DNS anti-spoofing using UDP

US 7,620,733 B1
Filed: 03/30/2005
Issued: 11/17/2009
Est. Priority Date: 03/30/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the method comprising:

creating a new DNS zone in the server, exclusively for authentication;

designating the server as the only authoritative server for said new DNS zone in a global DNS network;

intercepting the DNS request;

responsively to the DNS request;

creating, by said only authoritative server for said new DNS zone, a new canonical domain name belonging to said new DNS zone, exclusively for authentication;

sending by said only authoritative server for said new DNS zone a DNS response to the source IP address, wherein said DNS response solicits a client at the source IP address to send a DNS request containing a query for said new canonical domain name, using the connectionless protocol;

receiving, using the connectionless protocol at said only authoritative server for said new DNS zone, a second DNS request containing a query for a requested domain name;

comparing said requested domain name to said new canonical domain name; and

assessing an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating communication traffic includes receiving a first Domain Name System (DNS) request, sent using a connectionless protocol over a network from a source address, to provide network information regarding a domain name. Responsively to the first DNS request, a client at the source address is solicited to send a second DNS request using the connectionless protocol. An authenticity of the first DNS request is assessed based on the second DNS request.

108 Citations

View as Search Results

24 Claims

1. A method for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the method comprising:
- creating a new DNS zone in the server, exclusively for authentication;
  
  designating the server as the only authoritative server for said new DNS zone in a global DNS network;
  
  intercepting the DNS request;
  
  responsively to the DNS request;
  
  creating, by said only authoritative server for said new DNS zone, a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
  
  sending by said only authoritative server for said new DNS zone a DNS response to the source IP address, wherein said DNS response solicits a client at the source IP address to send a DNS request containing a query for said new canonical domain name, using the connectionless protocol;
  
  receiving, using the connectionless protocol at said only authoritative server for said new DNS zone, a second DNS request containing a query for a requested domain name;
  
  comparing said requested domain name to said new canonical domain name; and
  
  assessing an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method according to claim 1, wherein the connectionless protocol comprises a User Datagram Protocol (UDP).
  - 3. The method according to claim 1, wherein sending said DNS response comprises informing said client not to cache said new canonical domain name for use in future DNS requests.
  - 4. The method according to claim 1, wherein sending said DNS response comprises encoding a first cookie into said new canonical domain name, and wherein said assessing an authenticity comprises decoding a second cookie in said second DNS request.
  - 5. The method according to claim 4, wherein said encoding said first cookie comprises encoding at least one of:
    - a first IP TTL (Time-to-Live) value extracted from the DNS request;
      
      an IP address corresponding to the source address;
      
      a character string representing said new canonical domain name; and
      
      a pseudo-random number.
  - 6. The method according to claim 5, wherein said decoding said second cookie comprises comparing said first IP TTL value encoded in said second cookie to a second IP TTL value extracted from said second DNS request.
  - 7. The method according to claim 5, wherein said encoding said first cookie comprises storing at least a part of said first cookie in an authentication data structure, and wherein said assessing an authenticity comprises comparing said at least part of said first cookie with a corresponding part of said second cookie.
  - 8. The method according to claim 1, further comprising, following a successful assessment of an authenticity of the DNS request, retrieving and providing network information regarding a domain name to said client.
  - 9. The method according to claim 1, further comprising, following a successful assessment of an authenticity of the DNS request, storing the source IP address in a whitelist of authenticated source addresses.

10. Apparatus for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the apparatus comprising:
- a network interface, which is arranged to receive the DNS request; and
  
  a processor, which is arranged;
  
  to create a new DNS zone in the server, exclusively for authentication;
  
  to designate that the server is the only authoritative server for said new DNS zone in a global DNS network;
  
  to intercept the DNS request;
  
  responsively to the DNS request;
  
  to create a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
  
  to send a DNS response to the source IP address, which solicits a client at the source IP address to send a DNS request containing a query for said new canonical domain name, using the connectionless protocol;
  
  to receive, using the connectionless protocol, a second DNS request containing a query for a requested domain name;
  
