WO2012058238A2 - Surrogate name delivery network - Google Patents

Surrogate name delivery network Download PDF

Info

Publication number
WO2012058238A2
WO2012058238A2 PCT/US2011/057743 US2011057743W WO2012058238A2 WO 2012058238 A2 WO2012058238 A2 WO 2012058238A2 US 2011057743 W US2011057743 W US 2011057743W WO 2012058238 A2 WO2012058238 A2 WO 2012058238A2
Authority
WO
WIPO (PCT)
Prior art keywords
dns
dns query
surrogate
resolution
nameserver
Prior art date
Application number
PCT/US2011/057743
Other languages
French (fr)
Other versions
WO2012058238A3 (en
Inventor
Martin Kagan
Original Assignee
Martin Kagan
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Martin Kagan filed Critical Martin Kagan
Priority to US13/882,153 priority Critical patent/US9906488B2/en
Publication of WO2012058238A2 publication Critical patent/WO2012058238A2/en
Publication of WO2012058238A3 publication Critical patent/WO2012058238A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/568Storing data temporarily at an intermediate stage, e.g. caching

Definitions

  • the present invention relates generally to data communications and specifically to methods, systems, and computer program products for accessing computer resources.
  • Web clients such as web browsers operating on personal computers or on mobile computing devices, access a wide range of Internet resources (hereinbelow, “resources ”) , which may include files, web pages, applications, and mail servers, as well as access services, including gateways for voice and other media.
  • Resources are generally maintained within infrastructures, which may include corporate data centers, cloud computing infrastructures, and Content Delivery Networks (CDNs).
  • a web client issues a resource request, which includes an Internet Protocol (IP) address of a server or service at which the resource is accessible .
  • IP Internet Protocol
  • the web client Prior to issuing the resource request, the web client obtains the necessary IP address by executing a Domain Name System (DNS) query, by which a hostname, or Fully-Qualified Domain Name (FQDN) , such as www.example.com, is resolved to the IP address.
  • DNS Domain Name System
  • FQDN Fully-Qualified Domain Name
  • a DNS query issued by a web client is directed to a DNS resolver. If the hostname specified in the DNS query has previously been resolved by the DNS resolver, then the resolution for the query may be in a resolver cache, and the resolver returns the cached resolution to the web client. If the resolution is not in the resolver cache, the resolver identifies a nameserver that is registered with a root nameserver in the DNS network as an authoritative nameserver (ANS) for the specified domain, e.g., example.com. The resolver sends the DNS query to the ANS, and the ANS returns a DNS response including the resolution. The resolver then sends the DNS response to the web client, which may then issue the resource request.
  • ANS authoritative nameserver
  • TTL Time-to-Live
  • a method for providing access to an Internet resource including registering a surrogate nameserver to be an authoritative nameserver in a DNS network, receiving at the surrogate nameserver a DNS query, maintaining at the surrogate nameserver a cache that includes a resolution of the DNS query, executing at the surrogate nameserver a policy code to make a determination of validity of one or more of the DNS query and the cached resolution, and responsively to the validity determination generating a DNS response to the DNS query.
  • the method may further include receiving the policy code at the surrogate nameserver.
  • the policy code typically includes a set of conditions and actions.
  • a hostname specified by the DNS query indicates an infrastructure at which the Internet resource is to be accessed
  • making the determination of validity includes determining that the DNS query is invalid
  • the DNS query is initiated by a web client, and making the determination of validity of the cached resolution comprises evaluating one or more parameters including a time-to-live value for the cached resolution, a time of receipt of the DNS query, a location of the web client, data in the DNS query, and a measure of system performance .
  • generating the DNS response comprises sending a second DNS query from the surrogate DNS server to an origin DNS server, receiving at the surrogate DNS server from the origin DNS server an origin DNS response that includes a new DNS resolution, and including the new DNS resolution in the surrogate DNS response.
  • the method may further include receiving a purge command, and responsively to receipt of the purge command removing the DNS resolution from the cache.
  • the method may also include generating a report including one or more parameters of the validity determination, said parameters including data in the DNS query, a time of receipt of the DNS query, a location of the web client, and a measure of system performance.
  • a report may also include a measure of aggregation of multiple DNS queries.
  • a system for providing access to an Internet resource including a surrogate nameserver configured with means for receiving a DNS query for a resolution of a fully-qualified domain name (FQDN) , maintaining a cache that includes the resolution of the FQDN, executing a policy code to make a determination of validity of one or more of the DNS query and the cached FQDN resolution, and responsively to the validity determination generating a DNS response to the DNS query.
  • the system may also include means for receiving the policy code .
  • a computer program product including a computer readable medium, which includes a computer readable program that when executed on a computer causes the computer to receive a DNS query for a resolution of a fully-qualified domain name (FQDN) , to maintain a cache that includes the resolution for the FQDN, to execute a policy code to make a determination of validity of one or more of the DNS query and the cached FQDN resolution, and responsively to the validity determination to generate a DNS response to the DNS query.
  • FQDN fully-qualified domain name
  • FIG. 1 is a schematic, pictorial illustration of a system for providing access to an Internet resource including a surrogate nameserver, according to an embodiment of the present invention
  • FIG. 2 is a flow diagram of a process for providing access to an Internet resource, according to an embodiment of the present invention.
  • FIG. 1 is a schematic, pictorial illustration of a system 20 that provides access to an Internet resource and includes a surrogate nameserver 22 and an origin nameserver 24, according to an embodiment of the present invention .
  • surrogate nameserver 22 and origin nameserver 24 provide a multi-tier solution for resolving DNS queries for a resource provider domain, such as example.com.
  • Both surrogate and origin nameservers are configured to perform nameserver functions complying with the abovementioned IETF RFCs, such as receiving DNS queries, generally by User Datagram Protocol (UDP) , and providing DNS responses that resolve DNS queries.
  • UDP User Datagram Protocol
  • Surrogate nameserver 22 is registered as an authoritative nameserver (ANS) for the resource provider domain.
  • Origin nameserver 24 is typically managed by a resource provider as if it were an ANS for the resource provider domain.
  • an ANS typically performs DNS resolution by referring to mapping tables that are maintained at the ANS.
  • Tasks of managing the origin nameserver include maintaining these mapping tables.
  • Origin nameserver 24 may provide additional functionality, such as dynamic mapping that serves to balance traffic between multiple servers that each provide a copy of an Internet resource. Such load-balancing may be referred to as Global Server Load-Balancing (GSLB) or Global Traffic Balancing (GTB) .
