WO2017156231A1 - Methods and apparatus for intelligent domain name system forwarding - Google Patents

Methods and apparatus for intelligent domain name system forwarding Download PDF

Info

Publication number
WO2017156231A1
WO2017156231A1 PCT/US2017/021514 US2017021514W WO2017156231A1 WO 2017156231 A1 WO2017156231 A1 WO 2017156231A1 US 2017021514 W US2017021514 W US 2017021514W WO 2017156231 A1 WO2017156231 A1 WO 2017156231A1
Authority
WO
WIPO (PCT)
Prior art keywords
dns
response
proxy server
dns query
metadata
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/US2017/021514
Other languages
English (en)
French (fr)
Inventor
Amy LINARI
Erich RICKHEIT
Richard Gibson
Joseph ABLEY
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Dynamic Network Services Inc
Original Assignee
Dynamic Network Services Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Dynamic Network Services Inc filed Critical Dynamic Network Services Inc
Priority to CN201780020823.2A priority Critical patent/CN108886525B/zh
Priority to EP17764066.1A priority patent/EP3427465B1/en
Priority to US16/080,684 priority patent/US10686751B2/en
Priority to JP2018547416A priority patent/JP6861219B2/ja
Publication of WO2017156231A1 publication Critical patent/WO2017156231A1/en
Anticipated expiration legal-status Critical
Ceased legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/16Implementing security features at a particular protocol layer
    • H04L63/168Implementing security features at a particular protocol layer above the transport layer
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4505Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/45Network directories; Name-to-address mapping
    • H04L61/4552Lookup mechanisms between a plurality of directories; Synchronisation of directories, e.g. metadirectories
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/59Network arrangements, protocols or services for addressing or naming using proxies for addressing
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/565Conversion or adaptation of application format or content
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/56Provisioning of proxy services
    • H04L67/568Storing data temporarily at an intermediate stage, e.g. caching
    • H04L67/5682Policies or rules for updating, deleting or replacing the stored data
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/34Network arrangements or protocols for supporting network services or applications involving the movement of software or configuration parameters 

