
Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

37-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 37 Configuring Inspection of Basic Internet Protocols
DNS Inspection
• Add/Edit DNS Traffic Class Map, page 37-6
• Add/Edit DNS Match Criterion, page 37-7
• DNS Inspect Map, page 37-8
• Add/Edit DNS Policy Map (Security Level), page 37-10
• Add/Edit DNS Policy Map (Details), page 37-11
How DNS Application Inspection Works

The adaptive security appliance tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the adaptive security appliance. The adaptive security appliance also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

When DNS inspection is enabled, which is the default, the adaptive security appliance performs the following additional tasks:

• Translates the DNS record based on the configuration completed using the alias, static and nat commands (DNS Rewrite). Translation only applies to the A-record in the DNS reply; therefore, DNS Rewrite does not affect reverse lookups, which request the PTR record.

  Note: DNS Rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record and the PAT rule to use is ambiguous.

• Enforces the maximum DNS message length (the default is 512 bytes and the maximum length is 65535 bytes). The adaptive security appliance performs reassembly as needed to verify that the packet length is less than the maximum length configured. The adaptive security appliance drops the packet if it exceeds the maximum length.

  Note: If you enter the inspect dns command without the maximum-length option, DNS packet size is not checked.

• Enforces a domain-name length of 255 bytes and a label length of 63 bytes.

• Verifies the integrity of the domain-name referred to by the pointer if compression pointers are encountered in the DNS message.

• Checks to see if a compression pointer loop exists.
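As an added example, not code from Cisco or from this guide, the following Python applies the checks listed above (reply ID matching the query ID, maximum message length, the 255-byte name and 63-byte label limits, and compression-pointer validity and loop detection) to a constructed query/reply pair; read_name, check_reply and the sample messages are assumptions of this example, not part of the ASA.

```python
import struct

MAX_MSG_LEN, MAX_NAME_LEN, MAX_LABEL_LEN = 512, 255, 63   # ASA default / enforced limits

def read_name(msg, offset):
    # Decode a name, enforcing label/name limits and rejecting bad pointers; returns (name, next offset).
    labels, total, seen, end = [], 0, set(), None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if (length & 0xC0) == 0xC0:             # 2-byte compression pointer
            end = offset + 2 if end is None else end
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= len(msg) or target in seen:
                raise ValueError("compression pointer loop or out of range")
            seen.add(target)
            offset = target                     # follow the pointer
            continue
        if length > MAX_LABEL_LEN or total + length + 1 > MAX_NAME_LEN:
            raise ValueError("label or domain-name length limit exceeded")
        total += length + 1                     # length octet plus label bytes
        if length == 0:                         # root label ends the name
            return ".".join(labels), end if end is not None else offset + 1
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def check_reply(query, reply, max_len=MAX_MSG_LEN):
    # Inspect a query/reply pair: return the question names, or raise ValueError on a violation.
    if len(reply) > max_len:
        raise ValueError("reply exceeds maximum DNS message length")
    if query[:2] != reply[:2]:
        raise ValueError("reply ID does not match query ID")
    qdcount, ancount = struct.unpack("!HH", reply[4:8])
    offset, names = 12, []
    for _ in range(qdcount):
        name, offset = read_name(reply, offset)
        names.append(name)
        offset += 4                             # skip QTYPE and QCLASS
    for _ in range(ancount):
        _, offset = read_name(reply, offset)    # owner name, usually a pointer
        rdlen = struct.unpack("!H", reply[offset + 8:offset + 10])[0]
        offset += 10 + rdlen                    # TYPE, CLASS, TTL, RDLENGTH, RDATA
    return names

# Constructed sample messages (not captured traffic): ID 0x1234, "example.com A?"
QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
REPLY = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"
         b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01")  # A 192.0.2.1
LOOPED = b"\x12\x34\x81\x80\x00\x01\x00\x00\x00\x00\x00\x00\xc0\x0c\x00\x01\x00\x01"  # name points at itself
```

A reply rejected by check_reply corresponds to a packet the appliance would drop; REPLY uses a pointer back to the question name, while LOOPED carries a pointer that refers to itself.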
A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the adaptive security appliance within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
