Configure Attack Guards on the PIX Security Appliance
DNS Guard

In an attempt to resolve a name to an IP address, a host may query the same DNS server multiple times. The DNS Guard feature of the PIX Security Appliance recognizes an outbound DNS query and allows only the first answer from the server back through the PIX. All other replies from the same source are discarded. DNS Guard closes the UDP conduit opened by the DNS request as soon as the first DNS reply arrives and does not wait for the normal UDP timeout.

A host may also query several different DNS servers. The connection to each server is handled separately because each request is sent separately. For example, if the DNS resolver sends three identical queries to three different servers, the PIX Security Appliance creates three different connections. As the PIX receives a reply through each connection, it shuts down that one connection. It does not tear down all three connections because of the first reply. The DNS responses of all servers queried are allowed through the PIX. This feature is always enabled and does the following:

  • Automatically tears down the UDP conduit on the PIX Security Appliance as soon as the first DNS response is received from any given DNS server. It does not wait for the default UDP timer to close the session.
  • Prevents UDP session hijacking and denial of service (DoS) attacks.
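The per-server conduit behaviour described above, as an added simulation that is not PIX code: a resolver sends the same query to three servers, and only the first reply from each server is allowed back, while the repeat reply from server one and a reply from a server that was never queried are dropped. The `Packet` and `DnsGuard` names and the sample addresses are constructed for this model.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    """Minimal UDP packet model (constructed for the simulation)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class DnsGuard:
    """Models DNS Guard: one UDP conduit per outbound query (keyed by client
    address, client port and the server asked), torn down on the first reply."""
    conduits: set = field(default_factory=set)

    def outbound(self, pkt: Packet) -> None:
        # An outbound query to port 53 opens a conduit for that one server.
        if pkt.dst_port == 53:
            self.conduits.add((pkt.src_ip, pkt.src_port, pkt.dst_ip))

    def inbound(self, pkt: Packet) -> bool:
        # A reply is allowed only while its conduit is open; passing the reply
        # closes the conduit immediately, so later replies from the same server
        # (duplicates, late answers, or spoofed ones) have nothing to match.
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        if pkt.src_port == 53 and key in self.conduits:
            self.conduits.remove(key)
            return True
        return False


def run_scenario() -> dict:
    """Three identical queries to three servers; returns which replies pass."""
    guard = DnsGuard()
    client, port = "10.1.1.5", 40000                 # constructed addresses
    servers = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
    for s in servers:
        guard.outbound(Packet(client, port, s, 53))
    return {
        "srv1_first": guard.inbound(Packet("192.0.2.1", 53, client, port)),
        "srv1_repeat": guard.inbound(Packet("192.0.2.1", 53, client, port)),
        "srv2_first": guard.inbound(Packet("192.0.2.2", 53, client, port)),
        "srv3_first": guard.inbound(Packet("192.0.2.3", 53, client, port)),
        "unqueried": guard.inbound(Packet("192.0.2.9", 53, client, port)),
        "open_conduits": len(guard.conduits),
    }
```

Closing one server's conduit leaves the other two open, which is why the replies from servers two and three still pass after server one has answered.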