Section 8.0: Advanced Security
8.1. Perimeter Security
Configure an ACL that denies TCP/53 segments with the SYN flag set, so that no new TCP connection to port 53 can be opened through R2, to prevent such an attack, as demonstrated in the example following item 2.
Permit any DNS request originating from VLAN2:
hostname r2
!
interface Serial0
 ip address 179.7.2.2 255.255.255.248
 ip access-group 199 in
!
access-list 199 permit tcp any any eq domain established
access-list 199 deny tcp any any eq domain syn
access-list 199 permit ip any any
!
! Verify by telnetting from R3 to R2 on port 53
r3#telnet 179.7.2.2 53
Trying 179.7.2.2, 53 ...
% Destination unreachable; gateway or host down
r3#
! Check ACL counters on R2
r2#show access-lists 199
Extended IP access list 199
    permit tcp any any eq domain established
    deny tcp any any eq domain ...
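The following is an added example, not part of the lab text or Cisco IOS: a small Python model of how access-list 199 is evaluated in order, to show why the three rules must appear in this sequence. The rule and packet representations are assumptions made for the model; the keyword semantics are the IOS ones (established matches ACK or RST set, syn matches SYN set, first match wins, implicit deny at the end).

```python
# Added example (not from the lab): first-match evaluation of access-list 199.
# "established" matches any TCP segment with ACK or RST set; IOS keeps no
# connection state, so it only tells a first SYN from a mid-stream segment.
# Rule, Packet and the sample packets below are constructed for this model.
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    dport: int = 0                      # destination port (0 for non-TCP/UDP)
    flags: Set[str] = field(default_factory=set)   # e.g. {"SYN"}, {"ACK"}


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp" or "ip" (ip matches everything)
    dport: Optional[int] = None         # "eq domain" -> 53
    established: bool = False           # IOS "established" keyword
    syn: bool = False                   # IOS "syn" keyword


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.established and not (pkt.flags & {"ACK", "RST"}):
        return False
    if rule.syn and "SYN" not in pkt.flags:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """Return the action of the first matching rule, or the implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# access-list 199 exactly as applied inbound on Serial0 of R2
ACL_199 = [
    Rule("permit", "tcp", 53, established=True),   # replies to inside-initiated DNS/TCP
    Rule("deny", "tcp", 53, syn=True),             # first SYN of a new inbound session
    Rule("permit", "ip"),                          # everything else
]

if __name__ == "__main__":
    # R3's telnet to 179.7.2.2 port 53 is a bare SYN: denied by rule 2.
    print(evaluate(ACL_199, Packet("tcp", 53, {"SYN"})))        # deny
    print(evaluate(ACL_199, Packet("tcp", 53, {"SYN", "ACK"})))  # permit
```

Swapping the first two rules would not change these results, but placing "permit ip any any" first would silence the deny entirely, which is the kind of ordering error the show access-lists 199 counters make visible.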