The present invention generally relates to a device communication, and more particularly, relates to a method, system, and product for discovering a communication between user agents and DNS devices.
A user agent is application software under control of a user which accesses, manipulates, displays, and supports navigation within information from its environment, such as on a computer network. Typically, the application software is used to access resources made available via various protocols. Application software includes, but is not limited to, desktop graphical browsers, text browsers, voice browsers, mobile phones, multimedia players, plug-ins, and some software assistive technologies used in conjunction with browsers such as screen readers, screen magnifiers, and voice recognition software.
Domain Name System (DNS) is an Internet protocol and service that translates hostnames and domain names into Internet Protocol (IP) addresses. The domain name www.example.com might translate to 192.168.1.1, for example. The DNS is its own network. If one DNS server does not know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is acquired. A client, consumer, user or generally anyone that utilizes DNS may be called a resolver; resolvers may be located in the application layer of the networking software of each Transmission Control Protocol/Internet Protocol (TCP/IP) capable entity. User agents that use the DNS rely heavily on the resolver. Communications are made to the DNS based upon the user agent's DNS settings which in turn handles the communications required.
The Web is based on the concept of hypertext and a transfer method known as Hypertext Transfer Protocol (HTTP) which is designed to run primarily via TCP/IP connections. HTTP permits user agents of client systems connected to networks to access independent and geographically scattered systems also connected to the Internet. User agent requests for data are made by means of an HTTP request. An HTTP request is information that a user agent sends to an entity containing the details of what the user agent wants and will accept back. An HTTP response is information that an entity sends back to the user agent in response to receiving an HTTP request. These transmissions may contain environment variables which provide information about the entities involved. Much of this information may be contained in the headers of the HTTP request and may include the client IP address and identification of the user agent. However there are no protocols that specify including current DNS settings of the client user agent as an environmental variable. Therefore, a server has no way to learn of both the IP address and current DNS settings from the request made by the client user agent.
DNS settings are becoming a rising attack vector. For example, an attacker's malicious code could change the DNS server settings on a victim's home broadband router (whether or not it's a wireless router). As a result, all future DNS requests would be resolved by the attacker's DNS server, which means that the attacker effectively could control the victim's Internet connection.
DNS also plays an essential and often unquestioned role in the operation of networks. Drive-by alterations of DNS host files are a looming threat and are associated with individual computers being directed to use rogue or malicious DNS services instead of those natural DNS servers provided by their network. This, of course, is different from traditional DNS attacks, such as poisoning, because the individual user's computer is targeted, instead of servers. Since these attacks involve only the victim and a complicit remote server, the attack is difficult to witness outside of the local network.
Accordingly, a need exists for a system, method and apparatus for discovering user agent DNS settings and an engine to analyze and correlate DNS settings in order to make a judgment on the authenticity of DNS settings to detect and alert on potential malicious or vulnerably DNS settings.