JP2002171286A - Network system and internet communication management method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network system which easily controls the communication destination of a client. SOLUTION: A client 11 transmits a transmission destination mail address 'xyz jepr.co.jp' to a mail server 21 to inquire of a DNS server 31 the IP address of a transmission destination mail server 53. The DNS server 31 accesses a transmission destination DNS server 52 to acquire the IP address of the mail server 53 and returns it to the mail server 21. The mail server 21 adds a zone name '.junior.' of the client to this IP address and inquires of the DNS server 31 whether it has been registered in a DB file of a DNS server 41 or not. The DNS server 31 inquires of the DNS server 41, and the DNS server 41 permits the mail server 21 to transmit a mail through the DNS server 31 when discriminating that it has been registered.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a system for performing information communication using the Internet.

[0002]

2. Description of the Related Art Conventionally, as a method of limiting communication partners on the Internet, there is a firewall system as shown in FIG.

In this system, a firewall server 104 is provided between the Internet and an internal network to monitor all communication requests from clients 101 to 103, a mail server 105, and a proxy server 106 on the internal network. In the firewall server 104, "information for determining whether communication is permitted / not permitted" is registered in advance for a communication request.

[0004] For example, when the client 101 tries to communicate with the WWW server 107 via the proxy server 106, the firewall server 104 detects this and performs the above-mentioned " Based on the “information”, the permission / prohibition of the communication is determined.

Similarly, when the client 102 attempts to communicate with the mail server 108 via the mail server 105, the firewall server 104 detects this and determines whether or not to allow the communication.

If such a system is adopted, the communication partners of the clients 101 to 103 can be limited.

[0007]

However, the above-described method includes information for determining permission / non-permission of communication and software for determining permission / non-permission of communication based on the information. It is necessary to construct a network provided with the proxy server 104, which is very troublesome.

The above-mentioned firewall server 10
In order to limit the communication partner in step 4, it is necessary to incorporate a mechanism that allows or disallows communication for each communication protocol (for example, HTTP for a WWW server and SMTP for e-mail). This is not only very cumbersome, but also incapable of dealing with newly developed protocols in the future.

Therefore, by solving such a problem,
An object of the present invention is to provide a network system for easily and efficiently regulating a communication partner of a client.

[0010]

[Means for Solving the Problems and Effects of the Invention] (1)
A network system according to the present invention includes a terminal device connectable to the Internet, a communication relay device communicably connected to the terminal device, and a communication device communicably connected to the communication relay device. A destination search system including one or more destination search devices including an address table in which an IP address is recorded, wherein at least one of the destination search devices in the destination search system includes A communication information search device including a communication information table in which communication information is recorded in association with determination information, wherein the terminal device transmits a domain name to the communication relay device, wherein the communication relay device Transmitting the domain name received from the device to the destination search system,
Based on the address table, perform an IP address conversion process of converting a domain name received from the communication relay device into an IP address, and transmit the IP address to the communication relay device, wherein the communication relay device Generating the determination information based on the IP address received from the search system and transmitting the determination information to the destination search system, wherein the destination search system stores the determination information received from the communication relay device in the communication information table; If the information is recorded, a communication information conversion process for converting the determination information into the communication information is performed, and the communication information is transmitted to the communication relay device.

(2) The network system according to the present invention includes a terminal device that can be connected to the Internet, and an address table that is communicably connected to the terminal device and records an IP address in association with a domain name. And a destination search system including one or more destination search devices, wherein at least one of the destination search devices in the destination search system has communication information recorded in association with determination information in the address table. A communication information search device including a communication information table, wherein the terminal device transmits a domain name to the destination search system, and the destination search system receives from the terminal device based on the address table. Domain name to IP
Performing an IP address conversion process of converting the IP address into an address, transmitting the IP address to the terminal device, the terminal device generating the determination information based on the IP address received from the destination search system, and To the destination search system, and the destination search system converts the determination information into the communication information if the determination information received from the terminal device is recorded in the communication information table. The communication information is transmitted to the terminal device by performing a conversion process.

Therefore, if, for example, an existing DNS (Domain Name System) server is adopted as the destination search device and the determination information and the IP address for which communication is permitted as communication information are recorded in the address table, the terminal device can be used. In addition, the communication partner of the communication relay device can be restricted. Also, by recording an uncommunicable IP address as communication information in the address table, it is possible to regulate a communication partner such as a terminal device.

(6) In the network system according to the present invention, the communication information search device includes a communication information table that records determination information or communication information on a terminal device or a communication relay device in a plurality of internal networks. It is characterized by.

(7) The network system according to the present invention is characterized in that the communication information search device acquires the determination information from the destination search device and performs the communication information conversion process.

[0015] Therefore, the system administrator can collectively regulate communication destinations such as terminal devices in a plurality of internal networks by operating communication information and the like in the communication information table.

(8) In the network system of the present invention, the communication information includes an IP address permitting communication, and the communication relay device or the terminal
The communication is performed based on the P address.

(9) The network system according to the present invention is characterized in that the communication information includes an uncommunicable IP address.

Therefore, the system administrator can restrict the communication of the communication relay device or the like by recording the IP address or the like permitted to communicate in the communication information table.

(10) The network system according to the present invention is characterized in that the communication information includes text information, and the communication relay device or the terminal device presents the text information to an operator.

Therefore, by browsing the text information, the operator can obtain information on the communication information such as the fact that the communication is restricted and the period during which the communication is restricted.

