DETAILED ACTION
This action is in response to the communication filed on 1/21/2022.
Claims 1-20 are pending.
Claim 1 has been amended.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant's arguments filed 1/21/2022 have been fully considered but they are not persuasive. 

In the communication filed, applicant argues in substance that:

[a] The cited references do not disclose or suggest, at a host computer, intercepting domain name system (DNS) resolution mappings from DNS responses sent by a DNS server executing on the host machine, because Drako merely talks about a DNS server that queries two other DNS servers in order to compare the replies from the two other DNS servers, and there is nothing in Drako that talks about a host computer that intercepts the DNS mappings from DNS responses sent by a DNS server that is executing on the host computer itself, as cited in remarks, pg. 7.
In response to argument [a], Examiner respectfully disagrees.
The claim limitation requires intercepting DNS mappings from DNS responses being sent by a DNS server executing on the host computer, which is disclosed by Drako.  FIG. 1 shows a block diagram of a typical computing system 100 where the preferred embodiment of this invention 

[b] The cited references do not disclose or suggest, at a host computer, sending a first table which contains multiple DNS resolution mappings to a manager in order to receive a second table which contains fewer DNS resolution mappings as any invalid DNS resolution mappings were removed by the manager, because Earl does not disclose anything regarding retrieving a second table which contains only valid DNS resolution mappings, as cited in claim remarks, pg. 8.
In response to argument [b], Examiner respectfully disagrees.
Earl discloses that system 100 comprises a checking server 102, DNS cache servers 116, 117, 118, Valid list data store 10, and authoritative DNS server 112.  The checking application 108 may find that there are multiple domain name to IP address mappings for the same domain name in the DNS cache servers 116-118; it is at this point that the checking application 108 consults the valid list 110 to see if the discrepant domain name to IP address mappings are valid and match the domain name to IP address mappings on the valid list 110.  If a discrepant domain name to IP address mapping is not found on the valid list 110, the checking application 108 may then request a list of all domain name to IP address mappings for the subject domain name from the authoritative DNS server 112. The checking application 108 may determine that the discrepant domain name to IP address mapping is not authorized by the authoritative DNS server 112. The DNS cache servers 116-118 that store the unauthorized domain name to IP address mapping may delete the unauthorized domain name to IP address (see Earl; col. 6/lines 47 – col. 7/lines 47).  Therefore, Earl teaches the claim limitations.

[c] The cited references do not disclose or suggest a computing device that provides a first table to a manager to receive a second table containing valid DNS resolution mappings and then uses the second table to validate DNS responses that it intercepts from a DNS server, because there is nothing in Drako that talks about a computer device using a table that contains only valid DNS resolution mappings to validate DNS responses it intercepts from a DNS server, as cited in remarks, pg. 9.
In response to argument [c], Examiner respectfully disagrees.
In response to applicant's arguments against the references individually, one cannot show nonobviousness by attacking references individually where the rejections are based on combinations of references.  See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986).
Further, Earl discloses that the checking application 108 may find that there are multiple domain name to IP address mappings for the same domain name in the DNS cache servers 116-118; it is at this point that the checking application 108 consults the valid list 110 to see if the discrepant domain name to IP address mappings are valid and match the domain name to IP address mappings on the valid list 110.  If a discrepant domain name to IP address mapping is not found on the valid list 110, the checking application 108 may then request a list of all domain name to IP address mappings for the subject domain name from the authoritative DNS server 112. The checking application 108 may determine that the discrepant domain name to IP address mapping is not authorized by the authoritative DNS server 112 (see Earl; col. 6/lines 47 – col. 7/lines 47).

[d] The cited references do not disclose or suggest adding a DNS resolution mapping from a first table to a second table if the mapping is validated and not adding the DNS resolution mapping 
In response to argument [d], Examiner respectfully disagrees.
Earl discloses that system 100 comprises a checking server 102, DNS cache servers 116, 117, 118, Valid list data store 10, and authoritative DNS server 112.  The checking application 108 may find that there are multiple domain name to IP address mappings for the same domain name in the DNS cache servers 116-118; it is at this point that the checking application 108 consults the valid list 110 to see if the discrepant domain name to IP address mappings are valid and match the domain name to IP address mappings on the valid list 110.  If the discrepant domain name to IP address mapping is determined to be valid when compared to the authoritative DNS server 112 list received by the checking application 108, the discrepant domain name to IP address mapping is written to the valid list 110. If the discrepant domain name to IP address mapping is not identified on the authoritative DNS server 112 list, the checking application 108 may alert the one or more DNS cache servers 116-118 that contain the discrepant domain name to IP address mapping to flush the discrepant domain name to IP address mapping and then replace the discrepant mapping with a valid mapping from the authoritative DNS server 112 list (see Earl; col. 6/lines 47 – col. 7/lines 47).  Therefore, Earl teaches the claim limitations.
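The cache-check flow attributed to Earl in the responses above can be sketched as follows. This is an added example, not code from Earl, Drako or the application; the function names, cache names and sample records are constructed, and the authoritative DNS server is replaced by an in-memory lookup so the sketch runs offline.

```python
# Added illustration: every name and record below is constructed for this sketch.
from collections import defaultdict

# Stand-in for the authoritative DNS server's list (documentation address ranges).
AUTHORITATIVE = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.com": {"192.0.2.25"},
}


def authoritative_lookup(domain):
    """Return every address the (simulated) authoritative server lists for domain."""
    return AUTHORITATIVE.get(domain, set())


def find_discrepancies(caches):
    """Return {domain: {ip: [cache names]}} for domains on which the caches disagree."""
    seen = defaultdict(lambda: defaultdict(list))
    for cache_name, records in caches.items():
        for domain, ip in records.items():
            seen[domain][ip].append(cache_name)
    return {d: dict(ips) for d, ips in seen.items() if len(ips) > 1}


def check_caches(caches, valid_list, lookup=authoritative_lookup):
    """One integrity pass over the caches.

    A discrepant mapping already on valid_list is left alone. Otherwise the
    authoritative list is requested: a confirmed mapping is written to
    valid_list, an unconfirmed one is flushed from every cache holding it and
    replaced with an authoritative mapping. Returns the flush log.
    """
    flushed = []
    for domain, ips in sorted(find_discrepancies(caches).items()):
        authorised = None  # fetched lazily, at most once per domain
        for ip, holders in sorted(ips.items()):
            if (domain, ip) in valid_list:
                continue
            if authorised is None:
                authorised = lookup(domain)
            if ip in authorised:
                valid_list.add((domain, ip))
                continue
            replacement = min(authorised) if authorised else None
            for name in holders:
                if replacement is None:
                    del caches[name][domain]  # nothing valid to substitute
                else:
                    caches[name][domain] = replacement
                flushed.append((name, domain, ip, replacement))
    return flushed


def validate_response(domain, ip, valid_list):
    """Agent-side check: forward a response only if its mapping is on the valid list."""
    return "forward" if (domain, ip) in valid_list else "withhold"


def demo():
    """Run the pass on three constructed caches, one of which holds a bad record."""
    caches = {
        "cache_116": {"www.example.com": "192.0.2.10", "mail.example.com": "192.0.2.25"},
        "cache_117": {"www.example.com": "192.0.2.11", "mail.example.com": "192.0.2.25"},
        "cache_118": {"www.example.com": "203.0.113.66", "mail.example.com": "192.0.2.25"},
    }
    valid_list = {("www.example.com", "192.0.2.10")}
    flushed = check_caches(caches, valid_list)
    return caches, valid_list, flushed


if __name__ == "__main__":
    print(demo())
```

In this sketch a mapping on which all caches agree is never sent to the authoritative server, so it never reaches the valid list; only discrepant mappings that were confirmed do.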

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:


The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Drako (US 2010/0121981) in view of Earl et al. (US 9,300,623).

Regarding claim 1, Drako discloses a method comprising: 
at a host computer (see Drako; [0078]; a typical computing system 100 where the preferred embodiment of this invention can be practiced): 
intercepting domain name system (DNS) resolution mappings from DNS responses being sent by a DNS server executing on the host computer (see Drako; [0081]; receiving a DNS response from DNS server 130 at DNS server 121); 
intercepting, a DNS response that includes a domain name to address resolution mapping from the DNS server (see Drako; [0081]; receiving a DNS response from DNS server 130 at DNS server 121).
However, the prior art does not explicitly disclose the following:
storing, DNS resolution mappings that map a plurality of domain names to a plurality of network addresses in a first table;
sending, the first table to a manager for validation of the DNS resolution mappings, said first table comprising a first plurality of entries with each entry providing a mapping that maps a domain name to a network address; 
receiving, a second table from the manager that contains validated entries for validated DNS resolution mappings, the second table comprising a second plurality of entries with each entry associating a domain name to a network address, said second plurality of entries comprising fewer entries than the first plurality of entries as one or more entries from the first plurality of entries were removed by the manager as being invalid entries; 
validating, the domain name to address resolution mapping using a validated DNS resolution mapping in the second table.
Earl, in the same field of endeavor, discloses techniques for a domain name system (DNS) cache integrity check.  In particular, Earl teaches the following:
storing, DNS resolution mappings that map a plurality of domain names to a plurality of network addresses in a first table (see Earl; col. 10/lines 27-47; detx 31; at block 332, each of a plurality of DNS records stored in a plurality of DNS cache servers are checked, for example by a checking application of a checking server);
sending, the first table to a manager for validation of the DNS resolution mappings, said first table comprising a first plurality of entries with each entry providing a mapping that maps a domain name to a network address (see Earl; col 6/lines 33-47; detx 19; the checking application 108 may access the DNS cache servers 116-118); 
receiving, a second table from the manager that contains validated entries for validated DNS resolution mappings, the second table comprising a second plurality of entries with each entry associating a domain name to a network address, said second plurality of entries comprising fewer entries than the first plurality of entries as one or more entries from the first plurality of entries were removed by the manager as being invalid entries (see Earl; col 6/lines 47 – col. 7/lines 47; detx 20-22; the checking application 108 may find that there are multiple domain name to IP address mappings for 108 may determine that the discrepant domain name to IP address mapping is not authorized by the authoritative DNS server 112. The DNS cache servers 116-118 that store the unauthorized domain name to IP address mapping may delete the unauthorized domain name to IP address); 
validating, the domain name to address resolution mapping using a validated DNS resolution mapping in the second table (see Earl; col 7/lines 17-47; detx 22; If the discrepant domain name to IP address mapping is determined to be valid when compared to the authoritative DNS server 112 list received by the checking application 108, the discrepant domain name to IP address mapping is written to the valid list 110. If the discrepant domain name to IP address mapping is not identified on the authoritative DNS server 112 list, the checking application 108 may alert the one or more DNS cache servers 116-118 that contain the discrepant domain name to IP address mapping to flush the discrepant domain name to IP address mapping and then replace the discrepant mapping with a valid mapping from the authoritative DNS server 112 list).
Therefore, it would have been obvious to a person of ordinary skill in the art at the time the invention was effectively filed to modify the prior art with the teaching of Earl in order to incorporate techniques for checking the integrity of a DNS cache by adding valid DNS resolution mapping to a valid list.  One would have been motivated because without the checking server and the checking application, it is possible that existing DNS cache servers may be poisoned by attackers that wish to corrupt the DNS records stored in one or more of the cache servers, for example to hijack domain name to IP address 

Regarding claim 2, Drako-Earl discloses the method of claim 1, wherein at least a portion of the DNS resolution mappings in the first table are included in a third table, wherein the third table is used by the DNS server to respond to DNS resolution mapping requests that request the address for a domain name (see Drako; [0081]; referring to FIG. 7, the dns server 121 receives a second reply from a second dns server 131 and upon matching the two replies, forwards the response to the client 110).  

Regarding claim 3, Drako-Earl discloses the method of claim 1, wherein validating the domain name to address resolution mapping comprises: determining if the domain name to address resolution mapping changes an address in a corresponding entry in the second table for the domain name (see Drako; [0081]; referring now to FIG. 6, the dns server 121 receives a reply from dns server 130 but the process of the present invention is to withhold the reply from the client 110. Referring to FIG. 7, the dns server 121 receives a second reply from a second dns server 131 and upon matching the two replies, forwards the response to the client 110).  

Regarding claim 4, Drako-Earl discloses the method of claim 1, further comprising: when the domain name to address resolution mapping is not validated, performing an action that includes not allowing the DNS server to send the DNS response to another entity (see Drako; [0083]; referring to FIG. 9, an embodiment of the invention is a DNS observer, any logical entity in the path between a client 110 and a dns server 130. The DNS observer is not itself a server but duplicates queries and blocks replies until a match is received from at least one second dns server).  

Regarding claim 5, Drako-Earl discloses the method of claim 1, wherein the second table includes validated DNS resolution mappings that are validated from DNS resolution mappings received from multiple DNS servers (see Drako; [0082]; referring to FIG. 8, an embodiment of the invention is the method of querying a plurality of second dns servers 131 and 132, and voting on the replies. Voting could require a unanimous result or a majority result in embodiments. The result of voting can be to forward the winning reply to the client 110 or withhold any reply from the client 110).  

Regarding claim 6, Drako-Earl discloses the method of claim 1, wherein the DNS server and the manager are located in different divisions of a network such that the DNS server is associated with a first hierarchy of DNS servers and the manager is associated with a second hierarchy of DNS servers (see Drako; [0081]; DNS server 130 and DNS server 131 are in different divisions of a network, since Drako teaches that dns server 131 is protected, can be hidden from attack, and is to be used to verify DNS addressing).  

Regarding claim 7, Drako-Earl discloses the method of claim 1, further comprising: storing the second table in a secure area that is not accessible by a workload implementing the DNS server (see Drako; [0081]; the dns server 131 which is protected and may be hidden from attack).  

Regarding claim 8, Drako-Earl discloses a non-transitory computer-readable storage medium containing instructions, that when executed, control a computer system to be operable for: 
storing, by a computing device, domain name system (DNS) resolution mappings from a domain name to an address in a first table, wherein the DNS resolution mappings are intercepted from DNS responses being sent by a DNS server (see Drako; [0080]; referring now to FIG. 4, a block diagram of a normal dns reply is illustrated. The IP address found in cache of DNS server 130 is sent to DNS server 120); 
sending, by the computing device, the first table to a manager for validation of the DNS resolution mappings (see Earl; col 6/lines 33-47; detx 19; the checking application 108 may access the DNS cache servers 116-118); 
receiving, by the computing device, a second table from the manager that contains validated DNS resolution mappings (see Earl; col. 6/lines 47 – col. 7/lines 47; detx 20-22; the checking application 108 may find that there are multiple domain name to IP address mappings for the same domain name in the DNS cache servers 116-118, it is at this point that the checking application 108 consults the valid list 110 to see if the discrepant domain name to IP address mappings are valid and match the domain name to IP address mappings on the valid list 110); 
intercepting, by the computing device, a DNS response that includes a domain name to address resolution mapping from the DNS server (see Drako; [0081]; referring now to FIG. 6, the dns server 121 receives a reply from dns server 130 but the process of the present invention is to withhold the reply from the client 110); and 
validating, by the computing device, the domain name to address resolution mapping using a validated DNS resolution mapping in the second table (see Earl; col. 7/lines 17-47; detx 22; If the discrepant domain name to IP address mapping is determined to be valid when compared to the authoritative DNS server 112 list received by the checking application 108, the discrepant domain name to IP address mapping is written to the valid list 110. If the discrepant domain name to IP address mapping is not identified on the authoritative DNS server 112 list, the checking application 108 may alert the one or more DNS cache servers 116-118 that contain the discrepant domain name to IP address mapping to flush the discrepant domain name to IP address mapping and then replace the discrepant mapping with a valid mapping from the authoritative DNS server 112 list).

Regarding claims 9-14, they do not teach or further define over the limitations in claims 2-7, respectively.  Therefore, claims 9-14 are rejected for the same rationale of rejection as set forth in claims 2-7, respectively.

Regarding claim 15, Drako-Earl discloses a method comprising: 
receiving, by a computing device, a first table including a first DNS resolution mapping for a domain name to an address, the first DNS resolution mapping determined from a DNS response by a DNS server (see Drako; [0080]; referring now to FIG. 4, a block diagram of a normal dns reply is illustrated. The IP address found in cache of DNS server 130 is sent to DNS server 120 which provides it to the client 110. If the cache 140 has been poisoned, every client who relies upon dns server 130 will receive bogus IP addresses); 
communicating, by the computing device, with a set of DNS servers to receive a second resolution mapping for the first DNS resolution mapping in the first table (see Earl; col 6/lines 47 – col. 7/lines 47; detx 20-22; the checking application 108 may find that there are multiple domain name to IP address mappings for the same domain name in the DNS cache servers 116-118, it is at this point that the checking application 108 consults the valid list 110 to see if the discrepant domain name to IP address mappings are valid and match the domain name to IP address mappings on the valid list 110);
comparing, by the computing device, the domain name or the address in the received second resolution mapping with a corresponding domain name or a corresponding address in the first DNS resolution mapping (see Earl; col. 6/lines 47-57; detx 20; If the discrepant domain name to IP address mappings are located on the valid list 110, the system 100 is paused until the checking application 108 accesses and compares the domain name to IP address mappings of the DNS cache servers 116-118 once again); 
validating, by the computing device, the first DNS resolution mapping based on the comparing (see Earl; col 7/lines 17-47; detx 22; If the discrepant domain name to IP address mapping is determined to be valid when compared to the authoritative DNS server 112 list received by the checking application 108, the discrepant domain name to IP address mapping is written to the valid list 110. If the discrepant domain name to IP address mapping is not identified on the authoritative DNS server 112 list, the checking application 108 may alert the one or more DNS cache servers 116-118 that contain the discrepant domain name to IP address mapping to flush the discrepant domain name to IP address mapping and then replace the discrepant mapping with a valid mapping from the authoritative DNS server 112 list); 
when the first DNS resolution mapping is validated, adding, by the computing device, the first DNS resolution mapping to a second table (see Earl; col. 11/lines 10-26; detx 36; at block 340, the discrepant DNS record is compared to the response received from the authoritative DNS server. If the discrepant DNS record is validated or substantiated by the response (e.g., the response comprises a value that comports with or agrees with the discrepant DNS record), the discrepant DNS record is added to the valid list. In this case, the discrepant DNS record is affirmed or confirmed to be valid by the authoritative DNS server, and hence is added to the valid list);
when the first DNS resolution mapping is not validated, not adding, by the computing device, the first DNS resolution mapping to the second table (see Earl; col. 7/lines 17-47; detx 22; If the discrepant domain name to IP address mapping is not identified on the authoritative DNS server 112 list, the checking application 108 may alert the one or more DNS cache servers 116-118 that contain the discrepant domain name to IP address mapping to flush the discrepant domain name to IP address mapping and then replace the discrepant mapping with a valid mapping from the authoritative DNS server 112 list); and 
sending, by the computing device, the second table to an agent for use in validating DNS resolution responses by the DNS server (see Earl; col. 8/lines 31-54; detx 26; the authoritative DNS server 112 list received via the checking application 108 comprises all valid domain name to IP address mappings 

Regarding claim 16, Drako-Earl discloses the method of claim 15, wherein comparing the domain name or the address comprises: comparing whether the address is a same value from multiple second resolution mappings, wherein a lookup to determine the address is performed using the domain name from the first DNS resolution mapping (see Drako; [0082]; referring to FIG. 8, an embodiment of the invention is the method of querying a plurality of second dns servers 131 and 132, and voting on the replies. Voting could require a unanimous result or a majority result in embodiments. The result of voting can be to forward the winning reply to the client 110 or withhold any reply from the client 110).  

Regarding claim 17, Drako-Earl discloses the method of claim 15, wherein comparing the domain name or the address comprises: comparing whether the domain name is a same value from multiple second resolution mappings, wherein a reverse lookup to determine the domain name is performed using the address from the first DNS resolution mapping (see Drako; claim 30; a reverse DNS lookup of a first IP address and a second IP address resulting in the same host and domain name).  

Regarding claim 18, Drako-Earl discloses the method of claim 15, wherein comparing the domain name or the address comprises: comparing whether the address or the domain name is a same value from multiple second resolution mappings (see Drako; [0081]; referring now to FIG. 6, the dns server 121 receives a reply from dns server 130 but the process of the present invention is to withhold the reply from the client 110. Referring to FIG. 7, the dns server 121 receives a second reply from a second dns server 131 and upon matching the two replies, forwards the response to the client 110).  

Regarding claim 19, Drako-Earl discloses the method of claim 15, wherein the set of DNS servers are located in different divisions of a network such that the DNS server is associated with a first hierarchy of DNS servers and another DNS server in the set of DNS servers is associated with a second hierarchy of DNS servers (see Drako; [0081]; DNS server 130 and DNS server 131 are in different divisions of a network, since Drako teaches that dns server 131 is protected, can be hidden from attack, and is to be used to verify DNS addressing).  

Regarding claim 20, Drako-Earl discloses the method of claim 15, wherein the second table includes validated DNS resolution mappings that are received in first tables from different DNS servers (see Drako; [0082]; referring to FIG. 8, an embodiment of the invention is the method of querying a plurality of second dns servers 131 and 132, and voting on the replies. Voting could require a unanimous result or a majority result in embodiments. The result of voting can be to forward the winning reply to the client 110 or withhold any reply from the client 110).


Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 
For the reasons above, claims 1-20 have been rejected and remain pending.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JIMMY H TRAN whose telephone number is (571)270-5638.  The examiner can normally be reached on Monday - Friday 9am-5pm PST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Philip Chea can be reached on 571-272-3951.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-


JIMMY H TRAN
Primary Examiner
Art Unit 2456


