Configure the DNS Inspection Service Policy - Cisco ASA Series Configuration Manual

Firewall CLI, ASA Services Module, and the Adaptive Security Virtual Appliance
DNS Inspection

Example

The following example shows how to define a DNS inspection policy map. Queries that are not for one of the server's own domains are dropped and logged; the RD (recursion desired) flag is masked out of anything that passes, and the parameters block enforces message-length limits, DNS Guard, protocol enforcement and NAT rewrite.

    regex domain_example "example\.com"
    regex domain_foo "foo\.com"
    ! define the domain names that the server serves
    class-map type inspect regex match-any my_domains
        match regex domain_example
        match regex domain_foo
    ! Define a DNS map for query only
    class-map type inspect dns match-all pub_server_map
        match not header-flag QR
        match question
        match not domain-name regex class my_domains
    policy-map type inspect dns new_dns_map
        class pub_server_map
            drop log
        match header-flag RD
            mask log
        parameters
            message-length maximum client auto
            message-length maximum 512
            dns-guard
            protocol-enforcement
            nat-rewrite

Configure the DNS Inspection Service Policy

The default ASA configuration includes DNS inspection on the default port applied globally on all
interfaces. A common method for customizing the inspection configuration is to customize the default
global policy. You can alternatively create a new service policy as desired, for example, an
interface-specific policy.

Procedure

Step 1

If necessary, create an L3/L4 class map to identify the traffic for which you want to apply the inspection.

    class-map name
    match parameter

Example:

    hostname(config)# class-map dns_class_map
    hostname(config-cmap)# match access-list dns

In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (match default-inspection-traffic). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.

For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 11-13.

Step 2

Add or edit a policy map that sets the actions to take with the class map traffic.

Cisco ASA Series Firewall CLI Configuration Guide, Chapter 13 Inspection of Basic Internet Protocols, page 13-6
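The policy map in the DNS inspection example above expresses its decision as match criteria. The following is an added Python model (written for this page, not Cisco's code or the ASA's own inspection engine) that applies the same criteria to a raw DNS message, so a defender can check which messages new_dns_map would drop, mask or pass before deploying it. It assumes uncompressed question names, examines only the first question, and does not model the EDNS-based "client auto" length limit; the sample queries are constructed.

```python
import re
import struct

# The regex class my_domains from the page: domains the public server serves.
MY_DOMAINS = [re.compile(r"example\.com"), re.compile(r"foo\.com")]
MAX_MESSAGE_LENGTH = 512  # "message-length maximum 512" in the parameters block

def parse_question_name(msg, offset=12):
    """Decode the first QNAME as dotted labels (assumes no compression pointers)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def evaluate_dns_policy(msg):
    """Model of the page's new_dns_map: return 'drop', 'mask' or 'pass'.

    Simplifying assumptions: only the first question is examined and the
    EDNS-based 'client auto' length limit is not modelled."""
    if len(msg) < 12 or len(msg) > MAX_MESSAGE_LENGTH:
        return "drop"  # protocol-enforcement / message-length maximum 512
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    qr_set = bool(flags & 0x8000)  # QR: 0 = query, 1 = response
    rd_set = bool(flags & 0x0100)  # RD: recursion desired
    # class pub_server_map (match-all): not QR, has a question, and the
    # question name is NOT one of my_domains -> drop log
    if not qr_set and qdcount > 0:
        qname, _ = parse_question_name(msg)
        if not any(pattern.search(qname) for pattern in MY_DOMAINS):
            return "drop"
    # match header-flag RD -> mask log (flag bit cleared, message forwarded)
    if rd_set:
        return "mask"
    return "pass"

def build_query(name, rd=True):
    """Constructed sample input: a minimal DNS A/IN query for `name`."""
    header = struct.pack("!6H", 0x1234, 0x0100 if rd else 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

if __name__ == "__main__":
    for name in ("www.example.com", "www.attacker.test"):
        print(name, "->", evaluate_dns_policy(build_query(name)))
```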
