CN106330708A - System and method for local DNS service - Google Patents
- Publication number: CN106330708A (application CN201610685617.0A)
- Authority: CN (China)
- Prior art keywords: dns, openflow, openflow switch, terminal, dns request
- Legal status (as listed by Google Patents; not a legal conclusion): Pending
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/38—Flow based routing
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a system and method for a local DNS service. The system comprises: a terminal, which sends packets to the Internet, some of which contain DNS requests; an OpenFlow switch, which receives the DNS requests from the terminal and forwards them; and a local DNS service device, which receives the DNS requests from the OpenFlow switch, generates DNS responses from them and returns the responses to the OpenFlow switch. The OpenFlow switch in turn forwards the DNS responses received from the local DNS service device to the terminal. The invention thereby provides a transparent local DNS service that avoids the problems caused by devices connected in series on the traffic path and, because DNS requests are never sent on to the Internet, avoids a race between responses coming from the Internet and responses generated by the local DNS service device.
Description
Technical field
The present invention relates to network communication, and in particular to DNS services.
Background
DNS (Domain Name System) maps between domain names and IP addresses on the Internet, letting users reach Internet resources by domain name instead of having to remember the IP address they want. DNS is the addressing method actually used by the vast majority of Internet applications.
A DNS service deployed inside an enterprise network or an operator's network is called a local DNS. A local DNS mainly provides three functions: (1) DNS caching, which speeds up name resolution and improves the user's network experience; (2) traffic steering, which together with CDN (Content Delivery Network) technology optimises network transmission and enables localised, differentiated services; (3) DNS filtering, which protects against malicious websites on the basis of a blacklist and blocks phishing sites.
However, although a local DNS can provide many useful functions, deploying one faces a major obstacle. Existing local DNS services are usually implemented in a "non-transparent" way, meaning that every terminal must be configured with the DNS server address before the service takes effect. Such configuration is very cumbersome, and in scenarios where the terminals are not under the operator's control a non-transparent local DNS service cannot be implemented at all.
Some existing local DNS services are instead implemented "transparently", meaning that nothing is configured on the terminal: the DNS service takes effect without the terminal knowing that it exists. A transparent DNS service, however, usually requires a DNS server to be inserted in series on the path that the terminal's traffic must pass through. That server captures the DNS request packets and assembles the corresponding DNS response packets, and the assembled responses must also spoof the source IP so that the terminal believes the response came from the DNS server it is configured to use. Because the existing transparent approach is simple to configure and needs no change on the client, it is applicable in a wide range of scenarios, but its in-line deployment is a hidden risk to network reliability: when operating a network, the number of network function devices connected in series should as a rule be kept as small as possible in order to lower the failure rate.
In view of the risk introduced by an in-line DNS server, some existing techniques place the local DNS service device on a bypass, off the forwarding path. To do so, however, they usually deploy an optical splitter or another device that supports port mirroring on the path that the terminal's traffic must pass through, so that the terminal's Internet traffic is mirrored to the local DNS service device. Even though the DNS service device itself sits on a bypass, another device that mirrors the traffic still has to be connected in series on the traffic path, so network reliability is still hard to guarantee.
Summary of the invention
The object of the present invention is therefore to overcome the above defects of the prior art by providing a system for a local DNS service, comprising:
a terminal, configured to send packets to the Internet, the packets containing DNS requests;
an OpenFlow switch, configured to receive the DNS requests from the terminal and forward them;
a local DNS service device, configured to receive the DNS requests from the OpenFlow switch, generate DNS responses according to the DNS requests and send the responses to the OpenFlow switch;
wherein the OpenFlow switch is further configured to forward the DNS responses received from the local DNS service device to the terminal.
Preferably, the system further comprises:
an OpenFlow controller, configured to install flow entries on the OpenFlow switch.
Preferably, the OpenFlow controller is further configured to generate, according to the DNS request, a flow entry that modifies the source IP of the DNS response.
Preferably, the local DNS service device is integrated in the OpenFlow controller.
Preferably, the OpenFlow controller is further configured to generate, according to the DNS request, a flow entry that modifies the destination IP of the DNS request.
Preferably, the OpenFlow controller is further configured to install on the OpenFlow switch a flow entry that forwards packets whose destination port is 53 to the OpenFlow controller.
Preferably, the OpenFlow controller is further configured to install on the OpenFlow switch a flow entry that forwards packets whose source port is 53 to the terminal.
The present invention also provides a method for a local DNS service based on the above system, comprising:
1) the OpenFlow switch, according to its flow entries, sends the DNS requests contained in the packets coming from the terminal to the local DNS service device;
2) the local DNS service device sends the generated DNS response to the OpenFlow switch;
3) the OpenFlow switch, according to its flow entries, forwards the DNS response to the terminal.
Preferably, the method further comprises, before step 3):
2.5) the OpenFlow switch, according to its flow entries, rewrites the source IP of the DNS response to the destination IP of the DNS request.
Preferably, the method further comprises, before step 1):
the OpenFlow switch, according to its flow entries, rewrites the destination IP of the DNS request to the IP address of the local DNS service device.
Preferably, step 1) comprises:
the OpenFlow switch, according to its flow entries, forwards packets whose destination port is 53 to the OpenFlow controller as DNS requests.
Preferably, step 3) comprises:
the OpenFlow switch, according to its flow entries, forwards packets whose source port is 53 to the terminal.
Compared with the prior art, the present invention has the following advantages:
Compared with a non-transparent local DNS service, the present invention requires no configuration of the terminals and is not limited to serving terminals that have already been configured.
Compared with a traditional transparent local DNS service, the present invention relies on software-defined networking and forwards only the DNS requests to the DNS service device; no device has to be connected in series on the terminal's traffic path to mirror all of the terminal's traffic to the DNS service device, which avoids the problems that series-connected devices cause. Moreover, in the present invention DNS requests are never sent to the Internet, so responses from the Internet are blocked and cannot race with the responses generated by the DNS service device.
Description of the drawings
Embodiments of the present invention are further described below with reference to the accompanying drawings, in which:
FIG. 1 is a schematic diagram of a prior-art transparent DNS scheme in which the DNS service device is deployed on a bypass;
FIG. 2 is a schematic diagram of the match fields supported by OpenFlow;
FIG. 3 is a schematic diagram of a system implementing the integrated DNS service scheme according to one embodiment of the present invention;
FIG. 4 is a schematic diagram of a system implementing the independent DNS service scheme according to one embodiment of the present invention.
Detailed description
The present invention is described in detail below with reference to the drawings and specific embodiments.
FIG. 1 shows a prior-art transparent DNS scheme in which the DNS service device is deployed on a bypass. As shown in FIG. 1, such schemes require an optical splitter or another device supporting port mirroring, which mirrors the terminal's Internet traffic to the DNS service device on the bypass. When the terminal sends a DNS request containing a domain name towards the Internet, the splitter copies the request to the DNS service device, which can then transparently reply to the terminal with a DNS response, so that the terminal learns the IP address corresponding to the domain name. At the same time, however, the request that was originally sent to the Internet also produces a response that is returned to the terminal over the Internet (the "original DNS response" in FIG. 1). Because the original DNS response is not blocked, it races with the response generated by the local DNS service device, and the terminal may notice the discrepancy.
The above prior art does not consider intercepting the DNS requests coming from the terminal. The inventors attribute this to the view, held by those skilled in the art, that a terminal may send packets of many types to the Internet and that, under most existing protocols, a packet can be identified as a DNS request only after its destination port has been determined. Terminals also frequently emit large volumes of packets of all kinds. The prior art therefore does not add, specifically for the DNS service, a device that extracts the port from each packet (such devices are usually complex and fail easily), and instead only uses a device such as an optical splitter to mirror the traffic and deliver the mirrored copy to the DNS service device.
It can be seen that the traditional scheme of placing the DNS service device on a bypass still adds a series-connected device to the network, and series-connected devices are a hidden risk to network reliability.
SDN (Software Defined Networking), which has developed rapidly in recent years, offers network programmability and centralised control. OpenFlow, the most mature SDN technology, is already widely used, and more and more networks deploy switches that support it.
The inventors found that OpenFlow can be combined with a local DNS service so that OpenFlow determines, in a simple way, whether traffic from a terminal is a DNS request. The inventors further found that, by configuring OpenFlow flow entries (that is, forwarding rules), the original DNS response from the Internet can be blocked. To implement this, an OpenFlow switch and controller and a device providing the DNS service are used, and dedicated forwarding rules are configured through the OpenFlow flow tables.
In OpenFlow, each flow entry represents one forwarding rule and consists of match fields, counters and actions. The OpenFlow switch compares a packet against the match fields of each flow entry in turn; on a hit it executes that entry's actions and proceeds to the next flow table until the pipeline ends. As shown in FIG. 2, OpenFlow can match on layer 1 to layer 4 fields of the seven-layer model, including the ingress port, destination MAC address (Dst MAC), source MAC address (Src MAC), Ethernet type (Ether Type), VLAN ID, VLAN priority, source IP (Src IP), destination IP (Dst IP), IP protocol (IP Proto), TCP/UDP source port (Src Port) and TCP/UDP destination port (Dst Port). The counters count the packets that matched the entry. The actions include forwarding the packet (Output), sending it to the controller (Packet-in) and rewriting a header field (Set-field). In addition, the OpenFlow controller can use Packet-out messages to send a packet out of a specific port of the OpenFlow switch, and Flow-mod messages to add, delete and modify the switch's flow entries. The inventors therefore considered that these flow entries can be used to implement a DNS service that is both on a bypass and transparent.
As stated above, placing the DNS service device on a bypass improves network reliability, so the present invention also places the DNS service device on a bypass. In one embodiment, the DNS service device is a functional module on the OpenFlow controller; this is described in detail in Embodiment 1 below. In another embodiment, the DNS service device is deployed on a separate device; this is described in detail in Embodiment 2 below.
Embodiment 1: integrated DNS service scheme
FIG. 3 shows a system according to one embodiment of the present invention in which the DNS service device is integrated in the OpenFlow controller. The system comprises one or more terminals, one or more OpenFlow switches, an OpenFlow controller connected to the OpenFlow switches over a local area network, and a DNS service device integrated in the OpenFlow controller. A terminal's DNS requests reach the DNS service device in the controller via the OpenFlow switch; one OpenFlow controller may serve several OpenFlow switches (FIG. 3 shows only one switch and one controller). The OpenFlow switch extracts the port numbers of the packets coming from the terminal and decides from the port number whether a packet is a DNS request, in order to send DNS requests to the DNS service device. Since a legitimate DNS request has destination port 53, an OpenFlow flow entry can be installed so that a packet with destination port 53 is forwarded to the OpenFlow controller; for example, a flow entry whose match is Dst_Port=53 and whose action is Packet-in (send to the controller).
The method of local DNS service is described in detail below with reference to FIG. 3:
1. The terminal sends a DNS request towards the Internet (1).
For example, a terminal with IP address 192.168.1.1 wants to reach a DNS server on the Internet whose IP address is 8.8.8.8 (that is, the terminal expects to obtain DNS service from that server) and sends its DNS request from port 1234. The DNS request packet sent by the terminal is then:
2. The OpenFlow switch receiving the packets from the terminal applies its flow entries to each packet as follows: if the packet's destination port is 53, it forwards the packet (the DNS request) to the OpenFlow controller in which the DNS service device is integrated (2). This step is implemented through an OpenFlow flow entry, which picks the DNS request packets out of all the packets coming from the terminal and delivers them to the local DNS service device. The local DNS service device here provides the DNS service in place of the DNS server on the Internet.
Continuing the example from step 1, the OpenFlow switch that receives the packets reports the DNS request packet to the OpenFlow controller according to flow entry 1, which was set beforehand by the OpenFlow controller and installed on the switch, and whose content is:
Packet-in here means reporting the packet to the OpenFlow controller.
3. The DNS service module on the OpenFlow controller generates, from its local cache, the DNS response corresponding to the received DNS request. If the local cache holds no IP address for the domain name in the request, the module performs a recursive query to the Internet, as shown in FIG. 3: it sends the query to the Internet (i) and receives the IP address corresponding to the domain name (ii).
Continuing the example, once the information is available in the local cache or has been obtained by the recursive query, the DNS service module generates the following DNS response packet, constructed so that the terminal does not notice that the response was provided by the local DNS service device rather than by the DNS server it addressed:
The OpenFlow controller then sends a Packet-out control message to the OpenFlow switch, instructing it to send the DNS response packet out of the specified port towards the terminal.
4. The OpenFlow switch returns the DNS response to the terminal (4).
Continuing the example, the OpenFlow switch sends the received DNS response packet to the terminal out of the specified port (for example its downlink port). The port is specified in order to guarantee that the terminal receives the DNS response packet.
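Step 3 above (assembling the response) together with the source-address spoofing that the transparent scheme relies on, written out as an added example; this is not code from the patent. The cache entry (intranet.example. resolving to 203.0.113.10) is constructed for the example, the terminal at 192.168.1.1:1234 and the resolver 8.8.8.8 are those of the text, and only the Python standard library is used.

```python
import struct
from dataclasses import dataclass

# Constructed cache of the local DNS service device (illustrative name and address).
LOCAL_CACHE = {"intranet.example.": "203.0.113.10"}
QTYPE_A, QCLASS_IN = 1, 1
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3


def encode_name(name):
    """Dotted name -> DNS labels, e.g. "a.b." -> b"\\x01a\\x01b\\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(buf, off):
    """Decode labels at buf[off:], following compression pointers (RFC 1035 4.1.4)."""
    labels, jumped, end = [], False, off
    for _ in range(128):                       # hard bound against pointer loops
        length = buf[off]
        if length & 0xC0 == 0xC0:
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(txid, name, qtype=QTYPE_A):
    """The query a terminal's stub resolver sends: one question, RD=1."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN))


def build_response(query, cache, ttl=60):
    """Assemble the reply the local DNS service device returns for `query`.

    ID and question are echoed, QR and RA are set, RD is copied, and an A record
    is appended for a cached name; an unknown name gets NXDOMAIN. Single-question
    IN-class queries only.
    """
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    known = qname.lower() in cache
    ip = cache[qname.lower()] if known and (qtype, qclass) == (QTYPE_A, QCLASS_IN) else None
    rflags = 0x8000 | (flags & 0x7900) | 0x0080 | (RCODE_NOERROR if known else RCODE_NXDOMAIN)
    answer = b""
    if ip is not None:
        rdata = bytes(int(octet) for octet in ip.split("."))
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4) + rdata
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


def parse_response(resp):
    """Header fields and A answers of a response (used by the checks below)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qd):
        off = decode_name(resp, off)[1] + 4
    answers = []
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in resp[off:off + 4])))
        off += rdlen
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": answers}


@dataclass(frozen=True)
class UdpDatagram:
    """Addressing as the switch sees it; payload is the DNS message."""
    src_ip: str
    dst_ip: str
    sport: int
    dport: int
    payload: bytes


def transparent_reply(request, cache):
    """Reply addressed as if from the resolver the terminal asked (its dst_ip),
    not from the service device's own address: the spoofing the text describes."""
    return UdpDatagram(request.dst_ip, request.src_ip, 53, request.sport,
                       build_response(request.payload, cache))
```

transparent_reply() is the whole trick of the "transparent" scheme: the response is correct at the DNS layer (same transaction ID, same question) and is addressed from 8.8.8.8:53 back to 192.168.1.1:1234, so the stub resolver accepts it. The interposition is invisible only to a stub that trusts the transport: a validating stub rejects a synthesised answer for a DNSSEC-signed name, and DNS carried over TLS (853) or HTTPS (443) never matches a port-53 rule in the first place.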
实施例2:独立DNS服务技术方案Embodiment 2: Independent DNS service technical solution
图4示出了根据本发明的另一个实施例将DNS服务装置独立地设置的系统。在该系统中,包括一个或者多个终端、一个或者多个OpenFlow交换机、以及通过局域网与OpenFlow交换机相连的OpenFlow控制器和独立部署的DNS服务装置。其中,终端通过OpenFlow交换机将DNS请求发往DNS服务装置,在该终端首次发出DNS请求时(或者OpenFlow交换机中不存在相应的流表项时),需要通过OpenFlow控制器产生新的流表项并下发给OpenFlow交换机。并且,一个OpenFlow控制器可以对应于多个OpenFlow交换机。与实施例1中相类似地,OpenFlow交换机提取来自终端的数据包的端口地址,根据端口地址判断该数据包是否为DNS请求,以将DNS请求发往DNS服务装置。Fig. 4 shows a system in which DNS service devices are set independently according to another embodiment of the present invention. The system includes one or more terminals, one or more OpenFlow switches, an OpenFlow controller connected to the OpenFlow switch through a local area network, and an independently deployed DNS service device. Wherein, the terminal sends the DNS request to the DNS service device through the OpenFlow switch. When the terminal sends the DNS request for the first time (or when there is no corresponding flow entry in the OpenFlow switch), it needs to generate a new flow entry through the OpenFlow controller and Send it to the OpenFlow switch. Also, one OpenFlow controller may correspond to multiple OpenFlow switches. Similar to Embodiment 1, the OpenFlow switch extracts the port address of the data packet from the terminal, judges whether the data packet is a DNS request according to the port address, and sends the DNS request to the DNS service device.
下面参考图4,具体介绍根据本发明的独立设置DNS服务装置的本地DNS服务的方法,包括:Referring to Fig. 4 below, the method for independently setting the local DNS service of the DNS service device according to the present invention is specifically introduced, including:
1.终端向互联网发送DNS请求(a)。1. The terminal sends a DNS request (a) to the Internet.
例如,一个终端的IP地址为192.168.1.1,其所期望访问的存在于互联网中的DNS服务器的IP地址为8.8.8.8(即终端希望通过访问该DNS服务器的IP地址来获得DNS服务),终端通过端口1234发出DNS请求。此时,通过终端发出的DNS请求数据包应当为:For example, the IP address of a terminal is 192.168.1.1, and the IP address of the DNS server in the Internet that it expects to access is 8.8.8.8 (that is, the terminal hopes to obtain DNS services by accessing the IP address of the DNS server), the terminal Make DNS requests over port 1234. At this point, the DNS request packet sent by the terminal should be:
2.收到来自终端的数据包的OpenFlow交换机,根据流表项对所收到的数据包执行以下操作:如果数据包的目的端口为53,则将该数据包(即DNS请求)转发至OpenFlow控制器(b)。2. The OpenFlow switch that receives the data packet from the terminal performs the following operations on the received data packet according to the flow entry: if the destination port of the data packet is 53, the data packet (ie DNS request) is forwarded to OpenFlow controller (b).
继续上述步骤1中的实例,此时的流表项1是预先由OpenFlow控制器设定并下发给OpenFlow交换机,其内容为:Continuing with the example in the above step 1, the flow entry 1 at this time is pre-set by the OpenFlow controller and sent to the OpenFlow switch, and its content is:
这里将DNS请求数据包发送至OpenFlow控制器的目的在于,使得OpenFlow控制器可以在随后的步骤中根据DNS请求数据包的IP头来生成新的流表项(即后述流表项2’和3’),并将所生成的新的流表项下发至OpenFlow交换机,从而利用所述新的流表项将DNS请求数据包转发至DNS服务装置,以及将由DNS服务装置生成的DNS响应数据包发送回终端。The purpose of sending the DNS request packet to the OpenFlow controller here is to enable the OpenFlow controller to generate new flow entries (i.e. flow entry 2' and 3'), and send the generated new flow table item to the OpenFlow switch, thereby using the new flow table item to forward the DNS request packet to the DNS service device, and the DNS response data generated by the DNS service device The packet is sent back to the terminal.
3.OpenFlow控制器根据所收到的DNS请求数据包的IP头,向OpenFlow交换机下发用于设置字段(Set-field)操作的流表项,以实现DNS请求数据包和DNS响应数据包的重新定向(c),并通过Packet-out消息指定通过OpenFlow交换机的上联口来发送DNS请求数据包(d)。3. According to the IP header of the received DNS request packet, the OpenFlow controller sends the flow table item for setting the field (Set-field) operation to the OpenFlow switch, so as to realize the DNS request packet and the DNS response packet. Redirect (c), and send the DNS request packet (d) through the uplink port of the OpenFlow switch designated by the Packet-out message.
假设,在本发明的实施例中,被独立设置的DNS服务装置的IP地址为IPa。并且,根据TCP/IP协议,数据包的IP头中包含数据包的源地址和目的地址,因此根据DNS请求数据包的IP头可以确定发出请求的终端的IP地址(即DNS请求数据包的源地址IPc)以及终端所期望访问的DNS服务器的IP地址(即DNS请求数据包的目的地址IPb)。It is assumed that, in the embodiment of the present invention, the IP address of the independently configured DNS service device is IP a . And, according to the TCP/IP protocol, the IP header of the data packet contains the source address and the destination address of the data packet, so the IP address of the terminal that sends the request can be determined according to the IP header of the DNS request packet (that is, the source of the DNS request packet address IP c ) and the IP address of the DNS server that the terminal expects to access (ie, the destination address IP b of the DNS request data packet).
Accordingly, the following flow entry, which redirects the destination address IPb of the DNS request packet to the DNS service device IPa, is generated and issued to the OpenFlow switch as flow entry 2':
With this flow entry, the OpenFlow switch sends the redirected DNS request packet out of its uplink port.
In addition, so that the terminal does not notice that the DNS response does not come from the IP address of the DNS server it requested, another corresponding flow entry can be generated and issued to the OpenFlow switch, which rewrites the source address IPa of the DNS response packet generated by the DNS service device to IPb, the address requested in the DNS request packet. The flow entry 3' generated accordingly is:
With this flow entry, the OpenFlow switch sends the redirected DNS response packet out of its downlink port.
4. The OpenFlow switch forwards the DNS request packet, modified according to the flow entry, to the independently deployed DNS service device (e).
Continuing the example, the DNS request packet received by the OpenFlow controller has source address IPc 192.168.1.1 and destination address IPb 8.8.8.8 (it should be understood that the step of parsing the IP header of the DNS request packet can also be carried out in step 2). That is, the original DNS request packet sent by the terminal is:
According to flow entry 2' from step 3, the OpenFlow controller redirects this DNS request packet to the DNS service device, whose IP address IPa is assumed to be 192.168.1.2. The modified DNS request packet is then:
5. The independently deployed DNS service device receives the DNS request packet from the OpenFlow controller and, from its local cache, generates the DNS response corresponding to the received DNS request, then sends the generated DNS response back to the OpenFlow switch (f). If the local cache holds no IP address for the domain name in the DNS request, a recursive query is made to the Internet, as shown in (i) and (ii) of Figure 4.
Continuing the example, once the corresponding information is present in the local cache or has been obtained by recursive query, the DNS service device generates the following DNS response packet:
6. The OpenFlow switch sends the DNS response packet from the DNS service device to the terminal (g).
Here, so that the terminal does not notice that the DNS response does not come from the IP address of the requested DNS server, that is, to provide a transparent DNS service, flow entry 3' issued by the OpenFlow controller in step 3 can be used correspondingly to change the source address IPa of the DNS response packet to the address IPb requested by the terminal.
Continuing the example, according to that flow entry the DNS response packet is modified to:
Once the OpenFlow switch holds the pair of redirection flow entries for a given terminal (flow entries 2 and 3), subsequent DNS service for that terminal no longer needs stages (b, c, d); only stages (a, e, f, g) are required.
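The six-step exchange above, modelled as an added example that is not part of the patent: a toy OpenFlow switch holding pre-installed entry 1 (DNS requests go to the controller), a controller packet-in handler that derives entries 2' and 3' from the request's IP header, and a second request served without a packet-in. Port names, the dict-based packet model and the field names are assumptions; the addresses are the ones used in the example above.

```python
from dataclasses import dataclass, field

UPLINK, DOWNLINK, CTRL = "uplink", "downlink", "controller"  # assumed port names
DNS_SERVICE_IP = "192.168.1.2"                                 # IPa from the example

@dataclass
class FlowEntry:
    match: dict        # header fields that must all match
    set_fields: dict   # Set-field actions applied on a hit
    out_port: str
    priority: int = 10

@dataclass
class Switch:
    table: list = field(default_factory=list)
    packet_ins: int = 0    # how often the controller was consulted

    def install(self, entry):
        self.table.append(entry)
        self.table.sort(key=lambda e: -e.priority)   # highest priority first

    def process(self, pkt):
        """Apply the first matching entry; returns (port, rewritten packet)."""
        for e in self.table:
            if all(pkt.get(k) == v for k, v in e.match.items()):
                return e.out_port, {**pkt, **e.set_fields}
        return "normal", pkt   # assumed default: ordinary forwarding

def on_packet_in(sw, pkt):
    """Step 3: derive entries 2' and 3' from the request's IP header."""
    sw.packet_ins += 1
    ipc, ipb = pkt["src"], pkt["dst"]
    sw.install(FlowEntry({"udp_dst": 53, "src": ipc, "dst": ipb},
                         {"dst": DNS_SERVICE_IP}, UPLINK, 20))      # entry 2'
    sw.install(FlowEntry({"udp_src": 53, "src": DNS_SERVICE_IP, "dst": ipc},
                         {"src": ipb}, DOWNLINK, 20))               # entry 3'
    return sw.process(pkt)   # Packet-out (d): re-run the request through the table

def forward(sw, pkt):
    """Switch pipeline: table lookup, with a packet-in when entry 1 is hit."""
    port, out = sw.process(pkt)
    return on_packet_in(sw, pkt) if port == CTRL else (port, out)

def run_example():
    sw = Switch()
    sw.install(FlowEntry({"udp_dst": 53}, {}, CTRL))   # entry 1, pre-installed
    req = {"src": "192.168.1.1", "dst": "8.8.8.8", "udp_dst": 53, "qname": "example.com"}
    to_service = forward(sw, req)                          # stages (a)-(e)
    resp = {"src": DNS_SERVICE_IP, "dst": "192.168.1.1", "udp_src": 53}
    to_terminal = forward(sw, resp)                        # stages (f)-(g)
    again = forward(sw, req)                               # served by 2' alone
    return to_service, to_terminal, again, sw.packet_ins
```

`run_example()` returns the request as delivered to the service device (destination rewritten to 192.168.1.2), the response as delivered to the terminal (source restored to 8.8.8.8), the second request's result, and a packet-in count of 1, showing that stages (b, c, d) run only once per terminal.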
The embodiment of the present invention thus shows a transparent, bypass (out-of-path) DNS service solution based on OpenFlow. As can be seen, the present invention does not require an inline device to be inserted on the path that terminal traffic must traverse, which avoids the security problems caused by an inline device; moreover, the present invention can also block DNS responses arriving from the Internet, so that they do not compete with the DNS responses produced by the DNS service.
Finally, it should be noted that the above embodiments serve only to illustrate the technical solution of the present invention and not to limit it. Although the present invention has been described in detail with reference to the embodiments, those of ordinary skill in the art should understand that modifications or equivalent substitutions of the technical solution of the present invention do not depart from the spirit and scope of that solution, and all of them fall within the scope of the claims of the present invention.
Claims (12)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610685617.0A CN106330708A (en) | 2016-08-18 | 2016-08-18 | System and method for local DNS service |
Publications (1)
Publication Number | Publication Date |
---|---|
CN106330708A (en) | 2017-01-11 |
Family
ID=57744099
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106330708A (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | | Application publication date: 20170111 |