Cisco's DNS Best Practices

I suppose the idea is to apply two filters, one against DNS Flood Attack and one against DNS cache poisoning attacks, and do what we can with those.


For now, it does seem like it would be effective.
If you make good use of an iptables-style packet filter to rate-limit the traffic, I suspect it would mitigate things quite a bit.
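As a worked version of that idea, here is an added example (not part of the original post or of Cisco's document) of per-source rate limiting for inbound DNS on a Linux resolver using the iptables `hashlimit` match. The interface name, the 20 queries/second steady rate and the burst of 50 are assumptions chosen for illustration; the script is a dry run unless `APPLY=1` is exported, so it can be inspected before anything is installed.

```shell
#!/bin/sh
# Added example: per-source-IP rate limiting of inbound DNS with iptables.
# Not from the page. IFACE, RATE and BURST are assumed values; tune them to
# the resolver's real query volume before applying.

IFACE="${IFACE:-eth0}"          # assumption: the resolver's public interface
RATE="${RATE:-20/second}"       # assumption: steady-state queries per source /32
BURST="${BURST:-50}"            # assumption: short bursts tolerated per source

# dns_ratelimit_rules prints the iptables commands, one per line, in the order
# they must be applied. Traffic to UDP/53 and TCP/53 SYNs is diverted into a
# dedicated chain; sources under the limit are accepted, the rest are logged
# (rate-limited so the log itself cannot be flooded) and dropped.
dns_ratelimit_rules() {
  cat <<EOF
iptables -N DNS_IN 2>/dev/null || iptables -F DNS_IN
iptables -A DNS_IN -m hashlimit --hashlimit-name dns_src --hashlimit-mode srcip --hashlimit-upto ${RATE} --hashlimit-burst ${BURST} --hashlimit-htable-expire 60000 -j ACCEPT
iptables -A DNS_IN -m limit --limit 5/minute -j LOG --log-prefix "DNS_RATE_DROP: "
iptables -A DNS_IN -j DROP
iptables -A INPUT -i ${IFACE} -p udp --dport 53 -j DNS_IN
iptables -A INPUT -i ${IFACE} -p tcp --dport 53 --syn -j DNS_IN
EOF
}

# dns_ratelimit_rule_count returns how many rules the generator emits, which is
# handy for a sanity check before and after applying.
dns_ratelimit_rule_count() {
  dns_ratelimit_rules | wc -l | tr -d ' '
}

# apply_dns_ratelimit installs the rules only when APPLY=1; otherwise it prints
# them so they can be reviewed first.
apply_dns_ratelimit() {
  if [ "${APPLY:-0}" != "1" ]; then
    echo "# dry run: export APPLY=1 to install the rules below" >&2
    dns_ratelimit_rules
    return 0
  fi
  dns_ratelimit_rules | while IFS= read -r rule; do
    eval "$rule" || { echo "failed: $rule" >&2; exit 1; }
  done
}

apply_dns_ratelimit
```

The `hashlimit` bucket is keyed on source IP, so a single flooding source is throttled without affecting other clients; the `--hashlimit-htable-expire 60000` keeps idle entries for 60 seconds so the table does not grow without bound. Dropped sources show up in the kernel log with the `DNS_RATE_DROP:` prefix, which gives a simple detection signal for the flood case the post is worried about.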

Feature Overview

DNS Guard
Beginning with software release 7.0(5) for Cisco ASA 5500 Series and Cisco PIX 500 Series, and software release 4.0 for the FWSM, the DNS guard function can be controlled through the dns-guard global configuration or the dns-guard parameters submode command for policy-map type inspect dns. For Cisco ASA 5500 and Cisco PIX 500 Firewalls that are running releases prior to 7.0(5) and for FWSM Firewall releases prior to 4.0, the DNS guard function is always enabled, and it cannot be configured through this command. The configuration of this feature, when configurable, will be detailed later in the feature configuration section.