Protecting against DNS and other attacks

Microsoft Forefront Threat Management Gateway provides the DNS Filter, which intercepts and analyzes all inbound DNS traffic destined for the Internal network and other protected networks. If the detection of DNS attacks is enabled, you can specify that the DNS Filter will check for specific types of suspicious activity. For more information about the detection of DNS attacks, see Overview of intrusion detection.

To enable detection of DNS attacks

  1. In the Forefront TMG Management console tree, click Firewall Policy.

  2. On the Tasks tab, click Configure DNS Attack Detection.

  3. On the DNS Attacks tab, select Enable detection and filtering of DNS attacks.

  4. Select one or more of the following types of suspicious activity:

    • DNS host name overflow. Select this option if Forefront TMG should check for DNS host name overflow attempts. The DNS Filter intercepts and analyzes DNS traffic destined for the Internal network. DNS host name overflow occurs when a DNS response for a host name exceeds a certain fixed length (255 bytes).
    • DNS length overflow. Select this option if Forefront TMG should check for DNS length overflow attempts. DNS length overflow occurs when a DNS response for an IP address exceeds the expected length of 4 bytes.
    • DNS zone transfer. Select this option if Forefront TMG should check for DNS zone transfer attempts. A DNS zone transfer attempt occurs when a client system uses a DNS client application to transfer zones from an internal DNS server.

  5. Click OK.

  6. In the details pane, click the Apply button to save and update the configuration, and then click OK.

Notes

  • By default, DNS attack detection is enabled for DNS length overflow and DNS zone transfer attempts.
  • When DNS attack detection is enabled and offending packets are detected, they are dropped, and an event that triggers a DNS Intrusion alert is generated.
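As an added example (not code from the Forefront TMG product or from this documentation), the following Python script re-creates the three checks from step 4 and the drop-and-alert behaviour from the notes as a stand-alone DNS message inspector. It assumes that "zone transfer" means a query of type AXFR or IXFR, that the 255-byte limit is measured on the uncompressed wire form of the name, and that the 4-byte limit applies only to A records, so that 16-byte AAAA answers are not flagged; the sample messages are constructed inline, not captured traffic.

```python
"""Added example: offline re-creation of the DNS Filter checks described on this page."""
import struct

TYPE_A, TYPE_AAAA = 1, 28
ZONE_TRANSFER_TYPES = {252: "AXFR", 251: "IXFR"}  # assumption: these QTYPEs are what "zone transfer" means
MAX_NAME_WIRE_LEN = 255   # host name overflow threshold stated on the page (RFC 1035 name limit)
A_RDATA_LEN = 4           # length overflow threshold stated on the page (one IPv4 address)


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (dotted name, uncompressed wire length, next offset)."""
    labels, wire_len, hops, next_offset = [], 0, 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            if offset + 2 > len(msg):
                raise ValueError("truncated pointer")
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if next_offset is None:
                next_offset = offset + 2                # parsing resumes after the first pointer
            hops += 1
            if hops > 32:
                raise ValueError("pointer loop")
            offset = pointer
            continue
        wire_len += 1 + length                          # length octet plus label bytes
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", errors="replace"))
        offset += length
    return ".".join(labels), wire_len, next_offset if next_offset is not None else offset


def inspect_dns_message(msg):
    """Return [(check, detail), ...] for one DNS message (header, question and answer sections)."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    _ident, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    is_response = bool(flags & 0x8000)
    findings, offset = [], 12
    for _ in range(qdcount):
        name, wire_len, offset = _read_name(msg, offset)
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        if wire_len > MAX_NAME_WIRE_LEN:
            findings.append(("DNS host name overflow", f"{wire_len}-byte name in question"))
        if qtype in ZONE_TRANSFER_TYPES:
            findings.append(("DNS zone transfer", f"{ZONE_TRANSFER_TYPES[qtype]} request for {name}"))
    for _ in range(ancount if is_response else 0):
        name, wire_len, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if wire_len > MAX_NAME_WIRE_LEN:
            findings.append(("DNS host name overflow", f"{wire_len}-byte owner name in answer"))
        # assumption: only A records are held to 4 bytes, so a 16-byte AAAA answer is legitimate
        if rtype == TYPE_A and rdlength > A_RDATA_LEN:
            findings.append(("DNS length overflow", f"A record for {name} carries {rdlength} bytes of RDATA"))
        offset += rdlength
    return findings


def filter_verdict(msg):
    """Mirror the behaviour in the Notes: an offending packet is dropped and raises a DNS Intrusion alert."""
    findings = inspect_dns_message(msg)
    return {"action": "drop" if findings else "allow",
            "alert": "DNS Intrusion" if findings else None,
            "findings": findings}


# ---- constructed sample messages (not captured traffic) ----
def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"


def build_query(name, qtype):
    """Standard query with one question."""
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, rtype, rdata):
    """Response with one answer whose owner name is a compression pointer back to the question."""
    question = _encode_name(name) + struct.pack("!HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + question + answer


SAMPLES = {
    "normal": build_response("www.example.com", TYPE_A, bytes([192, 0, 2, 10])),
    "normal_aaaa": build_response("www.example.com", TYPE_AAAA, b"\x20\x01\x0d\xb8" + b"\x00" * 12),
    "length_overflow": build_response("www.example.com", TYPE_A, b"\x41" * 16),
    "zone_transfer": build_query("example.com", 252),
    "hostname_overflow": build_response(".".join(["a" * 60] * 5), TYPE_A, bytes([192, 0, 2, 10])),  # 306-byte name
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, filter_verdict(msg))
```

Running the script prints an allow/drop verdict for each constructed message; the same `inspect_dns_message` function can be pointed at DNS payloads pulled from a packet capture to see which of the three conditions a given message would trip before relying on the filter's own alert.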