Displaying dns attack protection information, Displaying dns dpi policy counters – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


ServerIron ADX Security Guide

53-1002440-03

DNS attack protection


This command enables DNS content switching.

Configuring global commands for DNS attack protection

You can optionally configure the following to apply to all DNS attack protection configurations:

Dropping all DNS packets that are fragmented

Dropping all DNS packets with multiple queries

Dropping all DNS packets that are malformed

To configure a ServerIron ADX to drop all DNS packets that are fragmented, use the server dns-dpi
drop-frag-pkts command as shown.

ServerIron(config)# server dns-dpi drop-frag-pkts

Syntax: [no] server dns-dpi drop-frag-pkts

To configure a ServerIron ADX to drop all DNS packets with multiple queries, use the server dns-dpi
drop-multiple-query-pkts command as shown.

ServerIron(config)# server dns-dpi drop-multiple-query-pkts

Syntax: [no] server dns-dpi drop-multiple-query-pkts

To configure a ServerIron ADX to drop all DNS packets that are malformed, use the server dns-dpi
drop-incomplete-malformed-pkts command as shown.

ServerIron(config)# server dns-dpi drop-incomplete-malformed-pkts

Syntax: [no] server dns-dpi drop-incomplete-malformed-pkts
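The three global commands above each drop one class of packet before any policy rule is evaluated. The following is an added example, not ServerIron ADX code and not from this guide: a small Python classifier that applies the same three conditions (fragmented, multiple queries, incomplete or malformed) to raw IPv4/UDP/DNS packets constructed inline, so you can see concretely which packets each command would remove. The exact parsing rules the ADX uses are not documented on this page; the checks below (MF flag or non-zero fragment offset, QDCOUNT greater than 1, a question section that does not fit in the message) are this example's own reading of them and should be treated as an assumption.

```python
"""Added example: classify DNS packets against the three global DNS DPI drop
rules (drop-frag-pkts, drop-multiple-query-pkts, drop-incomplete-malformed-pkts).
Not ServerIron code; the checks are an assumed reading of what each rule means."""
import struct

DNS_HEADER_LEN = 12
UDP_HEADER_LEN = 8
IPV4_HEADER_LEN = 20
IPPROTO_UDP = 17


def build_dns_query(qnames, qtype=1, qclass=1, txid=0x1234):
    """Constructed sample input: a standard DNS query, one question per name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, len(qnames), 0, 0, 0)
    body = b""
    for name in qnames:
        for label in name.rstrip(".").split("."):
            body += bytes([len(label)]) + label.encode("ascii")
        body += b"\x00" + struct.pack("!HH", qtype, qclass)
    return header + body


def build_ipv4_udp(payload, more_fragments=False, frag_offset=0,
                   src=b"\xc0\xa8\x01\x0a", dst=b"\xc0\xa8\x01\x35"):
    """Constructed sample input: IPv4/UDP wrapper to port 53 (checksums left at zero)."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    total_len = IPV4_HEADER_LEN + UDP_HEADER_LEN + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0xBEEF, flags_frag,
                     64, IPPROTO_UDP, 0, src, dst)
    udp = struct.pack("!HHHH", 40000, 53, UDP_HEADER_LEN + len(payload), 0)
    return ip + udp + payload


def is_fragment(pkt):
    """Rule 1 (drop-frag-pkts): MF flag set or a non-zero fragment offset."""
    if len(pkt) < IPV4_HEADER_LEN:
        return False
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return bool(flags_frag & 0x2000) or (flags_frag & 0x1FFF) != 0


def dns_message(pkt):
    """Return the UDP payload if this is a well-delimited IPv4/UDP datagram, else None."""
    if len(pkt) < IPV4_HEADER_LEN or (pkt[0] >> 4) != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != IPPROTO_UDP or len(pkt) < ihl + UDP_HEADER_LEN:
        return None
    udp_len = struct.unpack("!H", pkt[ihl + 4:ihl + 6])[0]
    payload = pkt[ihl + UDP_HEADER_LEN:]
    if udp_len != UDP_HEADER_LEN + len(payload):
        return None  # UDP length disagrees with the bytes present: incomplete datagram
    return payload


def question_count(dns):
    """QDCOUNT from the DNS header (rule 2, drop-multiple-query-pkts, keys on this)."""
    return struct.unpack("!H", dns[4:6])[0]


def is_malformed(dns):
    """Rule 3 (drop-incomplete-malformed-pkts), as assumed here: the header must be
    complete and every question's name and fixed fields must fit in the message."""
    if len(dns) < DNS_HEADER_LEN:
        return True
    pos = DNS_HEADER_LEN
    for _ in range(question_count(dns)):
        while True:                          # walk the labels of one QNAME
            if pos >= len(dns):
                return True                  # name runs past the end of the message
            length = dns[pos]
            if length == 0:                  # root label terminates the name
                pos += 1
                break
            if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
                pos += 2
                break
            if length & 0xC0:                # 0x40/0x80 label types are reserved
                return True
            pos += 1 + length
        pos += 4                             # QTYPE + QCLASS
        if pos > len(dns):
            return True
    return False


def classify(pkt, drop_frag=True, drop_multi=True, drop_malformed=True):
    """Apply the enabled global rules in order and report the resulting action."""
    if drop_frag and is_fragment(pkt):
        return "drop:fragmented"
    dns = dns_message(pkt)
    if dns is None or len(dns) < DNS_HEADER_LEN:
        return "drop:malformed" if drop_malformed else "pass"
    if drop_multi and question_count(dns) > 1:
        return "drop:multiple-query"
    if drop_malformed and is_malformed(dns):
        return "drop:malformed"
    return "pass"


# Constructed sample packets, one per rule plus a clean query.
SAMPLE_PACKETS = {
    "single_query": build_ipv4_udp(build_dns_query(["example.com"])),
    "two_queries": build_ipv4_udp(build_dns_query(["example.com", "example.net"])),
    "first_fragment": build_ipv4_udp(build_dns_query(["example.com"]), more_fragments=True),
    "later_fragment": build_ipv4_udp(b"\x00" * 16, frag_offset=185),
    "truncated_question": build_ipv4_udp(build_dns_query(["example.com"])[:20]),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:20s} -> {classify(pkt)}")
```

The keyword arguments on `classify` mirror the `[no]` form of each command: turning a rule off lets the corresponding sample packet through, which is what you would see on the ADX after `no server dns-dpi ...`.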

Configuring the ADX to drop requests if servers in redirect actions are down

Within a DNS CSW policy (policy p1 in the example below), you can configure the ServerIron ADX to drop a request, rather than forward it, when the servers named in the matching rule's redirect action are down, as shown.

ServerIron(config-csw-pol-p1)# dns-drop-on-fwd-fail

Syntax: [no] dns-drop-on-fwd-fail

Configuring the ADX to evaluate rules without query name first

By default, rules that match on a query name are evaluated before generic rules. Within a DNS CSW policy, you can configure the ServerIron ADX to evaluate the rules that do not match on a query name (the generic rules) first, as shown.

ServerIron(config-csw-pol-p1)# evaluate-generic-first

Syntax: [no] evaluate-generic-first

Displaying DNS attack protection information

The following information can be displayed regarding DNS attack protection.

DNS DPI policy counters

IP addresses held down by a rate limit action

Displaying DNS DPI policy counters

DNS DPI policy counters can be displayed for a specified DNS policy as shown.
