CN117220969A - Access control method, device, gateway equipment and storage medium - Google Patents
Access control method, device, gateway equipment and storage medium Download PDFInfo
- Publication number
- CN117220969A CN117220969A CN202311234772.7A CN202311234772A CN117220969A CN 117220969 A CN117220969 A CN 117220969A CN 202311234772 A CN202311234772 A CN 202311234772A CN 117220969 A CN117220969 A CN 117220969A
- Authority
- CN
- China
- Prior art keywords
- address
- white list
- address data
- dns server
- access
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 51
- 230000004083 survival effect Effects 0.000 claims description 21
- 230000004044 response Effects 0.000 claims description 15
- 238000010586 diagram Methods 0.000 description 11
- 238000004891 communication Methods 0.000 description 6
- 238000012545 processing Methods 0.000 description 4
- 238000013507 mapping Methods 0.000 description 2
- 238000006243 chemical reaction Methods 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000003672 processing method Methods 0.000 description 1
- 230000001960 triggered effect Effects 0.000 description 1
- 238000012795 verification Methods 0.000 description 1
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The embodiment of the invention relates to the technical field of network security, and discloses an access control method, an access control device, gateway equipment and a storage medium, wherein the method is applied to the gateway equipment and comprises the following steps: receiving a domain name white list input by a user; sending a DNS request to a DNS server to acquire IP address data sent by the DNS server, wherein the IP address data comprises IP addresses corresponding to all domain names in the domain name white list; generating an IP address white list according to the IP address data; and when an access request sent by the terminal equipment is received, controlling the terminal equipment to access a target website corresponding to the access request based on the IP address white list. By applying the technical scheme of the invention, the safety of the network system can be improved.
Description
Technical Field
The embodiment of the invention relates to the technical field of network security, in particular to an access control method, an access control device, gateway equipment and a storage medium.
Background
The development of internet technology brings great convenience to people's work. For example, an enterprise employee may access a website using the Internet to obtain information that it needs.
When a user accesses a website through the terminal, the terminal sends a DNS request to a DNS (Domain Name System ) server through gateway equipment, so that the DNS server returns an IP address corresponding to the website to the terminal through the gateway equipment, and when the terminal accesses the website, the terminal can directly use the IP address of the website to access the network resource of the website. In the process, in order to ensure the security, the gateway device can utilize the black-and-white list to carry out security check on the DNS request of the terminal and the response message of the DNS server, so as to realize security control.
However, some enterprises with high security requirements often configure a dedicated DNS server so as to process DNS requests when the terminal accesses the website, and at this time, the DNS requests of the terminal and response messages of the DNS server do not need to pass through the gateway device, so that a black-and-white list configured by the gateway device cannot be validated, and security verification cannot be performed on the DNS requests of the terminal and the response messages of the DNS server, so that potential safety hazards exist in the process of accessing the website by the terminal.
Disclosure of Invention
In view of the above problems, embodiments of the present invention provide an access control method, an access control device, a gateway device, and a storage medium, which are used to solve the problem in the prior art that the protocol parsing efficiency of a data packet is low.
According to an aspect of an embodiment of the present invention, there is provided an access control method applied to a gateway device, the method including: receiving domain name white list information input by a user; sending a DNS request to a DNS server to acquire IP address data sent by the DNS server, wherein the IP address data comprises IP addresses corresponding to all domain names in the domain name white list information; generating an IP address white list according to the IP address data; and when an access request sent by the terminal equipment is received, controlling the terminal equipment to access a target website corresponding to the access request based on the IP address white list.
In some embodiments, the sending a DNS request to a DNS server to obtain IP address data sent by the DNS server includes: and sending the DNS request to the DNS server according to a preset time interval until the IP address data sent by the DNS server is obtained.
In some embodiments, the IP address data further includes an validity period of an IP address corresponding to each domain name in the domain name whitelist information, and the generating an IP address whitelist according to the IP address data includes: determining the validity period of each IP address in the IP address data based on the IP address data; and adding each IP address in the IP address data and the validity period of each IP address to the IP address white list.
In some embodiments, when receiving an access request sent by a terminal device, based on the IP address white list, the controlling the terminal device to access a target web address corresponding to the access request includes: determining the target website and the target IP address of the target website according to the access request; matching the target IP address with the IP address in the IP address white list; allowing the terminal equipment to access the target website under the condition that the target IP address is matched with any IP address in the IP address white list; and prohibiting the terminal equipment from accessing the target website under the condition that the target IP address is not matched with each IP address in the IP address white list.
