a10_ddos_template_dns

Synopsis

DNS template Configuration

Parameters

Each entry is listed as: parameter (type[, required]) [choices/defaults]: comment.

state (str, required) [noop, present, absent]: State of the object to be created.
ansible_host (str, required): Host for AXAPI authentication.
ansible_username (str, required): Username for AXAPI authentication.
ansible_password (str, required): Password for AXAPI authentication.
ansible_port (int, required): Port for AXAPI authentication.
a10_device_context_id (int) [1-8]: Device ID for aVCS configuration.
a10_partition (str): Destination/target partition for object/command.
name (str, required): Field name.
action (str): 'drop' = Drop packets (default action); 'reset' = Send client RST for TCP connections.
dns_any_check (bool): Drop DNS queries of type ANY.
dns_auth_cfg (dict): Field dns_auth_cfg.
dns_auth (bool): DNS authentication.
dns_auth_type (str): 'udp' = Drop DNS request and monitor client retry; 'force-tcp' = Force DNS request over TCP.
udp_timeout_val_only (int): UDP authentication timeout in seconds.
udp_timeout (int): UDP authentication timeout in seconds.
min_retry_gap (int): Optional minimum gap (sec) between two dns-udp packets for auth to pass; the unit is specified by min-retry-gap-interval.
min_retry_gap_interval (str): '100ms' = 100ms; '1sec' = 1sec.
with_udp_auth (bool): Monitor client retry.
force_tcp_timeout (int): TCP authentication timeout in seconds.
force_tcp_min_retry_gap (int): Minimum gap (sec) between two dns-udp packets for auth to pass.
force_tcp_ignore_client_source_port (bool): Allow the client to retransmit a DNS request using a different source port during udp-auth (supported in asymmetric mode only).
multi_pu_threshold_distribution (dict): Field multi_pu_threshold_distribution.
multi_pu_threshold_distribution_value (int): Destination side rate limit only. Default = 0.
multi_pu_threshold_distribution_disable (str): 'disable' = Destination side rate limit only. Default = Enable.
fqdn_cfg (list): Field fqdn_cfg.
dns_fqdn_rate_limit (bool): DNS rate limiting on the basis of FQDN.
dns_fqdn_rate (int): Limiting rate (Range = 5-8000 for FQDN domain-based rate limiting, 5-16000000 for FQDN label-count-based rate limiting).
per (str): 'domain-name' = Domain name; 'src-ip' = Source IP address; 'label-count' = FQDN label count.
per_domain_per_src_ip (bool): Use both domain name and source IP address for rate-limiting.
fqdn_rate_suffix (int): Suffix count.
fqdn_rate_label_count (int): FQDN label count (Range = 1-8).
by (str): 'domain-name' = Domain name; 'src-ip' = Source IP address; 'both' = Use both domain name and source IP address for rate-limiting.
fqdn_rate_suffix_by (int): Number of suffixes.
fqdn_label_len_cfg (list): Field fqdn_label_len_cfg.
fqdn_label_length (bool): Maximum FQDN label length.
label_length (int): Maximum length of an FQDN label.
fqdn_label_suffix (int): Number of suffixes.
fqdn_label_count (int): Maximum number of FQDN labels.
nxdomain_cfg (dict): Field nxdomain_cfg.
dns_nxdomain_rate_limit (bool): DNS NXDOMAIN rate limiting (SRC support only).
dns_nxdomain_rate (int): Limiting rate.
dns_nxdomain_rate_limit_action (str): 'drop' = Drop queries if the rate is exceeded; 'black-list' = Black-list the source if the rate is exceeded.
symtimeout_cfg (dict): Field symtimeout_cfg.
sym_timeout (bool): Timeout for DNS symmetric session.
sym_timeout_value (int): Session timeout value in seconds.
dns_request_rate_limit (dict): Field dns_request_rate_limit.
ntype (dict): Field type.
domain_group_name (str): Apply a domain-group to the DNS template.
on_no_match (str): 'permit' = permit; 'deny' = deny (default).
domain_group_rate_exceed_action (str): 'drop' = Drop the query (default); 'tunnel-encap-packet' = Encapsulate the query and send it on a tunnel.
encap_template (str): DDOS encap template to specify the tunnel endpoint.
domain_group_rate_per_service (bool): Enable per-service domain rate checking.
query_rate_threshold_for_cache_serving (int): This is for DNS cache mode only; it sets a DNS query rate threshold such that queries under the rate threshold would be forward
allow_query_class (dict): Field allow_query_class.
allow_internet_query_class (bool): INTERNET query class.
allow_csnet_query_class (bool): CSNET query class.
allow_chaos_query_class (bool): CHAOS query class.
allow_hesiod_query_class (bool): HESIOD query class.
allow_none_query_class (bool): NONE query class.
allow_any_query_class (bool): ANY query class.
allow_record_type (dict): Field allow_record_type.
allow_a_type (bool): Address record.
allow_aaaa_type (bool): IPv6 address record.
allow_cname_type (bool): Canonical name record.
allow_mx_type (bool): Mail exchange record.
allow_ns_type (bool): Name server record.
allow_srv_type (bool): Service locator.
record_num_cfg (list): Field record_num_cfg.
uuid (str): uuid of the object.
user_tag (str): Customized tag.
malformed_query_check (dict): Field malformed_query_check.
validation_type (str): 'basic-header-check' = Basic header validation for DNS TCP/UDP queries; 'extended-header-check' = Extended header/query validation for DNS TCP/UDP queries; 'disable' = Disable malformed query validation for DNS TCP/UDP.
non_query_opcode_check (str): 'disable' = When the malformed check is enabled, TPS always drops DNS queries with a non-query opcode; this option disables that opcode check.
skip_multi_packet_check (bool): Bypass DNS fragmented and TCP segmented queries (Default = dropped).
uuid (str): uuid of the object.

Examples
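The page's Examples section is empty, so the playbook below is an added, constructed example; it is not from the A10 collection's own documentation. It assumes the parameter nesting implied by the table above (that dns_auth, dns_auth_type and force_tcp_timeout are suboptions of dns_auth_cfg, and likewise for nxdomain_cfg and malformed_query_check), and the inventory group, credential variables and template name are placeholders. It creates one DNS DDoS template that drops ANY queries, forces suspicious clients to retry over TCP, rate-limits NXDOMAIN responses per source, and enables extended header validation, then registers the result so the AXAPI calls can be reviewed.

```yaml
# Added example playbook (constructed, not part of the module documentation).
# Assumes an inventory group "a10_tps" whose hosts carry a10_user / a10_password
# variables, and that the module is reachable as a10_ddos_template_dns.
- name: Harden DNS protection on an A10 TPS with a DDoS DNS template
  hosts: a10_tps
  connection: local
  gather_facts: false
  tasks:
    - name: Create or update DNS template "auth-dns-baseline" (placeholder name)
      a10_ddos_template_dns:
        ansible_host: "{{ inventory_hostname }}"
        ansible_username: "{{ a10_user }}"
        ansible_password: "{{ a10_password }}"
        ansible_port: 443
        state: present
        name: auth-dns-baseline
        action: drop                      # default action for violating packets
        dns_any_check: true               # drop type ANY queries (amplification vector)
        dns_auth_cfg:                     # assumed suboptions of dns_auth_cfg
          dns_auth: true
          dns_auth_type: force-tcp        # real resolvers retry over TCP, spoofed sources do not
          force_tcp_timeout: 10           # TCP authentication timeout in seconds
        nxdomain_cfg:                     # assumed suboptions of nxdomain_cfg
          dns_nxdomain_rate_limit: true
          dns_nxdomain_rate: 100          # limiting rate (per source)
          dns_nxdomain_rate_limit_action: drop
        malformed_query_check:            # assumed suboptions of malformed_query_check
          validation_type: extended-header-check
      register: dns_tpl

    - name: Record the AXAPI calls made, for change review
      debug:
        var: dns_tpl.axapi_calls
```

Run it once with `--check` first: modified_values then reports the changes the task would make without applying them, which is the safest way to confirm a template edit before it affects live DNS traffic.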


Return Values

Each entry is listed as: value (returned: when, type: type; sample: values): description.

modified_values (returned: changed, type: dict): Values modified (or potential changes if using check_mode) as a result of the task operation.
axapi_calls (returned: always, type: list): Sequential list of AXAPI calls made by the task.
endpoint (type: str; sample: '/axapi/v3/slb/virtual_server', '/axapi/v3/file/ssl-cert'): The AXAPI endpoint being accessed.
http_method (type: str; sample: 'POST', 'GET'): HTTP method used by the primary task to interact with the AXAPI endpoint.
request_body (type: complex): Params used to query the AXAPI.
response_body (type: complex): Response from the AXAPI.

Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]

  • This module is maintained by the community.

Authors

  • A10 Networks