(11) In the network system of the present invention, the destination search system, when the determination information is not recorded in the communication information table, transmits communication disable information to the communication relay device or the terminal device; The communication relay device or the terminal device does not perform communication when receiving the communication disable information.

Therefore, the system administrator can restrict communication destinations such as terminal devices that generate the determination information by not recording the determination information in the communication information table.

(12) The network system according to the present invention is characterized in that the communication relay device or the terminal device generates the determination information based on information of the terminal device.

Therefore, it is possible to regulate the communication partner for each terminal device.

(13) The network system according to the present invention is characterized in that the communication relay device or the terminal device generates the determination information based on user information.

Therefore, it is possible to regulate the communication destination of the terminal device for each user.

(14) In the network system of the present invention, the communication relay device or the terminal device may generate the determination information by adding predetermined information to an IP address received from the destination search system. Features.

Therefore, the communication relay device or the like can easily generate the determination information.

(15) The network system of the present invention includes a terminal device that can be connected to the Internet, and an address table that is communicably connected to the terminal device and records an IP address in association with a domain name. And a communication relay device communicably connected to the terminal device and the destination search device. The destination search device further includes an IP address for permitting or prohibiting communication. Comprising a communication permission / prohibition table, the terminal device transmits a domain name to the communication relay device, and the communication relay device transmits a domain name received from the terminal device to the destination search device,
The destination search device converts a domain name received from the communication relay device into an IP address based on the address table or inquiring of another destination search device on the Internet, and the destination search device performs
It is characterized in that the communication permission is determined by determining whether the address is recorded in the communication permission table.

Therefore, if an existing DNS server is adopted as a destination search device, a communication permission / prohibition table is stored in the DNS server, and communication permission / prohibition is determined, it is possible to regulate a communication partner such as a terminal device. it can.

(19) A network system according to the present invention is communicatively connected to an information transmitting device, and includes a destination searching device on the transmitting side having an address table in which an IP address is recorded in association with a domain name; A destination search device that is communicably connected to the information receiving device and has an address table in which an IP address is recorded in association with a domain name, and the destination search device on the reception side includes: Further, the communication apparatus includes a communication permission / prohibition table in which an IP address for permitting or prohibiting communication is recorded, and the destination search device on the transmission side transmits a domain name and an IP address of the information transmission device to the destination search device on the reception side. And inquiring about the IP address of the information receiving apparatus,
The destination search device on the reception side determines whether the IP address of the information transmission device received from the destination search device on the transmission side is recorded in the communication permission / prohibition table. It is characterized in that the communication permission / rejection is determined.

(20) In the network system according to the present invention, the destination search device on the receiving side may input the domain name received from the destination search device on the originating side based on the address table only when the communication is permitted. Address, and transmits the IP address to the destination search device on the transmitting side.

Therefore, it is possible to regulate the source of information such as e-mail sent to the information receiving device.

In the present invention, the "destination search device" converts a domain name into an IP address. In the following embodiment, the DNS server 31,
41, 52 (FIG. 1), DNS server 131 (FIG. 9), D
NS servers 131 and 152 (FIG. 13), DNS server 5
14, 521, 532 (FIG. 16).

The "communication information search device" is a destination search device having a communication information table. In the following embodiment, the DNS server 41 (FIG. 1) and the DNS server 13
1 (FIGS. 9 and 13) and the DNS server 521 (FIG. 16).

The "communication relay device" is communicably connected to a terminal device and a destination search device, and includes a mail server, a news server, a WWW server or a proxy server, a video server, an IRC (chat) server, and the like. This uses a destination search system. In the following embodiment, the mail server 21 (FIG. 1), the mail server 121 (FIG. 13), and the proxy server 513 (FIG. 1)
6) applies.

In the following embodiment, "terminal devices" refer to clients 11 to 13 (FIG. 1), clients 111 and 112 (FIGS. 9 and 13), and clients 511 to 511.
513 (FIG. 16).

The "destination search system" is a network provided with one or a plurality of destination search devices. In the following embodiment, a network (FIG. 1) constituted by DNS servers 31, 41, and 52 is applicable. I do. Also,
DNS server 131 (FIG. 9), DNS servers 131 and 152 (FIG. 13), DNS servers 514 and 52, respectively.
The “determination information”, which also applies to the network constituted by 1,532 (FIG. 16), is generated in a terminal device or the like, and in the following embodiment, a zone name is added to an IP address ( 192.168.222.1.junio
r.).

"Communication information" is recorded in a communication information table, and in the following embodiment,
An IP address (such as 192.168.222.1) that permits communication registered in the DB file corresponds to the IP address. It is to be noted that the concept includes a non-communicable IP address and text information.

The "IP address conversion process" is a process of converting a domain name into an IP address, and corresponds to ST15 in FIG. 6A and ST33 in FIG. 7A in the following embodiment.

The "communication information conversion process" is a process of converting the determination information into communication information, and corresponds to ST20 in FIG. 6B and ST39 in FIG. 7B in the following embodiment.

The "address table" is a table in which an IP address is recorded in association with a domain name. In the following embodiment, the D address of the DNS server 31 will be described.
B file etc. correspond.

The "communication information table" is a table in which communication information is recorded in association with the determination information in the address table. In the following embodiment, the DNS server 41 (FIG. 1) and the DNS server 131 (FIG. 9, FIG. 13),
This corresponds to the DB file of the DNS server 521 (FIG. 16).

