Chapter 3
Configuring Application Protocol Inspection
Configuring a DNS Query Timeout
OL-16202-01
The name argument is the identifier assigned to the parameter map. Enter an unquoted text string with no spaces and a maximum of 32 alphanumeric characters.

For example, to create a parameter map called DNS_PARAMMAP, enter the following command:

host1/Admin(config)# parameter-map type dns DNS_PARAMMAP
host1/Admin(config-parammap-dns)#

To remove a DNS parameter map from the configuration, enter the following command:

host1/Admin(config)# no parameter-map type dns DNS_PARAMMAP

This section contains the following subsections:
• Configuring a DNS Query Timeout
• Associating a DNS Parameter Map with a Layer 3 and Layer 4 Policy Map
Configuring a DNS Query Timeout

When you enable DNS inspection using the inspect dns command as a Layer 4 policy-map action (see the "Defining Layer 3 and Layer 4 Application Protocol Inspection Policy Actions" section), the ACE stores DNS queries that it receives from clients in a hash table. When it receives a response from the DNS server, the ACE forwards the server response to the client if it finds a matching query in the table and then deletes the entry in the table. Queries for which the ACE does not receive a response remain in the table until they time out. The ACE may not receive an answer for a DNS query because the server is down, the query was spoofed, and so on.

If the underlying UDP connection times out, the ACE removes all DNS query hash entries using that UDP connection in 2 seconds. You can configure the UDP inactivity timeout using a connection parameter map. For details, see Chapter 4, Configuring TCP/IP Normalization and IP Reassembly Parameters.

Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
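The query-tracking behaviour described above, as an added example that is not part of this guide or of the ACE software: a Python model of the hash table that stores client queries, matches server responses against them, ages out unanswered queries, and flushes every entry on a UDP connection 2 seconds after that connection times out. The table key layout (UDP connection plus DNS transaction ID), the per-query timeout value and the addresses are assumptions of this model; only the 2-second connection flush comes from the text. It makes explicit the consequence the paragraph implies but does not spell out: a response for which no query is pending, whether late, unsolicited or spoofed, is never forwarded to the client.

```python
# Added example: a simulation of the DNS query tracking table described in the
# text above. It is not ACE code; the key layout, the per-query timeout value
# and the flush bookkeeping are assumptions of this model.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# A UDP connection as the inspector sees it:
# (client ip, client port, server ip, server port).
Conn = Tuple[str, int, str, int]
# Table key: the connection plus the 16-bit DNS transaction ID (assumed layout).
QueryKey = Tuple[str, int, str, int, int]


@dataclass
class PendingQuery:
    seen_at: float  # time in seconds when the query was stored


@dataclass
class DnsQueryTable:
    query_timeout: float            # assumed per-query lifetime in seconds
    conn_flush_delay: float = 2.0   # entries on a timed-out UDP connection go within 2 s
    table: Dict[QueryKey, PendingQuery] = field(default_factory=dict)
    flush_at: Dict[Conn, float] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)

    def query(self, conn: Conn, dns_id: int, now: float) -> None:
        """A client query was seen: remember it until a response or a timeout."""
        self._expire(now)
        self.table[conn + (dns_id,)] = PendingQuery(seen_at=now)

    def response(self, conn: Conn, dns_id: int, now: float) -> bool:
        """A server response was seen. Forward it (True) only when a matching
        query is pending, deleting that entry. Unmatched responses (late,
        unsolicited or spoofed) are dropped (False)."""
        self._expire(now)
        key = conn + (dns_id,)
        if key in self.table:
            del self.table[key]
            return True
        self.dropped.append(f"unmatched response id={dns_id:#06x} on {conn}")
        return False

    def connection_timed_out(self, conn: Conn, now: float) -> None:
        """The UDP connection hit its inactivity timeout: schedule removal of
        every query hash entry that used it (within conn_flush_delay)."""
        self.flush_at[conn] = now + self.conn_flush_delay

    def pending(self, now: float) -> int:
        """Number of queries still waiting for a response at time `now`."""
        self._expire(now)
        return len(self.table)

    def _expire(self, now: float) -> None:
        # 1. queries that never got an answer age out on their own timeout
        for key, q in list(self.table.items()):
            if now - q.seen_at >= self.query_timeout:
                del self.table[key]
        # 2. connections whose flush deadline has passed lose all their entries
        for conn, deadline in list(self.flush_at.items()):
            if now >= deadline:
                for key in [k for k in self.table if k[:4] == conn]:
                    del self.table[key]
                del self.flush_at[conn]


def demo() -> dict:
    """Walk through the cases described in the text with constructed traffic."""
    c1: Conn = ("10.0.0.5", 53001, "192.0.2.53", 53)   # constructed addresses
    c2: Conn = ("10.0.0.6", 53002, "192.0.2.53", 53)
    t = DnsQueryTable(query_timeout=30.0)              # 30 s is an assumed value

    t.query(c1, 0x1234, now=0.0)
    matched = t.response(c1, 0x1234, now=0.1)          # normal exchange: forwarded
    spoofed = t.response(c1, 0x9999, now=1.0)          # no query pending: dropped
    t.query(c1, 0x0042, now=2.0)
    late = t.response(c1, 0x0042, now=33.0)            # 31 s later: aged out, dropped
    t.query(c2, 0x0007, now=40.0)
    t.connection_timed_out(c2, now=41.0)
    still_pending = t.pending(now=42.0)                # flush not yet due: 1 entry
    after_flush = t.response(c2, 0x0007, now=43.0)     # connection entries gone
    return {
        "matched": matched,
        "spoofed": spoofed,
        "late": late,
        "pending_before_flush": still_pending,
        "after_flush": after_flush,
        "dropped": len(t.dropped),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome of each case; the third case shows why the query timeout matters operationally: once an unanswered query ages out, even a genuine late answer is discarded, so the timeout has to be longer than the slowest legitimate resolver round trip you expect to see.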