Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

US 9,537,823 B2
Filed: 04/08/2016
Issued: 01/03/2017
Est. Priority Date: 04/24/2012
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method executed by one or more hardware processors, the method comprising:

receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding Internet Protocol (IP) address;

determining that the corresponding IP address corresponds to the domain name and at least one other domain name;

in response to receiving the request to resolve the domain name and in response to determining that the corresponding IP address corresponds to the domain name and the at least one other domain name, associating, by the domain name server, a spoofed IP address with the domain name, wherein the spoofed IP address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed IP address is different than the corresponding IP address;

in response to associating the spoofed IP address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name to the client, the response including the spoofed IP address;

receiving, at the particular server, an encrypted request for a resource, the encrypted request directed to the spoofed IP address; and

determining, by the particular server, that the encrypted request is directed to the domain name based on the association between the spoofed IP address and the domain name, wherein the determination by the particular server is made without decrypting the encrypted request.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain.

13 Citations

21 Claims

1. A computer-implemented method executed by one or more hardware processors, the method comprising:
- receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding Internet Protocol (IP) address;
  
  determining that the corresponding IP address corresponds to the domain name and at least one other domain name;
  
  in response to receiving the request to resolve the domain name and in response to determining that the corresponding IP address corresponds to the domain name and the at least one other domain name, associating, by the domain name server, a spoofed IP address with the domain name, wherein the spoofed IP address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed IP address is different than the corresponding IP address;
  
  in response to associating the spoofed IP address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name to the client, the response including the spoofed IP address;
  
  receiving, at the particular server, an encrypted request for a resource, the encrypted request directed to the spoofed IP address; and
  
  determining, by the particular server, that the encrypted request is directed to the domain name based on the association between the spoofed IP address and the domain name, wherein the determination by the particular server is made without decrypting the encrypted request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - selectively allowing the encrypted request based at least in part on determining that the encrypted request is directed to the domain name.
  - 3. The method of claim 2, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be blocked based at least in part on a rule associated with the domain name; and
      
      blocking the encrypted request.
  - 4. The method of claim 2, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be allowed based at least in part on a rule associated with the domain name; and
      
      forwarding the encrypted request to the corresponding IP address for the domain name.
  - 5. The method of claim 1, wherein:
    - the spoofed address includes an internet protocol (IP) address,receiving the request to resolve the domain name includes receiving a Domain Name System (DNS) request, andsending the response to the request to resolve the domain name includes sending a DNS response.
  - 6. The method of claim 1, wherein the domain name is a first domain name, the method further comprising:
    - receiving a request to resolve a second domain name different than the first domain name;
      
      determining that a corresponding IP address to the second domain name corresponds only to the second domain name; and
      
      sending a response to the request to resolve the second domain name, the response including the corresponding IP address for the second domain name.
  - 7. The method of claim 1, further comprising:
    - receiving a second request to resolve the domain name;
      
      determining that the domain name is associated with the spoofed IP address; and
      
      sending a response to the second request to resolve the domain name, the response including the spoofed IP address.
  - 8. The method of claim 1, wherein the spoofed IP address includes an IP port.
  - 9. The method of claim 1, wherein receiving the encrypted request for the resource includes receiving a request according to Hypertext Transfer Protocol Secure (HTTPS).

10. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one hardware processor to perform operations comprising:
- receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding Internet Protocol (IP) address;
  
  determining that the corresponding IP address corresponds to the domain name and at least one other domain name;
  
  in response to receiving the request to resolve the domain name and in response to determining that the corresponding IP address corresponds to the domain name and the at least one other domain name, associating, by the domain name server, a spoofed IP address with the domain name, wherein the spoofed IP address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed IP address is different than the corresponding IP address;
  
  in response to associating the spoofed IP address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name to the client, the response including the spoofed IP address;
  
  receiving, at the particular server, an encrypted request for a resource, the encrypted request directed to the spoofed IP address; and
  
  determining, by the particular server, that the encrypted request is directed to the domain name based on the association between the spoofed IP address and the domain name, wherein the determination by the particular server is made without decrypting the encrypted request.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The non-transitory computer-readable medium of claim 10, the operations further comprising:
    - selectively allowing the encrypted request based at least in part on determining that the encrypted request is directed to the domain name.
  - 12. The non-transitory computer-readable medium of claim 11, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be blocked based at least in part on a rule associated with the domain name; and
      
      blocking the encrypted request.
  - 13. The non-transitory computer-readable medium of claim 11, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be allowed based at least in part on a rule associated with the domain name; and
      
      forwarding the encrypted request to the corresponding IP address for the domain name.
  - 14. The non-transitory computer-readable medium of claim 10, wherein:
    - the spoofed address includes an internet protocol (IP) address,receiving the request to resolve the domain name includes receiving a Domain Name System (DNS) request, andsending the response to the request to resolve the domain name includes sending a DNS response.
  - 15. The non-transitory computer-readable medium of claim 10, wherein the domain name is a first domain name, the non-transitory computer-readable medium further comprising:
    - receiving a request to resolve a second domain name different than the first domain name;
      
      determining that a corresponding IP address to the second domain name corresponds only to the second domain name; and
      
      sending a response to the request to resolve the second domain name, the response including the corresponding IP address for the second domain name.
  - 16. The non-transitory computer-readable medium of claim 10, the operations further comprising:
    - receiving a second request to resolve the domain name;
      
      determining that the domain name is associated with the spoofed IP address; and
      
      sending a response to the second request to resolve the domain name, the response including the spoofed IP address.
  - 17. The non-transitory computer-readable medium of claim 10, wherein the spoofed IP address includes an IP port.
  - 18. The non-transitory computer-readable medium of claim 10, wherein receiving the encrypted request for the resource includes receiving a request according to Hypertext Transfer Protocol Secure (HTTPS).

19. A system comprising:
- memory for storing data; and
  
  one or more hardware processors operable to perform operations comprising;
  
  receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding Internet Protocol (IP) address;
  
  determining that the corresponding IP address corresponds to the domain name and at least one other domain name;
  
  in response to receiving the request to resolve the domain name and in response to determining that the corresponding IP address corresponds to the domain name and the at least one other domain name, associating, by the domain name server, a spoofed IP address with the domain name, wherein the spoofed IP address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed IP address is different than the corresponding IP address;
  
  in response to associating the spoofed IP address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name to the client, the response including the spoofed IP address;
  
  receiving, at the particular server, an encrypted request for a resource, the encrypted request directed to the spoofed IP address; and
  
  determining, by the particular server, that the encrypted request is directed to the domain name based on the association between the spoofed IP address and the domain name, wherein the determination by the particular server is made without decrypting the encrypted request.
- View Dependent Claims (20, 21)
- - 20. The system of claim 19, the operations further comprising:
    - selectively allowing the encrypted request based at least in part on determining that the encrypted request is directed to the domain name.
  - 21. The system of claim 20, wherein selectively allowing the encrypted request includes:
    - determining that the encrypted request should be blocked based at least in part on a rule associated with the domain name; and
      
      blocking the encrypted request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
iBoss
Original Assignee
iBoss
Inventors
Martini, Paul Michael
Primary Examiner(s)
SHAW, BRIAN F

Application Number

US15/094,900
Publication Number

US 20160226824A1
Time in Patent Office

270 Days
Field of Search

726/26, 726/28
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0209   Architectural arrangements,...

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0823   using certificates cryptogr...

H04L 63/10   for controlling access to d...

H04L 63/101   Access control lists [ACL]

H04L 63/166   at the transport layer

H04L 67/02   based on web technology, e....

Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

13 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

13 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links