DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This is a reply to the amendment filed on 02/25/2022, in which, claim(s) 1, 2, 4, and 6-20 are pending. Claim(s) 1, 2, 4, 6-10, 16, and 17 are amended. Claim(s) 3 and 5 are cancelled. No claim(s) are added.

Response to Arguments
Claim Objection: 
Applicant’s arguments with respect to the objection of claim(s) 2-9 and 17 have been considered. The objection of claim(s) 2-9 and 17 has been withdrawn in view of the amendment to the claims.

Claim Rejections - 35 U.S.C. § 101:
Applicants’ arguments with respect to claim(s) 16-20 have been fully considered and are persuasive. The rejection under 35 USC §101 regarding claim(s) 16-20 has been withdrawn in view of the amendment to the claims.

Claim Rejections - 35 U.S.C. § 102 and 35 U.S.C. § 103:
Applicant’s arguments with respect to the rejection of claim(s) 1 and 10 have been considered but are moot in view of the new ground(s) of rejection.
Applicant is encouraged to schedule an interview with the Examiner prior to the next communication to compact prosecution of the case.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
Claims 1-2, 4, 7, 10 and 11-14 are rejected under 35 U.S.C. 103 as being unpatentable over Lapidous et al. (US 2019/0036871 A1) in view of Judge et al. (US 2016/0308875 A1) further in view of Foxhoven et al. (US 2018/0113807 A1).
Regarding Claim 1, Lapidous discloses A method of securing network devices by managing Domain Name Server (DNS) requests, comprising: 
installing an endpoint Domain Name Server (DNS) agent on a client device on a local network ([0049], “The computing device 1500 may likewise host (install) a virtual private router (VPR) 104 (as the DNS agent)…the VPR 104 may include a traffic interceptor 106 that intercepts both of requests for domain name resolution (e.g. domain name service (DNS) requests)”); 
receiving a DNS request from the client device in the endpoint DNS agent ([0049], “the VPR 104 may include a traffic interceptor 106 that intercepts both of requests for domain name resolution (e.g. domain name service (DNS) requests)”, [0050], “receive a DNS resolution request from an application 102”); 
processing the received DNS request in the endpoint DNS agent via the endpoint DNS agent ([0050], “DNS resolution requests may be processed by a DNS resolver 108” of the VPR 104, see Fig. 1);  
wherein the security server is operable to return a response to the DNS request ([0066], “returning 218 the DNS response to the application (via the VPR 104, i.e. the endpoint DNS agent) that generated the intercepted 202 DNS request”),
Lapidous does not explicitly teach but Judge teaches
processing the received DNS request based on the security policy set for the client device ([0004], “retrieving a (security) policy associated with the device or user; applying the policy to the DNS request”); wherein processing the received DNS request comprises identifying the client device ([0004], “determining an identity of the device or user making the DNS request”)
Lapidous and Judge are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Judge with the disclosure of Lapidous. The motivation/suggestion would have been to secure and manage home or other networks (Judge, Abstract).
The combined teaching of Lapidous and Judge does not explicitly teach but Foxhoven teaches
receiving a security policy from a cloud-based DNS server running endpoint DNS support software configured to communicate with the endpoint device ([0004], “a DNS-policy driven infrastructure that is capable of supporting tens or hundreds of millions of devices”, [0018], “distributed cloud-based Dynamic Name Server (DNS)”, [0019], “providing DNS-based policy”, [0028], ““software as a service” (SaaS) is sometimes used to describe application programs offered through cloud computing”);
sending the identified client device and the DNS request to the cloud-based DNS server ([0006], “providing a request from the one of the plurality of surrogates to an authoritative DNS server associated with a domain name of the DNS request”, “include receiving the result of the DNS resolution based on a location or source Internet Protocol address of the one of the plurality of surrogates instead of based on the DNS server. The one of the plurality of surrogates can include a (identified) user device associated with the DNS request”);
Lapidous, Judge and Foxhoven are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Foxhoven with the combined teaching of Lapidous and Judge. The motivation/suggestion would have been to provide security and policy enforcement for devices (Foxhoven, [0056]).