The "communication permission / refusal table" is a table in which IP addresses for permitting or prohibiting communication are recorded. In the following embodiment, the communication address database of the DNS server corresponds to the IP address.

The "information transmitting device" is a device for transmitting information to the information receiving device, and corresponds to the mail server 153 in the following embodiment.

An "information receiving device" is a device that receives information from an information transmitting device, and corresponds to the mail server 121 in the following embodiment.

The “recording medium on which programs and data are recorded” is a concept including a flexible disk, a CD-ROM, a hard disk, a memory card, a ROM, a punch card, a tape, and the like. In addition, not only a recording medium on which a program that can be directly executed by a computer is recorded, but also a recording medium on which a program that can be executed once once installed on another recording medium (such as a hard disk), or an encrypted or recorded medium is recorded. This is a concept including a recording medium on which a compressed program is recorded.

[0048]

BEST MODE FOR CARRYING OUT THE INVENTION 1 First Embodiment An embodiment of a network system for restricting an e-mail destination will be described below.

1.1 Overview of Overall Configuration and Processing FIG. 1 shows the overall configuration of a network system according to an embodiment of the present invention.

The clients 11 to 13 belong to the junior zone and are communicably connected to the mail server 21. The mail server 21 is communicably connected to the destination mail server 53 via the Internet. The mail server 21 is a LAN (Local Area Network).
rk) via DNS (Domain Name System) server 3
1 and is connected via the Internet to a DNS server 41 having authority over the junior zone.
The DB file (table for converting a domain name into an IP address) stored in the DNS server 41 has an IP address (for example, 192.168.22) for which communication is permitted.
2.1) to which a zone name “.junior.” Is added (for example, 192.168.222.1.junior.). The outline of the processing of this system will be described below.

The client 11 is a mail server 21
Enter the destination e-mail address "xyz @ jepr"
o.co.jp "and the IP address of the destination mail server 53
Ask the DNS server 31 for the address. DNS server 3
1 accesses the transmission destination DNS server 52, acquires the IP address of the mail server 53, and returns this to the mail server 21.

The mail server 21 adds the zone name “.junior.” To this IP address, and determines whether or not this is registered in the DB file of the DNS server 41 by DNS.
Ask the server 31. The DNS server 31 is the DNS server 4
1 and determines that the DNS server 41 is registered, permits the mail server 21 to transmit the mail via the DNS server 31.

As described above, the system administrator can regulate the mail destinations of the clients 11 to 13 by changing the registered contents of the DB file of the DNS server 41.

The mail destination of the client 51 can also be regulated by the mail server 53 using the DNS server 41. That is, the destination of mail transmitted from a plurality of networks (or clients) on the Internet can be regulated using the DNS server 41.

1.2 DNS Server 31, DNS Server 4
FIG. 2 shows the DNS server 31 and the DNS server 4 shown in FIG.
1 shows a configuration example of hardware. In the CPU 41a,
The memory 41b and the hard disk 4 are connected via a bus line.
1c and a CD-ROM drive 41d are connected.
The memory 41b has an IP address search program, a DB
Files, system programs (OS), etc. are registered.

The IP address search program is a program that inquires of another DNS server on the Internet or searches for an IP address of a host name using its own DB file (so-called “name resolution”). .

The DB file describes an address record (A record) for converting a host name (left value) in a zone in which each DNS server has authority to an IP address (right value). Further, the DNS server 41
In the A record of the DB file described above, an IP address permitted as a communication destination with “.junior. (Zone name)” added (left value) and its IP address (right value) are described (FIG. 3). Note that the IP address search program executes the above functions in cooperation with the system program.

1.3 Hardware Configuration of Mail Server 21 FIG. 4 shows a hardware configuration example of the mail server 21 shown in FIG. The CPU 21a has a memory 21b, a hard disk 21c, and a CD-RO via a bus line.
The M drive 21d is connected. Hard disk 2
1c has a mail delivery program (MTA: Message Tran
sfer Agent), a spool file, a communication restriction program, a system program, and the like.

The mail delivery program is for delivering an electronic mail received from a client to a destination mail server. The received mail and the mail to be transmitted are written in the spool file.

The communication restriction program asks the DNS server for the IP address of the host name. In addition, a zone name is added to the IP address acquired from the DNS server, and the DNS server is asked whether communication is permitted or not.

Note that the mail delivery program and the communication regulation program execute the above functions in cooperation with the system program.

1.4 Hardware Configuration of Client FIG. 5 shows a hardware configuration example of the client 11 shown in FIG. The CPU 11a has a memory 11b, a display 11c, a keyboard 1 via a bus line.
1d, hard disk 11e, CD-ROM drive 1
1f is connected.

The hard disk 11e has a browser program (for example, Microsoft Internet Explorer), a mail program (for example, Microsoft Outlook Express), and a system program (for example, Microsoft Windows) for connecting to the WWW server. Etc.) are registered.

The browser program and the mail program execute the above functions in cooperation with the system program.

1.5 Flowchart FIGS. 6A and 6B show the client 11, the mail server 21, the DNS server 31, and the DNS server when the client 11 sends a mail to the destination terminal 51 (mail address: xyz@jepro.co.jp). 41 shows the processing of the DNS server 51.

The client 11 is connected to the mail server 21
Then, an e-mail addressed to "xyz@jepro.co.jp" input by the user is transmitted (ST11).

