Unvalidated DNS queries can be either explicitly allowed or explicitly denied. When DNS Express is enabled, the system evaluates all DNS queries and either allows them or rejects them. If a query is not explicitly allowed or denied, it is treated as allowed by default. As a result, when DNS Express is enabled and an undisclosed query is received, TMM might terminate due to the presence of DNSSEC in the query. To avoid this issue, it is recommended that DNS Express not be enabled on the affected virtual servers; if DNS Express is already enabled, it is recommended that it be disabled. For information about disabling DNS Express, see How to Disable DNS Express.

How to disable DNS Express

1. Log in to the Fireware Management GUI and select the appliance.
2. Select Configure > System > General Configurations > DNS Express Settings.
3. Disable DNS Express by selecting Disable from the drop-down menu.

DNS Express Denial of Service (DoS)

DNS Express is not intended to be used as a protection mechanism against DoS attacks.
In the case of DNS Express, DNSSEC is added to the query and evaluated in TMM. If a DNS Express-enabled virtual server receives an undisclosed query and the server does not have DNSSEC enabled, TMM will terminate due to the presence of DNSSEC in the query.

Overview of the Issue
Details: When a new TCP connection comes from an external network and TMM receives a UDP packet for any given service such as DHCPv4-S (TCP port 67) or DHCPv4-C (UDP port 68), TMM checks whether the source MAC address matches any peer MAC addresses in its policy table configured for that service. If so, then TSM applies its security policy rule to authorize the connection and allows it through to other active endpoints such as PPPoE/PPPoA client systems or VLAN interfaces on physical switches to ensure that they are secure against unauthorized accesses by malicious users. However, if no match can be found in the policy table for any of these services with respect to the remote external IP address of incoming traffic packets then TSM ignores those packets because they are most likely coming

Timeline

Published on: 10/19/2022 22:15:00 UTC
Last modified on: 10/24/2022 13:36:00 UTC