Patent classifications
H04L61/58
Home or enterprise router-based secure domain name services
There is disclosed in one example a home router, including: a hardware platform including a processor and a memory; a local area network (LAN) interface; a data store including rules for domain name-based services; and instructions encoded within the memory to instruct the processor to: provision a certificate and key pair to provide domain name system (DNS) over HTTPS (DoH) or DNS over transport layer security (DoT) services; receive on the LAN interface an encrypted DNS request; decrypt the DNS request; query the data store according to the DNS request; receive a rule for the DNS request; and execute the rule.
SYSTEM AND METHOD FOR MONITORING COMMUNICATION TRAFFIC ASSOCIATED WITH DYNAMIC INTERNET SERVICES VIA DNS MONITORING
Matching an internet service with an IP host address in order to attribute network traffic to that service: a network device maps one or more server names to an internet service by detecting a DNS response to a DNS query, inspects the DNS response to determine an association between a service consumer's IP address and the server IP address of a certain internet service, and maintains an array of indexed entries recording that association for a certain length of time, using a probabilistic data structure for the indexed entries.
SYSTEMS AND METHODS FOR INTERNAL SECURE NETWORK RESOLUTION
Systems, devices, and methods are discussed for limiting exposure of internal network operations beyond the boundary of a secure network.
Dynamic Border Gateway Protocol (BGP) Host Route Generation Based on Domain Name System (DNS) Resolution
Novel tools and techniques are provided for implementing dynamic border gateway protocol (“BGP”) host route generation based on domain name system (“DNS”) resolution. In various embodiments, a computing system may receive, from a user device via a first network, a request to establish a communications link with an external device via a second network that is separate from the first network, based on a first uniform resource identifier (“URI”) indicative of a network location of the external device. The computing system may query a DNS resolver for an Internet Protocol (“IP”) address corresponding to a valid current IP address, based on the first URI, and may advertise the IP address and/or a route based on the IP address. A communications link may be established between the user device and the external device based on the IP address and/or the route.
METHOD OF DETERMINING SERVICE TYPE OF NETWORK SERVICE
A method is implemented by a router and includes: upon receiving a query for the Internet Protocol (IP) address of a domain name, sending the query to a DNS server so that the DNS server translates the domain name to an IP address and transmits a DNS response containing the domain name and the IP address to the router; recording the domain name and the IP address in a lookup table; sending the DNS response to an endpoint device so as to enable the endpoint device to establish a link with an application server via the router based on the IP address; finding the domain name in the lookup table based on the IP address; and determining a type of service provided by the application server based on the domain name, with reference to another table.
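The three DNS-side mechanisms above (executing a rule on a decrypted DoH request in the home-router abstract, and mapping a server IP to a service from the DNS response in the traffic-monitoring and service-type abstracts) all rest on the same wire-format handling, so one added example covers them. This is editorial example code, not code from any of the patents listed here; the rule and service tables, the packet builders, the choice to answer a "block" rule with REFUSED, and the restriction to IPv4 A records carried in the DoH GET form are assumptions. TLS termination and the DoT transport are left out: the example starts at the point where the router already holds the plaintext DNS message.

```python
import base64
import struct

def decode_doh_get(dns_param: str) -> bytes:
    """Decode the base64url 'dns=' parameter of a DoH GET (RFC 8484 sends it unpadded)."""
    return base64.urlsafe_b64decode(dns_param + "=" * (-len(dns_param) % 4))

def encode_doh_get(wire: bytes) -> str:
    return base64.urlsafe_b64encode(wire).rstrip(b"=").decode()

def read_name(buf: bytes, off: int):
    """Read a DNS name at buf[off], following compression pointers. Returns (name, end)."""
    labels, jumped, end = [], False, off
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii").lower())
        off += n
    return ".".join(labels), (end if jumped else off)

def parse_message(buf: bytes):
    """Return (txid, rcode, qname, [(ipv4, ttl), ...]) for a query or a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", buf[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = read_name(buf, off)
        off += 4                                   # skip QTYPE and QCLASS
    for _ in range(an):
        _, off = read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:              # A record
            answers.append((".".join(str(b) for b in buf[off:off + 4]), ttl))
        off += rdlen
    return txid, flags & 0xF, qname, answers

def match_suffix(table: dict, name: str):
    """Longest-suffix match against a table keyed by domain suffix ('*' is the default)."""
    parts = name.split(".")
    for i in range(len(parts)):
        hit = table.get(".".join(parts[i:]))
        if hit is not None:
            return hit
    return table.get("*")

def refuse(query: bytes) -> bytes:
    """Execute a 'block' rule (assumed semantics): answer with RCODE=5 (REFUSED), no records."""
    txid, flags, qd = struct.unpack("!3H", query[:6])
    flags = (flags & 0x0100) | 0x8000 | 0x0080 | 5  # keep RD; set QR, RA, RCODE
    return struct.pack("!6H", txid, flags, qd, 0, 0, 0) + query[12:]

# Constructed rule and service tables standing in for the router's data store.
RULES = {"ads.example": "block", "*": "allow"}
SERVICES = {"cdn.example": "streaming", "video.example": "streaming"}

def handle_doh_get(dns_param: str, rules: dict = RULES):
    """Router side of a DoH GET once TLS is stripped: decode, look up the rule, execute it."""
    wire = decode_doh_get(dns_param)
    _, _, qname, _ = parse_message(wire)
    action = match_suffix(rules, qname)
    return action, (refuse(wire) if action == "block" else None)

class Attribution:
    """server IP -> service, learned from DNS responses and expired with the record TTL."""
    def __init__(self):
        self.entries = {}
    def learn(self, response: bytes, services: dict, now: float):
        _, _, qname, answers = parse_message(response)
        svc = match_suffix(services, qname)
        if svc:
            for ip, ttl in answers:
                self.entries[ip] = (svc, now + ttl)
        return svc
    def lookup(self, ip: str, now: float):
        svc, expiry = self.entries.get(ip, (None, 0))
        return svc if expiry > now else None

# Constructed packets so the example runs with no resolver involved.
def build_query(name: str, txid: int = 0x1234) -> bytes:
    q = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)

def build_response(query: bytes, ips, ttl: int = 300) -> bytes:
    txid, _flags, qd = struct.unpack("!3H", query[:6])
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
                   + bytes(int(o) for o in ip.split(".")) for ip in ips)
    return struct.pack("!6H", txid, 0x8180, qd, len(ips), 0, 0) + query[12:] + rrs
```

With the tables as written, handle_doh_get(encode_doh_get(build_query("tracker.ads.example"))) returns ("block", <REFUSED reply>) and any other name returns ("allow", None); a response for edge.cdn.example carrying 198.51.100.7 with TTL 60 makes Attribution.lookup return "streaming" until the TTL lapses, after which it returns None. The monitoring abstract keeps its indexed entries in a probabilistic data structure; the plain dict here is the exact-membership stand-in for that.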
FEDERATED DNS CACHING
Systems and methods are provided for distributing a domain name service (DNS) response cache in a DNS resolving system on a network. The systems and methods described herein may improve response times for client queries and also protect the DNS resolving system from DNS-related cyber attacks.
Method and system for establishing a distributed network without a centralized directory
A method for establishing a connection between two nodes in a communication network without use of a centralized directory or mapping identifiers includes: receiving a lookup message from another node in the communication network that includes a lookup term; determining if a target node in a local directory cache can be identified that satisfies the lookup term; and, if such a node is identified, establishing a connection to the target node and forwarding the lookup message, or, if no such node is identified, forwarding the lookup message to other nodes in the network with which the node has an active communication connection.
System and method for optimizing ARP broadcast
One aspect provides a method and system for managing address resolution requests in a network. During operation, a gateway of the network advertises a route for sending address resolution requests and determines whether a cached entry corresponding to an address resolution request received via the route exists in a neighbor table. In response to determining that the cached entry exists, the gateway responds to the address resolution request based on the cached entry; in response to determining that the cached entry does not exist, the gateway replicates the address resolution request to edge devices in the network, thereby facilitating discovery of a target host corresponding to the address resolution request.