DNS Guard

• After the client sends a DNS request, a dynamic conduit allows UDP packets to return from the DNS server.

- The default UDP timer expires in two minutes.

• The DNS server response is recognized by the firewall, which closes the dynamic UDP conduit immediately.

- The DNS server does not wait for the UDP timer to expire.

[Figure: two panels, each showing Client 10.0.0.2 and Server 172.30.0.100]

©2000, Cisco Systems,

DNS Guard identifies an outbound DNS query request and only allows a single DNS response back to the sender. A host may query several servers for a response in case the first server is slow in responding; however, only the first answer to the specific question will be allowed back in. All the additional answers from other servers will be dropped. This feature is always enabled and does the following:

■ Automatically tears down the UDP conduit on the PIX Firewall as soon as the DNS response is received. Does not wait for the default UDP timer to close the session.

■ Protects against UDP session hijacking and denial of service (DoS) attacks.
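As an added illustration (not Cisco's code and not part of the original slide), the following Python model tracks the per-question conduit state that DNS Guard maintains: the outbound query opens a conduit, the first matching answer passes and closes it immediately, later answers to the same question are dropped, and a query that is never answered falls back to the two-minute UDP timer. The client and first server addresses are the slide's; the second server 172.30.0.101, the ports and the transaction IDs are constructed.

```python
from collections import namedtuple

UDP_TIMEOUT = 120.0  # default UDP idle timer: two minutes
DNS_PORT = 53
# txid is the DNS transaction ID from the UDP payload, response is the QR bit of the DNS header
Packet = namedtuple("Packet", "src sport dst dport txid response")

class DnsGuard:
    def __init__(self):
        self.now = 0.0
        self.pending = {}  # (client ip, client port, txid) -> (time opened, servers asked)

    def outbound(self, pkt):
        # Inside-to-outside: a DNS query opens a dynamic conduit for its answer.
        if pkt.dport == DNS_PORT and not pkt.response:
            key = (pkt.src, pkt.sport, pkt.txid)
            opened, servers = self.pending.get(key, (self.now, set()))
            servers.add(pkt.dst)
            self.pending[key] = (opened, servers)
        return True

    def inbound(self, pkt):
        # Outside-to-inside: only the first answer to a pending question passes.
        self._expire()
        key = (pkt.dst, pkt.dport, pkt.txid)
        entry = self.pending.get(key)
        if pkt.sport == DNS_PORT and pkt.response and entry and pkt.src in entry[1]:
            del self.pending[key]   # closed at once, not left open until the UDP timer expires
            return True
        return False                # unsolicited, duplicate or late answer: dropped

    def _expire(self):
        # The ordinary UDP idle timer still closes conduits whose answer never came.
        self.pending = {k: v for k, v in self.pending.items() if self.now - v[0] < UDP_TIMEOUT}

def simulate():
    # Constructed scenario using the slide's addresses; returns the verdict for each inbound packet.
    fw, c, s1, s2 = DnsGuard(), "10.0.0.2", "172.30.0.100", "172.30.0.101"
    fw.outbound(Packet(c, 40001, s1, DNS_PORT, 0x1234, False))
    fw.outbound(Packet(c, 40001, s2, DNS_PORT, 0x1234, False))   # same question to a second server
    v = {"first_answer": fw.inbound(Packet(s2, DNS_PORT, c, 40001, 0x1234, True))}
    v["second_answer"] = fw.inbound(Packet(s1, DNS_PORT, c, 40001, 0x1234, True))
    fw.outbound(Packet(c, 40002, s1, DNS_PORT, 0x4321, False))   # query that is never answered
    fw.now += UDP_TIMEOUT + 1
    v["after_timer"] = fw.inbound(Packet(s1, DNS_PORT, c, 40002, 0x4321, True))
    v["open_conduits"] = len(fw.pending)
    return v
```

Running `simulate()` shows the slower server's answer and the late answer both dropped, with no conduit left open afterwards.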
