Method and apparatus for limiting domain name server transaction bandwidth

US 7,970,878 B1
Filed: 11/16/2005
Issued: 06/28/2011
Est. Priority Date: 11/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

intercepting one or more Domain Name System (DNS) packets that are part of a DNS tunnel,examining a DNS packet of said one or more DNS packets for a suspect DNS record of a suspect DNS record type,wherein said suspect DNS record type is selected from the group consisting of a CNAME record type and a TXT record type,in response to determining that said DNS packet contains a suspect DNS record of a suspect DNS record type, then determining a size of said suspect DNS record,in response to determining that said size of said suspect DNS record exceeds a threshold, removing said suspect DNS record from said DNS packet, andallowing a DNS transaction comprising said DNS packet to proceed but with said suspect DNS record removed from said DNS packet,wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of limiting domain name server (DNS) transaction bandwidth comprises intercepting one or more DNS packets, examining said one or more packets for the presence of a suspect transaction criterion and, if said suspect transaction criterion is present, implementing a transaction bandwidth limitation action.

33 Citations

View as Search Results

17 Claims

1. A method comprising:
- intercepting one or more Domain Name System (DNS) packets that are part of a DNS tunnel,examining a DNS packet of said one or more DNS packets for a suspect DNS record of a suspect DNS record type,wherein said suspect DNS record type is selected from the group consisting of a CNAME record type and a TXT record type,in response to determining that said DNS packet contains a suspect DNS record of a suspect DNS record type, then determining a size of said suspect DNS record,in response to determining that said size of said suspect DNS record exceeds a threshold, removing said suspect DNS record from said DNS packet, andallowing a DNS transaction comprising said DNS packet to proceed but with said suspect DNS record removed from said DNS packet,wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method as claimed in claim 1 in which the DNS packet comprises one of a DNS request or a DNS response packet.
  - 3. A method as claimed in claim 1 in which the DNS packet includes one or more records selected from the group consisting of an A record, a CNAME record, and a TXT record.
  - 4. A method as claimed in claim 1 performed at a DNS proxy.
  - 5. A method as claimed in claim 4 comprising the step of intercepting a DNS request packet and sending a DNS proxy request packet.
  - 6. A method as claimed in claim 5 comprising examining the DNS request packet and/or a response packet received in response to the proxy DNS request packet.
  - 7. A method as claimed in claim 1 in which the DNS transaction is carried out between a client and a host on a network.
  - 8. A method as claimed in claim 7 in which the client and host communicate via one of a public wireless local area network (PWLAN), broadband or dial up connection to a network.

9. A volatile or a non-volatile computer readable non-transitory storage medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform:
- intercepting one or more Domain Name System (DNS) packets that are part of a DNS tunnel,examining a DNS packet of said one or more DNS packets for a DNS record of a suspect DNS record type,wherein said suspect DNS record type is selected from the group consisting of a CNAME record type and a TXT record type,in response to determining that said DNS packet contains a suspect DNS record of a suspect DNS record type, then determining a size of said suspect DNS record,in response to determining that said size of said suspect DNS record exceeds a threshold, removing said suspect DNS record from said DNS packet, andallowing a DNS transaction comprising said DNS packet to proceed but with said suspect DNS record removed from said DNS packet.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The volatile or a non-volatile computer readable non-transitory storage medium of claim 9, wherein the DNS packet comprises one of a DNS request or a DNS response packet.
  - 12. The volatile or a non-volatile computer readable non-transitory storage medium in claim 9, wherein the DNS packet includes one or more records selected from the group consisting of an A record, a CNAME record, and a TXT record.
  - 13. The volatile or a non-volatile computer readable non-transitory storage medium of claim 9 performed at a DNS proxy.
  - 14. The volatile or a non-volatile computer readable non-transitory storage medium of claim 13, further storing instructions for intercepting a DNS request packet and sending a DNS proxy request packet.
  - 15. The volatile or a non-volatile computer readable non-transitory storage medium of claim 14, further storing instructions for examining the DNS request packet and/or a response packet received in response to the DNS proxy request packet.
  - 16. The volatile or a non-volatile computer readable non-transitory storage medium of claim 9, wherein the DNS transaction is carried out between a client and a host on a network.
  - 17. The volatile or a non-volatile computer readable non-transitory storage medium of claim 16, wherein the client and host communicate via one of a public wireless local area network (PWLAN), broadband or dial up connection to a network.

10. An apparatus comprising:
- one or more processors, anda network interface operatively coupled to the one or more processors, and a volatile or a non-volatile computer readable medium comprising one or more sequences of instructions which, when executed by the one or more processors, cause the one or more processors to perform;
  
  intercepting one or more Domain Name System (DNS) packets that are part of a DNS tunnel,examining a DNS packet of said one or more DNS packets for a DNS record of a suspect DNS record type,wherein said suspect DNS record type is selected from the group consisting of a CNAME record type and a TXT record type,if said DNS packet contains a suspect DNS record of a suspect DNS record type, then determining a size of said suspect DNS record,if said size of said suspect DNS record exceeds a threshold, then removing said suspect DNS record from said DNS packet, andallowing a DNS transaction comprising said DNS packet to proceed but with said suspect DNS record removed from said DNS packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Manning, Michael, Burshan, Chen Yehezkel, Cotton, Ian Michael, Wilkins, Gregory John
Primary Examiner(s)
Zele; Krista M
Assistant Examiner(s)
Forman; James Q

Application Number

US11/281,252
Time in Patent Office

2,050 Days
Field of Search

709/223, 370/255, 726/3
US Class Current

709/223
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/0245   Filtering by information in...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

Method and apparatus for limiting domain name server transaction bandwidth

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

33 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for limiting domain name server transaction bandwidth

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links