JP5231513B2 - Resource record control system, resource record control method, application determination method and program - Google Patents

Description

  The present invention relates to a resource record control system, a resource record control method, a resource record control program, and a terminal device that avoids a state in which communication with a counterpart device cannot be performed when a communication terminal starts communication using the Internet protocol. The present invention relates to an application determination method and an application determination program.

  There are a large number of dual stack terminals such as personal computers and information appliances that implement both the Internet Protocol version 4 (IPv4) protocol and the Internet Protocol version 6 (IPv6) protocol as Internet protocols. Such a DNS resolver (Domain Name System resolver) in an OS (Operating System) of such a terminal generally inquires the DNS server for an A resource record and an AAAA resource record when determining an address from a name.

  Here, the A resource record is a DNS record that designates an IPv4 address for a fully qualified domain name. The AAAA resource record is different from the A resource record in that it supports a 128-bit IPv6 address.

  When both of these responses are obtained from the DNS server in response to the query of the A resource record and the AAAA resource record, the terminal normally responds by giving priority to the AAAA resource record over its running application program. . However, there are cases where the application program in operation of the terminal does not support IPv6. In this case, the AAAA resource record cannot be interpreted even if the application program attempts to start communication with the partner apparatus that has performed name resolution. As a result, there is a problem that communication cannot be started and the application program cannot be used.

  Further, in order to avoid such a problem, some communication terminals fall back to communication with IPv4 and attempt communication. However, in order to employ this method, it is necessary to first wait until time-out to confirm that communication by IPv6 cannot be performed. For this reason, there arises a problem that a communication delay occurs due to timeout waiting before communication by IPv4 starts.

  Therefore, as a related technique related to the present invention, it has been proposed to provide a translator device on the network that performs conversion from an IPv4 address to an IPv6 address or from an IPv6 address to an IPv4 address (for example, see Patent Document 1). With this related technology, the IPv4-IPv6 translator device receives an inquiry of IPv6 address resolution for a predetermined FQDN (Fully Qualified Domain Name) from a communication terminal (user terminal), and sends the IPv4 address of the FQDN to the DNS server. Queries for name resolution of IPv6 addresses.

  When the IPv6 address and the IPv4 address can be acquired as a result of the name resolution, a dummy IPv6 address in which the IPv4 address is embedded in a preset dummy prefix is returned to the communication terminal side together with the acquired IPv6 address. Then, it is determined which of the IPv4 address and the IPv6 address is prioritized as an address used for communication between the communication terminal and the communication partner. As a result, the global IPv6 address is given priority when the IPv4 address is given priority as an address used for communication between the communication terminal and the communication partner, and the unique local IPv6 unicast address is given when the IPv6 address is given priority. Use as

JP 2009-206562 A (paragraphs 0005 and 0021, FIG. 1)

  According to this related technology, when a communication terminal communicates with a dual stack host that supports both IPv4 address and IPv6 address, priority is given to communication using an IPv4 address, or priority is given to communication using an IPv6 address. This can be controlled by an IPv4-IPv6 translator. Therefore, it is possible to reduce the load on the IPv4-IPv6 translator device and maintain communication redundancy.

  However, this related technique requires a special device called an IPv4-IPv6 translator device on the network in addition to the DNS server. In addition, the communication terminal needs to receive two types of addresses related to IPv6 from the IPv4-IPv6 translator and select one of them using the longest match method. This complicates the processing on the communication terminal side.

  Even in a dual stack terminal, an application program applied in relation to a communication partner may not support IPv6. In such a case, the related technology described above cannot solve the problem that the AAAA resource record cannot be handled on the application program side of the communication terminal.

  Therefore, an object of the present invention is to provide a resource record control system, method, and program that allow a DNS server to respond with an appropriate resource record when a DNS response is made to a terminal in which an application program that does not support IPv6 is present. There is.

  Another object of the present invention is to provide an application determination method and program capable of determining whether an application program on the terminal side is compatible with IPv6.

  In the present invention, (a) a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, and (b) a name sent via a predetermined network. A DNS (Domain Name System) server that receives a resolution request and responds to the request destination with a resource record for the domain name of the corresponding communication partner, and (c) when a name resolution request is sent from the dual stack terminal described above And a resource for receiving a resource record sent as a response from the DNS server in response to the name resolution request sent by the name resolution request sending means. Record receiving means and resource records that are allowed to be used for each domain name of the communication partner The resource record control policy table in which resource records that are prohibited from being used or used are set as policies, and the resource record control policy table based on the resource records received by the resource record receiving means described above, The resource record control system includes a gateway including DNS response means for performing a DNS response for communicating with the communication partner domain to the performed dual stack terminal.

  In the present invention, (a) when a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received. And (b) receiving a resource record sent from the DNS server as a response to the name resolution request sent in the name resolution request sending step. A resource record receiving step and (c) a resource based on the resource record received in this resource record receiving step and a resource record that is permitted for each domain name of a communication partner or a resource record that is prohibited to be used as a policy Refer to the record control policy table. Wherein the name resolution request resource record control method and a DNS response step of DNS responses to communicate with the domain of the communication partner with respect to a dual-stack terminal done by comprising.

  In the present invention, (i) when a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received as a gateway. A name resolution request transmission step transmitted to a DNS (Domain Name System) server, and (b) an AAA resource record is sent as a DNS response from the DNS server in response to the name resolution request transmitted in the name resolution request transmission step. A DNS response reply step of returning this as a DNS response to the dual stack terminal when received, and (c) the dual stack terminal returning in the DNS response reply step Communicate to the AAAA resource record A communication presence / absence determination step for determining whether or not the communication addressed to the virtual AAAA resource record is not performed within the predetermined time in the communication presence / absence determination step; And (e) if there is communication addressed to the virtual AAAA resource record within the predetermined time in the communication presence / absence determination step described above, this is determined from IPv6 to IPv4. A fallback event occurrence determination step for determining whether or not a fallback event has occurred, and (f) the dual operation described above when it is determined in this fallback event occurrence determination step that no fallback event has occurred. IPv6-compatible applications on stack terminals Corresponding program exists determination step and an application determination method for determining a program exists is provided.

