SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK
Abstract
The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers.
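The abstract's scheme as an added example, not code from the patent: a keyed one-way hash over a secret random number, the destination server's IP address, an optional port and the query name yields the 16-bit transaction ID, and the same keyed hash drives the optional case salting of the name; all function names, the choice of HMAC-SHA256 and the sample values are this example's assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Added example (not the patent's code). The "predetermined random number" is
# modelled as a secret key; rotating it per query or per session limits how long
# an observed ID stays useful to an attacker.


def make_txid(secret: bytes, server_ip: str, qname: str, port: Optional[int] = None) -> int:
    """16-bit DNS transaction ID bound to the destination server and query name."""
    msg = server_ip.encode() + b"|" + qname.lower().encode()
    if port is not None:  # optional extra entropy, as the abstract allows
        msg += b"|" + port.to_bytes(2, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big")  # DNS header ID field is 16 bits


def salt_case(secret: bytes, server_ip: str, qname: str) -> str:
    """Randomise letter case of qname from the keyed hash (0x20-style salting).

    Only useful when the responding server preserves case in its answer, which
    the abstract makes a precondition for this step.
    """
    mask = hmac.new(secret, b"case|" + server_ip.encode() + b"|" + qname.lower().encode(),
                    hashlib.sha256).digest()
    out, bit = [], 0
    for ch in qname:
        if ch.isalpha():
            byte = mask[(bit // 8) % len(mask)]
            out.append(ch.upper() if (byte >> (bit % 8)) & 1 else ch.lower())
            bit += 1
        else:
            out.append(ch)
    return "".join(out)


def response_matches(expected_id: int, sent_name: str, resp_id: int, resp_name: str) -> bool:
    """Accept a response only if both the ID and the exact (case-sensitive) name match."""
    return expected_id == resp_id and sent_name == resp_name


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed sample secret
    for ip in ("192.0.2.1", "192.0.2.2"):  # constructed sample servers
        name = salt_case(key, ip, "www.example.com")
        print(ip, name, hex(make_txid(key, ip, name, 53)))
```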
Claims
The patent has 26 claims; the two independent claims are reproduced below.

1. A method for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the method comprising:
a) receiving, by a DNS resolver configured on a device, a request to resolve a domain name;
b) identifying, by the DNS resolver, the domain name and an internet protocol address of a DNS server;
c) generating a transaction identifier for a DNS query by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the DNS server and the domain name; and
d) transmitting, by the DNS resolver, the DNS query for the domain name to the DNS server, the DNS query identified by the generated transaction identifier.
Dependent claims: 2 to 13.

14. A system for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the system comprising:
a DNS resolver receiving a request to resolve a domain name and identifying the domain name and an internet protocol address of a destination of the request;
a transaction identifier generator generating a transaction identifier by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the destination and the domain name; and
wherein the DNS resolver forms the DNS query using the generated transaction identifier and transmits the DNS query for the domain name to the destination.
Dependent claims: 15 to 26.
Specification