DNS LQ Populate
NOTE 1: On upgrade to 7.0.1, any existing LQ table is deleted and replaced by a new, much larger, and more granular table for improved mitigation. Existing entries are deleted. Fortinet strongly recommends:
NOTE 2: If you are using LQ Populate with “split-brain / split-horizon” DNS servers that provide Authoritative Responses to internet clients and Recursive Queries/Responses for inside clients, additional settings are required. See below.
NOTE 3: If you have multiple Authoritative Servers in different SPPs, additional DNS Profile Settings are required as noted below.
NOTE 4: If you have wildcard domains or subdomains such as *example.com or *vpn.example.com, DNS LQ Populate cannot prevent random subdomain floods. In this case, use the Allowlist function.
LQ Populate Overview
Legitimate Query (LQ) Populate is designed to protect Authoritative DNS servers from DNS Query floods, including floods that are relayed through global anycast Recursive DNS services like Google 8.8.8.8 or Cloudflare 1.1.1.1. It can be used with other services with expert knowledge.
DNS protection is complex because DNS is complex, with many variables. If unsure, contact Fortinet before proceeding with any configuration.
In summary, LQ Populate will:
- During normal traffic:
  - Acquire valid FQDNs via:
    - Recording the FQDNs from all Queries (100% packet inspection) in a large validation table.
    - Saving an uploaded comma-delimited CSV list of valid FQDNs in the validation table.
    - Saving a manually entered (via GUI or CLI) list of FQDNs.
    - As shown below, these saved “validation” FQDNs include the SPP to which they were directed, and can optionally include the Resource Record (A, MX, TXT, etc.).
  - Validate these FQDNs:
    - With Symmetric Traffic: positive Rcode=0 Responses seen for the saved FQDN add the FQDN to the LQ table. Any FQDN receiving a “negative” Response will be removed from the validation (and LQ) tables.
    - With Asymmetric Traffic (Asymmetric Mode): FortiDDoS validates the FQDN via “dig” Queries from the FortiDDoS Management port. Positive and negative dig Responses result in adding or deleting the FQDN as above.
  - Options exist to include Resource Records (A, MX, TXT, etc.) and/or filter for certain FQDNs.
- Under Flood:
  - Compare the FQDNs in all Queries with the LQ table AND the SPP to which this Query should be directed.
  - Any match (even over Threshold) is allowed.
  - Any mismatch of FQDN and/or SPP is dropped.
- Aging the LQ Populate table:
  - The LQ Populate table is not aged by TTL, to prevent seldom-used or short-TTL FQDNs from aging out.
  - The FQDN is retained in both the validation and the LQ tables and is continuously validated by system “digs” or Responses. If the FQDN is removed from service, a “dig” or Response will detect this and remove the FQDN from both the LQ and validation tables.
LQ is difficult to explain because of its many options, but for most users it will be easy to implement. You can skip directly to Using LQ (DNS LQ Populate) for most scenarios and read the details later.
DNS LQ Populate table size
When Global Protection > DNS LQ Populate is enabled, the LQ table size increases as below:
DNS LQ Populate functionality:
- To enable DNS LQ Populate, enable TTL-less LQ Table Populate:
  - FortiDDoS automatically captures every Fully Qualified Domain Name it sees (FQDN = “mail.example.com” or “this-is_junk.123.exmple.com”) from Queries during non-flood times. It places the FQDN in a large (hidden) validation table. It validates the FQDN from:
    - The DNS Response, if in Symmetric Mode, or
    - The system’s own low-rate (~130 per second) DNS dig Queries to system- or user-defined DNS servers.
  If valid, the FQDN is added to the Legitimate Query (LQ) Table, which is used to allow only legitimate Queries under a DNS Query Flood attack. New FQDNs are Queried immediately and all FQDNs are Queried periodically to remove any FQDNs no longer in use. The LQ table in this case does not age, since no TTL is included with the FQDN.
- The Validation and LQ table entries include 2 optional additional fields:
  - Resource Record
  - SPP, based on the Destination/Protected IP from the Query
  Note: all LQ entries include an SPP field, obtained from the uploaded list, from traffic, or from “digs”.
  These fields may or may not be used depending on further options. In most cases they are not required and should only be used by experts.
- The FQDN Validation table can be populated 4 ways:
  - In Symmetric traffic, from FQDNs in Queries with “good” Rcode=0 Responses
  - In Asymmetric Mode, from FQDNs in any Query
  - By uploading a list of valid FQDNs via the Global > DNS LQ Populate page
  - By entering an FQDN via the Global > DNS Global LQ > Import FQDN table
- FQDN Validation
  - To validate the FQDN, FortiDDoS will use one of the following:
    - The system-configured DNS servers (System DNS Servers, Network > DNS)
    - The DNS server IP addresses entered in Global Protection > DNS LQ Populate: Customized Servers
  - If Customized Servers are used, multiple servers can be defined with IP addresses, separated by spaces. Servers will be picked based on availability. Enter a maximum of 64 DNS servers.
  - The Service Protection > DNS Profile also supports an FQDN Validation Resolver field, supporting up to 64 DNS Server IP addresses. This field is intended for specific applications and should not be used without expert knowledge and Fortinet support.
  - It is recommended that the validation DNS servers be the actual Authoritative nameservers that host these domains.
  - In operation, if the Queried FQDN is valid (gets a NOERROR Rcode=0 Response), it is added to and retained in the LQ table without aging, until a validation cycle returns a “negative” Response, at which point it is removed from both the LQ and validation tables. Under any type of DNS Query flood, the first check done by the system is the LQ table. If the FQDN in the Query does not match any FQDN in the LQ table, it is dropped with no Response and does not reach the server. This will stop popular Random Subdomain floods within milliseconds, even when relayed through public Recursive DNS services.
- Resource Records to Import
  DNS LQ Populate allows you to import a CSV (comma-delimited) list of FQDNs with additional optional information. This list is used to “seed” the LQ validation table and LQ table. Once imported, fields in this section show you the date of import (Last Change), the File Name imported, and the number of domains in the file.
  The import file can contain the following:
  - FQDN: Recommended and easiest to use. The other formats require expert knowledge.
    Populate LQ Without Type enabled. Examples:
    - www.example.com
    - mail.example.com
    - vpn.example.com
  - FQDN + Resource Record
    Populate LQ Without Type disabled. This adds more records and requires expert knowledge of every Resource Record used by every FQDN. The format must be one FQDN and one Resource Record per row:
    - example.com,A
    - example.com,AAAA
    - example.com,TXT
    - mail.example.com,MX
    - vpn.example.com,A
    Since this can get very complex, it is recommended for experts only.
  - FQDN + SPP Name
    Populate LQ Without Type enabled:
    - example.com,,DNS1
    - fortinet.com,,DNS2
    Unless you are protecting multiple DNS servers and are concerned with Queries passing LQ for the wrong server (unlikely), this is not recommended.
  - FQDN + RR + SPP Name
    Populate LQ Without Type disabled:
    - example.com,A,DNS1
    - fortinet.com,AAAA,DNS2
    Unless you have a very complex DNS environment and are an expert user, this is not recommended.
- Other Options
  - LQ Populate Domains
    LQ Populate Domains is a simple filter that will not add FQDNs to the validation table which don’t match at least one of the “top-level domain(s)” for your server(s). For example, if example.com is in this field, “junk.example.com” will be added and validated but “fortinet.com” will never be added for validation. Adding the domains here will require less validation by FortiDDoS, but you must still ensure that ALL your highest-level domains are added.
    Note: Recursive servers will never send Queries for domains that don’t belong to your Authoritative DNS Server, but botnets will send direct Queries with completely junk FQDNs (abc.xyz) because these still get possibly large NxDomain Responses (with DNSSEC keys or cookies). Adding your top-level domains is useful, but be sure you record ALL of them or users will be blocked during floods. If unsure, do not add domains here.
    Up to 64 domains can be added with single-space separation.
    NOTE 1: If you are using LQ Populate with “split-brain / split-horizon” DNS servers that provide Authoritative Responses to internet clients and Recursive Queries/Responses for inside clients, add your top-level domains here. LQ examines Queries in both directions, and outbound Queries may populate the LQ table with unnecessary FQDNs.
    NOTE 2: If this same “split-brain” DNS server is encrypting its Recursive DNS Queries and Responses (usually with vendor- or third-party-based web filtering), this may not be needed. See the DNS Profile for a method to confirm that outbound DNS Recursive Queries are encrypted.
  - Max FQDN Length – The maximum length allowed for an FQDN is 255 characters. If you have expert knowledge that all your subdomains do not exceed a specific length, you can use this as a filter to prevent longer FQDNs from being added to the validation table. In most cases this is not needed, and the default value is acceptable.
Altogether, the above provide very accurate mitigation of typical random subdomain (like this-is_junk.example.com) floods within milliseconds without blocking legitimate Queries, even when attacks are relayed through ISP and Cloud DNS service Recursive DNS servers, like Google or Cloudflare.
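The table behaviour described above (the validation and LQ tables, the CSV import formats, the Populate LQ Without Type switch, and the LQ Populate Domains and Max FQDN Length pre-filters) as an added Python model. This is example code written for this page, not FortiDDoS code; the class and method names, the SPP labels DNS1/DNS2, and the rule that an entry seeded without an SPP takes the SPP from its first positive validation are assumptions.

```python
import csv
import io

class LQPopulate:
    def __init__(self, populate_domains=(), max_fqdn_length=255, without_type=True):
        # LQ Populate Domains: only FQDNs under these top-level domains are considered
        self.populate_domains = tuple(d.lower().strip(".") for d in populate_domains)
        self.max_fqdn_length = max_fqdn_length   # Max FQDN Length filter
        self.without_type = without_type         # Populate LQ Without Type
        self.validation = set()                  # hidden validation table
        self.lq = set()                          # LQ table consulted under flood

    def _key(self, fqdn, rrtype, spp):
        # The Resource Record is part of the key only when Without Type is disabled
        return (fqdn.lower().rstrip("."), None if self.without_type else rrtype, spp)

    def passes_filters(self, fqdn):
        """Pre-filters applied before anything enters the validation table."""
        fqdn = fqdn.lower().rstrip(".")
        if len(fqdn) > self.max_fqdn_length:
            return False
        if not self.populate_domains:
            return True
        return any(fqdn == d or fqdn.endswith("." + d) for d in self.populate_domains)

    def seed_from_csv(self, text):
        """Import rows in the page's formats: fqdn | fqdn,RR | fqdn,,SPP | fqdn,RR,SPP."""
        for row in csv.reader(io.StringIO(text)):
            fields = [f.strip() for f in row] + ["", ""]
            if fields[0] and self.passes_filters(fields[0]):
                self.validation.add(self._key(fields[0], fields[1] or None, fields[2] or None))

    def record_query(self, fqdn, spp, rrtype="A"):
        """Normal traffic: every Query FQDN that passes the filters is saved for validation."""
        if self.passes_filters(fqdn):
            self.validation.add(self._key(fqdn, rrtype, spp))

    def apply_response(self, fqdn, spp, rcode, rrtype="A"):
        """Rcode 0 (NOERROR) promotes a saved FQDN to LQ; a negative Rcode removes it from both."""
        key = self._key(fqdn, rrtype, spp)
        unassigned = (key[0], key[1], None)      # seeded without an SPP (assumption: set here)
        if rcode == 0:
            if key in self.validation or unassigned in self.validation:
                self.validation.discard(unassigned)
                self.validation.add(key)
                self.lq.add(key)
        else:
            for k in (key, unassigned):
                self.validation.discard(k)
                self.lq.discard(k)

    def allowed_under_flood(self, fqdn, spp, rrtype="A"):
        """Under flood: FQDN and SPP (and RR, if typed) must match an LQ entry, else drop."""
        return self._key(fqdn, rrtype, spp) in self.lq
```

A random-subdomain name that was captured from traffic is removed again on its first negative validation, so under flood it is dropped while seeded and validated names keep passing.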
Protecting Multiple DNS Server SPPs
If you are protecting only one DNS Server or none, this section is not required.
If you are protecting multiple different nameservers in different SPPs, additional SPP options are available in the DNS Profile assigned to each SPP:
- LQ Populate Domain
  As described in the Global DNS LQ Populate, the FQDN added to the validation table and LQ table has an additional SPP field, based on the Destination/Protected IP of the Query.
  There is a slight possibility that an attacker will use Queries that are valid “globally” but direct them to a DNS Server in a different SPP that does not host those domains.
  The LQ Populate Domain field can contain the local “tlds” that are valid for this SPP. If the Query FQDN and SPP do not match this SPP and this “tld”, it will not be placed in the validation table, saving some validation cycles.
  Up to 64 valid domains can be entered here with single-space separation. Far fewer are normally needed. Enter the highest-level domains in the server, like example.com or example.org.
  If you are not sure, leave this blank. Mitigation is not affected.
- FQDN Validation Resolver
  The specific domains associated with this SPP will use this resolver list (IP addresses, single-space separation).
  See DNS Profile for more details.
Using LQ (DNS LQ Populate)
DNS server protection is complex with possible variations required for:
Misconfigured DNS will prevent legitimate clients from reaching your servers or reaching the internet. If unsure, contact FortiCare for support.
- Using LQ with a single, enterprise-class Authoritative DNS Server
  - In Global Protection > DNS LQ Populate:
    - Enable:
      - TTL-Less LQ Table Populate
      - Populate LQ Without Type
    - Optional:
      - LQ Populate Domains
        Leaving this empty is acceptable. Entering your top-level domains may save some FortiDDoS validation cycles, but if you do this, ensure that you include ALL the top-level domains. If unsure, leave empty.
    - Leave:
      - Max FQDN Length 255 (default)
      - FQDN Validation Resolver = System DNS Servers
    - Optionally:
      - Add a small number of FQDNs via Imported FQDN
        - Leave Type=1 (won’t be used) and SPP blank (won’t be used)
      - In a comma-delimited CSV document, gather the known FQDNs for the DNS Server (only FQDNs; no TTL, Resource Records or SPP info).
        - The easiest format is a spreadsheet with one FQDN per row, saved as CSV (comma-delimited).
      - Upload this document via Resource Records to Import
        This list will “seed” the validation, so it does not need to wait for Queries and validation. The list and “live” traffic Queries will work together.
  - Assign a DNS Profile to the SPP that contains the Authoritative DNS Server and ensure the Allow Only Valid Queries Under Flood (LQ) option is enabled. You can use LQ in other SPPs as well.
    - LQ Populate Domain and FQDN Validation Resolver in the DNS Profile are not required. Leave empty.
  - Enable other DNS Anomalies and Features as recommended in the DNS Profile handbook section.
  - See Monitoring DNS LQ Populate for operational information.
- Using LQ with Multiple Enterprise-Class Authoritative DNS Servers in different SPPs
  - Create an SPP for each DNS Server (or set of servers serving the same domains)
  - In Global Protection > DNS LQ Populate:
    - Enable:
      - TTL-Less LQ Table Populate and
      - Populate LQ Without Type
    - Leave:
      - LQ Populate Domains empty (default)
      - Max FQDN Length 255 (default)
      - FQDN Validation Resolver = System DNS Servers – NOTE: These will be modified in the DNS Profiles associated with each server SPP.
    - Optional but Recommended:
      - In a CSV (comma-delimited) document, gather the known FQDNs for all the DNS Servers with:
        - FQDNs
        - Optional and not recommended: Resource Record Names (A, MX, etc.)
        - SPP Name
        Format:
        example.com,,DNS1
        fortinet.com,,DNS2
        Saved as CSV (comma-delimited).
        Note: You do not need to exhaustively include all domains – the CSV list will “seed” the validation and LQ tables and will work with “live” traffic Queries to complete the tables over time.
      - Upload this document via Resource Records to Import.
    - Optional, and recommended only for servers with very few top-level domains:
      - Add a small number of FQDNs via Import FQDN
        - Include:
          - FQDN
          - Resource Record Type may be left default (recommended) or used. Unlike CSV import, Type must be the Resource Record number ID. For example, an A record = 1, MX = 15.
            DNS Resource Record type labels and numerical IDs can be found here: List of DNS record types - Wikipedia.
          - SPP Name
  - Assign a unique DNS Profile to each SPP
    - Enable Allow Only Valid Queries Under Flood (LQ)
    - Optional but highly recommended: add FQDN Validation Resolver.
      Enter the nameserver IP address(es) that you are protecting with this SPP, assuming that the FortiDDoS Management port can reach that server. This limits the validation Queries to those servers.
    - Optional but recommended: add LQ Populate Domain.
      Add the top-level domain names for the nameservers protected by this SPP, separated by single spaces. For example: “example.com fortinet.com”. This will act as a simple early filter. If Query FQDNs do not match these, they will not be added to the LQ validation table and will not require validation.
- Using DNS LQ Populate with Hosted DNS Authoritative Servers in different SPPs
  - Create an SPP for each DNS Nameserver (or set of servers serving the same domains)
  - In Global Protection > DNS LQ Populate:
    - Enable TTL-Less LQ Table Populate
    - Disable:
      - Populate LQ Without Type
    - Leave:
      - LQ Populate Domains empty (default)
        These will be added in each DNS Profile.
    - Optional:
      - Max FQDN Length 255 (default)
        If you know the longest FQDN allowed for your customers and it is less than 255, you can enter it here.
    - Optional but highly recommended:
      In a CSV (comma-delimited) document, gather the known FQDNs for the DNS Server with:
      - FQDNs with Resource Records and SPP Name per row
      - FQDNs for all DNS nameservers are entered in the Global > DNS LQ Populate.
      - If SPPs are not included, they will be determined during FortiDDoS “dig” validations.
  - Assign a DNS Profile to the SPP that contains the specific Authoritative DNS Server and ensure the Allow Only Valid Queries Under Flood (LQ) option is enabled.
    - Optional:
      - Add LQ Populate Domain(s)
        This filter will prevent domains not associated with this SPP from being added to LQ. We would not expect this list to be used because:
        - Users may be able to define their own domains, so leaving this blank is acceptable.
        - Only 64 domains can be added here, which may not be enough for hosted servers.
        The risk that non-legitimate FQDNs are added is low. FortiDDoS will validate at about 128 Queries per second. 200,000 FQDNs, each with 5 Resource Records, are validated within about 2 hours. FQDNs+Resource Records will not age until a future validation Query returns a negative Response.
    - Add:
      - FQDN Validation Resolver IP Address(es)
        Enter the IP address(es) of the name servers in this SPP.
        Note: You can use the FQDN Files Upload function here, but you should already have done that in Global > DNS LQ Populate. All FQDNs go into one global table. You cannot import individual FQDNs here – use Global > DNS LQ Populate.
The Query side of Recursive DNS Servers
Do not attempt to use this feature independently. For usage details and instructions, please contact Fortinet Support.
Monitoring DNS LQ Populate
In operation, LQ will validate and drop, add or delete FQDNs from the LQ Table. The contents of the table are displayed in the DNS LQ Populate > Valid FQDN table.
You can:
- Download the list for comparison and troubleshooting purposes,
- Search the list to confirm whether a domain is present or not.
Note: Type and SPP will always display, even if they are not used.