The mail server 21 writes the e-mail to the spool file, and also writes xyz@jepro.co.jp
Extract the domain name "jepro.co.jp" from
The message is sent to the NS server 31 to inquire about the IP address of the mail server 53 of the jepro.co.jp domain (ST12).

The DNS server 31 accesses the DNS server 52 of the jepro.co.jp domain and
3 is asked (ST13). DNS server 5
2 obtains the host name of the mail server 53 (ST1).
4) This is converted to an IP address “192.168.222.1” using its own DB file (not shown) (ST1).
5). When the DNS server 31 acquires this IP address, it transmits it to the mail server 21 (ST16).

Next, the mail server 21 checks "192.168.22
2.1) with the zone name ".junior."
68.222.1.junior.), DNS with authority over the junior zone
It inquires of the DNS server 41 via the DNS server 31 whether or not it is registered in the DB file (see FIG. 3) of the server 41 (ST17, ST18).

When the DNS server 41 determines that it has been registered (ST19), it sends 192.168.222.1.junior.
The address is converted to "192.168.222.1" (ST20) and transmitted to the mail server 21 via the DNS server 31 (ST21, ST22). Mail server 21 transmits an e-mail of the spool file to mail server 53 based on the IP address (ST25, ST26).

In ST19, the DNS server 4
When it is determined that No. 1 is not registered in the DB file,
A command to prohibit mail transmission is sent to the mail server 21 via the DNS server 31 (ST23, ST2).
4). Mail server 21 transmits to client 11 that mail transmission is not possible (ST25, 27). 1.6 In this embodiment, the communication restriction program is stored in the mail server 21, and the mail server 21 generates the determination information (192.168.222.1.junior.) (ST17). However, the communication restriction program may be stored in the client 11 and the client 11 may generate the determination information. FIGS. 7A and 7B illustrate a process when the client generates the determination information, taking as an example a case where the connection destination of the WWW server is regulated.

The client 11 extracts the host name “www.jepro.co.jp” from the connection destination URL “http://www.jepro.co.jp” input by the user, and transmits this to the DNS server 31. (ST31).

The DNS server 31 makes an inquiry to another DNS server on the Internet to have www.jepro.co.jp converted to an IP address (ST32). And
The DNS server 31 sends the IP address “192.168.222.2”
Is acquired (ST33, ST34), this is transmitted to the client 11 (ST35).

The client 11 sets "192.168.222.2"
(ST36), and determines whether or not this is registered in the DB file (see FIG. 3) of the DNS server 41 having authority in the junior zone. , The DNS via the DNS server 31
It inquires of S server 41 (ST36, 37).

When the DNS server 41 determines that it is registered, it registers 192.168.222.1.junior. With the IP address “19”.
2.168.222.2 "(ST38, ST38),
The data is transmitted to the client 11 via the NS server 31 (ST40, 41). The client 11 connects to the WWW server based on the IP address (ST4).
4, 45).

In ST38, the DNS server 4
When it is determined that No. 1 is not registered in the DB file,
A command to prohibit communication is sent to the client 11 via the DNS server 31 (ST42, 43). The client 11 displays on the display 11c that the connection is not possible (ST44, 46).

Note that a proxy server capable of communicating with the client may be provided, and the communication restriction program may be stored therein. In this case, the proxy server makes the above-mentioned ST36
And so on. 1.7 In this embodiment, the mail server 21
The zone name is added to the IP address of the communication destination, and the DNS server 31 is asked whether communication is permitted or not. However, the present invention is not limited to this. If the mail server 21 acquires the user information from the client 11 and adds a predetermined symbol to each of the user types, it sets the communication partner restriction on the user type. be able to. For example, predetermined symbols (administrator: manager, teacher: teacher, child: student) may be used depending on the manager, teacher, and child in the educational institution.
By setting t) and creating a DB file as shown in FIG. 8, it is possible to regulate communication partners for each administrator, teacher, and child. In this example, the communication to the IP address “192.161.112.1” is not permitted to the child, but the communication is permitted to the administrator and the teacher.

Further, a plurality of DNS servers each having a different restriction setting of the communication partner may be provided. In this case, if the client stores software that authenticates the user and determines a DNS server to be used, the restriction on the communication partner can be changed by the user even if the client is the same client.

In this embodiment, the mail server 21 adds the zone name to the IP address of the communication destination and asks the DNS server 31 whether or not to permit communication. However, the present invention is not limited to this. If the mail server 21 acquires the identification information of the client from the client 11 and adds a predetermined symbol to each client, it is possible to set restrictions on the communication partner in the type of the client. Can be.

Further, in this embodiment, the DNS server 41 on the Internet has a DB file in which IP addresses permitting communication with the clients 11 to 13 are recorded. However, the present invention is not limited to this, and the DB file may be provided in the DNS server 31 in the internal network.

In the above embodiment, the mail server 21 is described as an example of the communication relay device. However, the present invention is not limited to this, and the communication relay device may be an information providing server (news server, WW
W server) or a proxy server.

In this embodiment, the DNS server 4
In the DB file of No. 1, the judgment information (192.168.222.1.junio
r.) and the IP address (192.
168.222.1) is recorded (see Fig. 3). However, the present invention is not limited to this, and may record an uncommunicable IP address in association with the determination information. Further, text information may be recorded. This text information is, for example, “communication is not permitted” or “communication is not permitted from 月 / ○ to △ / △”. In this case, by displaying the text information on the display, the client can easily provide the user with the communication result.

