Patents by Inventor Jean-Yves BISIAUX

Jean-Yves BISIAUX has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11777969
    Abstract: The present invention relates to a method and a detection device for detecting a domain generation algorithm (DGA) in a computer communication network (106) comprising at least one server (104) for resolving DNS requests from at least one client terminal (102). The computer communication network (106) further includes a detection module (108) coupled to the resolution server (104) and configured to analyse DNS queries according to the following steps: for each DNS request, associate the requested domain name and the identity of the requesting client terminal to form a tuple; combine tuples into homogeneous partitions according to the tuple community detection technique; and deduce for each homogeneous partition all the client terminals using the same DGA.
    Type: Grant
    Filed: October 8, 2020
    Date of Patent: October 3, 2023
    Assignee: EFFICIENT IP SAS
    Inventors: Jean-Yves Bisiaux, Sylvain Galliano, Christophe Girard
  • Patent number: 11290485
    Abstract: Method(s) and a domain name server (DNS) for detecting and blocking a DNS query raised by a computing device are described. In an example implementation, the DNS may implement a method that includes monitoring DNS queries received from a computing device at the DNS. The DNS identifies if a fully qualified domain name (FQDN) associated with the DNS query is not present in a cache of the DNS and DNS responses received by the computing device in response to the DNS queries whose FQDN is not present in the cache. An exfiltration, an infiltration or a tunneling event is detected based on a summation of the size of the DNS queries, DNS responses or both. Accordingly, further DNS queries from the computing device may be blocked.
    Type: Grant
    Filed: January 15, 2019
    Date of Patent: March 29, 2022
    Assignee: EFFICIENT IP SAS
    Inventors: Sylvain Galliano, Jean-Yves Bisiaux
  • Publication number: 20210112084
    Abstract: The present invention relates to a method and a detection device for detecting a domain generation algorithm (DGA) in a computer communication network (106) comprising at least one server (104) for resolving DNS requests from at least one client terminal (102). The computer communication network (106) further includes a detection module (108) coupled to the resolution server (104) and configured to analyse DNS queries according to the following steps: for each DNS request, associate the requested domain name and the identity of the requesting client terminal to form a tuple; combine tuples into homogeneous partitions according to the tuple community detection technique; and deduce for each homogeneous partition all the client terminals using the same DGA.
    Type: Application
    Filed: October 8, 2020
    Publication date: April 15, 2021
    Inventors: Jean-Yves BISIAUX, Sylvain GALLIANO, Christophe GIRARD
  • Publication number: 20200145454
    Abstract: Method(s) and a domain name server (DNS) for detecting and blocking a DNS query raised by a computing device are described. In an example implementation, the DNS may implement a method that includes monitoring DNS queries received from a computing device at the DNS. The DNS identifies if a fully qualified domain name (FQDN) associated with the DNS query is not present in a cache of the DNS and DNS responses received by the computing device in response to the DNS queries whose FQDN is not present in the cache. An exfiltration, an infiltration or a tunneling event is detected based on a summation of the size of the DNS queries, DNS responses or both. Accordingly, further DNS queries from the computing device may be blocked.
    Type: Application
    Filed: January 15, 2019
    Publication date: May 7, 2020
    Inventors: Sylvain GALLIANO, Jean-Yves BISIAUX
  • Patent number: 10333966
    Abstract: Method(s) and a Domain Name Server (DNS) for quarantining an IP address of a computing device are described. The DNS may implement method(s) that include receiving a request at the DNS and analyzing the request based on a pre-defined set of rules. The IP address of the computing device may be quarantined by the DNS and a quarantine mode may be triggered. In the quarantine mode, restricted services may be provided by the DNS. Further, the method includes providing a response corresponding to the request to the computing device. The response available in the cache can either be an expired response or an unexpired response based on a Time to Live of the response. If the response is not available, then the method includes abstaining from providing the response corresponding to the request. The abstaining may include not performing a recursive search for accessing the response corresponding to the request.
    Type: Grant
    Filed: September 16, 2016
    Date of Patent: June 25, 2019
    Assignee: EFFICIENT IP SAS
    Inventors: Jean-Yves Bisiaux, Sylvain Galliano
  • Patent number: 10021176
    Abstract: Method(s) and System(s) for managing traffic overload on a Domain Name System (DNS) server during a network overload are described. The described system(s) may implement method(s) that include monitoring of traffic associated with the DNS server and identifying an occurrence of an event. Thereafter, the method includes activating (deactivating) a rescue mode and implementing one or more policies for handling the traffic during the rescue mode. In implementing the one or more policies, the method includes segregating the traffic into three sets of requests based on availability of responses in a cache, and a Time to Live (TTL) associated with the responses. Further, the method includes processing a first set of requests for which corresponding responses stored in the cache have expired based on TTL of corresponding responses. Furthermore, the method includes transmission of the corresponding responses with expired data to the client devices.
    Type: Grant
    Filed: December 8, 2015
    Date of Patent: July 10, 2018
    Assignee: EFFICIENT IP SAS
    Inventors: Sylvain Galliano, Jean-Yves Bisiaux
  • Publication number: 20170099316
    Abstract: Method(s) and a Domain Name Server (DNS) for quarantining an IP address of a computing device are described. The DNS may implement method(s) that include receiving a request at the DNS and analyzing the request based on a pre-defined set of rules. The IP address of the computing device may be quarantined by the DNS and a quarantine mode may be triggered. In the quarantine mode, restricted services may be provided by the DNS. Further, the method includes providing a response corresponding to the request to the computing device. The response available in the cache can either be an expired response or an unexpired response based on a Time to Live of the response. If the response is not available, then the method includes abstaining from providing the response corresponding to the request. The abstaining may include not performing a recursive search for accessing the response corresponding to the request.
    Type: Application
    Filed: September 16, 2016
    Publication date: April 6, 2017
    Inventors: Jean-Yves BISIAUX, Sylvain GALLIANO
  • Publication number: 20160197989
    Abstract: Method(s) and System(s) for managing traffic overload on a Domain Name System (DNS) server during a network overload are described. The described system(s) may implement method(s) that include monitoring of traffic associated with the DNS server and identifying an occurrence of an event. Thereafter, the method includes activating (deactivating) a rescue mode and implementing one or more policies for handling the traffic during the rescue mode. In implementing the one or more policies, the method includes segregating the traffic into three sets of requests based on availability of responses in a cache, and a Time to Live (TTL) associated with the responses. Further, the method includes processing a first set of requests for which corresponding responses stored in the cache have expired based on TTL of corresponding responses. Furthermore, the method includes transmission of the corresponding responses with expired data to the client devices.
    Type: Application
    Filed: December 8, 2015
    Publication date: July 7, 2016
    Inventors: Sylvain GALLIANO, Jean-Yves BISIAUX