WO2024050341A1 - Runtime match domain configurations - Google Patents

Runtime match domain configurations

Info

Publication number
WO2024050341A1
Authority
WO
WIPO (PCT)
Prior art keywords
dns
dns query
domain
match
domain name
Application number
PCT/US2023/073057
Other languages
French (fr)
Inventor
Vagish Kalligudd
Meera MOHIDEEN
Original Assignee
Ivanti, Inc.
Application filed by Ivanti, Inc.
Publication of WO2024050341A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/677 Multiple interfaces, e.g. multihomed nodes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks

Definitions

  • the present disclosure generally relates to virtual private network (VPN) generation and configuration.
  • some embodiments relate to match domain configuration at a virtual adapter at runtime for split tunneling.
  • a virtual private network (VPN) tunnel may be established.
  • the VPN tunnel is a secure connection between a mobile device and a private network.
  • the VPN tunnel may be established by a VPN client and a private network gateway.
  • the VPN client and the private network gateway operate to encrypt data packets that pass from the mobile device to the private network gateway and from the private network gateway to the mobile device.
  • Not all data may be communicated via the VPN tunnel.
  • split tunneling may be implemented such that a first portion of the data is routed through the VPN tunnel and a second portion is routed via a public communication channel.
  • Layer 3 refers to the network layer of the open systems interconnection (OSI) model.
  • Layer 3 FQDN-based split tunneling is typically performed by dynamic per-internet-protocol (IP) routing or by a kernel mode driver. Inefficiencies occur in split tunneling because VPN tunnels are established and then reestablished.
  • an embodiment includes a method of match domain configuration for a virtual private network (VPN).
  • the method may include establishing a VPN tunnel and creating a match domain for a first domain name.
  • the match domain may include the first domain name and a unique identifier.
  • the unique identifier may include a first character sequence that is different from all other character sequences assigned to other match domains.
  • the first character sequence may include a text string such as a sequence of random alphanumerical characters.
  • the method may include designating data traffic directed to and received from the first domain name as being routed through the VPN tunnel.
  • the method may include receiving a domain name system (DNS) query.
  • DNS query may be related to the first domain name.
  • the method may include parsing the DNS query.
  • the method may include determining whether the DNS query is an original DNS query or a subsequent DNS query based on the parsed DNS query. The determination that the DNS query is the original DNS query is based at least in part on whether the unique identifier is appended to the DNS query.
  • the method may include forwarding the DNS query to the gateway without modification.
  • the method may include receiving a DNS response corresponding to the original DNS query.
  • the method may include parsing the DNS response to obtain one or more canonical names related to the first domain name.
  • the method may include appending the unique identifier to the one or more canonical names to generate an updated DNS response.
  • the method may include communicating the updated DNS response to the virtual adapter.
  • the method may include supplementing the match domain such that the one or more canonical names with the appended unique identifier are included in the match domain and data traffic directed to or received from each of the one or more canonical names are routed to the VPN tunnel.
  • the method may include removing the unique identifier from the DNS query. After the unique identifier is removed, the method may include communicating the DNS query to the gateway.
  • Another aspect of an embodiment includes a non-transitory computer-readable medium having encoded therein programming code executable by one or more processors to perform or control performance of any combination of the operations of the method of match domain configuration for a VPN described above.
  • Yet another aspect of an embodiment includes an endpoint comprising one or more processors and a non-transitory computer-readable medium having encoded therein programming code executable by one or more processors to perform or control performance of any combination of the operations of the method of match domain configuration for a VPN described above.
  • Figure 1 depicts an example operating environment in which some embodiments of the present disclosure may be implemented
  • Figure 2 depicts an example match domain configuration process (configuration process) that may be implemented in the operating environment of Figure 1;
  • FIG 3 is a sequence diagram of an example process of match domain configuration and communication for a virtual private network (VPN) that may be implemented in the operating environment of Figure 1;
  • Figure 4 illustrates an example computing system configured for match domain configuration for split tunneling
  • Figures 5A and 5B are a block diagram of a method of match domain configuration and communication for a VPN, all in accordance with at least one embodiment disclosed in the present disclosure.
  • Operating systems may include constraints or limitations regarding how virtual private network (VPN) tunnels operate. Restrictions may be imposed by a network enforcement policy of a network or by the operating systems. For instance, Apple iOS® and other similar operating systems may restrict operations of a VPN. An example restriction in these operating systems includes reestablishing a VPN tunnel in response to updating match domains at a virtual adapter (VA). This restriction may interrupt data traffic flow through a VPN tunnel or may cause the VPN tunnel to fail.
  • Some embodiments of the present disclosure relate to systems and methods of match domain configuration, which may reduce or eliminate a need to update the match domain after it is created.
  • the VPN tunnel may be maintained instead of being reestablished, which may reduce data traffic flow interruption and failures of the VPN tunnel.
  • a match domain may be configured to apply to a particular domain name and canonical names that are associated with the particular domain name.
  • a VPN service client may then append a unique identifier to domain name service (DNS) queries and DNS responses.
  • the unique identifier may be appended and removed in real time as the DNS queries and the DNS response are communicated.
  • the unique identifier may indicate to a data packet handler whether a subsequent DNS request is included in the match domain. Accordingly, the data traffic of the subsequent DNS request included in the match domain may be appropriately routed through an established VPN tunnel or routed via a public or non-secure network channel.
  • the inclusion of the unique identifier enables consistent data communication using the VPN without having to reestablish the VPN tunnel or analyze the subsequent DNS request. Accordingly, the speed or reliability of data communication via the VPN tunnel may be improved.
  • FIG. 1 depicts an example operating environment 100 in which one or more embodiments of the present disclosure may be implemented.
  • an endpoint device 102 may be configured to establish a VPN tunnel.
  • the VPN tunnel may be established to securely communicate data and information with a second device 108, which may have a fully qualified domain name (FQDN).
  • the VPN tunnel may be managed at least partially at the endpoint device 102.
  • the endpoint device 102 may include a VPN service client 104, which may configure a match domain associated with the VPN tunnel and may at least partially determine which data traffic is communicated through the VPN tunnel and which data traffic is not communicated through the VPN tunnel such as through a public communication network.
  • the VPN service client 104 may configure the match domain such that a domain name associated with the second device 108 as well as canonical names (also referred to as “CNames”) associated with the domain name are identifiable and appropriately routed (e.g., via the VPN tunnel or outside the VPN tunnel) in real time.
  • the VPN service client 104 may generate a unique identifier.
  • the unique identifier may be assigned to the second device 108 and/or the domain name associated therewith.
  • the unique identifier is exclusive to the second device 108 at the VPN service client 104 such that no two devices communicating via a VPN tunnel and no two domain names have the same unique identifier.
  • the unique identifier may be unique such that each domain name and its related canonical names have a unique identifier that is not assigned to another domain name or its related canonical names.
  • the unique identifier may include a series or set of alphanumeric characters.
  • the unique identifier may be randomly or pseudo-randomly generated by the VPN service client 104 or another suitable system.
  • the unique identifier may be appended to one or more domain names (e.g., the domain name and related canonical names) of the match domain.
  • the unique identifier is appended as a unique suffix.
  • the unique identifier may be appended as a prefix or otherwise integrated in a DNS query.
  • a first DNS request may be communicated by the endpoint device 102 or an application 105 on the endpoint device 102.
  • the first DNS request may be analyzed by the VPN service client 104 to determine whether a domain name of the first DNS request includes a unique identifier.
  • the endpoint device 102 communicates the first DNS request without modification.
  • the first DNS request may be communicated to a DNS server 106 via a gateway 110, which may be then forwarded to the second device 108.
  • a first DNS response may be received by the endpoint device 102.
  • the VPN service client 104 may receive the first DNS response.
  • the first DNS response may include reference to one or more canonical names that are associated with the domain of the second device 108.
  • the canonical names may point to other websites owned by an entity 160 associated with the second device 108, may provide another hostname for a network service (e.g., an email) that points to the domain of the second device 108, may provide a subdomain for a user or customer that points to the domain of the second device 108, may register the domain of the second device 108 in another jurisdiction, or may provide a link to a content delivery network (CDN) that might be geographically closer to the endpoint device 102 than the second device 108.
  • the VPN service client 104 incorporates the canonical names in the match domain. For instance, a packet handler of the VPN service client 104 may identify the canonical names and generate an updated DNS response that includes the canonical names with the unique identifier appended to the canonical names. The updated DNS response is communicated to a VA such that the canonical names are added to the match domain. Subsequent DNS requests to the domain name or the canonical names are intercepted by the VPN service client 104 and have the unique identifier added to the request. The VA performs a split tunneling operation based on the presence of the unique identifier. The presence of the unique identifier indicates that the communication is associated with the second device 108. The communication may accordingly be communicated via the VPN tunnel.
  • a second DNS query may be directed to the domain of the second device 108 or to a CNAME related thereto.
  • the second DNS query may accordingly have the unique identifier appended to the second DNS query.
  • the VPN service client 104 may determine that the unique identifier is included in the second DNS query, which indicates inclusion in the match domain. Accordingly, the VPN service client 104 may remove the unique identifier from the second DNS query prior to communication via the gateway 110. Because the unique identifier is appended to the second DNS query, the VPN service client 104 may identify the second DNS query as being included in the match domain. Accordingly, data traffic of the second DNS query is directed through the VPN tunnel. The presence of the unique identifier in the second DNS query enables routing of the data traffic without updating the match domain.
  • the communication via the VPN service client 104 may occur using the transmission control protocol (TCP) or another suitable protocol.
  • the TCP channel underlying the VPN tunnel may be maintained without or with limited interruption because the match domain effectively routes data traffic based on the unique identifier instead of updating the match domain.
  • embodiments of the present disclosure are directed to a computer-centric problem and are implemented in a computer-centric environment.
  • the embodiments of the present disclosure are directed to VPN tunneling by the VPN service client 104 of the endpoint device 102.
  • Computing processes occurring in the operating environment 100 include configuration and implementation of match domains at the endpoint device 102.
  • the match domain(s) are implemented in split tunneling operations implemented at the endpoint device 102.
  • Communications during the processes described in this present disclosure involve the communication of data in electronic and optical forms via a network 118 and also involve the electrical and optical interpretation of the data and information.
  • the embodiments of the present disclosure address a technical issue that exists in a technical environment.
  • the technical issue includes an inability of the endpoint device 102 to maintain a VPN tunnel in response to an update to a match domain and the inefficiencies that result therefrom.
  • the technical problem is solved through a technical solution.
  • the technical solution involves configuration of a match domain to include CNames and a process to identify and manage DNS queries in real time, which reduces inefficiencies in conventional systems.
  • the operating environment 100 may include the second device 108, the endpoint device 102, the DNS server 106, and the gateway 110, which are configured to communicate data and information via the network 118.
  • the network 118 may include any communication network configured for communication of signals between the components (e.g., 102, 108, 110, and 106) of the operating environment 100.
  • the network 118 may be wired or wireless.
  • the network 118 may have configurations including a star configuration, a token ring configuration, or another suitable configuration.
  • the network 118 may include a local area network (LAN), a wide area network (WAN) (e.g., the Internet), and/or other interconnected data paths across which multiple devices may communicate.
  • the network 118 may include a peer-to-peer network.
  • the network 118 may also be coupled to or include portions of a telecommunications network that may enable communication of data in a variety of different communication protocols.
  • the network 118 includes or is configured to include a BLUETOOTH® communication network, a Z-Wave® communication network, an Insteon® communication network, an EnOcean® communication network, a Wi-Fi communication network, a ZigBee communication network, a representational state transfer application programming interface (REST API) communication network, an extensible messaging and presence protocol (XMPP) communication network, a cellular communications network, any similar communication networks, or any combination thereof for sending and receiving data.
  • the data communicated in the network 118 may include data communicated via short messaging service (SMS), multimedia messaging service (MMS), hypertext transfer protocol (HTTP), direct data connection, wireless application protocol (WAP), or any other protocol that may be implemented in the components of the operating environment 100.
  • VPN tunnels implemented in the operating environment 100 may utilize portions or components of the network 118.
  • the second device 108 includes a hardware-based computer device that is configured to communicate with the other components of the operating environment 100 via the network 118.
  • the second device 108 may include sensitive or proprietary information and/or sensitive or proprietary applications.
  • the second device 108 may be an entity server.
  • the entity server may host an entity-specific email application.
  • Another example may include an entity-specific storage system.
  • the entity-specific storage system may store or host proprietary or protected data associated with the entity 160.
  • the second device 108 may be included in a private network 109.
  • the private network 109 may include a secured network that is protected from public access. Accordingly, a VPN tunnel may be involved in communication within the private network 109.
  • the second device 108 and/or the private network 109 may be associated with the entity 160.
  • the entity 160 may be an enterprise.
  • the enterprise may host private or secured information and applications at the second device 108 and may impose restrictions to access to the secured information and applications.
  • the access restrictions may include a secured communication channel such as a VPN tunnel implemented by the VPN service client.
  • the second device 108 may have a specific internet protocol (IP) address.
  • the IP address provides a network location with which data traffic is communicated.
  • the second device 108 may include a domain name.
  • the domain name may be a common name attributed to the second device 108.
  • one or more CNames may be associated with the second device 108.
  • the second device 108 may communicate via a VPN tunnel with the endpoint device 102.
  • the VPN tunnel may enable encrypted communication between the endpoint device 102 and the second device 108.
  • the application 105 may include a local email application.
  • the local email application may communicate with an entity-specific email application on the second device 108 via the VPN tunnel.
  • inclusion of the CNames in a match domain for the second device 108 may enable other applications at the endpoint device 102 to access a data repository associated with the second device 108.
  • the DNS server 106 includes a hardware-based device or collection thereof configured to answer DNS queries.
  • the DNS server 106 finds a correct IP address for a domain name.
  • the DNS server 106 tracks and associates CNames of the domain name. Accordingly, DNS queries communicated from the endpoint device 102 may be routed to the DNS server 106.
  • the DNS server 106 may generate DNS responses that include an IP address that corresponds to the domain name as well as CNames associated with the domain of the second device 108.
  • the gateway 110 includes a hardware-based device that is configured to communicate with the other components of the operating environment 100 via the network 118.
  • the gateway 110 connects the endpoint device 102 to the second device 108 and/or the private network 109 of the second device 108 as well as the DNS server 106.
  • the gateway 110 may route data and information from the endpoint device 102 that are routed through a VPN tunnel.
  • the VPN service client 104 or another suitable component of the endpoint device 102 may communicate with the gateway 110 to enable communication via the VPN tunnel.
  • the gateway 110 is shown separately from the network 118 in Figure 1. In some embodiments, the gateway 110 may be included in the network 118.
  • the endpoint device 102 may include a hardware-based computer system that is configured to communicate with the other components of the operating environment 100 via the network 118.
  • the endpoint device 102 may be external or remote to the private network 109 at least some of the time. Accordingly, communication with the second device 108 and the private network 109 may be exposed if a public portion of the network 118 is used.
  • the endpoint device 102 may create and use a VPN tunnel and implement split tunnelling according to embodiments of this disclosure to route a first portion of data traffic through the VPN tunnel and a second portion of the data traffic outside the VPN tunnel.
  • the endpoint device 102 includes devices that are operated by the personnel and systems of an enterprise or store data of the enterprise.
  • the endpoint device 102 might include workstations of an enterprise (e.g., the entity 160), servers, data storage systems, printers, smart phones, laptop computers, telephones, internet of things (IOT) devices, smart watches, sensors, automobiles, battery charging devices, scanner devices, etc.
  • the endpoint device 102 includes the VPN service client 104 and the application 105.
  • the application 105 may include a software application of any kind or type. Some examples of the application 105 may include software applications, enterprise software, operating systems, and the like.
  • the endpoint device 102 may include multiple applications 105.
  • the endpoint device 102 may include an operating system and an email application. The email application and the operating system may interface with one another and the VPN service client 104 to direct communications via a VPN tunnel to the second device 108.
  • the operating system may include Apple® iOS.
  • the Apple® iOS does not allow setting complete addresses of websites or other internet-accessible entities such as FQDNs or alias domain names of the FQDNs (referred to as “match domains” in the present disclosure) for VPN tunneling of data traffic. Instead, a tunnel interface for computing devices that include the iOS operating system is re-established when a virtual adapter updates the match domains, which can interrupt IP traffic flow or cause the communication of data packets to fail.
  • the VPN service client 104 addresses this limitation of the Apple® iOS.
  • the VPN service client 104 is configured to create a VPN tunnel, configure one or more match domains, and implement a dynamic split VPN tunneling process based on the match domains.
  • the VPN service client 104 may be configured to support FQDN-based split tunneling at Layer 3 without recreating a virtual adapter or interrupting TCP connections.
  • the VPN service client 104 may maintain TCP connections with the gateway 110 that underlie the VPN tunnels while dynamic split tunnelling occurs.
  • the VPN service client 104 may manage unique identifiers appended to and removed from communications directed to particular domain names and the related canonical names.
  • the VPN service client 104 may set up, generate, or establish a VPN tunnel.
  • the VPN tunnel may be established with the second device 108 via the gateway 110.
  • the VPN tunnel enables secure receipt, encryption, and transmission of data traffic with the second device 108.
  • the VPN service client 104 may configure a match domain for the domain name of the second device 108 at a virtual adapter or another virtual interface.
  • the match domain may include the domain name and a unique identifier that is uniquely associated with the domain name.
  • the VPN service client 104 may designate network data traffic directed to and received from the domain name as being routed through the VPN tunnel.
  • the VPN service client 104 receives and parses a DNS query that includes the domain name of the second device 108.
  • the VPN service client 104 determines whether the DNS query is an original DNS query or a subsequent DNS query based on whether the unique identifier is included in the DNS query. For instance, the presence of the unique identifier indicates that the DNS query is not an original (or first) DNS query identifying the domain name of the second device 108. An absence of the unique identifier indicates that the DNS query is the original DNS query.
  • the VPN service client 104 forwards the DNS query without modification. For instance, the VPN service client 104 may forward the DNS query to the DNS server 106 and forward data traffic associated with the DNS query to the gateway 110. In addition, in response to the DNS query being the original DNS query, the VPN service client 104 receives a DNS response from the DNS server 106. The DNS response corresponds to the original DNS query.
  • the VPN service client 104 parses the DNS response to obtain one or more canonical names related to the domain name.
  • the VPN service client 104 may generate an updated DNS response.
  • the updated DNS response includes information from the DNS response as well as an indication of the canonical names included therein.
  • the VPN service client 104 appends the unique identifier to the canonical names and includes them in the updated DNS response.
  • the VPN service client 104 uses the updated DNS response to supplement the one or more canonical names to the match domain.
  • the VPN service client 104 may include or be in communication with a VA. In these and other embodiments, the VPN service client 104 may communicate the updated DNS response to the VA.
  • the VA may supplement the match domain with the canonical names and use the unique identifier to identify DNS queries that are communicated through the VPN tunnel. Accordingly, after the match domain is supplemented, future DNS requests directed to the domain name as well as DNS requests directed to the canonical names are identified as part of the match domain.
  • Supplementing the match domain may occur during runtime of the application 105. For instance, communications generated by the application 105 may be ongoing as the match domain is supplemented.
  • subsequent DNS requests may be received at the VPN service client 104.
  • the VPN service client 104 may determine whether the subsequent DNS request is an original DNS request or a subsequent DNS request. For instance, the determination may be based on the presence or absence of the unique identifier in the DNS query.
  • the VPN service client 104 may remove the unique identifier from the subsequent DNS query.
  • the VPN service client 104 may communicate the subsequent DNS query along with associated information to the gateway 110 after the unique identifier is removed.
  • the subsequent DNS query along with the associated data traffic may be communicated via the VPN tunnel.
  • the VPN service client 104 may accordingly base split tunneling on the match domain that is supplemented to include the canonical names.
  • the application 105 on the endpoint device 102 may communicate with the domain name of the second device 108 and to the canonical names associated with the second device 108 via the VPN tunnels without reestablishing the VPN tunnel or interrupting the state of the VPN tunnel.
  • the VPN service client 104, the application 105, and components thereof may be implemented using hardware including a processor, a microprocessor (e.g., to perform or control performance of one or more operations), a field-programmable gate array (FPGA), or an application-specific integrated circuit (ASIC).
  • VPN service client 104, the application 105, and components may be implemented using a combination of hardware and software.
  • Implementation in software may include rapid activation and deactivation of one or more transistors or transistor elements such as may be included in hardware of a computing system (e.g., the endpoint device 102 of Figure 1). Additionally, software defined instructions may operate on information within transistor elements. Implementation of software instructions may at least temporarily reconfigure electronic pathways and transform computing hardware.
  • the operating environment 100 may include one or more endpoint devices 102, one or more gateways 110, one or more second devices 108, one or more DNS servers 106, or any combination thereof.
  • the separation of various components and devices in the embodiments described herein is not meant to indicate that the separation occurs in all embodiments.
  • the described components and servers may generally be integrated together in a single component or server or separated into multiple components or servers.
  • Figure 2 depicts a match domain configuration process (configuration process) 200 that may be implemented in the operating environment 100 of Figure 1 or another suitable operating environment.
  • the configuration process 200 may be implemented to dictate a split tunnelling operation performed at the endpoint device 102.
  • the embodiment of Figure 2 includes some components (e.g., 110, 105, 106, 108, and 104) of Figure 1. Description of these components is not repeated with reference to Figure 2.
  • the configuration process 200 may establish a VPN tunnel.
  • the VPN tunnel enables secure communication between the second device 108 and the endpoint device 102.
  • a virtual adapter (VA) 274 may be implemented to at least partially perform split tunneling of data traffic communicated by and with the endpoint device 102 and/or the application 105. Accordingly, a portion of communications transmitted from the endpoint device 102 may be routed via the VPN tunnel and a second portion of communications transmitted from the endpoint device 102 may be routed via an unsecured or public communication channel.
  • the VPN tunnel may be established between the endpoint device 102 and the second device 108 via the gateway 110. Accordingly, the communications transmitted by the endpoint device 102 may be routed via the VPN tunnel and the gateway 110 to the second device 108.
  • the VPN service client 104 may include a match domain generator 266.
  • the match domain generator 266 may be configured to create a match domain for the second device 108.
  • the match domain generator 266 may assign an identifier 264 to the match domain.
  • Information related to the identifier 264 and the created match domain may be communicated to the VA 274.
  • the VA 274 may process the information received from the VPN service client 104 such that the VA 274 can designate DNS queries including the identifier 264 as part of the match domain and therefore route the DNS queries of the match domain through the VPN tunnel.
  • the VA 274 may receive and the VPN service client 104 may process data packets sent from the application 105 (e.g., data traffic originating from the application 105) directed to the second device 108.
  • the data packets may be routed to the gateway 110, which may forward them to the second device 108.
  • the gateway 110 may receive data packets originating from the second device 108 that are directed to the endpoint device 102, which may be more specifically directed to the application 105.
  • the data packets may include DNS queries (e.g., 214 and 250).
  • the DNS queries 214 and 250 may include a request for an IP address that corresponds to a domain name provided in the DNS query.
  • the DNS server 106 may identify an IP address that corresponds to the domain name named in the DNS query.
  • the DNS server 106 may include a database that includes multiple entries that pair domain names with their corresponding IP addresses.
  • the DNS server 106 may also be configured to retrieve the IP address that corresponds to the domain name identified by the DNS query.
  • the DNS server 106 may facilitate accurate delivery of the IP traffic routed through the gateway 110 to its designated destinations by providing the gateway 110 with the appropriate IP addresses associated with the IP traffic in a DNS response such as the DNS response 220.
  • a first DNS query 214 may be communicated from the application 105 to the VA 274.
  • the VA 274 may then communicate the first DNS query 214 to the VPN service client 104.
  • a DNS packet handler 204 of the VPN service client 104 includes a query handler 222.
  • the query handler 222 is configured to determine whether the first DNS query 214 is an original DNS query 216 or a subsequent DNS query 218.
  • the query handler 222 may determine whether the first DNS query 214 includes a unique identifier assigned to a match domain. If the identifier 264 is present, then the query handler 222 determines that the first DNS query 214 is a subsequent DNS query 218. If the identifier 264 is not present, then the query handler 222 determines that the first DNS query 214 is an original DNS query 216.
  • the first DNS query 214 may be the original DNS query 216 directed to the second device 108 via the gateway 110.
  • the VPN service client 104 may communicate the first DNS query 214 and associated data packets to the gateway 110 without modification.
  • the first DNS query 214 may be communicated to the DNS server 106.
  • the DNS server 106 may communicate a DNS response 220 to the endpoint device 102 in response to receipt of the first DNS query 214.
  • the DNS response 220 may include one or more canonical names that are associated with the second device 108 or the domain name of the second device 108.
  • the DNS response 220 may be communicated to a DNS response handler 208 of the VPN service client 104.
  • the DNS response handler 208 may parse the DNS response 220. For instance, the DNS response handler 208 may parse the DNS response 220 to identify the one or more canonical names that are associated with the second device 108 or FQDN thereof. The DNS response handler 208 may append the identifier 264 to the identified canonical names. For instance, if the identifier 264 includes an alphanumeric suffix, the identifier 264 may be appended to an end of the canonical names.
  • the DNS response handler 208 may generate an updated DNS response 268.
  • the updated DNS response 268 may include the canonical names with the appended identifier 264. Additionally, the updated DNS response 268 may include information (e.g., an IP address corresponding to the hostname of the second device 108, a transaction time, flags, errors, authority, etc.) of the DNS response 220.
  • the updated DNS response 268 may be used to supplement the match domain created by the match domain generator 266. For instance, in some embodiments the updated DNS response 268 may be communicated to the VA 274 such that the canonical names are associated with the match domain for the second device 108.
  • the VA 274 may supplement the match domain such that traffic directed to the canonical names is also routed through the VPN tunnel based on presence of the identifier 264. Because the canonical names include the identifier 264, which is assigned to the match domain, DNS queries that request information relating to the canonical names may be routed to the VPN tunnel.
  • a second DNS query 250 may be communicated from the application 105 to the VA 274.
  • the VA 274 may communicate the second DNS query 250 to the DNS packet handler 204.
  • the query handler 222 of the DNS packet handler 204 may be configured to determine whether the second DNS query 250 is an original DNS query 216 or a subsequent DNS query 218 based on the presence of an identifier such as the identifier 264 assigned to a match domain.
  • the second DNS query 250 may include the identifier 264 and accordingly be identified as a subsequent DNS query directed to the second device 108.
  • the VPN service client 104 may remove the identifier 264 and then communicate the second DNS query 250 to the gateway 110.
  • on the response path, by contrast, the identifier 264 is added to the canonical names, as described for the DNS response handler 208.
  • the presence of the identifier 264 enables identification of the DNS query and associated data packets that are routed through the VPN tunnel by the VA 274. Communication of the DNS queries 214 and 250 and the processing by the VPN service client 104 may occur during runtime of the application 105 and while maintaining the VA 274. Accordingly, split tunnelling using the process 200 occurs without interrupting the VPN tunnel.
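The query and response handling of the configuration process 200 above, written out as an added record-level Python example. This is not code from the patent or from Ivanti's product: the `Record` model, the `DnsPacketHandler` and `MatchDomain` names, a random single-label identifier in place of the page's "xyz.tpm", and the response records for www.example.com are all assumptions made for the example (the CNAME target tp.47-example.com is the name the page itself uses).

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field
from typing import Dict, List, Set

ALPHABET = string.ascii_lowercase + string.digits


def make_identifier(length: int = 12) -> str:
    """Random single-label identifier for one match domain (the page's example
    is the suffix "xyz.tpm"). Generated per match domain so two tunnels never share one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


@dataclass
class MatchDomain:
    """Match domain for one second device: its domain name plus the identifier,
    supplemented at runtime with the CNAME targets that carry the identifier."""
    domain: str
    identifier: str
    names: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        self.names.add(self.domain)

    def routes_to_tunnel(self, qname: str) -> bool:
        # The VA's decision: the domain, its subdomains, or any name ending in the
        # identifier, all checked at a label boundary ("." + identifier), never as a substring.
        q = qname.rstrip(".").lower()
        return q == self.domain or q.endswith("." + self.domain) or q.endswith("." + self.identifier)


@dataclass
class Record:
    """One answer record; rdata is a name for CNAME and a dotted address for A."""
    name: str
    rtype: str
    rdata: str


class DnsPacketHandler:
    """Query handler 222 and response handler 208 of the VPN service client (assumed shape)."""

    def __init__(self, match: MatchDomain) -> None:
        self.match = match

    def classify(self, qname: str) -> str:
        # Identifier present as the trailing label -> subsequent query; absent -> original query.
        if qname.rstrip(".").lower().endswith("." + self.match.identifier):
            return "subsequent"
        return "original"

    def handle_query(self, qname: str) -> str:
        """Name to send to the gateway: the identifier is stripped from a subsequent
        query so it never leaves the device; an original query passes unmodified."""
        q = qname.rstrip(".")
        if self.classify(q) == "subsequent":
            return q[: -(len(self.match.identifier) + 1)]
        return q

    def handle_response(self, records: List[Record]) -> List[Record]:
        """Append the identifier to every CNAME target and to the owner name of the
        records that continue that chain (so the client sees a consistent chain),
        and supplement the match domain with the suffixed names."""
        renamed: Dict[str, str] = {}
        updated: List[Record] = []
        for rec in records:
            owner = renamed.get(rec.name, rec.name)
            rdata = rec.rdata
            if rec.rtype == "CNAME":
                rdata = rec.rdata + "." + self.match.identifier
                renamed[rec.rdata] = rdata
                self.match.names.add(rdata)
            updated.append(Record(owner, rec.rtype, rdata))
        return updated


def run_process_200() -> dict:
    """Walk the two queries of Figure 2 with constructed records (not captured DNS data)."""
    match = MatchDomain("example.com", make_identifier())
    handler = DnsPacketHandler(match)
    # First DNS query 214: no identifier, so it is an original query and goes out unchanged.
    original = "www.example.com"
    # Constructed DNS response 220: a CNAME to a host outside example.com, then its address.
    response = [Record("www.example.com", "CNAME", "tp.47-example.com"),
                Record("tp.47-example.com", "A", "192.0.2.10")]
    updated = handler.handle_response(response)
    # Second DNS query 250: the application now asks for the suffixed CNAME target.
    subsequent = updated[0].rdata
    return {
        "identifier": match.identifier,
        "original_class": handler.classify(original),
        "outbound_original": handler.handle_query(original),
        "updated": updated,
        "subsequent_class": handler.classify(subsequent),
        "outbound_subsequent": handler.handle_query(subsequent),
        "routes_subsequent": match.routes_to_tunnel(subsequent),
        "routes_plain_cname": match.routes_to_tunnel("tp.47-example.com"),
        "match_names": set(match.names),
    }
```

The point the run makes: the bare CNAME target tp.47-example.com is not under example.com, so a match domain holding only the first domain name would send it outside the tunnel; once the identifier is appended it is routed through the tunnel, and the handler strips the identifier again before the query reaches the gateway, so public resolvers never see it. The membership test is on the trailing label, so a name that merely contains the identifier elsewhere is still classified as an original query.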
  • Figure 3 is a flow diagram of an example process 300 of match domain configuration and communication for a VPN.
  • the process 300 may be implemented in the operating environment 100 of Figure 1 and/or may be implemented at least partially by the endpoint device 102 of Figures 1 and 2.
  • Figure 3 includes one or more components (e.g., 105, 110, 204, 274, and 266) described elsewhere in the present disclosure.
  • a VPN tunnel may be set up or established.
  • the VPN tunnel may be established for secured communication by the application 105 with a third-party device via the gateway 110.
  • the application 105 and/or the VA 274 may be involved in establishing the VPN tunnel.
  • Data traffic communicated with the application 105 and remaining components of an endpoint device may be split tunneled. For instance, data traffic may be tunneled based on a type of the application 105, a role of the application 105, an operating characteristic (geographic location, network location, network type, etc.) of an endpoint device implementing the process 300, a destination such as a selected IP address or destination name (e.g., FQDNs or CNames), data traffic that is designated as encrypted or otherwise digitally secured, or combinations thereof.
  • an endpoint device (e.g., 102) implementing the process 300 may include a network policy enforcement point.
  • the network policy enforcement point may be configured to enforce network policies pertaining to split tunnelling. For instance, the network policies may determine which data traffic types are routed to destination addresses over the VPN tunnel and/or which data traffic types are routed to destination addresses over public networks without VPN tunnelling.
  • the match domain generator 266 may create a match domain.
  • a part of creation of the match domain may include assigning an identifier to the created match domain.
  • the identifier may be unique to the created match domain.
  • An example unique identifier may include a suffix string such as “xyz.tpm.”
  • the match domain generator 266 may communicate a DNS setting to the VA 274.
  • the match domain and information related to the identifier may be added to the DNS setting.
  • [Figure 3 excerpt, garbled in extraction: a DNSSettings.matchDomains example listing “example.com” together with the identifier suffix, and a canonical name carrying the suffix “xyz.tpm”.]
  • the IP address for the DNS server for Google® DNS is defined as “8.8.8.8.”
  • the “matchDomains” for a website ending with “example.com” includes the unique identifier “*xyz.tpm.” Adding this unique string as a match domain at the VA 274 causes any DNS query from the application 105 whose name ends in the suffix "xyz.tpm" to be routed to the VA 274.
  • a DNS query may be initiated by the application 105.
  • the DNS query initiated at subprocess 305 may be an original DNS query.
  • the application 105 may communicate the original DNS query to the VA 274.
  • the VA 274 may communicate the original DNS query to the DNS packet handler 204 (in Figure 3, “Packet Handler”).
  • the DNS packet handler 204 may determine whether the received DNS query is an original or a subsequent DNS query. Responsive to the received DNS query being an original DNS query, the DNS packet handler 204 may not modify the received DNS query.
  • the DNS packet handler 204 may communicate the unmodified DNS query to the gateway 110, which may forward the unmodified DNS request to a DNS server (e.g., 106 of Figure 2).
  • the gateway 110 may receive a DNS response from the DNS server.
  • the DNS response may correspond to the DNS query communicated in subprocess 310.
  • the gateway 110 may communicate the DNS response to the DNS packet handler 204.
  • the generated DNS query may include www.example.com, which may be a FQDN for which communication is via the VPN tunnel.
  • the DNS packet handler 204 may generate an updated DNS response with the CNames having the appended identifier.
  • the DNS packet handler 204 may communicate the updated DNS response to the VA 274.
  • the updated DNS response is communicated to the application 105.
  • the updated DNS response is used at the application 105 and/or the VA 274 to supplement the match domain with the CNames.
  • a subsequent DNS query may be generated by the application 105.
  • the subsequent DNS query may include the identifier appended to it.
  • the application 105 may communicate the subsequent DNS query to the VA 274.
  • the VA 274 may identify the subsequent DNS query as a member of the match domain and route the subsequent DNS query to the VPN tunnel.
  • the VA 274 may communicate the subsequent DNS query to the DNS packet handler 204.
  • the DNS packet handler 204 may determine whether the received subsequent DNS query is an original or a subsequent DNS query. Responsive to the received DNS query being a subsequent DNS query, the DNS packet handler 204 may modify the received subsequent DNS query to remove the identifier. For example: tp.47-example.com.xyz.tpm —> tp.47-example.com.
  • the DNS packet handler 204 may communicate the modified DNS query to the gateway 110, which may forward the modified DNS request to a DNS server (e.g., 106 of Figure 2).
  • Subprocesses 306-322 may be repeated for two or more third-party devices and the VPN tunnels established therefor. In each case, a match domain is created and supplemented with CNames. Additionally, for each DNS query, it is determined whether the DNS query is an original or a subsequent DNS query, and the DNS query is modified responsive to the determination. Throughout the process 300, a TCP communication channel may be maintained.
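The VA side of the process 300, applied to the DNS setting of subprocess 302 and to the case of several third-party devices, as an added example that is not the page's or Ivanti's code. The `DnsSettings` mirror of matchDomains, the `VirtualAdapter` registry and the query names are assumptions; the two identifiers are fixed strings rather than random ones so the result is reproducible, and the leading "*" of the page's "*xyz.tpm" is treated as a wildcard marker for the suffix.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DnsSettings:
    """Assumed mirror of the DNS setting handed to the VA: resolver addresses plus
    match domains (the page's example lists "example.com" and "*xyz.tpm")."""
    servers: List[str]
    match_domains: List[str]


def _normalize(name: str) -> str:
    # "*xyz.tpm" and "xyz.tpm." both describe the suffix xyz.tpm.
    return name.lstrip("*").strip(".").lower()


def name_matches(qname: str, match_domain: str) -> bool:
    """A query belongs to a match domain when its name equals the domain or is a
    subdomain of it. The check is made at a label boundary: "notexample.com" does
    not match "example.com", and a name that merely contains the identifier does not match."""
    q, d = _normalize(qname), _normalize(match_domain)
    return q == d or q.endswith("." + d)


class VirtualAdapter:
    """Assumed VA registry with one DnsSettings per tunnel. A query goes to the single
    tunnel whose match domains cover it; every other query stays on the public path."""

    def __init__(self) -> None:
        self.tunnels: Dict[str, DnsSettings] = {}

    def add_tunnel(self, tunnel: str, settings: DnsSettings) -> None:
        # Refuse a match domain that overlaps one already registered: the identifier
        # must be unique per match domain, otherwise routing would be ambiguous.
        for other, existing in self.tunnels.items():
            for new in settings.match_domains:
                for old in existing.match_domains:
                    if name_matches(new, old) or name_matches(old, new):
                        raise ValueError(f"match domain {new!r} overlaps tunnel {other!r}")
        self.tunnels[tunnel] = settings

    def route(self, qname: str) -> str:
        hits = [tunnel for tunnel, settings in self.tunnels.items()
                if any(name_matches(qname, d) for d in settings.match_domains)]
        return hits[0] if hits else "public"


def route_examples() -> Dict[str, str]:
    """Constructed queries against two tunnels, each with its own identifier."""
    va = VirtualAdapter()
    va.add_tunnel("tunnel-a", DnsSettings(["8.8.8.8"], ["example.com", "*k3v9q2.tpm"]))
    va.add_tunnel("tunnel-b", DnsSettings(["8.8.8.8"], ["example.net", "*w7m1xz.tpm"]))
    queries = [
        "www.example.com",               # the first domain name itself
        "tp.47-example.com",             # bare CNAME target: outside every match domain
        "tp.47-example.com.k3v9q2.tpm",  # same target carrying tunnel-a's identifier
        "cdn.example.net.w7m1xz.tpm",    # a name carrying tunnel-b's identifier
        "notexample.com",                # shares a substring, not a subdomain
        "k3v9q2.tpm.evil.example",       # identifier not at the end of the name
    ]
    return {q: va.route(q) for q in queries}
```

Rejecting overlapping match domains at registration time is the check that keeps the uniqueness requirement of the identifier enforceable: if two tunnels could register the same suffix, a suffixed CNAME target would match both and the VA would have no basis for choosing between them.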
  • Figure 4 illustrates an example computing system 400 configured for match domain configuration for split tunneling according to at least one embodiment of the present disclosure.
  • the computing system 400 may be implemented in the operating environment 100 of Figure 1, for instance. Examples of the computing system 400 may include the endpoint device 102, the gateway 110, the DNS server 106, the second device 108 or some combination thereof.
  • the computing system 400 may include one or more processors 410, a memory 412, a communication unit 414, a user interface device 416, and a data storage 404 that includes the application 105, the VA 274, and the VPN service client 104 (collectively, modules 105/274/104).
  • the processor 410 may include any suitable special-purpose or general-purpose computer, computing entity, or processing device including various computer hardware or software modules and may be configured to execute instructions stored on any applicable computer-readable storage media.
  • the processor 410 may include a microprocessor, a microcontroller, a digital signal processor (DSP), an ASIC, an FPGA, or any other digital or analog circuitry configured to interpret and/or to execute program instructions and/or to process data.
  • DSP: digital signal processor; ASIC: application-specific integrated circuit; FPGA: field-programmable gate array.
  • the processor 410 may more generally include any number of processors configured to perform individually or collectively any number of operations described in the present disclosure. Additionally, one or more of the processors 410 may be present on one or more different electronic devices or computing systems.
  • the processor 410 may interpret and/or execute program instructions and/or process data stored in the memory 412, the data storage 404, or the memory 412 and the data storage 404. In some embodiments, the processor 410 may fetch program instructions from the data storage 404 and load the program instructions in the memory 412. After the program instructions are loaded into the memory 412, the processor 410 may execute the program instructions.
  • the memory 412 and the data storage 404 may include computer-readable storage media for carrying or having computer-executable instructions or data structures stored thereon.
  • Such computer-readable storage media may include any available media that may be accessed by a general-purpose or special-purpose computer, such as the processor 410.
  • Such computer-readable storage media may include tangible or non-transitory computer-readable storage media including RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory devices (e.g., solid state memory devices), or any other storage medium which may be used to carry or store desired program code in the form of computer-executable instructions or data structures and that may be accessed by a general-purpose or special-purpose computer. Combinations of the above may also be included within the scope of computer-readable storage media.
  • Computer-executable instructions may include, for example, instructions and data configured to cause the processor 410 to perform a certain operation or group of operations.
  • the communication unit 414 may include one or more pieces of hardware configured to receive and send communications.
  • the communication unit 414 may include one or more of an antenna, a wired port, and modulation/demodulation hardware, among other communication hardware devices.
  • the communication unit 414 may be configured to receive a communication from outside the computing system 400 and to present the communication to the processor 410 or to send a communication from the processor 410 to another device or network (e.g., 122 of Figure 1).
  • the user interface device 416 may include one or more pieces of hardware configured to receive input from and/or provide output to a user.
  • the user interface device 416 may include one or more of a speaker, a microphone, a display, a keyboard, a touch screen, or a holographic projection, among other hardware devices.
  • the modules 105/274/104 may include program instructions stored in the data storage 404.
  • the processor 410 may be configured to load the modules 105/274/104 into the memory 412 and execute the modules 105/274/104. Alternatively, the processor 410 may execute the modules 105/274/104 line-by-line from the data storage 404 without loading them into the memory 412. When executing the modules 105/274/104, the processor 410 may be configured to perform the match domain configuration processes described elsewhere in this disclosure.
  • the computing system 400 may not include the user interface device 416.
  • the different components of the computing system 400 may be physically separate and may be communicatively coupled via any suitable mechanism.
  • the data storage 404 may be part of a storage device that is separate from a server, which includes the processor 410, the memory 412, and the communication unit 414, that is communicatively coupled to the storage device.
  • the embodiments described herein may include the use of a special-purpose or general- purpose computer including various computer hardware or software modules, as discussed in greater detail below.
  • Figures 5A and 5B are a block diagram of a method 500 of match domain configuration and communication for a virtual private network (VPN).
  • the method 500 describes configuration of a match domain and communication of data traffic based on the configuration.
  • the method 500 may be implemented in a managed network or another suitable environment such as the operating environment 100.
  • the operating environment implementing the method 500 may be included in a cloud-based networked system, an on-premises system, a managed network, managed subnetwork, or another suitable network computing environment.
  • the method 500 may begin at block 502 in which a VPN tunnel may be set up or established.
  • the VPN tunnel may be set up to communicate a portion of the traffic between an endpoint device and a controlled or secured network.
  • the VPN tunnel may be set up such that at least some portion of the data traffic is communicated via the VPN tunnel and another portion of the data traffic is communicated outside the VPN tunnel.
  • the endpoint device is a mobile device running an iOS operating system.
  • a match domain may be created.
  • the match domain may be created for a first domain name.
  • the first domain name corresponds to an application run on the endpoint device and/or a third-party device with which the endpoint device communicates.
  • Information related to the match domain may be communicated to and stored at a virtual adapter.
  • the match domain may include the first domain name and a unique identifier.
  • the unique identifier includes a first character sequence that is different from the character sequences assigned to other match domains.
  • the first character sequence may include a text string having two or more random or pseudorandom alphanumerical characters.
  • data traffic directed to and received from the first domain name may be designated as routed through the VPN tunnel. Accordingly, the data traffic received at the endpoint device from the first domain name is directed through the VPN tunnel and the data traffic communicated to the first domain name is directed through the VPN tunnel.
  • a domain name system (DNS) query may be received.
  • the DNS query may be related to the first domain name.
  • the DNS query may be parsed.
  • the DNS query may be separated such that different portions of the DNS query may be analyzed.
  • the DNS query may be parsed to identify the presence of a unique identifier that may be included in the DNS query.
  • the DNS query may be parsed to determine whether the DNS query is an original DNS query (e.g., a first DNS request following the designation of block 506) or a subsequent DNS query (e.g., after the original).
  • the determination whether the DNS query is the original DNS query is based at least in part on whether the unique identifier is present in the DNS query: absent for an original DNS query, present for a subsequent DNS query.
  • In response to a determination that the DNS query is the original DNS query (“YES” at block 512), the method 500 may proceed to block 514. In response to a determination that the DNS query is the subsequent DNS query (“NO” at block 512), the method 500 may proceed to block 516.
  • the unique identifier may be removed from the DNS query. For instance, the alphanumeric characters may be identified during the parsing of block 510 and removed.
  • the DNS query may be communicated to the gateway. For instance, in some embodiments, after the unique identifier is removed the DNS query (without the unique identifier) may be communicated to the gateway.
  • the DNS query may be forwarded without modification. For instance, the DNS query may be forwarded to a gateway without modification.
  • a DNS response may be received.
  • the DNS response may correspond to the original DNS query.
  • the DNS response may be parsed. For instance, the DNS response may be parsed to obtain one or more canonical names related to the first domain name. For instance, the one or more canonical names may map an alias domain name to a FQDN.
  • the unique identifier may be appended to the one or more canonical names. Appending the unique identifier to the one or more canonical names may be part of generating an updated DNS response.
  • the updated DNS response may be communicated.
  • the updated DNS response may be communicated to the VA.
  • the VA may further communicate the updated DNS response or information therein to the application.
  • the match domain may be supplemented. The match domain may be supplemented such that the one or more canonical names with the appended unique identifier are included and such that data traffic directed to or received from each of the one or more canonical names are routed to the VPN tunnel.
  • blocks 502 through 528 may be implemented for each DNS query communicated by an application at an endpoint. Additionally, one or more of blocks 502 through 528 may be implemented during runtime of the application for which a match domain is created. Moreover, one or more of blocks 502 through 528 may be implemented to maintain the VPN tunnel without or with minimal interruption.
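Blocks 520 through 528 of the method 500 operate on DNS messages in wire format, and the page describes the handler as working on data packets, so the following added example (not the page's or Ivanti's code) shows the response handling at that level: a small parser for the header, question and answer sections of a DNS response, the rewrite that appends the unique identifier to each CNAME target and to the owner name of the chained record, and re-encoding of the updated response. The record names and the sample message are constructed for the example; only the answer section is rewritten and the authority and additional sections are dropped, which is a simplification of this example rather than something the page states.

```python
import struct
from typing import List, Tuple

TYPE_A, TYPE_CNAME = 1, 5
MAX_POINTER_HOPS = 16  # bound on compression-pointer chasing; pointer loops are a classic parser DoS


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (dotted name, offset after the field)."""
    labels: List[str] = []
    end, hops = None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if ptr >= off or hops >= MAX_POINTER_HOPS:
                raise ValueError("bad compression pointer")
            if end is None:
                end = off + 2  # the name continues at ptr, but the field ends here
            off, hops = ptr, hops + 1
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def _write_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l) + b"\x00"


def parse(msg: bytes):
    """Return (id+flags, questions, answers); authority and additional sections are ignored."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = _read_name(msg, off)[0] if rtype == TYPE_CNAME else msg[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, rclass, ttl, rdata))
    return msg[:4], questions, answers


def build(id_flags: bytes, questions, answers) -> bytes:
    """Re-encode without compression: the suffixed names changed every offset."""
    out = bytearray(id_flags + struct.pack("!HHHH", len(questions), len(answers), 0, 0))
    for name, qtype, qclass in questions:
        out += _write_name(name) + struct.pack("!HH", qtype, qclass)
    for name, rtype, rclass, ttl, rdata in answers:
        rd = _write_name(rdata) if rtype == TYPE_CNAME else rdata
        out += _write_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rd)) + rd
    return bytes(out)


def append_identifier(msg: bytes, identifier: str) -> Tuple[bytes, List[str]]:
    """Blocks 522-528: append the identifier to each CNAME target (and to the owner name
    of the record that continues the chain); return the updated message and the names
    with which to supplement the match domain."""
    id_flags, questions, answers = parse(msg)
    renamed, supplement, updated = {}, [], []
    for name, rtype, rclass, ttl, rdata in answers:
        name = renamed.get(name, name)
        if rtype == TYPE_CNAME:
            target = rdata + "." + identifier
            renamed[rdata] = target
            supplement.append(target)
            rdata = target
        updated.append((name, rtype, rclass, ttl, rdata))
    return build(id_flags, questions, updated), supplement


def sample_response() -> bytes:
    """Constructed response (not captured traffic): www.example.com CNAME tp.47-example.com,
    then an A record whose owner name is a compression pointer into the CNAME rdata."""
    msg = bytearray(struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0))
    msg += _write_name("www.example.com") + struct.pack("!HH", TYPE_A, 1)
    cname_rd = _write_name("tp.47-example.com")
    msg += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_CNAME, 1, 300, len(cname_rd))  # owner -> question name
    rd_off = len(msg)
    msg += cname_rd
    msg += struct.pack("!H", 0xC000 | rd_off) + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    return bytes(msg)
```

Two details matter for a handler that sits on the packet path. The rewritten names are longer than the originals, so the message cannot be patched in place and must be re-serialized; this example re-encodes without compression for simplicity. And because the parser follows compression pointers from untrusted responses, it refuses forward pointers and bounds the number of hops, which is what stops a malicious response from sending the handler into a loop.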

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method of match domain configuration for a virtual private network (VPN) includes establishing a VPN tunnel and creating a match domain for a domain name. The match domain includes the domain name and a unique identifier. The method includes designating data traffic to and from the domain name as being routed through the VPN tunnel. The method includes receiving a domain name system (DNS) query related to the domain name and parsing the DNS query. The method includes determining whether the DNS query is an original or a subsequent DNS query based on presence of the unique identifier. Responsive to the DNS query being the original DNS query, the method includes forwarding the DNS query to the gateway without modification. The method includes parsing a received DNS response to obtain canonical names of the domain name and supplementing the match domain to include the canonical names.

Description

RUNTIME MATCH DOMAIN CONFIGURATIONS
CROSS-REFERENCE TO RELATED APPLICATION
This application claims the benefit of and priority to Indian Provisional Application No. 202211049540, filed August 30, 2022, which is incorporated herein by reference in its entirety.
FIELD
The present disclosure generally relates to virtual private network (VPN) generation and configuration. In particular, some embodiments relate to match domain configuration at a virtual adapter at runtime for split tunneling.
BACKGROUND
To securely communicate information, a virtual private network (VPN) tunnel may be established. The VPN tunnel is a secure connection between a mobile device and a private network. The VPN tunnel may be established by a VPN client and a private network gateway. The VPN client and the private network gateway operate to encrypt data packets that pass from the mobile device to the private network gateway and from the private network gateway to the mobile device.
Not all data may be communicated via the VPN tunnel. In these systems split tunneling may be implemented such that a first portion of the data is routed through the VPN tunnel and a second portion is routed via a public communication channel.
One type of split tunneling is layer 3 fully qualified domain name (FQDN) based split tunneling. Layer 3 refers to the network layer of the Open Systems Interconnection (OSI) model. Layer 3 FQDN based split tunneling is typically performed by dynamic per-internet-protocol (IP) routing or by a kernel mode driver. Inefficiencies occur in split tunneling due to establishing and re-establishing VPN tunnels.
The subject matter claimed in the present disclosure is not limited to embodiments that solve any disadvantages or that operate only in environments such as those described above. Rather, this background is only provided to illustrate one example technology area where some embodiments described in the present disclosure may be practiced.
SUMMARY
According to an aspect of the invention, an embodiment includes a method of match domain configuration for a virtual private network (VPN). The method may include establishing a VPN tunnel and creating a match domain for a first domain name. The match domain may include the first domain name and a unique identifier. The unique identifier may include a first character sequence that is different from all other character sequences assigned to other match domains. The first character sequence may include a text string such as a sequence of random alphanumerical characters. The method may include designating data traffic directed to and received from the first domain name as being routed through the VPN tunnel. The method may include receiving a domain name system (DNS) query. The DNS query may be related to the first domain name. The method may include parsing the DNS query. The method may include determining whether the DNS query is an original DNS query or a subsequent DNS query based on the parsed DNS query. The determination that the DNS query is the original DNS query is based at least in part on whether the unique identifier is appended to the DNS query. In response to a determination that the DNS query is the original DNS query, the method may include forwarding the DNS query to the gateway without modification. The method may include receiving a DNS response corresponding to the original DNS query. The method may include parsing the DNS response to obtain one or more canonical names related to the first domain name. The method may include appending the unique identifier to the one or more canonical names to generate an updated DNS response. The method may include communicating the updated DNS response to the virtual adapter.
The method may include supplementing the match domain such that the one or more canonical names with the appended unique identifier are included in the match domain and data traffic directed to or received from each of the one or more canonical names are routed to the VPN tunnel. In response to a determination that the DNS query is the subsequent DNS query, the method may include removing the unique identifier from the DNS query. After the unique identifier is removed, the method may include communicating the DNS query to the gateway.
Another aspect of an embodiment includes a non-transitory computer-readable medium having encoded therein programming code executable by one or more processors to perform or control performance of any combination of the operations of the method of match domain configuration for a VPN described above.
Yet another aspect of an embodiment includes an endpoint comprising one or more processors and a non-transitory computer-readable medium having encoded therein programming code executable by one or more processors to perform or control performance of any combination of the operations of the method of match domain configuration for a VPN described above.
The object and advantages of the embodiments will be realized and achieved at least by the elements, features, and combinations particularly pointed out in the claims. It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory and are not restrictive of the invention, as claimed.
BRIEF DESCRIPTION OF THE DRAWINGS
Example embodiments will be described and explained with additional specificity and detail through the accompanying drawings in which:
Figure 1 depicts an example operating environment in which some embodiments of the present disclosure may be implemented;
Figure 2 depicts an example match domain configuration process (configuration process) that may be implemented in the operating environment of Figure 1;
Figure 3 is a sequence diagram of an example process of match domain configuration and communication for a virtual private network (VPN) that may be implemented in the operating environment of Figure 1;
Figure 4 illustrates an example computing system configured for match domain configuration for split tunneling; and
Figures 5A and 5B are a block diagram of a method of match domain configuration and communication for a VPN, all in accordance with at least one embodiment disclosed in the present disclosure.
DETAILED DESCRIPTION
Operating systems may include constraints or limitations regarding how virtual private network (VPN) tunnels operate. Restrictions may be imposed by a network enforcement policy of a network or by the operating systems. For instance, Apple iOS® and other similar operating systems may restrict operations of a VPN. One example is that, in these operating systems, updating the match domains at a virtual adapter (VA) requires the VPN tunnel to be re-established. This restriction may interrupt data traffic flow through a VPN tunnel or may cause the VPN tunnel to fail.
Some embodiments of the present disclosure relate to systems and methods of match domain configuration, which may reduce or eliminate a need to update the match domain after it is created. The VPN tunnel may be maintained instead of being reestablished, which may reduce data traffic flow interruption and failures of the VPN tunnel.
For instance, in some embodiments, a match domain may be configured to apply to a particular domain name and canonical names that are associated with the particular domain name. A VPN service client may then append a unique identifier to domain name system (DNS) queries and DNS responses. The unique identifier may be appended and removed in real time as the DNS queries and the DNS responses are communicated. The unique identifier may indicate to a data packet handler whether a subsequent DNS request is included in the match domain. Accordingly, the data traffic of the subsequent DNS request included in the match domain may be appropriately routed through an established VPN tunnel or routed via a public or non-secure network channel. The inclusion of the unique identifier enables consistent data communication using the VPN without having to reestablish the VPN tunnel or analyze the subsequent DNS request. Accordingly, the speed or reliability of data communication via the VPN tunnel may be improved.
This and other embodiments are described with reference to the Figures in which like reference numbers indicate like function and structure unless indicated otherwise.
Figure 1 depicts an example operating environment 100 in which one or more embodiments of the present disclosure may be implemented. In the operating environment 100, an endpoint device 102 may be configured to establish a VPN tunnel. The VPN tunnel may be established to securely communicate data and information with a second device 108, which may have a fully qualified domain name (FQDN). The VPN tunnel may be managed at least partially at the endpoint device 102. For example, the endpoint device 102 may include a VPN service client 104, which may configure a match domain associated with the VPN tunnel and may at least partially determine which data traffic is communicated through the VPN tunnel and which data traffic is not communicated through the VPN tunnel, such as through a public communication network.
The VPN service client 104 may configure the match domain such that a domain name associated with the second device 108 as well as canonical names (also referred to as “CNames”) associated with the domain name are identifiable and appropriately routed (e.g., via the VPN tunnel or outside the VPN tunnel) in real time. In some embodiments, the VPN service client 104 may generate a unique identifier. The unique identifier may be assigned to the second device 108 and/or the domain name associated therewith. The unique identifier is exclusive to the second device 108 at the VPN service client 104 such that no two devices communicating via a VPN tunnel and no two domain names have the same unique identifier. Additionally, the unique identifier may be unique such that each domain name and its related canonical names have a unique identifier that is not assigned to another domain name or its related canonical names.
The unique identifier may include a series or set of alphanumeric characters. The unique identifier may be randomly or pseudo-randomly generated by the VPN service client 104 or another suitable system. The unique identifier may be appended to one or more domain names (e.g., the domain name and related canonical names) of the match domain. In some embodiments, the unique identifier is appended as a unique suffix. In other embodiments, the unique identifier may be appended as a prefix or otherwise integrated in a DNS query.
Communication of data and information via the VPN tunnel uses the unique identifier. For instance, a first DNS request may be communicated by the endpoint device 102 or an application 105 on the endpoint device 102. The first DNS request may be analyzed by the VPN service client 104 to determine whether a domain name of the first DNS request includes a unique identifier. In response to the VPN service client 104 determining that there is no unique identifier present, the endpoint device 102 communicates the first DNS request without modification. For example, the first DNS request may be communicated to a DNS server 106 via a gateway 110, and may then be forwarded to the second device 108.
After the first DNS query is communicated to the DNS server 106, a first DNS response may be received by the endpoint device 102. For instance, the VPN service client 104 may receive the first DNS response. The first DNS response may include reference to one or more canonical names that are associated with the domain of the second device 108. The canonical names may point to other websites owned by an entity 160 associated with the second device 108, may provide another hostname for a network service (e.g., an email) that points to the domain of the second device 108, may provide a subdomain for a user or customer that points to the domain of the second device 108, may register the domain of the second device 108 in another jurisdiction, or may provide a link to a content delivery network (CDN) that might be geographically closer to the endpoint device 102 than the second device 108.
The VPN service client 104 incorporates the canonical names in the match domain. For instance, a packet handler of the VPN service client 104 may identify the canonical names and generate an updated DNS response that includes the canonical names with the unique identifier appended to the canonical names. The updated DNS response is communicated to a VA such that the canonical names are added to the match domain. Subsequent DNS requests to the domain name or the canonical names are intercepted by the VPN service client 104 and have the unique identifier added to the request. The VA performs a split tunneling operation based on the presence of the unique identifier. The presence of the unique identifier indicates that the communication is associated with the second device 108. The communication may accordingly be communicated via the VPN tunnel.
Additionally, a second DNS query may be directed to the domain of the second device 108 or to a CNAME related thereto. The second DNS query may accordingly have the unique identifier appended to the second DNS query. The VPN service client 104 may determine that the unique identifier is included in the second DNS query, which indicates inclusion in the match domain. Accordingly, the VPN service client 104 may remove the unique identifier from the second DNS query prior to communication via the gateway 110. Because the unique identifier is appended to the second DNS query, the VPN service client 104 may identify the second DNS query as being included in the match domain. Accordingly, data traffic of the second DNS query is directed through the VPN tunnel. The presence of the unique identifier in the second DNS query enables routing of the data traffic without updating the match domain. The communication via the VPN service client 104 may occur using the transmission control protocol (TCP) or another suitable protocol. Moreover, the TCP channel underlying the VPN tunnel may be maintained without or with limited interruption because the match domain effectively routes data traffic based on the unique identifier instead of updating the match domain.
Accordingly, embodiments of the present disclosure are directed to a computer-centric problem and are implemented in a computer-centric environment. For instance, the embodiments of the present disclosure are directed to VPN tunneling by the VPN service client 104 of the endpoint device 102. Computing processes occurring in the operating environment 100 include configuration and implementation of match domains at the endpoint device 102. The match domain(s) are implemented in split tunneling operations implemented at the endpoint device 102. Communications during the processes described in this present disclosure involve the communication of data in electronic and optical forms via a network 118 and also involve the electrical and optical interpretation of the data and information.
Furthermore, the embodiments of the present disclosure address a technical issue that exists in a technical environment. The technical issue includes an inability of the endpoint device 102 to maintain a VPN tunnel in response to an update to a match domain and the inefficiencies that result therefrom. The technical problem is solved through a technical solution. For instance, the technical solution involves configuration of a match domain to include CNames and a process to identify and manage DNS queries in real time, which reduces inefficiencies in conventional systems.
As introduced above, the operating environment 100 may include the second device 108, the endpoint device 102, the DNS server 106, and the gateway 110, which are configured to communicate data and information via the network 118. Each of these components of the operating environment 100, as well as some additional details of the endpoint device 102 and the VPN service client 104, are described in the following paragraphs.
The network 118 may include any communication network configured for communication of signals between the components (e.g., 102, 108, 110, and 106) of the operating environment 100. The network 118 may be wired or wireless. The network 118 may have configurations including a star configuration, a token ring configuration, or another suitable configuration. Furthermore, the network 118 may include a local area network (LAN), a wide area network (WAN) (e.g., the Internet), and/or other interconnected data paths across which multiple devices may communicate. In some embodiments, the network 118 may include a peer-to-peer network. The network 118 may also be coupled to or include portions of a telecommunications network that may enable communication of data in a variety of different communication protocols.
In some embodiments, the network 118 includes or is configured to include a BLUETOOTH® communication network, a Z-Wave® communication network, an Insteon® communication network, an EnOcean® communication network, a Wi-Fi communication network, a ZigBee communication network, a representational state transfer application programming interface (REST API) communication network, an extensible messaging and presence protocol (XMPP) communication network, a cellular communications network, any similar communication networks, or any combination thereof for sending and receiving data. The data communicated in the network 118 may include data communicated via short messaging service (SMS), multimedia messaging service (MMS), hypertext transfer protocol (HTTP), direct data connection, wireless application protocol (WAP), or any other protocol that may be implemented in the components of the operating environment 100. VPN tunnels implemented in the operating environment 100 may utilize portions or components of the network 118.
The second device 108 includes a hardware-based computer device that is configured to communicate with the other components of the operating environment 100 via the network 118. The second device 108 may include sensitive or proprietary information and/or sensitive or proprietary applications. For instance, the second device 108 may be an entity server. The entity server may host an entity-specific email application. Another example may include an entity-specific storage system. The entity-specific storage system may store or host proprietary or protected data associated with the entity 160.
In some embodiments, the second device 108 may be included in a private network 109. The private network 109 may include a secured network that is protected from public access. Accordingly, a VPN tunnel may be involved in communication within the private network 109.
The second device 108 and/or the private network 109 may be associated with the entity 160. For instance, the entity 160 may be an enterprise. The enterprise may host private or secured information and applications at the second device 108 and may impose restrictions to access to the secured information and applications. The access restrictions may include a secured communication channel such as a VPN tunnel implemented by the VPN service client.
The second device 108 may have a specific internet protocol (IP) address. The IP address provides a network location with which data traffic is communicated. Additionally, the second device 108 may include a domain name. The domain name may be a common name attributed to the second device 108. In addition, one or more CNames may be associated with the second device 108. The second device 108 may communicate via a VPN tunnel with the endpoint device 102. The VPN tunnel may enable encrypted communication between the endpoint device 102 and the second device 108. For instance, the application 105 may include a local email application. The local email application may communicate with an entity-specific email application on the second device 108 via the VPN tunnel. In addition, inclusion of the CNames in a match domain for the second device 108 may enable other applications at the endpoint device 102 to access a data repository associated with the second device 108.
Communication via the network 118 involves the DNS server 106. The DNS server 106 includes a hardware-based device or collection thereof configured to answer DNS queries. The DNS server 106 finds a correct IP address for a domain name. In addition, the DNS server 106 tracks and associates CNames of the domain name. Accordingly, DNS queries communicated from the endpoint device 102 may be routed to the DNS server 106. The DNS server 106 may generate DNS responses that include an IP address that corresponds to the domain name as well as CNames associated with the domain of the second device 108.
The gateway 110 includes a hardware-based device that is configured to communicate with the other components of the operating environment 100 via the network 118. The gateway 110 connects the endpoint device 102 to the second device 108 and/or the private network 109 of the second device 108 as well as the DNS server 106. For instance, the gateway 110 may route data and information from the endpoint device 102 that are routed through a VPN tunnel. The VPN service client 104 or another suitable component of the endpoint device 102 may communicate with the gateway 110 to enable communication via the VPN tunnel. The gateway 110 is shown separately from the network 118 in Figure 1. In some embodiments, the gateway 110 may be included in the network 118.
The endpoint device 102 may include a hardware-based computer system that is configured to communicate with the other components of the operating environment 100 via the network 118. In general, the endpoint device 102 may be external or remote to the private network 109 at least some of the time. Accordingly, communication with the second device 108 and the private network 109 may be exposed if a public portion of the network 118 is used. The endpoint device 102 may create and use a VPN tunnel and implement split tunnelling according to embodiments of this disclosure to route a first portion of data traffic through the VPN tunnel and a second portion of the data traffic outside the VPN tunnel. Generally, the endpoint device 102 includes devices that are operated by the personnel and systems of an enterprise or that store data of the enterprise. The endpoint device 102 might include workstations of an enterprise (e.g., the entity 160), servers, data storage systems, printers, smart phones, laptop computers, telephones, internet of things (IOT) devices, smart watches, sensors, automobiles, battery charging devices, scanner devices, etc.
The endpoint device 102 includes the VPN service client 104 and the application 105. The application 105 may include a software application of any kind or type. Some examples of the application 105 may include software applications, enterprise software, operating systems, and the like. In some embodiments, the endpoint device 102 may include multiple applications 105. For instance, the endpoint device 102 may include an operating system and an email application. The email application and the operating system may interface with one another and the VPN service client 104 to direct communications via a VPN tunnel to the second device 108. In some embodiments, the operating system may include Apple® iOS.
The Apple® iOS (and some other operating systems) does not allow setting complete addresses of websites or other internet-accessible entities such as FQDNs or alias domain names of the FQDNs (referred to as “match domains” in the present disclosure) for VPN tunneling of data traffic. Instead, a tunnel interface for computing devices that include the iOS operating system is re-established when a virtual adapter updates the match domains, which can interrupt IP traffic flow or cause the communication of data packets to fail. The VPN service client 104 addresses this limitation of the Apple® iOS.
The VPN service client 104 is configured to create a VPN tunnel, configure one or more match domains, and implement a dynamic split VPN tunneling process based on the match domains. For instance, the VPN service client 104 may be configured to support FQDN-based split tunneling at Layer 3 without recreating a virtual adapter or interrupting TCP connections. The VPN service client 104 may maintain TCP connections with the gateway 110 that underlie the VPN tunnels while dynamic split tunnelling occurs. The VPN service client 104 may manage unique identifiers appended to and removed from communications directed to particular domain names and the related canonical names.
For example, in some embodiments, the VPN service client 104 may set up, generate, or establish a VPN tunnel. The VPN tunnel may be established with the second device 108 via the gateway 110. The VPN tunnel enables secure receipt, encryption, and transmission of data traffic with the second device 108. The VPN service client 104 may configure a match domain for the domain name of the second device 108 at a virtual adapter or another virtual interface. The match domain may include the domain name and a unique identifier that is uniquely associated with the domain name. The VPN service client 104 may designate network data traffic directed to and received from the domain name as being routed through the VPN tunnel.
After the VPN tunnel is established and the match domain is initiated, the VPN service client 104 receives and parses a DNS query that includes the domain name of the second device 108. The VPN service client 104 determines whether the DNS query is an original DNS query or a subsequent DNS query based on whether the unique identifier is included in the DNS query. For instance, the presence of the unique identifier indicates that the DNS query is not an original (or first) DNS query identifying the domain name of the second device 108. An absence of the unique identifier indicates that the DNS query is the original DNS query.
In response to a determination that the DNS query is the original DNS query, the VPN service client 104 forwards the DNS query without modification. For instance, the VPN service client 104 may forward the DNS query to the DNS server 106 and forward data traffic associated with the DNS query to the gateway 110. In addition, in response to the DNS query being the original DNS query, the VPN service client 104 receives a DNS response from the DNS server 106. The DNS response corresponds to the original DNS query.
The VPN service client 104 parses the DNS response to obtain one or more canonical names related to the domain name. The VPN service client 104 may generate an updated DNS response. The updated DNS response includes information from the DNS response as well as an indication of the canonical names included therein. The VPN service client 104 appends the unique identifier to the canonical names and includes them in the updated DNS response. The VPN service client 104 uses the updated DNS response to add the one or more canonical names to the match domain. For instance, the VPN service client 104 may include or be in communication with a VA. In these and other embodiments, the VPN service client 104 may communicate the updated DNS response to the VA. The VA may supplement the match domain with the canonical names and use the unique identifier to identify DNS queries that are communicated through the VPN tunnel. Accordingly, after the match domain is supplemented, future DNS requests directed to the domain name as well as DNS requests directed to the canonical names are identified as part of the match domain.
Supplementing the match domain may occur during runtime of the application 105. For instance, communications generated by the application 105 may be ongoing as the match domain is supplemented.
After the match domain is supplemented, subsequent DNS requests may be received at the VPN service client 104. As before, the VPN service client 104 may determine whether the subsequent DNS request is an original DNS request or a subsequent DNS request. For instance, the determination may be based on the presence or absence of the unique identifier in the DNS query. In response to a determination that the DNS query is the subsequent DNS query, the VPN service client 104 may remove the unique identifier from the subsequent DNS query. The VPN service client 104 may communicate the subsequent DNS query along with associated information to the gateway 110 after the unique identifier is removed. The subsequent DNS query along with the associated data traffic may be communicated via the VPN tunnel.
The VPN service client 104 may accordingly base split tunneling on the match domain that is supplemented to include the canonical names. The application 105 on the endpoint device 102 may communicate with the domain name of the second device 108 and with the canonical names associated with the second device 108 via the VPN tunnels without reestablishing the VPN tunnel or interrupting the state of the VPN tunnel. The VPN service client 104, the application 105, and components thereof may be implemented using hardware including a processor, a microprocessor (e.g., to perform or control performance of one or more operations), a field-programmable gate array (FPGA), or an application-specific integrated circuit (ASIC). In some other instances, the VPN service client 104, the application 105, and components thereof may be implemented using a combination of hardware and software. Implementation in software may include rapid activation and deactivation of one or more transistors or transistor elements such as may be included in hardware of a computing system (e.g., the endpoint device 102 of Figure 1). Additionally, software defined instructions may operate on information within transistor elements. Implementation of software instructions may at least temporarily reconfigure electronic pathways and transform computing hardware.
Modifications, additions, or omissions may be made to the operating environment 100 without departing from the scope of the present disclosure. For example, the operating environment 100 may include one or more endpoint devices 102, one or more gateways 110, one or more second devices 108, one or more DNS servers 106, or any combination thereof. Moreover, the separation of various components and devices in the embodiments described herein is not meant to indicate that the separation occurs in all embodiments. Moreover, it may be understood with the benefit of this disclosure that the described components and servers may generally be integrated together in a single component or server or separated into multiple components or servers.
Figure 2 depicts a match domain configuration process (configuration process) 200 that may be implemented in the operating environment 100 of Figure 1 or another suitable operating environment. The configuration process 200 may be implemented to dictate a split tunnelling operation performed at the endpoint device 102. The embodiment of Figure 2 includes some components (e.g., 110, 105, 106, 108, and 104) of Figure 1. Descriptions of these components are not repeated with reference to Figure 2.
The configuration process 200 may establish a VPN tunnel. The VPN tunnel enables secure communication between the second device 108 and the endpoint device 102. A virtual adapter (VA) 274 may be implemented to at least partially perform split tunneling of data traffic communicated by and with the endpoint device 102 and/or the application 105. Accordingly, a portion of communications transmitted from the endpoint device 102 may be routed via the VPN tunnel and a second portion of communications transmitted from the endpoint device 102 may be routed via an unsecured or public communication channel. In the example described with reference to Figure 2, the VPN tunnel may be established between the endpoint device 102 and the second device 108 via the gateway 110. Accordingly, the communications transmitted by the endpoint device 102 may be routed via the VPN tunnel and the gateway 110 to the second device 108. The VPN service client 104 may include a match domain generator 266. The match domain generator 266 may be configured to create a match domain for the second device 108. The match domain generator 266 may assign an identifier 264 to the match domain. Information related to the identifier 264 and the created match domain may be communicated to the VA 274. The VA 274 may process the information received from the VPN service client 104 such that the VA 274 can designate DNS queries including the identifier 264 as part of the match domain and therefore route the DNS queries of the match domain through the VPN tunnel.
The VA 274 may receive and the VPN service client 104 may process data packets sent from the application 105 (e.g., data traffic originating from the application 105) directed to the second device 108. The data packets may be routed to the gateway 110, which may be communicated to the second device 108. Similarly, the gateway 110 may receive data packets originating from the second device 108 that are directed to the endpoint device 102, which may be more specifically directed to the application 105. The data packets may include DNS queries (e.g., 214 and 250).
The DNS queries 214 and 250 may include a request for an IP address that corresponds to a domain name provided in the DNS query. The DNS server 106 may identify an IP address that corresponds to the domain name mentioned in the DNS query. The DNS server 106 may include a database that includes multiple entries that pair domain names with their corresponding IP addresses. The DNS server 106 may also be configured to retrieve the IP address that corresponds with the domain name identified by the DNS query. The DNS server 106 may facilitate accurate communication of the IP traffic routed through the gateway 110 to its designated destinations by providing the gateway 110 with the appropriate IP addresses associated with the IP traffic in a DNS response such as the DNS response 220.
For instance, a first DNS query 214 may be communicated from the application 105 to the VA 274. The VA 274 may then communicate the first DNS query 214 to the VPN service client 104. A DNS packet handler 204 of the VPN service client 104 includes a query handler 222. The query handler 222 is configured to determine whether the first DNS query 214 is an original DNS query 216 or a subsequent DNS query 218. In some embodiments, the query handler 222 may determine whether the first DNS query 214 includes a unique identifier assigned to a match domain. If the identifier 264 is present, then the query handler 222 determines that the first DNS query 214 is a subsequent DNS query 218. If the identifier 264 is not present, then the query handler 222 determines that the first DNS query 214 is an original DNS query 216.
In the embodiment of Figure 2, the first DNS query 214 may be the original DNS query 216 directed to the second device 108 via the gateway 110. In response, the VPN service client 104 may communicate the first DNS query 214 and associated data packets to the gateway 110 without modification. The first DNS query 214 may be communicated to the DNS server 106. The DNS server 106 may communicate a DNS response 220 to the endpoint device 102 in response to receipt of the first DNS query 214. The DNS response 220 may include one or more canonical names that are associated with the second device 108 or the domain name of the second device 108. The DNS response 220 may be communicated to a DNS response handler 208 of the VPN service client 104.
The DNS response handler 208 may parse the DNS response 220. For instance, the DNS response handler 208 may parse the DNS response 220 to identify the one or more canonical names that are associated with the second device 108 or FQDN thereof. The DNS response handler 208 may append the identifier 264 to the identified canonical names. For instance, if the identifier 264 includes an alphanumeric suffix, the identifier 264 may be appended to an end of the canonical names.
The DNS response handler 208 may generate an updated DNS response 268. The updated DNS response 268 may include the canonical names with the appended identifier 264. Additionally, the updated DNS response 268 may include information (e.g., an IP address corresponding to the hostname of the second device 108, a transaction time, flags, errors, authority, etc.) of the DNS response 220. The updated DNS response 268 may be used to supplement the match domain created by the match domain generator 266. For instance, in some embodiments the DNS response handler 208 may communicate the updated DNS response 268 to the VA 274 such that the canonical names are associated with the match domain for the second device 108. The VA 274 may supplement the match domain such that traffic directed to the canonical names is also routed through the VPN tunnel based on presence of the identifier 264. Because the canonical names include the identifier 264, which is assigned to the match domain, DNS queries that request information relating to the canonical names may be routed to the VPN tunnel.
Additionally, in the embodiment of Figure 2, a second DNS query 250 may be communicated from the application 105 to the VA 274. The VA 274 may communicate the second DNS query 250 to the DNS packet handler 204. The query handler 222 of the DNS packet handler 204 may be configured to determine whether the second DNS query 250 is an original DNS query 216 or a subsequent DNS query 218 based on the presence of an identifier such as the identifier 264 assigned to a match domain. For instance, the second DNS query 250 may include the identifier 264 and accordingly be identified as a subsequent DNS query directed to the second device 108. In response, the VPN service client 104 may remove the identifier 264 and then communicate the second DNS query 250 to the gateway 110. For any later DNS queries (e.g., 214 and 250) directed to any domain names included in the match domain, the identifier 264 is added. The presence of the identifier 264 enables identification of the DNS query and associated data packets that are routed through the VPN tunnel by the VA 274. Communication of the DNS queries 214 and 250 and the processing by the VPN service client 104 may occur during runtime of the application 105 and while maintaining the VA 274. Accordingly, split tunnelling using the process 200 occurs without interrupting the VPN tunnel.
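The following is an added example, not code from the patent or from Ivanti's client, modelling the DNS packet handler 204 of Figures 1 and 2: the query handler 222 classifying a query as original or subsequent by the presence of the identifier 264 and stripping it, and the DNS response handler 208 appending the identifier to canonical names so the VA can supplement the match domain. It uses the page's illustrative suffix "xyz.tpm"; the hostname cdn.example.net, the simplified (owner, type, rdata) record form, and the MatchDomain, handle_query and handle_response names are assumptions.

```python
"""Model of the match-domain DNS packet handler (added example; assumptions:
suffix "xyz.tpm" from the page, constructed hostnames, simplified records)."""
import secrets
import struct
from dataclasses import dataclass, field


@dataclass
class MatchDomain:
    """Match domain created by the match domain generator with its identifier."""
    domain: str                                # FQDN of the second device
    identifier: str                            # unique suffix, e.g. "xyz.tpm"
    cnames: set = field(default_factory=set)   # canonical names learned at runtime

    def covers(self, name: str) -> bool:
        """True when the name is the domain, a subdomain, or a learned CNAME."""
        name = name.rstrip(".").lower()
        return (name == self.domain or name.endswith("." + self.domain)
                or name in self.cnames)


def new_identifier() -> str:
    """Random alphanumeric suffix; the page's illustrative value is "xyz.tpm"."""
    return secrets.token_hex(4) + ".tpm"


def encode_name(name: str) -> bytes:
    """Encode a dotted hostname as uncompressed DNS wire-format labels."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def decode_name(wire: bytes, offset: int = 0):
    """Decode an uncompressed wire-format name; return (name, offset after it)."""
    labels = []
    while True:
        length = wire[offset]
        if length & 0xC0:  # question-section QNAMEs are never compressed
            raise ValueError("compressed name not supported")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length


def build_query(qname: str, txid: int = 0x1234) -> bytes:
    """Standard DNS query packet: 12-byte header plus one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def handle_query(packet: bytes, md: MatchDomain):
    """Query handler: returns (kind, packet to forward, route via tunnel)."""
    qname, end = decode_name(packet, 12)
    tail = "." + md.identifier
    if qname.lower().endswith(tail):
        # Subsequent query: strip the identifier before it leaves the device.
        forwarded = packet[:12] + encode_name(qname[:-len(tail)]) + packet[end:]
        return "subsequent", forwarded, True
    # Original query: forwarded unmodified; tunnel only if already in the match domain.
    return "original", packet, md.covers(qname)


def handle_response(answers, md: MatchDomain):
    """Response handler: suffix CNAME targets and register them as match-domain names."""
    updated = []
    for owner, rtype, rdata in answers:
        if rtype == "CNAME":
            md.cnames.add(rdata.lower())          # VA supplements the match domain
            rdata = rdata + "." + md.identifier   # canonical name carries the identifier
        if owner.lower() in md.cnames:            # e.g. the A record owned by the CNAME
            owner = owner + "." + md.identifier
        updated.append((owner, rtype, rdata))
    return updated


def app_query_name(name: str, md: MatchDomain) -> str:
    """Name a later query carries: the identifier is added for match-domain names."""
    return name + "." + md.identifier if md.covers(name) else name


if __name__ == "__main__":
    md = MatchDomain("example.com", "xyz.tpm")
    print(handle_query(build_query("www.example.com"), md)[0])          # original
    resp = [("www.example.com", "CNAME", "cdn.example.net"),             # constructed
            ("cdn.example.net", "A", "192.0.2.10")]
    print(handle_response(resp, md))
    later = build_query(app_query_name("cdn.example.net", md))
    print(handle_query(later, md)[0])                                   # subsequent
```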
Figure 3 is a flow diagram of an example process 300 of match domain configuration and communication for a VPN. The process 300 may be implemented in the operating environment 100 of Figure 1 and/or may be implemented at least partially by the endpoint device 102 of Figures 1 and 2. Figure 3 includes one or more components (e.g., 105, 110, 204, 274, and 266) described elsewhere in the present disclosure.
At subprocess 302, a VPN tunnel may be set up or established. The VPN tunnel may be established for secured communication by the application 105 with a third-party device via the gateway 110. The application 105 and/or the VA 274 may be involved in establishing the VPN tunnel.
Data traffic communicated with the application 105 and remaining components of an endpoint device (e.g., the endpoint device 102 of Figures 1 and 2) may be split tunneled. For instance, data traffic may be tunneled based on a type of the application 105, a role of the application 105, an operating characteristic (geographic location, network location, network type, etc.) of an endpoint device implementing the process 300, a destination address such as a selected destination IP address (e.g., FQDNs or CNames), data traffic that is designated as encrypted or otherwise digitally secured, or combinations thereof. In some embodiments, an endpoint device (e.g., 102) implementing the process 300 may include a network policy enforcement point. The network policy enforcement point may be configured to enforce network policies pertaining to split tunnelling. For instance, the network policies may determine which data traffic types are routed to destination addresses over the VPN tunnel and/or which data traffic types are routed to destination addresses over public networks without VPN tunnelling.
At subprocess 303, the match domain generator 266 may create a match domain. A part of creation of the match domain may include assigning an identifier to the created match domain. The identifier may be unique to the created match domain. An example unique identifier may include a suffix string such as “xyz.tpm.”
At subprocess 304, the match domain generator 266 may communicate a DNS setting of the VA 274. The match domain and information related to the identifier may be added to the DNS setting. For example, an example communication for subprocess 304 is provided below:

networksettings.DNSSettings.dnsServers = "8.8.8.8"
networksettings.DNSSettings.matchDomains = "example.com", "*.xyz.tpm"
In the above example communication, the IP address of the DNS server, Google® DNS, is defined as “8.8.8.8”. The “matchDomains” entry for the website “example.com” is accompanied by the unique identifier “*.xyz.tpm”. Adding the unique string as a match domain of the VA 274 allows the application 105 to route any DNS query that matches the suffix “xyz.tpm” to the VA 274.
At subprocess 305, a DNS query may be initiated by the application 105. The DNS query initiated at subprocess 305 may be an original DNS query. At subprocess 306, the application 105 may communicate the original DNS query to the VA 274. At subprocess 308 the VA 274 may communicate the original DNS query to the DNS packet handler 204 (in Figure 3, “Packet Handler”). At subprocess 309, the DNS packet handler 204 may determine whether the received DNS query is an original or a subsequent DNS query. Responsive to the received DNS query being an original DNS query, the DNS packet handler 204 may not modify the received DNS query. At subprocess 310, the DNS packet handler 204 may communicate the unmodified DNS query to the gateway 110, which may forward the unmodified DNS request to a DNS server (e.g., 106 of Figure 2).
At subprocess 311, the gateway 110 may receive a DNS response from the DNS server. The DNS response may correspond to the DNS query communicated in subprocess 310. At subprocess 312, the gateway 110 may communicate the DNS response to the DNS packet handler 204.
For instance, the generated DNS query may include www.example.com, which may be a FQDN for which communication is via the VPN tunnel. The domain name www.example.com may resolve through multiple CNames, as shown below:

www.example.com canonical name = tp.47-.example.com.
tp.47-example.com canonical name = www.example.com.edgekey.net.
www.example.com.edgekey.net canonical name = el5316.a.edge.net.
Name: el5316.a.iedge.net
Address: 23.53.169.61
At subprocess 313, the DNS packet handler 204 may identify the CNames in the DNS response and append the identifier of the match domain to each of the CNames. For example:

www.example.com canonical name = tp.47cf2c8c9-.example.com.xyz.tpm
tp.47-.example.com.xyz.tpm canonical name = www.example.com.edgekey.net.xyz.tpm
www.example.com.edgekey.net.xyz.tpm canonical name = el5316.a.edge.net.xyz.tpm
Name: el5316.a.iedge.net.xyz.tpm
Address: 23.53.169.61

The DNS packet handler 204 may generate an updated DNS response with the CNames having the appended identifier. At subprocess 314, the DNS packet handler 204 may communicate the updated DNS response to the VA 274. At subprocess 316, the updated DNS response is communicated to the application 105. The updated DNS response is used at the application 105 and/or the VA 274 to supplement the match domain with the CNames.
At subprocess 317, a subsequent DNS query may be generated by the application 105. The subsequent DNS query may include the identifier appended to it. At subprocess 318, the application 105 may communicate the subsequent DNS query to the VA 274. The VA 274 may identify the subsequent DNS query as a member of the match domain and route the subsequent DNS query to the VPN tunnel. At subprocess 320, the VA 274 may communicate the subsequent DNS query to the DNS packet handler 204.
At subprocess 321, the DNS packet handler 204 may determine whether the received subsequent DNS query is an original or a subsequent DNS query. Responsive to the received DNS query being a subsequent DNS query, the DNS packet handler 204 may modify the received subsequent DNS query to remove the identifier. For example: tp.47-example.com.xyz.tpm —> tp.47-example.com.
At subprocess 322, the DNS packet handler 204 may communicate the modified DNS query to the gateway 110, which may forward the modified DNS request to a DNS server (e.g., 106 of Figure 2).
Subprocesses 306-322 may continue for two or more third-party devices and the VPN tunnels established for them. In each case, a match domain is created and supplemented with CNames. Additionally, for each DNS query, it is determined whether the DNS query is an original or a subsequent DNS query, and the DNS query is modified responsive to the determination. Throughout the process 300, a TCP communication channel may be maintained.
Figure 4 illustrates an example computing system 400 configured for match domain configuration for split tunneling according to at least one embodiment of the present disclosure. The computing system 400 may be implemented in the operating environment 100 of Figure 1, for instance. Examples of the computing system 400 may include the endpoint device 102, the gateway 110, the DNS server 106, the second device 108 or some combination thereof. The computing system 400 may include one or more processors 410, a memory 412, a communication unit 414, a user interface device 416, and a data storage 404 that includes the application 105, the VA 274, and the VPN service client 104 (collectively, modules 105/274/104).
The processor 410 may include any suitable special-purpose or general-purpose computer, computing entity, or processing device including various computer hardware or software modules and may be configured to execute instructions stored on any applicable computer-readable storage media. For example, the processor 410 may include a microprocessor, a microcontroller, a digital signal processor (DSP), an ASIC, an FPGA, or any other digital or analog circuitry configured to interpret and/or to execute program instructions and/or to process data. Although illustrated as a single processor in Figure 4, the processor 410 may more generally include any number of processors configured to perform individually or collectively any number of operations described in the present disclosure. Additionally, one or more of the processors 410 may be present on one or more different electronic devices or computing systems. In some embodiments, the processor 410 may interpret and/or execute program instructions and/or process data stored in the memory 412, the data storage 404, or the memory 412 and the data storage 404. In some embodiments, the processor 410 may fetch program instructions from the data storage 404 and load the program instructions in the memory 412. After the program instructions are loaded into the memory 412, the processor 410 may execute the program instructions.
The memory 412 and the data storage 404 may include computer-readable storage media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable storage media may include any available media that may be accessed by a general-purpose or special-purpose computer, such as the processor 410. By way of example, and not limitation, such computer-readable storage media may include tangible or non-transitory computer-readable storage media including RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, flash memory devices (e.g., solid state memory devices), or any other storage medium which may be used to carry or store desired program code in the form of computer-executable instructions or data structures and that may be accessed by a general-purpose or special-purpose computer. Combinations of the above may also be included within the scope of computer-readable storage media. Computer-executable instructions may include, for example, instructions and data configured to cause the processor 410 to perform a certain operation or group of operations.
The communication unit 414 may include one or more pieces of hardware configured to receive and send communications. In some embodiments, the communication unit 414 may include one or more of an antenna, a wired port, and modulation/demodulation hardware, among other communication hardware devices. In particular, the communication unit 414 may be configured to receive a communication from outside the computing system 400 and to present the communication to the processor 410 or to send a communication from the processor 410 to another device or network (e.g., 122 of Figure 1).
The user interface device 416 may include one or more pieces of hardware configured to receive input from and/or provide output to a user. In some embodiments, the user interface device 416 may include one or more of a speaker, a microphone, a display, a keyboard, a touch screen, or a holographic projection, among other hardware devices.
The modules 105/274/104 may include program instructions stored in the data storage 404. The processor 410 may be configured to load the modules 105/274/104 into the memory 412 and execute the modules 105/274/104. Alternatively, the processor 410 may execute the modules 105/274/104 line-by-line from the data storage 404 without loading them into the memory 412. When executing the modules 105/274/104 the processor 410 may be configured to perform a participation verification process as described elsewhere in this disclosure.
Modifications, additions, or omissions may be made to the computing system 400 without departing from the scope of the present disclosure. For example, in some embodiments, the computing system 400 may not include the user interface device 416. In some embodiments, the different components of the computing system 400 may be physically separate and may be communicatively coupled via any suitable mechanism. For example, the data storage 404 may be part of a storage device that is separate from a server, which includes the processor 410, the memory 412, and the communication unit 414, that is communicatively coupled to the storage device. The embodiments described herein may include the use of a special-purpose or general-purpose computer including various computer hardware or software modules, as discussed in greater detail below.
Figures 5A and 5B are a block diagram of a method 500 of match domain configuration and communication for a virtual private network (VPN). The method 500 describes configuration of a match domain and communication of data traffic based on the configuration. The method 500 may be implemented in a managed network or another suitable environment such as the operating environment 100. The operating environment implementing the method 500 may be included in a cloud-based networked system, an on-premises system, a managed network, managed subnetwork, or another suitable network computing environment.
The method 500 may begin at block 502 in which a VPN tunnel may be set up or established. For example, the VPN tunnel may be set up to communicate a portion of traffic between an endpoint device and a controlled or a secured network. The VPN tunnel may be set up such that at least some portion of the data traffic is communicated via the VPN tunnel and another portion of the data traffic is communicated outside the VPN tunnel. In some embodiments, the endpoint device is a mobile device running an iOS operating system.
At block 504, a match domain may be created. The match domain may be created for a first domain name. In some embodiments, the first domain name corresponds to an application run on the endpoint device and/or a third-party device with which the endpoint device communicates. Information related to the match domain may be communicated to and stored at a virtual adapter. The match domain may include the first domain name and a unique identifier. The unique identifier includes a first character sequence that is different from the character sequences assigned to other match domains. The first character sequence may include a text string having two or more random or pseudorandom alphanumerical characters.
At block 506, data traffic directed to and received from the first domain name may be designated as routed through the VPN tunnel. Accordingly, the data traffic received at the endpoint device from the first domain name is directed through the VPN tunnel and the data traffic communicated to the first domain name is directed through the VPN tunnel.
At block 508, a domain name system (DNS) query may be received. The DNS query may be related to the first domain name. At block 510, the DNS query may be parsed. The DNS query may be separated such that different portions of the DNS query may be analyzed. In some embodiments, the DNS query may be parsed to identify the presence of a unique identifier that may be included in the DNS query.
At block 512, it may be determined whether the DNS query is an original DNS query or a subsequent DNS query. For instance, the DNS query may be parsed to determine whether the DNS query is an original DNS query (e.g., a first DNS request following the designation of block 506) or a subsequent DNS query (e.g., after the original). In some embodiments, the determination that the DNS query is the original DNS query is based at least in part on presence of the unique identifier in the DNS query.
In response to a determination that the DNS query is the original DNS query (“YES” at block 512), the method 500 may proceed to block 514. In response to a determination that the DNS query is the subsequent DNS query (“NO” at block 512), the method 500 may proceed to block 516. At block 516, the unique identifier may be removed from the DNS query. For instance, the alphanumeric characters may be identified during the parsing of block 510 and removed. At block 518, the DNS query may be communicated to the gateway. For instance, in some embodiments, after the unique identifier is removed the DNS query (without the unique identifier) may be communicated to the gateway. At block 514, the DNS query may be forwarded without modification. For instance, the DNS query may be forwarded to a gateway without modification.
With reference to Figure 5B, at block 520, a DNS response may be received. The DNS response may correspond to the original DNS query. At block 522, the DNS response may be parsed. For instance, the DNS response may be parsed to obtain one or more canonical names related to the first domain name. For instance, the one or more canonical names may map an alias domain name to a FQDN.
At block 524, the unique identifier may be appended to the one or more canonical names. Appending the unique identifier to the one or more canonical names may be part of generating an updated DNS response. At block 526, the updated DNS response may be communicated. The updated DNS response may be communicated to the VA. The VA may further communicate the updated DNS response or information therein to the application. At block 528, the match domain may be supplemented. The match domain may be supplemented such that the one or more canonical names with the appended unique identifier are included and such that data traffic directed to or received from each of the one or more canonical names is routed to the VPN tunnel.
One or more of blocks 502, 504, 506, 508, 510, 512, 514, 516, 518, 520, 522, 524, 526, and 528 may be implemented for each DNS query communicated by an application at an endpoint. Additionally, one or more of blocks 502, 504, 506, 508, 510, 512, 514, 516, 518, 520, 522, 524, 526, and 528 may be implemented during runtime of the application for which a match domain is created. Moreover, one or more of blocks 502, 504, 506, 508, 510, 512, 514, 516, 518, 520, 522, 524, 526, and 528 may be implemented to maintain the VPN tunnel without or with minimal interruption.
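The following is an added example, written for this page and not code from the patent or from Ivanti, that models the DNS packet handler of process 300 (subprocesses 309 to 321) and method 500 (blocks 512 to 528) together with the virtual adapter's match test. It takes the match domain “example.com”, the identifier “xyz.tpm” and the CNAME chain from the description above; the class and function names (MatchDomain, DnsPacketHandler, va_route, run_example) and the in-memory DnsResponse structure are my own assumptions, and the DNS messages are decoded Python values rather than wire-format packets.

```python
# Added example, not code from the patent or from Ivanti: a string-level model of
# the DNS packet handler and the virtual adapter's match test described for
# process 300 (subprocesses 309-321) and method 500 (blocks 512-528). The match
# domain "example.com", the identifier "xyz.tpm" and the CNAME chain are from the
# page; all class/function names are mine; messages are Python values, not packets.
from dataclasses import dataclass, field

def norm(name):
    """Comparison form of a DNS name: lower-case, no trailing dot."""
    return name.rstrip(".").lower()

def has_suffix(name, suffix):
    """Suffix match on a label boundary: 'a.xyz.tpm' matches 'xyz.tpm', 'notxyz.tpm' does not."""
    n, s = norm(name), norm(suffix)
    return n == s or n.endswith("." + s)

def strip_suffix(name, suffix):
    """Remove a trailing '.<suffix>' if present (subprocess 321 / block 516)."""
    n, s = norm(name), norm(suffix)
    return n[:-(len(s) + 1)] if n.endswith("." + s) else n

@dataclass
class MatchDomain:
    domain: str                                # first domain name
    identifier: str                            # unique suffix assigned to it
    members: set = field(default_factory=set)  # tagged CNAMEs added at block 528

    def covers(self, name):
        """VA match test: the first domain name and its subdomains, any name
        carrying the identifier, or a supplemented member."""
        return (has_suffix(name, self.domain) or has_suffix(name, self.identifier)
                or norm(name) in self.members)

@dataclass
class DnsResponse:
    """Constructed stand-in for an answer section: CNAME chain, then the address record."""
    cnames: list   # [(alias, canonical), ...] in chain order
    name: str      # owner name of the address record
    address: str

class DnsPacketHandler:
    def __init__(self, match_domains):
        self.match_domains = list(match_domains)

    def classify(self, qname):
        """'subsequent' if the query carries an identifier suffix, else 'original' (block 512)."""
        for md in self.match_domains:
            if has_suffix(qname, md.identifier):
                return "subsequent", md
        return "original", None

    def outbound(self, qname):
        """Name forwarded to the gateway: original unchanged, subsequent with the tag removed."""
        kind, md = self.classify(qname)
        return qname if kind == "original" else strip_suffix(qname, md.identifier)

    def inbound(self, qname, resp):
        """Response to an original query: tag every canonical name with the
        identifier and supplement the match domain (subprocess 313, blocks 522-528)."""
        md = next((m for m in self.match_domains if m.covers(qname)), None)
        if md is None:
            return resp  # outside every match domain: pass through untouched

        def tag(n):  # the queried name itself is left as the application sent it
            return n if norm(n) == norm(qname) else f"{norm(n)}.{md.identifier}"

        cnames = [(tag(a), tag(c)) for a, c in resp.cnames]
        updated = DnsResponse(cnames, tag(resp.name), resp.address)
        md.members.update(c for _, c in cnames)
        md.members.add(updated.name)
        return updated

def va_route(qname, match_domains):
    """Virtual adapter split-tunnel decision: 'tunnel' or 'direct'."""
    return "tunnel" if any(md.covers(qname) for md in match_domains) else "direct"

def run_example():
    """Walk the page's scenario end to end and return the observable results."""
    md = MatchDomain("example.com", "xyz.tpm")
    handler = DnsPacketHandler([md])
    fwd1 = handler.outbound("www.example.com")          # original query: unchanged
    resp = DnsResponse(                                  # constructed after the page's chain
        cnames=[("www.example.com", "tp.47cf2c8c9-.example.com"),
                ("tp.47cf2c8c9-.example.com", "www.example.com.edgekey.net"),
                ("www.example.com.edgekey.net", "el5316.a.edge.net")],
        name="el5316.a.edge.net", address="23.53.169.61")
    updated = handler.inbound("www.example.com", resp)
    q2 = "el5316.a.edge.net.xyz.tpm"                    # subsequent query for a tagged name
    return {
        "fwd1": fwd1,
        "updated_cnames": updated.cnames,
        "updated_name": updated.name,
        "route_q2": va_route(q2, [md]),                  # VA sends it into the tunnel
        "fwd2": handler.outbound(q2),                    # handler strips the tag first
        "route_lookalike": va_route("notxyz.tpm", [md]), # label-boundary check
        "members": sorted(md.members),
    }
```

Calling run_example() returns the forwarded names, the rewritten chain and the routing decisions for a tagged name and for a look-alike such as notxyz.tpm, which the label-boundary test in has_suffix keeps out of the tunnel. On the wire, appending the identifier lengthens every rewritten CNAME, so a real handler has to re-serialize the response (recomputing RDLENGTH fields and any name-compression pointers) rather than patch bytes in place; the model above works on decoded names and sidesteps that.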
Further, modifications, additions, or omissions may be made to the method 500 without departing from the scope of the present disclosure. For example, the operations of the method 500 may be implemented in differing order. Furthermore, the outlined operations and actions are only provided as examples, and some of the operations and actions may be optional, combined into fewer operations and actions, or expanded into additional operations and actions without detracting from the disclosed embodiments.
Terms used in the present disclosure and especially in the appended claims (e.g., bodies of the appended claims) are generally intended as “open terms” (e.g., the term “including” should be interpreted as “including, but not limited to.”).
Additionally, if a specific number of an introduced claim recitation is intended, such an intent will be explicitly recited in the claim, and in the absence of such recitation no such intent is present. For example, as an aid to understanding, the following appended claims may contain usage of the introductory phrases “at least one” and “one or more” to introduce claim recitations. However, the use of such phrases should not be construed to imply that the introduction of a claim recitation by the indefinite articles “a” or “an” limits any particular claim containing such introduced claim recitation to embodiments containing only one such recitation, even when the same claim includes the introductory phrases “one or more” or “at least one” and indefinite articles such as “a” or “an” (e.g., “a” and/or “an” should be interpreted to mean “at least one” or “one or more”); the same holds true for the use of definite articles used to introduce claim recitations.
In addition, even if a specific number of an introduced claim recitation is expressly recited, those skilled in the art will recognize that such recitation should be interpreted to mean at least the recited number (e.g., the bare recitation of “two recitations,” without other modifiers, means at least two recitations, or two or more recitations). Furthermore, in those instances where a convention analogous to “at least one of A, B, and C, etc.” or “one or more of A, B, and C, etc.” is used, in general such a construction is intended to include A alone, B alone, C alone, A and B together, A and C together, B and C together, or A, B, and C together, etc. Further, any disjunctive word or phrase preceding two or more alternative terms, whether in the description, claims, or drawings, should be understood to contemplate the possibilities of including one of the terms, either of the terms, or both of the terms. For example, the phrase “A or B” should be understood to include the possibilities of “A” or “B” or “A and B.”
All examples and conditional language recited in the present disclosure are intended for pedagogical objects to aid the reader in understanding the present disclosure and the concepts contributed by the inventor to furthering the art, and are to be construed as being without limitation to such specifically recited examples and conditions. Although embodiments of the present disclosure have been described in detail, various changes, substitutions, and alterations could be made hereto without departing from the spirit and scope of the present disclosure.

Claims

CLAIMS What is claimed is:
1. A method of match domain configuration for a virtual private network (VPN), the method comprising: establishing a VPN tunnel; creating a match domain for a first domain name, the match domain including the first domain name and a unique identifier; designating data traffic directed to and received from the first domain name as being routed through the VPN tunnel; receiving a domain name system (DNS) query, wherein the DNS query is related to the first domain name; parsing the DNS query; determining whether the DNS query is an original DNS query or a subsequent DNS query based on the parsed DNS query; in response to a determination that the DNS query is the original DNS query, forwarding the DNS query to the gateway without modification; receiving a DNS response corresponding to the original DNS query; parsing the DNS response to obtain one or more canonical names related to the first domain name; appending the unique identifier to the one or more canonical names to generate an updated DNS response; communicating the updated DNS response to the virtual adapter; and supplementing the match domain such that the one or more canonical names with the appended unique identifier is included in the match domain and data traffic directed to or received from each of the one or more canonical names are routed to the VPN tunnel.
2. The method of claim 1, wherein the determination that the DNS query is the original DNS query is based at least in part on presence of the unique identifier being appended on the DNS query.
3. The method of claim 1, further comprising: in response to a determination that the DNS query is the subsequent DNS query, removing the unique identifier from the DNS query; and after the unique identifier is removed, communicating the DNS query to the gateway.
4. The method of claim 1, wherein the unique identifier includes a first character sequence that is different from all other character sequences assigned to other match domains.
5. The method of claim 4, wherein the first character sequence includes a text string that further includes a plurality of random alphanumerical characters.
6. The method of claim 1, wherein: the first domain name corresponds to an application run on an endpoint device; and the DNS query is communicated by the application.
7. The method of claim 6, wherein the endpoint device is a mobile device running an iOS operating system.
8. The method of claim 6, wherein the supplementing the match domain occurs during runtime of the application.
9. The method of claim 1, wherein the DNS query includes a domain name of a fully qualified domain name.
10. The method of claim 1, wherein the appending the unique identifier includes appending the suffix string to an end of the canonical names.
11. A non-transitory computer-readable medium having encoded therein programming code executable by one or more processors to perform or control performance of operations of any of claims 1-10.
12. A compute device comprising: one or more processors; and a non-transitory computer-readable medium having encoded therein programming code executable by the one or more processors to perform or control performance of operations of any of claims 1-10.
PCT/US2023/073057 2022-08-30 2023-08-29 Runtime match domain configurations WO2024050341A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
IN202211049540 2022-08-30

Publications (1)

Publication Number Publication Date
WO2024050341A1 true WO2024050341A1 (en) 2024-03-07

Family

ID=88020921

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2023/073057 WO2024050341A1 (en) 2022-08-30 2023-08-29 Runtime match domain configurations

Country Status (1)

Country Link
WO (1) WO2024050341A1 (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130111066A1 (en) * 2011-10-26 2013-05-02 Ramprasad Vempati Device and Method for Split DNS Communications

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
ANONYMOUS: "Fully Qualified Domain Names (FQDN) based Split Tunneling", 31 December 2022 (2022-12-31), XP093089019, Retrieved from the Internet <URL:https://help.ivanti.com/ps/help/en_US/PDC/9.1R13/depg_fqdn/fqdn_based_split_tunneling.htm> [retrieved on 20231005] *
PAULY APPLE INC P WOUTERS RED HAT T: "Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2); rfc8598.txt", 29 May 2019 (2019-05-29), pages 1 - 16, XP015132456, Retrieved from the Internet <URL:https://tools.ietf.org/html/rfc8598> [retrieved on 20190529] *

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23769087

Country of ref document: EP

Kind code of ref document: A1