Dns attack protection, Notes – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide

53-1002440-03


DNS attack protection

The ServerIron ADX can be configured to provide DNS attack protection to VIP traffic. This
protection is provided by performing a deep packet scan and then classifying DNS requests based
on the following: query type, query name, RD flag or the DNSSEC “OK” bit in the EDNS0 header.
Based on this classification, the following actions can be taken either individually or in
combination: forward traffic to a specific server group, drop packets, log events or rate limit DNS
traffic from the identified client.

Figure 4 displays a potential configuration of this feature. For this configuration, a DNS deep packet
inspection with DNS filtering could be configured to perform the following actions.

• Block specified types of DNS queries – for example:
    • Block queries with the RD flag set.
    • Block queries with the DNSSEC “OK” bit set.

• Log specified types of DNS queries – for example:
    • Log the number of queries to “www.mydomain.com”.

• Redirect specified DNS queries to a different set of DNS servers – for example:
    • Forward all requests with the DNSSEC “OK” bit set to a separate set of servers.
    • Forward all queries for “www.mydomain.com” to a different group of servers.

• Impose rate limiting for certain types of DNS queries per client – for example:
    • Rate limit queries to “www.mydomain.com” for each client.
    • Rate limit the number of MX queries that a client can send.

FIGURE 4

DNS attack protection

Notes:

1. Only DNS requests using UDP transport (port 53) are supported.

2. If an incoming request matches an existing L4 session (including sticky sessions), DNS filtering will not be applied to the request.

3. A query is not expected to span multiple packets.

4. When multiple queries are present in a single DNS packet, only the first RR (question) will be processed.

5. There is no csw dns rule to identify DNS Root requests.
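To make the classification dimensions concrete (query type, query name, RD flag, and the DNSSEC “OK” (DO) bit carried in the EDNS0 OPT record), here is an added Python example that parses a UDP DNS query, pulls out those four fields, and applies a first-match rule list built from the four actions above (drop, forward, log, rate limit). It is illustrative code written for this page, not Brocade's implementation or the ADX's csw dns rule syntax; the rule table, the server-group names, the fixed-window rate limiter and the packets it builds are all constructed for the example. Like note 4, it examines only the first question in a packet.

```python
import struct

# Well-known QTYPE values (RFC 1035, RFC 3596, RFC 6891); OPT is the EDNS0 pseudo-RR.
QTYPE = {"A": 1, "NS": 2, "MX": 15, "AAAA": 28, "OPT": 41, "ANY": 255}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}
FLAG_QR, FLAG_RD, EDNS_DO = 0x8000, 0x0100, 0x8000   # DO bit lives in the OPT RR's TTL field

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero octet."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(pkt, off):
    """Decode an uncompressed wire-format name; returns (dotted name, next offset)."""
    labels = []
    while True:
        ln = pkt[off]
        if ln == 0:
            return ".".join(labels) + ".", off + 1
        if ln & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln

def build_query(qname, qtype="A", rd=True, do_bit=False, txid=0x1234):
    """Construct a minimal UDP DNS query for testing (constructed input, not a capture)."""
    hdr = struct.pack("!HHHHHH", txid, FLAG_RD if rd else 0, 1, 0, 0, 1 if do_bit else 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    opt = b""
    if do_bit:
        # OPT RR: root name, type 41, class = UDP payload size, TTL field carries DO
        opt = b"\x00" + struct.pack("!HHIH", QTYPE["OPT"], 4096, EDNS_DO, 0)
    return hdr + question + opt

def parse_query(pkt):
    """Extract the four classification fields from one DNS query.
    Only the first question is examined; later questions and RRs are skipped over."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_QR or qd == 0:
        raise ValueError("not a DNS query")
    qname, off = decode_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    for _ in range(qd - 1):                      # skip any additional questions
        _, off = decode_name(pkt, off)
        off += 4
    do_bit = False
    for _ in range(an + ns + ar):                # walk the RRs looking for OPT
        _, off = decode_name(pkt, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == QTYPE["OPT"]:
            do_bit = bool(ttl & EDNS_DO)
    return {"qname": qname.lower(), "qtype": QTYPE_NAME.get(qtype, qtype),
            "rd": bool(flags & FLAG_RD), "do": do_bit}

# Constructed policy in the spirit of the actions listed above; first match wins.
RULES = [
    ({"qtype": "ANY"}, "drop"),
    ({"do": True}, "forward:dnssec-servers"),
    ({"qname": "www.mydomain.com."}, "rate-limit"),
    ({"rd": False}, "log"),
]

def classify(info, rules=RULES):
    for match, action in rules:
        if all(info.get(k) == v for k, v in match.items()):
            return action
    return "forward:default"

class ClientRateLimiter:
    """Fixed-window per-client counter (hypothetical; not the ADX's own algorithm)."""
    def __init__(self, limit, window=1.0):
        self.limit, self.window, self.buckets = limit, window, {}

    def allow(self, client, now):
        start, count = self.buckets.get(client, (now, 0))
        if now - start >= self.window:
            start, count = now, 0
        self.buckets[client] = (start, count + 1)
        return count + 1 <= self.limit

def handle(client, pkt, limiter, now):
    """Decide what the filter does with one query from `client` received at time `now`."""
    action = classify(parse_query(pkt))
    if action == "rate-limit":
        return "forward:default" if limiter.allow(client, now) else "drop"
    return action

if __name__ == "__main__":
    lim = ClientRateLimiter(limit=2)
    for i in range(3):
        print(handle("10.0.0.5", build_query("www.mydomain.com"), lim, now=100.0 + i * 0.1))
```

The rule order matters in the same way it would on a real filter: a DO-bit query for www.mydomain.com is forwarded to the DNSSEC group before the rate-limit rule is ever consulted, so put the most specific (or most restrictive) rules first and test the table with packets that match more than one rule.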

[Figure 4 diagram: DNS client A and DNS client B reach the ServerIron ADX VIP 200.200.200.1 across the Internet; the ADX fronts two DNS servers.]
