Authenticated domain name resolution

US 7,299,491 B2
Filed: 04/30/2003
Issued: 11/20/2007
Est. Priority Date: 04/30/2003
Status: Expired due to Fees

First Claim

Patent Images

1. In an authoritative name server configured to resolve one or more domain names, a method of selectively resolving a domain name so that a client requesting resolution of the domain name receives a domain name system response based on the client'"'"'s authorization, the method comprising acts of:

at an authoritative name server, receiving, from a client, a first request to resolve a domain name into a corresponding domain name system response, the authoritative name server receiving the first request being capable of resolving the domain name into the corresponding domain name system response;

at the authoritative name server, sending, to the client, a first response identifying the authoritative name server sending the first response and indicating that the authoritative name server was unable to retrieve the requested domain name system response corresponding to the domain name;

at the authoritative name server, receiving, from the client, a subsequent request to resolve the domain name into a corresponding domain name system response, and the subsequent request having been sent by the client in response to the first response indicating that the authoritative name server was unable to retrieve the requested domain name system response;

at the authoritative name server, receiving client authentication from the client;

based on the received client authentication, determining at the authoritative name server that the client is authorized to receive the domain name response corresponding to the domain name; and

sending the corresponding domain name system response to the client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems, and computer program products for resolving domain name system records based on client authentication. Basing domain name resolution on client authentication provides remote clients with the convenience of domain names, without sacrificing the security of keeping potentially sensitive domain names private. An authoritative name server receives requests for domain name resolution from clients. For requests without client authentication, the authoritative name server responds that the domain name cannot be found. This response identifies the authoritative name server to the client so that the client can submit subsequent requests with client authentication. For requests with client authentication, the authoritative name server responds with the corresponding domain name addresses. Client may communicate domain name resolution requests directly to the authoritative name server or indirection, through one or more intermediate domain name servers. Client authentication may occur over a secure connection with the authoritative name server.

Citations

53 Claims

1. In an authoritative name server configured to resolve one or more domain names, a method of selectively resolving a domain name so that a client requesting resolution of the domain name receives a domain name system response based on the client'"'"'s authorization, the method comprising acts of:
- at an authoritative name server, receiving, from a client, a first request to resolve a domain name into a corresponding domain name system response, the authoritative name server receiving the first request being capable of resolving the domain name into the corresponding domain name system response;
  
  at the authoritative name server, sending, to the client, a first response identifying the authoritative name server sending the first response and indicating that the authoritative name server was unable to retrieve the requested domain name system response corresponding to the domain name;
  
  at the authoritative name server, receiving, from the client, a subsequent request to resolve the domain name into a corresponding domain name system response, and the subsequent request having been sent by the client in response to the first response indicating that the authoritative name server was unable to retrieve the requested domain name system response;
  
  at the authoritative name server, receiving client authentication from the client;
  
  based on the received client authentication, determining at the authoritative name server that the client is authorized to receive the domain name response corresponding to the domain name; and
  
  sending the corresponding domain name system response to the client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. The method of claim 1, wherein a plurality of domain name system responses correspond to the first resolution request received from the client, the method further comprising an act of selecting the domain name system response sent to the client based on the received client authentication.
  - 3. The method claim 1, wherein the authoritative name server receives client authentication over a secure connection with the client.
  - 4. The method of claim 1, wherein the first request to resolve a domain name comprises a request to resolve at least one domain name into at least one domain name address, and wherein the corresponding domain name system response sent to the client comprises one or more domain name addresses corresponding to the at least one domain name.
  - 5. The method of claim 4, wherein the first request to resolve the at least one domain name is received without client authentication.
  - 6. The method of claim 5, wherein the first request is received from the client through an intermediate domain name server capable of resolving one or more other domain names into one or more other domain name addresses.
  - 7. The method of claim 4, wherein the at least one domain name identifies at least one of router, a gateway, a firewall, or a proxy server for a private network.
  - 8. The method of claim 4, wherein the at least one domain name identifies at least one of a web server, a database server, a file server, or an email server for a private network.
  - 9. The method of claim 1, wherein the authoritative name server operates as one or more of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, or an email server.
  - 10. A computer program product comprising one or more computer readable storage media having stored thereon computer executable instructions that, when executed on suitable computing equipment, implement a method of selectively resolving a domain name so that a client requesting resolution of the domain name receives a domain name system response based on the client'"'"'s authorization, the method being that of claim 1.
  - 11. The computer program product of claim 10, wherein the authoritative name server receives the subsequent request from the client through a direct connection.
  - 12. The computer program product of claim 10, wherein the authoritative name server receives client authentication over a secure connection with the client.
  - 13. The computer program product of claim 10, wherein the initial request to resolve the domain name is received without client authentication.
  - 14. The computer program product of claim 13, wherein the initial request is received from the client through an intermediate domain name server capable of resolving one or more other domain names into one or more other domain name addresses.
  - 15. The computer program product of claim 10, wherein the authoritative name server operates as one or more of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, or an email server.
  - 16. The computer program product of claim 10, wherein the domain name identifies at least one of router, a gateway, a firewall, or a proxy server for a private network.
  - 17. The computer program product of claim 10, wherein the domain name identifies at least one of a web server, a database server, a file server, or an email server for a private network.
  - 18. The computer program product of claim 10, the method further comprising acts of:
    - at an authoritative name server, receiving, from another client, a request to resolve a public domain name into one or more corresponding domain name addresses, wherein the request fails to include client authentication for the other client;
      
