JP2007243356A - DNS server client system, DNS server device, cache server device, DNS query request control method, and DNS query request control program - Google Patents

Abstract

An object of the present invention is to control a response to a DNS query request for each DNS client.
An authority server includes an access control list in which not only the IP address of a cache server that rejects a response (cache server IP) but also the IP address of a DNS client that rejects a response (client IP) is listed. I manage. When the cache server 20 transmits the query request received from the DNS client 10 to the authoritative server 30, the cache server 20 transmits the client IP of the DNS client 10 included in the query request. On the other hand, when the authority server 30 receives a query request from the cache server 20, the authority server 30 refers to the access control list based on the client IP included in the addition part of the query request, and controls a response to the query request for each client IP. .
[Selection] Figure 1

Description

  The present invention relates to a DNS server client system, a DNS server apparatus, a cache server apparatus, a DNS query request control method, and a DNS query request control program, which are provided via a cache server apparatus between the DNS client apparatus and the DNS server apparatus.

  Conventionally, there is a system called DNS (Domain Name System) that associates a host name (domain name) on the Internet with an IP address (Internet Protocol Address). In such a DNS system, for example, as shown in FIG. 16, a plurality of authoritative servers and a plurality of subnets are connected to the Internet, and a cache server as a DNS full service resolver is installed in each subnet. A plurality of DNS clients are arranged in the subnet. In addition, FIG. 16 is a figure for demonstrating the DNS system based on a prior art.

  In the DNS system shown in FIG. 16, each authority server manages a conversion table (resource record file) in which a host name and an IP address are associated with each other. When a query request is transmitted from a DNS client in the subnet, the cache server that has received the query request transmits the query request to an authority server that manages an arbitrary domain. On the other hand, the authority server that has received such a query request searches the corresponding resource record from the conversion table (resource record file), sends the resource record as the search result to the cache server as a query response, and receives this query response. The cache server transmits a query response to the DNS client that has transmitted the query request. Here, the IP address of the query request transmitted from the DNS client to the cache server is the IP address (client IP) of the DNS client, while the query request transmitted from the cache server to the authoritative server. The source IP address is the IP address of the cache server (cache server IP).

  By the way, in a DNS system as shown in FIG. 16, it is generally performed to control a query response by an originating IP address, such as rejecting a query request from an unauthorized user based on the originating IP address of the query request. ing. More specifically, the authoritative server manages an access control list that prescribes response permission (or response rejection) for each query request source IP address (or network address) in units of systems or zones. When the query request is received from the cache server, the authority server refers to the access control list based on the IP address of the query request (here, the cache server IP), and permits or rejects the response. Also, depending on the authority server, different resource records are defined for each query request source IP address (or network address) for each zone, and differ based on the IP address (in this case, the cache server IP) of the query request. Some respond with a resource record (see, for example, Patent Document 1).

Japanese Patent Laying-Open No. 2005-210513

  By the way, the above-described conventional technique has a problem that a query response to a query request cannot be controlled for each DNS client when a cache server is interposed between the DNS client and the authoritative server.

  Specifically, for example, even if an unauthorized DNS client exists in a certain subnet and a Dos attack (Denial of Service attack) is being performed on a certain authority server, the authority server side Then, since it is only possible to acquire the cache server IP as the source IP address of the query request, it seems that a Dos attack is being carried out from the cache server in the subnet where the unauthorized DNS client exists. In the conventional technique described above, when a query request from such an unauthorized DNS client is to be rejected, access control is performed on the IP address of the cache server in the subnet where the unauthorized DNS client exists. Must be specified.

  However, when a predetermined cache server is defined as a response rejection in the access control list of a predetermined authoritative server in this way, all DNS clients in the subnet where the cache server exists (for regular DNS clients). The query response is rejected, and as a result, the query response to the query request cannot be controlled for each DNS client. On the other hand, when a predetermined cache server is specified as a response permission in the access control list of the predetermined authoritative server, for all DNS clients in the subnet where the cache server exists (to an unauthorized DNS client). Query responses will be allowed (as well) and as a result, query responses to query requests cannot be controlled on a per DNS client basis. In order to solve such a problem, a method of newly installing a cache server for an unauthorized DNS client in the subnet may be considered, but it cannot always be said to be an appropriate solution method in view of equipment costs. .

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and even if the DNS server device via the cache server device is connected to the DNS client device, a response to the DNS query request is sent to the DNS server. An object is to provide a DNS server client system, DNS server apparatus, cache server apparatus, DNS query request control method, and DNS query request control program that can be controlled for each client apparatus.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is a DNS server client system configured via a cache server device between a DNS client device and a DNS server device, When the cache server device transmits the DNS query request received from the DNS client device to the DNS server device, the DNS query request is transmitted by including a client address for identifying the DNS client device in the DNS query request. A DNS query response that controls a response to the DNS query request based on the client address included in the DNS query request when the DNS server request is transmitted from the cache server device when the DNS server request is received from the cache server device Control means, And said that there were pictures.

  The invention according to claim 2 is characterized in that, in the above invention, the DNS query request transmission means transmits the DNS query request including the client address in an additional part of the DNS query request.

  According to a third aspect of the present invention, in the above invention, the cache server device stores DNS server information storing information for identifying a DNS server device capable of responding to a DNS query request including the client address. The DNS query request transmitting means is provided only to a DNS server device that can respond to a DNS query request including the client address based on information stored in the DNS server information storage means. A DNS query request including a client address is transmitted.

  According to a fourth aspect of the present invention, in the above invention, the DNS server information storage means includes a transmission target of a DNS query request including the client address in addition to information for identifying the DNS server device. Further, information for identifying a DNS client device to be stored is stored, and the DNS query request transmission unit includes a DNS including the client address based on the information stored in the DNS server information storage unit. A DNS query request including the client address is transmitted only when a DNS query request is received from a DNS client device to be transmitted as a query request.

  In the invention according to claim 5, in the above invention, the DNS server device stores information for identifying a cache server device that is permitted to transmit a DNS query request including the client address. The DNS query response control means is further permitted to transmit a DNS query request including the client address in the DNS server information storage means for the cache server device that is the transmission source of the DNS query request. Only in the case where the response to the DNS query request is controlled based on the client address included in the DNS query request.

  The invention according to claim 6 is the above invention, wherein the DNS server device is associated with the client address, and any one of a non-response, a rejection response, and a resource record is set as a response control content for the DNS query request. Response control content storage means for storing one, and the DNS query response control means is associated with the client address included in the DNS query request from the response control content stored in the response control content storage means. The response control content is searched, and any one of the non-response, rejection response, and resource record response is performed.

  The invention according to claim 7 is the above invention, wherein the cache server device responds to a DNS query request transmitted including the client address among resource records received as a DNS query response from the DNS server device. Resource record storage means for storing only resource records received as a response to a DNS query request transmitted without including the client address, excluding resource records received as a response, further comprising: When a resource record corresponding to a DNS query request received from a DNS client device is not stored in the resource record storage unit, the DNS query request is transmitted to the DNS server device.