2 Second Embodiment The following is a description of the case where the connection destination of the website device is regulated.
1 shows an embodiment of a network system.

2.1 Overall Configuration FIG. 9 shows the overall configuration of a network system according to an embodiment of the present invention.

Client 11 belonging to junior zone
1, 112 are mail servers 121,
It is connected to a DNS server 131 having authority over the junior zone. The DNS server 131 is connected to the website device 141 via the Internet. The DNS server 131 stores a DB file for converting a host name into an IP address and clients 111 and 11
2 stores a database in which IP addresses for which communication is permitted with respect to 2 are registered.

[0086] The DNS server 131
When the host 1 receives the host name of the web site device 141 to be connected to, it inquires of another DNS server on the Internet to obtain the IP address of the web site device 141.

Then, the DNS server 131 determines whether or not the IP address of the website device 141 is registered in the database. If registered, the DNS server 131 allows the client 111 to communicate with the website device 141.

Therefore, the system administrator can easily regulate the communication partners of the clients 111 and 112 by changing the IP address registered in the database of the DNS server 131.

2.2 Hardware Configuration of DNS Server 131 FIG. 10 shows an example of the hardware configuration of the DNS server 131 shown in FIG. The CPU 131a has a memory 131b, a hard disk 131c, a C
The D-ROM drive 131d is connected. In the memory 131b, an IP address search program, a communication determination program, a DB file, a communication address database, a system program (OS), and the like are registered.

The communication determination program determines whether or not the IP address searched by the IP address search program is registered in the communication address database. In the communication address database, IP addresses to which the system administrator permits communication are registered (FIG. 12).
reference). The IP address search program and the DB file are the same as above.

2.3 Hardware Configuration of Client 111 This is the same as 1.4 above.

2.4 Flowchart FIG. 11 shows that the client 111
1 JEPRO website (URL: http: //www.jepro.c
o.jp), the browser program of the client 111, the IP address search program of the DNS server 131, and the communication determination program.

The client 111 extracts the host name “www.jepro.co.jp” from the connection destination URL “http://www.jepro.co.jp” input by the user, and transmits this to the DNS server 131. (ST51).

The DNS server 131 makes an inquiry to another DNS server on the Internet to make a request to www.jepro.co.jp
Is converted to an IP address (ST52, 53).
Then, the DNS server 131 is connected to the website device 14.
1 obtains the IP address “192.168.222.2” (ST
54, 55).

Next, the DNS server 131 sets "192.168.
222.2 "is registered in the communication address database shown in FIG. 12 (ST56). DNS
When the server 131 determines that it has been registered, it proceeds to `` 192.
168.222.2 ”to the client 111 (ST5).
7). That is, connection to the website device 141 is permitted.

The client 111 sets "192.168.222.
2 ”to connect to the JEPRO website (ST5
9, 60).

[0097] If it is determined in ST56 that the DNS is not registered in the communication address database, DNS server 131 transmits a command to prohibit communication to client 111 (ST58). Client 11
1 displays on the display that connection to the website device 41 is not possible (ST59, 61).

In this embodiment, the client 111 directly requests the DNS server 131 for name resolution (ST51). However, the present invention is not limited to this, and a proxy server or the like that has obtained the URL from the client 111 may request the DNS server 131 to perform name resolution.

2.6 Restriction of Transmission Destination of E-mail In this embodiment, the case where the communication restriction to the website apparatus is performed is described as an example. However, the destination of the e-mail may be restricted. FIG. 13 is a diagram showing an example of a case where this is transmitted from the client 111 to the terminal 151 by mail.
This will be described with reference to the flowchart of FIG.

The client 111 is connected to the mail server 12
First, an e-mail addressed to "xyz@jepro.co.jp" input by the user is transmitted (ST71).

The mail server 121 writes the e-mail in the spool file, and executes xyz@jepro.co.j
Extract the domain name "jepro.co.jp" from p and put it in D
The message is sent to the NS server 131 to inquire about the IP address of the mail server 153 in the jepro.co.jp domain (ST7).
2).

The DNS server 131 accesses the DNS server 152 of the jepro.co.jp domain (ST7).
3) Ask for the IP address of mail server 153. DN
S server 152 obtains the host name of mail server 153 and converts it to an IP address “192.168.222.1” (ST74, 75).

The DNS server 131 is the DNS server 15
2 to the IP address of the mail server 153 "192.168.22
When "2.1" is acquired (ST76), it is determined whether or not this is registered in the communication address database shown in FIG. 12 (ST77).

If the DNS server 131 determines that the address is registered, it sends the IP address “192.168.222.1” of the destination mail server 153 to the mail server 121 (ST78). The mail server 121 transmits the e-mail of the spool file to the destination mail server 153.
(ST80, ST81).

Also, in ST77, the DNS server 1
If it is determined that it has not been registered, it sends a command to the mail server 121 to prohibit mail transmission (ST79). Mail server 121 transmits to client 111 that mail transmission is not possible (ST8).
0,82).

2.7 Restriction on Transmission Source of E-mail and the Like In the above-mentioned embodiment 2.6, the case where the transmission destination of the mail of the client is restricted is described. However, this system can also be used to regulate the source of a client's e-mail or the like. This will be described with reference to an entire configuration diagram of FIG. 13 and a flowchart of FIG. 15, as an example of a case where a mail is transmitted from the terminal 151 to the client 111.

