Manual Chapter : Configuring Rapid Response to Mitigate DNS Flood Attacks

Applies To:


BIG-IP LTM

  • 14.0.1, 14.0.0

BIG-IP DNS

  • 14.0.1, 14.0.0

Overview: Configuring DNS Rapid Response

When the BIG-IP® system is processing authoritative DNS responses for domains on your network using DNS Express, you can configure DNS Rapid Response to protect your network from DNS flood attacks on those domains.
DNS Rapid Response uses the maximum system resources available to mitigate a DNS attack. Statistics are available that show the number of DNS queries handled, the number of DNS responses generated, and the number of dropped DNS queries. However, when this feature is enabled, the system does not log DNS requests and responses.
If you enable the Rapid Response Mode for a Rapid Response profile, only global server load balancing (GSLB) and DNS Express will function.

About configuring DNS Rapid Response

When DNS Rapid Response is enabled on a DNS profile attached to a BIG-IP Local Traffic Manager (LTM) virtual server or DNS listener, system validation can cause a configuration load failure. When this occurs, an administrator can change the options on the DNS profile and load the configuration again. When the configuration loads, system validation may display entries in the logs in /var/log/ltm.
Before creating a DNS Rapid Response profile, you should be aware of the configurations in the following table that result in system validation errors and warnings, once DNS Rapid Response is enabled.
Configuration: Validation Result
  • Protocol other than UDP associated with BIG-IP DNS listener or LTM virtual server: Error. DNS profile fails to load.
  • Auto Last Hop disabled on BIG-IP DNS listener or LTM virtual server: Error. DNS profile fails to load.
  • LTM iRule associated with an LTM virtual server: Warning. Matching DNS queries do not cause the iRules to run.
  • LTM pool associated with LTM virtual server: Warning. Matching DNS queries are not load balanced to the pool.
  • Additional profiles associated with BIG-IP DNS listener or LTM virtual server: Warning. Matching DNS queries do not activate features enabled on other profiles.
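As an added example that is not part of this manual or of F5's code, the following Python pre-flight check applies the validation rules from the table above to a listener or virtual server before Rapid Response Mode is enabled, so that a configuration load failure is avoided rather than diagnosed afterwards. The Listener class is a constructed model and an assumption of this example; it is not a tmsh or iControl REST object.

```python
# Added example, not F5's code: apply the validation rules from the table above
# to a listener or virtual server BEFORE Rapid Response Mode is enabled, so a
# configuration load failure is avoided rather than diagnosed in /var/log/ltm.
# Listener is a constructed model (assumption), not a tmsh or iControl REST object.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

@dataclass
class Listener:
    name: str
    protocol: str                 # "udp" or "tcp"
    auto_lasthop: str             # "default", "enabled" or "disabled"
    irules: List[str] = field(default_factory=list)
    pool: Optional[str] = None
    profiles: List[str] = field(default_factory=list)   # e.g. ["dns", "udp"]

def rapid_response_preflight(ls: Listener) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) that system validation would raise once the
    DNS profile attached to `ls` has Rapid Response Mode enabled."""
    errors, warnings = [], []
    if ls.protocol.lower() != "udp":
        errors.append(f"{ls.name}: protocol {ls.protocol} is not UDP; "
                      "DNS profile fails to load")
    # Only an explicit 'disabled' is flagged; 'default' inherits the global
    # Auto Last Hop setting, which this check cannot see.
    if ls.auto_lasthop.lower() == "disabled":
        errors.append(f"{ls.name}: Auto Last Hop disabled; DNS profile fails to load")
    if ls.irules:
        warnings.append(f"{ls.name}: iRules {ls.irules} do not run for matching DNS queries")
    if ls.pool:
        warnings.append(f"{ls.name}: matching DNS queries are not load balanced to pool {ls.pool}")
    # Assumption: the DNS profile and the protocol profile are the baseline;
    # anything else is an "additional profile" whose features are bypassed.
    extra = [p for p in ls.profiles if p.lower() not in {"dns", ls.protocol.lower()}]
    if extra:
        warnings.append(f"{ls.name}: features of additional profiles {extra} "
                        "are not applied to matching DNS queries")
    return errors, warnings

def safe_to_enable(ls: Listener) -> bool:
    """True when enabling Rapid Response would not cause a configuration load failure."""
    return not rapid_response_preflight(ls)[0]

if __name__ == "__main__":
    # Constructed sample: TCP virtual server, Auto Last Hop off, iRule, pool, extra profile.
    vs = Listener("vs_dns_tcp", "tcp", "disabled", ["log_dns"], "dns_pool",
                  ["dns", "tcp", "request-log"])
    print("\n".join(sum(rapid_response_preflight(vs), [])))
    print("safe to enable:", safe_to_enable(vs))
```

Errors predict a failed configuration load; warnings only mean the listed feature is bypassed for matching DNS queries while Rapid Response is active.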

Creating a DNS Rapid Response profile

To protect your network on a BIG-IP system from a DNS flood attack, configure a custom DNS Rapid Response profile.
DNS Rapid Response works only for traffic over the UDP protocol.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS.
    The DNS list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the Denial of Service Protection area, from the Rapid Response Mode list, select Enabled.
    Enable this setting after a DNS flood attack occurs. When you enable it, all other DNS features are disabled, except for DNS Express and global server load balancing (GSLB), unless the Rapid Response Last Action is set to Allow.
  7. In the Denial of Service Protection area, from the Rapid Response Last Action list, select an option to protect your network:
      • Allow: The BIG-IP system sends non-matching DNS queries along the regular packet processing path.
      • Drop: The BIG-IP system drops the message without sending a response to the client. This is the default value.
      • No Error: The BIG-IP system returns a NOERROR response to the client.
      • NX Domain: The BIG-IP system returns a non-existent name (NXDOMAIN) response to the client.
      • Refuse: The BIG-IP system returns a REFUSED response to the client.
      • Truncate: The BIG-IP system truncates the response to the client.
  8. Click Finished.

Viewing DNS Rapid Response statistics

Ensure that you configure the BIG-IP system for DNS Rapid Response.
View statistics about DNS Rapid Response traffic to debug network traffic problems.
  1. On the Main tab, click DNS > Delivery > Listeners > Statistics.
    The Listeners screen opens.
  2. In the Details column of a Listener, click View.
  3. In the Profiles area, from the Select Profile settings list, select a DNS profile.
  4. In the Rapid Response area, view the list of statistics.