DNS Profile
Use the DNS Profile to configure various DNS parameters and ACLs. Always assign an DNS profile to SPP.
All DNS Profile parameters can be used with symmetric or asymmetric traffic.
You can create a maximum of 64 DNS Profiles.
DNS mitigation is complex and varies depending on many factors such as what is being protected, including:
Contact Fortinet for expert help on DNS. |
DNS 0x20
DNS 0x20 is a method Recursive DNS servers use to improve resistance to DNS Cache Poisoning attacks among other things. While it has not been ratified by the IETF, it is in wide use. “0x20” creates randomized capitalization of the FQDN so that what would normally be sent (fortinet.com) is sent as ForTiNEt.cOM or fOrTinET.Com. The Query sender expects to see exactly the same capitalization in the Response or the Response is rejected. FortiDDoS uses several tables that need to react and match, drop and or pass 0x20 packets correctly.
From Release 6.3.0, the following is done:
-
Allowlist/Blocklist and manual FQDN ACL entries: All entries from file or manual are stored as lower-case only. When matching, Queries are converted to lower-case to check the match. Allows packets retain the original 0x20 format. Regex entries should allow upper and lower-case characters.
-
LQ/TTL table: All entries are stored as lower-case only. When matching, Queries are converted to lower-case to check the match. Allows packets retain the original 0x20 format.
-
Cache and DQRM tables: Entries are stored as 0x20 since the Response must exactly match the Query.
DNS 0x20 is automatic with no feature or anomaly setting.
DNS Anomalies Feature Control
Use the DNS Anomalies Feature Control section to configure DNS traffic anomaly detection. DNS Anomalies (and DNS Feature Controls) cannot be used in SPPs that contain devices such as Firewalls, Proxies, Gateways, mail servers that produce encrypted DNS packets destined for port 53 on their cloud services. For example, FortiGate firewalls by default send encrypted DNS packets to FortiGuard UDP Port 53. The FortiGuard DNS port can be modified to UDP port 8888 which is recommended but other products maynot be modifiable.
FortiDDoS interprets these encrypted DNS packets as anomalies and drops them. This can result in no Internet access for any LAN-based client.
Devices sending encrypted packets should be isolated in a separate SPP with DNS Anomaly and Feature Controls disabled.
In order to discover if these devices exist in the SPP and identify the IP addresses of the devices, in Detection Mode, enable all DNS anomalies. In Log & Report > Log Access > DDoS Attack Log: Top Attacks widget, with the direction set to Outbound, look for DNS Anomaly drops across a wide range of anomalies. If you are seeing Outbound DNS Anomaly drops, drill down (using page icon to the right of Attack description) to see the detailed attack logs. Drill down further to see the Protected IPs. These will be the devices sending encrypted DNS. Move these IP addresses to a separate SPP and disable all DNS Anomalies and Features for that SPP.
DNS Anomalies settings:
Setting |
Description |
---|---|
Header Anomaly |
|
Query Anomaly |
|
Response Anomaly |
|
Bufferoverflow Anomaly |
|
Exploit Anomaly |
|
Info Anomaly |
|
Data Anomaly |
|
DNS Known Opcode Anomaly |
Expert use only. Contact Fortinet with questions Status — Intended to get DNS server messages, this opcode has never been implemented. Notify — A NOTIFY message is sent from a Primary DNS server to notify secondary servers to initiate Zone Transfer updates for a specific domain. It looks very similar to a Query, with the exception that the Opcode and the secondary servers are expected to Respond before the initiate the Zone Transfer. Update — This Opcode was intended to allow a Master Authoritative DNS server to update specific domain resource records in secondary servers without Zone Transfers. The message format, CLASS, Opcode, and Rcodes are completely different from “normal” DNS messages and to the best of our knowledge, this has not been implemented. DSO — DNS Stateful Operations – This Opcode is intended for use with session-based DNS like DNS-over-TLS (DoT). If this Opcode is in use, the DNS messages are already encrypted and cannot be decodes by FortiDDoS and all DNS anomalies must be disabled. |
DNS Feature Controls
Use this section to configure DNS feature controls. For an overview of DNS features, see Understanding FortiDDoS DNS attack mitigation.
There are two network conditions where most DNS Feature controls must be disabled:
- If the FortiDDoS appliance is operating in Asymmetric traffic mode and cannot see both directions of the DNS traffic. See Understanding FortiDDoS Asymmetric Mode for more information.
- In SPPs that contain Firewalls, Proxies, Gateways, mail servers or other equipment that generates encrypted DNS packets.