  Furthermore, in the present invention, name resolution is performed from a dual stack terminal in which both (i) IPv4 (Internet Protocol version 4) protocol stack and IPv6 (Internet Protocol version 6) protocol stack are installed in the gateway computer as a resource record control program. A name resolution request transmission process for receiving a request and sending it to a DNS (Domain Name System) server; and (b) a response from the DNS server as a response to the name resolution request transmitted in the name resolution request transmission process. Resource record receiving process that receives incoming resource records, and (c) Resource records that are permitted to be used for each domain name of the communication partner based on the resource records received in this resource record receiving process or prohibited from being used Resource record to be defined as a policy Was with reference to the resource record control policy table is characterized by executing a DNS response process for DNS response for communicating with the domain of the communication partner with respect to a dual-stack terminal performing the name resolution request described above.

  Further, in the present invention, a name resolution request is issued from a dual stack terminal in which both (i) IPv4 (Internet Protocol version 4) protocol stack and IPv6 (Internet Protocol version 6) protocol stack are installed in the gateway computer as an application determination program. And (b) the DNS server described above in response to the name resolution request transmitted in the name resolution request transmission process. When the AAAA resource record is sent as a DNS response from the DNS response reply process for returning the AAA resource record as a DNS response to the dual stack terminal, and (c) the dual stack terminal returned by the DNS response reply process Virtual AA within a predetermined time based on the reply A communication presence / absence determination process for determining whether or not a communication addressed to the A resource record is performed; and (d) when the communication addressed to the virtual AAAA resource record is not performed within the predetermined time in the communication presence / absence determination process. There is an unsupported program existence determination process for determining that an IPv6 unsupported application program exists in the stack terminal, and (e) the communication addressed to the virtual AAAA resource record within the predetermined time in the communication presence / absence determination process described above. Fallback event occurrence determination processing for determining whether this is due to the occurrence of a fallback event from IPv6 to IPv4, and (f) a fallback event has occurred in this fallback event occurrence determination processing If it is determined that there is no IPv6 compatible Publication program is characterized in that to execute a corresponding program exists determination process to determine that there.

  As described above, according to the present invention, when a name resolution request is sent from a dual stack terminal equipped with both the IPv4 protocol stack and the IPv6 protocol stack, the gateway that has received the name refers to the resource record control policy table. Then, the response result of the DNS server is limited as necessary and returned to the dual stack terminal. As a result, even when an application that does not support IPv6 is inherent in the corresponding dual stack terminal, it is possible to avoid a state in which communication is disabled by responding an appropriate resource record.

  In addition, according to the present invention, the dual stack terminal generates a fallback event from IPv6 to IPv4, so that even if it is apparently compatible with the IPv6 protocol, the gateway side determines whether or not a fallback event has occurred. Decided to determine. As a result, when it is determined that there is no IPv6-compatible application program in the dual stack terminal, it becomes possible to select a communication partner to be the target of IPv4 communication.

It is a claim correspondence diagram of the resource record control system of the present invention. It is a claim corresponding | compatible figure of the resource record control method of this invention. It is a claim corresponding | compatible figure of the application discrimination | determination method of this invention. It is a claim corresponding | compatible figure of the resource record control program of this invention. It is a claim corresponding | compatible figure of the application determination program of this invention. It is a system configuration figure showing composition of a resource record control system in DNS of an embodiment of the invention. It is a block diagram showing the fundamental structure of the gateway in this Embodiment. It is explanatory drawing which showed the mode of the resource record control in DNS in the resource record control system of this Embodiment. It is explanatory drawing showing an example of the RR control policy table in this Embodiment. It is explanatory drawing showing the structure of the RR control policy table in the 1st modification of this invention. It is explanatory drawing which showed the mode of the resource record control in DNS in the resource record control system of a 1st modification. It is a flowchart showing the mode of the registration process about the RR control policy table performed in the gateway in the 2nd modification of this invention. It is explanatory drawing which showed an example of the IPv6 communication impossibility detection table used by the 2nd modification.

  FIG. 1 shows a claim correspondence diagram of the resource record control system of the present invention. The resource record control system 10 of the present invention includes a dual stack terminal 11, a DNS (Domain Name System) server 12, and a gateway 13. Here, the dual stack terminal 11 is a terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack. A DNS (Domain Name System) server 12 receives a name resolution request sent via a predetermined network, and responds to the request destination with a resource record for the domain name of the corresponding communication partner. The gateway 13 includes a name resolution request transmission unit 13a, a resource record reception unit 13b, a resource record control policy table 13c, and a DNS response unit 13d. Here, when the name resolution request is sent from the dual stack terminal 11, the name resolution request transmission unit 13 a receives the name resolution request and transmits it to the DNS server 12. The resource record receiving unit 13b receives a resource record sent as a reply from the DNS server 12 in response to the name resolution request transmitted by the name resolution request transmitting unit 13a. The resource record control policy table 13c is a table in which a resource record that permits use or a resource record that prohibits use is defined as a policy for each domain name of a communication partner. The DNS response means 13d communicates with the communication partner's domain with respect to the dual stack terminal that has made the name resolution request with reference to the resource record control policy table 13c based on the resource record received by the resource record receiving means 13b. A DNS response is sent to

  FIG. 2 shows a claim correspondence diagram of the resource record control method of the present invention. The resource record control method 20 of the present invention includes a name resolution request transmission step 21, a resource record reception step 22, and a DNS response step 23. Here, in the name resolution request transmission step 21, when a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, the name resolution request is sent. Receive and send to DNS (Domain Name System) server. In the resource record reception step 22, the resource record sent from the DNS server is received as a response to the name resolution request transmitted in the name resolution request transmission step 21. In the DNS response step 23, based on the resource record received in the resource record receiving step 22, a resource record control policy in which a resource record that permits use or a resource record that prohibits use is defined as a policy for each domain name of the communication partner. A DNS response for communicating with the communication partner domain is sent to the dual stack terminal that has made the name resolution request with reference to the table.