      identifying the corresponding one or more domain name addresses corresponding to the public domain name; and
      
      sending the corresponding one or more domain name addresses to the other client.
  - 19. The computer program product of claim 18, wherein authoritative name server is not authoritative for the public domain name.

20. In an authoritative name server configured to resolve one or more domain name system records, a method of selectively resolving a domain name system record so that a client requesting resolution of the domain name system record receives a domain name system response based on the client'"'"'s authorization, the method comprising acts of:
- at an authoritative name server, receiving, from a client, a first request to resolve a domain name system record into a corresponding domain name system response, the authoritative name server receiving the first request being capable of resolving the domain name system record into the corresponding domain name system response, and the first request being received via a first communication path;
  
  at the authoritative name server, sending, to the client, a first response identifying the authoritative name server sending the first response and indicating that the authoritative name server was unable to retrieve the requested domain name system response corresponding to the domain name system record;
  
  at the authoritative name server, receiving, from the client, a second request to resolve the domain name system record into a corresponding domain name system response, the second request having been made via a second communication path, and the second request having been sent by the client in response to the first response indicating that the authoritative name server was unable to retrieve the requested domain name system response;
  
  at the authoritative name server, receiving client authentication from the client;
  
  based on the received client authentication, determining at the authoritative name server that the client is authorized to receive the domain name response corresponding to the domain name system record; and
  
  sending the corresponding domain name system response to the client;
  
  wherein the first communication path over which the authoritative name server receives the first request includes a path through one or more domain name cache servers, and wherein the second communication path bypasses the one or more domain name cache servers for a direct connection between the client and the authoritative name server.

21. In a client capable of establishing a connection with an authoritative name server that resolves at least one domain name into at least one domain name address, wherein the authoritative name server only resolves domain names into the corresponding domain name addresses for authorized clients, a method of requesting, from the authoritative name server, a domain name address that corresponds to a domain name, the method comprising acts of:
- a client sending an initial request, to resolve a domain name into a corresponding domain name address, to an authoritative name server capable of resolving the domain name into the domain name address, the initial request being sent without client authentication;
  
  the client receiving an initial response from the authoritative name server indicating that the domain name address is unknown to the authoritative name server;
  
  determining, by the client, that client authentication is needed to receive the domain name address from the authoritative name server;
  
  sending to the authoritative name server a subsequent request, the subsequent request including client authentication, to resolve the domain name into the corresponding domain name address; and
  
