Security policy for HTTPS using DNS

US 10,375,020 B2
Filed: 01/18/2017
Issued: 08/06/2019
Est. Priority Date: 01/18/2017
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, at a browser operating on a host device, a request to access a web server, wherein the request comprises a Uniform Resource Locator (URL) associated with the web server;

sending, to a Domain Name System (DNS) server, a request for an Internet Protocol (IP) address correlated with a domain hosting the URL;

receiving, from the DNS server, a response to the request for the IP address correlated with the domain hosting the URL, wherein the response comprises a block policy IP address and an error code; and

based on the block policy IP address and the error code indicated in the response, rendering, by the browser, an access denied page indicating that access to the web server associated with the URL is not permitted, wherein at least a portion of the access denied page is stored in memory accessible to the browser prior to the sending of the request for the IP address correlated with the domain hosting the URL,wherein the block policy IP address comprises a subnet mask indicating a category of content hosted by the web server associated with the URL, wherein the category of content is prohibited by a rule or policy associated with an administrative domain to which the host device is connected.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a browser operating on a host device receives, from a user, a request to access a web server that includes a Uniform Resource Locator (URL) associated with the web server. In response, the browser sends, to a Domain Name System (DNS) server, a request for an Internet Protocol (IP) address correlated with the domain hosting the URL, and receives, from the DNS server, a response that comprises a block policy IP address and an appropriate error code. Based on this IP address and the error code indicated in the response, the browser renders an access denied page indicating that access to the web server associated with the URL is not permitted, wherein at least a portion of the access denied page is stored in memory accessible to the browser prior to sending the request for the IP address correlated with the domain that is hosting the URL.

17 Citations

View as Search Results

17 Claims

1. A method comprising:
- receiving, at a browser operating on a host device, a request to access a web server, wherein the request comprises a Uniform Resource Locator (URL) associated with the web server;
  
  sending, to a Domain Name System (DNS) server, a request for an Internet Protocol (IP) address correlated with a domain hosting the URL;
  
  receiving, from the DNS server, a response to the request for the IP address correlated with the domain hosting the URL, wherein the response comprises a block policy IP address and an error code; and
  
  based on the block policy IP address and the error code indicated in the response, rendering, by the browser, an access denied page indicating that access to the web server associated with the URL is not permitted, wherein at least a portion of the access denied page is stored in memory accessible to the browser prior to the sending of the request for the IP address correlated with the domain hosting the URL,wherein the block policy IP address comprises a subnet mask indicating a category of content hosted by the web server associated with the URL, wherein the category of content is prohibited by a rule or policy associated with an administrative domain to which the host device is connected.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the block policy IP address does not correspond to a reachable IP address.
  - 3. The method of claim 1, wherein an indication of the category is rendered in the access denied page.
  - 4. The method of claim 1, wherein the error code is indicated in a last octet of the block policy IP address.
  - 5. The method of claim 1, further comprising receiving, at the browser, a first configuration file, wherein the first configuration file includes a first set of error codes.
  - 6. The method of claim 5, wherein the host device receives the first configuration file in response to logging onto an administrative domain.
  - 7. The method of claim 5, wherein the first configuration file further includes a Time to Live (TTL) parameter associated with the first set of error codes, wherein the TTL parameter indicates a duration that the first set of error codes is valid.
  - 8. The method of claim 1, wherein the access denied page includes a selectable link, which when selected, causes the browser to render rules or policies associated with an administrative domain to which the host device is connected.
  - 9. The method of claim 1, further comprising determining, by the browser, that the response to the request for the IP address correlated with the domain hosting the URL is not a valid response, wherein the determining is made without using a root certificate associated with a security server.
  - 10. The method of claim 1, further comprising sending a message to a URL provided in the response, wherein the message comprises an indication notifying a server associated with the URL provided in the response of the request for the IP address correlated with the domain hosting the URL.
  - 11. The method of claim 1, wherein the rendering of the access denied page is triggered by a plug-in extension to the browser operating on the host device.

12. An apparatus comprising:
- a network interface unit configured to enable network communications;
  
  a memory; and
  
  a processor, coupled to the network interface unit and the memory, and configured to;
  
  receive a request to access a web server, wherein the request comprises a Uniform Resource Locator (URL) associated with the web server;
  
  send, to a Domain Name System (DNS) server, a request for an Internet Protocol (IP) address correlated with a domain hosting the URL;
  
  receive, from the DNS server, a response to the request for the IP address correlated with the domain hosting the URL, wherein the response comprises a block policy IP address and an error code; and
  
  based on the block policy IP address and the error code indicated in the response, render an access denied page indicating that access to the web server associated with the URL is not permitted, wherein at least a portion of the access denied page is stored in the memory prior to the sending of the request for the IP address correlated with the domain hosting the URL,wherein the block policy IP address comprises a subnet mask indicating a category of content hosted by the web server associated with the URL, wherein the category of content is prohibited by a rule or policy associated with an administrative domain to which the host device is connected.
- View Dependent Claims (13, 14)
- - 13. The apparatus of claim 12, wherein the processor is further configured to receive a first configuration file, wherein the first configuration file includes a first set of error codes.
  - 14. The apparatus of claim 13, wherein the processor is further configured to receive the first configuration file in response to the apparatus logging onto an administrative domain.

15. A non-transitory computer readable storage media storing executable instructions that are operable in a computing device, to perform operations to:
- receive a request to access a web server, wherein the request comprises a Uniform Resource Locator (URL) associated with the web server;
  
  send, to a Domain Name System (DNS) server, a request for an Internet Protocol (IP) address correlated with a domain hosting the URL;
  
  receive, from the DNS server, a response to the request for the IP address correlated with the domain hosting the URL, wherein the response comprises a block policy IP address and an error code; and
  
  based on the block policy IP address and the error code indicated in the response, render an access denied page indicating that access to the web server associated with the URL is not permitted, wherein at least a portion of the access denied page is stored in memory accessible to the browser prior to the sending of the request for the IP address correlated with the domain hosting the URL,wherein the block policy IP address comprises a subnet mask and an octet indicating a category of content hosted by the web server associated with the URL.
- View Dependent Claims (16, 17)
- - 16. The non-transitory computer readable storage media of claim 15, further comprising instructions that are operable to receive a first configuration file, wherein the first configuration file includes a first set of error codes.
  - 17. The non-transitory computer readable storage media of claim 16, further comprising instructions that are operable to receive the first configuration file in response to logging onto an administrative domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Wing, Daniel G., Reddy, K. Tirumaleswar, Patil, Prashanth
Primary Examiner(s)
Feild, Lynn D
Assistant Examiner(s)
South, Jessica J

Application Number

US15/408,616
Publication Number

US 20180205734A1
Time in Patent Office

930 Days
Field of Search
US Class Current
CPC Class Codes

H04L 2463/121   Timestamp cryptographic mec...

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/168   above the transport layer

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

H04L 67/10   in which an application is ...

Security policy for HTTPS using DNS

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Security policy for HTTPS using DNS

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links