CPC H04L 63/20 (2013.01) [H04L 9/0891 (2013.01); H04L 9/3234 (2013.01); H04L 9/3247 (2013.01); H04L 61/4511 (2022.05); H04L 63/0281 (2013.01); H04W 12/37 (2021.01)]
10 Claims
1. A method to enable a client device associated with an enterprise network to obtain access to an enterprise resource, comprising:
configuring a recursive Domain Name System (DNS) service, the recursive DNS service including a resolver associated with the enterprise;
configuring the client device to act as a local proxy for off enterprise network DNS requests;
receiving at the resolver a DNS query from the client device, the client device having determined it is operating off of the enterprise network, the DNS query having been extended using an EDNS(0) extension to encode an authorization token, the authorization token including a unique device identifier associated with the client device and an identifier associated with the enterprise, the unique device identifier having been encrypted and digitally-signed with a key to generate the authorization token, the identifier associated with the enterprise being unencrypted;
determining at the resolver, but without access to the unique device identifier encoded in the authorization token, whether the authorization token is allowed for the enterprise, wherein a determination is based at least in part on the identifier associated with the enterprise and a threat protection policy; and
upon a determination that the authorization token is allowed, returning a response to the DNS query, wherein the response to the DNS query is based on applying the threat protection policy to the DNS query.
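The following is an added worked example of the exchange claim 1 describes; it is not code from the patent or its assignee. It builds the client-side DNS query with an EDNS(0) OPT record carrying the authorization token (plaintext enterprise identifier, encrypted device identifier, signature), then shows the resolver validating the token and applying a threat-protection policy without ever decrypting the device identifier. Everything concrete here is an assumption: the option code 65001 (chosen from the local/experimental range RFC 6891 reserves), the toy SHA-256 keystream "cipher" standing in for real encryption, HMAC-SHA256 standing in for the digital signature, and the enterprise policy table with its blocklist.

```python
"""Added example (not from the patent): EDNS(0) authorization token on the
client side, and a resolver that validates it while the device id stays opaque."""
import hashlib
import hmac
import struct

# Assumed option code from the EDNS(0) local/experimental range (65001-65534).
OPT_CODE_AUTH_TOKEN = 65001
TYPE_OPT = 41
TYPE_A = 1


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only (constructed here, not a real
    cipher): XOR the data with a SHA-256 counter keystream. Self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + struct.pack(">I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def build_token(enterprise_id: bytes, device_id: bytes,
                enc_key: bytes, sign_key: bytes) -> bytes:
    """Client side: encrypt the device id, then sign (HMAC-SHA256 stands in for
    the digital signature) the plaintext enterprise id plus the ciphertext."""
    ct = _keystream_xor(enc_key, device_id)
    tag = hmac.new(sign_key, enterprise_id + ct, hashlib.sha256).digest()
    return (bytes([len(enterprise_id)]) + enterprise_id
            + struct.pack(">H", len(ct)) + ct + tag)


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(x)]) + x.encode() for x in labels) + b"\x00"


def build_query(qname: str, token: bytes, txid: int = 0x1234) -> bytes:
    """Local-proxy side: a plain A query plus one OPT RR in the additional
    section whose single EDNS(0) option carries the token."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD, 1 Q, 1 AR
    question = _encode_name(qname) + struct.pack(">HH", TYPE_A, 1)
    option = struct.pack(">HH", OPT_CODE_AUTH_TOKEN, len(token)) + token
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/ver/flags
    opt = b"\x00" + struct.pack(">HHIH", TYPE_OPT, 4096, 0, len(option)) + option
    return header + question + opt


def _decode_name(pkt: bytes, off: int):
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        labels.append(pkt[off:off + n].decode())
        off += n


def parse_query(pkt: bytes):
    """Resolver side: return (qname, token bytes or None if no option present)."""
    _, _, _, _, _, ar = struct.unpack(">HHHHHH", pkt[:12])
    qname, off = _decode_name(pkt, 12)
    off += 4  # QTYPE, QCLASS
    token = None
    for _ in range(ar):  # walk the additional section looking for OPT
        _, off = _decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype != TYPE_OPT:
            continue
        i = 0
        while i + 4 <= len(rdata):  # iterate option-code/option-length pairs
            code, ln = struct.unpack(">HH", rdata[i:i + 4])
            if code == OPT_CODE_AUTH_TOKEN:
                token = rdata[i + 4:i + 4 + ln]
            i += 4 + ln
    return qname, token


def resolve(pkt: bytes, enterprises: dict) -> str:
    """Resolver decision. `enterprises` (constructed) maps enterprise id to its
    signature-verification key and threat policy. The resolver holds no
    decryption key, so the device id is never readable here."""
    qname, token = parse_query(pkt)
    if token is None:
        return "REJECT: no authorization token"
    eid_len = token[0]
    eid = token[1:1 + eid_len]                          # unencrypted
    ct_len = struct.unpack(">H", token[1 + eid_len:3 + eid_len])[0]
    ct = token[3 + eid_len:3 + eid_len + ct_len]        # opaque ciphertext
    tag = token[3 + eid_len + ct_len:]
    ent = enterprises.get(eid)
    if ent is None or not ent["policy_enabled"]:
        return "REJECT: token not allowed for enterprise"
    expected = hmac.new(ent["sign_key"], eid + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "REJECT: bad signature"
    if qname in ent["blocked"]:                          # apply threat policy
        return f"BLOCKED {qname} -> sinkhole"
    return f"RESOLVE {qname} for {eid.decode()}"
```

The design point worth noticing is the split of keys: the client holds the encryption key, the resolver holds only the verification key, so the resolver can bind the token to an enterprise and policy while the device identifier remains confidential to it, which is exactly the "without access to the unique device identifier" property in the claim.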