US20190124048A1 - System for providing dns-based policies for devices - Google Patents
System for providing dns-based policies for devices Download PDFInfo
- Publication number
- US20190124048A1 US20190124048A1 US16/170,399 US201816170399A US2019124048A1 US 20190124048 A1 US20190124048 A1 US 20190124048A1 US 201816170399 A US201816170399 A US 201816170399A US 2019124048 A1 US2019124048 A1 US 2019124048A1
- Authority
- US
- United States
- Prior art keywords
- dns
- engine
- individual device
- dns query
- control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/903—Querying
- G06F16/90335—Query processing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
- G06F21/6245—Protecting personal data, e.g. for financial or medical purposes
- G06F21/6263—Protecting personal data, e.g. for financial or medical purposes during internet communication, e.g. revealing personal data from cookies
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/02—Marketing; Price estimation or determination; Fundraising
- G06Q30/0241—Advertisements
- G06Q30/0251—Targeted advertisements
- G06Q30/0255—Targeted advertisements based on user history
-
- H04L61/1511—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2115—Third party
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2119—Authenticating web pages, e.g. with suspicious links
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2149—Restricted operating environment
Definitions
- the device identifier is easy for the gateway to obtain because the gateway has access to all of the headers and other control information in messages exchanged between the gateway and the individual devices under its control.
- the software that needs to be added to the gateway to enable the device control system is simple and has a small footprint.
- FIG. 4 shows a subscriber security application of the device control system in which a policy protects devices from malicious sites on an individualized basis.
- FIG. 6 shows a messaging application of the device control system in which a policy causes a message to be delivered to an individual device.
- FIG. 7 shows a mobile device tracking application of the device control system.
- FIG. 8 shows a device control application of the device control system in which a policy causes the system to exercise a control function on an individual device or an application that runs on an individual device.
- FIG. 9 shows an example of the device control system in which individual devices are classified into groups and policies are applied to groups.
- FIG. 10 shows a content selection application of the device control system in which a policy causes a policy-sensitive content server to select content to be delivered to an individual device in response to a content request.
- FIG. 11 shows the components of a system for providing DNS-based control of individual devices.
- the present disclosure describes a device control system which exercises control over individual devices which communicate with the Internet through a gateway.
- “Individual device” is used herein to refer to any computing device that is capable of communicating through the Internet and delivering communicated content to an individual user.
- An individual device may be a personal computer (PC), a smartphone, a gaming console, a tablet, or a phablet.
- Network control point is used herein to refer to any network which connects a gateway to the associated individual devices.
- a local area network is an example of a network control point.
- a network control point is not necessarily constrained to operate in a fixed location or a limited physical locality.
- FIG. 1 illustrates a device control system 100 designed according to an embodiment of the device control system and a DNS record utilized by the device control system 100 .
- At least one individual device 102 is connected through a network control point 104 to a gateway 106 .
- the gateway 106 is connected through a wide area network 108 to a dynamic policy enforcement engine 110 .
- the dynamic policy enforcement engine 110 communicates with a DNS engine 112 and with a memory device 114 which holds a plurality of policies 116 which may apply to different individual devices 102 .
- the dynamic policy enforcement engine 110 , the DNS engine 112 , and the memory device 114 may each run on a dedicated server, on a shared server, or in a computing cloud.
- An individual device 102 sends a DNS query 118 to the DNS engine 112 when it needs to resolve a domain name to an IP address.
- the DNS query 118 passes through the network control point 104 , the gateway 106 , the wide area network 108 , and the dynamic policy enforcement engine 110 .
- a unique device identifier 122 is associated with each individual device 102 that is associated with a given gateway 106 .
- the device identifier 122 may be permanently assigned when the individual device 102 is manufactured.
- the device identifier 122 may be derived from a property of the individual device 102 's location on the network control point 104 , such as an internal IP address or a MAC address.
- the dynamic policy enforcement engine 110 may pass the DNS query 118 to the DNS engine 112 , pass a modified version of the DNS query 118 to the DNS engine 112 , block the DNS query 118 from the DNS engine 112 and return its own response to the individual device 102 , or block the DNS query 118 from the DNS engine 112 and return no response to the individual device 102 . If the dynamic policy enforcement engine 110 passes the original DNS query 118 or a modified DNS query to the DNS engine 112 , it may return the DNS engine 112 's response, return a modified version of the DNS engine 112 's response, block the response and send its own response, or block the response and send no response.
- the dynamic policy enforcement engine 110 blocks the DNS query 118 , blocks the DNS engine 112 's response, or modifies the DNS query 118 or the DNS engine 112 's response, it may prevent the individual device 102 from obtaining the IP address of a site 132 which is the object of the DNS query 118 , effectively blocking the individual device 102 from access to content 134 of the site 132 .
- FIG. 2 shows an embodiment 200 of the device control system in which policies that control the dynamic policy enforcement engine may be created and maintained.
- At least one privileged user 202 uses an individual device 204 which is associated with a gateway 206 .
- One or more non-privileged users 208 may use individual devices 210 which are also associated with the gateway 206 .
- the privileged user 202 communicates with a policy control user interface 212 .
- the policy control user interface 212 may be implemented as an application on a web server operated by an Internet service provider (ISP) 214 .
- the policy control user interface 212 may communicate with the gateway 206 , the ISP 214 , or a dynamic policy enforcement engine 216 .
- ISP Internet service provider
- the policy control user interface 212 may permit the privileged user 202 to create and maintain policies 218 that apply to users of individual devices 204 , 210 associated with the gateway 206 , including the privileged user 202 him or herself, other privileged users 202 , and non-privileged users 208 .
- the policies 218 are stored in a memory device 220 .
- the policy control user interface 212 may create and maintain the policies 218 by operating directly on the memory device 220 , or by communicating with the dynamic policy enforcement engine 216 which operates on the memory device 220 .
- the dynamic policy enforcement engine 312 may operate on responses from the DNS engine 310 instead of or in addition to operating on DNS queries to the DNS engine 310 .
- the dynamic policy enforcement engine 312 may block responses that contain a certain IP address or an IP address in a certain range, instead of or in addition to blocking DNS queries that contain certain domain names.
- Parental control is exercised by one or more parents 324 using parent's devices 326 which communicate with a policy control user interface 328 .
- the policy control user interface 328 creates and maintains policies 314 for the parents 324 and stores them in the memory device 316 .
- FIG. 4 shows an embodiment 400 of the device control system which is adapted to provide security to users.
- One or more users 402 use one or more individual devices 404 to communicate through a gateway 406 .
- Each DNS query from an individual device 404 to a DNS engine 408 passes through a dynamic policy enforcement engine 410 , which selects a policy 412 which applies to that individual device 404 from a memory device 414 .
- the dynamic policy enforcement engine 410 uses the policy 412 to determine whether a site 416 , 418 that is the object of the DNS request is a benign site 416 or a malicious site 418 .
- a malicious site 418 may be characterized by content that includes malware, by phishing, or by executing attacks on users or on other sites.
- the dynamic policy enforcement engine 410 may pass the DNS query to the DNS engine 408 and return the DNS engine 408 's response to the individual device 404 .
- the individual device 404 may then request content from the benign site 416 .