  • GSLB Global Server Load-Balancing
  • GTB Global Traffic Balancing
  • the surrogate nameserver is configured to maintain a cache 26 of DNS resolutions.
  • the surrogate nameserver maintains a set of policy codes 28, which may also be referred to as metadata, or metadata applications.
  • Policy codes may be maintained in a variety of formats, such as binary codes, JavaScript Object Notation (JSON), or Extensible Markup Language (XML), and may be maintained in one or more files or databases .
  • the surrogate nameserver may also be configured to support policy codes that include programmable code with support for multiple programming languages or programming paradigms . Policy codes are typically configured by the resource provider, and may be implemented so as to support business goals.
  • Policy codes typically include one or more type or attribute identifiers, as well as a specification of conditions that determine when a given code is to be implemented, and the actions that are to be performed when conditions are met.
  • Policy code types may relate to time-to-live (TTL) values for cached DNS resolutions, to the time of day at which a DNS query is received, to locations of web clients issuing DNS queries (such as IP prefixes or net masks, network AS numbers, or geographic locations mapped to clients or resolvers), to data in the DNS query (the requestor, the domain and subdomain of the request, the record type, and other contents of the DNS request and response packet), and to measures of network load (performance, load, capacity, and availability of the surrogate itself, of peer or parent surrogates, of origin nameservers, and of external resources that may also communicate with the surrogate nameserver) .
  • TTL time-to-live
  • a web client 30 may seek access to a resource 32 in an infrastructure 34 of the resource provider domain. To gain access, the web client must acquire a resolution for the required hostname (such as www.example.com). To acquire this resolution, the web client sends a DNS query to a resolver 36. The resolver refers the DNS query to the authoritative nameserver for the designated domain, which is surrogate nameserver 22.
  • the surrogate nameserver Upon receiving the DNS query, the surrogate nameserver applies policy codes 28 to determine whether a DNS resolution in cache 26 is valid as a response to the given DNS query. For example, the DNS query may be received at a time of day corresponding to a time-of-day policy code, which specifies that a cached DNS resolution is valid for a half-hour period, or Time-to-Live (TTL) . A more complex set of policy codes may determine that a currently cached resolution is not valid due to the current network load and the geographic location of the web client.
  • TTL Time-to-Live
  • a cached DNS resolution is valid for a DNS query
  • the surrogate nameserver If a cached DNS resolution is valid for a DNS query, then the surrogate nameserver generates a DNS response from the cached DNS resolution. If, on the other hand, a cached resolution is invalid, the surrogate nameserver issues a DNS query to the origin server in order to acquire a valid, or current, DNS resolution. Upon receiving the valid DNS resolution, including in a DNS response from the origin nameserver, the surrogate nameserver issues a DNS response to the resolver.
  • Policy codes may specify multiple origin nameservers from which the surrogate nameserver is to acquire DNS resolutions.
  • Such specifications may also determine load balancing of queries across multiple origin nameservers based on time, location, and other criteria such as the source of the requests, the resource requested, and ideal distribution of load, current load relative to capacity, relative performance and availability, and other such capabilities .
  • Policy codes may also determine fail- over policy, by which a second origin nameserver is queried if a first origin nameserver does not respond within a given period of time.
  • Policies may also be set for consolidating responses from multiple origin nameservers, or selecting one, such as the first to be received.
  • the surrogate nameserver may also be configured to query other (peer or parent) surrogate nameservers. Policy codes may establish whether or not, and in what manner, a surrogate nameserver is to respond to a DNS query from another surrogate .
  • Policy codes may establish whether or not, and in what manner, a surrogate nameserver is to respond to a DNS query from another surrogate .
  • Various parameters of communication between the surrogate nameserver and the one or more origin and surrogate nameservers may also be set in policy codes, such as protocol (TCP or UDP), destination port, source IP address, gateway, and other network-level parameters.
  • TCP or UDP protocol
  • destination port destination port
  • source IP address source IP address
  • gateway gateway
  • a surrogate nameserver may modify the cache key by ignoring certain elements of the FQDN, or by adding additional elements, such as the identity of the requesting client. Such modifications serve to create multiple cache entries for the same subdomain and resource type.
  • Policy codes may also manipulate DNS queries that are transmitted to origin servers. For example, the surrogate nameserver may modify the hostname, domain name, and record type of a DNS query before relaying the query to the origin server. The surrogate may also insert location information, such as the IP address or geo-data of the resolver into the query, or include authentication credentials to verify the identity of the surrogate, or convert the query between IPv4 and IPv6 formats.
  • Policy codes may specify how DNS responses from the origin nameserver are to be cached. Examples of policies for caching a new response include: caching the new response together with the TTL value returned by the origin nameserver, applying a fixed TTL, dynamically calculating a TTL based on an algorithm included in the given policy code, and not caching until a number of requests for a particular resolution exceeds a specific threshold. Caching rules may be applied differently based on specific attributes of the query and response, such as debugging flags, or specific client IP addresses or locations. Caching rules may also vary depending on other parameters of policy codes, such as time, performance and load, as described above. [0036] Policy codes may also determine whether a DNS query is valid or invalid.
  • An invalid DNS query would be, for example, one of a set of malicious queries, such as a set forming a denial of service attack.
  • Policy codes may implement a variety of methods to identify and to prevent illicit traffic from accessing a resource provider infrastructure.
  • policy codes may refer to "blacklists" that specify specific IP addresses, or blocks of addresses (based on IP prefix or netmask) , or networks (based on AS numbers), or other determinants of geographic location.
  • the surrogate nameserver may return no response, an error response (e.g., a NXDOMAIN error), an alternative response (e.g., a CNAME response) or an intentionally false response (e.g., a response directed to a localhost or a null-route IP address) .
  • an error response e.g., a NXDOMAIN error
  • an alternative response e.g., a CNAME response
  • an intentionally false response e.g., a response directed to a localhost or a null-route IP address
  • Surrogate nameservers and origin nameservers may also implement mutual authentication rules to insure that resolvers cannot bypass the surrogate.
  • the origin nameserver is hidden from other nameservers and resolvers in the Domain Name System.
