Domain name system security network
Abstract
In one embodiment, a DNS security network includes several DNS appliances and a security operations center (SOC) server computer. The SOC server computer may receive telemetry data from the DNS appliances, the telemetry data comprising information about DNS client queries received in the respective DNS appliances. From the telemetry data, the SOC server computer may generate security policies for distribution to the DNS appliances. The security policies may be used by the DNS appliances to determine whether a DNS client query is originated by a client computer performing a prohibited activity (e.g., sending spam, communicating with a zombie control computer, navigating to a prohibited website, etc.). An answer to a client query may be replaced or discarded altogether in cases where the originator is performing a prohibited activity.
12 Claims
1. A method of processing a domain name system (DNS) client query sent to a DNS server, the method to be performed by the DNS server and comprising:
- receiving in the DNS server a client query from a client computer, the client query requesting an Internet Protocol (IP) address associated with a domain name identified in the client query;
- comparing a first set of information about the client query against security policies to determine if the client computer is performing a prohibited activity indicated in at least one of the security policies, the first set of information being with the client query as first received by the DNS server;
- comparing a second set of information about the client query against the security policies to determine if the client computer is performing the prohibited activity, the second set of information including information that became available in the DNS server after the client query has been received in the DNS server;
- determining an answer to the client query, the answer providing the IP address associated with the domain name identified in the client query; and
- replacing the answer with a different answer when the client computer is deemed to be performing the prohibited activity.

Dependent claims: 2, 3, 4, 5, 6.
7. A system for processing DNS client queries, the system comprising:
- a plurality of DNS appliances, each of the DNS appliances including a DNS server configured to process a DNS client query from a client computer, the DNS server being configured to check the DNS client query for compliance with security policies and to replace an answer to the client query with a replacement answer when at least one of the security policies indicate that the client computer is performing a prohibited activity, the answer comprising an IP address of a domain name of interest indicated in the client query as originally received by the DNS server; and
- a server computer configured to receive telemetry data from the plurality of DNS appliances, the telemetry data comprising information about client queries received by the DNS appliances, the server computer including a threat aggregator configured to detect a malicious activity based on the telemetry data from the plurality of DNS appliances, to generate an update to the security policies in response to the detection of the malicious activity, and to provide the update to the DNS appliances.

Dependent claims: 8, 9.
10. A method of processing a DNS client query, the method comprising:
- in a server computer, receiving telemetry data from a plurality of DNS computers that each run a DNS server, the telemetry data including information about DNS client queries received by the DNS computers;
- in the server computer, generating a plurality of policies based on the telemetry data;
- providing the plurality of policies from the server computer to the DNS computers over the Internet;
- receiving a DNS client query in a DNS computer in the plurality of DNS computers, the DNS client query being originated by a customer computer requesting an IP address of a remote computer;
- in the DNS computer, checking the DNS client query against the plurality of policies to determine if the DNS client query is for a prohibited activity;
- in the DNS computer, determining an answer to the DNS client query, the answer including an IP address of the remote computer; and
- providing the customer computer a replacement answer instead of the answer when the client query is for the prohibited activity, the replacement answer being provided to the customer computer by the DNS server.

Dependent claims: 11, 12.
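The abstract and the independent claims describe three mechanisms: a check on the information carried by the query as received (client address, queried name, query type), a second check on information that only becomes available after the server has worked on the query (here, the resolved address), replacement of the answer when a policy matches, and a central server that turns appliance telemetry into policy updates pushed back to every appliance. The following Python model is an added illustration written for this page, not code from the patent or from any product. The sinkhole address, the static resolution table standing in for recursive lookups, the MX rate-limit threshold and the aggregation rule (a name whose answer landed in a blocked network is promoted to the blocked-domain list) are all constructed assumptions.

```python
"""Toy model of the two-stage DNS policy check and the telemetry-driven policy
update described in the claims. Constructed example, not the patent's code."""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Replacement answer handed back when a query is deemed prohibited.
# 192.0.2.0/24 is reserved for documentation (RFC 5737); constructed value.
SINKHOLE = "192.0.2.1"

# Hypothetical static resolution table standing in for real recursive lookups.
RESOLVE_TABLE = {
    "example.com": "198.51.100.10",
    "botnet-c2.example": "203.0.113.7",   # constructed: falls in a blocked range
    "phish.example": "198.51.100.20",
}


def normalize(qname: str) -> str:
    """Fold case and strip the trailing dot so policy matches are consistent."""
    return qname.rstrip(".").lower()


@dataclass
class Policies:
    blocked_domains: set = field(default_factory=set)
    blocked_networks: list = field(default_factory=list)  # ipaddress networks
    mx_rate_limit: int = 3  # MX lookups per client before flagging as a spam source


@dataclass
class Query:
    client_ip: str
    qname: str
    qtype: str = "A"


class DnsAppliance:
    def __init__(self, name: str, policies: Policies):
        self.name = name
        self.policies = policies
        self.mx_counts = Counter()
        self.telemetry = []  # (client_ip, qname, answer, verdict) per query

    def check_on_receipt(self, q: Query):
        """First set of information: what is known the moment the query arrives."""
        if normalize(q.qname) in self.policies.blocked_domains:
            return "blocked-domain"
        if q.qtype == "MX":
            self.mx_counts[q.client_ip] += 1
            if self.mx_counts[q.client_ip] > self.policies.mx_rate_limit:
                return "spam-source"
        return None

    def check_after_resolution(self, answer: str):
        """Second set of information: the resolved address, known only after lookup."""
        addr = ipaddress.ip_address(answer)
        if any(addr in net for net in self.policies.blocked_networks):
            return "blocked-network"
        return None

    def handle(self, q: Query):
        """Return (answer, verdict); the answer is the sinkhole when a policy matched."""
        verdict = self.check_on_receipt(q)
        answer = RESOLVE_TABLE.get(normalize(q.qname), "0.0.0.0")
        if verdict is None:
            verdict = self.check_after_resolution(answer)
        self.telemetry.append((q.client_ip, normalize(q.qname), answer, verdict))
        if verdict is not None:
            return SINKHOLE, verdict
        return answer, None


def generate_policy_update(appliances):
    """SOC threat aggregator (constructed rule): any name whose answer fell in a
    blocked network at any appliance is promoted to the blocked-domain list, so
    every appliance can reject it on receipt instead of after resolution."""
    return {qname for app in appliances
            for _client, qname, _answer, verdict in app.telemetry
            if verdict == "blocked-network"}


def distribute(appliances, update):
    """Push the SOC's policy update to every appliance."""
    for app in appliances:
        app.policies.blocked_domains |= update


def demo():
    blocked_nets = [ipaddress.ip_network("203.0.113.0/24")]
    a1 = DnsAppliance("appliance-1", Policies({"phish.example"}, list(blocked_nets), 2))
    a2 = DnsAppliance("appliance-2", Policies(set(), list(blocked_nets), 2))
    results = {}
    results["clean"] = a1.handle(Query("10.0.0.5", "example.com"))
    results["stage1"] = a1.handle(Query("10.0.0.5", "PHISH.example."))   # case/trailing dot
    results["stage2"] = a1.handle(Query("10.0.0.6", "botnet-c2.example"))
    for _ in range(3):  # third MX lookup exceeds the limit of 2
        last = a1.handle(Query("10.0.0.9", "example.com", "MX"))
    results["spam"] = last
    distribute([a1, a2], generate_policy_update([a1, a2]))
    # appliance-2 never saw the name, yet now rejects it on receipt
    results["after_update"] = a2.check_on_receipt(Query("10.0.0.7", "botnet-c2.example"))
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The first check runs before any resolution work and the second only after the answer exists, which is why the aggregator's job is to move detections from the second stage to the first: once a name is in the blocked-domain list, no appliance spends a lookup on it and the client receives the replacement answer immediately.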
Specification