In some embodiments, the adding each IP address in the IP address data and the validity period of each IP address to the IP address whitelist includes: searching each IP address in the IP address data in the IP address white list; if any IP address in the IP address data exists in the IP address white list, stopping adding any IP address to the IP address white list; and if any IP address in the IP address data does not exist in the IP address white list, adding any IP address to the IP address white list.
In some embodiments, the method further comprises: and recording the survival time of each IP address in the IP address white list in the IP address data, so as to send an address update request to the DNS server when the survival time of any IP address in the IP address data is greater than a survival time threshold value, and acquire updated IP address data sent by the DNS server.
In some embodiments, the destination IP address is sent to the terminal device by the DNS server in response to an IP address acquisition request sent by the terminal device.
According to another aspect of the embodiment of the present invention, there is provided an access control apparatus applied to a gateway device, including: the receiving module is used for receiving the domain name white list information input by the user; the acquisition module is used for sending a DNS request to a DNS server so as to acquire IP address data sent by the DNS server, wherein the IP address data comprises IP addresses corresponding to all domain names in the domain name white list information; the generating module is used for generating an IP address white list according to the IP address data; and the control module is used for controlling the terminal equipment to access a target website corresponding to the access request based on the IP address white list when the access request sent by the terminal equipment is received.
In some embodiments, the obtaining module is configured to send the DNS request to the DNS server at a preset time interval until the IP address data sent by the DNS server is obtained.
In some embodiments, the IP address data further includes an validity period of an IP address corresponding to each domain name in the domain name whitelist information, and the generating module is configured to determine, based on the IP address data, a validity period of each IP address in the IP address data; and adding each IP address in the IP address data and the validity period of each IP address to the IP address white list.
In some embodiments, the control module is configured to determine the target web address and a target IP address of the target web address according to the access request; matching the target IP address with the IP address in the IP address white list; allowing the terminal equipment to access the target website under the condition that the target IP address is matched with any IP address in the IP address white list; and prohibiting the terminal equipment from accessing the target website under the condition that the target IP address is not matched with each IP address in the IP address white list.
In some embodiments, the generating module is configured to search the IP address whitelist for each IP address in the IP address data; if any IP address in the IP address data exists in the IP address white list, stopping adding any IP address to the IP address white list; and if any IP address in the IP address data does not exist in the IP address white list, adding any IP address to the IP address white list.
In some embodiments, the obtaining module is further configured to record a survival time of each of the IP addresses in the IP address data in the IP address whitelist, so as to send an address update request to the DNS server to obtain updated IP address data sent by the DNS server when the survival time of any one of the IP addresses in the IP address data is greater than a survival time threshold.
In some embodiments, the destination IP address is sent to the terminal device by the DNS server in response to an IP address acquisition request sent by the terminal device.
According to another aspect of an embodiment of the present invention, there is provided a gateway apparatus including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the operations of the access control method of any one of the above via execution of the executable instructions.
According to yet another aspect of an embodiment of the present invention, there is provided a computer readable storage medium having stored therein at least one executable instruction that, when executed on a gateway device, causes the gateway device to perform the operations of the access control method as set forth in any one of the above.
In summary, according to the access control method, the device, the gateway device and the storage medium provided by the embodiment of the invention, domain name white list information input by a user can be received, a DNS request is sent to a DNS server to obtain IP address data sent by the DNS server, and an IP address white list is generated according to the IP address data, so that when an access request sent by a terminal device is received, the terminal device is controlled to access a target website corresponding to the access request based on the IP address white list.
By the method, the gateway equipment can actively acquire the IP address data corresponding to the domain name white list information, realize the safety control of the access request of the terminal equipment according to the IP address data, and improve the safety of a network system.
The foregoing description is only an overview of the technical solutions of the embodiments of the present invention, and may be implemented according to the content of the specification, so that the technical means of the embodiments of the present invention can be more clearly understood, and the following specific embodiments of the present invention are given for clarity and understanding.
Drawings
The drawings are only for purposes of illustrating embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
FIG. 1 is a schematic diagram of a network architecture in the related art;
fig. 2 shows a flowchart of an access control method according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a configuration interface provided by an embodiment of the present invention;
FIG. 4 is a schematic diagram of a system architecture for access control according to an embodiment of the present invention;
FIG. 5 shows a sub-flowchart of an access control method provided by an embodiment of the present invention;
fig. 6 shows a flowchart of a processing method of IP address data according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of an instruction interface provided by an embodiment of the present invention;
FIG. 8 is a schematic diagram of another configuration interface provided by an embodiment of the present invention;
FIG. 9 is a sub-flowchart of another access control method according to an embodiment of the present invention;
fig. 10 is a schematic structural diagram of an access control device according to an embodiment of the present invention;
fig. 11 shows a schematic structural diagram of a gateway device according to an embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be limited to the embodiments set forth herein.