  to compare said requested domain name to said new canonical domain name; and
  
  to assess an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The apparatus according to claim 10, wherein the connectionless protocol comprises a User Datagram Protocol (UDP).
  - 12. The apparatus according to claim 10, wherein said processor is further arranged to inform said client not to cache said new canonical domain name for use in future DNS requests.
  - 13. The apparatus according to claim 10, wherein said processor is further arranged to encode a first cookie into said new canonical domain name, and to decode a second cookie in said second DNS request.
  - 14. The apparatus according to claim 13, wherein said processor is further arranged to encode into said first cookie at least one of:
    - a first IP TTL (Time-to-Live) value extracted from the DNS request;
      
      an IP address corresponding to the source IP address;
      
      a character string representing said new canonical domain name; and
      
      a pseudo-random number.
  - 15. The apparatus according to claim 14, wherein said processor is further arranged to compare said first IP TTL value encoded in said second cookie to a second IP TTL extracted from said second DNS request.
  - 16. The apparatus according to claim 14, wherein said processor is further arranged to store at least a part of said first cookie in an authentication data structure and, responsively to said second DNS request, to compare said at least part of said first cookie with a corresponding part of said second cookie.
  - 17. The apparatus according to claim 10, wherein said processor is further arranged, following a successful assessment of an authenticity of the DNS request, to retrieve and provide network information regarding a domain name to said client.
  - 18. The apparatus according to claim 10, wherein said processor is further arranged, following a successful assessment of an authenticity of the DNS request, to store the source IP address in a whitelist of authenticated source addresses.

19. Apparatus for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the apparatus comprising:
- means for creating a new DNS zone in the server, exclusively for authentication;
  
  means for designating that the server is the only authoritative server for said new DNS zone in a global DNS network;
  
  means for intercepting the DNS request;
  
  means for creating a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
  
  means for sending a DNS response to the source IP address responsively to the DNS request, which solicits a client at the source IP address to send a second DNS request containing a query for said new canonical domain name;
  
  means for receiving, using the connectionless protocol, a second DNS request containing a query for a requested domain name;
  
  means for comparing said requested domain name to said new canonical domain name; and
  
  means for assessing an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.

20. A computer software product for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when executed by at least one processor cause the at least one processor:
- to create a new DNS zone in the server, exclusively for authentication;
  
  to designate that the server is the only authoritative server for said new DNS zone in a global DNS network;
  
  to intercept a first Domain Name System (DNS) the DNS request that is addressed to the protected server, sent using a connectionless protocol over a network from a source address in order to provide network information regarding a domain name;
  
  to create a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
  
  to send a DNS response to the source IP address by said only authoritative server for said new DNS zone, soliciting a client at the source IP address to send a DNS request containing a query for said new canonical domain name, using the connectionless protocol;
  
  to receive, using the connectionless protocol at said only authoritative server for said new DNS zone, a second DNS request containing a query for a requested domain name;
  
  to compare said requested domain name to said new canonical domain name; and
  
  to assess an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.
- View Dependent Claims (21, 22, 23, 24)
- - 21. The product according to claim 20, wherein the connectionless protocol comprises a User Datagram Protocol (UDP).
  - 22. The product according to claim 20, wherein the instructions cause the at least one processor to encode a first cookie into said new canonical domain name, and to decode a second cookie in said second DNS request.
  - 23. The product according to claim 22, wherein the instructions cause the at least one processor to encode into said first cookie at least one of:
    - a first IP TTL (Time-to-Live) value extracted from the DNS request;
      
      an IP address corresponding to the source address;
      
      a character string representing said new canonical domain name; and
      
      a pseudo-random number.
  - 24. The product according to claim 23, wherein the instructions cause the at least one processor to store at least a part of said first cookie in an authentication data structure, and wherein said assessing an authenticity comprises comparing said at least part of said first cookie with a corresponding part of said second cookie.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Pazi, Guy, Tzakikario, Rephael, Touitou, Dan
Primary Examiner(s)
Pwu; Jeffrey
Assistant Examiner(s)
Taha; Shaq

Application Number

US11/094,732
Time in Patent Office

1,693 Days
Field of Search

709/245
US Class Current

709/245
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/126   the source of the received ...

H04L 63/1458   Denial of Service

H04L 63/1483   service impersonation, e.g....

DNS anti-spoofing using UDP

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

108 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

DNS anti-spoofing using UDP

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

108 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links