DNS Protocol Anomalies
DNS protocol anomaly attacks send malformed DNS packets, including packets with unexpected header and payload values, to the targeted server. The malformed input can cause the server to stop responding or crash, or leave server threads stuck in an infinite loop. These anomalies sometimes take the form of impersonation attacks.
The following table lists rules that are used to mitigate DNS protocol anomalies sent to the appliance.
Rule ID | Rule Type | Rule Name | Description | Enable Condition | Parameters | Comments |
---|---|---|---|---|---|---|
110100400 | Auto | EARLY DROP UDP DNS question name too long | This rule drops UDP DNS packets when the DNS Question Name is too long. | Always enabled | Events per second (default = 1) | |
110100500 | Auto | EARLY DROP UDP DNS label too long | This rule drops UDP DNS packets when the DNS Label in the name being queried is too long. | Always enabled | Events per second (default = 1) | |
110100600 | Auto | EARLY DROP UDP query invalid question count | This rule drops UDP DNS packets when the number of entries in the question section is invalid. | Always enabled | Events per second (default = 1) | |
110100700 | Auto | EARLY DROP UDP query invalid question class | This rule drops UDP DNS packets when the RR (resource record) class being queried is invalid. | Always enabled | Events per second (default = 1) | |
110100800 | Auto | EARLY DROP UDP query invalid question string | This rule drops UDP DNS packets that contain an invalid question string. | Always enabled | Events per second (default = 1) | |
110100850 | Auto | EARLY UDP drop invalid DNS query with Authority | This rule drops UDP DNS queries that contain an invalid AUTHORITY entry. | Always enabled | Events per second (default = 1) | |
110100860 | System | EARLY DROP UDP DNS query without Recursion Desired | This rule drops UDP DNS queries without the Recursion Desired bit set in the DNS header. Do not enable this rule for authoritative servers. | | Events per second (default = 1) | This rule is designed specifically for recursive caching servers only. Ensure that you do not enable this rule for authoritative DNS servers to avoid unexpected packet drops. |
110100900 | Auto | EARLY DROP query multiple questions or non query operation code | This rule drops UDP DNS packets when there are multiple questions being queried at one time or the operation code is not Query. | Always enabled | Events per second (default = 1) | |
110101000 | System | EARLY DROP TCP DNS query without Recursion Desired | This rule drops TCP DNS queries without the Recursion Desired bit set in the DNS header. Do not enable this rule for authoritative servers. | | Events per second (default = 1) | This rule is designed specifically for recursive caching servers only. Ensure that you do not enable this rule for authoritative DNS servers to avoid unexpected packet drops. |
130000700 | Auto | EARLY DROP TCP non-DNS query | This rule drops TCP packets when the operation code is not Query. | Always enabled | Events per second (default = 1) | |
130000800 | Auto | EARLY DROP TCP query multiple questions | This rule drops TCP DNS packets when there are multiple questions being queried at one time. | Always enabled | Events per second (default = 1) | |
130100500 | Auto | DROP UDP DNS invalid IXFR query with zero or more than one Authority | This rule drops UDP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
130100600 | Auto | DROP TCP DNS invalid IXFR query with zero or more than one Authority | This rule drops TCP DNS incremental zone transfer requests that contain zero or more than one Authority entries. | Always enabled | Events per second (default = 1) | |
130300200 | Auto | DROP TCP invalid DNS query with Authority | This rule drops TCP DNS queries that contain invalid Authority entries. | Always enabled | Events per second (default = 1) | |
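The checks behind the rules above (overlong question name or label, bad question count, invalid class, non-Query opcode, missing Recursion Desired, stray Authority entries, IXFR without exactly one Authority record) can be reproduced on raw packets. The following Python is an added example written for this page, not the appliance's own rule implementation: it parses the DNS header and question section and reports which anomalies a query-side filter would flag. The 63-octet label and 255-octet name limits come from RFC 1035 and the IXFR Authority requirement from RFC 1995; treating compression pointers in a question name as "label too long", the set of accepted classes, and the exact meaning of "invalid question string" are assumptions. The packets it checks are constructed in `build_query`; `qdcount` and `nscount` are set in the header only, since the checker never parses past the first question.

```python
import struct

# Limits from RFC 1035: a label is at most 63 octets, a wire-format name at most 255.
MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255
QCLASS_VALID = {1, 3, 4, 255}   # IN, CH, HS, ANY (assumed accepted set)
OPCODE_QUERY = 0
QTYPE_IXFR = 251                # incremental zone transfer (RFC 1995)
FLAG_QR = 0x8000
FLAG_RD = 0x0100


def read_name(data, pos):
    """Parse one wire-format name at pos. Returns (end_pos, anomalies);
    end_pos is None when the name cannot be parsed."""
    anomalies = []
    start = pos
    while True:
        if pos >= len(data):
            anomalies.append("invalid question string: name runs past end of packet")
            return None, anomalies
        length = data[pos]
        pos += 1
        if length == 0:                      # root label terminates the name
            break
        if length > MAX_LABEL_LEN:
            # 0x40..0xBF are reserved extended labels, 0xC0..0xFF compression
            # pointers; neither is expected in a question name (assumption).
            anomalies.append(f"label too long: {length} > {MAX_LABEL_LEN}")
            return None, anomalies
        pos += length
    if pos - start > MAX_NAME_LEN:
        anomalies.append(f"question name too long: {pos - start} > {MAX_NAME_LEN}")
    return pos, anomalies


def check_query(data, recursive_server=True):
    """Return the anomalies a query-side filter would flag on one DNS message.
    recursive_server=False disables the Recursion Desired check, as the table
    says that rule must not be enabled in front of authoritative servers."""
    anomalies = []
    if len(data) < 12:
        return ["truncated DNS header"]
    _txid, flags, qdcount, _ancount, nscount, _arcount = struct.unpack("!6H", data[:12])
    if flags & FLAG_QR:
        return ["packet is a response, not a query"]
    opcode = (flags >> 11) & 0xF
    if opcode != OPCODE_QUERY:
        anomalies.append(f"operation code is not Query: {opcode}")
    if recursive_server and not flags & FLAG_RD:
        anomalies.append("query without Recursion Desired")
    if qdcount == 0:
        anomalies.append("invalid question count: 0")
        return anomalies
    if qdcount > 1:
        anomalies.append(f"multiple questions: {qdcount}")
    pos, name_anomalies = read_name(data, 12)
    anomalies.extend(name_anomalies)
    if pos is None:
        return anomalies
    if pos + 4 > len(data):
        anomalies.append("invalid question string: missing type/class")
        return anomalies
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    if qclass not in QCLASS_VALID:
        anomalies.append(f"invalid question class: {qclass}")
    if qtype == QTYPE_IXFR:
        # An IXFR query carries exactly one Authority record (the client's SOA).
        if nscount != 1:
            anomalies.append(f"IXFR with zero or more than one Authority entry: {nscount}")
    elif nscount:
        anomalies.append(f"query with Authority entries: {nscount}")
    return anomalies


def encode_name(name):
    """Encode a dotted name; deliberately does not clamp label lengths so that
    malformed samples can be built."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def build_query(name, qtype=1, qclass=1, flags=FLAG_RD, qdcount=1, nscount=0, txid=0x1234):
    """Construct a sample query: 12-byte header followed by one question."""
    header = struct.pack("!6H", txid, flags, qdcount, 0, nscount, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


if __name__ == "__main__":
    samples = {
        "normal": build_query("www.example.com"),
        "no RD": build_query("www.example.com", flags=0),
        "long label": build_query("a" * 70 + ".example"),
        "long name": build_query(".".join(["a" * 50] * 5)),
        "ixfr no soa": build_query("example.com", qtype=QTYPE_IXFR),
    }
    for label, pkt in samples.items():
        print(f"{label:12s} -> {check_query(pkt)}")
```

Run it directly to see the verdict for each constructed sample; in a capture pipeline, feed `check_query` the UDP payload (or the TCP payload after its two-byte length prefix) and count hits per source to get the "events per second" signal the rules rate-limit on.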