Cisco ASA 5505 Configuration Manual page 789

Chapter 37 Configuring Inspection of Basic Internet Protocols
DNS Inspection
Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, page 37-5

3. The adaptive security appliance receives the DNS reply and submits it to the DNS application inspection engine.

4. The DNS application inspection engine does the following:

a. Searches for any NAT rule to undo the translation of the embedded A-record address "[outside]:209.165.200.5". In this example, it finds the following static configuration:

static (dmz,outside) 209.165.200.225 192.168.100.10 dns

b. Uses the static rule to rewrite the A-record as follows because the dns option is included:

[outside]:209.165.200.225 --> [dmz]:192.168.100.10

Note: If the dns option were not included with the static command, DNS Rewrite would not be performed and other processing for the packet continues.

c. Searches for any NAT to translate the web server address, [dmz]:192.168.100.10, when communicating with the inside web client. No NAT rule is applicable, so application inspection completes.

If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns option were not specified, the A-record rewrite in step b would be reverted and other processing for the packet continues.

5. The adaptive security appliance sends the HTTP request to server.example.com on the DMZ interface.

Select DNS Inspect Map

The Select DNS Map dialog box is accessible as follows:

Add/Edit Service Policy Rule Wizard > Rule Actions > Protocol Inspection Tab > Select DNS Inspect Map

The Select DNS Map dialog box lets you select or create a new DNS map. A DNS map lets you change the configuration values used for DNS application inspection. The Select DNS Map table provides a list of previously configured maps that you can select for application inspection.

Fields

Use the default DNS inspection map—Specifies to use the default DNS map.

Select a DNS map for fine control over inspection—Lets you select a defined application inspection map or add a new one.

Enable Botnet traffic filter DNS snooping—Enables Botnet Traffic Filter snooping, which compares the domain name with those on the dynamic database or static database, and adds the name and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the Botnet Traffic Filter when connections are made to the suspicious address. We suggest that you enable DNS snooping only on interfaces where external DNS requests are going. Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates unnecessary load on the adaptive security appliance. For example, if the DNS server is on the outside interface, you should enable DNS inspection with snooping for all UDP DNS traffic on the outside interface.

Add—Opens the Add Policy Map dialog box for the inspection.
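The rewrite decision of steps 4a through 4c above, modelled as a Python example added here (it is not code from the Cisco guide or from the ASA): it parses a static command in the form shown on this page, undoes the translation of the embedded A-record address, and checks whether a second rule toward the client also carries the dns keyword. It handles only static rules in that syntax; the inside mapping 10.1.1.10 used in the checks and the result when both rules carry dns are constructed assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Parses only the form of the static command shown on this page:
#   static (real_ifc,mapped_ifc) mapped_ip real_ip [dns]
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"(?P<mapped_ip>[\d.]+) (?P<real_ip>[\d.]+)(?P<dns> dns)?$")

@dataclass(frozen=True)
class StaticNat:
    real_ifc: str
    mapped_ifc: str
    mapped_ip: str
    real_ip: str
    dns: bool        # True when the dns keyword is present

def parse_static(line: str) -> StaticNat:
    m = STATIC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported static syntax: {line!r}")
    return StaticNat(m["real_ifc"], m["mapped_ifc"], m["mapped_ip"],
                     m["real_ip"], m["dns"] is not None)

def rewrite_a_record(statics: List[StaticNat], reply_ifc: str,
                     client_ifc: str, a_record_ip: str) -> Tuple[str, str]:
    """Model of steps 4a-4c: (address the client will see, reason)."""
    # 4a: a static whose mapped address on the interface the reply arrived
    # from equals the address embedded in the A-record
    undo = next((s for s in statics if s.mapped_ifc == reply_ifc
                 and s.mapped_ip == a_record_ip), None)
    if undo is None:
        return a_record_ip, "no static matches; A-record unchanged"
    if not undo.dns:  # Note above: without the dns keyword, no DNS Rewrite
        return a_record_ip, "static lacks dns keyword; rewrite not performed"
    real_ip = undo.real_ip  # 4b: untranslate to the real (DMZ) address
    # 4c: any static translating the server's real address toward the client
    fwd = next((s for s in statics if s.real_ifc == undo.real_ifc
                and s.mapped_ifc == client_ifc and s.real_ip == real_ip), None)
    if fwd is None:
        return real_ip, "rewritten; no NAT toward client, inspection completes"
    if not fwd.dns:  # applicable rule without dns: the step b rewrite is reverted
        return a_record_ip, "NAT toward client lacks dns keyword; rewrite reverted"
    # Assumption, not stated on this page: with dns on both rules the client
    # sees the address mapped for its own interface
    return fwd.mapped_ip, "rewritten to the address mapped toward the client"
```

For the page's own example, rewrite_a_record([parse_static("static (dmz,outside) 209.165.200.225 192.168.100.10 dns")], "outside", "inside", "209.165.200.225") returns the DMZ address 192.168.100.10.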
