Order of rule matching, Creating a dns dpi policy and bind the rules to it – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual

Page 58


ServerIron ADX Security Guide, 53-1002440-03, page 44

DNS attack protection

The off parameter is matched if the RD flag is not set in the packet.

Syntax: query-dnssec-ok { on | off }

The on parameter is matched if the DNSSEC bit is set in the packet.

The off parameter is matched if the DNSSEC bit is not set in the packet.

Order of rule matching

Matching on the query-name is attempted first, in order of the length of the query-name string. This is
followed by the rules without a query-name (only if needed, that is, if no query-name rule matched), in
the order they were added to the policy. If two rules with a query-name have strings of the same length,
alphabetical order takes precedence; if two rules have exactly the same query-name string, the order in
which the rules were added to the policy takes precedence.

For example, initially the order of rules in a policy is:

1. Rule to match query-name www.brocade.com

2. Rule to match query-type A & query-RDflag ON

Adding two new rules, one matching query-name www.mywebsite.com and one matching query-type
AAAA, rearranges the rules in the policy as follows:

1. Rule to match query-name www.brocade.com

2. Rule to match query-name www.mywebsite.com

3. Rule to match query-type A & query-RDflag ON

4. Rule to match query-type AAAA

The policy-level configuration 'evaluate-generic-first' reverses this default behavior by first matching
the rules that are not based on query-names. In that case, the same rules would be ordered as follows:

1. Rule to match query-type A & query-RDflag ON

2. Rule to match query-type AAAA

3. Rule to match query-name www.brocade.com

4. Rule to match query-name www.mywebsite.com
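The following is an added example (not ServerIron code) that models the ordering described above: query-name rules sorted shortest string first (the direction inferred from the www.brocade.com / www.mywebsite.com example), ties broken alphabetically and then by binding order, generic rules in binding order, and evaluate-generic-first swapping the two groups. The rule names, the DnsRule model and the assumption that the first rule whose configured fields all match wins are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of a DNS DPI rule; field names are assumptions, not ADX CLI keywords.
@dataclass
class DnsRule:
    name: str                        # constructed rule name
    query_name: Optional[str] = None # query-name match, None = generic rule
    query_type: Optional[str] = None # query-type match (A, AAAA, ...)
    rd_flag: Optional[bool] = None   # query-RDflag on/off, None = don't care
    seq: int = 0                     # order in which the rule was bound to the policy

def order_rules(rules, evaluate_generic_first=False):
    """Return the rules in the order the policy evaluates them.

    query-name rules: shortest string first, then alphabetical, then binding
    order. Generic rules (no query-name): binding order only.
    evaluate-generic-first puts the generic group ahead of the named group.
    """
    named = sorted((r for r in rules if r.query_name is not None),
                   key=lambda r: (len(r.query_name), r.query_name, r.seq))
    generic = sorted((r for r in rules if r.query_name is None),
                     key=lambda r: r.seq)
    return generic + named if evaluate_generic_first else named + generic

def first_match(ordered, qname, qtype, rd):
    """First rule whose configured fields all match the query, or None (assumed semantics)."""
    for r in ordered:
        if r.query_name is not None and r.query_name != qname:
            continue
        if r.query_type is not None and r.query_type != qtype:
            continue
        if r.rd_flag is not None and r.rd_flag != rd:
            continue
        return r
    return None

# The four rules from the manual's example, bound in this sequence (constructed names).
POLICY = [
    DnsRule("brocade", query_name="www.brocade.com", seq=1),
    DnsRule("a-rd", query_type="A", rd_flag=True, seq=2),
    DnsRule("mywebsite", query_name="www.mywebsite.com", seq=3),
    DnsRule("aaaa", query_type="AAAA", seq=4),
]

if __name__ == "__main__":
    for generic_first in (False, True):
        print("evaluate-generic-first =", generic_first,
              [r.name for r in order_rules(POLICY, generic_first)])
```

Running it shows that a query for www.brocade.com with type A and RD set hits the query-name rule by default but the generic A/RD rule once evaluate-generic-first is enabled, which is why the ordering matters when actions differ between rules.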

Creating a DNS DPI policy and binding the rules to it

A DNS DPI policy specifies the action to take when a previously defined rule is matched. A DNS DPI
policy is defined as shown.

ServerIron(config)# csw-policy DNSpolicy1 type dns-filter

Syntax: [no] csw-policy <policy-name> type dns-filter

The <policy-name> variable specifies a name for the CSW policy that must be unique across all
CSW functionality.

NOTE

A maximum of 255 DNS policies can be configured on a ServerIron ADX. The total number of rules
that can be bound to a single policy is 512, and the global limit for rules bound to policies is 2500.
For example, if you bind 500 rules to each of 5 policies, you reach the global limit of 2500.
