DNS-BASED DETERMINING WHETHER A DEVICE IS INSIDE A NETWORK

US 20120159636A1
Filed: 12/16/2010
Published: 06/21/2012
Est. Priority Date: 12/16/2010
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

generating a domain name system (DNS) query;

causing the DNS query to be sent;

checking whether a verified DNS response to the DNS query is received;

determining that a computing device is inside a particular network if the verified DNS response is received; and

determining that the computing device is outside the particular network if the verified DNS response is not received.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In a computing device a domain name system (DNS) query is generated and sent, and a check is made as to whether a verified DNS response to the DNS query is received. The computing device is determined to be inside a particular network if a verified DNS response is received, and is determined to be outside that particular network if a verified DNS response is not received. A DNS response can be determined to be verified if both the DNS response has an expected value and the DNS response is digitally signed by a trusted authority, and otherwise can be determined to be not verified.

61 Citations

View as Search Results

20 Claims

1. A method comprising:
- generating a domain name system (DNS) query;
  
  causing the DNS query to be sent;
  
  checking whether a verified DNS response to the DNS query is received;
  
  determining that a computing device is inside a particular network if the verified DNS response is received; and
  
  determining that the computing device is outside the particular network if the verified DNS response is not received.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as recited in claim 1, wherein causing the DNS query to be sent comprises causing the DNS query to be sent to a DNS service, and wherein the verified DNS response is received from the DNS service.
  - 3. A method as recited in claim 1, wherein the particular network comprises a corporate network.
  - 4. A method as recited in claim 1, wherein generating the DNS query includes generating the DNS query including a particular name, and wherein checking whether the verified DNS response is received comprises checking whether the DNS response has an expected value for the particular name.
  - 5. A method as recited in claim 1, wherein the verified DNS response is received from a DNS service supporting a DNS Security Extensions (DNSSEC) protocol.
  - 6. A method as recited in claim 1, wherein checking whether the verified DNS response is received comprises checking whether a received DNS response is digitally signed by a trusted authority.
  - 7. A method as recited in claim 6, wherein the trusted authority is a root certificate authority for the particular network.
  - 8. A method as recited in claim 1, wherein determining that the computing device is outside the particular network comprises determining that the computing device is outside the particular network if no DNS response to the DNS query is received within a threshold amount of time.
  - 9. A method as recited in claim 1, wherein generating the DNS query includes generating the DNS query including a particular name, wherein the verified DNS response is received from a DNS cache including a mapping of the particular name to an expected value, and wherein the mapping in the DNS cache has a time to live of less than five minutes.
  - 10. A method as recited in claim 1, further comprising repeating, at particular intervals, causing the DNS query to be sent, checking whether the verified DNS response is received, and determining that the computing device is inside the particular network or outside the particular network.
  - 11. A method as recited in claim 1, further comprising repeating, in response to the computing device being moved by greater than a threshold amount, causing the DNS query to be sent, checking whether the verified DNS response is received, and determining that the computing device is inside the particular network or outside the particular network.
  - 12. A method as recited in claim 1, wherein the generating the DNS query, the causing the DNS query to be sent and the checking whether the verified DNS response is received are performed by the computing device.

13. One or more computer storage media having stored thereon multiple instructions that, when executed by one or more processors of a computing device, cause the one or more processors to:
- receive a domain name system (DNS) response to a DNS query;
  
  check whether the DNS response has an expected value;
  
  check whether the DNS response is digitally signed by a trusted authority; and
  
  determine that the computing device is verified and inside a particular network if both the DNS response has the expected value and the DNS response is digitally signed by the trusted authority, otherwise determine that the computing device is unverified and is outside the particular network.
- View Dependent Claims (14, 15, 16, 17, 18, 19)
- - 14. One or more computer storage media as recited in claim 13, wherein to receive the DNS response is to receive the DNS response from a DNS service.
  - 15. One or more computer storage media as recited in claim 14, wherein the DNS service comprises a DNS service supporting a DNS Security Extensions (DNSSEC) protocol.
  - 16. One or more computer storage media as recited in claim 13, wherein the expected value is a value expected based on a mapping of a particular name in the DNS query to a particular value known by the computing device.
  - 17. One or more computer storage media as recited in claim 13, wherein the particular network comprises a corporate network, and wherein the trusted authority is a root certificate authority for the corporate network.
  - 18. One or more computer storage media as recited in claim 13, wherein to receive the DNS response is to receive the DNS response from a DNS cache including a mapping of a particular name in the DNS query to the expected value, and wherein the mapping in the DNS cache has a time to live of less than five minutes.
  - 19. One or more computer storage media as recited in claim 13, wherein the trusted authority is trusted by the computing device.

20. A method in a computing device, the method comprising:
- generating a domain name system (DNS) query that includes a particular name to be resolved;
  
  causing the DNS query to be sent to a DNS service;
  
  checking whether a verified DNS response to the DNS query is received from the DNS service by checking whether a received DNS response has an expected value for the particular name and checking whether the received DNS response is digitally signed by a root certificate authority for a corporate network, and determining that the received DNS response is the verified DNS response only if both the received DNS response has the expected value and the received DNS response is digitally signed by the root certificate authority;
  
  determining that the computing device is inside the corporate network if the verified DNS response is received; and
  
  determining that the computing device is outside the corporate network if the verified DNS response is not received.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Pandya, Raunak, Tiwari, Abhishek, Amaravadi, Rama Krishna

Granted Patent

US 9,313,085 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/26
CPC Class Codes

H04L 2101/69   using geographic informatio...

H04L 61/4511   using domain name system [DNS]

H04L 61/58   Caching of addresses or names

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 67/568   Storing data temporarily at...

DNS-BASED DETERMINING WHETHER A DEVICE IS INSIDE A NETWORK

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

61 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

DNS-BASED DETERMINING WHETHER A DEVICE IS INSIDE A NETWORK

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

61 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links