Displaying Dns Attack Protection Information - Brocade Communications Systems ServerIron ADX 12.4.00a Security Manual

Version 12.4.00a
DNS attack protection
This command enables DNS content switching.
Configuring global commands for DNS attack protection
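You can optionally configure the following to apply to all DNS attack protection configurations:
• Dropping all DNS packets that are fragmented
• Dropping all DNS packets with multiple queries
• Dropping all DNS packets that are malformed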
To configure a ServerIron ADX to drop all DNS packets that are fragmented, use the server dns-dpi drop-frag-pkts command as shown.
ServerIron(config)# server dns-dpi drop-frag-pkts
Syntax: [no] server dns-dpi drop-frag-pkts
To configure a ServerIron ADX to drop all DNS packets with multiple queries, use the server dns-dpi drop-multiple-query-pkts command as shown.
ServerIron(config)# server dns-dpi drop-multiple-query-pkts
Syntax: [no] server dns-dpi drop-multiple-query-pkts
To configure a ServerIron ADX to drop all DNS packets that are malformed, use the server dns-dpi drop-incomplete-malformed-pkts command as shown.
ServerIron(config)# server dns-dpi drop-incomplete-malformed-pkts
Syntax: [no] server dns-dpi drop-incomplete-malformed-pkts
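To make concrete what the three global checks inspect, the following Python sketch is an added example, not Brocade code or a description of ADX internals: it classifies a constructed IPv4/UDP DNS packet as fragmented, multiple-query, or incomplete/malformed. The helper names, the sample addresses, and the malformed criteria used here (short header, question running past the payload, label length above 63) are assumptions; the manual does not state the ADX's exact criteria.

```python
import struct

def build_query(names, truncate=0):
    """Constructed sample: DNS query message with one question per name."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, len(names), 0, 0, 0)
    for name in names:
        for label in name.split("."):
            msg += bytes([len(label)]) + label.encode()
        msg += b"\x00" + struct.pack("!HH", 1, 1)    # QTYPE=A, QCLASS=IN
    return msg[:len(msg) - truncate]

def ipv4_udp(payload, flags_frag=0):
    """Constructed sample: minimal IPv4+UDP wrapper (checksums left zero)."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, flags_frag,
                     64, 17, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + udp

def drop_reason(packet):
    """Return which of the three global checks would match, or None."""
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    if flags_frag & 0x2000 or flags_frag & 0x1FFF:   # MF set or offset != 0
        return "fragmented"
    ihl = (packet[0] & 0x0F) * 4                     # IPv4 header length
    dns = packet[ihl + 8:]                           # skip the UDP header
    if len(dns) < 12:                                # DNS header is 12 bytes
        return "incomplete-malformed"
    qdcount = struct.unpack("!H", dns[4:6])[0]
    pos = 12
    for _ in range(qdcount):                         # walk every question
        while True:
            if pos >= len(dns):
                return "incomplete-malformed"
            length = dns[pos]
            pos += 1
            if length == 0:                          # root label ends the name
                break
            if length > 63:                          # assumption: reject pointers
                return "incomplete-malformed"
            pos += length
        pos += 4                                     # QTYPE + QCLASS
        if pos > len(dns):
            return "incomplete-malformed"
    if qdcount > 1:
        return "multiple-query"
    return None
```

A well-formed single-question query returns None; a packet with only the DF bit set is not treated as a fragment.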
Configuring the ADX to drop requests if servers in redirect actions are down
You can configure the ServerIron ADX to drop requests if servers in redirect actions are down as shown.
ServerIron(config-csw-pol-p1)# dns-drop-on-fwd-fail
Syntax: [no] dns-drop-on-fwd-fail
Configuring the ADX to evaluate rules without query name first
You can configure the ServerIron ADX to evaluate rules without query name first as shown.
ServerIron(config-csw-pol-p1)# evaluate-generic-first
Syntax: [no] evaluate-generic-first

Displaying DNS attack protection information

The following information can be displayed regarding DNS attack protection:
• DNS DPI policy counters
• IP addresses held down by a rate limit action
Displaying DNS DPI policy counters
DNS DPI policy counters can be displayed for a specified DNS policy as shown.
ServerIron ADX Security Guide
53-1002440-03