When the DNS server 131 is asked for the IP address of the mail server 121 from the transmission DNS server 152 (ST91, 92), it obtains the IP address of the transmission mail server 153 (ST93). Then, it is determined whether or not the IP address of mail server 153 of the transmission source is registered in the communication address database shown in FIG. 12 (ST94).

When it is determined that the mail server 121 is registered, the DNS server 131 acquires the host name of the mail server 121, and
This is converted into an IP address based on the DB file (ST95, 96). And the DNS server 131
Sets the IP address of the mail server 121 to the source D
The message is transmitted to the NS server 152 (ST97).

The mail server 153 of the transmission source obtains the IP address of the mail server 121 of the transmission destination from the DNS server 152 (ST98), and sends the mail server 1 of the transmission destination.
An e-mail is transmitted to ST21 (ST100, 101).

In ST94, the DNS server 1
If it is determined that it has not been registered, it transmits to the sending mail server 153 that mail transmission is not possible (ST99). 2.8 Also, in this embodiment, the DNS server 131 is provided with a communication determination program and the like, and the DNS server 131
Judge whether communication is permitted or not. However, the present invention is not limited to this, and the mail server 121 may be provided with a communication determination program and a communication address database, and the mail server 121 may obtain an IP address from the DNS server 131 and determine whether to permit communication. Similarly, a proxy server communicably connected to the client may determine whether to permit communication.

In this embodiment, an IP address that permits communication is registered in the communication address database of the DNS server 131. However, the present invention is not limited to this, and an IP address for which communication is prohibited may be registered.

Also, in this embodiment, the existing D
The NS server is provided with a communication address database and the like.
The NS server 131 determines whether to permit communication. However, the present invention is not limited to this, and a device provided with a communication address database or the like, which is a separate device from the DNS server, may be used to determine whether communication is permitted. 3 Further, in the present invention, permission / non-permission of communication is determined based on the IP address of the communication partner, so that unknown communication protocols (newly developed communication protocols) can be used. The present invention can be applied. This is described in the system described in the first embodiment (see FIG. 16).
In the following, a case where a client using an unknown communication protocol attempts to communicate with an unknown function server will be described as an example.

First, the client 511 sends the domain name of the destination unknown function server 531 to the proxy server 513.
To the IP address of the unknown function server 531,
Ask the DNS server 514. The DNS server 514 uses D
The NS server 532 is accessed and the unknown function server 53 is accessed.
1 and obtains the IP address of the proxy server 51.
Return to 3.

The proxy server 513 adds a zone name to this IP address, and inquires of the DNS server 514 whether or not this is registered in the DB file of the DNS server 521. The DNS server 514 is the DNS server 52
When the DNS server 521 determines that it is registered, it permits the proxy server 513 to communicate via the DNS server 514.

Thus, if this system is used,
Since communication permission / non-permission is determined for each communication protocol, unlike a conventional firewall server that cannot handle unknown communication protocols, communication permission / non-permission can be determined even for unknown communication protocols. .

Note that even if the system described in the second embodiment is adopted, it is possible to determine whether communication is allowed or not for an unknown communication protocol.

[Brief description of the drawings]

FIG. 1 is a diagram illustrating an overall configuration of a network system according to an embodiment.

FIG. 2 is a diagram illustrating a hardware configuration of a DNS server 31 according to an embodiment.

FIG. 3 is a diagram illustrating a DB file of a DNS server 31 according to an embodiment.

FIG. 4 is a diagram illustrating a hardware configuration of a mail server 21 according to an embodiment.

FIG. 5 is a diagram illustrating a hardware configuration of a client 11 according to an embodiment.

FIG. 6A is a flowchart when restricting an e-mail transmission destination in one embodiment.

FIG. 6B is a flowchart when restricting a transmission destination of an e-mail in one embodiment.

FIG. 7A is a flowchart when restricting a connection destination of a WWW server in one embodiment.

FIG. 7B is a flowchart when restricting the connection destination of the WWW server in one embodiment.

FIG. 8 is a diagram illustrating a DB file of a DNS server 31 according to an embodiment.

FIG. 9 is a diagram illustrating an overall configuration of a network system according to an embodiment.

FIG. 10 is a diagram illustrating a hardware configuration of a DNS server 131 according to an embodiment.

FIG. 11 is a flowchart when restricting a connection destination of a web site device in one embodiment.

FIG. 12 is a diagram illustrating a communication address database of the DNS server 131 according to one embodiment.

FIG. 13 is a diagram illustrating an overall configuration of a network system according to an embodiment.

FIG. 14 is a flowchart when restricting a destination of an e-mail in one embodiment.

FIG. 15 is a flowchart when restricting the transmission source of an e-mail in one embodiment.

FIG. 16 shows a system configuration when determining whether to permit communication with an unknown function server in one embodiment.

FIG. 17 is a diagram showing a conventional firewall system.

