Verifying And Monitoring Dns Inspection - Cisco FirePOWER ASA 5500 series Configuration Manual
Security appliance command line
Hide thumbs
Also See for FirePOWER ASA 5500 series:
- Datasheet (20 pages) ,
- Configuration manual (1140 pages)
Table of Contents
Advertisement
DNS Inspection
Verifying and Monitoring DNS Inspection
To view information about the current DNS connections, enter the following command:
hostname# show conn
For connections using a DNS server, the source port of the connection may be replaced by the IP address
of DNS server in the show conn command output.
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security
appliance within a limited period of time and there is no resource build-up. However, when you enter
the show conn command, you see the idle timer of a DNS connection being reset by a new DNS session.
This is due to the nature of the shared DNS connection and is by design.
To display the statistics for DNS application inspection, enter the show service-policy command. The
following is sample output from the show service-policy command:
hostname# show service-policy
Interface outside:
Service-policy: sample_policy
Configuring a DNS Inspection Policy Map for Additional Inspection Control
DNS application inspection supports DNS message controls that provide protection against DNS
spoofing and cache poisoning. User configurable rules allow filtering based on DNS header, domain
name, resource record type and class. Zone transfer can be restricted between servers with this function,
for example.
The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a
public server from attack if that server only supports a particular internal zone. In addition, DNS
randomization can be enabled avoid spoofing and cache poisoning of servers that either do not support
randomization, or utilize a weak pseudo random number generator. Limiting the domain names that can
be queried also restricts the domain names which can be queried, which protects the public server
further.
A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching
DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable
check to enforce a Transaction Signature be attached to all DNS messages is also supported.
To specify actions when a message violates a parameter, create a DNS inspection policy map. You can
then apply the inspection policy map when you enable DNS inspection according to the
Application Inspection" section on page
To create a DNS inspection policy map, perform the following steps:
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
Step 1
"Creating a Regular Expression" section on page
commands described in
Cisco Security Appliance Command Line Configuration Guide
25-20
Class-map: dns_port
Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
Step
3.
Chapter 25
Configuring Application Layer Protocol Inspection
25-5.
21-6. See the types of text you can match in the match
"Configuring
OL-10088-01
Advertisement
Table of Contents
Troubleshooting
