Encrypted network addresses
Abstract
Systems and methods are described to enable a DNS service to encode information into a network address to be advertised by the DNS service. Information encoded by a DNS service may include, for example, an identifier of a content set to which the network address corresponds (e.g., a domain name) and validity information, such as a digital signature, that verifies the validity of the network address. On receiving a request to communicate with the network address, a destination device associated with the network address may decode the encoded information within the network address to assist in processing the request. In some instances, the encoded information may be used to identify malicious network transmissions, such as transmissions forming part of a network attack, potentially without reliance on other data, such as separate mappings or contents of the data transmission.
15 Claims
1. A system to provide digitally signed network addresses, the system comprising:

a domain name system (DNS) computing device configured with computer-executable instructions to:
obtain a request to resolve a domain name into a network address;
determine a routing prefix of the network address, wherein the routing prefix is associated with a network including a content server associated with the domain name;
determine a time-to-live (TTL) value for the network address;
encrypt with a cryptographic public key (i) the TTL value and (ii) a time of generation of the network address to result in an encrypted portion;
generate the network address, wherein the network address includes at least the routing prefix and the encrypted portion, and wherein the network address is formatted to include the routing prefix as a first set of bits within the network address and the encrypted portion as a second set of bits within the network address; and
return the network address in response to the request; and

a router computing device associated with the network and configured with computer-executable instructions to:
obtain a data packet addressed to the network address;
decrypt the encrypted portion of the network address using a cryptographic private key, corresponding to the cryptographic public key, to result in the TTL value and the time of generation of the network address; and
route the data packet based at least in part on whether a current time exceeds an expiration time determined by incrementing the time of generation of the network address by the TTL value.

Dependent claims: 2, 3, 4.

5. A computer-implemented method comprising:

obtaining a DNS request to resolve a domain name into a network address;
determining a routing prefix of the network address, wherein the routing prefix is associated with a network including a computing device associated with the domain name;
determining a time-to-live (TTL) value for the network address;
encrypting with a cryptographic public key (i) the TTL value and (ii) a time of generation of the network address to result in an encrypted portion;
generating the network address, wherein the network address includes at least the routing prefix and the encrypted portion, and wherein the network address is formatted to include the routing prefix as a first set of bits within the network address and the encrypted portion as a second set of bits within the network address;
returning the network address in response to the request;
obtaining a data packet addressed to the network address;
decrypting the encrypted portion of the network address using a cryptographic private key, corresponding to the cryptographic public key, to result in the TTL value and the time of generation of the network address; and
routing the data packet based at least in part on whether a current time exceeds an expiration time determined by incrementing the time of generation of the network address by the TTL value.

Dependent claims: 6, 7, 8, 9, 10.

11. Non-transitory computer-readable media comprising:

first computer-executable instructions that, when executed, cause a computing system to:
obtain information corresponding to a DNS request to resolve a domain name into a network address;
determine a routing prefix of the network address, wherein the routing prefix is associated with a network including a content server associated with the domain name;
determine a time-to-live (TTL) value for the network address;
encrypt with a cryptographic public key (i) the TTL value and (ii) a time of generation of the network address to result in an encrypted portion;
generate the network address, wherein the network address includes at least the routing prefix and the encrypted portion, and wherein the network address is formatted to include the routing prefix as a first set of bits within the network address and the encrypted portion as a second set of bits within the network address; and
return the network address in response to the request; and

second computer-executable instructions that, when executed by a router computing device, cause the router computing device to:
obtain a data packet addressed to the network address;
decrypt the encrypted portion of the network address using a cryptographic private key, corresponding to the cryptographic public key, to result in the TTL value and the time of generation of the network address; and
route the data packet based at least in part on whether a current time exceeds an expiration time determined by incrementing the time of generation of the network address by the TTL value.

Dependent claims: 12, 13, 14, 15.
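As an added illustration (not code from the patent or its assignee), the following Python models the address layout the claims describe: a /64 routing prefix in the upper bits and an encrypted (generation time, TTL) pair in the lower 64 bits, produced on the DNS side and checked on the router side. The claims' public-key encryption is stood in for by a keyed 64-bit Feistel permutation built from HMAC-SHA256, because no standard-library asymmetric cipher yields a 64-bit ciphertext; the prefix, key, TTL bound and timestamps are constructed values.

```python
import hashlib
import hmac
import ipaddress

ROUNDS = 4                       # Feistel rounds over the 64-bit encrypted portion
MAX_TTL = 86_400                 # constructed policy bound: reject TTLs over one day
LOW64 = 0xFFFF_FFFF_FFFF_FFFF

def _round_fn(key: bytes, rnd: int, half: int) -> int:
    # Keyed 32-bit round function (truncated HMAC-SHA256) for the stand-in cipher.
    mac = hmac.new(key, bytes([rnd]) + half.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def block_encrypt(key: bytes, block: int) -> int:
    # Stand-in for the claims' public-key encryption: a keyed 64-bit permutation.
    left, right = block >> 32, block & 0xFFFF_FFFF
    for rnd in range(ROUNDS):
        left, right = right, left ^ _round_fn(key, rnd, right)
    return (left << 32) | right

def block_decrypt(key: bytes, block: int) -> int:
    # Inverse permutation: the router-side counterpart of block_encrypt.
    left, right = block >> 32, block & 0xFFFF_FFFF
    for rnd in reversed(range(ROUNDS)):
        left, right = right ^ _round_fn(key, rnd, left), left
    return (left << 32) | right

def dns_generate_address(prefix: str, ttl: int, gen_time: int, key: bytes) -> ipaddress.IPv6Address:
    # DNS side: routing prefix in the upper 64 bits, encrypted (gen_time, ttl) in the lower 64.
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("this layout needs a /64 routing prefix")
    plaintext = (gen_time << 32) | ttl        # 32-bit generation time, 32-bit TTL
    return ipaddress.IPv6Address(int(net.network_address) | block_encrypt(key, plaintext))

def router_should_route(addr: ipaddress.IPv6Address, now: int, prefix: str, key: bytes) -> bool:
    # Router side: decrypt the lower 64 bits and drop packets whose address has expired.
    if addr not in ipaddress.IPv6Network(prefix):
        return False                          # not this router's routing prefix
    plaintext = block_decrypt(key, int(addr) & LOW64)
    gen_time, ttl = plaintext >> 32, plaintext & 0xFFFF_FFFF
    if ttl > MAX_TTL or gen_time > now:
        return False                          # implausible values: treat as forged
    return now <= gen_time + ttl              # route only before the expiration time

if __name__ == "__main__":
    key = b"constructed-demo-key"            # constructed; held by DNS and router in this model
    addr = dns_generate_address("2001:db8:1234:5678::/64", 300, 1_700_000_000, key)
    print(addr, router_should_route(addr, 1_700_000_100, "2001:db8:1234:5678::/64", key))
```

Because the lower 64 bits carry no integrity tag, a guessed suffix that happens to decrypt to a TTL within MAX_TTL and a past generation time is routed, a chance on the order of MAX_TTL/2^32 per guess; that is why a deployment would bound TTL tightly or reserve bits for an integrity check.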