Definitions

  • DNS Domain Name System
  • IP Internet Protocol
  • Authoritative DNS servers also known as authoritative name servers or authoritatives, respond to queries about the mapping of domain names to numerical IP addresses and also to requests for other resource records (RRs), such as mail exchanger (MX) records.
  • RRs resource records
  • MX mail exchanger
  • each authoritative has its own DNS database of DNS records.
  • Common types of records stored in a DNS database include IP addresses (A and AAAA), Simple Mail Transfer Protocol (SMTP) MX records, and name server (NS) records for the corresponding domain.
  • a DNS database can also store records for other types of data, including domain name
  • CNAME aliases
  • DNS SEC DNS Security Extension
  • DNS servers used to answer queries for the new domain.
  • the registrant obtains authoritative
  • DNS service from an authoritative DNS provider (such as Dynamic Network Services Inc. of Manchester, NH) and configures the records for its domain name (or more precisely, zone) with the authoritative DNS provider.
  • an end user's machine attempts to access the new domain name, it asks a recursive DNS server to retrieve a DNS record for the new domain, most commonly an A or AAAA (IPv4 or IPv6 address).
  • AAAA IPv4 or IPv6 address
  • the recursive server locates the authoritative DNS server maintained by the authoritative DNS provider, then queries the authoritative DNS server for the DNS record.
  • the recursive DNS server returns the authoritative DNS server's answer to the end user's machine and may also cache the answer according to its time to live (TTL).
  • TTL time to live
  • Embodiments of the present technology include methods of responding to DNS queries.
  • An example method comprises receiving a DNS query from a client at a proxy server.
  • the proxy server modifies the DNS query to include a request for metadata and transmits the DNS query to an authoritative DNS server.
  • the proxy server receives a response to the DNS query from the authoritative DNS server, which includes the metadata, from the authoritative DNS server.
  • the proxy server modifies the response to the DNS query based at least in part on the metadata and transmits the response to the DNS query from the proxy server to the client.
  • the proxy server can modify the DNS query by setting a DNS Security (DNS SEC) OK (DO) flag in the DNS query.
  • DNS SEC DNS Security
  • DO DNS
  • the metadata can be a Requested Resource Signature (RRSIG) record.
  • the response to the DNS query received by the proxy server can include receiving metadata, which includes a program, and receiving a plurality of IP addresses.
  • the proxy server modifies the response to the DNS query by executing the program. During execution, the proxy server may reorder the plurality of IP addresses, filter the plurality of IP addresses and select an IP address from the plurality of IP addresses.
  • the proxy server modifies the response to the DNS query by removing the metadata from the response to the DNS query and then transmits the response to the client.
  • the proxy server can modify the response to the DNS query by applying a sequence of rules in order to transmit the response to the client.
  • Other embodiments of the present technology include systems for generating a plurality of responses to a DNS query.
  • An example system comprises a proxy server that is in digital communication with a DNS authoritative server and a client device.
  • the proxy server is configured to receive a DNS query from the client device.
  • the proxy server can modify the DNS query to include a request for metadata, transmit the DNS query to the authoritative server, receive a response to the DNS query, which includes the metadata, from the authoritative server.
  • the proxy server can modify the response to the DNS query based at least in part on the metadata and transmit the response to the DNS query to the client.
  • the proxy server can be configured to modify the DNS query by setting a DNS Security (DNSSEC) OK (DO) flag in the DNS query.
  • the metadata can be a RRSIG.
  • the response to the DNS query from the authoritative DNS server can include a program and a plurality of IP addresses.
  • the proxy server is configured to execute the program.
  • the proxy server can execute the program by reordering the plurality of IP addresses, filtering the plurality of IP addresses, and selecting an IP address from the plurality of IP addresses.
  • the proxy server can be configured to remove the metadata from the response to the DNS query before transmitting the response to the client device.
  • the proxy server can be configured to modify the response to the DNS query by applying a sequence of rules to transmit the response to the client device.
  • An example method comprises receiving the DNS query from a client at a proxy server.
  • the proxy server determines if the DNS query includes a request for metadata.
  • the proxy server transmits the DNS query from the proxy server to an authoritative DNS server.
  • the proxy server modifies the DNS query to include a request for metadata and transmits the DNS query from the proxy server to the authoritative DNS server.
  • the proxy server receives a response to the DNS query, which includes the metadata, from the authoritative DNS server.
  • the proxy server modifies the response to the DNS query based at least in part on the metadata and transmits the response to the DNS query from the proxy server to the client.
  • the response to the DNS query received from the authoritative DNS server can include a program that is included in the metadata and a plurality of IP addresses. Modifying the response to the DNS query can include executing the program at the proxy server to select an IP address from the plurality of IP addresses. Modifying the response to the DNS query can include the proxy server selecting the IP address based on at least one of a latency, an availability, or a priority of the IP address.
  • the proxy server can remove the metadata from the response before transmitting the response to the client.
  • FIG. 1 illustrates a system including a proxy server that facilitates intelligent DNS forwarding.
  • FIG. 2 shows a proxy server that provides advanced DNS services with an (unmodified) authoritative DNS server.
  • FIG. 3 is a flow diagram illustrating the method of intelligent DNS forwarding by a proxy server.
  • FIG. 4 is a flow diagram showing a method to process metadata from the authoritative DNS server.
  • FIG. 5 illustrates an example intelligent DNS forwarding by a proxy server.
  • An authoritative DNS server responds to queries about the name of website by returning the IP address that points to the website. Ordinarily, an authoritative DNS server should give the same IP address every time for queries directed to a given website, assuming that the IP address hasn't changed. But there are times when it would be advantageous for the authoritative DNS server to return different responses (e.g., an IP address) when queried about a given domain name—that is, for the authoritative DNS server to give different answers to the same query.
  • IP addresses could be used for load balancing at the directory level, to ensure that each end user was served by the closest server (e.g., the server with the lowest latency or shortest geographic distance), or to provide alias functionality or CNAME flattening (aka ALIAS) to get around limitations of the DNS standard itself.
  • ALIAS alias functionality
  • the authoritative DNS server may be modified to provide different responses to a given query depending, for example, on the IP address of the recursive server making the query or the time of day.
  • the responses may also be selected randomly from a larger set to balance the load across multiple servers.
  • the modification is based on information or an algorithm or code provided by the registrant.
  • the authoritative DNS server may be modified to store the desired behavior for the domain in question inside the DNS data as a special record type and return it according to modified code. [0020] But these modifications are generally custom and tend to scale poorly, in part because of the complexity of authoritative DNS servers.
  • an authoritative DNS server is usually optimized for certain use cases, so modifying it to provide custom answers often leads to scaling issues.
