CN103634314B - Service access control method and device based on virtual router VSR - Google Patents

Info

Publication number: CN103634314B
Authority: CN (China)
Application number: CN201310618818.5A
Other languages: Chinese (zh)
Other versions: CN103634314A
Inventors: 王奕, 王伟
Original and current assignee: New H3C Technologies Co Ltd
Prior art keywords: domain name, address, client, dns, source
Legal status: Active (application filed by New H3C Technologies Co Ltd; application granted)


Abstract

The invention discloses a service access control method and device based on a virtual services router (VSR), applied to a DNS server deployed together with the VSR in a virtual data center (VDC) or virtual private cloud (VPC) in a public cloud. The technical scheme is: the domain name resolution server (DNS) receives a domain name resolution request message sent by a client, the request message carrying the client's source IP address and the domain name the client requests to access; the DNS server parses the client's source IP address and the domain name carried in the request message and, according to the client's source IP address, queries the access rights of that source IP address to the domain name. If access is permitted, the DNS server further resolves the request to obtain the IP address of the domain name, carries that IP address in a domain name resolution response message and sends it to the client; if access is denied, the DNS server sends a domain name resolution error message to the client.

Description

Service access control method and device based on virtual router VSR
Technical field
The present invention relates to network communication and transmission technology, and in particular to a service access control method and device based on a virtual router (VSR).
Background technology
With the continuous maturation of virtualization and cloud computing technology, more and more cloud service providers and telecom operators have begun to offer public cloud services, allowing enterprises to rent resources and services on demand and to build their own virtual data center (Virtual Data Center, VDC) or virtual private cloud (Virtual Private Cloud, VPC). This helps enterprises save construction cost and improve business agility, so more and more enterprises are starting to migrate their service applications to the public cloud. However, the public cloud is a multi-tenant environment: its infrastructure and resources are shared by all tenants, and an enterprise cannot deploy its own network devices in the public cloud, which brings many network-related challenges and problems to enterprises and service providers.
In addition, enterprise branch offices are geographically dispersed; deploying network devices and application servers at each branch has a long construction period and high manpower and maintenance costs, so there is an urgent need to simplify branch infrastructure, improve service deployment capability, reduce investment and reduce maintenance. With the migration of applications to the cloud and the rapid development of server and virtualization technology, providing network functions and IT applications on the same server has become a trend.
At present the IT information services of small and medium-sized enterprises are all built by renting virtual space or virtual servers to host their own websites and application services. However, there are always attackers or viruses on the network that access websites illegitimately by scanning domain names. Ordinary DNS (Domain Name System) servers are all deployed by third parties, so an enterprise cannot configure on the DNS server an access policy that controls access to its own Web services. As a result its website or application server is very fragile and has particularly poor resistance to attack, while a large number of invalid attacks occupy a large amount of precious server bandwidth, so that the real service users of the small or medium-sized enterprise cannot enjoy the information service.
Summary of the invention
In view of this, the present invention proposes a service access control method and device based on a virtual services router (Virtual Services Router, VSR) that combines the VSR with a DNS server, providing a DNS access control method for a virtual data center VDC or virtual private cloud VPC deployed together with the VSR in a public cloud, so that policy-based access control of Web services becomes possible. By controlling access to domain name resolution, a website can be restricted to its own legitimate users, suppressing invalid access and attacks from anywhere in the world and thereby saving bandwidth and computing capability. The technical scheme proposed by the present invention is:
A service access control method based on a virtual router VSR, applied to a DNS server deployed together with the VSR in a virtual data center VDC or virtual private cloud VPC in a public cloud, the method comprising:
the DNS server receives a domain name resolution request message sent by a client, the request message carrying the client's source IP address and the domain name the client requests to access;
the DNS server parses the client's source IP address and the domain name carried in the request message and queries, according to the client's source IP address, the access rights of that source IP address to the domain name; if access is permitted, the DNS server further resolves the request to obtain the IP address of the domain name, carries the IP address in a domain name resolution response message and sends it to the client; if access is denied, the DNS server sends a domain name resolution error message to the client.
In the above scheme, the VSR and the DNS server are deployed on the same virtual machine or on separate virtual machines.
In the above scheme, when the DNS server queries the access rights of the source IP address to the domain name, the method further comprises:
the DNS server queries a region mapping table according to the parsed source IP address of the client, and then queries a Web service access rights table according to the matched region found for that source IP address; the region mapping table maps IP addresses to regions, and the Web service access rights table lists the access rights of regions to domain names.
In the above scheme, when the DNS server finds no region matching the client's source IP address, the method further comprises:
the DNS server sends a domain name resolution error message to the client.
In the above scheme, when the DNS server finds no access rights entry matching the matched region, the method further comprises:
the DNS server matches the matched region against the default rule.
A domain name server (DNS) deployed together with a VSR in a virtual data center or virtual private cloud in a public cloud, the DNS server comprising:
a message receiving module, for receiving a domain name resolution request message sent by a client, the request message carrying the client's source IP address and the website domain name the client requests to access;
a parsing module, for parsing the client's source IP address and the domain name carried in the request message, and further for resolving the IP address of the domain name;
a query module, for querying, according to the client's source IP address, the access rights of that source IP address to the domain name;
a message sending module, for carrying the resolved IP address of the domain name in a domain name resolution response message and sending it to the client if access is permitted, and for sending a domain name resolution error message to the client if access is denied.
In the above scheme, the VSR and the DNS server are deployed on the same virtual machine or on separate virtual machines.
In the above scheme, the query module further comprises a region query submodule and an access rights query submodule, wherein
the region query submodule is used to query a region mapping table according to the parsed source IP address of the client, the region mapping table mapping IP addresses to regions;
the access rights query submodule is used to query a Web service access rights table according to the matched region found for the source IP address, the Web service access rights table listing the access rights of regions to domain names.
In the above scheme, when the region query submodule finds no region matching the client's source IP address,
the message sending module is further used to send a domain name resolution error message to the client.
In the above scheme, when the access rights query submodule finds no access rights entry matching the matched region,
the access rights query submodule is further used to match the matched region against the default rule.
In summary, the technical scheme proposed by the present invention enables a DNS server deployed together with the VSR in a virtual data center VDC or virtual private cloud VPC in a public cloud to control access effectively by controlling domain name resolution, restricting a website to its own legitimate users, thereby suppressing invalid access and attacks from anywhere in the world and saving bandwidth and computing capability.
Brief description of the drawings
Fig. 1 shows the typical networking of a VSR in a public cloud.
Fig. 2 is the flow chart of method embodiment one.
Fig. 3 is the flow chart of method embodiment two.
Fig. 4 is the flow chart of method embodiment three.
Fig. 5 is a schematic structural diagram of the DNS device of the embodiment of the present invention.
Detailed description of the embodiments
To make the objects, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
The technical scheme of one embodiment of the invention is:
the DNS server receives a domain name resolution request message sent by a client, the request message carrying the client's source IP address and the domain name the client requests to access;
the DNS server parses the client's source IP address and the domain name carried in the request message and queries, according to the client's source IP address, the access rights of that source IP address to the domain name; if access is permitted, the DNS server further resolves the request to obtain the IP address of the domain name, carries the IP address in a domain name resolution response message and sends it to the client; if access is denied, the DNS server sends a domain name resolution error message to the client.
To follow industry trends and address the problems faced in development, communications equipment vendors have developed the virtual services router (Virtual Services Router, VSR) series of products. A VSR runs on a server virtual machine in a data center or branch and provides the same functions and experience as a physical router, including routing, firewall, VPN (Virtual Private Network), quality of service (Quality of Service, QoS) and configuration management, helping enterprises build a secure, unified and scalable hybrid cloud while simplifying branch infrastructure. Fig. 1 is a schematic diagram of the typical networking of a VSR in a public cloud.
As shown in Fig. 1, in the cloud the VSR acts as the gateway device through which the enterprise network extends into the cloud. It is deployed in the virtual data center VDC or virtual private cloud VPC in the public cloud and provides a VPN between the enterprise VPC and the enterprise headquarters and branches, to ensure the security of the enterprise tenant.
The value a VSR brings to an enterprise:
1) The enterprise VPC network is managed as part of the enterprise network, ensuring consistent network configuration, security policy, management policy and IP address planning, and realizing unified management of the enterprise network;
2) Acting as an enterprise branch, it implements unified traffic control and deploys consistent network services (such as QoS, firewall, load balancing, wide area network (Wide Area Network, WAN) optimization, etc.), providing a consistent network service experience;
3) End-to-end VPN connections are established between the enterprise headquarters, branches and the enterprise VPC, making access to public cloud applications more secure, while end-to-end access avoids relaying through headquarters, reducing the response time of cloud applications and improving their user experience.
Based on the VSR, an enterprise's DNS server can be deployed together with the VSR in the enterprise's virtual data center VDC or virtual private cloud VPC in the public cloud. By deploying a policy on the DNS server, access to domain name resolution is controlled, so that the website is restricted to legitimate users, invalid access and attacks from anywhere in the world are suppressed, bandwidth and computing capability are saved, and user access to the Web service is controlled.
The DNS server deployed together with the VSR in the virtual data center VDC or virtual private cloud VPC in the public cloud is configured with a Web service access rights table containing the following fields: rule number, zone name, Web service, access rights. The access rights of a given region to a given Web service are obtained by querying this table: permit means access is allowed, deny means access is forbidden. As shown in Table 1, zone A matches access rights rule 1, meaning that zone A is allowed to access Web service 1; zone B matches access rights rule 2, meaning that zone B is forbidden to access Web service 2; access rights rule 3 is the default rule, matched by every region other than zone A and zone B, meaning that this DNS server forbids all regions other than zone A and zone B from accessing any Web service.
Table 1
Rule number   Zone name   Web service   Access rights
1             Site A      Web1          permit
2             Site B      Web2          deny
3             Any         Any           deny
In addition to the Web service access rights table, the DNS server deployed together with the VSR in the virtual data center VDC or virtual private cloud VPC in the public cloud also maintains a region mapping table, used to determine the region to which the source IP address of a client issuing a domain name resolution request belongs. Each mapping rule contains the following fields: zone name, IP address, subnet mask. After receiving a domain name resolution request message from a client, the DNS server parses the client's source IP address and domain name from the message and looks up the parsed source IP address in its own region mapping table, which yields the region to which the source IP address belongs. As shown in Table 2, the network segment 10.1.1.1/255.255.255.0 belongs to zone A and the network segment 10.2.1.1/255.255.255.0 belongs to zone B.
Table 2
Zone name   IP         Subnet mask
Site A      10.1.1.1   255.255.255.0
Site B      10.2.1.1   255.255.255.0
The specific access rights query process is as follows. After the DNS server receives a domain name resolution request message from a client, it parses the source IP address and domain name carried in the message, then looks up the region mapping table by the source IP address to find the region to which the source IP address belongs, and then looks up the Web service access rights table by that region to obtain the client's access rights to the domain name carried in the request. If the result is permit, the DNS server further resolves the IP address of the domain name, carries it in a domain name resolution response message and sends it to the client. If the result is deny, the DNS server sends a domain name resolution error message to the client, meaning that the client is forbidden to access the domain name. If the zone field of the Web service access rights table contains no region identical to the region of the source IP address, the region of the source IP address is matched against the default rule in the Web service access rights table, and the request is handled according to the access rights of the default rule.
When the DNS server looks up the region mapping table by the source IP address, if the table contains no region matching the source IP address, the DNS server directly sends a domain name resolution error message to the client, meaning that the client is forbidden to access the domain name.
Method embodiment one
In this embodiment a local life-services website is taken as an example; the users the website wishes to reach are residents of the local city. The website's domain name is www.service.com, the local China Unicom IP network segment is 10.10.1.1/255.255.0.0, and the local China Mobile IP network segment is 20.10.1.1/255.255.0.0. The DNS server deployed in the virtual data center VDC or virtual private cloud VPC in the public cloud maintains the following two tables: a Web service access rights table (Table 3) and a region mapping table (Table 4).
Table 3
Rule number   Site     Web service       Action
1             Site A   www.service.com   Permit
2             Site B   www.service.com   Permit
3             Any      Any               Deny
Table 4
Site     IP          Mask
Site A   10.10.1.1   255.255.0.0
Site B   20.10.1.1   255.255.0.0
Site C   30.10.1.1   255.255.0.0
Site D   40.10.1.1   255.255.0.0
Fig. 2 is the flow chart of this embodiment. The technical solution of the present invention is illustrated with a local China Unicom user (IP address 10.10.1.88) attempting to access the website www.service.com, and comprises the following steps:
Step 201: the DNS server receives a domain name resolution request message sent by a client; the request message carries the client's source IP address and the domain name the client requests to access.
In this step, the DNS server receives the domain name resolution request message sent by the local China Unicom user (IP address 10.10.1.88); the request message carries the client's source IP address 10.10.1.88 and the requested domain name www.service.com.
Step 202: the DNS server parses the source IP address and domain name carried in the request message.
In this step, the DNS server parses the request message and obtains the source IP address 10.10.1.88 and the domain name www.service.com it carries.
Step 203: the DNS server looks up the region mapping table (Table 2) by the source IP address.
In this step, the DNS server looks up Table 2 by the source IP address 10.10.1.88 parsed in step 202 and finds that the region to which this IP address belongs is Site A.
Step 204: the DNS server looks up the Web service access rights table (Table 1) by the region to which the source IP address belongs.
In this step, the DNS server looks up the Web service access rights table (Table 1) by the region Site A found in step 203 for the source IP address 10.10.1.88. It matches the first access rule: the access rights of Site A to www.service.com are Permit, which means that the local China Unicom user (IP address 10.10.1.88) is allowed to access the local life-services website.
Step 205: the DNS server further resolves the domain name resolution request message to obtain the IP address of the domain name, carries it in a domain name resolution response message and sends it to the local China Unicom user.
In this step, the DNS server further resolves the request message, carries the resolved IP address of www.service.com in a domain name resolution response message and sends it to the local China Unicom user (IP address 10.10.1.88), so that the user can access the local life-services website.
With the technical scheme of this embodiment, the DNS server deployed in the virtual data center VDC or virtual private cloud VPC in the public cloud controls access effectively by controlling domain name resolution and performs domain name resolution only for specific users, so that the website's own bandwidth and computing capability are used by legitimate users.
Method embodiment two
Method embodiment one introduced the technical scheme of the present invention with a local China Unicom user attempting to access the local life-services website. This embodiment further describes the technical scheme from the perspective of an out-of-area China Unicom user (IP address 30.10.1.88) attempting to access the local services website www.service.com, still using the region mapping table and Web service access rights table of method embodiment one. Fig. 3 is the flow chart of this embodiment, which comprises the following steps:
Step 301: the DNS server receives a domain name resolution request message sent by a client; the request message carries the client's source IP address and the domain name the client requests to access.
In this step, the DNS server receives the domain name resolution request message sent by the out-of-area China Unicom user (IP address 30.10.1.88); the request message carries the client's source IP address 30.10.1.88 and the requested domain name www.service.com.
Step 302: the DNS server parses the source IP address and domain name carried in the request message.
In this step, the DNS server parses the request message and obtains the source IP address 30.10.1.88 and the domain name www.service.com it carries.
Step 303: the DNS server looks up the region mapping table (Table 2) by the source IP address.
In this step, the DNS server looks up Table 2 by the source IP address 30.10.1.88 parsed in step 302 and finds that the region to which this IP address belongs is Site C.
Step 304: the DNS server looks up the Web service access rights table (Table 1) by the region to which the source IP address belongs.
In this step, the DNS server looks up the Web service access rights table (Table 1) by the region Site C found in step 303 for the source IP address 30.10.1.88. There is no access rights rule corresponding to Site C, so Site C matches the third rule of Table 1, the default rule, which means that any region other than Site A and Site B has access rights Deny to any website. The access rights of Site C to www.service.com are therefore Deny, meaning that the out-of-area China Unicom user (IP address 30.10.1.88) is forbidden to access the local life-services website.
Step 305: the DNS server sends a domain name resolution error message to the out-of-area China Unicom user.
In this step, the DNS server sends a domain name resolution error message to the out-of-area China Unicom user (IP address 30.10.1.88), meaning that the user is forbidden to access the local life-services website.
With the scheme of this embodiment, invalid access and attack access are effectively blocked: attacks and invalid access are controlled at their source, the resolution of the domain name, saving the bandwidth and computing capability of the DNS server.
Method embodiment three
In method embodiments one and two, a region corresponding to the source IP address carried in the domain name resolution request message could be found in Table 2. This embodiment describes the case in which Table 2 contains no region corresponding to the source IP address carried in the request, taking an out-of-area China Unicom user (IP address 50.10.1.88) attempting to access the local life-services website www.service.com as an example and still using the region mapping table and Web service access rights table of method embodiment one. Fig. 4 is the flow chart of this embodiment, which comprises the following steps:
Step 401: the DNS server receives a domain name resolution request message sent by a client; the request message carries the client's source IP address and the domain name the client requests to access.
In this step, the DNS server receives the domain name resolution request message sent by the out-of-area China Unicom user (IP address 50.10.1.88); the request message carries the client's source IP address 50.10.1.88 and the requested domain name www.service.com.
Step 402: the DNS server parses the source IP address and domain name carried in the request message.
In this step, the DNS server parses the request message and obtains the source IP address 50.10.1.88 and the domain name www.service.com it carries.
Step 403: the DNS server looks up the region mapping table (Table 2) by the source IP address.
In this step, the DNS server looks up Table 2 by the source IP address 50.10.1.88 parsed in step 402 and finds that Table 2 contains no region to which IP address 50.10.1.88 belongs.
Step 404: the DNS server sends a domain name resolution error message to the out-of-area China Unicom user.
Since step 403 found no region to which IP address 50.10.1.88 belongs, the user is not within the scope of users whose rights this DNS server needs to judge, and it follows that the user is forbidden to access the local life-services website www.service.com; the DNS server therefore sends a domain name resolution error message to the out-of-area China Unicom user (IP address 50.10.1.88).
Corresponding to the above method, the invention also discloses a domain name server (DNS) deployed together with a VSR in a virtual data center or virtual private cloud in a public cloud. As shown in Fig. 5, the device disclosed by the invention comprises:
a message receiving module 510, for receiving a domain name resolution request message sent by a client, the request message carrying the client's source IP address and the website domain name the client requests to access;
a parsing module 520, for parsing the client's source IP address and the domain name carried in the request message, and further for resolving the IP address of the domain name;
a query module 530, for querying, according to the client's source IP address, the access rights of that source IP address to the domain name;
a message sending module 540, for carrying the resolved IP address of the domain name in a domain name resolution response message and sending it to the client if access is permitted, and for sending a domain name resolution error message to the client if access is denied.
The VSR and the DNS server are deployed on the same virtual machine or on separate virtual machines.
The query module 530 further comprises a region query submodule 531 and an access rights query submodule 532, wherein
the region query submodule 531 is used to query a region mapping table according to the parsed source IP address of the client, the region mapping table mapping IP addresses to regions;
the access rights query submodule 532 is used to query a Web service access rights table according to the matched region found for the source IP address, the Web service access rights table listing the access rights of regions to domain names.
When the region query submodule 531 finds no region matching the client's source IP address, the message sending module 540 is further used to send a domain name resolution error message to the client.
When the access rights query submodule 532 finds no access rights entry matching the matched region, the access rights query submodule 532 is further used to match the matched region against the default rule.
The foregoing describes only the preferred embodiments of the present invention and is not intended to limit the invention; any modification, equivalent substitution or improvement made within the spirit and principle of the present invention shall be included within the scope of protection of the invention.

Claims (8)

1. A service access control method based on a virtual router VSR, characterised in that the method is applied to a DNS deployed together with the VSR in a virtual data center VDC or a virtual private cloud VPC in a public cloud, and the method comprises:
the DNS receives a domain name resolution request message sent by a client, the domain name resolution request message carrying the source IP address of the client and the domain name information that the client requests to access;
the DNS parses the source IP address and the domain name information of the client carried in the domain name resolution request message, and queries, according to the source IP address of the client, the access rights of the source IP address to the domain name; if access is allowed, the DNS further resolves the domain name resolution request message to obtain the IP address of the domain name and sends the IP address to the client in a domain name resolution response message; if access is forbidden, the DNS sends a domain name resolution error message to the client;
when the DNS queries the access rights of the source IP address to the domain name, the method further comprises:
the DNS queries a region correspondence table according to the parsed source IP address of the client, and then queries a web service access rights table according to the matching region found for that source IP address, the region correspondence table being a table of correspondences between IP addresses and regions, and the web service access rights table being a list of the access rights of regions to domain names.
2. The method according to claim 1, characterised in that the VSR and the DNS are deployed on the same virtual machine or on separate, independent virtual machines.
3. The method according to claim 1, characterised in that, when the DNS finds no region matching the source IP address of the client, the method further comprises:
the DNS sends a domain name resolution error message to the client.
4. The method according to claim 1, characterised in that, when the DNS finds no access rights matching the matching region, the method further comprises:
the DNS matches the matching region against a default rule.
5. A domain name server (DNS), characterised in that the DNS is deployed together with a VSR in a virtual data center or a virtual private cloud in a public cloud, and the DNS comprises:
a message receiving module, for receiving a domain name resolution request message sent by a client, the domain name resolution request message carrying the source IP address of the client and the website domain name information that the client requests to access;
a parsing module, for parsing the source IP address and the domain name information of the client carried in the domain name resolution request message, and also for resolving the IP address of the domain name;
a query module, for querying, according to the source IP address of the client, the access rights of the source IP address to the domain name;
a message sending module, for sending, if access is allowed, the IP address obtained by resolving the domain name to the client in a domain name resolution response message, and, if access is forbidden, sending a domain name resolution error message to the client;
the query module further comprising a site query submodule and an access rights query submodule,
the site query submodule being used to query a region correspondence table according to the parsed source IP address of the client, the region correspondence table being a table of correspondences between IP addresses and regions;
the access rights query submodule being used to query a web service access rights table according to the matching region found for the source IP address, the web service access rights table being a list of the access rights of regions to domain names.
6. The domain name server (DNS) according to claim 5, characterised in that the VSR and the DNS are deployed on the same virtual machine or on separate, independent virtual machines.
7. The domain name server (DNS) according to claim 5, characterised in that, when the site query submodule finds no region matching the source IP address of the client,
the message sending module is further used to send a domain name resolution error message to the client.
8. The domain name server (DNS) according to claim 5, characterised in that, when the access rights query submodule finds no access rights matching the matching region,
the access rights query submodule is further used to match the matching region against a default rule.
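The decision logic of the method in claims 1 to 4, which is the same logic the modules of claims 5 to 8 implement, as an added Python example that is not part of the patent: the region correspondence table, the web service access rights table, the default rule and the zone records are constructed sample data, and the DNS is assumed to receive the client's own source address.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample tables (not from the patent). Region correspondence table:
# IP prefix -> region name (claim 1: "IP address and region corresponding table").
REGION_TABLE = {
    ipaddress.ip_network("10.1.0.0/16"): "office",
    ipaddress.ip_network("10.2.0.0/16"): "guest",
}
# Web service access rights table: region -> {domain: "allow" | "deny"}.
ACCESS_RIGHTS = {
    "office": {"erp.example.com": "allow", "www.example.com": "allow"},
    "guest": {"erp.example.com": "deny", "www.example.com": "allow"},
}
DEFAULT_RULE = "deny"  # claim 4: used when the region has no entry for the domain
# Records the DNS can resolve (constructed).
ZONE = {"erp.example.com": "192.0.2.10", "www.example.com": "192.0.2.20"}

@dataclass
class DnsReply:
    domain: str
    ip: Optional[str]     # resolved address in the response message when allowed
    error: Optional[str]  # kind of domain name resolution error message when not

def lookup_region(src_ip: str) -> Optional[str]:
    """Region correspondence lookup by longest matching prefix."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for net, region in REGION_TABLE.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, region)
    return best[1] if best else None

def access_right(region: str, domain: str) -> str:
    """Access rights table lookup; falls back to the default rule."""
    return ACCESS_RIGHTS.get(region, {}).get(domain, DEFAULT_RULE)

def handle_query(src_ip: str, domain: str) -> DnsReply:
    """Decide how the DNS answers one resolution request (claims 1 and 3)."""
    region = lookup_region(src_ip)
    if region is None:  # claim 3: no region matches the source address -> error
        return DnsReply(domain, None, "no-region")
    if access_right(region, domain) != "allow":  # claim 1: forbidden -> error
        return DnsReply(domain, None, "refused")
    ip = ZONE.get(domain)  # claim 1: allowed -> resolve and return the address
    return DnsReply(domain, ip, None if ip else "nxdomain")
```

Because the permission is keyed on the query's source IP, the check is only meaningful when the DNS receives the client's own address rather than that of a shared recursive resolver or NAT gateway; behind such a hop every client inherits the same region.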
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310618818.5A CN103634314B (en) 2013-11-28 2013-11-28 A kind of service access control method and equipment based on virtual router VSR

Publications (2)

Publication Number Publication Date
CN103634314A CN103634314A (en) 2014-03-12
CN103634314B true CN103634314B (en) 2017-06-16

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information
CB02 Change of applicant information

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Applicant after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Applicant before: Huasan Communication Technology Co., Ltd.

GR01 Patent grant