Cisco ASA 5505 Configuration Manual page 796


DNS Inspection
Protocol Conformance—Tab that lets you configure the protocol conformance settings for DNS.
Filtering—Tab that lets you configure the filtering settings for DNS.
Mismatch Rate—Tab that lets you configure the ID mismatch rate for DNS.
Inspections—Tab that shows you the DNS inspection configuration and lets you add or edit.
Cisco ASA 5500 Series Configuration Guide using ASDM
37-12
Enable DNS guard function—Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
Enable NAT re-write function—Enables IP address translation in the A record of the DNS response.
Enable protocol enforcement—Enables DNS message format check, including domain name, label length, compression, and looped pointer check.
Randomize the DNS identifier for DNS query—Randomizes the DNS identifier in the DNS query message.
Enforce TSIG resource record to be present in DNS message—Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
    Drop packet—Drops the packet (logging can be either enabled or disabled).
    Log—Enables logging.
Global Settings—Applies settings globally.
    Drop packets that exceed specified maximum length (global)—Drops packets that exceed maximum length in bytes.
        Maximum Packet Length—Enter maximum packet length in bytes.
Server Settings—Applies settings on the server only.
    Drop packets that exceed specified maximum length—Drops packets that exceed maximum length in bytes.
        Maximum Packet Length—Enter maximum packet length in bytes.
    Drop packets sent to server that exceed length indicated by the RR—Drops packets sent to the server that exceed the length indicated by the Resource Record.
Client Settings—Applies settings on the client only.
    Drop packets that exceed specified maximum length—Drops packets that exceed maximum length in bytes.
        Maximum Packet Length—Enter maximum packet length in bytes.
    Drop packets sent to client that exceed length indicated by the RR—Drops packets sent to the client that exceed the length indicated by the Resource Record.
Enable Logging when DNS ID mismatch rate exceeds specified rate—Reports excessive instances of DNS identifier mismatches.
    Mismatch Instance Threshold—Enter the maximum number of mismatch instances before a system message log is sent.
    Time Interval—Enter the time period to monitor (in seconds).
Match Type—Shows the match type, which can be a positive or negative match.
Criterion—Shows the criterion of the DNS inspection.
Value—Shows the value to match in the DNS inspection.
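To make the DNS guard, mismatch-rate and maximum-length behaviour above concrete, the following is an added toy model written for this page (not Cisco's implementation, and the 512-byte, 3-mismatch and 10-second defaults are assumed): it admits exactly one response per outstanding query ID, drops the rest, logs when mismatches exceed the threshold inside the time window, and drops oversized messages.

```python
import struct
from collections import deque

def dns_message(txid, response, payload=b""):
    """Constructed minimal DNS message: 12-byte header plus opaque payload."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 1, int(response), 0, 0) + payload

class DnsInspector:
    """Toy model of DNS guard, ID-mismatch rate logging and the global
    maximum message length. Assumed defaults; not the ASA implementation."""
    def __init__(self, max_len=512, mismatch_count=3, window=10.0):
        self.max_len = max_len
        self.mismatch_count = mismatch_count
        self.window = window
        self.pending = set()       # query IDs still awaiting their one response
        self.mismatches = deque()  # timestamps of recent ID mismatches
        self.syslog = []

    def inspect(self, pkt, now):
        """Return 'pass' or 'drop:<reason>' for one packet seen at time now."""
        if len(pkt) > self.max_len:
            return "drop:max-length"
        if len(pkt) < 12:
            return "drop:short-header"
        txid, flags = struct.unpack("!HH", pkt[:4])
        if not flags & 0x8000:             # QR bit clear: a query
            self.pending.add(txid)
            return "pass"
        if txid in self.pending:           # matching response: allow exactly one
            self.pending.discard(txid)
            return "pass"
        # Unsolicited or duplicate response: DNS guard drops it; count it in the window.
        self.mismatches.append(now)
        while now - self.mismatches[0] > self.window:
            self.mismatches.popleft()
        if len(self.mismatches) >= self.mismatch_count:
            self.syslog.append("DNS ID mismatch rate exceeded: %d in %gs" % (len(self.mismatches), self.window))
            self.mismatches.clear()
        return "drop:id-mismatch"

def demo():
    """Constructed traffic: one valid exchange, unsolicited replies, an oversized query."""
    insp = DnsInspector()
    pkts = [dns_message(0x1234, False), dns_message(0x1234, True),
            dns_message(0x1234, True), dns_message(0x9999, True),
            dns_message(0x9998, True), dns_message(1, False, b"x" * 600)]
    verdicts = [insp.inspect(p, now=0.1 * i) for i, p in enumerate(pkts)]
    return verdicts, insp.syslog
```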
Chapter 37
Configuring Inspection of Basic Internet Protocols
OL-20339-01
