Title: Method and system for allowing the use of domain names in enforcing network policy
Abstract: A method and a system for creating Internet Protocol (IP) address based network policies from domain name based network policies is disclosed. The domain name based network policies are stored. When a network device receives an address record (A record) Domain Name System (DNS) look-up reply, the network device identifies the one or more IP addresses of the one or more host names specified in the reply, then determines whether the one or more host names contain a domain name used in one or more domain name based network policies, and, if so, creates one or more IP address based network policies.
Publication number: US9369345 (B2)   Publication date: 2016.06.14
Application number: US201113881726   Application date: 2011.11.11
Applicant: PISMO LABS TECHNOLOGY LIMITED   Inventors: Chan Ho Ming; Yip Chi Pan; Chan Sze Hon; Chan Alex Wing Hong; Chau Kit Wai
IPC classification: H04L12/24; H04L29/12; H04L29/06   Main classification: H04L12/24
Agency: (none given)   Agent: (none given)
Main claim: 1. A method for creating Internet Protocol address based network policy (IPP) at a network device comprising the steps of:
(a) storing one or more domain name based network policies (DNNTP), wherein the DNNTPs contain parameters selected from a group consisting of address of source traffic, one or more domain names of traffic destination, protocol, and algorithm;
(b) examining contents of network traffic passing through the network device;
(c) receiving an address record Domain Name System look-up reply;
(d) identifying one or more Internet Protocol addresses of one or more host names specified in the address record Domain Name System look-up reply;
(e) determining whether the one or more host names contain a domain name used in the one or more DNNTPs;
(f) if the one or more host names contain a domain name used in the one or more DNNTPs, creating one or more IPP with one or more IP addresses of the one or more host names; wherein the IPP contains parameters selected from a group consisting of the address of source traffic, one or more IP addresses of traffic destination, protocol, and algorithm;
(g) if the one or more host names do not contain a domain name used in the one or more DNNTPs, not creating an IPP in relation to the one or more host names;
(h) enforcing the one or more IPP on network traffic based on the IP address of the network traffic;
(i) when more than one IPP is created for a first IP address, enforcing the IPP with higher priority on network traffic with the first IP address;
(j) removing the one or more IPPs from storage after a pre-determined period of time; wherein the pre-determined period of time is based on a time to live (TTL) associated with the address record Domain Name System look-up reply;
wherein the address of source traffic is an IP address, IP address range, or Ethernet address; wherein the protocol is transmission control protocol or user datagram protocol; and wherein the algorithm is selected from a group consisting of weight balance, least used, lowest latency, or priority.
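The abstract and claim 1 describe one procedure: watch A-record replies, match the answered host names against the domains in stored DNNTPs, derive IPPs for the returned addresses, enforce the highest-priority IPP per destination address, and discard IPPs when the reply's TTL elapses. The following is an added Python example written for this page to make that procedure concrete; it is not code from the patent or from Pismo Labs. The DNS reply it parses is constructed inline, the `DomainPolicy`/`IPPolicy` classes and the `PolicyEngine` API are this example's own names, domain matching is taken to be suffix matching (a host name "contains" a policy domain when it equals the domain or ends in "." plus the domain, an assumption the claim does not spell out), and the load-balancing algorithms are carried only as labels, since the claim names them without defining them.

```python
import ipaddress
import re
import struct
import time
from dataclasses import dataclass

_MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.I)


@dataclass(frozen=True)
class DomainPolicy:          # the DNNTP of claim 1 (example's own name)
    source: str              # source IP, CIDR range, or Ethernet (MAC) address
    domains: tuple           # destination domain names; matched as suffixes (assumption)
    protocol: str            # "tcp" or "udp"
    algorithm: str           # e.g. "weight balance", "least used", "lowest latency", "priority"
    priority: int = 0        # higher wins when several IPPs cover one destination IP


@dataclass(frozen=True)
class IPPolicy:              # the IPP derived from a DNNTP
    source: str
    destination: str         # IPv4 address taken from the A record
    protocol: str
    algorithm: str
    priority: int
    expires_at: float        # creation time + record TTL (step j)


def _read_name(msg, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appears in the message)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # two-byte pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def parse_a_records(msg):
    """Return [(host_name, ipv4, ttl)] for the IN A records in a DNS response (steps c-d)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off = 12
    for _ in range(qdcount):                       # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                   # QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, str(ipaddress.IPv4Address(rdata)), ttl))
    return records


def build_reply(qname, answers):
    """Constructed sample input: a minimal DNS response whose answers refer back to the
    question name with a compression pointer (0xC00C), as real resolvers do."""
    def encode(name):
        return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(answers), 0, 0)
    question = encode(qname) + struct.pack("!HH", 1, 1)
    answer = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                      + ipaddress.IPv4Address(ip).packed for ip, ttl in answers)
    return header + question + answer


def _host_in_domain(host, domain):
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def _source_matches(policy_source, src_ip, src_mac):
    if _MAC_RE.fullmatch(policy_source):           # Ethernet address policy
        return src_mac is not None and src_mac.lower() == policy_source.lower()
    if src_ip is None:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(policy_source, strict=False)


class PolicyEngine:
    def __init__(self, domain_policies, clock=time.monotonic):
        self.domain_policies = list(domain_policies)   # step (a)
        self.ip_policies = []
        self.clock = clock                             # injectable so TTL expiry can be tested

    def on_dns_reply(self, msg):
        """Steps (c)-(g): derive IPPs for A records whose names fall under a policy domain."""
        now, created = self.clock(), []
        for host, ip, ttl in parse_a_records(msg):
            for dp in self.domain_policies:
                if any(_host_in_domain(host, d) for d in dp.domains):
                    ipp = IPPolicy(dp.source, ip, dp.protocol, dp.algorithm, dp.priority, now + ttl)
                    self.ip_policies.append(ipp)
                    created.append(ipp)
        return created                                 # empty when nothing matched (step g)

    def expire(self):
        """Step (j): drop IPPs once the TTL of the reply that produced them has elapsed."""
        now = self.clock()
        self.ip_policies = [p for p in self.ip_policies if p.expires_at > now]

    def lookup(self, src_ip, src_mac, dst_ip, protocol):
        """Steps (h)-(i): the IPP to enforce on a flow, highest priority wins; None if none applies."""
        self.expire()
        hits = [p for p in self.ip_policies
                if p.destination == dst_ip and p.protocol == protocol
                and _source_matches(p.source, src_ip, src_mac)]
        return max(hits, key=lambda p: p.priority) if hits else None


def demo():
    """Constructed walk-through with a fake clock; returns (created IPPs, chosen IPP, IPP after TTL)."""
    clock = [1000.0]
    engine = PolicyEngine([
        DomainPolicy("192.168.1.0/24", ("example.com",), "tcp", "lowest latency", priority=1),
        DomainPolicy("192.168.1.0/24", ("cdn.example.com",), "tcp", "weight balance", priority=5),
    ], clock=lambda: clock[0])
    reply = build_reply("cdn.example.com", [("203.0.113.10", 60), ("203.0.113.11", 60)])
    created = engine.on_dns_reply(reply)           # 2 addresses x 2 matching DNNTPs = 4 IPPs
    chosen = engine.lookup("192.168.1.20", None, "203.0.113.10", "tcp")
    clock[0] += 61                                 # TTL of 60 s has elapsed
    return created, chosen, engine.lookup("192.168.1.20", None, "203.0.113.10", "tcp")
```

Two points the example makes visible that the claim leaves implicit. First, a host under both `example.com` and `cdn.example.com` yields two IPPs for the same address, and step (i) is what resolves that: only the higher-priority one is enforced. Second, because IPPs exist only for addresses seen in A-record replies that pass through the device (step c) and vanish with the TTL (step j), a client that resolves names elsewhere (an encrypted resolver, a hard-coded address, a long-lived local cache) never triggers IPP creation, so the domain-based policy never applies to its traffic; a deployment has to force clients' DNS through the device for the scheme to be complete.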
Address: Hong Kong, HK