Abstract: Various embodiments disclosed herein provide techniques for transmitting an email message over a network. An email forwarding application executing on an email server receives a first request from a first device within the network to resolve an email address of an email recipient, where the email address is associated with a first domain. The email forwarding application determines that the email recipient is associated with a second domain. The email forwarding application transmits, to the first device, a first response to the first request that identifies the email recipient and the second domain.

Abstract: A method, system, and computer-readable memory containing instructions include receiving a DNS request containing authentication information, validating the authentication information, determining an appropriate action to take based on the validating status, and taking the appropriate action. Actions may include responding with an individualized network layer address or service location address, delaying sending a response message, sending a network layer address or service location address corresponding to a site containing authentication information, and sending a response with a network layer address or service location address with a web address configured to mimic the website related to the requested resource.

Abstract: One or more DNS services are provided that are configured to not only tolerate some commonly observed DNSSEC misconfigurations (while still providing DNSSEC's security guarantees), but also provide a more intelligent DNS resolution process informed by DNSSEC.

Abstract: A method, system, and computer-readable memory containing instructions include receiving a DNS request containing authentication information, validating the authentication information, determining an appropriate action to take based on the validating status, and taking the appropriate action. Actions may include responding with an individualized network layer address or service location address, delaying sending a response message, sending a network layer address or service location address corresponding to a site containing authentication information, and sending a response with a network layer address or service location address with a web address configured to mimic the website related to the requested resource.

Abstract: A method for detecting a domain name that is associated with malicious behavior includes receiving domain data for a plurality of domain names including a first domain name and a plurality of similar domain names. The domain data includes a first attribute and a second attribute of the first domain name and the similar domain names. The first attribute of the first domain name is compared to the first attributes of the similar domain names to produce a first value. The second attribute of the first domain name is compared to the second attributes of the similar domain names to produce a second value. The first value and the second value are combined to produce a combined value. A likelihood that the first domain name is associated with malicious behavior is determined based on the combined value.

Abstract: A resolution resiliency application performs robust domain name system (DNS) resolution. In operation, the resolution resiliency application determines that an authoritative name server that is responsible for a domain name specified in a DNS query is unavailable. In response to determining that the authoritative name server is unavailable, the resolution resiliency application performs operation(s) that modify one or more DNS records stored in a cache based on one or more resiliency policies associated with the authoritative name server. The resolution resiliency application then generates a DNS response to the DNS query based on a DNS record stored in the modified cache. Notably, the disclosed techniques increase the likelihood of providing clients with DNS responses that accurately provide requested information.

Abstract: In one embodiment, a DNS service provider determines that a domain name being configured by a user is a lame delegated domain name and manages the configuration of the domain name accordingly. In operation, when a user of the DNS service provider attempts to provide configuration information for a domain name, the DNS service provider determines whether the domain name is lame delegated to the DNS service provider. If the domain name is lame delegated, then, to avoid passing control of the domain name to a nefarious entity, the DNS service provider performs a verification process to determine whether the user is the rightful owner of the domain name. The user is allowed to configure the domain name within the DNS service provider when the user is the rightful owner of the domain name.

Abstract: Systems and methods for detecting spoofed traffic include determining a first hop count of a first data query from a first transmitting device to a first server, determining a second hop count of a second data query from the first transmitting device to a second server, determining a third hop count of a third data query appearing to be from the first transmitting device to the first server, and determining a fourth hop count of a fourth data query appearing to be from the first transmitting device to the second server. The third and fourth hop counts are compared to the first and second hop counts, respectively. It is determined whether the third hop count differs from the first hop count by more than a predetermined amount.

Abstract: A method, system, and computer-readable memory containing instructions include receiving a DNS request containing authentication information, validating the authentication information, determining an appropriate action to take based on the validating status, and taking the appropriate action. Actions may include responding with an individualized network layer address or service location address, delaying sending a response message, sending a network layer address or service location address corresponding to a site containing authentication information, and sending a response with a network layer address or service location address with a web address configured to mimic the website related to the requested resource.

Abstract: One or more DNS services are provided that are configured to not only tolerate some commonly observed DNSSEC misconfigurations (while still providing DNSSEC's security guarantees), but also provide a more intelligent DNS resolution process informed by DNSSEC.

Abstract: In one embodiment, a resolution resiliency application performs robust domain name system (DNS) resolution. In operation, the resolution resiliency application determines that an authoritative name server that is responsible for a domain name specified in a DNS query is unavailable. In response to determining that the authoritative name server is unavailable, the resolution resiliency application performs operation(s) that modify one or more DNS records stored in a cache based on one or more resiliency policies associated with the authoritative name server. The resolution resiliency application then generates a DNS response to the DNS query based on a DNS record stored in the modified cache. Notably, unlike conventional techniques that may generate inaccurate DNS responses based on stale DNS records, the disclosed techniques increase the likelihood of providing clients with DNS responses that accurately provide requested information.