  in response to having sent the subsequent request including client authentication, receiving the corresponding domain name address in a subsequent response sent from the authoritative name server.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 22. The method of claim 21, wherein the subsequent request is sent through a secure connection.
  - 23. The method of claim 21, wherein determining that client authentication is needed comprises an act of the client receiving a request for the client authentication from the authoritative name server.
  - 24. The method of claim 21, wherein the client and the authoritative name server are connected to a common private network.
  - 25. The method of claim 21, wherein the authoritative name server functions as a gateway computer on one or more of a home, or an organizational network.
  - 26. The method of claim 25, wherein the gateway computer functions further as one or more of a router, a firewall, a virtual private network, a proxy server, a web server, a database server, a file server, or an email server.
  - 27. The method of claim 21, wherein the domain name identifies at least one of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, or an email server for a private network.
  - 28. A computer program product comprising one or more computer readable storage media having stored thereon computer executable instructions that, when executed on suitable computing equipment, implements a method of requesting, from an authoritative name server, a domain name address that corresponds to a domain name, the method being that of claim 21.
  - 29. The computer program product of claim 28, wherein the subsequent request is sent through a secure connection.
  - 30. The computer program product of claim 28, the method further comprising an act of the client receiving a request for the client authentication from the authoritative name server.
  - 31. The computer program product of claim 28, wherein the client and the authoritative name server are connected to a common private network.
  - 32. The computer program product of claim 28, wherein the authoritative name server functions as a gateway computer on one or more of a home, or an organizational network.
  - 33. The computer program product of claim 32, wherein the gateway computer functions further as one or more of a router, a firewall, a virtual private network, a proxy server, a web server, a database server, a file server, or an email server.
  - 34. The computer program product of claim 28, wherein the domain name identifies at least one of a router, a firewall, a virtual private network gateway, a proxy server, a web server, a database server, a file server, or an email server for a private network.
  - 35. The method of claim 21, wherein determining that client authentication is needed to receive the domain address from the authoritative server comprises the client determining that the received initial response was from an authoritative name server capable of translating the domain name into the domain name address.

36. In a client capable of establishing a connection with an authoritative name server that resolves at least one domain name into at least one domain name address, wherein the authoritative name server only resolves domain names into the corresponding domain name addresses for authorized clients, a method of requesting, from the authoritative name server, a domain name address that corresponds to a domain name, the method comprising acts of:
- a client sending an initial request, to resolve a domain name into a corresponding domain name address, to an authoritative name server capable of resolving the domain name into the domain name address, the initial request being sent without client authentication;
  
  the client receiving an initial response from the authoritative name server indicating that the domain name address is unknown to the authoritative name server;
  
  in response to receiving the initial response indicating that the domain name address is unknown to the authoritative name server, the client establishing a direct connection with the authoritative name server;
  
  determining, by the client, that client authentication is needed to receive the domain name address from the authoritative name server;
  
  sending, by the client, client authentication to the authoritative name server over the direct connection;
  
  sending a subsequent request, to resolve the domain name into the corresponding domain name address, to the authoritative name server; and
  
  in response to having sent client authentication, receiving the corresponding domain name address in a subsequent response sent from the authoritative name server;
  
  wherein the initial request is directed through a domain name server to the authoritative name server because the authoritative name server is unknown, the domain name server identifying the authoritative name server and directing the initial request to the authoritative name server, the method further comprising an act of the client discovering the authoritative name server from the initial response from the authoritative name server indicating that the domain name address is unknown.

37. In an authoritative name server configured for resolving domain name addresses, a method for selectively resolving one or more client-requested domain names so that the client receives one or more corresponding domain name addresses only if the client is authorized, the method comprising steps for:
- for one or more unauthenticated requests, originating from one or more unauthenticated clients, to resolve one or more domain names, an authoritative name server capable of resolving the one or more domain names into corresponding one or more domain name addresses responding to the one or more unauthenticated clients that the one or more domain name addresses are unknown because the one or more unauthenticated clients have not provided client authentication to the authoritative name server;
  
  in response to the one or more unauthenticated requests originating from the one or more unauthenticated clients, receiving one or more subsequent requests over a direct connection with the one or more unauthenticated clientsreceiving, by the authoritative name server, client authentication such that the one or more subsequent requests are one or more authenticated requests; and
  
  for the one or more authenticated requests originating from one or more authenticated clients, to resolve the one or more domain names, the authoritative name server responding to the one or more authenticated clients with one or more domain name addresses corresponding to the one or more domain names because the one or more authenticated clients provided client authentication to the authoritative name server.
- View Dependent Claims (38, 39, 40, 41, 42)
- - 38. The method of claim 37, further comprising a step for authenticating the authenticated clients over a secure connection.
  - 39. The method of claim 37, wherein the one or more unauthenticated clients and the one or more authenticated clients are the same one or more clients.
  - 40. The method of claim 37, wherein the one or more unauthenticated requests are received from the one or more unauthenticated clients through one or more intermediate domain name servers capable of resolving a plurality of other domain names into a plurality of other domain name addresses.
  - 41. The method of claim 37, wherein the one or more authenticated clients are external to a private network and the one or more domain names identify one or more servers internal to the private network.
  - 42. The method of claim 41, wherein the one or more domain names identify at least one a web server, a database server, a file server, or an email server within the private network.