  • One example of those scaling issues is loading too much into memory because one has selected an in-memory server. Loading memory can take an inconveniently long time for a large number of records. Changing the scaling or other properties of the authoritative by swapping for a different one often leads to redoing the custom work and possibly maintaining different versions in different systems. Also, these systems are complex and difficult to maintain. Maintaining a customized authoritative DNS server can also be complicated, especially if the records change over time.
  • the present technology provides ways to generate different responses to the same query using a proxy server coupled to the authoritative DNS server instead of modifying the authoritative DNS server.
  • the proxy server does not have to retain any customer data or advanced services specifications, so it isn't affected by scaling of that data or the access patterns to it.
  • FIG. l is an illustration of a system 100 including a proxy server 130, also called a DNS proxy server or DNS proxy, configured to detect DNS queries from a client device 120 and process responses from an authoritative DNS resolver 110 to provide intelligent DNS
  • the system 100 also includes an authoritative DNS resolver 110, an alias resolver 135, and network resources (memory) 199. These devices and the proxy server 130 are located at the DNS edge 101 and are operably coupled (e.g., via the internet) to a transformer 170, which in turn is coupled to a policy master 160 and a policy compiler 150.
  • the proxy server 130, authoritative server 110, recursive resolver 135, policy compiler 150, policy master 160, and transformer 170 can each be implemented as computer-executable code stored in computer-readable, nonvolatile memory and executed by a processor. They can be collocated or distributed as desired using suitable hardware and connections.
  • the network resources 199 can be implemented as any suitable type of computer-readable, nonvolatile memory that is communicatively coupled to the proxy server 130 and the transformer 170.
  • a customer 140 configures DNS records for its domain name(s) with the authoritative DNS resolver 110, just as in a conventional system.
  • These domain names may be associated with one or more customer assets 145a-145c (collectively, customer asset 145), such as content delivery networks (CDNs), each of which has a different IP address and can be resolved as the IP address corresponding to a given domain name.
  • the customer 140 sets one or more dynamic steering policies for directing traffic to these IP addresses in response to domain name queries from users 121. For instance, a customer 140 may use a web-based interface to specify latency, availability, geolocation, and other criteria for determining which IP address to supply in response to a given DNS query from an end user 121.
  • the network resources 199 may store the link data 180, subnet data 190, and/or asset data 195 corresponding to these criteria for use by the proxy server 130 in intelligent DNS forwarding.
  • Link data 180 and subnet data 190 can also be stored in memory data structures local to the proxy 130.
  • a dynamic steering policy includes criteria, data, and rules from the customer 140 and possibly from the end user 121 as well for supplying an IP address in response to a DNS query for one of the customer's domain names.
  • the policy master 160 stores dynamic steering policies from the customer 140, e.g., as one or more functions written in a formal computer language.
  • the policy master 160 generates programs including these functions with a policy compiler 150.
  • the policy compiler 150 can be implemented as a simple executable wrapper configured to build these programs such that the functions including dynamic steering policies can be interpreted by the proxy server 130.
  • the policy master 160 may supply customer configuration of advanced services (e.g., as programs in Requested Resource Signature (RRSIG) records) to the authoritative DNS resolver 110 as shown in FIG. 1.
  • RRSIG Requested Resource Signature
  • Dynamic steering policies and attachment data such as link data 180, subnet data 190, and asset data 195, from the policy master 160 are transmitted via the transformer 170 to the network resources 199.
  • the transfomer 170 propagates dynamic data (e.g., link data 180, subnet data 190, asset data 195, etc.) to the edge 101.
  • the transformer 170 gets that data by listening to events on various channels and processing them into declarative information like "Mean latency to ExampleCDN from behind resolvers in 192.0.2.0/24 is 42 milliseconds" or "198.51.100.0/24 is in France” or "webserver2.example.com is down.”
  • the network resources 199 store data provided by the customer 140 or acquired relating to latency, health, geolocation, availability and other criteria that are used to determine a response to the DNS query.
  • the link data 180 stores cooked latency performance data that may be aggregated (e.g., every five minutes) by the authoritative DNS resolver 110.
  • the subnet data 190 stores geolocation data for each customer asset 145 and possibly for each client 120.
  • Asset data 195 includes availability data such as health of an IP address.
  • the proxy server 130 uses the policies defined by the customer 140 and based on link data 180, subnet data 190, and/or asset data 195, among other things, to steer the client 120 to an appropriate customer asset 145a, 145b, or 145c.
  • the proxy server 130 receives queries from the client 120 for the DNS server 110 and inspects them to see if they include a request for metadata, such as DNSSEC information. If the query includes a request for DNSSEC information, the proxy server 130 passes the query to the authoritative DNS server 110; if not, the proxy server 130 sets a DNSSEC OK (DO) flag in the query to retrieve the DNSSEC information from the authoritative DNS server 110.
  • the authoritative DNS server 110 responds to the proxy server 130 according to the DNS standard.
  • the proxy server 130 modifies the response from the authoritative DNS server 110 based on the DNSSEC information, original query, query source (IP address), time of day, etc., then transmits the modified response to the recursive DNS server that made the request.
  • the proxy server 130 may retrieve metadata, such as DNSSEC related RRs not requested by the client 120, it removes the metadata from the response when not requested.
  • that DO flag is inside a record called OPT, which some clients don't ask for either, in which case it is removed as well.
  • modifications to the client query have their results reversed before passing back to the client. Modifications used in various circumstances include: (1) adding an OPT record if not present; (2) setting DO if not set; and (3) adding a client-subnet option with the client source IP address.
  • the proxy server can also add a custom option called EDNSO Proxy Option (EPO) to pass the client source IP so as to make the transition from the legacy infrastructure more seamless. EPO is useful when working with a modified authoritative DNS server. Of all of these, only the OPT and DO parts are fundamental to the RRSIG approach.
  • the proxy server 130 modifies the response from the authoritative DNS server 110 according to cryptographic signature information, called the Requested Resource Signature (RRSIG), stored in the DNS SEC record on the authoritative DNS server 110.
  • RRSIG Requested Resource Signature
  • the proxy server 130 uses both the RRSIG and information encoded in the query, such as the IP address of the query source, to determine if and how to modify the response to the query.
  • this approach involves treating the authoritative DNS server 110 as a "memory" for the RRSIG. Because the proxy server 130 modifies the query to return the DNS SEC record, the proxy server 130 does not have to make a separate request for the RRSIG.
  • this technique for modifying the query response doesn't involve any extra queries, it places a smaller processing burden on the authoritative DNS server 110 than making separate queries for RRSIGs. That is, the authoritative DNS server 110 can process a single (potentially modified) request from the proxy server 130 more efficiently than it can process two separate requests.
  • proxy server 130 to modify responses to DNS queries. Adding the proxy server 130 adds an extra layer to the network, which increases latency, cost, and complexity. Using the proxy server 130 also doubles the amount of network traffic. But unlike using a modified authoritative DNS server 110, using a proxy server 130 separates advanced DNS functionality from functionality that provides routine