Regarding Claim 2, the combined teaching of Lapidous, Judge and Foxhoven teaches
wherein the response to the DNS request comprises: an IP address for the requested domain itself (Lapidous, [0066], “creating 216 a DNS response including the pseudo IP address mapped to the FQDN in the table”).

Regarding Claim 4, the combined teaching of Lapidous, Judge and Foxhoven teaches wherein the returned response to the DNS request comprises an IP address associated with a domain name comprising part of the DNS request (Lapidous, [0066], “creating 216 a DNS response including the pseudo IP address mapped to the FQDN in the table and the TTL set at step 214”).

Regarding Claim 7, the combined teaching of Lapidous, Judge and Foxhoven teaches wherein the endpoint DNS agent is operable to process received DNS requests irrespective of whether the client device is behind a firewall or gateway (Lapidous, [0055], “The illustrated components of the VPR 104 may be stored and executed by a single client device 1500 or distributed across multiple computing devices, such as on a gateway computer or a router connected to the client device 1500 by a local or some other network”).

Regarding Claim 10, Lapidous discloses A method of securing network client devices in a DNS server, comprising: 
receiving a DNS request from an endpoint Domain Name Server (DNS) agent on a client device, the DNS request comprising a domain name ([0050], “the DNS resolver 108 (of the VPR 104, i.e. the endpoint DNS agent on the device) may respond to DNS requests from an application 102 by transmitting an actual DNS request to a DNS server”, [0058], “intercepting 202 a DNS request and getting 204 from the DNS the fully qualified domain name (FQDN) from the DNS request”); 
processing the received DNS request to generate a result ([0066], “creating 216 a DNS response including the pseudo IP address mapped to the FQDN in the table and the TTL set at step 214”); and 
sending a reply comprising the result to the endpoint DNS agent on the client device ([0066], “returning 218 the DNS response to the application (via the VPR 104, i.e. the endpoint DNS agent) that generated the intercepted 202 DNS request”).
Lapidous does not explicitly teach but Judge teaches
the DNS server is a cloud-based DNS server ([0035], “a DNS server…on a public or private cloud”);
the DNS request comprising a client identity ([0004], “determining an identity of the device or user making the DNS request”);
processing the received DNS request in compliance with a security policy associated with the client identity ([0004], “retrieving a (security) policy associated with the device or user; applying the policy to the DNS request”).  
Lapidous and Judge are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Judge with the disclosure of Lapidous. The motivation/suggestion would have been to secure and manage home or other networks (Judge, Abstract).
The combined teaching of Lapidous and Judge does not explicitly teach but Foxhoven teaches
running, on the cloud-based DNS server, endpoint DNS support software configured to communicate with the endpoint device ([0004], “a DNS-policy driven infrastructure that is capable of supporting tens or hundreds of millions of devices”, [0018], “distributed cloud-based Dynamic Name Server (DNS)”, [0028], ““software as a service” (SaaS) is sometimes used to describe application programs offered through cloud computing”);
Lapidous, Judge and Foxhoven are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Foxhoven with the combined teaching of Lapidous and Judge. The motivation/suggestion would have been to provide security and policy enforcement for devices (Foxhoven, [0056]).

Regarding Claim 11, the combined teaching of Lapidous, Judge and Foxhoven teaches wherein the reply comprises at least one of an IP address associated with the domain name, and a response indicating the requested domain name is a security risk (Lapidous, [0066], “creating 216 a DNS response including the pseudo IP address mapped to the FQDN in the table and the TTL set at step 214”, [0130], “respond with an assessment of the privacy or security risk associated with the request, e.g. the FQDN from the first request”).

Regarding Claim 12, the combined teaching of Lapidous, Judge and Foxhoven teaches wherein the client identity comprises at least one of an identity of the client device and an identity of a user of the client device (Judge, [0004], “determining an identity of the device or user”).