  The invention according to claim 8 is the above invention, in which the cache server device responds to a DNS query request transmitted including the client address among resource records received as a DNS query response from the DNS server device. The resource record received as a response is further provided with resource record storage means for storing the resource address in association with the resource record, and the DNS query request transmission means corresponds to the DNS query request received from the DNS client apparatus. When the resource record to be executed and the client address of the DNS client device are not stored in association with the resource record storage unit, the DNS query request is transmitted to the DNS server device. .

  The invention according to claim 9 is the above invention, wherein the DNS server device stores response control contents for the DNS query request for each system and / or for each zone in association with the client address. Response control content storage means for storing response control content for the DNS query request for each domain unit, wherein the DNS query response control means includes the system unit and / or the zone unit, and the domain unit, A response control content associated with the client address included in the DNS query request is retrieved from the response control content stored in the response control content storage means, and a response to the DNS query request is based on the retrieved response control content. It is characterized by controlling.

  The invention according to claim 10 is a DNS server apparatus that receives and controls a DNS query request transmitted from a DNS client apparatus via a cache server apparatus, and has a client address for identifying the DNS client apparatus. A DNS query request receiving means for receiving the included DNS query request from the cache server device, and when receiving a DNS query request from the cache server device, based on the client address included in the DNS query request, the DNS DNS query response control means for controlling a response to the query request.

  According to an eleventh aspect of the present invention, there is provided a cache server device that controls a DNS query request between a DNS client device and a DNS server device, wherein the DNS query request received from the DNS client device is sent to the DNS server device. When transmitting, a DNS query request transmitting means is included for transmitting a DNS query request including a client address for identifying the DNS client device.

  The invention according to claim 12 is a DNS query request control method applied to a DNS server client system configured via a cache server device between a DNS client device and a DNS server device, wherein the cache server When a device transmits a DNS query request received from the DNS client device to the DNS server device, a DNS query request is transmitted by including a client address for uniquely identifying the DNS client device in the DNS query request And a DNS query response for controlling a response to the DNS query request based on the client address included in the DNS query request when the DNS server device receives the DNS query request from the cache server device. Control worker And wherein the containing when the.

  The invention according to claim 13 is a DNS query request control program for causing a computer to execute a DNS query request control method for receiving and controlling a DNS query request transmitted from a DNS client device via a cache server device, A DNS query request receiving procedure for receiving a DNS query request including a client address for uniquely identifying the DNS client device from the cache server device, and a DNS query request when the DNS query request is received from the cache server device. A DNS query response control procedure for controlling a response to the DNS query request based on the client address included in the query request is executed by a computer.

  The invention according to claim 14 is a DNS query request control program for causing a computer to execute a DNS query request control method for controlling a DNS query request between a DNS client device and a DNS server device, wherein the DNS client device When the DNS query request received from the DNS server apparatus is transmitted to the DNS server apparatus, the computer is caused to execute a DNS query request transmission procedure in which a client address for identifying the DNS client apparatus is included in the DNS query request and transmitted. Features.

  According to the invention of claim 1 or 12, when the cache server device transmits the DNS query request received from the DNS client device to the DNS server device, the client address (client IP address) for identifying the DNS client device. When the DNS server apparatus receives the DNS query request from the cache server apparatus, the DNS server apparatus controls the response to the DNS query request based on the client address included in the DNS query request. Even in the case of a DNS server device via a cache server device with a client device, it is possible to control a response to a DNS query request for each DNS client device. This eliminates the need for an administrator of the subnet to install a cache server device for unauthorized users in the subnet, thereby reducing equipment costs, and not all users in the subnet. As a result of being able to reject only DNS query requests from users, it is possible to increase the security of the entire network.

  According to the invention of claim 2, since the cache server device transmits the DNS query request including the client address in the additional part, for example, the client address is additionally described in the DNS query adding part standardized by RFC1034. By sending a DNS query request, even if the DNS server device cannot perform response control based on the client address, it does not receive an illegally formatted DNS query request. As a result of ignoring and performing response control based on the IP address of the cache server device, the cache server device determines whether or not the DNS server device that is the transmission destination of the DNS query request performs response control for each client address. There is no need to recognize and It is possible to coexist the DNS server that does not perform response control based on the DNS server and the client address to be controlled.

  According to the invention of claim 3, the cache server device stores information (for example, IP address or host name) for identifying the DNS server device that can respond to the DNS query request including the client address. In addition, since the DNS query request including the client address is transmitted only to the DNS server apparatus that can respond to the DNS query request including the client address, the cache server apparatus cannot perform response control based on the client address. As a result of not sending a client address unnecessarily to a DNS server device, it is possible to suppress the amount of information of a DNS query request to be sent.

  According to the invention of claim 4, the cache server device identifies a DNS client device to be a transmission target of a DNS query request including a client address in addition to information for identifying the DNS server device. (For example, a client address and a network address) are stored in advance, and only when the DNS query request is received from the DNS client device to be transmitted of the DNS query request including the client address, the client address is set. Since the included DNS query request is transmitted, the cache server apparatus can also control whether or not the client address is included in the DNS query request for each DNS client apparatus.

  According to the invention of claim 5, the DNS server device is information for identifying a cache server device that is permitted to transmit a DNS query request including a client address (for example, the IP address of the cache server device). Is stored, and the response to the DNS query request is controlled based on the client address only when the transmission of the DNS query request including the client address is permitted for the cache server device that is the transmission source of the DNS query request. Therefore, even if the DNS server apparatus receives a DNS query request including the client address from a cache server apparatus that is not permitted to transmit a DNS query request including the client address, the DNS server apparatus ignores the client address. IP address The results can respond controlled based on the scan, etc., it is possible to response control cache server units (subnet units) to the DNS query requests that may have misrepresented a portion of the client address.

  According to the invention of claim 6, the DNS server device stores any one of non-response, rejection response, and resource record as response control content for the DNS query request in association with the client address. , The response control content associated with the client address included in the DNS query request is searched, and any one of no response, rejection response, and resource record response is performed. Therefore, in the DNS server device, according to the client address, No response, rejection response, resource record response (for example, one resource record prepared for all clients, resource record prepared for each client address, resource record prepared for each country, prepared for each company and outside A variety of responses such as resource records) It is possible to realize the answer control.

  According to the invention of claim 7, the cache server device receives the resource record received as a response to the DNS query request transmitted including the client address from among the resource records received as a DNS query response from the DNS server device. Except for storing only resource records received as a response to a DNS query request sent without including the client address, and only if no resource records corresponding to the DNS query request received from the DNS client device are stored. Since the DNS query request is transmitted to the DNS server device, the cache server device must transmit to the DNS server device a DNS query request to be subjected to response control based on the client address in the DNS server device. Ri, whereby it is possible to prevent a situation in which would respond with cache server apparatus to the DNS query request from an unauthorized user, it is possible to increase the security of the entire network.

