DNS anti-spoofing using UDP
First Claim
1. A method for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the method comprising:
- creating a new DNS zone in the server, exclusively for authentication;
- designating the server as the only authoritative server for said new DNS zone in a global DNS network;
- intercepting the DNS request;
- responsively to the DNS request;
- creating, by said only authoritative server for said new DNS zone, a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
- sending by said only authoritative server for said new DNS zone a DNS response to the source IP address, wherein said DNS response solicits a client at the source IP address to send a DNS request containing a query for said new canonical domain name, using the connectionless protocol;
- receiving, using the connectionless protocol at said only authoritative server for said new DNS zone, a second DNS request containing a query for a requested domain name;
- comparing said requested domain name to said new canonical domain name; and
- assessing an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.
Abstract
A method for authenticating communication traffic includes receiving a first Domain Name System (DNS) request, sent using a connectionless protocol over a network from a source address, to provide network information regarding a domain name. Responsively to the first DNS request, a client at the source address is solicited to send a second DNS request using the connectionless protocol. An authenticity of the first DNS request is assessed based on the second DNS request.
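The abstract describes a challenge-response exchange: the first UDP query from an unverified source IP is answered with a CNAME pointing into a zone that only this server serves, and authenticity is judged by whether a follow-up query for that freshly minted name arrives from the same source. The following Python model is an added illustration, not code from the patent or any product implementing it; the zone name `auth.example.`, the 30-second lifetime, the one-time-use rule and the addresses are all constructed assumptions. It shows why a sender that forged the source IP cannot complete the exchange: the CNAME response is delivered to the forged address, so the spoofer never learns the name it would have to query.

```python
"""Model of the CNAME challenge described in the abstract: a first UDP DNS query from
an unverified source IP is answered with a CNAME into a zone for which this server is
the only authoritative server; only a client that actually receives that response can
send the second query for the minted name."""
import secrets
import time

# Hypothetical authentication-only zone (assumed name, not taken from the patent).
AUTH_ZONE = "auth.example."
CHALLENGE_TTL = 30.0          # seconds a minted challenge name stays valid (assumed value)
REAL_ANSWER = "203.0.113.10"  # constructed address returned to verified clients


class ChallengeDnsServer:
    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}      # challenge name -> (source IP it was issued to, expiry time)
        self.verified = set()   # source IPs whose authenticity has been assessed as genuine

    def handle_query(self, src_ip, qname):
        """Process one UDP query and return the response that would be sent to src_ip."""
        qname = qname.lower()
        if qname.endswith("." + AUTH_ZONE):
            return self._verify(src_ip, qname)
        if src_ip in self.verified:
            return {"rcode": "NOERROR", "answer": ("A", qname, REAL_ANSWER)}
        return self._challenge(src_ip, qname)

    def _challenge(self, src_ip, qname):
        # Mint an unguessable canonical name inside the authentication zone and record
        # which source IP it was issued to. The response is addressed to src_ip only, so
        # a sender that forged src_ip never sees the name.
        name = secrets.token_hex(16) + "." + AUTH_ZONE
        self._pending[name] = (src_ip, self._clock() + CHALLENGE_TTL)
        return {"rcode": "NOERROR", "answer": ("CNAME", qname, name)}

    def _verify(self, src_ip, qname):
        entry = self._pending.pop(qname, None)   # one-time use: a replayed name fails
        if entry is None:
            return {"rcode": "NXDOMAIN", "answer": None}
        issued_to, expiry = entry
        # The requested name must match a live challenge issued to this very source IP.
        if self._clock() > expiry or issued_to != src_ip:
            return {"rcode": "NXDOMAIN", "answer": None}
        self.verified.add(src_ip)
        return {"rcode": "NOERROR", "answer": ("A", qname, REAL_ANSWER)}


def genuine_client(server, src_ip, qname):
    """A client that really owns src_ip receives the CNAME response and follows it."""
    first = server.handle_query(src_ip, qname)
    if first["answer"] and first["answer"][0] == "CNAME":
        return server.handle_query(src_ip, first["answer"][2])
    return first


def spoofing_sender(server, forged_ip, qname):
    """A sender forging forged_ip can emit the first query, but the CNAME response is
    delivered to forged_ip, so the best it can do is guess a name under the auth zone."""
    server.handle_query(forged_ip, qname)   # response never reaches the spoofer
    guess = secrets.token_hex(16) + "." + AUTH_ZONE
    return server.handle_query(forged_ip, guess)


if __name__ == "__main__":
    srv = ChallengeDnsServer()
    print("genuine:", genuine_client(srv, "198.51.100.7", "www.example."))
    print("spoofed:", spoofing_sender(srv, "192.0.2.99", "www.example."))
    print("verified sources:", srv.verified)
```

A real deployment would carry the challenge in an actual DNS CNAME record and have the server's own resolver serve the minted name, but the decision logic is the same: the only thing compared is the requested name against the name that was issued to that source IP, and a name that is expired, already used, or was issued to a different address is treated as unauthenticated.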
108 Citations
24 Claims
1. Independent claim 1 (quoted in full above under First Claim). Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.

10. Apparatus for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the apparatus comprising:
- a network interface, which is arranged to receive the DNS request; and
- a processor, which is arranged:
  - to create a new DNS zone in the server, exclusively for authentication;
  - to designate that the server is the only authoritative server for said new DNS zone in a global DNS network;
  - to intercept the DNS request;
  - responsively to the DNS request;
  - to create a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
  - to send a DNS response to the source IP address, which solicits a client at the source IP address to send a DNS request containing a query for said new canonical domain name, using the connectionless protocol;
  - to receive, using the connectionless protocol, a second DNS request containing a query for a requested domain name;
  - to compare said requested domain name to said new canonical domain name; and
  - to assess an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.
Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.

19. Apparatus for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the apparatus comprising:
- means for creating a new DNS zone in the server, exclusively for authentication;
- means for designating that the server is the only authoritative server for said new DNS zone in a global DNS network;
- means for intercepting the DNS request;
- means for creating a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
- means for sending a DNS response to the source IP address responsively to the DNS request, which solicits a client at the source IP address to send a second DNS request containing a query for said new canonical domain name;
- means for receiving, using the connectionless protocol, a second DNS request containing a query for a requested domain name;
- means for comparing said requested domain name to said new canonical domain name; and
- means for assessing an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.

20. A computer software product for authenticating a source IP address of a Domain Name System (DNS) request sent using a connectionless protocol to a DNS server, the product comprising a tangible computer-readable medium in which program instructions are stored, which instructions, when executed by at least one processor cause the at least one processor:
- to create a new DNS zone in the server, exclusively for authentication;
- to designate that the server is the only authoritative server for said new DNS zone in a global DNS network;
- to intercept a first Domain Name System (DNS) the DNS request that is addressed to the protected server, sent using a connectionless protocol over a network from a source address in order to provide network information regarding a domain name;
- to create a new canonical domain name belonging to said new DNS zone, exclusively for authentication;
- to send a DNS response to the source IP address by said only authoritative server for said new DNS zone, soliciting a client at the source IP address to send a DNS request containing a query for said new canonical domain name, using the connectionless protocol;
- to receive, using the connectionless protocol at said only authoritative server for said new DNS zone, a second DNS request containing a query for a requested domain name;
- to compare said requested domain name to said new canonical domain name; and
- to assess an authenticity of the source IP address based on a result of said comparing said requested domain name to said new canonical domain name.
Dependent claims: 21, 22, 23, 24.
Specification