  • proxy server 130 also increases flexibility for providing advanced DNS functionality. And it may be easier and faster to implement new features in a proxy server because the proxy server can be built for feature development.
  • the proxy server 130 can also use a language sufficiently generalized that many new features can be released without any updates to the proxy server itself or to the authoritative DNS server(s). It also makes it practical to overlay advanced features on most DNSSEC ready authoritative DNS systems that may already have been built, with little if any modification.
  • proxy servers 130 with an authoritative DNS server 110 also simplifies maintaining coherency among servers.
  • Some proxy servers 130 keep configuration data for a website, for example, but this configuration data has to be carefully synchronized with the configuration data on the actual content servers. Keeping both the desired advanced feature behavior and the data in the same zone allows these to be kept in sync using standard zone update mechanisms. This is why custom RR types are commonly used rather than another approach altogether - because although a separate database could contain the advanced features, keeping it in sync would be problematic.
  • the proxy approach disclosed herein retains this in- zone property while separating the implementation parts, which is fairly unusual.
  • proxy server 130 coupled to an authoritative DNS server 110, there is no need to maintain changes to an open source or internally developed authoritative server implementations.
  • Using a proxy server 130 also provides the flexibility to use different authoritative DNS server implementations without redeveloping features within each authoritative DNS server. That flexibility allows the feature set to be used in deployments which have very different
  • FIG. 2 shows a DNS proxy server 230 that sits in front of a DNS server 210 (e.g., an authoritative DNS server or backend recursive DNS server). In operation, it accepts
  • a DNS server 210 e.g., an authoritative DNS server or backend recursive DNS server. In operation, it accepts
  • Transmission Control Protocol (TCP) 207 and User Datagram Protocol (UDP) 205 DNS queries (e.g., DNS queries 233a and 233b) from a client 220 (e.g., a recursive server), and issues DNS queries (e.g., 233c and 233d) to the DNS server 210.
  • the DNS proxy server 230 interprets instructions embedded in the responses from the authoritative DNS server 210 to provide various dynamic responses to the client's queries in a general way, without necessarily storing any configuration regarding those dynamic responses, to reduce or eliminate synchronization concerns. It does not necessarily cache the responses from the authoritative DNS server and does not necessarily depend on a cache for good performance or correct behavior.
  • the DNS proxy server 230 passes a query 233a and/or 233b from the client 220 to the DNS server 210 (with some minor modifications) and awaits the reply.
  • the DNS proxy server 230 includes one or more Query Processing Workers 232 for handling queries
  • the proxy server 230 may keep a large collection of uniform workers 232 and hand them queries 233 as the queries arrive, with each worker 232 is committed to a single query 233 at a time. A worker 232 becomes ready for the next query 232 as soon as the response is sent.
  • TCP Clients 234 in a TCP Backend 236 regulate messages from the workers 232 to the servers 210 and back in a similar one-at-a-time fashion, but can maintain persistent connections to the servers 210 for efficiency.
  • Each TCP Backend 236 is a pool of TCP Clients
  • the reply (e.g., 237a and 237b) from the DNS server 230 may contain an answer record for the query, and may optionally also contain one or more RRSIG records. That behavior is present in any DNS SEC compliant DNS server and does not conflict with the intended use of RRSIG records.
  • the RRSIG records may include one using the standardized custom cryptography type, which is then disambiguated with a name which is traceable to a specific owner and thus unique.
  • the RRSIG record may carry any data, including an embedded program written in a language sophisticated enough to compose together smaller functions to create desired behaviors. It can also use specific RR types for each behavior/feature, such as the degenerate case of each feature being named in the program. For example, the degenerate case might be expressed in human readable form as: Alias("domain.com”). And a more sophisticated expression that composes more primitive functions (very approximately): ReplaceRR(Qname(), Qtype(), LookupRecursive("domain.com”)). It's put in authoritative memory by adding the appropriate RRSIG record into the zone.
  • the DNS proxy server 230 watches for the embedded program and executes it to generate a modified response to the client's 220 original query. In the course of determining what response the DNS proxy server 230 should send to the client 220, the DNS proxy server 230 may issue additional queries to other systems using DNS or other protocols, or consult other local data. Finally, the proxy server 230 returns a result (e.g., 237c and/or 237d) to the client 220.
  • a result e.g., 237c and/or 237d
  • the DNS proxy server 230 can generate a response to the client's query by passing only one query to the authoritative DNS server 210. Conversely, embedding the program in a custom type would require two queries, first one for the custom type to see if there is a program, then one for the data requested. For the RRSIG implementation, the DNS proxy server 230 may make additional queries beyond the initial query depending on the application specific behavior being
  • the policy master is responsible for storing dynamic steering policies and attachment data from the customers.
  • the policy master generates programs with a policy compiler, which can be implemented as a simple executable wrapper configured to build programs that can be interpreted by the proxy server.
  • the policy compiler provides functions configured to construct programs. Some example functions added to the policy compiler include filter functions and sorting functions for selecting an IP address from among all of the possible IP addresses that could be supplied in response to the DNS query.
  • the policy compiler includes a BuildResponse function that takes a list of resource records that may go into the final response and a rule function that can alter the list of records by sorting and/or reducing it.
  • a function in addition to arguments to perform the sorting or filtering, also takes a rule function.
  • a special function End can be used to end the sequence of rules that need to be applied.
  • the BuildResponse function can shuffle the (reduced) list of records and construct the DNS response.
  • An example of a BuildResponse program is as below:
  • Available, Performance, and Priority are rules to perform sorting and filtering. These rules are described further below.
  • the function Available [avl, av2, ...] can filter the list of resource records based on the list of asset mappings where each element maps a resource record index in the list of proposed resource records to an asset identifier.
  • the asset identifier can be used to lookup the availability data from a network resource. Records corresponding to assets that are not available are removed from the list. So “0:asset9998” in the example below means to look up availability for asset “asset9998” and filter out the resource record "rrO" if that asset is marked unavailable. This rule will never leave the list empty: if all records would be removed, no filtering is performed.
  • the function Performance [lpl, lp2, ...] type can filter the list of resource records based on the list of asset mapping where each element maps a resource record index in the list of proposed resource records, to an asset identifier.
  • the asset identifier can be used to lookup the link's latency data. An asset with no latency data is considered to have maximum latency.
  • assetlOOl in the example below means to look up the link performance data for asset “assetlOOl " and filter out the resource record “rrl " if that asset has too high of a latency. This rule will never leave the list empty: if all records would be removed, no filtering is performed.
  • the type argument defines how link performance filtering is applied. It is defined to be a mapping of a non-negative integer value N to a link performance filter option. These options may include:
