US Patent 9253068 Network application classification for network traffic management

Network traffic with encrypted packet payloads is classified based on monitored Domain Name System (DNS) query requests and responses. A network appliance, or some other computer, receives a DNS query request for a network name (e.g., host name) of a content server, and starts monitoring for a corresponding DNS query response. The network appliance receives the DNS query response and parses the DNS query response to retrieve an Internet Protocol (IP) address associated with the network name. The network appliance classifies the IP address as belonging to the content server or a network application associated with the content server. When the network appliance subsequently receives packets with a source or destination address that matches the IP address, the network appliance classifies the received packets as belonging to the content server or a network application associated with the content server.