Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13: Inspection of Basic Internet Protocols (page 13-2)
DNS Inspection
DNS Inspection Actions
DNS inspection is enabled by default. You can customize DNS inspection to perform many tasks:
• Translate the DNS record based on the NAT configuration. For more information, see .
• Enforce message length, domain-name length, and label length.
• Verify the integrity of the domain-name referred to by the pointer if compression pointers are encountered in the DNS message.
• Check to see if a compression pointer loop exists.
• Inspect packets based on the DNS header, type, class and more.
Defaults for DNS Inspection
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
• The maximum DNS message length is 512 bytes.
• The maximum client DNS message length is automatically set to match the Resource Record.
• DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
• Translation of the DNS record based on the NAT configuration is enabled.
• Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
See the following default DNS inspection commands:

class-map inspection_default
  match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
    dns-guard
    protocol-enforcement
    nat-rewrite
policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
! ...
service-policy global_policy global
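Added example (not Cisco code and not part of the guide): a small Python checker that applies the preset_dns_map rules described above to a raw DNS message: the 512-byte message maximum, 63-octet labels, 255-octet names, the looped compression pointer check, and the DNS Guard match of the reply ID against the query ID. The sample query and replies are constructed for the example.

```python
import struct
MAX_MESSAGE, MAX_NAME, MAX_LABEL = 512, 255, 63   # preset_dns_map limits from the page

def read_name(msg, offset):
    """Walk the name at offset following compression pointers; return the offset past it."""
    seen, wire_len, end = set(), 0, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            if offset in seen:                        # looped-pointer check
                raise ValueError("compression pointer loop")
            seen.add(offset)
            end = offset + 2 if end is None else end  # name ends after the first pointer
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > MAX_LABEL:
            raise ValueError("label longer than %d octets" % MAX_LABEL)
        wire_len += length + 1                        # length octet plus label bytes
        if wire_len > MAX_NAME:
            raise ValueError("domain name longer than %d octets" % MAX_NAME)
        if length == 0:                               # root label ends the name
            return offset + 1 if end is None else end
        offset += length + 1

def inspect_dns(msg, query_id=None):
    """Return violations found in one message; query_id enables the DNS Guard ID check."""
    problems = ["message longer than %d bytes" % MAX_MESSAGE] if len(msg) > MAX_MESSAGE else []
    try:
        ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
        if query_id is not None and flags & 0x8000 and ident != query_id:
            problems.append("reply ID %#06x does not match query ID %#06x" % (ident, query_id))
        offset = 12
        for _ in range(qd):
            offset = read_name(msg, offset) + 4       # skip QTYPE and QCLASS
        for _ in range(an + ns + ar):
            offset = read_name(msg, offset)
            rdlength = struct.unpack("!H", msg[offset + 8:offset + 10])[0]
            offset += 10 + rdlength                   # TYPE, CLASS, TTL, RDLENGTH, RDATA
        if offset > len(msg):
            raise ValueError("resource record runs past end of message")
    except (ValueError, IndexError, struct.error) as exc:   # index/struct errors: truncated
        problems.append(str(exc) if isinstance(exc, ValueError) else "message truncated")
    return problems

# Constructed samples: a query for example.com and a reply whose answer name is a pointer (ptr 12 = question name, ptr 29 = itself).
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00\x00\x01\x00\x01"
def sample_reply(ident, ptr):
    return (struct.pack("!H", ident) + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUERY[12:]
            + struct.pack("!HHHIH", 0xC000 | ptr, 1, 1, 60, 4) + bytes([192, 0, 2, 1]))
```

Trailing bytes after the last record are not flagged by this checker; the page does not say how the ASA treats them.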
Configure DNS Inspection
DNS inspection is enabled by default. You need to configure it only if you want non-default processing.
If you want to customize DNS inspection, use the following process.