  • Priority [pfl, pf2, ...] can sort the list of resource records based on the given list of priority mappings where each element maps a resource record index in the list of proposed resource records, to a priority ranking. So “0:20" and “ 1 : 10" in the example below means that "rrl " is preferred over "rrO". If records have the same ranking (there is a tie), the proxy server can determine the order at random. A record with no assigned priority will be given an infinite priority. An empty list means there is no priority and the final response will be shuffled. Rank is specified as a 16-bit unsigned integer equivalent (uintl6).
  • rules can include functions such as Bias to randomly shuffle the list of resource records, Max num to limit the list of resource records, and Reject to remove particular resource records.
  • functions such as Bias to randomly shuffle the list of resource records, Max num to limit the list of resource records, and Reject to remove particular resource records.
  • FIG. 3 is a flow diagram showing a process 300 for providing intelligent DNS forwarding using a proxy server.
  • This process 300 can be implemented using system 100 illustrated in FIG. 1 or any other suitable system or network including a proxy server such as proxy server 130 in FIG. 2.
  • the process 300 involves detecting DNS queries from a client device and processing responses from authoritative DNS servers to provide intelligent DNS forwarding.
  • a client device When a client device attempts to access a domain, at step 310, it sends a DNS query to the DNS proxy.
  • the DNS proxy analyzes the DNS query to determine if the DNS query includes a request for metadata. In one implementation, the DNS proxy inspects the DNS query to determine if the DNS query includes a request for metadata, such as DNS SEC information or OPT records. If the DNS query does include a request for metadata (e.g., request for DNS SEC information), at step 330, the DNS proxy passes the DNS query to the authoritative DNS server. If the DNS query does not include a request for metadata, then at step 340, the DNS query is updated to include a request for metadata.
  • a request for metadata e.g., request for DNS SEC information
  • the DNS proxy sets a DNS SEC OK (DO) flag in the DNS query to retrieve the DNS SEC information from the authoritative DNS server.
  • the DNS proxy passes the updated DNS query to the authoritative DNS server.
  • the DNS proxy determines if the response from the authoritative DNS server includes metadata. In one implementation, the DNS proxy determines if the response includes metadata, e.g., an RRSIG stored in DNSSEC records. In another implementation, the DNS proxy determines if the response includes OPT records. If the response from the authoritative DNS server does not include metadata, at step 360, the DNS response message from the authoritative DNS server is sent to the client device. That is, the proxy server retrieves a DNS record with one or more IP addresses corresponding to the domain name from the authoritative DNS server and sends it to the client device.
  • metadata e.g., an RRSIG stored in DNSSEC records.
  • OPT records e.g., OPT records.
  • the DNS proxy further processes the metadata to generate a modified response including one of the IP addresses from the authoritative DNS server.
  • this modified response generated by the proxy server is sent to the client device.
  • FIG. 4 is a flow diagram showing a method 400 of processing metadata from the authoritative DNS server at a proxy server.
  • the DNS proxy receives a response from the authoritative DNS server. This response includes metadata and one or more IP addresses.
  • the DNS proxy processes one or more programs embedded in the metadata. Programs embedded in the metadata define dynamic steering policies and rules to determine an optimal IP address associated with the domain name.
  • the DNS proxy processes one or more functions embedded in RRSIG.
  • the DNS proxy looks up network resources based on embedded rules and functions in the metadata.
  • the DNS proxy executes embedded programs in RRSIG and depending on the rules in RRSIG, the DNS proxy looks up network resources such as link data, subnet data, and asset data. Link data, subnet data, and asset data include information about latency, performance, health, and other information relating to the content IP address and client IP address.
  • the data from the network resources are reordered, sorted, and filtered to determine one optimal IP address associated with the domain name. For example, routes from the client device to the content delivery networks can be sorted based on their latencies, IP origins can be sorted and reordered based on their health.
  • the DNS response from the authoritative server is modified to include an optimal answer generated by the DNS proxy. Modified DNS response message is sent to the client device. If the DNS query from the client device did not include a request for metadata, the metadata in the modified DNS response message can be removed before it is sent to the client device.
  • FIG. 5 illustrates a more specific example of intelligent DNS forwarding by a proxy server 530.
  • the proxy server 530 can be functionally similar, if not the same as, to proxy server
  • a client device 520 attempts to access a domain name by sending a DNS query 512 to the authoritative DNS server 510.
  • the proxy server 530 accepts the DNS query 512 and determines if the DNS query 512 includes a request for metadata to be included in the response. Upon determination that the DNS query 512 does not include this request, the query 512 is updated to reflect the request for metadata.
  • the updated DNS request 516 is transmitted to the DNS authoritative server 510 to retrieve DNS records for the domain name. If the DNS authoritative server 510 does not include metadata for the requested domain, the DNS authoritative server 510 transmits a program-free response 518 to the proxy server 530.
  • the program-free response 518 is the target IP address for the domain name without any metadata.
  • the proxy server 530 maps this program-free response 518 to the client. And at 524, the proxy server 530 returns A or AAAA (IPv4 or IPv6 address) of the domain to the client device 520.
  • the authoritative DNS server 510 includes metadata for the requested domain, then the authoritative DNS server 510 provides DNS records including IP address relating to the domain 526a along with requested metadata 526b to the proxy server 530.
  • the "example.com. A 0.0.0.0" in 526a is a "dummy" answer that will be occluded by the dynamic processing instructions in 526b.
  • a fundamental characteristic of RRSIG records is that they are metadata
  • FIG. 5 demonstrates that answer data is present in the response from authoritative 510, even if it will be ignored by proxy 530 because it is
  • the metadata includes one or more embedded programs to create desired behaviors.
  • the proxy server 530 includes an interpreter to execute the embedded programs in the metadata 526b and generate a modified response. During processing, the proxy server 530 looks up subnet data 590 and/or link data 580 to obtain information relating to latency, performance, health, or other such criteria.
  • the subnet data 590 and link data 580 are network resources that provide answers (e.g., 532 and 538) to the proxy server 530 based on lookup requests (e.g., 528 and 536).
  • the proxy server 530 reorders, filters, and reduces the list of IP addresses based on these answers to determine one optimal IP address.
  • the answer is mapped to the client and a modified DNS response message 546 is sent to the client 320. If the DNS query from the client 320 did not contain a request for metadata, the proxy server 530 removes the metadata from the DNS response message and sends a modified DNS response message 546 with only the IP address to the client device 320.
  • client device 320 with IP address 203.0.113.1 attempts to access domain "example.com A”.
  • DNS query 512 requesting access to "example.com A" is sent to the proxy server 530. Since the DNS query 512 does not include a request for metadata, that is, the DNS query does not include a request for DNSSEC record, the query 512 is updated by setting the DNSSEC DO flag at 514. The updated request 516 is sent to the authoritative DNS server 510.
  • the authoritative DNS server 510 presuming that the authoritative DNS server 510 does not include metadata for "example.com", the authoritative DNS server 510 returns a program-free response 518 with the IP address of the CDN corresponding to the domain(e.g., example.com A 192.0.2.1).