- it may block the DNS query from the DNS engine 408 and send no response.
- FIG. 5 shows an embodiment 500 of the device control system which is adapted to deliver advertisement content to users.
- One or more users 502 use one or more individual devices 504 to communicate through a gateway 506 .
- An advertisement module 508 receives a first DNS query from an individual device 504 and selects an advertisement 510 from a memory device 512 , the selected advertisement 510 to be delivered to the individual device 504 .
- the advertisement module 508 may return a DNS response to the individual device 504 which causes the individual device 504 to load the advertisement 510 from a communication module 514 instead of loading the page requested by the first DNS query.
- the communication module 514 retrieves the advertisement 510 from the memory device 512 and returns it to the individual device 504 .
- the advertisement 510 may include a hyperlink or other control which the user 502 may select to load the page which the individual device 504 requested in the first DNS query.
- the individual device 504 may send a second DNS query to the advertisement module 508 .
- the second DNS query may contains a URL which the advertisement module 508 recognizes as a request originated by an advertising page as distinguished from a request originated by the user 502 .
- the advertisement module 508 accordingly passes a DNS query to a DNS engine 516 and returns the DNS engine 516 's response to the individual device 504 .
- the DNS query which the advertisement module 508 passes to the DNS engine 516 may be the first DNS query, or may be an equivalent of the first DNS query which the advertisement module 508 reconstructs from the second DNS query.
- the advertisement module 508 's selection of the advertisement 510 may be based at least in part on historical user actions 518 .
- Historical user actions 518 may include actions such as issuing DNS queries for particular types of content and indicating approval or disapproval of advertisements 510 by selecting hyperlinks or other controls which may be included in the advertisements 510 for that purpose.
- the advertisement module 508 may store historical user actions 518 in a historical memory device 520 and subsequently refer to them when selecting advertisements 510 .
- the messaging module 608 returns a DNS response to the individual device 604 which causes the individual device 604 to load the selected message 610 from a communication module 614 instead of loading the page requested by the first DNS query.
- the communication module 614 retrieves the selected message 610 from the memory device 612 and returns it to the individual device 604 .
- the user 602 may view the message via a browser 618 or via an application 620 associated with the individual device 604 .
- the message 610 may include a hyperlink or other control which the user 602 may select to load the page which the individual device 604 requested in the first DNS query.
- the hyperlink or other control may cause the individual device 604 to send a second DNS query to the messaging module 608 .
- the second DNS query may contain a URL which the messaging module 608 recognizes as a request originated by a message page as distinguished from a request originated by the user 602 .
- the messaging module 608 accordingly passes a DNS query to the DNS engine 616 and returns the DNS engine 616 's response to the individual device 604 .
- the DNS query which the messaging module 608 passes to the DNS engine 616 may be the first DNS query, or may be an equivalent of the first DNS query which the messaging module 608 reconstructs from the second DNS query.
- FIG. 7 shows an embodiment 700 of the device control system which is adapted to track mobile devices.
- One or more mobile devices 702 communicate through a wireless network 704 to a gateway 706 .
- the wireless network 704 may consist of one or more WiFi connections between the gateway 706 and the respective mobile devices 702 .
- the gateway 706 may be a mobile device such as a mobile hotspot.
- the gateway 706 is connected through a wide area network 708 to a dynamic policy enforcement engine 710 .
- the dynamic policy enforcement engine 710 communicates with a DNS engine 712 , and may also communicate with a memory device 714 which holds a plurality of policies 716 which apply to different mobile devices 702 .
- a mobile device 702 periodically reports its coordinates 718 to the gateway 706 .
- the coordinates 718 may be obtained from GPS data.
- a unique gateway identifier 722 is assigned to each gateway 706 that communicates with the dynamic policy enforcement engine 710 .
- the gateway identifier 722 may be permanently assigned when the gateway 706 is manufactured. Alternatively, the gateway identifier 722 may be derived from a property of the gateway 706 's location on the wide area network 708 .
- a unique device identifier 724 is associated with each mobile device 702 that is associated with the gateway 706 .
- the device identifier 724 may be permanently assigned when the mobile device 702 is manufactured. Alternatively, the device identifier 724 may be derived from a property of the mobile device 702 's location on the wireless network 704 .
- the gateway 706 inserts the gateway identifier 722 and the device identifier 724 into the pseudo-RR 730 , uniquely identifying the mobile device 702 which originated the DNS query 720 .
- the gateway 706 further inserts the mobile device 702 's coordinates 718 into the pseudo-RR 730 , identifying the mobile device 702 's location.
- the dynamic policy enforcement engine 710 When the dynamic policy enforcement engine 710 receives the DNS query 720 from the gateway 706 it selects a policy 716 which applies to the originating mobile device 702 from the memory device 714 .
- the dynamic policy enforcement engine 710 extracts the mobile device 702 's coordinates 718 from the DNS query 720 and passes them to a tracking module 734 , which stores them in a tracking database 736 .
- the dynamic policy enforcement engine 710 determines whether and when to store tracking data without reference to a policy 716 . This embodiment does not use a memory device 714 or policies 716 .
- FIG. 8 shows an embodiment 800 of the device control system which provides control of individual devices and applications that run on individual devices.
- At least one privileged user 802 uses an individual device 804 which is associated with a gateway 806 .
- Additional non-privileged users 808 may use individual devices 810 which are also associated with the gateway 806 .
- the individual devices 804 , 810 may each run an operating system 812 , 814 , and may each run one or more applications 816 , 818 .
- the policy control user interface 824 may permit the privileged user 802 to create and maintain policies 828 which apply to one or more individual devices 804 , 810 .
- the policies 828 are stored in a memory device 830 .
- the policy control user interface 824 may create and maintain the policies 828 by operating directly on the memory device 830 , or by communicating with the dynamic policy enforcement engine 822 which operates on the memory device 830 .
- the dynamic policy enforcement engine 822 controls aspects of the operation of an individual device 804 , 810 by selecting the policy 828 that applies to the individual device 804 , 810 . Aspects of the operation of an individual device 804 , 810 which the policy 828 may control include the operating system 812 , 814 of the individual device 804 , 810 , and the applications 816 , 818 which run on the individual device 804 , 810 .
- the dynamic policy enforcement engine 822 may exercise control over the operating system 812 , 814 by sending requests to the operating system 812 , 814 , by sending responses to requests made by the operating system 812 , 814 , or both.
- the dynamic policy enforcement engine 822 may exercise control over an application 816 , 818 by sending requests to the application 816 , 818 or to the operating system 812 , 814 , or by sending responses to requests made by the application 816 , 818 or by the operating system 812 , 814 , or both.
- the dynamic policy enforcement engine 822 may exercise control over the operating system 812 , 814 or the application 816 , 818 at any time, including times when the selected policy 828 is created or modified, times when the individual device 804 , 810 is started, and times when specified events occur.
- FIG. 9 shows an embodiment 900 of the device control system which associates a policy 902 with a device group 904 rather than with an individual device 906 , 908 .
- Each device group 904 contains one or more individual devices 906 , 908 .
- An individual device 906 , 908 operated by a user 910 , 912 , communicates with a DNS engine 914 through a gateway 916 and a dynamic policy enforcement engine 918 .
