Using DNS communications to filter domain names

US 9,467,421 B2
Filed: 05/24/2011
Issued: 10/11/2016
Est. Priority Date: 05/24/2011
Status: Active Grant

First Claim

Patent Images

1. A system, comprising:

a processor configured to;

intercept a DNS (Domain Name System) request from a client on a private network, wherein the processor is part of a security appliance configured to intercept communications associated with the private network and wherein the DNS request is directed to a DNS server;

extract a domain name from the DNS request;

determine that the domain name is unknown;

determine that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have been received from the client;

flag the unknown domain names as suspicious or malicious; and

respond to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet Protocol) address;

wherein the processor blocks the DNS request from being transmitted to any DNS server; and

a memory coupled to the processor and configured to provide the processor with instructions.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Using DNS communications to filter domain names is disclosed. A domain name is extracted from a received DNS request. The received DNS request is blocked in response to determining based on a policy that access to the domain name of the DNS request is not permitted. In some cases, such a DNS request is responded to with a spoofed DNS response.

Citations

24 Claims

1. A system, comprising:
- a processor configured to;
  
  intercept a DNS (Domain Name System) request from a client on a private network, wherein the processor is part of a security appliance configured to intercept communications associated with the private network and wherein the DNS request is directed to a DNS server;
  
  extract a domain name from the DNS request;
  
  determine that the domain name is unknown;
  
  determine that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have been received from the client;
  
  flag the unknown domain names as suspicious or malicious; and
  
  respond to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet Protocol) address;
  
  wherein the processor blocks the DNS request from being transmitted to any DNS server; and
  
  a memory coupled to the processor and configured to provide the processor with instructions.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system as recited in claim 1, wherein the processor is further configured to compare the domain name extracted from the DNS request with a list or database of domain names.
  - 3. The system as recited in claim 1, wherein the processor is further configured to determine a category or classification of the domain name.
  - 4. The system as recited in claim 1, wherein the processor is further configured to block client access to unknown domain names.
  - 5. The system as recited in claim 1, wherein the processor is further configured to block client access to unknown domain names according to a policy.
  - 6. The system as recited in claim 1, wherein to flag the unknown domain names as suspicious or malicious comprises to blacklist the unknown domain names.
  - 7. The system as recited in claim 1, wherein the processor is further configured to determine that the client is compromised.
  - 8. The system as recited in claim 1, wherein the processor is further configured to facilitate sanitizing the client.

9. A method, comprising:
- using a processor to intercept a DNS (Domain Name System) request from a client on a private network, wherein the processor is part of a security appliance configured to intercept communications associated with the private network and wherein the DNS request is directed to a DNS server;
  
  extracting a domain name from the DNS request;
  
  determining that the domain name is unknown;
  
  determining that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have been received from the client;
  
  flagging the unknown domain names as suspicious or malicious; and
  
  responding to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet Protocol) address;
  
  wherein the processor blocks the DNS request from being transmitted to any DNS server.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The method as recited in claim 9, further comprising blocking client access to unknown domain names.
  - 11. The method as recited in claim 9, further comprising blocking client access to unknown domain names according to a policy.
  - 12. The method as recited in claim 9, wherein flagging the unknown domain names as suspicious or malicious comprises blacklisting the unknown domain names.
  - 13. The method as recited in claim 9, further comprising determining that the client is compromised.
  - 14. The method as recited in claim 9, further comprising facilitating sanitizing the client.
  - 15. The method as recited in claim 9, further comprising comparing the domain name extracted from the DNS request with a list or database of domain names.
  - 16. The method as recited in claim 9, further comprising determining a category or classification of the domain name.

17. A computer program product stored on a non-transitory computer readable storage medium and comprising computer instructions for:
- intercepting a DNS (Domain Name System) request from a client on a private network, wherein the computer program product is part of a security appliance configured to intercept communications associated with the private network and wherein the DNS request is directed to a DNS server;
  
  extracting a domain name from the DNS request;
  
  determining that the domain name is unknown;
  
  determining that at least a prescribed number of DNS requests including the DNS request to resolve unknown domain names have been received from the client;
  
  flagging the unknown domain names as suspicious or malicious; and
  
  responding to the DNS request from the client with a spoofed DNS response comprising a non-existent or unavailable IP (Internet Protocol) address;
  
  wherein the computer program product blocks the DNS request from being transmitted to any DNS server.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24)
- - 18. The computer program product as recited in claim 17, further comprising computer instructions for blocking client access to unknown domain names.
  - 19. The computer program product as recited in claim 17, further comprising computer instructions for blocking client access to unknown domain names according to a policy.
  - 20. The computer program product as recited in claim 17, wherein flagging the unknown domain names as suspicious or malicious comprises blacklisting the unknown domain names.
  - 21. The computer program product as recited in claim 17, further comprising computer instructions for determining that the client is compromised.
  - 22. The computer program product as recited in claim 17, further comprising computer instructions for facilitating sanitizing the client.
  - 23. The computer program product as recited in claim 17, further comprising computer instructions for comparing the domain name extracted from the DNS request with a list or database of domain names.
  - 24. The computer program product as recited in claim 17, further comprising computer instructions for determining a category or classification of the domain name.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
Palo Alto Networks Incorporated
Inventors
Xie, Huagang
Primary Examiner(s)
Smithers, Matthew

Application Number

US13/115,050
Publication Number

US 20120303808A1
Time in Patent Office

1,967 Days
Field of Search

726/11, 709/225, 709/239
US Class Current

1/1
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/20   for managing network securi...

H04L 67/01   Protocols

H04L 67/02   based on web technology, e....

Using DNS communications to filter domain names

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

Using DNS communications to filter domain names

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links