  According to the invention of claim 8, the cache server device, among the resource records received as a DNS query response from the DNS server device, about the resource record received as a response to the DNS query request transmitted including the client address. Is stored in association with the client address in the resource record, and the resource record corresponding to the DNS query request received from the DNS client device and the client address of the DNS client device are not stored in association with each other. Since the DNS query request is transmitted to the DNS server device, the DNS server request is sent to the DNS server for the DNS query request for which the response control based on the client address has not yet been performed in the DNS server device. As a result, it is possible to avoid a situation in which the cache server device responds to a DNS query request from an unauthorized user, and as a result, it is possible to improve the security of the entire network. . In addition, in the cache server device, a DNS query request for which response control based on a client address in the DNS server device has been performed in the past is performed in the past without sending a DNS query request to the DNS server device again. As a result of performing the DNS query response as described above, it is possible to speed up the DNS query response.

  According to the invention of claim 9, the DNS server device stores the response control contents for the DNS query request for each system unit and / or zone unit in association with the client address, and for each domain unit. The response control content for the request is stored, and the response control content associated with the client address included in the DNS query request is retrieved in system units and / or zone units and domain units, and the retrieved response control is retrieved. Since the response to the DNS query request is controlled based on the content, the DNS server apparatus applies a combination of response control in units of systems and / or zones and response control in units of domains to the DNS query request. Results in system units and zones With simple and quick response control by position, it is possible to realize a fine response control by domain unit for each client address.

  According to the invention of claim 10 or 13, the DNS server apparatus receives a DNS query request including a client address (client IP address) for identifying the DNS client apparatus from the cache server apparatus, and receives the DNS query request. Since the response to the DNS query request is controlled based on the client address included in the DNS server, even if the DNS server device is connected to the DNS client device via the cache server device, the response to the DNS query request is controlled for each DNS client device. Is possible. This eliminates the need for an administrator of the subnet to install a cache server device for unauthorized users in the subnet, thereby reducing equipment costs, and not all users in the subnet. As a result of being able to reject only DNS query requests from users, it is possible to increase the security of the entire network.

  According to the invention of claim 11 or 14, when the cache server device transmits the DNS query request received from the DNS client device to the DNS server device, the client address (client IP for identifying the DNS client device). Address) is included in the DNS query request and transmitted, the DNS server apparatus controls the response to the DNS query request based on the client address included in the DNS query request when the DNS query request is received from the cache server apparatus. Accordingly, even for a DNS server device via a cache server device with a DNS client device, a response to a DNS query request can be controlled for each DNS client device. This eliminates the need for an administrator of the subnet to install a cache server device for unauthorized users in the subnet, thereby reducing equipment costs, and not all users in the subnet. As a result of being able to reject only DNS query requests from users, it is possible to increase the security of the entire network.

  Exemplary embodiments of a DNS server client system, a DNS server device, a cache server device, a DNS query request control method, and a DNS query request control program according to the present invention will be described below in detail with reference to the accompanying drawings.

  In the following, after describing the outline and features of the DNS system according to the first embodiment, the configuration of the cache server, the configuration of the authoritative server in the first embodiment, the flow of the query request control process according to the first embodiment, and finally, The effect by Example 1 is demonstrated. The “DNS system” appearing in the following examples corresponds to the “DNS client server system” described in the claims, the “DNS client” also corresponds to the “DNS client device”, and the “cache server”. "Corresponds to the" cache server apparatus ", and" authoritative server "also corresponds to the" DNS server apparatus ".

[Outline and features of DNS system]
First, the outline and features of the DNS system according to the first embodiment will be described with reference to FIG. FIG. 1 is a system configuration diagram illustrating the overall configuration of the DNS system according to the first embodiment.

  As shown in FIG. 1, in the DNS system according to the first embodiment, a plurality of authority servers 30 and a plurality of subnets are connected to the Internet, and a cache server 20 as a DNS full service resolver is installed in each subnet. In addition, a plurality of DNS clients 10 are arranged in each subnet.

  In such a DNS system, each authority server 30 manages a conversion table (resource record file) in which host names and IP addresses are associated with each other. When a query request is transmitted from the DNS client 10 in the subnet, the cache server 20 that has received the query request transmits the query request to the authority server 30 that manages an arbitrary domain. Here, the IP address (source IP) of the query request transmitted from the DNS client 10 to the cache server 20 is the IP address (client IP) of the DNS client 10, while the cache server 20 sends the authority server 30. The IP address (source IP) of the query request transmitted to is the IP address of the cache server 20 (cache server IP).

  On the other hand, the authority server 30 that has received such a query request transmits a resource record corresponding to the query request to the cache server 20 as a query response, or rejects a query request from an unauthorized user based on the originating IP address of the query request. Control the query response to the query request. Here, the DNS system according to the first embodiment has a main feature in such a query request control process. As described below, even with the authoritative server 30 via the cache server 20 with the DNS client 10, A response to the DNS query request can be controlled for each DNS client 10.

  This main feature will be described in detail. In FIG. 1, the authority server 30 not only has the IP address (cache server IP) of the cache server 20 that rejects the response, but also the IP address (client) of the DNS client 10 that rejects the response. IP) is managed (for example, in the first embodiment, a system-based denial response list) is managed. When the cache server 20 transmits the query request received from the DNS client 10 to the authoritative server 30, the cache server 20 includes the client IP of the DNS client 10 in the query request addition unit and transmits it.

  On the other hand, when the authority server 30 receives a query request from the cache server 20, the authority server 30 controls a response to the DNS query request based on the client IP included in the addition part of the query request. Specifically, the authority server 30 refers to the access control based on the client IP, and when the client IP is defined as a response rejection, the authority server 30 transmits a rejection response to the cache server 20 as a query response. , The cache server 20 transmits a rejection response query response to the DNS client 10 that has transmitted the query request (see, for example, the DNS client a shown in FIG. 1). On the contrary, if the client IP is not defined as a response rejection in the access control list, the authority server 30 searches the resource record file for the resource record corresponding to the query request, and the resource record as the search result Is transmitted to the cache server 20 as a query response, and the cache server 20 that has received this transmits a query response of the resource record to the DNS client 10 that has transmitted the query request (see, for example, the DNS client b shown in FIG. 1). ).

  As described above, the DNS system according to the first embodiment can individually reject the response to each DNS client 10 existing in the same subnet or perform a normal response. As described above, the DNS client 10 Even in the case of the authoritative server 30 via the cache server 20, the response to the DNS query request can be controlled for each DNS client 10. As a result, it becomes unnecessary for the administrator of the subnet to install the cache server 20 for unauthorized users in the subnet, so that the equipment cost can be suppressed, and not all users in the subnet are unauthorized. As a result of being able to reject only DNS query requests from users, it is possible to increase the security of the entire network.

[Cache server configuration]
Next, the configuration of the cache server 20 according to the first embodiment will be described with reference to FIGS. FIG. 2 is a block diagram illustrating the configuration of the cache server in the first embodiment, FIG. 3 is a diagram illustrating an example of information stored in the authoritative server list, and FIG. 4 is a query to which the client IP is added. It is a figure which shows the example of a request | requirement.

  As illustrated in FIG. 2, the cache server 20 according to the first embodiment includes a communication control IF unit 21, a storage unit 22, and a control unit 23. Among these, the communication control IF unit 21 is a means for controlling communication related to various information exchanged with the DNS client 10 and the authoritative server 30. For example, the communication control IF unit 21 receives a query request from the DNS client 10 and sends it to the authoritative server 30. A query request is transmitted, a query response is received from the authority server 30, and a query response is transmitted to the DNS client 10.

