11-2
Cisco ASA Series Firewall ASDM Configuration Guide
Chapter 11 Configuring Inspection of Basic Internet Protocols
DNS Inspection
• Configuring DNS Inspection, page 11-16
Information About DNS Inspection
• General Information About DNS, page 11-2
• DNS Inspection Actions, page 11-2
General Information About DNS
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently. Because the app_id expires independently, a legitimate DNS response can only pass
through the ASA within a limited period of time and there is no resource build-up.
DNS Inspection Actions
DNS inspection is enabled by default. You can customize DNS inspection to perform many tasks:
• Translate the DNS record based on the NAT configuration. For more information, see the “DNS and
NAT” section on page 3-31.
• Enforce message length, domain-name length, and label length.
• Verify the integrity of the domain-name referred to by the pointer if compression pointers are
encountered in the DNS message.
• Check to see if a compression pointer loop exists.
• Inspect packets based on the DNS header, type, class and more.
Default Settings for DNS Inspection
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
• The maximum DNS message length is 512 bytes.
• The maximum client DNS message length is automatically set to match the Resource Record.
• DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as
soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to
ensure that the ID of the DNS reply matches the ID of the DNS query.
• Translation of the DNS record based on the NAT configuration is enabled.
• Protocol enforcement is enabled, which enables DNS message format check, including domain
name length of no more than 255 characters, label length of 63 characters, compression, and looped
pointer check.