The DNS preprocessor decodes DNS Responses and can detect the following exploits: DNS Client RData Overflow, Obsolete Record Types, and Experimental Record Types.
DNS looks at DNS Response traffic over UDP and TCP, and it requires the Stream preprocessor to be enabled for TCP decoding.
By default, all alerts are disabled and the preprocessor checks traffic on port 53.
The available configuration options are described below.
This option specifies the source ports on which the DNS preprocessor should inspect traffic.
Alert on Obsolete (per RFC 1035) Record Types
Alert on Experimental (per RFC 1035) Record Types
Check for DNS Client RData TXT Overflow
The DNS preprocessor does nothing if none of the 3 vulnerabilities it checks for are enabled. It will not operate on TCP sessions picked up midstream, and it will cease operation on a session if it loses state because of missing data (dropped packets).
Look for traffic on DNS server port 53, check for the DNS Client RData overflow vulnerability, and do not alert on obsolete or experimental RData record types.
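In snort.conf that example reads `preprocessor dns: ports { 53 } enable_rdata_overflow` (option keywords taken from Snort 2.x's DNS preprocessor; this page does not print them). The script below is an added illustration, not Snort's code: it re-implements the preprocessor's three checks over a constructed one-answer UDP response, so the alert conditions can be seen on concrete bytes, and assumes the standard RFC 1035 type codes while ignoring TCP reassembly and midstream state.

```python
import struct
# RR TYPE codes per RFC 1035 (standard values): MD/MF obsolete, MB/MG/MR/NULL experimental.
OBSOLETE_TYPES = {3: "MD", 4: "MF"}
EXPERIMENTAL_TYPES = {7: "MB", 8: "MG", 9: "MR", 10: "NULL"}
TYPE_TXT = 16

def skip_name(msg, off):
    # Return the offset just past a DNS name, honouring RFC 1035 compression pointers.
    while True:
        label_len = msg[off]
        if label_len == 0:
            return off + 1
        if label_len & 0xC0 == 0xC0:  # a 2-byte pointer terminates the name
            return off + 2
        off += 1 + label_len

def inspect_dns_response(msg):
    alerts = []
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:  # QR bit clear: a query, which the preprocessor ignores
        return alerts
    off = 12
    for _ in range(qdcount):  # question section: QNAME, then QTYPE and QCLASS
        off = skip_name(msg, off) + 4
    for _ in range(ancount + nscount + arcount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype in OBSOLETE_TYPES:
            alerts.append(f"obsolete record type {OBSOLETE_TYPES[rtype]}")
        elif rtype in EXPERIMENTAL_TYPES:
            alerts.append(f"experimental record type {EXPERIMENTAL_TYPES[rtype]}")
        elif rtype == TYPE_TXT:
            # TXT RDATA is <length><bytes> strings; a length past the remaining RDLENGTH is the overflow.
            pos = 0
            while pos < rdlen:
                if pos + 1 + rdata[pos] > rdlen:
                    alerts.append("DNS Client RData TXT overflow")
                    break
                pos += 1 + rdata[pos]
        off += rdlen
    return alerts

def build_response(rtype, rdata, flags=0x8180):
    # Constructed one-question, one-answer message (sample data, not a capture).
    hdr = struct.pack("!6H", 0x1234, flags, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", rtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return hdr + question + answer
```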