A domain name traffic processing method, system, medium and electronic device

By detecting the authentication type of user traffic and obtaining a list of domain name IP addresses, a traffic access policy is set, which solves the security and data leakage risks caused by full traffic access in network access authentication, realizes refined traffic management and security control, and improves the security and stability of the network system.

CN122394844APending Publication Date: 2026-07-14SHENZHEN SUNDRAY NETWORK SCI TECH

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
SHENZHEN SUNDRAY NETWORK SCI TECH
Filing Date
2026-04-01
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In existing technologies, temporarily allowing full traffic during network access authentication increases the risk of network attacks, leading to security and data leakage risks, and cannot effectively prevent malicious activities and unverified users from accessing sensitive information.

Method used

By detecting the authentication type of user traffic, a list of corresponding domain name IP addresses is obtained, and traffic access policies are set based on this list, including network traffic access rules. Multi-source DNS, TTL awareness, and CNAME chain are used for resolution detection to generate fine-grained traffic management policies, and traffic control is performed using ACL rules and SDN controllers.

Benefits of technology

It enables fine-grained traffic management, improves the security and stability of the network system, prevents unauthorized traffic intrusion, protects the internal security of the network system, and optimizes network resource utilization and user experience.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122394844A_ABST
    Figure CN122394844A_ABST
Patent Text Reader

Abstract

The application further provides a domain name traffic processing method, system, medium and electronic equipment, relating to the technical field of network security, and the method comprises the steps of: when detecting that user traffic accesses a network, determining an authentication type corresponding to the user traffic; if the authentication type is a webpage authentication type or an application authentication type, obtaining a domain name IP address list corresponding to the authentication type; setting a traffic passing strategy for a corresponding IP address according to the domain name IP address list, and performing traffic processing based on the traffic passing strategy. Through strict management of the authentication type and the domain name IP address list, the application can effectively prevent unauthorized traffic from entering the network system. Through strict authentication and screening of the traffic, potential malicious traffic can be rejected, thereby protecting the safety inside the network system.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and in particular to a domain name traffic processing method, system, medium, and electronic device. Background Technology

[0002] Web authentication for advertising and marketing, and social app authentication for business promotion are common methods of network access authentication. These methods are very convenient, requiring no manual input of information; users can quickly complete the process with a few clicks on a page. Furthermore, users participate in business promotion during the authentication process, achieving the goal of real-name registration for network access, making them very popular.

[0003] Currently, for users who need to authenticate via the external network to access the network, all traffic is temporarily allowed for a period of time. Once authentication is complete, traffic rules are reset, or users who fail to authenticate are logged off. However, this increases the potential attack surface, as temporarily allowing all external network traffic significantly increases the risk of network attacks. Attackers could exploit this vulnerability for malicious activities such as DDoS attacks and malware propagation, impacting the overall security and availability of the network. Furthermore, there is a risk of data leakage; since all external traffic is allowed, unauthenticated users could accidentally access sensitive information or internal enterprise systems, leading to the leakage of sensitive data.

[0004] Therefore, how to achieve secure authentication for network access is a technical problem that urgently needs to be solved by those skilled in the art. Summary of the Invention

[0005] The purpose of this application is to provide a domain name traffic processing method, system, medium, and electronic device that can strictly authenticate and filter traffic to protect the security of the network system.

[0006] To address the aforementioned technical problems, this application provides a domain name traffic processing method, the specific technical solution of which is as follows:

[0007] When user traffic is detected accessing the network, the authentication type corresponding to the user traffic is determined;

[0008] If the authentication type is a web-based authentication type or an application-based authentication type, obtain the domain IP address list corresponding to the authentication type; the domain IP address list contains several IP addresses and the traffic access policy corresponding to each IP address;

[0009] Based on the list of domain name IP addresses, a traffic allowance policy is set for the corresponding IP address, and traffic processing is performed based on the traffic allowance policy; the traffic allowance policy includes network traffic allowance rules.

