Cisco ASA Series CLI Configuration Manual page 1114

Software version 9.0 for the services module

DNS Inspection
Examples
The following example shows how to define a DNS inspection policy map.
regex domain_example "example\.com"
regex domain_foo "foo\.com"

! define the domain names that the server serves
class-map type inspect regex match-any my_domains
 match regex domain_example
 match regex domain_foo

! Define a DNS map for query only
class-map type inspect dns match-all pub_server_map
 match not header-flag QR
 match question
 match not domain-name regex class my_domains

policy-map type inspect dns new_dns_map
 class pub_server_map
  drop log
 match header-flag RD
  mask log
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite

Configuring DNS Inspection
The default ASA configuration includes many default inspections on default ports applied globally on
all interfaces. A common method for customizing the inspection configuration is to customize the
default global policy. The steps in this section show how to edit the default global policy, but you can
alternatively create a new service policy as desired, for example, an interface-specific policy.

Detailed Steps

Step 1
Command: class-map name
Example:
hostname(config)# class-map dns_class_map
Purpose: Creates a class map to identify the traffic for which you want to
apply the inspection.
In the default global policy, the inspection_default class map is a
special class map that includes default ports for all inspection
types (match default-inspection-traffic). If you are using this
class map in either the default policy or for a new service policy,
you can skip this step and the next step.

Step 2
Command: match parameter
Example:
hostname(config-cmap)# match access-list dns
Purpose: Specifies the traffic in the class map. See the "Identifying Traffic
(Layer 3/4 Class Maps)" section on page 1-12 for more information.

Cisco ASA Series CLI Configuration Guide, Chapter 1, Configuring Inspection of Basic Internet Protocols, page 1-8
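
The decision logic of the new_dns_map example above, as an added Python model that is not part of Cisco's guide: it builds constructed DNS messages and reports which action from the policy map would apply to each. The function names, the evaluation order, the unanchored regex search and the drop on over-length or truncated messages are assumptions of this model, not a description of ASA internals.

```python
import re
import struct

# Regexes copied from the page's example; applied as unanchored searches (assumption).
MY_DOMAINS = [re.compile(r"example\.com"), re.compile(r"foo\.com")]
QR, RD = 0x8000, 0x0100   # DNS header flag bits (RFC 1035)
MAX_LEN = 512             # mirrors "message-length maximum 512"

def build_query(name, rd=True, qr=False):
    """Constructed sample input: a one-question DNS message (type A, class IN)."""
    flags = (QR if qr else 0) | (RD if rd else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def first_question_name(msg):
    """Decode the first QNAME, which starts right after the 12-byte header."""
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def evaluate(msg):
    """Return the actions the modelled policy map applies to one DNS message."""
    if len(msg) < 12:
        return ["drop (malformed)"]            # model choice for truncated headers
    if len(msg) > MAX_LEN:
        return ["drop (message-length)"]       # assumed action for over-length messages
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    # class pub_server_map (match-all): a query, with a question, name not in my_domains
    if not flags & QR and qdcount > 0:
        name = first_question_name(msg)
        if not any(r.search(name) for r in MY_DOMAINS):
            return ["drop log"]
    # match header-flag RD -> mask log: the RD bit is cleared and the message continues
    return ["mask log RD"] if flags & RD else []

if __name__ == "__main__":
    for n in ("www.example.com", "mail.foo.com", "other.test"):
        print(n, evaluate(build_query(n)))
```
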