DNS Feature Controls settings:
Setting |
Description |
---|---|
Authentication Direction |
The Authentication Direction determines if the Source Address validation is attempted from the Flood Mitigation Mode Inbound/Outbound as listed below:
|
Flood Mitigation Mode Inbound |
The Flood Mitigation Mode Inbound options appear if Inbound or Inbound Outbound is selected for Authentication Direction.
Note 1: If Transparent Proxy is used:
Note 2: TC Equal One,DNS Retransmission, and Transparent Proxy validations are effective against direct spoofed source Query floods protecting Recursive and Authoritative DNS servers as well as other infrastructure from spoofed IP floods. In all cases, TC=1 is strongly recommended as a more decisive “stateless” method to validate Query Sources. However, in many cases, attacks on Authoritative DNS servers are relayed through ISP or Global DNS Recursive Servers. These servers are “valid” by definition and will always respond correctly. While TC=1 is still recommended with Authoritative servers, other mitigations below will add protection. |
Flood Mitigation Mode Outbound or Inbound/Outbound |
Note: Expert use only. There is almost no situation where Outbound or Inbound/Outbound DNS Flood Mitigation is required. Use Inbound only. The Flood Mitigation Mode Outbound options appear if Outbound is selected for Authentication Direction.
|
Match Response With Queries(DQRM) |
DQRM is a protection from DNS Reflected (Amplified) Response floods. Attackers Query Recursive or Authoritative DNS servers using UDP and using the Target IP address (yours) as the Source IP of the packet. Since the server cannot verify the Source IP it sends a Response to the Target which never sent a Query. DNS Response Floods are the #1 or #2 attack by numbers of attacks and size of attacks every quarter. For Symmetric Traffic: Enable this always for all SPPs. FortiDDoS will record every outbound Query. When the Inbound Response is seen, it is matched to the Query, allowed to proceed and the table is cleared. If an inbound Response is seen that does not have a matching Query, it is immediately dropped with no Threshold. For Asymmetric Traffic: Disable this option. If FortiDDoS cannot see all outbound traffic and DNS Queries, there is a high risk of false-positive drops from DQRM. Use DNS Rcode Thresholds in SPP > Thresholds. For Encrypted DNS: Many firewalls encrypt DNS traffic over UDP 53, particularly for vendor web filter services. If encrypted DNS to UDP 53 is present, disable DQRM since it cannot decrypt vendor encryption. Use DNS Rcode Thresholds in SPP > Thresholds. Note: Some firewalls can change the web filter DNS Query port to HTTPS over TCP 442 (DoH). If you are unsure if you have encrypted traffic to UDP port 53, enable all DNS anomalies above and leave SPP in Detection mode for one hour. Examine the outbound drop information for that SPP from Dashboard > TOP ATTACKS > SPP. If there are a number of different DNS anomalies, particularly Invalid Opcodes and 5-10 others, then the system is seeing encrypted DNS. If in doubt, contact Fortinet for assistance. |
Validate TTL For Queries From The Same IP | During normal traffic, every Destination IP (client IP), FQDN and TTL from good Responses is extracted and stored in the TTL table. The TTL is decremented as normal. Under flood, if the Same IP Queries the same FQDN before the TTL has expired, the Query is dropped. |
Generate Response From Cache Under Flood |
The cache stores FQDNs and RR Types (A, AAAA, MX, etc. records) with decrementing TTLs from good Responses. Under Flood the cache can respond to Queries to offload the DNS server. Options for cache misses are described below. Cache should only be used with Authoritative DNS Servers with limited numbers of domains. Note: The Cache will not store any FQDN with TTL longer than 30 days (2,592,000 seconds). |
Allow Only Valid Queries Under Flood(LQ) |
During normal traffic, the FQDN, RR Type (A, AAAA, MX, etc) and TTL of good Responses is stored in the Legitimate Query (LQ) table. Under Flood a Query with matching FQDN and RR Type is allowed to pass for further processing while non-matching Queries are dropped. This stops random subdomain or dictionary FQDN Queries very quickly. Note: Good (Rcode = 0) DNS Responses that are NODATA (no answer section/IP address) are treated as negative responses and will not populate the LQ table. |
Block Identified Sources |
If Enabled: Under flood, FortiDDoS will block all traffic from the identified Source IPs. If Disabled: This is the default status. Under flood, FortiDDoS drops packets based on validations, TTL, LQ, etc. but does not block the Source IP. |
Duplicate Query Check |
If Enabled: FortiDDoS drops multiple identical Queries in rapid succession but below the Query thresholds. If Disabled: Only Query Thresholds are used for mitigation. |
