Cross-Domain HTTP Requests Using DNS Rebinding
Abstract
Cross-domain requests by DNS name rebinding. A domain name server at a first domain name receives an initialization request from a user agent device. The request designates a class of domain names to be resolved to an IP address belonging to a second domain name to which the user agent device seeks to issue a safe cross-domain request. That request will be directed to the first domain name, but serviced by a server belonging to the second. In a DNS cache of the user agent, the first domain name is bound to an IP address belonging to the first domain, and to an IP address belonging to the second domain name. This binding is established by providing two or more IP address resource records resolving the designation of the class of domain names, having the relevant IP addresses, and ensuring that the first domain name is pinned to the first IP address in a DNS cache of the user agent device, and that others of the IP addresses are stored in the user agent's DNS cache as alternative binding(s) to the first domain name, and then invalidating the first IP address, so that the binding falls through to an alternative one of the IP addresses.
54 Claims
1. A method, comprising the steps of:

at a domain name server at a first domain name, receiving an initialization request from a user agent device, the initialization request designating a class of domain names to be resolved to an IP address belonging to a second domain name to which the user agent device seeks to issue a safe cross-domain request to be subsequently directed to the first domain name, the second domain name being a public domain name that is different than the first domain name;

establishing in a Domain Name System (DNS) address cache a binding of the first domain name to an IP address belonging to the second domain name, by:

sending one or more responses to the user agent device, the response(s) providing two or more IP address resource records resolving the designation of the class of domain names; one of the IP address resource records having a first IP address belonging to a computer within the domain of the first domain name, other of the provided IP address resource records having IP addresses for computers within domains belonging to the designated class of domain names, and having been evaluated by the domain name server to be eligible to service the cross-domain request to be subsequently issued by the user agent;

ensuring that the first domain name is pinned to the first IP address in a DNS address cache of the user agent device, and that others of the IP addresses are stored in the user agent's DNS address cache as alternative binding(s) to the first domain name;

sending a message to the user agent device to cause the user agent device to unpin the first IP address, and to bind the first domain name to an alternative one of the IP addresses from among the other stored IP addresses, and sending messages to enable the user agent device to issue an HTTP request addressed to the first domain name and to be routed to the IP address that belongs to or is to be resolved to a computer of the second domain name, to be serviced by a computer at the second domain name.
2. A computer system, comprising:

one or more processors designed to execute instructions; one or more nontransitory, machine-readable memories storing program instructions for execution by the processor(s), the instructions programmed to cause the processor(s) to: issue an initialization request to a domain name server at a first domain name, the initialization request designating a class of domain names to be resolved to an internet protocol (IP) address belonging to a second domain name, from which the user agent device is to seek to issue a safe cross-domain request to be subsequently directed to the first domain name, the second domain name being a public domain name that is different than the first domain name; in a Domain Name System (DNS) address cache, establish a binding of the first domain name to an IP address belonging to the second domain name; and send a cross-domain Hypertext Transfer Protocol (HTTP) request addressed to the first domain name and routed to the IP address that belongs to or is to be resolved to a computer of the second domain name, to be serviced by a computer at the second domain name.

Dependent claims: 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A method, comprising the steps of:

at a domain name server at a first domain name, receiving an initialization request from a user agent device, the initialization request designating a class of domain names to be resolved to an IP address belonging to a second domain name, to which the user agent device seeks to issue a safe cross-domain request to be subsequently directed to the first domain name, the second domain name being a public domain name that is different than the first domain name; establishing in a Domain Name System (DNS) address cache a binding of the first domain name to an IP address belonging to the second domain name, and sending messages to enable the user agent device to issue an Hypertext Transfer Protocol (HTTP) request addressed to the first domain name and to be routed to the IP address that belongs to or is to be resolved to a computer of the second domain name, to be serviced by a computer at the second domain name.

Dependent claims: 14, 15, 16, 17, 18, 19, 20, 21, 22
23. A domain name server, comprising:

one or more processors designed to execute instructions; an internet connection at which the domain name server is programmed to receive and send messages at a first domain name; one or more nontransitory, machine-readable memories storing program instructions for execution by the processor(s), the instructions programmed to cause the processor(s) to: receive an initialization request from a user agent device, the initialization request designating a class of domain names to be resolved to an IP address belonging to a second domain name, to which the user agent device seeks to issue a safe cross-domain request to be subsequently directed to the first domain name, the second domain name being a public domain name that is different than the first domain name; establish in a Domain Name System (DNS) address cache a binding of the first domain name to an IP address belonging to the second domain name, and to send messages to enable the user agent device to issue an Hypertext Transfer Protocol (HTTP) request addressed to the first domain name and to be routed to the IP address that belongs to or is to be resolved to a computer of the second domain name, to be serviced by a computer at the second domain name.

Dependent claims: 24, 25, 26, 27, 28, 29, 30, 31, 32
33. A method, comprising the steps of:

at a user agent device, issuing an initialization request to a domain name server at a first domain name, the initialization request designating a class of domain names to be resolved to an IP address belonging to a second domain name from which the user agent device seeks to request a safe cross-domain service, the second domain name being different than the first domain name; at the user agent device, receiving a response from the domain name server, the response returning to the user agent device two or more IP address resource records resolving the designation of the class of domain names; one of the returned IP address resource records having a first IP address belonging to a computer within the domain of the first domain name, other of the returned IP address resource records having IP addresses for computers within domains belonging to the designated class of domain names, and having been evaluated by the domain name server to be eligible to service the cross-domain service requested by the user agent; ensuring that the first domain name is pinned to the first IP address in a Domain Name System (DNS) address cache of the user agent device, and that others of the IP addresses are stored in the user agent's DNS address cache as alternative binding(s) to the first domain name; at the user agent device, in response to a request to the first IP address, unpinning the first IP address and binding to the first domain name an alternative one of the IP addresses chosen from among the other stored IP addresses; and from the user agent device, issuing a request to a computer of the second domain name by sending a request addressed to the first domain name, and by the DNS address cache, resolving the first domain name to an IP address that belongs to or is to be resolved to a computer of the second domain name.

Dependent claims: 34, 35, 36, 37, 38, 39, 40
41. A method, comprising the steps of:

at a domain name server at a first domain name, receiving an initialization request from a user agent device, the initialization request designating a class of domain names to be resolved to an IP address belonging to a second domain name to which the user agent device seeks to issue a safe cross-domain request, the second domain name being different than the first domain name; sending a response to the user agent device, the response providing two or more internet protocol (IP) address resource records resolving the designation of the class of domain names; one of the IP address resource records having a first IP address belonging to a computer within the domain of the first domain name, other of the provided IP address resource records having IP addresses for computers within domains belonging to the designated class of domain names, and having been evaluated by the domain name server to be eligible to service the cross-domain request to be subsequently issued by the user agent; ensuring that the first domain name is pinned to the first IP address in a Domain Name System (DNS) address cache of the user agent device, and that others of the IP addresses are stored in the user agent's DNS address cache as alternative binding(s) to the first domain name; sending a message to the user agent device to cause the user agent device to unpin the first IP address, and to bind the first domain name to an alternative one of the IP addresses from among the other stored IP addresses, and sending messages to enable the user agent device to issue an HTTP request addressed to the first domain name and to be routed to the IP address that belongs to or is to be resolved to a computer of the second domain name, to be serviced by a computer at the second domain name.

Dependent claims: 42, 43, 44, 45
46. A domain name server, comprising:

one or more processors designed to execute instructions; an internet connection at which a domain name server is programmed to receive and send messages at a first domain name; one or more nontransitory, machine-readable memories storing program instructions for execution by the processor(s), the instructions programmed to cause the processor(s) to: receive an initialization request from a user agent device, the initialization request designating a class of domain names to be resolved to an internet protocol (IP) address belonging to a second domain name to which the user agent device seeks to issue a safe cross-domain request, the second domain name being different than the first domain name; send a response to the user agent device, the response providing two or more IP address resource records resolving the designation of the class of domain names; one of the IP address resource records having a first IP address belonging to a computer within the domain of the first domain name, other of the provided IP address resource records having IP addresses for computers within domains belonging to the designated class of domain names, and having been evaluated by the domain name server to be eligible to service the cross-domain request to be subsequently issued by the user agent; ensure that the first domain name is pinned to the first IP address in a Domain Name System (DNS) address cache of the user agent device, and that others of the IP addresses are stored in the user agent's DNS address cache as alternative binding(s) to the first domain name; send a message to the user agent device to cause the user agent device to unpin the first IP address, and to bind the first domain name to an alternative one of the IP addresses from among the other stored IP addresses, and to send messages to enable the user agent device to issue an HTTP request addressed to the first domain name and to be routed to an IP address that belongs to or is to be resolved to a computer of the second domain name, to be serviced by a computer at the second domain name.

Dependent claims: 47, 48, 49, 50, 51
52. A method, comprising the steps of:

in a Domain Name System (DNS) address cache, establishing two or more internet protocol (IP) addresses for translation of a single domain name; sending a request over the internet to the domain name, including resolving the domain name of the request to a one of the IP addresses in the DNS address cache; receiving a reply to the request, and evaluating the source of the reply; and if the evaluation determines that the reply is received from an undesired node of the internet, invalidating the translation from the domain name to the undesired IP addresses from the DNS address cache.

Dependent claims: 53, 54
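The user-agent-side cache behaviour that claims 1 and 52 describe, modelled as an added example that is not code from the patent: a DNS address cache that pins a name to the first record, keeps the remaining records as alternatives, falls through on an unpin message, and invalidates a translation whose reply is evaluated to come from an undesired node. The class, method names and the 192.0.2.x / 198.51.100.x addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Binding:
    pinned: Optional[str]     # address the name currently resolves to (None = no valid binding)
    alternatives: List[str]   # other eligible addresses, in fall-through order


class PinnedDnsCache:
    def __init__(self) -> None:
        self._entries: dict = {}

    def install(self, name: str, first_ip: str, alternative_ips: List[str]) -> None:
        # Claim 1: pin the name to the first record; store the other records as alternatives.
        self._entries[name] = Binding(first_ip, list(alternative_ips))

    def resolve(self, name: str) -> str:
        entry = self._entries[name]
        if entry.pinned is None:
            raise LookupError(f"no valid binding for {name}")
        return entry.pinned

    def unpin(self, name: str) -> Optional[str]:
        # Server message: drop the current pin and fall through to the next alternative.
        entry = self._entries[name]
        entry.pinned = entry.alternatives.pop(0) if entry.alternatives else None
        return entry.pinned

    def evaluate_reply(self, name: str, source_ip: str, desired: Set[str]) -> bool:
        # Claim 52: a reply from an undesired node invalidates that translation only.
        if source_ip in desired:
            return True
        entry = self._entries[name]
        if entry.pinned == source_ip:
            self.unpin(name)
        else:
            entry.alternatives = [ip for ip in entry.alternatives if ip != source_ip]
        return False


def walkthrough() -> List[str]:
    # Constructed addresses: 192.0.2.10 is the first domain's server, 198.51.100.x the second's.
    cache = PinnedDnsCache()
    cache.install("first.example", "192.0.2.10", ["198.51.100.7", "198.51.100.8"])
    trace = [cache.resolve("first.example")]        # pinned to the first domain
    cache.unpin("first.example")                     # unpin message from the server
    trace.append(cache.resolve("first.example"))     # fell through to 198.51.100.7
    cache.evaluate_reply("first.example", "198.51.100.7", {"198.51.100.8"})  # undesired node
    trace.append(cache.resolve("first.example"))     # invalidated, now 198.51.100.8
    return trace
```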
Specification