  The storage unit 22 is a storage unit (storage unit) that stores data and programs necessary for various processes performed by the control unit 23, and particularly as closely related to the present invention, as shown in FIG. A list 22a is provided. The authority server list 22a corresponds to “DNS server information storage unit” recited in the claims.

  The authoritative server list 22a should be information for identifying the authoritative server 30 that can respond to a query request including the client IP (hereinafter referred to as “extended query” as appropriate), and further, an extension query transmission target. This is a means for storing information for identifying the DNS client 10. Specifically, as shown in FIG. 3, the domain name of the authoritative server that can notify the client IP that is the originating terminal IP, or the originating terminal IP The IP addresses (or network addresses) of DNS clients 10 that allow notification of a certain client IP are listed and stored.

  Normally, the storage unit 22 in the cache server 20 caches and stores the resource record received as a query response from the authoritative server 30, but in the cache server 20 according to the first embodiment, from the authoritative server 30. The received resource record is not cached (so-called “TTL = 0” is set), and the query request received from the DNS client 10 is always transmitted to the authoritative server 30. The response to the query request can be controlled for each DNS client 10.

  The control unit 23 is a processing unit that has a control program such as an OS (Operating System), a program that defines various processing procedures, and an internal memory for storing necessary data, and executes various processes using these. In particular, as closely related to the present invention, as shown in FIG. 2, a query request transmission unit 23a and a query response transmission unit 23b are provided. The query request transmission unit 23a corresponds to “DNS query request transmission unit” recited in the claims.

  Among the control units 23, the query request transmission unit 23 a is a processing unit that receives a query request from the DNS client 10 and transmits the query request to the authority server 30. Specifically, when receiving the query request from the DNS client 10, the query request transmission unit 23a refers to the authority server list 22a and determines that the authority server 30 that is the transmission destination of the query request includes the extended query (including the client IP). It is determined whether or not the DNS client 10 that is the transmission source of the query request is a transmission target of the extended query.

  As a result of this determination, if the authority server 30 that is the transmission destination of the query request can receive the extended query and the DNS client 10 that is the source of the query request is the transmission target of the extended query, the query request is transmitted. As shown in FIG. 4, the unit 23a sets the client IP for identifying the DNS client 10 that is the source of the query request in the addition unit of the query request standardized by RFC 1034, and sets the source IP (cache server). IP) and an extended query to which the client IP is added is transmitted to the authority server 30. On the other hand, if the authority server 30 that is the destination of the query request cannot receive the extended query, or if the DNS client 10 that is the source of the query request is not the target of the extended query, the query request transmission unit 23a A query request in which only IP (cache server IP) is set is transmitted to the authority server 30.

  The query response transmission unit 23 b is a processing unit that receives a query response from the authority server 30 and transmits the query response to the DNS client 10. Specifically, when a query response (response rejection or resource record) is received from the authority server 30, the response rejection or resource record query response is transmitted to the DNS client 10 that has transmitted the query request. As described above, the cache server 20 according to the first embodiment does not cache the resource record received as a query response from the authority server 30.

  The cache server 20 described above can also be realized by mounting each function of each unit described above on a known personal computer or workstation.

[Configuration of the authoritative server]
Next, the configuration of the authority server 30 according to the first embodiment will be described with reference to FIGS. 5 and 6. FIG. 5 is a block diagram illustrating a configuration of the authority server in the first embodiment, and FIG. 6 is a diagram illustrating an example of information stored in the access control list.

  As shown in FIG. 5, the authority server 30 according to the first embodiment includes a communication control IF unit 31, a storage unit 32, and a control unit 33. Among these, the communication control IF unit 31 is a unit that controls communication regarding various information exchanged with the cache server 20. For example, the communication control IF unit 31 receives a query request from the cache server 20 and transmits a query response to the cache server 20. To do.

  The storage unit 32 is a storage unit (storage unit) that stores data and programs necessary for various processes performed by the control unit 33, and particularly as closely related to the present invention, as shown in FIG. A list 32a and a resource record file 32b are provided. The access control list 32a corresponds to “response control content storage unit” recited in the claims.

  The access control list 32a is a means for storing response control contents for a query request in association with a client IP or a cache server IP that is a source IP address of the query request. Specifically, as shown in FIG. The client IP and cache server IP that do not respond to the query request, and the client IP and cache server IP that perform the rejection response to the query request are listed and stored. The resource record file 32b is means for storing a host name (domain name) and an IP address (resource record) in association with each other.

  The control unit 33 is a processing unit that has a control program such as an OS (Operating System), a program that defines various processing procedures, and an internal memory for storing necessary data, and executes various processes using these. Particularly, as closely related to the present invention, as shown in FIG. 5, a query response control unit 33a is provided. The query response control unit 33a corresponds to “DNS query response control means” recited in the claims.

  The query response control unit 33a is a processing unit that receives a query request from the cache server 20 and controls the query response. Specifically, when the query response control unit 33a receives a query request from the cache server 20, the query response control unit 33a determines whether the client IP is added to the extension part of the query request (is an extended query), and is an extended query. In this case, the client IP is acquired from the extension unit, and if it is not the extension query, the cache server IP (source IP) is acquired as usual from the query request.

  After acquiring the IP address in this way, the query response control unit 33a refers to the access control list 32a based on the IP address, determines the response control content, and makes a query response. More specifically, an example is given. When “no response” is defined in the access control list 32a in association with the IP address (client IP or cache server IP) acquired above, a non-response query If a “rejection response” is defined in the access control list 32a in association with the acquired IP address (client IP or cache server IP), a query response of the rejection response is sent to the cache server 20. In response to a query request from the resource record file 32b when there is no “no response” or “rejection response” associated with the acquired IP address (client IP or cache server IP). Search for resource records to search and resources as search results It sends to the cache server 20 code as a query response.

  Note that the authority server 30 described above can also be realized by mounting each function of each unit described above on a known personal computer or workstation.

[Flow of query request control processing]
Subsequently, the flow of the query request control process according to the first embodiment will be described with reference to FIG. FIG. 7 is a flowchart illustrating the flow of the query request control process according to the first embodiment.

  As shown in FIG. 7, when a query request is transmitted from the DNS client 10 (step S701) and the query request is received from the cache server 20, the cache server 20 refers to the authority server list 22a and sends the query request destination. It is determined whether the authoritative server 30 can receive the extended query (query request including the client IP) (step S702), and if it can be received (Yes in step S702), the query request is transmitted. It is determined whether the original DNS client 10 is an extension query transmission target (step S703).

  With this determination, when the authority server 30 that is the transmission destination of the query request can receive the extended query (Yes in step S702), and the DNS client 10 that is the source of the query request is the transmission target of the extended query. (Yes in step S703), the cache server 20 sets the client IP of the DNS client 10 that is the source of the query request as an additional part of the query request (step S704), and in addition to the source IP (cache server IP), the client The extended query to which the IP is added is transmitted to the authority server 30 (step S705).

  On the other hand, if the authority server 30 that is the transmission destination of the query request cannot receive the extended query (No in step S702), or if the DNS client 10 that is the source of the query request is not the transmission target of the extended query (No in step S703). The cache server 20 transmits a query request in which only the source IP (cache server IP) is set to the authoritative server 30 (step S705).

