13-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
DNS Inspection
•
match
[
not
]
header-flag
[
eq
] {
f_name
[
f_name
...] |
f_value
}—Matches the DNS flag. The
f_name
argument is the DNS flag name, one of the following:
AA
(Authoritative Answer),
QR
(Query),
RA
(Recursion Available),
RD
(Recursion Desired),
TC
(Truncation). The
f_value
argument is the 16-bit value in hex starting with 0x, from 0x0 to 0xffff. The
eq
keyword
specifies an exact match (match all); without the
eq
keyword, the packet only needs to match
one of the specified headers (match any). For example,
match header-flag AA QR
.
•
match
[
not
]
dns-type {eq
{
t_name
|
t_value
} |
range
t_value1
t_value2
}—Matches the DNS
type. The
t_name
argument is the DNS type name, one of the following:
A
(IPv4 address),
AXFR
(full zone transfer),
CNAME
(canonical name),
IXFR
(incremental zone transfer),
NS
(authoritative name server),
SOA
(start of a zone of authority) or
TSIG
(transaction signature).
The
t_value
arguments are arbitrary values in the DNS type field (0-65535). The
range
keyword
specifies a range, and the
eq
keyword specifies an exact match. For example:
match dns-type
eq A
.
•
match
[
not
]
dns-class {eq
{
in
|
c_value
} |
range
c_value1
c_value2
}—Matches the DNS class.
The class is either
in
(for Internet) or
c_value,
an arbitrary value from 0 to 65535 in the DNS
class field. The
range
keyword specifies a range, and the
eq
keyword specifies an exact match.
For example:
match dns-class eq in
.
•
match
[
not
] {
question
|
resource-record
{
answer
|
authority
|
additional
}}—Matches a DNS
question or resource record. The
question
keyword specifies the question portion of a DNS
message. The
resource-record
keyword specifies one of these sections of the resource record:
answer
,
authority
, or
additional
. For example:
match resource-record answer
.
•
match
[
not
]
domain-name regex
{
regex_name
|
class
class_name
}—Matches the DNS
message domain name list against the specified regular expression or regular expression class.
d.
Enter
exit
to leave class map configuration mode.
Step 2
Create a DNS inspection policy map, enter the following command:
hostname(config)#
policy-map type inspect dns
policy_map_name
hostname(config-pmap)#
Where the
policy_map_name
is the name of the policy map. The CLI enters policy-map configuration
mode.
Step 3
(Optional) To add a description to the policy map, enter the following command:
hostname(config-pmap)#
description
string
Step 4
To apply actions to matching traffic, perform the following steps.
a.
Specify the traffic on which you want to perform actions using one of the following methods:
•
If you created a DNS class map, specify it by entering the following command:
hostname(config-pmap)#
class
class_map_name
hostname(config-pmap-c)#
•
Specify traffic directly in the policy map using one of the
match
commands described for DNS
class maps. If you use a
match not
command, then any traffic that does not match the criterion
in the
match not
command has the action applied.
b.
Specify the action you want to perform on the matching traffic by entering the following command:
hostname(config-pmap-c)# {
drop
[
log
] |
drop-connection
[
log
]|
enforce-tsig
{[
drop
] [
log
]} |
mask
[
log
] |
log
}
Not all options are available for each
match
or
class
command. See the CLI help or the command
reference for the exact options available.
The
drop
keyword drops all packets that match.
Содержание ASA 5508-X
Страница 11: ...P A R T 1 Access Control ...
Страница 12: ......
Страница 60: ...4 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 4 Access Rules History for Access Rules ...
Страница 157: ...P A R T 2 Network Address Translation ...
Страница 158: ......
Страница 204: ...9 46 Cisco ASA Series Firewall CLI Configuration Guide Chapter 9 Network Address Translation NAT History for NAT ...
Страница 232: ...10 28 Cisco ASA Series Firewall CLI Configuration Guide Chapter 10 NAT Examples and Reference DNS and NAT ...
Страница 233: ...P A R T 3 Service Policies and Application Inspection ...
Страница 234: ......
Страница 379: ...P A R T 4 Connection Management and Threat Detection ...
Страница 380: ......
Страница 400: ...16 20 Cisco ASA Series Firewall CLI Configuration Guide Chapter 16 Connection Settings History for Connection Settings ...
Страница 414: ...17 14 Cisco ASA Series Firewall CLI Configuration Guide Chapter 17 Quality of Service History for QoS ...