US9270646B2 - Systems and methods for generating a DNS query to improve resistance against a DNS attack - Google Patents
Systems and methods for generating a DNS query to improve resistance against a DNS attack Download PDFInfo
- Publication number
- US9270646B2 US9270646B2 US12/426,330 US42633009A US9270646B2 US 9270646 B2 US9270646 B2 US 9270646B2 US 42633009 A US42633009 A US 42633009A US 9270646 B2 US9270646 B2 US 9270646B2
- Authority
- US
- United States
- Prior art keywords
- dns
- domain name
- transaction identifier
- server
- query
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
- 238000000034 method Methods 0.000 title claims abstract description 64
- 230000004044 response Effects 0.000 claims abstract description 111
- 230000008859 change Effects 0.000 claims description 3
- 230000001010 compromised effect Effects 0.000 abstract description 2
- 230000006870 function Effects 0.000 description 45
- 238000004891 communication Methods 0.000 description 17
- 230000008569 process Effects 0.000 description 14
- 238000010586 diagram Methods 0.000 description 6
- 238000012545 processing Methods 0.000 description 5
- 238000009434 installation Methods 0.000 description 3
- 230000001360 synchronised effect Effects 0.000 description 3
- 241000699666 Mus <mouse, genus> Species 0.000 description 2
- 238000007726 management method Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 241000501754 Astronotus ocellatus Species 0.000 description 1
- 101000666896 Homo sapiens V-type immunoglobulin domain-containing suppressor of T-cell activation Proteins 0.000 description 1
- 241000699670 Mus sp. Species 0.000 description 1
- 102100038282 V-type immunoglobulin domain-containing suppressor of T-cell activation Human genes 0.000 description 1
- 230000001133 acceleration Effects 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 238000003491 array Methods 0.000 description 1
- 238000013475 authorization Methods 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000003139 buffering effect Effects 0.000 description 1
- 238000005352 clarification Methods 0.000 description 1
- 230000006835 compression Effects 0.000 description 1
- 238000007906 compression Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000000802 evaporation-induced self-assembly Methods 0.000 description 1
- IJJVMEJXYNJXOJ-UHFFFAOYSA-N fluquinconazole Chemical compound C=1C=C(Cl)C=C(Cl)C=1N1C(=O)C2=CC(F)=CC=C2N=C1N1C=NC=N1 IJJVMEJXYNJXOJ-UHFFFAOYSA-N 0.000 description 1
- 238000011176 pooling Methods 0.000 description 1
- 238000004321 preservation Methods 0.000 description 1
- 150000003839 salts Chemical class 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000010025 steaming Methods 0.000 description 1
- 238000000859 sublimation Methods 0.000 description 1
- 230000000007 visual effect Effects 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- H04L29/12066—
-
- H04L61/1511—
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/4505—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
- H04L61/4511—Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3236—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using cryptographic hash functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
Definitions
- the present application generally relates to data communication networks.
- the present application relates to systems and methods for generating a Domain Name System [“DNS”] query to improve resistance against a DNS attack.
- DNS Domain Name System
- the Domain Name System [“DNS”] allows human meaningful names to be associated with the numerical internet protocol [“IP”] addresses of clients, servers, or other resources on the internet.
- IP numerical internet protocol
- DNS Domain Name System
- IP numerical internet protocol
- Each name server is authoritative or responsible for indexing clients, servers, or other resources within its zone of authority.
- a DNS resolver identifies the request. If the IP address for the requested resource is not available in its cache, the resolver initiates a query to a name server.
- the DNS resolver's query includes a transaction identifier.
- the name server's reply may also include the transaction identifier to identify the response as having come from the name server queried by the DNS resolver. If a malicious attacker can respond to a DNS resolver's request before the real name server can, the malicious attacker can direct the user to a different client, server, or resource than was intended. This opens possibilities of identity or data theft or other malicious activities.
- the present solution provides systems and methods for generating DNS queries that are more resistant to being compromised by attackers.
- the DNS resolver uses a cryptographic hash function.
- the inputs to the hash function may include a predetermined random number, the destination IP address of the name server to be queried, and the domain name to be queried. Because of the inclusion of the name server's IP address in the formula, queries for the same domain name to different name servers may have different transaction identifiers, preventing an attacker from observing a query and predicting the identifiers for other queries.
- Additional entropy may be provided for generating transaction identifiers by including the port number of the name server and/or a portion of the domain name as inputs to the hash function. If it is determined that the responding server may preserve capitalization in its responses, the upper and lower case characters may be salted within the domain name to provide additional entropy in generating transaction identifiers.
- the present invention features a method for generating a DNS query to improve resistance against a DNS attack.
- the method includes a DNS resolver receiving a request to resolve a domain name.
- the method also includes the DNS resolver identifying the domain name and an IP address of a DNS server.
- the method further includes generating a transaction identifier for a DNS query by applying a one-way hash function to an input of a predetermined random number, the IP address of the DNS server and the domain name.
- the method also includes the DNS resolver transmitting a DNS query for the domain name to the DNS server, the DNS query identified by the generated transaction identifier.
- the method includes the DNS resolver identifying the IP port number of the DNS server. In further embodiments, the method includes generating the transaction identifier for the DNS query by applying the one-way hash function to the input of a predetermined random number, the IP address and the port of the DNS server, and the domain name. In yet further embodiments, the domain name input to the one-way hash function may comprise a portion of the domain name to be resolved.
- the method includes changing the predetermined random number input to the one-way hash function at a predetermined frequency. In another embodiment, the method includes changing the predetermined random number in response to an event. In other embodiments, the method includes generating the same transaction identifier for DNS queries to resolve the same domain name transmitted to the same DNS server. In still other embodiments, the method includes encoding one or more fields of the DNS request and using the encoded one or more fields as input to the one-way hash function to generate the transaction identifier. In other embodiments, the method includes encoding the domain name by capitalizing one or more characters of the domain name and generating the transaction identifier by using the encoded domain name as the input of the domain name to the one-way hash function. In still other embodiments, the method further comprises encoding the domain name input to the one-way hash function by using a punycode or a RACE encoding scheme.
- the method further comprises the DNS resolver determining that the DNS server rewrites or normalizes responses. In response to the determination, the DNS resolver may not encode a portion of the DNS query. In other embodiments, the method further comprises the DNS resolver determining that the destination is not rewriting responses. In response to the determination, the DNS resolver may encode a portion of the DNS query and include the encoded portion in the transaction identifier. In yet other embodiments, the method further includes the DNS resolver communicating the input of the IP address of the destination and the domain name to a transaction identifier generator.
- the present invention features a system for generating a DNS query to improve resistance against a DNS attack.
- the system includes a DNS resolver and a transaction identifier generator.
- the DNS resolver receives a request to resolve a domain name and identifies the domain name and an IP address of a destination of the request.
- the transaction identifier generator that generates a transaction identifier by applying a one-way hash function to an input of a predetermined random number, the IP address of the destination and the domain name.
- the DNS resolver forms the DNS query using the generated transaction identifier and transmits the DNS query for the domain name to the destination.
- the DNS resolver identifies a port of the destination of the request.
- the transaction identifier generator may generate the transaction identifier by applying the one-way hash function to the input of the predetermined random number, the internet protocol address and the port of the destination and the domain name.
- the domain name input to the one-way hash function may comprise a portion of the domain name to be resolved.
- the transaction identifier generator changes the predetermined random number at a predetermined frequency. In yet another embodiment, the transaction identifier generator changes the predetermined random number in response to an event. In still another embodiment, the transaction identifier generator generates the same transaction identifier for inputs identifying the same domain name and the same destination.
- the DNS resolver encodes one or more fields of the DNS request and communicates the encoded one or more fields as input to the transaction identifier generator to generate the transaction identifier.
- the DNS resolver encodes the domain name by capitalizing one or more characters of the domain name and communicates the encoded domain name as the input of the domain name to the transaction identifier generator.
- the DNS resolver encodes the domain name by using a punycode or a RACE encoding scheme.
- the DNS resolver may determine that the destination rewrites or normalizes responses, and in response to the determination the DNS resolver may not encode a portion of the DNS query.
- the DNS resolver may determine that the destination does not rewrite responses, and in response to the determination the DNS resolver may encode a portion of the DNS query and communicate the encoded portion as input to the transaction identifier generator to generate the transaction identifier.
- the DNS resolver may reside on a client, a server, or an intermediary.
- FIG. 1A is a block diagram of an embodiment of a network environment for a client to access a server via an appliance
- FIG. 1B is a block diagram of another embodiment of an environment for delivering a computing environment from a server to a client via;
- FIGS. 1C and 1D are block diagrams of embodiments of a computing device
- FIG. 2 is a block diagram of an embodiment of a domain name resolver
- FIG. 3 is a flow diagram of an embodiment of steps of a method for generating a DNS query with improved resistance against a DNS attack.
