
Brocade Virtual ADX Security Guide (Supporting ADX v03.1.00) User Manual



53-1003250-01

DNS-DPI Attack Protection


You can bind a DNS DPI policy to a virtual port as shown.

Virtual ADX(config)#server virtual vip1 10.120.62.53

Virtual ADX(config-vs-vip1)#port dns csw-policy DNSpolicy1

Virtual ADX(config-vs-vip1)#port dns csw

Syntax: [no] port dns csw-policy policy-name

The policy-name variable specifies the name of the policy to be bound to a virtual port.

Syntax: [no] port dns csw

This command enables DNS content switching.

Configuring global commands for DNS attack protection

You can optionally configure the following to apply to all DNS attack protection configurations:

Dropping all DNS packets that are fragmented

Dropping all DNS packets with multiple queries

Dropping all DNS packets that are malformed

To configure a Brocade Virtual ADX to drop all DNS packets that are fragmented, use the server dns-dpi drop-frag-pkts command as shown.

Virtual ADX(config)#server dns-dpi drop-frag-pkts

Syntax: [no] server dns-dpi drop-frag-pkts

To configure a Brocade Virtual ADX to drop all DNS packets with multiple queries, use the server dns-dpi drop-multiple-query-pkts command as shown.

Virtual ADX(config)#server dns-dpi drop-multiple-query-pkts

Syntax: [no] server dns-dpi drop-multiple-query-pkts

To configure a Brocade Virtual ADX to drop all DNS packets that are malformed, use the server dns-dpi drop-incomplete-malformed-pkts command as shown.

Virtual ADX(config)#server dns-dpi drop-incomplete-malformed-pkts

Syntax: [no] server dns-dpi drop-incomplete-malformed-pkts
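The three global drop rules above, worked through as an added example that is not Brocade code: a small checker that takes a DNS payload (and, as an assumption, the 16-bit IPv4 flags/fragment-offset field extracted by the caller) and reports which rule would fire, in the order the guide lists them. Sample packets are constructed inline by build_query.

```python
import struct

def ip_is_fragmented(flags_frag_offset: int) -> bool:
    """IPv4 flags/fragment-offset field: MF bit set or non-zero offset means a fragment."""
    more_fragments = bool(flags_frag_offset & 0x2000)
    return more_fragments or (flags_frag_offset & 0x1FFF) != 0

def parse_qname(data: bytes, pos: int) -> tuple[str, int]:
    """Read an uncompressed DNS name; raise ValueError on truncation or a bad label."""
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        pos += 1
        if length == 0:
            return ".".join(labels), pos
        # Assumption of this checker: a compression pointer in the question is treated as malformed.
        if length & 0xC0 or pos + length > len(data):
            raise ValueError("bad label length or truncated label")
        labels.append(data[pos:pos + length].decode("ascii", errors="replace"))
        pos += length

def classify_dns(payload: bytes, ip_flags_frag: int = 0) -> str:
    """Return 'drop-frag', 'drop-multi-query', 'drop-malformed' or 'pass', checked in guide order."""
    if ip_is_fragmented(ip_flags_frag):
        return "drop-frag"                      # server dns-dpi drop-frag-pkts
    if len(payload) < 12:
        return "drop-malformed"                 # header itself is incomplete
    _id, _flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount > 1:
        return "drop-multi-query"               # server dns-dpi drop-multiple-query-pkts
    pos = 12
    try:
        for _ in range(qdcount):
            _, pos = parse_qname(payload, pos)
            if pos + 4 > len(payload):          # QTYPE + QCLASS must follow the name
                raise ValueError("truncated question")
            pos += 4
    except ValueError:
        return "drop-malformed"                 # server dns-dpi drop-incomplete-malformed-pkts
    return "pass"

def build_query(name: str, qdcount: int = 1) -> bytes:
    """Constructed sample: a standard A/IN query for `name` with an adjustable QDCOUNT."""
    header = struct.pack("!6H", 0x1234, 0x0100, qdcount, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)
```

A packet whose header advertises two questions but carries only one is caught by the multiple-query rule before the malformed check runs, which mirrors the order in which the three commands are described here.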

Configuring the Brocade Virtual ADX to drop requests if servers in redirect actions are down

You can configure the Brocade Virtual ADX to drop requests if servers in redirect actions are down as shown.

Virtual ADX(config-csw-pol-p1)#dns-drop-on-fwd-fail

Syntax: [no] dns-drop-on-fwd-fail

Configuring the Brocade Virtual ADX to evaluate rules without a query name first

You can configure the Brocade Virtual ADX to evaluate rules that do not match on a query name (generic rules) before rules that do, as shown.

Virtual ADX(config-csw-pol-p1)#evaluate-generic-first

Syntax: [no] evaluate-generic-first