9270646

Systems and Methods for Generating a DNS Query to Improve Resistance Against a DNS Attack

Published: February 23, 2016
Assignee: not available in USPTO data we have
Inventors: Art Shelest

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the method comprising: a) receiving, by a DNS resolver configured on a device, a request to resolve a domain name; b) identifying, by the DNS resolver, the domain name, an internet protocol address of a DNS server, and a port of the DNS server; c) generating a transaction identifier for a DNS query by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the DNS server, the port of the DNS server, and the domain name, the input of the domain name comprising a portion of the domain name to be resolved; and d) transmitting, by the DNS resolver, the DNS query for the domain name to the DNS server, the DNS query identified by the generated transaction identifier.

2. The method of claim 1, wherein step (c) further comprises changing the predetermined random number at a predetermined frequency.

3. The method of claim 1, wherein step (c) further comprises changing the predetermined random number in response to an event.

4. The method of claim 1, wherein step (c) further comprises generating by the one-way hash function the same transaction identifier for DNS queries to resolve the same domain name transmitted to the same DNS server.

5. The method of claim 1, wherein step (c) further comprises encoding one or more fields of the DNS request and using the encoded one or more fields as input to the one-way hash function to generate the transaction identifier.

6. The method of claim 1, wherein step (c) further comprises encoding the domain name by capitalizing one or more characters of the domain name and generating the transaction identifier by using the encoded domain name as the input of the domain name to the one-way hash function.

7. The method of claim 1, wherein step (c) further comprises encoding the domain name by using one of a punycode and a RACE encoding scheme.

8. The method of claim 1, further comprising determining, by the DNS resolver, that the DNS server is one of rewriting or normalizing responses and in response to the determination not encoding a portion of the DNS query.

9. The method of claim 1, further comprising determining, by the DNS resolver, that the destination is not rewriting responses and in response to the determination encoding a portion of the DNS query and including the encoded portion in the transaction identifier.

10. The method of claim 1, wherein step (c) further comprises communicating by the DNS resolver the input of the internet protocol address of the destination and the domain name to a transaction identifier generator.

11. A system for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the system comprising: a computing device, comprising a processor executing a DNS resolver and a transaction identifier generator, wherein the DNS resolver is configured to receive a request to resolve a domain name and identify the domain name, an internet protocol address of a destination of the request, and a port of the destination of the request; wherein the transaction identifier generator is configured to generate a transaction identifier by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the destination, the port of the destination, and the domain name, the input of the domain name comprising a portion of the domain name to be solved; and wherein the DNS resolver is further configured to form the DNS query using the generated transaction identifier and transmit the DNS query for the domain name to the destination.

12. The system of claim 11, wherein the transaction identifier generator is further configured to change the predetermined random number at a predetermined frequency.

13. The system of claim 11, wherein the transaction identifier generator is further configured to change the predetermined random number in response to an event.

14. The system of claim 11, wherein the transaction identifier generator is further configured to generate the same transaction identifier for inputs identifying the same domain name and the same destination.

15. The system of claim 11, wherein the DNS resolver is further configured to encode one or more fields of the DNS request and communicate the encoded one or more fields as input to the transaction identifier generator to generate the transaction identifier.

16. The system of claim 11, wherein the DNS resolver is further configured to encode the domain name by capitalizing one or more characters of the domain name and communicate the encoded domain name as the input of the domain name to the transaction identifier generator.

17. The system of claim 11, wherein the DNS resolver is further configured to encode the domain name by using one of a punycode and a RACE encoding scheme.

18. The system of claim 11, wherein the DNS resolver is further configured to determine that the destination is one of rewriting or normalizing responses and in response to the determination does not encode a portion of the DNS query.

19. The system of claim 11, wherein the DNS resolver is further configured to determine that the destination is not rewriting responses and in response to the determination encodes a portion of the DNS query and communicate the encoded portion as input to the transaction identifier generator to generate the transaction identifier.

20. The system of claim 11, wherein the computing device executing the DNS resolver is one of a client, a server and an intermediary.
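
A sketch of the transaction identifier generator described in claims 1-4, 6 and 8-9, added here as an example and not taken from the patent. HMAC-SHA256 as the one-way hash, the length-prefixed field encoding, the use of keyed-hash bits to pick which letters are capitalized, and the names `TxidGenerator`, `build` and `accept` are assumptions; domain names are assumed to be ASCII.

```python
import hashlib
import hmac
import ipaddress
import secrets
import struct


class TxidGenerator:
    """Keyed derivation of the 16-bit DNS transaction ID (illustrative)."""

    def __init__(self):
        self.rotate()

    def rotate(self):
        # Claims 2-3: replace the secret random number on a timer or an event.
        self._secret = secrets.token_bytes(32)

    def _mac(self, label, server_ip, server_port, name):
        fields = (label, ipaddress.ip_address(server_ip).packed,
                  struct.pack("!H", server_port), name.encode("ascii"))
        # Length-prefix every field so different inputs never share an encoding.
        msg = b"".join(struct.pack("!H", len(f)) + f for f in fields)
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def encode_name(self, server_ip, server_port, qname):
        # Claim 6: capitalize some characters. The claims do not say which;
        # here (assumption) keyed-hash bits choose the case of each letter.
        base = qname.rstrip(".").lower()
        bits = int.from_bytes(self._mac(b"case", server_ip, server_port, base), "big")
        out = []
        for ch in base:
            if ch.isalpha():
                ch = ch.upper() if bits & 1 else ch
                bits >>= 1
            out.append(ch)
        return "".join(out)

    def build(self, server_ip, server_port, qname, encode=True):
        # Claims 8-9: pass encode=False when the server rewrites or normalizes names.
        name = (self.encode_name(server_ip, server_port, qname)
                if encode else qname.rstrip(".").lower())
        txid = int.from_bytes(self._mac(b"txid", server_ip, server_port, name)[:2], "big")
        return txid, name

    def accept(self, server_ip, server_port, qname, resp_txid, resp_name, encode=True):
        # Claim 4 makes the ID reproducible, so it is recomputed rather than stored.
        txid, name = self.build(server_ip, server_port, qname, encode)
        return resp_txid == txid and resp_name.rstrip(".") == name
```

A response is accepted only when both the 16-bit identifier and the exact letter case of the echoed name match what the resolver recomputes from its current secret.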

Patent Metadata

Filing Date: Unknown
Publication Date: February 23, 2016
Inventors: Art Shelest

Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK” (9270646). https://patentable.app/patents/9270646