  • the surrogate may also validate a DNS response using DNSSEC standards or other proprietary methods .
  • the surrogate nameserver may delay providing a DNS response in order to control the rate of throughput.
  • Policy codes may determine delay times based on the load parameters described above. Policy codes may also determine length of queues of delayed responses and what actions to perform when a queue exceeds a certain length (such as dropping first or last responses in the queue) .
  • Policy codes may also determine how a surrogate may modify or transform the contents of a DNS response, including adding, removing, or modifying records . Such transformations may enhance security or may provide means for transfer of additional data for various technical and business applications. Policy codes may also set rates at which responses may be returned (per customer, domain, or host) .
  • Refreshing i.e., acquiring a new DNS resolution from the origin server
  • simply purging one or more records of DNS resolution in the surrogate cache may be performed when a DNS query is received, or may be initiated by the surrogate nameserver when a cached object is past or near its point of expiration.
  • a resource provider can also force a refresh or purge via a direct or indirect request or Application Program Interface (API), indicated in Fig. 1 as purge API 38.
  • a purge request may purge (or refresh) one or more records. Regular-expression rules may be applied to indicate multiple records. Once a purge request is received, the surrogate nameserver implements the request as quickly as is technically possible, for example by setting a purge flag with the indicated records.
  • communications through the purge API include methods for authentication and authorization.
  • the purge request may be sent by a message service, such as Java Message Service (JMS), or by any other synchronous or asynchronous communication means .
  • JMS Java Message Service
  • a resource provider or other coder of policy code may update, change, or edit policy code through policy code transfer interface 40 (PCTI) .
  • PCTI policy code transfer interface 40
  • settings for the generation of surrogate nameserver logs and reports 42 can also be set through the PCTI.
  • Fig. 2 is a flow diagram of a process 300 for providing a web client with access to an Internet resource, according to an embodiment of the present invention.
  • a surrogate nameserver receives one or more policy codes, which may be transmitted by a resource provider as described above with respect to Fig. 1. Policy codes provide flexible control over multiple aspects of the operation of the surrogate nameserver.
  • the surrogate nameserver receives a DNS query.
  • the DNS query is typically initiated by a web client and is transmitted via a resolver.
  • the DNS application server applies one or more policy codes to determine if the DNS query is valid. An invalid query is blocked, by means of a blocking DNS response provided at a step 308.
  • the blocking response may be no response, or a response described in more detail above .
  • policy code determines cache validity, that is, whether or not a response from cache of a cached DNS resolution should be provided. The determination is based on a wide range of conditions of system status, DNS query, TTL parameters, and time-of-day, and business logic rules, described in more detail above.
  • the cache may also be invalid if the desired record of DNS resolution was purged, as described above.
  • the DNS query is passed on to one or more origin nameservers at a step 312.
  • Security measures in the communication such as authentication, are typically implemented.
  • the communication with the origin nameservers may also include fail-over, load-balancing, and queuing.
  • the surrogate may also transform the DNS query and may monitor the subsequent response from the origin nameserver to determine origin nameserver and network performance.
  • the surrogate nameserver After a response is received from the origin nameserver, or if the cached DNS resolution was determined at step 310 to be valid, then the surrogate nameserver returns a DNS response at a step 314, typically including in the response the desired DNS resolution.
  • Alternative DNS responses may include hostname redirection or error messages .
  • the surrogate nameserver of the present invention may be implemented in software and/or in hardware.
  • An embodiment as a software program product may be implemented as one or more applications on a general- purpose computing system.
  • a computing system configured to implement the surrogate nameserver may have one or more processors and one or more network interface modules.
  • Processors may be configured as a multi-processing or distributed processing system.
  • the network interface modules control the sending and receiving of data packets over networks .
  • Such a computing system also includes memory storage for storing computer executable instructions that instruct the processors to perform various operations described herein.
  • Memory storage may also include multiple distributed memory units, including one or more types of storage media. Examples of storage media include, but are not limited to, magnetic media, optical media, and integrated circuits such as read-only memory devices (ROM) and random access memory (RAM) .
  • policies implemented on the surrogate nameserver may determine actions to implement based on conditions of network and/or system performance. Such conditions may include: response time (which may be the elapsed time between sending a transmission and receiving a first response, or receiving a complete response, or similar measures, such as the time between requesting a service and having the service performed); connect time (such as a time for an IP connection, an SSL connection, or a connection to a transaction application server), transmission speed (typically measured in bytes/sec), error rates (such as percent of bad bytes or bad packets), connection jitter (a measure of variability in quality, such as variability of transmission speed or error rate), and rate of availability (e.g., rates of completion of connections or services).
  • response time which may be the elapsed time between sending a transmission and receiving a first response, or receiving a complete response, or similar measures, such as the time between requesting a service and having the service performed
  • connect time such as a time for an IP connection, an SSL connection, or a connection to a transaction
  • Further measures may include: instantaneous burst rates (i.e., instantaneous throughput as measured in bytes/second of resource content transmitted and/or received by an infrastructure), aggregate usage (i.e., total number of bytes transferred over a given period of time), number of queries served, number of open connections, transaction rates, threshold margins, or aggregate processing load.
  • instantaneous burst rates i.e., instantaneous throughput as measured in bytes/second of resource content transmitted and/or received by an infrastructure
  • aggregate usage i.e., total number of bytes transferred over a given period of time
  • number of queries served i.e., number of open connections, transaction rates, threshold margins, or aggregate processing load.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for providing access to an Internet resource includes registering a surrogate nameserver to be an authoritative nameserver in a DNS network, receiving at the surrogate nameserver a DNS query, maintaining at the surrogate nameserver a cache that includes a resolution of the DNS query, and executing at the surrogate nameserver a policy code to make a determination of validity of one or more of the DNS query and the cached resolution.

