Configuring advanced DNS inspection:
regex server1_reg "www\.server1\.com"
!
class-map type inspect dns match-all dns_class
 match not domain-name regex server1_reg
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no message-length maximum server
  dns-guard
  protocol-enforcement
  ! nat-rewrite is enabled by default
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
 ! matches the L7 class-map
 class dns_class
  drop log
 match header-flag RD
  mask
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global

NAT rewrite is an important feature of DNS inspection. If NAT rewrite is required in a particular situation, make sure the static NAT statement has the 'dns' keyword appended to it. For NAT rewrite to work, it must be enabled both under the DNS inspection parameters and in the static NAT statement. Example below:

object network h10.1.1.10
 host 10.1.1.10
 nat (IN,OUT) static 126.96.36.199 dns
Difference between drop and drop-connection:

Drop – The packet is dropped by the ASA but the connection entry remains in the conn table.

%ASA-4-410003: DNS Classification: Dropped DNS request (id 27123) from IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class

ASA-FW)# show conn
7 in use, 21 most used
UDP OUT 10.1.102.20:53 IN 10.1.101.20:1045, idle 0:00:11, bytes 0, flags -

Drop-connection – The connection itself is dropped by the ASA so no connection entry is maintained in the conn table.

%ASA-4-410003: DNS Classification: Dropped DNS request (id 25716) from IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class
%ASA-4-507003: udp flow from IN:10.1.101.20/1045 to OUT:10.1.102.20/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.

ASA-FW(config-pmap-c)# show conn
6 in use, 21 most used
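The two syslog patterns above can be told apart when reviewing logs. The following is an added example, not part of the original page: it labels each 410003 event as drop or drop-connection depending on whether a 507003 for the same flow follows. It assumes events are correlated by source/destination pair (507003 carries no DNS id); SAMPLE is a constructed sequence built from the messages shown above.

```python
import re

# %ASA-4-410003: DNS inspection dropped a request that matched a class.
DROP_RE = re.compile(
    r"%ASA-4-410003: DNS Classification: Dropped DNS request \(id (?P<id>\d+)\) "
    r"from (?P<src>\S+) to (?P<dst>[^;\s]+); matched Class \d+: (?P<cls>\S+)")
# %ASA-4-507003: the inspection engine tore down the flow itself.
TERM_RE = re.compile(
    r"%ASA-4-507003: \w+ flow from (?P<src>\S+) to (?P<dst>\S+) "
    r"terminated by inspection engine")

def classify_dns_drops(lines):
    """Return one record per 410003 event, labelled with the inferred action.

    A 410003 followed by a 507003 for the same src/dst pair means the flow was
    torn down (drop-connection). A 410003 on its own means only the packet was
    dropped and the conn entry is still in the table (drop).
    """
    events = []
    pending = {}  # (src, dst) -> latest 410003 record not yet terminated
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            rec = {"dns_id": int(m["id"]), "src": m["src"], "dst": m["dst"],
                   "class": m["cls"], "action": "drop"}
            events.append(rec)
            pending[(m["src"], m["dst"])] = rec
            continue
        m = TERM_RE.search(line)
        if m:
            rec = pending.pop((m["src"], m["dst"]), None)
            if rec is not None:  # ignore 507003 with no preceding DNS drop
                rec["action"] = "drop-connection"
    return events

# Constructed input: the page's log messages placed in one sequence.
SAMPLE = [
    "%ASA-4-410003: DNS Classification: Dropped DNS request (id 27123) from "
    "IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class",
    "%ASA-4-410003: DNS Classification: Dropped DNS request (id 25716) from "
    "IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class",
    "%ASA-4-507003: udp flow from IN:10.1.101.20/1045 to OUT:10.1.102.20/53 "
    "terminated by inspection engine, reason - inspector disconnected, dropped packet.",
]

if __name__ == "__main__":
    for event in classify_dns_drops(SAMPLE):
        print(event["dns_id"], event["src"], "->", event["dst"], event["action"])
```

Events labelled drop are the ones worth checking against `show conn`, since their conn entry stays in the table until it idles out.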
ASA-FW# sh service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 32, drop 22, reset-drop 0
        message-length maximum client auto, drop 0
        message-length maximum 512, drop 0
        dns-guard, count 4
        protocol-enforcement, drop 0
        nat-rewrite, count 3
        class dns_class (match-any)
          Match: domain-name regex server1_reg, 7 packets
          drop log, packet 22
        match header-flag RD
          mask, packet 8