US-9270646

Systems and methods for generating a DNS query to improve resistance against a DNS attack

Published: February 23, 2016
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers.
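The abstract describes the transaction identifier as a deterministic function of a secret random number, the name server's address and port, and the (optionally case-salted) domain name. The Python below is an added example written for this page, not the patent holder's or any resolver's code, of that derivation and of the matching check a resolver can run on an incoming answer. Everything concrete in it is an assumption of the example: HMAC-SHA256 as the one-way hash, the `|`-separated input layout, the function names, the constructed key `EXAMPLE_KEY`, and the documentation-range IP addresses.

```python
"""Added example: transaction-ID derivation and case salting for DNS queries.
Not the patent's code; HMAC-SHA256, the input layout and all names are this
example's own choices."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class QueryId:
    qname: str   # name exactly as placed on the wire (case-salted or not)
    txid: int    # 16-bit DNS transaction identifier


# Constructed stand-in for the "predetermined random number". A real resolver
# would draw it from a CSPRNG (e.g. secrets.token_bytes) and replace it on a
# timer or on an event, which changes every identifier derived from it.
EXAMPLE_KEY = b"constructed-example-key-rotate-me"


def _digest(key: bytes, server_ip: str, server_port: int, qname: str) -> bytes:
    """One-way hash over the abstract's inputs: the random number (used here as
    the HMAC key), the name server's IP address and port, and the domain name.
    Non-ASCII labels are converted to punycode first; ASCII labels pass
    through the idna codec unchanged, so their case survives."""
    msg = b"|".join([
        server_ip.encode("ascii"),
        str(server_port).encode("ascii"),
        qname.encode("idna"),
    ])
    return hmac.new(key, msg, hashlib.sha256).digest()


def salt_case(key: bytes, server_ip: str, server_port: int, domain: str) -> str:
    """Pick upper or lower case for each ASCII letter from hash bits, so an
    answer is accepted only if the responder echoed this exact spelling.
    Non-ASCII letters are left alone because IDNA case-folds them anyway.
    Names with more letters than the digest has bits reuse bits (mod 256)."""
    mask = _digest(key, server_ip, server_port, domain.lower())
    out, bit_index = [], 0
    for ch in domain.lower():
        if ch.isascii() and ch.isalpha():
            byte = mask[(bit_index // 8) % len(mask)]
            bit = (byte >> (bit_index % 8)) & 1
            out.append(ch.upper() if bit else ch)
            bit_index += 1
        else:
            out.append(ch)
    return "".join(out)


def make_query_id(key: bytes, server_ip: str, server_port: int, domain: str,
                  server_preserves_case: bool = True) -> QueryId:
    """Build the (qname, txid) pair for one outgoing query. Because the
    server's IP and port are hashed in, the same name sent to two servers
    gets different identifiers. When the server is known to rewrite or
    normalize names, the name is sent in plain lower case instead."""
    qname = (salt_case(key, server_ip, server_port, domain)
             if server_preserves_case else domain.lower())
    txid = int.from_bytes(_digest(key, server_ip, server_port, qname)[:2], "big")
    return QueryId(qname, txid)


def response_matches(key: bytes, server_ip: str, server_port: int,
                     response_qname: str, response_txid: int,
                     server_preserves_case: bool = True) -> bool:
    """Validate an answer by recomputing what a query to this server for this
    name must have carried, using the answer's source address and port and
    its question section as inputs. A spoofed answer has to guess both the
    identifier and, where case is preserved, the exact spelling."""
    expected = make_query_id(key, server_ip, server_port,
                             response_qname, server_preserves_case)
    got_name = response_qname if server_preserves_case else response_qname.lower()
    return (hmac.compare_digest(expected.qname.encode("utf-8"),
                                got_name.encode("utf-8"))
            and expected.txid == response_txid)


if __name__ == "__main__":
    a = make_query_id(EXAMPLE_KEY, "192.0.2.1", 53, "www.example.com")
    b = make_query_id(EXAMPLE_KEY, "198.51.100.7", 53, "www.example.com")
    print("same name, server A:", a)
    print("same name, server B:", b)
    print("genuine answer accepted:",
          response_matches(EXAMPLE_KEY, "192.0.2.1", 53, a.qname, a.txid))
    print("wrong-case answer accepted:",
          response_matches(EXAMPLE_KEY, "192.0.2.1", 53, a.qname.swapcase(), a.txid))
```

The two derivations are kept separate on purpose: the case pattern is derived from the lower-cased name, and the transaction identifier is then derived from the salted name, which is what claim 6 describes. Rotating `EXAMPLE_KEY` (claims 2 and 3) changes every identifier at once, so a resolver that rotates it should keep the previous key for as long as queries made under it may still be answered.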

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the method comprising: a) receiving, by a DNS resolver configured on a device, a request to resolve a domain name; b) identifying, by the DNS resolver, the domain name, an internet protocol address of a DNS server, and a port of the DNS server; c) generating a transaction identifier for a DNS query by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the DNS server, the port of the DNS server, and the domain name, the input of the domain name comprising a portion of the domain name to be resolved; and d) transmitting, by the DNS resolver, the DNS query for the domain name to the DNS server, the DNS query identified by the generated transaction identifier.

2. The method of claim 1, wherein step (c) further comprises changing the predetermined random number at a predetermined frequency.

3. The method of claim 1, wherein step (c) further comprises changing the predetermined random number in response to an event.

4. The method of claim 1, wherein step (c) further comprises generating by the one-way hash function the same transaction identifier for DNS queries to resolve the same domain name transmitted to the same DNS server.

5. The method of claim 1, wherein step (c) further comprises encoding one or more fields of the DNS request and using the encoded one or more fields as input to the one-way hash function to generate the transaction identifier.

6. The method of claim 1, wherein step (c) further comprises encoding the domain name by capitalizing one or more characters of the domain name and generating the transaction identifier by using the encoded domain name as the input of the domain name to the one-way hash function.

7. The method of claim 1, wherein step (c) further comprises encoding the domain name by using one of a punycode and a RACE encoding scheme.

8. The method of claim 1, further comprising determining, by the DNS resolver, that the DNS server is one of rewriting or normalizing responses and in response to the determination not encoding a portion of the DNS query.

9. The method of claim 1, further comprising determining, by the DNS resolver, that the destination is not rewriting responses and in response to the determination encoding a portion of the DNS query and including the encoded portion in the transaction identifier.

10. The method of claim 1, wherein step (c) further comprises communicating by the DNS resolver the input of the internet protocol address of the destination and the domain name to a transaction identifier generator.

11. A system for generating a Domain Name Service (DNS) query to improve resistance against a DNS attack, the system comprising: a computing device, comprising a processor executing a DNS resolver and a transaction identifier generator, wherein the DNS resolver is configured to receive a request to resolve a domain name and identify the domain name, an internet protocol address of a destination of the request, and a port of the destination of the request; wherein the transaction identifier generator is configured to generate a transaction identifier by applying a one-way hash function to an input of a predetermined random number, the internet protocol address of the destination, the port of the destination, and the domain name, the input of the domain name comprising a portion of the domain name to be solved; and wherein the DNS resolver is further configured to form the DNS query using the generated transaction identifier and transmit the DNS query for the domain name to the destination.

12. The system of claim 11, wherein the transaction identifier generator is further configured to change the predetermined random number at a predetermined frequency.

13. The system of claim 11, wherein the transaction identifier generator is further configured to change the predetermined random number in response to an event.

14. The system of claim 11, wherein the transaction identifier generator is further configured to generate the same transaction identifier for inputs identifying the same domain name and the same destination.

15. The system of claim 11, wherein the DNS resolver is further configured to encode one or more fields of the DNS request and communicate the encoded one or more fields as input to the transaction identifier generator to generate the transaction identifier.

16. The system of claim 11, wherein the DNS resolver is further configured to encode the domain name by capitalizing one or more characters of the domain name and communicate the encoded domain name as the input of the domain name to the transaction identifier generator.

17. The system of claim 11, wherein the DNS resolver is further configured to encode the domain name by using one of a punycode and a RACE encoding scheme.

18. The system of claim 11, wherein the DNS resolver is further configured to determine that the destination is one of rewriting or normalizing responses and in response to the determination does not encode a portion of the DNS query.

19. The system of claim 11, wherein the DNS resolver is further configured to determine that the destination is not rewriting responses and in response to the determination encodes a portion of the DNS query and communicate the encoded portion as input to the transaction identifier generator to generate the transaction identifier.

20. The system of claim 11, wherein the computing device executing the DNS resolver is one of a client, a server and an intermediary.


Patent Metadata

Filing Date: April 20, 2009
Publication Date: February 23, 2016


Citation & reuse


Cite as: Patentable. “Systems and methods for generating a DNS query to improve resistance against a DNS attack” (US-9270646). https://patentable.app/patents/US-9270646

© 2026 Patentable. All rights reserved.
