As used herein, the term network device refers to a device for forwarding data, such as a layer 2 switch, layer 3 switch or router. A network device includes a control plane, which determines forwarding policies, and a data plane, which carries out the actual forwarding of data. The data plane includes a forwarding table which stores forwarding entries. The forwarding entries may be programmed into the forwarding table by the control plane. The control plane may generate the forwarding entries based on data forwarding policies and manage the forwarding entries in the data plane. In a traditional approach to networking, both the control plane and the data plane are located in the network device. That is, the network device has a local control plane that manages its own data plane.
Software defined networking (SDN) is an approach in which the control plane and the data plane are handled by separate devices. An SDN network device includes a forwarding table and forwards traffic flows based on the contents of the forwarding table. However, the data plane of an SDN network device is managed by a remote SDN controller rather than by a local control plane of the network device. The remote SDN controller may, for example, be a server which acts as the SDN control plane. The SDN controller may, for example, instruct the SDN network device to add entries to, or delete entries from, its forwarding table. The OpenFlow Protocol (OFP) is one example of an SDN protocol which is currently gaining acceptance in the marketplace.
In one known approach to network security, an SDN network device has a flow entry with an action to forward DNS requests to an SDN controller. On receiving the forwarded DNS request, the SDN controller carries out a security check on the requested domain name and either sends a response denying access, if the domain name is considered dangerous, or sends the DNS request back to the SDN network device for forwarding to a DNS server, if the domain name is considered safe.
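The controller-side check described above, as an added example in Python that is not part of the original text or of any particular SDN product: the controller receives the DNS query bytes that the switch forwarded, parses the header and question section, tests the queried name against a blocklist, and then either builds a denying response (NXDOMAIN) to hand back to the client or reports that the original request should be returned to the switch for forwarding to the resolver. The OpenFlow packet-in/packet-out plumbing, the blocklist contents and the fail-closed handling of malformed queries are assumptions made for the example, not details from the page.

```python
import struct

# Constructed blocklist for the example only; a real controller would load
# this from a threat-intelligence feed. Matching is by exact name or any
# subdomain of a listed name.
BLOCKED_DOMAINS = {"malware.example", "phish.example"}

RCODE_NXDOMAIN = 3


def parse_dns_query(pkt: bytes):
    """Parse the 12-byte header and the first question of a DNS query.

    Returns (txid, flags, qname, qtype, qclass, question_bytes).
    Raises ValueError on anything that is not a well-formed query.
    """
    if len(pkt) < 12:
        raise ValueError("DNS message too short")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    if qdcount < 1:
        raise ValueError("query carries no question")
    labels = []
    pos = 12
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers never legitimately appear in a question name
            raise ValueError("compression pointer in question name")
        if pos + length > len(pkt):
            raise ValueError("truncated label")
        labels.append(pkt[pos:pos + length].decode("ascii").lower())
        pos += length
    if pos + 4 > len(pkt):
        raise ValueError("truncated QTYPE/QCLASS")
    qtype, qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, pkt[12:pos + 4]


def is_dangerous(qname: str, blocklist=BLOCKED_DOMAINS) -> bool:
    """True if qname or any parent domain of it is on the blocklist."""
    parts = qname.split(".")
    return any(".".join(parts[i:]) in blocklist for i in range(len(parts)))


def build_deny_response(txid: int, query_flags: int, question: bytes,
                        rcode: int = RCODE_NXDOMAIN) -> bytes:
    """Build a minimal response: QR=1, opcode and RD copied, no answers."""
    flags = 0x8000 | (query_flags & 0x7900) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + question


def handle_packet_in(pkt: bytes):
    """Controller decision for a DNS query the switch forwarded.

    Returns one of:
      ("deny", response_bytes)  send the denying response to the client
      ("forward", None)         return the query to the switch for the resolver
      ("drop", None)            malformed query; fail closed (assumption)
    """
    try:
        txid, flags, qname, _qtype, _qclass, question = parse_dns_query(pkt)
    except ValueError:
        return ("drop", None)
    if is_dangerous(qname):
        return ("deny", build_deny_response(txid, flags, question))
    return ("forward", None)


def build_query(txid: int, qname: str, qtype: int = 1) -> bytes:
    """Construct a standard recursive query (used here only to make test input)."""
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + name + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    for name in ("www.malware.example", "example.org", "cdn.phish.example"):
        action, resp = handle_packet_in(build_query(0x1234, name))
        print(name, "->", action, resp.hex() if resp else "")
```

The flow entry on the switch that diverts UDP port 53 traffic to the controller is outside this example; the controller only ever sees the DNS payload. The blocklist match walks up the label hierarchy so that a listed zone also covers its subdomains, and a query that does not parse is dropped rather than forwarded, so a malformed packet cannot be used to slip past the check.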