Brocade Communications Systems 12.4.00a User Manual

ServerIron ADX Security Guide, 53-1002440-03, page 43
1 DNS attack protection
Configuring DNS attack protection
Configuring DNS attack protection involves the following steps:
1. Create DNS DPI rules.
In this step you specify the filtering parameters under a rule. A packet must match all of the filtering parameters defined under a rule to match the rule.
2. Create a DNS DPI policy and bind the rules to it.
In this step you bind a rule to a policy and specify the action to be taken if a packet matches the rule.
3. Bind a DNS DPI policy to a virtual port.
In the final configuration step, you bind a policy to a virtual port. All packets destined to that virtual port are then subject to the DNS DPI rules and policies defined in steps 1 and 2.
In addition, there are global commands that you can optionally configure to apply to all DNS attack protection configurations.
Defining DNS rules to filter packets
The DNS rules define the parameters on which DNS packets are filtered. Rules can be defined for the following parameters:
Query name
Query type
RD flag
DNSSEC bit
To define a rule, you first create the rule and then define the DNS filtering rule parameters under it, as shown.
ServerIron(config)# csw-rule rule1 udp-content dns
Syntax: [no] csw-rule <rule-name> udp-content dns
The <rule-name> variable specifies a name for the rule that must be unique across all CSW functionality. A maximum of 512 DNS DPI rules can be configured.
The filtering rule parameters are defined within the rule as shown. The rule parameters function as an inherent "AND", which means that all of the parameters must be met for the rule to be matched.
ServerIron(config)# csw-rule rule1 udp-content dns
ServerIron(config-csw-dns-rule-rule1)# query-type MX
ServerIron(config-csw-dns-rule-rule1)# query-name abc.com
ServerIron(config-csw-dns-rule-rule1)# query-rd-flag on
ServerIron(config-csw-dns-rule-rule1)# query-dnssec-ok off
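To make the "AND" semantics of rule1 concrete, the following added example (not from the Brocade guide, and not how the ServerIron implements DPI) extracts the four matched fields from a DNS query on the wire and evaluates the rule against constructed packets. The RD flag is bit 0x0100 of the DNS header flags and the DNSSEC OK (DO) bit is bit 15 of the TTL field of the EDNS0 OPT record, per RFC 1035 and RFC 6891; build_query is a constructed helper for test input.

```python
import struct

QTYPES = {1: "A", 15: "MX", 28: "AAAA"}  # subset of RR type codes

def parse_name(pkt, off):
    """Read a DNS name at offset, following compression pointers; return (name, next_offset)."""
    labels = []
    while True:
        ln = pkt[off]; off += 1
        if ln == 0:
            break
        if ln & 0xC0 == 0xC0:  # compression pointer: rest of name lives elsewhere
            ptr = ((ln & 0x3F) << 8) | pkt[off]
            tail, _ = parse_name(pkt, ptr)
            return ".".join(labels + ([tail] if tail else [])), off + 1
        labels.append(pkt[off:off + ln].decode("ascii")); off += ln
    return ".".join(labels), off

def parse_query(pkt):
    """Return the fields a DNS DPI rule matches on: name, type, RD flag, DNSSEC OK bit."""
    _id, flags, _qd, _an, _ns, ar = struct.unpack("!6H", pkt[:12])
    name, off = parse_name(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4]); off += 4
    do = False
    for _ in range(ar):  # scan additional section for an OPT RR (type 41) with DO set
        _, off = parse_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10]); off += 10 + rdlen
        if rtype == 41 and ttl & 0x8000:
            do = True
    return {"query-name": name.lower(), "query-type": QTYPES.get(qtype, str(qtype)),
            "query-rd-flag": bool(flags & 0x0100), "query-dnssec-ok": do}

def rule_matches(rule, fields):
    """Inherent AND: every parameter configured in the rule must match the packet."""
    return all(fields[k] == v for k, v in rule.items())

def build_query(name, qtype, rd=True, do=False):
    """Constructed helper: assemble a minimal DNS query, optionally with an EDNS0 OPT RR."""
    q = struct.pack("!6H", 0x1234, 0x0100 if rd else 0, 1, 0, 0, 1 if do else 0)
    for label in name.split("."):
        q += bytes([len(label)]) + label.encode("ascii")
    q += b"\x00" + struct.pack("!HH", qtype, 1)
    if do:  # root name, type OPT, UDP size 4096, DO bit in TTL, empty RDATA
        q += b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)
    return q

# rule1 from the configuration above, expressed as a parameter map
RULE1 = {"query-type": "MX", "query-name": "abc.com", "query-rd-flag": True, "query-dnssec-ok": False}
```

Only a recursive MX query for abc.com without the DO bit matches rule1; changing any one parameter (type, name, RD, or DO) makes the AND fail.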
Syntax: query-type <type>
The <type> variable specifies the DNS query type to match on.
Syntax: query-name <name>
The <name> variable specifies the DNS query name to match on.
Syntax: query-rd-flag { on | off }
The on parameter is matched if the RD flag is set in the packet.