Regarding Claim 13, the combined teaching of Lapidous, Judge and Foxhoven teaches wherein the security policy is set via an administrator of the client device (Judge, [0018], “user interface to provide an administrator with an option to edit polices”).

Regarding Claim 14, the combined teaching of Lapidous, Judge and Foxhoven teaches wherein the cloud-based DNS server is operable to receive requests from the client device and respond to such requests irrespective of whether the client device is behind a firewall or gateway (Lapidous, [0055], “The illustrated components of the VPR 104 may be stored and executed by a single client device 1500 or distributed across multiple computing devices, such as on a gateway computer or a router connected to the client device 1500 by a local or some other network”, Judge, [0035], “a DNS server…on a public or private cloud”).

Claims 6, 8, 9 and 15 are rejected under 35 U.S.C. 103 as being unpatentable over Lapidous et al. (US 2019/0036871 A1) in view of Judge et al. (US 2016/0308875 A1) further in view of Foxhoven et al. (US 2018/0113807 A1) and further in view of Hoover et al. (US 2007/0061887 A1).
Regarding Claim 6, the combined teaching of Lapidous, Judge and Foxhoven does not explicitly teach but Hoover teaches
allowing a user of the client device to override a DNS redirection returned in response to the DNS request ([0045], “the address assignment server 319 can override the addresses for the DNS and WINS servers that normally would be used by each physical network”).
Lapidous, Judge, Foxhoven and Hoover are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hoover with the combined teaching of Lapidous, Judge and Foxhoven. The motivation/suggestion would have been to ensure that data, exchanged between a client computer and resources in a remote network, are routed using network addresses that do not conflict with addresses local to the client computer (Hoover, [0002]).

Regarding Claims 8 and 15, the combined teaching of Lapidous, Judge and Foxhoven does not explicitly teach but Hoover teaches
wherein the endpoint DNS agent is further operable to resolve local addresses behind a firewall or gateway ([0039], “It also will include the IP address of the default gateway being used by the local area network, and the IP addresses of the DNS and/or WINS servers that are used by each physical network adapter 229 to resolve domain names”).
Lapidous, Judge, Foxhoven and Hoover are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hoover with the combined teaching of Lapidous, Judge and Foxhoven. The motivation/suggestion would have been to ensure that data, exchanged between a client computer and resources in a remote network, are routed using network addresses that do not conflict with addresses local to the client computer (Hoover, [0002]).

Regarding Claim 9, the combined teaching of Lapidous, Judge, Foxhoven and Hoover teaches
wherein the endpoint DNS agent is further operable to distinguish between DNS requests for systems behind the firewall or router and systems outside the firewall or router, and to redirect DNS requests for systems behind the firewall or router to a local network DNS server (Hoover, [0045], “In the redirect all mode, the address assignment server 319 can override the addresses for the DNS and WINS servers that normally would be used by each physical network adapter 229 by allocating the virtual network adapter 313 conflicting addresses for the IP router/routing table 315, along with rules giving precedence to the assigned addresses of the DNS/WINS servers 321”).

Claims 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Lapidous et al. (US 2019/0036871 A1) in view of Judge et al. (US 2016/0308875 A1).
Regarding Claim 16, Lapidous discloses A network client device comprising an endpoint DNS agent ([0049], “The computing device 1500 may likewise host (install) a virtual private router (VPR) 104 (as the DNS agent)”), comprising: 
a hardware processor and a hardware memory ([0152], “Computing device 1500 includes… Processor(s) 1502 include one or more processors or controllers that execute instructions stored in memory device(s) 1504”); and 
an endpoint Domain Name Server (DNS) module comprising instructions executable on the hardware processor of the client device, the endpoint DNS module operable to receive a DNS request from the client device ([0049], “the VPR 104 may include a traffic interceptor 106 that intercepts both of requests for domain name resolution (e.g. domain name service (DNS) requests)”, [0050], “receive a DNS resolution request from an application 102”) and 
process the received DNS request via the endpoint DNS agent ([0049], “DNS resolution requests may be processed by a DNS resolver 108” of the VPR 104, see Fig. 1).
Lapidous does not explicitly teach but Judge teaches
process the received DNS request based on a security policy set for the client device ([0004], “retrieving a (security) policy associated with the device or user; applying the policy to the DNS request”).  
Lapidous and Judge are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Judge with the disclosure of Lapidous. The motivation/suggestion would have been to secure and manage home or other networks (Judge, Abstract).

