POLICY-MANAGED DNS SERVER FOR TO CONTROL NETWORK TRAFFIC

US 20100131646A1
Filed: 11/25/2008
Published: 05/27/2010
Est. Priority Date: 11/25/2008
Status: Active Grant

First Claim

Patent Images

1. A computer system comprising a link circuit to send and receive packets on the Internet, a processor, and a computer-readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for policy-based operation of a DNS server apparatus whereby a reply to a DNS query from a sender is selected according to the source IP of the sender of the DNS query.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method, a computer system, and a computer-readable media product that contains a set of computer executable software instructions for directing the computer to execute a process for policy-based operation of a DNS server apparatus to manage traffic due to undesirable mail or requests for electronic documents. The policies operate according to owners, regions, or countries controlling source IP addresses and deterministically select from a plurality of non-equivalent replies to be sent to the source IP address. Accumulating previous activity records may assist in determining which traffic may be usefully deferred or suppressed. The process includes withholding certain information from certain DNS servers seeking IP addresses to improve overall security and integrity of the Internet.

315 Citations

33 Claims

1. A computer system comprising a link circuit to send and receive packets on the Internet, a processor, and a computer-readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for policy-based operation of a DNS server apparatus whereby a reply to a DNS query from a sender is selected according to the source IP of the sender of the DNS query.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer system of claim 1 wherein the source IP is one of a IPv6 and a IPv4 format addresses.
  - 3. The computer system of claim 1 wherein the process comprises evaluating logic operating on the day of the week and time of day.
  - 4. The computer system of claim 1 wherein the process comprises evaluating logic operating on query type and query name.
  - 5. The computer system of claim 1 wherein the process comprises looking up the IP source address in a database for information and evaluating logic operating on the result received.
  - 6. The computer system of claim 1 wherein the process comprises transmitting the IP source address to a reverse DNS lookup service and evaluating logic operating on one of:
    - the absence of a returned value, the start of authority of the domain name, and the fully qualified domain name recorded in the reverse DNS lookup database.
  - 7. The computer system of claim 1 whereby load on servers is reduced by refusing an unwanted visitor selected from the group comprising spammers, competitors, agents of hostile governments and organizations, criminal enterprises, vandals, or others.
  - 8. The computer system of claim 1 whereby a content provider tailors message language to match the native language associated with the location of source IP address.

9. A computer system for providing tailored message content to certain communities comprising a link circuit to send and receive packets on the Internet, a processor, and a computer-readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for policy-based operation of a DNS server apparatus comprising reading a source IP address from the DNS query, checking a database for information about the community served by the source IP address, and transmitting a certain message for said community.

10. A computer system for providing tailored message content by day of the week and time of day comprising a link circuit to send and receive packets on the Internet, a processor, and a computer-readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for policy-based operation of a DNS server apparatus whereby a reply to a DNS query from a sender is generated according to the day of week and time of day of the DNS query.

11. A computer system whereby access is denied to bots and webcrawlers comprising a link circuit to send and receive packets on the Internet, a processor, and a computer-readable media product that contains a set of computer executable software instructions for directing the computer system to execute a process for policy-based operation of a DNS server apparatus comprising extracting a source IP address, checking a list of IP addresses which serve bots and webcrawlers, and replying only to queries from sources not on said list.

12. A computer executed method encoded as computer executable software instructions on computer-readable media comprising the following steps:
- receiving a UDP packet containing a DNS query comprising a query name, a query type, query class, from an IP source address and source port at a certain time;
  
  evaluating at least one rule operating on at least two of the following;
  
  time and date, query type and query name, and IP source address; and
  
  transmitting a pre-identified reply to the source IP address and port.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12 wherein a rule comprises a conditional statement and a first consequence if the conditional statement is evaluated as true and a second consequence if the conditional statement is evaluated as false.
  - 14. The method of claim 12 further comprising evaluating a plurality of rules and selecting the consequence of the most restrictive rule which is evaluated as true, else the consequence is selecting a valid query type and query record data reply if all rules evaluate as false.
  - 15. The method of claim 12 further comprising deterministicly selecting a first pre-identified reply as a first consequence and deterministicly selecting a second distinct pre-identified reply as a second consequence wherein the second distinct pre-identified reply is not equivalent in utility to the first pre-identified reply.
  - 16. The method of claim 12 wherein a pre-identified reply comprises at least one of the following flag codes:
    - 1010 not zone,0101 refused,0001 name does not exist,0010 server failure,0100 format error in query.
  - 17. The method of claim 12 wherein a pre-identified reply comprises at least one oftype=A and host IP address;
    - type=NS and nameserver IP address; and
      
