Authenticated domain name resolution

US 20040250119A1
Filed: 04/30/2003
Published: 12/09/2004
Est. Priority Date: 04/30/2003
Status: Active Grant

First Claim

Patent Images

1. In an authoritative name server configured to resolve one or more domain name system records, a method of selectively resolving a domain name system record so that a client requesting resolution of the domain name system record receives a domain name system response based on the client'"'"'s authorization, the method comprising acts of:

at an authoritative name server, receiving, from a client, a request to resolve a domain name system record into a corresponding domain name system response;

receiving client authentication from the client;

based on the received client authentication, determining that the client is authorized to receive the domain name response corresponding to the domain name system record; and

sending the corresponding domain name system response to the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for resolving domain name system records based on client authentication. Basing domain name resolution on client authentication provides remote clients with the convenience of domain names, without sacrificing the security of keeping potentially sensitive domain names private. An authoritative name server receives requests for domain name resolution from clients. For requests without client authentication, the authoritative name server responds that the domain name cannot be found. This response identifies the authoritative name server to the client so that the client can submit subsequent requests with client authentication. For requests with client authentication, the authoritative name server responds with the corresponding domain name addresses. Client may communicate domain name resolution requests directly to the authoritative name server or indirection, through one or more intermediate domain name servers. Client authentication may occur over a secure connection with the authoritative name server.

202 Citations

55 Claims

1. In an authoritative name server configured to resolve one or more domain name system records, a method of selectively resolving a domain name system record so that a client requesting resolution of the domain name system record receives a domain name system response based on the client'"'"'s authorization, the method comprising acts of:
- at an authoritative name server, receiving, from a client, a request to resolve a domain name system record into a corresponding domain name system response;
  
  receiving client authentication from the client;
  
  based on the received client authentication, determining that the client is authorized to receive the domain name response corresponding to the domain name system record; and
  
  sending the corresponding domain name system response to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein a plurality of domain name system responses correspond to the resolution request received from the client, the method further comprising an act of selecting the domain name system response sent to the client based on the received client authentication.
  - 3. The method of claim 1, wherein the authoritative name server receives the request from the client through a direct connection.
  - 4. The method claim 1, wherein the authoritative name server receives client authentication over a secure connection with the client.
  - 5. The method of claim 1, wherein the request to resolve a domain name system record comprises a request to resolve at least one domain name into at least one domain name address, and wherein the corresponding domain name system response sent to the client comprises one or more domain name addresses corresponding to the at least one domain name.
  - 6. The method of claim 5, further comprising:
    - receiving a prior request to resolve the at least one domain name without client authentication; and
      
      sending a response to the client that the at least one domain name is unknown to the authoritative name server.
  - 7. The method of claim 6, wherein the prior request is received from an intermediate domain name server capable of resolving one or more other domain names into one or more other domain name addresses.
  - 8. The method of claim 5, wherein the at least one domain name identifies at least one of router, a gateway, a firewall, and a proxy server for a private network.
  - 9. The method of claim 5, wherein the at least one domain name identifies at least one of a web server, a database server, a file server, and an email server for a private network.
  - 10. The method of claim 1, wherein the authoritative name server operates as one or more of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, and an email server.

11. In a client capable of establishing a connection with an authoritative name server that resolves at least one domain name into at least one domain name address, wherein the authoritative name server only resolves domain names into the corresponding domain name addresses for authorized clients, a method of requesting, from the authoritative name server, a domain name address that corresponds to a domain name, the method comprising acts of:
- sending an initial request, to resolve a domain name into a corresponding domain name address, to an authoritative name server without client authentication;
  
  receiving a response from the authoritative name server indicating that the domain name is unknown;
  
  establishing a direct connection with the authoritative name server;
  
  sending client authentication to the authoritative name server over the direct connection;
  
  sending a subsequent request, to resolve the domain name into the corresponding domain name address, to the authoritative name server; and
  