  FIG. 3 shows a claim correspondence diagram of the application determination method of the present invention. The application determination method 30 of the present invention includes a name resolution request transmission step 31, a DNS response return step 32, a communication presence / absence determination step 33, an unsupported program presence determination step 34, a fallback event occurrence determination step 35, A corresponding program existence determination step 36 is provided. Here, in the name resolution request transmission step 31, when a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, the name resolution request is sent. It is received as a gateway and transmitted to a DNS (Domain Name System) server. In a DNS response reply step 32, when an AAAA resource record is sent as a DNS response from the DNS server in response to the name resolution request transmitted in the name resolution request transmission step 31, this is sent as a DNS response to the dual stack terminal described above. Send back. In the communication presence / absence determination step 33, it is determined whether or not the dual stack terminal returned in the DNS response return step 32 performs communication addressed to the virtual AAAA resource record within a predetermined time based on this response. In the unsupported program existence determination step 34, when the communication addressed to the virtual AAAA resource record is not performed within the predetermined time described in the communication presence / absence determination step 33, the IPv6 unsupported application program exists in the dual stack terminal. Judge. In the fallback event occurrence determination step 35, if there is communication addressed to the virtual AAAA resource record within the predetermined time described in the communication presence determination step 33, is this due to the occurrence of a fallback event from IPv6 to IPv4? Is determined. In the corresponding program existence determination step 36, when it is determined in the fallback event occurrence determination step 35 that no fallback event has occurred, it is determined that an IPv6-compatible application program exists in the dual stack terminal.

  FIG. 4 shows a claim correspondence diagram of the resource record control program of the present invention. The resource record control program 40 of the present invention causes the gateway computer to execute a name resolution request transmission process 41, a resource record reception process 42, and a DNS response process 43. Here, in the name resolution request transmission processing 41, when a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, this is processed. Receive and send to DNS (Domain Name System) server. In the resource record reception process 42, the resource record sent from the DNS server as a response to the name resolution request transmitted in the name resolution request transmission process 41 is received. In the DNS response process 43, based on the resource record received in the resource record reception process 42, a resource record control policy in which a resource record that is permitted to be used or a resource record that is prohibited to be used is defined as a policy for each domain name of the communication partner. A DNS response for communicating with the communication partner domain is sent to the dual stack terminal that has made the name resolution request with reference to the table.

  FIG. 5 shows a claim correspondence diagram of the application determination program of the present invention. The application determination program 50 of the present invention includes a name resolution request transmission process 51, a DNS response return process 52, a communication presence / absence determination process 53, an unsupported program presence determination process 54, and a fallback event occurrence presence / absence in a gateway computer. A determination process 55 and a corresponding program presence determination process 56 are executed. Here, in the name resolution request transmission process 51, when a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, this is processed. Receive and send to DNS (Domain Name System) server. In the DNS response reply process 52, when an AAAA resource record is sent as a DNS response from the DNS server in response to the name resolution request transmitted in the name resolution request transmission process 51, this is sent as a DNS response to the dual stack terminal described above. Send back. In the communication presence / absence determination processing 53, it is determined whether or not the dual stack terminal returned in the DNS response return processing 52 performs communication addressed to the virtual AAAA resource record within a predetermined time based on this response. In the unsupported program existence determination process 54, when the communication addressed to the virtual AAAA resource record is not performed within the predetermined time described in the communication presence / absence determination process 53, the IPv6 unsupported application program exists in the dual stack terminal. Judge. In the fallback event occurrence determination processing 55, if there is communication addressed to the virtual AAAA resource record within the predetermined time described in the communication presence determination processing 53, is this due to the occurrence of a fallback event from IPv6 to IPv4? Is determined. In the corresponding program presence determination processing 56, when it is determined in the fallback event occurrence determination processing 55 that no fallback event has occurred, it is determined that an IPv6-compatible application program exists in the dual stack terminal.

  <Embodiment of the Invention>

  Next, an embodiment of the present invention will be described.

  FIG. 6 shows the configuration of the resource record control system in the DNS according to the embodiment of the present invention. The resource record control system 100 includes first and second terminals 104 and 105 on a local network connected to the Internet 101 via a gateway 102. On the Internet 101, there are a first WWW (World Wide Web) server 106 for IPv6 (Internet Protocol version 6), a second WWW server 107 for IPv4 (Internet Protocol version 4), and a DNS (Domain Name System). ) A server 108 is arranged.

  The first terminal 104 and the second terminal 105 are so-called dual stack terminals equipped with both an IPv4 protocol stack and an IPv6 protocol stack. These first and second terminals 104 and 105 are realized, for example, as personal computers or information appliances that access a WWW (World Wide Web) server.

  The gateway 102 is installed in a local network environment and includes a router and a firewall (FireWall) that perform packet transfer processing between different interfaces.

  FIG. 7 shows the basic configuration of the gateway. This will be described with reference to FIG. The gateway 102 includes each component of a DNS resolver 111, a DNS cache table 112, a DNS server module 113, an RR (Resource Record) control policy table 114, an IPv6 communication failure detection table 115, and an IPv6 communication failure detection module 117. I have.

