Patents by Inventor Ivan Dimitrov Pashov

Ivan Dimitrov Pashov has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230370418
    Abstract: Techniques for implementing a last known good (LKG) client-side cache for DNS resiliency are disclosed. A first DNS request is submitted to a DNS server. A first DNS resolution that resolves an IP address for a domain name is received. A service stores the first DNS resolution in an LKG cache residing on the local host. A second DNS request is sent, where the second DNS request again requests to resolve the same domain name. In response to determining that a second DNS resolution for the second DNS request has not been received, the service obtains the IP address for the domain name from the LKG cache.
    Type: Application
    Filed: May 12, 2022
    Publication date: November 16, 2023
    Inventors: Vinothkumar PRABHAKARAN, Srikanth SUBRAMANIAN, Kiran Kumar Venkata Purna Chenna Kesava VEMULA, Arpan Kumar GUPTA, Aditya SHARMA, Peter Alan CARLIN, Ivan Dimitrov PASHOV
  • Publication number: 20230068635
    Abstract: A front-end computing system provides cross machine message forwarding through a kernel mode component. The message is received in a kernel mode queue of the front-end computing system. The message includes one or more headers and an entity body including one or more data blocks. A user mode router in the front-end computing system designates a computing system to process the message based at least in part on the one or more headers. The one or more data blocks are passed through the kernel mode queue in the front-end computing system to the designated computing system without passing the one or more data blocks to the user mode router in the front-end computing system.
    Type: Application
    Filed: August 30, 2021
    Publication date: March 2, 2023
    Inventor: Ivan Dimitrov PASHOV
  • Publication number: 20220197666
    Abstract: A computing system delegates a request between a first container in user mode of an operating system on a webserver system and a second container in the user mode of the operating system. The operating system includes a kernel. A service in the second container creates a delegation queue in the kernel of the operating system. The service adds an identifier as a property of the delegation queue in the kernel, wherein the identifier is unique across the first container and the second container. A router executing in the first container opens the delegation queue in the kernel using the identifier, responsive to the adding operation. The request is delegated to the service executing in the second container via the delegation queue in the kernel, responsive to the opening operation.
    Type: Application
    Filed: February 18, 2021
    Publication date: June 23, 2022
    Inventor: Ivan Dimitrov PASHOV
  • Patent number: 10855725
    Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
    Type: Grant
    Filed: June 2, 2016
    Date of Patent: December 1, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
  • Patent number: 10666655
    Abstract: Providing access control by a first operating system. A method includes receiving at the first operating system, from the second operating system, a request for a bounding reference to a set having at least one resource. A bounding reference for the set is obtained. The bounding reference comprises a reference created from a first operating system resolvable reference to the set. The method further includes providing the obtained bounding reference for the obtained provided bounding reference to the second operating system. A request, including the obtained bounding reference and an identifier identifying the second operating system for the set, is received from the second operating system. The obtained bounding reference and the identifier identifying the second operating system are evaluated. As a result of evaluating the obtained bounding reference and the identifier identifying the second operating system, a resource control action is performed.
    Type: Grant
    Filed: November 20, 2017
    Date of Patent: May 26, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Gerardo Diaz Cuellar, Navin Narayan Pai, Ivan Dimitrov Pashov, Giridhar Viswanathan, Benjamin M. Schultz, Hari R. Pulapaka
  • Patent number: 10659466
    Abstract: The techniques and systems described herein improve security and improve connection reliability by providing a framework for an application to communicate its intent to an authority service so that the authority service can enforce networking security requirements. In various examples, an intent to access a resource over a network is received and queries are sent to resolve a network connection that enables access to the resource. Information for the resource is then collected and stored together in a trusted and secure environment. For instance, the information can include proxy data or can include hostname data. A ticket can be created based on the information. The ticket can be used to establish and maintain a secure network connection to the resource.
    Type: Grant
    Filed: August 12, 2016
    Date of Patent: May 19, 2020
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Gerardo Diaz-Cuellar, Benjamin M. Schultz, Ivan Dimitrov Pashov
  • Patent number: 10438019
    Abstract: A second operating system accessing resources from an external service. A method includes sending an anonymized request, for an anonymized user corresponding to an authorized user, for resources, through a broker. A request for proof indicating that the anonymized user is authorized to obtain the resources is received from the broker. As a result, a request is sent to a first operating system for the proof that the anonymized user is authorized to obtain the resources. Proof is received from the first operating system, based on the anonymized user being associated with the authorized user, that the anonymized user is authorized to obtain the resources. The proof is provided to the broker. As a result, the resources are obtained by the second operating system from the service.
