Dns Client Verification - HPE FlexNetwork MSR Series Configuration Manual

Comware 7 security
In SYN cookie mode, the TCP proxy acts as the server proxy that communicates with the clients and as the client proxy that communicates with the server. Choose this mode when both of the following requirements are met:
The TCP proxy device is deployed on the key path that passes through the ingress and egress of the protected server.
All packets exchanged between the clients and the server pass through the TCP proxy device.
Figure 179 TCP proxy in SYN cookie mode (TCP client, TCP proxy, TCP server; exchange shown: (1) SYN, (2) SYN ACK (win=0), (3) ACK, (4) SYN, (5) SYN ACK (win=n), (6) ACK, (7) ACK (win=0))

DNS client verification

The DNS client verification feature protects DNS servers against DNS flood attacks. It is configured on the device that packets from the DNS clients to the DNS servers pass through. The device with the DNS client verification feature configured is called a DNS client authenticator.
As shown in Figure 186, the DNS client verification functions as follows:
1. Upon receiving a UDP DNS query destined for a protected server, the DNS client authenticator responds with a DNS reply that has the TC (truncated) flag set. A truncated reply requires the client to retry the query over TCP.
2. When the authenticator receives a TCP SYN packet to port 53 from the client (the start of the TCP retry), the authenticator responds with a SYN-ACK packet that contains an incorrect sequence number.
3. When the authenticator receives an RST packet from the client (the response a real TCP stack sends to a SYN-ACK that does not correctly acknowledge its SYN), the authenticator verifies the client as legitimate.
4. The authenticator adds the client's IP address to the trusted IP list and forwards the trusted client's subsequent packets to the server.
A flood source that spoofs its IP address never receives the truncated reply or the SYN-ACK, so it never sends the RST and is never added to the trusted IP list; its queries do not reach the server. Note that legitimate clients and resolvers must support DNS over TCP to pass this verification.
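The following is an added example that simulates the four-step exchange above; it is not Comware code and does not reflect the device's implementation. The server address 192.0.2.53, the client addresses, the packet representation and the trust check are assumptions made for the illustration. The manual only says the SYN-ACK carries an incorrect sequence number and that the RST verifies the client; this example makes that concrete by sending a SYN-ACK whose acknowledgment number does not match the client's SYN, relying on the standard TCP behavior (RFC 793, SYN-SENT state) that a real stack answers such a segment with an RST whose sequence number equals the bogus acknowledgment number, which the authenticator then matches. A spoofed flood and a forged RST are driven through the same state machine to show why they are not trusted.

```python
# Added example: simulation of DNS client verification (not Comware code).
# Server address, client addresses, packet fields and the RST matching rule are
# assumptions for the illustration.
import random
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

PROTECTED_SERVER = "192.0.2.53"   # assumed address of the protected DNS server
DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                          # "udp" or "tcp"
    dport: int = DNS_PORT
    flags: FrozenSet[str] = frozenset()  # TCP flags: SYN, ACK, RST
    seq: int = 0                        # TCP sequence number
    ack: int = 0                        # TCP acknowledgment number
    tc: bool = False                    # DNS TC (truncated) bit on a UDP reply


class DnsClientAuthenticator:
    """Sits on the path from DNS clients to the protected server and applies steps 1-4."""

    def __init__(self, protected: str, seed: int = 1):
        self.protected = protected
        self.trusted = set()      # trusted IP list (step 4)
        self.pending = {}         # client ip -> bogus ack number we put in the SYN-ACK
        self.rng = random.Random(seed)

    def handle(self, pkt: Packet) -> Tuple[str, Optional[Packet]]:
        """Return ("forward" | "reply" | "drop", reply packet or None)."""
        if pkt.dst != self.protected or pkt.dport != DNS_PORT:
            return "forward", None            # not a protected DNS flow
        if pkt.src in self.trusted:
            return "forward", None            # step 4: trusted client, pass through
        if pkt.proto == "udp":
            # step 1: answer the UDP query with TC set so the client retries over TCP
            return "reply", Packet(src=pkt.dst, dst=pkt.src, proto="udp", tc=True)
        if pkt.flags == frozenset({"SYN"}):
            # step 2: SYN to port 53 -> SYN-ACK with a deliberately wrong ack number
            bogus = (pkt.seq + 1 + self.rng.randrange(1, 2 ** 31)) % 2 ** 32
            self.pending[pkt.src] = bogus
            return "reply", Packet(src=pkt.dst, dst=pkt.src, proto="tcp",
                                   flags=frozenset({"SYN", "ACK"}),
                                   seq=self.rng.getrandbits(32), ack=bogus)
        if pkt.flags == frozenset({"RST"}):
            # step 3: a real stack resets with seq == the ack number it was given;
            # matching it proves the client actually received our SYN-ACK
            if self.pending.pop(pkt.src, None) == pkt.seq:
                self.trusted.add(pkt.src)
                return "drop", None           # RST consumed, client now trusted
        return "drop", None                   # unverified traffic never reaches the server


def rfc_client_reply(synack: Packet, client_isn: int) -> Packet:
    """What a standards-conforming TCP stack in SYN-SENT state sends back to a SYN-ACK."""
    if synack.ack != client_isn + 1:
        # unacceptable ACK: reset with seq = the ack number we were given
        return Packet(src=synack.dst, dst=synack.src, proto="tcp",
                      flags=frozenset({"RST"}), seq=synack.ack)
    return Packet(src=synack.dst, dst=synack.src, proto="tcp",
                  flags=frozenset({"ACK"}), seq=client_isn + 1, ack=synack.seq + 1)


def run_exchange(auth: DnsClientAuthenticator, client_ip: str,
                 client_isn: int = 1000) -> List[Tuple[str, object]]:
    """Drive one legitimate client through steps 1-4; return the actions taken."""
    actions = []
    act, reply = auth.handle(Packet(client_ip, auth.protected, "udp"))
    actions.append((act, reply.tc if reply else None))          # TC reply sent
    act, synack = auth.handle(Packet(client_ip, auth.protected, "tcp",
                                     flags=frozenset({"SYN"}), seq=client_isn))
    actions.append((act, synack.flags == frozenset({"SYN", "ACK"})))
    act, _ = auth.handle(rfc_client_reply(synack, client_isn))
    actions.append((act, client_ip in auth.trusted))            # RST verified
    act, _ = auth.handle(Packet(client_ip, auth.protected, "tcp",
                                flags=frozenset({"SYN"}), seq=client_isn + 5000))
    actions.append((act, None))                                 # retry is forwarded
    return actions


def spoofed_flood(auth: DnsClientAuthenticator, n: int = 1000, seed: int = 7) -> int:
    """Constructed flood of spoofed-source UDP queries; return how many were forwarded."""
    rng = random.Random(seed)
    forwarded = 0
    for _ in range(n):
        src = "198.51.100.%d" % rng.randrange(1, 255)   # spoofer never sees the TC reply
        act, _ = auth.handle(Packet(src, auth.protected, "udp"))
        forwarded += act == "forward"
    return forwarded


if __name__ == "__main__":
    auth = DnsClientAuthenticator(PROTECTED_SERVER)
    print(run_exchange(auth, "203.0.113.10"))
    print("spoofed queries forwarded:", spoofed_flood(auth))
```

The trusted list here never expires; a real deployment ages entries out, and a client that only speaks UDP DNS (no TCP fallback) is dropped at step 1, which is the failure mode to watch for when enabling the feature in front of resolvers.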