Cisco ASA 5505 User Manual


Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 55 Configuring the Botnet Traffic Filter

Information About the Botnet Traffic Filter

blacklist and the whitelist are identified only as whitelist addresses in syslog messages and reports. Note
that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic
blacklist.

When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS
request for that domain name and adds the domain name/IP address pairing to the DNS host cache. (This
action is a background process, and does not affect your ability to continue configuring the ASA). We
recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping. The ASA uses
Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names
in the following circumstances:

• The ASA DNS server is unavailable.

• A connection is initiated during the 1 minute waiting period before the ASA sends the regular DNS
request.

If DNS snooping is used, when an infected host sends a DNS request for a name on the static database,
the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name
and IP address to the DNS reverse lookup cache.

If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that
traffic will not be monitored by the Botnet Traffic Filter.

Information About the DNS Reverse Lookup Cache and DNS Host Cache

When you use the dynamic database with DNS snooping, entries are added to the DNS reverse lookup
cache. If you use the static database, entries are added to the DNS host cache (see the “Information
About the Static Database” section on page 55-3 about using the static database with DNS snooping and
the DNS reverse lookup cache).

Entries in the DNS reverse lookup cache and the DNS host cache have a time to live (TTL) value
provided by the DNS server. The largest TTL value allowed is 1 day (24 hours); if the DNS server
provides a larger TTL, it is truncated to 1 day maximum.

For the DNS reverse lookup cache, after an entry times out, the ASA renews the entry when an infected
host initiates a connection to a known address, and DNS snooping occurs.

For the DNS host cache, after an entry times out, the ASA periodically requests a refresh for the entry.

For the DNS host cache, the maximum number of blacklist entries and whitelist entries is 1000 each.
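The following configuration ties together the static database and DNS snooping procedure described in the previous section and the cache behaviour described in this one. It is an added example, not a configuration taken from this guide: the interface name outside, the DNS server address 198.51.100.53, the domain names and the address 192.0.2.10 are placeholders chosen for illustration, and the `show` commands at the end are the checks a practitioner runs to confirm the DNS host cache and the DNS reverse lookup cache are being populated.

```cisco
! Assumed: the ASA can resolve names itself. The static database lookup (sent
! 1 minute after a domain name is added) needs a DNS server configured here.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53

! Dynamic database: download updates from Cisco and use them for lookups.
dynamic-filter updater-client enable
dynamic-filter use-database

! Static database. Domain names populate the DNS host cache (at most 1000
! blacklist and 1000 whitelist entries); addresses are matched directly.
dynamic-filter blacklist
 name bad.example.com
 address 192.0.2.10 255.255.255.255
dynamic-filter whitelist
 name good.example.com

! DNS inspection with Botnet Traffic Filter snooping on the outside interface.
! Snooped responses populate the DNS reverse lookup cache and also cover the
! two cases where the regular lookup for static names is not available.
class-map dynamic-filter_snoop_class
 match port udp eq domain
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop
service-policy dynamic-filter_snoop_policy interface outside

! Monitor on the interface, and drop connections that match the blacklist.
dynamic-filter enable interface outside
dynamic-filter drop blacklist interface outside

! Verification (exec mode):
!   show dynamic-filter data            - dynamic database download status
!   show dynamic-filter dns-snoop detail - DNS reverse lookup cache entries
!   show dynamic-filter statistics      - connections classified per interface
```

Two points to check after applying this: the DNS inspection policy must be applied where the clients' DNS replies actually traverse the ASA (the interface facing the DNS server, here outside), otherwise snooping sees nothing and the reverse lookup cache stays empty; and a whitelisted name that also resolves to an address in the dynamic blacklist will still generate syslog messages, reported as a whitelist match, as the first paragraph of this page describes.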

Table 55-1 lists the maximum number of entries in the DNS reverse lookup cache per model.

Table 55-1    DNS Reverse Lookup Cache Entries per Model

ASA Model    Maximum Entries
ASA 5505     5000
ASA 5510     10,000
ASA 5520     20,000
ASA 5540     40,000
ASA 5550     40,000
ASA 5580     100,000
