1. In the Forefront TMG Management console, in the tree, click the Intrusion Prevention System node.

2. On the details pane of the Behavioral Intrusion Detection tab, click Configure Detection Settings for Common Network Attacks.

3. On the DNS Attacks tab, select Enable detection and filtering of DNS attacks.

4. Select one or more of the following types of suspicious activity:

   • DNS host name overflow—Select this option if you want Forefront TMG to check for DNS host name overflow attempts. The DNS Filter intercepts and analyzes DNS traffic destined for the Internal network. DNS host name overflow occurs when a DNS response for a host name exceeds a specified fixed length (255 bytes).
     
     
   • DNS length overflow—Select this option if you want Forefront TMG to check for DNS length overflow attempts. DNS length overflow occurs when a DNS response for an IP address exceeds a specified length of 4 bytes.
     
     
   • DNS zone transfer—Select this option if you want Forefront TMG to check for DNS zone transfer attempts. A DNS zone transfer attempt occurs when a client system uses a DNS client application to transfer zones from an internal DNS server.
     
     

5. Click OK.

6. In the details pane, click Apply to save and update the configuration, and then click OK.

Note:
By default, DNS attack detection is enabled for detecting attempts of DNS host name and DNS length overflow. When DNS attack detection is enabled and offending packets are detected, the packets are dropped, and an event that triggers a DNS Intrusion alert is generated.

Concepts