- Each DNS query 920 transmitted by the gateway 916 contains an additional data section 922 .
- the gateway 916 inserts an additional data section 922 in each DNS query 920 if none is present in the DNS query 920 received from the individual device 906 , 908 .
- the gateway 916 inserts a pseudo-RR 924 of type OPT into the additional data section 922 .
- the pseudo-RR 924 contains a gateway identifier 926 which identifies the gateway 916 and a device identifier 928 which identifies the device group 904 to which the individual device 906 , 908 belongs.
- the dynamic policy enforcement engine 918 uses the gateway identifier 926 and the device identifier 928 to identify the device group 904 to which the individual device 906 , 908 belongs.
- the dynamic policy enforcement engine 918 selects a policy 902 that applies to the device group 904 from a memory device 930 .
- FIG. 10 shows an embodiment 1000 of the device control system which delivers individualized content to individual devices.
- One or more users 1002 , 1004 use one or more individual devices 1006 , 1008 to communicate through a gateway 1010 .
- Each DNS query from an individual device 1006 , 1008 to a DNS engine 1012 passes through the gateway 1010 and a content module 1014 .
- the content module 1014 selects a policy 1016 which applies to the individual device 1006 , 1008 from a memory device 1018 .
- the selected policy 1016 may determine what content a communication module 1020 should present to the individual device 1006 , 1008 .
- the content module 1014 sends a DNS response to the individual device 1006 , 1008 which identifies the content that the communication module 1020 should present.
- the individual device 1006 , 1008 accordingly requests the content from the communication module 1020 , and the communication module 1020 presents the content.
- the content module 1014 may forward a DNS query that refers to policy-sensitive content to the DNS engine 1012 and modify the DNS engine 1012 's response according to the selected policy 1016 .
- the DNS response which the content module 1014 returns to the individual device 1006 , 1008 may identify the selected policy 1016 .
- the communication module 1020 may then retrieve the selected policy 1016 from the memory device 1018 and use it to determine what content to present to the individual device 1006 , 1008 .
- FIG. 11 shows the components of a system 1100 which implements the server side elements of a device control system.
- the system 1100 comprises one or more processors 1102 , main memory 1104 , static memory 1106 , a disk drive unit 1108 , and a network interface device 1110 , all of which are communicably attached to a bus 1112 .
- the bus may be any type of hardware or software which enables the attached components of the system 1100 to communicate with each other, such as a local area network or a wide area network.
- the network interface device 1110 is attached to a wide area network 1118 through which the system 1100 can communicate with gateways and individual devices.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Signal Processing (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Business, Economics & Management (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- Finance (AREA)
- Health & Medical Sciences (AREA)
- Strategic Management (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Accounting & Taxation (AREA)
- Development Economics (AREA)
- Databases & Information Systems (AREA)
- Entrepreneurship & Innovation (AREA)
- Software Systems (AREA)
- Game Theory and Decision Science (AREA)
- Medical Informatics (AREA)
- Economics (AREA)
- Marketing (AREA)
- Computational Linguistics (AREA)
- Data Mining & Analysis (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- The present application is a continuation of, and claims the priority benefit of, U.S. patent application Ser. No. 15/668,561 filed on Aug. 3, 2017 and entitled “System for Providing DNS-Based Policies for Devices,” which is a continuation of, and claims the priority benefit of, U.S. patent application Ser. No. 14/832,935 filed on Aug. 21, 2015 and entitled “System for Providing DNS-Based Control of Individual Devices,” which is a continuation of, and claims the priority benefit of, U.S. patent application Ser. No. 14/745,183 filed on Jun. 19, 2015 and entitled “System for Providing DNS-Based Control of Individual Devices,” the teachings of all which are incorporated by reference in their entirety herein.
- This disclosure relates generally to data processing, and more specifically to a system for providing DNS-based control of individual devices.
- Groups of Internet users such as households and offices often have several individual computing devices (“individual devices”) attached to the Internet through a gateway. The individual devices may be a variety of types, such as personal computers, gaming devices, and tablets.
- There is a need to exercise control over the users' devices for many purposes. One purpose is parental control, in which a household's parents regulate their children's Internet use. Another purpose is security, in which users are prevented from visiting sites or performing operations that are considered dangerous.
- One type of existing device control technology has utilized device control software that runs on each individual device. Such technology has several disadvantages. It complicates the task of installing and configuring the device control software by distributing it over many devices. It requires a provider to provide, and a user to install, a different implementation of device control software for each type of device. It has the potential for a user to evade control entirely by disabling the device control software on the user's own device, or by gaining access to the Internet through a device on which device control software has not been installed.
- Another type of existing device control technology has utilized software that runs on the gateway. Such software is often limited in function because the memory and computing power on a gateway device typically is limited.
- Another type of existing device control technology has utilized software that runs on a server through which the gateway gains access to the Internet. Such software typically cannot distinguish among the individual devices that communicate through the gateway, and so it cannot apply different controls to individual devices.
- There exists a need for device control technology that runs in a central location, cannot be evaded by users of individual devices, and can distinguish among devices in order to apply different controls individually.
- This summary is provided to introduce a selection of concepts in a simplified form that are further described in the Detailed Description below. This summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used as an aid in determining the scope of the claimed subject matter.
- In a device control system designed according to the present disclosure, the gateway attaches a unique identifier to DNS messages originated by each individual device that is served by a gateway. The unique identifier may consist of a gateway identifier and a device identifier. The gateway identifier is fixed for each gateway. The unique identifier may be contained in pseudo-resource-records according to the EDNS0 standard.
- The device identifier is easy for the gateway to obtain because the gateway has access to all of the headers and other control information in messages exchanged between the gateway and the individual devices under its control. Thus the software that needs to be added to the gateway to enable the device control system is simple and has a small footprint.
- Device control is performed by a software module associated with the DNS server that responds to DNS messages forwarded by the gateway. In some embodiments of the device control software, the software module is associated with a memory device which holds a plurality of policies. The policies control the software module's treatment of the individual devices attached to the gateway. The policies may be configured by a person with authority over the individual devices, such as a parent or a system administrator, through an individual device that can communicate with the software module.
- A device control system designed according to the present disclosure may be used to implement parental control over individual devices attached to a gateway in a household. It may also be used to provide security to the individual devices in a household, office, or other location. It may also be used to deliver messages to individual devices, to insert advertising content into the data stream delivered to individual devices, to track the locations of individual devices, and for other purposes.
- Embodiments are illustrated by way of example, and not by limitation, in the figures of the accompanying drawings, in which like references indicate similar elements.
