Cisco Systems and the ASA Services Module Manual De Usuario
10-2
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10 Configuring Inspection of Basic Internet Protocols
DNS Inspection
•
•
Information About DNS Inspection
•
•
General Information About DNS
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently. Because the app_id expires independently, a legitimate DNS response can only pass
through the ASA within a limited period of time and there is no resource build-up. However, if you enter
the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS
session. This is due to the nature of the shared DNS connection and is by design.
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently. Because the app_id expires independently, a legitimate DNS response can only pass
through the ASA within a limited period of time and there is no resource build-up. However, if you enter
the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS
session. This is due to the nature of the shared DNS connection and is by design.
DNS Inspection Actions
DNS inspection is enabled by default. You can customize DNS inspection to perform many tasks:
•
Translate the DNS record based on the NAT configuration. For more information, see the
.
•
Enforce message length, domain-name length, and label length.
•
Verify the integrity of the domain-name referred to by the pointer if compression pointers are
encountered in the DNS message.
encountered in the DNS message.
•
Check to see if a compression pointer loop exists.
•
Inspect packets based on the DNS header, type, class and more.
Default Settings for DNS Inspection
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
•
The maximum DNS message length is 512 bytes.
•
The maximum client DNS message length is automatically set to match the Resource Record.
•
DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as
soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to
ensure that the ID of the DNS reply matches the ID of the DNS query.
soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to
ensure that the ID of the DNS reply matches the ID of the DNS query.
•
Translation of the DNS record based on the NAT configuration is enabled.
•
Protocol enforcement is enabled, which enables DNS message format check, including domain
name length of no more than 255 characters, label length of 63 characters, compression, and looped
pointer check.
name length of no more than 255 characters, label length of 63 characters, compression, and looped
pointer check.
See the following default DNS inspection commands:
class-map inspection_default
match default-inspection-traffic