F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP AFM
  4. BIG-IP Systems: DoS Protection and Protocol Firewall Implementations
  5. Filtering DNS Packets
Manual Chapter : Filtering DNS Packets

Applies To:

Show Versions Show Versions

BIG-IP AFM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Filtering DNS Packets

About DNS protocol filtering

With a DNS security profile, you can filter DNS to allow or deny specific DNS query types, and to deny specific DNS opcodes. The DNS security profile is attached to, and works with, a local traffic DNS profile to configure a range of DNS settings for a virtual server. Use DNS protocol filtering:

  • To filter DNS query types or header opcodes that are not necessary or relevant in your configuration, or that you do not want your DNS servers to handle.
  • As a remediation tool to drop packets of a specific query type, if a DoS Protection Profile identifies anomalous DNS activity with that query type.

Filtering DNS traffic with a DNS security profile

In this task, you create a DNS security profile and configure DNS security settings at the same time. However, you can also configure settings in a DNS security profile that already exists.
The BIG-IP® system can allow or drop packets of specific DNS query types, or with specific opcodes, to prevent attacks or allow legitimate DNS traffic. Use this to filter out header opcodes or query types that are not necessary on your system, or to respond to suspicious increases in packets of a certain type, as identified with the DNS security profile.
  1. On the Main tab, click Security > Protocol Security > Security Profiles > DNS .
    The DNS Security Profiles list screen opens.
  2. Click Create.
    The Create New DoS Profile screen opens.
  3. In the Profile Name field, type the name for the profile.
  4. From the Query Type list, select how to handle query types you add to the Active list.
    • Select Inclusion to allow packets with the DNS query types you add to the Active list, and drop all others.
    • Select Exclusion to deny packets with the DNS query types you add to the Active list, and allow all others.
  5. In the Profile Name field, type the name for the profile.
  6. In the Profile Name field, type the name for the profile.
  7. In the Profile Name field, type the name for the profile.
  8. Click Update to save your changes.
Now you have configured the profile to include or exclude only specified DNS query types and header opcodes.
Specify this DNS security profile in a local traffic DNS profile attached to a virtual server.

Creating a custom DNS profile to firewall DNS traffic

Ensure that you have a DNS security profile created before you configure this system DNS profile.
You can create a custom DNS profile to configure the BIG-IP® system firewall traffic through the system.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS .
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. From the DNS Security list, select Enabled.
  7. From the DNS Security Profile Name list, select the name of the DNS firewall profile.
  8. Click Finished.
Assign the custom DNS profile to the virtual server that handles the DNS traffic that you want to firewall.

Assigning a DNS profile to a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. From the DNS Profile list, select the profile you want to assign to the virtual server.
  5. Click Update.
The virtual server now handles DNS traffic.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information