-
FIG. 1 shows a system for providing DNS-based control of individual devices and the structure of a DNS query employed by the system. -
FIG. 2 shows the operation of a user interface to the system for providing DNS-based control of individual devices, by means of which a privileged user may exercise control over a policy that governs an individual device's access to content servers. -
FIG. 3 shows a parental control application of the device control system in which a policy permits or blocks access to a site by an individual device. -
FIG. 4 shows a subscriber security application of the device control system in which a policy protects devices from malicious sites on an individualized basis. -
FIG. 5 shows an advertising delivery application of the device control system in which a policy causes advertising content to be delivered to an individual device. -
FIG. 6 shows a messaging application of the device control system in which a policy causes a message to be delivered to an individual device. -
FIG. 7 shows a mobile device tracking application of the device control system. -
FIG. 8 shows a device control application of the device control system in which a policy causes the system to exercise a control function on an individual device or an application that runs on an individual device. -
FIG. 9 shows an example of the device control system in which individual devices are classified into groups and policies are applied to groups. -
FIG. 10 shows a content selection application of the device control system in which a policy causes a policy-sensitive content server to select content to be delivered to an individual device in response to a content request. -
FIG. 11 shows the components of a system for providing DNS-based control of individual devices. - The following detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show illustrations in accordance with example embodiments. These example embodiments, which are also referred to herein as “examples,” are described in enough detail to enable those skilled in the art to practice the present subject matter. The embodiments can be combined, other embodiments can be utilized, or structural, logical, and electrical changes can be made without departing from the scope of what is claimed. The following detailed description is therefore not to be taken in a limiting sense, and the scope is defined by the appended claims and their equivalents. In this document, the terms “a” and “an” are used, as is common in patent documents, to include one or more than one. In this document, the term “or” is used to refer to a nonexclusive “or,” such that “A or B” includes “A but not B,” “B but not A,” and “A and B,” unless otherwise indicated.
- The present disclosure describes a device control system which exercises control over individual devices which communicate with the Internet through a gateway.
- “Individual device” is used herein to refer to any computing device that is capable of communicating through the Internet and delivering communicated content to an individual user. An individual device may be a personal computer (PC), a smartphone, a gaming console, a tablet, or a phablet.
- “Gateway” is used herein to refer to any connection point at the edge of a network through which at least one household, office, or other location connects at least one individual device to the Internet. A gateway may be fixed or mobile.
- “Network control point” is used herein to refer to any network which connects a gateway to the associated individual devices. A local area network is an example of a network control point. A network control point is not necessarily constrained to operate in a fixed location or a limited physical locality.
- “Wide area network” and “WAN” are used herein to refer to any network which connects at least one gateway to at least one server. The Internet is an example of a wide area network.
- Referring now to the drawings,
FIG. 1 illustrates adevice control system 100 designed according to an embodiment of the device control system and a DNS record utilized by thedevice control system 100. At least oneindividual device 102 is connected through anetwork control point 104 to agateway 106. Thegateway 106 is connected through awide area network 108 to a dynamicpolicy enforcement engine 110. The dynamicpolicy enforcement engine 110 communicates with aDNS engine 112 and with amemory device 114 which holds a plurality ofpolicies 116 which may apply to differentindividual devices 102. The dynamicpolicy enforcement engine 110, theDNS engine 112, and thememory device 114 may each run on a dedicated server, on a shared server, or in a computing cloud. - An
individual device 102 sends aDNS query 118 to theDNS engine 112 when it needs to resolve a domain name to an IP address. TheDNS query 118 passes through thenetwork control point 104, thegateway 106, thewide area network 108, and the dynamicpolicy enforcement engine 110. - A
unique gateway identifier 120 is assigned to eachgateway 106 that communicates with the dynamicpolicy enforcement engine 110. Thegateway identifier 120 may be permanently assigned when thegateway 106 is manufactured, or may be assigned dynamically when thegateway 106 is recognized by the dynamicpolicy enforcement engine 110. Thegateway identifier 120 may include an identifier associated with thegateway 106's location on thewide area network 108, such as thegateway 106's IP address. - A
unique device identifier 122 is associated with eachindividual device 102 that is associated with a givengateway 106. Thedevice identifier 122 may be permanently assigned when theindividual device 102 is manufactured. Alternatively, thedevice identifier 122 may be derived from a property of theindividual device 102's location on thenetwork control point 104, such as an internal IP address or a MAC address. - The
additional data section 124 may contain one ormore resource records 126, some of which may be pseudo resource records (pseudo-RRs). Thegateway 106 inserts into the additional data section 124 a pseudo-RR 128 whose pseudoresource record type 130 is OPT, identifying it as an EDNS0 pseudo-RR. Thegateway 106 inserts thegateway identifier 120 and thedevice identifier 122 into the pseudo-RR 128, uniquely identifying theindividual device 102 which originated theDNS query 118. - When the dynamic
policy enforcement engine 110 receives theDNS query 118, it extracts the pseudo-RR 128 from theadditional data section 124 and uses thegateway identifier 120 anddevice identifier 122 to select apolicy 116 which applies to theindividual device 102 which originated theDNS query 118. The dynamicpolicy enforcement engine 110 then processes theDNS query 118 according to the selectedpolicy 116. Depending on the contents of thepolicy 118, the dynamicpolicy enforcement engine 110 may pass theDNS query 118 to theDNS engine 112, pass a modified version of theDNS query 118 to theDNS engine 112, block theDNS query 118 from theDNS engine 112 and return its own response to theindividual device 102, or block theDNS query 118 from theDNS engine 112 and return no response to theindividual device 102. If the dynamicpolicy enforcement engine 110 passes theoriginal DNS query 118 or a modified DNS query to theDNS engine 112, it may return theDNS engine 112's response, return a modified version of theDNS engine 112's response, block the response and send its own response, or block the response and send no response. - If the dynamic
policy enforcement engine 110 blocks theDNS query 118, blocks theDNS engine 112's response, or modifies theDNS query 118 or theDNS engine 112's response, it may prevent theindividual device 102 from obtaining the IP address of asite 132 which is the object of theDNS query 118, effectively blocking theindividual device 102 from access tocontent 134 of thesite 132. - In some embodiments, the
device control system 100 may deliver content to anindividual device 102, as distinguished from directing theindividual device 102 to content on other servers. In such embodiments, acommunication module 136 affords access to content provided by thedevice control system 100. -
FIG. 2 shows anembodiment 200 of the device control system in which policies that control the dynamic policy enforcement engine may be created and maintained. At least one privileged user 202 uses anindividual device 204 which is associated with agateway 206. One or more non-privileged users 208 may useindividual devices 210 which are also associated with thegateway 206. The privileged user 202 communicates with a policycontrol user interface 212. The policycontrol user interface 212 may be implemented as an application on a web server operated by an Internet service provider (ISP) 214. The policycontrol user interface 212 may communicate with thegateway 206, theISP 214, or a dynamicpolicy enforcement engine 216. - The policy
