Verification of DNS accuracy in cache poisoning
First Claim
1. A computer executed method for adapting a processor from computer readable media to operate a domain name system (DNS) server apparatus resistant to cache poisoning comprising the following steps:
receiving, at a DNS server, a domain name system (dns) request from a resolver;
replicating the dns request;
generating a transaction id and source port for a first dns request using a first pseudo-random algorithm and generating a transaction id and source port for a second dns request using a second pseudo-random algorithm;
transmitting one of the replicated dns requests to a primary server and an other replicated dns request to at least one secondary server;
blocking a first DNS reply to the resolver until a plurality of DNS replies are received;
receiving a reply from each of at least two dns servers;
comparing the reply Internet Protocol (IP) address from a first dns request with the reply from a second dns request; and
responding to the resolver on the condition that two dns IP address replies match.
Abstract
Disclosed is a method, a computer system, and a computer readable media product that contains a set of computer executable software instructions for directing the computer to execute a process for independent confirmation of DNS replies to foil DNS cache poisoning attacks. The process comprises comparing a plurality of DNS replies for an exact or predefined "close enough" match as a condition for blocking or forwarding a DNS reply to a resolver. The tangible beneficial result is to prevent a successful DNS cache poisoning attack from diverting a user to a malicious site on the Internet.
17 Claims
2. A computer implemented method for foiling domain name system DNS cache poisoning attacks by controlling a processor from computer readable media to manage a DNS server comprising the following steps:

receiving a DNS query from an originator; relaying said DNS query to a plurality of DNS servers, by transmitting each DNS query with a different transaction id and source port; blocking a first DNS reply to the originator until a plurality of DNS replies are received; receiving a plurality of DNS replies, containing said different transaction id and source port, from said plurality of DNS servers; comparing the Internet Protocol (IP) address contained in the reply from a first DNS server with the IP address contained in the reply from a second DNS server; and providing to the originator a substantially similar IP address if the IP address of the reply to the first DNS request is substantially similar to the IP address of the reply to the second DNS request.

Dependent claims: 3, 4, 5.
6. A method for verifying domain name system DNS accuracy comprising:

receiving a DNS query from an initiating resolver; duplicating said DNS query; generating a different transaction id and source port for each duplicate dns query by randomizing the source port of each query; transmitting one of the duplicate DNS queries to each of at least three DNS servers; blocking a first DNS reply to the initiating resolver until a plurality of DNS replies are received; receiving a reply from each of at least two DNS servers, said reply containing one of the generated different transaction id and source port; and comparing the Internet Protocol (IP) address contained in the reply to a first DNS request with the IP address contained in the reply to a second DNS request to determine a match.

Dependent claims: 7, 8, 9, 10, 11.
12. An apparatus to protect a Domain Name System (DNS) cache from DNS poisoning attacks comprising a computer platform which comprises:

a hardware unit, the hardware unit comprising one or more central processing units (CPUs), a random access memory (RAM), an input/output (I/O) interface, an external data storage device, and a network link to connect to the global Internet;

an operating system to coordinate the operation of the various components of the computer system, manage various objects and files, and record certain information regarding same; said computer platform communicatively coupled to a machine readable store encoded with a computer program to adapt the hardware unit and link; to receive a DNS request from an originator; to replicate the DNS request; to generate a transaction id and source port for a first dns request using a first pseudo-random algorithm and to generate a transaction id and source port for a second dns request using a second pseudo-random algorithm; to transmit one of the replicated DNS requests to a primary server and an other replicated DNS request to at least one secondary server; to block a first DNS reply to the originator until a plurality of DNS replies are received; to receive a reply from each of at least two DNS servers validated by the generated transaction id and source port; to compare the IP address contained in the reply from a first DNS request with the IP address contained in the reply from a second DNS request; and to provide to the originator a substantially similar IP address if the IP address of the reply to the first DNS request is substantially similar to the IP address of the reply to the second DNS request.

Dependent claims: 13, 14, 15, 16, 17.
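The resolver behaviour that claims 1, 2, 6 and 12 describe (replicate the query, give each copy its own random transaction id and source port, hold the answer until every upstream has replied, accept only replies bound to an outstanding txid/port pair, and answer only when the IP addresses agree exactly or under a predefined "close enough" rule) is shown below as an added Python simulation; it is not code from the patent. The upstream servers, the zone table, the addresses and the `/24` predicate are all constructed for the example.

```python
import secrets
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Query:
    name: str
    txid: int   # 16-bit DNS transaction id
    port: int   # UDP source port the copy is sent from

@dataclass(frozen=True)
class Reply:
    name: str
    txid: int
    port: int
    ips: frozenset  # A-record addresses carried in the answer

def replicate(name: str, copies: int) -> list:
    """Duplicate the query; each copy gets its own txid and ephemeral port from
    independent CSPRNG draws (standing in for the claims' two random algorithms)."""
    return [Query(name, secrets.randbelow(1 << 16), 49152 + secrets.randbelow(16384))
            for _ in range(copies)]

def same_prefix24(a: frozenset, b: frozenset) -> bool:
    """Constructed 'close enough' predicate: all addresses share a single /24."""
    return len({ip_network(f"{ip}/24", strict=False) for ip in a | b}) == 1

def make_upstream(zone: dict):
    """Simulated upstream server answering from a constructed zone table."""
    def serve(q: Query):
        ips = zone.get(q.name)
        return None if ips is None else Reply(q.name, q.txid, q.port, frozenset(ips))
    return serve

def verified_lookup(name: str, upstreams: list, match=None):
    """One copy per upstream; block until all replies are in; drop any reply not
    carrying our txid/port; respond only if every reply's IP set matches."""
    match = match or (lambda a, b: a == b)
    replies = []
    for q, up in zip(replicate(name, len(upstreams)), upstreams):
        r = up(q)
        if r is None or (r.name, r.txid, r.port) != (q.name, q.txid, q.port):
            return None  # unanswered, or not bound to the query we sent: reject
        replies.append(r)
    first = replies[0].ips
    return first if all(match(first, r.ips) for r in replies[1:]) else None
```

A `None` result is where a real implementation would return SERVFAIL (or retry) rather than cache anything, which is the blocking condition the claims describe.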