DNS
Profiles screen
“IPS” tab
Maximum size of DNS fields (in bytes)
| DNS name (query) |
This field has to be between 10 and 2048 bytes. |
Size of DNS messages
| Enable detection of large messages |
This checkbox makes it possible to enable (or disable) the option that checks the length of DNS messages in order to generate alarms when messages exceed a specified threshold. |
| Threshold before "DNS message too large" alarm is raised [0-65535] (in bytes) |
Indicate the size above which a DNS message will be considered potentially suspicious and trigger the "DNS message too large" alarm. This size is expressed in bytes. |
DNS request parameters (in seconds)
| Maximum request duration |
This value is the period after which DNS requests without responses will be deleted. It can vary from 1 to 60 seconds, but has been set to 3 seconds by default. |
Whitelist of DNS domains (DNS rebinding)
This list contains the allowed domain names (<www.ofdomain.fr>, for example) to be resolved by a server located on an unprotected interface.
You can add codecs by clicking on the appropriate button or remove them from the list by selecting them and clicking on Delete.
DNS registration types
Known types to be prohibited
This is a list of the known DNS types (A, A6, AAAA, CNAME, etc) and their associated codes. By default, these DNS types are allowed and scanned by the firewall.
The action (Analyze / Block) applied to a DNS type can be modified by clicking on the Action column corresponding to this type.
The Modify all operations button allows modifying the action (Analyze / Block) applied to all DNS types.
Additional types to be prohibited
This list allows blocking additional DNS types (identified by their codes). It is possible to Add or Delete elements to or from this list by clicking on the relevant buttons.
Support
| Disable intrusion prevention |
When this option is selected, the scan of the DNS protocol will be disabled and traffic will be authorized if the filter policy allows it |