control user interface 212 may permit the privileged user 202 to create and maintainpolicies 218 that apply to users ofindividual devices gateway 206, including the privileged user 202 him or herself, other privileged users 202, and non-privileged users 208. Thepolicies 218 are stored in amemory device 220. The policycontrol user interface 212 may create and maintain thepolicies 218 by operating directly on thememory device 220, or by communicating with the dynamicpolicy enforcement engine 216 which operates on thememory device 220. - In other embodiments the policy
control user interface 212 may include a gateway interface, an ISP interface, or a DNS interface, which respectively communicate with thegateway 206, theISP 214, or aDNS engine 222. The policycontrol user interface 212 may create and maintainpolicies 218 by respectively setting one or more flags on the gateway interface, the ISP interface, or the DNS interface. -
FIG. 3 shows anembodiment 300 of the device control system which is adapted to parental control. One ormore children 302 use one or more child'sdevices 304 to communicate through agateway 306 which is associated with a household 308. Each DNS query from a child'sdevice 304 to aDNS engine 310 passes through a dynamicpolicy enforcement engine 312, which selects apolicy 314 which applies to that child'sdevice 304 from amemory device 316. - If the selected
policy 314 indicates that the child'sdevice 304's DNS query refers to anunblocked site 318, the dynamicpolicy enforcement engine 312 may pass the DNS query to theDNS engine 310 and return theDNS engine 310's response to the child'sdevice 304. The child'sdevice 304 may then request content from the unblockedsite 318. - If the selected
policy 314 indicates that the child'sdevice 304's DNS query refers to a blockedsite 320, the dynamicpolicy enforcement engine 312 may take action which denies thechild 302 access to the blockedsite 320. For example, it may return a response to the DNS query which redirects the child'sdevice 304 to a web page that contains a blocked site message 322, or to an alternative site that is not blocked. Alternatively, it may block the DNS query from theDNS engine 310 and send no response. - The dynamic
policy enforcement engine 312 may operate on responses from theDNS engine 310 instead of or in addition to operating on DNS queries to theDNS engine 310. For example, the dynamicpolicy enforcement engine 312 may block responses that contain a certain IP address or an IP address in a certain range, instead of or in addition to blocking DNS queries that contain certain domain names. - Parental control is exercised by one or
more parents 324 using parent'sdevices 326 which communicate with a policy control user interface 328. The policy control user interface 328 creates and maintainspolicies 314 for theparents 324 and stores them in thememory device 316. -
FIG. 4 shows anembodiment 400 of the device control system which is adapted to provide security to users. One ormore users 402 use one or moreindividual devices 404 to communicate through agateway 406. Each DNS query from anindividual device 404 to aDNS engine 408 passes through a dynamicpolicy enforcement engine 410, which selects apolicy 412 which applies to thatindividual device 404 from amemory device 414. The dynamicpolicy enforcement engine 410 uses thepolicy 412 to determine whether asite 416, 418 that is the object of the DNS request is abenign site 416 or a malicious site 418. A malicious site 418 may be characterized by content that includes malware, by phishing, or by executing attacks on users or on other sites. - If the selected
policy 412 indicates that theindividual device 404's DNS query refers to abenign site 416, the dynamicpolicy enforcement engine 410 may pass the DNS query to theDNS engine 408 and return theDNS engine 408's response to theindividual device 404. Theindividual device 404 may then request content from thebenign site 416. - If the selected
policy 412 indicates that theindividual device 404's DNS query refers to a malicious site 418, the dynamicpolicy enforcement engine 410 may take action which denies theuser 402 access to the malicious site 418. For example, it may return a response to the DNS query which redirects theindividual device 404 to a web page that contains a blockedsite message 420, or to a benign alternative site. - Alternatively, it may block the DNS query from the
DNS engine 408 and send no response. - The dynamic
policy enforcement engine 410 may operate on responses from theDNS engine 408 instead of or in addition to operating on DNS queries to theDNS engine 408. For example, the dynamicpolicy enforcement engine 410 may block DNS responses that contain a certain IP address or an IP address in a certain range, instead of or in addition to blocking DNS queries that contain certain domain names. - Administrative control is exercised by one or more administrative users 422 using administrative user's
devices 424 which communicate with a policycontrol user interface 426. The policycontrol user interface 426 creates and maintainspolicies 412 for the administrative users 422 and stores them in thememory device 414. -
FIG. 5 shows anembodiment 500 of the device control system which is adapted to deliver advertisement content to users. One ormore users 502 use one or moreindividual devices 504 to communicate through agateway 506. Anadvertisement module 508 receives a first DNS query from anindividual device 504 and selects anadvertisement 510 from amemory device 512, the selectedadvertisement 510 to be delivered to theindividual device 504. - The
advertisement module 508 may return a DNS response to theindividual device 504 which causes theindividual device 504 to load theadvertisement 510 from acommunication module 514 instead of loading the page requested by the first DNS query. Thecommunication module 514 retrieves theadvertisement 510 from thememory device 512 and returns it to theindividual device 504. - The
advertisement 510 may include a hyperlink or other control which theuser 502 may select to load the page which theindividual device 504 requested in the first DNS query. When theuser 502 selects the hyperlink or other control theindividual device 504 may send a second DNS query to theadvertisement module 508. The second DNS query may contains a URL which theadvertisement module 508 recognizes as a request originated by an advertising page as distinguished from a request originated by theuser 502. Theadvertisement module 508 accordingly passes a DNS query to aDNS engine 516 and returns theDNS engine 516's response to theindividual device 504. The DNS query which theadvertisement module 508 passes to theDNS engine 516 may be the first DNS query, or may be an equivalent of the first DNS query which theadvertisement module 508 reconstructs from the second DNS query. - The
advertisement module 508's selection of theadvertisement 510 may be based at least in part on historical user actions 518. Historical user actions 518 may include actions such as issuing DNS queries for particular types of content and indicating approval or disapproval ofadvertisements 510 by selecting hyperlinks or other controls which may be included in theadvertisements 510 for that purpose. Theadvertisement module 508 may store historical user actions 518 in ahistorical memory device 520 and subsequently refer to them when selectingadvertisements 510. -
FIG. 6 shows anembodiment 600 of the device control system which is adapted to deliver messages to users. One ormore users 602 use one or moreindividual devices 604 to communicate through agateway 606. Amessaging module 608 receives a first DNS query from anindividual device 604 and selects amessage 610 from amemory device 612, the selectedmessage 610 to be delivered to theindividual device 604. Themessages 610 may be addressed tospecific users 602 ofindividual devices 604. - The
messaging module 608 returns a DNS response to theindividual device 604 which causes theindividual device 604 to load the selectedmessage 610 from acommunication module 614 instead of loading the page requested by the first DNS query. Thecommunication module 614 retrieves the selectedmessage 610 from thememory device 612 and returns it to theindividual device 604. Theuser 602 may view the message via abrowser 618 or via anapplication 620 associated with theindividual device 604. - The
message 610 may include a hyperlink or other control which theuser 602 may select to load the page which theindividual device 604 requested in the first DNS query. The hyperlink or other control may cause theindividual device 604 to send a second DNS query to themessaging module 608. The second DNS query may contain a URL which themessaging module 608 recognizes as a request originated by a message page as distinguished from a request originated by theuser 602. Themessaging module 608 accordingly passes a DNS query to theDNS engine 616 and returns theDNS engine 616's response to theindividual device 604. The DNS query which themessaging module 608 passes to theDNS engine 616 may be the first DNS query, or may be an equivalent of the first DNS query which themessaging module 608 reconstructs from the second DNS query. -