[0010] Optional, also includes:

[0011] Send a domain name resolution request to query the IP address corresponding to the domain name;

[0012] If the domain name resolution request response times out, a network error message will be generated;

[0013] If the domain name resolution request response does not time out, update the cached data of the control plane according to the response information; the cached data includes the association between domain names and IP addresses.

[0014] Optionally, after updating the control plane's cached data based on the response information, the following may also be included:

[0015] Periodically check whether the cached data in the control plane is updated;

[0016] If the cached data of the control plane has been updated, the latest cached data is sent to the cache space of the forwarding plane.

[0017] Optionally, obtaining the list of domain name IP addresses corresponding to the authentication type includes:

[0018] Obtain the list of domain name IP addresses corresponding to the authentication type from the cache space of the forwarding plane.

[0019] Optionally, after obtaining the list of domain name IP addresses associated with this authentication type, the following may also be included:

[0020] The whitelisted domains in the domain name IP address list are subjected to resolution detection to obtain the security information of the IP address; the security information is used to guide the generation of the traffic access policy; the resolution detection method includes at least one of multi-source DNS, TTL awareness and CNAME chain.

[0021] Optionally, setting traffic allowance policies for corresponding IP addresses based on the domain name IP address list includes:

[0022] Read the domain name information corresponding to the user traffic;

[0023] Filter the target IP addresses corresponding to the domain information in the domain IP address list;

[0024] The target IP address is used as the allowed address to generate a traffic allowance policy.

[0025] Optionally, the traffic allowance policy is generated by using the target IP address as the allowed address:

[0026] Determine the allowed access duration for each target IP address, and generate a traffic access policy based on the target IP address and its corresponding allowed access duration.

[0027] Optionally, traffic processing based on the traffic allowance strategy includes at least one of the following methods:

[0028] Add or modify ACL rules according to the traffic allowance policy to allow or deny traffic to the corresponding IP address;

[0029] The controller sends the flow table rules corresponding to the traffic allowance policy to the switch or router.

[0030] Configure or modify network firewall rules according to the traffic allowance policy.

[0031] This application also provides a domain name traffic processing system, including:

[0032] The traffic detection module is used to determine the authentication type corresponding to the user traffic when it detects user traffic accessing the network.

[0033] The list reading module is used to obtain a list of domain name IP addresses corresponding to the authentication type if the authentication type is a web-based authentication type or an application-based authentication type.

[0034] The traffic processing module is used to set the traffic access policy for the corresponding IP address according to the list of domain name IP addresses, and to process traffic based on the traffic access policy.

[0035] This application also provides a computer-readable storage medium having a computer program stored thereon, which, when executed by a processor, implements the steps of the method described above.

[0036] This application also provides an electronic device, including a memory and a processor, wherein the memory stores a computer program, and the processor implements the steps of the method described above when it invokes the computer program in the memory.

[0037] This application also provides a computer program product, including a computer program that, when executed, implements the steps of the method described above.

[0038] This application also provides a domain name traffic processing method, comprising: when user traffic is detected accessing the network, determining the authentication type corresponding to the user traffic; if the authentication type is a web-based authentication type or an application-based authentication type, obtaining a list of domain name IP addresses corresponding to the authentication type; the list of domain name IP addresses includes several IP addresses and traffic access policies corresponding to each IP address; setting a traffic access policy for the corresponding IP address according to the list of domain name IP addresses, and processing traffic based on the traffic access policy; the traffic access policy includes network traffic access rules.

[0039] This application detects the authentication type of user traffic as it accesses the network, enabling rapid and accurate identification of the traffic's source and nature. This avoids the delayed identification issues that may occur in traditional traffic processing, allowing the network system to address traffic in a targeted manner immediately. By obtaining corresponding domain name and IP address lists for different authentication types and setting traffic access policies accordingly, fine-grained traffic management is achieved. Obtaining these lists clearly identifies which IP addresses are authenticated and trustworthy, allowing for the setting of appropriate traffic access policies for these addresses. This refined traffic management not only improves user experience but also enhances the overall stability and security of the network. Traffic processing based on access policies allows the network system to respond more flexibly to different network environments and user needs. Furthermore, strict management of authentication types and domain name / IP address lists effectively prevents unauthorized traffic from entering the network system. Strict authentication and screening of traffic keeps potentially malicious traffic out, thereby protecting the internal security of the network system.

