Manual Chapter: Configuring Rapid Response to Mitigate DNS Flood Attacks
Applies To:
BIG-IP LTM
- 14.0.1, 14.0.0
BIG-IP DNS
- 14.0.1, 14.0.0
Overview: Configuring DNS Rapid Response
When the BIG-IP® system is processing authoritative DNS responses for domains on your network using DNS Express, you can configure DNS Rapid Response to protect your network from DNS flood attacks on those domains.

DNS Rapid Response uses the maximum system resources available to mitigate a DNS attack. Statistics are available that show the number of DNS queries handled, the number of DNS responses generated, and the number of dropped DNS queries. However, when this feature is enabled, the system does not log DNS requests and responses.

If you enable the Rapid Response Mode for a Rapid Response profile, only global server load balancing (GSLB) and DNS Express will function.
About configuring DNS Rapid Response
When DNS Rapid Response is enabled on a DNS profile attached to a BIG-IP Local Traffic Manager (LTM) virtual server or DNS listener, system validation can cause a configuration load failure. When this occurs, an administrator can change the options on the DNS profile and load the configuration again. When the configuration loads, system validation may display entries in the logs in /var/log/ltm. Before creating a DNS Rapid Response profile, you should be aware of the configurations in the following table that result in system validation errors and warnings, once DNS Rapid Response is enabled.
| Configuration | Validation Result |
|---|---|
| Protocol other than UDP associated with BIG-IP DNS listener or LTM virtual server | Error. DNS profile fails to load. |
| Auto Last Hop disabled on BIG-IP DNS listener or LTM virtual server | Error. DNS profile fails to load. |
| LTM iRule associated with an LTM virtual server | Warning. Matching DNS queries do not cause the iRules to run. |
| LTM pool associated with LTM virtual server | Warning. Matching DNS queries are not load balanced to the pool. |
| Additional profiles associated with BIG-IP DNS listener or LTM virtual server | Warning. Matching DNS queries do not activate features enabled on other profiles. |
Creating a DNS Rapid Response profile
To protect your network on a BIG-IP system from a DNS flood attack, configure a custom DNS Rapid Response profile. DNS Rapid Response works only for traffic over the UDP protocol.
- On the Main tab, click . The DNS list screen opens.
- Click Create. The New DNS Profile screen opens.
- In the Name field, type a unique name for the profile.
- In the General Properties area, from the Parent Profile list, accept the default dns profile.
- Select the Custom check box.
- In the Denial of Service Protection area, from the Rapid Response Mode list, select Enabled. Enable this setting after a DNS flood attack occurs. When you enable it, all other DNS features are disabled, except for DNS Express and global server load balancing (GSLB), unless the Rapid Response Last Action is set to Allow.
- In the Denial of Service Protection area, from the Rapid Response Last Action list, select an option to protect your network:
  - Allow: BIG-IP system sends non-matching DNS queries along the regular packet processing path.
  - Drop: BIG-IP system drops the message without sending a response to the client. This is the default value.
  - No Error: BIG-IP system returns a NOERROR response to the client.
  - NX Domain: BIG-IP system returns a non-existent name response to the client.
  - Refuse: BIG-IP system returns a REFUSED response to the client.
  - Truncate: BIG-IP system truncates the response to the client.
- Click Finished.
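The validation rules in the table above and the profile settings from the steps above, as an added pre-flight script that is not part of the F5 manual. It checks a planned listener against the error and warning conditions before the profile is enabled, then prints (without running) the equivalent tmsh command; the tmsh attribute names `rapid-response-enable` and `rapid-response-last-action` and the lowercase action keywords are assumed and should be confirmed with `tmsh help ltm profile dns` on your system.

```shell
#!/bin/sh
# Added example, not F5's own code. Mirrors the validation table:
# non-UDP protocol or Auto Last Hop disabled -> Error (profile fails to load);
# iRules, pools or extra profiles on the listener -> Warning (not applied).

# Args: protocol auto_lasthop irule_count pool_count extra_profile_count
# Prints one finding per line; returns 1 if any Error condition is present.
rapid_response_precheck() {
  proto=$1; lasthop=$2; irules=$3; pools=$4; extra=$5; rc=0
  if [ "$proto" != "udp" ]; then
    echo "ERROR: protocol is $proto; Rapid Response works only over UDP (profile fails to load)"
    rc=1
  fi
  if [ "$lasthop" = "disabled" ]; then
    echo "ERROR: Auto Last Hop is disabled on the listener (profile fails to load)"
    rc=1
  fi
  if [ "$irules" -gt 0 ]; then
    echo "WARNING: $irules iRule(s) on the virtual server will not run for matching DNS queries"
  fi
  if [ "$pools" -gt 0 ]; then
    echo "WARNING: matching DNS queries are not load balanced to the associated pool"
  fi
  if [ "$extra" -gt 0 ]; then
    echo "WARNING: features of $extra additional profile(s) are not activated for matching queries"
  fi
  return $rc
}

# Args: profile_name last_action (allow|drop|noerror|nxdomain|refuse|truncate)
# Prints the tmsh command for a custom profile based on the default dns profile.
# Attribute names and action keywords are assumptions; verify with tmsh help.
rapid_response_tmsh_cmd() {
  name=$1; action=$2
  case $action in
    allow|drop|noerror|nxdomain|refuse|truncate) ;;
    *) echo "unknown Rapid Response Last Action: $action" >&2; return 1 ;;
  esac
  echo "tmsh create ltm profile dns $name defaults-from dns rapid-response-enable yes rapid-response-last-action $action"
}

# Constructed sample listener: UDP, Auto Last Hop enabled, one iRule attached.
rapid_response_precheck udp enabled 1 0 0
rapid_response_tmsh_cmd dns_rapid_response drop
```

Run the precheck against the actual listener settings before enabling Rapid Response Mode, since the two Error conditions leave the profile unloaded rather than merely degraded.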
Viewing DNS Rapid Response statistics
Ensure that you configure the BIG-IP system for DNS Rapid Response.

View statistics about DNS Rapid Response traffic to debug network traffic problems.
- On the Main tab, click . The Listeners screen opens.
- In the Details column of a Listener, click View.
- In the Profiles area, for the Select Profile settings list, select a DNS profile.
- In the Rapid Response area, view the list of statistics.