  In this way, the authority server 30 that has received the query request transmitted from the cache server 20 determines whether or not the client IP is added to the extension part of the query request (is an extended query) (step S706). If it is a query (Yes at Step S706), the client IP is acquired from the extension unit (Step S707). If it is not an extension query (No at Step S706), the cache server IP (source IP) is obtained as usual from the query request. Obtain (step S708).

  After acquiring the IP address in this way, the authority server 30 refers to the access control list 32a based on the IP address, determines the response control content (step S709), and makes a query response (step S710). More specifically, an example is given. When “no response” is defined in the access control list 32a in association with the IP address (client IP or cache server IP) acquired above, a non-response query If a “rejection response” is defined in the access control list 32a in association with the acquired IP address (client IP or cache server IP), a query response of the rejection response is sent to the cache server 20. In response to a query request from the resource record file 32b when there is no “no response” or “rejection response” associated with the acquired IP address (client IP or cache server IP). Search for resource records to search and resources as search results It sends to the cache server 20 code as a query response.

  Thereafter, when the cache server 20 receives a query response (response rejection or resource record) from the authority server 30, the cache server 20 transmits a response rejection or resource record query response to the DNS client 10 that has transmitted the query request (step S711). .

  Even when the authority server 30 that cannot perform response control based on the client IP receives the extended query from the cache server 20, the extended query is additionally described in the DNS query addition unit standardized by RFC1034. Therefore, it does not mean that a query request with an illegal format has been received, and the response is controlled based on the cache server IP (source IP) ignoring the additional part.

[Effects of Example 1]
As described above, according to the first embodiment, when the cache server 20 transmits the query request received from the DNS client 10 to the authoritative server 30, the client address (client IP) for identifying the DNS client 10 is used. When the authority server 30 receives the query request from the cache server 20 and controls the response to the query request based on the client IP included in the query request, the authority server 30 communicates with the DNS client 10. Even with the authority server 30 via the cache server 20 in the meantime, the response to the query request can be controlled for each DNS client 10. As a result, it becomes unnecessary for the administrator of the subnet to install the cache server 20 for unauthorized users in the subnet, so that the equipment cost can be suppressed, and not all users in the subnet are unauthorized. As a result of rejecting only the query request from the user, it is possible to increase the security of the entire network.

  Further, according to the first embodiment, the cache server 20 transmits a client request including the client IP in the additional part of the query request. Therefore, for example, the client server IP is additionally described in the DNS query adding unit standardized in RFC 1034 and the query is performed. Even if the authoritative server 30 is unable to perform response control based on the client IP by transmitting the request, it does not receive an illegally formatted query request, and ignores the query addition unit and cache server 20 As a result, the cache server 20 does not need to recognize whether or not the authority server 30 that is the transmission destination of the query request performs response control for each client IP. Authoritative server 30 that performs response control based on IP and response system based on client IP It is possible to coexist and authority server 30 is not performed.

  According to the first embodiment, the cache server 20 stores information (for example, an IP address or a host name) for identifying the authoritative server 30 that can respond to a query request including the client IP, and stores the client Since the query request including the client IP is transmitted only to the authoritative server 30 that can respond to the query request including the IP, the cache server 20 provides the authority server 30 that cannot perform the response control based on the client IP. On the other hand, as a result of not sending the client IP unnecessarily, it is possible to suppress the information amount of the query request to be sent.

  In addition, according to the first embodiment, the cache server 20 includes information for identifying the DNS client 10 to be a transmission target of the query request including the client IP in addition to the information for identifying the authority server 30 ( For example, a client IP, a network address) is further stored, and only when a query request is received from the DNS client 10 that is a transmission target of a query request including the client IP, the query request including the client IP is transmitted. Since transmission is performed, the cache server 20 can also control whether or not the client IP is included in the query request for each DNS client 10.

  In the above-described first embodiment, the case where the client IP included in the extended query is always used for the query response control in the authoritative server 30 has been described. However, the present invention is not limited to this, and a reliable cache is used. Only the client IP included in the extended query received from the server 20 may be used for query response control.

  Therefore, in the following, a case where query response control is performed after determining whether an extended query has been transmitted from the reliable cache server 20 will be described as a second embodiment. However, the DNS system according to the second embodiment basically has the same configuration as the DNS system according to the first embodiment, except that the authority server 30 newly manages a cache server management list described later. Therefore, in the following, the cache server management list will be described with reference to FIG. 8, and then the flow of query response processing by the authority server in the second embodiment will be described with reference to FIG. FIG. 8 is a diagram illustrating an example of information stored in the cache server management list of the authoritative server in the second embodiment, and FIG. 9 is a flowchart illustrating a flow of query response processing by the authoritative server in the second embodiment. It is.

  The storage unit 32 of the authority server 30 according to the second embodiment includes a cache server management list as shown in FIG. This cache server management list is means for storing information for identifying the cache server 20 that is permitted to transmit a query request (extended query) including the client IP. Specifically, the cache server management list is shown in FIG. As described above, the cache server IPs of the cache server 20 that are permitted to transmit the extended query are listed and stored. The cache server management list corresponds to “cache server information storage unit” recited in the claims.

  Then, as shown in FIG. 9, the authority server 30 that has received the query request transmitted from the cache server 20 determines whether or not the client IP is added to the extended part of the query request (is an extended query) ( In step S901), if the query is an extended query (Yes in step S901), the cache server management list is further referred to based on the cache server IP that is the source IP of the query request, and the trust that is permitted for sending the extended query. It is determined whether or not the possible cache server 20 is a transmission source (step S902).

  As a result, when the source of the extended query is the reliable cache server 20 (Yes at Step S902), the authority server 30 acquires the client IP from the extended part of the query request (Step S903). On the other hand, when the source of the extended query is not the reliable cache server 20 (No at Step S902), or when the query request received from the cache server 20 is not the extended query (No at Step S901), the authority server 30 The cache server IP (source IP) is acquired from the query request as usual (step S904).

  After acquiring the IP address in this way, the authority server 30 determines the response control content by referring to the access control list 32a based on the IP address (step S905), as in the first embodiment, and the query response. Is performed (step S906).

  As described above, according to the second embodiment, the authoritative server 30 has information (for example, a cache server) for identifying the cache server 20 that is permitted to transmit a query request (extended query) including the client IP. 20) and only when the cache server 20 that is the transmission source of the query request is permitted to transmit the query request including the client IP, the response to the query request is made based on the client IP. Therefore, the authority server 30 ignores the client IP even when it receives a query request (extended query) including the client IP from the cache server 20 that is not permitted to transmit the query request including the client IP. Response control is performed based on the IP address or the like of the cache server 20 DOO can result, it is possible to response control cache server 20 units (subnet units) for a query request that may have misrepresented a portion of the client IP.

  In the above-described first embodiment, the case where the cache server 20 does not cache the query response of the resource record has been described. However, the present invention is not limited to this, and the cache server 20 caches the query response of the resource record. You may make it do.

