DNS packets are dropped by IPS protection "Non Compliant DNS" as attack "Bad domain format, empty domain"
Symptoms
  • DNS packets are dropped by IPS protection "Non Compliant DNS" as attack "Bad domain format, empty domain".

Cause
  • IPS protection "Non-Compliant DNS" does not allow UDP DNS response packets that are larger than 512 bytes.
  • If DNS UDP truncated response packets are allowed (dns_allow_udp_truncated_msg=1), then UDP DNS response packets with "TC" (Truncation Flag) may still be dropped if they are larger than 512 bytes.
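
A triage helper for packet captures, added here as an example (it is not Check Point code and does not reproduce the gateway's inspection logic): it reads the 12-byte DNS header of a UDP payload and flags responses that meet the two conditions listed under Cause. The function names and the sample payloads are constructed for illustration.

```python
import struct

DNS_UDP_LIMIT = 512   # byte limit named in the Cause section
QR_BIT = 0x8000       # set in the flags word when the message is a response
TC_BIT = 0x0200       # Truncation flag

def classify_dns_udp_payload(payload: bytes) -> dict:
    """Report the header fields relevant to the size check described above."""
    if len(payload) < 12:
        raise ValueError("DNS header is 12 bytes; payload too short")
    txid, flags, _qd, answers, _ns, _ar = struct.unpack("!6H", payload[:12])
    is_response = bool(flags & QR_BIT)
    truncated = bool(flags & TC_BIT)
    oversized = len(payload) > DNS_UDP_LIMIT
    return {
        "id": txid,
        "length": len(payload),
        "is_response": is_response,
        "tc": truncated,
        "answers": answers,
        # First Cause bullet: UDP response larger than 512 bytes.
        "oversized_response": is_response and oversized,
        # Second Cause bullet: same size condition with the TC flag set.
        "oversized_with_tc": is_response and oversized and truncated,
    }

def find_oversized(payloads):
    """Return the classifications of payloads matching the first Cause bullet."""
    results = [classify_dns_udp_payload(p) for p in payloads]
    return [r for r in results if r["oversized_response"]]

def build_sample(txid: int, flags: int, size: int) -> bytes:
    """Constructed test payload: a real header padded with zero bytes to `size`.
    The padding is not a valid record section; only the header is parsed."""
    header = struct.pack("!6H", txid, flags, 1, 1, 0, 0)
    return header + b"\x00" * (size - len(header))

if __name__ == "__main__":
    samples = [
        build_sample(1, 0x8180, 300),  # normal response, under the limit
        build_sample(2, 0x8180, 700),  # response over 512 bytes
        build_sample(3, 0x8380, 600),  # response over 512 bytes with TC set
        build_sample(4, 0x0100, 600),  # query, not a response
    ]
    for hit in find_oversized(samples):
        print(hit)
```

Feed it the UDP payloads (port 53) extracted from a capture taken on the side of the gateway where the responses arrive.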

Solution