  • the program-free response 518 is mapped to the client and the IP address (example.com A 192.0.2.1) 524 is sent to the client.
  • the authoritative DNS server 510 provides RRSIG 526b stored in the DNSSEC records to the proxy server 530.
  • the proxy server 530 executes the "BuildResponse" function included in the RRSIG.
  • the "BuildResponse” function is a rule function that is added to the policy master by one or more customers to store dynamic steering policies for the domain.
  • the "BuildResponse” function includes arguments for geolocation data (geo data) and latency.
  • the proxy server 530 looks up geo data for the client 320 by sending a look up request 528 to the subnet.
  • the proxy server 530 analyzes the geo data to determine if the geo data in RRSIG matches the client geo data.
  • the proxy server 530 looks up performance data for the Content Delivery Networks (CDN) ([0:cdnl, 1 :cdn2]) listed in the RRSIG by sending a latency look up request 536 to the link data 580.
  • the link data 580 returns the latency for cdnl and cdn2.
  • the latency for cdnl is 180 ms for cdnl and the latency for cdn2 is 142 ms.
  • the proxy server 530 filters out high latency records thereby reducing the answer to cdn2.
  • the proxy server 530 maps the response to the client, then sends the DNS response message 546 including the IP address of cdn2 (example.com a
  • Advanced DNS services can also be provided with a proxy server that looks for instructions in the target name of a Canonical Name (CNAME) response from an authoritative DNS server.
  • CNAME Canonical Name
  • a CNAME record specifies that a domain name is an alias for another domain name, the "canonical" domain.
  • the canonical domain defines all information for the other domain, including subdomains, IP addresses, etc.
  • inventive embodiments are presented by way of example only and that, within the scope of the appended claims and equivalents thereto, inventive embodiments may be practiced otherwise than as specifically described and claimed.
  • inventive embodiments of the present disclosure are directed to each individual feature, system, article, material, kit, and/or method described herein.
  • a computer may be embodied in any of a number of forms, such as a rack-mounted computer, a desktop computer, a laptop computer, or a tablet computer. Additionally, a computer may be embedded in a device not generally regarded as a computer but with suitable processing capabilities, including a Personal Digital Assistant (PDA), a smart phone or any other suitable portable or fixed electronic device.
  • PDA Personal Digital Assistant
  • a computer may have one or more input and output devices. These devices can be used, among other things, to present a user interface. Examples of output devices that can be used to provide a user interface include printers or display screens for visual presentation of output and speakers or other sound generating devices for audible presentation of output.
  • Examples of input devices that can be used for a user interface include keyboards, and pointing devices, such as mice, touch pads, and digitizing tablets.
  • a computer may receive input information through speech recognition or in other audible format.
  • Such computers may be interconnected by one or more networks in any suitable form, including a local area network or a wide area network, such as an enterprise network, and intelligent network (EST) or the Internet.
  • networks may be based on any suitable technology and may operate according to any suitable protocol and may include wireless networks, wired networks or fiber optic networks.
  • the various methods or processes may be coded as software that is executable on one or more processors that employ any one of a variety of operating systems or platforms. Additionally, such software may be written using any of a number of suitable programming languages and/or programming or scripting tools, and also may be compiled as executable machine language code or intermediate code that is executed on a framework or virtual machine.
  • inventive concepts may be embodied as a computer readable storage medium (or multiple computer readable storage media) (e.g., a computer memory, one or more floppy discs, compact discs, optical discs, magnetic tapes, flash memories, circuit configurations in Field Programmable Gate Arrays or other semiconductor devices, or other non- transitory medium or tangible computer storage medium) encoded with one or more programs that, when executed on one or more computers or other processors, perform methods that implement the various embodiments of the invention discussed above.
  • the computer readable medium or media can be transportable, such that the program or programs stored thereon can be loaded onto one or more different computers or other processors to implement various aspects of the present invention as discussed above.
  • program or “software” are used herein in a generic sense to refer to any type of computer code or set of computer-executable instructions that can be employed to program a computer or other processor to implement various aspects of embodiments as discussed above. Additionally, it should be appreciated that according to one aspect, one or more computer programs that when executed perform methods of the present invention need not reside on a single computer or processor, but may be distributed in a modular fashion amongst a number of different computers or processors to implement various aspects of the present invention.
  • Computer-executable instructions may be in many forms, such as program modules, executed by one or more computers or other devices.
  • program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types.
  • functionality of the program modules may be combined or distributed as desired in various embodiments.
  • data structures may be stored in computer-readable media in any suitable form.
  • data structures may be shown to have fields that are related through location in the data structure. Such relationships may likewise be achieved by assigning storage for the fields with locations in a computer-readable medium that convey relationship between the fields.
  • any suitable mechanism may be used to establish a relationship between information in fields of a data structure, including through the use of pointers, tags or other mechanisms that establish relationship between data elements.
  • inventive concepts may be embodied as one or more methods, of which an example has been provided.
  • the acts performed as part of the method may be ordered in any suitable way. Accordingly, embodiments may be constructed in which acts are performed in an order different than illustrated, which may include performing some acts simultaneously, even though shown as sequential acts in illustrative embodiments.
  • All definitions, as defined and used herein, should be understood to control over dictionary definitions, definitions in documents incorporated by reference, and/or ordinary meanings of the defined terms.
  • a reference to "A and/or B", when used in conjunction with open-ended language such as “comprising” can refer, in one embodiment, to A only (optionally including elements other than B); in another embodiment, to B only (optionally including elements other than A); in yet another embodiment, to both A and B (optionally including other elements); etc.
  • At least one of A and B can refer, in one embodiment, to at least one, optionally including more than one, A, with no B present (and optionally including elements other than B); in another embodiment, to at least one, optionally including more than one, B, with no A present (and optionally including elements other than A); in yet another embodiment, to at least one, optionally including more than one, A, and at least one, optionally including more than one, B (and optionally including other elements); etc.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
PCT/US2017/021514 2016-03-09 2017-03-09 Methods and apparatus for intelligent domain name system forwarding Ceased WO2017156231A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
CN201780020823.2A CN108886525B (zh) 2016-03-09 2017-03-09 智能域名系统转发的方法和装置
EP17764066.1A EP3427465B1 (en) 2016-03-09 2017-03-09 Methods and apparatus for intelligent domain name system forwarding
US16/080,684 US10686751B2 (en) 2016-03-09 2017-03-09 Methods and apparatus for intelligent domain name system forwarding
JP2018547416A JP6861219B2 (ja) 2016-03-09 2017-03-09 インテリジェントドメインネームシステム転送のための方法および装置