[0040] This application also provides a domain name traffic processing system, a computer-readable storage medium, and an electronic device, which have the above-mentioned beneficial effects, and will not be elaborated here. Attached Figure Description

[0041] To more clearly illustrate the technical solutions in the embodiments of this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only embodiments of this application. For those skilled in the art, other drawings can be obtained based on the provided drawings without creative effort.

[0042] Figure 1 A flowchart illustrating a domain name traffic processing method provided in this application embodiment;

[0043] Figure 2 This is a schematic diagram of the network structure corresponding to the domain name traffic processing provided in the embodiments of this application;

[0044] Figure 3 A schematic diagram of a domain name traffic processing system provided in this application embodiment:

[0045] Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. Detailed Implementation

[0046] To make the objectives, technical solutions, and advantages of the embodiments of this application clearer, the technical solutions of the embodiments of this application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0047] See Figure 1 , Figure 1 A flowchart of a domain name traffic processing method provided in this application embodiment, the method including:

[0048] S101: When user traffic is detected accessing the network, determine the authentication type corresponding to the user traffic;

[0049] S102: If the authentication type is a web-based authentication type or an application-based authentication type, obtain the list of domain name IP addresses corresponding to the authentication type;

[0050] S103: Set the traffic allowance policy for the corresponding IP address according to the list of domain name IP addresses, and process the traffic based on the traffic allowance policy.

[0051] This embodiment can be applied to gateway devices and other network access devices. User traffic can access the forwarding plane device through the user terminal, and then the forwarding plane device forwards the data to meet network access requirements. The forwarding plane described in this application refers to network devices that perform high-speed processing and action execution on each data packet passing through the device, including forwarding, dropping, rewriting, classification, and counting. The control plane refers to network devices that calculate and maintain network status and policies, generate forwarding tables / flow tables and distribute them to the forwarding plane, and are also used for managing and processing events, topology changes, and session maintenance.

[0052] In step S101, when user traffic accesses the network, it is necessary to detect and determine the authentication type of the traffic. This can be achieved by analyzing the characteristics and protocols of the traffic. For example, for web-based authentication, the user traffic can be determined to belong to the web-based authentication type by detecting authentication information (such as username, password, token, etc.) in the HTTP or HTTPS protocol; for application-based authentication, it can be identified by analyzing the authentication token in the application layer protocol (such as OAuth, JWT, etc.). In addition, network device traffic analysis tools or middleware can be used to capture and parse the authentication information in the traffic.

[0053] By accurately identifying authentication types, traffic can be categorized and processed according to different authentication methods, ensuring that only legitimately authenticated users can access network resources, thereby preventing unauthorized access and potential security threats. Simultaneously, identifying authentication types provides a basis for subsequent traffic access policies, enabling granular traffic management based on user identity and permissions.

[0054] Once the authentication type of user traffic is determined, step S102 requires obtaining a list of domain name IP addresses related to that authentication type. In this embodiment, the list of domain name IP addresses includes at least several IP addresses and the traffic allowance policy corresponding to each IP address. Specifically, the list of domain name IP addresses can be obtained by querying a local database, configuration file, or through a network request from the authentication server. For example, for web-based authentication, the list of domain name IP addresses can be extracted from the locally stored HTTP authentication configuration; for application-based authentication, the list of IP addresses related to a specific application can be obtained by calling the authentication server's API interface. The obtained list may include information such as the allowed range of IP addresses, specific IP addresses, or domain names.

