Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 55: Configuring the Botnet Traffic Filter (page 55-11)
Default DNS Inspection Configuration and Recommended Configuration
The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces and does
not have DNS snooping enabled.
We suggest that you enable DNS snooping only on interfaces that carry DNS requests to external DNS
servers. DNS snooping builds the DNS reverse cache that the Botnet Traffic Filter uses to match
connections against blocked domain names, so it only needs to see the replies from external servers.
Enabling DNS snooping on all UDP DNS traffic, including traffic going to an internal DNS server,
creates unnecessary load on the ASA without improving coverage.
For example, if the DNS server is on the outside interface, you should enable DNS inspection with
snooping for all UDP DNS traffic on the outside interface only. See the “Examples” section for the
recommended commands for this configuration.
Detailed Steps

Step 1: class-map name
Example:
hostname(config)# class-map dynamic-filter_snoop_class
Purpose: Creates a class map to identify the traffic for which you want to inspect DNS.

Step 2: match parameters
Example:
hostname(config-cmap)# match port udp eq domain
Purpose: Specifies traffic for the class map. See the “Identifying Traffic (Layer 3/4 Class Maps)”
section on page 32-12 for more information about available parameters. For example, you can specify
an access list for DNS traffic to and from certain addresses, or you can specify all UDP DNS traffic.

Step 3: policy-map name
Example:
hostname(config)# policy-map dynamic-filter_snoop_policy
Purpose: Adds or edits a policy map so you can set the actions to take with the class map traffic.

Step 4: class name
Example:
hostname(config-pmap)# class dynamic-filter_snoop_class
Purpose: Identifies the class map you created in Step 1.
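The following running-config excerpt is an added worked example, not part of the original guide page: it places the factory-default DNS inspection (global policy, no snooping) beside the recommended configuration that the steps above build, carried through to the inspect and service-policy commands that the steps shown here stop short of. The interface name outside, the policy-map and class-map names, and the assumption that the preset_dns_map DNS inspection map exists with its shipped defaults are taken from this guide's conventions; the verification commands at the end are suggestions from the standard ASA CLI rather than text from this page.

```cisco
! --- Default (as shipped): DNS inspection on all UDP DNS traffic, all interfaces,
! --- no snooping. Assumed factory global_policy; left in place unchanged.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
service-policy global_policy global

! --- Recommended: snoop only DNS traffic on the interface that reaches
! --- external DNS servers (outside is an assumed interface name).
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

! --- Suggested checks (standard ASA show commands, not from this page):
! show service-policy interface outside        -> confirms the snooping policy is bound
! show dynamic-filter dns-snoop                 -> lists domains learned from snooped replies
```

Two practical caveats. An ASA interface accepts only one interface service policy, so if outside already has a policy-map bound to it, add the dynamic-filter_snoop_class block to that existing policy-map instead of creating a second one. And scope the class map to the DNS servers you actually use (for example, with an access list matching the external resolvers rather than match port udp eq domain) when internal-to-internal DNS traffic also traverses the outside interface; otherwise the ASA snoops replies that can never populate the Botnet Traffic Filter cache with useful entries.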