Manual Chapter : Filtering DNS Packets

Applies To:


BIG-IP AFM

  • 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About DNS protocol filtering

With a DNS security profile, you can filter DNS to allow or deny specific DNS query types, and to deny specific DNS OpCodes. The DNS security profile is attached to, and works with, a local traffic DNS profile to configure a range of DNS settings for a virtual server. Use DNS protocol filtering:

  • To filter DNS query types or header OpCodes that are not necessary or relevant in your configuration, or that you do not want your DNS servers to handle.
  • As a remediation tool to drop packets of a specific query type, if a DoS Protection Profile identifies anomalous DNS activity with that query type.

Task list

Filtering DNS traffic with a DNS security profile

The BIG-IP® system can allow or drop packets of specific DNS query types, or with specific opcodes, to prevent attacks or allow legitimate DNS traffic. You can use this to filter out header opcodes or query types that are not necessary on your system, or to respond to suspicious increases in packets of a certain type, as identified with the DNS security profile.

In this task, you create a DNS security profile and configure DNS security settings at the same time. However, you can also configure settings in a DNS security profile that already exists.

  1. On the Main tab, click Security > Protocol Security > Security Profiles > DNS.
    The DNS Security Profiles list screen opens.
  2. Click Create.
    The New Security Profile screen opens.
  3. In the Name field, type the name for the profile.
  4. From the Query Type list, select how to handle query types you add to the Active list.
    • Select Inclusion to allow packets with the DNS query types and header opcodes you add to the Active list, and drop all others.
    • Select Exclusion to deny packets with the DNS query types and header opcodes you add to the Active list, and allow all others.
  5. In the Query Type Filter setting, move query types to filter for inclusion or exclusion from the Available list to the Active list.
  6. In the Header Opcode Exclusion setting, move header types to filter for exclusion from the Available list to the Active list.
    Note: Only the query opcode is available for header exclusion.
  7. Click Finished to save your changes.
Now you have configured the profile to include or exclude only specified DNS query types and header opcodes.
Specify this DNS security profile in a local traffic DNS profile attached to a virtual server.
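The following script is an added illustration, not F5 code and not part of this manual: it parses the header opcode and the first question's query type out of a raw DNS message and applies the same Inclusion/Exclusion semantics the profile settings above describe, so you can see exactly which packets each mode drops before you commit a filter to production traffic. The packet builder, the type/opcode name tables and the sample policies are constructed for the example; the opcode exclusion is generalized to any opcode, whereas the profile on this release offers only the query opcode for header exclusion.

```python
import struct

# Constructed name tables (values follow the IANA DNS parameter registries).
QTYPES = {1: "A", 2: "NS", 6: "SOA", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA", 255: "ANY"}
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}


def parse_dns_query(pkt: bytes):
    """Return (opcode, qtype) from a raw DNS message (the UDP payload).

    Only the 12-byte header and the first question are read; qtype is None
    when the message carries no question section.
    """
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    opcode = (flags >> 11) & 0xF  # OPCODE is bits 11-14 of the flags word
    if qdcount == 0:
        return opcode, None
    pos = 12
    while True:  # walk the length-prefixed labels of QNAME
        if pos >= len(pkt):
            raise ValueError("truncated QNAME")
        length = pkt[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:  # compression pointers are not valid in a question name
            raise ValueError("compression pointer in question name")
        pos += 1 + length
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
    return opcode, qtype


def build_query(name: str, qtype: int, opcode: int = 0, txid: int = 0x1234) -> bytes:
    """Build a minimal single-question DNS query (constructed sample input)."""
    flags = (opcode << 11) | 0x0100  # RD set, as a typical stub resolver would
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS IN


class DnsFilterPolicy:
    """Models the three profile settings: query type list mode (Inclusion or
    Exclusion), the Active query type list, and the excluded header opcodes.
    Hypothetical class, not an F5 API."""

    def __init__(self, mode: str, active_qtypes, excluded_opcodes=()):
        if mode not in ("inclusion", "exclusion"):
            raise ValueError("mode must be 'inclusion' or 'exclusion'")
        self.mode = mode
        self.active_qtypes = set(active_qtypes)
        self.excluded_opcodes = set(excluded_opcodes)

    def decide(self, pkt: bytes) -> str:
        """Return 'allow' or 'drop'. An excluded opcode is always dropped;
        Inclusion drops any query type not on the Active list (a message with
        no question counts as 'not on the list'); Exclusion drops only the
        query types on the Active list and allows all others."""
        opcode, qtype = parse_dns_query(pkt)
        if opcode in self.excluded_opcodes:
            return "drop"
        on_list = qtype in self.active_qtypes
        if self.mode == "inclusion":
            return "allow" if on_list else "drop"
        return "drop" if on_list else "allow"


if __name__ == "__main__":
    # Inclusion: only A and AAAA lookups survive; ANY is dropped.
    allow_list = DnsFilterPolicy("inclusion", {1, 28})
    # Exclusion: everything survives except ANY, and UPDATE messages are dropped.
    deny_list = DnsFilterPolicy("exclusion", {255}, excluded_opcodes={5})
    samples = [build_query("example.com", 1), build_query("example.com", 255),
               build_query("example.com", 1, opcode=5)]
    for pkt in samples:
        op, qt = parse_dns_query(pkt)
        print(f"{OPCODES.get(op, op)}/{QTYPES.get(qt, qt)}: "
              f"inclusion={allow_list.decide(pkt)} exclusion={deny_list.decide(pkt)}")
```

Run it against captured UDP payloads from your own resolver to confirm that an Inclusion list is the stricter of the two modes: it drops every type you did not explicitly add, which is why the Active list must cover every record type your clients legitimately request before the profile is attached to a virtual server.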

Creating a custom DNS profile to firewall DNS traffic

Ensure that you have a DNS security profile created before you configure this system DNS profile.
You can create a custom DNS profile to configure how the BIG-IP® system firewalls the DNS traffic that passes through it.
  1. On the Main tab, click Local Traffic > Profiles > Services > DNS.
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. In the General Properties area, from the Parent Profile list, accept the default dns profile.
  5. Select the Custom check box.
  6. In the DNS Traffic area, from the DNS Security list, select Enabled.
  7. In the DNS Traffic area, from the DNS Security Profile Name list, select the name of the DNS firewall profile.
  8. Click Finished.
Assign the custom DNS profile to the virtual server that handles the DNS traffic that you want to firewall.

Assigning a DNS profile to a virtual server

  1. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  2. Click the name of the virtual server you want to modify.
  3. From the Configuration list, select Advanced.
  4. From the DNS Profile list, select the profile you want to assign to the virtual server.
  5. Click Update.
The virtual server now handles DNS traffic.