Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates
First Claim
1. A computer-implemented method executed by one or more processors, the method comprising:
- receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding address;
- determining that secure requests from the client directed to the domain name cannot be distinguished by the domain name server from secure requests from the client directed to at least one other domain name based on the corresponding address being shared between the domain name and the at least one other domain name;
- in response to receiving the request to resolve the domain name and in response to determining that secure requests from the client directed to the domain name cannot be distinguished, associating, by the domain name server, a spoofed address with the domain name, wherein the spoofed address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed address is different than the corresponding address;
- in response to associating the spoofed address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name, the response including the spoofed address;
- receiving, at the particular server, a secure request for a resource, the secure request directed to the spoofed address;
- determining, by the particular server, that the secure request is directed to the domain name based on the association between the spoofed address and the domain name, wherein the determination is made without decrypting the secure request; and
- selectively allowing the secure request based at least in part on determining that the secure request is directed to the domain name.
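The flow recited in claim 1, sketched as an added example (not code from the patent or its assignee): a resolver that hands out a unique spoofed address for each domain whose real address is shared, and a server that maps the destination address back to the domain and applies policy without reading the encrypted payload. The domain names, addresses, pool range, block policy and the fail-closed handling of unknown addresses are assumptions constructed for this illustration.

```python
import ipaddress
from collections import Counter

# Constructed sample data: two domains share one address, one does not.
REAL_DNS = {
    "docs.example": "203.0.113.10",
    "video.example": "203.0.113.10",
    "intranet.example": "203.0.113.20",
}
POLICY_BLOCKED = {"video.example"}                   # hypothetical policy
SPOOF_POOL = ipaddress.ip_network("10.99.0.0/29")    # assumed to route to the server


class SpoofingResolver:
    """DNS side: one spoofed address per domain that shares its real address."""

    def __init__(self, real_dns, pool):
        self.real_dns = real_dns
        self.share_count = Counter(real_dns.values())
        self.free = iter(pool.hosts())    # unused pool addresses
        self.by_domain = {}               # domain -> spoofed address
        self.by_spoofed = {}              # spoofed address -> domain

    def resolve(self, domain):
        real = self.real_dns[domain]
        if self.share_count[real] < 2:
            return real                   # address already identifies the domain
        if domain not in self.by_domain:
            addr = next(self.free, None)
            if addr is None:
                raise LookupError("spoofed address pool exhausted")
            self.by_domain[domain] = str(addr)
            self.by_spoofed[str(addr)] = domain
        return self.by_domain[domain]     # stable across repeated lookups


def handle_secure_request(resolver, dst_ip):
    """Server side: decide from the destination address alone, no decryption."""
    domain = resolver.by_spoofed.get(dst_ip)
    if domain is None:
        return ("deny", None, None)       # no association recorded: fail closed
    if domain in POLICY_BLOCKED:
        return ("deny", domain, None)
    # Allowed: the server would forward the still-encrypted stream to the real address.
    return ("allow", domain, resolver.real_dns[domain])
```
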
Abstract
An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain.
21 Claims
10. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one processor to perform operations comprising:
- receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding address;
- determining that secure requests from the client directed to the domain name cannot be distinguished by the domain name server from secure requests from the client directed to at least one other domain name based on the corresponding address being shared between the domain name and the at least one other domain name;
- in response to receiving the request to resolve the domain name and in response to determining that secure requests from the client directed to the domain name cannot be distinguished, associating, by the domain name server, a spoofed address with the domain name, wherein the spoofed address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed address is different than the corresponding address;
- in response to associating the spoofed address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name, the response including the spoofed address;
- receiving, at the particular server, a secure request for a resource, the secure request directed to the spoofed address;
- determining, by the particular server, that the secure request is directed to the domain name based on the association between the spoofed address and the domain name, wherein the determination is made without decrypting the secure request; and
- selectively allowing the secure request based at least in part on determining that the secure request is directed to the domain name.
18. A system comprising:
- memory for storing data; and
- one or more processors operable to perform operations comprising:
  - receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding address;
  - determining that secure requests from the client directed to the domain name cannot be distinguished by the domain name server from secure requests from the client directed to at least one other domain name based on the corresponding address being shared between the domain name and the at least one other domain name;
  - in response to receiving the request to resolve the domain name and in response to determining that secure requests from the client directed to the domain name cannot be distinguished, associating, by the domain name server, a spoofed address with the domain name, wherein the spoofed address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed address is different than the corresponding address;
  - in response to associating the spoofed address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name, the response including the spoofed address;
  - receiving, at the particular server, a secure request for a resource, the secure request directed to the spoofed address;
  - determining, by the particular server, that the secure request is directed to the domain name based on the association between the spoofed address and the domain name, wherein the determination is made without decrypting the secure request; and
  - selectively allowing the secure request based at least in part on determining that the secure request is directed to the domain name.
Specification