Options When No Cache Match |
|
DNS Fragment |
If Enabled: Drop all DNS Fragments. Use with care. DNS Response fragments are common when communicating with upstream servers using DNSSEC and EDNS0. If you know this SPP never uses DNSSEC, then enabled is recommended. If Disabled: DNS Fragments are allowed and DNS Fragment Thresholds will be used to detect/mitigate DNS Fragments. |
Domain Reputation |
Enable if you have purchased FortiGuard Domain Reputation Service. When enabled, choose any or all of the following:
See System > FortiGuard for license information and additional settings. |
Forbid DNSSEC |
Drop any Query or Response that indicates DNSSEC D0 bit=1 or RR 41. Use with care. It is difficult to know who is using DNSSEC. |
DNSSEC Message Type Match |
DNSSEC Queries and Responses will be matched by DQRM using XID and QType (RR) only. Do not use Asymmetric Mode since Queries may not be seen. |
DNSSEC Require Response After Query |
DNSSEC Queries and Responses will be matched by DQRM using XID, QType (RR) and D0 bit =1. Use this option with care. DNSSEC requests to servers that don’t support it may result in a DO bit mismatch but an otherwise valid Response. If unsure, enable this during Detection Mode and look for inbound drops. If excessive disable. DNSSEC Message Type Match will protect from DNSSEC Response Floods. For additional support, contact Fortinet. Do not use Asymmetric Mode since Queries may not be seen. |
Force Qtype ANY Query Use TCP |
Query with Resource Record Type All/ANY (255) results in dropped Query with TC=1 Response to force TCP. Use with care. Most servers that support ANY Queries will do this automatically or respond to an ANY Query with a single A-Record. Use the DNS QType All Threshold. |
DNS Message IP Fragment Try Best |
Both standard and DNSSEC Responses from DNS servers can be fragmented into 3 packets. The first fragment normally contains the needed FQDN, Type an TTL information used to populate the LQ and TTL tables. FortiDDoS will attempt to parse the first fragment so that:
Use this in Symmetric or Asymmetric Modes. |
FQDN Control List Type |
|
Drop Allowlist Unmatched Query Under Flood |
The Drop Allowlist Unmatched Query Under Flood options appear if Allowlist is selected for FQDN Control List Type. Enabling this feature allows all Queries during normal traffic but will allow only the specified FQDN file list/Manual entries /Regex expressions to pass when the system is under DNS flood. |
Apply RR Type ACL under Flood Only |
Use this option with DNS Resource Record Type ACLs. If RR ACLs are not configured, it has no affect. See the DNS Resource Record Type ACL first. If you create RR ACLs, you can elect to only enforce the ACLs under DNS flood. This lowers the risk of false-positive drops during normal traffic. |
FQDN Files
Each SPP Profile allows you to add large numbers of FQDNs (maximum 150k) as CSV files to the Blocklist or Allowlist enabled in the DNS Feature Controls.
The FQDN Control List (Blocklist or Allowlist) is processed before any other DNS feature, anomaly or validation. For example, a DNS Query that is allowed to pass by the DNS Control List and gets a good Response will populate the LQ and TTL tables with FQDN, Type, Class and TTL.
File format is CSV or TXT, with one FQDN per line.
Options |
Description |
---|---|
Upload |
Opens a file selection dialog to upload files. Files must be CSV or TXT format with one FQDN per line. Maximum 150,000 entries. When the file is successfully uploaded the File name and FQDN count is displayed. Duplicate FQDNs will automatically be removed. Note: Upload checks for string errors:
|
Name/Check Domain | Enter a domain (full FQDN, no wildcards allowed) and the system will respond with present or absent message. |
FQDN List
Create individual FQDN (maximum 1024) or Regex (maximum 128) entries here. These entries follow the FQDN Control List Type settings selected for the DNS Feature Controls, Allowlist or Blocklist. Note, this means you cannot have a Blocklist with FQDN List exceptions, for example.
FQDN List entries are not searchable from the FQDN file search, instead you can filter for FQDN List entries using the Add Filter function.
Regular entries require a full FQDN as pictured above.
To create a regex entry, click Regular to select Regex entry type, then click Create New.
International domain names (IDN) must be converted to punycode to be used in regex strings. For example, 中国.china-fortiddos.com must be converted to xn--fiqs8s.china-fortiddos.com. |
Regex entries follow regex syntax, with a maximum length of 255 characters. Longer strings will be truncated without any error message. FortiDDoS evaluates all regex expressions for matches simultaneously, so longer strings can be broken up and separate regex can be entered in any order.
