DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the America Invents Act (AIA).

Response and Claim Status
The instant Office action is responsive to the response received December 20, 2021 (the “Response”).  Applicants’ election of Group I (claims 1–18) in the Response is acknowledged.  Because Applicants did not distinctly and specifically point out the supposed errors in the restriction requirement, the election has been treated as an election without traverse.  See MPEP § 818.01(a).
Claims 1–20 are currently pending.  

Joint Inventors
This application currently names joint inventors.  In considering patentability of the claims the Examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicants are advised of the obligation under 37 C.F.R. § 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the Examiner to consider the applicability of 35 U.S.C. § 102(b)(2)(C) for any potential § 102(a)(2) prior art against the later invention.

Claimed Foreign Priority
Acknowledgment is made of (1) Applicants’ claim for foreign priority based on an application filed in India on May 2, 2020; and (2) certified copies of papers required by 37 C.F.R. § 1.55.

Specification
The lengthy Specification has not been checked to the extent necessary to determine the presence of all possible minor errors.  Applicant’s cooperation is requested in correcting any errors of which Applicant may become aware in the specification.

Claim Objections
The following is a quotation of 37 C.F.R. § 1.71(a): 
The specification must include a written description of the invention or discovery and of the manner and process of making and using the same, and is required to be in such full, clear, concise, and exact terms as to enable any person skilled in the art or science to which the invention or discovery appertains, or with which it is most nearly connected, to make and use the same.

Claims 3–5 and 13–18 are objected to under 37 C.F.R. § 1.71(a) for the following informalities:
(1) claim 3, line 1 should be “wherein the computing apparatus.”
(2) claim 4, line 1 should be “wherein the directing.”
(3) claim 5, line 1 should be “wherein the determining.”
(4) claim 13, line 2 should be “wherein the instructions.”

Claim Rejections – 35 U.S.C. § 103
The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been 

Claims 1, 3, 4, 6, and 7 are rejected under 35 U.S.C. § 103 as being obvious over Parla et al. (US 9,455,909 B2; filed Sept. 1, 2015)(“Parla ‘909”) in view of Chien (US 9,015,090 B2; filed Aug. 14, 2013).
Regarding claim 1, while Parla ‘909 teaches a computing apparatus (fig. 1, mobile device item 100; fig. 3, item 300), comprising: 
a hardware platform comprising a processor (fig. 3, item 304) and a memory (fig. 3, item 306);  
a network interface (fig. 3, item 318);  
an operating system (Parla ‘909 at least suggests mobile device item 100 includes an operating system);  and 
a security agent (fig. 3, item 310; “storage device 310, such as a magnetic disk, optical disk, and/or flash storage, is provided and coupled to bus 302 for storing information and instructions” at 8:59–61), comprising instructions encoded within the memory to instruct the processor to: 
establish a split virtual private network (VPN) tunnel (fig. 1, items 102, 104; “dynamic split tunneling to multiple data centers” at 3:58–59) with a remote VPN service;  
receive outgoing network traffic (“DNS traffic is routed to the appropriate tunnel associated with the sub-domain” at 3:33–34; “Such traffic is retrieved by the VPN client 130 and then tunneled.  Any other traffic is routed to the depicted physical IP interface 132 and sent in the clear (e.g., not via an encrypted tunnel)” at 4:8–11); and

