Applies To:

Show Versions Show Versions

Manual Chapter: Configuring Rapid Response to Mitigate DNS Flood Attacks
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Configuring Rapid Response to Mitigate DNS Flood Attacks

Overview: Configuring DNS Rapid Response

When the BIG-IP® system is processing authoritative DNS responses for domains on your network using DNS Express, you can configure DNS Rapid Response to protect your network from DNS flood attacks on those domains.

DNS Rapid Response uses the maximum system resources available to mitigate a DNS attack. Statistics are available that show the number of DNS queries handled, the number of DNS responses generated, and the number of dropped DNS queries. However, when this feature is enabled, the system does not log DNS requests and responses.

If you enable the Rapid Response Mode for a Rapid Response profile, only global server load balancing (GSLB) and DNS Express will function.

About configuring DNS Rapid Response

When DNS Rapid Response is enabled on a DNS profile attached to a BIG-IP® Local Traffic Manager™ (LTM™) virtual server or DNS listener, system validation can cause a configuration load failure. When this occurs, an administrator can change the options on the DNS profile and load the configuration again. When the configuration loads, system validation may display entries in the logs in /var/log/ltm.

Before creating a DNS Rapid Response profile, you should be aware of the configurations in the following table that result in system validation errors and warnings, once DNS Rapid Response is enabled.

Configuration Validation Result
Protocol other than UDP associated with BIG-IP DNS listener or LTM virtual server Error. DNS profile fails to load.
Auto Last Hop disabled on BIG-IP DNS listener or LTM virtual server Error. DNS profile fails to load.
LTM iRule associated with an LTM virtual server Warning. Matching DNS queries do not cause the iRules to run.
LTM pool associated with LTM virtual server Warning. Matching DNS queries are not load balanced to the pool.
Additional profiles associated with BIG-IP DNS listener or LTM virtual server Warning. Matching DNS queries do not activate features enabled on other profiles.

Creating a DNS Rapid Response profile

To protect your network on a BIG-IP® system from a DNS flood attack, configure a custom DNS Rapid Response profile.
Note: DNS Rapid Response works only for traffic over the UDP protocol.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS .
    The DNS list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the Denial of Service Protection area, from the Rapid Response Mode list, select Enabled.
    Note: Enable this setting after a DNS flood attack occurs. When you enable, all other DNS features are disabled, except for DNS Express and global server load balancing (GSLB), unless the Rapid Response Last Action is set to Allow.
  7. In the Denial of Service Protection area, from the Rapid Response Last Action list, select an option to protect your network:
    Option Description
    Allow BIG-IP system sends non-matching DNS queries along the regular packet processing path
    Drop BIG-IP system drops the message without sending a response to the client. This is the default value.
    No Error BIG-IP system returns NOERROR response to the client..
    NX Domain BIG-IP system returns non-existent name response to the client.
    Refuse BIG-IP system returns REFUSED response to the client.
    Truncate BIG-IP system truncates the response to the client.
  8. Click Finished.

Viewing DNS Rapid Response statistics

Ensure that you configure the BIG-IP® system for DNS Rapid Response.
View statistics about DNS Rapid Response traffic to debug network traffic problems.
  1. On the Main tab, click DNS > Delivery > Listeners > Statistics .
    The Listeners screen opens.
  2. In the Details column of a Listener, click View.
  3. In the Profiles area, for the Select Profile settings list, select a DNS profile.
  4. In the Rapid Response area, view the list of statistics.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)