DNS Attack Protection; Notes - Brocade Communications Systems ServerIron ADX 12.4.00a Security Manual

Version 12.4.00a
DNS attack protection
The ServerIron ADX can be configured to provide DNS attack protection for VIP traffic. The protection works by performing a deep packet scan of each DNS request and classifying it on the following fields: the query type, the query name, the RD (recursion desired) flag, and the DNSSEC "OK" (DO) bit carried in the EDNS0 OPT record. Based on this classification, the following actions can be taken, either individually or in combination: forward the traffic to a specific server group, drop the packet, log the event, or rate limit DNS traffic from the identified client.
Figure 4 shows a possible deployment of this feature. In this configuration, DNS deep packet inspection with DNS filtering could be configured to perform the following actions.

Block specified types of DNS queries, for example:
• Block queries with the RD flag set.
• Block queries with the DNSSEC "OK" bit set.

Log specified types of DNS queries, for example:
• Log the number of queries for "www.mydomain.com".

Redirect specified DNS queries to a different set of DNS servers, for example:
• Forward all requests with the DNSSEC "OK" bit set to a separate set of servers.
• Forward all queries for "www.mydomain.com" to a different group of servers.

Impose rate limiting for certain types of DNS queries per client, for example:
• Rate limit queries for "www.mydomain.com" from each client.
• Rate limit the number of MX queries that a client can send.

FIGURE 4 DNS attack protection (topology: DNS client A and DNS client B reach the ServerIron ADX VIP 200.200.200.1 across the Internet; the ADX forwards the inspected queries to the DNS servers behind it)

Notes:

1. Only DNS requests using UDP transport (port 53) are supported.
2. If an incoming request matches an existing L4 session (including sticky sessions), DNS filtering will not apply to that request.
3. A query that spans multiple packets is not supported.
4. When a single DNS packet carries multiple queries, only the first query is processed.
5. There is no csw dns rule to identify DNS root requests.

ServerIron ADX Security Guide
53-1002440-03
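The classification and action pipeline described above, written out as an added Python example so the four match fields and the combinable actions can be seen on real packet bytes. This is illustrative code, not the ServerIron ADX's implementation or its CLI syntax: the `DnsPolicy` class, the rule names, the fixed-window per-client rate limiter and the server-group names are assumptions, and the query packets are constructed inline rather than captured. Like the ADX (note 4), it examines only the first question when a packet carries several, and it takes a UDP/53 payload as input (note 1).

```python
import struct
from collections import defaultdict

EDNS_DO = 0x8000          # DO bit: high bit of the OPT RR's TTL field (RFC 6891)
QTYPE = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28, "ANY": 255}
OPT = 41


def encode_name(name):
    """Encode 'www.mydomain.com' as uncompressed DNS labels."""
    labels = [l for l in name.strip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Decode labels at `off`; returns (name, next offset). Compression pointers
    are rejected: a query's question section is uncompressed by construction."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer in query name")
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_query(qname, qtype, rd=False, do_bit=False, txid=0x1234, extra=()):
    """Constructed UDP/53 query payload used as sample input (not a capture)."""
    flags = 0x0100 if rd else 0x0000             # QR=0, OPCODE=QUERY, RD bit
    questions = [(qname, qtype)] + list(extra)
    pkt = struct.pack("!HHHHHH", txid, flags, len(questions), 0, 0, 1 if do_bit else 0)
    for name, t in questions:
        pkt += encode_name(name) + struct.pack("!HH", QTYPE[t], 1)   # class IN
    if do_bit:
        # OPT pseudo-RR: root name, TYPE 41, CLASS = UDP payload size, TTL carries DO, RDLEN 0
        pkt += b"\x00" + struct.pack("!HHIH", OPT, 4096, EDNS_DO, 0)
    return pkt


def classify(pkt):
    """Deep-packet classification of one DNS query: qname, qtype, RD flag, DNSSEC OK.
    Only the first question is examined when QDCOUNT > 1 (as note 4 says the ADX does)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qd == 0:
        raise ValueError("not a query")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    for _ in range(qd - 1):                       # skip further questions unexamined
        _, off = decode_name(pkt, off)
        off += 4
    do_bit = False
    for _ in range(an + ns + ar):                 # walk the RRs looking for the OPT record
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT and name == "":
            do_bit = bool(ttl & EDNS_DO)
    return {"qname": qname.lower(), "qtype": qtype, "rd": bool(flags & 0x0100), "do": do_bit}


class DnsPolicy:
    """Ordered rules (assumed structure); each carries any combination of
    drop / log / group / rate_limit, applied in order to one classified query."""

    def __init__(self, rules, window=1.0):
        self.rules, self.window = rules, window
        self.counts = defaultdict(int)           # (client, rule, window index) -> queries seen
        self.log = []

    def apply(self, client, pkt, now=0.0):
        q = classify(pkt)
        verdict = {"action": "forward", "group": "default", "matched": []}
        for name, match, actions in self.rules:
            if not match(q):
                continue
            verdict["matched"].append(name)
            if actions.get("log"):
                self.log.append((client, name, q["qname"], q["qtype"]))
            if "group" in actions:
                verdict["group"] = actions["group"]
            if "rate_limit" in actions:          # fixed window per client and rule (assumption)
                key = (client, name, int(now // self.window))
                self.counts[key] += 1
                if self.counts[key] > actions["rate_limit"]:
                    verdict["action"] = "drop"
            if actions.get("drop"):
                verdict["action"] = "drop"
        return verdict


# Rule set mirroring the page's examples; names and group names are assumptions.
POLICY = DnsPolicy([
    ("block-rd",     lambda q: q["rd"],                           {"drop": True, "log": True}),
    ("dnssec-group", lambda q: q["do"],                           {"group": "dnssec-servers"}),
    ("www-group",    lambda q: q["qname"] == "www.mydomain.com",  {"log": True, "group": "www-servers"}),
    ("mx-limit",     lambda q: q["qtype"] == QTYPE["MX"],         {"rate_limit": 2}),
])

if __name__ == "__main__":
    for t, pkt in (("www A", build_query("www.mydomain.com", "A")),
                   ("RD set", build_query("mydomain.com", "A", rd=True)),
                   ("DO set", build_query("example.org", "AAAA", do_bit=True))):
        print(t, POLICY.apply("10.0.0.1", pkt))
```

Two points the packet walk makes concrete: the DO bit is not in the 12-byte header but in the TTL field of the OPT pseudo-RR in the additional section, so a classifier that only reads header flags never sees it; and because only the first question is classified, a packet whose second question names the protected zone matches no rule, which is the behaviour note 4 describes and a reason the per-client rate limit should key on the client rather than on the name alone.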