ASA - DNS Inspection

Assumptions

All changes are made in the global service policy (global_policy); you can apply them to a different policy if you wish.

After modifying the policy map, remember to re-apply the service policy: (no service-policy global_policy global) followed by (service-policy global_policy global).

 

Standard DNS inspection is enabled on the ASA by default.

The ASA inspects DNS traffic in the following way:

  • Tears down the DNS session associated with a query as soon as the DNS reply is forwarded by the ASA
  • Checks that the ID of a DNS reply matches the ID of the outstanding DNS query
  • Translates DNS records (A records only) according to the alias, static and nat commands (DNS rewrite)
  • Enforces a maximum DNS message length of 512 bytes (default). The maximum configurable length is 65535 bytes. If a message is longer than the configured length, the packet is dropped.
  • Enforces a maximum domain-name length of 255 bytes and a maximum label length of 63 bytes
  • Verifies the integrity of the domain name referred to by a compression pointer whenever compression pointers are encountered in the DNS message
  • Checks whether a compression pointer loop exists
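To make the message-level checks in the list above concrete, the following is an added Python example (not ASA code, and not from the original page) that applies the same checks to raw DNS messages: the configured maximum message length, the 255-byte name and 63-byte label limits, pointer targets inside the message, pointer-loop detection, and reply ID against the outstanding query ID. Session teardown and DNS rewrite are not modelled. All sample messages are constructed inline rather than captured; the 192.0.2.10 address and the www.example.com name are placeholders.

```python
import struct

# Defaults the ASA enforces (message length is configurable: message-length maximum).
MAX_MESSAGE_LEN = 512
MAX_NAME_LEN = 255
MAX_LABEL_LEN = 63


class DnsInspectError(Exception):
    """Raised when a message fails a check and would be dropped."""


def read_name(msg, offset):
    """Decode the domain name at offset, following compression pointers.
    Returns (name, offset_after_name); raises on over-long labels/names,
    pointers outside the message and pointer loops."""
    labels, visited, pos, end, wire_len = [], set(), offset, None, 0
    while True:
        if pos >= len(msg):
            raise DnsInspectError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: compression pointer, 14-bit offset
            if pos + 1 >= len(msg):
                raise DnsInspectError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[pos + 1]
            if target >= len(msg):
                raise DnsInspectError("compression pointer outside message")
            visited.add(pos)
            if target in visited:  # already followed a pointer from there: a loop
                raise DnsInspectError("compression pointer loop")
            if end is None:  # in the original stream the name ends after the first pointer
                end = pos + 2
            pos = target
            continue
        if length == 0:  # root label terminates the name
            return ".".join(labels), end if end is not None else pos + 1
        # 01xxxxxx / 10xxxxxx are reserved label types, so any non-pointer byte
        # above 63 is an over-long or invalid label either way.
        if length > MAX_LABEL_LEN:
            raise DnsInspectError("label length %d exceeds %d" % (length, MAX_LABEL_LEN))
        label = msg[pos + 1:pos + 1 + length]
        if len(label) != length:
            raise DnsInspectError("truncated label")
        wire_len += length + 1
        if wire_len + 1 > MAX_NAME_LEN:  # +1 for the terminating root label
            raise DnsInspectError("name length exceeds %d" % MAX_NAME_LEN)
        labels.append(label.decode("ascii", "replace"))
        pos += 1 + length


def inspect_message(msg, max_len=MAX_MESSAGE_LEN, expected_id=None):
    """Apply the checks to one DNS message and return a summary dict.
    expected_id is the ID of the outstanding query when msg is a reply."""
    if len(msg) > max_len:
        raise DnsInspectError("message length %d exceeds maximum %d" % (len(msg), max_len))
    if len(msg) < 12:
        raise DnsInspectError("truncated header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", msg, 0)
    is_response = bool(flags & 0x8000)
    if is_response and expected_id is not None and txid != expected_id:
        raise DnsInspectError("id mismatch: reply %#06x, query %#06x" % (txid, expected_id))
    off, questions = 12, []
    for _ in range(qd):
        name, off = read_name(msg, off)
        if off + 4 > len(msg):
            raise DnsInspectError("truncated question")
        questions.append((name, struct.unpack_from("!HH", msg, off)[0]))
        off += 4
    records = 0
    for _ in range(an + ns + ar):  # RR owner names get the same pointer checks
        _name, off = read_name(msg, off)
        if off + 10 > len(msg):
            raise DnsInspectError("truncated resource record")
        off += 10 + struct.unpack_from("!HHIH", msg, off)[3]
        if off > len(msg):
            raise DnsInspectError("truncated rdata")
        records += 1
    return {"id": txid, "response": is_response, "questions": questions, "records": records}


def drop_reason(msg, **kwargs):
    """Return the drop reason for msg, or None if it passes inspection."""
    try:
        inspect_message(msg, **kwargs)
    except DnsInspectError as exc:
        return str(exc)
    return None


# --- constructed sample messages (not captured traffic) ---
def encode_name(name):
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"


def build_query(txid, name, qtype=1):
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_reply(txid, name, addr):
    # The answer's owner name is a pointer (0xC00C) back to the question name at offset 12.
    rdata = bytes(int(o) for o in addr.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1) + answer


HEADER = struct.pack("!HHHHHH", 0x0001, 0x0100, 1, 0, 0, 0)
QUERY = build_query(0x1234, "www.example.com")
REPLY = build_reply(0x1234, "www.example.com", "192.0.2.10")
LOOP = HEADER + b"\xc0\x0c" + struct.pack("!HH", 1, 1)           # question name points to itself
LONG_LABEL = HEADER + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1)
LONG_NAME = build_query(0x0001, ".".join(["a" * 60] * 5))         # 305 bytes on the wire
OVERSIZED = QUERY + b"\x00" * (MAX_MESSAGE_LEN + 1 - len(QUERY))  # valid query padded to 513 bytes

if __name__ == "__main__":
    print(inspect_message(QUERY))
    for label, msg, kw in [("reply", REPLY, {"expected_id": 0x1234}),
                           ("reply, wrong id", REPLY, {"expected_id": 0x9999}),
                           ("loop", LOOP, {}), ("long label", LONG_LABEL, {}),
                           ("long name", LONG_NAME, {}), ("oversized", OVERSIZED, {}),
                           ("oversized, max 768", OVERSIZED, {"max_len": 768})]:
        print("%-20s -> %s" % (label, drop_reason(msg, **kw) or "pass"))
```

The oversized case passes once max_len is raised to 768, which is the same effect as the message-length maximum 768 parameter in the configuration further down; a deployment that needs EDNS or DNSSEC replies has to raise this limit or such replies are silently dropped.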

 

EXAMPLE 1

  • Do not resolve names in the youtube.com and facebook.com domains; resolve everything else. The regexes are not anchored, so they match any name that contains the string (for example www.youtube.com); the escaped dot keeps "." from matching an arbitrary character.

 

(config)# regex youtube "youtube\.com"

(config)# regex facebook "facebook\.com"

(config)# class-map type regex match-any rejected_domains

(config-cmap)# description "Rejected Domains"

(config-cmap)# match regex youtube

(config-cmap)# match regex facebook

(config-cmap)# exit

 

(config)# policy-map type inspect dns preset_dns_map

(config-pmap)# match domain-name regex class rejected_domains

(config-pmap-c)# drop log

(config-pmap-c)# exit

(config-pmap)# exit

 

Test

[screenshot: dns-inspection1.PNG]
ASA Logs

Mar 05 2013 20:57:01 FWL-001 : %ASA-4-410003: DNS Classification: Dropped DNS request (id 7) from inside:x.x.x.x/52169 to outside:8.8.8.8/53; matched Class 26: match domain-name regex class rejected_domains

Current configuration

policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 768
  id-mismatch action log
 match domain-name regex class rejected_domains
  drop log

 

EXAMPLE 2

  • Allow full zone transfers (AXFR) only. Every other query type, including ordinary A lookups, is dropped, as the test shows.

(config)# policy-map type inspect dns preset_dns_map

(config-pmap)# match not dns-type eq AXFR

(config-pmap-c)# drop log

 

TEST

 ~$ nslookup 

> www.wp.pl
;; connection timed out; no servers could be reached

ASA Logs

%ASA-4-410003: DNS Classification: Dropped DNS request (id 16310) from inside:10.10.1.10/57601 to outside:8.8.8.8/53; matched Class 22: match not dns-type eq AXFR

 

EXAMPLE 3

  • Block queries for A records

 

(config)# policy-map type inspect dns preset_dns_map

(config-pmap)# match dns-type eq A

(config-pmap-c)# drop log

 

TEST

# host -la danpol.net x.x.x.x


Trying "danpol.net"
Using domain server:
Name: x.x.x.x
Address: x.x.x.x#53
Aliases:

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29133
;; flags: qr aa; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;danpol.net. IN AXFR

;; ANSWER SECTION:
.....

output omitted

Received 475 bytes from x.x.x.x#53 in 41 ms

The zone transfer succeeds, but a query for an A record does not (see below). Note that the AXFR would have passed even if the policy matched it: a zone transfer runs over TCP/53, and in ASA releases of this period DNS inspection in the default global policy is applied to UDP/53 only, so TCP DNS traffic is never classified by the inspection policy map (inspection of DNS over TCP was added later as a separate parameter). The A query in the next test goes over UDP and is dropped as expected.

# host www.interia.pl
;; connection timed out; no servers could be reached

 

ASA Logs

Mar 07 2013 14:23:35: %ASA-4-410003: DNS Classification: Dropped DNS request (id 51099) from inside:10.10.1.10/42964 to outside:8.8.8.8/53; matched Class 28: match dns-type eq A

 
