One of the foundations of Internet communications is the Domain Name System (DNS), which enables applications to find resources on the Internet by hostname. Hostnames are human-friendly names for servers, as opposed to the Internet Protocol addresses used to route data, which are written in dot-decimal notation as numeric labels separated by full stops.
It is known that a conventional DNS server may select from a plurality of equivalent mirrored hosts to improve performance by choosing a host according to network topology. Thus an instance of a mirrored host that has a high-bandwidth, low-latency connection to the client is the conventional selection for optimizing perceived responsiveness. Similarly, if too much traffic is loading down a specific host, a conventional load-balancing DNS server may select from less loaded hosts, which can provide a better user experience. In both cases the DNS server provides every requestor with an IP address and selects that IP address according to effective or estimated network latency.
A conventional DNS server responds with an IP address when a query is made. The authoritative DNS server will give a response to whoever makes a request. The response is the proper IP address of a machine which hosts the specified service for the requested domain. Examples are the A record for websites and the MX record for mail. Unless otherwise configured, a conventional DNS server will attempt to find data it does not have by making a recursive query to another DNS server.
The term policy as used in the present application is consistent with its meaning to those skilled in the art of network management. The Internet Society has provided the following definitions in RFC 3198, Terminology for Policy-Based Management, A. Westerinen et al., (c) 2001 Network Working Group:
Definition List 1

outsourced policy: An execution model where a policy enforcement device issues a query to delegate a decision for a specific policy event to another component, external to it.

policy: A set of rules to administer, manage, and control access to network resources.

policy condition: A representation of the necessary state and/or prerequisites that define whether a policy rule's actions should be performed. This representation need not be completely specified, but may be implicitly provided in an implementation or protocol. When the policy condition(s) associated with a policy rule evaluate to TRUE, then (subject to other considerations such as rule priorities and decision strategies) the rule should be enforced. A rule's conditions can be expressed as either an ORed set of ANDed sets of statements (disjunctive normal form), or an ANDed set of ORed sets of statements (conjunctive normal form). Individual condition statements can also be negated.

policy repository: A specific data store that holds policy rules, their conditions and actions, and related policy data. A database or directory would be an example of such a store.

policy rule: A basic building block of a policy-based system. It is the binding of a set of actions to a set of conditions, where the conditions are evaluated to determine whether the actions are performed.

rule based engine: A rule based engine is able to evaluate policy condition(s) and trigger appropriate policy actions.
It is known that the architecture of conventional DNS servers is susceptible to an attack called cache poisoning. In this attack, one or more DNS clients under the control of the attacker flood a DNS server with queries to force it to start many transactions with authoritative servers, while the attacker simultaneously floods the DNS server with forged replies.
A conventional DNS server will provide a reply to any client sending a request for which it has stored resource records of the correct type. A conventional DNS server can be configured to cache resource records for queries it has resolved previously. A conventional DNS server can be an authoritative server for certain domains and hold multiple resource records of a single type for a domain for load-balancing purposes. A conventional DNS server can be configured to randomly select one, or to send all, of the resource records of a single type for load-balancing purposes in response to any query from any source.
By analogy, consider the telephone system, where any caller may dial any mobile telephone number, yet mobile telephone numbers are not listed in the white pages of the telephone directory. DNS is similar to the directory or white pages: any number can call any other number, but not all numbers are listed in the directory, just as not all IP addresses have to be listed in DNS. Consider further that if the telephone directory could provide a different number depending on who was looking it up and under what circumstances, fewer unwanted calls would be connected. This is similar to a secretary who may or may not give out the boss's number depending on who the requester is and the circumstances. These circumstances and the identity of the requester make up a policy.
The intentional openness of the DNS architecture makes it usable by malicious intruders, spammers, and denial-of-service attackers. Under many circumstances it may be desirable to give different responses to DNS requests according to the source of the DNS query. Examples include excluding suspected bad actors from finding your hosts, preventing delivery of spam, excluding competitors from accessing your product support downloads and documentation, preventing agents of foreign powers from attempting to access your network, and protecting your DNS server from bogus queries designed to poison its cache.
What is needed is a system, apparatus, and method for DNS servers to select from a plurality of potential DNS replies according to the source of the query and other circumstances, including but not limited to the ability to ignore certain senders of DNS queries.
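A worked example, added here and not part of the application, of a rule-based engine in the sense of the RFC 3198 definitions above, choosing among DNS replies (or ignoring the query) according to the source of the query as the last two paragraphs describe. The zone records, address ranges and rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed zone data: two equivalent mirrored hosts for one name.
ZONE = {("www.example.test", "A"): ["192.0.2.10", "192.0.2.11"]}

@dataclass
class Query:
    source: str  # IP address the query arrived from
    qname: str
    qtype: str

@dataclass
class Rule:
    # Conditions in disjunctive normal form (RFC 3198): a list of ANDed
    # groups, ORed together; each statement is (predicate, negated).
    dnf: list
    action: str  # "ignore" (no reply at all), "refuse", or "answer"
    answer: list = field(default_factory=list)  # records overriding the zone

def src_in(cidr):
    net = ipaddress.ip_network(cidr)
    return lambda q: ipaddress.ip_address(q.source) in net

def qtype_is(t):
    return lambda q: q.qtype == t

def matches(rule, query):
    # A rule fires when any ANDed group has every statement true;
    # a negated statement is true when its predicate is false.
    return any(all(pred(query) != neg for pred, neg in group) for group in rule.dnf)

def resolve(query, rules, zone=ZONE):
    """Return (action, records): first matching rule wins, else the zone answers."""
    for rule in rules:
        if matches(rule, query):
            if rule.action == "answer":
                return ("answer", rule.answer or zone.get((query.qname, query.qtype), []))
            return (rule.action, [])
    return ("answer", zone.get((query.qname, query.qtype), []))

# Constructed policy: silently ignore two blocklisted ranges (an ORed rule),
# give internal clients an internal address, and refuse zone transfers
# requested from anywhere outside the internal network (a negated statement).
RULES = [
    Rule([[(src_in("203.0.113.0/24"), False)], [(src_in("198.51.100.0/24"), False)]], "ignore"),
    Rule([[(src_in("10.0.0.0/8"), False)]], "answer", ["10.1.1.10"]),
    Rule([[(src_in("10.0.0.0/8"), True), (qtype_is("AXFR"), False)]], "refuse"),
]
```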