A DNS resolution request for a hostname of a CDN is received. An edge server of the CDN may be identified, which may be associated with a subnet. The subnet is used to generate a response IP address, where the remaining bits of the response IP address may be used to store requestor information (e.g., a requestor IP address). When a client computing device uses the response IP address to access the edge server, requestor information is extracted and associated with client computing device information (e.g., an IP address and/or location, etc.) in an association record. Association records may be used to determine predicted characteristics for devices served by a requestor. When the authoritative DNS server resolves a request from the requestor, such predicted characteristics may be used rather than relying solely on information about a requestor. Thus, an edge server proximate to the predicted location may be returned instead.

A DNS resolution request for a hostname of a CDN is received. An edge server of the CDN may be identified, which may be associated with a subnet. The subnet is used to generate a response IP address, where the remaining bits of the response IP address may be used to store requestor information (e.g., a requestor IP address). When a client computing device uses the response IP address to access the edge server, requestor information is extracted and associated with client computing device information (e.g., an IP address and/or location, etc.) in an association record. Association records may be used to determine predicted characteristics for devices served by a requestor. When the authoritative DNS server resolves a request from the requestor, such predicted characteristics may be used rather than relying solely on information about a requestor. Thus, an edge server proximate to the predicted location may be returned instead.

Mapping anonymous Internet entities to known accounts. In an embodiment, events, representing online activity and comprising IP addresses, are received from a plurality of sources. Subsets of the events are aggregated into mappings that associate the IP address, shared by the subset, with an account. Each mapping is associated with statistics regarding the events. A confidence value is calculated for each mapping based on the statistics, and a final subset of the mappings is selected based on the confidence values. Subsequently, when a request with an IP address is received, the final subset of mappings is searched for the requested IP address, and an indication of the account associated with the requested IP address is returned in response to the request.

Mapping anonymous Internet entities to known accounts. In an embodiment, events, representing online activity and comprising IP addresses, are received from a plurality of sources. Subsets of the events are aggregated into mappings that associate the IP address, shared by the subset, with an account. Each mapping is associated with statistics regarding the events. A confidence value is calculated for each mapping based on the statistics, and a final subset of the mappings is selected based on the confidence values. Subsequently, when a request with an IP address is received, the final subset of mappings is searched for the requested IP address, and an indication of the account associated with the requested IP address is returned in response to the request.

Mechanisms for split tunneling are provided. The mechanisms identify user devices and determine that communications for a first device of the user devices are to be tunneled. These mechanisms also receive a DNS request from a second device of the user devices, modify the DNS request to request meta information corresponding to a domain identified in the DNS request, and send the DNS request to a DNS server. The mechanisms further receive a response to the DNS request, wherein the response includes the meta information, determine that communications for the second device are not to be tunneled based at least in part on the meta information, and cause the communications for the first device to be tunneled and the communications for the second device to not be tunneled.

Systems and methods are described herein for providing proxy mechanisms for DNS services, such as resolving DNS requests. In some embodiments, the systems and methods establish a Proxy DNS module at a DNS resolver of an internet service provider, and access, with the proxy DNS module, DNS queries destined for a public name server. The name server may be accessible by the DNS resolver via a publically-accessible network. Further, the systems and methods may route the accessed DNS queries to a private name server associated with the proxy DNS module and accessible via a private communications channel, and receive, from the private name server and via the private communications channel, IP addresses associated with the DNS queries.

Systems and methods are described herein for providing proxy mechanisms for DNS services, such as resolving DNS requests. In some embodiments, the systems and methods establish a Proxy DNS module at a DNS resolver of an internet service provider, and access, with the proxy DNS module, DNS queries destined for a public name server. The name server may be accessible by the DNS resolver via a publically-accessible network. Further, the systems and methods may route the accessed DNS queries to a private name server associated with the proxy DNS module and accessible via a private communications channel, and receive, from the private name server and via the private communications channel, IP addresses associated with the DNS queries.

Systems and methods for a VLAN switching and routing service (VSRS) are disclosed herein. A method can include generating a table for an instance of a VSRS, which VSRS couples a first virtual layer 2 network (VLAN) with a second network. The table can contain information identifying IP addresses, MAC addresses, and virtual interface identifiers for instances within the virtual layer 2 network. The method can include receiving with the VSRS a packet from a first instance designated for delivery to a second instance within the virtual layer 2 network, identifying with the VSRS the second instance within the virtual layer 2 network for delivery of the packet based on information received with the packet and information contained within the table, and delivering the packet to the identified second instance.

Systems and methods for a VLAN switching and routing service (VSRS) are disclosed herein. A method can include generating a table for an instance of a VSRS, which VSRS couples a first virtual layer 2 network (VLAN) with a second network. The table can contain information identifying IP addresses, MAC addresses, and virtual interface identifiers for instances within the virtual layer 2 network. The method can include receiving with the VSRS a packet from a first instance designated for delivery to a second instance within the virtual layer 2 network, identifying with the VSRS the second instance within the virtual layer 2 network for delivery of the packet based on information received with the packet and information contained within the table, and delivering the packet to the identified second instance.

In some embodiments, a method stores domain name system (DNS) resolution mappings from a domain name to an address in a first table. The DNS resolution mappings are intercepted from DNS responses being sent by a DNS server. The first table is sent to a manager for validation of the DNS resolution mappings. Then, a second table is received from the manager that contains validated DNS resolution mappings. The method intercepts a DNS response that includes a domain name to address resolution mapping from the DNS server and validates the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.