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201662305602P 2016-03-09 2016-03-09
US62/305,602 2016-03-09

Publications (1)

Publication Number Publication Date
WO2017156231A1 true WO2017156231A1 (en) 2017-09-14

Family

ID=59790779

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2017/021514 Ceased WO2017156231A1 (en) 2016-03-09 2017-03-09 Methods and apparatus for intelligent domain name system forwarding

Country Status (5)

Country Link
US (1) US10686751B2 (enExample)
EP (1) EP3427465B1 (enExample)
JP (1) JP6861219B2 (enExample)
CN (1) CN108886525B (enExample)
WO (1) WO2017156231A1 (enExample)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11368365B2 (en) 2019-10-25 2022-06-21 Samsung Electronics Co., Ltd. Methods and systems for determining ICN capability of a node/server

Families Citing this family (27)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10530734B2 (en) 2014-12-16 2020-01-07 Verisign, Inc. Balancing visibility in the domain name system
US10110614B2 (en) * 2016-07-28 2018-10-23 Verisign, Inc. Strengthening integrity assurances for DNS data
CN107222492A (zh) * 2017-06-23 2017-09-29 网宿科技股份有限公司 一种dns防攻击方法、设备和系统
US10666603B2 (en) * 2017-07-13 2020-05-26 T-Mobile Usa, Inc. Optimizing routing of access to network domains via a wireless communication network
US11019083B2 (en) * 2018-06-20 2021-05-25 Cisco Technology, Inc. System for coordinating distributed website analysis
US10862854B2 (en) * 2019-05-07 2020-12-08 Bitdefender IPR Management Ltd. Systems and methods for using DNS messages to selectively collect computer forensic data
CN111953617B (zh) * 2019-05-17 2023-01-31 贵州白山云科技股份有限公司 一种负载均衡调度方法、装置、介质及设备
CN111917898B (zh) * 2020-07-24 2021-08-27 网宿科技股份有限公司 一种资源调度策略的调整方法及装置
US11303647B1 (en) 2021-04-22 2022-04-12 Netskope, Inc. Synthetic request injection to disambiguate bypassed login events for cloud policy enforcement
US11336698B1 (en) 2021-04-22 2022-05-17 Netskope, Inc. Synthetic request injection for cloud policy enforcement
US11178188B1 (en) 2021-04-22 2021-11-16 Netskope, Inc. Synthetic request injection to generate metadata for cloud policy enforcement
US11190550B1 (en) 2021-04-22 2021-11-30 Netskope, Inc. Synthetic request injection to improve object security posture for cloud security enforcement
US11647052B2 (en) * 2021-04-22 2023-05-09 Netskope, Inc. Synthetic request injection to retrieve expired metadata for cloud policy enforcement
WO2022226210A1 (en) * 2021-04-22 2022-10-27 Netskope, Inc. Synthetic request injection for cloud policy enforcement
US11184403B1 (en) 2021-04-23 2021-11-23 Netskope, Inc. Synthetic request injection to generate metadata at points of presence for cloud security enforcement
US11271972B1 (en) 2021-04-23 2022-03-08 Netskope, Inc. Data flow logic for synthetic request injection for cloud security enforcement
US11271973B1 (en) 2021-04-23 2022-03-08 Netskope, Inc. Synthetic request injection to retrieve object metadata for cloud policy enforcement
CN115277815B (zh) * 2021-04-30 2024-10-22 维沃移动通信有限公司 信息处理方法、装置及通信设备
US12111957B2 (en) 2021-06-08 2024-10-08 Microsoft Technology Licensing, Llc Software provenance validation
US11652782B1 (en) * 2021-11-24 2023-05-16 Oracle International Corporation Methods, systems, and computer readable media for dynamically updating domain name system (DNS) records from registered network function (NF) profile information
US11863518B2 (en) 2021-11-24 2024-01-02 Oracle International Corporation Methods, systems, and computer readable media for automatic domain name system (DNS) configuration for 5G core (5GC) network functions (NFs) using NF repository function (NRF)
CN114268605B (zh) * 2021-12-16 2023-11-24 云盾智慧安全科技有限公司 一种智能dns实现方法、装置及计算机存储介质
US11943260B2 (en) 2022-02-02 2024-03-26 Netskope, Inc. Synthetic request injection to retrieve metadata for cloud policy enforcement
US20230291738A1 (en) * 2022-03-10 2023-09-14 BunnyWay d.o.o. Method and system of dynamically returning domain name system record
US12255868B2 (en) 2022-07-11 2025-03-18 Cisco Technology, Inc. Leveraging contextual metadata communication to improve DNS security
CN115297087A (zh) * 2022-08-03 2022-11-04 中国电信股份有限公司 域名查询方法、系统、装置、设备及存储介质
US11811730B1 (en) * 2022-10-11 2023-11-07 International Business Machines Corporation Determining domain name system forwarding rules in a multi-cloud environment

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050286514A1 (en) 2004-06-25 2005-12-29 Cheshire Stuart D Method and apparatus for looking up configuration information for a network node
AU2009225283A1 (en) 2008-10-16 2010-05-06 David Tucker Method Of Collecting Data From Computers Over The Internet
US20120117379A1 (en) * 2010-11-04 2012-05-10 F5 Networks, Inc. Methods for handling requests between different resource record types and systems thereof
US20130173769A1 (en) 2011-12-30 2013-07-04 Time Warner Cable Inc. System and method for resolving a dns request using metadata
US8656490B1 (en) * 2010-09-14 2014-02-18 Symantec Corporation Safe and secure access to dynamic domain name systems
US20140344925A1 (en) * 2013-05-15 2014-11-20 Citrix Systems, Inc. Systems and methods for reducing denial of service attacks against dynamically generated next secure records