Parla ‘909 does not teach (A) the operating system comprising a native internet protocol (IP) stack; and (B) directing a second portion of the outgoing traffic to the native IP stack.
Chien teaches an operating system (fig. 5, item 31b) comprising a native IP stack (fig. 5, item 333); and
directing (15:50–61) a second portion of outgoing traffic (fig. 5, item 304) to the native IP stack.
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Parla ‘909’s operating system to comprise a native IP stack and for Parla ‘909’s outgoing traffic to include a second portion that is directed to the native IP stack as taught by Chien for “identifying and prohibiting a questionable network communication, such as may be received from a hacker, an intruder, a phishing source, a virus, an email sender, and/or other false or questionable source.”  Chien 1:25–28.
Regarding claim 3, Parla ‘909 teaches wherein the apparatus is a mobile computing device (fig. 1, mobile device item 100; fig. 3, item 300). 
Regarding claim 4, while the Parla ‘909/Chien combination teaches directing (Chien 15:50–61) the second portion (Chien fig. 5, item 304),
the Parla ‘909/Chien combination does not teach wherein directing the second portion comprises determining that the second portion includes a fully-resolved destination IP address.
Chien teaches determining that the second portion (fig. 5, item 304) includes a fully-resolved destination IP address (“Client operation system 31b receives this request, which includes the IP address” at 15:51–52).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla ‘909/Chien combination’s directing to comprise determining that the second portion includes a fully-resolved destination IP address as taught by Chien for “identifying and prohibiting a questionable network communication, such as may be received from a hacker, an intruder, a phishing source, a virus, an email sender, and/or other false or questionable source.”  Chien 1:25–28.
Regarding claim 6, Parla ‘909 teaches wherein the instructions are further to 
identify a class of traffic (“a first DNS request for a sub-domain associated with a first FQDN associated with the first network (e.g., finances.company.com)” at 5:15–18; “a second Domain Name System (DNS) request for a sub-domain associated with a second FQDN associated with the second network (e.g., Oracle.BizApp.Com)” at 5:33–36) for tunneling, and direct all packets of the class 
to the VPN tunnel (fig. 1, items 102, 104; “dynamic split tunneling to multiple data centers” at 3:58–59). 
Regarding claim 7, Parla ‘909 teaches wherein the instructions are further to 
receive a DNS response (“The VPN client 130 receives a response to the first DNS request from the first tunnel 102.” at 5:21–23; “The VPN client 130 receives a 

Claim 2 is rejected under 35 U.S.C. § 103 as being obvious over Parla ‘909 in view of Chien, and in further view of Li et al. (US 2019/0132288 A1; filed May 2, 2019).
Regarding claim 2, while the Parla ‘909/Chien combination at least suggests the operating system (Parla ‘909 at least suggests mobile device item 100 includes an operating system; Chien fig. 5, item 31b), 
the Parla ‘909/Chien combination does not teach the operating system being a closed operating system. 
Li teaches a closed operating system (¶ 24).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla ‘909/Chien combination’s operating system to be a closed operating system as taught by Li for “us[ing] code that is proprietary and kept secret to prevent its use by other entities, with only limited APIs made accessible to third party software developers.”  Li ¶ 24.

Claim 5 is rejected under 35 U.S.C. § 103 as being obvious over Parla ‘909 in view of Chien, and in further view of Chen et al. (US 11,057,404 B2; filed Apr. 19, 2019).
Regarding claim 5, while Parla ‘909 teaches determining that the first portion includes an outgoing DNS request (“DNS requests are routed to the VPN tunnel to the first predefined concentrator” at 3:34–36; “The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102” at 5:18–21; 
the Parla ‘909/Chien combination does not teach the determining comprises determining that a destination port is 53.
Chen teaches determining that a destination port is 53 (“determining that the data packet is a UDP packet and that the destination port is 53” at 5:42–43).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla ‘909/Chien combination’s determining to comprise determining that a destination port is 53 as taught by Chen “for defending against a DNS attack.”  Chen 4:63–64.

Claims 8 and 9 are rejected under 35 U.S.C. § 103 as being obvious over Parla ‘909 in view of Chien, and in further view of Clarke et al. (US 10,897,475 B2; filed Aug. 1, 2017).
Regarding claim 8, while Parla ‘909 teaches the DNS response (“The VPN client 130 receives a response to the first DNS request from the first tunnel 102.” at 5:21–23; “The VPN client 130 receives a response to the second DNS request from tunnel 104.” at 5:37–39),
the Parla ‘909/Chien combination does not teach wherein the DNS response includes extended DNS data.
Clarke teaches extended DNS data (“OPT pseudo-resource records (RRs)” at 7:12-13; “the OPT RR of DNS query 304” at 7:67–8:1; “reply OPT RRs in DNS response 306 sent back to node A” at 12:5–6).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla ‘909/Chien combination’s DNS response to include extended DNS data as taught by Clarke “for network policy control.”  Clarke 1:8.
Regarding claim 9, Clarke teaches wherein the extended DNS data include 
an OPT pseudo-resource record (“OPT pseudo-resource records (RRs)” at 7:12-13; “the OPT RR of DNS query 304” at 7:67–8:1; “reply OPT RRs in DNS response 306 sent back to node A” at 12:5–6).

