Cloud-based 5G security network architectures
US-11765593-B2 · Sep 19, 2023 · US
US12506786B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12506786-B2 |
| Application number | US-202318507455-A |
| Country | US |
| Kind code | B2 |
| Filing date | Nov 13, 2023 |
| Priority date | Nov 13, 2023 |
| Publication date | Dec 23, 2025 |
| Grant date | Dec 23, 2025 |
Official abstract text for this publication.
Systems and methods for active exposure and unwanted connection protection. In various embodiments, steps include receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and creating a connection from the destination service to the control layer based on the one or more controls, thereby providing access to the destination service without exposing the destination service to a direct connection.
Opening claim text (preview).
What is claimed is:

1. A method comprising steps of: receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and creating a connection initiated outbound from the destination service to the control layer based on the one or more controls, without inbound listener exposure of the destination service, thereby providing access to the destination service without exposing the destination service to a direct connection, wherein the connection is ephemeral, dynamically created per session at the request of the control layer, and torn down responsive to completion of the session; and wherein the directing the request comprises dynamically resolving, by the control layer acting as authoritative Domain Name Service (DNS) resolver for the destination service based on DNS resolution policies provided by the owner of the destination service, an internal Internet Protocol (IP) address of the destination service, without revealing the internal IP address to the user.
2. The method of claim 1, wherein the connection is created on a per-session basis, and wherein responsive to a session being closed, the steps further comprise tearing down the associated connection.
3. The method of claim 1, wherein the connection is created based on a request from the control layer.
4. The method of claim 1, wherein creating a connection comprises creating a connection from a connection plane to the control layer and creating a connection from the connection plane to the destination service.
5. The method of claim 4, wherein the connection plane is adapted to enforce one or more controls via local functions.
6. The method of claim 4, wherein the connection between the connection plane and the destination service is created based on authorization granted by the control layer.
7. The method of claim 1, wherein the steps further comprise: becoming a Domain Name Service (DNS) authority for the destination service; and directing requests for the destination service to the control layer based thereon.
8. The method of claim 1, wherein the destination service is a public destination service.
9. The method of claim 1, wherein the steps further comprise: receiving the configuration from the owner, wherein the configuration defines one or more destination services requiring protection, and one or more policies; and based on the request being to one of the one or more destination services requiring protection, enforcing the one or more controls on the request based on the policies.
10. A non-transitory computer-readable medium comprising instructions that, when executed, cause one or more processors to perform steps of: receiving a request from a user to access a destination service; directing the request to a control layer; enforcing one or more controls, via the control layer, on the request based on a configuration provided by an owner of the destination service; and creating a connection initiated outbound from the destination service to the control layer based on the one or more controls, without inbound listener exposure of the destination service, thereby providing access to the destination service without exposing the destination service to a direct connection, wherein the connection is ephemeral, dynamically created per session at the request of the control layer, and torn down responsive to completion of the session; and wherein the directing the request comprises dynamically resolving, by the control layer acting as authoritative Domain Name Service (DNS) resolver for the destination service based on DNS resolution policies provided by the owner of the destination service, an internal Internet Protocol (IP) address of the destination service, without revealing the internal IP address to the user.
11. The non-transitory computer-readable medium of claim 10, wherein the connection is created on a per-session basis, and wherein responsive to a session being closed, the steps further comprise tearing down the associated connection.
12. The non-transitory computer-readable medium of claim 10, wherein the connection is created based on a request from the control layer.
13. The non-transitory computer-readable medium of claim 10, wherein creating a connection comprises creating a connection from a connection plane to the control layer and creating a connection from the connection plane to the destination service.
14. The non-transitory computer-readable medium of claim 13, wherein the connection plane is adapted to enforce one or more controls via local functions.
15. The non-transitory computer-readable medium of claim 13, wherein the connection between the connection plane and the destination service is created based on authorization granted by the control layer.
16. The non-transitory computer-readable medium of claim 10, wherein the steps further comprise: becoming a Domain Name Service (DNS) authority for the destination service; and directing requests for the destination service to the control layer based thereon.
17. The non-transitory computer-readable medium of claim 10, wherein the destination service is a public destination service.
18. The non-transitory computer-readable medium of claim 10, wherein the steps further comprise: receiving the configuration from the owner, wherein the configuration defines one or more destination services requiring protection, and one or more policies; and based on the request being to one of the one or more destination services requiring protection, enforcing the one or more controls on the request based on the policies.
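The following is an added illustration, not code from the patent or its assignee, of the access flow the abstract and claims 1-3 and 7 describe: the control layer acts as authoritative resolver for a protected hostname using the owner's DNS policy, enforces the owner's access policy, asks a connector beside the destination to dial out (no inbound listener), hands the user only an opaque per-session handle, and tears the session down on close. Class names, the hostname, IP and user names are all constructed for the example.

```python
import uuid
from dataclasses import dataclass, field

@dataclass
class OwnerConfig:
    """Configuration supplied by the service owner (values constructed here)."""
    dns: dict       # hostname -> internal IP: the owner's DNS resolution policy
    allowed: dict   # hostname -> set of users permitted: the owner's access policy

@dataclass
class Connector:
    """Sits beside the destination service; exposes no inbound listener."""
    hostname: str
    outbound: list = field(default_factory=list)   # session ids it dialed out for

    def dial_out(self, session_id):
        # The destination side initiates the connection toward the control layer.
        self.outbound.append(session_id)
        return True

class ControlLayer:
    """Authoritative DNS resolver and policy enforcement point for protected services."""
    def __init__(self, config, connectors):
        self.config = config
        self.connectors = connectors   # hostname -> Connector
        self.sessions = {}             # session id -> (hostname, internal IP)

    def resolve(self, hostname):
        # Internal IP is consumed here only; it is never returned to the user.
        return self.config.dns.get(hostname)

    def request_access(self, user, hostname):
        """Return an opaque session id when policy allows, otherwise None."""
        internal_ip = self.resolve(hostname)
        if internal_ip is None:
            return None                   # not a destination we are authoritative for
        if user not in self.config.allowed.get(hostname, set()):
            return None                   # control enforced at the control layer
        session_id = uuid.uuid4().hex     # ephemeral, per-session handle
        self.connectors[hostname].dial_out(session_id)
        self.sessions[session_id] = (hostname, internal_ip)
        return session_id

    def close_session(self, session_id):
        """Tear down the ephemeral connection once the session completes."""
        return self.sessions.pop(session_id, None) is not None

# Constructed sample deployment: one protected service, one permitted user.
CONFIG = OwnerConfig(dns={"app.example.internal": "10.0.0.5"}, allowed={"app.example.internal": {"alice"}})
CONNECTORS = {"app.example.internal": Connector("app.example.internal")}
CONTROL = ControlLayer(CONFIG, CONNECTORS)
```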