Profiles screen

“IPS” tab

Maximum size of DNS fields (in bytes)

DNS name (query) This field has to be between 10 and 2048 bytes.

Size of DNS messages

Enable detection of large messages This checkbox makes it possible to enable (or disable) the option that checks the length of DNS messages in order to generate alarms when messages exceed a specified threshold.
Threshold before "DNS message too large" alarm is raised [0-65535] (in bytes) Indicate the size above which a DNS message will be considered potentially suspicious and trigger the "DNS message too large" alarm.
This size is expressed in bytes.

DNS request parameters (in seconds)

Maximum request duration This value is the period after which DNS requests without responses will be deleted. It can vary from 1 to 60 seconds, but has been set to 3 seconds by default.

Whitelist of DNS domains (DNS rebinding)

This list contains the allowed domain names (<www.ofdomain.fr>, for example) to be resolved by a server located on an unprotected interface.

You can add codecs by clicking on the appropriate button or remove them from the list by selecting them and clicking on Delete.

To prevent false positives, this list contains the domain name of the Windows DNS service by default (msftncsi.com).

DNS registration types

Known types to be prohibited

This is a list of the known DNS types (A, A6, AAAA, CNAME, etc) and their associated codes. The firewall allows and analyzes these DNS types by default .

The action (Analyze/Block) applied to a DNS type can be changed by clicking on the Action column corresponding to this type.

The Modify all operations button makes it possible to change the action (Analyze/Block) applied to all DNS types.

Additional types to be prohibited

This list allows blocking additional DNS types (identified by their codes). It is possible to Add or Delete elements to or from this list by clicking on the relevant buttons.


Disable intrusion prevention When this option is selected, the scan of the DNS protocol will be disabled and traffic will be authorized if the filter policy allows it