Manual Chapter: Filter DNS traffic with a DNS security profile
Applies To: BIG-IP AFM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
The BIG-IP system can allow or drop packets of specific DNS query types, or with specific header opcodes, to prevent attacks or to allow legitimate DNS traffic. You can use this to filter out header opcodes or query types that are not necessary on your system, or to respond to suspicious increases in packets of a certain type, as identified with the DNS security profile.
In this task, you create a DNS security profile and configure DNS security settings at the same time. However, you can also configure these settings in a DNS security profile that already exists.
- On the Main tab, click . The DNS Security Profiles list screen opens.
- Click Create. The New Protection Profile screen opens.
- In the Name field, type the name for the profile.
- From the Query Type list, select how to handle the query types you add to the Active list.
  - Select Inclusion to allow packets with the DNS query types and header opcodes you add to the Active list, and drop all others.
  - Select Exclusion to deny packets with the DNS query types and header opcodes you add to the Active list, and allow all others.
- In the Query Type Filter setting, move the query types to filter for inclusion or exclusion from the Available list to the Active list.
- In the Header Opcode Exclusion setting, move the header opcodes to filter for exclusion from the Available list to the Active list. Only the query opcode is available for header exclusion.
- Click Finished to save your changes.
Now you have configured the profile to include or exclude only the specified DNS query types and header opcodes. Specify this DNS security profile in a local traffic DNS profile attached to a protected object.
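The inclusion/exclusion decision described in the steps above, as an added Python example (not F5 code and not how BIG-IP implements it): it reads the header opcode and the first question's query type from a constructed DNS query and applies the profile's Inclusion or Exclusion rule plus the optional query-opcode exclusion. The function names, the mode strings and the sample packet builder are assumptions made for this illustration.

```python
import struct

# RFC 1035/6895 values for the query types and opcodes used below.
QTYPE_NAMES = {1: "a", 2: "ns", 5: "cname", 6: "soa", 12: "ptr", 15: "mx",
               16: "txt", 28: "aaaa", 33: "srv", 255: "any"}
OPCODE_NAMES = {0: "query", 1: "iquery", 2: "status", 4: "notify", 5: "update"}


def parse_query(packet: bytes):
    """Return (opcode name, qtype name) of the first question in a DNS query."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _ident, flags, qdcount = struct.unpack("!HHH", packet[:6])
    opcode = (flags >> 11) & 0xF          # bits 11-14 of the flags word
    if qdcount < 1:
        raise ValueError("no question section")
    i = 12
    while True:                           # walk QNAME labels to the root label
        if i >= len(packet):
            raise ValueError("truncated question name")
        length = packet[i]
        if length >= 0xC0:
            raise ValueError("compression pointer in question name")
        if length == 0:
            i += 1
            break
        i += 1 + length
    if i + 2 > len(packet):
        raise ValueError("truncated QTYPE")
    qtype = struct.unpack("!H", packet[i:i + 2])[0]
    return OPCODE_NAMES.get(opcode, str(opcode)), QTYPE_NAMES.get(qtype, str(qtype))


def profile_allows(packet: bytes, mode: str, active_qtypes, excluded_opcodes=()):
    """Apply the profile: 'inclusion' passes only Active types and drops the rest,
    'exclusion' drops Active types and passes the rest; excluded opcodes always drop."""
    opcode, qtype = parse_query(packet)
    if opcode in excluded_opcodes:
        return False
    listed = qtype in active_qtypes
    if mode == "inclusion":
        return listed
    if mode == "exclusion":
        return not listed
    raise ValueError(f"unknown mode {mode!r}")


def build_query(name: str, qtype: int, opcode: int = 0) -> bytes:
    """Constructed sample packet: 12-byte header plus one question, no EDNS."""
    flags = (opcode & 0xF) << 11
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
```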