  in response to having sent client authentication, receiving the corresponding domain name address from the authoritative name server.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, wherein the client authentication is sent with the subsequent request.
  - 13. The method of claim 11, wherein the direct connection is a secure connection.
  - 14. The method of claim 11, further comprising an act of receiving a request for the client authentication from the authoritative name server
  - 15. The method of claim 11, wherein the initial request is directed to a domain name server because the authoritative name server is unknown, the method further comprising an act of discovering the authoritative name server from the response from the authoritative name server indicating that the domain name is unknown.
  - 16. The method of claim 11, wherein the client and the authoritative name server are connected to a common private network.
  - 17. The method of claim 11, wherein the authoritative name server functions as a gateway computer on one or more of a home, and an organizational network.
  - 18. The method of claim 17, wherein the gateway computer functions further as one or more of a router, a firewall, a virtual private network, a proxy server, a web server, a database server, a file server, and an email server.
  - 19. The method of claim 11, wherein the domain name identifies at least one of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, and an email server for a private network.

20. In an authoritative name server configured for resolving domain name addresses, a method for selectively resolving one or more client-requested domain names so that the client receives one or more corresponding domain name addresses only if the client is authorized, the method comprising steps for:
- for one or more unauthenticated requests, originating from one or more unauthenticated clients, to resolve one or more domain names, an authoritative name server responding to the one or more unauthenticated clients that the one or more domain names are unknown because the one or more unauthenticated clients have not provided client authentication to the authoritative name server; and
  
  for one or more authenticated requests, originating from one or more authenticated clients, to resolve the one or more domain names, the authoritative name server responding to the one or more authenticated clients with one or more domain name addresses corresponding to the one or more domain names because the one or more authenticated clients provided client authentication to the authoritative name server.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The method of claim 20, wherein the authoritative name server receives the one or more requests from the one or more authenticated clients through a direct connection.
  - 22. The method of claim 21, further comprising a step for authenticating the authenticated clients over a secure connection.
  - 23. The method of claim 20, wherein the one or more unauthenticated clients and the one or more authenticated clients are the same one or more clients.
  - 24. The method of claim 20, wherein the one or more unauthenticated requests are received from one or more intermediate domain name servers capable of resolving a plurality of other domain names into a plurality of other domain name addresses.
  - 25. The method of claim 20, wherein the one or more authenticated clients are external to a private network and the one or more domain names identify one or more servers internal to the private network.
  - 26. The method of claim 25, wherein the one or more domain names identify at least one a web server, a database server, a file server, and an email server within the private network.

27. For an authoritative name server configured to resolve at least one domain name into at least one domain name address, a computer program product comprising one or more computer readable media carrying computer executable instructions that implement a method of selectively resolving a received domain name request so that the client making the request receives a corresponding domain name address only if the client is authorized, the method comprising the acts of:
- at an authoritative name server, receiving, from a client, a request to resolve a private domain name into a corresponding domain name address;
  
  receiving client authentication from the client;
  
  based on the received client authentication, determining that the client is authorized to receive the domain name address corresponding to the private domain name; and
  
  sending the corresponding domain name address to the client.
- View Dependent Claims (28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 28. The computer program product of claim 27, wherein the authoritative name server receives the request from the client through a direct connection.
  - 29. The computer program product claim 27, wherein the authoritative name server receives client authentication over a secure connection with the client.
  - 30. The computer program product of claim 27, the method further comprising:
    - receiving a prior request to resolve the domain name without client authentication; and
      
      sending a response to the client that the domain name is unknown to the authoritative name server.
  - 31. The computer program product of claim 30, wherein the prior request is received from an intermediate domain name server capable of resolving one or more other domain names into one or more other domain name addresses.
  - 32. The computer program product of claim 27, wherein the authoritative name server operates as one or more of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, and an email server.
  - 33. The computer program product of claim 27, wherein the domain name identifies at least one of router, a gateway, a firewall, and a proxy server for a private network.
  - 34. The computer program product of claim 27, wherein the domain name identifies at least one of a web server, a database server, a file server, and an email server for a private network.
  - 35. The computer program product of claim 27, the method further comprising acts of:
    - at an authoritative name server, receiving, from another client, a request to resolve a public domain name into one or more corresponding domain name addresses, wherein the request fails to include client authentication for the other client;
      
      identifying the corresponding one or more domain name addresses corresponding to the public domain name; and
      
      sending the corresponding one or more domain name addresses to the other client.
  - 36. The computer program product of claim 35, wherein authoritative name server is not authoritative for the public domain name.

