7-5
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 7 Inspection of Basic Internet Protocols
DNS Inspection
The drop-connection keyword drops the packet and closes the connection.
The mask keyword masks out the matching portion of the packet. This action is available for header flag matches only.
The log keyword, which you can use alone or with one of the other keywords, sends a system log message.
The enforce-tsig {[drop] [log]} keyword enforces the presence of the TSIG resource record in a message. You can drop a packet without the TSIG resource record, log it, or drop and log it. You can use this option in conjunction with the mask action for header flag matches; otherwise, this action is exclusive with the other actions.
You can specify multiple class or match commands in the policy map. For information about the order of class and match commands, see Defining Actions in an Inspection Policy Map, page 2-4.
For example:
hostname(config)# policy-map type inspect dns dns-map
hostname(config-pmap)# class dns-class-map
hostname(config-pmap-c)# drop
hostname(config-pmap-c)# match header-flag eq aa
hostname(config-pmap-c)# drop log
Step 5
To configure parameters that affect the inspection engine, perform the following steps:
a. To enter parameters configuration mode, enter the following command:
hostname(config-pmap)# parameters
hostname(config-pmap-p)#
b. Set one or more parameters. You can set the following options; use the no form of the command to disable the option:
• dns-guard—Enables DNS Guard. The ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
• id-mismatch count number duration seconds action log—Enables logging for excessive DNS ID mismatches, where the count number duration seconds arguments specify the maximum number of mismatch instances per second before a system log message is sent.
• id-randomization—Randomizes the DNS identifier for a DNS query.
• message-length maximum {length | client {length | auto} | server {length | auto}}—Sets the maximum DNS message length, from 512 to 65535 bytes. You can also set the maximum length for client or server messages. The auto keyword sets the maximum length to the value in the Resource Record.
• nat-rewrite—Translates the DNS record based on the NAT configuration.
• protocol-enforcement—Enables the DNS message format check, including a domain name length of no more than 255 characters, a label length of no more than 63 characters, compression, and a looped pointer check.
• tsig enforced action {[drop] [log]}—Requires a TSIG resource record to be present. You can drop a non-conforming packet, log the packet, or both.
For example:
hostname(config-pmap)# parameters
hostname(config-pmap-p)# dns-guard
hostname(config-pmap-p)# message-length maximum 1024
hostname(config-pmap-p)# nat-rewrite
hostname(config-pmap-p)# protocol-enforcement
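As an added example, not part of Cisco's guide or of the ASA software: a small Python checker that applies the protocol-enforcement limits listed above (255-byte names, 63-byte labels, looped compression pointers) to the question section of a DNS message, together with the DNS Guard style check that a reply carries the query's ID. The sample messages are constructed for the example, not captured traffic.

```python
MAX_NAME_LEN, MAX_LABEL_LEN = 255, 63  # the limits that protocol-enforcement checks
def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at offset, following compression pointers; return (name, next offset)."""
    labels, seen, wire_len, end = [], set(), 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer (RFC 1035 4.1.4)
            if offset in seen:                     # the looped pointer check
                raise ValueError(f"looped compression pointer at offset {offset}")
            seen.add(offset)
            if end is None:
                end = offset + 2                   # the name ends after its first pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length > MAX_LABEL_LEN:
            raise ValueError(f"label length {length} exceeds {MAX_LABEL_LEN}")
        if (wire_len := wire_len + length + 1) > MAX_NAME_LEN:   # label plus length octet
            raise ValueError(f"name length exceeds {MAX_NAME_LEN}")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def check_message(msg: bytes) -> list[str]:
    """Return the format violations found in the header and question section."""
    if len(msg) < 12:
        return ["message shorter than the 12-byte DNS header"]
    offset, violations = 12, []
    for _ in range(int.from_bytes(msg[4:6], "big")):       # QDCOUNT
        try:
            _, offset = read_name(msg, offset)
            offset += 4                            # skip QTYPE and QCLASS
        except (ValueError, IndexError) as exc:
            violations.append(str(exc))
            break
    return violations

def reply_matches_query(query: bytes, reply: bytes) -> bool:
    """DNS Guard style check: the reply carries the query's ID and has the QR bit set."""
    return len(reply) >= 12 and query[:2] == reply[:2] and bool(reply[2] & 0x80)

# Constructed samples: a query for example.com, its reply, a self-referencing name pointer, a 64-byte label.
HEADER = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
GOOD_QUERY = HEADER + b"\x07example\x03com\x00\x00\x01\x00\x01"
GOOD_REPLY = b"\x12\x34\x81\x80" + HEADER[4:] + GOOD_QUERY[12:]
LOOPED_QUERY = HEADER + b"\xc0\x0c\x00\x01\x00\x01"
LONG_LABEL_QUERY = HEADER + b"\x40" + b"a" * 64 + b"\x00\x00\x01\x00\x01"
```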