US-12621351-B2 - Secure conditional domain name system operation
Abstract
Some embodiments enhance the security of domain name resolution and other DNS operations, by automatically intercepting the DNS operation, determining an associated device identity or ascertaining an associated user identity, and enforcing a security policy based on at least the DNS operation and based on at least one of the identities. Some securable DNS operations include resolution requests, reverse lookups from IP addresses to domain names, DNS record accesses, mail server mappings, redirection, forwarding, and DNS record cache operations. Enforcing the policy includes, e.g., preventing a result requested by the DNS operation, permitting computational progress toward the requested result, allowing a different result, modifying a DNS record, or flushing a DNS record from a cache. In some embodiments, DNS operation security functionality utilizes or implements a conditional access security functionality, thereby providing, e.g., a secure conditional domain name resolution.
Inventors
- Ashish Jain
- Shyamshankar Dharmarajan
- Avraham Carmon
- Murali Krishna Sangubhatla
- Andrey TERENTYEV
- Rupa PARAMASIVAN
- Sinead O'Donovan
Assignees
- MICROSOFT TECHNOLOGY LICENSING, LLC
Dates
- Publication Date
- 20260505
- Application Date
- 20231027
Claims (20)
- 1. A method of securing domain name system operations, the method comprising: automatically intercepting a domain name system operation; determining a device identity associated with the domain name system operation; ascertaining a user identity associated with the domain name system operation; reading an authentication token associated with the user identity, the authentication token issued by an identity provider; locating a domain name record associated with a domain name of the domain name system operation; enforcing a security policy based on the domain name system operation and at least one of the device identity or the user identity, wherein enforcing the security policy comprises: modifying a response to the domain name system operation based on at least one of the device identity or the user identity; and confirming that a time-to-live specified in the domain name record does not exceed a lifetime of the authentication token, wherein modifying the response comprises performing at least one of: allowing a different result than the result requested by the domain name system operation; modifying a domain name system record; or flushing at least a portion of a cache containing at least one domain name record.
- 2. The method of claim 1, wherein the domain name system operation includes or is part of a domain name resolution request for the domain name, and wherein enforcing the security policy comprises: assessing a domain name resolution risk based on at least the security policy and based on at least one of: the user identity, or the device identity; selecting an IP address from a set of IP addresses which are identified in a set of domain name system records as potential resolutions of the domain name, the selecting based on at least a result of the assessing; and providing the selected IP address in response to the domain name resolution request.
- 3. The method of claim 1, wherein enforcing the security policy based on the domain name system operation and at least one of the device identity or the user identity further comprises: checking whether the device is compliant with a specified device security policy; and preventing the result requested by the domain name system operation when the device is not compliant with the specified device security policy.
- 4. The method of claim 1, wherein enforcing the security policy based on the domain name system operation and at least one of the device identity or the user identity further comprises: enforcing the security policy based on at least the authentication token.
- 5. The method of claim 1, further comprising: receiving a notification of a change in a health status of the device; in response to receiving the notification, performing at least one of: setting the time-to-live in the domain name record, deleting the domain name record, or flushing at least a portion of a domain name record cache.
- 6. The method of claim 1, further comprising: receiving a notification of a change in a risk score associated with the device or a risk score associated with the user identity, or both; in response to receiving the notification, performing at least one of: setting the time-to-live in the domain name record, deleting the domain name record, or flushing at least a portion of a domain name record cache.
- 7. The method of claim 1, wherein: the domain name system operation requests a particular result; and enforcing the security policy based on the domain name system operation and at least one of the device identity or the user identity further comprises: discerning that a non-empty proper subset of a set of conditions specified by the security policy is satisfied, wherein the security policy specifies that all of the conditions be satisfied in order to permit the particular result; and in response to the discerning, barring a portion but not all of the particular result, or barring a portion but not all progress toward a less risky result which is designated as less risky than the particular result.
- 8. The method of claim 1, wherein enforcing the security policy based on the domain name system operation and at least one of the device identity or the user identity further comprises: assessing a risk based on at least the security policy and based on at least one of the user identity or the device identity, and wherein enforcing the security policy further comprises performing at least one of the following in response to a result of the assessing: adding an access requirement specifying that a network protocol with a specified security characteristic or a specified security level, or both, be utilized for a network communication which includes the intercepted domain name system operation; adding an access requirement specifying that a network protocol with a specified security characteristic or a specified security level, or both, be utilized for a network communication which responds to the intercepted domain name system operation; adding an access requirement that prohibits use of a network protocol with a specified security characteristic or a specified security level, or both; adding an access requirement that prohibits forwarding the intercepted domain name system operation to a public domain name system server; or adding an access requirement that prohibits redirecting the intercepted domain name system operation to a public domain name system server.
- 9. A computing system which is configured to assist in securing domain name system operations, the computing system comprising: a digital memory; a processor set comprising at least one processor, the processor set in operable communication with the digital memory; a domain name system operations security assistant which is configured to, upon execution by the processor set: automatically intercept a domain name system operation; determine a device identity associated with the domain name system operation or ascertain a user identity associated with the domain name system operation; read an authentication token associated with the user identity, the authentication token issued by an identity provider; locate a domain name record associated with a domain name of the domain name system operation; enforce a security policy based on the domain name system operation and at least one of the device identity or the user identity, wherein enforcing the security policy comprises: modifying a response to the domain name system operation based on at least one of the device identity or the user identity; and confirming that a time-to-live specified in the domain name record does not exceed a lifetime of the authentication token, wherein modifying the response comprises performing at least one of: allowing a different result than the result requested by the domain name system operation; modifying a domain name system record; or flushing at least a portion of a cache containing at least one domain name record.
- 10. The computing system of claim 9, wherein the domain name system operations security assistant is configured to, upon execution by the processor set: check whether the device is enrolled as a managed device; and prevent the result requested by the domain name system operation when the device is not enrolled as a managed device.
- 11. The computing system of claim 9, wherein the domain name system operation includes or is part of a domain name resolution request for the domain name.
- 12. The computing system of claim 9, wherein the domain name system operations security assistant is configured to, upon execution by the processor set: get a security group identification which identifies a security group, the user identity being a member of the security group; and base the enforcing on at least the security group identification.
- 13. The computing system of claim 9, wherein the domain name system operations security assistant is configured to, upon execution by the processor set: get a security role identification which identifies a security role, the user identity being a holder of the security role; and base the enforcing on at least the security role identification.
- 14. The computing system of claim 9, wherein the domain name system operations security assistant is configured to, upon execution by the processor set: detect a security heartbeat anomaly; and in response to detecting the security heartbeat anomaly, flush at least a portion of a domain name record cache.
- 15. The computing system of claim 9, wherein the domain name system operations security assistant is configured to, upon execution by the processor set: add an access requirement that prohibits forwarding the intercepted domain name system operation to a public domain name system server; or add an access requirement that prohibits redirecting the intercepted domain name system operation to a public domain name system server.
- 16. A computer-readable storage device configured with data and instructions which upon execution by a processor cause a computing system to perform a method of securing domain name system operations, the method comprising: automatically intercepting a domain name system operation; determining at least one of a device identity associated with the domain name system operation or a user identity associated with the domain name system operation; reading an authentication token associated with the user identity, the authentication token issued by an identity provider; locating a domain name record associated with a domain name of the domain name system operation; enforcing a security policy based on the domain name system operation and at least one of the device identity or the user identity, wherein enforcing the security policy comprises: modifying a response to the domain name system operation based on at least one of the device identity or the user identity; and confirming that a time-to-live specified in the domain name record does not exceed a lifetime of the authentication token, wherein modifying the response comprises performing at least one of: allowing a different result than the result requested by the domain name system operation; modifying a domain name system record; or flushing at least a portion of a cache containing at least one domain name record.
- 17. The computer-readable storage device of claim 16, wherein the automatically intercepting occurs on the device, and enforcing the security policy also occurs at least partially on the device.
- 18. The computer-readable storage device of claim 16, wherein the domain name system operation includes or is part of a domain name resolution request for the domain name, and wherein enforcing the security policy comprises: assessing a domain name resolution risk based on at least the security policy and based on at least one of: the user identity, or the device identity; choosing a response tier from a set of response tiers, the choosing based on at least a result of the assessing; selecting an IP address from a set of one or more IP addresses which correspond to the response tier, the selected IP address corresponding to exactly one of the response tiers, the selected IP address identified in a set of domain name system records as a potential resolution of the domain name; and providing the selected IP address in response to the domain name resolution request.
- 19. The computer-readable storage device of claim 18, wherein the set of response tiers comprises at least three tiers, each tier having a respective selectable IP address which is distinct from all selectable IP addresses of the other tiers.
- 20. The computer-readable storage device of claim 16, wherein the domain name system operation includes or is part of a domain name resolution request for the domain name, and wherein enforcing the security policy comprises: assessing a domain name resolution risk based on at least the security policy and based on at least one of: the user identity, or the device identity; selecting an IP address set from a collection of IP address sets, each IP address set of the collection including one or more IP addresses which are identified in one or more domain name system records as potential resolutions of the domain name, the selecting based on at least a result of the assessing; and providing an IP address of the selected IP address set in response to the domain name resolution request.
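The claims above describe an enforcement flow (intercept the query, identify device and user, check the identity-provider token, bound the answer's TTL by the token lifetime, pick a response tier by risk, and flush cached answers when device health or risk changes). The following Python model is an added illustration written for this page; it is not code from the patent or from Microsoft. The tier names (`full`, `restricted`, `sinkhole`), the 0 to 100 risk scale, the per-tier risk ceilings, the token and device structures, and all sample data are constructed assumptions; in a real deployment the token would be validated cryptographically and device state would come from a management service.

```python
"""Constructed model of conditional DNS resolution driven by device and user identity."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AuthToken:
    subject: str
    expires_at: float            # epoch seconds; assumed issued by an identity provider


@dataclass
class Device:
    device_id: str
    managed: bool                # enrolled as a managed device (claim 10)
    compliant: bool              # meets the device security policy (claim 3)
    risk_score: int              # constructed 0..100 scale, higher is riskier


@dataclass
class DnsRecord:
    name: str
    ttl: int                     # TTL the record itself specifies
    tiers: Dict[str, List[str]]  # response tier -> candidate IP addresses (claims 18, 19)


@dataclass
class Decision:
    action: str                  # "allow", "allow_alternate" or "deny"
    answers: List[str]
    ttl: int
    tier: Optional[str]
    reason: str


# Constructed policy: highest risk score each tier still accepts, checked in order.
TIER_POLICY = [("full", 30), ("restricted", 70), ("sinkhole", 100)]


class ConditionalResolver:
    def __init__(self, records, devices, tokens, user_risk):
        self.records = {r.name: r for r in records}
        self.devices: Dict[str, Device] = devices
        self.tokens: Dict[str, AuthToken] = tokens
        self.user_risk: Dict[str, int] = user_risk
        # cache key -> (decision, absolute expiry); keyed per device and user
        self.cache: Dict[Tuple[str, str, str], Tuple[Decision, float]] = {}

    def _choose_tier(self, device: Device, user: str) -> str:
        # Risk assessment combines device risk and user risk (claims 2, 6).
        risk = max(device.risk_score, self.user_risk.get(user, 0))
        for tier, ceiling in TIER_POLICY:
            if risk <= ceiling:
                return tier
        return "sinkhole"

    def resolve(self, qname: str, device_id: str, user: str, now: float) -> Decision:
        key = (qname, device_id, user)
        cached = self.cache.get(key)
        if cached and cached[1] > now:
            return cached[0]
        record = self.records.get(qname)
        if record is None:
            return Decision("deny", [], 0, None, "no record for name")
        device = self.devices.get(device_id)
        if device is None or not device.managed:
            return Decision("deny", [], 0, None, "device not enrolled")
        if not device.compliant:
            return Decision("deny", [], 0, None, "device not compliant")
        token = self.tokens.get(user)
        if token is None or token.expires_at <= now:
            return Decision("deny", [], 0, None, "no valid authentication token")
        tier = self._choose_tier(device, user)
        # The answer's TTL must not outlive the token (claim 1).
        ttl = min(record.ttl, int(token.expires_at - now))
        action = "allow" if tier == "full" else "allow_alternate"
        decision = Decision(action, list(record.tiers[tier]), ttl, tier, "tier " + tier)
        self.cache[key] = (decision, now + ttl)
        return decision

    def flush_device(self, device_id: str) -> int:
        stale = [k for k in self.cache if k[1] == device_id]
        for k in stale:
            del self.cache[k]
        return len(stale)

    def on_health_change(self, device_id: str, compliant: bool) -> int:
        self.devices[device_id].compliant = compliant     # claim 5
        return self.flush_device(device_id)

    def on_risk_change(self, device_id: str, risk_score: int) -> int:
        self.devices[device_id].risk_score = risk_score   # claim 6
        return self.flush_device(device_id)


NOW = 1_700_000_000.0   # constructed "current time" for the sample below


def build_demo_resolver() -> ConditionalResolver:
    # All names, addresses and scores here are constructed sample data.
    records = [DnsRecord("intranet.example.test", 3600, {
        "full": ["10.0.0.10"], "restricted": ["10.0.0.20"], "sinkhole": ["10.0.0.30"]})]
    devices = {
        "dev-ok": Device("dev-ok", True, True, 10),
        "dev-risky": Device("dev-risky", True, True, 80),
        "dev-byod": Device("dev-byod", False, False, 0),
    }
    tokens = {"alice": AuthToken("alice", NOW + 600)}   # token has 600 s left
    return ConditionalResolver(records, devices, tokens, {"alice": 5})


if __name__ == "__main__":
    r = build_demo_resolver()
    for dev in ("dev-ok", "dev-risky", "dev-byod"):
        print(dev, r.resolve("intranet.example.test", dev, "alice", NOW))
```

Running the module shows the low-risk managed device receiving the full-tier address with the TTL clamped from 3600 to the token's remaining 600 seconds, the high-risk device receiving the sinkhole-tier address, and the unenrolled device being denied; calling `on_risk_change` then discards that device's cached answers so the next query is re-evaluated against the new score.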
Description
BACKGROUND
The Domain Name System (DNS) associates various pieces of information with identification strings which are known as Uniform Resource Locators (URLs). In particular, the DNS translates between URL domain names and IP addresses in a computing system, such as in the public internet (a.k.a. Internet) or IP addresses in a private network. IP stands for Internet Protocol, which is a widely used computer communications protocol. The DNS has been an important part of the Internet for decades. Although the DNS is widely used in various versions, and although multiple improvements have been made in the DNS over the years, additional beneficial improvements are still possible.
SUMMARY
Some embodiments described herein address technical challenges arising from cybersecurity weaknesses involving Domain Name System (DNS) operations, such as operations to translate or map a domain name to an IP address. Translation or mapping of a domain name to an IP address is also called “resolution” of the domain name. In computing systems lacking various security enhancements taught herein, domain name resolution and other DNS operations have been allowed to proceed even when, in hindsight, proceeding conflicts with security goals or other security enforcement measures. In one scenario, computing system security (a.k.a. cybersecurity) is weakened when an employee still has full access to a confidential internal application even after the employee's account was flagged for unauthorized exfiltration activity. In another scenario, security is weakened when a confidential internal network address is leaked to a public server. In a third scenario, security is weakened when a domain name resolution request from a user account is fulfilled after the authentication lifetime of the user account has expired. These are merely example scenarios; one of skill will also recognize the applicability of teachings herein to many other scenarios.
Some embodiments enhance the security of domain name resolution and other DNS operations, by automatically intercepting the DNS operation (i.e., intercepting an electronic communication which is a part of the operation), determining a device identity associated with the DNS operation, ascertaining a user identity associated with the DNS operation, and enforcing a security policy against the DNS operation. The enforcing is based on at least the DNS operation and the device identity, or on at least the DNS operation and the user identity, or both. Some examples of DNS operations include resolution requests, reverse lookups which map from IP addresses to domain names, attempts to access a DNS record, mail server mappings, redirection operations, forwarding operations, and operations which access or configure a DNS record cache. In some embodiments, the enforcing includes at least one of: preventing a result requested by the DNS operation, permitting computational progress toward the result requested by the DNS operation, allowing a different result than the result requested by the DNS operation, modifying a DNS record, or flushing at least a portion of a cache containing at least one DNS record. In some embodiments, enforcing a DNS operation security policy utilizes or implements a conditional access security functionality, thereby providing a secure conditional DNS operation, e.g., a secure conditional domain name resolution. Other technical activities and characteristics pertinent to teachings herein will also become apparent to those of skill in the art. The examples given are merely illustrative. This Summary is not intended to identify key features or essential features of the claimed subject matter, nor is it intended to be used to limit the scope of the claimed subject matter. Rather, this Summary is provided to introduce, in a simplified form, some technical concepts that are further described below in the Detailed Description.
Subject matter scope is defined with claims as properly understood, and to the extent this Summary conflicts with the claims, the claims should prevail.
BRIEF DESCRIPTION OF THE DRAWINGS
A more particular description will be given with reference to the attached drawings. These drawings only illustrate selected aspects and thus do not fully determine coverage or scope.
FIG. 1 is a diagram illustrating aspects of computer systems and also illustrating configured storage media, including some aspects generally suitable for systems which provide domain name system operation security functionality;
FIG. 2 is a block diagram illustrating aspects of a family of enhanced systems which are each configured with domain name system operation security functionality;
FIG. 3 is a block diagram illustrating aspects of another family of systems which are each enhanced with domain name system operation security functionality;
FIG. 4 is a block diagram illustrating some aspects of secured domain name system operations;
FIG. 5 is a data flow diagram illustrating some aspects of domain name s