04-DPI Command Reference
DGA detection commands
The following compatibility matrix shows the support of hardware platforms for DGA detection:
Series | Models | DGA detection compatibility |
---|---|---|
F5000 series | F5000-AI-40, F5000-AI-20, F5000-AI-15 | Yes |
F5000 series | F5000-AI160, F5000-CN160, F5000-CN-G85, F5000-CN-G65, F5000-CN-G55 | No |
F1000 series | F1000-AI-25 | Yes |
action
Use action to specify DGA detection processing actions for detected packets.
Use undo action to restore the default.
Syntax
action { permit | drop } [ logging ]
undo action
Default
The default DGA detection processing action for detected packets is permit.
Views
DGA detection view
Predefined user roles
network-admin
context-admin
Parameters
permit: Permits matching packets to pass.
drop: Drops matching packets and changes the state of the packet source IP addresses in the DGA cache to frozen. The device then drops all DNS request packets initiated by the IP addresses for a fixed time of 30 minutes.
logging: Logs the packets.
Usage guidelines
The device inspects the DNS request packets sent from each source IP address and determines whether the accessed domain names are DGA domain names. If a detected domain name is a DGA domain name, the device increments the DGA domain name access count of this IP address. When the count reaches the threshold (the current threshold is 5), the device performs the configured DGA detection processing action on DNS request packets sent by this IP address.
Examples
# Specify the DGA detection processing action as drop.
<Sysname> system-view
[Sysname] dga
[Sysname-dga] action drop
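The per-source-IP counting, threshold and 30-minute freeze described in the usage guidelines, as an added model written for this page (not the device's own code): is_dga is an assumed callback standing in for the intelligent service platform verdict, looks_dga is a constructed stand-in for it, and the counter restarting after a freeze is an assumption.

```python
from collections import defaultdict

# Constants taken from the page: the access-count threshold and the freeze time.
DGA_THRESHOLD = 5
FREEZE_SECONDS = 30 * 60


class DgaDetector:
    """Model of the per-source-IP processing behind the action command."""

    def __init__(self, is_dga, action="permit", logging=False):
        assert action in ("permit", "drop")
        self.is_dga = is_dga          # assumed verdict callback (platform stand-in)
        self.action = action
        self.logging = logging
        self.counts = defaultdict(int)  # DGA domain accesses per source IP
        self.frozen_until = {}          # source IP -> time the freeze expires
        self.log = []                   # constructed log records: (time, ip, name)

    def handle_query(self, src_ip, name, now):
        """Return 'permit' or 'drop' for one DNS request for name at time now."""
        # A frozen source has every DNS request dropped until the freeze expires,
        # whatever domain name it queries.
        expiry = self.frozen_until.get(src_ip)
        if expiry is not None:
            if now < expiry:
                return "drop"
            del self.frozen_until[src_ip]
            self.counts[src_ip] = 0     # assumption: counter restarts after a freeze
        if not self.is_dga(name):
            return "permit"
        self.counts[src_ip] += 1
        if self.counts[src_ip] < DGA_THRESHOLD:
            return "permit"
        # Threshold reached: apply the configured processing action.
        if self.logging:
            self.log.append((now, src_ip, name))
        if self.action == "drop":
            self.frozen_until[src_ip] = now + FREEZE_SECONDS
            return "drop"
        return "permit"


def looks_dga(name):
    """Constructed stand-in verdict: long, vowel-poor first label."""
    label = name.split(".")[0]
    vowels = sum(c in "aeiou" for c in label)
    return len(label) >= 12 and vowels <= len(label) // 5
```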
dga
Use dga to enter a DGA detection view.
Use undo dga to delete all configurations in the DGA detection view.
Syntax
dga
undo dga
Views
System view
Predefined user roles
network-admin
context-admin
Usage guidelines
You can enable DGA detection and specify DGA detection processing actions in a DGA detection view.
Examples
# Enter a DGA detection view.
<Sysname> system-view
[Sysname] dga
[Sysname-dga]
display inspect domain-name exception
Use display inspect domain-name exception to display exceptional domain names.
Syntax
display inspect domain-name exception
Views
Any view
Predefined user roles
network-admin
context-admin
Usage guidelines
When a domain name extracted by the device from the DNS packet matches an exceptional domain name, the device will not perform DGA detection on the packet. You can use this command to view exceptional domain names configured on the device.
Examples
# Display all exceptional domain names.
<Sysname> display inspect domain-name exception
Domain names:
movimet.com
www.abcsd.com
Table 1 Command output
Field | Description |
---|---|
Domain names | Exceptional domain names. |
Related commands
inspect domain-name exception
inspect domain-name exception
Use inspect domain-name exception to specify an exceptional domain name.
Use undo inspect domain-name exception to delete the exceptional domain name.
Syntax
inspect domain-name exception domain-name
undo inspect domain-name exception domain-name
Default
No exceptional domain name is specified.
Views
System view
Predefined user roles
network-admin
context-admin
Parameters
domain-name: Specifies an exceptional domain name, a case-insensitive string of 3 to 255 characters. The domain name can contain only letters, digits, hyphens (-), and dots (.). The dot (.) separates the levels of a multi-level domain name and cannot appear at the beginning or end of the domain name. Each level of the domain name must be a string of 1 to 63 characters.
Usage guidelines
If you do not need to perform DGA detection on some domain names, specify them as exceptional domain names. When a domain name extracted by the device from the DNS packet matches an exceptional domain name, the device will not perform DGA detection on the packet.
You can execute this command multiple times to specify multiple exceptional domain names.
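A validator for the domain-name parameter rules above plus the exception match from the usage guidelines, as an added example written for this page (not the device's own code); exact, case-insensitive matching of the queried name against the list is an assumption, since the page does not say whether subdomains of an exceptional name also match.

```python
import re

# Rules from the inspect domain-name exception parameter description.
MIN_LEN, MAX_LEN = 3, 255
LABEL_RE = re.compile(r"[A-Za-z0-9-]{1,63}")


def validate_exception_domain(name):
    """Return None if name is acceptable, else a string naming the violated rule."""
    if not MIN_LEN <= len(name) <= MAX_LEN:
        return "length must be 3 to 255 characters"
    if name.startswith(".") or name.endswith("."):
        return "dot cannot appear at the beginning or end"
    for label in name.split("."):
        # An empty label (from "..") fails here because it is shorter than 1.
        if not LABEL_RE.fullmatch(label):
            return "each level must be 1 to 63 letters, digits or hyphens"
    return None


class ExceptionList:
    """Case-insensitive, exact-match exception list (exact match is an assumption)."""

    def __init__(self):
        self.names = set()

    def add(self, name):
        error = validate_exception_domain(name)
        if error:
            raise ValueError(f"{name}: {error}")
        self.names.add(name.lower())

    def remove(self, name):
        self.names.discard(name.lower())

    def skips_detection(self, queried_name):
        # Mirrors the usage guideline: a matching name is not sent for DGA detection.
        return queried_name.lower() in self.names
```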
Examples
# Specify www.example.com as an exceptional domain name.
<Sysname> system-view
[Sysname] inspect domain-name exception www.example.com
Related commands
display inspect domain-name exception
service enable
Use service enable to enable DGA detection.
Use undo service enable to disable DGA detection.
Syntax
service enable
undo service enable
Default
DGA detection is disabled.
Views
DGA detection view
Predefined user roles
network-admin
context-admin
Usage guidelines
When this feature is enabled, the device sends the domain name extracted from a DNS request packet to the intelligent service platform for DGA detection. After detection, the device caches the detection result returned by the platform.
Examples
# Enable DGA detection.
<Sysname> system-view
[Sysname] dga
[Sysname-dga] service enable