FireSIGHT System User Guide
 
Chapter 25 Using Application Layer Preprocessors
Detecting Exploits in DNS Name Server Responses
A DNS response consists of a message header, a Question section that contains one or more 
requests, and three sections that respond to the requests in the Question section (Answer, Authority, and 
Additional Information). The responses in these three sections reflect the information in the resource records 
(RR) maintained on the name server. Table 25-2 describes these three sections.
There are many types of resource records, all adhering to the following structure:
Theoretically, any type of resource record can be used in the Answer, Authority, or Additional 
Information section of a name server response message. The DNS preprocessor inspects any resource 
record in each of the three response sections for the exploits it detects.
The Type and RData resource record fields are of particular importance to the DNS preprocessor. The 
Type field identifies the type of resource record. The RData (resource data) field carries the response 
content. The size and content of the RData field differ depending on the type of resource record.
DNS messages typically use the UDP transport protocol, but they also use TCP when the message type 
requires reliable delivery or the message size exceeds what UDP can carry. The DNS preprocessor inspects 
DNS server responses in both UDP and TCP traffic. TCP stream preprocessing must be enabled before you can enable 
the DNS preprocessor. You do not, however, have to enable UDP session tracking, because the DNS 
preprocessor inspects UDP traffic on a packet-by-packet basis. For more information, see 
The DNS preprocessor does not inspect TCP sessions picked up in midstream, and ceases inspection if 
a session loses state because of dropped packets.
The typical port to configure for the DNS preprocessor is well-known port 53, which DNS name servers 
use for DNS messages in both UDP and TCP.
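As an added example (not code from the FireSIGHT guide or from Cisco's DNS preprocessor), the following Python walks a DNS response the way the two passages above describe it: header, Question section, then the Answer, Authority and Additional Information sections record by record, exposing each record's Type and RData, decoding RData according to type for a few record types, and unwrapping the 2-byte length prefix that TCP-carried DNS messages use. The message bytes, the function names, and the per-type length checks are constructed for this example and are assumptions about a reasonable parser, not the preprocessor's own logic.

```python
# Added example (not Cisco's preprocessor code): walk a DNS response section by
# section, pulling out each record's Type and RData and refusing any length field
# that does not fit the message. Sample bytes below are constructed by hand.
import struct

TYPE_A, TYPE_NS, TYPE_TXT = 1, 2, 16          # RR types the sample decoder understands
SECTIONS = ("answer", "authority", "additional")


class DNSParseError(ValueError):
    """Raised for any length or pointer that does not fit the message."""


def read_name(msg, off, depth=0):
    """Decode a possibly compressed domain name; return (name, offset after it)."""
    labels = []
    while True:
        if off >= len(msg):
            raise DNSParseError("name runs past end of message")
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer (RFC 1035 4.1.4)
            if off + 1 >= len(msg) or depth > 16:
                raise DNSParseError("bad or looping compression pointer")
            ptr = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, depth + 1)
            return ".".join(p for p in labels + [tail] if p), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        if off + length > len(msg):
            raise DNSParseError("label runs past end of message")
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def read_rr(msg, off):
    """Parse one resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    name, off = read_name(msg, off)
    if off + 10 > len(msg):
        raise DNSParseError("truncated RR fixed fields")
    rtype, rclass, ttl, rdlength = struct.unpack_from("!HHIH", msg, off)
    off += 10
    if off + rdlength > len(msg):
        raise DNSParseError("RDLENGTH %d exceeds message" % rdlength)
    rr = {"name": name, "type": rtype, "class": rclass, "ttl": ttl,
          "rdata": msg[off:off + rdlength], "rdata_offset": off}
    return rr, off + rdlength


def parse_response(msg):
    """Parse header, Question section and the three response sections of a UDP payload."""
    if len(msg) < 12:
        raise DNSParseError("message shorter than header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:
        raise DNSParseError("QR bit clear: this is a query, not a response")
    off, questions = 12, []
    for _ in range(qdcount):
        qname, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise DNSParseError("truncated question")
        questions.append((qname,) + struct.unpack_from("!HH", msg, off))
        off += 4
    sections = {}
    for section, count in zip(SECTIONS, (ancount, nscount, arcount)):
        sections[section] = []
        for _ in range(count):
            rr, off = read_rr(msg, off)
            sections[section].append(rr)
    return {"id": txid, "questions": questions, "sections": sections}


def parse_tcp_message(stream):
    """Over TCP each DNS message is prefixed by a 2-byte length (RFC 1035 4.2.2)."""
    if len(stream) < 2:
        raise DNSParseError("missing TCP length prefix")
    (length,) = struct.unpack_from("!H", stream, 0)
    if len(stream) < 2 + length:
        raise DNSParseError("TCP frame truncated")
    return parse_response(stream[2:2 + length])


def decode_txt(rdata):
    """TXT RData is a run of <length byte><chars>; each declared length must fit in RDLENGTH."""
    strings, off = [], 0
    while off < len(rdata):
        n, off = rdata[off], off + 1
        if off + n > len(rdata):
            raise DNSParseError("TXT string length %d overruns RDLENGTH" % n)
        strings.append(rdata[off:off + n].decode("ascii", "replace"))
        off += n
    return strings


def decode_rdata(msg, rr):
    """Interpret RData according to the record Type; the layout differs per type."""
    rdata = rr["rdata"]
    if rr["type"] == TYPE_A:
        if len(rdata) != 4:
            raise DNSParseError("A record RDLENGTH must be 4, got %d" % len(rdata))
        return ".".join(str(b) for b in rdata)
    if rr["type"] == TYPE_NS:                     # a name, which may point back into the message
        name, end = read_name(msg, rr["rdata_offset"])
        if end != rr["rdata_offset"] + len(rdata):
            raise DNSParseError("NS name length disagrees with RDLENGTH")
        return name
    if rr["type"] == TYPE_TXT:
        return decode_txt(rdata)
    return rdata                                  # other types: hand back the raw bytes


# Constructed sample: one Answer (A), one Authority (NS) and one Additional (A) record.
SAMPLE_UDP_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x01\x00\x01"                  # header, counts 1/1/1/1
    b"\x07example\x03com\x00\x00\x01\x00\x01"                            # Question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x5d\xb8\xd8\x22"  # Answer: A 93.184.216.34
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06\x03ns1\xc0\x0c"   # Authority: NS ns1.example.com
    b"\xc0\x39\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x01"  # Additional: A 192.0.2.1 for ns1
)
SAMPLE_TCP_STREAM = struct.pack("!H", len(SAMPLE_UDP_RESPONSE)) + SAMPLE_UDP_RESPONSE
```

Call parse_response on a raw UDP payload, or parse_tcp_message on the bytes of a TCP segment, then decode_rdata on any record in the three sections. Every declared length (RDLENGTH, label lengths, TXT character-string lengths, compression pointers) is checked against the bytes actually present before any RData is interpreted, which is the kind of consistency check a preprocessor applies before trusting resource data; on a message picked up mid-stream or with gaps, such a parser raises rather than guessing, matching the guide's statement that inspection stops when TCP state is lost.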
Table 25-2  DNS Name Server RR Responses

This section...          Includes...                                                  For example...
Answer                   Optionally, one or more resource records that provide a      The IP address corresponding to a
                         specific answer to a query                                   domain name
Authority                Optionally, one or more resource records that point to an    The name of an authoritative name
                         authoritative name server                                    server for the response
Additional Information   Optionally, one or more resource records that provide        The IP address of another server to
                         additional information related to the Answer section         query

Detecting Overflow Attempts in RData Text Fields
License: Protection