In order to ensure network security, a user accesses the internet through a terminal and can complete the access through a gateway device, fig. 1 shows a schematic diagram of a network architecture in the related art, and as shown in fig. 1, when the user inputs an address of a website a in a browser of the terminal, the access to the website a is triggered, at this time, the terminal can send a DNS request to a public DNS server, so that the public DNS server can return a response message carrying an IP address of the website a to the terminal, and then the terminal can directly send an access request to the IP address of the website a, that is, the server of the website a, so as to obtain network resources of the website a. In the process, the DNS request and the response message are forwarded through the gateway equipment, so the gateway equipment can carry out security check on the access request sent by the terminal based on a security mechanism of the gateway equipment, such as a black-and-white list.
However, in some cases, the internal website used inside the enterprise does not need to be accessed by a person outside the enterprise, so that some enterprises can configure a dedicated DNS server inside the enterprise, and thus, the DNS request of the terminal and the response message of the DNS server cannot pass through the gateway device, so that the black-and-white list configured by the gateway device cannot be validated, and the DNS request of the terminal and the response message of the DNS server cannot be checked safely, which results in a security risk of the network system.
In view of one or more of the foregoing problems, fig. 2 illustrates a flowchart of an access control method provided by an embodiment of the present invention, which may be performed by a gateway device. The gateway equipment is a key component for connecting different networks, and can realize data forwarding and protocol conversion between the networks. As shown in fig. 2, the method comprises the steps of:
step 210: and receiving domain name white list information input by a user.
Wherein the domain name whitelist information is a tool for controlling access rights, and may include domain name addresses of one or more domain names. The domain name is a string used to identify and locate a particular web site or network resource on the internet, such as a web site address, for example www.123456.com, which is a web site that can be accessed by entering www.123456.com the domain name in a browser when the user wants to access the web site.
The domain name white list information refers to a list of domain names that are allowed to be accessed, and when the domain name white list information is used, only domain names listed in the list can be accessed or allowed to perform certain operation, and other domain names can be prevented or limited from being accessed.
Illustratively, a user may configure domain name whitelist information, such as setting a domain name address for one or more domain names, on a gateway device via a configuration interface as shown in fig. 3.
Step 220: and sending a DNS request to a DNS server to acquire the IP address data sent by the DNS server.
The IP address data comprises IP addresses corresponding to all domain names in the domain name white list information. For example, if m domain names are arranged in the domain name white list information, IP addresses corresponding to the m domain names constitute IP address data, and m is a positive integer. In this embodiment, one domain name may correspond to one IP address, or may correspond to a plurality of IP addresses.
The DNS server is a server providing a domain name service, and may be a DNS server configured internally by an enterprise and dedicated to processing internal access requests. The domain name service is an internet tool running a domain name system, which allocates a domain name address and an IP address to a host on the internet, and when the domain name address is used, the domain name system converts the domain name address into the IP address. DNS requests refer to requests in a computer network that send query information to DNS servers to obtain IP addresses corresponding to domain names. The DNS request contains domain name information to be queried, typically a domain name resolution request type.
When the gateway equipment receives the domain name white list information input by the user, a DNS request is sent to the DNS server, so that the DNS server searches according to the domain name requested to be inquired by the DNS request, and corresponding IP address data is returned. In this way, the gateway device can actively acquire the IP address data corresponding to the domain name white list information when receiving the domain name white list information input by the user, and the problem that the gateway device cannot acquire the IP address data because the DNS server is deployed in the internal network and the DNS request and response message do not pass through the gateway device is avoided.
Fig. 4 is a schematic diagram of a system architecture of access control provided by an embodiment of the present invention, as shown in fig. 4, when a user configures domain name whitelist information on a gateway device, it is assumed that the domain name whitelist information is added with a domain name "www.123456.com" and an IP address of a DNS server is configured in the gateway device, and the gateway device may start a DNS learning state, for example, a DNS request is sent to an IP address 10.1.0.3 by a user or an automatic operation instruction "private-DNS-request enable", the DNS request is forwarded to the DNS server through an intranet switch, and when the DNS server receives the DNS request, the DNS server searches an IP address corresponding to the domain name "www.123456.com" according to the DNS request, and encapsulates the IP address "www.123456.com" in a response message, and returns to the gateway device through the intranet switch.