[0055] In one feasible implementation, after obtaining the list of domain name IP addresses related to the authentication type, the whitelisted domain names in the list can be resolving and probing to obtain the security information of the IP addresses, thereby detecting the health and security of the corresponding IP addresses and guiding the generation of the traffic release policy. Specifically, at least one of the following methods can be used: multi-source DNS, TTL awareness, and CNAME chain. When using multi-source DNS resolution, multiple DNS servers can be selected: multiple different DNS servers are used for domain name resolution, such as public DNS and local DNS servers. Domain names are then periodically selected from the whitelist and resolved through multiple DNS servers, recording the results of each resolution, including the resolved IP address and resolution time. When using TTL awareness, the TTL (Time To Live) value of the resolution result is recorded each time a resolution is performed. The TTL value represents the validity period of the resolution record. If the TTL value is short, the probing frequency is increased; if the TTL value is long, the probing frequency is appropriately reduced. When using CNAME chain tracing, if a CNAME record (alias record) is encountered during the resolution process, the target domain name pointed to by the CNAME is resolved until the final IP address is obtained. This records the entire CNAME chain resolution process, including the resolution result and corresponding TTL value for each CNAME. It records the response time for each resolution to analyze for abnormal delays. It compares the resolution results from different DNS servers to check for inconsistencies. Inconsistent resolution results from multiple DNS servers may indicate a problem with domain name resolution. Thresholds can also be set to trigger an alarm mechanism when the resolution time exceeds the threshold or when abnormal resolution results occur.

[0056] The specific content of the domain name IP address list is not limited here. In one feasible implementation, in addition to including the correspondence between domain names and IP addresses, it may also include the generation timestamp of the domain name IP address list, the TTL value of each IP address, and signature information. The signature method used is not limited here, and may include, but is not limited to, hash signatures.

[0057] Obtaining a list of domain names and IP addresses corresponding to authentication types provides specific targets for traffic access policies. By clearly identifying which IP addresses or domain names are associated with specific authentication types, targeted traffic access policies can be developed, improving the flexibility and accuracy of traffic management, enhancing network security, and ensuring that only traffic that meets authentication requirements can pass through the network. This provides support for resource isolation and access control in multi-tenant environments.

[0058] After obtaining the list of domain name IP addresses, a traffic allowance policy needs to be set based on this information. When processing traffic based on this policy, it can be implemented through access control lists (ACLs) of network devices, firewall rules, or policy configurations of software-defined networking (SDN) controllers. For example, in a hardware firewall, ACL rules can be added or modified to allow or deny traffic from specific IP addresses; in an SDN environment, flow table rules can be issued to switches or routers by the controller to achieve precise traffic control; or network firewall rules can be set or modified according to the traffic allowance policy. During traffic processing, the set policy is executed, allowing legitimate traffic to pass while blocking illegal or unauthorized traffic.

[0059] It is easy to understand that by setting a traffic access policy, only necessary access to the advertising page and authentication-related domains can be allowed before the user completes Web / social app authentication (which can be restricted by port / protocol). After authentication is completed, the normal access policy is switched. Similarly, if authentication is not completed, network traffic can be limited or network disconnection can be restricted according to the traffic access policy.

[0060] This embodiment enables fine-grained management and security control of network traffic by setting and executing traffic access policies. Through policy configuration based on a domain name and IP address list, it ensures that only legitimate and authenticated traffic can access target resources, thereby preventing malicious traffic intrusion and attacks. The policy-based traffic management approach implemented in this embodiment improves network security and reliability, helps optimize network resource utilization, and enhances overall network performance. Furthermore, it facilitates network monitoring and auditing, enabling the tracking and analysis of network traffic behavior patterns, and providing strong support for network operation and maintenance and security protection.