      type=MX and mailserver IP address.
  - 18. The method of claim 12 wherein a pre-identified reply comprises at least one ofa fictitious IP address not assigned;
    - a loopback IP address;
      
      an IP address referencing a message; and
      
      an IP address in the network of the sender.
  - 19. The method of claim 12 wherein a pre-identified reply comprises a flag 0000 no error and no data.
  - 20. The method of claim 12 further comprising searching a database encoded on computer-readable media for at least stored one IP address which matches the IP source address.
  - 21. The method of claim 20 wherein matches is determined by comparing only the prefix of n bits of the IP source address with a stored IP address and ignoring the remainder of the source IP address.
  - 22. The method of claim 20 wherein matches is determined by applying a bitmask to an IP source address and comparing to a database of IP addresses to determine that an IP address is “
    - close enough”
      
      to evaluate the rule as “
      
      true”
      
      .

23. An apparatus for policy managed DNS services comprising:
- a circuit to receive a UDP packet;
  
  a circuit to read from the UDP packet;
  
  a source IP address, socket, a query name, a query type, a query class, and a time and date;
  
  a circuit to implement at least one policy, wherein a policy comprises a rule and a reply to be transmitted if the rule is evaluated to be true and a reply to be transmitted if the rule is evaluated to be false;
  
  a circuit to evaluate the rule by application of values read from the UDP packet; and
  
  a circuit to transmit the reply selected by the policy.
- View Dependent Claims (24, 25, 26)
- - 24. The apparatus of claim 23 wherein a circuit for to evaluate the rule comprises a processor and computer readable media encoded with software instructions for to evaluate the rule by application of values read from the UDP packet.
  - 25. The apparatus of claim 23 further comprising at least one of computer-readable media encoded with IP addresses, computer-readable media encoded with at least one rule, and computer-readable media encoded with a plurality of distinct pre-identified replies for each query name.
  - 26. The apparatus of claim 25 wherein the rule is selected from among the following:
    - a rule on IP addresses located in countries, a rule on IP addresses within a range of a spammers'"'"' known activity, a rule on a list of IP addresses controlled by commercial or governmental entities, a rule on IP addresses associated with open proxies, and a rule on IP addresses controlled by certain authorities.

27. An apparatus for providing domain name system (DNS) query service comprising a outsourced policy engine coupled through a network to a policy-based DNS server apparatus which evaluates a policy decision based on the source IP address of a DNS query.

28. A computer executed method for providing domain name system (DNS) query service comprising a outsourced policy engine coupled through a network to a policy-based DNS server apparatus which evaluates a policy decision based on information stored in a database queried with the source IP address of a DNS query.

29. A system for providing domain name system (DNS) query service comprising a database, and an outsourced policy engine coupled through a network to a policy-based DNS server apparatus which policy engine evaluates a policy decision based on information extracted from a DNS query and used to retrieve values stored in the database.

30. A computer executed method of policy translation for providing executable modules to a policy engine comprising the steps of converting an abstract policy on spam, abusive users, sources of malicious software to ranges of IP addresses for use by a policy engine in a domain name system server apparatus.

31. A computer executed method for creating a policy rule for a policy-managed DNS server comprising binding at least one of the following actions to the condition that a source of a DNS request is found in a list of undesirable IP addresses:
- transmitting a code for no such address found;
  
  transmitting a loopback address;
  
  transmitting a fictitious address;
  
  transmitting an address to a fixed message; and
  
  no reply at all.

32. An informed domain name system server method comprising a system for requesting information having a method for receiving a domain name server request, a method for checking a local cache for an IP address, and a method for requesting DNS resource records from another domain name system server wherein the improvement comprises the steps of sending a query containing an IP address to an informational server, receiving report on the observed previous performance of the host associated with the subject IP address, and suppressing a query or a reply on DNS resource records according to the report.

33. A computer executed method encoded as computer executable software instructions on computer-readable media comprising the following steps:
- receiving a UDP packet containing a DNS query comprising a query name, a query type, query class, from an IP source address and source port at a certain time;
  
  evaluating at least one rule operating on at least two of the following;
  
  time and date, query type and query name, and IP source address;
  
  generating a reply based on the result of rule evaluation; and
  
  transmitting the generated reply to the source IP address and port.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
DRAKO, DEAN

Granted Patent

US 8,447,856 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/225
CPC Class Codes

H04L 61/4511 using domain name system [DNS]

H04L 63/0263 Rule management

POLICY-MANAGED DNS SERVER FOR TO CONTROL NETWORK TRAFFIC

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

315 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

POLICY-MANAGED DNS SERVER FOR TO CONTROL NETWORK TRAFFIC

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

315 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links