When the BIG-IP® system is processing authoritative DNS responses for domains on your network using DNS Express, you can configure DNS Rapid Response to protect your network from DNS flood attacks on those domains.
DNS Rapid Response uses the maximum system resources available to mitigate a DNS attack. Statistics are available that show the number of DNS queries handled, the number of DNS responses generated, and the number of dropped DNS queries. However, when this feature is enabled, the system does not log DNS requests and responses.
If you enable the Rapid Response Mode for a Rapid Response profile, only global server load balancing (GSLB) and DNS Express will function.
When DNS Rapid Response is enabled on a DNS profile attached to a BIG-IP® Local Traffic Manager™ (LTM™) virtual server or DNS listener, system validation can cause a configuration load failure. When this occurs, an administrator can change the options on the DNS profile and load the configuration again. When the configuration loads, system validation may display entries in the logs in /var/log/ltm.
Before creating a DNS Rapid Response profile, you should be aware of the configurations in the following table that result in system validation errors and warnings, once DNS Rapid Response is enabled.
|Protocol other than UDP associated with BIG-IP DNS listener or LTM virtual server||Error. DNS profile fails to load.|
|Auto Last Hop disabled on BIG-IP DNS listener or LTM virtual server||Error. DNS profile fails to load.|
|LTM iRule associated with an LTM virtual server||Warning. Matching DNS queries do not cause the iRules to run.|
|LTM pool associated with LTM virtual server||Warning. Matching DNS queries are not load balanced to the pool.|
|Additional profiles associated with BIG-IP DNS listener or LTM virtual server||Warning. Matching DNS queries do not activate features enabled on other profiles.|
|Allow||BIG-IP system sends non-matching DNS queries along the regular packet processing path|
|Drop||BIG-IP system drops the message without sending a response to the client. This is the default value.|
|No Error||BIG-IP system returns NOERROR response to the client..|
|NX Domain||BIG-IP system returns non-existent name response to the client.|
|Refuse||BIG-IP system returns REFUSED response to the client.|
|Truncate||BIG-IP system truncates the response to the client.|