Systems and methods for distributed verification of online identity
US-2020344058-A1 · Oct 29, 2020 · US
US11552997B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11552997-B2 |
| Application number | US-201916267587-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 5, 2019 |
| Priority date | Feb 6, 2018 |
| Publication date | Jan 10, 2023 |
| Grant date | Jan 10, 2023 |
Official abstract text for this publication.
A client application manages a resolver configuration and sends DNS requests to a threat protection service when a mobile device operating the client application is operating off-network. The client application detects network conditions and automatically configures an appropriate system-wide DNS resolution setting. DNS requests from the client identify the customer and the device to threat protection (TP) service resolvers without introducing a publicly-visible customer or device identifier. The TP system applies the correct policy to DNS requests coming from off-network clients. In particular, the TP resolver recognizes the customer for requests coming from such clients and applies the customer's policy. The resolver is also configured to log the customer and the device associated with requests from the TP off-net client. Request logs from the TP resolver are provided to a cloud security intelligence platform for threat intelligence analytics and customer visible reporting.
Opening claim text (preview).
The invention claimed is:
1. A method to enable a managed client device associated with an enterprise network to obtain access to an enterprise resource, comprising: configuring, by a service provider, a recursive Domain Name System (DNS) service on behalf of the enterprise, the recursive DNS service including a resolver associated with the enterprise; configuring the managed client device to act as a local proxy for off enterprise network DNS requests; receiving at the resolver a DNS query from the managed client device, the managed client device having determined it is operating off of the enterprise network and having issued to the resolver a request to a test domain and having received a response to that request, the DNS query having been extended using an edns(0) extension to encode an authorization token, the authorization token including a unique device identifier associated with the managed client device by the service provider, the unique device identifier having been encrypted and digitally-signed with a key to generate the authorization token; determining at the resolver, but without access to the unique device identifier encoded in the authorization token, whether the authorization token is allowed for the enterprise, wherein a determination is based at least in part on a threat protection policy for the enterprise; and upon a determination that the authorization token is allowed, returning a response to the DNS query, wherein the response to the DNS query is based on applying the threat protection policy to the DNS query.
2. The method as described in claim 1 wherein the DNS query also includes a customer identifier.
3. The method as described in claim 1 wherein the unique device identifier is encrypted and digitally-signed by the service provider.
4. The method as described in claim 3 further including generating and providing the authorization token to the managed client device during a registration of the managed client device.
5. The method as described in claim 1 wherein the request for the test domain also includes the authorization token.
6. The method as described in claim 1 wherein the authorization token is updated after a given time period.
7. The method as described in claim 1 wherein the resolver executes in association with a content delivery network (CDN).
8. The method as described in claim 1 wherein the managed client device is one of: a laptop, a mobile phone, a tablet, and a network-accessible device.
9. The method as described in claim 8 further including using the unique device identifier for one of: reporting, and analytics.
10. A mobile device managed by an enterprise and comprising: a hardware processor, and computer program code in a non-transitory computer-readable medium, the computer program code executed in the hardware processor and comprising: a DNS proxy; code that determines whether the mobile device is operating off an enterprise network; code, responsive to a determination that the mobile device is operating off the enterprise network, to issue a DNS query from the DNS proxy to a resolver, the resolver operating as a recursive Domain Name System (DNS) service on behalf of the enterprise, the DNS query having been extended using an edns(0) extension to encode an authorization token, the authorization token including a unique device identifier associated with the mobile device, the unique device identifier having been encrypted and digitally-signed with a key to generate the authorization token, the DNS proxy having previously issued to the resolver a request to a test domain and having received a response to the request; and code receiving a response to the DNS query, the response having been generated at the resolver upon a determination at the resolver that the authorization code is allowed for the enterprise, the determination having been carried out by the resolver without access to the unique device identifier encoded in the authentication token, together with application by the resolver of a threat protection policy associated with the enterprise.
11. The mobile device as described in claim 10 wherein the request to the test domain includes the authorization token.
12. The mobile device as described in claim 10 wherein the DNS query to the resolver also includes a customer identifier associated with the enterprise.
13. The mobile device as described in claim 10 further including code that registers the mobile device for off-net access to the resolver, wherein the unique device identifier is generated in response to registration of the mobile device.
14. The mobile device as described in claim 10 further including code that requests an updated authorization token after a given time period.
15. A system comprising one or more computing machines that include computer hardware, comprising: a recursive resolver executing on a computer machine and providing a recursive Domain Name System (DNS) service on behalf of an enterprise; a mobile device client application that instantiates a DNS proxy on a mobile device, the client application including code to determine whether the mobile device is operating off-net with respect to a protected enterprise network, code responsive to a determination that the mobile device is executing off-net to issue a DNS query from the DNS proxy to the recursive resolver, the DNS query having been extended using an edns(0) extension to encode an authorization token, the authentication token including a unique device identifier associated with the mobile device, the unique device identifier having been encrypted and digitally-signed with a key to generate the authorization token, the DNS proxy having previously issued to the recursive resolver a request to a test domain and having received a response to the request; wherein the recursive resolver receives the DNS query and, without access to the unique device identifier encoded in the authorization token, determines whether the authorization token is allowed for the enterprise, wherein the determination is based at least in part on a threat protection policy for the enterprise; and the recursive resolver further operative upon a determination that the authorization token is allowed, to return to the mobile device client application a response to the DNS query, wherein the response to the DNS query is based on applying the threat protection policy to the DNS query.
16. The system as described in claim 15 wherein the mobile device client application registers the mobile device for off-net access to the protected enterprise network, wherein the unique device identifier is generated upon registration.
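The mechanism the abstract and claim 1 describe has three parts: the service provider encrypts and signs a device identifier into an authorization token, the off-net client carries that token in an EDNS(0) option on each DNS query, and the resolver admits the query by checking the token against the enterprise's policy without being able to read the device identifier. The following is an added illustration of that flow, not code from the patent or its assignee. It uses only the Python standard library, so the "encryption" is an HMAC-SHA256 counter-mode keystream and the "digital signature" is an HMAC tag rather than a public-key signature; the option code 65001 (from the local/experimental EDNS range), the key values, the token layout, the customer id 1001 and the policy entries are all constructed for the example. The split of keys is the point: the resolver holds only the tag key, so it can verify that a token is genuine and learn the customer it belongs to, but cannot recover the device identifier.

```python
import hashlib
import hmac
import secrets
import struct

# Constructed keys (hypothetical, not from the patent). The provider keeps the
# encryption key; the resolver is given only the tag key.
PROVIDER_ENC_KEY = bytes.fromhex("00" * 31 + "01")
TOKEN_MAC_KEY = bytes.fromhex("00" * 31 + "02")

# Hypothetical EDNS(0) option code from the local/experimental range
# (65001-65534, RFC 6891); the patent does not name a code.
OPT_CODE_AUTH_TOKEN = 65001
TYPE_OPT = 41
TAG_LEN = 32

# Constructed per-enterprise threat protection policy, keyed by customer id.
POLICY = {1001: {"blocked": {"malware.example"}}}


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stdlib stand-in for a stream cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def provider_make_token(device_id: bytes, customer_id: int, nonce: bytes = None) -> bytes:
    """Provider side: encrypt the device id, then tag customer_id||nonce||ct."""
    if nonce is None:
        nonce = secrets.token_bytes(12)
    ct = bytes(a ^ b for a, b in zip(device_id, _keystream(PROVIDER_ENC_KEY, nonce, len(device_id))))
    body = struct.pack("!I", customer_id) + nonce + ct
    return body + hmac.new(TOKEN_MAC_KEY, body, hashlib.sha256).digest()


def provider_open_token(token: bytes) -> bytes:
    """Only the provider can recover the device id (claim 9: reporting/analytics)."""
    body = token[:-TAG_LEN]
    nonce, ct = body[4:16], body[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(PROVIDER_ENC_KEY, nonce, len(ct))))


def resolver_check_token(token: bytes):
    """Resolver side: verify the tag and return the customer id, else None.
    The ciphertext is never decrypted here, so the device id stays opaque."""
    if len(token) < 4 + 12 + TAG_LEN:
        return None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(TOKEN_MAC_KEY, body, hashlib.sha256).digest(), tag):
        return None
    return struct.unpack("!I", body[:4])[0]


def _encode_name(name: str) -> bytes:
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def client_build_query(qname: str, token: bytes, txid: int = 0x1234) -> bytes:
    """Off-net client proxy: A/IN query plus an OPT RR carrying the token."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, 1 question, 1 additional
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    opt_data = struct.pack("!HH", OPT_CODE_AUTH_TOKEN, len(token)) + token
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext RCODE/version/flags
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, len(opt_data)) + opt_data
    return header + question + opt_rr


def _parse_name(msg: bytes, off: int):
    labels = []
    while True:
        ln = msg[off]
        off += 1
        if ln == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + ln].decode())
        off += ln


def resolver_parse_query(msg: bytes):
    """Return (qname, token or None); assumes uncompressed names, as in queries."""
    _txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, token = 12, None, None
    for _ in range(qd):
        qname, off = _parse_name(msg, off)
        off += 4  # QTYPE, QCLASS
    for _ in range(ar):
        _name, off = _parse_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == TYPE_OPT:  # walk the option list inside the OPT RDATA
            p = 0
            while p + 4 <= len(rdata):
                code, ln = struct.unpack("!HH", rdata[p:p + 4])
                p += 4
                if code == OPT_CODE_AUTH_TOKEN:
                    token = rdata[p:p + ln]
                p += ln
    return qname, token


def resolver_decide(msg: bytes) -> str:
    """Admit the token, then apply the enterprise's threat protection policy."""
    qname, token = resolver_parse_query(msg)
    if token is None:
        return "REFUSED"   # off-net query without a token is not served
    customer_id = resolver_check_token(token)
    if customer_id is None or customer_id not in POLICY:
        return "REFUSED"   # forged or tampered token, or unknown enterprise
    if qname in POLICY[customer_id]["blocked"]:
        return "BLOCKED"   # policy hit; a real resolver would answer with a block page or NXDOMAIN
    return "RESOLVE"       # policy allows; recurse normally
```

Flipping any byte of the token body makes `resolver_check_token` return `None`, so a query with a tampered or replayed-then-edited token is refused before any policy lookup; a token issued for a customer id without a policy is refused as well. Only `provider_open_token`, which holds the encryption key, can turn a token back into the device identifier.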
CPC classification titles:
- for managing network security; network security policies in general (filtering policies H04L63/0227)
- Managing security policies for mobile devices or for controlling mobile applications
- involving digital signatures
- involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token (network architectures or network communication protocols for supporting authentication of entities using an additional device in a packet data network H04L63/0853)
- Revocation or update of secret information, e.g. encryption key update or rekeying