[Explanation of symbols]

 11, 12, 13 ... Client 21 ... Mail server 31 ... DNS server 41 ... DNS server 111, 112 ... Client 121 ... Mail server 131 ... DNS server 521, 512, 513 client 513 proxy server 514 DNS server 521 DNS server

 ──────────────────────────────────────────────────続 き The continuation of the front page F term (reference) 5B089 GA11 GA21 GB02 HA10 JA22 JA31 JB01 JB02 KA17 KB06 KB13 KC52 5K030 GA04 GA15 HA06 HB11 HD03 HD09 JT02

Claims (28)

[Claims] 1. A terminal device that can be connected to the Internet, a communication relay device that is communicably connected to the terminal device, and that is communicably connected to the communication relay device, and has an IP address associated with a domain name. A destination search system provided with one or more destination search devices provided with an address table in which is stored the at least one destination search device in the destination search system. A communication information search device including a communication information table in which communication information is recorded in association with the determination information in an address table, wherein the terminal device transmits a domain name to the communication relay device; Transmitting the domain name received from the terminal device to the destination search system, wherein the destination search system The domain name received from the communication relay device based on the
Performing an IP address conversion process of converting the IP address into an address, transmitting the IP address to the communication relay device, the communication relay device generating the determination information based on the IP address received from the destination search system, The determination information is transmitted to the destination search system. If the determination information received from the communication relay device is recorded in the communication information table, the destination search system converts the determination information into the communication information. And transmitting the communication information to the communication relay device. 2. A terminal device connectable to the Internet, and one or a plurality of destination search devices provided with an address table communicably connected to the terminal device and recording an IP address in association with a domain name. A network system comprising: a destination search system comprising: a communication system in which at least one of the destination search devices in the destination search system stores communication information in which address information is associated with determination information; A communication information search device comprising a table, wherein the terminal device transmits a domain name to the destination search system, and the destination search system converts a domain name received from the terminal device based on the address table. By performing an IP address conversion process for converting the IP address into an IP address,
A P address is transmitted to the terminal device, and the terminal device receives the I address received from the destination search system.
The determination information is generated based on the P address, and the determination information is transmitted to the destination search system. In the destination search system, the determination information received from the terminal device is recorded in the communication information table. Then, a communication information conversion process for converting the determination information into the communication information is performed, and the communication information is transmitted to the terminal device. 3. A communication relay communicably connected to a terminal device, a destination search system including one or a plurality of destination search devices including an address table in which an IP address is recorded in association with a domain name. At least one of the destination search devices in the destination search system is a communication information search device including a communication information table in which communication information is recorded in association with determination information in the address table; Receiving a domain name from a terminal device, transmitting the domain name to the destination search system, obtaining an IP address obtained by an IP address conversion process by the destination search system from the destination search system, Generating the determination information based on the IP address received from the system, and transmitting the determination information to the destination A communication relay device that transmits to a search system and acquires the communication information obtained by the communication information conversion processing by the destination search system from the destination search system. 4. A terminal device communicably connected to a destination search system including one or a plurality of destination search devices having an address table in which an IP address is recorded in association with a domain name, At least one of the destination search devices in the destination search system is a communication information search device including a communication information table in which communication information is recorded by associating determination information with the address table. Transmitting the IP address obtained by the IP address conversion processing by the destination search system from the destination search system, generating the determination information based on the IP address received from the destination search system, Transmitting determination information to the destination search system, and converting communication information by the destination search system The communication information obtained by the management terminal device and acquires from the destination search system. 5. A destination search system comprising one or a plurality of destination search devices which are communicably connected to a terminal device or a communication relay device and have an address table in which an IP address is recorded in association with a domain name. Wherein at least one of the destination search devices is a communication information search device including a communication information table in which communication information is recorded in association with the determination information in the address table; , Obtain a domain name, and, based on the address table,
Perform IP address conversion processing to convert to P address,
Transmitting the IP address to the terminal device or the communication relay device; acquiring the determination information generated by the terminal device or the communication relay device based on the IP address from the terminal device or the communication relay device; In the case where the determination information is recorded, performing a communication information conversion process of converting the determination information into the communication information, and transmitting the communication information to the terminal device or the communication relay device, Destination search system. 6. The network system, communication relay device, terminal device, or destination search system according to claim 1, wherein said communication information search device includes determination information regarding terminal devices or communication relay devices in a plurality of internal networks. A communication information table storing communication information; 7. The network system, communication relay device, terminal device, or destination search system according to claim 1, wherein the communication information search device acquires the determination information from the destination search device and performs the communication. Characterized by performing information conversion processing. 8. The network system, communication relay device, terminal device or destination search system according to claim 1, wherein said communication information includes an IP address permitting communication, and said communication relay device or terminal. The apparatus performs communication based on the IP address. 9. The network system, communication relay device, terminal device, or destination search system according to claim 1, wherein said communication information includes an uncommunicable IP address. 10. The network system, communication relay device, terminal device or destination search system according to claim 1, wherein the communication information includes text information, It is characterized by presenting text information to an operator. 11. The network system, communication relay device, terminal device, or destination search system according to claim 1, wherein the destination search system is configured to execute the processing when the determination information is not recorded in the communication information table. The communication refusal information is transmitted to the communication relay device or the terminal device, and the communication relay device or the terminal device does not perform communication when receiving the communication refusal information. 12. The network system, communication relay device, terminal device or destination search system according to claim 1, wherein said communication relay device or terminal device transmits said determination information based on information of said terminal device. Characterized by generating. 