DNS Message Type
The following table lists the system and auto rules that are used to mitigate DNS message type attacks on your advanced appliance.
All rules for DNS record types are system rules. By default, they are configured as Pass rules. You can override this and change the rule action to Drop. Note that when you change the action to Drop, the appliance drops all DNS packets that contain a request for that record type. For information about the parameters, see Overview of Packet Flow.
Rule ID | Rule Type | Rule Name | Description | Enable/Disable Condition | Parameters | Comments |
---|---|---|---|---|---|---|
100000080 | Auto | EARLY PASS UDP QUIC response traffic | This rule passes encrypted DNS (UDP QUIC) response traffic when the Recursive Queries Forwarding to ActiveTrust Cloud feature is enabled. | Enabled if Infoblox DNS forwards recursive queries to ActiveTrust Cloud. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS should process a large number of recursive queries. |
100100100 | Auto | EARLY PASS IPv4 UDP Notify messages | This rule passes IPv4 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
100100101 | Auto | EARLY PASS IPv6 UDP Notify messages | This rule passes IPv6 UDP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
100100200 | Auto | EARLY PASS IPv4 TCP Notify messages | This rule passes IPv4 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv4 external primaries configured. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
100100201 | Auto | EARLY PASS IPv6 TCP Notify messages | This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
100100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update | This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if DDNS update is enabled for IPv4 clients. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | |
100100350 | Auto | EARLY PASS IPv6 UDP Notify messages for DDNS update | This rule passes IPv6 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if DDNS update is enabled for IPv6 clients. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | |
130100100 | Auto | RATELIMIT PASS IPv4 UDP DNS AXFR zone transfer requests | This rule passes IPv4 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
130100101 | Auto | RATELIMIT PASS IPv6 UDP DNS AXFR zone transfer requests | This rule passes IPv6 UDP DNS full zone transfer requests if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks subsequent DNS traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
130100200 | Auto | RATELIMIT PASS IPv4 TCP DNS AXFR zone transfer requests | This rule passes IPv4 TCP DNS full zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
130100201 | Auto | EARLY PASS IPv6 TCP Notify messages | This rule passes IPv6 TCP DNS NOTIFY messages if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS serves as the secondary server with IPv6 external primaries configured. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid external primary server, tune the Packets per second value accordingly. |
130100300 | Auto | EARLY PASS IPv4 UDP Notify messages for DDNS update | This rule passes IPv4 UDP NOTIFY messages for DDNS update if the packet rate is less than the Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if DDNS update is enabled for IPv4 clients. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | |
130100301 | Auto | RATELIMIT PASS IPv6 UDP DNS IXFR zone transfer requests | This rule passes IPv6 UDP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
130100400 | Auto | RATELIMIT PASS IPv4 TCP DNS IXFR zone transfer requests | This rule passes IPv4 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value (default = 100). If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS allows incoming IPv4 zone transfer requests. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
130100401 | Auto | RATELIMIT PASS IPv6 TCP DNS IXFR zone transfer requests | This rule passes IPv6 TCP DNS incremental zone transfer requests if the packet rate is less than the specified Packets per second value. If any source IP sends packets over this value, the appliance allows traffic up to the rate limit and then blocks traffic from this source IP for the remainder of the Drop interval. | Enabled if Infoblox DNS allows incoming IPv6 zone transfer requests. | Packets per second (default = 1000) Drop interval (default = 10 seconds) Rate algorithm (default = rate limiting) Events per second (default = 1) | Consider tuning Packets per second if Infoblox DNS serves a large number of zones. If this rule is triggered and the source IP address indicates a valid secondary server, tune the Packets per second value accordingly. |
130200100 | Auto | DROP UDP DNS AXFR zone transfer requests | This rule drops any DNS UDP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests. | Events per second (default = 1) | |
130200200 | Auto | DROP TCP DNS AXFR zone transfer requests | This rule drops any DNS TCP full zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests. | Events per second (default = 1) | |
130200300 | Auto | DROP UDP DNS IXFR zone transfer requests | This rule drops any DNS UDP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests. | Events per second (default = 1) | |
130200400 | Auto | DROP TCP DNS IXFR zone transfer requests | This rule drops any DNS TCP incremental zone transfer requests when zone transfer is disabled. You can configure only the Events per second parameter. | Enabled if Infoblox DNS does not allow incoming zone transfer requests. | Events per second (default = 1) | |
130500100 | System | DNS A record | You can configure this rule to pass or drop UDP packets that contain A record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500200 | System | DNS AAAA record | You can configure this rule to pass or drop UDP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500300 | System | DNS CNAME record | You can configure this rule to pass or drop UDP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500400 | System | DNS DS record | You can configure this rule to pass or drop UDP packets that contain DS record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500500 | System | DNS PTR record | You can configure this rule to pass or drop UDP packets that contain PTR record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500600 | System | DNS NS record | You can configure this rule to pass or drop UDP packets that contain NS record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500700 | System | DNS NSEC record | You can configure this rule to pass or drop UDP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500800 | System | DNS NSEC3 record | You can configure this rule to pass or drop UDP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130500900 | System | DNS NSEC3PARAM record | You can configure this rule to pass or drop UDP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501000 | System | DNS MX record | You can configure this rule to pass or drop UDP packets that contain MX record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501100 | System | DNS SRV record | You can configure this rule to pass or drop UDP packets that contain SRV record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501200 | System | DNS TXT record | You can configure this rule to pass or drop UDP packets that contain TXT record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501300 | System | DNS DNAME record | You can configure this rule to pass or drop UDP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501400 | System | DNS RRSIG record | You can configure this rule to pass or drop UDP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501500 | System | DNS NAPTR record | You can configure this rule to pass or drop UDP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501600 | System | DNS DNSKEY record | You can configure this rule to pass or drop UDP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501700 | System | DNS SPF record | You can configure this rule to pass or drop UDP packets that contain SPF record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501800 | System | DNS DHCID record | You can configure this rule to pass or drop UDP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130501900 | System | DNS SOA record | You can configure this rule to pass or drop UDP packets that contain SOA record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502000 | System | DNS SIG record | You can configure this rule to pass or drop UDP packets that contain SIG record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502100 | System | DNS LOC record | You can configure this rule to pass or drop UDP packets that contain LOC record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502200 | System | DNS SSHFP record | You can configure this rule to pass or drop UDP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502300 | System | DNS IPSECKEY record | You can configure this rule to pass or drop UDP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502400 | System | DNS TKEY record | You can configure this rule to pass or drop UDP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502500 | System | DNS TSIG record | You can configure this rule to pass or drop UDP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502600 | System | DNS TA record | You can configure this rule to pass or drop UDP packets that contain TA record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502700 | System | DNS DLV record | You can configure this rule to pass or drop UDP packets that contain DLV record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502800 | System | DNS ANY record | You can configure this rule to pass or drop UDP packets that contain ANY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130502900 | System | DNS A record TCP | You can configure this rule to pass or drop TCP packets that contain A record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503000 | System | DNS AAAA record TCP | You can configure this rule to pass or drop TCP packets that contain AAAA record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503100 | System | DNS CNAME record TCP | You can configure this rule to pass or drop TCP packets that contain CNAME record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503200 | System | DNS DS record TCP | You can configure this rule to pass or drop TCP packets that contain DS record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503300 | System | DNS PTR record TCP | You can configure this rule to pass or drop TCP packets that contain PTR record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503400 | System | DNS NS record TCP | You can configure this rule to pass or drop TCP packets that contain NS record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503500 | System | DNS NSEC record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503600 | System | DNS NSEC3 record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3 record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503700 | System | DNS NSEC3PARAM record TCP | You can configure this rule to pass or drop TCP packets that contain NSEC3PARAM record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503800 | System | DNS MX record TCP | You can configure this rule to pass or drop TCP packets that contain MX record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130503900 | System | DNS SRV record TCP | You can configure this rule to pass or drop TCP packets that contain SRV record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504000 | System | DNS TXT record TCP | You can configure this rule to pass or drop TCP packets that contain TXT record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504100 | System | DNS DNAME record TCP | You can configure this rule to pass or drop TCP packets that contain DNAME record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504200 | System | DNS RRSIG record TCP | You can configure this rule to pass or drop TCP packets that contain RRSIG record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504300 | System | DNS NAPTR record TCP | You can configure this rule to pass or drop TCP packets that contain NAPTR record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504400 | System | DNS DNSKEY record TCP | You can configure this rule to pass or drop TCP packets that contain DNSKEY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504500 | System | DNS SPF record TCP | You can configure this rule to pass or drop TCP packets that contain SPF record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504600 | System | DNS DHCID record TCP | You can configure this rule to pass or drop TCP packets that contain DHCID record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504700 | System | DNS SOA record TCP | You can configure this rule to pass or drop TCP packets that contain SOA record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504800 | System | DNS SIG record TCP | You can configure this rule to pass or drop TCP packets that contain SIG record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130504900 | System | DNS LOC record TCP | You can configure this rule to pass or drop TCP packets that contain LOC record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130505000 | System | DNS SSHFP record TCP | You can configure this rule to pass or drop TCP packets that contain SSHFP record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130505100 | System | DNS IPSECKEY record TCP | You can configure this rule to pass or drop TCP packets that contain IPSECKEY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130505200 | System | DNS TKEY record TCP | You can configure this rule to pass or drop TCP packets that contain TKEY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130505300 | System | DNS TSIG record TCP | You can configure this rule to pass or drop TCP packets that contain TSIG record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130505400 | System | DNS TA record TCP | You can configure this rule to pass or drop TCP packets that contain TA record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130505500 | System | DNS DLV record TCP | You can configure this rule to pass or drop TCP packets that contain DLV record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
130505600 | System | DNS ANY record TCP | You can configure this rule to pass or drop TCP packets that contain ANY record requests. The default Action = Pass. | Enabled by default. | Action (default = Pass) Events per second (default = 1) | |
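The two behaviours the table describes, the per-source rate limit with a Drop interval (the RATELIMIT PASS and EARLY PASS auto rules) and the per-record-type Pass/Drop action (the 1305xxxxx system rules), as an added Python simulation. This is not Infoblox code and does not reflect how the appliance is implemented; it models the semantics stated in the Description column. Assumptions, labelled in the code: the packet rate is counted in one-second windows, "remainder of the Drop interval" is taken as Drop interval seconds starting from the first packet over the limit, and Events per second is read as a cap on how many events the rule logs per second. The DNS query bytes and source addresses are constructed sample input.

```python
import struct
from collections import defaultdict

# QTYPE numbers (IANA values) for a subset of the record types in the table.
QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 15: "MX",
               16: "TXT", 28: "AAAA", 33: "SRV", 255: "ANY"}


def build_query(qname: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS query (12-byte header + one question). Sample input only."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # QCLASS IN


def parse_qtype(msg: bytes) -> int:
    """Return the QTYPE of the first question; reject malformed or truncated input."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    if struct.unpack("!H", msg[4:6])[0] < 1:
        raise ValueError("no question section")
    pos = 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated qname")
        length = msg[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # a compression pointer is not valid in the question name
            raise ValueError("compressed qname in question")
        pos += 1 + length
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    return struct.unpack("!H", msg[pos:pos + 2])[0]


class RecordTypeRule:
    """System-rule semantics: Action per requested record type, default Pass."""

    def __init__(self, actions=None):
        self.actions = dict(actions or {})  # e.g. {"ANY": "drop"}

    def evaluate(self, msg: bytes) -> str:
        rtype = QTYPE_NAMES.get(parse_qtype(msg), "OTHER")
        return self.actions.get(rtype, "pass")


class RateLimitRule:
    """Auto-rule semantics: pass while a source stays under Packets per second;
    the first packet over the limit starts a block for Drop interval seconds.
    One-second windows and the block duration are assumptions of this model."""

    def __init__(self, packets_per_second=1000, drop_interval=10.0, events_per_second=1):
        self.pps = packets_per_second
        self.drop_interval = drop_interval
        self.eps = events_per_second
        self._window = {}            # src -> [window_second, packets seen in it]
        self._blocked_until = {}     # src -> time at which the block expires
        self._events_in_second = defaultdict(int)
        self.events = []             # (time, src, reason) entries that passed the event cap

    def _log(self, t, src, reason):
        sec = int(t)
        if self._events_in_second[sec] < self.eps:  # Events per second, as a log cap (assumed)
            self._events_in_second[sec] += 1
            self.events.append((t, src, reason))

    def evaluate(self, src: str, t: float) -> str:
        until = self._blocked_until.get(src)
        if until is not None:
            if t < until:
                return "drop"           # still inside the Drop interval
            del self._blocked_until[src]
        win = self._window.setdefault(src, [int(t), 0])
        if win[0] != int(t):
            win[0], win[1] = int(t), 0  # new one-second window
        win[1] += 1
        if win[1] > self.pps:
            self._blocked_until[src] = t + self.drop_interval
            self._log(t, src, "rate limit exceeded")
            return "drop"
        return "pass"


def inspect(src: str, t: float, msg: bytes, rtype_rule: RecordTypeRule, rate_rule: RateLimitRule) -> str:
    """Record-type action first (a Drop rule overrides), then the per-source rate limit."""
    if rtype_rule.evaluate(msg) == "drop":
        return "drop"
    return rate_rule.evaluate(src, t)


def demo():
    """Constructed burst: one source sends 8 packets in the first second with the limit at 5."""
    rate = RateLimitRule(packets_per_second=5, drop_interval=10.0, events_per_second=1)
    rtype = RecordTypeRule({"ANY": "drop"})
    a_query = build_query("example.com", 1)
    burst = [inspect("198.51.100.7", i * 0.1, a_query, rtype, rate) for i in range(8)]
    other = inspect("203.0.113.9", 0.5, a_query, rtype, rate)      # unrelated source, passes
    still = inspect("198.51.100.7", 9.0, a_query, rtype, rate)     # inside the Drop interval
    after = inspect("198.51.100.7", 11.0, a_query, rtype, rate)    # block expired, new window
    any_q = inspect("203.0.113.9", 0.6, build_query("example.com", 255), rtype, rate)
    return {"burst": burst, "other": other, "still": still, "after": after,
            "any": any_q, "events": len(rate.events)}


if __name__ == "__main__":
    print(demo())
```

With the limit lowered to 5 for the demonstration, the burst passes five packets and drops three, the offending source stays dropped at 9.0 s and passes again at 11.0 s, the unrelated source is unaffected, and only one event is logged for the burst because the second and third excess packets are dropped by the existing block rather than by a new threshold crossing.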