Regarding Claim 17, the combined teaching of Lapidous and Judge teaches wherein the security policy set via the DNS agent (Lapidous, [0049], “a virtual private router (VPR) 104”) is received from a cloud-based security server (Judge, [0004], “retrieving a (security) policy associated with the device or user; applying the policy to the DNS request”, [0035], “a DNS server…on a public or private cloud”).

Regarding Claim 18, the combined teaching of Lapidous and Judge teaches wherein processing the received DNS request comprises identifying the DNS request and at least one of a client device identity and a client device user identity (Judge, [0004], “determining an identity of the device or user making the DNS request”) to a cloud-based DNS server operable to return a response to the DNS request (Lapidous, [0066], “returning 218 the DNS response to the application (via the VPR 104, i.e. the endpoint DNS agent) that generated the intercepted 202 DNS request”, Judge, [0035], “a DNS server…on a public or private cloud”).

Regarding Claim 19, the combined teaching of Lapidous and Judge teaches wherein the endpoint DNS agent is operable to process received DNS requests irrespective of whether the client device is behind a firewall or gateway (Lapidous, [0055], “The illustrated components of the VPR 104 may be stored and executed by a single client device 1500 or distributed across multiple computing devices, such as on a gateway computer or a router connected to the client device 1500 by a local or some other network”).

Claim 20 is rejected under 35 U.S.C. 103 as being unpatentable over Lapidous et al. (US 2019/0036871 A1) in view of Judge et al. (US 2016/0308875 A1) further in view of Hoover et al. (US 2007/0061887 A1).
Regarding Claim 20, the combined teaching of Lapidous and Judge does not explicitly teach but Hoover teaches wherein the endpoint DNS agent is further operable to distinguish between DNS requests for systems behind the firewall or router and systems outside the firewall or router, and to redirect DNS requests for systems behind the firewall or router to a local network DNS server ([0045], “In the redirect all mode, the address assignment server 319 can override the addresses for the DNS and WINS servers that normally would be used by each physical network adapter 229 by allocating the virtual network adapter 313 conflicting addresses for the IP router/routing table 315, along with rules giving precedence to the assigned addresses of the DNS/WINS servers 321”).
Lapidous, Judge and Hoover are analogous art as they are in the same field of endeavor of information security. It would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to combine the teachings of Hoover with the combined teaching of Lapidous and Judge. The motivation/suggestion would have been to ensure that data, exchanged between a client computer and resources in a remote network, are routed using network addresses that do not conflict with addresses local to the client computer (Hoover, [0002]).

Conclusion
Applicants are encouraged to take advantage of the After Final Consideration Pilot 2.0 (AFCP 2.0) which authorizes non-production time for consideration of responses filed after a final rejection. The purpose of the pilot is to compact prosecution of the case. The request must include 1) A signed AFCP request form (PTO/SB/434 or equivalent) that includes a statement that applicant is requesting consideration under the AFCP; 2) An amendment to at least one independent claim that does not broaden the scope of the independent claim in any aspect; and 3) A statement that applicant is willing and available to participate in any interview initiated by the examiner concerning the present response.  In the limited amount of non-production time if the examiner’s consideration of a proper AFCP 2.0 request and response does not result in a determination that all pending claims are in condition for allowance, the examiner will request an interview with the applicant to discuss the response. For more info, please visit http://www.uspto.gov/patent/initiatives/after-final-consideration-pilot-20.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHENG-FENG HUANG whose telephone number is (571)272-6186. The examiner can normally be reached Monday-Friday: 9 am - 5 pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Eleni A Shiferaw can be reached on (571) 272-3867. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.





/CHENG-FENG HUANG/           Primary Examiner, Art Unit 2497