Creating a DNS DPI policy and binding the rules to it – Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual
Brocade Virtual ADX Security Guide
53-1003250-01
DNS-DPI Attack Protection
The name variable specifies the name of the DNS query type to match on.
Syntax: query-rd-flag { on | off }
The on parameter is matched if the RD flag is set in the packet.
The off parameter is matched if the RD flag is not set in the packet.
Syntax: query-dnssec-ok { on | off }
The on parameter is matched if the DNSSEC bit is set in the packet.
The off parameter is matched if the DNSSEC bit is not set in the packet.
Order of rule matching
Matching on the query-name is attempted first, in order of the length of the query-name. This is followed by the rules without a query-name (only if needed), in the order they were added to the policy. If two rules with a query-name have strings of the same length, alphabetical order takes precedence. When two rules with a query-name have exactly the same string, the order in which the rules were added to the policy takes precedence.
For example, initially the order of rules in a policy is:
1. Rule to match query-name www.brocade.com
2. Rule to match query-type A & query-RDflag ON
Adding two new rules, one to match query-name www.example2.com and one to match query-type AAAA, rearranges the rules in the policy as follows:
1. Rule to match query-name www.brocade.com
2. Rule to match query-name www.example2.com
3. Rule to match query-type A & query-RDflag ON
4. Rule to match query-type AAAA
The policy-level configuration 'evaluate-generic-first' reverses this default behavior by first matching the rules that are not based on query-names. In that case, the same rules would be ordered as follows:
1. Rule to match query-type A & query-RDflag ON
2. Rule to match query-type AAAA
3. Rule to match query-name www.brocade.com
4. Rule to match query-name www.example2.com
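As an added illustration (not Brocade code), the following Python model implements the ordering rules described above, including the evaluate-generic-first reversal, and reproduces the four-rule example on this page. It assumes query-name rules sort by ascending name length (the order the example shows) and that query-name comparison is case-insensitive; the Rule and Policy classes and their field names are hypothetical.

```python
# Model of the DNS DPI rule ordering described in this section.
# Illustrative only; the class and field names are assumptions, not ADX CLI names.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    name: str                         # rule identifier (hypothetical)
    query_name: Optional[str] = None  # query-name to match; None = generic rule
    query_type: Optional[str] = None  # e.g. "A", "AAAA"; None = don't care
    rd_flag: Optional[bool] = None    # query-rd-flag on/off; None = don't care
    dnssec_ok: Optional[bool] = None  # query-dnssec-ok on/off; None = don't care


@dataclass
class Policy:
    rules: List[Rule] = field(default_factory=list)  # kept in insertion order
    evaluate_generic_first: bool = False

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def match_order(self) -> List[Rule]:
        """Return the rules in the order they are evaluated."""
        indexed = list(enumerate(self.rules))
        # query-name rules: by name length (ascending, as in the page's example),
        # then alphabetically, then insertion order for identical strings
        named = sorted(
            ((i, r) for i, r in indexed if r.query_name is not None),
            key=lambda ir: (len(ir[1].query_name), ir[1].query_name, ir[0]),
        )
        # generic rules keep the order in which they were added to the policy
        generic = [(i, r) for i, r in indexed if r.query_name is None]
        ordered = generic + named if self.evaluate_generic_first else named + generic
        return [r for _, r in ordered]

    def first_match(self, qname: str, qtype: str, rd: bool, do: bool) -> Optional[Rule]:
        """Return the first rule whose configured fields all match the query."""
        for r in self.match_order():
            # case-insensitive name comparison is an assumption (DNS names are)
            if r.query_name is not None and r.query_name.lower() != qname.lower():
                continue
            if r.query_type is not None and r.query_type != qtype:
                continue
            if r.rd_flag is not None and r.rd_flag != rd:
                continue
            if r.dnssec_ok is not None and r.dnssec_ok != do:
                continue
            return r
        return None
```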
Creating a DNS DPI policy and binding the rules to it
A DNS DPI policy specifies the action to take when a previously defined rule is matched. A DNS DPI policy is defined as shown below:
Virtual ADX(config)#csw-policy DNSpolicy1 type dns-filter
Syntax: [no] csw-policy policy-name type dns-filter
The policy-name variable specifies a name for the CSW policy; the name must be unique across all CSW functionality.