  Here, the DNS resolver 111 performs forward lookup processing (IP address response to the domain name) to the DNS server 108 shown in FIG. 6 in response to a name resolution request from the DNS server module 113 or the IPv6 communication inability detection module 117. It has a function to perform processing such as reverse lookup processing (domain name response to IP address). Also, the DNS resolver 111 refers to the DNS cache table 112 and does not query the DNS server 108 when information whose name has been resolved in the past is retained, and retrieves the information retained in the DNS cache table 112. respond.

  The DNS cache table 112 includes domain name information called FQDN (fully qualified domain name), RR (Resource Record) type, actual data such as an IP address, and TTL (Time To Live) information elements. Is a table that holds The DNS cache table 112 is used by the DNS resolver 111.

  The DNS server module 113 accepts name resolution requests from the first and second terminals 104 and 105 and requests the DNS resolver 111 to perform name resolution processing. Also, the DNS server module 113 refers to the response result obtained from the DNS resolver 111 with reference to the RR control policy table 114 prepared for realizing the policy. If there is a record corresponding to the FQDN, the DNS server module 113 responds by controlling the resource record according to the policy.

  The RR control policy table 114 is a table that holds information elements of a fully qualified domain name (FQDN), a permitted RR, a prohibited RR, a source MAC address, a source IPv4 address, and a source IPv6 address. The RR control policy table 114 is used by the DNS server module 113 or the IPv6 communication failure detection module 117.

  The IPv6 communication inability detection module 117 responds to the virtual AAAA resource record in response to the name resolution request from the first and second terminals 104 and 105. As a result, an IPv6 incompatible application is detected and a fallback event from IPv6 to IPv4 is detected, and the detection result is registered in the RR control policy table 114.

  The IPv6 communication inability detection table 115 holds information elements of a fully qualified domain name (FQDN), presence / absence of AAAA resource record (AAAAA presence / absence), virtual AAAA resource record (virtual AAAA RR), source IPv4 address, and source IPv6 address. It is a table to do. The IPv6 communication failure detection table 115 is used by the IPv6 communication failure detection module 117.

  Although not shown, the gateway 102 itself includes a CPU (Central Processing Unit) and a storage medium (memory) that stores a program executed by the CPU. Therefore, each functional component such as the DNS resolver 111 shown in FIG. 7 may be configured by hardware, but can also be realized by software by the CPU executing a program.

  On the other hand, the DNS server 108 disposed on the Internet 101 is a server that performs processing such as forward lookup processing and reverse lookup processing in response to name resolution requests from the first and second terminals 104 and 105 and the gateway 102. is there. The first WWW server 106 is equipped with an IPv6 protocol stack and provides a WWW service based on IPv6. The second WWW server 107 is equipped with an IPv4 protocol stack and provides a WWW service based on IPv4.

  FIG. 8 shows a state of resource record control in DNS in the resource record control system having the above configuration. Here, an operation in an operation sequence for suppressing IPv6 communication is shown. This will be described with reference to FIGS.

  Assume that the first or second terminal 104 or 105, which is a communication terminal on the local network 103, makes a name resolution request as a DNS query to the gateway 102 in order to check the IP address for the domain name (step S201). ). Here, the IP address for the domain name “www.ghi.example.jp” is examined.

  The DNS server module 113 in the gateway 102 requests the DNS resolver 111 to perform name resolution processing. In response to this request, the DNS resolver 111 requests the DNS server 108 for name resolution for the domain name “www.ghi.example.jp” (step S202).

  The DNS server 108 returns A and AAAA resource records as a DNS response to the gateway 102 (step S203). The DNS resolver 111 in the gateway 102 records the result in the DNS cache table 112 and returns the result to the DNS server module 113.

  The DNS server module 113 refers to the RR control policy table 114 based on this result. Then, the resource record is controlled according to the policy (step S204), and a response is made (step S205).

  FIG. 9 shows an example of the RR control policy table. In the RR control policy table 114, for each fully qualified domain name (FQDN), a permitted resource record (RR) that permits use and a prohibited resource record (RR) that prohibits use can be set. Yes. For the domain name “www.ghi.example.jp” that is the target of the current resource record control, the A resource record is set as the permitted resource record. “A” in the A resource record is an abbreviation for “Address”.

  In the RR control policy table 114 exemplified in the present embodiment, no AAA resource record is set in the permitted resource record for the fully qualified domain name “www.ghi.example.jp”.

  Thus, in the RR control policy table 114, only the A resource record is set as the permitted resource record for the fully qualified domain name “www.ghi.example.jp”. For this reason, the DNS server module 113 performs a process for responding only the A resource record to the first and second terminals 104 and 105 (step S204 in FIG. 9). The gateway 102 sends a DNS response as a result of the A resource record to the first and second terminals 104 and 105 (step S205).

  Since the obtained result is an A resource record, the first and second terminals 104 and 105 use the IPv4 protocol to request an HTTP (Hypertext Transfer Protocol) connection to the second WWW server 107 for IPv4. Is performed (step S206). Then, by obtaining an HTTP response from the second WWW server 107 for IPv4 (step S207), communication with the second WWW server 107 is performed.

  In the RR control policy table 114 shown in FIG. 9, there is a part indicated by “− (hyphen)”. There are many types of resource records (RR) used in the DNS response other than the A resource record, AAAA resource record, and PTR (PoinTeR) resource record shown in the RR control policy table 114. Therefore, in FIG. 9, the resource records other than the resource record displayed by the corresponding fully qualified domain name (FQDN) are collectively indicated by “−”.

  For example, in the field where the fully qualified domain name is “abc.example.jp”, the permitted resource record (RR) is an A resource record and a PTR resource record. Therefore, “-” in the prohibited resource record (RR) means all remaining resource records including the AAAA resource record and excluding the A resource record and the PTR resource record.

