Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Information Disclosure Statement
	The IDS filed 1/11/2021 has been considered.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 6, and 11 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claim 1, 6 and 11 recite the limitation "the retrieval of classification data."  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-15 are is/are rejected under 35 U.S.C. 103 as being unpatentable over Clarke et al. (US 2019/0052658, hereinafter referred to as “Clarke”) in view of Venkatasubramanian (US 2020/0014724, hereinafter referred to as “Venka”).

	Regarding claim 1, Clarke teaches a method comprising: 
	receiving, by a first security component executing on a first server from a second security component executing on a first device, a domain name resolution (DNS) query initiated by a client device for a resolution of a domain name (figure 3B, and [0044]: outgoing DNS query 304 from node A), and the DNS query also including authentication information about the client device [0044 - the intercepting device may insert metadata regarding node A into DNS query 304 before sending DNS query 
304 on to DNS service 302; [0045] - The User Level metadata may represent the level or category of the specific user of the node that sent the DNS query (e.g., node A in FIG. 3B); 0046 – the inserting device may leverage authentication, authorization and accounting (AAA)];  
	determining, by the first security component using the DNS query authentication information, whether the second security component is authorized to access a domain resolution service performed by the first security component [0079 – in a case in which a user is attempting to access a certain database while physically located in his company’s building, information about the user may be inserted into the DNS query, in response, the DNS service may return policy information as part of the DNS response, such as a deny to user access];  and 
	in response to a determination that the second security component is authorized to access the domain resolution service, the first security component performing the domain resolution service by: 
	resolving the domain name included in the DNS query to obtain a first internet protocol (IP) address associated with the domain name [0033 – DNS service may resolve domain names to an IP address];  
	initiating the retrieval of classification data that is associated with the domain name or the first IP address [0067 - The Host/Domain Classification metadata may map classifications codes for the host/node, and/or the domain requested by the node, to their corresponding types.  For example, this can be used to specify the category of a site (and its opcode value) along with the service name (e.g., Dropbox) and its opcode value];  
	evaluating retrieved classification data associated with the domain name or the first IP address against a first policy associated with the client device [0074 - such classification metadata can be used in local network 160 to augment traffic account methodologies, such as IPFIX or NetFlow.  For example, in a Flexible NetFlow (FNF) export, a new record can be added so that analytics systems can do further correlation based on flow domain and flow category.];  and
	when the evaluation results in a determination that the client device is not allowed to access the IP address, sending to the client device a first DNS response including a second IP address that does not lead to the first IP address or a code indicating that the client device will not receive an IP address [0046 - based on the requesting user level, the service may return alternate lookup results (e.g., NXDOMAIN [no such domain] responses, certain sites, or return captive portal links]. 
	However, Clarke does not teach when the evaluation results in a determination that the client device is allowed to access the IP address, or does not provide a determination of whether the client device is or is not allowed to access the IP address, sending to the client device a second DNS response including the IP address and the retrieved classification data. 
	In an analogous art, Venka teaches when the evaluation results in a determination that the client device is allowed to access the IP address, or does not provide a determination of whether the client device is or is not allowed to access the IP address, sending to the client device a second DNS response including the IP address and the retrieved classification data [0034 - the requesting endpoint 102(1) may obtain (receive) the DNS response 300 from the DNS resolver 110.  The DNS response 300 may include the IP address of the first web server 112 hosting the requested domain name 114, the proxy server 116, or the second web server 118 hosting the blocked page 120.  The DNS response 300 may also include the DNS-Classification field 330 in the option-data field 328.  As described above, the 
DNS-Classification field 330 may range from zero to three, with zero indicating a safe domain name, one indicating an unknown or newly seen domain name, two indicating a suspicious domain name, and three indicating a malicious domain name. ]. Before the effective filing date of the invention, one of ordinary skill in the art would have been motivated to send the IP address and the retrieved classification as a way compute DNS-based score [0051], thus ensuring that proper security control is performed. 

	Regarding claim 2, Clarke in view of Venka teaches the method of claim 1, wherein the first device executing the second security component is the client device or a network device (Clarke, figure 3B: client A; Venka, figure 1: endpoint 102). The motivation to combine is that same as claim 1 above. 
 
