DNS Advanced Inspection (CCIE Notes)


Configuring advanced DNS inspection;

regex server1_reg "www\.server1\.com"
!
class-map type inspect dns match-all dns_class
 match not domain-name regex server1_reg
!
policy-map type inspect dns preset_dns_map
 parameters
 message-length maximum client auto
 message-length maximum 512
 no message-length maximum server
 dns-guard
 protocol-enforcement
 nat-rewrite                // default is enabled
 no id-randomization
 no id-mismatch
 no tsig enforced
 class dns_class            // matches the L7 class-map
  drop log
 match header-flag RD
  mask
!
policy-map global_policy
 class inspection_default
 inspect dns preset_dns_map
!
service-policy global_policy global
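
As an added illustration (not from the original post and not ASA code), the following Python models what the preset_dns_map above does to a single query: the 512-byte message-length cap, the dns_class drop for names that do not match server1_reg, and the RD header-flag mask. The DNS query bytes are constructed inline, and the order in which the checks run is an assumption of the model.

```python
import re
import struct

SERVER1_REG = re.compile(r"www\.server1\.com")  # the post's 'regex server1_reg'
RD_BIT = 0x0100                                   # Recursion Desired, DNS header flags

def build_query(qname, txid=0x1234, rd=True):
    """Build a minimal A-record query (constructed sample, not a capture)."""
    header = struct.pack("!HHHHHH", txid, RD_BIT if rd else 0, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, IN

def parse_qname(msg):
    """Read the first question name (queries carry no label compression)."""
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

def inspect_dns(msg, max_len=512):
    """Model of preset_dns_map (hypothetical helper, not the ASA engine).

    Returns (action, message). Check order is an assumption of this model.
    """
    if len(msg) < 12:
        return "drop:protocol-enforcement", msg      # no complete DNS header
    if len(msg) > max_len:
        return "drop:message-length", msg            # 'message-length maximum 512'
    flags = struct.unpack("!H", msg[2:4])[0]
    # class dns_class = 'match not domain-name regex server1_reg' -> drop log
    if not SERVER1_REG.search(parse_qname(msg)):
        return "drop:dns_class", msg
    # 'match header-flag RD' / 'mask': clear the RD bit and forward the packet
    if flags & RD_BIT:
        masked = msg[:2] + struct.pack("!H", flags & ~RD_BIT) + msg[4:]
        return "mask:RD", masked
    return "pass", msg

def rd_set(msg):
    """True if the Recursion Desired bit is set in the header."""
    return bool(struct.unpack("!H", msg[2:4])[0] & RD_BIT)
```
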
NAT rewrite is an important feature of DNS inspection. When NAT rewrite is enabled and a particular situation requires it, make sure the static NAT statement has the 'dns' keyword appended to it. In other words, for NAT rewrite to work it must be enabled both under the DNS inspection parameters and on the static NAT statement. Example below;
object network h10.1.1.10
 host 10.1.1.10
 nat (IN,OUT) static 2.2.2.10 dns

Difference between drop and drop-connection;

Drop – The packet is dropped by the ASA but the connection entry remains in the conn table.
%ASA-4-410003: DNS Classification: Dropped DNS request (id 27123) from IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class

ASA-FW# show conn
7 in use, 21 most used
UDP OUT 10.1.102.20:53 IN 10.1.101.20:1045, idle 0:00:11, bytes 0, flags -
Drop-connection – The connection itself is dropped by the ASA so no connection entry is maintained in the conn table.
%ASA-4-410003: DNS Classification: Dropped DNS request (id 25716) from IN:10.1.101.20/1045 to OUT:10.1.102.20/53; matched Class 21: dns_class
%ASA-4-507003: udp flow from IN:10.1.101.20/1045 to OUT:10.1.102.20/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.

ASA-FW(config-pmap-c)# show conn
6 in use, 21 most used

Verification;

ASA-FW# sh service-policy inspect dns 
Global policy: 
 Service-policy: global_policy
 Class-map: inspection_default
 Inspect: dns preset_dns_map, packet 32, drop 22, reset-drop 0
 message-length maximum client auto, drop 0
 message-length maximum 512, drop 0
 dns-guard, count 4
 protocol-enforcement, drop 0
 nat-rewrite, count 3
 class dns_class (match-any) 
 Match: domain-name regex server1_reg, 7 packets
 drop log, packet 22
 match header-flag RD 
 mask, packet 8

Bookmark to follow my CCIE Security v4 journey -> https://networkology.net/tag/ccie
