Cisco ASA 5512-X Adaptive Security Appliance Technical Manual

Prerequisites
Requirements
Cisco states that DNS inspection must be enabled in order to perform DNS doctoring on the security
appliance. DNS inspection is on by default.
When DNS inspection is enabled, the security appliance performs these tasks:
• Translates the DNS record based on the configuration completed with the use of object/auto NAT commands (DNS rewrite). Translation only applies to the A-record in the DNS reply. Therefore reverse lookups, which request the Pointer (PTR) record, are not affected by DNS rewrite. In ASA Version 9.0(1) and later, the DNS PTR record is also translated for reverse DNS lookups when IPv4 NAT, IPv6 NAT, or NAT64 is used with DNS inspection enabled for the NAT rule.
Note: DNS rewrite is not compatible with static Port Address Translation (PAT) because multiple PAT rules are applicable for each A-record, and the PAT rule to use is ambiguous.
• Enforces the maximum DNS message length (the default is 512 bytes and the maximum length is 65535 bytes). Reassembly is performed as necessary in order to verify that the packet length is less than the maximum length configured. The packet is dropped if it exceeds the maximum length.
Note: If you enter the inspect dns command without the maximum length option, DNS packet size is not checked.
• Enforces a domain-name length of 255 bytes and a label length of 63 bytes.
• Verifies the integrity of the domain name referred to by the pointer if compression pointers are encountered in the DNS message.
• Checks to see if a compression pointer loop exists.
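The inspection tasks above, modelled in Python as an added example (this is not Cisco's implementation; the host name, the addresses and the NAT mapping are constructed): it enforces the message, name and label limits, rejects truncated or looping compression pointers, and rewrites an A-record answer that matches a NAT rule while leaving every other record type untouched.

```python
import struct
MAX_MSG_LEN, MAX_NAME_LEN, MAX_LABEL_LEN = 512, 255, 63   # ASA default message limit, name limit, label limit

def read_name(msg, off):
    """Decode a name at msg[off:], enforcing the limits above; returns (name, next_offset)."""
    labels, seen, end = [], set(), None
    while True:
        if off >= len(msg) or off in seen:
            raise ValueError("compression pointer loop" if off in seen else "truncated name")
        seen.add(off)
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte compression pointer (11xxxxxx)
            if off + 1 >= len(msg): raise ValueError("truncated compression pointer")
            end = off + 2 if end is None else end   # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF   # follow it (may loop)
            continue
        if ln > MAX_LABEL_LEN: raise ValueError("label longer than 63 bytes")
        off += 1
        if ln == 0: break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if sum(len(l) + 1 for l in labels) + 1 > MAX_NAME_LEN:   # wire length, root included
        raise ValueError("domain name longer than 255 bytes")
    return ".".join(labels), (end if end is not None else off)

def inspect_and_rewrite(msg, nat, max_len=MAX_MSG_LEN):
    """Validate a DNS reply and rewrite A-record answers listed in nat (public -> inside)."""
    if len(msg) > max_len:
        raise ValueError("message exceeds maximum length; dropped")
    out = bytearray(msg)
    qd, an = struct.unpack("!HH", msg[4:8])         # QDCOUNT, ANCOUNT
    off = 12
    for _ in range(qd):                             # question: QNAME, QTYPE, QCLASS
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):                             # answer: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
        _, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:               # A record only; PTR and others pass through untouched
            ip = ".".join(str(b) for b in msg[off:off + 4])
            if ip in nat:
                out[off:off + 4] = bytes(int(b) for b in nat[ip].split("."))
        off += rdlen
    return bytes(out)

def build_reply(qname, ip):   # constructed sample: one question, one A answer pointing back to QNAME
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(b) for b in ip.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + name + struct.pack("!HH", 1, 1) + rr
```

A reply whose answer address has no NAT rule is returned unchanged, and a reply that fails any check is rejected rather than forwarded.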
Components Used
The information in this document is based on the ASA 5500-X Series Security Appliance, Version 9.x.
The information in this document was created from the devices in a specific lab environment. All of the
devices used in this document started with a cleared (default) configuration. If your network is live, make sure
that you understand the potential impact of any command.
Related Products
This configuration can also be used with the Cisco ASA 5500 Series Security Appliance, Version 8.4 or later.
Note: The ASDM configuration is applicable to version 7.x only.
Background Information
In a typical DNS exchange, a client sends a URL or hostname to a DNS server in order to determine the IP
address of that host. The DNS server receives the request, looks up the name-to-IP-address mapping for that
host, and then provides the A-record with the IP address to the client. While this procedure works well in
many situations, problems can occur. These problems can occur when the client and the host that the client
tries to reach are both on the same private network behind NAT, but the DNS server used by the client is on
another public network.