Description

Surrogate Name Delivery Network
FIELD OF THE INVENTION
[0001] The present invention relates generally to data communications and specifically to methods, systems, and computer program products for accessing computer resources.
RELATED APPLICATION DATA
[0002] This application claims benefit of U.S. provisional patent application 61/406,762 filed 26 October 2010, entitled "Surrogate Name Delivery Network," which is incorporated herein by reference.
BACKGROUND
[0003] Web clients, such as web browsers operating on personal computers or on mobile computing devices, access a wide range of Internet resources (hereinbelow, "resources ") , which may include files, web pages, applications, and mail servers, as well as access services, including gateways for voice and other media. Resources are generally maintained within infrastructures, which may include corporate data centers, cloud computing infrastructures, and Content Delivery Networks (CDNs). To access a resource over the Internet, a web client issues a resource request, which includes an Internet Protocol (IP) address of a server or service at which the resource is accessible .
[0004] Prior to issuing the resource request, the web client obtains the necessary IP address by executing a Domain Name System (DNS) query, by which a hostname, or Fully-Qualified Domain Name (FQDN) , such as www.example.com, is resolved to the IP address.
[0005] A DNS query issued by a web client is directed to a DNS resolver. If the hostname specified in the DNS query has previously been resolved by the DNS resolver, then the resolution for the query may be in a resolver cache, and the resolver returns the cached resolution to the web client. If the resolution is not in the resolver cache, the resolver identifies a nameserver that is registered with a root nameserver in the DNS network as an authoritative nameserver (ANS) for the specified domain, e.g., example.com. The resolver sends the DNS query to the ANS, and the ANS returns a DNS response including the resolution. The resolver then sends the DNS response to the web client, which may then issue the resource request.
[0006] Generally, a resolution is maintained in the resolver cache for a period of time determined by a DNS Time-to-Live (TTL) value. TTL values are generally maintained at the ANS and delivered to the resolver within the DNS response.
[0007] DNS resolution and the operation of nameservers is described in publication RFC 1035 of the Internet Engineering Task Force (IETF) entitled, "DOMAIN NAMES IMPLEMENTATION AND SPECIFICATION", as well as in additional IETF publications related to DNS including RFCs 1033, 1034, 1912, 2181, 2136, 2535, and 4033, the teachings of which are all incorporated herein by reference. [0008] U.S. Patent 7, 155, 723 to Swildens, et al . , whose disclosure is incorporated herein by reference, describes an ANS that performs resolution based on network information, service probes, latency probes, packet loss probes, bandwidth usage and static latency information.
[0009] U.S. Patent 6, 996, 616 to Leighton, et al . , whose disclosure is incorporated herein by reference, describes an ANS that utilizes a map maker service, which generates a nameserver map based on server performance.
SUMMARY
[0010] In accordance with an embodiment of the present invention, a method is provided for providing access to an Internet resource including registering a surrogate nameserver to be an authoritative nameserver in a DNS network, receiving at the surrogate nameserver a DNS query, maintaining at the surrogate nameserver a cache that includes a resolution of the DNS query, executing at the surrogate nameserver a policy code to make a determination of validity of one or more of the DNS query and the cached resolution, and responsively to the validity determination generating a DNS response to the DNS query.
[0011] The method may further include receiving the policy code at the surrogate nameserver. The policy code typically includes a set of conditions and actions.
[0012] In some embodiments a hostname specified by the DNS query indicates an infrastructure at which the Internet resource is to be accessed, making the determination of validity includes determining that the DNS query is invalid, and generating the DNS response includes generating a response that does not allow access to the infrastructure. Determining that the DNS query is invalid may include determining that a parameter of the DNS query is on a blacklist. [0013] Typically, the DNS query is initiated by a web client, and making the determination of validity of the cached resolution comprises evaluating one or more parameters including a time-to-live value for the cached resolution, a time of receipt of the DNS query, a location of the web client, data in the DNS query, and a measure of system performance .
[0014] In some embodiments, generating the DNS response comprises sending a second DNS query from the surrogate DNS server to an origin DNS server, receiving at the surrogate DNS server from the origin DNS server an origin DNS response that includes a new DNS resolution, and including the new DNS resolution in the surrogate DNS response. [0015] The method may further include receiving a purge command, and responsively to receipt of the purge command removing the DNS resolution from the cache.
[0016] The method may also include generating a report including one or more parameters of the validity determination, said parameters including data in the DNS query, a time of receipt of the DNS query, a location of the web client, and a measure of system performance. A report may also include a measure of aggregation of multiple DNS queries.
[0017] There is also provided, in accordance with further embodiments of the present invention, a system for providing access to an Internet resource including a surrogate nameserver configured with means for receiving a DNS query for a resolution of a fully-qualified domain name (FQDN) , maintaining a cache that includes the resolution of the FQDN, executing a policy code to make a determination of validity of one or more of the DNS query and the cached FQDN resolution, and responsively to the validity determination generating a DNS response to the DNS query. The system may also include means for receiving the policy code .
[0018] There is also provided, in accordance with further embodiments of the present invention, a computer program product including a computer readable medium, which includes a computer readable program that when executed on a computer causes the computer to receive a DNS query for a resolution of a fully-qualified domain name (FQDN) , to maintain a cache that includes the resolution for the FQDN, to execute a policy code to make a determination of validity of one or more of the DNS query and the cached FQDN resolution, and responsively to the validity determination to generate a DNS response to the DNS query.
[0019] The present invention will be more fully understood from the following detailed description of embodiments thereof.
BRIEF DESCRIPTION OF THE DRAWINGS
[0020] Fig. 1 is a schematic, pictorial illustration of a system for providing access to an Internet resource including a surrogate nameserver, according to an embodiment of the present invention;
[0021] Fig. 2 is a flow diagram of a process for providing access to an Internet resource, according to an embodiment of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS
[0022] Fig. 1 is a schematic, pictorial illustration of a system 20 that provides access to an Internet resource and includes a surrogate nameserver 22 and an origin nameserver 24, according to an embodiment of the present invention .