If the FQDN Control List Type is set to Blocklist, for example, the Combined regex above would:
- Block any right-most subdomain if it contains 4 or more digits 0-9 (with or without any other characters)
- Block any right-most subdomain if it contains 8 or more characters a-Z, (with or without any other digits)
- Block any right-most subdomain if it contains 9 or more characters or digits, and special characters “-“ or “_” (all legal domain characters). For example, Mirai-based subdomain floods include a 12 character (a-Z, 0-9 character set at least) subdomain.
Interaction between FQDN Control List Type and Drop Allowlist Unmatched Query Under Flood
The DNS Resource Record Type ACL
The DNS Resource Record Type ACL allows blocking of any number of DNS Resource Record Types by QTYPE number. The DNS QTYPE field allows 65,536 TYPES of which fewer than 100 are defined and less are in common use.
The following Qtypes can be blocked:
- Known Qtypes which are not needed (for example: ALL/ANY=255)
- Deprecated Qtypes (for example: NULL=10)
- Undefined Qtypes (for example: 32770-65279)
DNS Resource Record Type ACLs are defined in numeric ranges. A single ACL entry has DNS Resource
Record Type Start = DNS Resource Record Type End.
Guidelines for use with SPPs that contain Firewalls, Proxies, Gateways, Email servers and other outbound generators of DNS Queries.
Many Firewalls, including FortiGates, send encrypted SSL-over-UDP DNS Queries to destination UDP port 53. FortiDDoS sees these as DNS anomalies and drops them, preventing Internet access for users behind the firewall or other proxy devices. SSL-over-UDP DNS Queries do not meet any RFC but our experience is that they are standard industry practice for many firewalls, proxies, gateways, mail servers and other equipment that uses cloud services to detect malicious domains. Some firewalls are adopting DNS-over-HTTPS or DNS-over-TLS, but, in many cases, the equipment is unknown or is not capable of changing the Queries from UDP port 53. In this case, the Firewall or other equipment sending these encrypted DNS Queries should be isolated in a separate SPP with all DNS anomalies and DNS Feature controls disabled.
To determine if the firewall is sending encrypted DNS to UDP Port 53, in Detection Mode, enable all DNS Anomalies. Leave the system for at least a day. Then go to Dashboard Top Attacks. Select the SPP you are concerned with and set the direction to Outbound. Look for several different types of DNS Anomaly drops. The number of drops is not a concern, it is the number of types of drops. If you see Invalid Opcode, QDCount not One in Query, Class No IN or other Anomalies, it is likely the firewall (email server, WiFi gateway, etc.) is using encrypted DNS packets.
Settings | Guidelines for Symmetric traffic (or Asymmetric where FortiDDoS sees all traffic) | Guidelines for Asymmetric Mode, where FortiDDoS does not see all traffic. |
---|---|---|
Match responses with queries (DQRM) | Enable/disable the DNS query response match (DQRM) table. Enable on all SPPs that do not carry encrypted DNS Queries. |
Disable. |
Allow only valid queries under flood (LQ) | Enable/disable the legitimate query (LQ) table. LQ should normally be enabled ONLY on SPPs containing public Recursive or Authoritative DNS servers. It has little value for SPPs sending outbound Queries like firewalls and proxies. |
Disable.
|
Validate TTL for queries from the same IP under flood | Enable/disable the time-to-live (TTL) table. TTL validation should normally be enabled ONLY on SPPs containing public Recursive or Authoritative DNS servers. It has little value for SPPs sending outbound Queries like firewalls and proxies. |
Disable.
|
DNS UDP Anti-spoofing Method inbound/outbound | Enable/disable anti-spoofing
checks for inbound and outbound UDP DNS traffic. This can be
used for all types of services. See firewall notes in second column. |
Enable inbound if this leg of the traffic might see inbound DNS Queries |
DNS flood mitigation mode inbound/outbound |
Specify the antispoofing method
if the source IP address is not already in the legitimate IP table (LIP):
|
Enable as for normal traffic suggestions. |
Generate response from cache under flood | Enable/disable DNS caching. Generally, more valuable for DNS Authoritative servers and may assist Recursive servers under attack. No valid for outbound gateways, firewalls, etc. |
Disable. Cache is created from outbound Responses which may not be seen. |
Force TCP or forward to server when no cache response available | If DNS caching is enabled
('Generate Response From Cache Under Flood' setting above), one of the
following behaviors must be configured:
|
Enable TC=1 if seeing inbound traffic. |
Duplicate query check before response | Enable/disable checks for repeated queries from the same source. If enabled, under non-flood conditions, the system checks and drops repeated UDP/TCP queries from the same source if it sends them at a rate greater than 3 per second. Under flood conditions, the duplicate query check is done for TCP and not for UDP. |
Enable if seeing inbound traffic. |
Block identified sources | Enable/disable source IP address
blocking periods for violators of any DNS-protection feature (ACL, anomalies,
or flood meters). Disabled by default. DNS floods are often spoofed, so we do
not recommend blocking an identified source to avoid punishing legitimate
clients. Instead, we recommend you rely on the other DNS protection methods.
