Cisco Systems and the ASA Services Module Network Router User Manual
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 26 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Default DNS Inspection Configuration and Recommended Configuration
The default DNS inspection configuration inspects all UDP DNS traffic on all interfaces and does not
enable DNS snooping.
Enable DNS snooping only on the interfaces that carry DNS requests to external DNS servers. Snooping
records the addresses returned in DNS replies so that later connections to those addresses can be checked
against the Botnet Traffic Filter database; enabling it on all UDP DNS traffic, including queries answered
by an internal DNS server, creates unnecessary load on the ASA.
For example, if the DNS server is reached through the outside interface, enable DNS inspection with
snooping for all UDP DNS traffic on the outside interface. See the "Examples" section for the
recommended commands for this configuration.
Detailed Steps

Step 1  Command: class-map name
        Example:
        ciscoasa(config)# class-map dynamic-filter_snoop_class
        Purpose: Creates a class map to identify the traffic for which you want to inspect DNS.

Step 2  Command: match parameters
        Example:
        ciscoasa(config-cmap)# match port udp eq domain
        Purpose: Specifies traffic for the class map. See the "Identifying Traffic (Layer 3/4 Class
        Maps)" section on page 1-12 for more information about available parameters. For example, you
        can specify an ACL for DNS traffic to and from certain addresses, or you can specify all UDP
        DNS traffic.

Step 3  Command: policy-map name
        Example:
        ciscoasa(config)# policy-map dynamic-filter_snoop_policy
        Purpose: Adds or edits a policy map so you can set the actions to take with the class map
        traffic.

Step 4  Command: class name
        Example:
        ciscoasa(config-pmap)# class dynamic-filter_snoop_class
        Purpose: Identifies the class map you created in Step 1.
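The following is an added worked example, not text from the guide: it assembles the four steps above into the complete interface policy they begin and adds the inspect and service-policy lines that close the procedure, supplied from the ASA CLI rather than from this excerpt. The interface name "outside", the ACL name "dns_snoop_acl" and the resolver address 203.0.113.53 are assumptions for illustration.

```cisco
! Added example (not the guide's own text). Steps 1-4 are the class map and
! policy map from the table above; the inspect and service-policy commands
! that follow are supplied from the ASA CLI. "outside", "dns_snoop_acl" and
! 203.0.113.53 are assumed values.

! Step 1-2: match every UDP DNS exchange seen on the interface.
class-map dynamic-filter_snoop_class
 match port udp eq domain

! Alternative for Step 2 (use instead of "match port", a class map takes one
! match): snoop only traffic to the external resolver so that queries to an
! internal DNS server never enter the snoop cache.
! access-list dns_snoop_acl extended permit udp any host 203.0.113.53 eq domain
! class-map dynamic-filter_snoop_class
!  match access-list dns_snoop_acl

! Step 3-4, then the inspection action with snooping turned on.
policy-map dynamic-filter_snoop_policy
 class dynamic-filter_snoop_class
  inspect dns preset_dns_map dynamic-filter-snoop

! Apply to the interface that reaches the external DNS server, not globally,
! so internal-server lookups on other interfaces are left to the default
! global DNS inspection without snooping.
service-policy dynamic-filter_snoop_policy interface outside

! The snooped interface must also have the filter itself enabled (configured
! in a separate task in this chapter); otherwise the cache is built but never
! consulted.
dynamic-filter enable interface outside

! Check that DNS replies are being cached:
! show dynamic-filter dns-snoop
```

An interface carries only one service policy, so if "outside" already has one, add the class and its inspect dns line to that existing policy map instead of creating a second. The ACL variant is the one to prefer when the same interface also carries DNS to servers you do not want snooped.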