Verifying and monitoring dns inspection – Cisco ASA 5505 User Manual


43-10

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 43 Configuring Inspection of Basic Internet Protocols

DNS Inspection

hostname(config-pmap-p)# tsig enforced action {drop [log] | log}

Where the count string argument specifies the maximum number of mismatch instances before a
system message log is sent. The duration seconds specifies the period, in seconds, to monitor.

The following example shows how to define a DNS inspection policy map.

hostname(config)# regex domain_example "example\.com"
hostname(config)# regex domain_foo "foo\.com"
hostname(config)# ! define the domain names that the server serves
hostname(config)# class-map type inspect regex match-any my_domains
hostname(config-cmap)# match regex domain_example
hostname(config-cmap)# match regex domain_foo
hostname(config)# ! Define a DNS map for query only
hostname(config)# class-map type inspect dns match-all pub_server_map
hostname(config-cmap)# match not header-flag QR
hostname(config-cmap)# match question
hostname(config-cmap)# match not domain-name regex class my_domains
hostname(config)# policy-map type inspect dns serv_prot
hostname(config-pmap)# class pub_server_map
hostname(config-pmap-c)# drop log
hostname(config-pmap-c)# match header-flag RD
hostname(config-pmap-c)# mask log
hostname(config)# class-map dns_serv_map
hostname(config-cmap)# match default-inspection-traffic
hostname(config)# policy-map pub_policy
hostname(config-pmap)# class dns_serv_map
hostname(config-pmap-c)# inspect dns serv_prot
hostname(config)# service-policy pub_policy interface dmz
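To make the semantics of that policy map concrete, the following added example (not Cisco's code and not part of the configuration guide) models what the serv_prot policy does to a DNS message: it parses the header flags and question section, evaluates the match-all class pub_server_map (a query, with a question, whose name matches none of the my_domains regexes) and applies the drop action, and otherwise applies the mask action to the RD header flag. The regex list, the flag constants, and the build_query helper that constructs sample messages are assumptions of this example; it checks only the question section, whereas the appliance's domain-name match also covers resource records.

```python
import re
import struct

# Constructed regex list mirroring "regex domain_example" and "regex domain_foo";
# ASA regexes are unanchored substring matches, hence re.search below.
MY_DOMAINS = [re.compile(r"example\.com"), re.compile(r"foo\.com")]

FLAG_QR = 0x8000  # header bit 15: 0 = query, 1 = response
FLAG_RD = 0x0100  # header bit 8: recursion desired


def encode_name(name):
    """Encode a dotted name as DNS labels (used only to build sample queries)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, qname, rd=True, qr=False):
    """Construct a minimal DNS message: 12-byte header plus one A/IN question."""
    flags = (FLAG_QR if qr else 0) | (FLAG_RD if rd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", 1, 1)


def decode_name(msg, offset):
    """Decode a label sequence at offset; follows a compression pointer if present."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if (length & 0xC0) == 0xC0:
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(msg):
    """Return id, QR/RD flags and the question section of a DNS message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    questions, offset = [], 12
    for _ in range(qdcount):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "rd": bool(flags & FLAG_RD), "questions": questions}


def evaluate_serv_prot(msg):
    """Model of the serv_prot policy map. Returns (action, forwarded_message)."""
    pkt = parse_dns(msg)
    # class pub_server_map (match-all): not QR, has a question, and the
    # question name matches none of the my_domains regexes -> drop log
    in_pub_server_map = (
        not pkt["qr"]
        and bool(pkt["questions"])
        and not any(r.search(q[0]) for q in pkt["questions"] for r in MY_DOMAINS)
    )
    if in_pub_server_map:
        return "drop", None
    # match header-flag RD -> mask log: clear the RD bit and forward the rest
    if pkt["rd"]:
        flags = struct.unpack("!H", msg[2:4])[0] & ~FLAG_RD
        return "mask", msg[:2] + struct.pack("!H", flags) + msg[4:]
    return "permit", msg
```

A query for a name outside the served domains is dropped before the RD match is considered; a query for a served domain with RD set is forwarded with RD cleared, which is the behaviour an authoritative-only DMZ server wants.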

Verifying and Monitoring DNS Inspection

To view information about the current DNS connections, enter the following command:

hostname# show conn

For connections using a DNS server, the source port of the connection may be replaced by the IP address
of the DNS server in the show conn command output.

A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the security
appliance within a limited period of time and there is no resource build-up. However, when you enter the
show conn command, you see the idle timer of a DNS connection being reset by a new DNS session.
This is due to the nature of the shared DNS connection and is by design.
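The following added example (a toy model written for this page, not Cisco's implementation) shows the connection-sharing behaviour described above: several DNS sessions with the same 5-tuple share one connection entry, each transaction id (app_id) carries its own idle timer, a late response whose app_id has already expired is not matched, and a new session resets the shared connection's idle timer. The timeout values APP_ID_IDLE and CONN_IDLE are constructed for illustration and are not the appliance's defaults.

```python
from collections import namedtuple

FiveTuple = namedtuple("FiveTuple", "src_ip src_port dst_ip dst_port proto")

APP_ID_IDLE = 30   # constructed value: seconds a DNS transaction id stays valid
CONN_IDLE = 120    # constructed value: seconds the shared connection stays up


class DnsConnTable:
    """Model of one shared DNS connection with per-app_id idle timers."""

    def __init__(self):
        # client-side 5-tuple -> {"last_seen": t, "app_ids": {txid: last_seen}}
        self.conns = {}

    def _expire(self, now):
        for key, conn in list(self.conns.items()):
            # each app_id expires on its own timer
            conn["app_ids"] = {txid: t for txid, t in conn["app_ids"].items()
                               if now - t < APP_ID_IDLE}
            # the connection itself expires on the shared timer
            if now - conn["last_seen"] >= CONN_IDLE:
                del self.conns[key]

    def query(self, ft, txid, now):
        self._expire(now)
        conn = self.conns.setdefault(ft, {"last_seen": now, "app_ids": {}})
        conn["last_seen"] = now        # new session resets the shared idle timer
        conn["app_ids"][txid] = now    # this transaction gets its own timer
        return "permit"

    def response(self, ft, txid, now):
        self._expire(now)
        client_side = FiveTuple(ft.dst_ip, ft.dst_port, ft.src_ip, ft.src_port, ft.proto)
        conn = self.conns.get(client_side)
        if conn is None or txid not in conn["app_ids"]:
            return "drop"  # no outstanding query with this app_id (expired or unknown)
        conn["last_seen"] = now
        del conn["app_ids"][txid]  # transaction complete
        return "permit"

    def connection_count(self, now):
        self._expire(now)
        return len(self.conns)

    def outstanding(self, ft, now):
        self._expire(now)
        conn = self.conns.get(ft)
        return sorted(conn["app_ids"]) if conn else []


def demo():
    """Constructed timeline: two queries share one connection, one reply is late."""
    client = FiveTuple("10.1.1.5", 53000, "192.0.2.53", 53, "udp")   # constructed
    server = FiveTuple("192.0.2.53", 53, "10.1.1.5", 53000, "udp")   # reverse tuple
    table = DnsConnTable()
    table.query(client, 1, now=0)
    table.query(client, 2, now=5)
    return {
        "connections": table.connection_count(5),        # one conn for two sessions
        "outstanding": table.outstanding(client, 5),     # both app_ids tracked
        "reply_1": table.response(server, 1, now=20),    # within APP_ID_IDLE
        "reply_2_late": table.response(server, 2, now=40),  # app_id 2 expired
        "conn_after": table.connection_count(40),        # connection still up
        "conn_idle": table.connection_count(200),        # shared timer expired
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The late reply is dropped even though the shared connection is still present, which is the "no resource build-up" property the text describes: the connection entry's timer being refreshed by later sessions does not extend the window for earlier transactions.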

To display the statistics for DNS application inspection, enter the show service-policy command. The
following is sample output from the show service-policy command:

hostname# show service-policy

Interface outside:
