2) For a query request that asks for a host's domain name by its public IP address, i.e. a pointer (PTR) query request, the public IP address of the queried party in the request message is replaced with the corresponding private IP address; if no mapping from that private address to a public address has yet been established, the request is forwarded directly to the DNS server.
The DNS ALG likewise intercepts response messages sent by the internal DNS server and handles them as follows:
(1) For the response to an A query request, the private IP address corresponding to the queried domain name in the payload of the response sent by the DNS server is replaced with a public address; this public address is allocated by the NAT router, and if no legal public IP address has yet been assigned to that private IP address, one is created at this time;
(2) For the response to a PTR query request, the private IP address of the queried party in the response message is replaced with the corresponding public IP address of the queried party. If the mapping binding between that private address and the public address has already been deleted because of a timeout, the DNS ALG forwards the message as it is.
From the description of the prior art above it can be seen that, although the existing DNS ALG allows an internal server of the network to be accessed easily by external hosts, the existing DNS ALG implementation also creates a security risk for the hosts inside the network. For an internal host such as Host A, any external host such as Host D that knows the domain name or IP address of that internal host can actively access it over the Internet; yet under normal circumstances most internal hosts provide no service to the outside and should be "invisible" to it. Placing internal hosts indirectly on the public network through the DNS ALG is without doubt extremely dangerous, since they may be attacked from outside at any time.
Summary of the invention
The purpose of the present invention is to provide an implementation method for a domain name system address translation application gateway based on an internal server, so that external hosts can access only the corresponding internal servers, and the security of internal hosts that provide no service to the outside is thereby guaranteed.
The object of the present invention is achieved as follows. The implementation method for a domain name address translation application gateway based on an internal server comprises:
(1) configuring the information of the internal servers in the network on the domain name system address translation application gateway;
(2) the domain name system address translation application gateway receiving a query message;
(3) obtaining the information carried in the received query message;
(4) replacing the private network address in the query message with a public network address according to the configured internal server information and the information in the query message;
(5) forwarding the query message.
The configured information of the internal servers in the network comprises: the domain name information of each internal server, and the internal and external IP address information of each internal server.
The query message comprises: a query request message asking for the Internet Protocol (IP) address of a host in the network by its domain name, i.e. an A-type query request message, and a pointer (PTR) query request message asking for a host's domain name by its IP address.
The query message comprises: the response message to a query request asking for the IP address of a host in the network by its domain name, i.e. an A-type query response message, and a PTR query response message answering a query for a host's domain name by its IP address.
Step (4) comprises:
(51) judging whether the query request message is an A-type query request message or a PTR query request message; if it is an A-type query request message, executing step (5), otherwise executing step (52);
(52) judging whether an internal server corresponding to the public IP address in the PTR query request message exists; if so, executing step (53), otherwise executing step (5);
(53) replacing the public IP address in the PTR query request message with the private IP address of that internal server.
Step (4) comprises:
(61) judging whether the query response message is an A-type query response message or a PTR query response message; if it is an A-type query response message, executing step (62); if it is a PTR query response message, executing step (63);
(62) judging whether the IP address returned in the A-type query response message is the private IP address of an internal server; if so, executing step (65), otherwise executing step (5);
(63) judging whether an internal server corresponding to the private IP address in the PTR query response message exists; if so, executing step (64), otherwise executing step (5);
(64) replacing the private IP address of the internal server in the PTR query response message with the corresponding public IP address, and executing step (5);
(65) replacing the private IP address in the A-type query response message with the public IP address.
From the technical solution provided by the present invention it can be seen that, by improving the DNS ALG of the prior art, access from external hosts to the internal network is limited to the internal servers that provide service to the outside, while other internal hosts are not placed on the public network, so that external hosts cannot actively initiate sessions with those internal hosts; this guarantees the security of internal hosts that provide no service to the outside and effectively prevents them from being attacked from outside. At the same time, the DNS ALG allows external hosts to query internal servers, so the provision of service to the outside by internal servers is not affected. The technical solution provided by the present invention effectively restricts external hosts from obtaining the IP addresses of internal hosts by domain name, preventing external hosts from actively accessing internal hosts, while still guaranteeing that internal hosts can access each other by domain name without being affected by the DNS ALG.
Description of drawings
Fig. 1 is a schematic diagram of the application environment of an internal server in a network;
Fig. 2 is a schematic diagram of the DNS ALG processing a query message;
Fig. 3 is a flow chart of an embodiment of the present invention.
Embodiment
The present invention applies to the network environment shown in Figure 1, in which the internal network contains internal hosts that provide no service to the outside and internal servers that do. The internal hosts are required to be transparent (invisible) to external hosts, i.e. an external host must not be able to actively access an internal host by its domain name or IP address; at the same time, the internal servers must still provide service to the outside, i.e. an external host must be able to access an internal server by its domain name or corresponding IP address.
In this network environment, referring to Fig. 2, the DNS ALG is responsible for processing the query messages received by the network address translation (NAT) module, and the information the DNS ALG needs in order to process a query message is supplied by the NAT module; the DNS ALG then returns the processed query message to the NAT module, which forwards it. A specific embodiment of the implementation method for a domain name system address translation application gateway based on an internal server according to the present invention is described below with reference to the drawings, referring to Fig. 3:
Step 1: first, on the network address translation router (NAT Router), configure on the domain name address translation application gateway the relevant information of the internal servers in the network; the relevant information comprises the domain name information of each internal server and its internal and external IP address information, and is used to judge whether a query request message sent by an external host, and the corresponding query response message, queries an internal host or an internal server;
Step 2: the domain name address translation application gateway receives a query message from the NAT module, and executes step 3;
A query message is either a query request message or a query response message;
Query request messages comprise: a query request asking for a host's IP address by its domain name, i.e. an A-type query request message; and a pointer (PTR) query request message asking for a host's domain name by its IP address;
Query response messages comprise: A-type query response messages and PTR query response messages;
Step 3: judge whether the received query message is a query request message or a query response message; if it is a query request message, execute step 4, otherwise execute step 7;
Step 4: judge whether the query request message is a PTR query request message or an A-type query request message; if it is a PTR query request message, execute step 5; if it is an A-type query request message, execute step 12;
Step 5: judge whether the IP address queried in the PTR query request message is the public IP address of an internal server, i.e. judge, according to the configured internal server information, whether an internal server corresponding to the public IP address in the PTR query request message exists; if so, execute step 6, otherwise execute step 12;
Step 6: replace the public IP address in the query request message with the private IP address of that internal server, and execute step 12;
Step 7: judge whether the query response message is an A-type query response message or a PTR query response message; if it is a PTR query response message, execute step 8; if it is an A-type query response message, execute step 10;
Step 8: judge whether an internal server corresponding to the private IP address in the PTR query response message exists; if so, execute step 9, otherwise execute step 12;
Step 9: replace the private IP address of the internal server in the query response message with its public IP address, and execute step 12;
Step 10: according to the configured internal server information and the information in the query response message, i.e. according to the domain name information and private IP address information carried in the A-type query response message, combined with the internal server information configured on the NAT router, judge whether the network-internal device queried by this A-type query response is an internal server; that is, judge whether the IP address returned in the A-type query response message is the private IP address of an internal server; if so, execute step 11, otherwise execute step 12;
Step 11: the domain name address translation application gateway replaces the private IP address of the internal server in the A-type query response message with the configured public IP address of that internal server, and executes step 12;
Step 12: return the message to the NAT module, which forwards it.
The specific technical solution of the present invention described above achieves the purpose of the invention. It guarantees that external hosts cannot actively access internal hosts by their domain name or IP address, while the DNS ALG still allows queries from external hosts for internal servers to proceed normally, so that the provision of service to the outside by the internal servers in the internal network is not affected.
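The decision logic of Steps 3 to 12 above (the same logic as steps (51)-(53) and (61)-(65) in the summary), written out as an added Python example. This is illustrative code, not the patent's or Huawei's implementation; the `DnsMessage` structure, the class and function names, and the sample domain names and addresses are assumptions constructed for the example.

```python
"""Added example: internal-server-aware DNS ALG decision logic (Steps 3-12).
Not code from the patent; message layout and all names are assumptions."""
from dataclasses import dataclass, replace
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class InternalServer:
    """Step 1: information configured on the NAT router for one internal server."""
    domain: str
    private_ip: str
    public_ip: str


@dataclass(frozen=True)
class DnsMessage:
    """Minimal view of a DNS message as the ALG sees it (an assumed layout).
    For A messages qname is the domain and rdata the answered IP; for PTR
    messages qname is the queried IP and rdata the answered domain."""
    is_response: bool
    qtype: str                 # "A" or "PTR"
    qname: str
    rdata: Optional[str] = None


class InternalServerDnsAlg:
    def __init__(self, servers: Iterable[InternalServer]) -> None:
        self.by_public: Dict[str, InternalServer] = {s.public_ip: s for s in servers}
        self.by_private: Dict[str, InternalServer] = {
            s.private_ip: s for s in self.by_public.values()}

    def process(self, msg: DnsMessage) -> DnsMessage:
        """Steps 2/3: dispatch a message handed over by the NAT module; the
        returned message is what Step 12 gives back to the NAT module."""
        return self._response(msg) if msg.is_response else self._request(msg)

    def _request(self, msg: DnsMessage) -> DnsMessage:
        # Step 4: A requests are forwarded untouched.  Steps 5/6: a PTR request
        # for a public IP is rewritten to the private IP only when that public
        # IP belongs to a configured internal server; any other public IP is
        # left as is, so the internal DNS server cannot resolve it.
        if msg.qtype == "PTR":
            srv = self.by_public.get(msg.qname)
            if srv is not None:
                return replace(msg, qname=srv.private_ip)
        return msg

    def _response(self, msg: DnsMessage) -> DnsMessage:
        if msg.qtype == "PTR":
            # Steps 8/9: restore the public IP of a configured internal server.
            srv = self.by_private.get(msg.qname)
            return replace(msg, qname=srv.public_ip) if srv is not None else msg
        # Steps 10/11: an A response is translated only when the answered private
        # IP and the queried domain belong to a configured internal server; an
        # answer for any other internal host passes through untranslated, so no
        # public mapping is ever created for it and it stays unreachable.
        srv = self.by_private.get(msg.rdata or "")
        if srv is not None and srv.domain == msg.qname:
            return replace(msg, rdata=srv.public_ip)
        return msg


def run_scenario() -> Dict[str, DnsMessage]:
    """Constructed sample traffic: one configured internal server (www) and one
    ordinary internal host (hosta) that must stay invisible to the outside."""
    alg = InternalServerDnsAlg([
        InternalServer("www.example.internal", "10.0.0.5", "203.0.113.5"),
    ])
    return {
        "a_resp_server": alg.process(DnsMessage(True, "A", "www.example.internal", "10.0.0.5")),
        "a_resp_host": alg.process(DnsMessage(True, "A", "hosta.example.internal", "10.0.0.7")),
        "ptr_req_server": alg.process(DnsMessage(False, "PTR", "203.0.113.5")),
        "ptr_req_other": alg.process(DnsMessage(False, "PTR", "203.0.113.7")),
        "ptr_resp_server": alg.process(DnsMessage(True, "PTR", "10.0.0.5", "www.example.internal")),
    }
```

Only the configured server's addresses are translated in either direction; the ordinary host's A answer keeps its private address and a PTR request for an unconfigured public address is passed on unchanged.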

Claims (6)

1. An implementation method for a domain name address translation application gateway based on an internal server, comprising:
(1) configuring the information of the internal servers in the network on the domain name system address translation application gateway;
(2) the domain name system address translation application gateway receiving a query message;
(3) obtaining the information carried in the received query message;
(4) replacing the private network address in the query message with a public network address according to the configured internal server information and the information in the query message;
(5) forwarding the query message.
2. The implementation method for a domain name address translation application gateway based on an internal server according to claim 1, characterized in that the configured information of the internal servers in the network comprises: the domain name information of each internal server, and the internal and external IP address information of each internal server.
3. The implementation method for a domain name address translation application gateway based on an internal server according to claim 1, characterized in that the query message comprises: a query request message asking for the Internet Protocol (IP) address of a host in the network by its domain name, i.e. an A-type query request message, and a pointer (PTR) query request message asking for a host's domain name by its IP address.
4. The implementation method for a domain name system address translation application gateway based on an internal server according to claim 1, characterized in that the query message comprises: the response message to a query request asking for the Internet Protocol (IP) address of a host in the network by its domain name, i.e. an A-type query response message, and a PTR query response message answering a query for a host's domain name by its IP address.
5. The implementation method for a domain name system address translation application gateway based on an internal server according to claim 3, characterized in that step (4) comprises:
(51) judging whether the query request message is an A-type query request message or a PTR query request message; if it is an A-type query request message, executing step (5), otherwise executing step (52);
(52) judging whether an internal server corresponding to the public IP address in the PTR query request message exists; if so, executing step (53), otherwise executing step (5);
(53) replacing the public IP address in the PTR query request message with the private IP address of that internal server.
6. The implementation method for a domain name system address translation application gateway based on an internal server according to claim 4, characterized in that step (4) comprises:
(61) judging whether the query response message is an A-type query response message or a PTR query response message; if it is an A-type query response message, executing step (62); if it is a PTR query response message, executing step (63);
(62) judging whether the IP address returned in the A-type query response message is the private IP address of an internal server; if so, executing step (65), otherwise executing step (5);
(63) judging whether an internal server corresponding to the private IP address in the PTR query response message exists; if so, executing step (64), otherwise executing step (5);
(64) replacing the private IP address of the internal server in the PTR query response message with the corresponding public IP address, and executing step (5);
(65) replacing the private IP address in the A-type query response message with the public IP address.

Publications

Application CN 02121267: priority date 2002-06-12, filing date 2002-06-12, status Expired - Lifetime.
CN1466343A published 2004-01-07; CN1204719C (granted) published 2005-06-01.
Family ID: 34142156; country status: CN.


Legal Events

C06 / PB01: Publication
C10 / SE01: Entry into substantive examination (entry into force of the request for substantive examination)
C14 / GR01: Grant of patent or utility model (granted publication date: 2005-06-01)
CX01: Expiry of patent term