Applies To: 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Configuring Rapid-Response to Mitigate DNS Flood Attacks
Overview: Configuring DNS Rapid-Response
When the BIG-IP® system is processing authoritative DNS responses for domains on your network using DNS Express, you can configure DNS Rapid-Response to protect your network from DNS flood attacks on those domains.
DNS Rapid-Response uses the maximum system resources available to mitigate a DNS attack. Statistics are available that show the number of DNS queries handled, the number of DNS responses generated, and the number of dropped DNS queries. However, when this feature is enabled, the system does not log DNS requests and responses.
If you enable the Rapid Response Mode for a Rapid-Response profile, only global server load balancing (GSLB) and DNS Express will function.
About configuring DNS Rapid-Response
When DNS Rapid-Response is enabled on a DNS profile attached to a BIG-IP® Local Traffic Manager™ (LTM™) virtual server or DNS listener, system validation can cause a configuration load failure. When this occurs, an administrator can change the options on the DNS profile and load the configuration again. When the configuration loads, system validation may display entries in the logs in /var/log/ltm.
Before creating a DNS Rapid-Response profile, you should be aware of the configurations in the following table that result in system validation errors and warnings, once DNS Rapid-Response is enabled.
| Configuration | Result |
| --- | --- |
| Protocol other than UDP associated with GTM listener or LTM virtual server | Error. DNS profile fails to load. |
| Auto Last Hop disabled on GTM listener or LTM virtual server | Error. DNS profile fails to load. |
| LTM iRule associated with an LTM virtual server | Warning. Matching DNS queries do not cause the iRules to run. |
| LTM pool associated with LTM virtual server | Warning. Matching DNS queries are not load balanced to the pool. |
| Additional profiles associated with GTM listener or LTM virtual server | Warning. Matching DNS queries do not activate features enabled on other profiles. |
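The rules in the table can be applied before the profile is enabled, rather than discovered from a failed configuration load. The following is an added example, not F5 code: a Python pre-flight check that reads a simplified, hand-written tmsh-style `ltm virtual` stanza and reports the errors and warnings the table predicts for every virtual server that carries the DNS profile. The stanza layout and the keyword names `ip-protocol`, `auto-lasthop`, `pool`, `rules` and `profiles` are assumptions about the tmsh format, and the sample configuration is constructed.

```python
"""Pre-flight check for BIG-IP virtual servers before enabling DNS Rapid-Response.
Added example, not F5 code. Encodes the validation table above and applies it to
a simplified tmsh-style configuration (format is an assumption)."""
import re

# Constructed sample: one listener that passes, one that trips every rule.
SAMPLE_CONFIG = """\
ltm virtual dns_listener_udp {
    destination 192.0.2.53:53
    ip-protocol udp
    auto-lasthop enabled
    profiles {
        dns_rapid { }
        udp { }
    }
}
ltm virtual dns_listener_tcp {
    destination 192.0.2.53:53
    ip-protocol tcp
    auto-lasthop disabled
    pool dns_pool
    rules { dns_logging_rule }
    profiles {
        dns_rapid { }
        tcp { }
        http { }
    }
}
"""

# The transport profile and the DNS profile itself are expected on a listener;
# anything else counts as an "additional profile" (assumption).
TRANSPORT_PROFILES = {"udp", "tcp"}


def parse_virtuals(text):
    """Return {name: {proto, auto_lasthop, pool, rules, profiles}} per stanza."""
    virtuals = {}
    for m in re.finditer(r"ltm virtual (\S+) \{(.*?)\n\}", text, re.S):
        name, body = m.group(1), m.group(2)
        proto = re.search(r"ip-protocol (\S+)", body)
        alh = re.search(r"auto-lasthop (\S+)", body)
        pool = re.search(r"^\s*pool (\S+)", body, re.M)
        rules = re.search(r"rules \{([^}]*)\}", body)
        profs = re.search(r"profiles \{(.*)\}", body, re.S)
        virtuals[name] = {
            "proto": proto.group(1) if proto else "tcp",  # assumed tmsh default
            "auto_lasthop": alh.group(1) if alh else "default",
            "pool": pool.group(1) if pool else None,
            "rules": rules.group(1).split() if rules else [],
            "profiles": re.findall(r"(\S+) \{", profs.group(1)) if profs else [],
        }
    return virtuals


def check_rapid_response(vs, dns_profile):
    """Apply the validation table to one virtual server. Returns (errors, warnings)."""
    errors, warnings = [], []
    if vs["proto"] != "udp":
        errors.append(f"ip-protocol is {vs['proto']}; Rapid-Response requires UDP (profile fails to load)")
    # "default" inherits the system-wide Auto Last Hop setting and is not flagged here (assumption).
    if vs["auto_lasthop"] == "disabled":
        errors.append("auto-lasthop is disabled; Rapid-Response requires Auto Last Hop (profile fails to load)")
    if vs["rules"]:
        warnings.append(f"iRules {vs['rules']} will not run for matching DNS queries")
    if vs["pool"]:
        warnings.append(f"pool {vs['pool']} will not receive matching DNS queries")
    extra = [p for p in vs["profiles"] if p != dns_profile and p not in TRANSPORT_PROFILES]
    if extra:
        warnings.append(f"profiles {extra} will not act on matching DNS queries")
    return errors, warnings


def preflight(text, dns_profile):
    """Check every virtual server that carries dns_profile. Returns {name: (errors, warnings)}."""
    return {name: check_rapid_response(vs, dns_profile)
            for name, vs in parse_virtuals(text).items()
            if dns_profile in vs["profiles"]}


if __name__ == "__main__":
    for name, (errors, warnings) in preflight(SAMPLE_CONFIG, "dns_rapid").items():
        print(name, "-> configuration load FAILS" if errors else "-> ok")
        for e in errors:
            print("  ERROR:  ", e)
        for w in warnings:
            print("  WARNING:", w)
```

Run it against a `tmsh list ltm virtual` export before switching Rapid Response Mode on; an error means the load will fail outright, a warning means traffic that used to hit an iRule, pool or other profile will silently stop doing so.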
Creating a DNS Rapid-Response profile
- On the Main tab, click or . The DNS profile list screen opens.
- The New DNS Profile screen opens.
- In the Name field, type a unique name for the profile.
- In the General Properties area, from the Parent Profile list, accept the default dns profile.
- Select the Custom check box.
- In the Denial of Service Protection area, from the Rapid Response Mode list, select Enabled.
Note: Enable this setting when a DNS flood attack occurs, not as a permanent setting: while it is enabled the system does not log DNS requests and responses, and all other DNS features are disabled except DNS Express and global server load balancing (GSLB), unless the Rapid Response Last Action is set to Allow.
- In the Denial of Service Protection area, from the Rapid Response Last Action list, select how the system handles queries that Rapid-Response itself does not answer (queries not served by DNS Express or GSLB):

| Option | Description |
| --- | --- |
| Allow | BIG-IP sends non-matching DNS queries along the regular packet processing path. |
| Drop | BIG-IP drops the query without sending a response to the client. This is the default value. |
| No Error | BIG-IP returns a NOERROR response to the client. |
| NX Domain | BIG-IP returns a non-existent name (NXDOMAIN) response to the client. |
| Refuse | BIG-IP returns a REFUSED response to the client. |
| Truncate | BIG-IP returns a truncated response (TC bit set) to the client, which prompts a legitimate resolver to retry the query over TCP. |

- Click Finished.
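To make the Last Action options concrete, the following added example (written here from standard DNS message semantics in RFC 1035, not taken from F5) builds the header-level response a client would receive for each option from a constructed query and decodes the flags a resolver inspects. It assumes a minimal response that echoes the question section with no records and leaves AA clear; the exact bytes BIG-IP emits are not documented on this page.

```python
"""Wire-level view of the Rapid Response Last Action options.
Added example based on RFC 1035 header semantics, not F5 code."""
import struct

# RCODE values for the options that answer the client (RFC 1035 section 4.1.1).
RCODE = {"noerror": 0, "nxdomain": 3, "refuse": 5}


def build_query(qname, qtype=1, txid=0x1234, rd=True):
    """Constructed sample query: 12-byte header plus one question (A record by default)."""
    flags = 0x0100 if rd else 0  # RD bit only; QR=0 marks it as a query
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def last_action(query, action):
    """Model one Last Action for a query Rapid-Response does not answer.

    Returns None for Drop (nothing leaves the box), the unchanged query for
    Allow (it continues on the regular processing path), or the response
    bytes the client receives for the remaining options.
    """
    action = action.lower().replace(" ", "")
    if action == "drop":
        return None
    if action == "allow":
        return query
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    rflags = 0x8000 | (flags & 0x0100)  # QR=1, copy RD; AA stays clear (assumption)
    if action == "truncate":
        rflags |= 0x0200                # TC=1 with RCODE 0: resolver retries over TCP
    else:
        rflags |= RCODE[action]
    # Echo the question section; no answer, authority or additional records.
    return struct.pack("!HHHHHH", txid, rflags, qd, 0, 0, 0) + query[12:]


def describe(resp):
    """Decode the fields a resolver looks at when deciding what to do next."""
    txid, flags = struct.unpack("!HH", resp[:4])
    return {"id": txid,
            "qr": bool(flags & 0x8000),
            "tc": bool(flags & 0x0200),
            "rcode": flags & 0x000F,
            "answers": struct.unpack("!H", resp[6:8])[0]}


if __name__ == "__main__":
    q = build_query("www.example.com")
    for opt in ("Allow", "Drop", "No Error", "NX Domain", "Refuse", "Truncate"):
        out = last_action(q, opt)
        if out is None:
            print(f"{opt:10} -> no packet sent")
        elif out == q:
            print(f"{opt:10} -> query forwarded on the regular path")
        else:
            print(f"{opt:10} -> {describe(out)}")
```

Under a flood the trade-off is visible in the bytes: Drop and Truncate cost nothing beyond a header (Truncate still lets a genuine resolver complete over TCP, which a spoofed source cannot), while NOERROR, NXDOMAIN and REFUSED each send a full response to an address that may be forged.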
Viewing DNS Rapid-Response statistics
- On the Main tab, click . The Listeners screen opens.
- In the Details column of a Listener, click View.
- In the Profiles area, from the Select Profile settings list, select a DNS profile.
- In the Rapid Response area, view the list of statistics.