DNS denial of service attack protection
Abstract
Exemplary embodiments for protecting a data network from a DNS denial of service attack are disclosed. The systems and methods provide for the use of a shared DNS cache between DNS UDP and DNS TCP proxy servers, to enable detection and mitigation of DNS denial of service attacks.
19 Claims
1. A method for a Domain Name System proxy server to protect a data network from a Domain Name Service (DNS) denial of service attack, the method comprising:
- receiving a first DNS request from a client for a domain name, the first DNS request being a DNS User Datagram Protocol (UDP) request;
- determining the domain name included in the DNS UDP request does not match with a plurality of domain names in a DNS entry table at a shared cache in the DNS proxy server, wherein the determining further comprises one or more of: detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources;
- responding to the client to retry the DNS UDP request as a second DNS request via a DNS Transmission Control Protocol (TCP) request;
- querying a DNS server for the domain name in the DNS TCP request;
- receiving a DNS response from the DNS server; and
- determining, based at least on the DNS response, that the first DNS UDP request from the client is characteristic of a DNS denial of service attack.

Dependent claims: 2.

3. A method for a Domain Name System proxy server to protect a data network from a Domain Name Service (DNS) denial of service attack, the method comprising:
- receiving a first DNS request from a client for a domain name, the first DNS request being a DNS User Datagram Protocol (UDP) request;
- determining the domain name included in the DNS UDP request does not match with a plurality of domain names in a DNS entry table of a shared cache at the DNS proxy server, wherein the determining further comprises one or more of: detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources;
- responding to the client to retry the DNS UDP request as a second DNS request via a DNS Transmission Control Protocol (TCP) request;
- querying a DNS server for the domain name in the DNS TCP request;
- receiving a DNS response from the DNS server in response to the DNS TCP request;
- determining from the DNS response to the second DNS TCP request that the first DNS UDP request from the client is not characteristic of a DNS denial of service attack; and
- forwarding the received DNS response to the client.

Dependent claims: 4, 5, 6.

7. A system for protecting a data network from a Domain Name Service (DNS) denial of service attack, the system comprising a DNS proxy server configured to:
- receive a first DNS request from a client for a domain name, the first DNS request being a DNS User Datagram Protocol (UDP) request;
- determine the domain name included in the DNS UDP request does not match a plurality of domain names in a DNS entry table at a shared cache of the DNS proxy server, the determination comprising one or more of: detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources; and
- respond to the client to retry the DNS UDP request as a second DNS request via a DNS Transmission Control Protocol (TCP) request;
- query a DNS server for the domain name in the DNS TCP request;
- receive a DNS response from the DNS server; and
- determine, based at least on the DNS response, that the first DNS UDP request from the client is characteristic of a DNS denial of service attack.

Dependent claims: 8, 9, 10, 11, 12, 13.

14. A system for protecting a data network from a Domain Name Service (DNS) denial of service attack, the system comprising a DNS proxy server with a plurality of ports, the DNS proxy server configured to:
- receive a DNS request from a client at a first port of the DNS proxy server;
- determine a domain name included in the DNS request does not match a plurality of domain names in a DNS entry table at a shared cache of the DNS proxy server, wherein the determining further comprises one or more of: detecting a pre-determined plurality of unanswerable DNS requests from the client, a burst of unanswerable DNS requests within a short period of time from the client, or a plurality of unanswerable DNS requests from suspected clients or network address sources; and
- respond to the client to retry the DNS request at a second port of the DNS proxy server;
- receive a DNS request at the second port of the DNS proxy server;
- query a DNS server for the domain name in the DNS request received at the second port of the DNS proxy server;
- receive a DNS response from the DNS server; and
- determine, based at least on the DNS response, that the DNS request received at the first port of the DNS server is characteristic of a DNS denial of service attack.

Dependent claims: 15, 16, 17, 18, 19.
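The procedure that the independent claims 1, 3, 7 and 14 describe, written out as an added Python simulation. This is illustrative code written for this page, not code from the patent or its assignee. Assumptions made here: the "respond to the client to retry via TCP" step is modelled as a reply with the DNS truncation flag set (the standard RFC 1035 reason for a resolver to retry over TCP), which the claims do not name; the thresholds for a "pre-determined plurality" and a "short period of time" are constructed values; the upstream DNS server is a plain lookup callable that returns None for unresolvable names; the non-suspicious cache-miss path (forward upstream and populate the table) is not spelled out in the claims; and all client addresses and domain names are constructed documentation-range values.

```python
from collections import deque
from dataclasses import dataclass, field

# Thresholds are constructed for this example; the claims only say
# "pre-determined plurality" and "short period of time".
UNANSWERABLE_LIMIT = 5   # total cache misses from one client before it is treated as suspect
BURST_WINDOW = 2.0       # seconds; misses inside this window count toward a burst
BURST_LIMIT = 3          # misses inside the window that constitute a burst


@dataclass
class ClientState:
    unanswerable_total: int = 0
    recent_misses: deque = field(default_factory=deque)  # timestamps of recent misses


class DnsProxy:
    """UDP and TCP front ends sharing one DNS entry table (the claims' 'shared cache')."""

    def __init__(self, shared_cache, upstream_lookup, suspected_sources=()):
        self.shared_cache = dict(shared_cache)    # domain name -> answer, used by both paths
        self.upstream_lookup = upstream_lookup    # assumed: name -> answer, None if unresolvable
        self.suspected = set(suspected_sources)   # "suspected clients or network address sources"
        self.clients = {}
        self.flagged = set()                      # clients whose UDP traffic looked like an attack

    def _record_miss(self, client, now):
        st = self.clients.setdefault(client, ClientState())
        st.unanswerable_total += 1
        st.recent_misses.append(now)
        while st.recent_misses and now - st.recent_misses[0] > BURST_WINDOW:
            st.recent_misses.popleft()
        return st

    def handle_udp(self, client, name, now):
        """First request over UDP. Returns (answer, truncated)."""
        if name in self.shared_cache:
            return self.shared_cache[name], False
        st = self._record_miss(client, now)
        suspicious = (
            st.unanswerable_total >= UNANSWERABLE_LIMIT
            or len(st.recent_misses) >= BURST_LIMIT
            or client in self.suspected
        )
        if suspicious:
            # Ask the client to retry over TCP. Assumption: a reply with TC=1 is the
            # standard way to make a resolver repeat the same query over TCP.
            return None, True
        # Ordinary miss: resolve upstream and populate the shared table (assumption;
        # the claims do not spell out the non-suspicious path).
        answer = self.upstream_lookup(name)
        if answer is not None:
            self.shared_cache[name] = answer
        return answer, False

    def handle_tcp(self, client, name):
        """Retry over TCP. Returns (answer, verdict), verdict in {'attack', 'legitimate'}."""
        answer = self.upstream_lookup(name)
        if answer is None:
            # Upstream cannot answer the retried name either: the UDP traffic that led
            # here is characteristic of a flood of unresolvable names (claim 1).
            self.flagged.add(client)
            return None, "attack"
        # Upstream answered: not an attack. Cache it so later UDP requests hit the
        # shared table, and forward the response to the client (claim 3).
        self.shared_cache[name] = answer
        return answer, "legitimate"


def run_scenario():
    """Constructed traffic: one bursting client and one pre-suspected but legitimate client."""
    proxy = DnsProxy(
        shared_cache={"www.example.com": "192.0.2.10"},
        upstream_lookup={"api.example.net": "192.0.2.20"}.get,  # everything else unresolvable
        suspected_sources={"198.51.100.9"},
    )
    results = {}
    results["cache_hit"] = proxy.handle_udp("203.0.113.5", "www.example.com", now=0.0)
    # Three unresolvable names from the same client inside the burst window.
    results["miss1"] = proxy.handle_udp("203.0.113.5", "a1.invalid", now=0.1)
    results["miss2"] = proxy.handle_udp("203.0.113.5", "a2.invalid", now=0.4)
    results["miss3"] = proxy.handle_udp("203.0.113.5", "a3.invalid", now=0.9)
    results["tcp_retry_burst_client"] = proxy.handle_tcp("203.0.113.5", "a3.invalid")
    # A suspected source asking for a real name: sent to TCP, then answered and cached.
    results["suspected_udp"] = proxy.handle_udp("198.51.100.9", "api.example.net", now=1.0)
    results["suspected_tcp"] = proxy.handle_tcp("198.51.100.9", "api.example.net")
    results["now_cached"] = proxy.handle_udp("203.0.113.77", "api.example.net", now=1.2)
    results["flagged"] = sorted(proxy.flagged)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The design point the shared table makes visible: a name learned on the TCP path is immediately served from cache on the UDP path, so a legitimate client is penalised only once. The retry step also has a defensive side effect that the abstract relies on: a client must complete a TCP handshake to reach `handle_tcp`, so UDP queries sent from addresses that are not really listening never produce a retry, the upstream server is queried only for names a reachable client actually re-requested, and a source that never follows up on truncated replies is itself a signal worth logging.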