Systems and methods for generating a DNS query to improve resistance against a DNS attack
First Claim
1. A method for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the method comprising:
a) receiving, by a DNS resolver configured on a device, a request to resolve a domain name;
b) identifying, by the DNS resolver, the domain name, an internet protocol address of a DNS server, and a port of the DNS server;
c) generating a transaction identifier for a DNS query by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the DNS server, the port of the DNS server, and the domain name, the input of the domain name comprising a portion of the domain name to be resolved; and
d) transmitting, by the DNS resolver, the DNS query for the domain name to the DNS server, the DNS query identified by the generated transaction identifier.
Abstract
The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers.
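The generation rule described in the abstract, a one-way hash over a per-resolver random number, the name server's IP address, its port and the query name, together with the case-salting variant, as an added example that is not the patent's own code. It assumes SHA-256 as the hash function, a length-prefixed concatenation of the inputs, a constructed secret and a constructed server address (192.0.2.x, a documentation range), and it hashes the whole lower-cased name where the claim allows only a portion. The `response_matches` check shows what the resolver gains on the receiving side: a reply is accepted only if it carries the derived ID and echoes the salted case pattern exactly.

```python
import hashlib
import string
import struct

# Constructed per-resolver secret for this example; a real resolver would draw
# it from os.urandom() at start-up and keep it out of any log.
SECRET = bytes.fromhex("5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed5eed")


def _derive(secret: bytes, server_ip: str, server_port: int, name_part: str) -> bytes:
    # One-way hash over (secret, server IP, server port, name portion). Each
    # field is length-prefixed so distinct input tuples never collide as byte
    # strings. SHA-256 is this example's choice; the page names no function.
    h = hashlib.sha256()
    for field in (secret, server_ip.encode("ascii"),
                  struct.pack("!H", server_port), name_part.encode("ascii")):
        h.update(struct.pack("!H", len(field)) + field)
    return h.digest()


def transaction_id(secret: bytes, server_ip: str, server_port: int, qname: str) -> int:
    # The 16-bit DNS ID is the first two digest bytes. Lower-casing the name
    # means the ID does not depend on how the client spelled the request.
    digest = _derive(secret, server_ip, server_port, qname.lower())
    return int.from_bytes(digest[:2], "big")


def salt_case(secret: bytes, server_ip: str, server_port: int, qname: str) -> str:
    # 0x20-style salting: one digest bit decides the case of each ASCII letter.
    # A domain-separation prefix keeps these bits independent of the bits used
    # for the transaction ID. Letters past the 256th stay lower case.
    bits = int.from_bytes(_derive(secret, server_ip, server_port, "case:" + qname.lower()), "big")
    out, i = [], 0
    for ch in qname.lower():
        if ch in string.ascii_lowercase:
            out.append(ch.upper() if (bits >> i) & 1 else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def build_query(secret, server_ip, server_port, qname, qtype=1):
    # Standard recursive query (RD set, one question, class IN) carrying the
    # hash-derived ID and the case-salted name. Returns (id, salted name, bytes).
    txid = transaction_id(secret, server_ip, server_port, qname)
    salted = salt_case(secret, server_ip, server_port, qname)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in salted.rstrip(".").split("."))
    return txid, salted, header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_qname(msg: bytes, off: int):
    # Reads an uncompressed name from the question section; a compression
    # pointer there is treated as malformed for this example.
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def response_matches(txid: int, salted_name: str, response: bytes) -> str:
    # Accept a reply only if QR is set, the ID matches, and the question
    # section echoes the exact case pattern sent. Returns "ok" or a reason.
    if len(response) < 12:
        return "truncated header"
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if not flags & 0x8000:
        return "not a response"
    if rid != txid:
        return "id mismatch"
    if qdcount != 1:
        return "unexpected question count"
    try:
        name, _ = _read_qname(response, 12)
    except (IndexError, ValueError, UnicodeDecodeError):
        return "malformed question"
    if name != salted_name.rstrip("."):
        return "case mismatch"
    return "ok"


if __name__ == "__main__":
    txid, salted, wire = build_query(SECRET, "192.0.2.1", 53, "example.com")
    print(f"id=0x{txid:04x} qname={salted} wire={wire.hex()}")
    print("same name, other server:",
          hex(transaction_id(SECRET, "192.0.2.2", 53, "example.com")))
```

Because the ID and the case pattern are both recomputed from the secret and the destination, the resolver stores nothing per query that it could not re-derive, and a reply observed for one name server gives no information about the ID a different server (or port) will receive for the same name. The case check only adds entropy against servers that preserve capitalization, which is why the abstract makes it conditional.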
20 Claims
11. A system for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the system comprising:
a computing device, comprising a processor executing a DNS resolver and a transaction identifier generator, wherein the DNS resolver is configured to receive a request to resolve a domain name and identify the domain name, an internet protocol address of a destination of the request, and a port of the destination of the request; wherein the transaction identifier generator is configured to generate a transaction identifier by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the destination, the port of the destination, and the domain name, the input of the domain name comprising a portion of the domain name to be resolved; and wherein the DNS resolver is further configured to form the DNS query using the generated transaction identifier and transmit the DNS query for the domain name to the destination.