  As described above, in the present embodiment, the AAA resource record of the A resource record and the AAAA resource record obtained by the name resolution of the DNS server 108 may cause a problem in the second WWW server 107 for IPv4. The DNS server module 113 in the gateway 102 has been excluded under the policy that there is. In the resource record control system 100 in the DNS of this embodiment as described above, the occurrence of a problem can be avoided by the presence of an operation sequence that suppresses IPv6 communication.

  <First Modification of Invention>

  In the embodiment described above, the system has been described in which a common resource record is set in the application program of these terminals when there are a plurality of terminals in the local network. On the other hand, when there are a plurality of communication terminals in the local network, an appropriate resource record may be returned for each of these communication terminals in relation to the application program.

  FIG. 10 shows the configuration of the RR control policy table in the first modification of the present invention. Compared to the RR control policy table 114 of the previous embodiment shown in FIG. 9, the RR control policy table 114A of this modified example adds the source MAC address and the addresses of the source IPv4 and IPv6 as new items. Has been. This is in order to enable selection of a more appropriate counterpart communication device such as a server in consideration of whether the application program of the communication terminal on the transmission side can support IPv6. Since the policy for each transmission source terminal registered in advance is registered in the RR control policy table 114A, even if name resolution is performed for the same fully qualified domain name (FQDN), a different response is provided for each transmission source terminal. It becomes possible to return.

  FIG. 11 shows the state of resource record control in DNS in the resource record control system of the first modification. This will be described with reference to FIGS. 6, 7 and 10.

First, it is assumed that the first terminal 104 makes a name resolution request as a DNS inquiry to the gateway 102 to check the IP address for the domain name at time t ₁ (step S221). Here, the IP address for the domain name “www.example.com” is checked.

  The DNS server module 113 in the gateway 102 requests the DNS resolver 111 to perform name resolution processing. In response to this request, the DNS resolver 111 requests the DNS server 108 for name resolution for the domain name “www.example.com” (step S222).

  The DNS server 108 responds to the gateway 102 with the A and AAAA resource records as a DNS response (step S223). The DNS resolver 111 in the gateway 102 records the result in the DNS cache table 112 and returns the result to the DNS server module 113.

  The DNS server module 113 refers to the RR control policy table 114 based on this result. Then, the resource record is controlled according to the policy (step S224), and a response is made (step S225). Specifically, assuming that the communication terminal having “source IPv4 address” “192.168.1.1” in FIG. 10 is the first terminal 104, the fully qualified domain name (FQDN) is “www.example. The AAA resource record of the forbidden RR for “com” is applied. As a result, the DNS response from the gateway 102A becomes an A resource record by excluding the AAAA resource record (step S225).

  Since the obtained result is the A resource record, the first terminal 104 makes an HTTP connection request to the second WWW server 107 for IPv4 using the IPv4 protocol (step S226). Then, by obtaining an HTTP response from the second WWW server 107 for IPv4 (step S227), communication with the second WWW server 107 is performed.

Next, a second terminal 105 at time t ₂ it is assumed that the requesting name resolution for the gateway 102 to determine the IP address for the domain name (step S241). Here again, the IP address for the domain name “www.example.com” is examined.

  The DNS server module 113 in the gateway 102 requests the DNS resolver 111 to perform name resolution processing. In response to this request, the DNS resolver 111 requests the DNS server 108 for name resolution for the domain name “www.example.com” (step S242).

  The DNS server 108 returns the A and AAAA resource records to the gateway 102 as a DNS response (step S243). The DNS resolver 111 in the gateway 102 records the result in the DNS cache table 112 and returns the result to the DNS server module 113.

  The DNS server module 113 refers to the RR control policy table 114 based on this result. Then, the resource record is controlled according to the policy (step S244), and a response is made (step S245). Specifically, assuming that the communication terminal having the “source IPv4 address” of “192.168.1.2” in FIG. 10 is the second terminal 105, the fully qualified domain name (FQDN) is “www.example. A resource record, AAAA resource record, and PTR (PoinTeR) record of permission RR for “jp” are applied. The PTR record is a record for conversion from an IP address to a host name. As a result, the DNS response from the gateway 102A becomes an A resource record and an AAAA resource record (step S245).

  Since the obtained results are the A resource record and the AAAA resource record, the second terminal 105 makes an HTTP connection request to the first WWW server 106 for IPv6 using the IPv6 protocol (step S246). . Communication with the first WWW server 106 is performed by obtaining an HTTP response from the first WWW server 106 for IPv6 (step S247).

  As described above, according to the first modification of the present invention, the second terminal 105 can communicate with the first WWW server 106 for IPv6 unlike the previous embodiment.

  <Second Modification of Invention>

  In the embodiment and the first modification described above, the RR control policy tables 114 and 114A need to be prepared in advance by the system side. In the second modification of the present invention, detection of an application that does not support IPv6 and detection of a TCP fallback event are performed, and the detection result can be automatically registered in the RR control policy table.

  FIG. 12 shows the state of registration processing for the RR control policy table performed in the gateway. This will be described with reference to FIGS.

  The CPU of the gateway 102 waits for a request for name resolution to check the IP address for the domain name from the first or second terminal 104 or 105 (step S261). When there is an inquiry about this DNS (Y), in the gateway 102, the IPv6 communication inability detection module 117 requests the DNS resolver 111 to perform name resolution processing, and the DNS resolver 111 sends the name resolution to the DNS server 108. A request (inquiry) is made (step S262).

  In contrast, when a DNS is received from the DNS server 108 (step S263: Y), the gateway 102 executes a virtual AAAA response process (step S264). Specifically, the DNS resolver 111 in the gateway 102 records the result obtained from the DNS server 108 in the DNS cache table 112. Thereafter, the result is returned to the IPv6 communication inability detection module 117.

