Cisco ASA 5505 User Manual

Page 1175


55-11

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 55 Configuring the Botnet Traffic Filter

Configuring the Botnet Traffic Filter

Default DNS Inspection Configuration and Recommended Configuration

The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does
not have DNS snooping enabled.

We suggest that you enable DNS snooping only on interfaces where external DNS requests are going.
Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates
unnecessary load on the ASA.

For example, if the DNS server is on the outside interface, you should enable DNS inspection with
snooping for all UDP DNS traffic on the outside interface. See the “Examples” section for the
recommended commands for this configuration.

Detailed Steps

Step 1  Command: class-map name
        Example:
          hostname(config)# class-map dynamic-filter_snoop_class
        Purpose: Creates a class map to identify the traffic for which you want to
        inspect DNS.

Step 2  Command: match parameters
        Example:
          hostname(config-cmap)# match port udp eq domain
        Purpose: Specifies traffic for the class map. See the “Identifying Traffic
        (Layer 3/4 Class Maps)” section on page 32-12 for more information about
        available parameters. For example, you can specify an access list for DNS
        traffic to and from certain addresses, or you can specify all UDP DNS traffic.

Step 3  Command: policy-map name
        Example:
          hostname(config)# policy-map dynamic-filter_snoop_policy
        Purpose: Adds or edits a policy map so you can set the actions to take with
        the class map traffic.

Step 4  Command: class name
        Example:
          hostname(config-pmap)# class dynamic-filter_snoop_class
        Purpose: Identifies the class map you created in Step 1.
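The four steps above assembled into one configuration, following the recommendation to snoop only on the interface that carries external DNS requests. This is an added example, not the guide's own “Examples” section: the class-map and policy-map names are the ones used in the steps, while the `inspect dns ... dynamic-filter-snoop` and `service-policy` lines complete the procedure beyond what this page shows, `preset_dns_map` is assumed to be the ASA's default DNS inspection policy map, and `outside` is an assumed interface name.

```cisco
! Step 1: class map that selects the DNS traffic to inspect
class-map dynamic-filter_snoop_class
 ! Step 2: match all UDP DNS (port 53 = "domain"); an access-list match could
 ! be used instead to narrow this to specific resolvers
 match port udp eq domain
!
! Step 3: policy map that carries the actions for that traffic
policy-map dynamic-filter_snoop_policy
 ! Step 4: reference the class map from Step 1
 class dynamic-filter_snoop_class
  ! Beyond this page: DNS inspection with Botnet Traffic Filter snooping enabled.
  ! preset_dns_map is assumed to be the default DNS inspection map on the device.
  inspect dns preset_dns_map dynamic-filter-snoop
!
! Beyond this page: apply the policy on the outside interface only (assumed name),
! so internal-server DNS traffic is not snooped and the ASA is not loaded needlessly
service-policy dynamic-filter_snoop_policy interface outside
```

Applying the policy per interface rather than globally is what keeps snooping off traffic destined for an internal DNS server. After applying it, `show dynamic-filter dns-snoop` lists the domain-name-to-address entries the snooping has learned, which confirms that the policy is actually seeing DNS replies on the chosen interface.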
