Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide
37-12
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 37 Configuring Inspection of Basic Internet Protocols
DNS Inspection
• Protocol Conformance—Tab that lets you configure the protocol conformance settings for DNS.
  – Enable DNS guard function—Performs a DNS query and response mismatch check using the identification field in the DNS header. One response per query is allowed to go through the security appliance.
  – Enable NAT re-write function—Enables IP address translation in the A record of the DNS response.
  – Enable protocol enforcement—Enables the DNS message format check, including domain name, label length, compression, and looped pointer checks.
  – Randomize the DNS identifier for DNS query—Randomizes the DNS identifier in the DNS query message.
  – Enforce TSIG resource record to be present in DNS message—Requires that a TSIG resource record be present in DNS transactions. Actions taken when TSIG is enforced:
    Drop packet—Drops the packet (logging can be either enabled or disabled).
    Log—Enables logging.
• Filtering—Tab that lets you configure the filtering settings for DNS.
  – Global Settings—Applies settings globally.
    Drop packets that exceed specified maximum length (global)—Drops packets that exceed the maximum length in bytes.
    Maximum Packet Length—Enter the maximum packet length in bytes.
  – Server Settings—Applies settings on the server only.
    Drop packets that exceed specified maximum length—Drops packets that exceed the maximum length in bytes.
    Maximum Packet Length—Enter the maximum packet length in bytes.
    Drop packets sent to server that exceed length indicated by the RR—Drops packets sent to the server that exceed the length indicated by the Resource Record.
  – Client Settings—Applies settings on the client only.
    Drop packets that exceed specified maximum length—Drops packets that exceed the maximum length in bytes.
    Maximum Packet Length—Enter the maximum packet length in bytes.
    Drop packets sent to client that exceed length indicated by the RR—Drops packets sent to the client that exceed the length indicated by the Resource Record.
• Mismatch Rate—Tab that lets you configure the ID mismatch rate for DNS.
  – Enable Logging when DNS ID mismatch rate exceeds specified rate—Reports excessive instances of DNS identifier mismatches.
    Mismatch Instance Threshold—Enter the maximum number of mismatch instances before a system message log is sent.
    Time Interval—Enter the time period to monitor (in seconds).
• Inspections—Tab that shows the DNS inspection configuration and lets you add or edit entries.
  – Match Type—Shows the match type, which can be a positive or negative match.
  – Criterion—Shows the criterion of the DNS inspection.
  – Value—Shows the value to match in the DNS inspection.
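The following is an added example, not code from the Cisco guide or from the ASA itself: a small Python DNS inspector that shows what the Protocol Conformance (DNS guard, protocol enforcement), Filtering (maximum packet length) and Mismatch Rate (threshold over a time interval) settings above actually check on a packet. NAT rewrite, ID randomization and TSIG enforcement are not modeled. The packets fed through it are constructed inline for the demo, and the thresholds, names and addresses are assumptions chosen for illustration.

```python
"""Added example (not from the Cisco guide): a toy DNS inspector mirroring the
ASDM DNS inspection options. All packets below are constructed for the demo."""
import struct
from collections import deque

MAX_LABEL = 63   # RFC 1035 label limit (larger values collide with the type bits)
MAX_NAME = 255   # RFC 1035 total name limit


def parse_name(msg, offset):
    """Decode a (possibly compressed) name at offset; return (name, next_offset).
    Raises ValueError for the format errors 'protocol enforcement' covers:
    bad label length, oversized name, truncation and looped pointers."""
    labels, total, visited, end = [], 0, set(), None
    while True:
        if offset in visited:
            raise ValueError("looped compression pointer")
        visited.add(offset)
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            if end is None:                       # name ends after the first pointer
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length > MAX_LABEL:
            raise ValueError("label exceeds 63 octets")
        if length == 0:
            break
        total += length + 1
        if total > MAX_NAME:
            raise ValueError("name exceeds 255 octets")
        if offset + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset + 1:offset + 1 + length].decode("latin-1"))
        offset += 1 + length
    return ".".join(labels) or ".", (offset + 1 if end is None else end)


def parse_message(msg):
    """Parse the header and walk every name in the message so a malformed
    name in any section is caught. Returns id, response flag, question names."""
    if len(msg) < 12:
        raise ValueError("message shorter than DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, qnames = 12, []
    for _ in range(qd):
        name, off = parse_name(msg, off)
        if off + 4 > len(msg):
            raise ValueError("truncated question")
        off += 4                                  # QTYPE + QCLASS
        qnames.append(name)
    for _ in range(an + ns + ar):
        _, off = parse_name(msg, off)
        if off + 10 > len(msg):
            raise ValueError("truncated resource record")
        off += 10 + struct.unpack("!H", msg[off + 8:off + 10])[0]   # fixed RR fields + RDATA
        if off > len(msg):
            raise ValueError("RDATA runs past end of message")
    return {"id": ident, "is_response": bool(flags & 0x8000), "qnames": qnames}


class DnsInspector:
    def __init__(self, max_length=512, mismatch_threshold=30, interval=300.0):
        self.max_length, self.mismatch_threshold, self.interval = max_length, mismatch_threshold, interval
        self.pending = {}            # DNS ID -> question names of an outstanding query
        self.mismatches = deque()    # timestamps of recent ID mismatches
        self.alerts = []             # "syslog" lines for rate-exceeded events

    def inspect(self, msg, now):
        """Return (verdict, reason); verdict is 'forward' or 'drop'."""
        if len(msg) > self.max_length:                       # Filtering: maximum length
            return "drop", "exceeds maximum packet length"
        try:
            hdr = parse_message(msg)                         # protocol enforcement
        except ValueError as err:
            return "drop", f"protocol enforcement: {err}"
        if not hdr["is_response"]:
            self.pending[hdr["id"]] = hdr["qnames"]
            return "forward", "query"
        if hdr["id"] not in self.pending:                    # DNS guard: ID must match a query
            self._record_mismatch(now)
            return "drop", "dns guard: no outstanding query with this ID"
        del self.pending[hdr["id"]]                          # one response per query
        return "forward", "response"

    def _record_mismatch(self, now):
        """Mismatch Rate: report when mismatches within the interval reach the threshold."""
        self.mismatches.append(now)
        while self.mismatches and now - self.mismatches[0] > self.interval:
            self.mismatches.popleft()
        if len(self.mismatches) >= self.mismatch_threshold:
            self.alerts.append(f"DNS ID mismatch rate exceeded: {len(self.mismatches)} in {self.interval}s")
            self.mismatches.clear()


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("latin-1") for l in name.strip(".").split(".")) + b"\x00"


def build_query(ident, qname):
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)


def build_response(ident, qname, addr):
    head = struct.pack("!6H", ident, 0x8180, 1, 1, 0, 0) + encode_name(qname) + struct.pack("!HH", 1, 1)
    # answer name is a compression pointer back to the question name at offset 12
    return head + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(o) for o in addr.split("."))


def run_demo():
    """Feed constructed packets through the inspector; return (verdicts, alerts)."""
    insp = DnsInspector(max_length=512, mismatch_threshold=2, interval=60.0)
    looped = struct.pack("!6H", 0x2222, 0x0100, 1, 0, 0, 0) + b"\xc0\x0c" + struct.pack("!HH", 1, 1)
    packets = [
        (build_query(0x1234, "example.com"), 0.0),                      # forwarded query
        (build_response(0x1234, "example.com", "192.0.2.10"), 0.1),     # matching response
        (build_response(0x1234, "example.com", "192.0.2.11"), 0.2),     # second response, same ID
        (looped, 0.3),                                                  # name pointer to itself
        (build_query(0x3333, "a" * 64 + ".com"), 0.4),                 # 64-octet label
        (build_query(0x4444, ".".join(["x" * 60] * 5)), 0.5),           # 305-octet name
        (b"\x00" * 600, 0.6),                                           # over the length limit
        (build_response(0x5555, "example.net", "192.0.2.12"), 1.0),     # unsolicited response
    ]
    return [insp.inspect(p, t) for p, t in packets], insp.alerts


if __name__ == "__main__":
    for verdict, alerts in [run_demo()]:
        print(*verdict, *alerts, sep="\n")
```

The DNS guard state is deliberately keyed only on the 16-bit ID, which is why the appliance also offers ID randomization: a predictable ID makes the "matching response" check easy to satisfy, and the mismatch-rate counter exists to surface bursts of responses that fail it.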
