Configuring DNS client verification
Configure DNS client verification the interface that is connected to the external network. The DNS client verification protects internal DNS servers against DNS flood attacks.
IP addresses protected by DNS client verification can be manually added or automatically learned:
You can manually add protected IP addresses. The device performs client verification when it receives the first DNS query destined for a protected IP address.
The DNS client verification can automatically add victims' IP addresses to the protected IP list when collaborating with DNS flood attack detection. Make sure client-verify is specified as the DNS flood attack prevention action. For more information, see "Configuring a DNS flood attack defense policy."
If a DNS client is verified legitimate, the device adds the client's IP address to the trusted IP list. The device directly forwards DNS packets from trusted IP addresses.
DNS client verification can be used alone or together with a DNS flood attack defense policy.
To configure DNS client verification:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. (Optional.) Specify an IP address to be protected by the DNS client verification feature. | client-verify dns protected { ip destination-ip-address | ipv6 destination-ipv6-address } [ vpn-instance vpn-instance-name ] [ port port-number ] | By default, the DNS client verification feature does not protect any IP address. |
3. Enter interface view. | interface interface-type interface-number | N/A |
4. Enable DNS client verification. | client-verify dns enable | By default, DNS client verification is disabled. |