[0061] This application embodiment detects the authentication type as user traffic accesses the network, enabling rapid and accurate identification of the traffic source and nature. This avoids the delayed identification problems that may occur in traditional traffic processing, allowing the network system to handle traffic in a targeted manner immediately. By obtaining the corresponding domain name and IP address list for different authentication types and setting traffic access policies accordingly, fine-grained traffic management is achieved. Obtaining the domain name and IP address list clearly identifies which IP addresses are authenticated and trustworthy, allowing for the setting of reasonable traffic access policies for these IP addresses. This fine-grained traffic management not only improves user experience but also enhances the overall stability and security of the network. Traffic processing based on traffic access policies allows the network system to respond more flexibly to different network environments and user needs. Furthermore, strict management of authentication types and domain name and IP address lists effectively prevents unauthorized traffic from entering the network system. Strict authentication and screening of traffic keeps potentially malicious traffic out, thereby protecting the internal security of the network system.

[0062] Based on the above embodiments, the domain name traffic processing methods disclosed in the above embodiments will be further described below from the perspectives of control plane and forwarding plane:

[0063] The first step is to send a domain name resolution request to query the IP address corresponding to the domain name;

[0064] The second step is to generate a network error message if the domain name resolution request timeout occurs.

[0065] Third, if the domain name resolution request response does not time out, update the cached data of the control plane according to the response information; the cached data includes the association between domain names and IP addresses.

[0066] The main implementation entity in this embodiment is a control plane device. See also... Figure 2 , Figure 2 This is a schematic diagram of the network structure corresponding to the domain name traffic processing provided in the embodiments of this application. Figure 2 The system mainly comprises an egress gateway, forwarding plane devices, and control plane devices. The egress gateway connects to external networks, and users access the network through user terminals by connecting to the forwarding plane devices. Upon receiving user traffic, the forwarding plane devices forward the traffic to the egress gateway. The control plane devices perform the domain name detection process described in this embodiment and distribute the latest cached data to the forwarding plane's cache space based on the updated cached data.

[0067] In practice, the control plane device sends domain name resolution requests to gateway devices such as the egress gateway to probe for domain names. Specifically, various network protocols and tools can be used to send these requests. A common method is to utilize the DNS (Domain Name System) query protocol, sending a query request to the gateway device via UDP (User Datagram Protocol) or TCP (Transmission Control Protocol). Subsequently, the DNS server returns the IP address corresponding to the domain name based on records in its database, and this IP address is then relayed back to the control plane device via the gateway device.

[0068] DNS queries can quickly and efficiently translate user-readable domain names into IP addresses that network devices can recognize. This provides the foundation for subsequent network communication and traffic management, ensuring that network requests correctly reach the target server. At the same time, using standard DNS protocols and tools guarantees compatibility with existing network infrastructure, facilitating implementation in various network environments.

[0069] After sending a domain name resolution request, a timeout mechanism can be set to check if the response is returned within a reasonable time. Specifically, this can be achieved by setting a timeout parameter in the request, for example, using +time= in the dig command. <timeout>Options can be set, or a timeout period can be configured in the programming environment. When the timeout expires without a response, an exception handling mechanism can be triggered to generate a network exception message. This message can be a log entry, an error message, or a notification to inform system administrators or users of the current network status. This allows for timely detection and reporting of network anomalies. Network timeouts may be caused by DNS server failures, network connectivity issues, or other faults in the DNS resolution path. Generating network exception messages allows for quick problem location, facilitating troubleshooting and repair by network administrators. Furthermore, the timeout mechanism and exception message generation help improve system reliability and stability, avoiding the waste of system resources due to long response times.

[0070] When a domain name resolution request succeeds and does not time out, a response is received containing the association between the domain name and the IP address. At this point, the control plane cache data is updated based on the response information. Updating cache data can be achieved through programming interfaces or configuration commands, such as using API calls to write the new mapping to the cache database, or updating the cache file through configuration scripts. Cache data can be stored using in-memory databases, distributed caching systems (such as Redis), or local file systems. Updating control plane cache data improves the efficiency and response speed of domain name resolution. By storing the mapping between domain names and IP addresses in a local cache, subsequent queries for that domain name can directly retrieve results from the cache without sending another request to the DNS server.

