SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK

US 20100269174A1
Filed: 04/20/2009
Published: 10/21/2010
Est. Priority Date: 04/20/2009
Status: Active Grant

First Claim

Patent Images

1. A method for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the method comprising:

a) receiving, by a DNS resolver configured on a device, a request to resolve a domain name;

b) identifying, by the DNS resolver, the domain name and an internet protocol address of a DNS server;

c) generating a transaction identifier for a DNS query by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the DNS server and the domain name; and

d) transmitting, by the DNS resolver, the DNS query for the domain name to the DNS server, the DNS query identified by the generated transaction identifier.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server'"'"'s IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers.

71 Citations

View as Search Results

26 Claims

1. A method for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the method comprising:
- a) receiving, by a DNS resolver configured on a device, a request to resolve a domain name;
  
  b) identifying, by the DNS resolver, the domain name and an internet protocol address of a DNS server;
  
  c) generating a transaction identifier for a DNS query by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the DNS server and the domain name; and
  
  d) transmitting, by the DNS resolver, the DNS query for the domain name to the DNS server, the DNS query identified by the generated transaction identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein step (b) further comprises identifying, by the DNS resolver, a port of the DNS server.
  - 3. The method of claim 2, wherein step (c) further comprises generating the transaction identifier for the DNS query by applying the one-way hash function to the input of the predetermined random number, the internet protocol address and the port of the DNS server, and the domain name.
  - 4. The method of claim 3, wherein the input domain name comprises a portion of the domain name to be resolved.
  - 5. The method of claim 1, wherein step (c) further comprises changing the predetermined random number at a predetermined frequency.
  - 6. The method of claim 1, wherein step (c) further comprises changing the predetermined random number in response to an event.
  - 7. The method of claim 1, wherein step (c) further comprises generating by the one-way hash function the same transaction identifier for DNS queries to resolve the same domain name transmitted to the same DNS server.
  - 8. The method of claim 1, wherein step (c) further comprises encoding one or more fields of the DNS request and using the encoded one or more fields as input to the one-way hash function to generate the transaction identifier.
  - 9. The method of claim 1, wherein step (c) further comprises encoding the domain name by capitalizing one or more characters of the domain name and generating the transaction identifier by using the encoded domain name as the input of the domain name to the one-way hash function.
  - 10. The method of claim 1, wherein step (c) further comprises encoding the domain name by using one of a punycode and a RACE encoding scheme.
  - 11. The method of claim 1, further comprising determining, by the DNS resolver, that the DNS server is one of rewriting or normalizing responses and in response to the determination not encoding a portion of the DNS query.
  - 12. The method of claim 1, further comprising determining, by the DNS resolver, that the destination is not rewriting responses and in response to the determination encoding a portion of the DNS query and including the encoded portion in the transaction identifier.
  - 13. The method of claim 1, wherein step (c) further comprises communicating by the DNS resolver the input of the internet protocol address of the destination and the domain name to a transaction identifier generator.

14. A system for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the system comprising:
- a DNS resolver receiving a request to resolve a domain name and identifying the domain name and an internet protocol address of a destination of the request;
  
  a transaction identifier generator generating a transaction identifier by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the destination and the domain name; and
  
  wherein the DNS resolver forms the DNS query using the generated transaction identifier and transmits the DNS query for the domain name to the destination.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 15. The system of claim 14, wherein the DNS resolver identifies a port of the destination of the request.
  - 16. The system of claim 15, wherein the transaction identifier generator generates the transaction identifier for the DNS query by applying the one-way hash function to the input of the predetermined random number, the internet protocol address and the port of the destination and the domain name.
  - 17. The system of claim 16, wherein the input domain name comprises a portion of the domain name to be resolved.
  - 18. The system of claim 14, wherein the transaction identifier generator changes the predetermined random number at a predetermined frequency.
  - 19. The system of claim 14, wherein the transaction identifier generator changes the predetermined random number in response to an event.
  - 20. The system of claim 14, wherein the transaction identifier generator generates the same transaction identifier for inputs identifying the same domain name and the same destination.
  - 21. The system of claim 14, wherein the DNS resolver encodes one or more fields of the DNS request and communicates the encoded one or more fields as input to the transaction identifier generator to generate the transaction identifier.
  - 22. The system of claim 14, wherein the DNS resolver encodes the domain name by capitalizing one or more characters of the domain name and communicates the encoded domain name as the input of the domain name to the transaction identifier generator.
  - 23. The system of claim 14, wherein the DNS resolver encodes the domain name by using one of a punycode and a RACE encoding scheme.
  - 24. The system of claim 14, wherein the DNS resolver determines that the destination is one of rewriting or normalizing responses and in response to the determination does not encode a portion of the DNS query.
  - 25. The system of claim 14, wherein the DNS resolver determines that the destination is not rewriting responses and in response to the determination encodes a portion of the DNS query and communicates the encoded portion as input to the transaction identifier generator to generate the transaction identifier.
  - 26. The system of claim 14, wherein the DNS resolver resides on one of a client, a server and an intermediary.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Shelest, Art

Granted Patent

US 9,270,646 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 2209/56   Financial cryptography, e.g...

H04L 61/4511   using domain name system [DNS]

H04L 63/04   for providing a confidentia...

H04L 63/14   for detecting or protecting...

H04L 9/3236   using cryptographic hash fu...

SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

71 Citations

26 Claims

Specification

Use Cases

Quick Links

Others

SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

71 Citations

26 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others