Cisco Systems ASA5515K9, ASA 5500 Information About the DNS Reverse Lookup Cache and DNS Host Cache

55-4

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter55 Configuring the Botnet Traffic Filter

Information About the Botnet Traffic Filter

blacklist and the whitelist are identified only as whitelist addresses in syslog messages and reports. Note

that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic

blacklist.

When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS

request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This

action is a background process, and does not affect your ability to continue configuring the ASA). We

recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping. The ASA uses

Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names

in the following circumstances:

•The ASA DNS server is unavailable.

•A connection is initiated during the 1 minute waiting period before the ASA sends the regular DNS

request.

If DNS snooping is used, when an infected host sends a DNS request for a name on the static database,

the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name

and IP address to the DNS reverse lookup cache.

If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that

traffic will not be monitored by the Botnet Traffic Filter.

Information About the DNS Reverse Lookup Cache and DNS Host Cache

When you use the dynamic database with DNS snooping, entries are added to the DNS reverse lookup

cache. If you use the static database, entries are added to the DNS host cache (see the “Information

About the Static Database” section on page 55-3 about using the static database with DNS snooping and

the DNS reverse lookup cache).

Entries in the DNS reverse lookup cache and the DNS host cache have a time to live (TTL) value

provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server

provides a larger TTL, it is truncated to 1 day maximum.

For the DNS reverse lookup cache, after an entry times out, the ASA renews the entry when an infected

host initiates a connection to a known address, and DNS snooping occurs.

For the DNS host cache, after an entry times out, the ASA periodically requests a refresh for the entry.

For the DNS host cache, the maximum number of blacklist entries and whitelist entries is 1000 each.

Table55-1 lists the maximum number of entries in the DNS reverse lookup cache per model.

Table55-1 DNS Reverse Lookup Cache Entries per Model

ASA Model Maximum Entries

ASA 5505 5000

ASA 5510 10,000

ASA 5520 20,000

ASA 5540 40,000

ASA 5550 40,000

ASA 5580 100,000