Meanwhile, as shown in fig. 4, in order to access the website corresponding to the domain name "www.123456.com", the terminal device also sends a terminal DNS request to the DNS server through the intranet switch, so as to obtain the IP address corresponding to the domain name "www.123456.com". It can be seen that traffic of the terminal DNS request sent by the terminal device to the DNS server does not pass through the gateway device.
In some embodiments, in order to ensure that the gateway device can obtain the IP address data corresponding to the domain name white list information, the gateway device may send a DNS request to the DNS server at a preset time interval until the IP address data sent by the DNS server is obtained. The preset time interval may be defined by the operator, or may be set to a default value, for example, may be set to 3 seconds, 5 seconds, or the like.
For example, when the user configures the domain name "www.123456.com" as one domain name in the domain name whitelist information on the gateway device, the gateway device may immediately start sending DNS requests to the DNS server, and then actively send DNS requests to the DNS server once every 5 seconds, so that the DNS server may return IP address data corresponding to the domain name whitelist information in response to the received DNS requests. When receiving the IP address data returned by the DNS server, stopping sending the DNS request to the DNS server.
Because the data of the domain name and the IP address acquired by the DNS server can be updated at any time, the gateway equipment can continuously request the DNS server to return the IP address data when the IP address data corresponding to the domain name white list information is not acquired by the method, and the IP address data can be returned to the gateway equipment when the DNS server acquires the IP address data corresponding to the domain name white list information, so that the success rate of acquiring the IP address data can be improved.
In some embodiments, in order to reduce traffic consumption caused by the gateway device continuously sending DNS requests to the DNS server, to avoid the gateway device from malfunctioning, when the gateway device sends DNS requests to the DNS server at preset time intervals, the number of times the gateway device continuously sends DNS requests may be smaller than the preset number of times, that is, the gateway device may continuously send DNS requests to the DNS server at preset time intervals for a preset number of times, and if IP address data returned by the DNS server is not yet received after continuously sending DNS requests for the preset number of times, the sending is stopped. The preset times can be customized by an operator, for example, 10 times, 15 times, etc.
After a certain time of sending the DNS request, if the gateway device receives the IP address data returned by the DNS server, the sending of the DNS request to the DNS server is stopped.
Step 230: and generating an IP address white list according to the IP address data.
The IP address whitelist is an IP address tool for access control.
After obtaining the IP address data, the gateway device may generate an IP address whitelist for access control based on the IP address data. For example, the IP address in the IP address data may be determined as an IP address in the IP address whitelist.
In some embodiments, the IP address data may further include a validity period of the IP address corresponding to each domain name in the domain name whitelist information, where the validity period may represent a maximum available time of the IP address. Meanwhile, after the IP address data is acquired, since the IP address whitelist may have been generated in the previous configuration, for this case, in order to generate the IP address whitelist, as shown in fig. 5, the gateway device may perform the steps of:
step 510: based on the IP address data, validity periods of the respective IP addresses in the IP address data are determined.
For example, the gateway device may look up each IP address and a validity period corresponding to each IP address therein based on the IP address data.
Step 520: each IP address and the validity period of each IP address in the IP address data are added to an IP address white list.
Since the IP address data is the IP address of each domain name corresponding to the domain name whitelist information, in order to enable the user to normally access each domain name in the domain name whitelist information, each IP address in the IP address data and the validity period of each IP address may be added to the IP address whitelist after the IP address data is obtained.
By recording each IP address and the validity period of each IP address, the gateway device can acquire the mapping relation between the domain name returned by the DNS server and the IP address, after recording the validity period of each IP address, the available time of the IP address can be determined according to the validity period, and once a certain IP address is determined to expire, a DNS request can be sent to the DNS server again to update the IP address.
In some embodiments, if a certain IP address in the IP address data already exists in the IP address whitelist, the addition of the IP address to the IP address whitelist may be canceled. That is, the following method may be performed:
and searching each IP address in the IP address data in the IP address white list.
If any IP address in the IP address white list exists in the IP address data, the addition of any IP address to the IP address white list is stopped.
If any IP address in the IP address white list does not exist in the IP address data, adding any IP address to the IP address white list.
For example, each IP address in the IP address data may be compared with each IP address in the IP address whitelist to determine whether the same IP address as any one of the IP addresses in the IP address whitelist exists, and if so, to avoid duplication, the addition of any one of the IP addresses in the IP address data to the IP address whitelist may be stopped. If there is no IP address in the IP address white list that is the same as any IP address in the IP address data, it is indicated that any IP address is not added to the IP address white list, so any IP address can be added to the IP address white list.