[0023] In embodiments of the present invention, surrogate nameserver 22 and origin nameserver 24 provide a multi-tier solution for resolving DNS queries for a resource provider domain, such as example.com. Both surrogate and origin nameservers are configured to perform nameserver functions complying with the abovementioned IETF RFCs, such as receiving DNS queries, generally by User Datagram Protocol (UDP) , and providing DNS responses that resolve DNS queries.
[0024] Surrogate nameserver 22 is registered as an authoritative nameserver (ANS) for the resource provider domain. Origin nameserver 24, on the other hand, is typically managed by a resource provider as if it were an ANS for the resource provider domain. As described in the abovementioned IETF RFCs, an ANS typically performs DNS resolution by referring to mapping tables that are maintained at the ANS. Tasks of managing the origin nameserver include maintaining these mapping tables. Origin nameserver 24 may provide additional functionality, such as dynamic mapping that serves to balance traffic between multiple servers that each provide a copy of an Internet resource. Such load-balancing may be referred to as Global Server Load-Balancing (GSLB) or Global Traffic Balancing (GTB) . [0025] The surrogate nameserver is configured to maintain a cache 26 of DNS resolutions. In addition, the surrogate nameserver maintains a set of policy codes 28, which may also be referred to as metadata, or metadata applications. Policy codes may be maintained in a variety of formats, such as binary codes, JavaScript Object Notation (JSON), or Extensible Markup Language (XML), and may be maintained in one or more files or databases . The surrogate nameserver may also be configured to support policy codes that include programmable code with support for multiple programming languages or programming paradigms . Policy codes are typically configured by the resource provider, and may be implemented so as to support business goals. [0026] Policy codes typically include one or more type or attribute identifiers, as well as a specification of conditions that determine when a given code is to be implemented, and the actions that are to be performed when conditions are met. [0027] Policy code types may relate to time-to-live (TTL) values for cached DNS resolutions, to the time of day at which a DNS query is received, to locations of web clients issuing DNS queries (such as IP prefixes or net masks, network AS numbers, or geographic locations mapped to clients or resolvers), to data in the DNS query (the requestor, the domain and subdomain of the request, the record type, and other contents of the DNS request and response packet), and to measures of network load (performance, load, capacity, and availability of the surrogate itself, of peer or parent surrogates, of origin nameservers, and of external resources that may also communicate with the surrogate nameserver) .
[0028] In a typical scenario, a web client 30 may seek access to a resource 32 in an infrastructure 34 of the resource provider domain. To gain access, the web client must acquire a resolution for the required hostname (such as www.example.com). To acquire this resolution, the web client sends a DNS query to a resolver 36. The resolver refers the DNS query to the authoritative nameserver for the designated domain, which is surrogate nameserver 22.
[0029] Upon receiving the DNS query, the surrogate nameserver applies policy codes 28 to determine whether a DNS resolution in cache 26 is valid as a response to the given DNS query. For example, the DNS query may be received at a time of day corresponding to a time-of-day policy code, which specifies that a cached DNS resolution is valid for a half-hour period, or Time-to-Live (TTL) . A more complex set of policy codes may determine that a currently cached resolution is not valid due to the current network load and the geographic location of the web client.
[0030] If a cached DNS resolution is valid for a DNS query, then the surrogate nameserver generates a DNS response from the cached DNS resolution. If, on the other hand, a cached resolution is invalid, the surrogate nameserver issues a DNS query to the origin server in order to acquire a valid, or current, DNS resolution. Upon receiving the valid DNS resolution, including in a DNS response from the origin nameserver, the surrogate nameserver issues a DNS response to the resolver. [0031] Policy codes may specify multiple origin nameservers from which the surrogate nameserver is to acquire DNS resolutions. Such specifications may also determine load balancing of queries across multiple origin nameservers based on time, location, and other criteria such as the source of the requests, the resource requested, and ideal distribution of load, current load relative to capacity, relative performance and availability, and other such capabilities . Policy codes may also determine fail- over policy, by which a second origin nameserver is queried if a first origin nameserver does not respond within a given period of time. Policies may also be set for consolidating responses from multiple origin nameservers, or selecting one, such as the first to be received.
[0032] The surrogate nameserver may also be configured to query other (peer or parent) surrogate nameservers. Policy codes may establish whether or not, and in what manner, a surrogate nameserver is to respond to a DNS query from another surrogate . [0033] Various parameters of communication between the surrogate nameserver and the one or more origin and surrogate nameservers may also be set in policy codes, such as protocol (TCP or UDP), destination port, source IP address, gateway, and other network-level parameters. [0034] By default, a caching nameserver uses the entire FQDN specified in a DNS query as a "cache key" to determine a mapping to a DNS resolution. A surrogate nameserver may modify the cache key by ignoring certain elements of the FQDN, or by adding additional elements, such as the identity of the requesting client. Such modifications serve to create multiple cache entries for the same subdomain and resource type. Policy codes may also manipulate DNS queries that are transmitted to origin servers. For example, the surrogate nameserver may modify the hostname, domain name, and record type of a DNS query before relaying the query to the origin server. The surrogate may also insert location information, such as the IP address or geo-data of the resolver into the query, or include authentication credentials to verify the identity of the surrogate, or convert the query between IPv4 and IPv6 formats.
[0035] Policy codes may specify how DNS responses from the origin nameserver are to be cached. Examples of policies for caching a new response include: caching the new response together with the TTL value returned by the origin nameserver, applying a fixed TTL, dynamically calculating a TTL based on an algorithm included in the given policy code, and not caching until a number of requests for a particular resolution exceeds a specific threshold. Caching rules may be applied differently based on specific attributes of the query and response, such as debugging flags, or specific client IP addresses or locations. Caching rules may also vary depending on other parameters of policy codes, such as time, performance and load, as described above. [0036] Policy codes may also determine whether a DNS query is valid or invalid. An invalid DNS query would be, for example, one of a set of malicious queries, such as a set forming a denial of service attack. Policy codes may implement a variety of methods to identify and to prevent illicit traffic from accessing a resource provider infrastructure. For example, policy codes may refer to "blacklists" that specify specific IP addresses, or blocks of addresses (based on IP prefix or netmask) , or networks (based on AS numbers), or other determinants of geographic location. When a parameter of a DNS query is included in such a blacklist, the surrogate nameserver may return no response, an error response (e.g., a NXDOMAIN error), an alternative response (e.g., a CNAME response) or an intentionally false response (e.g., a response directed to a localhost or a null-route IP address) .
