Cisco Systems ASA 5585-X Manual De Usuario

The following recommended configuration creates a class map for all UDP DNS traffic, enables DNS 
inspection and Botnet Traffic Filter snooping with the default DNS inspection policy map, and applies 
it to the outside interface:

ciscoasa(config)# class-map dynamic-filter_snoop_class

ciscoasa(config-cmap)# match port udp eq domain

ciscoasa(config-cmap)# policy-map dynamic-filter_snoop_policy

ciscoasa(config-pmap)# class dynamic-filter_snoop_class

ciscoasa(config-pmap-c)# inspect dns preset_dns_map dynamic-filter-snoop

ciscoasa(config-pmap-c)# service-policy dynamic-filter_snoop_policy interface outside

See the 

.

This procedure enables the Botnet Traffic Filter. The Botnet Traffic Filter compares the source and 
destination IP address in each initial connection packet to the following:

Dynamic database IP addresses

Static database IP addresses

DNS reverse lookup cache (for dynamic database domain names)

DNS host cache (for static database domain names)

When an address matches, the ASA sends a syslog message. The only additional action currently 
available is to drop the connection.

In multiple context mode, perform this procedure in the context execution space.

 [map_name] 

ciscoasa(config-pmap-c)# inspect dns 

preset_dns_map dynamic-filter-snoop

Enables DNS inspection with Botnet Traffic Filter snooping. To 
use the default DNS inspection policy map for the map_name, 
specify preset_dns_map for the map name. See the 

 for more information about 

creating a DNS inspection policy map.

policymap_name interface 

ciscoasa(config)# service-policy 

dynamic-filter_snoop_policy interface 

outside

Activates the policy map on an interface. The interface-specific 
policy overrides the global policy. You can only apply one policy 
map to each interface.