They make packet-by-packet determinations and are not prone to false
positives The configuration is open, allowing you to enable source blocking if you want to experiment with it in your network. If enabled, when a threshold is reached, packets are dropped and the identified sources are subject to the Blocking Period for Identified Sources configured on the Global Settings > Settings page.
|
Disable |
Restrict DNS Queries to Specific Subnets | Enable/disable restriction to DNS queries from unwanted sources from the Internet. This feature allows service providers to protect their recursive or open DNS resolvers. In a typical deployment, the service provider will keep their open resolvers on the 'LAN' or the protected side of FortiDDoS and their own customers will be on the Internet side. On the Internet side, there will also be rogue DNS clients who send unwanted DNS query floods. To ensure that the DNS queries are only allowed from the service provider’s customers, the service provider must add those subnets into the Restricted Subnets list. By restricting the DNS queries to specific subnets, the service provider can avoid responding to unwanted queries and thus protecting DNS infrastructure from getting overloaded. |
Optional. |
DNS Fragment |
Enable/disable checks for DNS packets. |
Enable if seeing inbound traffic. |
Domain Reputation |
Enable/disable domain reputation. If enabled, domain names in DNS query and response will used to match items in the Domain reputation database file. Domain Reputation updated through FortiGuard. |
Enable if seeing inbound traffic. |
DNS Resource Record Type ACL |
Config range number of Resource Record Type. |
Enable if seeing inbound traffic. |
To configure with CLI:
config ddos spp dns profile
edit <dns profile name>
set dns-headeranomaly-feature-control {illegal-flag-combination invalid-op-code sp-equals-dp incomplete-dns}
set dns-queryanomaly-feature-control {qr-bit-set null-query qdcount-not-one-in-query ra-bit-set}
set dns-responseanomaly-feature-control {qclass-in-reply qtype-in-reply qr-bit-not-set qd-count-not-one-in-response}
set dns-bufferoverflow-anomaly-feature-control {long-name-length long-label-length tcp-message-long udp-message-long}
set dns-exploitanomaly-feature-control {premature-end-of-packet class-not-in zone-transfer pointer-loop empty-udp tcp-buffer-underflow}
set dns-infoanomaly-feature-control {enable/disable}
set dns-dataanomaly-feature-control {extraneous-data long-ttl invalid-class-type short-name-length multiple-opt-rr}
set dns-authentication-direction {none inbound outbound inbound-outbound}
set dns-flood-mitigation-mode-inbound {TC-equal-one dns-retransmission}
set dns-flood-mitigation-mode-outbound {TC-equal-one dns-retransmission}
set match-response-with-queries {enable/disable}
set validate-ttl-for-queries-from-the-same-ip {enable/disable}
set generate-response-from-cache-under-flood {enable/disable}
set allow-only-valid-queries-under-flood {enable/disable}
set source-blocking-in-dns {enable/disable}
set duplicate-query-check {enable/disable}
set force-tcp-or-forward-to-server {forcetcp/forward-to-server}
set aggressive-aging-incomplete-request {enable/disable}
set dns-fragment {enable/disable}
set domain-reputation {enable/disable}
set forbid-dnssec {enable/disable}
set dnssec-message-type-match {enable/disable}
set dnssec-require-response-after-query {enable/disable}
set force-any-query-use-tcp {enable/disable}
set dns-msg-ipfrag-parse-try-best {enable/disable}
set fqdn-control-list-type {allowlist/blocklist}
set block-allowlist-unmatched-query-under-flood
config fqdn-regex-list
edit <rule name>
set value <regex expression>
next
end
config fqdn-regular-list
edit <rule name>
set value <FQDN (lower-case characters, numbers, - _ only)
next
end
config dns-resource-record-type-acl
edit <rule name>
set dns-resource-record-type-start <1-65535>
set dns-resource-record-type-end <1-65535>
next
end
next
end