US10785192B2 - Methods and systems for secure DNS routing - Google Patents

Methods and systems for secure DNS routing

Info

Publication number: US10785192B2
Authority: US (United States)
Prior art keywords: server, hostname, address, psm, secure
Legal status: Active, expires (status as listed by Google Patents, not a legal conclusion)
Application number: US15/907,796
Other versions: US20190268309A1 (en)
Inventors: Jagan Govindarajan, Gopikumar Ranganathan, Jayachandrakumar Konduru, Roopesh Gottipati
Current assignee: Dish Network Technologies India Pvt Ltd (as listed by Google Patents)
Original assignee: Sling Media Pvt Ltd

Legal events
  • Application US15/907,796 filed by Sling Media Pvt Ltd (priority to US15/907,796, patent US10785192B2)
  • Assigned to SLING MEDIA PVT. LTD. (assignment of assignors' interest; assignors: GOTTIPATI, ROOPESH; GOVINDARAJAN, JAGAN; KONDURU, JAYACHANDRAKUMAR; RANGANATHAN, GOPIKUMAR)
  • Priority to PCT/IN2019/050117 (patent WO2019167056A1)
  • Publication of US20190268309A1
  • Priority to US16/992,357 (patent US11546305B2)
  • Application granted; publication of US10785192B2
  • Assigned to DISH NETWORK TECHNOLOGIES INDIA PRIVATE LIMITED (change of name; assignor: SLING MEDIA PVT. LTD.)
  • Legal status: Active; adjusted expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 for separating internal from external traffic, e.g. firewalls
        • H04L63/0272 Virtual private networks
        • H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks
        • H04L63/10 for controlling access to devices or network resources
        • H04L63/12 Applying verification of the received information
        • H04L63/126 Applying verification of the source of the received data
        • H04L63/16 Implementing security features at a particular protocol layer
        • H04L63/168 Implementing security features above the transport layer
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
        • H04L61/45 Network directories; Name-to-address mapping
        • H04L61/4505 using standardised directories; using standardised directory access protocols
        • H04L61/4511 using domain name system [DNS]
        • H04L61/50 Address allocation
        • H04L61/5076 Update or notification mechanisms, e.g. DynDNS
        • H04L61/1511
        • H04L61/2076
        • H04L61/304
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
        • H04L9/06 the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
        • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC
        • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/01 Protocols
        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L2101/00 Indexing scheme associated with group H04L61/00
        • H04L2101/30 Types of network names
        • H04L2101/33 Types of network names containing protocol addresses or telephone numbers

Definitions

  • a method for performing secure domain name system (DNS) routing may include generating, by an authorized device, a secure signature using an internet protocol (IP) address of the authorized device.
  • the method may include generating, by the authorized device, an encoded character string that comprises the IP address.
  • the method may include publishing, by the authorized device, a hostname.
  • the hostname may be constructed using the secure signature, the encoded character string, and a designated domain name.
  • the method may include receiving, by the domain name server from an end-user device, a request for an IP address mapped to the hostname.
  • the method may include validating, by the domain name server, the hostname using the secure signature.
  • the method may include decoding, by the domain name server, the IP address of the authorized device from the encoded character string at least partially in response to the hostname being validated by the domain name server.
  • the method may include transmitting, by the domain name server to the end-user device, the IP address decoded from the encoded character string at least partially based on the hostname being validated and the request for the IP address.
  • Embodiments of such a method may include one or more of the following features:
  • Validating the hostname may include determining whether the secure signature was generated using an authorized key.
  • the domain name server may decode the IP address of the authorized device from the encoded character string without using a database that maps uniform resource locators (URLs) to IP addresses.
  • the method may include creating a subdomain comprising the encoded character string and the secure signature.
  • the hostname may include the created subdomain and the designated domain name.
  • the authorized device may be a private media server.
  • the method may include receiving, by the authorized device at the IP address from the end-user device, a request to stream television programming.
  • the method may include storing, by the authorized device, a key for use in generating the secure signature.
  • the secure signature may be generated by the authorized device using the stored key.
  • the request for the IP address mapped to the hostname may be received as part of an HTTPS (Hypertext Transfer Protocol Secure) request.
  • the IP address may be decoded
  • a system for performing secure domain name system (DNS) routing may include a private media server that streams video and audio content to one or more client devices.
  • the private media server may be configured to generate a secure signature using an internet protocol (IP) address of the authorized device.
  • the private media server may be configured to generate an encoded character string that comprises the IP address.
  • the private media server may be configured to publish a hostname.
  • the hostname may be constructed using the secure signature, the encoded character string, and a designated domain name.
  • the system may include a domain name server that provides DNS routing for one or more domains.
  • the domain name server may be configured to receive, from a client device, a request for an IP address mapped to the hostname.
  • the domain name server may be configured to validate the hostname using the secure signature.
  • the domain name server may be configured to decode the IP address of the authorized device from the encoded character string at least partially in response to the hostname being validated by the domain name server.
  • the domain name server may be configured to transmit the IP address decoded from the encoded character string to the client device at least partially based on the hostname being validated and the request for the IP address.
  • Embodiments of such a system may include one or more of the following features:
  • the domain name server being configured to validate the hostname may include the domain name server being configured to determine whether the secure signature was generated using an authorized key.
  • the domain name server may decode the IP address of the authorized device from the encoded character string without using a database that maps uniform resource locators (URLs) to IP addresses.
  • the private media server may be configured to create a subdomain comprising the encoded character string and the secure signature.
  • the hostname may include the created subdomain and the designated domain name.
  • the private media server may be configured to receive, via the IP address from the client device, a request to stream television programming.
  • the system may include storing, by the authorized device, a key for use in generating the secure signature.
  • the secure signature may be generated by the authorized device using the stored key.
  • the request for the IP address mapped to the hostname may be received as part of an HTTPS (Hypertext Transfer Protocol Secure) request.
  • the IP address may be de
  • an apparatus for performing secure domain name system (DNS) routing may include means for generating a secure signature using an internet protocol (IP) address of the authorized device.
  • the apparatus may include means for generating an encoded character string that comprises the IP address.
  • the apparatus may include means for publishing a hostname of an authorized device.
  • the hostname may be constructed using the secure signature, the encoded character string, and a designated domain name.
  • the apparatus may include means for validating the hostname using the secure signature.
  • the apparatus may include means for decoding the IP address of the authorized device from the encoded character string at least partially in response to the hostname being validated by the domain name server.
  • the apparatus may include means for transmitting, to the end-user device, the IP address decoded from the encoded character string at least partially based on the hostname being validated and the request for the IP address.
  • Embodiments of such an apparatus may include one or more of the following features:
  • the means for validating the hostname may include means for determining whether the secure signature was generated using an authorized key.
  • the means for decoding the IP address of the authorized device from the encoded character string may function without using a database that maps uniform resource locators (URLs) to IP addresses.
  • FIG. 1 illustrates an embodiment of a system for performing secure domain name system (DNS) routing without a database.
  • FIG. 2 illustrates another embodiment of a system for performing secure DNS routing without a database.
  • FIG. 3 illustrates an embodiment of a method for performing secure DNS routing.
  • FIGS. 4A and 4B illustrate another embodiment of a method for performing secure DNS routing.
  • the request for the secure session may be routed through a domain name system (DNS) server.
  • DNS servers such as a root name server and name servers associated with a top and second level domain may be contacted in order to determine an internet protocol (IP) address that is associated with a particular hostname.
  • a name server that is specific to a particular top and second level domain may be present, such as for “mediaservers.org.” This name server may be tasked with storing and providing IP addresses for hostnames within “mediaservers.org.”
  • This name server may be specifically used to route connection requests from client devices to private streaming media servers that are operated by individual users.
  • the name server may publish hostnames for the private media servers operating within a private network, such as a home local area network (LAN). It may be desirable for such a name server to function securely in that the device operating within the home local area network is authenticated to be a private streaming media server that has access rights to use the DNS name server and an associated relay server. It may also be desirable for the DNS name server to function efficiently.
  • One possible way to make the DNS name server function more efficiently is to not have the DNS name server maintain a database that maps IP addresses of devices (e.g., private streaming media servers) to hostnames. Rather, the IP address can be determined by the DNS name server from the hostname itself.
  • the DNS name server can receive and publish a hostname, evaluate the hostname to determine if it was provided by an authorized device, and, in response to a request indicating the hostname, determine an IP address for the associated device (e.g., private streaming media server) from the hostname.
  • FIG. 1 illustrates an embodiment of a system 100 for performing secure domain name system (DNS) routing without a database.
  • System 100 may include: relay server (RS) system 110 ; streaming media (SM) client 120 ; private streaming media (PSM) server 130 ; private networks 140 ( 140 - 1 and 140 - 2 ); Internet 150 ; and DNS name server 160 .
  • PSM server 130 may be a computerized device that receives television programming via one or more television distribution networks (e.g., cable, satellite, OTT, OTA), encodes the received video and audio, and stores and/or streams such encoded television programming to an SM client (which can be located locally as part of the same private network or remote and accessible via the Internet).
  • PSM server 130 may also be called a television streaming media device.
  • PSM server 130 may be a Slingbox® made by Sling Media®.
  • PSM server 130 may be operated in association with a particular user account. That is, the media recorded and/or streamed live by PSM server 130 may only be permitted to be viewed by a particular user or users who have access to a particular user account linked with the entity operating RS system 110 .
  • PSM server 130 may be owned and operated by the particular user or users and may reside in a residence where the user receives television programming.
  • PSM server 130 may be a computerized device and, therefore, may include one or more processors, one or more non-transitory computer readable mediums (e.g., memories, hard drives, solid state drives), one or more communication buses, one or more wired and/or wireless network interfaces, or one or more input ports to receive television programming (e.g., an HDMI port, a coaxial antenna port, component inputs, optical input, etc.).
  • PSM server 130 can be part of private network 140 - 2 .
  • Private network 140 - 2 may serve as a barrier between the local trusted private network and the Internet.
  • Private network 140 - 2 may only permit outgoing network traffic and may block incoming communication requests. Therefore, for a device, such as PSM server 130 , to communicate with a device located outside of private network 140 - 2 , an outgoing communication session may be required to be established by PSM server 130 .
  • An incoming request that is unassociated with a previously-established outbound communication session may be prohibited by a gateway device of private network 140 - 2 .
  • Such a gateway device may be a wired or wireless router, or some other form of access point (AP) that serves as an interface between a LAN and an internet service provider (ISP).
  • PSM server 130 may not be part of a private network.
  • SM client 120 may be a computerized device that can output media for presentation. SM client 120 may directly output media for presentation, such as via an integrated speaker, integrated display screen, and/or integrated wired headphone jack or wireless headphone interface (e.g., a Bluetooth® interface). SM client 120 may be a computerized device and, therefore, also includes one or more processors, one or more non-transitory computer readable mediums (e.g., memories, hard drives, solid state drives), one or more communication buses, and one or more wired and/or wireless network interfaces. SM client 120 may be a smartphone, tablet computer, smart television, laptop computer, desktop computer, or gaming device.
  • SM client 120 is a device intended to be connected with a separate video and/or audio presentation device.
  • SM client 120 may not have an integrated display screen and/or integrated speaker, but rather may connect to another presentation device, such as a television for presenting received streaming media.
  • SM client 120 may function within private network 140 - 1 .
  • Private network 140 - 1 may function similarly to private network 140 - 2 .
  • Private network 140 - 1 may be separate and distinct from private network 140 - 2 .
  • private network 140 - 1 may be located at a different residence than private network 140 - 2 .
  • private network 140 - 1 may be located in a location other than a residence.
  • RS system 110 may have an address, such as a URL, and may serve as an intermediary for communication between SM client 120 and PSM server 130 .
  • This URL may be translated by DNS name server 160 to point to an IP address (and, possibly, port) of PSM server 130 or of relay server system 110 that has been linked with PSM server 130 .
  • SM client 120 and PSM server 130 may communicate with RS system 110 and DNS name server 160 via Internet 150 .
  • one or more additional private or public networks are included as part of the communication path between SM client 120 and RS system 110 and/or PSM server 130 and RS system 110 .
  • SM client 120 may not be part of private network 140 - 1 .
  • SM client 120 may be a first computer system and PSM server 130 may be a second computer system.
  • DNS name server 160 may receive a request from SM client 120 directly or after SM client 120 has contacted one or more other DNS servers, which have, in turn, instructed SM client 120 to contact DNS name server 160 .
  • DNS name server 160 may be responsible for only DNS routing within a particular top and second level domain. For instance, DNS name server 160 may receive all DNS requests for “particularwebsite.com.”
  • DNS name server 160 may not store or maintain a database that links IP addresses with hostnames. While SM client 120 may provide DNS name server 160 with a requested hostname, DNS name server 160 does not perform a lookup of an IP address. Rather, the IP address can be determined using only information that is present within the hostname.
  • the IP address provided by DNS name server 160 may be: 1) an IP address (and, possibly, port) of RS system 110 that has been linked with PSM server 130 ; or 2) the IP address (and, possibly, port) of PSM server 130 directly.
  • Option 1 may be used if a firewall is used to block in-bound connection requests to a private network in which PSM server 130 is located.
  • Option 2 may be used if in-bound connection requests to PSM server 130 are permitted.
  • RS system 110 may serve to relay communications between PSM server 130 and SM client 120 .
  • Such a relay of communications may include requests for media being routed from SM client 120 to PSM server 130 via RS system 110 and encrypted streaming media being routed from PSM server 130 to SM client 120 via RS system 110 .
  • an outbound communication session from PSM server 130 may be required to be established with RS system 110 . This requirement may be present due to PSM server 130 functioning as a part of private network 140 - 2 , which blocks incoming communication requests.
  • PSM server 130 may maintain a persistent communication path with RS system 110 by periodically or occasionally establishing an outgoing communication session with RS system 110 .
  • RS system 110 may be a group of one or more server systems that include one or more processors, one or more non-transitory computer readable mediums (e.g., memories, hard drives, solid state drives), one or more communication buses, and one or more wired and/or wireless network interfaces.
  • SM client 120 and PSM server 130 are typically owned by the same user.
  • a user may install and configure PSM server 130 at his residence to receive, record, and stream television programming. The user may then use SM client 120 at a remote location to be able to access the media recorded and streaming from PSM server 130 . Therefore, while SM client 120 and PSM server 130 are functioning as part of distinct private networks, these devices can be owned and operated by the same user and, thus, a single username and password may be used to access PSM server 130 .
  • FIG. 2 illustrates another embodiment of a system 200 for performing secure DNS routing without a database.
  • System 200 can represent a more detailed embodiment of system 100 of FIG. 1 .
  • secure streaming media relay server (SSMRS) system 210 and DNS name server 230 are present.
  • private network 140 - 1 is created by router 220 - 1 .
  • Router 220 - 1 may be a wired or wireless router that communicates with Internet 150 via an ISP.
  • Router 220 - 1 may communicate using some form of ISP interface, such as a cable modem, fiber optic modem, or digital subscriber line (DSL) modem.
  • Router 220 - 1 may function as a gateway device that creates a firewall that prevents inbound communication requests from being established with SM client 120 .
  • Router 220 - 1 may permit outbound communication requests from SM client 120 to devices accessible via the Internet 150 , such as SSMRS system 210 .
  • router 220 - 2 may create private network 140 - 2 .
  • Private network 140 - 2 may function similarly to private network 140 - 1 , such that outbound communication sessions from PSM server 130 are permitted, but inbound communication sessions are blocked.
  • a secure communication session, such as an HTTPS communication session, between PSM server 130 and SM client 120 may be established in order to permit media to be transmitted from PSM server 130 to SM client 120 .
  • This secure media session may be established such that packets of media encrypted by HTTPS server 242 , executed by PSM server 130 , are passed (possibly encrypted) by SSMRS system 210 to HTTPS client 232 , which is executed by SM client 120 .
  • the encrypted data packets are passed from HTTPS server 242 to SSMRS system 210 .
  • SSMRS system 210 readdresses the encrypted packets (without decrypting the data within the encrypted packets) and transmits the encrypted stream media data packets to HTTPS client 232 .
  • encrypted streaming media (that is not decrypted by SSMRS system 210 ) is passed from HTTPS server 242 to HTTPS client 232 via Internet 150 and SSMRS system 210 .
  • the secure communication session can be established through SSMRS system 210 . Further, an HTTPS communication session may be required to be established via a DNS name server (rather than directly to a particular IP address). DNS name server 230 may be in communication with systems and devices via Internet 150 .
  • PSM server 130 may include HTTPS server 242 , IP encoder 244 , signature generator 246 , and secure key 248 .
  • IP encoder 244 may serve to encode an IP address of PSM server 130 (the address through which external devices, such as SSMRS system 210 , can communicate with PSM server 130 ) into an encoded string of characters. This encoded string of (e.g., alphanumeric) characters may be decodable by another device that has access to the algorithm according to which encoding was performed by IP encoder 244 .
  • IP encoder 244 may be in the form of software, hardware, or firmware that performs encoding according to a particular algorithm. In some embodiments, rather than encoding the IP address, the IP address may be maintained in an encoded form.
  • Signature generator 246 may generate an encrypted signature using the IP address of PSM server 130 .
  • Signature generator 246 may use stored secure key 248 to generate the signature. Similar to the encoded IP address, the signature may be a string of (e.g., alphanumeric) characters.
  • Secure key 248 may be stored such that it cannot easily be accessed by a user or external device.
  • Signature generator 246 and secure key 248 may be in the form of software, hardware, or firmware that performs encryption according to a particular algorithm using secure key 248 .
  • PSM server 130 may generate a third (or higher) level domain name that is to be published to a cloud-based (Internet-based) server, such as published hostname list server 212 .
  • the URL may be: http://<encoded-IP>-<signature>.privatestreamingmediaserver.com.
  • “.com” is the top level domain
  • “privatestreamingmediaserver” is the second level domain
  • “<encoded-IP>-<signature>” is the third level domain.
  • DNS name server 230 may serve as the name server for all subdomains within “privatestreamingmediaserver.com.”
  • PSM server 130 may transmit the generated hostname to published hostname list server 212 .
  • some or all of the various components of the hostname may be transmitted to published hostname list server 212 , which may then generate the hostname for publishing.
  • SM client 120 can contact published hostname list server 212 to determine a hostname from which SM client 120 is to request content. SM client 120 may then use the retrieved hostname to contact DNS name server 230 to obtain an IP address for PSM server 130 .
  • Published hostname list server 212 may include a stored, published hostname list, which may be stored to a non-transitory processor-readable medium. In some embodiments, rather than a hostname list being hosted by published hostname list server 212 , the published hostname list may be stored elsewhere in the cloud and accessible via the Internet.
  • the published hostname list may include hostnames that have been received from various PSM servers 130 .
  • DNS name server 230 may serve as the name server for hundreds or thousands of PSM servers operating within a particular second level domain (which may also be the same second level domain as SSMRS system 210 ).
  • the published hostname list can include hostnames, but such hostnames are not explicitly mapped to a stored IP address.
  • no database maintained by DNS name server 230 maps IP addresses of PSM servers to hostnames of PSM servers.
  • the published hostname list does not need to be maintained because the IP address and whether the PSM server is authorized can be determined based on the hostname received from requesting SM client 120 .
  • Additional information such as user registration details, PSM server identifiers, and WAN IP addresses corresponding to the PSM servers may be stored at DNS name server 230 and/or elsewhere accessible via Internet 150 .
  • DNS name server 230 determines the IP address of a PSM server 130 by decoding the encoded IP address portion of the hostname.
  • IP decoder engine 216 may decode the portion of the hostname that represents the encoded IP address (as encoded by IP encoder 244 ).
  • Signature verification engine 214 may have access to the same secure key as secure key 248 , or to a corresponding secure key, that can be used to decrypt or verify the secure signature included as part of the hostname.
  • Signature verification engine 214 may be used to determine if PSM server 130 , which supplied the hostname or portions of the hostname, is an authorized device that is permitted to have its hostname published by DNS name server 230 .
  • Signature verification engine 214 may verify a signature: 1) on receipt of the hostname or partial hostname from PSM server 130 ; 2) some time after receipt but prior to receiving a request for the hostname from SM client 120 ; or 3) in response to a request for the hostname from SM client 120 .
  • If signature verification engine 214 does not verify the signature of a hostname, the hostname may be removed from the published hostname list. Alternatively, a request for an IP address linked with an unauthorized hostname may result in either no response being transmitted by DNS name server 230 or in an error message being transmitted to the requesting SM client.
  • DNS name server 230 may decode the IP address from the hostname and provide the IP address to SM client 120 if the signature was determined to be valid and associated with an authorized device.
  • the IP address (and possibly port) provided by DNS name server 230 may refer to SSMRS system 210 which may, in turn, be configured to forward or otherwise route data to PSM server 130 .
  • the IP address (and possibly port) provided by DNS name server 230 may refer directly to PSM server 130 .
  • DNS name server 230 may be incorporated as part of SSMRS system 210 in some embodiments.
  • SSMRS system 210 and PSM server 130 part of the same top and second level domain, the HTTPS session request from SM client 120 can be validly rerouted to PSM server 130 .
  • PSM server 130 may be assigned a domain by DNS linked with SSMRS system 210 of “PSM_identifier.streamingmediaserver.org” by DNS server 218 in which “PSM_identifier” (which could include both the encoded IP address and signature) uniquely identifies PSM server 130 from other PSM servers that may be communicating with SSMRS system 210 .
  • FIG. 3 illustrates an embodiment of a method for performing secure DNS routing.
  • Each step of method 300 may be performed using either system 100 or system 200 of FIGS. 1 and 2 , respectively.
  • Method 300 may be used for having a DNS name server securely route an IP request for a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server).
  • A secure signature may be generated based on an IP address.
  • This signature may be generated by a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server).
  • The secure signature may be generated by encrypting or hashing the IP address of PSM server 130 (or the IP address of router 220-2 or some other device functioning as the gateway to private network 140-2).
  • In other embodiments, PSM server 130 may not be part of a private network.
  • Generation of the signature may include encrypting or hashing the IP address using a secure key, such as secure key 248.
  • The signature may be composed of numbers, letters, or a mix of alphanumeric characters.
  • In some embodiments, a hash-based message authentication code (HMAC) is used. This arrangement allows for simultaneous verification of data integrity and authentication of the message.
  • The underlying cryptographic function may be MD5, SHA-1, or some other function. (For a new deployment, a SHA-2 function such as SHA-256 is the conventional choice; MD5 and SHA-1 are deprecated for general use, although the security of HMAC does not rest on the collision resistance of its hash function.)
  • An encoded IP address may be created.
  • This encoded IP address may be created by the PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server) or by the DNS name server itself. Encoding may involve obscuring the IP address using a predefined algorithm in such a way that the IP address can be decoded by the DNS name server. Because anyone who knows the algorithm can reverse it, the encoding provides a hostname-safe representation rather than confidentiality; authorization rests on the signature.
  • The encoded IP address may be composed of numbers, letters, or a mix of alphanumeric characters.
  • A hostname may be created by the PSM server.
  • The hostname may include the encoded IP address and the signature.
  • The hostname may also include a stored and predefined first and second level domain.
  • The third, fourth, or higher level domain may be a combination of the encoded IP address and the signature.
  • For example, the format may be: “<encoded IP>-<signature>.predefineddomain.com” or “<signature><encoded IP>.predefineddomain.com.” (The second form, having no separator, requires the signature or the encoded IP address to have a fixed length so that the two parts can be split apart.)
  • This hostname may also be created by the DNS name server based on the signature and/or encoded IP address being provided by the PSM server.
  • The IP address may be decoded by the DNS name server from the hostname. By decoding the IP address of the PSM server from the hostname, the DNS name server does not need to maintain a database that maps IP addresses to hostnames.
  • The hostname may be authenticated by the DNS name server.
  • The DNS name server may authenticate whether the signature corresponds to an authorized device. Only devices that have access to the secure key may be authorized devices.
  • The signature may be obtained by the DNS name server from the hostname and evaluated using a locally stored copy of the key, or a corresponding key, that permits verification. For instance, the keys may be a public/private key pair. In other embodiments, an arrangement such as HMAC may be used, as previously described.
  • The IP address decoded from the hostname may be provided to the SM client (or whatever type of electronic device requested an IP address from the DNS name server).
  • The IP address may only be provided by the DNS name server if authentication at block 350 determined that the PSM server is an authorized device by verifying the appended signature. Otherwise, a valid IP address may not be provided.
  • FIGS. 4A and 4B illustrate another embodiment of a method 400 for performing secure DNS routing.
  • Method 400 can represent a more detailed embodiment of method 300 of FIG. 3 .
  • Each step of method 400 may be performed using either system 100 or system 200 of FIGS. 1 and 2 , respectively.
  • Method 400 may be used for having a DNS name server securely route an IP request for a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server).
  • A secure signature may be generated based on an IP address.
  • This signature may be generated by a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server).
  • The secure signature may be generated by hashing (e.g., using a MAC/HMAC) or encrypting the IP address of PSM server 130 (or the IP address of router 220-2 or some other device functioning as the gateway to private network 140-2).
  • In other embodiments, PSM server 130 may not be part of a private network.
  • Generation of the signature may include encrypting or keyed-hashing the IP address using a secure key, such as secure key 248.
  • The signature may be composed of numbers, letters, or a mix of alphanumeric characters.
  • The IP address may be encoded so that it is represented in alphanumeric characters that can be used to build a valid hostname.
  • A hostname may be created by the PSM server.
  • The hostname may include the encoded IP address and the generated secure signature.
  • The hostname may also include stored and predefined first and second level domains.
  • The third, fourth, or higher level domain may be a combination of the encoded IP address and the signature.
  • The generated hostname may be transmitted to, or “published to,” a cloud-based server, such as a published hostname list server, relay server system, or some other Internet-accessible server system.
  • This generated hostname may be accessible by the DNS name server to allow the DNS name server to respond to requests for an IP address associated with the hostname.
  • The hostname may be stored and published as part of a hostname list. Once the hostname is stored as part of the listing, it has been published and can, potentially, result in a response including an IP address if the hostname is requested by a client.
  • A request from a client device, such as an SM client, may be received that specifies the hostname.
  • This request may be expecting an IP address (and, possibly, a port) at which the PSM server can be contacted to be received in response.
  • This IP address (and possibly port) may correspond to a relay server, directly to the PSM server, or to a gateway device that enforces a private network in which the PSM server operates (e.g., router 220-2).
  • The IP address may be decoded from the encoded IP address included as part of the hostname that is stored by the DNS name server (or as received from the requesting client device). As such, no database mapping IP addresses to hostnames needs to be maintained by the DNS name server. Block 435 may involve an algorithm being used to decode the encoded IP address included in the hostname. Decoding before verification is harmless so long as the decoded address is not transmitted until the signature has been verified at block 440.
  • The secure signature of the hostname may be verified by the DNS name server.
  • The DNS name server may determine whether the signature corresponds to an authorized device. Only devices that have access to the secure key may be authorized devices.
  • The signature may be obtained by the DNS name server from the hostname and evaluated using a locally stored copy of the key, or a corresponding key, that permits verification of the signature. For instance, the keys may be a public/private key pair, or a fixed key may be used to calculate a MAC/HMAC.
  • In some embodiments, the secure signature is verified in response to the request of block 430. In other embodiments, the secure signature is verified prior to the request, such as prior to or following block 425. If the signature is not verified, block 445 is performed, in which an error, such as a “name not resolved” error, may be transmitted in response to the request to the client device. In other embodiments, no response or a different type of error message may be provided.
  • If the signature is verified, method 400 may proceed to block 450.
  • The decoded IP address may be transmitted to the client from which the request was received.
  • The received IP address may be used by the client to initiate streaming of media between the PSM server and the SM client device. More generally, the IP address can be used to establish a secure or unsecure communication session, possibly via a relay server, between the two devices.
  • Some configurations may be described as a process which is depicted as a flow diagram or block diagram. Although each may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be rearranged. A process may have additional steps not included in the figure.
  • Examples of the methods may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware, or microcode, the program code or code segments to perform the necessary tasks may be stored in a non-transitory computer-readable medium such as a storage medium. Processors may perform the described tasks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Various arrangements for performing secure domain name system (DNS) routing are presented. A secure signature may be generated using an internet protocol (IP) address of an authorized device. An encoded character string may be generated that comprises the IP address. The domain name server may receive a request for an IP address mapped to the hostname. The hostname may be validated using the secure signature. The IP address of the authorized device may be decoded from the encoded character string at least partially in response to the hostname being validated by the domain name server. The IP address decoded from the encoded character string may be transmitted at least partially based on the hostname being validated and the request for the IP address.

Description

CROSS-REFERENCES TO RELATED APPLICATIONS
This Application is related to U.S. patent application Ser. No. 15/907,463, filed on Feb. 28, 2018, entitled “Replaying Media Content via a Relay Server System Without Decryption,” the entirety of which is hereby incorporated by reference for all purposes.
BACKGROUND
Network-enabled devices that allow for the recording and storage of media are becoming commonplace. Such devices allow for the streaming or transmission of media across the Internet for playback at a remote network-enabled playback device. In order for an end-user device to be able to access a media server, the end-user device may need to determine an Internet protocol (IP) address of the media server. To do this, the end-user device may contact a domain name server.
SUMMARY
Various embodiments are described related to a method for performing secure domain name system (DNS) routing. In some embodiments, a method for performing secure domain name system (DNS) routing is described. The method may include generating, by an authorized device, a secure signature using an internet protocol (IP) address of the authorized device. The method may include generating, by the authorized device, an encoded character string that comprises the IP address. The method may include publishing, by the authorized device, a hostname. The hostname may be constructed using the secure signature, the encoded character string, and a designated domain name. The method may include receiving, by the domain name server from an end-user device, a request for an IP address mapped to the hostname. The method may include validating, by the domain name server, the hostname using the secure signature. The method may include decoding, by the domain name server, the IP address of the authorized device from the encoded character string at least partially in response to the hostname being validated by the domain name server. The method may include transmitting, by the domain name server to the end-user device, the IP address decoded from the encoded character string at least partially based on the hostname being validated and the request for the IP address.
Embodiments of such a method may include one or more of the following features: Validating the hostname may include determining whether the secure signature was generated using an authorized key. The domain name server may decode the IP address of the authorized device from the encoded character string without using a database that maps uniform resource locators (URLs) to IP addresses. The method may include creating a subdomain comprising the encoded character string and the secure signature. The hostname may include the created subdomain and the designated domain name. The authorized device may be a private media server. The method may include receiving, by the authorized device at the IP address from the end-user device, a request to stream television programming. The method may include storing, by the authorized device, a key for use in generating the secure signature. The secure signature may be generated by the authorized device using the stored key. The request for the IP address mapped to the hostname may be received as part of an HTTPS (Hypertext Transfer Protocol Secure) request. The IP address may be decoded exclusively from the encoded character string.
In some embodiments, a system for performing secure domain name system (DNS) routing is described. The system may include a private media server that streams video and audio content to one or more client devices. The private media server may be configured to generate a secure signature using an internet protocol (IP) address of the authorized device. The private media server may be configured to generate an encoded character string that comprises the IP address. The private media server may be configured to publish a hostname. The hostname may be constructed using the secure signature, the encoded character string, and a designated domain name. The system may include a domain name server that provides DNS routing for one or more domains. The domain name server may be configured to receive, from a client device, a request for an IP address mapped to the hostname. The domain name server may be configured to validate the hostname using the secure signature. The domain name server may be configured to decode the IP address of the authorized device from the encoded character string at least partially in response to the hostname being validated by the domain name server. The domain name server may be configured to transmit the IP address decoded from the encoded character string to the client device at least partially based on the hostname being validated and the request for the IP address.
Embodiments of such a system may include one or more of the following features: The domain name server being configured to validate the hostname may include the domain name server being configured to determine whether the secure signature was generated using an authorized key. The domain name server may decode the IP address of the authorized device from the encoded character string without using a database that maps uniform resource locators (URLs) to IP addresses. The private media server may be configured to create a subdomain comprising the encoded character string and the secure signature. The hostname may include the created subdomain and the designated domain name. The private media server may be configured to receive, via the IP address from the client device, a request to stream television programming. The private media server (the authorized device) may store a key for use in generating the secure signature. The secure signature may be generated by the authorized device using the stored key. The request for the IP address mapped to the hostname may be received as part of an HTTPS (Hypertext Transfer Protocol Secure) request. The IP address may be decoded exclusively from the encoded character string.
In some embodiments, an apparatus for performing secure domain name system (DNS) routing is described. The apparatus may include means for generating a secure signature using an internet protocol (IP) address of the authorized device. The apparatus may include means for generating an encoded character string that comprises the IP address. The apparatus may include means for publishing a hostname of an authorized device. The hostname may be constructed using the secure signature, the encoded character string, and a designated domain name. The apparatus may include means for validating the hostname using the secure signature. The apparatus may include means for decoding the IP address of the authorized device from the encoded character string at least partially in response to the hostname being validated by the domain name server. The apparatus may include means for transmitting, to the end-user device, the IP address decoded from the encoded character string at least partially based on the hostname being validated and the request for the IP address.
Embodiments of such an apparatus may include one or more of the following features: The means for validating the hostname may include means for determining whether the secure signature was generated using an authorized key. The means for decoding the IP address of the authorized device from the encoded character string functions without using a database that maps uniform resource locators (URLs) to IP addresses.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 illustrates an embodiment of a system for performing secure domain name system (DNS) routing without a database.
FIG. 2 illustrates another embodiment of a system for performing secure DNS routing without a database.
FIG. 3 illustrates an embodiment of a method for performing secure DNS routing.
FIGS. 4A and 4B illustrate another embodiment of a method for performing secure DNS routing.
DETAILED DESCRIPTION
In order to establish a secure session, such as using the hypertext transfer protocol secure (HTTPS) between a client device and a server device, the request for the secure session may be routed through a domain name system (DNS) server. Multiple DNS servers, such as a root name server and name servers associated with a top and second level domain may be contacted in order to determine an internet protocol (IP) address that is associated with a particular hostname. A name server that is specific to a particular top and second level domain may be present, such as for “mediaservers.org.” This name server may be tasked with storing and providing IP addresses for hostnames within “mediaservers.org.”
This name server may be specifically used to route connection requests from client devices to private streaming media servers that are operated by individual users. The name server may publish hostnames for the private media servers operating within a private network, such as a home local area network (LAN). It may be desirable for such a name server to function securely in that the device operating within the home local area network is authenticated to be a private streaming media server that has access rights to use the DNS name server and an associated relay server. It may also be desirable for the DNS name server to function efficiently. One possible way to make the DNS name server function more efficiently is to not have the DNS name server maintain a database that maps IP addresses of devices (e.g., private streaming media servers) with hostnames. Rather, the IP address can be determined by the DNS name server from the hostname itself. Therefore, the DNS name server can receive and publish a hostname, evaluate the hostname to determine if it was provided by an authorized device, and, in response to a request indicating the hostname, determine an IP address for the associated device (e.g., private streaming media server) from the hostname. Such an arrangement can allow the DNS name server to function securely and/or efficiently.
FIG. 1 illustrates an embodiment of a system 100 for performing secure domain name system (DNS) routing without a database. System 100 may include: relay server (RS) system 110; streaming media (SM) client 120; private streaming media (PSM) server 130; private networks 140 (140-1 and 140-2); Internet 150; and DNS name server 160. PSM server 130 may be a computerized device that receives television programming via one or more television distribution networks (e.g., cable, satellite, OTT, OTA), encodes the received video and audio, and stores and/or streams such encoded television programming to an SM client (which can be located locally as part of the same private network or remote and accessible via the Internet). PSM server 130 may also be called a television streaming media device. An example of a type of PSM server 130 may be a Slingbox® made by Sling Media®. PSM server 130 may be operated in association with a particular user account. That is, the media recorded and/or streamed live by PSM server 130 may only be permitted to be viewed by a particular user or users who have access to a particular user account linked with the entity operating RS system 110. PSM server 130 may be owned and operated by the particular user or users and may reside in a residence where the user receives television programming. PSM server 130 may be a computerized device and, therefore, may include one or more processors, one or more non-transitory computer readable mediums (e.g., memories, hard drives, solid state drives), one or more communication buses, one or more wired and/or wireless network interfaces, or one or more input ports to receive television programming (e.g., an HDMI port, a coaxial antenna port, component inputs, optical input, etc.).
PSM server 130 can be part of private network 140-2. A gateway of private network 140-2 may serve as a barrier between the trusted local network and the Internet. Private network 140-2 may only permit outgoing network traffic and may block incoming communication requests. Therefore, for a device, such as PSM server 130, to communicate with a device located outside of private network 140-2, an outgoing communication session may be required to be established by PSM server 130. An incoming request that is unassociated with a previously-established outbound communication session may be prohibited by the gateway device of private network 140-2. Such a gateway device may be a wired or wireless router, or some other form of access point (AP) that serves as an interface between a LAN and an internet service provider (ISP). In other embodiments, PSM server 130 may not be part of a private network.
SM client 120 may be a computerized device that can output media for presentation. SM client 120 may directly output media for presentation, such as via an integrated speaker, integrated display screen, and/or integrated wired headphone jack or wireless headphone interface (e.g., a Bluetooth® interface). SM client 120 may be a computerized device and, therefore, also includes one or more processors, one or more non-transitory computer readable mediums (e.g., memories, hard drives, solid state drives), one or more communication buses, and one or more wired and/or wireless network interfaces. SM client 120 may be a smartphone, tablet computer, smart television, laptop computer, desktop computer, or gaming device. In some embodiments, SM client 120 is a device intended to be connected with a separate video and/or audio presentation device. For example, SM client 120 may not have an integrated display screen and/or integrated speaker, but rather may connect to another presentation device, such as a television for presenting received streaming media.
SM client 120 may function within private network 140-1. Private network 140-1 may function similarly to private network 140-2. Private network 140-1 may be separate and distinct from private network 140-2. For example, private network 140-1 may be located at a different residence than private network 140-2. Alternatively, private network 140-1 may be located in a location other than a residence. By SM client 120 and PSM server 130 being connected with Internet 150 via separate and distinct private networks 140, direct communication between SM client 120 and PSM server 130 may be difficult to establish due to both SM client 120 and PSM server 130 being required to establish communication sessions via outbound requests from within their respective private networks 140. In order to facilitate such communication, RS system 110 having an address (e.g., a uniform resource locator (URL)) may serve as an intermediary for communication between SM client 120 and PSM server 130. This URL may be translated by DNS name server 160 to point to an IP address (and, possibly, port) of PSM server 130 or of relay server system 110 that has been linked with PSM server 130. SM client 120 and PSM server 130 may communicate with RS system 110 and DNS name server 160 via Internet 150. It should be understood that in some embodiments one or more additional private or public networks are included as part of the communication path between SM client 120 and RS system 110 and/or PSM server 130 and RS system 110. It should further be understood that, in some embodiments, SM client 120 may not be part of private network 140-1.
While the above description is focused on an SM client and a PSM server, it should be understood that the DNS security and routing embodiments detailed herein can be used with respect to other forms of devices that are to be connected via a DNS name server. For instance, in some embodiments, SM client 120 may be a first computer system and PSM server 130 may be a second computer system.
DNS name server 160 may receive a request from SM client 120 directly or after SM client 120 has contacted one or more other DNS servers, which have, in turn, instructed SM client 120 to contact DNS name server 160. DNS name server 160 may be responsible for only DNS routing within a particular top and second level domain. For instance, DNS name server 160 may receive all DNS requests for “particularwebsite.com.”
DNS name server 160 may not store or maintain a database that links IP addresses with hostnames. While SM client 120 may provide DNS name server 160 with a requested hostname, DNS name server 160 does not perform a lookup of an IP address. Rather, the IP address can be determined using only information that is present within the hostname. The IP address provided by DNS name server 160 may be: 1) an IP address (and, possibly, port) of RS system 110 that has been linked with PSM server 130; or 2) the IP address (and, possibly, port) of PSM server 130 directly. Option 1 may be used if a firewall is used to block in-bound connection requests to a private network in which PSM server 130 is located. Option 2 may be used if in-bound connection requests to PSM server 130 are permitted.
After DNS name server 160 has authenticated the hostname and returned an IP address that properly routes SM client 120, RS system 110 may serve to relay communications between PSM server 130 and SM client 120. Such a relay of communications may include requests for media being routed from SM client 120 to PSM server 130 via RS system 110 and encrypted streaming media being routed from PSM server 130 to SM client 120 via RS system 110. In order for RS system 110 to be able to route a request for media (or some other form of message or communication) to PSM server 130, an outbound communication session from PSM server 130 may be required to be established with RS system 110. This requirement may be present due to PSM server 130 functioning as a part of private network 140-2, which blocks incoming communication requests. Therefore, PSM server 130 may maintain a persistent communication path with RS system 110 by periodically or occasionally establishing an outgoing communication session with RS system 110. By doing so, when RS system 110 has data to be transmitted as a message to PSM server 130, the message can be transmitted into private network 140-2 to PSM server 130 without being blocked by a firewall of private network 140-2. RS system 110 may be a group of one or more server systems that include one or more processors, one or more non-transitory computer readable mediums (e.g., memories, hard drives, solid state drives), one or more communication buses, and one or more wired and/or wireless network interfaces.
It should be understood that SM client 120 and PSM server 130 are typically owned by the same user. A user may install and configure PSM server 130 at his residence to receive, record, and stream television programming. The user may then use SM client 120 at a remote location to be able to access the media recorded and streaming from PSM server 130. Therefore, while SM client 120 and PSM server 130 are functioning as part of distinct private networks, these devices can be owned and operated by the same user and, thus, a single username and password may be used to access PSM server 130.
FIG. 2 illustrates another embodiment of a system 200 for performing secure DNS routing without a database. System 200 can represent a more detailed embodiment of system 100 of FIG. 1. In system 200, secure streaming media relay server (SSMRS) system 210 and DNS name server 230 are present.
In system 200, private network 140-1 is created by router 220-1. Router 220-1 may be a wired or wireless router that communicates with Internet 150 via an ISP. Router 220-1 may communicate using some form of ISP interface, such as a cable modem, fiber optic modem, or digital subscriber line (DSL) modem. Router 220-1 may function as a gateway device that creates a firewall that prevents inbound communication requests from being established with SM client 120. Router 220-1 may permit outbound communication requests from SM client 120 to devices accessible via the Internet 150, such as SSMRS system 210. Similarly, router 220-2 may create private network 140-2. Private network 140-2 may function similarly to private network 140-1, such that outbound communication sessions from PSM server 130 are permitted, but inbound communication sessions are blocked.
A secure communication session, such as an HTTPS communication session, between PSM server 130 and SM client 120 may be established in order to permit media to be transmitted from PSM server 130 to SM client 120. This secure media session may be established such that packets of media encrypted by HTTPS server 242, executed by PSM server 130, are passed, still encrypted, by SSMRS system 210 to HTTPS client 232, which is executed by SM client 120. The encrypted data packets are passed from HTTPS server 242 to SSMRS system 210. SSMRS system 210, in turn, readdresses the encrypted packets (without decrypting the data within the encrypted packets) and transmits the encrypted streaming media data packets to HTTPS client 232. As such, encrypted streaming media (that is not decrypted by SSMRS system 210) is passed from HTTPS server 242 to HTTPS client 232 via Internet 150 and SSMRS system 210.
In order to establish the HTTPS communication session between SM client 120 and PSM server 130, since both devices are part of separate and distinct private networks, the secure communication session can be established through SSMRS system 210. Further, an HTTPS communication session may be required to be established via a DNS name server (rather than directly to a particular IP address). DNS name server 230 may be in communication with systems and devices via Internet 150.
PSM server 130 may include HTTPS server 242, IP encoder 244, signature generator 246, and secure key 248. IP encoder 244 may serve to encode an IP address of PSM server 130 (the address at which external devices, such as SSMRS system 210, can reach PSM server 130) into an encoded string of characters. This encoded string of (e.g., alphanumeric) characters may be decodable by another device that has access to the algorithm according to which encoding was performed by IP encoder 244. IP encoder 244 may be in the form of software, hardware, or firmware that performs encoding according to a particular algorithm. In some embodiments, rather than encoding the IP address, the IP address may be maintained in an encoded form.
Signature generator 246 may generate an encrypted signature using the IP address of PSM server 130. Signature generator 246 may use stored secure key 248 to generate the signature. Similar to the encoded IP address, the signature may be a string of (e.g., alphanumeric) characters. Secure key 248 may be stored such that it cannot easily be accessed by a user or external device. Signature generator 246 and secure key 248 may be in the form of software, hardware, or firmware that performs encryption according to a particular algorithm using secure key 248.
PSM server 130 may generate a third (or higher) level domain name that is to be published to a cloud-based (Internet-based) server, such as published hostname list server 212. For instance, the URL may be: http://<encoded-IP>-<signature>.privatestreamingmediaserver.com. In this example, “.com” is the top level domain, “privatestreamingmediaserver” is the second level domain, and “<encoded-IP>-<signature>” is the third level domain. DNS name server 230 may serve as the name server for all subdomains within “privatestreamingmediaserver.com.” PSM server 130 may transmit the generated hostname to published hostname list server 212. In other embodiments, some or all of the various components of the hostname (e.g., the encoded IP address, the signature) may be transmitted to published hostname list server 212, which may then generate the hostname for publishing. SM client 120 can contact published hostname list server 212 to determine a hostname from which SM client 120 is to request content. SM client 120 may then use the retrieved hostname to contact DNS name server 230 to obtain an IP address for PSM server 130.
Published hostname list server 212 may include a stored, published hostname list, which may be stored to a non-transitory processor-readable medium. In some embodiments, rather than a hostname list being hosted by published hostname list server 212, the published hostname list may be stored elsewhere in the cloud and accessible via the Internet. The published hostname list may include hostnames that have been received from various PSM servers 130. DNS name server 230 may serve as the name server for hundreds or thousands of PSM servers operating within a particular second level domain (which may also be the same second level domain as SSMRS system 210). The published hostname list can include hostnames, but such hostnames are not explicitly mapped to a stored IP address. As such, no database by DNS name server 230 maps IP addresses of PSM servers to hostnames of PSM servers. In some embodiments, the published hostname list does not need to be maintained because the IP address and whether the PSM server is authorized can be determined based on the hostname received from requesting SM client 120. Additional information, such as user registration details, PSM server identifiers, and WAN IP addresses corresponding to the PSM servers may be stored at DNS name server 230 and/or elsewhere accessible via Internet 150.
Rather than maintaining such a database, DNS name server 230 determines an IP address of a PSM server 130 by decoding the encoded IP address portion of the hostname. IP decoder engine 216 may decode the portion of the hostname that represents the encoded IP address (as encoded by IP encoder 244). Signature verification engine 214 may have access to the same secure key as secure key 248, or a corresponding secure key, that can be used to decrypt or verify the signature included as part of the hostname. Signature verification engine 214 may be used to determine if PSM server 130, which supplied the hostname or portions of the hostname, is an authorized device that is permitted to have its hostname published by DNS name server 230. Signature verification engine 214 may verify a signature: 1) on receipt of the hostname or partial hostname from PSM server 130; 2) some time after receipt but prior to receiving a request for the hostname from SM client 120; or 3) in response to a request for the hostname from SM client 120.
If signature verification engine 214 does not verify a signature of a hostname, the hostname may be removed from the published hostname list. Alternatively, a request for an IP address linked with an unauthorized hostname may result in either no response being transmitted by DNS name server 230 or in an error message being transmitted to the requesting SM client.
In response to a request for an IP address associated with a hostname from SM client 120, DNS name server 230 may decode the IP address from the hostname and provide the IP address to SM client 120 if the signature was determined to be valid and associated with an authorized device. The IP address (and possibly port) provided by DNS name server 230 may refer to SSMRS system 210 which may, in turn, be configured to forward or otherwise route data to PSM server 130. In other embodiments, the IP address (and possibly port) provided by DNS name server 230 may refer directly to PSM server 130.
DNS name server 230 may be incorporated as part of SSMRS system 210 in some embodiments. By having SSMRS system 210 and PSM server 130 part of the same top and second level domain, the HTTPS session request from SM client 120 can be validly rerouted to PSM server 130. As an example, if SSMRS system 210 has a top and second level domain of “streamingmediaserver.org,” then PSM server 130 may be assigned a domain of “PSM_identifier.streamingmediaserver.org” by DNS name server 230, which is linked with SSMRS system 210, in which “PSM_identifier” (which could include both the encoded IP address and signature) uniquely identifies PSM server 130 from other PSM servers that may be communicating with SSMRS system 210.
Various methods may be performed using the systems described above. FIG. 3 illustrates an embodiment of a method 300 for performing secure DNS routing. Each step of method 300 may be performed using either system 100 or system 200 of FIGS. 1 and 2, respectively. Method 300 may be used for having a DNS name server securely route an IP request for a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server).
At block 310, a secure signature may be generated based on an IP address. This signature may be generated by a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server). The secure signature may be generated by encrypting or hashing the IP address of the PSM server 130 (or the IP address of router 220-2 or some other device functioning as the gateway to private network 140-2). In some embodiments, PSM server 130 may not be part of a private network. Generation of the signature may include encrypting or hashing the IP address using a secure key, such as secure key 248. The signature may be composed of numbers, letters, or a mix of alphanumeric characters. In some embodiments, a hash-based message authentication code (HMAC) is used. This arrangement allows for simultaneous verification of data integrity and authentication of the message. The underlying cryptographic function may be MD5, SHA-1, or some other function.
At block 320, an encoded IP address may be created. This encoded IP address may be created by the PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server) or by the DNS name server itself. Encoding may involve obscuring the IP address using a predefined algorithm in such a way that the IP address can be decoded by the DNS name server. The encoded IP address may be composed of numbers, letters, or a mix of alphanumeric characters.
At block 330, a hostname may be created by the PSM server. The hostname may include the encoded IP address and the signature. The hostname may also include a stored and predefined first and second level domain. In some embodiments, the third, fourth, or higher level domain may be a combination of the encoded IP address and the signature. For instance, the format may be: “<encoded IP>-<signature>.predefineddomain.com” or “<signature><encoded IP>.predefineddomain.com.” This hostname may also be created by the DNS name server based on the signature and/or encoded IP being provided by the PSM server.
At block 340, the IP address may be decoded by the DNS name server from the hostname. By decoding the IP address of the PSM server from the hostname, the DNS name server does not need to maintain a database that maps IP addresses to hostnames. At block 350, the hostname may be authenticated by the DNS name server. The DNS name server may authenticate whether the signature corresponds to an authorized device. Only devices that have access to the secure key may be authorized devices. The signature may be obtained by the DNS name server from the hostname and evaluated, using a locally stored copy of the key or corresponding key that permits verification. For instance, the keys may be a public/private key pair. In other embodiments, an arrangement such as HMAC may be used, as previously described.
At block 360, the IP address decoded from the hostname may be provided to the SM client (or whatever type of electronic device requested an IP address from the DNS name server). The IP address may only be provided by the DNS name server if authentication at block 350 determined that the PSM server is an authorized device by verifying the signature appended. Otherwise, a valid IP address may not be provided.
FIGS. 4A and 4B illustrate another embodiment of a method 400 for performing secure DNS routing. Method 400 can represent a more detailed embodiment of method 300 of FIG. 3. Each step of method 400 may be performed using either system 100 or system 200 of FIGS. 1 and 2, respectively. Method 400 may be used for having a DNS name server securely route an IP request for a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server).
At block 405, a secure signature may be generated based on an IP address. This signature may be generated by a PSM server (or some other form of electronic device that is to have its IP address published by a DNS name server). The secure signature may be generated by hashing (e.g., using MAC/HMAC) or encrypting the IP address of the PSM server 130 (or the IP address of router 220-2 or some other device functioning as the gateway to private network 140-2). In some embodiments, PSM server 130 may not be part of a private network. Generation of the signature may include encrypting the IP address using a secure key, such as secure key 248. The signature may be composed of numbers, letters, or a mix of alphanumeric characters. At block 410, the IP address may be encoded so that it is represented in alphanumeric characters that can be used to build a valid hostname.
At block 420, a hostname may be created by the PSM server. The hostname may include the encoded IP address and the generated secure signature. The hostname may also include stored and predefined first and second level domains. In some embodiments, the third, fourth, or higher level domain may be a combination of the encoded IP address and the signature.
At block 425, the generated hostname may be transmitted to or “published to” a cloud-based server, such as a published hostname list server, relay server system, or some other Internet-accessible server system. This generated hostname may be accessible by the DNS name server to allow the DNS name server to respond to requests for an IP address associated with the hostname. At block 430, the hostname may be stored and published as part of a hostname list. By the hostname being stored as part of a listing, the hostname has been published and can now, potentially, result in a response including an IP address if the hostname is requested by a client. At block 435, a request from a client device, such as an SM client, may be received that specifies the hostname. This request may be expecting an IP address (and, possibly, a port address) at which the PSM server can be contacted to be received in response. This IP address (and possibly port) may correspond to a relay server, directly to the PSM server, or to a gateway device that enforces a private network in which the PSM server operates (e.g., router 220-2).
At block 435, the IP address may be decoded from the encoded IP address included as part of the hostname that is stored by the DNS server (or as received from the requesting client device). As such, no database mapping IP addresses to hostnames needs to be maintained by the DNS name server. Block 435 may involve an algorithm being used to decode the encoded IP address included in the hostname.
At block 440, the secure signature of the hostname may be verified by the DNS name server. The DNS name server may determine whether the signature corresponds to an authorized device. Only devices that have access to the secure key may be authorized devices. The signature may be obtained by the DNS name server from the hostname and evaluated using a locally stored copy of the key or corresponding key that permits verification of the signature. For instance, the keys may be a public/private key pair or a fixed key may be used to calculate a MAC/HMAC. In some embodiments, the secure signature is verified in response to a request of block 430. In other embodiments, the secure signature is verified prior to a request, such as prior to or following block 425. If the signature is not verified, block 445 is performed in which an error, such as a “name not resolved” error, may be transmitted in response to the request to the client device. In other embodiments, no response or a different type of error message may be provided.
If block 440 results in validation, method 400 may proceed to block 450. At block 450, the decoded IP address may be transmitted to the client from which the request was received. At block 455, the received IP address may be used by the client to initiate streaming of media between the PSM and SM client device. More generally, the IP address can be used to establish a secure or unsecure communication session, possibly via a relay server, between the two devices.
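The two halves of methods 300 and 400 (hostname construction on the PSM server at blocks 405-420, and decode-then-verify on the DNS name server at blocks 435-450), as an added example that is not the patent's own code. It assumes HMAC-SHA256 truncated to 128 bits as the "secure signature", unpadded lowercase base32 as the alphanumeric encoding of the IP address, and a placeholder designated domain; the name server consults no hostname-to-IP database.

```python
"""Signed, self-describing hostnames: build (PSM side) and resolve (DNS side).

Added example illustrating methods 300/400 of the patent; assumptions:
  - signature  = HMAC-SHA256(secure_key, packed IP), truncated to 16 bytes
  - encoded IP = base32 of the packed IPv4/IPv6 address, lowercase, no '='
  - hostname   = <encoded-IP>-<signature>.<designated domain>
"""
import base64
import hashlib
import hmac
import ipaddress
from typing import Optional

# Placeholder second-level domain (assumption; not the patent's real zone).
DESIGNATED_DOMAIN = "predefineddomain.example"
SIG_BYTES = 16  # truncation keeps the whole label well under 63 characters


def _b32(data: bytes) -> str:
    """Base32 without padding, lowercased: only a-z and 2-7, valid in a label."""
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def _unb32(text: str) -> bytes:
    """Inverse of _b32; restores padding before decoding. Raises ValueError."""
    return base64.b32decode(text.upper() + "=" * (-len(text) % 8))


def sign_ip(packed_ip: bytes, key: bytes) -> bytes:
    """Blocks 310/405: MAC over the packed IP address using the secure key."""
    return hmac.new(key, packed_ip, hashlib.sha256).digest()[:SIG_BYTES]


def build_hostname(ip: str, key: bytes, domain: str = DESIGNATED_DOMAIN) -> str:
    """Blocks 405-420 (PSM server): encode the IP, sign it, form the hostname."""
    packed = ipaddress.ip_address(ip).packed  # 4 bytes for v4, 16 for v6
    label = f"{_b32(packed)}-{_b32(sign_ip(packed, key))}"
    if len(label) > 63:  # DNS label limit; cannot happen with these sizes
        raise ValueError("hostname label exceeds 63 characters")
    return f"{label}.{domain}"


def resolve_hostname(hostname: str, key: bytes,
                     domain: str = DESIGNATED_DOMAIN) -> Optional[str]:
    """Blocks 435-450 (DNS name server): decode the IP from the hostname and
    return it only if the embedded signature verifies under the stored key.
    Returns None wherever the patent would answer 'name not resolved'."""
    suffix = "." + domain.lower()
    name = hostname.lower().rstrip(".")
    if not name.endswith(suffix):
        return None  # outside the zone this server is authoritative for
    label = name[: -len(suffix)]
    parts = label.split("-")
    if len(parts) != 2 or "." in label or len(label) > 63:
        return None  # wrong shape: not <encoded-IP>-<signature>
    try:
        packed = _unb32(parts[0])
        sig = _unb32(parts[1])
    except ValueError:
        return None  # not valid base32 (binascii.Error is a ValueError)
    if len(packed) not in (4, 16):
        return None  # decodes to something that is not an IPv4/IPv6 address
    # Constant-time compare: the hostname is untrusted, client-supplied input.
    if not hmac.compare_digest(sig, sign_ip(packed, key)):
        return None  # block 445: unauthorized hostname, no IP is disclosed
    return str(ipaddress.ip_address(packed))  # block 450


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample, not a real key
    h = build_hostname("203.0.113.7", demo_key)
    print(h, "->", resolve_hostname(h, demo_key))
```

A hostname whose encoded-IP label is altered but whose signature is left intact fails verification, so the name server never hands out an address it did not sign for.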
The methods, systems, and devices discussed above are examples. Various configurations may omit, substitute, or add various procedures or components as appropriate. For instance, in alternative configurations, the methods may be performed in an order different from that described, and/or various stages may be added, omitted, and/or combined. Also, features described with respect to certain configurations may be combined in various other configurations. Different aspects and elements of the configurations may be combined in a similar manner. Also, technology evolves and, thus, many of the elements are examples and do not limit the scope of the disclosure or claims.
Specific details are given in the description to provide a thorough understanding of example configurations (including implementations). However, configurations may be practiced without these specific details. For example, well-known circuits, processes, algorithms, structures, and techniques have been shown without unnecessary detail in order to avoid obscuring the configurations. This description provides example configurations only, and does not limit the scope, applicability, or configurations of the claims. Rather, the preceding description of the configurations will provide those skilled in the art with an enabling description for implementing described techniques. Various changes may be made in the function and arrangement of elements without departing from the spirit or scope of the disclosure.
Also, configurations may be described as a process which is depicted as a flow diagram or block diagram. Although each may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be rearranged. A process may have additional steps not included in the figure. Furthermore, examples of the methods may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware, or microcode, the program code or code segments to perform the necessary tasks may be stored in a non-transitory computer-readable medium such as a storage medium. Processors may perform the described tasks.
Having described several example configurations, various modifications, alternative constructions, and equivalents may be used without departing from the spirit of the disclosure. For example, the above elements may be components of a larger system, wherein other rules may take precedence over or otherwise modify the application of the invention. Also, a number of steps may be undertaken before, during, or after the above elements are considered.

Claims (11)

What is claimed is:
1. A method for performing secure domain name system (DNS) routing, the method comprising:
generating, by a private streaming media (PSM) server device, a secure signature using an internet protocol (IP) address of the PSM server device and a secure key, wherein:
the PSM server device operates within a home local area network and receives television programming via a television distribution network, stores the television programming, and streams the television programming to a streaming media client device;
generating, by the PSM server device, an encoded character string that comprises the IP address;
publishing, by the PSM server device, a hostname such that the hostname is accessed by a domain name server, wherein:
the hostname is constructed using the secure signature, the encoded character string, and a designated domain name;
receiving, by the domain name server from the streaming media client device, a request for an IP address mapped to the hostname;
validating, by the domain name server, the hostname using the secure signature to determine that the PSM server is authorized to have the hostname published by the domain name server, wherein
the domain name server stores a corresponding secure key that corresponds to the secure key and is used to validate the secure signature;
decoding, by the domain name server, the IP address of the PSM server device from the encoded character string at least partially in response to the hostname being validated by the domain name server, wherein
the domain name server decodes the IP address of the PSM server device from the encoded character string without using a database that maps uniform resource locators (URLs) with IP addresses; and
transmitting, by the domain name server to the streaming media client device, the IP address decoded from the encoded character string at least partially based on the hostname being validated and the request for the IP address.
2. The method for performing secure DNS routing of claim 1, further comprising: creating a subdomain comprising the encoded character string and the secure signature, wherein the hostname comprises the created subdomain and the designated domain name.
3. The method for performing secure DNS routing of claim 1, further comprising: receiving, by the PSM server device at the IP address from the streaming media client device, a request to stream television programming.
4. The method for performing secure DNS routing of claim 3, further comprising: storing, by the PSM server device, a key for use in generating the secure signature, wherein the secure signature is generated by the PSM server device using the stored key.
5. The method for performing secure DNS routing of claim 1, wherein the request for the IP address mapped to the hostname is received as part of an HTTPS (Hypertext Transfer Protocol Secure) request.
6. The method for performing secure DNS routing of claim 1, wherein the IP address is decoded exclusively from the encoded character string.
7. A system for performing secure domain name system (DNS) routing, the system comprising:
a private streaming media (PSM) server computer system that streams video and audio content to one or more client devices, wherein the PSM server computer system is configured to:
generate a secure signature using an internet protocol (IP) address of the PSM server computer system and a secure key, wherein
the PSM server computer system operates within a home local area network and receives television programming via a television distribution network, stores the television programming, and streams the television programming to a streaming media client device;
generate an encoded character string that comprises the IP address; and
publish a hostname, such that the hostname is accessible by a domain name server (DNS) computer system wherein the hostname is constructed using the secure signature, the encoded character string, and a designated domain name; and
the DNS computer system that provides DNS routing for one or more domains, the domain name server computer system configured to:
receive, from a streaming media client device, a request for an IP address mapped to the hostname;
validate the hostname using the secure signature to determine that the PSM server computer system is authorized to have the hostname published by the domain name server computer system, wherein
the domain name server computer system stores a corresponding secure key that corresponds to the secure key and is used to validate the secure signature;
decode the IP address of the PSM server computer system from the encoded character string at least partially in response to the hostname being validated by the domain name server, wherein
the domain name server decodes the IP address of the PSM server computer system from the encoded character string without using a database that maps uniform resource locators (URLs) with IP addresses; and
transmit the IP address decoded from the encoded character string to the streaming media client device at least partially based on the hostname being validated and the request for the IP address.
8. The system for performing the secure DNS routing of claim 7, wherein the PSM server computer system is configured to create a subdomain comprising the encoded character string and the secure signature, wherein the hostname comprises the created subdomain and the designated domain name.
9. The system for performing the secure DNS routing of claim 8, wherein the PSM server computer system is further configured to receive, via the IP address from the client device, a request to stream television programming.
10. The system for performing the secure DNS routing of claim 7, wherein the request for the IP address mapped to the hostname is received as part of an HTTPS (Hypertext Transfer Protocol Secure) request.
11. The system for performing the secure DNS routing of claim 7, wherein the IP address is decoded exclusively from the encoded character string.
US15/907,796 2018-02-28 2018-02-28 Methods and systems for secure DNS routing Active 2038-11-18 US10785192B2 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US15/907,796 US10785192B2 (en) 2018-02-28 2018-02-28 Methods and systems for secure DNS routing
PCT/IN2019/050117 WO2019167056A1 (en) 2018-02-28 2019-02-14 Methods and systems for secure dns routing
US16/992,357 US11546305B2 (en) 2018-02-28 2020-08-13 Methods and systems for secure DNS routing

Publications (2)

Publication Number Publication Date
US20190268309A1 US20190268309A1 (en) 2019-08-29
US10785192B2 true US10785192B2 (en) 2020-09-22

US20070239886A1 (en) * 2005-01-20 2007-10-11 Citrix Systems, Inc. Systems and Methods for Preserving Transport Layer Protocol Options
US7995756B1 (en) 2005-10-12 2011-08-09 Sprint Communications Company L.P. Mobile device playback and control of media content from a personal media host device
US8185741B1 (en) * 2006-01-30 2012-05-22 Adobe Systems Incorporated Converting transport level transactional security into a persistent document signature
US8181014B2 (en) * 2007-05-09 2012-05-15 Telefonaktiebolaget Lm Ericsson (Publ) Method and apparatus for protecting the routing of data packets
US20100036969A1 (en) * 2007-08-27 2010-02-11 Declude, Inc. Method, System, and Apparatus for Discovering User Agent DNS Settings
US20100198043A1 (en) * 2008-01-14 2010-08-05 Christian Holzer Garment for monitoring physiological properties
US20100005483A1 (en) * 2008-07-01 2010-01-07 Sling Media Inc. Systems and methods for securely place shifting media content
WO2010002761A1 (en) 2008-07-01 2010-01-07 Sling Media Inc. Systems and methods for securely place shifting media content
US20100125626A1 (en) * 2008-11-20 2010-05-20 At&T Corp. Systems and Methods for Directing Content Requests to Servers
US20150222609A1 (en) * 2009-08-26 2015-08-06 Sling Media Inc. Systems and methods for transcoding and place shifting media content
US10389689B2 (en) * 2010-03-22 2019-08-20 Sling Media L.L.C. Systems and methods for securely streaming media content
US20120170741A1 (en) * 2011-01-05 2012-07-05 General Instrument Corporation Secure live television streaming
US20130046864A1 (en) 2011-08-18 2013-02-21 Cisco Technology, Inc. Deriving Unique Local Addresses From Device Names
US20130250358A1 (en) * 2012-03-21 2013-09-26 Ricoh Company, Ltd. Arrangement for connecting to network in network system
US9436773B2 (en) * 2012-04-20 2016-09-06 The Boeing Company Method and computer program for discovering a dynamic network address
US20160323260A1 (en) 2013-12-23 2016-11-03 Orange Obtaining data for connection to a device via a network
US9819648B1 (en) * 2014-10-21 2017-11-14 Amazon Technologies, Inc. Secure content delivery
US20170250797A1 (en) * 2015-02-14 2017-08-31 Valimail Inc. Secure and delegated distribution of private keys via domain name service
US20180288117A1 (en) * 2017-03-30 2018-10-04 Arris Enterprises Llc Secure media casting bypassing mobile devices
US20190268389A1 (en) * 2018-02-28 2019-08-29 Sling Media Pvt. Ltd. Relaying media content via a relay server system without decryption

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
International Search Report and Written Opinion for PCT/IN2019/050117 dated May 7, 2019, all pages.
International Search Report and Written Opinion for PCT/IN2019/050118 dated Apr. 3, 2019, all pages.
O. Nakamura (Keio Univ./WIDE Project), H. Hazeyama (NAIST/WIDE Project), Y. Ueno (Keio Univ./WIDE Project), A. Kato (Keio Univ./WIDE Project): "A Special Purpose TLD to resolve IPv4 Address Literal on DNS64/NAT64 environments", draft-osamu-v6ops-ipv4-literal-in-url-02.txt, Internet Engineering Task Force (IETF), Standard Working Draft, Internet Society (ISOC), 4, Rue des Falaises, CH-1205 Geneva, Switzerland, Oct. 27, 2014, pp. 1-15, XP015102819.
O. Nakamura (Keio Univ./WIDE Project), H. Hazeyama (NAIST/WIDE Project), Y. Ueno (Keio Univ./WIDE Project), A. Kato (Keio Univ./WIDE Project): "A Special Purpose TLD to resolve IPv4 Address Literal on DNS64/NAT64 environments; draft-osamu-v6ops-ipv4-literal-in-url-02.txt", Internet Engineering Task Force (IETF), Standard Working Draft, Internet Society (ISOC), 4, rue des Falaises, CH-1205 Geneva, Switzerland, draft-osamu-v6ops-ipv4-literal-in-url-02, 27 October 2014 (2014-10-27), pages 1-15, XP015102819.

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200076763A1 (en) * 2018-08-31 2020-03-05 Comcast Cable Communications, Llc Localization For Domain Name Resolution
US11706188B2 (en) * 2018-08-31 2023-07-18 Comcast Cable Communications, Llc Localization for domain name resolution
US12047347B2 (en) 2018-08-31 2024-07-23 Comcast Cable Communications, Llc Localization for domain name resolution

Also Published As

Publication number Publication date
US20200382473A1 (en) 2020-12-03
US11546305B2 (en) 2023-01-03
WO2019167056A1 (en) 2019-09-06
US20190268309A1 (en) 2019-08-29

Similar Documents

Publication Publication Date Title
US11546305B2 (en) Methods and systems for secure DNS routing
US11936786B2 (en) Secure enrolment of security device for communication with security server
US9130935B2 (en) System and method for providing access credentials
US12301563B2 (en) System and method for pre-shared key (PSK) based wireless access point authentication
US11297115B2 (en) Relaying media content via a relay server system without decryption
US20130019297A1 (en) System and Method for Communicating with a Client Application
KR20180095873A (en) Wireless network access method and apparatus, and storage medium
JP2010503323A (en) Method and system for establishing a real-time authenticated and guaranteed communication channel in a public network
WO2022100356A1 (en) Identity authentication system, method and apparatus, device, and computer readable storage medium
US12015721B1 (en) System and method for dynamic retrieval of certificates with remote lifecycle management
US12132846B2 (en) System and method for extended attributes in certificates for dynamic authorization
US10708326B2 (en) Secure media casting bypassing mobile devices
JP2012519995A (en) Method and apparatus for protecting network communications
US20250023714A1 (en) System and method to securely distribute authenticated and trusted data streams to ai systems
JP6056970B2 (en) Information processing apparatus, terminal, information processing system, and information processing method
CN117354032A (en) Multiple authentication method based on code server
TWI849942B (en) Multi-device multi-factor dynamic strong encryption authentication method
US12309262B2 (en) System and method for pre-shared key (PSK) based document security
Protocol draft-hallambaker-omnibroker-02

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

AS Assignment

Owner name: SLING MEDIA PVT. LTD., INDIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:GOVINDARAJAN, JAGAN;RANGANATHAN, GOPIKUMAR;KONDURU, JAYACHANDRAKUMAR;AND OTHERS;REEL/FRAME:045461/0005

Effective date: 20180214

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

CC Certificate of correction

AS Assignment

Owner name: DISH NETWORK TECHNOLOGIES INDIA PRIVATE LIMITED, INDIA

Free format text: CHANGE OF NAME;ASSIGNOR:SLING MEDIA PVT. LTD.;REEL/FRAME:060570/0361

Effective date: 20220609

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4