In an attempt to resolve a name to an IP address, a host may query
the same DNS server multiple times. The DNS Guard feature of the PIX Security
Appliance recognizes an outbound DNS query and allows only the first answer
from the server back through the PIX. All other replies from the same source
are discarded. DNS Guard closes the UDP conduit opened by the DNS request as soon as
the first DNS reply arrives, rather than waiting for the normal UDP timeout.
A host may
also query several different DNS servers. The connection to each server is
handled separately because each request is sent separately. For example, if the
DNS resolver sends three identical queries to three different servers, the PIX
Security Appliance creates three different connections. As the PIX receives a
reply through each connection, it shuts down that one connection. It does not
tear down all three connections because of the first reply. The DNS responses
of all servers queried are allowed through the PIX. This feature is always
enabled and does the following:
- Automatically tears down the UDP conduit on the PIX Security Appliance as
soon as the first DNS response is received from any given DNS server. It does
not wait for the default UDP timer to close the session.
- Prevents UDP session hijacking and denial of service (DoS) attacks.
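The following is an added illustration, not code from the page or from the PIX itself: a small Python model of the per-conduit state that the behaviour above implies. Each outbound query opens one conduit keyed on the client and server endpoints (that keying, and the sample addresses, are assumptions of the example); the first matching reply is allowed and tears the conduit down, later replies on the same conduit or with no matching query are dropped, and replies from other queried servers are unaffected. The counters are the kind of thing a defender would log to spot floods of unsolicited or duplicate replies.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Conduit:
    """One UDP DNS exchange, identified by the client and server endpoints.

    Assumption of this example: the conduit is keyed on the UDP 4-tuple.
    """
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int = 53


@dataclass
class DnsGuard:
    """Minimal model of the DNS Guard behaviour described on the page."""
    open_conduits: set = field(default_factory=set)
    # Counters a defender could export to a log for detection purposes.
    replies_allowed: int = 0
    replies_dropped: int = 0

    def outbound_query(self, client_ip, client_port, server_ip, server_port=53):
        """An outbound query opens one conduit for the expected reply."""
        conduit = Conduit(client_ip, client_port, server_ip, server_port)
        self.open_conduits.add(conduit)
        return conduit

    def inbound_reply(self, server_ip, server_port, client_ip, client_port) -> bool:
        """Return True if the reply is allowed through, False if discarded.

        The conduit is closed on the first matching reply; the UDP idle
        timeout is never consulted, so a second reply on the same conduit
        (or an unsolicited one) has nothing to match and is dropped.
        """
        conduit = Conduit(client_ip, client_port, server_ip, server_port)
        if conduit in self.open_conduits:
            self.open_conduits.remove(conduit)  # tear down immediately
            self.replies_allowed += 1
            return True
        self.replies_dropped += 1
        return False


def three_server_scenario():
    """Replay the page's example: identical queries to three different servers.

    All addresses are constructed sample values from RFC 5737 test networks.
    Returns (per-reply decisions, allowed count, dropped count, conduits left open).
    """
    guard = DnsGuard()
    client = "192.0.2.10"
    servers = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    for port, server in zip((40001, 40002, 40003), servers):
        guard.outbound_query(client, port, server)

    decisions = []
    # Server 1 answers; a second reply on the same conduit follows and is dropped.
    decisions.append(guard.inbound_reply(servers[0], 53, client, 40001))
    decisions.append(guard.inbound_reply(servers[0], 53, client, 40001))
    # Servers 2 and 3 still get through: one reply closes only its own conduit.
    decisions.append(guard.inbound_reply(servers[1], 53, client, 40002))
    decisions.append(guard.inbound_reply(servers[2], 53, client, 40003))
    # A reply from a server that was never queried has no conduit and is dropped.
    decisions.append(guard.inbound_reply("203.0.113.9", 53, client, 40001))

    return (decisions, guard.replies_allowed, guard.replies_dropped,
            len(guard.open_conduits))


if __name__ == "__main__":
    print(three_server_scenario())
```

The model deliberately keeps no timer at all: in the real appliance the UDP idle timeout still exists for other traffic, but for a DNS conduit the first reply is the only event that matters, which is exactly why a late or spoofed second answer has no state to match against.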