In this way, it is possible to add the IP address in the IP address data to the IP address whitelist and ensure that there are no duplicate IP addresses in the IP address whitelist.
In fact, through the steps 510 to 520, the IP address whitelist may be generated according to the obtained IP address data, so that when the subsequent user accesses the website through the terminal device, the gateway device may perform access control according to the IP address whitelist, so as to ensure security of the terminal device.
In order to illustrate a method for processing IP address data by a gateway device, fig. 6 shows a flowchart of a method for processing IP address data according to an embodiment of the present invention, and as shown in fig. 6, the gateway device may perform the following method:
step 610: and starting a DNS active detection mode.
For example, the user may input "private-DNS-request enable" through the instruction interface shown in fig. 7 to turn on the DNS active probing mode of the gateway device.
Step 620: the user enters domain name whitelist information.
Step 630: and when receiving the domain name white list information input by the user, creating a timer.
Step 640: and sending a DNS request to the DNS server according to a preset time interval to acquire IP address data returned by the DNS server.
For example, the user may configure the IP address of the DNS server on the gateway device through the configuration interface shown in fig. 8 in advance, so when receiving the domain name white list information input by the user, the gateway device may actively send a DNS request to the IP address of the DNS server every 5 seconds, so that the DNS server returns the IP address data corresponding to the domain name white list information to the user.
Step 650: and determining whether the IP address data corresponding to the domain name white list information is acquired. If yes, step 660 is executed, if not, step 640 is continued to be executed to continue sending DNS requests to the DNS server at preset time intervals, and the IP address data returned by the DNS server is obtained.
Step 660: it is determined whether an IP address in the IP address data exists in the IP address whitelist. If not, step 670 is performed to store the IP address in the IP address whitelist, if so, step 680 is performed to delete the timer and discard the IP address data corresponding to the domain name whitelist information.
Step 670, storing the IP address in the IP address data in the IP address whitelist.
In step 680, the timer is deleted, and the IP address data corresponding to the domain name whitelist information is discarded.
By the method, the gateway equipment can acquire the IP address data corresponding to the domain name white list information, and update the IP address white list based on whether the IP address in the IP address data is stored in the IP address white list or not, so that the IP address in the IP address data is stored in the IP address white list, and no repeated IP address exists.
Further, in order to keep the IP addresses in the IP address whitelist up-to-date, in some embodiments, the gateway device may further perform the following method:
and recording the survival time of each IP address in the IP address white list in the IP address data, and sending an address update request to the DNS server when the survival time of any IP address in the IP address data is greater than a survival time threshold value so as to acquire updated IP address data sent by the DNS server.
Wherein the survival time of each IP address in the IP address white list in the IP address data can be remembered from the moment when the IP address is added to the IP address white list. The survival time threshold refers to the maximum survival time of the IP address in the IP address white list, and may be set by an operator according to the validity period of the IP address, or may be set to a default value, such as 3 days, 7 days, or the like. The address update request refers to a request sent by the gateway device to acquire updated address data of one or more IP addresses in the IP address data.
For example, when a certain IP address in the IP address data is added to the IP address white list, timing may be started to determine the survival time of the IP address, and then, when the survival time is greater than the survival time threshold, an address update request may be sent to the DNS server to obtain updated IP address data sent by the DNS server. The updated IP address data may include updated IP addresses for all IP addresses having a time-to-live greater than a time-to-live threshold.
By the method, the IP address of the IP address white list can be kept in the latest state, and the problem that safety control cannot be performed due to the fact that the IP address is not updated is avoided.
Step 240: when an access request sent by the terminal equipment is received, the terminal equipment is controlled to access a target website corresponding to the access request based on the IP address white list.
The access request refers to a request sent by the terminal device to access the target website.
When a user inputs a target website in a browser application program of the terminal equipment, the terminal equipment triggers an access request for the target website, and the gateway equipment can receive the access request and carry out security check on the access request by utilizing an IP address white list so as to realize security control on the access request for the terminal equipment to access the target website.
Specifically, in some embodiments, as shown in fig. 9, step 240 may be implemented by:
step 910: and determining the target website and the target IP address of the target website according to the access request.
Wherein the target IP address is sent to the terminal device by the DNS server in response to the IP address acquisition request sent by the terminal device. For example, when the user triggers an access request to the target web address through the terminal device, the terminal device may first send an IP address obtaining request to the DNS server to obtain the target IP address of the target web address returned by the DNS server.
