Policy-managed DNS server to control network traffic
11 Assignments
Abstract
Disclosed is a method, a computer system, and a computer-readable media product that contains a set of computer executable software instructions for directing the computer to execute a process for policy-based operation of a DNS server apparatus to manage traffic due to undesirable mail or requests for electronic documents. The policies operate according to owners, regions, or countries controlling source IP addresses and deterministically select from a plurality of non-equivalent replies to be sent to the source IP address. Accumulating previous activity records may assist in determining which traffic may be usefully deferred or suppressed. The process includes withholding certain information from certain DNS servers seeking IP addresses to improve overall security and integrity of the Internet.
92 Citations
5 Claims
1. An apparatus for policy managed DNS services comprising:
a circuit to receive a UDP packet;
a circuit to read from the UDP packet a source IP address, socket, a query name, a query type, a query class, and a time and date;
a circuit to implement at least one policy, wherein a policy comprises a plurality of rules and for each rule a reply to be transmitted if the rule is evaluated to be true and a reply to be transmitted if the rule is evaluated to be false;
a circuit to evaluate the plurality of rules by application of values read from the UDP packet; and
a circuit to transmit the reply selected by the policy;
wherein the rule is selected from among the following: a rule on a list of IP addresses controlled by commercial or governmental entities, a rule on IP addresses associated with open proxies, and a rule on IP addresses controlled by certain authorities.
2. An outsourced policy engine apparatus for providing domain name system (DNS) query service coupled through a network to a plurality of policy-based DNS server apparatus,
said outsourced policy engine apparatus comprising a computing system comprising a computer platform, external data storage, a network link, an operating system, and computer software;
said computer software adapted to configure the computer platform to receive from one of the policy-based DNS server apparatus values read from a DNS query packet, and from a database, evaluate a plurality of rules, and return the result of the most restrictive of the plurality of rules to said one of the policy-based DNS server apparatus;
said database comprising records of querynames, querytypes, queryclass, source IP addresses and ports, time of day and day of week, by commercial entities, by governmental entities, by certain authorities, and associated with open proxies, webcrawlers, geographical regions, or bot-nets; and
means for determining the onset of a new cache poisoning or denial of service attack based on data received from a plurality of said policy-based DNS server apparatus coupled through said network to said outsourced policy engine apparatus, and means for generating and distributing new rules to each coupled policy-based DNS server apparatus.
3. A computer executed method for operating an outsourced policy engine coupled through a network to a plurality of policy-based DNS server apparatus comprising the steps:
receiving from one of the policy-based DNS server apparatus values read from a DNS query packet;
receiving from a database records of previous performance of hosts associated with the values read from a DNS query packet;
evaluating a plurality of rules; and
returning a result of the most restrictive of the plurality of rules to said one of the policy-based DNS server apparatus;
wherein rules include: a rule on volume or density of queries characteristic of denial of service attacks, a rule on frequency of queries characteristic of cache poisoning attacks, a rule on IP addresses within a range of a spammers' known activity, a rule on a list of IP addresses controlled by commercial or governmental entities, a rule on IP addresses associated with open proxies, and a rule on IP addresses controlled by certain authorities.
4. A system for providing informed domain name system (DNS) query service to protect DNS servers from bogus queries designed to poison cache comprising:
a plurality of policy-based DNS server apparatus communicatively coupled through a network to an outsourced policy engine apparatus, said outsourced policy engine apparatus coupled to a database of observed previous performance of hosts associated with a host requesting Domain Name System (DNS) services;
said outsourced policy engine apparatus comprising a computing system comprising a computer platform, external data storage, a network link, an operating system, and computer software;
said computer software adapted to configure the computer platform to receive from a plurality of the policy-based DNS server apparatus values read from a DNS query packet, and from said database, evaluate a plurality of rules, and return the result of the most restrictive of the plurality of rules to said one of the policy-based DNS server apparatus;
said database comprising records of querynames, querytypes, queryclass, source IP addresses and ports, time of day and day of week, ranges of IP addresses controlled by spammers, by commercial entities, by governmental entities, by certain authorities, and associated with open proxies, webcrawlers, geographical regions, or bot-nets;
which policy engine evaluates a policy decision based on information extracted from a DNS query and used to retrieve values stored in the database and the most restrictive rule of a plurality of rules which evaluates as true.
5. An informed domain name system server method comprising a method for receiving a domain name system server request,
sending a query containing an IP address extracted from said domain name server request to an informational server,
receiving a report on the observed previous performance of the host associated with the subject IP address, and
deterministically selecting a pre-identified reply as a first consequence and deterministically selecting an algorithmically generated reply as a second consequence according to the report;
wherein the pre-identified reply comprises an IP address for the requested domain name, and the algorithmically generated reply comprises an IP address referencing a message.
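The claims above describe one processing pipeline: read the source address, port, query name, type, class and arrival time from a UDP DNS packet; evaluate a set of rules, each with a reply for its true branch and one for its false branch; consult previous-activity records for rate-based rules; and transmit the most restrictive reply any rule selects, which is either the pre-identified address for the name or an address that references a message. The following Python is an added illustration of that pipeline and is not the patent's code or any product's implementation. The restrictiveness ordering of the replies (answer < message < refuse < drop), the `weekend` rule, the sliding-window rate rule and the `message_ip` host are assumptions of this example; the zone, address ranges and packets are constructed sample input.

```python
"""Policy-managed DNS responder, added as an illustration of the claims above
(not the patent's own code): parse a DNS query from a UDP payload, apply rules to
the values read from it plus previous-activity records, and select the most
restrictive reply among those the rules produce."""
import ipaddress
import struct
import time
from collections import defaultdict, deque
from dataclasses import dataclass

# Reply kinds, ordered least to most restrictive.  The ordering is an assumption
# of this example; the patent only requires the replies to be non-equivalent.
ANSWER, MESSAGE, REFUSE, DROP = 0, 1, 2, 3
DECISION = {ANSWER: "answer", MESSAGE: "message", REFUSE: "refuse", DROP: "drop"}


@dataclass
class Query:
    src_ip: str
    src_port: int
    qname: str
    qtype: int
    qclass: int
    ts: float          # time and date the packet was received (Unix seconds)


def build_query(qname, qtype=1, qclass=1, txid=0x1234):
    """Constructed sample input: encode a standard DNS query in RFC 1035 wire format."""
    labels = qname.rstrip(".").split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, qclass)


def parse_dns_query(packet, src_ip, src_port, ts):
    """Read the header and first question from a raw DNS query; raise on malformed input."""
    if len(packet) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: packet is a response, not a query")
    if qdcount < 1:
        raise ValueError("empty question section")
    labels, off = [], 12
    while True:
        if off >= len(packet):
            raise ValueError("truncated query name")
        ln = packet[off]
        off += 1
        if ln == 0:
            break
        if ln & 0xC0 or off + ln > len(packet):
            raise ValueError("bad label (compression pointer or truncated)")
        labels.append(packet[off:off + ln].decode("ascii"))
        off += ln
    if off + 4 > len(packet):
        raise ValueError("truncated qtype/qclass")
    qtype, qclass = struct.unpack("!HH", packet[off:off + 4])
    return Query(src_ip, src_port, ".".join(labels).lower(), qtype, qclass, ts)


class PolicyEngine:
    """Each rule carries a reply for its true branch and one for its false branch;
    the most restrictive reply produced by any rule is the one transmitted."""

    def __init__(self, zone, message_ip, open_proxies=(), authorities=(), window=1.0, max_rate=20):
        self.zone = {n.lower(): ip for n, ip in zone.items()}   # pre-identified answers
        self.message_ip = message_ip   # assumed: a host that serves an explanatory message
        self.open_proxies = [ipaddress.ip_network(n) for n in open_proxies]
        self.authorities = [ipaddress.ip_network(n) for n in authorities]
        self.window, self.max_rate = window, max_rate
        self.history = defaultdict(deque)  # previous-activity records: timestamps per source IP

    @staticmethod
    def _in_nets(ip, nets):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in nets)

    def _rate(self, q):
        """Record this query and return the source's query count inside the sliding window."""
        seen = self.history[q.src_ip]
        seen.append(q.ts)
        while seen and q.ts - seen[0] > self.window:
            seen.popleft()
        return len(seen)

    def evaluate(self, q):
        rules = [  # (name, condition, reply if true, reply if false)
            ("dos_volume", self._rate(q) > self.max_rate, DROP, ANSWER),
            ("open_proxy", self._in_nets(q.src_ip, self.open_proxies), REFUSE, ANSWER),
            ("authority", self._in_nets(q.src_ip, self.authorities), MESSAGE, ANSWER),
            ("weekend", time.gmtime(q.ts).tm_wday >= 5, MESSAGE, ANSWER),  # assumed day-of-week rule
        ]
        reply, rule = max(((t if c else f, n) for n, c, t, f in rules), key=lambda o: o[0])
        if not any(c for _, c, _, _ in rules):
            rule = None                      # no rule fired: the default branch answered
        ip, rcode = None, None
        if reply == ANSWER:
            ip = self.zone.get(q.qname)
            rcode = 0 if ip is not None else 3   # NXDOMAIN when the name is unknown
        elif reply == MESSAGE:
            ip, rcode = self.message_ip, 0       # generated reply pointing at a message
        elif reply == REFUSE:
            rcode = 5                            # REFUSED
        return {"decision": DECISION[reply], "rule": rule, "ip": ip, "rcode": rcode}

    def handle(self, packet, src_ip, src_port, ts):
        """Entry point for a received UDP payload; malformed packets are dropped silently."""
        try:
            q = parse_dns_query(packet, src_ip, src_port, ts)
        except (ValueError, UnicodeDecodeError):
            return {"decision": "drop", "rule": "malformed", "ip": None, "rcode": None}
        return self.evaluate(q)


if __name__ == "__main__":
    engine = PolicyEngine({"www.example.com": "192.0.2.10"}, "192.0.2.99",
                          open_proxies=["198.51.100.0/24"], authorities=["203.0.113.0/24"], max_rate=5)
    pkt = build_query("www.example.com")
    for src in ("192.0.2.1", "198.51.100.7", "203.0.113.5"):
        print(src, engine.handle(pkt, src, 5353, 1700000000.0))
```

Two design points carry over from the claims. First, a malformed or non-query packet (short header, QR bit set, a compression pointer in the question name) is dropped before any rule runs, so the policy engine never reasons about values it could not read. Second, because the selection is "most restrictive rule wins", an open-proxy source still gets REFUSED on a weekend even though the day-of-week rule alone would only have redirected it to the message host; ordering the reply kinds is what makes that comparison deterministic.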
Specification