  In the following, a case where the cache server 20 caches the query response of the resource record will be described as a third embodiment. However, the DNS system according to the third embodiment is basically the same configuration as the DNS system according to the first embodiment, and only the query request transmission process and the query response transmission process by the cache server 20 are different. Hereinafter, the flow of the query response transmission process performed by the cache server 20 in the third embodiment will be described with reference to FIG. 10, and then the flow of the query request transmission process performed by the cache server 20 in the third embodiment will be described with reference to FIG. To do. 10 is a flowchart showing the flow of query response transmission processing by the cache server in the third embodiment, and FIG. 11 is a flowchart showing the flow of query request transmission processing by the cache server in the third embodiment.

  First, the flow of query response transmission processing by the cache server 20 according to the third embodiment will be described with reference to FIG. As illustrated in FIG. 10, when the cache server 20 according to the third embodiment receives the query response of the resource record from the authority server 30 (Yes in step S1001), the query response is an extended query (the client IP is added to the extension part of the query request). It is determined whether the request is for a query request that has been added and transmitted to the authority server 30 (step S1002).

  If the query response is not for an extended query (No at Step S1002), the cache server 20 caches the resource record of the query response in the storage unit 22 (Step S1003), and then the DNS that has transmitted the query request. A resource record query response is transmitted to the client 10 (step S1004). In other words, if it is not a query response to the extended query, the resource record is not a target to be controlled for each DNS client 10, so even if this is cached and used for all DNS clients 10 in the subnet, it is not secure. This is because there is no problem.

  On the other hand, if the query response is for an extended query (Yes at step S1002), the cache server 20 does not cache the resource record of the query response as in the first embodiment, and does not cache the query request. A resource record query response is transmitted to the DNS client 10 that has transmitted (step S1004). In other words, if it is a query response to an extended query, the resource record is a target to be controlled for each DNS client 10, so it is considered to be a security problem to cache this and use it within the subnet. Because it is.

  Next, a flow of query request transmission processing by the cache server in the third embodiment will be described with reference to FIG. As shown in FIG. 11, the cache server 20 that has received the query request transmitted from the DNS client 10 refers to the authoritative server list 22a as in the above-described first embodiment to refer to the authoritative server that is the destination of the query request. 30 determines whether or not the extended query (query request including the client IP) can be received (step S1101), and if it can be received (Yes in step S1101), the DNS that is the source of the query request It is determined whether the client 10 is an extension query transmission target (step S1102).

  With this determination, when the authority server 30 that is the transmission destination of the query request can receive the extended query (Yes in step S1101), and the DNS client 10 that is the source of the query request is the transmission target of the extended query. (Yes in step S1102), the cache server 20 sets the client IP of the DNS client 10 that is the source of the query request as an addition part of the query request (step S1103), as in the first embodiment, and the source IP ( The extended query to which the client IP is added in addition to the cache server IP) is transmitted to the authority server 30 (step S1104).

  On the other hand, if the authority server 30 that is the transmission destination of the query request cannot receive the extended query (No at Step S1101), or if the DNS client 10 that is the source of the query request is not the transmission target of the extended query (No at Step S1102). The cache server 20 searches whether the resource record corresponding to the query request is cached in the storage unit 22 (step S1105). If the resource record corresponding to the query request is cached in the storage unit 22 (Yes in step S1105), the cache server 20 acquires the resource record from the cache without sending the query request to the authority server 30. Then, the resource record is transmitted as a query response to the DNS client 10 (step S1106).

  On the other hand, when the resource record corresponding to the query request is not cached in the storage unit 22 (No in step S1105), the cache server 20 uses the source IP (cache server IP) as in the first embodiment. ) Is set to the authority server 30 (step S1104).

  As described above, according to the third embodiment, the cache server 20 receives, as a response to a query request (extended query) transmitted including the client IP among resource records received as a query response from the authority server 30. In the case where only the resource record received as a response to the query request transmitted without including the client IP is stored, and the resource record corresponding to the query request received from the DNS client 10 is not stored. Only the query request is transmitted to the authoritative server 30, so that the cache server 20 always transmits to the authoritative server 30 a query request to be subjected to response control based on the client IP in the authoritative server 30. For query requests And whereby it is possible to prevent a situation in which would respond with the cache server 20, it is possible to increase the security of the entire network.

  In the above-described third embodiment, a case has been described in which the resource record received as a response to the extended query (a query request transmitted including the client IP) is not cached. However, the present invention is not limited to this. The resource record received as a response to the extended query may be cached in association with the client IP.

  Therefore, in the following, a case where the resource record received as a response to the extended query is cached in association with the client IP will be described as a fourth embodiment. However, the cache server 20 in the fourth embodiment is basically the same as the cache server 20 in the third embodiment, and only the query request transmission process and the query response transmission process are slightly different. 12, the flow of the query response transmission process by the cache server 20 in the fourth embodiment is described, and then the flow of the query request transmission process by the cache server 20 in the fourth embodiment is described with reference to FIG. 12 is a flowchart showing the flow of query response transmission processing by the cache server in the fourth embodiment, and FIG. 13 is a flowchart showing the flow of query request transmission processing by the cache server in the fourth embodiment.

  First, the flow of query response transmission processing by the cache server 20 in the fourth embodiment will be described with reference to FIG. As illustrated in FIG. 12, in the cache server 20 according to the fourth embodiment, when the query response of the resource record is received from the authority server 30 (Yes in step S1201), the query response is an extended query (the client IP is added to the extension part of the query request). It is determined whether the request is for a query request that has been added and transmitted to the authority server 30 (step S1202).

  If the query response is not for an extended query (No at Step S1202), the cache server 20 caches the resource record of the query response in the storage unit 22 (Step S1204), and then the DNS that has transmitted the query request. A resource record query response is transmitted to the client 10 (step S1205). In other words, if it is not a query response to the extended query, the resource record is not a target to be controlled for each DNS client 10, so even if this is cached and used for all DNS clients 10 in the subnet, it is not secure. This is because there is no problem.

  On the other hand, if the query response is for an extended query (Yes at step S1202), the cache server 20 caches the resource record of the query response in the storage unit 22 in association with the client IP of the DNS client 10. (Step S1203), a resource record query response is transmitted to the DNS client 10 that has transmitted the query request (Step S1205). In other words, if it is a query response to an extended query, the resource record is a target to be controlled for each DNS client 10, so that it is security to use this for all DNS clients 10 within a subnet. This is because it is considered that there is no problem in terms of security if this is cached and used only for the same DNS client 10.

  Next, a flow of query request transmission processing by the cache server in the fourth embodiment will be described with reference to FIG. As shown in FIG. 13, the cache server 20 that has received the query request transmitted from the DNS client 10 refers to the authoritative server list 22a as in the above-described first embodiment to refer to the authoritative server that is the destination of the query request. 30 determines whether or not the extended query (query request including the client IP) can be received (step S1301). If the query can be received (Yes in step S1301), the DNS that is the source of the query request It is determined whether the client 10 is an extension query transmission target (step S1302).