When the gateway device receives the access request of the terminal device, the gateway device can analyze the access request, determine the target website requested to be accessed by the terminal device, and search the target IP address of the target website in the mapping table of the domain name and the IP address stored by the gateway device.
Step 920: and matching the target IP address with the IP address in the IP address white list.
For example, the target IP address may be compared to each IP address in the IP address whitelist to determine if there is an IP address in the IP address whitelist that matches the target IP address.
Step 930: and allowing the terminal equipment to access the target website under the condition that the target IP address is matched with any IP address in the IP address white list.
When the target IP address is matched with any IP address in the IP address white list, the target IP address is the IP address in the IP address white list, the terminal equipment is allowed to access the target website is determined, and the gateway equipment releases the flow of the terminal equipment to access the target website.
Meanwhile, when the gateway device matches the target IP address with the IP address in the IP address whitelist, in order to determine whether the target IP address is an illegal address, the gateway device may also match the target IP address with the IP address in the pre-configured blacklist, and if it is determined that the target IP address is any IP address in the pre-configured blacklist, it is indicated that the target IP address is an illegal address, and the access may be directly terminated.
Step 940: and under the condition that the target IP address is not matched with each IP address in the IP address white list, prohibiting the terminal equipment from accessing the target website.
When the target IP address is determined to be unmatched with each IP address in the IP address white list, the target IP address is an illegal IP address, the terminal equipment is determined to be forbidden to access the target website, and the gateway equipment refuses the flow of the terminal equipment to access the target website.
By the method, the access control based on the IP address white list can be realized, so that the traffic of the terminal equipment for accessing the target website is fully put through by the gateway equipment without passing through an authentication strategy, a security strategy and the like.
In summary, according to the access control method in this embodiment, domain name whitelist information input by a user may be received, and a DNS request may be sent to a DNS server to obtain IP address data sent by the DNS server, and an IP address whitelist may be generated according to the IP address data, and when an access request sent by a terminal device is received, based on the IP address whitelist, a target website corresponding to the access request is controlled to be accessed by the terminal device.
By the method, the gateway equipment can actively acquire the IP address data corresponding to the domain name white list information, realize the safety control of the access request of the terminal equipment according to the IP address data, and improve the safety of a network system.
In addition, in this embodiment, since the DNS server is configured as a DNS server dedicated to the intranet, when a user accesses a website through a terminal device in the internal network, IP address data may be obtained through the DNS server dedicated to the intranet, so that IP address data obtained by the DNS server in the intranet only needs to be obtained once from the public DNS server, and a part of network traffic may be intercepted in the intranet, so that network resources may also be saved.
Fig. 10 shows a schematic structural diagram of an access control device according to an embodiment of the present invention, where the access control device may be applied to a gateway apparatus. As shown in fig. 10, the access control apparatus 1000 includes: a receiving module 1010, configured to receive domain name whitelist information input by a user; an obtaining module 1020, configured to send a DNS request to a DNS server, so that IP address data sent by the DNS server is obtained, where the IP address data includes IP addresses corresponding to each domain name in the domain name whitelist information; a generating module 1030, configured to generate an IP address whitelist according to the IP address data; and the control module 1040 is configured to control, when receiving an access request sent by the terminal device, the terminal device to access a target website corresponding to the access request based on the IP address white list.
In some embodiments, the obtaining module 1020 is configured to send the DNS request to the DNS server at a preset time interval until the IP address data sent by the DNS server is obtained.
In some embodiments, the IP address data further includes a validity period of an IP address corresponding to each domain name in the domain name whitelist information, and the generating module 1030 is configured to determine, based on the IP address data, a validity period of each IP address in the IP address data; each IP address and the validity period of each IP address in the IP address data are added to an IP address white list.
In some embodiments, the control module 1040 is configured to determine, according to the access request, a target web address and a target IP address of the target web address; matching the target IP address with the IP address in the IP address white list; allowing the terminal equipment to access the target website under the condition that the target IP address is matched with any IP address in the IP address white list; and under the condition that the target IP address is not matched with each IP address in the IP address white list, prohibiting the terminal equipment from accessing the target website.
In some embodiments, the generating module 1030 is configured to search the IP address whitelist for each IP address in the IP address data; if any IP address in the IP address data exists in the IP address white list, stopping adding any IP address to the IP address white list; if any IP address in the IP address white list does not exist in the IP address data, adding any IP address to the IP address white list.
In some embodiments, the obtaining module 1020 is further configured to record a survival time of each IP address in the IP address data in the IP address white list, so as to send an address update request to the DNS server to obtain updated IP address data sent by the DNS server when the survival time of any IP address in the IP address data is greater than the survival time threshold.