	Regarding claim 3, Clarke in view of Venka teaches the method of claim 1, wherein, when the second security component receives the response including the first IP address and the retrieved classification data, the second security component evaluates the retrieved classification data against a second policy associated with the client device to determine whether to allow the client device to access the first IP address and prevents the client device from accessing the first IP address as a result of the evaluation (Venka; figure 8, classification is evaluated against policy and domain name resolution is performed accordingly). The motivation to combine is that same as claim 1 above. 

 
	Regarding claim 4, Clarke in view of Venka teaches the method of claim 1, wherein the authentication information is included in at least one extended domain name system (EDNS) option of the query and the retrieved classification data is included in at least one EDNS option of the response [Clarke, 0039 -  EDNS(0) is used as a mechanism to provide for devices to communicate with DNS service; Venka, 0018 – EDNS0]. The motivation to combine is that same as claim 1 above.
 
	Regarding claim 5, Clarke in view of Venka teaches the method of claim 1, wherein the classification data is retrieved from a third-party service [Clarke, 0067 – mapping classification of cloud service names (e.g. Dropbox, iTunes, etc.)]. 

	Claims 6-10 are system version of claims 1-5, respectively. They are rejected similarly under the same rationale. 

	Claims 11-15 are non-transitory computer-readable medium version of claims 1-5, respectively. They are rejected similarly under the same rationale.

Allowable Subject Matter
Claims 16-22 are allowed.
	Regarding claim 16, although the cited prior art of record such as Clarke teaches a method comprising: receiving, by a first security component executing on a first server from a second security component executing on a first device, a domain name resolution (DNS) query initiated by a client device for resolution of a domain name  (Clarke, figure 3B, and [0044]: outgoing DNS query 304 from node A), the encryption of the domain name and the authentication information included with the DNS query by the second security component  [Clarke, 0044 - the intercepting device may insert metadata regarding node A into DNS query 304 before sending DNS query 304 on to DNS service 302; [0045] - The User Level metadata may represent the level or category of the specific user of the node that sent the DNS query (e.g., node A in FIG. 3B); 0046 – the inserting device may leverage authentication, authorization and accounting (AAA)]; and determining, by the first security component using the authentication information, whether the second security component is authorized to access a domain resolution service performed by the first security component [0079 – in a case in which a user is attempting to access a certain database while physically located in his company’s building, information about the user may be inserted into the DNS query, in response, the DNS service may return policy information as part of the DNS response, such as a deny to user access]. 
	However, none of the prior art of record teaches “the DNS query received by the first security component including an encryption of the domain name instead of the domain name and the DNS query also including authentication information about the client device and in response determining that the second security component is authorized to access the domain resolution service, the first security component performing the domain resolution service by: modifying the DNS query by: removing from the DNS query identification of the client device;  and 	adding a DNS query identifier (ID);  associating the DNS query ID with the client device in a DNS query database; sending the modified DNS query to a second server for resolution of the domain name; receiving, from the second server in response to the modified DNS query, a DNS response including: an encrypted IP address or encrypted code, and the DNS query ID;  retrieving the identity of the client device using the DNS query ID;  and sending the DNS response with the encrypted IP address to the client device for decrypting by the second security component.” 
	Claims 17-22 are allowed for the dependency on allowed claim 16.  
 
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
1.	Dobbins et al. (US 20150312272), method and system includes intercepting queries and messages, such as EDNS0 queries, and sending probe queries and reply queries to the originating computing device to determine whether the originating computing device may be sufficiently validated so as to justify forwarding resource-intensive queries and messages to the targeted computing device.
2.	Siba et al. (US 20170374015), a DNS resolver to encode a falsified IP address with a client identifier that identifies a client attempting to access a blocked domain.  The DNS resolver receives, from a client, a DNS request that contains a requested domain name and a client identifier.  The DNS resolver then determines the identity of the client from the client identifier in the DNS request.  The DNS resolver then applies policies for the domain name system request to determine that the requested domain name should be blocked for the identity of the client.

Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALINA N BOUTAH whose telephone number is (571)272-3908.  The examiner can normally be reached on M-F 7:00 AM - 3:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Rupal Dharia can be reached on 571-272-3880.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


ALINA N. BOUTAH
Primary Examiner
Art Unit 2443



/ALINA A BOUTAH/Primary Examiner, Art Unit 2443