Claims 12–15 are rejected under 35 U.S.C. § 103 as being obvious over Parla ‘909 in view of Song et al. (US 2019/0372937 A1; filed May 31, 2018), and in further view of Chien.
Regarding claim 12, while Parla ‘909 teaches one or more tangible, non-transitory computer readable storage media (fig. 1, mobile device item 100; fig. 3, items 300, 306) having stored thereon executable instructions to: 
establish a virtual private network (VPN) (fig. 1, items 102, 104; “dynamic split tunneling to multiple data centers” at 3:58–59 with VPN client item 130);  
intercept outgoing network traffic (“DNS traffic is routed to the appropriate tunnel associated with the sub-domain” at 3:33–34; “Such traffic is retrieved by the VPN client 130 and then tunneled.  Any other traffic is routed to the depicted physical IP interface 132 and sent in the clear (e.g., not via an encrypted tunnel)” at 4:8–11) of a device (fig. 1, item 100);  
designate a first class of traffic (“certain traffic (e.g., traffic targeted to specific networks)” at 4:5–6; “Such traffic is retrieved by the VPN client 130 and then tunneled” at 4:8–9) for tunneling via the VPN; and 
designate a second class of traffic for handling in the clear via a physical adapter (“Any other (e.g., non-tunneled) traffic is sent in the clear via the physical adapter.” at 3:55–56; “Any other traffic is routed to the depicted physical IP interface 132 and sent in the clear (e.g., not via an encrypted tunnel).” at 4:9–11), 
wherein the first class includes outgoing domain name service (DNS) 

Parla ‘909 does not teach, in italics, (A) the establishing the VPN with a VPN provider; and (B) designate the second class of traffic for handling via a native internet protocol (IP) stack.
(A)
Song teaches establishing a VPN with a VPN provider (¶ 48).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Parla ‘909’s established VPN to be with a VPN provider as taught by Song “for split network tunneling based on traffic inspection.”  Song ¶ 30.
(B)
Chien teaches designating (15:50–61) a second class of traffic (fig. 5, item 304) for handling via a native IP stack (fig. 5, item 333).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Parla ‘909’s second class of traffic to be handled via a native IP stack as taught by Chien for “identifying and prohibiting a questionable network communication, such as may be received from a hacker, an intruder, a phishing source, a virus, an email sender, and/or other false or questionable source.”  Chien 1:25–28.
Regarding claim 13, Parla ‘909 teaches wherein instructions are further to receive a DNS response (“The VPN client 130 receives a response to the first DNS request from the first tunnel 102.” at 5:21–23; “The VPN client 130 receives a response to the second DNS request from tunnel 104.” at 5:37–39), parse a domain 
Regarding claim 14, Parla ‘909 teaches wherein the instructions are further to parse a domain name category (“a source address matching the first service IP address” at 6:43–45; “a first service IP address associated with the first network” at 5:24) from the DNS response. 
Regarding claim 15, Parla ‘909 teaches wherein the domain name category indicates that a domain belongs to a class of traffic (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102.  The VPN client 130 receives a response to the first DNS request from the first tunnel 102.  The response to the DNS request comprises a first service IP address associated with the first network.  The VPN client 130 maps the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDNs associated with the first tunnel.” at 5:18–23) that should be fully tunneled via the VPN. 

Claim 16 is rejected under 35 U.S.C. § 103 as being obvious over Parla ‘909 in view of Song, in further view of Chien, and in further view of Wang et al. (US 7,756,987 B2; filed Apr. 4, 2007).
Regarding claim 16, while Parla ‘909 teaches wherein the domain name category indicates that a domain is associated with a network (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102.  The VPN client 130 receives a response to the first DNS request from the first tunnel 102.  The response to the DNS request comprises a first service IP address associated with the first network.  The VPN client 130 maps the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDNs associated with the first tunnel.” at 5:18–23),
the Parla ‘909/Song/Chien combination does not teach the domain is a typo squatting domain.
Wang teaches a typo squatting domain (1:66–2:10).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla ‘909/Song/Chien combination’s domain to be a typo squatting domain as taught by Wang to “allow a parent to protect a child’s web browsing activities, [and to] allow a website owner to systematically monitor cybersquatting activities against a website.”  Wang 2:8–10.

