DNS tunneling prevention

US 10,097,568 B2
Filed: 08/25/2016
Issued: 10/09/2018
Est. Priority Date: 08/25/2016
Status: Active Grant

First Claim

Patent Images

1. A method, by a processor, for domain name service (DNS) tunneling prevention, comprising:

requesting a domain name service (DNS) tunneling detection operation upon receiving a DNS query;

generating a response based on the DNS tunneling detection operation such that the DNS tunneling detection operation indicates in the response that the DNS query for a domain name is associated with DNS tunneling activity;

assigning a value to each one of a plurality of factors, wherein the plurality of factors include an age of a domain name, a set of resource records, reputation data of the domain name, and detection of DNS tunneling activity using DNS tunneling;

calculating a DNS response score according to the assigned values for generating the response;

comparing the DNS response score to a first level threshold; and

providing a non-existing domain in the DNS response to prevent the DNS tunneling activity upon the DNS response score being greater than the first level threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments for domain name service (DNS) tunneling prevention by a processor. A DNS tunneling detection operation is requested to be performed upon receiving a DNS query. A response is generated based on the DNS tunneling detection operation such that the DNS tunneling detection operation indicates in the response that the DNS query for a domain name is associated with DNS tunneling activity.

24 Citations

View as Search Results

12 Claims

1. A method, by a processor, for domain name service (DNS) tunneling prevention, comprising:
- requesting a domain name service (DNS) tunneling detection operation upon receiving a DNS query;
  
  generating a response based on the DNS tunneling detection operation such that the DNS tunneling detection operation indicates in the response that the DNS query for a domain name is associated with DNS tunneling activity;
  
  assigning a value to each one of a plurality of factors, wherein the plurality of factors include an age of a domain name, a set of resource records, reputation data of the domain name, and detection of DNS tunneling activity using DNS tunneling;
  
  calculating a DNS response score according to the assigned values for generating the response;
  
  comparing the DNS response score to a first level threshold; and
  
  providing a non-existing domain in the DNS response to prevent the DNS tunneling activity upon the DNS response score being greater than the first level threshold.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further including providing in the response a request to perform a DNS lookup request to determine the DNS query is associated with the DNS tunneling activity.
  - 3. The method of claim 1, further including sending a non-existing domain name in the response to prevent the DNS tunneling according to the response.
  - 4. The method of claim 1, further including:
    - comparing the DNS response score to a second level threshold; and
      
      providing a DNS server address in the DNS response upon the DNS response score being less than the second level threshold.

5. A system for domain name service (DNS) tunneling prevention, comprising:
- one or more computers with executable instructions that when executed cause the system to;
  
  request a domain name service (DNS) tunneling detection operation upon receiving a DNS query;
  
  generate a response based on the DNS tunneling detection operation such that the DNS tunneling detection operation indicates in the response that the DNS query for a domain name is associated with DNS tunneling activity;
  
  assign a value to each one of a plurality of factors, wherein the plurality of factors include an age of a domain name, a set of resource records, reputation data of the domain name, and detection of DNS tunneling activity using DNS tunneling;
  
  calculate a DNS response score according to the assigned values for generating the response;
  
  compare the DNS response score to a first level threshold; and
  
  provide a non-existing domain in the DNS response to prevent the DNS tunneling activity upon the DNS response score being greater than the first level threshold.
- View Dependent Claims (6, 7, 8)
- - 6. The system of claim 5, wherein the executable instructions further provide in the response a request to perform a DNS lookup request to determine the DNS query is associated with the DNS tunneling activity.
  - 7. The system of claim 5, wherein the executable instructions further provide send a non-existing domain name in the response to prevent the DNS tunneling activity according to the response.
  - 8. The system of claim 5, wherein the executable instructions further:
    - compares the DNS response score to a second level threshold; and
      
      provides a DNS server address in the DNS response upon the DNS response score being less than the second level threshold.

9. A computer program product for, by a processor, domain name service (DNS) tunneling prevention, the computer program product comprising a non-transitory computer-readable storage medium having computer-readable program code portions stored therein, the computer-readable program code portions comprising:
- an executable portion that requests a domain name service (DNS) tunneling detection operation upon receiving a DNS query;
  
  an executable portion that generates a response based on the DNS tunneling detection operation such that the DNS tunneling detection operation indicates in the response that the DNS query for a domain name is associated with DNS tunneling activity;
  
  an executable portion that assigns a value to each one of a plurality of factors, wherein the plurality of factors include an age of a domain name, a set of resource records, reputation data of the domain name, and detection of DNS tunneling activity using DNS tunneling;
  
  an executable portion that calculates a DNS response score according to the assigned values for generating the response;
  
  an executable portion that compares the DNS response score to a first level threshold; and
  
  an executable portion that provides a non-existing domain in the DNS response to prevent the DNS tunneling activity upon the DNS response score being greater than the first level threshold.
- View Dependent Claims (10, 11, 12)
- - 10. The computer program product of claim 9, further including an executable portion that provides in the response a request to perform a DNS lookup request to determine the DNS query is associated with the DNS tunneling activity.
  - 11. The computer program product of claim 9, further including an executable portion that sends a non-existing domain name in the response to prevent the DNS tunneling activity according to the response.
  - 12. The computer program product of claim 9, further including an executable portion that:
    - compares the DNS response score to a second level threshold; and
      
      provides a DNS server address in the DNS response upon the DNS response score being less than the second level threshold.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Baughman, Aaron K., Marzorati, Mauro, Porpora, Gregory A.
Primary Examiner(s)
Okeke, Izunna
Assistant Examiner(s)
Zarrineh, Shahriar

Application Number

US15/247,480
Publication Number

US 20180063162A1
Time in Patent Office

775 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/55   Detecting local intrusion o...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/1475   Passive attacks, e.g. eaves...

DNS tunneling prevention

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

24 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

DNS tunneling prevention

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

24 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links