[0037] Surrogate nameservers and origin nameservers may also implement mutual authentication rules to insure that resolvers cannot bypass the surrogate. Generally, the origin nameserver is hidden from other nameservers and resolvers in the Domain Name System. The surrogate may also validate a DNS response using DNSSEC standards or other proprietary methods .
[0038] The surrogate nameserver may delay providing a DNS response in order to control the rate of throughput. Policy codes may determine delay times based on the load parameters described above. Policy codes may also determine length of queues of delayed responses and what actions to perform when a queue exceeds a certain length (such as dropping first or last responses in the queue) .
[0039] Policy codes may also determine how a surrogate may modify or transform the contents of a DNS response, including adding, removing, or modifying records . Such transformations may enhance security or may provide means for transfer of additional data for various technical and business applications. Policy codes may also set rates at which responses may be returned (per customer, domain, or host) .
[0040] Refreshing (i.e., acquiring a new DNS resolution from the origin server) or simply purging one or more records of DNS resolution in the surrogate cache may be performed when a DNS query is received, or may be initiated by the surrogate nameserver when a cached object is past or near its point of expiration. A resource provider can also force a refresh or purge via a direct or indirect request or Application Program Interface (API), indicated in Fig. 1 as purge API 38. A purge request may purge (or refresh) one or more records. Regular-expression rules may be applied to indicate multiple records. Once a purge request is received, the surrogate nameserver implements the request as quickly as is technically possible, for example by setting a purge flag with the indicated records.
[0041] Typically, communications through the purge API include methods for authentication and authorization. The purge request may be sent by a message service, such as Java Message Service (JMS), or by any other synchronous or asynchronous communication means .
[0042] In an embodiment of the present invention, a resource provider or other coder of policy code may update, change, or edit policy code through policy code transfer interface 40 (PCTI) . Typically, settings for the generation of surrogate nameserver logs and reports 42 can also be set through the PCTI. [0043] Fig. 2 is a flow diagram of a process 300 for providing a web client with access to an Internet resource, according to an embodiment of the present invention.
[0044] At a step 302, a surrogate nameserver receives one or more policy codes, which may be transmitted by a resource provider as described above with respect to Fig. 1. Policy codes provide flexible control over multiple aspects of the operation of the surrogate nameserver.
[0045] At a step 304, the surrogate nameserver receives a DNS query. The DNS query is typically initiated by a web client and is transmitted via a resolver.
[0046] At a step 306, the DNS application server applies one or more policy codes to determine if the DNS query is valid. An invalid query is blocked, by means of a blocking DNS response provided at a step 308. The blocking response may be no response, or a response described in more detail above .
[0047] If the DNS query is valid, at a step 310, policy code determines cache validity, that is, whether or not a response from cache of a cached DNS resolution should be provided. The determination is based on a wide range of conditions of system status, DNS query, TTL parameters, and time-of-day, and business logic rules, described in more detail above. The cache may also be invalid if the desired record of DNS resolution was purged, as described above.
[0048] If the cached DNS resolution is not valid, then the DNS query is passed on to one or more origin nameservers at a step 312. Security measures in the communication, such as authentication, are typically implemented. The communication with the origin nameservers may also include fail-over, load-balancing, and queuing. The surrogate may also transform the DNS query and may monitor the subsequent response from the origin nameserver to determine origin nameserver and network performance.
[0049] After a response is received from the origin nameserver, or if the cached DNS resolution was determined at step 310 to be valid, then the surrogate nameserver returns a DNS response at a step 314, typically including in the response the desired DNS resolution. Alternative DNS responses may include hostname redirection or error messages .
[0050] Generally, the surrogate nameserver of the present invention may be implemented in software and/or in hardware. An embodiment as a software program product may be implemented as one or more applications on a general- purpose computing system. A computing system configured to implement the surrogate nameserver may have one or more processors and one or more network interface modules. Processors may be configured as a multi-processing or distributed processing system. The network interface modules control the sending and receiving of data packets over networks .
[0051] Such a computing system also includes memory storage for storing computer executable instructions that instruct the processors to perform various operations described herein. Memory storage may also include multiple distributed memory units, including one or more types of storage media. Examples of storage media include, but are not limited to, magnetic media, optical media, and integrated circuits such as read-only memory devices (ROM) and random access memory (RAM) .
[0052] Policies implemented on the surrogate nameserver may determine actions to implement based on conditions of network and/or system performance. Such conditions may include: response time (which may be the elapsed time between sending a transmission and receiving a first response, or receiving a complete response, or similar measures, such as the time between requesting a service and having the service performed); connect time (such as a time for an IP connection, an SSL connection, or a connection to a transaction application server), transmission speed (typically measured in bytes/sec), error rates (such as percent of bad bytes or bad packets), connection jitter (a measure of variability in quality, such as variability of transmission speed or error rate), and rate of availability (e.g., rates of completion of connections or services). Further measures may include: instantaneous burst rates (i.e., instantaneous throughput as measured in bytes/second of resource content transmitted and/or received by an infrastructure), aggregate usage (i.e., total number of bytes transferred over a given period of time), number of queries served, number of open connections, transaction rates, threshold margins, or aggregate processing load.
[0053] It is to be understood that the embodiments described hereinabove are cited by way of example, and that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove, as well as variations and modifications thereof which would occur to persons skilled in the art upon reading the foregoing description and which are not disclosed in the prior art.