43. For a client capable of establishing a connection with an authoritative name server that resolves at least one domain name into at least one domain name address, wherein the authoritative name server only resolves domain names into the corresponding domain name addresses for authorized clients, a computer program product comprising one or more computer readable storage media having stored thereon computer executable instructions that implement a method of requesting, from the authoritative name server, a domain name address that corresponds to a domain name, the method comprising acts of:
- a client sending an initial request, to resolve a domain name into a corresponding domain name address, to an authoritative name server capable of resolving the domain name into the domain name address, the initial request being sent without client authentication;
  
  the client receiving an initial response from the authoritative name server indicating that the domain name address is unknown to the authoritative name server capable of resolving the domain name into the domain name address;
  
  in response to receiving the initial response indicating that the domain name address is unknown to the authoritative name server, the client establishing a direct connection with the authoritative name server;
  
  determining, by the client, that client authentication is needed to receive the domain name address from the authoritative name server;
  
  sending, by the client, client authentication to the authoritative name server over the direct connection;
  
  sending a subsequent request;
  
  to resolve the domain name into the corresponding domain name address, to the authoritative name server; and
  
  in response to having sent client authentication, receiving the corresponding domain name address in a subsequent response sent from the authoritative name server;
  
  wherein the initial request is directed through a domain name server to the authoritative name server because the authoritative name server is unknown, the domain name server identifying the authoritative name server and directing the initial request to the authoritative name server, the method further comprising an act of the client discovering the authoritative name server from the initial response from the authoritative name server indicating that the domain name address is unknown.

44. In a client capable of establishing a connection with one or more name servers that resolve at least one domain name into at least one domain name address, wherein at least one name server resolves domain name system records based on client authentication, a method of requesting one or more domain name addresses for one or more domain names, the method comprising acts of:
- identifying an authoritative name server for a domain of interest, wherein the authoritative name server for the domain of interest is identified to the client in a message from the authoritative name server which indicates that the authoritative name server could not find a domain address for the domain of interest;
  
  in response to receiving the message indicating that the authoritative name server could not find the domain name address for the domain of interest, establishing a secure connection with the authoritative name server;
  
  sending client authentication to the authoritative name server over the secure connection;
  
  requesting, from the authoritative name server, one or more domain name addresses for one or more domain names; and
  
  based on the client authentication, receiving from the authoritative name server at least one domain name address for the one or more domain names.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 45. The method of claim 44, wherein the client authentication is sent with the request.
  - 46. The method of claim 44, wherein identifying the authoritative name server comprises an act of requesting a name server record for the domain of interest.
  - 47. The method of claim 46, wherein the domain of interest comprises a sub-domain of a higher-level domain, the method further comprising an act of requesting the name server record for the domain of interest from a name server for the higher-level domain.
  - 48. The method of claim 47, wherein the request to the name server for the higher-level domain occurs over a secure connection.
  - 49. The method of claim 48, further comprising an act of requesting a name server record for the higher-level domain to identify the name server for the higher-level domain.
  - 50. The method of claim 44, wherein identifying the authoritative name server comprises an act of requesting domain name resolution for a non-existent domain name.
  - 51. The method of claim 44, wherein the client is configured to request the one or more domain name addresses for the one or more domain names using a secure form of communication.
  - 52. The method of claim 51, wherein the client is configured to request one or more other domain name addresses for one or more other domain names using an insecure form of communication.
  - 53. The method of claim 52, wherein the client configuration to use a secure form of communication or an insecure form of communication is domain specific.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Shelest, Art, Gilroy, James M.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Powers; William S

Application Number

US10/427,458
Publication Number

US 20040250119A1
Time in Patent Office

1,665 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

H04L 63/08 for authentication of entit...

Authenticated domain name resolution

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

53 Claims

Specification

Solutions

Use Cases

Quick Links

Authenticated domain name resolution

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

53 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links