  The IPv6 communication failure detection module 117 records whether or not an AAAA resource record is included in the DNS response in the IPv6 communication failure detection table 115, and queries a virtual AAAA resource record (RR) (virtual IPv6 address). A response (DNS response) is made to the first or second terminal 104 or 105 that has performed (step S265).

  FIG. 13 shows an example of the IPv6 communication inability detection table used in the second modification. In the "AAA presence / absence" column of the IPv6 communication inability detection table 115, whether or not an AAAA resource record is included in the DNS response is recorded as "Yes" or "No". In the “virtual AAAA resource record (RR)” column, a virtual AAAA resource record corresponding to the fully qualified domain name (FQDN) is described in advance.

After the process of step S265 of FIG. 12 is performed, the IPv6 communication inability detection module 117 performs communication addressed to the virtual AAAA resource record by the first or second terminal 104 or 105 that has requested name resolution. (Step S266). This confirmation is checked based on whether communication addressed to the virtual AAAA resource record has started within a predetermined time t ₁ (step S266: N, step S267).

Assume that a request for name resolution is made by the first terminal 104. The application program of the first terminal 104 corresponds to IPv4. However, some of these application programs do not support IPv6. Therefore, when an application program that does not support IPv6 operates, communication addressed to the virtual AAAA resource record does not start. On the other hand, when a request for name resolution is made by the second terminal 105, an application program corresponding to IPv6 is operated, and communication addressed to the virtual AAAA resource record is likely to be performed within time t _1. Probability is high.

Therefore, if there is no communication addressed to the virtual AAAA resource record within time t ₁ (step S226: N, step S267: Y), the IPv6 communication inability detection module 117 has an IPv6 incompatible application program in the corresponding terminal. Judge that In this case, the IPv6 communication failure detection module 117 registers the AAAA resource record as a prohibited resource record (RR) in the corresponding fully qualified domain name (FQDN) of the RR control policy table 114 (step S268). Thereafter, the process returns to step S261 (return).

By the way, when there is communication addressed to the virtual AAAA resource record within time t ₁ (step S266: Y), it is necessary to confirm whether this is due to the occurrence of a fallback event from IPv6 to IPv4. Therefore, in this case, the IPv6 communication failure detection module 117 uses the same port number as the same protocol used for communication by the first or second terminal 104 or 105 that has requested the name resolution, and obtains it by name resolution. It is confirmed whether or not communication is possible with the IPv6 address of the AAAA resource record that has been received (step S269). If this communication is not possible (N), it is determined that the fallback event described above has occurred, and the AAAA resource record is prohibited from the corresponding fully qualified domain name (FQDN) in the RR control policy table 114. Register as a record (RR) (step S268). Thereafter, the process returns to step S261 (return).

  In the case of this example, if communication is possible to the IPv6 address of the AAAA resource record obtained by name resolution in step S269 (Y), the process returns to step S261 without particularly registering as an allowed RR ( return). Depending on the processing contents, the authorized resource record (RR) may be registered for the terminal that has requested the name resolution.

  As described above, according to the second modification of the present invention, the gateway includes the DNS server module 113, the RR control policy table 114, the IPv6 communication inability detection table 115, and the IPv6 communication inability detection module 117. As a result, even when the terminal application program is replaced, there is an advantage that the RR control policy table 114 can be changed without placing a burden on the system administrator.

  In the embodiment and the modification described above, the case where the terminals (dual stack terminals) 104 and 105 on the local network make a name resolution request has been described. Of course, it is not limited.

  The gateway that receives a DNS query sent from the terminals (dual stack terminals) 104 and 105 to the DNS server 108 is used in a broad sense as a relay device between networks, and has another name such as a router. Of course, the present invention is applicable if it has a function of relaying DNS inquiries.

  Some or all of the embodiments described above are described as in the following supplementary notes, but are not limited to the following descriptions.

(Appendix 1)
A dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack;
A DNS (Domain Name System) server that receives a name resolution request sent via a predetermined network and responds to the request destination with a resource record for the domain name of the corresponding communication partner;
Name resolution request transmission means for receiving a name resolution request from the dual stack terminal and transmitting it to the DNS server, and the DNS server for the name resolution request transmitted by the name resolution request transmission means A resource record receiving means for receiving a resource record sent as a reply from a resource record, a resource record control policy table in which a resource record that permits use or a resource record that prohibits use is defined as a policy for each domain name of a communication partner, A DNS response is made to communicate with the communication partner domain to the dual stack terminal that has made the name resolution request by referring to the resource record control policy table based on the resource record received by the resource record receiving means. Gate with response means Resource record control system characterized by comprising the E b.

(Appendix 2)
The resource record according to claim 1, wherein the resource record control policy table individually sets a resource record that permits use or a resource record that prohibits use for each domain name of the dual stack terminal and the communication partner. Record control system.

(Appendix 3)
The resource record control policy table is a content created by a policy that suppresses IPv6 communication on the assumption that an application program that operates when the dual stack terminal communicates with the communication partner is incompatible with IPv6. A resource record control system according to supplementary note 1 or supplementary note 2, characterized by:

(Appendix 4)
In the resource record control policy table, a permitted resource record that permits communication or a prohibited resource record that prohibits communication is described in association with a fully qualified domain name (FQDN) as a domain name of a communication partner. The resource record control system according to appendix 2, characterized in that:

(Appendix 5)
The gateway includes a virtual AAAA resource record response unit that responds to a virtual AAAA resource record in response to all name resolution requests from the dual stack terminal, and the dual stack terminal uses IPv6 to respond to the virtual AAAA resource record. IPv6 communication enable / disable determining means for determining whether or not to perform communication, and when the IPv6 communication enable / disable determining means determines that IPv6 communication is possible, it is determined that the corresponding application program of the dual stack terminal is compatible with IPv6 communication. The resource record control system according to appendix 1, further comprising: an application correspondence determination unit.

