Using DNS communications to filter domain names
First Claim
1. A system, comprising:
- a processor configured to:
  - intercept a DNS (Domain Name System) request from a client on a private network, wherein the processor is part of a security appliance configured to intercept communications associated with the private network and wherein the DNS request is directed to a DNS server;
  - extract a domain name from the DNS request;
  - determine that the domain name is unknown;
  - determine that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have been received from the client;
  - flag the unknown domain names as suspicious or malicious; and
  - respond to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet Protocol) address;
  - wherein the processor blocks the DNS request from being transmitted to any DNS server; and
- a memory coupled to the processor and configured to provide the processor with instructions.
Abstract
Using DNS communications to filter domain names is disclosed. A domain name is extracted from a received DNS request. The received DNS request is blocked in response to determining based on a policy that access to the domain name of the DNS request is not permitted. In some cases, such a DNS request is responded to with a spoofed DNS response.
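The steps recited in the first claim (extract the name, count a client's lookups of unknown names against a threshold, then answer locally with a spoofed response instead of forwarding), as an added Python example that is not code from the patent. The exact-match `known` set, the names `UnknownDomainFilter`, `parse_question`, `spoofed_response` and `make_query`, the 192.0.2.1 sinkhole address, and the pass-through behaviour below the threshold are assumptions.

```python
import struct
from collections import defaultdict

SINKHOLE_IP = bytes([192, 0, 2, 1])  # assumption: RFC 5737 TEST-NET-1 address, never routed

def parse_question(query: bytes):
    """Return (lower-cased name, offset just past the question) for a DNS query."""
    labels, pos = [], 12  # the question section starts after the 12-byte header
    while pos < len(query) and query[pos] != 0:
        length = query[pos]
        if length > 63 or pos + 1 + length > len(query):  # rejects compression pointers too
            raise ValueError("malformed label")
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii", "replace").lower())
        pos += 1 + length
    if pos + 5 > len(query):  # need the root label plus QTYPE and QCLASS
        raise ValueError("truncated question")
    return ".".join(labels), pos + 5

def spoofed_response(query: bytes, qend: int) -> bytes:
    """Answer locally with an A record for SINKHOLE_IP (assumes an A/IN question)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)  # same ID, QR|RD|RA, 1 answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + SINKHOLE_IP  # name pointer to offset 12
    return header + query[12:qend] + answer

class UnknownDomainFilter:
    def __init__(self, known, threshold):
        self.known = {d.lower() for d in known}    # hypothetical exact-match set of known domains
        self.threshold = threshold                 # the "prescribed number" of unknown lookups
        self.unknown_by_client = defaultdict(list)
        self.flagged = set()

    def handle(self, client_ip: str, query: bytes):
        """Return ("forward", None) or ("block", spoofed_response_bytes)."""
        name, qend = parse_question(query)
        if name in self.known:
            return "forward", None
        seen = self.unknown_by_client[client_ip]
        seen.append(name)
        if len(seen) < self.threshold:
            return "forward", None   # assumption: below the threshold the query passes through
        self.flagged.update(seen)    # flag this client's unknown names as suspicious
        return "block", spoofed_response(query, qend)  # never sent to any DNS server

def make_query(txid: int, name: str) -> bytes:
    """Constructed sample input: a minimal A/IN query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)
```

Because the counter is kept per client, one host that repeatedly looks up unknown names is cut off without affecting other clients on the same network.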
24 Claims
9. A method, comprising:
- using a processor to intercept a DNS (Domain Name System) request from a client on a private network, wherein the processor is part of a security appliance configured to intercept communications associated with the private network and wherein the DNS request is directed to a DNS server;
- extracting a domain name from the DNS request;
- determining that the domain name is unknown;
- determining that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have been received from the client;
- flagging the unknown domain names as suspicious or malicious; and
- responding to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet Protocol) address;
- wherein the processor blocks the DNS request from being transmitted to any DNS server.
17. A computer program product stored on a non-transitory computer readable storage medium and comprising computer instructions for:
- intercepting a DNS (Domain Name System) request from a client on a private network, wherein the computer program product is part of a security appliance configured to intercept communications associated with the private network and wherein the DNS request is directed to a DNS server;
- extracting a domain name from the DNS request;
- determining that the domain name is unknown;
- determining that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have been received from the client;
- flagging the unknown domain names as suspicious or malicious; and
- responding to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet Protocol) address;
- wherein the computer program product blocks the DNS request from being transmitted to any DNS server.
Specification