Claims 17 and 18 are rejected under 35 U.S.C. § 103 as being obvious over Parla ‘909 in view of Song, in further view of Chien, and in further view of Mahjoub et al. (US 10,740,363 B2; filed Nov. 26, 2018).
Regarding claim 17, while Parla ‘909 teaches wherein the domain name category indicates that a domain is associated with a network (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first 
the Parla ‘909/Song/Chien combination does not teach the domain hosts illegal content.
Mahjoub teaches a domain hosting illegal content (“a domain hosts illegal material, hate speech, pornography, material related to drugs or alcohol, or otherwise objectionable material that a subscriber does not wish to access or permit access to” at 6:60–63).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla ‘909/Song/Chien combination’s domain to host illegal content as taught by Mahjoub “so that domains that are malicious or associated with malicious activity can be identified” and users can be protected from those domains.  Mahjoub 2:49–50.
Regarding claim 18, while Parla ‘909 teaches wherein the domain name category indicates that a domain is associated with a network (“The VPN client 130 determines that the DNS request is for a sub-domain associated with the first network, and forwards the first DNS request onto the first tunnel 102.  The VPN client 130 receives a response to the first DNS request from the first tunnel 102.  The response to the DNS request comprises a first service IP address associated with the first network.  The VPN client 130 maps the first service IP address in the response to the first DNS request to a first dummy service IP address allocated to the FQDNs associated with the first tunnel.” at 5:18–23),

Mahjoub teaches a domain for a website with questionable privacy terms (“a domain hosts illegal material, hate speech, pornography, material related to drugs or alcohol, or otherwise objectionable material that a subscriber does not wish to access or permit access to” at 6:60–63).
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Parla ‘909/Song/Chien combination’s domain to be for a website with questionable privacy terms as taught by Mahjoub “so that domains that are malicious or associated with malicious activity can be identified” and users can be protected from those domains.  Mahjoub 2:49–50.

Claim 1 is rejected under 35 U.S.C. § 103 as being obvious over Parla ‘909 et al. (US 2018/0309658 A1; filed July 26, 2017)(“Parla ‘658”) in view of Chien.
Regarding claim 1, while Parla ‘658 teaches a computing apparatus (fig. 1, computing device item 110; fig. 4, item 401 “that may be representative of the computing device 110” at ¶ 47), comprising: 
a hardware platform comprising a processor (fig. 4, item 403) and a memory (fig. 4, item 404);  
a network interface (fig. 4, item 413);  
an operating system (“The computing device 110 includes an operating system with a kernel space 160” at ¶ 19);  and 
a security agent (“information and instructions to be executed by processor 403” at ¶ 47), comprising instructions encoded within the memory to instruct the processor to: 

receive outgoing network traffic (“network traffic tunneled to the VPN server 155 inside the VPN tunnel 152” and “the computing device to inspect DNS traffic” at ¶ 19; “traffic targeting certain server host names is excluded from the VPN tunnel” at ¶ 20); and
direct a first portion (fig. 2A, DNS request item 240; ¶ 22) of the outgoing traffic to the VPN tunnel (“the DNS request 240 and the DNS response 245 are configured to be sent through the VPN tunnel 152” at ¶ 22), comprising determining that the first portion includes an outgoing domain name service (DNS) request (¶ 22),
Parla ‘658 does not teach (A) the operating system comprising a native internet protocol (IP) stack; and (B) directing a second portion of the outgoing traffic to the native IP stack.
Chien teaches an operating system (fig. 5, item 31b) comprising a native IP stack (fig. 5, item 333); and
directing (15:50–61) a second portion of outgoing traffic (fig. 5, item 304) to the native IP stack.
It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Parla ‘658’s operating system to comprise a native IP stack and for Parla ‘658’s outgoing traffic to include a second portion that is directed to the native IP stack as taught by Chien for “identifying and prohibiting a questionable network communication, such as may be received from a hacker, an intruder, a phishing source, a virus, an email sender, and/or other false or questionable source.”  Chien 1:25–28.

Allowable Subject Matter
Claim 10 is objected to as being dependent upon rejected base claim 1 and intervening claims 7 and 8, but would be allowable if rewritten to include all of the limitations of base claim 1 and intervening claims 7 and 8.  See MPEP §§ 608.01(n), 707.07(j).
Claim 11 is objected to as being dependent upon rejected base claim 1 and intervening claims 7, 8, and 10, but would be allowable if rewritten to include all of the limitations of base claim 1 and intervening claims 7, 8, and 10.  See id.

Conclusion
The prior art made of record and not relied upon is considered pertinent to Applicants’ disclosure: US 20030219022 A1; US 20180159825 A1; US 10721338 B2; and US 10958662 B1.
Any inquiry concerning this communication or earlier communications from the Examiner should be directed to DAVID P. ZARKA whose telephone number is (703) 756-5746.  The Examiner can normally be reached Monday–Friday from 9:30AM–6PM ET.
If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Vivek Srivastava, can be reached at (571) 272-7304.  The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://portal.uspto.gov/external/portal.  Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free).
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool.  To schedule an interview, Applicants are encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
/DAVID P ZARKA/
PATENT EXAMINER, Art Unit 2449