
allow-dns-reply

Syntax

allow-dns-reply;

Hierarchy Level

[edit security flow]

Release Information

Statement introduced in Release 8.5 of JUNOS software.

Description

Allow an incoming Domain Name Service (DNS) reply packet that has no matching request. By default, when the first packet of a UDP flow arrives with destination port 53, the device inspects the DNS message header to verify that the query/response (QR) bit is 0, which denotes a query message. If the QR bit is 1, which denotes a response message, the device drops the packet, does not create a session, and increments the illegal packet flow counter for the interface. Configuring the allow-dns-reply statement directs the device to skip this check.

This statement is supported on J-series and SRX-series devices.
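The default first-packet check and its allow-dns-reply bypass, modelled as an added Python example (this is illustrative code, not JUNOS software or its flow module). The function names, the per-interface counter shape, and the treatment of a too-short header as an illegal packet are assumptions; the sample DNS headers are constructed.

```python
import struct

DNS_PORT = 53
DNS_HEADER_LEN = 12  # RFC 1035 header: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def dns_qr_bit(payload: bytes) -> int:
    """Return the QR bit of a DNS message header (0 = query, 1 = response)."""
    if len(payload) < DNS_HEADER_LEN:
        raise ValueError("payload shorter than a DNS header")
    flags = struct.unpack("!H", payload[2:4])[0]  # second 16-bit word holds the flags
    return (flags >> 15) & 1                      # QR is the most significant flag bit


def first_packet_decision(dst_port: int, payload: bytes, allow_dns_reply: bool = False) -> str:
    """Model the check applied to the first packet of a UDP flow.

    Returns "create-session" or "drop-illegal". Only flows to UDP port 53 are
    inspected; with allow_dns_reply set, the QR check is skipped entirely.
    """
    if dst_port != DNS_PORT or allow_dns_reply:
        return "create-session"
    try:
        qr = dns_qr_bit(payload)
    except ValueError:
        return "drop-illegal"  # assumption: a truncated header is treated as illegal
    return "create-session" if qr == 0 else "drop-illegal"


def process_packets(packets, allow_dns_reply: bool = False):
    """Run (dst_port, payload) first packets through the check.

    Returns (sessions_created, illegal_packet_count), the latter standing in
    for the interface's illegal packet flow counter.
    """
    sessions = illegal = 0
    for dst_port, payload in packets:
        if first_packet_decision(dst_port, payload, allow_dns_reply) == "create-session":
            sessions += 1
        else:
            illegal += 1
    return sessions, illegal


# Constructed 12-byte DNS headers (ID 0x1234, no question section appended).
QUERY_HDR = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)     # QR=0, RD=1
RESPONSE_HDR = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1

# Constructed traffic: one query, two unsolicited replies to port 53, one reply to port 123.
SAMPLE = [(53, QUERY_HDR), (53, RESPONSE_HDR), (53, RESPONSE_HDR), (123, RESPONSE_HDR)]

if __name__ == "__main__":
    print("default:        ", process_packets(SAMPLE))
    print("allow-dns-reply:", process_packets(SAMPLE, allow_dns_reply=True))
```

With the default check the two unsolicited replies to port 53 are dropped and counted, while the reply to port 123 is never inspected; with allow-dns-reply every packet creates a session.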

Usage Guidelines

For configuration instructions and examples, see the JUNOS Software Security Configuration Guide.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.
