Restricting communication over an encrypted network connection to internet domains that share common IP addresses and shared SSL certificates
First Claim
1. A computer-implemented method executed by one or more hardware processors, the method comprising:
receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding Internet Protocol (IP) address;
determining that the corresponding IP address corresponds to the domain name and at least one other domain name;
in response to receiving the request to resolve the domain name and in response to determining that the corresponding IP address corresponds to the domain name and the at least one other domain name, associating, by the domain name server, a spoofed IP address with the domain name, wherein the spoofed IP address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed IP address is different than the corresponding IP address;
in response to associating the spoofed IP address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name to the client, the response including the spoofed IP address;
receiving, at the particular server, an encrypted request for a resource, the encrypted request directed to the spoofed IP address; and
determining, by the particular server, that the encrypted request is directed to the domain name based on the association between the spoofed IP address and the domain name, wherein the determination by the particular server is made without decrypting the encrypted request.
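The procedure in the claim above, modelled end to end as an added Python example (this is illustration written for this page, not code from the patent or its assignee). It assumes constructed domain names, RFC 5737 documentation addresses for the "real" records, a 10.77.0.0/16 pool for the spoofed addresses, and a small allow/deny policy table; the `RelocatingResolver` plays the domain name server and the `EnforcementProxy` plays the "particular server" that recovers the domain from the destination address without touching the encrypted payload.

```python
"""Model of the claimed DNS-relocation scheme (added illustration; all names,
addresses and the policy table are constructed, not taken from the patent).

- RelocatingResolver: the domain name server. When a domain's real address is
  shared with another domain, it answers with a unique address from a pool
  owned by the enforcement proxy instead of the shared address.
- EnforcementProxy: the server behind those addresses. It recovers the domain
  from the destination IP alone and never inspects the encrypted request.
"""
import ipaddress
from collections import defaultdict

# Constructed authoritative records: three names share one front-end address
# (the shared-IP, shared-certificate situation named in the title).
REAL_DNS = {
    "allowed.example": "203.0.113.10",
    "blocked.example": "203.0.113.10",
    "other.example": "203.0.113.10",
    "solo.example": "198.51.100.7",  # the only name on its address
}

# Constructed per-domain policy; anything unlisted is denied.
POLICY = {"allowed.example": "allow", "blocked.example": "deny"}


class RelocatingResolver:
    """Domain name server that relocates shared-IP domains to unique addresses."""

    def __init__(self, records, pool="10.77.0.0/16"):
        self.records = dict(records)
        # Reverse index: real IP -> set of domains resolving to it.
        self.domains_on_ip = defaultdict(set)
        for name, ip in self.records.items():
            self.domains_on_ip[ip].add(name)
        # Proxy-owned addresses, handed out one per relocated domain.
        self._free = ipaddress.ip_network(pool).hosts()
        self.spoof_to_domain = {}
        self.domain_to_spoof = {}

    def is_shared(self, domain):
        """True when the real address also serves at least one other domain."""
        return len(self.domains_on_ip[self.records[domain]]) > 1

    def resolve(self, domain):
        """Answer an A-record query: unique addresses pass through unchanged,
        shared ones are replaced by a stable spoofed address that identifies
        exactly this domain and points at the proxy."""
        real = self.records[domain]
        if not self.is_shared(domain):
            return real
        if domain not in self.domain_to_spoof:
            spoof = str(next(self._free))
            self.domain_to_spoof[domain] = spoof
            self.spoof_to_domain[spoof] = domain
        return self.domain_to_spoof[domain]


class EnforcementProxy:
    """The 'particular server': decides by destination address only."""

    def __init__(self, resolver):
        self.resolver = resolver

    def handle(self, dst_ip, encrypted_request):
        """Return (domain, verdict, upstream) for a connection to dst_ip.

        encrypted_request is accepted but deliberately never parsed: the
        domain comes from the resolver's spoofed-IP association, so no
        decryption (and no SNI inspection) is needed to apply the policy."""
        domain = self.resolver.spoof_to_domain.get(dst_ip)
        if domain is None:
            return ("unknown", "deny", None)  # not an address we relocated
        verdict = POLICY.get(domain, "deny")
        upstream = self.resolver.records[domain] if verdict == "allow" else None
        return (domain, verdict, upstream)


def demo():
    """Run the whole exchange once; returns {domain: (dns answer, decision)}.
    decision is None when the client got a unique real address and goes direct."""
    dns = RelocatingResolver(REAL_DNS)
    proxy = EnforcementProxy(dns)
    # Constructed opaque blob standing in for a TLS ClientHello plus request.
    ciphertext = b"\x16\x03\x03" + b"\x00" * 29
    results = {}
    for name in ("allowed.example", "blocked.example", "solo.example"):
        answer = dns.resolve(name)
        if answer in dns.spoof_to_domain:  # relocated: client reaches the proxy
            results[name] = (answer, proxy.handle(answer, ciphertext))
        else:  # unique address: direct data path, proxy not involved
            results[name] = (answer, None)
    return results


if __name__ == "__main__":
    for name, (answer, decision) in demo().items():
        print(f"{name:16} -> {answer:14} proxy: {decision}")
```

The proxy's `handle` signature takes the ciphertext only to make the point visible: the decision path never reads it, and a deployment would simply forward the bytes to `upstream` when the verdict is "allow". Note the trade-off the claim implies: the spoofed address is per domain, so the pool size bounds how many shared-IP domains can be distinguished at once.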
Abstract
An apparatus prevents communication by a client device to a domain that cannot be uniquely identified by relocating the DNS mapping of the domain to a destination IP Address that is uniquely identifiable and that represents a location of an apparatus that provides a data path to the domain.
21 Claims
1. (Independent method claim; its full text appears under First Claim above.) Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A non-transitory, computer-readable medium storing instructions operable when executed to cause at least one hardware processor to perform operations comprising:
receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding Internet Protocol (IP) address;
determining that the corresponding IP address corresponds to the domain name and at least one other domain name;
in response to receiving the request to resolve the domain name and in response to determining that the corresponding IP address corresponds to the domain name and the at least one other domain name, associating, by the domain name server, a spoofed IP address with the domain name, wherein the spoofed IP address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed IP address is different than the corresponding IP address;
in response to associating the spoofed IP address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name to the client, the response including the spoofed IP address;
receiving, at the particular server, an encrypted request for a resource, the encrypted request directed to the spoofed IP address; and
determining, by the particular server, that the encrypted request is directed to the domain name based on the association between the spoofed IP address and the domain name, wherein the determination by the particular server is made without decrypting the encrypted request.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A system comprising:
memory for storing data; and one or more hardware processors operable to perform operations comprising:
receiving, at a domain name server, a request from a client to resolve a domain name into a corresponding Internet Protocol (IP) address;
determining that the corresponding IP address corresponds to the domain name and at least one other domain name;
in response to receiving the request to resolve the domain name and in response to determining that the corresponding IP address corresponds to the domain name and the at least one other domain name, associating, by the domain name server, a spoofed IP address with the domain name, wherein the spoofed IP address is configured to uniquely identify the domain name and is associated with a particular server, and wherein the spoofed IP address is different than the corresponding IP address;
in response to associating the spoofed IP address with the domain name, sending, by the domain name server, a response to the request to resolve the domain name to the client, the response including the spoofed IP address;
receiving, at the particular server, an encrypted request for a resource, the encrypted request directed to the spoofed IP address; and
determining, by the particular server, that the encrypted request is directed to the domain name based on the association between the spoofed IP address and the domain name, wherein the determination by the particular server is made without decrypting the encrypted request.
Dependent claims: 20, 21.
Specification