Brocade Communications Systems 12.4.00a Home Theater Server User Manual


42 ServerIron ADX Security Guide
53-1002440-03
DNS attack protection
The ServerIron ADX can be configured to provide DNS attack protection for VIP traffic. The
protection works by performing a deep packet scan of each DNS request and classifying it on
the following: query type, query name, the RD flag, or the DNSSEC “OK” bit in the EDNS0 header.
Based on this classification, the following actions can be taken, either individually or in
combination: forward the traffic to a specific server group, drop the packet, log the event, or
rate limit DNS traffic from the identified client.
Figure 4 displays a potential configuration of this feature. For this configuration, DNS deep packet
inspection with DNS filtering could be configured to perform the following actions:
- Block specified types of DNS queries, for example:
  - Block queries with the RD flag set.
  - Block queries with the DNSSEC “OK” bit set.
- Log specified types of DNS queries, for example:
  - Log the number of queries to “www.mydomain.com”.
- Redirect specified DNS queries to a different set of DNS servers, for example:
  - Forward all requests with the DNSSEC “OK” bit set to a separate set of servers.
  - Forward all queries for “www.mydomain.com” to a different group of servers.
- Impose per-client rate limiting for certain types of DNS queries, for example:
  - Rate limit queries to “www.mydomain.com” for each client.
  - Rate limit the number of MX queries that a client can send.
FIGURE 4 DNS attack protection
Notes:
1. Only DNS requests using UDP transport (port 53) are supported.
2. If an incoming request matches an existing L4 session (including sticky sessions), DNS filtering
is not applied to that request.
3. A query is not expected to span multiple packets.
4. When a single DNS packet carries multiple queries, only the first RR is processed.
5. There is no csw dns rule to identify DNS Root requests.
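The classification described above (query type, query name, RD flag, DNSSEC “OK” bit) and the limits in the notes (first question only, one query per packet) can be made concrete with a small parser and rule engine. The following Python is an added example written for this page; it is not Brocade code and does not reproduce the ADX implementation or its csw CLI. The rule set, the rate-limit threshold of 5, the server-group names and the test packets are all constructed here for illustration.

```python
import struct
from collections import defaultdict

RD_FLAG = 0x0100   # Recursion Desired bit in the DNS header flags word
OPT_TYPE = 41      # EDNS0 OPT pseudo-RR type (RFC 6891)
DO_BIT = 0x8000    # DNSSEC OK bit: high bit of the low 16 bits of the OPT RR "TTL" field
QTYPE_MX = 15

def read_name(pkt, off):
    """Return (name, next_offset) for the DNS name at pkt[off:], following compression pointers."""
    labels, jumped, end = [], False, None
    for _ in range(128):                      # bounded loop: a malformed pointer cycle cannot hang us
        if off >= len(pkt):
            raise ValueError("truncated name")
        length = pkt[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:             # 2-byte compression pointer
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if not jumped:
                end = off + 2                 # resume after the pointer, not after its target
            jumped, off = True, ptr
            continue
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    else:
        raise ValueError("name too long or pointer loop")
    return ".".join(labels).lower(), (end if jumped else off)

def classify(pkt):
    """Extract the fields the page classifies on. Only the first question is examined,
    matching note 4 (only the first RR of a multi-query packet is processed)."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", pkt, 0)
    if qd < 1:
        raise ValueError("no question section")
    qname, off = read_name(pkt, 12)
    qtype, _qclass = struct.unpack_from("!HH", pkt, off)
    off += 4
    for _ in range(qd - 1):                   # skip any further questions (ignored, per note 4)
        _, off = read_name(pkt, off)
        off += 4
    for _ in range(an + ns):                  # skip answer/authority RRs to reach the additional section
        _, off = read_name(pkt, off)
        rdlen = struct.unpack_from("!HHIH", pkt, off)[3]
        off += 10 + rdlen
    do = False
    for _ in range(ar):                       # the EDNS0 OPT RR lives in the additional section
        _, off = read_name(pkt, off)
        rtype, _cls, ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10 + rdlen
        if rtype == OPT_TYPE and ttl & DO_BIT:
            do = True
    return {"qname": qname, "qtype": qtype, "rd": bool(flags & RD_FLAG), "do": do}

def build_query(qname, qtype, rd=True, do=False):
    """Constructed test input (not a captured packet): a minimal UDP DNS query."""
    pkt = struct.pack("!6H", 0x1234, RD_FLAG if rd else 0, 1, 0, 0, 1 if do else 0)
    for label in qname.split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)
    if do:                                    # root name, OPT, UDP size 4096, DO set, empty RDATA
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO_BIT, 0)
    return pkt

class DnsPolicy:
    """Toy rule engine for the actions the page lists: drop, log, forward to a server group,
    per-client rate limit. Rules are (predicate, action) pairs; the first match decides."""
    def __init__(self, rules, rate_limit=5):
        self.rules, self.rate_limit = rules, rate_limit
        self.counts = defaultdict(int)        # (client, qname, qtype) -> queries seen
        self.log = []

    def apply(self, client_ip, pkt):
        q = classify(pkt)
        for match, action in self.rules:
            if not match(q):
                continue
            if action == "rate-limit":
                key = (client_ip, q["qname"], q["qtype"])
                self.counts[key] += 1
                if self.counts[key] > self.rate_limit:
                    self.log.append((client_ip, q["qname"], "rate-limit-exceeded"))
                    return "drop"
                return "forward:default"
            if action == "log":
                self.log.append((client_ip, q["qname"], "log"))
                return "forward:default"
            return action
        return "forward:default"

# Constructed rule set mirroring the page's examples (group names are placeholders).
EXAMPLE_RULES = [
    (lambda q: q["rd"], "drop"),                               # block queries with the RD flag
    (lambda q: q["do"], "forward:dnssec-servers"),             # DNSSEC OK bit -> separate server group
    (lambda q: q["qtype"] == QTYPE_MX, "rate-limit"),          # rate limit MX queries per client
    (lambda q: q["qname"] == "www.mydomain.com", "log"),       # count queries to www.mydomain.com
]

def demo():
    """Run the rule set over constructed traffic from two clients; returns the decisions."""
    policy = DnsPolicy(EXAMPLE_RULES, rate_limit=5)
    mx = build_query("mydomain.com", QTYPE_MX, rd=False)
    decisions = [policy.apply("10.0.0.1", mx) for _ in range(6)]
    decisions.append(policy.apply("10.0.0.2", mx))           # a different client has its own counter
    return decisions, policy

if __name__ == "__main__":
    print(demo()[0])
```

Ordering matters: the RD rule sits first, so a DO-bit query that also requests recursion is dropped rather than forwarded, which is the kind of interaction to check when combining actions on the appliance as well.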
[Figure 4 diagram: DNS client A and DNS client B on the Internet send queries to VIP 200.200.200.1 on the ServerIron ADX, which forwards them to the DNS servers behind it.]