With NetScaler build 51, Citrix introduced DNS Security Options, which make it simple to define security policies for the DNS endpoints on a NetScaler. The feature is split into the following options:
- Cache Poisoning Protection
- DNS DDoS Protection
- Manage exception (whitelist / blacklist) servers
- Prevent random subdomain attacks
- Bypass the cache
- Enforce DNS transactions over TCP
- Provide root details in the DNS response
These options can now be found under Security –> DNS Security, so let's dig a little deeper into what the different options mean.
- Cache Poisoning Protection: cache poisoning is a type of attack in which corrupt data is inserted into the cache database of the DNS server, which matters for instance if we have GSLB-based ADNS servers running on our NetScaler (this feature is already enabled globally).
- DNS DDoS Protection: specifies that the NetScaler should drop requests if it is receiving a lot of requests from the same endpoint within a short time range; the action can be either block or warn (which sends a SYSLOG event).
- Whitelist/Blacklist Clients: pretty much a Responder policy which specifies who is allowed to query the DNS server.
- Prevent Random Subdomain Attacks: directs the DNS responder to drop DNS queries that exceed a specified length.
- Bypass the Cache: directs the NetScaler appliance to bypass the cache for specified domains, record types, or response codes when an attack is detected.
- Enforce DNS Transactions over TCP: some DNS attacks can be prevented if the transactions are forced to use TCP instead of UDP, so with this feature we can specify records or domains that should only be available over TCP instead of UDP.
- Provide Root Details in the DNS Response: in some attacks, the attacker sends a flood of queries for unrelated domains that are not configured or cached on the NetScaler appliance. If the dnsRootReferral parameter is ENABLED, it exposes all the root servers. This option directs the NetScaler appliance to restrict access to root referrals for a query that is not configured or cached; the appliance sends a blank response instead.
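To make the behaviour of three of these options concrete (DNS DDoS Protection with its block/warn action, Prevent Random Subdomain Attacks, and the client whitelist/blacklist), here is a small re-implementation of the same decisions run over a handful of constructed DNS query log lines. This is an added example for illustration, not NetScaler code and not how the appliance stores its configuration; the log line format, the class and function names, and the thresholds are all assumptions made here.

```python
"""Toy model of three NetScaler DNS Security checks (rate limit per client,
query-length limit, client allow/deny list) applied to constructed log lines.
Added illustration, not NetScaler code; the log format is an assumption."""
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log: "<ISO timestamp> <client IP> <record type> <qname>".
# 10.0.0.5 fires six queries in two seconds, 10.0.0.9 asks for an
# implausibly long random-looking name, 192.168.1.20 sits on the deny list.
SAMPLE_LOG = """\
2024-01-01T00:00:00 10.0.0.5 A www.example.com
2024-01-01T00:00:01 10.0.0.5 A mail.example.com
2024-01-01T00:00:01 10.0.0.5 A ftp.example.com
2024-01-01T00:00:02 10.0.0.5 A ns1.example.com
2024-01-01T00:00:02 10.0.0.5 A ns2.example.com
2024-01-01T00:00:02 10.0.0.5 A www2.example.com
2024-01-01T00:00:03 10.0.0.9 A a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6.example.com
2024-01-01T00:00:04 192.168.1.20 MX example.com
2024-01-01T00:00:05 10.0.0.7 AAAA www.example.com
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, rtype, qname)."""
    ts, client, rtype, qname = line.split()
    return datetime.fromisoformat(ts), client, rtype, qname


class DnsSecurityPolicy:
    """Hypothetical policy object mirroring the three options described above."""

    def __init__(self, max_queries, window_seconds, max_qname_len,
                 deny=(), allow=(), warn_only=False):
        self.max_queries = max_queries          # queries allowed per client per window
        self.window = window_seconds            # sliding window length in seconds
        self.max_qname_len = max_qname_len      # "Prevent Random Subdomain Attacks" length cap
        self.deny = [ip_network(n) for n in deny]    # blacklist
        self.allow = [ip_network(n) for n in allow]  # whitelist (empty = allow everyone)
        self.warn_only = warn_only              # DDoS action: warn (log) instead of block
        self._history = defaultdict(deque)      # client -> timestamps inside the window
        self.warnings = []                      # stand-in for SYSLOG events in warn mode

    def evaluate(self, ts, client, qname):
        ip = ip_address(client)
        if any(ip in net for net in self.deny):
            return "DROP_DENYLIST"
        if self.allow and not any(ip in net for net in self.allow):
            return "DROP_NOT_ALLOWED"
        if len(qname) > self.max_qname_len:
            return "DROP_QNAME_LENGTH"
        hist = self._history[client]
        hist.append(ts)
        # Slide the window: forget timestamps older than window_seconds.
        while (ts - hist[0]).total_seconds() > self.window:
            hist.popleft()
        if len(hist) > self.max_queries:
            if self.warn_only:
                self.warnings.append(f"{ts.isoformat()} rate exceeded by {client}")
                return "ALLOW"
            return "DROP_RATE"
        return "ALLOW"


def run(log_text, policy):
    """Evaluate every log line; returns a list of (client, qname, verdict)."""
    verdicts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _rtype, qname = parse_line(line)
        verdicts.append((client, qname, policy.evaluate(ts, client, qname)))
    return verdicts


def summarize(verdicts):
    """Count verdicts so the effect of each option is visible at a glance."""
    counts = defaultdict(int)
    for _client, _qname, verdict in verdicts:
        counts[verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    policy = DnsSecurityPolicy(max_queries=5, window_seconds=2, max_qname_len=40,
                               deny=("192.168.1.0/24",))
    for client, qname, verdict in run(SAMPLE_LOG, policy):
        print(f"{verdict:18} {client:14} {qname}")
    print(summarize(run(SAMPLE_LOG, DnsSecurityPolicy(5, 2, 40, deny=("192.168.1.0/24",)))))
```

With the thresholds used in the `__main__` block, the sixth query from 10.0.0.5 inside the two-second window is dropped, the 64-character name from 10.0.0.9 is dropped by the length check, and the deny-listed 192.168.1.20 is dropped before any other check runs; switching `warn_only=True` keeps the sixth query flowing but records the event in `warnings`, which is the analogue of the warn action's SYSLOG message.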
You can find a YouTube video of the process of setting it up and seeing the policies in action here –> https://www.youtube.com/watch?v=mWlY0hyA6KU
But note that these settings do not use any of the more advanced features such as DNSSEC; they mostly revolve around leveraging Responder policies to block attacks.