FIG. 7 shows anembodiment 700 of the device control system which is adapted to track mobile devices. One or moremobile devices 702 communicate through awireless network 704 to agateway 706. Thewireless network 704 may consist of one or more WiFi connections between thegateway 706 and the respectivemobile devices 702. Thegateway 706 may be a mobile device such as a mobile hotspot. Thegateway 706 is connected through awide area network 708 to a dynamicpolicy enforcement engine 710. The dynamicpolicy enforcement engine 710 communicates with aDNS engine 712, and may also communicate with amemory device 714 which holds a plurality ofpolicies 716 which apply to differentmobile devices 702. - A
mobile device 702 periodically reports itscoordinates 718 to thegateway 706. Thecoordinates 718 may be obtained from GPS data. - The
mobile device 702 sends aDNS query 720 to theDNS engine 712 when it needs to resolve a domain name to an IP address. TheDNS query 720 passes through thewireless network 704, thegateway 706, thewide area network 708, and the dynamicpolicy enforcement engine 710. - A
unique gateway identifier 722 is assigned to eachgateway 706 that communicates with the dynamicpolicy enforcement engine 710. Thegateway identifier 722 may be permanently assigned when thegateway 706 is manufactured. Alternatively, thegateway identifier 722 may be derived from a property of thegateway 706's location on thewide area network 708. - A
unique device identifier 724 is associated with eachmobile device 702 that is associated with thegateway 706. Thedevice identifier 724 may be permanently assigned when themobile device 702 is manufactured. Alternatively, thedevice identifier 724 may be derived from a property of themobile device 702's location on thewireless network 704. - Each
DNS query 720 transmitted over thewide area network 708 by thegateway 706 contains anadditional data section 726. Thegateway 706 inserts anadditional data section 726 in eachDNS query 720 if none is present in theDNS query 720 received from themobile device 702. Theadditional data section 726 may contain one ormore resource records 728, some of which may be pseudo resource records (pseudo-RRs). Thegateway 706 inserts into the additional data section 726 a pseudo-RR 730 whose pseudoresource record type 732 is OPT, identifying it as an EDNS0 pseudo-RR. Thegateway 706 inserts thegateway identifier 722 and thedevice identifier 724 into the pseudo-RR 730, uniquely identifying themobile device 702 which originated theDNS query 720. Thegateway 706 further inserts themobile device 702'scoordinates 718 into the pseudo-RR 730, identifying themobile device 702's location. - When the dynamic
policy enforcement engine 710 receives theDNS query 720 from thegateway 706 it selects apolicy 716 which applies to the originatingmobile device 702 from thememory device 714. - If the selected
policy 716 indicates that themobile device 702 is to be tracked, the dynamicpolicy enforcement engine 710 extracts themobile device 702'scoordinates 718 from theDNS query 720 and passes them to atracking module 734, which stores them in atracking database 736. - In another embodiment the dynamic
policy enforcement engine 710 determines whether and when to store tracking data without reference to apolicy 716. This embodiment does not use amemory device 714 orpolicies 716. -
FIG. 8 shows anembodiment 800 of the device control system which provides control of individual devices and applications that run on individual devices. At least one privileged user 802 uses anindividual device 804 which is associated with agateway 806. Additional non-privileged users 808 may useindividual devices 810 which are also associated with thegateway 806. Theindividual devices operating system more applications - When an
individual device DNS engine 820, thegateway 806 inserts a DNS0 pseudo-RR into the DNS query in the manner shown inFIG. 1 and explained in the description ofFIG. 1 , thereby enabling a dynamicpolicy enforcement engine 822 to identify theindividual device - The privileged user 802 communicates with a policy control user interface 824. The policy control user interface 824 may be implemented as an application on a web server operated by an Internet service provider (ISP) 826. The policy control user interface 824 can also communicate with the dynamic
policy enforcement engine 822. - The policy control user interface 824 may permit the privileged user 802 to create and maintain
policies 828 which apply to one or moreindividual devices policies 828 are stored in amemory device 830. The policy control user interface 824 may create and maintain thepolicies 828 by operating directly on thememory device 830, or by communicating with the dynamicpolicy enforcement engine 822 which operates on thememory device 830. - The dynamic
policy enforcement engine 822 controls aspects of the operation of anindividual device policy 828 that applies to theindividual device individual device policy 828 may control include theoperating system individual device applications individual device policy enforcement engine 822 may exercise control over theoperating system operating system operating system policy enforcement engine 822 may exercise control over anapplication application operating system application operating system policy enforcement engine 822 may exercise control over theoperating system application policy 828 is created or modified, times when theindividual device -
FIG. 9 shows anembodiment 900 of the device control system which associates apolicy 902 with adevice group 904 rather than with anindividual device device group 904 contains one or moreindividual devices individual device user 910, 912, communicates with aDNS engine 914 through agateway 916 and a dynamicpolicy enforcement engine 918. - Each
DNS query 920 transmitted by thegateway 916 contains anadditional data section 922. Thegateway 916 inserts anadditional data section 922 in eachDNS query 920 if none is present in theDNS query 920 received from theindividual device gateway 916 inserts apseudo-RR 924 of type OPT into theadditional data section 922. The pseudo-RR 924 contains agateway identifier 926 which identifies thegateway 916 and adevice identifier 928 which identifies thedevice group 904 to which theindividual device policy enforcement engine 918 uses thegateway identifier 926 and thedevice identifier 928 to identify thedevice group 904 to which theindividual device policy enforcement engine 918 selects apolicy 902 that applies to thedevice group 904 from amemory device 930. -
FIG. 10 shows anembodiment 1000 of the device control system which delivers individualized content to individual devices. One ormore users individual devices gateway 1010. Each DNS query from anindividual device DNS engine 1012 passes through thegateway 1010 and acontent module 1014. - When an
individual device content module 1014 selects apolicy 1016 which applies to theindividual device memory device 1018. The selectedpolicy 1016 may determine what content acommunication module 1020 should present to theindividual device content module 1014 sends a DNS response to theindividual device communication module 1020 should present. Theindividual device communication module 1020, and thecommunication module 1020 presents the content. - In some embodiments the
content module 1014 may forward a DNS query that refers to policy-sensitive content to theDNS engine 1012 and modify theDNS engine 1012's response according to the selectedpolicy 1016. - In some embodiments the DNS response which the
content module 1014 returns to theindividual device policy 1016. Thecommunication module 1020 may then retrieve the selectedpolicy 1016 from thememory device 1018 and use it to determine what content to present to theindividual device -
FIG. 11 shows the components of asystem 1100 which implements the server side elements of a device control system. Thesystem 1100 comprises one ormore processors 1102,main memory 1104,static memory 1106, adisk drive unit 1108, and anetwork interface device 1110, all of which are communicably attached to abus 1112. The bus may be any type of hardware or software which enables the attached components of thesystem 1100 to communicate with each other, such as a local area network or a wide area network. - The
processors 1102 perform the functions of thesystem 1100 by executinginstructions 1114 from themain memory 1104, theinstructions 1114 being fetched into themain memory 1104 from a computer readable medium 1116 in thedisk drive unit 1108. - The
network interface device 1110 is attached to awide area network 1118 through which thesystem 1100 can communicate with gateways and individual devices. - Many modifications and other embodiments of the example descriptions set forth herein to which these descriptions pertain will come to mind having the benefit of the teachings presented in the foregoing descriptions and the associated drawings. Thus, it will be appreciated that the disclosure may be embodied in many forms and should not be limited to the example embodiments described above.
