This invention relates to name resolution technologies. In computer communication networks, several different techniques may be used for identifying resources accessible via the network. These resources may include hosts attached to the network, such as client and server computing devices, as well as networking resources such as routers, gateways, firewalls, and others. In one technique, resources may be identified by one or more identifying numbers, such as a Medium Access Control (MAC) address or Internet Protocol (IP) address. It has been recognized, however, that while these addresses are useful for computer-to-computer communication, users often find it difficult to remember such identifying numbers, and that this difficulty may deter users from accessing network resources. Resources may also, therefore, be additionally or alternatively identified by textual identifiers that are more easily remembered by users. Technologies which implement textual identifiers for identifying resources include NetBIOS, Link-Local Multicast Name Resolution (LLMNR), and the Domain Name System (DNS).
Technologies that offer such textual identifiers may also offer translation services to match a textual identifier, which is easy for the user to remember, to a numeric identifier, which is easier for the computing device to process (or vice versa). In DNS, for example, when a user inputs to a computing device a textual identifier (a “domain name” in DNS) to initiate communication with a resource identified by that domain name, a DNS client on the computing device will query a DNS server to “resolve” the domain name into an IP address. The DNS server, upon receiving a query, will find an IP address corresponding to a domain name, either through information available to it locally or by querying other DNS servers, and return the IP address to the DNS client. The computing device can then initiate communication with the resource using the IP address.
It has been appreciated that some such name resolution technologies could be abused. In DNS, for example, an attacker may be able to misdirect a computing device to the attacker's own resource (e.g., the attacker's server) by responding to a DNS query with the IP address of the attacker's resource before the DNS server responds with the legitimate IP address. The computing device may then be misdirected and will connect to the attacker's resource rather than the legitimate resource. Then, while connected to the attacker's resource, the computing device may disclose data to the attacker or receive bogus data or malware from the attacker.
Some security technologies have been implemented to reduce the likelihood of this scenario by, for example, including randomized identifiers in each of the DNS queries and requiring that they be included in the response to the query, which will deter the attacker from responding with the hoax address unless the attacker is able to guess or detect the randomized identifier of the query. One security technology that has been proposed to solve these security concerns is the Domain Name System Security Extensions (DNSSEC) protocol, implemented with DNS. DNSSEC provides for digital signing of DNS results by certifying authorities (CAs) such that the results can be verified as accurate. Additionally, using DNS or DNSSEC with the Internet Protocol Security (IPsec) protocol has been proposed, to allow for encryption and/or authentication of the communications between a DNS client and a DNS server.
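The randomized-identifier check described above, as an added example that is not part of the patent text: a resolver client picks a fresh 16-bit transaction ID per query and accepts a reply only if it echoes that ID and the original question. All packets here are constructed in memory (no network), and the addresses used are documentation ranges.

```python
import secrets
import struct
from typing import Optional, Tuple

def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = [l.encode("ascii") for l in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name: str, txid: int) -> bytes:
    """Recursive A-record query: 12-byte header carrying `txid`, then one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1; QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def new_query(name: str) -> Tuple[int, bytes]:
    """Draw a random transaction ID for every query, as the text describes."""
    txid = secrets.randbelow(1 << 16)
    return txid, build_query(name, txid)

def build_response(query: bytes, txid: int, ipv4: str) -> bytes:
    """Constructed sample reply (test data only): echoes the query's question and
    answers it with `ipv4`. Passing a wrong `txid` fabricates a mismatched reply."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA; ANCOUNT=1
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # name pointer to offset 12
    return header + query[12:] + rr + bytes(int(o) for o in ipv4.split("."))

def response_matches(query: bytes, response: bytes) -> bool:
    """Accept a reply only if it is flagged as a response, carries the query's
    transaction ID, and repeats the query's question section byte for byte."""
    if len(query) < 12 or len(response) < 12:
        return False
    q_id, _, q_qd = struct.unpack("!HHH", query[:6])
    r_id, r_flags, r_qd = struct.unpack("!HHH", response[:6])
    if q_id != r_id or not (r_flags & 0x8000) or q_qd != 1 or r_qd != 1:
        return False
    question = query[12:]
    return response[12:12 + len(question)] == question

def answer_ipv4(response: bytes, query: bytes) -> Optional[str]:
    """Return the A record from a reply, but only after it passes the check above;
    a reply with a guessed-wrong ID or a different question yields None."""
    if not response_matches(query, response):
        return None
    rr = response[len(query):]  # first answer RR follows the echoed question
    name_len = 2 if rr[0] & 0xC0 == 0xC0 else rr.index(b"\x00") + 1
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", rr[name_len:name_len + 10])
    if (rtype, rclass, rdlen) != (1, 1, 4):
        return None
    return ".".join(str(b) for b in rr[name_len + 10:name_len + 14])
```

A real client would additionally randomize the UDP source port, which multiplies the space an attacker must guess; the ID check alone is what this block demonstrates.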