    Type: Grant
    Filed: June 30, 2017
    Date of Patent: October 8, 2019
    Assignee: Microsoft Technology Licensing, LLC
    Inventors: Giridhar Viswanathan, Gerardo Diaz Cuellar, Hari R. Pulapaka, Ivan Dimitrov Pashov, Navin Narayan Pai, Benjamin M. Schultz
  • Publication number: 20190158497
    Abstract: Providing access control by a first operating system. A method includes receiving at the first operating system, from the second operating system, a request for a bounding reference to a set having at least one resource. A bounding reference for the set is obtained. The bounding reference comprises a reference created from a first operating system resolvable reference to the set. The method further includes providing the obtained bounding reference for the obtained provided bounding reference to the second operating system. A request, including the obtained bounding reference and an identifier identifying the second operating system for the set, is received from the second operating system. The obtained bounding reference and the identifier identifying the second operating system are evaluated. As a result of evaluating the obtained bounding reference and the identifier identifying the second operating system, a resource control action is performed.
    Type: Application
    Filed: November 20, 2017
    Publication date: May 23, 2019
    Inventors: Gerardo DIAZ CUELLAR, Navin Narayan PAI, Ivan Dimitrov PASHOV, Giridhar VISWANATHAN, Benjamin M. SCHULTZ, Hari R. PULAPAKA
  • Publication number: 20180322307
    Abstract: A second operating system accessing resources from an external service. A method includes sending an anonymized request, for an anonymized user corresponding to an authorized user, for resources, through a broker. A request for proof indicating that the anonymized user is authorized to obtain the resources is received from the broker. As a result, a request is sent to a first operating system for the proof that the anonymized user is authorized to obtain the resources. Proof is received from the first operating system, based on the anonymized user being associated with the authorized user, that the anonymized user is authorized to obtain the resources. The proof is provided to the broker. As a result, the resources are obtained by the second operating system from the service.
    Type: Application
    Filed: June 30, 2017
    Publication date: November 8, 2018
    Inventors: Giridhar VISWANATHAN, Gerardo DIAZ CUELLAR, Hari R. PULAPAKA, Ivan Dimitrov PASHOV, Navin Narayan PAI, Benjamin M. SCHULTZ
  • Publication number: 20170353496
    Abstract: A host operating system running on a computing device monitors network communications for the computing device to identify network resources that are requested by the computing device. The host operating system compares requested network resources against security policies to determine if the requested network resources are trusted. When an untrusted network resource is identified, the host operating system accesses the untrusted network resource within a container that is isolated from the host operating system kernel using techniques discussed herein. By restricting access to untrusted network resources to isolated containers, the host operating system is protected from even kernel-level attacks or infections that may result from an untrusted network resource.
    Type: Application
    Filed: June 2, 2016
    Publication date: December 7, 2017
    Applicant: Microsoft Technology Licensing, LLC
    Inventors: Navin Narayan Pai, Charles G. Jeffries, Giridhar Viswanathan, Benjamin M. Schultz, Frederick J. Smith, Lars Reuther, Michael B. Ebersol, Gerardo Diaz Cuellar, Ivan Dimitrov Pashov, Poornananda R. Gaddehosur, Hari R. Pulapaka, Vikram Mangalore Rao
  • Publication number: 20170279805
    Abstract: The techniques and systems described herein improve security and improve connection reliability by providing a framework for an application to communicate its intent to an authority service so that the authority service can enforce networking security requirements. In various examples, an intent to access a resource over a network is received and queries are sent to resolve a network connection that enables access to the resource. Information for the resource is then collected and stored together in a trusted and secure environment. For instance, the information can include proxy data or can include hostname data. A ticket can be created based on the information. The ticket can be used to establish and maintain a secure network connection to the resource.
    Type: Application
    Filed: August 12, 2016
    Publication date: September 28, 2017
    Inventors: Gerardo Diaz-Cuellar, Benjamin M. Schultz, Ivan Dimitrov Pashov
  • Patent number: 7434013
    Abstract: Aspects of the subject matter described herein relate to providing adaptive system recovery for computer systems. This may include receiving restoration information from a first computer system wherein the restoration information defines each storage component associated with the first computer system and the restoration information includes a storage component status, a storage component signature, a storage component type, and a storage component size. The restoration information may be used to match each of the storage components of the first computer system to a storage component of the second computer system based at least on the restoration information and size of the storage component of the second computer system. Matching may include matching a storage component signature from the restoration information to a storage component signature of a storage component associated with the second computer system. Other aspects are described in the detailed description.
    Type: Grant
    Filed: January 30, 2006
    Date of Patent: October 7, 2008
    Assignee: Microsoft Corporation
    Inventors: Daniel C. Stevenson, Chiasen Chung, Ivan Dimitrov Pashov