The set monitor dns alert commands enable DNS alert monitoring and set the thresholds for invalid DNS responses. After you enable DNS alert monitoring, the appliance monitors UDP traffic on port 53 for recursive DNS queries and reports invalid DNS responses: responses sent to UDP ports that are not open, and responses whose transaction IDs (TXIDs) do not match the outstanding query. You must enable DNS network monitoring when you enable DNS alert monitoring. For information, see the set monitor dns command.
You can also configure the thresholds for invalid DNS responses. When the number of invalid responses exceeds a threshold, the appliance logs the event and sends SNMP traps and notifications, if these were previously enabled. The default thresholds for both invalid ports and invalid TXIDs are 50%. You can configure each threshold either as an absolute packet count or as a percentage of the total traffic during a one-minute interval.
This command is useful for monitoring possible cache poisoning. Use the show monitor dns alert status command to view invalid port and invalid TXID data.
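The following Python is an added illustration of the check described above; it is not Infoblox code and does not claim to show how NIOS implements the monitor internally. It models a resolver-side UDP port as "open" while a query sent from it is still awaiting an answer, counts responses to closed ports and responses with mismatched TXIDs per one-minute window, and compares the counts against thresholds expressed either as packets or as percent. The percent denominator is assumed to be the number of responses seen in the window (the page says "total traffic" without defining it); the packet records, field names and helper names are constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsPacket:
    ts: float          # capture time in seconds (constructed sample field)
    port: int          # resolver-side UDP port: query source port / response destination port
    txid: int          # 16-bit DNS transaction ID
    is_response: bool  # False = outbound recursive query, True = inbound response


@dataclass(frozen=True)
class Threshold:
    value: float
    unit: str          # "packets" (absolute count) or "percent" (assumption: of responses in the window)


# Defaults stated on the page: 50% for both invalid ports and invalid TXIDs.
DEFAULT_THRESHOLDS = {"port": Threshold(50, "percent"), "txid": Threshold(50, "percent")}

WINDOW_SECONDS = 60  # the page evaluates thresholds per one-minute interval


def exceeds(count, total_responses, threshold):
    """True when `count` exceeds the threshold ("exceeds" is read as strictly greater)."""
    if threshold.unit == "packets":
        return count > threshold.value
    if threshold.unit == "percent":
        return total_responses > 0 and 100.0 * count / total_responses > threshold.value
    raise ValueError(f"unknown threshold unit {threshold.unit!r}")


def classify_window(packets, thresholds=DEFAULT_THRESHOLDS):
    """Classify every response in one window against the queries still outstanding."""
    pending = defaultdict(set)  # port -> TXIDs of queries awaiting a response
    stats = {"responses": 0, "invalid_port": 0, "invalid_txid": 0}
    for p in sorted(packets, key=lambda x: x.ts):
        if not p.is_response:
            pending[p.port].add(p.txid)
            continue
        stats["responses"] += 1
        if not pending[p.port]:
            stats["invalid_port"] += 1       # response to a port with no open query
        elif p.txid not in pending[p.port]:
            stats["invalid_txid"] += 1       # port is open but the TXID does not match
        else:
            pending[p.port].discard(p.txid)  # genuine answer closes the query
    stats["alerts"] = [
        kind for kind, key in (("port", "invalid_port"), ("txid", "invalid_txid"))
        if exceeds(stats[key], stats["responses"], thresholds[kind])
    ]
    return stats


def evaluate(packets, thresholds=DEFAULT_THRESHOLDS):
    """Split packets into one-minute windows and classify each; keyed by window index."""
    windows = defaultdict(list)
    for p in packets:
        windows[int(p.ts // WINDOW_SECONDS)].append(p)
    return {idx: classify_window(pkts, thresholds) for idx, pkts in sorted(windows.items())}


# Constructed sample: one genuine exchange on port 40001 plus unsolicited responses.
SAMPLE_PACKETS = [
    DnsPacket(0.0, 40001, 0x1234, False),  # resolver sends a recursive query
    DnsPacket(0.1, 40001, 0x1111, True),   # open port, wrong TXID
    DnsPacket(0.1, 40001, 0x2222, True),
    DnsPacket(0.1, 40001, 0x3333, True),
    DnsPacket(0.1, 40001, 0x4444, True),
    DnsPacket(0.2, 50000, 0x1234, True),   # no query was ever sent from port 50000
    DnsPacket(0.2, 50000, 0x5678, True),
    DnsPacket(0.5, 40001, 0x1234, True),   # genuine answer
]

if __name__ == "__main__":
    for idx, stats in evaluate(SAMPLE_PACKETS).items():
        print(f"minute {idx}: {stats}")
```

With the default 50% thresholds, the sample window has 7 responses, of which 4 carry a mismatched TXID (about 57%, so a txid alert fires) and 2 arrive on a port with no open query (about 29%, below the port threshold). Switching the port threshold to an absolute count, for example `Threshold(1, "packets")`, makes the same 2 invalid-port responses raise a port alert as well, which is the practical difference between the two threshold units on a low-volume resolver.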

Note

This command is not supported for IPv6 in NIOS 7.0 and later releases.

Syntax

set monitor dns alert {on | off}
set monitor dns alert modify {port | txid} over threshold_value {packets | percent}

...