[0071] For forwarding plane devices, they can periodically check whether the cached data in the control plane has been updated. If the cached data in the control plane has been updated, the forwarding plane device is requested to send the latest cached data to its own cache space. The forwarding plane device can periodically poll the cached data in the control plane to check if the cached data has been updated. If updated, it can send a cached data update request so that the control plane device can send the latest cached data to the forwarding plane's cache space. In another implementation, the control plane device itself can also periodically check whether the cache has been updated; if updated, it pushes the latest cached data to the forwarding plane's cache space.

[0072] To ensure the accuracy and timeliness of control plane cached data, it is necessary to periodically check whether the cached data has been updated. This can be achieved by setting up a scheduled task or using a polling mechanism. For example, the status of the cached data can be periodically checked using the operating system's scheduled task or a timer in a programming language, by checking the update timestamp, version number, or synchronizing with the DNS server.

[0073] Periodically checking the update status of cached data can effectively prevent issues such as expired or inconsistent cached data. Regular checks allow for the timely detection of changes in cached data and the implementation of appropriate update measures, helping to maintain the stability and reliability of the network system and ensuring that users can access the latest network resources.

[0074] When an update to the cached data in the control plane is detected, the latest cached data needs to be synchronized to the cache space in the forwarding plane. Data synchronization can be achieved in various ways, such as using message queues (like RabbitMQ) or distributed caching systems (like Redis's publish / subscribe functionality) to pass updated data from the control plane to the forwarding plane. In the forwarding plane, appropriate interfaces or configuration tools can be used to write the new cached data to its cache space, such as the memory of hardware devices or dedicated caching modules.

[0075] This embodiment ensures efficient processing and correct forwarding of network traffic. The forwarding plane directly participates in packet forwarding operations, and its up-to-date cached data allows it to quickly match domain names and IP addresses when processing traffic, thereby improving forwarding efficiency and accuracy. This data synchronization mechanism guarantees data consistency between the control plane and the forwarding plane, avoiding traffic corruption or forwarding errors caused by data inconsistency, further enhancing the performance and stability of the entire network system.

[0076] See Figure 3 , Figure 3 This is a schematic diagram of a domain name traffic processing system provided in an embodiment of this application. The system includes:

[0077] The traffic detection module is used to determine the authentication type corresponding to the user traffic when it detects user traffic accessing the network.

[0078] The list reading module is used to obtain a list of domain IP addresses corresponding to the authentication type if the authentication type is a web-based authentication type or an application-based authentication type; the list of domain IP addresses includes several IP addresses and traffic access policies corresponding to each IP address.

[0079] The traffic processing module is used to set the traffic access policy for the corresponding IP address according to the list of domain name IP addresses, and to process traffic based on the traffic access policy; the traffic access policy includes network traffic access rules.

[0080] Based on the above embodiments, as a preferred embodiment, it further includes:

[0081] The domain name detection module is used to send a domain name resolution request to query the IP address corresponding to the domain name; if the domain name resolution request response times out, a network error message is generated; if the domain name resolution request response does not time out, the cached data of the control plane is updated according to the response information; the cached data includes the association between the domain name and the IP address.

[0082] Based on the above embodiments, as a preferred embodiment, it further includes:

[0083] The cache update module is used to periodically check whether the cached data in the control plane has been updated; if the cached data in the control plane has been updated, the latest cached data is sent to the cache space of the forwarding plane.

[0084] Based on the above embodiments, as a preferred embodiment, it further includes:

[0085] The domain name resolution module is used to perform resolution detection on whitelisted domain names in the domain name IP address list to obtain the security information of the IP address; the security information is used to guide the generation of the traffic access policy; the resolution detection method includes at least one of multi-source DNS, TTL awareness and CNAME chain.

[0086] Based on the above embodiments, as a preferred embodiment, the list reading module includes:

[0087] The list retrieval unit is used to retrieve a list of domain name IP addresses corresponding to the authentication type from the cache space of the forwarding plane.

