


Title:
SYSTEMS AND METHODS FOR GENERATING A DNS QUERY TO IMPROVE RESISTANCE AGAINST A DNS ATTACK
Document Type and Number:
WIPO Patent Application WO/2010/123632
Kind Code:
A3
Abstract:
The present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers. To generate the transaction identifier, the DNS resolver uses a cryptographic hash function. The inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries. Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers.
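The scheme the abstract describes, as an added illustration that is not code from the patent or from Citrix: a resolver derives the 16-bit DNS transaction ID from a keyed hash over a secret random value, the name server's IP address, its port and the query name, and (when the server is known to echo case) salts the letter case of the name from the same digest so that the answer can be checked against what was actually sent. The choice of HMAC-SHA256 as the hash, the length-prefixed field encoding, the fixed secret and the addresses are assumptions made for this example; the abstract does not specify them.

```python
import hashlib
import hmac
import ipaddress

# Constructed resolver secret so the demo is reproducible. A real resolver would
# draw it with secrets.token_bytes(32) at startup and never expose it.
RESOLVER_SECRET = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)


def canonical_name(qname: str) -> str:
    """Canonical form of a query name: lowercase, no trailing dot."""
    return qname.rstrip(".").lower()


def keyed_digest(secret: bytes, ns_ip: str, ns_port: int, qname: str) -> bytes:
    """HMAC-SHA256 over the inputs the abstract names: a secret random value (the
    HMAC key), the name server's IP address and port, and the query name.
    Each field is length-prefixed so that distinct input tuples cannot collide
    through plain concatenation."""
    fields = (
        ipaddress.ip_address(ns_ip).packed,  # 4 bytes for IPv4, 16 for IPv6
        ns_port.to_bytes(2, "big"),
        canonical_name(qname).encode("ascii"),
    )
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).digest()


def transaction_id(secret: bytes, ns_ip: str, ns_port: int, qname: str) -> int:
    """16-bit DNS transaction ID taken from the first two digest bytes. The same
    name sent to a different server yields an independent-looking ID."""
    return int.from_bytes(keyed_digest(secret, ns_ip, ns_port, qname)[:2], "big")


def randomize_case(secret: bytes, ns_ip: str, ns_port: int, qname: str) -> str:
    """0x20 case salting: upper-case each letter whose bit in the remaining
    digest bytes is set. Deterministic in the same inputs, so the resolver can
    recompute the spelling it sent when the answer arrives."""
    tail = keyed_digest(secret, ns_ip, ns_port, qname)[2:]  # 30 bytes = 240 bits
    out = []
    for i, ch in enumerate(canonical_name(qname)):
        bit = (tail[(i // 8) % len(tail)] >> (i % 8)) & 1
        out.append(ch.upper() if ch.isalpha() and bit else ch)
    return "".join(out)


def build_query(secret, ns_ip, ns_port, qname, server_preserves_case=False):
    """What the resolver records for an outstanding query: the ID it will accept
    and the exact question name it sent. Case salting is only applied when the
    server is known to preserve case, as the abstract conditions it."""
    txid = transaction_id(secret, ns_ip, ns_port, qname)
    if server_preserves_case:
        sent = randomize_case(secret, ns_ip, ns_port, qname)
    else:
        sent = canonical_name(qname)
    return txid, sent


def response_matches(expected_txid, sent_qname, resp_txid, resp_qname,
                     server_preserves_case=False):
    """Accept an answer only if its ID matches and the echoed question name
    matches the one sent: byte-for-byte when the server preserves case,
    case-insensitively otherwise."""
    if resp_txid != expected_txid:
        return False
    if server_preserves_case:
        return resp_qname == sent_qname
    return canonical_name(resp_qname) == canonical_name(sent_qname)


if __name__ == "__main__":
    # Same name, three different servers: each gets its own ID and spelling.
    for ns in ("192.0.2.1", "192.0.2.2", "2001:db8::53"):
        txid, sent = build_query(RESOLVER_SECRET, ns, 53, "www.example.com", True)
        print(f"{ns:>14}  id=0x{txid:04x}  qname={sent}")
```

The resolver keeps only the secret; nothing per query has to be stored beyond what it already tracks for the outstanding request, and an attacker who observes one query to one server learns nothing about the ID the same name would carry toward another server without the secret.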

Inventors:
SHELEST ART (US)
Application Number:
PCT/US2010/027132
Publication Date:
March 22, 2012
Filing Date:
March 12, 2010
Assignee:
CITRIX SYSTEMS INC (US)
SHELEST ART (US)
International Classes:
G06F21/00; H04L29/06; H04L29/12
Other References:
Hubert, A. (Netherlabs Computer Consulting BV) and van Mook, R. (Equinix): "Measures for Making DNS More Resilient against Forged Answers", RFC 5452, Internet Engineering Task Force (IETF), Internet Society (ISOC), 4 Rue des Falaises, CH-1205 Geneva, Switzerland, 1 January 2009, XP015065470
Vixie, P. et al.: "Use of Bit 0x20 in DNS Labels to Improve Transaction Identity", draft-vixie-dnsext-dns0x20-00, Internet-Draft, Internet Engineering Task Force (IETF), Internet Society (ISOC), 4 Rue des Falaises, CH-1205 Geneva, Switzerland, 17 March 2008, XP015060071
Menezes, A. J. et al.: "Handbook of Applied Cryptography", Chapter 5: Pseudorandom Bits and Sequences, CRC Press Series on Discrete Mathematics and Its Applications, CRC Press, Boca Raton, FL, US, 1 January 1997, pp. 169-190, ISBN 978-0-8493-8523-0, XP002403364
Attorney, Agent or Firm:
MCKENNA, Christopher, J. (Hall & Stewart LLP, Two International Place, Boston MA, US)