Configuring dns attack protection, Defining dns rules to filter packets – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual
Brocade Virtual ADX Security Guide
53-1003250-01
DNS-DPI Attack Protection
• When multiple queries are in a single DNS packet, only the first RR will be processed.
• There is no CSW DNS rule to identify DNS Root requests.
Configuring DNS attack protection
Configuring DNS attack protection involves the following steps:
1. Create DNS DPI rules.
In this step you specify the filtering parameters under a rule. A packet must match all of the filtering parameters defined under a rule to match the rule.
2. Create a DNS DPI policy and bind the rules to it.
In this step you bind a rule to a policy and specify the action to be taken if a packet matches the rule.
3. Bind a DNS DPI policy to a virtual port.
In the final configuration step, you bind a policy to a virtual port. Then, all packets destined to that virtual port are subject to the DNS DPI rules and policies defined in steps 1 and 2.
In addition, there are global commands that you can optionally configure to apply to all DNS attack protection configurations.
Defining DNS rules to filter packets
The DNS rules define the parameters that the DNS packets are filtered on. Rules can be defined for the following parameters:
• Query-name
• Query type
• RD flag
• DNS Sec bit
To define a rule, you must first define the rule and then define the DNS filtering rule parameters under it as shown.
Virtual ADX(config)#csw-rule rule1 udp-content dns
Syntax: [no] csw-rule rule-name udp-content dns
The rule-name variable specifies a name for the rule that must be unique across all CSW functionality. A maximum of 512 DNS DPI rules can be configured.
The filtering rule parameters are defined within the rule as shown. The rule parameters function as an inherent AND, which means that all of the parameters must be met for the rule to be matched.
Virtual ADX(config)#csw-rule rule1 udp-content dns
Virtual ADX(config-csw-dns-rule-rule1)#query-type MX
Virtual ADX(config-csw-dns-rule-rule1)#query-name example1.com
Virtual ADX(config-csw-dns-rule-rule1)#query-rd-flag on
Virtual ADX(config-csw-dns-rule-rule1)#query-dnssec-ok off
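The following Python program is an added illustration and is not part of the Brocade guide or the Virtual ADX software. It shows what the four rule parameters above correspond to on the wire: it parses a DNS query for the first question's name and type, the RD flag in the header, and the DNSSEC OK (DO) bit carried in an EDNS0 OPT record, then evaluates a rule with the same implicit-AND semantics the guide describes for rule1. The QTYPE name table, the rule representation, and the sample packets built by build_query are assumptions made for this example; the packets are constructed, not captured.

```python
import struct

# Assumed mapping of common QTYPE codes to the names used in rules.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}
OPT_TYPE = 41  # EDNS0 pseudo-RR; its TTL field carries the DO bit (0x8000)


def _read_name(data, offset):
    """Decode a DNS name at offset; return (lower-cased name, next offset).
    Follows compression pointers and rejects loops or truncated input."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        if offset >= len(data):
            raise ValueError("truncated name")
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if offset + 1 >= len(data):
                raise ValueError("truncated pointer")
            ptr = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression loop")
            offset = ptr
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels) or ".", (offset if end is None else end)


def parse_query(packet):
    """Extract the fields a DNS DPI rule filters on. Only the first question
    is used, mirroring the guide's note that only the first RR is processed."""
    if len(packet) < 12:
        raise ValueError("short header")
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    if qd < 1:
        raise ValueError("no question section")
    qname, offset = _read_name(packet, 12)
    qtype, _qclass = struct.unpack("!HH", packet[offset:offset + 4])
    offset += 4
    for _ in range(qd - 1):  # skip any further questions
        _, offset = _read_name(packet, offset)
        offset += 4
    dnssec_ok = False
    # Walk answer, authority and additional sections; an OPT RR in the
    # additional section carries the DO bit as the top bit of its TTL field.
    for count in (an, ns, ar):
        for _ in range(count):
            _, offset = _read_name(packet, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
            offset += 10 + rdlen
            if rtype == OPT_TYPE and ttl & 0x8000:
                dnssec_ok = True
    return {"query_name": qname,
            "query_type": QTYPE_NAMES.get(qtype, str(qtype)),
            "rd_flag": bool(flags & 0x0100),
            "dnssec_ok": dnssec_ok}


def rule_matches(rule, fields):
    """A rule is a dict of the parameters it sets; every set parameter must
    match the packet (the inherent AND described in the guide)."""
    return all(fields.get(key) == value for key, value in rule.items())


def build_query(name, qtype, rd=True, dnssec_ok=False):
    """Construct a minimal DNS query (constructed sample input, not a capture)."""
    flags = 0x0100 if rd else 0x0000
    pkt = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 1 if dnssec_ok else 0)
    for label in name.strip(".").split("."):
        pkt += bytes([len(label)]) + label.encode("ascii")
    pkt += b"\x00" + struct.pack("!HH", qtype, 1)
    if dnssec_ok:  # root-named OPT RR, UDP size 4096, DO bit set, no RDATA
        pkt += b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, 0x8000, 0)
    return pkt


# Same parameters as the guide's rule1 (hypothetical representation).
RULE1 = {"query_type": "MX", "query_name": "example1.com",
         "rd_flag": True, "dnssec_ok": False}


def demo():
    """Return (match, no_match): an MX query for example1.com with RD set
    matches rule1; the same query with the DO bit set fails dnssec_ok off."""
    plain = build_query("example1.com", 15)
    with_do = build_query("example1.com", 15, dnssec_ok=True)
    return rule_matches(RULE1, parse_query(plain)), rule_matches(RULE1, parse_query(with_do))


if __name__ == "__main__":
    print(demo())
```

The second packet in demo differs from the first only by the DO bit, and that one mismatching parameter is enough to defeat the rule, which is the AND behaviour to keep in mind when a rule with several parameters matches fewer packets than expected.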
Syntax: query-type type
The type variable specifies the DNS query type to match on.
Syntax: query-name name