  As a result of the determination, the authority server 30 that is the transmission destination of the query request can receive the extended query (Yes in step S1301), and the DNS client 10 that is the source of the query request is the transmission target of the extended query. (Yes in step S1302), the cache server 20 searches whether the resource record corresponding to the query request is cached in the storage unit 22 (step S1303), and the resource record corresponding to the query request is cached in the storage unit 22. If YES in step S1303, it is further determined whether it is cached in association with the client IP of the DNS client 10 (matches the client IP of the DNS client 10 that is the source of the query request) (step S1303). S1304).

  Here, if the resource record corresponding to the query request is not cached in the storage unit 22 (No at Step S1303), or if it is cached but the source does not match (No at Step S1304), the first embodiment described above. Similarly, the client IP of the DNS client 10 that is the source of the query request is set in the query request adding unit (step S1305), and the extended query to which the client IP is added in addition to the source IP (cache server IP) is authoritative. It transmits to the server 30 (step S1306).

  On the other hand, if the resource record corresponding to the query request is cached in the storage unit 22 (Yes at Step S1303) and matches the client IP of the DNS client 10 that is the source of the query request (Yes at Step S1304). The cache server 20 acquires a resource record from the cache without transmitting a query request to the authoritative server 30, and transmits the resource record to the DNS client 10 as a query response (step S1308). That is, even if it is cached in association with the client IP, if the DNS client 10 that is the query request source is the same, it is considered that there is no problem in terms of security in using only the same DNS client 10. Because it is.

  Returning to steps S1301 and S1302 above, whether the authority server 30 that is the destination of the query request cannot receive the extended query (No in step S1301), or the DNS client 10 that is the source of the query request is the transmission target of the extended query If not (No at Step S1302), the cache server 20 searches whether the resource record corresponding to the query request is cached in the storage unit 22 (Step S1307). If the resource record corresponding to the query request is cached in the storage unit 22 (Yes in step S1307), the cache server 20 acquires the resource record from the cache without sending the query request to the authority server 30. Then, the resource record is transmitted as a query response to the DNS client 10 (step S1308).

  On the other hand, if the resource record corresponding to the query request is not cached in the storage unit 22 (No in step S1307), the cache server 20 uses the source IP (cache server IP) as in the first embodiment. ) Is set to the authority server 30 (step S1306).

  As described above, according to the fourth embodiment, the cache server 20 receives, as a response to the query request (extended query) transmitted including the client IP among the resource records received as a query response from the authority server 30. As for the resource record, the client IP is stored in association with the resource record, and the resource record corresponding to the query request received from the DNS client 10 and the client IP of the DNS client 10 are stored in association with each other. If there is not, the query request is transmitted to the authoritative server 30, so the cache server 20 always sends a query request to the authoritative server 30 for a query request for which response control based on the client IP is not yet performed in the authoritative server 30. To send Next, since it is possible to avoid a situation where would respond with the cache server 20 for a query request from an unauthorized user, it is possible to increase the security of the entire network. Further, in the cache server 20, a query request for which response control based on the client IP in the authoritative server 30 has been performed in the past is performed as it was in the past without sending a query request to the authoritative server 30 again. As a result, the DNS query response can be speeded up.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the first to fourth embodiments described above. Therefore, another embodiment included in the present invention will be described below as a fifth embodiment.

(1) Transmission Mode of Client IP For example, in the above embodiment, the case where the client IP is included in the additional part of the query request has been described. However, the present invention is not limited to this. The server 20 can similarly apply the present invention if the server 20 transmits the client IP together with the query request in some manner, such as separately transmitting the client IP to the query request.

(2) Client IP Transmission Conditions In the above embodiment, the authority server 30 that is the transmission destination of the query request can receive the extended query, and the DNS client 10 that is the source of the query request is the extended query. However, the present invention is not limited to this. For example, the cache server 20 can send the query request to the destination of the query request. The authoritative server 30 may be able to receive the extended query only, or may be only conditional on the DNS client 10 that is the source of the query request being the transmission target of the extended query. In addition, the client IP may always be transmitted in the query request (unconditionally).

(3) Different resource records for each IP address In the above embodiment, “no response” or “rejection response” is defined in the access control list 32a in association with the IP address (client IP or cache server IP). Otherwise, the case where the resource record corresponding to the query request is searched from the resource record file 32b and the query response is described has been described. However, the present invention is not limited to this. A different resource record may be stored for each client IP or cache server IP), and a different resource record may be returned as a query response based on the originating IP address of the query request.

  As described above, the authority server 30 stores one of no response, rejection response, and resource record as response control content for the query request in association with the client IP, and the client IP included in the query request. If the response control content associated with is searched, and any one of no response, rejection response, and resource record response is performed, the authority server 30 causes no response, rejection response, Resource record response (for example, one resource record prepared for all clients, a resource record prepared for each client IP, a resource record prepared for each country, a response such as a resource record prepared for each company) It is possible to realize various response controls that perform any one of the above.

(4) System unit, zone unit, domain unit In the above embodiment, the case where the query response is controlled in system units (each client IP, each cache server IP) has been described, but the present invention is not limited to this. For example, the authority server 30 further stores an access control list in units of zones (see FIG. 14) and an access control list in units of domains (see FIG. 15) to store the system units and / or zones. The query response may be controlled in units and domain units. 14 is a diagram illustrating an example of information stored in an access control list in another embodiment, and FIG. 15 is a diagram illustrating an example of information stored in an access control list in another embodiment. is there.

  That is, for example, the authority server 30 refers to the access control list in units of systems, the access control list in units of zones, and the access control list in units of domains in order based on the client IP included in the query request. A response control content corresponding to the client IP is searched, and a response to the query request is controlled based on the searched response control content.

  Thus, the authority server 30 stores the response control content for the query request for each system unit and / or zone unit in association with the client IP, and stores the response control content for the query request for each domain unit. In addition, the response control content associated with the client IP included in the query request is searched for in units of systems and / or zones, and domains, and the response to the query request is controlled based on the searched response control content. By doing so, the authority server 30 can apply the response control in units of systems and / or zones and the response control in units of domains to the query request in combination with each other. Simple and quick response control by By it can be implemented for each minor response control the client IP.

(5) DNS of ENUM
In the above embodiment, a case has been described in which the present invention is applied to a DNS that associates a host name (domain name) on the Internet with an IP address. However, the present invention is not limited to this, and a telephone The present invention can be similarly applied to an ENUM DNS that uses a number as an access means in association with an address or service on the network.

(6) System configuration etc. In addition, among the processes described in the above-described embodiments, all or a part of the processes described as being automatically performed can be performed manually or manually. All or part of the processing described as being performed can be automatically performed by a known method. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above-mentioned document and drawings (especially those shown in FIGS. 3, 6, 8, 14, and 15) Information) can be changed arbitrarily unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  In the above-described embodiments, each device (for example, the cache server 20 and the authority server 30) that implements the present invention has been described in terms of functions. However, each function of each device is programmed in a computer such as a personal computer or a workstation. It can also be realized by executing. That is, the various processing procedures described in the above embodiments can be realized by executing a program prepared in advance on a computer. These programs can be distributed via a network such as the Internet. Further, these programs can be recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD, and can be executed by being read from the recording medium by the computer. In other words, for example, a cache server program as shown in the first embodiment or a CD-ROM storing an authoritative server program (may be a separate CD-ROM for each device) is distributed. Each computer may read and execute the program stored in the CD-ROM.

