Configuring advanced DNS inspection:
regex server1_reg "www\.server1\.com"
!
class-map type inspect dns match-all dns_class
 match not domain-name regex server1_reg
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  no message-length maximum server
  dns-guard
  protocol-enforcement
  ! nat-rewrite is enabled by default
  nat-rewrite
  no id-randomization
  no id-mismatch
  no tsig enforced
 ! dns_class is the Layer 7 (type inspect dns) class-map defined above
 class dns_class
  drop log
  match header-flag RD
   mask
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
!
service-policy global_policy global
NAT rewrite is an important feature of DNS inspection. If NAT rewrite is enabled and is required in a particular situation, make sure the static NAT statement has the ‘dns’ keyword appended to it. In other words, for NAT rewrite to work it must be enabled in two places: under the DNS inspection parameters and on the static NAT statement itself. Example below:
object network h10.1.1.10
 host 10.1.1.10
 nat (IN,OUT) static 2.2.2.10 dns
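A small configuration checker for the pitfall just described, added here as an example (it is not code from the original post): it reads an ASA running-config excerpt and reports static NAT objects that lack the dns keyword while the DNS policy-map still has nat-rewrite on. The config text below is constructed; the policy-map name is the page's preset_dns_map.

```python
import re

# Constructed ASA config excerpt (sample input, not from a live device):
# the DNS policy-map from the page plus two objects, one missing "dns".
SAMPLE_CONFIG = """\
policy-map type inspect dns preset_dns_map
 parameters
  nat-rewrite
  dns-guard
!
object network h10.1.1.10
 host 10.1.1.10
 nat (IN,OUT) static 2.2.2.10 dns
!
object network h10.1.1.11
 host 10.1.1.11
 nat (IN,OUT) static 2.2.2.11
!
"""

def nat_rewrite_enabled(config: str, policy: str) -> bool:
    """True if the named DNS inspection policy-map has nat-rewrite on.

    nat-rewrite is on by default, so it is only off when the policy-map
    block contains an explicit 'no nat-rewrite' line.
    """
    header = f"policy-map type inspect dns {policy}"
    in_policy = False
    for line in config.splitlines():
        if line.strip() == header:
            in_policy = True
            continue
        if in_policy and line and not line[0].isspace():
            break  # reached the next top-level section; leave the block
        if in_policy and line.strip() == "no nat-rewrite":
            return False
    return True

def static_nat_missing_dns(config: str) -> list:
    """Names of network objects whose static NAT line lacks the dns keyword."""
    missing = []
    current = None  # object currently being parsed
    for line in config.splitlines():
        m = re.match(r"object network (\S+)", line)
        if m:
            current = m.group(1)
            continue
        if current and re.match(r"\s+nat \(\S+,\S+\) static \S+", line):
            if "dns" not in line.split():
                missing.append(current)
    return missing
```

Run both checks together: if nat_rewrite_enabled() is true and static_nat_missing_dns() is non-empty, those objects will not get their DNS A-record replies rewritten.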
Difference between drop and drop-connection:
Drop – The packet is dropped by the ASA but the connection entry remains in the conn table.
%ASA-4-410003: DNS Classification: Dropped DNS request (id 27123) from IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class
ASA-FW# show conn
7 in use, 21 most used
UDP OUT 10.1.102.20:53 IN 10.1.101.20:1045, idle 0:00:11, bytes 0, flags -
Drop-connection – The connection itself is dropped by the ASA so no connection entry is maintained in the conn table.
%ASA-4-410003: DNS Classification: Dropped DNS request (id 25716) from IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class
%ASA-4-507003: udp flow from IN:10.1.101.20/1045 to OUT:10.1.102.20/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.
ASA-FW(config-pmap-c)# show conn
6 in use, 21 most used
Verification:
ASA-FW# sh service-policy inspect dns
Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns preset_dns_map, packet 32, drop 22, reset-drop 0
        message-length maximum client auto, drop 0
        message-length maximum 512, drop 0
        dns-guard, count 4
        protocol-enforcement, drop 0
        nat-rewrite, count 3
        class dns_class (match-any)
          Match: domain-name regex server1_reg, 7 packets
          drop log, packet 22
          match header-flag RD
            mask, packet 8