AUTOMATED VERIFICATION OF DNS ACCURACY

US 20100121981A1
Filed: 11/11/2008
Published: 05/13/2010
Est. Priority Date: 11/11/2008
Status: Active Grant

First Claim

Patent Images

1. A computer executed method for verifying DNS results, comprising controlling a processor to perform the following steps:

actively observing a domain name system (dns) request from a resolver;

replicating the dns request;

transmitting the dns request to a first server and at least one secondary server;

blocking any response to the original resolver until a plurality of dns replies are received; and

allowing a response to the original resolver on the condition that two dns replies match in content.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method, a computer system, and a computer readable media product that contains a set of computer executable software instructions for directing the computer to execute a process for independent confirmation of DNS replies to foil DNS cache poisoning attacks. The process comprises comparing a plurality of DNS replies for an exact or predefined “close enough” match as a condition for blocking or forwarding a DNS reply to a resolver. The tangible beneficial result is to prevent the success of a dns cache poisoning attack from diverting a user to a malicious site on the internet.

Citations

30 Claims

1. A computer executed method for verifying DNS results, comprising controlling a processor to perform the following steps:
- actively observing a domain name system (dns) request from a resolver;
  
  replicating the dns request;
  
  transmitting the dns request to a first server and at least one secondary server;
  
  blocking any response to the original resolver until a plurality of dns replies are received; and
  
  allowing a response to the original resolver on the condition that two dns replies match in content.
- View Dependent Claims (2, 24, 25, 26, 27)
- - 2. The method of claim 1 further comprising sending a fixed IP address if two dns replies do not match.
  - 24. A switch/hub apparatus comprising a computer, computer readable media, networking circuits, and a program according to claim 1.
  - 25. A router apparatus comprising a computer, computer readable media, networking circuits, and a program according to claim 1.
  - 26. A DNS server apparatus comprising a computer, computer readable media, networking circuits, and a program according to claim 1.
  - 27. A firewall apparatus further comprising a computer, computer readable media, networking circuits, and a program according to claim 1.

3. A computer implemented method for obtaining verified DNS results, comprising controlling a processor to perform the following steps:
- passively receiving a domain name system (dns) request from a resolver;
  
  replicating the dns request;
  
  transmitting the dns request to at least one secondary server;
  
  holding a response to the original resolver until at least one dns reply from a secondary server is received; and
  
  responding to the original resolver on the condition that two dns replies match in content.
- View Dependent Claims (4)
- - 4. The method of claim 3 further comprising sending a fixed IP address if two dns replies do not match.

5. A computer executed method for controlling a processor from computer readable media to operate on a DNS request comprising the following steps:
- receiving a domain name system (dns) request from a resolver;
  
  replicating the dns request;
  
  transmitting the dns request to a primary server and at least one secondary server; and
  
  responding to the original resolver on the condition that two dns replies match in content.
- View Dependent Claims (6, 7, 8)
- - 6. The method of claim 5 further comprising the step of generating a transaction id and source port for a dns request using a first pseudo-random algorithm
  - 7. The method of claim 5 further comprising the steps of generating a transaction id and source port for a first dns request using a first pseudo-random algorithm and generating a transaction id and source port for a second dns request using a second pseudo-random algorithm and comparing the contents of the first dns request and the second dns request.
  - 8. The method of claim 7 further comprising the step of dynamically selecting from a plurality of pseudo-random algorithms for generating a transaction id and source port.

9. A computer implemented method for foiling DNS cache poisoning attacks by controlling a processor from computer readable media to manage a DNS request comprising the following steps:
- receiving a DNS query and relaying a DNS query to a plurality of DNS servers;
  
  receiving a plurality of DNS responses and comparing the contents;
  
  truncating the DNS response to remove authority information unrelated to the original query;
  
  voting the plurality of DNS responses to determine a winner; and
  
  relaying the winning DNS response to the originator.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The method of claim 9 wherein one of the DNS servers is a trusted DNS server provided by a service.
  - 11. The method of claim 9 wherein one of the DNS servers provides a digital certificate for authentication.
  - 12. The method of claim 9 wherein at least one of the DNS servers is selected pseudo-randomly.
  - 13. The method of claim 9 further comprising changing the source port and transaction id of each dns query pseudo-randomly and sending a plurality of dns requests to a plurality of dns servers, each request having a different source port and transaction id
  - 14. The method of claim 9 further comprising the step of turning Port Address Translation in network routers off.
  - 15. The method of claim 9 further comprising comparing the first and nth dns reply wherein n is the number of dns servers queried.

16. A method for foiling DNS cache poisoning attacks comprising the following steps:
- observing a DNS query to a DNS server and blocking a reply,initiating at least one additional DNS query to at least one of a plurality of DNS servers;
  
  receiving a plurality of DNS responses and comparing the contents;
  
  truncating the DNS response to remove authority information unrelated to the original query;
  
  voting the plurality of DNS responses to determine a winner; and
  
  relaying the winning DNS response to the originator.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The method of claim 16 wherein one of the DNS servers is a trusted DNS server provided by a service.
  - 18. The method of claim 16 wherein one of the DNS servers provides a digital certificate for authentication.
  - 19. The method of claim 16 wherein at least one of the DNS servers is selected pseudo-randomly.
  - 20. The method of claim 16 further comprising changing the source port and transaction id of each dns query pseudo-randomly and sending a plurality of dns requests to a plurality of dns servers, each request having a different source port and transaction id
  - 21. The method of claim 16 further comprising the step of turning Port Address Translation in network routers off.
  - 22. The method of claim 16 further comprising comparing the first and nth dns reply wherein n is the number of dns servers queried.

23. A computer implemented method tangibly embodied as programming instructions on computer readable media for to control a processor comprising receiving a dns request, pseudo randomly generating a plurality of transaction ids and port addresses, requesting a dns record from a plurality of servers, and flushing cache if results from a query do not match the cached value.

28. A method for verifying DNS accuracy comprising duplicating a DNS query and transmitting it to at least three DNS servers and on the condition of receiving at least two replies not having a condition of match, blocking any reply to the initiating resolver.
- View Dependent Claims (29, 30)
- - 29. The method of claim 28 further comprising receiving a plurality of replies, and forwarding the reply having a majority of results which match to the initiating resolver.
  - 30. The method of claim 28 wherein a match comprises at least one of the following:
    - a first IP address is within a certain range of a second IP address, a first IP address and a second IP address are registered to the same entity, a reverse DNS lookup of a first IP address and a second IP address resulting in the same host and domain name, and a mask of n least significant bits applied to a first IP address and a second IP address result in the same result.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
DRAKO, DEAN

Granted Patent

US 7,930,428 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

G06F 11/183   by voting, the voting not b...

H04L 2463/145   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

AUTOMATED VERIFICATION OF DNS ACCURACY

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

AUTOMATED VERIFICATION OF DNS ACCURACY

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links