Family Cites Families (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2002069608A2 (en) * 2001-01-16 2002-09-06 Akamai Technologies, Inc. Using virtual domain name service (dns) zones for enterprise content delivery
JP4668775B2 (ja) * 2005-11-28 2011-04-13 株式会社日立製作所 Dnsサーバ装置
US7694016B2 (en) * 2007-02-07 2010-04-06 Nominum, Inc. Composite DNS zones
US8429715B2 (en) * 2008-08-08 2013-04-23 Microsoft Corporation Secure resource name resolution using a cache
US7917616B2 (en) * 2008-08-08 2011-03-29 Microsoft Corporation Secure resource name resolution
CN101488965B (zh) * 2009-02-23 2012-02-15 中国科学院计算技术研究所 一种域名过滤系统及方法
JP2013502190A (ja) * 2009-08-20 2013-01-17 エヌイーシー ヨーロッパ リミテッド ネットワーク構造内でトラフィックを制御する方法およびネットワーク構造
CN101841577B (zh) * 2010-06-07 2015-01-28 中兴通讯股份有限公司 一种实现域名解析代理功能的方法和装置
US8549148B2 (en) * 2010-10-15 2013-10-01 Brocade Communications Systems, Inc. Domain name system security extensions (DNSSEC) for global server load balancing
JP5942997B2 (ja) * 2011-09-06 2016-06-29 日本電気株式会社 エージェント装置及び通信中継方法
US11411912B2 (en) * 2015-07-17 2022-08-09 Verisign, Inc. Methods and systems for domain name data networking
US10708226B2 (en) * 2016-01-29 2020-07-07 Verisign, Inc. Domain name resolution
US10110614B2 (en) * 2016-07-28 2018-10-23 Verisign, Inc. Strengthening integrity assurances for DNS data
US10367825B2 (en) * 2016-12-28 2019-07-30 Verisign, Inc. Method and system for parallel validation of domain name system security extension records

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050286514A1 (en) 2004-06-25 2005-12-29 Cheshire Stuart D Method and apparatus for looking up configuration information for a network node
AU2009225283A1 (en) 2008-10-16 2010-05-06 David Tucker Method Of Collecting Data From Computers Over The Internet
US8656490B1 (en) * 2010-09-14 2014-02-18 Symantec Corporation Safe and secure access to dynamic domain name systems
US20120117379A1 (en) * 2010-11-04 2012-05-10 F5 Networks, Inc. Methods for handling requests between different resource record types and systems thereof
US20130173769A1 (en) 2011-12-30 2013-07-04 Time Warner Cable Inc. System and method for resolving a dns request using metadata
US20140344925A1 (en) * 2013-05-15 2014-11-20 Citrix Systems, Inc. Systems and methods for reducing denial of service attacks against dynamically generated next secure records

Non-Patent Citations (3)

* Cited by examiner, † Cited by third party
Title
R. ARENDS ET AL.: "DNS Security Introduction and Requirements", RFC4033
R. ARENDS ET AL.: "Protocol Modifications for the DNS Security Extensions", RFC 4035
See also references of EP3427465A4

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11368365B2 (en) 2019-10-25 2022-06-21 Samsung Electronics Co., Ltd. Methods and systems for determining ICN capability of a node/server

Also Published As

Publication number Publication date
EP3427465A1 (en) 2019-01-16
EP3427465B1 (en) 2022-03-23
CN108886525B (zh) 2021-08-20
US20190097965A1 (en) 2019-03-28
JP2019507994A (ja) 2019-03-22
EP3427465A4 (en) 2019-10-16
CN108886525A (zh) 2018-11-23
JP6861219B2 (ja) 2021-04-21
US10686751B2 (en) 2020-06-16

Similar Documents

Publication Publication Date Title
US10686751B2 (en) Methods and apparatus for intelligent domain name system forwarding
US9779113B2 (en) Systems and methods for improving domain name system traffic routing
US10425379B2 (en) Establishing unique sessions for DNS subscribers
US9866523B2 (en) Method and system for increasing speed of domain name system resolution within a computing device
EP2933986B1 (en) Computer-implemented method and computer program product for processing named entity queries using a cached functionality in a domain name system
CN103780715B (zh) 域名解析实现方法、客户端和云服务器
EP2605486A1 (en) Method and system for handling a domain name service request
JP2014501958A (ja) ネットワークにおけるコンテンツにアクセスする方法および対応するシステム
EP3223497B1 (en) Systems and methods for preserving privacy of a registrant in a domain name system ("dns")
CN107231445A (zh) 一种动态域名系统dns重定向方法、装置及系统
CN102868550A (zh) 全网流量调度器及使用该调度器查询域名解析记录的方法
US11102166B2 (en) Explicit service function chaining (SFC) using DNS extensions
CN108848205A (zh) 一种区分IPv4、IPv6的CNAME域名解析方法
Blanchet Finding the Authoritative Registration Data (RDAP) Service
US8161135B2 (en) Device identification number based name service
CN102904858B (zh) 一种ims网络中的数据存储、查询方法
JP2008206081A (ja) マルチホーミング通信システムに用いられるデータ中継装置およびデータ中継方法
JP6001512B2 (ja) 通信制御システム及び通信制御方法
JP3834770B2 (ja) 名前解決方法および装置
Blanchet RFC 7484: Finding the Authoritative Registration Data (RDAP) Service

Legal Events

Date Code Title Description
ENP Entry into the national phase

Ref document number: 2018547416

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

WWE Wipo information: entry into national phase

Ref document number: 2017764066

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 2017764066

Country of ref document: EP

Effective date: 20181009

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17764066

Country of ref document: EP

Kind code of ref document: A1