- Section A describes a network environment and computing environment which may be useful for practicing embodiments described herein;
- Section B describes embodiments of systems and methods for responding to DNS name resolution requests, transmitting requests to name servers, receiving responses from name servers, and transmitting responses to DNS name resolution requests;
- Section C describes embodiments of systems for and methods of generating DNS queries with improved resistance to DNS attacks.
- the network environment comprises one or more clients 102 a - 102 n (also generally referred to as local machine(s) 102 , or client(s) 102 ) in communication with one or more servers 106 a - 106 n (also generally referred to as server(s) 106 , or remote machine(s) 106 ) via one or more networks 104 , 104 ′ (generally referred to as network 104 ).
- a client 102 communicates with a server 106 via an appliance 105 .
- FIG. 1A shows a network 104 and a network 104 ′ between the clients 102 and the servers 106
- the networks 104 and 104 ′ can be the same type of network or different types of networks.
- the network 104 and/or the network 104 ′ can be a local-area network (LAN), such as a company Intranet, a metropolitan area network (MAN), or a wide area network (WAN), such as the Internet or the World Wide Web.
- LAN local-area network
- MAN metropolitan area network
- WAN wide area network
- network 104 ′ may be a private network and network 104 may be a public network.
- network 104 may be a private network and network 104 ′ a public network.
- networks 104 and 104 ′ may both be private networks.
- clients 102 may be located at a branch office of a corporate enterprise communicating via a WAN connection over the network 104 to the servers 106 located at a corporate data center.
- the network 104 and/or 104 ′ be any type and/or form of network and may include any of the following: a point to point network, a broadcast network, a wide area network, a local area network, a telecommunications network, a data communication network, a computer network, an ATM (Asynchronous Transfer Mode) network, a SONET (Synchronous Optical Network) network, a SDH (Synchronous Digital Hierarchy) network, a wireless network and a wireline network.
- the network 104 may comprise a wireless link, such as an infrared channel or satellite band.
- the topology of the network 104 and/or 104 ′ may be a bus, star, or ring network topology.
- the network 104 and/or 104 ′ and network topology may be of any such network or network topology as known to those ordinarily skilled in the art capable of supporting the operations described herein.
- the appliance 105 which also may be referred to as an interface unit 105 or gateway 105 , is shown between the networks 104 and 104 ′.
- the appliance 105 may be located on network 104 .
- a branch office of a corporate enterprise may deploy an appliance 105 at the branch office.
- the appliance 105 may be located on network 104 ′.
- an appliance 105 may be located at a corporate data center.
- a plurality of appliances 105 may be deployed on network 104 .
- a plurality of appliances 105 may be deployed on network 104 ′.
- a plurality of appliances 105 may be deployed on both networks 104 and 104 ′.
- the appliance 105 could be a part of any client 102 or server 106 on the same or different network 104 , 104 ′ as the client 102 .
- One or more appliances 105 may be located at any point in the network or network communications path between a client 102 and a server 106 .
- the appliance 105 comprises any of the network devices manufactured by Citrix Systems, Inc. of Ft. Lauderdale Fla., such as the Citrix NetScalerTM, Citrix WANScalerTM, Citrix RepeaterTM, Citrix Branch RepeaterTM, or Citrix Branch RepeaterTM with Windows Server®.
- the appliance 105 includes any of the product embodiments referred to as WebAccelerator and BigIP manufactured by F5 Networks, Inc. of Seattle, Wash.
- the appliance 105 includes any application acceleration and/or security related appliances and/or software manufactured by Cisco Systems, Inc. of San Jose, Calif., such as the Cisco ACE Application Control Engine Module service software and network modules, and Cisco AVS Series Application Velocity System.
- the system may include multiple, logically-grouped servers 106 .
- the logical group of servers may be referred to as a server farm 38 .
- the servers 106 may be geographically dispersed.
- a farm 38 may be administered as a single entity.
- the server farm 38 comprises a plurality of server farms 38 .
- the server farm executes one or more applications on behalf of one or more clients 102 .
- the servers 106 within each farm 38 can be heterogeneous. One or more of the servers 106 can operate according to one type of operating system platform (e.g., WINDOWS NT, manufactured by Microsoft Corp. of Redmond, Wash.), while one or more of the other servers 106 can operate on according to another type of operating system platform (e.g., Unix or Linux).
- the servers 106 of each farm 38 do not need to be physically proximate to another server 106 in the same farm 38 .
- the group of servers 106 logically grouped as a farm 38 may be interconnected using a wide-area network (WAN) connection or medium-area network (MAN) connection.
- WAN wide-area network
- MAN medium-area network
- a farm 38 may include servers 106 physically located in different continents or different regions of a continent, country, state, city, campus, or room. Data transmission speeds between servers 106 in the farm 38 can be increased if the servers 106 are connected using a local-area network (LAN) connection or some form of direct connection.
- LAN local-area network
- Servers 106 may be referred to as a file server, application server, web server, proxy server, or gateway server.
- a server 106 may have the capacity to function as either an application server or as a master application server.
- a server 106 may include an Active Directory.
- the clients 102 may also be referred to as client nodes or endpoints.
- a client 102 has the capacity to function as both a client node seeking access to applications on a server and as an application server providing access to hosted applications for other clients 102 a - 102 n.
- a client 102 communicates with a server 106 .
- the client 102 communicates directly with one of the servers 106 in a farm 38 .
- the client 102 executes a program neighborhood application to communicate with a server 106 in a farm 38 .
- the server 106 provides the functionality of a master node.
- the client 102 communicates with the server 106 in the farm 38 through a network 104 . Over the network 104 , the client 102 can, for example, request execution of various applications hosted by the servers 106 a - 106 n in the farm 38 and receive output of the results of the application execution for display.
- only the master node provides the functionality required to identify and provide address information associated with a server 106 ′ hosting a requested application.
- the server 106 provides functionality of a web server.
- the server 106 a receives requests from the client 102 , forwards the requests to a second server 106 b and responds to the request by the client 102 with a response to the request from the server 106 b .
- the server 106 acquires an enumeration of applications available to the client 102 and address information associated with a server 106 hosting an application identified by the enumeration of applications.
- the server 106 presents the response to the request to the client 102 using a web interface.
- the client 102 communicates directly with the server 106 to access the identified application.
- the client 102 receives application output data, such as display data, generated by an execution of the identified application on the server 106 .
- a server 106 includes an application delivery system 190 for delivering a computing environment or an application and/or data file to one or more clients 102 .
- a client 102 is in communication with a server 106 via network 104 , 104 ′ and appliance 105 .
- the client 102 may reside in a remote office of a company, e.g., a branch office, and the server 106 may reside at a corporate data center.
- the client 102 comprises a client agent 120 , and a computing environment 15 .
- the computing environment 15 may execute or operate an application that accesses, processes or uses a data file.
- the computing environment 15 , application and/or data file may be delivered via the appliance 105 and/or the server 106 .
- the appliance 105 accelerates delivery of a computing environment 15 , or any portion thereof, to a client 102 .
- the appliance 105 accelerates the delivery of the computing environment 15 by the application delivery system 190 .
- the embodiments described herein may be used to accelerate delivery of a streaming application and data file processable by the application from a central corporate data center to a remote user location, such as a branch office of the company.
- the appliance 105 accelerates transport layer traffic between a client 102 and a server 106 .
- the appliance 105 may provide acceleration techniques for accelerating any transport layer payload from a server 106 to a client 102 , such as: 1) transport layer connection pooling, 2) transport layer connection multiplexing, 3) transport control protocol buffering, 4) compression and 5) caching.
- the appliance 105 provides load balancing of servers 106 in responding to requests from clients 102 .
- the appliance 105 acts as a proxy or access server to provide access to the one or more servers 106 .
- the appliance 105 provides a secure virtual private network connection from a first network 104 of the client 102 to the second network 104 ′ of the server 106 , such as an SSL VPN connection.
- the appliance 105 provides application firewall security, control and management of the connection and communications between a client 102 and a server 106 .
- the application delivery management system 190 provides application delivery techniques to deliver a computing environment to a desktop of a user, remote or otherwise, based on a plurality of execution methods and based on any authentication and authorization policies applied via a policy engine 195 . With these techniques, a remote user may obtain a computing environment and access to server stored applications and data files from any network connected device 100 .
- the application delivery system 190 may reside or execute on a server 106 . In another embodiment, the application delivery system 190 may reside or execute on a plurality of servers 106 a - 106 n . In some embodiments, the application delivery system 190 may execute in a server farm 38 .
- the server 106 executing the application delivery system 190 may also store or provide the application and data file.
- a first set of one or more servers 106 may execute the application delivery system 190
- a different server 106 n may store or provide the application and data file.
- each of the application delivery system 190 , the application, and data file may reside or be located on different servers.
- any portion of the application delivery system 190 may reside, execute or be stored on or distributed to the appliance 200 , or a plurality of appliances.
- the client 102 may include a computing environment 15 for executing an application that uses or processes a data file.
- the client 102 via networks 104 , 104 ′ and appliance 105 may request an application and data file from the server 106 .
- the appliance 105 may forward a request from the client 102 to the server 106 .
- the client 102 may not have the application and data file stored or accessible locally.