Abstract: In one embodiment, a zone resiliency application indicates that an authoritative name server is in a degraded state. In operation, the zone resiliency application determines that the authoritative name server is in a degraded state. The zone resiliency application then generates a status record that indicates the degraded state. Subsequently, the zone resiliency application associates the status record with a domain name service (DNS) response to a DNS query. The zone resiliency application then transmits the DNS response and the associated status record to a requester.

Abstract: In one embodiment, a resolution resiliency application modifies domain name service (DNS) resolution. In operation, the resolution resiliency application determines that an authoritative name server has begun recovering from a degraded state or receives a flush list update from the authoritative name server. In response, the resolution resiliency application performs operation(s) that modify a query rate and/or a cache. The query rate specifies a frequency associated with DNS queries transmitted to the first authoritative name server. The cache stores DNS record(s) received from the first authoritative name server. Finally, the resolution resiliency application generates a DNS response to a DNS query based on the modified query rate and/or the modified cache.

Abstract: In one embodiment, a resolution resiliency application performs robust domain name system (DNS) resolution. In operation, the resolution resiliency application determines that an authoritative name server that is responsible for a domain name specified in a DNS query is unavailable. In response to determining that the authoritative name server is unavailable, the resolution resiliency application performs operation(s) that modify one or more DNS records stored in a cache based on one or more resiliency policies associated with the authoritative name server. The resolution resiliency application then generates a DNS response to the DNS query based on a DNS record stored in the modified cache. Notably, unlike conventional techniques that may generate inaccurate DNS responses based on stale DNS records, the disclosed techniques increase the likelihood of providing clients with DNS responses that accurately provide requested information.

Abstract: A method for detecting a predetermined behavior during a domain name registration or a domain resolution activity includes identifying one or more dimensions to be tracked. One or more metrics for each dimension is/are identified. A first time series for each of the metrics is generated. One or more first outliers in at least one of the first time series is detected. One or more sets of metrics is generated, each set including a combination of two or more of the metrics. A second time series for each of the metrics in the one or more sets of metrics is generated. One or more second outliers in at least one of the second time series is/are detected.

Abstract: One or more DNS services are provided that are configured to not only tolerate some commonly observed DNSSEC misconfigurations (while still providing DNSSEC's security guarantees), but also provide a more intelligent DNS resolution process informed by DNSSEC.

Abstract: The present invention generally relates to systems and methods for extending a chain of trust beyond the DNS. Some embodiments provide a verifier with the ability to validate a chain of trust starting with the trust anchor at the DNS root all the way to a service or object of interest outside the DNS.

Abstract: Systems and methods for detecting spoofed traffic include determining a first hop count of a first data query from a first transmitting device to a first server, determining a second hop count of a second data query from the first transmitting device to a second server, determining a third hop count of a third data query appearing to be from the first transmitting device to the first server, and determining a fourth hop count of a fourth data query appearing to be from the first transmitting device to the second server. The third and fourth hop counts are compared to the first and second hop counts, respectively. It is determined whether the third hop count differs from the first hop count by more than a predetermined amount.

Abstract: In one embodiment, a profiling engine analyzes DNS transaction data that is logged by a recursive resolver to generate profiling results that are used to manage network activity. In operation, the profiling engine computes scores based on the DNS transaction data and scoring criteria. The profiling engine may compute any number of scores at any level of granularity. For example, the profiling engine may compute a score for each source IP address that is associated with the DNS transaction data. Subsequently, the profiling engine generates profiling results based on the scores and profiling criteria. Notably, DNS queries are typically the first step of longer transaction chains that result in the transfer of data to and from the network. Consequently, the profiling engine may provide more timely and comprehensive insight into network activities than conventional network management tools that analyze data at layers that are further down transaction chains.

Abstract: Provided is a method of digitally securing a digital object from a first user in a first domain to a second user in a second domain using a DNS provider. The method includes accessing, at a client device of the first user, a client-side local policy, wherein the local policy comprises one or more zones managed by one or more DNS providers and secured by DANE using DNSSEC; constructing a DNS query for a cryptographic credential for the second user based, at least in part, on a zone of the one or more zones in the local policy; providing a request for the cryptographic credential for the second user; obtaining the cryptographic credential for the second user from a DNS provider of the one or more DNS providers; digitally securing the digital object using the cryptographic credential; and providing the digital object to the second user.