  As described above, the DNS server client system, DNS server apparatus, cache server apparatus, DNS query request control method, and DNS query request control program according to the present invention provide a cache server apparatus between the DNS client apparatus and the DNS server apparatus. In particular, it is useful for controlling a response to a DNS query request for each DNS client device.

1 is a system configuration diagram illustrating an overall configuration of a DNS system according to Embodiment 1. FIG. 1 is a block diagram illustrating a configuration of a cache server in Embodiment 1. FIG. It is a figure which shows the example of the information memorize | stored in an authority server list. It is a figure which shows the example of the query request | requirement to which client IP was added. It is a block diagram which shows the structure of the authority server in Example 1. FIG. It is a figure which shows the example of the information memorize | stored in an access control list. 6 is a flowchart illustrating a flow of a query request control process according to the first embodiment. It is a figure which shows the example of the information memorize | stored in the cache server management list | wrist which the authority server in Example 2 has. 10 is a flowchart illustrating a flow of query response processing by an authority server in the second embodiment. 12 is a flowchart illustrating a flow of query response transmission processing by a cache server according to the third embodiment. 14 is a flowchart illustrating a flow of query request transmission processing by a cache server according to the third embodiment. 14 is a flowchart illustrating a flow of query response transmission processing by a cache server according to a fourth embodiment. 14 is a flowchart illustrating a flow of query request transmission processing by a cache server according to a fourth embodiment. It is a figure which shows the example of the information memorize | stored in the access control list in another Example. It is a figure which shows the example of the information memorize | stored in the access control list in another Example. It is a figure for demonstrating the DNS system which concerns on a prior art.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 DNS client 20 Cache server 21 Communication control IF part 22 Storage part 22a Authority server list 23 Control part 23a Query request transmission part 23b Query response transmission part 30 Authority server 31 Communication control IF part 32 Storage part 32a Access control list 32b Resource record file 33 control unit 33a query response control unit

Claims (14)

A DNS server client system configured via a cache server device between a DNS client device and a DNS server device,
The cache server device
DNS query request transmitting means for transmitting a DNS query request included in the DNS query request when transmitting a DNS query request received from the DNS client device to the DNS server device;
The DNS server device
DNS query response control means for controlling a response to the DNS query request based on the client address included in the DNS query request when a DNS query request is received from the cache server device;
A DNS server client system comprising:   2. The DNS server client system according to claim 1, wherein the DNS query request transmission unit transmits the DNS query request including the client address in an additional portion of the DNS query request. The cache server device further includes a DNS server information storage unit that stores information for identifying a DNS server device that can respond to a DNS query request including the client address.
The DNS query request transmission means includes the client address only for the DNS server apparatus that can respond to the DNS query request including the client address, based on the information stored in the DNS server information storage means. The DNS server client system according to claim 1 or 2, wherein a DNS query request is transmitted. The DNS server information storage means further stores information for identifying a DNS client device to be sent as a DNS query request including the client address, in addition to information for identifying the DNS server device. And
The DNS query request transmission unit receives a DNS query request from a DNS client device to be transmitted as a DNS query request including the client address, based on information stored in the DNS server information storage unit. 4. The DNS server client system according to claim 3, wherein a DNS query request including the client address is transmitted only. The DNS server device further includes a cache server information storage unit that stores information for identifying a cache server device that is permitted to transmit a DNS query request including the client address,
The DNS query response control means is concerned only when the DNS server information storage means is permitted to transmit the DNS query request including the client address for the cache server device that is the transmission source of the DNS query request. 5. The DNS server client system according to claim 1, wherein a response to the DNS query request is controlled based on the client address included in the query request. The DNS server device further includes response control content storage means for storing any one of no response, rejection response, and resource record as response control content for the DNS query request in association with the client address,
The DNS query response control means searches the response control content associated with the client address included in the DNS query request from the response control content stored in the response control content storage means, and performs the no-response, rejection response. The DNS server client system according to claim 1, wherein any one of resource record responses is performed. The cache server device includes the client address except for the resource record received as a response to the DNS query request transmitted including the client address from among the resource records received as a DNS query response from the DNS server device. Resource record storage means for storing only resource records received as a response to a DNS query request transmitted without
The DNS query request transmission means transmits the DNS query request to the DNS server apparatus when a resource record corresponding to the DNS query request received from the DNS client apparatus is not stored in the resource record storage means. The DNS server client system according to any one of claims 1 to 6. Of the resource records received as a DNS query response from the DNS server device, the cache server device receives the resource record received as a response to the DNS query request transmitted including the client address in the resource record. It further comprises resource record storage means for storing addresses in association with each other,
The DNS query request transmitting means is configured to store the resource record corresponding to the DNS query request received from the DNS client apparatus and the client address of the DNS client apparatus in association with the resource record storage means. The DNS server client system according to claim 1, wherein a DNS query request is transmitted to the DNS server device. The DNS server device stores response control contents for the DNS query request for each system unit and / or zone unit in association with the client address, and stores response control contents for the DNS query request for each domain unit. Response control content storage means for
The DNS query response control unit corresponds to the client address included in the DNS query request from the response control content stored in the response control content storage unit in the system unit and / or the zone unit and the domain unit. 9. The DNS server client system according to claim 1, wherein the attached response control content is searched, and a response to the DNS query request is controlled based on the searched response control content. . A DNS server device that receives and controls a DNS query request transmitted from a DNS client device via a cache server device,
DNS query request receiving means for receiving a DNS query request including a client address for identifying the DNS client device from the cache server device;
DNS query response control means for controlling a response to the DNS query request based on the client address included in the DNS query request when a DNS query request is received from the cache server device;
A DNS server device comprising: A cache server device that controls a DNS query request between a DNS client device and a DNS server device,
When a DNS query request received from the DNS client device is transmitted to the DNS server device, a DNS query request transmitting unit is included that transmits a DNS query request including a client address for identifying the DNS client device. A cache server device. A DNS query request control method applied to a DNS server client system configured via a cache server device between a DNS client device and a DNS server device,
The cache server device
A DNS query request transmission step of transmitting a DNS query request including a client address for uniquely identifying the DNS client device when transmitting a DNS query request received from the DNS client device to the DNS server device; ,
The DNS server device
A DNS query response control step of controlling a response to the DNS query request based on the client address included in the DNS query request when a DNS query request is received from the cache server device;
A DNS query request control method comprising: A DNS query request control program for causing a computer to execute a DNS query request control method for receiving and controlling a DNS query request transmitted from a DNS client device via a cache server device,
A DNS query request reception procedure for receiving from the cache server device a DNS query request including a client address for uniquely identifying the DNS client device;
A DNS query response control procedure for controlling a response to the DNS query request based on the client address included in the DNS query request when a DNS query request is received from the cache server device;
A DNS query request control program for causing a computer to execute A DNS query request control program for causing a computer to execute a DNS query request control method for controlling a DNS query request between a DNS client device and a DNS server device,
When transmitting a DNS query request received from the DNS client device to the DNS server device, a DNS query request transmission procedure for transmitting a DNS query request including a client address for identifying the DNS client device to the computer A DNS query request control program that is executed.

Images