Protecting against DNS and other attacks
Updated: February 1, 2011
Applies To: Forefront Threat Management Gateway (TMG)
In Forefront TMG, the DNS Filter intercepts and analyzes all DNS traffic destined for published DNS servers (that is, DNS servers that are made accessible through publishing rules). When the detection of DNS attacks is enabled, you can specify the types of suspicious activity that you want the DNS Filter to check for.
For more information about the detection of DNS attacks, see Planning to protect against common attacks and DNS attacks.
To enable the detection and filtering of DNS attacks
1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.
2. On the details pane of the Behavioral Intrusion Detection tab, click Configure Detection Settings for Common Network Attacks.
3. On the DNS Attacks tab, select Enable detection and filtering of DNS attacks.
4. Select one or more of the following types of suspicious activity:
   - DNS host name overflow—Select this option if you want Forefront TMG to check for DNS host name overflow attempts. The DNS Filter intercepts and analyzes DNS traffic destined for the Internal network. DNS host name overflow occurs when a DNS response for a host name exceeds a specified fixed length (255 bytes).
   - DNS length overflow—Select this option if you want Forefront TMG to check for DNS length overflow attempts. DNS length overflow occurs when a DNS response for an IP address exceeds a specified length of 4 bytes.
   - DNS zone transfer—Select this option if you want Forefront TMG to check for DNS zone transfer attempts. A DNS zone transfer attempt occurs when a client system uses a DNS client application to transfer zones from an internal DNS server.
5. In the details pane, click Apply to save and update the configuration, and then click OK.
- By default, DNS attack detection is enabled for detecting attempts of DNS host name and DNS length overflow.
- When DNS attack detection is enabled and offending packets are detected, the packets are dropped, and an event that triggers a DNS Intrusion alert is generated.
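To make the three checks concrete, the following Python script is an added example (not Forefront TMG code, and not a description of how the DNS Filter is implemented internally). It parses a DNS message in wire format and applies the thresholds the page gives: a host name in a response longer than 255 bytes, an A record whose address data is not 4 bytes, and an AXFR (zone transfer) request. Any hit yields a "drop" verdict plus a finding, mirroring the page's note that offending packets are dropped and a DNS Intrusion alert is raised. The four sample messages are constructed inline; the check names and the helper functions are this example's own.

```python
import struct

# Thresholds stated on the page: a host name in a DNS response longer than
# 255 bytes, or an IPv4 (A record) address longer than 4 bytes, is an overflow.
MAX_HOSTNAME_LEN = 255
IPV4_RDATA_LEN = 4
TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_PTR, TYPE_AXFR = 1, 2, 5, 12, 252
NAME_IN_RDATA = {TYPE_NS, TYPE_CNAME, TYPE_PTR}  # record types whose RDATA is a name


def read_name(data, offset):
    """Decode a possibly compressed DNS name starting at offset.

    Returns (dotted name, bytes consumed at offset, uncompressed wire length).
    The uncompressed wire length is what the 255-byte host name limit applies to.
    """
    labels, consumed, pos, jumped, hops = [], 0, offset, False, 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated name")
        length = data[pos]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if pos + 1 >= len(data):
                raise ValueError("truncated pointer")
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if not jumped:
                consumed += 2
            jumped = True
            pos = ((length & 0x3F) << 8) | data[pos + 1]
            continue
        if not jumped:
            consumed += 1 + length
        pos += 1
        if length == 0:
            break
        if pos + length > len(data):
            raise ValueError("truncated label")
        labels.append(data[pos:pos + length])
        pos += length
    wire_len = sum(len(label) + 1 for label in labels) + 1
    name = ".".join(label.decode("ascii", "replace") for label in labels) or "."
    return name, consumed, wire_len


def inspect_dns_message(data):
    """Return (verdict, findings) for one DNS message in wire format.

    Findings are (check_name, detail) tuples; any finding means the message
    would be dropped and an alert raised, as the page describes.
    """
    if len(data) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", data[:12])
    is_response = bool(flags & 0x8000)
    findings, offset = [], 12

    for _ in range(qdcount):
        qname, used, _ = read_name(data, offset)
        offset += used
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        if qtype == TYPE_AXFR and not is_response:
            findings.append(("dns_zone_transfer", f"AXFR request for {qname}"))

    for _ in range(ancount + nscount + arcount):
        _owner, used, owner_len = read_name(data, offset)
        offset += used
        if offset + 10 > len(data):
            raise ValueError("truncated resource record")
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata_offset = offset
        offset += rdlength
        if offset > len(data):
            raise ValueError("truncated RDATA")
        if is_response and owner_len > MAX_HOSTNAME_LEN:
            findings.append(("dns_hostname_overflow", f"{owner_len}-byte owner name"))
        if is_response and rtype in NAME_IN_RDATA:
            _target, _, target_len = read_name(data, rdata_offset)
            if target_len > MAX_HOSTNAME_LEN:
                findings.append(("dns_hostname_overflow", f"{target_len}-byte name in RDATA"))
        if is_response and rtype == TYPE_A and rdlength != IPV4_RDATA_LEN:
            findings.append(("dns_length_overflow", f"A record RDATA is {rdlength} bytes"))
    return ("drop" if findings else "pass"), findings


def encode_name(name):
    """Uncompressed wire form of a dotted name (no length policing, so an
    oversized name can be built for the constructed overflow sample)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.split(".") if l) + b"\x00"


def build_message(txid, flags, question, answers=()):
    """Build a one-question DNS message; answers are (rtype, rdata) pairs."""
    qname, qtype = question
    msg = struct.pack("!6H", txid, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in answers:
        # 0xC00C is a pointer back to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 60, len(rdata)) + rdata
    return msg


# Constructed sample traffic (hypothetical names, TEST-NET-1 address).
RESPONSE, QUERY = 0x8180, 0x0100
SAMPLES = {
    "benign_a": build_message(1, RESPONSE, ("www.example.com", TYPE_A),
                              [(TYPE_A, bytes([192, 0, 2, 10]))]),
    "length_overflow": build_message(2, RESPONSE, ("www.example.com", TYPE_A),
                                     [(TYPE_A, bytes([192, 0, 2, 10, 0, 0]))]),
    "hostname_overflow": build_message(3, RESPONSE, ("www.example.com", TYPE_A),
                                       [(TYPE_CNAME, encode_name(
                                           ".".join(["a" * 63] * 4) + ".example.com"))]),
    "zone_transfer": build_message(4, QUERY, ("example.com", TYPE_AXFR)),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        verdict, findings = inspect_dns_message(msg)
        print(f"{label:18} {verdict:4} {findings}")
```

The host name check measures the uncompressed wire length (label length bytes plus the terminating zero), which is the form the 255-byte limit is defined against; checking only the dotted string would undercount by one byte per label. Note that a zone transfer is flagged on the request, so the check is only useful on a path where requests reach the filter, which matches the page's statement that the DNS Filter sees traffic destined for published DNS servers.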