Verification of DNS accuracy in cache poisoning

US 7,930,428 B2
Filed: 11/11/2008
Issued: 04/19/2011
Est. Priority Date: 11/11/2008
Status: Active Grant

First Claim

Patent Images

1. A computer executed method for adapting a processor from computer readable media to operate a domain name system (DNS) server apparatus resistant to cache poisoning comprising the following steps:

receiving, at a DNS server, a domain name system (dns) request from a resolver;

replicating the dns request;

generating a transaction id and source port for a first dns request using a first pseudo-random algorithm and generating a transaction id and source port for a second dns request using a second pseudo-random algorithm;

transmitting one of the replicated dns requests to a primary server and an other replicated dns request to at least one secondary server;

blocking a first DNS reply to the resolver until a plurality of DNS replies are received;

receiving a reply from each of at least two dns servers;

comparing the reply Internet Protocol (IP) address from a first dns request with the reply from a second dns request; and

responding to the resolver on the condition that two dns IP address replies match.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method, a computer system, and a computer readable media product that contains a set of computer executable software instructions for directing the computer to execute a process for independent confirmation of DNS replies to foil DNS cache poisoning attacks. The process comprises comparing a plurality of DNS replies for an exact or predefined “close enough” match as a condition for blocking or forwarding a DNS reply to a resolver. The tangible beneficial result is to prevent the success of a dns cache poisoning attack from diverting a user to a malicious site on the internet.

Citations

17 Claims

1. A computer executed method for adapting a processor from computer readable media to operate a domain name system (DNS) server apparatus resistant to cache poisoning comprising the following steps:
- receiving, at a DNS server, a domain name system (dns) request from a resolver;
  
  replicating the dns request;
  
  generating a transaction id and source port for a first dns request using a first pseudo-random algorithm and generating a transaction id and source port for a second dns request using a second pseudo-random algorithm;
  
  transmitting one of the replicated dns requests to a primary server and an other replicated dns request to at least one secondary server;
  
  blocking a first DNS reply to the resolver until a plurality of DNS replies are received;
  
  receiving a reply from each of at least two dns servers;
  
  comparing the reply Internet Protocol (IP) address from a first dns request with the reply from a second dns request; and
  
  responding to the resolver on the condition that two dns IP address replies match.

2. A computer implemented method for foiling domain name system DNS cache poisoning attacks by controlling a processor from computer readable media to manage a DNS server comprising the following steps:
- receiving a DNS query from an originator;
  
  relaying said DNS query to a plurality of DNS servers, by transmitting each DNS query with a different transaction id and source port;
  
  blocking a first DNS reply to the originator until a plurality of DNS replies are received;
  
  receiving a plurality of DNS servers, containing said different transaction id and source port, from said plurality of DNS servers;
  
  comparing the Internet Protocol (IP) address contained in the reply from a first DNS server with the IP address contained in the reply from a second DNS server; and
  
  providing to the originator a substantially similar IP address if the IP address of the reply to the first DNS request is substantially similar to the IP address of the reply to the second DNS request.
- View Dependent Claims (3, 4, 5)
- - 3. The method of claim 2 wherein one of the DNS servers provides a digital certificate for authentication.
  - 4. The method of claim 2 wherein at least one of the DNS servers is selected pseudo-randomly.
  - 5. The method of claim 2 further comprising the step of:
    - turning Port Address Translation in network routers off.

6. A method for verifying domain name system DNS accuracy comprising:
- receiving a DNS query from an initiating resolver;
  
  duplicating said DNS query;
  
  generating a different transaction id and source port for each duplicate dns query using by randomizing the source port of each query;
  
  transmitting one of the duplicate DNS queries to at least three DNS servers;
  
  blocking a first DNS reply to the initiating resolver until a plurality of DNS replies are received;
  
  receiving a reply from each of at least two DNS servers, said reply containing one of the generated different transaction id and source port; and
  
  comparing the Internet Protocol (IP) address contained in the reply to a first DNS request with the IP address contained in the reply to a second DNS request to determine a match.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 further comprising:
    - receiving a plurality of replies, and forwarding the reply having a majority of results which match to the initiating resolver.
  - 8. The method of claim 6 wherein a match comprises:
    - a reverse DNS lookup of a first IP address and a second IP address results in the same host and domain name.
  - 9. The method of claim 6 wherein a match comprises:
    - a first IP address is within a certain range of a second IP address.
  - 10. The method of claim 6 wherein a match comprises:
    - a first IP address and a second IP address are registered to the same entity.
  - 11. The method of claim 6 wherein a match comprises:
    - a mask of n least significant bits applied to a first IP address and a second IP address result in the same result.

12. An apparatus to protect a Domain Name System (DNS) cache from DNS poisoning attacks comprising a computer platform which comprisesa hardware unit, the hardware unit comprises one or more central processing units (CPUs), a random access memory (RAM), an input/output (I/O) interface, an external data storage device, and a network link to connect to the global Internet;
- an operating system to coordinate the operation of the various components of the computer system, manage various objects and files, and record certain information regarding same;
  
  said computer platform communicatively coupled to a machine readable store encoded with a computer program to adapt the hardware unit and link;
  
  to receive a DNS request from an originator;
  
  to replicate the DNS request;
  
  to generate a transaction id and source port for a first dns request using a first pseudo-random algorithm and to generate a transaction id and source port for a second dns request using a second pseudo-random algorithm;
  
  to transmit one of the replicated DNS requests to a primary server and an other replicated DNS request to at least one secondary server;
  
  to block a first DNS reply to the originator until a plurality of DNS replies are received;
  
  to receive a reply from each of at least two DNS servers validated by the generated transaction id and source port;
  
  to compare the IF address contained in the reply from a first DNS request with the IP address contained in the reply from a second DNS request; and
  
  to provide to the originator a substantially similar IP address if the IP address of the reply to the first DNS request is substantially similar to the IP address of the reply to the second DNS request.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. A system comprising the apparatus of claim 12 communicatively coupled to at least one DNS server which provides a digital certificate for authentication.
  - 14. The apparatus of claim 12 wherein the apparatus is a network switch or hub.
  - 15. The apparatus of claim 12 wherein the apparatus is a router.
  - 16. The apparatus of claim 12 wherein the apparatus is a firewall
  - 17. The apparatus of claim 12 further comprising a DNS cache coupled to said one or more cpus and said network link wherein the apparatus is a DNS server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
Drako, Dean
Primary Examiner(s)
Avellino; Joseph E
Assistant Examiner(s)
Afolabi; Mark O

Application Number

US12/268,446
Publication Number

US 20100121981A1
Time in Patent Office

889 Days
Field of Search

709/202, 709/204, 709220-226, 709/245, 358/1.15, 705/6, 705/1, 705/28, 705/26, 705/27, 705/56, 705/35, 705/37, 705/44, 705/10, 717/121, 717/126, 717/177, 717/101, 707/100, 707/10, 714 25- 34
US Class Current

709/245
CPC Class Codes

G06F 11/183   by voting, the voting not b...

H04L 2463/145   Detection or countermeasure...

H04L 61/4511   using domain name system [DNS]

H04L 63/0245   Filtering by information in...

H04L 63/0254   Stateful filtering

Verification of DNS accuracy in cache poisoning

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Verification of DNS accuracy in cache poisoning

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links