In some embodiments, the destination IP address is sent to the terminal device by the DNS server in response to an IP address acquisition request sent by the terminal device.
The specific details of each module in the above apparatus are already described in the method section embodiments, and the details of the undisclosed solution may be referred to the method section embodiments, so that they will not be described in detail.
Fig. 11 is a schematic structural diagram of a gateway device according to an embodiment of the present invention, which is not limited to the specific implementation of the gateway device according to the embodiment of the present invention.
As shown in fig. 11, the gateway device may include: a processor 1102, a communication interface (Communications Interface), a memory 1106, and a communication bus 1108.
Wherein: processor 1102, communication interface 1104, and memory 1106 communicate with each other via a communication bus 1108. A communication interface 1104 for communicating with network elements of other devices, such as clients or other servers. The processor 1102 is configured to execute the program 1110, and may specifically perform relevant steps in the above-described embodiment of the access control method.
In particular, program 1110 may include program code comprising computer-executable instructions.
The processor 1102 may be a central processing unit CPU, or a specific integrated circuit ASIC (Application Specific Integrated Circuit), or one or more integrated circuits configured to implement embodiments of the present invention. The one or more processors comprised by the gateway device may be the same type of processor, such as one or more CPUs; but may also be different types of processors such as one or more CPUs and one or more ASICs.
Memory 1106 for storing program 1110. The memory 1106 may include high-speed RAM memory or may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The program 1110 may be specifically invoked by the processor 1102 to cause the gateway device to perform the access control method described above.
An embodiment of the present invention provides a computer readable storage medium storing at least one executable instruction that, when executed on a gateway device/access control apparatus, causes the gateway device/access control apparatus to perform an access control method in any of the above-described method embodiments.
The executable instructions may be specifically configured to cause the gateway device/access control apparatus to: receiving domain name white list information input by a user; sending a DNS request to a DNS server to acquire IP address data sent by the DNS server, wherein the IP address data comprises IP addresses corresponding to all domain names in domain name white list information; generating an IP address white list according to the IP address data; and when the access request sent by the terminal equipment is received, controlling the terminal equipment to access a target website corresponding to the access request based on the IP address white list.
The algorithms or displays presented herein are not inherently related to any particular computer, virtual system, or other apparatus. In addition, embodiments of the present invention are not directed to any particular programming language.
In the description provided herein, numerous specific details are set forth. It will be appreciated, however, that embodiments of the invention may be practiced without such specific details. Similarly, in the above description of exemplary embodiments of the invention, various features of embodiments of the invention are sometimes grouped together in a single embodiment, figure, or description thereof for the purpose of streamlining the disclosure and aiding in the understanding of one or more of the various inventive aspects. Wherein the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of this invention.
Those skilled in the art will appreciate that the modules in the apparatus of the embodiments may be adaptively changed and disposed in one or more apparatuses different from the embodiments. The modules or units or components of the embodiments may be combined into one module or unit or component and, furthermore, they may be divided into a plurality of sub-modules or sub-units or sub-components. Except that at least some of such features and/or processes or elements are mutually exclusive.
It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the unit claims enumerating several means, several of these means may be embodied by one and the same item of hardware. The use of the words first, second, third, etc. do not denote any order. These words may be interpreted as names. The steps in the above embodiments should not be construed as limiting the order of execution unless specifically stated.
Claims (10)
1. An access control method, applied to a gateway device, the method comprising:
receiving domain name white list information input by a user;
sending a DNS request to a DNS server to acquire IP address data sent by the DNS server, wherein the IP address data comprises IP addresses corresponding to all domain names in the domain name white list information;
generating an IP address white list according to the IP address data;
and when an access request sent by the terminal equipment is received, controlling the terminal equipment to access a target website corresponding to the access request based on the IP address white list.
2. The method of claim 1, wherein the sending a DNS request to a DNS server to obtain IP address data sent by the DNS server comprises:
and sending the DNS request to the DNS server according to a preset time interval until the IP address data sent by the DNS server is obtained.
3. The method according to claim 1, wherein the IP address data further includes a validity period of an IP address corresponding to each domain name in the domain name whitelist information, and the generating an IP address whitelist according to the IP address data includes:
determining the validity period of each IP address in the IP address data based on the IP address data;
and adding each IP address in the IP address data and the validity period of each IP address to the IP address white list.