- Therefore, it is to be understood that the disclosure is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for the purposes of limitation.
Claims (13)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/170,399 US20190124048A1 (en) | 2015-06-19 | 2018-10-25 | System for providing dns-based policies for devices |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/745,183 US9992234B2 (en) | 2010-03-18 | 2015-06-19 | System for providing DNS-based control of individual devices |
US14/832,935 US9742811B2 (en) | 2010-03-18 | 2015-08-21 | System for providing DNS-based control of individual devices |
US15/668,561 US10142291B2 (en) | 2015-06-19 | 2017-08-03 | System for providing DNS-based policies for devices |
US16/170,399 US20190124048A1 (en) | 2015-06-19 | 2018-10-25 | System for providing dns-based policies for devices |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/668,561 Continuation US10142291B2 (en) | 2015-06-19 | 2017-08-03 | System for providing DNS-based policies for devices |
Publications (1)
Publication Number | Publication Date |
---|---|
US20190124048A1 true US20190124048A1 (en) | 2019-04-25 |
Family
ID=60294920
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/832,935 Active US9742811B2 (en) | 2010-03-18 | 2015-08-21 | System for providing DNS-based control of individual devices |
US15/668,561 Active US10142291B2 (en) | 2015-06-19 | 2017-08-03 | System for providing DNS-based policies for devices |
US16/170,399 Abandoned US20190124048A1 (en) | 2015-06-19 | 2018-10-25 | System for providing dns-based policies for devices |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/832,935 Active US9742811B2 (en) | 2010-03-18 | 2015-08-21 | System for providing DNS-based control of individual devices |
US15/668,561 Active US10142291B2 (en) | 2015-06-19 | 2017-08-03 | System for providing DNS-based policies for devices |
Country Status (1)
Country | Link |
---|---|
US (3) | US9742811B2 (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190020621A1 (en) * | 2016-03-17 | 2019-01-17 | Huawei Technologies Co., Ltd. | Metering device address management method, collection terminal, and metering device |
Families Citing this family (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9742811B2 (en) | 2010-03-18 | 2017-08-22 | Nominum, Inc. | System for providing DNS-based control of individual devices |
US9992234B2 (en) | 2010-03-18 | 2018-06-05 | Nominum, Inc. | System for providing DNS-based control of individual devices |
US10263958B2 (en) | 2010-03-18 | 2019-04-16 | Nominum, Inc. | Internet mediation |
US8769060B2 (en) | 2011-01-28 | 2014-07-01 | Nominum, Inc. | Systems and methods for providing DNS services |
US9319381B1 (en) | 2011-10-17 | 2016-04-19 | Nominum, Inc. | Systems and methods for supplementing content policy |
CN105453488B (en) * | 2014-04-22 | 2019-01-18 | 柏思科技有限公司 | For handling the method and system of DNS request |
US10645057B2 (en) * | 2016-06-22 | 2020-05-05 | Cisco Technology, Inc. | Domain name system identification and attribution |
US11122004B1 (en) * | 2016-10-21 | 2021-09-14 | Verisign, Inc. | Externally applying internal network domain name system (DNS) policies |
US10897475B2 (en) * | 2017-08-10 | 2021-01-19 | Cisco Technology, Inc. | DNS metadata-based signaling for network policy control |
US11601466B2 (en) * | 2017-09-13 | 2023-03-07 | Comcast Cable Communications, Llc | Identifying malware devices with domain name system (DNS) queries |
US10681001B2 (en) | 2018-03-29 | 2020-06-09 | Akamai Technologies, Inc. | High precision mapping with intermediary DNS filtering |
US11050792B2 (en) * | 2018-07-05 | 2021-06-29 | Cisco Technology, Inc. | Dynamic DNS policy enforcement based on endpoint security posture |
GB2584120B (en) * | 2019-05-22 | 2023-04-05 | F Secure Corp | Network security |
US11805095B2 (en) * | 2019-07-03 | 2023-10-31 | Bank Of America, N.A., As Administrative Agent | System for event-driven redirection of internet protocol service flows |
CN110636150B (en) * | 2019-10-24 | 2023-04-18 | 北京小米移动软件有限公司 | Domain name resolution method, domain name resolution device, and storage medium |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110231927A1 (en) * | 2010-03-18 | 2011-09-22 | Tovar Tom C | Internet Mediation |
Family Cites Families (44)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6233618B1 (en) | 1998-03-31 | 2001-05-15 | Content Advisor, Inc. | Access control of networked data |
AU765704B2 (en) * | 1998-11-02 | 2003-09-25 | Airbiquity Inc. | Geospacial internet protocol addressing |
US20060136595A1 (en) * | 1998-12-08 | 2006-06-22 | Ramakrishna Satyavolu | Network-based verification and fraud-prevention system |
US6336117B1 (en) | 1999-04-30 | 2002-01-01 | International Business Machines Corporation | Content-indexing search system and method providing search results consistent with content filtering and blocking policies implemented in a blocking engine |
US20020161680A1 (en) | 2001-01-22 | 2002-10-31 | Tarnoff Harry L. | Methods for managing and promoting network content |
US20030014659A1 (en) * | 2001-07-16 | 2003-01-16 | Koninklijke Philips Electronics N.V. | Personalized filter for Web browsing |
US7243369B2 (en) | 2001-08-06 | 2007-07-10 | Sun Microsystems, Inc. | Uniform resource locator access management and control system and method |
EP1433037A2 (en) | 2001-08-06 | 2004-06-30 | Matsushita Electric Industrial Co., Ltd. | License management server, terminal device, license management system and usage restriction control method |
US20030065942A1 (en) | 2001-09-28 | 2003-04-03 | Lineman David J. | Method and apparatus for actively managing security policies for users and computers in a network |
US7149219B2 (en) | 2001-12-28 | 2006-12-12 | The Directtv Group, Inc. | System and method for content filtering using static source routes |
US7818565B2 (en) * | 2002-06-10 | 2010-10-19 | Quest Software, Inc. | Systems and methods for implementing protocol enforcement rules |
US20050105513A1 (en) | 2002-10-27 | 2005-05-19 | Alan Sullivan | Systems and methods for direction of communication traffic |
US7743158B2 (en) | 2002-12-04 | 2010-06-22 | Ntt Docomo, Inc. | Access network dynamic firewall |
US8082563B2 (en) | 2003-07-25 | 2011-12-20 | Home Box Office, Inc. | System and method for content access control through default profiles and metadata pointers |
US9026597B1 (en) | 2003-11-07 | 2015-05-05 | Radix Holdings, Llc | Messaging enhancements |
US20050277445A1 (en) | 2004-06-09 | 2005-12-15 | Bae Hyon S | Hands-free vehicle phone system and method |
US20060173792A1 (en) | 2005-01-13 | 2006-08-03 | Glass Paul H | System and method for verifying the age and identity of individuals and limiting their access to appropriate material |
US7591002B2 (en) * | 2005-06-09 | 2009-09-15 | Microsoft Corporation | Conditional activation of security policies |
US8375120B2 (en) | 2005-11-23 | 2013-02-12 | Trend Micro Incorporated | Domain name system security network |