Claims

CLAIMS What is claimed is:
1. A method for providing access to an Internet resource comprising:
registering a surrogate nameserver to be an authoritative nameserver;
receiving at the surrogate nameserver a DNS query;
maintaining at the surrogate nameserver a cache that includes a DNS resolution of the DNS query;
executing at the surrogate nameserver a policy code to make a determination of validity of one or more of the DNS query and the cached resolution; and
responsively to the validity determination generating a DNS response to the DNS query.
2. The method of claim 1, and comprising receiving the policy code at the surrogate nameserver, wherein the policy code includes a set of conditions and actions.
3. The method of claim 1, wherein a hostname specified by the DNS query indicates an infrastructure at which the Internet resource is to be accessed, wherein making the determination of validity comprises determining that the DNS query is invalid, and wherein generating the DNS response comprises generating a response that does not allow access to the infrastructure.
4. The method of claim 3, wherein determining that the DNS query is invalid comprises determining that a parameter of the DNS query is on a blacklist.
5. The method of claim 1, wherein the DNS query is initiated by a web client, and wherein making the determination of validity of the cached resolution comprises evaluating one or more parameters including a time-to-live value for the cached resolution, a time of receipt of the DNS query, a location of the web client, data in the DNS query, and a measure of system performance.
6. The method of claim 1, wherein the DNS query is a first DNS query, wherein the DNS response is a surrogate DNS response, and wherein generating the first DNS response comprises sending a second DNS query from the surrogate DNS server to an origin DNS server, receiving at the surrogate DNS server from the origin DNS server an origin DNS response that includes a new DNS resolution, and including the new DNS resolution in the surrogate DNS response.
7. The method of claim 1, and comprising receiving purge command, and responsively to receipt of the pur command removing the DNS resolution from the cache.
8. The method of claim 1, and comprising generating a report including one or more parameters of the validity determination, said parameters including data in the DNS query, a time of receipt of the DNS query, a location of the web client, and a measure of system performance.
9. The method of claim 1, wherein the DNS query is a first DNS query, and comprising: receiving a second DNS query and generating a report including a measure of aggregation of the first and second DNS queries.
10. A system for providing access to an Internet resource comprising a surrogate nameserver configured with means for receiving a DNS query for a resolution of a fully-qualified domain name (FQDN) , maintaining a cache that includes the resolution for the FQDN, executing a policy code to make a determination of validity of one or more of the DNS query and the cached FQDN resolution, and responsively to the validity determination generating a DNS response to the DNS query.
11. The system of claim 9, and including means for receiving the policy code .
12. A computer program product comprising a computer readable medium, which includes a computer readable program that when executed on a computer causes the computer to receive a DNS query for a resolution of a fully-qualified domain name (FQDN) , to maintain a cache that includes the resolution for the FQDN, to execute a policy code to make a determination of validity of one or more of the DNS query and the cached FQDN resolution, and responsively to the validity determination to generate a DNS response to the DNS query.
PCT/US2011/057743 2010-10-26 2011-10-25 Surrogate name delivery network WO2012058238A2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US13/882,153 US9906488B2 (en) 2010-10-26 2011-10-25 Surrogate name delivery network

