System for providing DNS-based control of individual devices

US 9,992,234 B2
Filed: 06/19/2015
Issued: 06/05/2018
Est. Priority Date: 03/18/2010
Status: Active Grant

First Claim

Patent Images

1. A system for providing a DNS-based device control system to provide security to users, the system comprising:

a gateway through which a user uses an individual device to communicate, the gateway uniquely identifying each of a plurality of individual devices in communication with the gateway via a unique device identifier for each of the plurality of individual devices;

a dynamic policy enforcement engine in communication with a DNS engine, wherein a DNS query from the individual device is transmitted to the gateway and then across a wide area network to the dynamic policy enforcement engine to a DNS engine; and

a memory device from which the dynamic policy enforcement engine selects a policy which applies to the individual device that originated the DNS query based on the unique device identifier of the individual device that originated the DNS query, the dynamic policy enforcement engine using the policy to determine whether a site that is the object of the DNS query is a benign site or a malicious site for the individual device, the dynamic policy enforcement engine passing the DNS query to the DNS engine and returning a response of the DNS engine to the individual device if the policy indicates that the individual device'"'"'s DNS query refers to the benign site.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device control system is associated with individual devices connected through a network control point to a gateway and thereby to the Internet. The gateway inserts an EDNS0 pseudo resource record into an additional data section in each DNS query initiated by an individual device, the EDNS0 pseudo resource record identifying the initiating device. A dynamic policy enforcement engine in front of the DNS engine intercepts the DNS query, identifies the initiating device, and selects a policy that applies to the device. The dynamic policy enforcement engine may provide parental control and security service to the individual device by blocking the DNS query or passing it to the DNS engine according to the policy. A component that intercepts DNS queries may provide several additional types of services to the individual devices, including advertising, messaging, mobile device tracking, individual device application control, and delivery of individualized content.

Citations

15 Claims

1. A system for providing a DNS-based device control system to provide security to users, the system comprising:
- a gateway through which a user uses an individual device to communicate, the gateway uniquely identifying each of a plurality of individual devices in communication with the gateway via a unique device identifier for each of the plurality of individual devices;
  
  a dynamic policy enforcement engine in communication with a DNS engine, wherein a DNS query from the individual device is transmitted to the gateway and then across a wide area network to the dynamic policy enforcement engine to a DNS engine; and
  
  a memory device from which the dynamic policy enforcement engine selects a policy which applies to the individual device that originated the DNS query based on the unique device identifier of the individual device that originated the DNS query, the dynamic policy enforcement engine using the policy to determine whether a site that is the object of the DNS query is a benign site or a malicious site for the individual device, the dynamic policy enforcement engine passing the DNS query to the DNS engine and returning a response of the DNS engine to the individual device if the policy indicates that the individual device'"'"'s DNS query refers to the benign site.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The system of claim 1, in which the malicious site may be characterized by content that includes malware, by phishing, or by executing attacks on users or on other sites.
  - 3. The system of claim 1, in which the individual device requests content from the benign site.
  - 4. The system of claim 1, in which the dynamic policy enforcement engine operates on the response from the DNS engine instead of or in addition to operating on the DNS query to the DNS engine.
  - 5. The system of claim 1, in which the dynamic policy enforcement engine blocks a DNS response that contains a certain IP address or an IP address in a certain range, instead of or in addition to blocking a DNS query that contains a certain domain name.
  - 6. The system of claim 1, wherein the unique device identifier is permanently assigned when the individual device is manufactured.
  - 7. The system of claim 1, wherein the plurality of individual devices comprises at least one device associated with a privileged user and at least one device associated with a non-privileged user.
  - 8. The system of claim 1, wherein the plurality of individual devices comprises at least one device associated with a child user and at least one device associated with a parent user.
  - 9. The system of claim 1, in which the dynamic policy enforcement engine takes an action which denies the user access to the malicious site if the policy indicates that the individual device'"'"'s DNS query refers to the malicious site.
  - 10. The system of claim 9, in which the dynamic policy enforcement engine returns a response to the DNS query which redirects the individual device to a web page that contains a blocked site message or a benign alternative site.
  - 11. The system of claim 9, in which the dynamic policy enforcement engine blocks the DNS query from the DNS engine and sends no response.
  - 12. The system of claim 1, wherein the gateway has a unique gateway identifier that identifies it to the dynamic policy enforcement engine.
  - 13. The system of claim 12, wherein the unique gateway identifier is permanently assigned to the gateway when it is manufactured.
  - 14. The system of claim 12, wherein the unique gateway identifier is dynamically assigned when the gateway is recognized by the dynamic policy enforcement engine.

15. A system for providing a DNS-based device control system to provide security to users, the system comprising:
- a gateway through which a user uses an individual device to communicate, the gateway uniquely identifying each of a plurality of individual devices in communication with the gateway via a unique device identifier for each of the plurality of individual devices;
  
  a dynamic policy enforcement engine in communication with a DNS engine, wherein a DNS query from the individual device is transmitted to the gateway and then across a wide area network to the dynamic policy enforcement engine to a DNS engine; and
  
  a memory device from which the dynamic policy enforcement engine selects a policy which applies to the individual device that originated the DNS query based on the unique device identifier of the individual device that originated the DNS query, the dynamic policy enforcement engine using the policy to determine whether an IP address in a response to the DNS query is a blocked IP address or an unblocked IP address for the individual device, the dynamic policy enforcement engine returning a response of the DNS engine to the individual device if the policy indicates that the DNS response to the individual device'"'"'s DNS query refers to an unblocked IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies, Inc.
Original Assignee
Nominum Incorporated (Akamai Technologies, Inc.)
Inventors
Lemon, Edward, Wellington, Brian, Halley, Robert Thomas, Avirneni, Srinivas, Oborn, Keith
Primary Examiner(s)
Lipman, Jacob

Application Number

US14/745,183
Publication Number

US 20150288721A1
Time in Patent Office

1,082 Days
Field of Search

726 1
US Class Current
CPC Class Codes

G06F 16/90335   Query processing

G06F 21/6263   during internet communicati...

G06F 2221/2115   Third party

G06F 2221/2119   Authenticating web pages, e...

G06F 2221/2141   Access rights, e.g. capabil...

G06F 2221/2149   Restricted operating enviro...

G06Q 30/0255   based on user history

H04L 61/4511   using domain name system [DNS]

H04L 63/0263   Rule management

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

System for providing DNS-based control of individual devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

System for providing DNS-based control of individual devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links