- the application delivery system 190 and/or server 106 may deliver the application and data file to the client 102 .
- the server 106 may transmit the application as an application stream to operate in computing environment 15 on client 102 .
- the application delivery system 190 comprises any portion of the Citrix Access SuiteTM by Citrix Systems, Inc., such as the MetaFrame or Citrix Presentation ServerTM; any portion of the Citrix Delivery CenterTM by Citrix Systems, Inc., such as the XenDesktopTM, XenAppTM, XenServerTM, or NetScalerTM; and/or any of the Microsoft® Windows Terminal Services manufactured by the Microsoft Corporation.
- the application delivery system 190 may deliver one or more applications to clients 102 or users via a remote-display protocol or otherwise via remote-based or server-based computing.
- the application delivery system 190 may deliver one or more applications to clients or users via steaming of the application.
- the application delivery system 190 includes a policy engine 195 for controlling and managing the access to, selection of application execution methods and the delivery of applications.
- the policy engine 195 determines the one or more applications a user or client 102 may access.
- the policy engine 195 determines how the application should be delivered to the user or client 102 , e.g., the method of execution.
- the application delivery system 190 provides a plurality of delivery techniques from which to select a method of application execution, such as a server-based computing, streaming or delivering the application locally to the client 120 for local execution.
- a client 102 requests execution of an application program and the application delivery system 190 comprising a server 106 selects a method of executing the application program.
- the server 106 receives credentials from the client 102 .
- the server 106 receives a request for an enumeration of available applications from the client 102 .
- the application delivery system 190 in response to the request or receipt of credentials, enumerates a plurality of application programs available to the client 102 .
- the application delivery system 190 receives a request to execute an enumerated application.
- the application delivery system 190 selects one of a predetermined number of methods for executing the enumerated application, for example, responsive to a policy of a policy engine.
- the application delivery system 190 may select a method of execution of the application enabling the client 102 to receive application-output data generated by execution of the application program on a server 106 .
- the application delivery system 190 may select a method of execution of the application enabling the local machine 10 to execute the application program locally after retrieving a plurality of application files comprising the application.
- the application delivery system 190 may select a method of execution of the application to stream the application via the network 104 to the client 102 .
- a client 102 may execute, operate or otherwise provide an application, which can be any type and/or form of software, program, or executable instructions such as any type and/or form of web browser, web-based client, client-server application, a thin-client computing client, an ActiveX control, or a Java applet, or any other type and/or form of executable instructions capable of executing on client 102 .
- the application may be a server-based or a remote-based application executed on behalf of the client 102 on a server 106 .
- the server 106 may display output to the client 102 using any thin-client or remote-display protocol, such as the Independent Computing Architecture (ICA) protocol manufactured by Citrix Systems, Inc. of Ft. Lauderdale, Fla.
- ICA Independent Computing Architecture
- the application can use any type of protocol and it can be, for example, an HTTP client, an FTP client, an Oscar client, or a Telnet client.
- the application comprises any type of software related to VoIP communications, such as a soft IP telephone.
- the application comprises any application related to real-time data communications, such as applications for streaming video and/or audio.
- the server 106 or a server farm 38 may be running one or more applications, such as an application providing a thin-client computing or remote display presentation application.
- the server 106 or server farm 38 executes as an application, any portion of the Citrix Access SuiteTM by Citrix Systems, Inc., such as the MetaFrame or Citrix Presentation ServerTM; any portion of the Citrix Delivery CenterTM by Citrix Systems, Inc., such as the XenDesktopTM, XenAppTM, XenServerTM, or NetScalerTM; and/or any of the Microsoft® Windows Terminal Services manufactured by the Microsoft Corporation.
- the application is an ICA client, developed by Citrix Systems, Inc. of Fort Lauderdale, Fla.
- the application includes a Remote Desktop (RDP) client, developed by Microsoft Corporation of Redmond, Wash.
- the server 106 may run an application, which for example, may be an application server providing email services such as Microsoft Exchange manufactured by the Microsoft Corporation of Redmond, Wash., a web or Internet server, or a desktop sharing server, or a collaboration server.
- any of the applications may comprise any type of hosted service or products, such as GoToMeetingTM, GoToWebinarTM, GoToMyPCTM, or GoToAssistTM provided by Citrix Online Division, Inc. of Santa Barbara, Calif., WebExTM provided by WebEx, Inc. of Santa Clara, Calif., or Microsoft Office Live Meeting provided by Microsoft Corporation of Redmond, Wash.
- FIGS. 1C and 1D depict block diagrams of a computing device 100 useful for practicing an embodiment of the client 102 , server 106 or appliance 105 .
- each computing device 100 includes a central processing unit 101 , and a main memory unit 122 .
- a computing device 100 may include a visual display device 124 , a keyboard 126 and/or a pointing device 127 , such as a mouse.
- Each computing device 100 may also include additional optional elements, such as one or more input/output devices 130 a - 130 b (generally referred to using reference numeral 130 ), and a cache memory 140 in communication with the central processing unit 101 .
- the central processing unit 101 is any logic circuitry that responds to and processes instructions fetched from the main memory unit 122 .
- the central processing unit is provided by a microprocessor unit, such as: those manufactured by Intel Corporation of Mountain View, Calif.; those manufactured by Motorola Corporation of Schaumburg, Ill.; those manufactured by Transmeta Corporation of Santa Clara, Calif.; the RS/6000 processor, those manufactured by International Business Machines of White Plains, N.Y.; or those manufactured by Advanced Micro Devices of Sunnyvale, Calif.
- the computing device 100 may be based on any of these processors, or any other processor capable of operating as described herein.
- Main memory unit 122 may be one or more memory chips capable of storing data and allowing any storage location to be directly accessed by the microprocessor 101 , such as Static random access memory (SRAM), Burst SRAM or SynchBurst SRAM (BSRAM), Dynamic random access memory (DRAM), Fast Page Mode DRAM (FPM DRAM), Enhanced DRAM (EDRAM), Extended Data Output RAM (EDO RAM), Extended Data Output DRAM (EDO DRAM), Burst Extended Data Output DRAM (BEDO DRAM), Enhanced DRAM (EDRAM), synchronous DRAM (SDRAM), JEDEC SRAM, PC100 SDRAM, Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), SyncLink DRAM (SLDRAM), Direct Rambus DRAM (DRDRAM), or Ferroelectric RAM (FRAM).
- SRAM Static random access memory
- BSRAM SynchBurst SRAM
- DRAM Dynamic random access memory
- FPM DRAM Fast Page Mode DRAM
- EDRAM Enhanced D
- the main memory 122 may be based on any of the above described memory chips, or any other available memory chips capable of operating as described herein.
- the processor 101 communicates with main memory 122 via a system bus 150 (described in more detail below).
- FIG. 1C depicts an embodiment of a computing device 100 in which the processor communicates directly with main memory 122 via a memory port 103 .
- the main memory 122 may be DRDRAM.
- FIG. 1D depicts an embodiment in which the main processor 101 communicates directly with cache memory 140 via a secondary bus, sometimes referred to as a backside bus.
- the main processor 101 communicates with cache memory 140 using the system bus 150 .
- Cache memory 140 typically has a faster response time than main memory 122 and is typically provided by SRAM, BSRAM, or EDRAM.
- the processor 101 communicates with various I/O devices 130 via a local system bus 150 .
- FIG. 1D depicts an embodiment of a computer 100 in which the main processor 101 communicates directly with I/O device 130 via HyperTransport, Rapid I/O, or InfiniBand.
- FIG. 1D also depicts an embodiment in which local busses and direct communication are mixed: the processor 101 communicates with I/O device 130 using a local interconnect bus while communicating with I/O device 130 directly.
- the computing device 100 may support any suitable installation device 116 , such as a floppy disk drive for receiving floppy disks such as 3.5-inch, 5.25-inch disks or ZIP disks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives of various formats, USB device, hard-drive or any other device suitable for installing software and programs such as any client agent 120 , or portion thereof.
- the computing device 100 may further comprise a storage device 128 , such as one or more hard disk drives or redundant arrays of independent disks, for storing an operating system and other related software, and for storing application software programs such as any program related to the client agent 120 .
- any of the installation devices 116 could also be used as the storage device 128 .
- the operating system and the software can be run from a bootable medium, for example, a bootable CD, such as KNOPPIX®, a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.
- a bootable CD such as KNOPPIX®
- KNOPPIX® a bootable CD for GNU/Linux that is available as a GNU/Linux distribution from knoppix.net.
- the computing device 100 may include a network interface 118 to interface to a Local Area Network (LAN), Wide Area Network (WAN) or the Internet through a variety of connections including, but not limited to, standard telephone lines, LAN or WAN links (e.g., 802.11, T 1 , T 3 , 56 kb, X.25), broadband connections (e.g., ISDN, Frame Relay, ATM), wireless connections, or some combination of any or all of the above.
- the network interface 118 may comprise a built-in network adapter, network interface card, PCMCIA network card, card bus network adapter, wireless network adapter, USB network adapter, modem or any other device suitable for interfacing the computing device 100 to any type of network capable of communication and performing the operations described herein.
- I/O devices 130 a - 130 n may be present in the computing device 100 .
- Input devices include keyboards, mice, trackpads, trackballs, microphones, and drawing tablets.
- Output devices include video displays, speakers, inkjet printers, laser printers, and dye-sublimation printers.
- the I/O devices 130 may be controlled by an I/O controller 123 as shown in FIG. 1C .
- the I/O controller may control one or more I/O devices such as a keyboard 126 and a pointing device 127 , e.g., a mouse or optical pen.
- an I/O device may also provide storage 128 and/or an installation medium 116 for the computing device 100 .
- the computing device 100 may provide USB connections to receive handheld USB storage devices such as the USB Flash Drive line of devices manufactured by Twintech Industry, Inc. of Los Alamitos, Calif.
- the computing device 100 may comprise or be connected to multiple display devices 124 a - 124 n , which each may be of the same or different type and/or form.
- any of the I/O devices 130 a - 130 n and/or the I/O controller 123 may comprise any type and/or form of suitable hardware, software, or combination of hardware and software to support, enable or provide for the connection and use of multiple display devices 124 a - 124 n by the computing device 100 .
- the computing device 100 may include any type and/or form of video adapter, video card, driver, and/or library to interface, communicate, connect or otherwise use the display devices 124 a - 124 n .
- a video adapter may comprise multiple connectors to interface to multiple display devices 124 a - 124 n .
- the computing device 100 may include multiple video adapters, with each video adapter connected to one or more of the display devices 124 a - 124 n .
- any portion of the operating system of the computing device 100 may be configured for using multiple displays 124 a - 124 n .
- one or more of the display devices 124 a - 124 n may be provided by one or more other computing devices, such as computing devices 100 a and 100 b connected to the computing device 100 , for example, via a network.
- These embodiments may include any type of software designed and constructed to use another computer's display device as a second display device 124 a for the computing device 100 .
- a computing device 100 may be configured to have multiple display devices 124 a - 124 n.
- an I/O device 130 may be a bridge 170 between the system bus 150 and an external communication bus, such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or a Serial Attached small computer system interface bus.
- an external communication bus such as a USB bus, an Apple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWire bus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a Gigabit Ethernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a Super HIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or
- a computing device 100 of the sort depicted in FIGS. 1C and 1D typically operate under the control of operating systems, which control scheduling of tasks and access to system resources.
- the computing device 100 can be running any operating system such as any of the versions of the Microsoft® Windows operating systems, the different releases of the Unix and Linux operating systems, any version of the Mac OS® for Macintosh computers, any embedded operating system, any real-time operating system, any open source operating system, any proprietary operating system, any operating systems for mobile computing devices, or any other operating system capable of running on the computing device and performing the operations described herein.
- Typical operating systems include: WINDOWS 3.x, WINDOWS 95, WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE, WINDOWS XP, WINDOWS VISTA, and WINDOWS 7, all of which are manufactured by Microsoft Corporation of Redmond, Wash.; MacOS, manufactured by Apple Computer of Cupertino, Calif.; OS/2, manufactured by International Business Machines of Armonk, N.Y.; and Linux, a freely-available operating system distributed by Caldera Corp. of Salt Lake City, Utah, or any type and/or form of a Unix operating system, among others.
- the computing device 100 may have different processors, operating systems, and input devices consistent with the device.
- the computer 100 is a Treo 180 , 270 , 1060 , 600 or 650 smart phone manufactured by Palm, Inc.
- the Treo smart phone is operated under the control of the PalmOS operating system and includes a stylus input device as well as a five-way navigator device.
- the computer 100 is an iPhone smart phone manufactured by Apple Computers, Inc.
- the iPhone is operated under the control of the iPhone OS operating system and includes a multi-touch screen interface.
- the computing device 100 can be any workstation, desktop computer, laptop or notebook computer, server, handheld computer, mobile telephone, any other computer, or other form of computing or telecommunications device that is capable of communication and that has sufficient processor power and memory capacity to perform the operations described herein.
- FIG. 2 describes an embodiment of a DNS resolver 200 residing on a server, client, or intermediary.
- the DNS resolver 200 includes a DNS query identifier 201 , a memory cache 202 , a transaction identifier generator 203 , a DNS query generator 205 , a comparator 206 for comparing requests and responses, and a DNS response generator 207 .
- the DNS resolver 200 may also receive input numbers from a random number generator 204 .
- the DNS resolver 200 receives DNS resolution requests 208 from hardware or software on the client, server, or intermediary, or from any hardware or software on another client, server, or intermediary.
- the DNS resolver 200 transmits DNS query messages 209 to DNS name servers, and in turn DNS receives response messages 210 .
- the DNS response messages 210 can also arrive from different sources than the name servers.
- the DNS resolver 200 also transmits DNS resolution responses 211 to the hardware or software on the same or different client, server, or intermediary that sent the DNS resolution request 208 .
- the simplified architecture shown is provided for illustration purposes only and is not intended to be limiting.
- a DNS resolver 200 comprises any type or form of logic, operations or functions to resolve a domain name.
- the DNS resolver 200 may comprise any combination of software and hardware.
- the DNS resolver 200 may comprise a library, service, daemon, process, function, or subroutine.
- the random number generator 204 shown in FIG. 2 is external to the DNS resolver 200 , in some embodiments the DNS resolver 200 may also include the random number generator 204 . In other embodiments, the random number generator 204 may be on another software or hardware system.
- the DNS resolver 200 may include functionality for transmitting and receiving data in any format or protocol, such as Internet Protocol. As such, in some embodiments, the DNS resolver 200 may include hardware or communicate with hardware capable of performing this functionality. In other embodiments, the DNS resolver 200 may operate within a virtual machine and may include or communicate with virtual hardware.
- the DNS query identifier 201 comprises one or more programs, tasks, services, processes or executable instructions to provide logic, rules, functions, or operations for receiving and handling a DNS resolution request 208 .
- the DNS query identifier 201 checks the resolver cache 202 to determine if a previously-received DNS response message corresponding to the DNS resolution request 208 has been stored in the resolver cache 202 . If so, the DNS response generator 207 transmits a DNS resolution response 211 to the requester using the previously-received DNS response message in the resolver cache 202 . If the answer is unknown, the DNS query identifier 201 checks that the DNS resolution request 208 is a fully qualified domain name query or unqualified multi-label domain name query.
- the DNS query identifier 201 determines that the DNS resolution request 208 is not a fully qualified domain name query or unqualified multi-label query, the DNS query identifier 201 consults the cache 202 for a suffix search list. If a suffix search list does not reside in the cache 202 , the DNS query identifier 201 appends a global DNS suffix to the DNS resolution request 208 . If a suffix search list does reside in the cache 202 , the DNS query identifier 201 appends a primary DNS suffix to the DNS resolution request 208 . The DNS query identifier 201 consults the cache 202 to determine the IP address or addresses of a domain name server or servers from which to request an answer. In some embodiments, the DNS query identifier 201 consults the cache 202 to determine the port or ports of the domain name server or servers.
- the domain name requested is an ASCII name. In other embodiments, the domain name requested is part of the international domain name system and is encoded in Row-based ASCII Compatible Encoding (RACE) or punycode.
- the international domain name may be encoded by the DNS resolver 200 or may be already encoded when received by the DNS query identifier 201 .
- the DNS query identifier 201 consults the cache 202 to determine if each domain name server to be contacted is compliant with IETF RFC 4343 (Domain Name System Case Insensitivity Clarification). In some embodiments if a domain name server is RFC 4343 compliant, the DNS query identifier 201 may retain mixed capitalization of the domain name as received in the DNS resolution request 208 . In other embodiments where a domain name server is RFC 4343 compliant, the DNS query identifier 201 may encode random capitalization in the domain name.
- the cache 202 may comprise any type and form of data structure, implemented in any combination of hardware and software.
- the cache 202 may comprise a database, a flat file, dictionary, registry, index, lookup table, or any other repository capable of storing DNS resource records in any format.
- the cache 202 may include any associated logic and control functions for recording and obtaining DNS resource records. Once DNS resource records are stored in the cache 202 , the DNS resolver 200 can use the cached copy rather than re-transmitting a DNS query message for the resource, thereby reducing access time and use of network bandwidth.
- the cache 202 may include an associated memory element, including RAM, Flash memory, or a portion of a disk drive.
- the cache 202 may comprise a data object in main memory unit 122 or cache memory 140 , discussed above in connection with FIGS. 1C and 1D , or any combination thereof.
- the cache 202 may comprise any type of integrated circuit, such as a Field Programmable Gate Array (FPGA) or a Programmable Logic Device (PLD).
- FPGA Field Programmable Gate Array
- PLD Programmable Logic Device
- the cache 202 may have a fixed maximum size. In other embodiments, there may be no such limitation.
- the cache 202 may include logic or functionality for invalidating or removing cached DNS resource records based on the expiration of a time period or upon receipt of an invalidation command from the DNS resolver 200 . The logic or functionality may allow invalidation or removal of single records, groups of records, or all records residing in the cache 202 .
- the random number generator 204 may comprise any type and form of software or hardware, or any combinations thereof, for generating random or pseudo-random numbers.
- the random number generator 204 is within the DNS resolver 200 .
- the random number generator 204 is in the same client, server, or intermediary as the DNS resolver 200 .
- the random number generator 204 is separate from the client, server, or intermediary that includes the DNS resolver 200 .
- the random number generator 204 may communicates with the DNS resolver over any type and form of network or communications device or protocol.
- the random number generator 204 generates and transmits random or pseudo-random numbers to the transaction identifier generator 203 in the DNS resolver 200 .
- the random or pseudo-random numbers can be of any length. In some embodiments, the number length is at least as long as the length of the requested domain name. For example, under IETF RFC 1034, the maximum length of a fully qualified domain name is 255 octets, or 2040 bits. In other embodiments, the random or pseudo-random number may be shorter or longer. In some embodiments, the random number generator 204 may generate a new random or pseudo-random number for each new DNS resolution request received by the DNS resolver 200 . In other embodiments, the same random or pseudo-random number may be used for multiple transaction identifiers, reducing the need for new random or pseudo-random numbers for each request.
- the random number generator 204 may generate a new random or pseudo-random number at a predetermined frequency. Higher frequencies may result in higher computation costs, while lower frequencies may result in less resistance to attack. In other embodiments, the random number generator 204 may generate a new random or pseudo-random number in response to an event. For example, the random number generator 204 may generate a new random number in response to every fifth or tenth DNS resolution request 208 received by the DNS resolver 200 . For another example, the random number generator 204 may generate a new random number in response to every invalidation of a DNS response record in the cache 202 .
- the event that causes the random number generator 204 to generate a new random or pseudo-random number may be any event capable of triggering such functionality within the random number generator 204 , such as closing or opening a switch, changing a value in a memory register, executing a function call, or accessing a memory location.
- the transaction identifier generator 203 comprises a process, logic, function, service, task, subroutine, or executable instructions for creating or providing a transaction identifier, such as for a DNS query.
- the DNS transaction identifier is a 16-bit field in the header of DNS query message 209 .
- the transaction identifier may be of different lengths or formats.
- the queried domain name server responds to a DNS query message 209 with a DNS response message 210 including an identical DNS transaction identifier, associating the response with the query.
- the transaction identifier allows the DNS resolver 200 to identify which outstanding request is associated with which response.
- the sent and received transaction identifiers are compared by the response/request comparator 206 , and if the received transaction identifier matches no outstanding DNS query message 209 , the DNS response message 210 is discarded by the DNS resolver 200 . If the received transaction identifier does match an outstanding DNS query message 209 , the DNS response message 210 is passed to the DNS response generator 207 .
- the transaction identifier generator 203 may perform a cryptographic hashing function using inputs comprising the random or pseudo-random number received from the random number generator 204 , the IP address of the domain name server to be queried, and the domain name or a portion of the domain name requested.
- the inputs to the transaction identifier generator 203 hash function may include the port number of the domain name server to be queried.
- the inputs to the hash function may include the domain name encoded with capitalization.
- the inputs to the hash function may include the domain name encoded in punycode or RACE.
- the cryptographic hash function used to create the transaction identifier may be any hash function, with or without collision resistance, such as MD5, SHA-1, SHA-256, or any other known or currently unknown hash function or combination of hash functions.
- the output of the cryptographic hash function may be compressed to 16 bits.
- the output may be truncated or shortened through any other means to 16 bits.
- the output of the cryptographic hash function may be shortened, truncated, or extended in any means to achieve the length of the transaction identifier required by the protocol format of the DNS query message 209 .
- the cryptographic hashing function may be collision resistant or collision free.
- the DNS query generator 205 comprises a process, logic, function, service, task, subroutine, or executable instructions for creating any type and form of DNS query message 209 .
- the DNS query message 209 may be created in compliance with the standard DNS query message format defined in IETF RFC 1035, or may be created in any other desired format.
- the DNS query message 209 may include a transaction identifier received from the transaction identifier generator 203 .
- the DNS query message 209 may include a question entry of the domain name queried received from the DNS query identifier 201 .
- the question entry may include a domain name, class, and type, as described in RFC 1035, or may contain more or fewer information as dictated by the query message format.
- the DNS query message 209 may be transmitted by the DNS resolver 200 to the address or addresses of the domain name server or servers selected by the DNS query identifier 201 from the cache 202 .
- the DNS query message 209 may be stored in a memory element associated with the response/request comparator 206 .
- the DNS query message 209 may be stored in a memory element associated with the DNS query generator 205 , the cache 202 , or any other memory element associated with or accessible by the DNS resolver 200 .
- the stored DNS query message may be marked, flagged or recorded in such a way as to identify the query as an outstanding query.
- the DNS resolver 200 may include functionality for invalidating or removing markings or flags or deleting the stored DNS query once it is no longer outstanding.
- the DNS query message 209 may be transmitted by the DNS resolver 200 multiple times, such as in response to expiration of a time-to-live period.
- the response/request comparator 206 comprises a process, logic, function, service, task, subroutine, or executable instructions for comparing a DNS response message 210 with a DNS query message 209 .
- the response/request comparator 206 may compare a DNS response message 210 received by the DNS resolver 200 with a DNS query message 209 sent by the DNS resolver 200 .
- the response/request comparator 206 may compare a received DNS response message 210 with a DNS query message marked as an outstanding query as discussed above.
- the response/request comparator 206 may check if the DNS response message 210 has apparently come from the same IP address and port of the domain name server to whom the DNS query message 209 was sent.
- the response/request comparator 206 may check if the DNS response message 210 has the same transaction identifier as the DNS query message 209 that was sent. In these embodiments, if the response/request comparator 206 determines that the DNS response message 210 does not match the DNS query message 209 , the comparator 206 disregards the DNS response message 210 . In further embodiments, where the domain name server queried is RFC 4343 compliant, the response/request comparator 206 may compare capitalization of the domain name in the transmitted DNS query message 209 and received DNS response message 210 .
- the response/request comparator 206 may instruct the DNS resolver 200 to disregard the DNS response message 210 , responsive to a determination that the capitalization does not match. If the response/request comparator 206 identifies the DNS response message 210 as matching an outstanding DNS query message 209 , it may, in some embodiments, pass the DNS response message 210 as a validated response to the DNS response generator 207 . The response/request comparator 206 may also invalidate or remove markings or flags or delete memory entries identifying the DNS query message 209 as outstanding, or instruct another process to do so.
- the DNS response generator 207 comprises a process, logic, function, service, task, subroutine, or executable instructions for generating and/or sending a DNS resolution response 211 .
- the DNS response generator 207 may receive a validated DNS response message 210 from the response/request comparator 206 .
- the DNS response generator 207 may inspect the DNS response message 210 to determine if it is fully responsive to the DNS resolution request 208 .
- a fully responsive message contains the final address sought. For example, a request for the address of www.example.com may return a response that the domain name www.example.com is located at 208.77.188.166.
- a non-fully responsive message to the query for the address of www.example.com may return a response that the domain name server for example.com is located at 208.77.188.1, but be silent on the address of www.example.com.
- the DNS response generator 207 may record any partial response or additional name server information in the cache 202 .
- the DNS query identifier 201 may create a new iteration of the query using the partial response or additional name server information.
- the DNS response generator 207 may record the response in the cache 202 .
- the DNS response generator 207 may send a DNS resolution response 211 to the originally requesting software or hardware on the same or different client, server, or intermediary.
- the DNS resolution request 208 is a data packet or packets comprising a DNS name to be resolved.
- the DNS resolution request 208 may include a fully qualified domain name or a portion of a domain name; a DNS query type; and a DNS query class.
- the DNS resolution request 208 comes from a software or hardware system on the same client, server, or intermediary. In other embodiments, the DNS resolution request 208 comes from a software or hardware system on another client, server, or intermediary.
- the DNS query message 209 is a data packet or packets comprising a request to a name server to identify a domain name.
- the DNS query message 209 may include a transaction identifier and a question entry, as discussed above in connection with the DNS query generator 205 .
- the DNS query message 209 may be transmitted over TCP, UDP, or any other protocol known or currently unknown for allowing communication over a network.
- the DNS response message 210 is a data packet or packets comprising a response to a DNS query message 210 .
- the DNS query message 210 may include a transaction identifier.
- the transaction identifier may be identical, similar, or different from the transaction identifier of an outstanding DNS query message 209 .
- the DNS query message 210 may include a response entry.
- the response entry may include a domain name, class, or type as described in RFC 1035, or may contain more or fewer information as dictated by the query message format.
- the response entry may also include additional information, such as the address of an authoritative name server for the domain name requested.
- the DNS query message 210 may be transmitted over TCP, UDP, or any other type and form of protocol for allowing communication over a network.
- the DNS resolution response 211 is a data packet or packets comprising a response to a DNS resolution request 208 .
- the DNS resolution response 211 may include a domain name and IP address corresponding to the domain name requested in the DNS resolution request 208 .
- the DNS resolution response 211 may include a message that the domain name could not be located.
- FIG. 3 describes an embodiment of steps for a method of generating a transaction identifier for a DNS query message.
- a request is received to resolve a domain name.
- the request is parsed and the IP address and port of a domain name server with the domain in its zone of authority or a delegated zone is determined.
- the cache is consulted to determine if the domain name server to be queried rewrites or normalizes mixed-capitalization domain names; if the domain name server does not do so, capitalization shifts may be made in the characters of the requested domain name.
- a random or pseudo-random number is generated for a salt input to a cryptographic hashing function.
- a transaction identifier is created as an output of the cryptographic hashing function.
- the DNS query message is created.
- the DNS query message is transmitted to the domain name server to be queried. In some embodiments, this process may be repeated multiple times for the same request to query multiple domain name servers. In further embodiments, this process may be repeated iteratively or recursively where DNS answers fail to fully answer the DNS request, but indicate a more authoritative name server to query.
- the DNS resolver may receive a request to resolve a domain name.
- this request may come from a web browser or similar application.
- this request may come from a kernel service, function, daemon, or other executable code residing in hardware, software, or any combination thereof.
- the source of the request may be on the same client, server, or intermediary as the DNS resolver. In other embodiments, the source of the request may be from a different client, server, or intermediary on the same or a different network.
- the DNS request may be for a full or partial domain name.
- the DNS request may include a domain class and domain type.
- the DNS request may include wildcard characters in the name or class or type, signifying that all records relevant to a domain name or partial domain name or class or type are being requested. If a relevant fully-responsive DNS record resides in the DNS resolver's cache, a response containing the information in the DNS record may be returned to the requestor. In such a case, no further steps of generating a DNS query may need to be taken.
- the DNS resolver may select a domain name server to query from the index of name servers in the cache.
- the DNS resolver may select a preferred name server.
- the DNS resolver may select the name server with the narrowest zone of authority containing the requested domain listed in the index of name servers in the cache.
- the DNS resolver may select the name server for the root zone. Once a name server to be queried has been selected, the DNS resolver retrieves the name server's IP address and port number from the index of name servers in the cache.
- the DNS resolver may consult the cache to determine if the domain name server to be queried rewrites or normalizes responses. In some embodiments, the DNS resolver may determine that the name server rewrites responses by the presence and content of additional data fields in the cached resource record. In other embodiments, the DNS resolver may determine that the name server rewrites responses by comparing prior mixed capitalization domain name queries to the name server with responses from the same name server for preservation of capitalization. If the domain name server to be queried does not rewrite or normalize responses, in some embodiments the DNS resolver may shift any or all of the characters of the domain name between upper and lower case.
- the random number generator generates a random or pseudo-random number.
- the random number generator passes the random or pseudo-random number to the transaction identifier generator.
- the transaction identifier generator obtains or retrieves the random or pseudo-random number from a memory element associated with the random number generator.
- a new random or pseudo-random number is passed to the cryptographic hashing function for each new DNS query.
- a random or pseudo-random number may be reused for multiple DNS queries.
- the random or pseudo-random number may be updated at a predetermined frequency. In other embodiments, the random or pseudo-random number may be updated in response to an event, as discussed above in connection the random number generator 204 and FIG. 2 .
- the transaction identifier generator performs a cryptographic hashing function on inputs comprising the random or pseudo-random number, the IP address of the domain name server to be queried, and the domain name or a portion of the domain name requested.
- the cryptographic hashing function may be any hash function or combination of hash functions, including MD5, SHA-1, SHA-256, or any other hash function or functions currently known or unknown.
- the transaction identifier generator may append the input bits of the random number, the IP address of the domain name server and the domain name to create a string of bits.
- the transaction identifier generator may use a combination of addition, exclusive-or (XOR), and constant rotations of adjacent bits or groups of bits to convert the string of bits into a cryptographic hash of length specified by the size of the transaction identifier field of the protocol.
- XOR exclusive-or
- the transaction identifier generator may be configured to output a hash of any length required by the network protocol in use.
- the transaction identifier generator may use appending, multiplying, adding, subtracting, XORing, or any other method known to those skilled in the art.
- the DNS query generator creates a DNS query using the requested domain name, domain class and/or domain type received at step 300 , and the transaction identifier generated at step 304 .
- the DNS request may be for a full or partial domain name, and wildcard characters may be present in the name or class or type, signifying that all records relevant to a domain name or partial domain name or classes or types are being requested.
- the DNS query generator may create an RFC 1035 standard DNS query, comprising a header followed by a question.
- the header may include the transaction identifier generated at step 304 , a query flag, an opcode specifying the type of query, and a recursion flag.
- the question may include the domain name, the domain type and domain class.
- the DNS query generator may also create a message compliant with the relevant protocol, such as TCP or UDP, with the DNS query as a payload.
- the DNS query generator may pass the query as a payload to another process or service acting at the application or transport layer.
- the DNS resolver transmits the DNS query to the domain name server selected at step 301 .
- the domain name server may be on the same network as the DNS resolver or on a different network.
- the DNS resolver transmits the DNS query directly.
- the DNS resolver passes the DNS query to another process or service responsible for handling network communications, such as a network driver.
- the DNS query generated at step 305 complies with IETF standard DNS protocol.
- the domain name server may recognize the generated DNS query as a standard DNS query.
- the functionality of DNS name resolution may be performed without alteration to hardware or software on the domain name server, client, or intermediary.
- the DNS protocol used or supported by the client and/or server do not need to change to support any of the functionality or operations described herein.
- compliance with DNS protocols such as with IETF standards, may prevent compatibility issues between the client, server, and intermediary.
- the DNS query may be generated to comply with other standards, including Extended DNS (described in RFC 2671) and DNS Security Extensions (described in RFC 2535).
- the DNS query may be encrypted.
- the encryption protocol may be DNSCurve.
- any other encryption protocol or combinations of protocols may be used.
- the DNS query may be generated in a proprietary format, and may require hardware or software changes to the client, server, or intermediary.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
Description
Claims (20)
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/426,330 US9270646B2 (en) | 2009-04-20 | 2009-04-20 | Systems and methods for generating a DNS query to improve resistance against a DNS attack |
CN201080026895.6A CN102577303B (en) | 2009-04-20 | 2010-03-12 | Systems and methods for generating a DNS query to improve resistance against a DNS attack |
EP10702228.7A EP2422092B1 (en) | 2009-04-20 | 2010-03-12 | Generating a dns query to improve resistance against a dns attack |
PCT/US2010/027132 WO2010123632A2 (en) | 2009-04-20 | 2010-03-12 | Systems and methods for generating a dns query to improve resistance against a dns attack |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US12/426,330 US9270646B2 (en) | 2009-04-20 | 2009-04-20 | Systems and methods for generating a DNS query to improve resistance against a DNS attack |
Publications (2)
Publication Number | Publication Date |
---|---|
US20100269174A1 US20100269174A1 (en) | 2010-10-21 |
US9270646B2 true US9270646B2 (en) | 2016-02-23 |
Family
ID=42982012
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US12/426,330 Active 2032-12-01 US9270646B2 (en) | 2009-04-20 | 2009-04-20 | Systems and methods for generating a DNS query to improve resistance against a DNS attack |
Country Status (4)
Country | Link |
---|---|
US (1) | US9270646B2 (en) |
EP (1) | EP2422092B1 (en) |
CN (1) | CN102577303B (en) |
WO (1) | WO2010123632A2 (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160316006A1 (en) * | 2015-03-31 | 2016-10-27 | Conviva Inc. | Advanced resource selection |
US9961101B2 (en) | 2015-10-29 | 2018-05-01 | Duo Security, Inc. | Methods and systems for implementing a phishing assessment |
US9979693B2 (en) * | 2016-01-28 | 2018-05-22 | Fiber Logic Communications, Inc. | IP allocation method for use in telecommunication network automatic construction |
US10193923B2 (en) | 2016-07-20 | 2019-01-29 | Duo Security, Inc. | Methods for preventing cyber intrusions and phishing activity |
US20190081923A1 (en) * | 2010-11-17 | 2019-03-14 | Hola Newco Ltd. | Method and system for increasing speed of domain name system resolution within a computing device |
US10963245B2 (en) | 2019-02-06 | 2021-03-30 | Arm Limited | Anchored data element conversion |
US11019022B1 (en) * | 2020-01-28 | 2021-05-25 | F5 Networks, Inc. | Processing packets with returnable values |
Families Citing this family (54)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2011056796A1 (en) | 2009-11-04 | 2011-05-12 | Martin Kagan | Internet infrastructure survey |
US9514243B2 (en) * | 2009-12-03 | 2016-12-06 | Microsoft Technology Licensing, Llc | Intelligent caching for requests with query strings |
US8321551B2 (en) * | 2010-02-02 | 2012-11-27 | Symantec Corporation | Using aggregated DNS information originating from multiple sources to detect anomalous DNS name resolutions |
US8103915B2 (en) | 2010-02-12 | 2012-01-24 | Verizon Patent And Licensing Inc. | Failure system for domain name system client |
US9891931B2 (en) * | 2010-06-15 | 2018-02-13 | Microsoft Technology Licensing, Llc | Techniques for efficient remote presentation session connectivity and routing |
US8407471B1 (en) * | 2010-08-24 | 2013-03-26 | Symantec Corporation | Selecting a network service for communicating with a server |
WO2012058238A2 (en) * | 2010-10-26 | 2012-05-03 | Martin Kagan | Surrogate name delivery network |
US9906488B2 (en) | 2010-10-26 | 2018-02-27 | Cedexis, Inc. | Surrogate name delivery network |
US9313085B2 (en) * | 2010-12-16 | 2016-04-12 | Microsoft Technology Licensing, Llc | DNS-based determining whether a device is inside a network |
KR20130014226A (en) * | 2011-07-29 | 2013-02-07 | 한국전자통신연구원 | Dns flooding attack detection method on the characteristics by attack traffic type |
CN102325132B (en) * | 2011-08-23 | 2014-09-17 | 北京凝思科技有限公司 | System level safety domain name system (DNS) protection method |
US9246882B2 (en) | 2011-08-30 | 2016-01-26 | Nokia Technologies Oy | Method and apparatus for providing a structured and partially regenerable identifier |
US9515988B2 (en) * | 2011-10-26 | 2016-12-06 | Aruba Networks, Inc. | Device and method for split DNS communications |
US9319377B2 (en) | 2011-10-26 | 2016-04-19 | Hewlett-Packard Development Company, L.P. | Auto-split DNS |
US9342698B2 (en) * | 2011-12-30 | 2016-05-17 | Verisign, Inc. | Providing privacy enhanced resolution system in the domain name system |
US8880686B2 (en) * | 2011-12-30 | 2014-11-04 | Verisign, Inc | Providing privacy enhanced resolution system in the domain name system |
EP2615772A1 (en) * | 2012-01-10 | 2013-07-17 | Thomson Licensing | Method and device for timestamping data and method and device for verification of a timestamp |
US20140059071A1 (en) * | 2012-01-11 | 2014-02-27 | Saguna Networks Ltd. | Methods, circuits, devices, systems and associated computer executable code for providing domain name resolution |
US20130290734A1 (en) * | 2012-04-26 | 2013-10-31 | Appsense Limited | Systems and methods for caching security information |
JP6007458B2 (en) * | 2012-06-30 | 2016-10-12 | ▲ホア▼▲ウェイ▼技術有限公司Huawei Technologies Co.,Ltd. | Packet receiving method, deep packet inspection apparatus and system |
CN103685213A (en) * | 2012-09-26 | 2014-03-26 | 西门子公司 | Device, system and method for reducing attacks on DNS |
US10565394B2 (en) | 2012-10-25 | 2020-02-18 | Verisign, Inc. | Privacy—preserving data querying with authenticated denial of existence |
US9202079B2 (en) | 2012-10-25 | 2015-12-01 | Verisign, Inc. | Privacy preserving data querying |
US9363288B2 (en) | 2012-10-25 | 2016-06-07 | Verisign, Inc. | Privacy preserving registry browsing |
CN103838753B (en) * | 2012-11-23 | 2018-04-27 | 腾讯科技(北京)有限公司 | A kind of storage of redemption code, verification method and device |
US8560455B1 (en) * | 2012-12-13 | 2013-10-15 | Digiboo Llc | System and method for operating multiple rental domains within a single credit card domain |
US10320628B2 (en) | 2013-06-19 | 2019-06-11 | Citrix Systems, Inc. | Confidence scoring of device reputation based on characteristic network behavior |
US20150350153A1 (en) * | 2014-05-30 | 2015-12-03 | Vonage Business Solutions, Inc. | System and method for account-based dns routing |
US9544266B2 (en) * | 2014-06-27 | 2017-01-10 | Microsoft Technology Licensing, Llc | NSEC3 performance in DNSSEC |
US9473516B1 (en) | 2014-09-29 | 2016-10-18 | Amazon Technologies, Inc. | Detecting network attacks based on a hash |
US9426171B1 (en) * | 2014-09-29 | 2016-08-23 | Amazon Technologies, Inc. | Detecting network attacks based on network records |
US10021065B2 (en) | 2015-01-27 | 2018-07-10 | Anchorfree Inc. | System and method for suppressing DNS requests |
CN106506322A (en) * | 2015-09-08 | 2017-03-15 | 阿里巴巴集团控股有限公司 | The implementation method of business function and device |
KR101713191B1 (en) * | 2015-10-27 | 2017-03-08 | 한국정보보호시스템(주) | Access point for preventing malignant action using prior testing of malignant data and method of the same |
WO2017106779A1 (en) * | 2015-12-18 | 2017-06-22 | F5 Networks, Inc. | Methods of collaborative hardware and software dns acceleration and ddos protection |
US10574674B2 (en) * | 2016-07-08 | 2020-02-25 | Nec Corporation | Host level detect mechanism for malicious DNS activities |
GB201611948D0 (en) * | 2016-07-08 | 2016-08-24 | Kalypton Int Ltd | Distributed transcation processing and authentication system |
CN106357839B (en) * | 2016-09-28 | 2019-11-19 | 中国互联网络信息中心 | A kind of DNS query method and device |
CN106533829B (en) * | 2016-11-04 | 2019-04-30 | 东南大学 | A kind of DNS method for recognizing flux based on bit entropy |
CN106790071B (en) * | 2016-12-21 | 2020-04-03 | 北京奇虎测腾科技有限公司 | Method and device for detecting DNS full-flow hijacking risk |
WO2018162087A1 (en) * | 2017-03-10 | 2018-09-13 | NEC Laboratories Europe GmbH | Explicit service function chaining (sfc) using dns extensions |
US10666602B2 (en) | 2017-05-05 | 2020-05-26 | Microsoft Technology Licensing, Llc | Edge caching in edge-origin DNS |
US10599836B2 (en) * | 2017-08-11 | 2020-03-24 | Verisign, Inc. | Identification of visual international domain name collisions |
US10375016B1 (en) * | 2018-04-02 | 2019-08-06 | Cloudflare, Inc. | Managing domain name system (DNS) record cache across multiple DNS servers using multicast communication |
US11677713B2 (en) * | 2018-10-05 | 2023-06-13 | Vmware, Inc. | Domain-name-based network-connection attestation |
US10922139B2 (en) | 2018-10-11 | 2021-02-16 | Visa International Service Association | System, method, and computer program product for processing large data sets by balancing entropy between distributed data segments |
US11394746B2 (en) * | 2019-03-07 | 2022-07-19 | Lookout, Inc. | DNS prefetching based on triggers for increased security |
CN110674098B (en) * | 2019-09-19 | 2022-04-22 | 浪潮电子信息产业股份有限公司 | Domain name resolution method in distributed file system |
CN112954683B (en) * | 2021-05-13 | 2021-08-17 | 中兴通讯股份有限公司 | Domain name resolution method, domain name resolution device, electronic equipment and storage medium |
US11621963B2 (en) * | 2021-05-27 | 2023-04-04 | Western Digital Technologies, Inc. | Fleet health management corrective action communication exchange |
CN114006724B (en) * | 2021-09-18 | 2023-08-29 | 中国互联网络信息中心 | Method and system for discovering and authenticating encryption DNS resolver |
CN113900460A (en) * | 2021-10-25 | 2022-01-07 | 哈尔滨工大卫星技术有限公司 | Temperature control method, system and medium for satellite platform |
CN114124887B (en) * | 2021-11-29 | 2023-09-05 | 牙木科技股份有限公司 | View query method of DNS server, DNS server and readable storage medium |
US11991291B1 (en) * | 2022-03-31 | 2024-05-21 | Amazon Technologies, Inc. | Content-based domain name enconding, encryption, and routing system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030135625A1 (en) * | 2002-01-15 | 2003-07-17 | International Business Machines Corporation | Blended SYN cookies |
JP2003208371A (en) * | 2002-01-11 | 2003-07-25 | Kddi Corp | Routing method using name resolution and its system |
US20040083306A1 (en) * | 2002-10-24 | 2004-04-29 | International Business Machines Corporation | Method and apparatus for maintaining internet domain name data |
