Preventing malicious attacks: 3 methods for protecting DNS servers

  
DNS stands for Domain Name System. In layman's terms, DNS is the service that helps users resolve names to IP addresses on the Internet. To make network resources easier to use, the DNS service provides a way to map a computer or service name to the IP address associated with that name. A name is easier to understand and remember than a bare IP address. Most users prefer to use an easy-to-remember name (such as www.enet.com.cn) to find a mail server or web server on the network instead of an IP address such as 123.196.118.10. When the user enters a friendly DNS name in an application, the DNS service resolves the name to its numeric address.

DNS resolution is the actual addressing method of most Internet applications; its emergence neatly solves the problem of tying enterprise services to the corporate image. An enterprise's DNS name is its identity on the Internet: a unique identifying resource that cannot be duplicated. The globalization of the Internet makes the DNS name the most important resource for identifying the enterprise.

However, an important resource also attracts the attention of people with bad intentions. With the DNS attacks that have occurred on the Internet, DNS security has become a focus of everyone's concern. The common attack methods are:

1. Malicious attack against the DNS system: a DNS DDoS attack is launched to disrupt DNS name resolution.

2. DNS name hijacking: the registration information is modified to hijack the resolution result.

When the DNS server encounters a DNS Spoofing malicious attack, both normal and abnormal DNS query packets enter the internal DNS server via UDP port 53. In addition to processing the normal packets, the DNS server also has to deal with the garbage packets. When the number of packets per second is large enough, the DNS server cannot keep up, and normal requests no longer get a normal response. When the query for a website's IP address gets no response, users cannot connect to the website; when the query is for a mail server, mail cannot be sent and important information cannot be delivered. Therefore, keeping the DNS service running normally is a very important task.

AX has a solution to the above problem: the DNS application service firewall. AX provides three powerful methods that can effectively mitigate the impact of these attacks:

1. First, filtering of packets that do not follow the DNS protocol (Malformed Query Filter)

2. Next, caching of the responses to queries sent to the DNS server (DNS Cache)

3. If a large number of normal queries arrives, AX can enable connections-per-second control (Connection Rate Limit)

Malformed Query Filter:

Such abnormal packets are usually used to drive up bandwidth usage on the external network, and of course they also keep the DNS server busy. AX therefore filters these packets at the front line: correct packets are passed to the server behind it, and abnormal packets are filtered out automatically, sparing the server the extra load.

DNS Cache:

When a DNS query response comes back through AX, AX caches it; there is no need to configure in advance which domains to cache. When the next query arrives at AX, AX can respond directly from the cache without going to the DNS server, which reduces the burden on the DNS server and speeds up the response.

Furthermore, an enterprise using this function can set it to cache only the company's own domains, while queries for domains that do not belong to the company are never cached or are refused a response. This protects the enterprise DNS server more effectively.

ISPs, which must serve a large number of such queries, are even better suited to this feature, which lets them provide better and faster DNS responses.

Connection Rate Limit:

When query traffic grows beyond a certain level, for example more than 1,000 requests per second for a single domain, the connections-per-second control on AX can be enabled to limit the volume of queries entering the back-end DNS server. The excess is discarded directly, so the resources of the DNS server are protected more strictly.
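
The three stages described above (malformed query filter, DNS cache, connection rate limit), chained in the order the article gives them, as an added Python sketch; it is not AX's implementation or configuration. The `Frontend` class, the function names and the action strings are hypothetical, the per-name one-second window is a simplification, and `build_query` produces constructed sample packets.

```python
import struct
from collections import defaultdict
RATE_LIMIT = 1000  # queries/second per name; the article's example threshold

def build_query(name, qtype=1, txid=0x1234):
    """Constructed sample input: a standard recursive query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\0"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

def parse_query(pkt):
    """Return (qname, qtype) for a well-formed query, or None if malformed."""
    if len(pkt) < 17:                        # 12-byte header + smallest question
        return None
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF or qd != 1 or an != 0:
        return None                          # response bit, opcode, or counts wrong
    labels, pos = [], 12
    while True:
        if pos >= len(pkt):
            return None                      # name runs off the end of the packet
        n, pos = pkt[pos], pos + 1
        if n == 0:
            break
        if n > 63 or pos + n > len(pkt):     # n > 63 also rejects pointer bytes
            return None
        labels.append(pkt[pos:pos + n].decode("ascii", "replace").lower())
        pos += n
    if pos + 4 > len(pkt) or sum(len(l) + 1 for l in labels) + 1 > 255:
        return None
    return ".".join(labels), struct.unpack("!H", pkt[pos:pos + 2])[0]

class Frontend:
    def __init__(self, limit=RATE_LIMIT):
        self.limit, self.cache = limit, {}   # cache: (qname, qtype) -> (expiry, answer)
        self.window, self.counts = None, defaultdict(int)

    def store(self, q, answer, ttl, now):    # called when the back end replies
        self.cache[q] = (now + ttl, answer)

    def handle(self, pkt, now):
        q = parse_query(pkt)
        if q is None:
            return "drop-malformed", None    # stage 1: never reaches the server
        hit = self.cache.get(q)
        if hit and hit[0] > now:
            return "cache-hit", hit[1]       # stage 2: answered without the server
        if int(now) != self.window:          # stage 3: per-name one-second window
            self.window, self.counts = int(now), defaultdict(int)
        self.counts[q[0]] += 1
        ok = self.counts[q[0]] <= self.limit
        return ("forward" if ok else "drop-rate-limit"), None
```

A real front end would also copy the client's transaction ID into a cached answer before sending it.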

We believe that many people look forward to seeing innovative network technologies on the ever-changing Internet that provide better network application services. Ensuring that the DNS service operates continuously and that the information it provides is correct is the basis of all network application services.

In describing the DNS application firewall service here, we wish to remind readers of the importance of DNS services, and we also hope that readers gain an understanding of DNS security and then know how to protect DNS servers, so that this provides some effective help in preventing malicious attacks.