47-5
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter47 Configuring Inspection of Basic Internet Protocol s
DNS Inspection
3. The ASA receives the DNS reply and submits it to the DNS application inspection engine.
4. The DNS application inspection engine does the following:
a. Searches for any NAT rule to undo the translation of the embedded A-record address
“[outside]:209.165.200.5”. In this example, it finds the following static configuration:
object network obj-192.168.100.10-01
host 192.168.100.10
nat (dmz,outside) static 209.165.200.5 dns
b. Uses the static rule to rewrite the A-record as follows because the dns option is included:
[outside]:209.165.200.225 --> [dmz]:192.168.100.10
Note If the dns option were not included with the nat command, DNS Rewrite would not be
performed and other processing for the packet continues.
c. Searches for any NAT to translate the web server address, [dmz]:192.168.100.10, when
communicating with the inside web client.
No NAT rule is applicable, so application inspection completes.
If a NAT rule (nat or static) were applicable, the dns option must also be specified. If the dns
option were not specified, the A-record rewrite in step b would be reverted and other processing
for the packet continues.
5. The ASA sends the HTTP request to server.example.com on the DMZ interface.
Select DNS Inspect Map
The Select DNS Map dialog box is accessible as follows:
Add/Edit Service PolicyRule Wizard > Rule Actions >
Protocol Inspection Tab>Select DNS Inspect Map
The Select DNS Map dialog box lets you select or create a new DNS map. A DNS map lets you change
the configuration values used for DNS application inspection. The Select DNS Map table provides a list
of previously configured maps that you can select for application inspection.
Fields
Use the default DNS inspection map—Specifies to use the default DNS map.
Select a DNS map for fine control over inspectionLets you select a defined application inspection
map or add a new one.
Enable Botnet traffic filter DNS snooping— Enables Botnet Traffic Filter snooping, which
compares the domain name with those on the dynamic database or static database, and adds the name
and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the
Botnet Traffic Filter when connections are made to the suspicious address. We suggest that you
enable DNS snooping only on interfaces where external DNS requests are going. Enabling DNS
snooping on all UDP DNS traffic, including that going to an internal DNS server, creates
unnecessary load on the ASA. For example, if the DNS server is on the outside interface, you should
enable DNS inspection with snooping for all UDP DNS traffic on the outside interface.
Add—Opens the Add Policy Map dialog box for the inspection.