37. For a client capable of establishing a connection with an authoritative name server that resolves at least one domain name into at least one domain name address, wherein the authoritative name server only resolves domain names into the corresponding domain name addresses for authorized clients, a computer program product comprising one or more computer readable media carrying computer executable instructions that implement a method of requesting, from the authoritative name server, a domain name address that corresponds to a domain name, the method comprising acts of:
- sending an initial request, to resolve a domain name into a corresponding domain name address, to an authoritative name server without client authentication;
  
  receiving a response from the authoritative name server indicating that the domain name is unknown;
  
  establishing a direct connection with the authoritative name server;
  
  sending client authentication to the authoritative name server over the direct connection;
  
  sending a subsequent request;
  
  to resolve the domain name into the corresponding domain name address, to the authoritative name server; and
  
  in response to having sent client authentication, receiving the corresponding domain name address from the authoritative name server.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The computer program product of claim 37, wherein the client authentication is sent with the subsequent request.
  - 39. The computer program product of claim 37, wherein the direct connection is a secure connection.
  - 40. The computer program product of claim 37, the method further comprising an act of receiving a request for the client authentication from the authoritative name server.
  - 41. The computer program product of claim 37, wherein the initial request is directed to a domain name server because the authoritative name server is unknown, the method further comprising an act of discovering the authoritative name server from the response from the authoritative name server indicating that the domain name is unknown.
  - 42. The computer program product of claim 37, wherein the client and the authoritative name server are connected to a common private network.
  - 43. The computer program product of claim 37, wherein the authoritative name server functions as a gateway computer on one or more of a home, and an organizational network.
  - 44. The computer program product of claim 43, wherein the gateway computer functions further as one or more of a router, a firewall, a virtual private network, a proxy server, a web server, a database server, a file server, and an email server.
  - 45. The computer program product of claim 37, wherein the domain name identifies at least one of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, and an email server for a private network.

46. In a client capable of establishing a connection with one or more name servers that resolve at least one domain name into at least one domain name address, wherein at least one name server resolves domain name system records based on client authentication, a method of requesting one or more domain name addresses for one or more domain names, the method comprising acts of:
- identifying an authoritative name server for a domain of interest;
  
  establishing a secure connection with the authoritative name server;
  
  sending client authentication to the authoritative name server over the secure connection;
  
  requesting, from the authoritative name server, one or more domain name addresses for one or more domain names; and
  
  based on the client authentication, receiving from the authoritative name server at least one domain name address for the one or more domain names.
- View Dependent Claims (47, 48, 49, 50, 51, 52, 53, 54, 55)
- - 47. The method of claim 46, wherein the client authentication is sent with the request.
  - 48. The method of claim 46, wherein identifying the authoritative name server comprises an act of requesting a name server record for the domain of interest.
  - 49. The method of claim 48, wherein the domain of interest comprises a sub-domain of a higher-level domain, the method further comprising an act of requesting the name server record for the domain of interest from a name server for the higher-level domain.
  - 50. The method of claim 49, wherein the request to the name server for the higher-level domain occurs over a secure connection.
  - 51. The method of claim 50, further comprising an act of requesting a name server record for the higher-level domain to identify the name server for the higher-level domain.
  - 52. The method of claim 46, wherein identifying the authoritative name server comprises an act of requesting domain name resolution for a non-existent domain name.
  - 53. The method of claim 46, wherein the client is configured to request the one or more domain name addresses for the one or more domain names using a secure form of communication.
  - 54. The method of claim 53, wherein the client is configured to request one or more other domain name addresses for one or more other domain names using an insecure form of communication.
  - 55. The method of claim 54, wherein the client configuration to use a secure form of communication or an insecure form of communication is domain specific.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shelest, Art, Gilroy, James M.

Granted Patent

US 7,299,491 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/08 for authentication of entit...

Authenticated domain name resolution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

202 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticated domain name resolution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

202 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links