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US61/258,042 2009-11-04
US25804210P 2010-10-26 2010-10-26

Publications (2)

Publication Number Publication Date
WO2012058238A2 true WO2012058238A2 (en) 2012-05-03
WO2012058238A3 WO2012058238A3 (en) 2014-04-10

Family

ID=45994696

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2011/057743 WO2012058238A2 (en) 2010-10-26 2011-10-25 Surrogate name delivery network

Country Status (1)

Country Link
WO (1) WO2012058238A2 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016049432A1 (en) * 2014-09-26 2016-03-31 Microsoft Technology Licensing, Llc Dns-based load balancing
CN106470208A (en) * 2015-08-18 2017-03-01 法赛特安全公司 The no lock of domain name blacklist is updated
US9882767B1 (en) 2013-07-23 2018-01-30 Zscaler, Inc. Distributed cloud-based dynamic name server surrogation systems and methods
US9906488B2 (en) 2010-10-26 2018-02-27 Cedexis, Inc. Surrogate name delivery network

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040047349A1 (en) * 2002-08-20 2004-03-11 Nec Corporation Packet transfer equipment, packet transfer method resolution server, DNS server, network system and program
US20060129672A1 (en) * 2001-03-27 2006-06-15 Redseal Systems, Inc., A Corporation Of Delaware Method and apparatus for network wide policy-based analysis of configurations of devices
US20070288588A1 (en) * 2000-04-14 2007-12-13 Wein Joel M Content delivery network (CDN) content server request handling mechanism
US7680276B2 (en) * 1998-06-26 2010-03-16 Secure Storage Solutions, Llc Secure storage device for transfer of digital camera data
US20100269174A1 (en) * 2009-04-20 2010-10-21 Art Shelest Systems and methods for generating a dns query to improve resistance against a dns attack

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7680276B2 (en) * 1998-06-26 2010-03-16 Secure Storage Solutions, Llc Secure storage device for transfer of digital camera data
US20070288588A1 (en) * 2000-04-14 2007-12-13 Wein Joel M Content delivery network (CDN) content server request handling mechanism
US20060129672A1 (en) * 2001-03-27 2006-06-15 Redseal Systems, Inc., A Corporation Of Delaware Method and apparatus for network wide policy-based analysis of configurations of devices
US20040047349A1 (en) * 2002-08-20 2004-03-11 Nec Corporation Packet transfer equipment, packet transfer method resolution server, DNS server, network system and program
US20100269174A1 (en) * 2009-04-20 2010-10-21 Art Shelest Systems and methods for generating a dns query to improve resistance against a dns attack

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9906488B2 (en) 2010-10-26 2018-02-27 Cedexis, Inc. Surrogate name delivery network
US9882767B1 (en) 2013-07-23 2018-01-30 Zscaler, Inc. Distributed cloud-based dynamic name server surrogation systems and methods
US11023378B2 (en) 2013-07-23 2021-06-01 Zscaler, Inc. Distributed cloud-based dynamic name server surrogation systems and methods
WO2016049432A1 (en) * 2014-09-26 2016-03-31 Microsoft Technology Licensing, Llc Dns-based load balancing
CN106470208A (en) * 2015-08-18 2017-03-01 法赛特安全公司 The no lock of domain name blacklist is updated
CN106470208B (en) * 2015-08-18 2017-11-21 法赛特安全公司 Domain name blacklist is updated without lock

Also Published As

Publication number Publication date
WO2012058238A3 (en) 2014-04-10

Similar Documents

Publication Publication Date Title
US9906488B2 (en) Surrogate name delivery network
US9992157B2 (en) DNS application server
US10397178B2 (en) Internet infrastructure survey
US10212124B2 (en) Facilitating content accessibility via different communication formats
US9525602B2 (en) Maintaining IP tables
US8762573B2 (en) Reverse DNS lookup with modified reverse mappings
US9319315B2 (en) Distributing transmission of requests across multiple IP addresses of a proxy server in a cloud-based proxy service
US8621038B2 (en) Incompatible network gateway provisioned through DNS
EP2521330A1 (en) DNSSEC signing server
US9497063B2 (en) Maintaining IP tables
Bushart et al. DNS unchained: Amplified application-layer DoS attacks against DNS authoritatives
WO2018214853A1 (en) Method, apparatus, medium and device for reducing length of dns message
Alani et al. Tcp/ip model
WO2012058238A2 (en) Surrogate name delivery network
CN107222588A (en) A kind of method and system of raising DNS availabilities
KR101345372B1 (en) System and Method for servicing domain name based on user information
KR20190053170A (en) System and method for suppressing DNS requests
US11095605B1 (en) Request routing utilizing encoded DNS-based messaging parameters
US20230379304A1 (en) Policy-based dynamic vpn profile selection using dns protocol
Otsuka et al. Design and implementation of client IP notification feature on DNS for proactive firewall system
CN114268605A (en) Intelligent DNS realization method and device and computer storage medium
Abegaz DNS Services, alternative ways of using DNS infrastructures
Weaver et al. RASD–Rapid Adaptive Secure DNS
Streibelt EDNS-Client-Subnet Extension

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 11836964

Country of ref document: EP

Kind code of ref document: A2

WWE Wipo information: entry into national phase

Ref document number: 13882153

Country of ref document: US

122 Ep: pct application non-entry in european phase

Ref document number: 11836964

Country of ref document: EP

Kind code of ref document: A2