US20070143827A1 (en) | 2005-12-21 | 2007-06-21 | Fiberlink | Methods and systems for intelligently controlling access to computing resources |
JP2007249657A (en) | 2006-03-16 | 2007-09-27 | Fujitsu Ltd | Access limiting program, access limiting method and proxy server device |
US8606926B2 (en) * | 2006-06-14 | 2013-12-10 | Opendns, Inc. | Recursive DNS nameserver |
US8713188B2 (en) * | 2007-12-13 | 2014-04-29 | Opendns, Inc. | Per-request control of DNS behavior |
US20080209057A1 (en) | 2006-09-28 | 2008-08-28 | Paul Martini | System and Method for Improved Internet Content Filtering |
US8051475B2 (en) | 2006-11-01 | 2011-11-01 | The United States Of America As Represented By The Secretary Of The Air Force | Collaboration gateway |
US8812579B2 (en) | 2006-12-21 | 2014-08-19 | Verizon Patent And Licensing Inc. | Apparatus for transferring data via a proxy server and an associated method and computer program product |
US8015174B2 (en) | 2007-02-28 | 2011-09-06 | Websense, Inc. | System and method of controlling access to the internet |
US8166535B2 (en) | 2007-10-10 | 2012-04-24 | Microsoft Corporation | Universal media firewall |
US8443106B2 (en) | 2007-12-21 | 2013-05-14 | Gary Stephen Shuster | Content restriction compliance using reverse DNS lookup |
US8543667B2 (en) | 2008-01-14 | 2013-09-24 | Akamai Technologies, Inc. | Policy-based content insertion |
US8826443B1 (en) | 2008-09-18 | 2014-09-02 | Symantec Corporation | Selective removal of protected content from web requests sent to an interactive website |
US8447856B2 (en) * | 2008-11-25 | 2013-05-21 | Barracuda Networks, Inc. | Policy-managed DNS server for to control network traffic |
US20100154024A1 (en) | 2008-12-12 | 2010-06-17 | At&T Intellectual Property I, L.P. | Methods, appliances, and computer program products for controlling access to a communication network based on policy information |
US9992234B2 (en) | 2010-03-18 | 2018-06-05 | Nominum, Inc. | System for providing DNS-based control of individual devices |
US9742811B2 (en) | 2010-03-18 | 2017-08-22 | Nominum, Inc. | System for providing DNS-based control of individual devices |
US10263958B2 (en) | 2010-03-18 | 2019-04-16 | Nominum, Inc. | Internet mediation |
US8745128B2 (en) | 2010-09-01 | 2014-06-03 | Edgecast Networks, Inc. | Optimized content distribution based on metrics derived from the end user |
US8707429B2 (en) | 2011-03-31 | 2014-04-22 | Nominum, Inc. | DNS resolution, policies, and views for large volume systems |
EP2737742A4 (en) | 2011-07-27 | 2015-01-28 | Seven Networks Inc | Automatic generation and distribution of policy information regarding malicious mobile traffic in a wireless network |
US9319381B1 (en) | 2011-10-17 | 2016-04-19 | Nominum, Inc. | Systems and methods for supplementing content policy |
WO2013116530A1 (en) | 2012-02-01 | 2013-08-08 | Xerocole, Inc. | Dns outage avoidance method for recursive dns servers |
US8583806B2 (en) | 2012-02-06 | 2013-11-12 | Xerocole, Inc. | Data sharing method for recursive DNS servers |
WO2015031356A1 (en) | 2013-08-26 | 2015-03-05 | Seven Networks, Inc. | Enhanced caching of domain name system (dns) and reverse dns queries for traffic management for signaling optimization in a mobile network |
US9467461B2 (en) | 2013-12-21 | 2016-10-11 | Akamai Technologies Inc. | Countering security threats with the domain name system |
-
2015
- 2015-08-21 US US14/832,935 patent/US9742811B2/en active Active
-
2017
- 2017-08-03 US US15/668,561 patent/US10142291B2/en active Active
-
2018
- 2018-10-25 US US16/170,399 patent/US20190124048A1/en not_active Abandoned
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20110231927A1 (en) * | 2010-03-18 | 2011-09-22 | Tovar Tom C | Internet Mediation |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190020621A1 (en) * | 2016-03-17 | 2019-01-17 | Huawei Technologies Co., Ltd. | Metering device address management method, collection terminal, and metering device |
US10944716B2 (en) * | 2016-03-17 | 2021-03-09 | Huawei Technologies Co., Ltd. | Metering device address management method, collection terminal, and metering device |
Also Published As
Publication number | Publication date |
---|---|
US20170331788A1 (en) | 2017-11-16 |
US9742811B2 (en) | 2017-08-22 |
US10142291B2 (en) | 2018-11-27 |
US20150365441A1 (en) | 2015-12-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10142291B2 (en) | System for providing DNS-based policies for devices | |
US9992234B2 (en) | System for providing DNS-based control of individual devices | |
US8370407B1 (en) | Systems providing a network resource address reputation service | |
US10574698B1 (en) | Configuration and deployment of decoy content over a network | |
US8499077B2 (en) | Controlling internet access using DNS root server reputation | |
US8447856B2 (en) | Policy-managed DNS server for to control network traffic | |
CN106068639B (en) | The Transparent Proxy certification handled by DNS | |
US8881248B2 (en) | Service provider access | |
EP2695358B1 (en) | Selection of service nodes for provision of services | |
AU2020202148A1 (en) | Rule-based network-threat detection | |
US9038181B2 (en) | Prioritizing malicious website detection | |
US8533581B2 (en) | Optimizing security seals on web pages | |
US20130007882A1 (en) | Methods of detecting and removing bidirectional network traffic malware | |
US20130007870A1 (en) | Systems for bi-directional network traffic malware detection and removal | |
US20110185436A1 (en) | Url filtering based on user browser history | |
US9973590B2 (en) | User identity differentiated DNS resolution | |
US20110289575A1 (en) | Directory authentication method for policy driven web filtering | |
US9690901B1 (en) | Enhanced privacy with fewer cookies | |
CN114189376B (en) | Cloud host state information security monitoring method based on CDN service platform | |
US11985133B1 (en) | Gating access to destinations on a network | |
US20030177232A1 (en) | Load balancer based computer intrusion detection device | |
CN117955681A (en) | Phishing mail exercise method and device, electronic equipment and storage medium | |
Burke et al. | Who Needs a Botnet if you Have Google? | |
KR102187136B1 (en) | DNS Backend Processing For Network Traffic Isolation And Apparatus Therefor | |
RASHID | CROSS REFERENCE TO RELATED APPLICATIONS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: AKAMAI TECHNOLOGIES, INC., MASSACHUSETTS Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LEMON, EDWARD;WELLINGTON, BRIAN;HALLEY, ROBERT THOMAS;AND OTHERS;SIGNING DATES FROM 20150821 TO 20150902;REEL/FRAME:047326/0470 |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
AS | Assignment |
Owner name: AKAMAI TECHNOLOGIES, INC., MASSACHUSETTS Free format text: MERGER;ASSIGNOR:NOMINUM, INC.;REEL/FRAME:052720/0339 Effective date: 20200309 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |