US 12,413,554 B2
Domain name system (DNS) security
Dan Luther, Claremore, OK (US); Dean Ballew, Sterling, VA (US); John R. B. Woodworth, Amissvile, VA (US); Carol Dawn Lovell, West Monroe, LA (US); James C. Anders, Lee's Summit, MO (US); and Lisa Lamanna, Harrisonburg, VA (US)
Assigned to Level 3 Communications, LLC, Denver, CO (US)
Filed by Level 3 Communications, LLC, Broomfield, CO (US)
Filed on Jan. 31, 2024, as Appl. No. 18/428,609.
Claims priority of provisional application 63/483,628, filed on Feb. 7, 2023.
Prior Publication US 2024/0267359 A1, Aug. 8, 2024
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0236 (2013.01) [H04L 63/101 (2013.01)] 8 Claims
OG exemplary drawing
 
1. A system, comprising:
a computing system of a domain name system (“DNS”), comprising:
at least one first processor; and
a first non-transitory computer readable medium communicatively coupled to the at least one first processor, the first non-transitory computer readable medium having stored thereon computer software comprising a first set of instructions that, when executed by the at least one first processor, causes the computing system to:
receive a first user datagram protocol (“UDP”)-based DNS request, the first UDP-based DNS request comprising a source address and a query for a destination DNS record associated with at least one of a destination device in a network, a destination entity associated with the destination device, or a destination domain associated with the destination device or the destination entity;
in response to receiving the first UDP-based DNS request, send a UDP-based response message to the source address, the UDP-based response message comprising an empty payload portion and a header portion containing a truncate (“TC”) flag that is set;
when a first transmission control protocol (“TCP”)-based DNS request corresponding to the first UDP-based DNS request is not received from the source address within a first predetermined period, cause one or more second UDP-based DNS requests from the source address to be blocked, the one or more second UDP-based DNS requests comprising the first UDP-based DNS request;
when a first TCP-based DNS request corresponding to the first UDP-based DNS request is received from the source address within the first predetermined period, allow, within a second predetermined period after receiving the first TCP-based DNS request, at least the first UDP-based DNS request from the source address to be processed, by sending, to the source address, at least a TCP-based response message comprising an answer to the query for the destination DNS record;
receive, from the source address, one or more third UDP-based DNS requests, after the second predetermined period;
analyze, using a machine learning model, the one or more third UDP-based DNS requests, to determine whether or not to block the one or more third UDP-based DNS requests; and
perform one or more DNS tasks based on the analysis.
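The claim above describes a TC-flag challenge: a UDP query is answered with a header-only response whose TC bit is set, a source that retries over TCP within the first period is served (over TCP, and then over UDP for a grace period), and a source that never retries is blocked. The following is an added worked example of that state machine, written for this page; it is not code from the patent or from Level 3. The packet layout follows RFC 1035 section 4, the zone data and client addresses are constructed (RFC 5737 documentation ranges), and the two timeouts are assumed values standing in for the claim's first and second predetermined periods. The machine-learning analysis of post-grace requests is out of scope here; the gate only hands those requests back to the caller as an "analyze" action.

```python
"""Stateful DNS front end implementing a TC-flag (truncate) challenge.

Added example, not code from the patent or from Level 3. Names, timeouts and
sample data are assumptions; wire format per RFC 1035 section 4.
"""
import struct

DNS_QR, DNS_TC, DNS_RD, DNS_RA = 0x8000, 0x0200, 0x0100, 0x0080
OPCODE_RD_MASK = 0x7900          # opcode bits plus RD, echoed into replies
RCODE_NXDOMAIN = 3

# Constructed zone for the example (RFC 5737 documentation address).
ZONE = {"example.com.": "192.0.2.1"}


def encode_name(name):
    """Encode 'example.com.' as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode an uncompressed name at off; return (name, offset after it)."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_query(qname, qtype=1, txid=0x1234):
    """Minimal client query (QDCOUNT=1, RD set); constructed sample traffic."""
    return struct.pack("!HHHHHH", txid, DNS_RD, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def header(msg):
    """(ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT) of a message."""
    return struct.unpack("!HHHHHH", msg[:12])


def question(msg):
    """Raw question section; used to match the TCP retry to the UDP query."""
    return msg[12:]


def tc_challenge(query):
    """Header-only reply with QR=1 and TC=1 and every count zero.

    This is the 'empty payload' response of the claim. RFC 1035 servers
    normally echo the question in a truncated reply; this is the stricter form.
    """
    txid, flags, *_ = header(query)
    return struct.pack("!HHHHHH", txid, DNS_QR | DNS_TC | (flags & OPCODE_RD_MASK), 0, 0, 0, 0)


def answer(query, zone=ZONE, ttl=300):
    """Answer an A query from the constructed zone; NXDOMAIN for unknown names."""
    txid, flags, *_ = header(query)
    qname, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    q_section = query[12:off + 4]
    base = DNS_QR | DNS_RA | (flags & OPCODE_RD_MASK)
    ip = zone.get(qname)
    if ip is None or qtype != 1:
        rcode = RCODE_NXDOMAIN if ip is None else 0
        return struct.pack("!HHHHHH", txid, base | rcode, 1, 0, 0, 0) + q_section
    rdata = bytes(int(o) for o in ip.split("."))
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + rdata   # name = pointer to offset 12
    return struct.pack("!HHHHHH", txid, base, 1, 1, 0, 0) + q_section + rr


class TcChallengeGate:
    """Per-source state: challenged -> (blocked | allowed for grace) -> analyze.

    tcp_deadline and grace are assumed values for the claim's first and second
    predetermined periods. Time is passed in explicitly so the flow is testable.
    """

    def __init__(self, tcp_deadline=2.0, grace=60.0):
        self.tcp_deadline, self.grace = tcp_deadline, grace
        self.pending = {}    # src -> (deadline, original UDP query)
        self.allowed = {}    # src -> end of grace window
        self.blocked = set()

    def on_udp(self, src, query, now):
        """Handle a UDP query; return (action, wire bytes or None)."""
        if src in self.blocked:
            return "drop", None
        expiry = self.allowed.get(src)
        if expiry is not None:
            if now <= expiry:
                return "answer_udp", answer(query)    # inside the grace window
            del self.allowed[src]
            return "analyze", None                    # post-grace: hand to classifier
        pend = self.pending.get(src)
        if pend is not None and now > pend[0]:
            self._block(src)                          # deadline passed, no TCP retry
            return "block", None
        if pend is None:
            self.pending[src] = (now + self.tcp_deadline, query)
        return "challenge", tc_challenge(query)

    def on_tcp(self, src, query, now):
        """Handle the TCP retry (2-byte length prefix already stripped by caller)."""
        pend = self.pending.pop(src, None)
        if pend is None:
            return "reject", None
        deadline, udp_query = pend
        if now > deadline:
            self._block(src)                          # late retry counts as no retry
            return "block", None
        if question(query) != question(udp_query):
            self.pending[src] = pend                  # not our challenge; keep waiting
            return "reject", None
        self.allowed[src] = now + self.grace
        return "answer_tcp", answer(query)

    def sweep(self, now):
        """Block every challenged source whose TCP deadline has passed."""
        expired = [s for s, (deadline, _) in self.pending.items() if now > deadline]
        for s in expired:
            self._block(s)
        return expired

    def _block(self, src):
        self.pending.pop(src, None)
        self.blocked.add(src)


def run_scenario():
    """Two constructed clients: one retries over TCP, one never does."""
    gate = TcChallengeGate(tcp_deadline=2.0, grace=60.0)
    q = build_query("example.com.")
    trace = [gate.on_udp("198.51.100.7", q, now=0.0)[0],    # challenge
             gate.on_tcp("198.51.100.7", q, now=1.0)[0],    # answer_tcp
             gate.on_udp("198.51.100.7", q, now=30.0)[0],   # answer_udp
             gate.on_udp("198.51.100.7", q, now=90.0)[0],   # analyze
             gate.on_udp("203.0.113.9", q, now=0.0)[0],     # challenge
             ",".join(gate.sweep(now=5.0)),                 # 203.0.113.9 blocked
             gate.on_udp("203.0.113.9", q, now=6.0)[0]]     # drop
    return trace


if __name__ == "__main__":
    print(run_scenario())
```

The point of the challenge is that a spoofed source never sees the TC reply and so never completes a TCP handshake; the cost to the defender is one header-only UDP datagram per new source, which is smaller than the query it answers, so the gate cannot itself be used as an amplifier. The choices worth reviewing in a deployment are the TCP deadline (too short penalises clients on slow paths), how long a blocked source stays blocked, and keying state per source address rather than per address-and-port, since a NAT can hide many clients behind one address.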