Abstract: Techniques for leveraging a distributed Domain Name System (DNS) infrastructure for preserving Personally Identifiable Information (PII) data for distributed resolvers using a hash to policy pair (HPP) database are described. A DNS security service receives metadata including PII associated with a client. A cryptographic hash function is applied to the metadata including PII associated with the client to generate a client hash value. A client HPP is created by mapping the client hash value to a set of DNS policy instructions associated with the client. The client HPP is stored in a HPP database. A distributed resolver is authorized to provide DNS services to the client. Finally, the HPP database is published to the distributed resolver.

Abstract: Techniques for leveraging efficient metadata communications to improve domain name system (DNS) security are described. The DNS service uses a hash value to uniquely identify a client, and detect any change in metadata in order to keep policies up-to-date for the client. In an example method a first DNS query for a client device is intercepted. A cryptographic hash function is applied to metadata associated with the client device to generate a hash value. The hash value is added to an additional records section of the first DNS query to generate a second DNS query. The second DNS query is transmitted to a DNS service. The metadata associated with the client device is transmitted to the DNS service on an out-of-band encrypted channel. A DNS response, including the hash value, is received from the DNS service and transmitted to the client device.