Manual Chapter : Configuring Rapid-Response to Mitigate DNS Flood Attacks

Applies To: BIG-IP LTM 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

Overview: Configuring DNS Rapid-Response

When the BIG-IP® system is processing authoritative DNS responses for domains on your network using DNS Express, you can configure DNS Rapid-Response to protect your network from DNS flood attacks on those domains.

DNS Rapid-Response uses the maximum system resources available to mitigate a DNS attack. Statistics are available that show the number of DNS queries handled, the number of DNS responses generated, and the number of dropped DNS queries. However, when this feature is enabled, the system does not log DNS requests and responses.

If you enable the Rapid Response Mode for a Rapid-Response profile, only global server load balancing (GSLB) and DNS Express will function.

About configuring DNS Rapid-Response

When DNS Rapid-Response is enabled on a DNS profile attached to a BIG-IP® Local Traffic Manager™ (LTM™) virtual server or DNS listener, system validation can cause a configuration load failure. When this occurs, an administrator can change the options on the DNS profile and load the configuration again. When the configuration loads, system validation may display entries in the logs in /var/log/ltm.

Before creating a DNS Rapid-Response profile, you should be aware of the configurations in the following table that result in system validation errors and warnings, once DNS Rapid-Response is enabled.

Configuration                                                              | Validation Result
Protocol other than UDP associated with GTM listener or LTM virtual server | Error. DNS profile fails to load.
Auto Last Hop disabled on GTM listener or LTM virtual server               | Error. DNS profile fails to load.
LTM iRule associated with an LTM virtual server                            | Warning. Matching DNS queries do not cause the iRules to run.
LTM pool associated with LTM virtual server                                | Warning. Matching DNS queries are not load balanced to the pool.
Additional profiles associated with GTM listener or LTM virtual server     | Warning. Matching DNS queries do not activate features enabled on other profiles.
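The following pre-flight check is an added example, not F5 code: it encodes the validation table above so that a listener or virtual server description can be checked for the conditions that make the DNS profile fail to load (errors) or silently bypass features (warnings) before Rapid-Response is enabled. The Listener fields and the sample objects are a hypothetical description of the object, not a BIG-IP API.

```python
"""Pre-flight check for enabling DNS Rapid-Response on a listener or virtual server.

Added example (not F5 code). Encodes the chapter's validation table: errors mean
the DNS profile fails to load, warnings mean matching queries bypass a feature.
Listener is a hypothetical description of the object, not a BIG-IP API.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Listener:
    name: str
    protocol: str                     # transport the listener accepts: "udp" or "tcp"
    auto_last_hop: bool               # Auto Last Hop setting on the listener/virtual server
    irules: List[str] = field(default_factory=list)          # LTM iRules attached
    pool: str = ""                                           # LTM pool name, "" if none
    extra_profiles: List[str] = field(default_factory=list)  # profiles other than the DNS profile


def validate_rapid_response(lst: Listener) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for enabling Rapid-Response on this listener."""
    errors, warnings = [], []
    # Rapid-Response handles UDP only; any other protocol is a load error.
    if lst.protocol.lower() != "udp":
        errors.append(f"{lst.name}: protocol {lst.protocol} is not UDP; DNS profile fails to load")
    if not lst.auto_last_hop:
        errors.append(f"{lst.name}: Auto Last Hop is disabled; DNS profile fails to load")
    # The remaining conditions load, but matching queries skip the feature.
    if lst.irules:
        warnings.append(f"{lst.name}: matching DNS queries will not run iRules {lst.irules}")
    if lst.pool:
        warnings.append(f"{lst.name}: matching DNS queries will not be load balanced to pool {lst.pool}")
    if lst.extra_profiles:
        warnings.append(f"{lst.name}: features of profiles {lst.extra_profiles} will not apply to matching queries")
    return errors, warnings


def config_loads(lst: Listener) -> bool:
    """True when enabling Rapid-Response would not cause a configuration load failure."""
    return not validate_rapid_response(lst)[0]


# Constructed sample objects (not exported from a real BIG-IP).
SAMPLE_LISTENERS = [
    Listener("dns_udp_ok", "udp", True),
    Listener("dns_tcp", "tcp", True),
    Listener("dns_no_alh", "udp", False, irules=["log_queries"], pool="dns_pool"),
]

if __name__ == "__main__":
    for lst in SAMPLE_LISTENERS:
        errs, warns = validate_rapid_response(lst)
        print(lst.name, "loads" if not errs else "FAILS TO LOAD", errs, warns)
```

Running the check against a description of every listener that will carry the profile, before enabling Rapid Response Mode, avoids discovering the load failure from /var/log/ltm during an attack.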

Creating a DNS Rapid-Response profile

To protect your network on a BIG-IP® system from a DNS flood attack, configure a custom DNS Rapid-Response profile.
Note: DNS Rapid-Response works only for traffic over the UDP protocol.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS or Local Traffic > Profiles > Services > DNS.
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the Denial of Service Protection area, from the Rapid Response Mode list, select Enabled.
    Note: Enable this setting after a DNS flood attack occurs. When you enable it, all other DNS features are disabled, except for DNS Express and global server load balancing (GSLB), unless the Rapid Response Last Action is set to Allow.
  7. In the Denial of Service Protection area, from the Rapid Response Last Action list, select an option to protect your network:
    Option     Description
    Allow      BIG-IP sends non-matching DNS queries along the regular packet processing path.
    Drop       BIG-IP drops the message without sending a response to the client. This is the default value.
    No Error   BIG-IP returns a NOERROR response to the client.
    NX Domain  BIG-IP returns a non-existent name response to the client.
    Refuse     BIG-IP returns a REFUSED response to the client.
    Truncate   BIG-IP truncates the response to the client.
  8. Click Finished.
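The block below is an added example, not F5 code, showing what a client receives under each Rapid Response Last Action from step 7 so the chosen setting can be verified from a packet capture. It builds a constructed sample query and the reply each action produces. The flag bits and RCODE values are from RFC 1035; the exact reply layout (header plus the echoed question, no answer records) is an assumption about how the BIG-IP forms these responses.

```python
"""What a client sees for each Rapid Response Last Action.

Added example (not F5 code). Rapid-Response answers matching queries from DNS
Express; the Last Action decides the fate of every other query. Header layout
and RCODE values are from RFC 1035; echoing the question section with no
answer records is an assumption about the BIG-IP's reply format.
"""
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5
FLAG_QR, FLAG_TC, FLAG_RD = 0x8000, 0x0200, 0x0100


def build_query(name: str, qid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample query: recursion-desired A query for name, class IN."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    header = struct.pack("!6H", qid, FLAG_RD, 1, 0, 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1)


def last_action_response(query: bytes, last_action: str):
    """Return (disposition, packet) for a non-matching query under last_action.

    disposition is "forward" (Allow: regular processing path), "drop" (no reply
    at all; the client times out), or "respond" with the UDP payload sent back.
    """
    action = last_action.lower().replace(" ", "")   # "NX Domain" -> "nxdomain"
    if action == "allow":
        return "forward", None
    if action == "drop":
        return "drop", None
    qid, flags, qdcount, _, _, _ = struct.unpack("!6H", query[:12])
    rcode = {"noerror": RCODE_NOERROR, "nxdomain": RCODE_NXDOMAIN,
             "refuse": RCODE_REFUSED, "truncate": RCODE_NOERROR}[action]
    resp_flags = FLAG_QR | (flags & FLAG_RD) | rcode   # response, keep RD, set RCODE
    if action == "truncate":
        resp_flags |= FLAG_TC   # TC set: a well-behaved resolver retries over TCP
    header = struct.pack("!6H", qid, resp_flags, qdcount, 0, 0, 0)
    return "respond", header + query[12:]   # echo the question section


def query_id(packet: bytes) -> int:
    return struct.unpack("!H", packet[:2])[0]


def rcode_of(packet: bytes) -> int:
    return struct.unpack("!H", packet[2:4])[0] & 0x000F


def is_truncated(packet: bytes) -> bool:
    return bool(struct.unpack("!H", packet[2:4])[0] & FLAG_TC)


if __name__ == "__main__":
    q = build_query("www.example.com")
    for action in ("Allow", "Drop", "No Error", "NX Domain", "Refuse", "Truncate"):
        kind, pkt = last_action_response(q, action)
        detail = "" if pkt is None else f"rcode={rcode_of(pkt)} tc={is_truncated(pkt)}"
        print(f"{action:10} -> {kind} {detail}")
```

Two points follow from the model when choosing the Last Action: Drop (the default) gives the client nothing, so the only evidence is the dropped-query counter in the Rapid Response statistics; Truncate sets the TC bit, which causes standards-compliant resolvers to retry the query over TCP, and since Rapid-Response handles UDP only, those retries arrive on whatever TCP listener serves the zone.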

Viewing DNS Rapid-Response statistics

Before you begin, ensure that the BIG-IP® system is configured for DNS Rapid-Response.
View statistics about DNS Rapid-Response traffic (queries handled, responses generated, and queries dropped) to debug network traffic problems.
  1. On the Main tab, click DNS > Delivery > Listeners > Statistics.
    The Listeners screen opens.
  2. In the Details column of a Listener, click View.
  3. In the Profiles area, for the Select Profile settings list, select a DNS profile.
  4. In the Rapid Response area, view the list of statistics.