43-10
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter43 Configuring Inspection of Basic Internet Protocols
DNS Inspection
hostname(config-pmap-p)# tsig enforced action {drop [log] | [log}
Where the count string argument specifies the maximum number of mismatch instances before a
system message log is sent. The duration seconds specifies the period, in seconds, to monitor.
The following example shows a how to define a DNS inspection policy map.
hostname(config)# regex domain_example “example\.com”
hostname(config)# regex domain_foo “foo\.com”
hostname(config)# ! define the domain names that the server serves
hostname(config)# class-map type inspect regex match-any my_domains
hostname(config-cmap)# match regex domain_example
hostname(config-cmap)# match regex domain_foo
hostname(config)# ! Define a DNS map for query only
hostname(config)# class-map type inspect dns match-all pub_server_map
hostname(config-cmap)# match not header-flag QR
hostname(config-cmap)# match question
hostname(config-cmap)# match not domain-name regex class my_domains
hostname(config)# policy-map type inspect dns serv_prot
hostname(config-pmap)# class pub_server_map
hostname(config-pmap-c)# drop log
hostname(config-pmap-c)# match header-flag RD
hostname(config-pmap-c)# mask log
hostname(config)# class-map dns_serv_map
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# policy-map pub_policy
hostname(config-pmap)# class dns_serv_map
hostname(config-pmap-c)# inspect dns serv_prot
hostname(config)# service-policy pub_policy interface dmz
Verifying and Monitoring DNS Inspection
To view information about the current DNS connections, enter the following command:
hostname# show conn
For connections using a DNS server, the source port of the connection may be replaced by the IP address
of DNS server in the show conn command output.
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security
appliance within a limited period of time and there is no resource build-up. However, when you enter the
show conn command, you see the idle timer of a DNS connection being reset by a new DNS session.
This is due to the nature of the shared DNS connection and is by design.
To display the statistics for DNS application inspection, enter the show service-policy command. The
following is sample output from the show service-policy command:
hostname# show service-policy
Interface outside: