DETAILED ACTION
Claims 1 & 12 have been amended. Claims 2-3, 6-11 & 13-14 have been canceled. Claim 16 has been newly added. Claims 1, 4-5, 12, & 15-16 remain pending.
Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with Benjamin Koopferstock on January 24, 2022. The application has been amended as follows: 
In the claims:
1.	(Currently Amended)	A method comprising:
monitoring, by a domain name server (DNS), DNS queries raised by a DNS client communicatively coupled to the DNS;
identifying, by the DNS, from amongst the DNS queries raised by the DNS client, a plurality of DNS queries whose fully qualified domain name (FQDN) is not present in a cache of the DNS;
determining a sum of sizes of the plurality of DNS queries whose FQDN is not present in the cache of the DNS;
detecting, for the DNS client, an exfiltration event based on the sum of sizes of the plurality of DNS queries whose FQDN is not present in the cache of the DNS; 
blocking, based on the detection of the exfiltration event, a further DNS query from the DNS client;
providing, by the DNS, an alert to a third-party computing device, wherein the third-party computing device is accessible by an administrator of the DNS or the DNS client;
inspecting, by the DNS, a FQDN associated with the further DNS query from the DNS client; and
allowing the further DNS query if the FQDN is present in the cache of the DNS.

2–3.	(Cancelled)	

4.	(Previously presented)	The method as claimed in claim 1, wherein the plurality of DNS queries include a same Top Level Domain (TLD) and a different Second Level Domain (SLD). 

5.	(Previously presented)	The method as claimed in claim 1, further comprising:
monitoring, by the DNS, DNS responses received by the DNS client, wherein the DNS responses are received in response to the plurality of DNS queries whose FQDN is not present in the cache of the DNS;
detecting, an infiltration event based on a sum of sizes of the DNS responses; and
blocking, based on the detection of the infiltration event, the further DNS query from the DNS client.

6–11.	(Cancelled)	

12.	(Currently Amended)	A non-transitory computer-readable medium comprising instructions executable by a processing resource to:
monitor a plurality of DNS queries generated by a DNS client communicatively coupled to a DNS, wherein the plurality of DNS queries are associated with a fully qualified domain name (FQDN) not present in a cache of the DNS; 
identify, a plurality of DNS responses received by the DNS, wherein the plurality of DNS responses are received in response to the plurality of DNS queries whose FQDN is not present in the cache of the DNS;
determine, at least one of a sum of sizes of the plurality of DNS queries and a sum of sizes of the plurality of DNS responses; 
block, based on the sum of sizes of the plurality of DNS queries or the sum of sizes of the plurality of DNS responses, a further DNS query from the DNS client;
provide an alert to a third-party computing device, wherein the third-party computing device is accessible by an administrator of the DNS or the DNS client;
inspect a FQDN associated with the further DNS query from the DNS client; and
allow the further DNS query if the FQDN is present in the cache of the DNS.

13–14.	(Cancelled)	

15.	(Previously presented)	The non-transitory computer-readable medium as claimed in claim 12, further comprising instructions executable by a processing resource to identify a Top Level Domain (TLD) and a Second Level Domain (SLD) associated with each of the plurality of DNS queries.

16.	(New)	A domain name server (DNS) for executing DNS queries initiating from a DNS client, the DNS comprising:
a processor;
cache; and
memory comprising a cache and executable instructions, wherein the executable instructions, when executed by the processor, cause the DNS to:
monitor a plurality of DNS queries generated by the DNS client, wherein the plurality of DNS queries are associated with a fully qualified domain name (FQDN) not present in the cache;
identify, a plurality of DNS responses received by the DNS, wherein the plurality of DNS responses are received in response to the plurality of DNS queries whose FQDN is not present in the cache of the DNS;
determine, at least one of a sum of sizes of the plurality of DNS queries and a sum of sizes of the plurality of DNS responses;
block, based on the sum of sizes of the plurality of DNS queries or the sum of sizes of the plurality of DNS responses, a further DNS query from the DNS client;
provide an alert to a third-party computing device, wherein the third-party computing device is accessible by an administrator of the DNS or the DNS client;
inspect a FQDN associated with the further DNS query from the DNS client; and
allow the further DNS query if the FQDN is present in the cache.

	

PLEASE CANCEL CLAIMS 2-3, 6-11, &13-14. 

Allowable Subject Matter
Claims 1, 4-5, 12, & 15-16 are allowed. No reason for allowance is needed as the record is clear in light of applicant’s arguments and examiner amendment above. See MPEP 1302.14(l).

According to MPEP 1302.14 (I): “In most cases, the examiner’s actions and the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule. This is particularly true when applicant fully complies with 37 CFR 1.111 (b) and (c) and 37 CFR 1.133(b). Thus, where the examiner’s actions clearly point out the reasons for rejection and the applicant’s reply explicitly presents reasons why claims are patentable over the reference, the reasons for allowance are in all probability evident from the record and no statement should be necessary.”
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SHARIF ULLAH whose telephone number is (571)272-5453.  The examiner can normally be reached on Mon-Fri 7:30-5:00.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 5712723739.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.


/SHARIF E ULLAH/Primary Examiner, Art Unit 2495