4. The method according to claim 3, wherein when the access request sent by the terminal device is received, based on the IP address white list, the controlling the terminal device to access the target web address corresponding to the access request includes:
determining the target website and the target IP address of the target website according to the access request;
matching the target IP address with the IP address in the IP address white list;
allowing the terminal equipment to access the target website under the condition that the target IP address is matched with any IP address in the IP address white list;
and prohibiting the terminal equipment from accessing the target website under the condition that the target IP address is not matched with each IP address in the IP address white list.
5. The method of claim 3, wherein said adding each IP address in said IP address data and the validity period of each said IP address to said IP address whitelist comprises:
searching each IP address in the IP address data in the IP address white list;
if any IP address in the IP address data exists in the IP address white list, stopping adding any IP address to the IP address white list;
and if any IP address in the IP address data does not exist in the IP address white list, adding any IP address to the IP address white list.
6. A method according to claim 3, characterized in that the method further comprises:
and recording the survival time of each IP address in the IP address white list in the IP address data, so as to send an address update request to the DNS server when the survival time of any IP address in the IP address data is greater than a survival time threshold value, and acquire updated IP address data sent by the DNS server.
7. The method of claim 4, wherein the destination IP address is sent to the terminal device by the DNS server in response to an IP address acquisition request sent by the terminal device.
8. An access control apparatus for use with a gateway device, the apparatus comprising:
the receiving module is used for receiving the domain name white list information input by the user;
the acquisition module is used for sending a DNS request to a DNS server so as to acquire IP address data sent by the DNS server, wherein the IP address data comprises IP addresses corresponding to all domain names in the domain name white list information;
the generating module is used for generating an IP address white list according to the IP address data;
and the control module is used for controlling the terminal equipment to access a target website corresponding to the access request based on the IP address white list when the access request sent by the terminal equipment is received.
9. A gateway device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the operations of the access control method of any of claims 1-7 via execution of the executable instructions.
10. A computer readable storage medium, wherein at least one executable instruction is stored in the storage medium, which when run on a gateway device causes the gateway device to perform the operations of the access control method of any of claims 1-7.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311234772.7A CN117220969A (en) | 2023-09-21 | 2023-09-21 | Access control method, device, gateway equipment and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311234772.7A CN117220969A (en) | 2023-09-21 | 2023-09-21 | Access control method, device, gateway equipment and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN117220969A true CN117220969A (en) | 2023-12-12 |
Family
ID=89044034
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311234772.7A Pending CN117220969A (en) | 2023-09-21 | 2023-09-21 | Access control method, device, gateway equipment and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117220969A (en) |
-
2023
- 2023-09-21 CN CN202311234772.7A patent/CN117220969A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US10911399B2 (en) | Robust domain name resolution | |
| US7415536B2 (en) | Address query response method, program, and apparatus, and address notification method, program, and apparatus | |
| US7529810B2 (en) | DDNS server, a DDNS client terminal and a DDNS system, and a web server terminal, its network system and an access control method | |
| US7680954B2 (en) | Proxy DNS for web browser request redirection in public hotspot accesses | |
| US10491561B2 (en) | Equipment for offering domain-name resolution services | |
| US20090217353A1 (en) | Method, system and device for network access control supporting quarantine mode | |
| CN109067936B (en) | Method and device for domain name resolution | |
| US20230198987A1 (en) | Systems and methods for controlling accessing and storing objects between on-prem data center and cloud | |
| CN112261172A (en) | Service addressing access method, device, system, equipment and medium | |
| CN107707683B (en) | A kind of method and apparatus for reducing DNS message lengths | |
| US20020133719A1 (en) | Method and apparatus for sharing authentication information between multiple servers | |
| CN115913583B (en) | Business data access method, device and equipment and computer storage medium | |
| US20070180090A1 (en) | Dns traffic switch | |
| CN113691646A (en) | Domain name service resource access method, device, electronic equipment and medium | |
| JP2002189646A (en) | Relay device | |
| JP3601526B2 (en) | Proxy registration device, network system and program | |
| US12267294B1 (en) | Nonexistant domain forwarding in authoritative zones | |
| CN113839938B (en) | Method and device for detecting domain name takeover vulnerability | |
| US9146789B2 (en) | Method and apparatus for generating and using location-independent distributed object references | |
| CN113271302A (en) | Identity authentication method and device and electronic equipment | |
| CN115001780B (en) | Access control method, device, equipment and readable storage medium | |
| CN113596105B (en) | Content acquisition method, edge node and computer readable storage medium | |
| CN117220969A (en) | Access control method, device, gateway equipment and storage medium | |
| JP2003163681A (en) | Packet transfer device, packet transfer method, and program | |
| US20250317475A1 (en) | System and method for securing software applications and computing networks |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |