Interface-based DNS client verification configuration example
Network requirements
As shown in Figure 194, configure DNS client verification on the router to protect internal servers against DNS flood attacks.
Figure 189: Network diagram
Configuration procedure
# Configure IP addresses for the interfaces on the router. (Details not shown.)
# Create attack defense policy a1.
<Router> system-view
[Router] attack-defense policy a1
# Enable global DNS flood attack detection.
[Router-attack-defense-policy-a1] dns-flood detect non-specific
# Set the global threshold for triggering DNS flood attack prevention to 10000.
[Router-attack-defense-policy-a1] dns-flood threshold 10000
# Specify logging and client-verify as the global actions against DNS flood attacks.
[Router-attack-defense-policy-a1] dns-flood action logging client-verify
[Router-attack-defense-policy-a1] quit
# Apply the attack defense policy a1 to interface GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] attack-defense apply policy a1
[Router-GigabitEthernet1/0/1] quit
# Enable DNS client verification on interface GigabitEthernet 1/0/1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] client-verify dns enable
[Router-GigabitEthernet1/0/1] quit
Verifying the configuration
# Launch a DNS flood attack. (Details not shown.)
# Verify that the victim's IP address is added to the protected IP list for DNS client verification.
[Router] display client-verify dns protected ip
IP address       VPN instance   Port   Type      Requested   Trusted
192.168.1.10     --             53     Dynamic   20          12
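The following Python script is an added illustration and is not part of the vendor documentation or the router software. It does two things a practitioner checking this configuration would want: it parses the `display client-verify dns protected ip` output above into structured records (so a monitoring job can alert when a server appears as a Dynamic entry), and it models the threshold mechanism behind `dns-flood threshold 10000` as a per-destination sliding one-second request counter that places a destination on the protected list once the count exceeds the threshold. The counter model is a simplified assumption about how the mechanism behaves, not the router's implementation, and the display output embedded in the script is constructed to match the example above.

```python
from collections import defaultdict, deque

# Constructed copy of the display output shown in the verification step
# (not captured from a live device).
DISPLAY_OUTPUT = """\
IP address       VPN instance   Port   Type      Requested   Trusted
192.168.1.10     --             53     Dynamic   20          12
"""


def parse_protected_ip_table(text):
    """Parse 'display client-verify dns protected ip' output into dicts.

    Columns are whitespace separated; the header row is skipped and any
    line that does not have exactly six fields is ignored.
    """
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, vpn, port, entry_type, requested, trusted = fields
        rows.append({
            "ip": ip,
            "vpn_instance": None if vpn == "--" else vpn,
            "port": int(port),
            "type": entry_type,          # "Dynamic" entries were added by detection
            "requested": int(requested),  # clients that sent requests to this IP
            "trusted": int(trusted),      # clients that passed verification
        })
    return rows


class DnsFloodDetector:
    """Simplified model (assumption) of threshold-based DNS flood detection.

    Counts DNS requests per destination IP within a sliding one-second window;
    when the count for a destination exceeds `threshold`, that destination is
    added to the protected list so client verification applies to it.
    """

    def __init__(self, threshold=10000, window=1.0):
        self.threshold = threshold
        self.window = window
        self._events = defaultdict(deque)   # dst_ip -> request timestamps
        self.protected = {}                 # dst_ip -> entry details

    def observe(self, dst_ip, ts):
        """Record one DNS request to dst_ip at time ts (seconds).

        Returns True the first time dst_ip crosses the threshold.
        """
        q = self._events[dst_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop requests outside the window
            q.popleft()
        if len(q) > self.threshold and dst_ip not in self.protected:
            self.protected[dst_ip] = {"type": "Dynamic", "triggered_at": ts}
            return True
        return False

    def is_protected(self, dst_ip):
        return dst_ip in self.protected


def simulate_flood(threshold=10000, victim="192.168.1.10", pps=12000):
    """Replay a constructed burst of `pps` requests within one second toward
    `victim`, plus light background traffic to a second server, and return
    the sorted list of destinations that crossed the threshold."""
    det = DnsFloodDetector(threshold=threshold)
    for i in range(pps):
        det.observe(victim, i / pps)
    for i in range(100):                     # stays well under the threshold
        det.observe("192.168.1.20", i / 100)
    return sorted(det.protected)


if __name__ == "__main__":
    for row in parse_protected_ip_table(DISPLAY_OUTPUT):
        print(f"{row['ip']} ({row['type']}): "
              f"{row['trusted']}/{row['requested']} clients verified")
    print("protected after simulated flood:", simulate_flood())
```

In a monitoring job, the parser's `type == "Dynamic"` and the gap between `requested` and `trusted` are the signals worth alerting on: a Dynamic entry means detection fired on that server, and a large share of unverified requesters indicates the flood is still in progress.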