[0088] Based on the above embodiments, as a preferred embodiment, the traffic processing module includes:

[0089] The policy generation unit is used to read the domain name information corresponding to the user traffic; filter the target IP addresses corresponding to the domain name information in the domain name IP address list; and use the target IP addresses as allowed addresses to generate a traffic allowance policy.

[0090] Based on the above embodiments, as a preferred embodiment, the strategy generation unit includes:

[0091] The policy configuration subunit is used to determine the allowed allowance duration for each of the target IP addresses and generate a traffic allowance policy based on the target IP address and its corresponding allowed allowance duration.

[0092] Based on the above embodiments, as a preferred embodiment, the traffic processing module includes:

[0093] The traffic allowance policy application unit is used to execute at least one of the following methods:

[0094] Add or modify ACL rules according to the traffic allowance policy to allow or deny traffic to the corresponding IP address;

[0095] The controller sends the flow table rules corresponding to the traffic allowance policy to the switch or router.

[0096] Configure or modify network firewall rules according to the traffic allowance policy.

[0097] This application also provides a computer-readable storage medium and a computer program product, both of which store a computer program. When executed, the computer program can implement the steps of the methods provided in the above embodiments. The storage medium may include various media capable of storing program code, such as a USB flash drive, a portable hard drive, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.

[0098] This application also provides an electronic device that may include a memory and a processor. The memory stores a computer program, and when the processor invokes the computer program in the memory, it can implement the steps of the method provided in the above embodiments. Of course, the electronic device may also include various network interfaces, power supplies, and other components. Please see [link to relevant documentation]. Figure 4 , Figure 4 This is a schematic diagram of the structure of an electronic device provided in an embodiment of this application. The electronic device in this embodiment may include: a processor 2101 and a memory 2102.

[0099] Optionally, the electronic device may also include a communication interface 2103, an input unit 2104, a display 2105, and a communication bus 2106.

[0100] The processor 2101, memory 2102, communication interface 2103, input unit 2104, and display 2105 all communicate with each other through the communication bus 2106.

[0101] In this embodiment of the application, the processor 2101 may be a central processing unit (CPU), an application-specific integrated circuit, a digital signal processor, an off-the-shelf programmable gate array, or other programmable logic devices.

[0102] The processor can call programs stored in memory 2102. Specifically, the processor can execute the operations performed by the electronic device in the above embodiments.

[0103] The memory 2102 is used to store one or more programs, which may include program code, including computer operation instructions. In this embodiment, the memory stores at least a program for implementing the following functions:

[0104] When user traffic is detected accessing the network, the authentication type corresponding to the user traffic is determined;

[0105] If the authentication type is a web-based authentication type or an application-based authentication type, obtain the domain IP address list corresponding to the authentication type; the domain IP address list contains several IP addresses and the traffic access policy corresponding to each IP address;

[0106] Based on the list of domain name IP addresses, a traffic allowance policy is set for the corresponding IP address, and traffic processing is performed based on the traffic allowance policy; the traffic allowance policy includes network traffic allowance rules.

[0107] In one possible implementation, the memory 2102 may include a program storage area and a data storage area, wherein the program storage area may store the operating system and applications required for at least one function; and the data storage area may store data created during the use of the computer.

[0108] In addition, memory 2102 may include high-speed random access memory, and may also include non-volatile memory, such as at least one disk storage device or other volatile solid-state storage device.

[0109] The communication interface 2103 can be an interface for a communication module, such as the interface for a GSM module.

[0110] This application may also include a display 2105 and an input unit 2104, etc.

[0111] Figure 4 The structure of the electronic device shown does not constitute a limitation on the electronic device in the embodiments of this application. In practical applications, the electronic device may include more than [other components]. Figure 4 More or fewer components as shown, or combinations of certain components.

[0112] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on its differences from other embodiments. Similar or identical parts between embodiments can be referred to interchangeably. As the system provided in the embodiments corresponds to the method provided in the embodiments, the description is relatively simple; relevant parts can be found in the method section.