(Appendix 6)
In the resource record control policy table, a case where a fallback event has occurred with respect to what is determined that the corresponding application program of the dual stack terminal is compatible with IPv6 communication by the application correspondence determining means The resource record control system according to appendix 5, wherein a permitted resource record permitting IPv6 communication is described.

(Appendix 7)
In the resource record control policy table, a prohibited resource record for prohibiting IPv6 communication is described for the application program that has been determined by the application availability determination unit that the corresponding application program of the dual stack terminal does not support IPv6 communication. The resource record control system according to appendix 5, wherein

(Appendix 8)
Whether the gateway is able to communicate to the IPv6 address of the AAAA resource record obtained by name resolution using the same port number as the same protocol used for communication by the dual stack terminal that has requested name resolution. When the same protocol / same port number communication discriminating means and the same protocol / same port number communication discriminating means determine that communication addressed to the virtual AAAA resource record is not possible within a predetermined time, a fallback event occurs. 6. The resource record control system according to appendix 5, further comprising fallback event determination means for determining whether or not it has been performed.

(Appendix 9)
When a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received and sent to a DNS (Domain Name System) server. A name resolution request sending step to send;
A resource record receiving step for receiving a resource record sent from the DNS server as a response to the name resolution request sent in the name resolution request sending step;
Based on the resource record received in this resource record receiving step, refer to the resource record control policy table in which the resource record that permits use or the resource record that prohibits use is defined as a policy for each domain name of the communication partner A resource record control method, comprising: a DNS response step of performing a DNS response for communicating with a communication partner domain to a dual stack terminal that has made a name resolution request.

(Appendix 10)
When a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received as a gateway and DNS (Domain Name System) A name resolution request sending step to send to the server;
In response to the name resolution request transmitted in the name resolution request transmission step, when an AAAA resource record is sent as a DNS response from the DNS server, a DNS response reply step of returning the AAA resource record as a DNS response to the dual stack terminal;
A communication presence / absence determination step for determining whether the dual stack terminal returned in the DNS response return step performs communication addressed to the virtual AAAA resource record within a predetermined time based on the response;
An unsupported program presence determining step for determining that an IPv6 unsupported application program exists in the dual stack terminal when the communication addressed to the virtual AAAA resource record is not performed within the predetermined time in the communication presence / absence determining step;
A fallback event occurrence presence / absence judging step for judging whether or not the communication is addressed to the virtual AAAA resource record within the predetermined time in the communication presence / absence judgment step; ,
A corresponding program existence determining step for determining that an IPv6-compatible application program exists in the dual stack terminal when it is determined in the fallback event occurrence determining step that no fallback event has occurred. An application discrimination method characterized by the above.

(Appendix 11)
On the gateway computer,
When a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received and sent to a DNS (Domain Name System) server. A name resolution request transmission process to be transmitted;
A resource record reception process for receiving a resource record sent from the DNS server as a response to the name resolution request transmitted in the name resolution request transmission process;
Based on the resource record received in this resource record reception process, refer to the resource record control policy table that defines the resource record that is permitted to use or the resource record that is prohibited to be used for each domain name of the communication partner as the policy. A resource record control program for causing a dual stack terminal that has made a name resolution request to execute a DNS response process for performing a DNS response for communicating with a communication partner domain.

(Appendix 12)
On the gateway computer,
When a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received and sent to a DNS (Domain Name System) server. A name resolution request transmission process to be transmitted;
DNS response reply processing for returning an AAAA resource record as a DNS response from the DNS server as a DNS response to the name resolution request transmitted in the name resolution request transmission processing;
A communication presence / absence determination process for determining whether the dual stack terminal returned in the DNS response reply process performs communication addressed to the virtual AAAA resource record within a predetermined time based on the reply;
An unsupported program presence determining process for determining that an IPv6 unsupported application program exists in the dual stack terminal when communication addressed to the virtual AAAA resource record is not performed within the predetermined time in the communication presence / absence determining process;
A fallback event occurrence determination process for determining whether or not this is due to the occurrence of a fallback event from IPv6 to IPv4 when there is communication addressed to the virtual AAAA resource record within the predetermined time in the communication presence determination process; ,
When it is determined in this fallback event occurrence determination process that no fallback event has occurred, a corresponding program existence determination process for determining that an IPv6-compatible application program exists in the dual stack terminal is executed. An application discrimination program characterized by

DESCRIPTION OF SYMBOLS 10,100 Resource record control system 11 Dual stack terminal 12 DNS server 13, 102 Gateway 13a Name resolution request transmission means 13b Resource record reception means 13c Resource record control policy table 13d DNS response means 20 Resource record control method 21, 31 Name resolution request Transmission step 22 Resource record reception step 23 DNS response step 30 Application determination method 32 DNS response return step 33 Communication presence determination step 34 Unsupported program presence determination step 35 Fallback event occurrence presence determination step 36 Corresponding program presence determination step 40 Resource record control Programs 41, 51 Name resolution request transmission processing 42 Resource record reception processing 43 DNS response processing 0 Application determination program 52 DNS response reply processing 53 Communication presence / absence determination processing 54 Unsupported program presence determination processing 55 Fallback event occurrence determination processing 56 Corresponding program presence determination processing 101 Internet 103 Local network 104 First terminal 105 Second terminal 106 First WWW Server 107 Second WWW Server 111 DNS Resolver 112 DNS Cache Table 113 DNS Server Module 114, 114A RR Control Policy Table 115 IPv6 Communication Inability Detection Table 117 IPv6 Communication Inability Detection Module

Claims (10)

A dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack;
A DNS (Domain Name System) server that receives a name resolution request sent via a predetermined network and responds to the request destination with a resource record for the domain name of the corresponding communication partner;
Name resolution request transmission means for receiving a name resolution request from the dual stack terminal and transmitting it to the DNS server, and the DNS server for the name resolution request transmitted by the name resolution request transmission means A resource record receiving means for receiving a resource record sent as a reply from a resource record, a resource record control policy table in which a resource record that permits use or a resource record that prohibits use is defined as a policy for each domain name of a communication partner, A DNS response is made to communicate with the communication partner domain to the dual stack terminal that has made the name resolution request by referring to the resource record control policy table based on the resource record received by the resource record receiving means. Gate with response means Resource record control system characterized by comprising the E b.   2. The resource record control policy table is characterized in that a resource record that permits use or a resource record that prohibits use is individually set for each domain name of the dual stack terminal and communication partner. Resource record control system. The resource record control policy table, and wherein the application program in which the dual-stack terminal is running when communicating with said communication partner is the content created by suppressing the policy of I IPv6 communication Ru incompatible der in IPv6 The resource record control system according to claim 1 or 2, wherein:   The gateway includes a virtual AAAA resource record response unit that responds to a virtual AAAA resource record in response to all name resolution requests from the dual stack terminal, and the dual stack terminal uses IPv6 to respond to the virtual AAAA resource record. IPv6 communication enable / disable determining means for determining whether or not to perform communication, and when the IPv6 communication enable / disable determining means determines that IPv6 communication is possible, it is determined that the corresponding application program of the dual stack terminal is compatible with IPv6 communication. The resource record control system according to claim 1, further comprising: an application correspondence determination unit that performs processing.   In the resource record control policy table, a case where a fallback event has occurred with respect to what is determined that the corresponding application program of the dual stack terminal is compatible with IPv6 communication by the application correspondence determining means. 5. The resource record control system according to claim 4, wherein a permitted resource record permitting IPv6 communication is described.   Whether the gateway is able to communicate to the IPv6 address of the AAAA resource record obtained by name resolution using the same port number as the same protocol used for communication by the dual stack terminal that has requested name resolution. When the same protocol / same port number communication discriminating means and the same protocol / same port number communication discriminating means determine that communication addressed to the virtual AAAA resource record is not possible within a predetermined time, a fallback event occurs. 5. The resource record control system according to claim 4, further comprising fallback event discrimination means for discriminating from the above. When a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received and sent to a DNS (Domain Name System) server. A name resolution request sending step to send;
A resource record receiving step for receiving a resource record sent from the DNS server as a response to the name resolution request sent in the name resolution request sending step;
Based on the resource record received in this resource record receiving step, refer to the resource record control policy table in which the resource record that permits use or the resource record that prohibits use is defined as a policy for each domain name of the communication partner A resource record control method, comprising: a DNS response step of performing a DNS response for communicating with a communication partner domain to a dual stack terminal that has made a name resolution request. When a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received as a gateway and DNS (Domain Name System) A name resolution request sending step to send to the server;
In response to the name resolution request transmitted in the name resolution request transmission step, when an AAAA resource record is sent as a DNS response from the DNS server, a DNS response reply step of returning the AAA resource record as a DNS response to the dual stack terminal;
A communication presence / absence determination step for determining whether the dual stack terminal returned in the DNS response return step performs communication addressed to the virtual AAAA resource record within a predetermined time based on the response;
An unsupported program presence determining step for determining that an IPv6 unsupported application program exists in the dual stack terminal when the communication addressed to the virtual AAAA resource record is not performed within the predetermined time in the communication presence / absence determining step;
A fallback event occurrence presence / absence determination step for determining whether or not this is due to the occurrence of a fallback event from IPv6 to IPv4 when there is communication addressed to the virtual AAAA resource record within the predetermined time in the communication presence / absence determination step; ,
A corresponding program existence determining step for determining that an IPv6-compatible application program exists in the dual stack terminal when it is determined in the fallback event occurrence determining step that no fallback event has occurred. An application discrimination method characterized by the above. On the gateway computer,
IPv4 (Internet Protocol version 4) protocol stack and IPv6 (Internet
Protocol version 6) When a name resolution request is sent from a dual stack terminal equipped with both protocol stacks, a name resolution request sending process for receiving this and sending it to a DNS (Domain Name System) server;
A resource record reception process for receiving a resource record sent from the DNS server as a response to the name resolution request transmitted in the name resolution request transmission process;
Based on the resource record received in this resource record reception process, refer to the resource record control policy table that defines the resource record that is permitted to use or the resource record that is prohibited to be used for each domain name of the communication partner as the policy. A resource record control program for causing a dual stack terminal that has made a name resolution request to execute a DNS response process for performing a DNS response for communicating with a communication partner domain. The gateway of the computer,
When a name resolution request is sent from a dual stack terminal equipped with both an IPv4 (Internet Protocol version 4) protocol stack and an IPv6 (Internet Protocol version 6) protocol stack, it is received and sent to a DNS (Domain Name System) server. A name resolution request transmission process to be transmitted;
DNS response reply processing for returning an AAAA resource record as a DNS response from the DNS server as a DNS response to the name resolution request transmitted in the name resolution request transmission processing;
A communication presence / absence determination process for determining whether the dual stack terminal returned in the DNS response reply process performs communication addressed to the virtual AAAA resource record within a predetermined time based on the reply;
An unsupported program presence determination process for determining that an IPv6 unsupported application program exists in the dual stack terminal when communication for the virtual AAAA resource record is not performed within the predetermined time in the communication presence determination process;
A fallback event occurrence determination process for determining whether or not this is due to the occurrence of a fallback event from IPv6 to IPv4 when there is communication addressed to the virtual AAAA resource record within the predetermined time in the communication presence determination process; ,
When it is determined in this fallback event occurrence determination process that no fallback event has occurred, a corresponding program existence determination process for determining that an IPv6-compatible application program exists in the dual stack terminal is executed. An application discrimination program characterized by

Images