13. The network system, communication relay device, terminal device or destination search system according to claim 1, wherein said communication relay device or terminal device generates said determination information based on user information. Characterized by: 14. The network system, communication relay device, terminal device or destination search system according to claim 1, wherein said communication relay device or terminal device transmits a predetermined IP address to said IP address received from said destination search system. The method according to claim 1, wherein the determination information is generated by adding information. 15. A terminal device that can be connected to the Internet, a destination search device that is communicably connected to the terminal device, and that has an address table in which an IP address is recorded in association with a domain name; A communication relay device communicably connected to the device and the destination search device, wherein the destination search device further includes a communication permission / rejection recording an IP address for permitting or prohibiting the communication. A table, the terminal device transmits a domain name to the communication relay device, the communication relay device transmits a domain name received from the terminal device to the destination search device, and the destination search device , Based on the address table or by inquiring of another destination search device on the Internet, Converting the received domain name into an IP address, the destination search device determines whether or not the IP address is recorded in the communication permission / prohibition table, thereby determining communication permission / prohibition. Network system. 16. A terminal device connectable to the Internet, and a destination search device communicably connected to the terminal device and having an address table in which an IP address is recorded in association with a domain name. The destination search device further comprises a communication permission / prohibition table in which an IP address for permitting or prohibiting communication is recorded, wherein the terminal device transmits a domain name to the destination search device. The destination search device may input the domain name received from the terminal device based on the address table or by inquiring another destination search device on the Internet.
A network system, wherein the network address is converted into an address, and the destination search device determines whether or not the communication is permitted by determining whether the IP address is recorded in the communication permission / prohibition table. 17. A destination search device which is communicably connected to a terminal device and a communication relay device and has an address table in which an IP address is recorded in association with a domain name. A communication permission / prohibition table in which a prohibited IP address is recorded; and an IP address for a domain name received from the communication relay device or the terminal device based on the address table or inquiring of another destination search device on the Internet. And determining whether or not the communication is permitted by determining whether the IP address is recorded in the communication permission / prohibition table. 18. The network system, communication relay device, terminal device, destination search system or destination search device according to claim 1, wherein said communication relay device is a mail server, a news server,
What is a WWW server or a proxy server. 19. A destination search device on the transmission side, which is communicably connected to an information transmission device and has an address table in which an IP address is recorded in association with a domain name, and is communicably connected to an information reception device. A destination search device provided with an address table in which an IP address is recorded in association with a domain name, wherein the destination search device further comprises a communication device. And a communication permission / prohibition table in which an IP address for permitting or prohibiting the communication is recorded. The IP address of the information receiving device is queried, and the destination searching device on the receiving side transmits the information transmitted from the destination searching device on the transmitting side. Network system IP address of the location is, by determining whether it is recorded in the communication acceptability table, and performs determination of the communication acceptability for said information receiving apparatus. 20. The network system according to claim 19, wherein the destination search device on the receiving side converts the domain name received from the destination search device on the transmission side into an IP address based on the address table only when the communication is permitted. Address, and transmit the IP address to the destination search device on the transmitting side. 21. A terminal device connectable to the Internet, a communication relay device communicably connected to the terminal device, and a destination search system communicably connected to the communication relay device. An Internet communication management method to be implemented, wherein the terminal device transmits a domain name to the communication relay device, and the communication relay device transmits the domain name to the destination search system. In, the domain name
And converting the IP address into an address, transmitting the IP address to the communication relay device, causing the communication relay device to generate determination information based on the IP address, transmitting the determination information to the destination search system, In the search system, the determination information is converted into communication information, and the communication information is transmitted to the communication relay device. 22. A terminal device connectable to the Internet, a communication relay device communicably connected to the terminal device, a destination search device communicably connected to the communication relay device, and a destination search device. An Internet communication management method realized by using a communication information search device connected to the device via the Internet, wherein the terminal device transmits a domain name to the communication relay device, and the communication relay device In the above, the domain name is transmitted to the destination search device, the destination search device converts the domain name into an IP address, and the IP address is transmitted to the communication relay device. The determination information is generated based on the IP address, and the determination information is transmitted to the destination search device. In the search device, the determination information is transmitted to the communication information search device. In the communication information search device, the determination information is converted into communication information, and the communication information is transmitted to the destination search device. An Internet communication management method, wherein the apparatus causes the communication relay apparatus to transmit the communication information. 23. A terminal device connectable to the Internet, a destination search device communicably connected to the terminal device and recording an IP address for permitting or prohibiting communication, the terminal device and the destination search. A communication relay device communicably connected to the device, an internet communication management method implemented using: wherein the terminal device transmits a domain name to the communication relay device; A network system for transmitting the domain name to the destination search device, causing the destination search device to convert the domain name into an IP address, and determining whether to permit or reject communication based on the IP address. . 24. A recording medium on which a program for causing a computer to function as a communication relay device or a terminal device is recorded, wherein the computer generates determination information based on an IP address received from a destination search system, and stores the determination information. A recording medium on which a program to be transmitted to the destination search system is recorded. 25. A recording medium on which the program according to claim 24 is recorded, wherein a program for causing a computer to generate the determination information based on information on the terminal device is recorded. 26. An area for recording judgment information in a recording medium recording IP address data, comprising: an area for recording a domain name; an area for recording an IP address in association with the domain name; A recording medium for recording IP address data, comprising: an area for recording an IP address permitted to communicate in association with information. 27. An area for recording judgment information in an IP address data recording medium comprising: an area for recording a domain name; an area for recording an IP address in association with the domain name; A recording medium for recording IP address data, comprising: an area for recording an uncommunicable IP address in association with information. 28. A recording medium recording the IP address data according to claim 26 or 27, further comprising an area for recording text information in association with said incommunicable IP address.