[0113] This document uses specific examples to illustrate the principles and implementation methods of this application. The descriptions of the embodiments above are only for the purpose of helping to understand the method and core ideas of this application. It should be noted that those skilled in the art can make several improvements and modifications to this application without departing from the principles of this application, and these improvements and modifications also fall within the protection scope of the claims of this application.

[0114] It should also be noted that, in this specification, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Furthermore, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.< / timeout>

Claims

1. A method for processing domain name traffic, characterized in that, include: When user traffic is detected accessing the network, the authentication type corresponding to the user traffic is determined; If the authentication type is a web-based authentication type or an application-based authentication type, obtain the domain IP address list corresponding to the authentication type; the domain IP address list contains several IP addresses and the traffic access policy corresponding to each IP address; Based on the list of domain name IP addresses, a traffic allowance policy is set for the corresponding IP address, and traffic processing is performed based on the traffic allowance policy; the traffic allowance policy includes network traffic allowance rules.

2. The domain name traffic processing method according to claim 1, characterized in that, Also includes: Send a domain name resolution request to query the IP address corresponding to the domain name; If the domain name resolution request response times out, a network error message will be generated; If the domain name resolution request response does not time out, update the cached data of the control plane according to the response information; the cached data includes the association between domain names and IP addresses.

3. The domain name traffic processing method according to claim 2, characterized in that, After updating the control plane's cached data based on the response information, the following is also included: Periodically check whether the cached data in the control plane is updated; If the cached data of the control plane has been updated, the latest cached data is sent to the cache space of the forwarding plane.

4. The domain name traffic processing method according to claim 3, characterized in that, Obtaining the list of domain name IP addresses corresponding to the authentication type includes: Obtain the list of domain name IP addresses corresponding to the authentication type from the cache space of the forwarding plane.

5. The domain name traffic processing method according to claim 4, characterized in that, After obtaining the list of domain names and IP addresses associated with this authentication type, the following is also included: The whitelisted domains in the domain name IP address list are subjected to resolution detection to obtain the security information of the IP address; the security information is used to guide the generation of the traffic access policy; the resolution detection method includes at least one of multi-source DNS, TTL awareness and CNAME chain.

6. The domain name traffic processing method according to claim 1, characterized in that, Setting traffic allowance policies for corresponding IP addresses based on the domain name IP address list includes: Read the domain name information corresponding to the user traffic; Filter the target IP addresses corresponding to the domain information in the domain IP address list; The target IP address is used as the allowed address to generate a traffic allowance policy.

7. The domain name traffic processing method according to claim 6, characterized in that, Using the target IP address as the allowed address, the traffic allowance policy is generated as follows: Determine the allowed access duration for each target IP address, and generate a traffic access policy based on the target IP address and its corresponding allowed access duration.

8. The domain name traffic processing method according to claim 1 or 6, characterized in that, Traffic processing based on the aforementioned traffic allowance strategy includes at least one of the following methods: Add or modify ACL rules according to the traffic allowance policy to allow or deny traffic to the corresponding IP address; The controller sends the flow table rules corresponding to the traffic allowance policy to the switch or router. Configure or modify network firewall rules according to the traffic allowance policy.

9. A domain name traffic processing system, characterized in that, include: The traffic detection module is used to determine the authentication type corresponding to the user traffic when it detects user traffic accessing the network. The list reading module is used to obtain a list of domain IP addresses corresponding to the authentication type if the authentication type is a web-based authentication type or an application-based authentication type; the list of domain IP addresses includes several IP addresses and traffic access policies corresponding to each IP address. The traffic processing module is used to set the traffic access policy for the corresponding IP address according to the list of domain name IP addresses, and to process traffic based on the traffic access policy; the traffic access policy includes network traffic access rules.

10. A computer-readable storage medium having a computer program stored thereon, characterized in that, When the computer program is executed by a processor, it implements the steps of the method as described in any one of claims 1-8.

11. An electronic device, characterized in that, The method includes a memory and a processor, wherein the memory stores a computer program, and the processor, when calling the computer program in the memory, implements the steps of the method as described in any one of claims 1-8.