US7296155B1 (en) * | 2001-06-08 | 2007-11-13 | Cisco Technology, Inc. | Process and system providing internet protocol security without secure domain resolution |
US20100121981A1 (en) * | 2008-11-11 | 2010-05-13 | Barracuda Networks, Inc | Automated verification of dns accuracy |
US20110022675A1 (en) * | 2008-03-10 | 2011-01-27 | Afilias Limited | Platform independent idn e-mail storage translation |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101267313B (en) * | 2008-04-23 | 2010-10-27 | 成都市华为赛门铁克科技有限公司 | Flooding attack detection method and detection device |
CN101383830A (en) * | 2008-10-28 | 2009-03-11 | 成都市华为赛门铁克科技有限公司 | Method, system, gateway and domain name system for protecting network attack |
-
2009
- 2009-04-20 US US12/426,330 patent/US9270646B2/en active Active
-
2010
- 2010-03-12 EP EP10702228.7A patent/EP2422092B1/en active Active
- 2010-03-12 CN CN201080026895.6A patent/CN102577303B/en not_active Expired - Fee Related
- 2010-03-12 WO PCT/US2010/027132 patent/WO2010123632A2/en active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7296155B1 (en) * | 2001-06-08 | 2007-11-13 | Cisco Technology, Inc. | Process and system providing internet protocol security without secure domain resolution |
JP2003208371A (en) * | 2002-01-11 | 2003-07-25 | Kddi Corp | Routing method using name resolution and its system |
US20030135625A1 (en) * | 2002-01-15 | 2003-07-17 | International Business Machines Corporation | Blended SYN cookies |
US20040083306A1 (en) * | 2002-10-24 | 2004-04-29 | International Business Machines Corporation | Method and apparatus for maintaining internet domain name data |
US20110022675A1 (en) * | 2008-03-10 | 2011-01-27 | Afilias Limited | Platform independent idn e-mail storage translation |
US20100121981A1 (en) * | 2008-11-11 | 2010-05-13 | Barracuda Networks, Inc | Automated verification of dns accuracy |
Non-Patent Citations (10)
Title |
---|
Chinese Office Action for Chinese Application No. 201080026895.6 dated Aug. 12, 2014. |
CN Office Action for Application No. 201080026895.6 dated Jan. 30, 2014. |
Hubert et al, Measures for Making DNS More Resilient against Forged Answers, Netherlands Computer Consulting BV., Network Work Group, Jan. 2009 (18 pages). |
Hubert Netherlabs Computer Consulting BV., R. van Mook Equinix. 01CMeasures for Making DNS More Resilient against Forged Answers,01D >, Internet Enginerering Task Force, IETF; Standardworkingdraft, Internet Society (ISOC), Jan. 1, 2009. |
International Preliminary Report on Patentability on PCT/US2010/027132 dated Feb. 16, 2012. |
International Search Report on PCT/US2010/027132 dated Jan. 31, 2012. |
Menezes A J et al., 01CHandbook of Applied Cryptography, Chapter 5-Pseudorandom Bits and Sequences,01D Jan. 1, 1997. |
Vixie P. et al., 01CUse of Bit 0×20 in DNS Labels to Improve Transaction Identity,01D , Internet Enginerering Task Force, IETF; Standardworkingdraft, Internet Society (ISOC), Mar. 17, 2008. |
Vixie P. et al., 01CUse of Bit 0×20 in DNS Labels to Improve Transaction Identity,01D <ft-vixie-dnsext-dns0x20-00.txt>, Internet Enginerering Task Force, IETF; Standardworkingdraft, Internet Society (ISOC), Mar. 17, 2008. |
Written Opinion on PCT/US2010/027132 dated Jan. 31, 2012. |
Cited By (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190081923A1 (en) * | 2010-11-17 | 2019-03-14 | Hola Newco Ltd. | Method and system for increasing speed of domain name system resolution within a computing device |
US20160316006A1 (en) * | 2015-03-31 | 2016-10-27 | Conviva Inc. | Advanced resource selection |
US11303604B2 (en) * | 2015-03-31 | 2022-04-12 | Conviva Inc. | Advanced resource selection |
US9961101B2 (en) | 2015-10-29 | 2018-05-01 | Duo Security, Inc. | Methods and systems for implementing a phishing assessment |
US10230754B2 (en) | 2015-10-29 | 2019-03-12 | Duo Security, Inc. | Methods and systems for implementing a phishing assessment |
US10505968B2 (en) | 2015-10-29 | 2019-12-10 | Duo Security, Inc. | Methods and systems for implementing a phishing assessment |
US11140191B2 (en) | 2015-10-29 | 2021-10-05 | Cisco Technology, Inc. | Methods and systems for implementing a phishing assessment |
US9979693B2 (en) * | 2016-01-28 | 2018-05-22 | Fiber Logic Communications, Inc. | IP allocation method for use in telecommunication network automatic construction |
US10193923B2 (en) | 2016-07-20 | 2019-01-29 | Duo Security, Inc. | Methods for preventing cyber intrusions and phishing activity |
US10963245B2 (en) | 2019-02-06 | 2021-03-30 | Arm Limited | Anchored data element conversion |
US11019022B1 (en) * | 2020-01-28 | 2021-05-25 | F5 Networks, Inc. | Processing packets with returnable values |
Also Published As
Publication number | Publication date |
---|---|
EP2422092A2 (en) | 2012-02-29 |
WO2010123632A2 (en) | 2010-10-28 |
EP2422092B1 (en) | 2018-10-10 |
CN102577303A (en) | 2012-07-11 |
WO2010123632A3 (en) | 2012-03-22 |
CN102577303B (en) | 2015-02-04 |
US20100269174A1 (en) | 2010-10-21 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9270646B2 (en) | Systems and methods for generating a DNS query to improve resistance against a DNS attack | |
EP3607732B1 (en) | Systems and methods for securely and transparently proxying saas applications through a cloud-hosted or on-premise network gateway for enhanced security and visibility | |
USRE47019E1 (en) | Methods for DNSSEC proxying and deployment amelioration and systems thereof | |
US10484336B2 (en) | Systems and methods for a unique mechanism of providing ‘clientless SSLVPN’ access to a variety of web-applications through a SSLVPN gateway | |
US9363287B2 (en) | Systems and methods for managing domain name system security (DNSSEC) | |
JP5587732B2 (en) | Computer-implemented method, computer program, and system for managing access to a domain name service (DNS) database | |
US11102125B2 (en) | Securing communications between services in a cluster using load balancing systems and methods | |
US9396330B2 (en) | Systems and methods for reducing denial of service attacks against dynamically generated next secure records | |
RU2346398C2 (en) | System and method of transferring shortcut information from certificate used for encryptation operations | |
Jiang et al. | A survey on information-centric networking: rationales, designs and debates | |
US9258293B1 (en) | Safe and secure access to dynamic domain name systems | |
EP2521330A1 (en) | DNSSEC signing server | |
US11824829B2 (en) | Methods and systems for domain name data networking | |
US11647008B2 (en) | Generating a negative answer to a domain name system query that indicates resource records as existing for the domain name regardless of whether those resource records actually exist | |
WO2015134933A1 (en) | Manage encrypted network traffic using spoofed addresses | |
US20220141172A1 (en) | Verification associated with a domain name | |
Fotiou et al. | Enabling self-verifiable mutable content items in IPFS using Decentralized Identifiers | |
WO2020245568A1 (en) | Processing domain name system data | |
US11165824B2 (en) | Transport layer security extension for hybrid information centric networking | |
WO2024050341A1 (en) | Runtime match domain configurations | |
JP2012199607A (en) | Dnssec proxy device | |
Skendaj et al. | Secure File Sharing in JXTA Using Digital Signatures |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: CITRIX SYSTEMS, INC, FLORIDA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:SHELEST, ART;REEL/FRAME:022593/0934 Effective date: 20090414 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |
|
AS | Assignment |
Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, DELAWARE Free format text: SECURITY INTEREST;ASSIGNOR:CITRIX SYSTEMS, INC.;REEL/FRAME:062079/0001 Effective date: 20220930 |
|
AS | Assignment |
Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, NORTH CAROLINA Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062112/0262 Effective date: 20220930 Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062113/0470 Effective date: 20220930 Owner name: GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT, NEW YORK Free format text: SECOND LIEN PATENT SECURITY AGREEMENT;ASSIGNORS:TIBCO SOFTWARE INC.;CITRIX SYSTEMS, INC.;REEL/FRAME:062113/0001 Effective date: 20220930 |
|
AS | Assignment |
Owner name: CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.), FLORIDA Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525 Effective date: 20230410 Owner name: CITRIX SYSTEMS, INC., FLORIDA Free format text: RELEASE AND REASSIGNMENT OF SECURITY INTEREST IN PATENT (REEL/FRAME 062113/0001);ASSIGNOR:GOLDMAN SACHS BANK USA, AS COLLATERAL AGENT;REEL/FRAME:063339/0525 Effective date: 20230410 Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE Free format text: PATENT SECURITY AGREEMENT;ASSIGNORS:CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.);CITRIX SYSTEMS, INC.;REEL/FRAME:063340/0164 Effective date: 20230410 |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 8TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1552); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 8 |
|
AS | Assignment |
Owner name: WILMINGTON TRUST, NATIONAL ASSOCIATION, AS NOTES COLLATERAL AGENT, DELAWARE Free format text: SECURITY INTEREST;ASSIGNORS:CLOUD SOFTWARE GROUP, INC. (F/K/A TIBCO SOFTWARE INC.);CITRIX SYSTEMS, INC.;REEL/FRAME:067662/0568 Effective date: 20240522 |