Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
59-10
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 59 Configuring the Botnet Traffic Filter
Configuring the Botnet Traffic Filter
Enabling DNS Snooping
This procedure enables inspection of DNS packets and enables Botnet Traffic Filter snooping, which
compares the domain name with those on the dynamic database or static database, and adds the name
and IP address to the Botnet Traffic Filter DNS reverse lookup cache. This cache is then used by the
Botnet Traffic Filter when connections are made to the suspicious address.
Prerequisites
In multiple context mode, perform this procedure in the context execution space.
You must first configure DNS inspection for traffic that you want to snoop using the Botnet Traffic
Filter. See the “DNS Inspection” section on page 47-1 and Chapter 36, “Configuring a Service
Policy,” for detailed information about configuring advanced DNS inspection options using the
Modular Policy Framework.
Note You can also configure DNS snooping directly in the Configuration > Firewall > Service
Policy Rules > Rule Actions > Protocol Inspection > Select DNS Inspect Map dialog box by
checking the Enable Botnet traffic filter DNS snooping check box.
Restrictions
TCP DNS traffic is not supported.
Default DNS Inspection Configuration and Recommended Configuration
The default configuration for DNS inspection inspects all UDP DNS traffic on all interfaces, and does
not have DNS snooping enabled.
We suggest that you enable DNS snooping only on interfaces where external DNS requests are going.
Enabling DNS snooping on all UDP DNS traffic, including that going to an internal DNS server, creates
unnecessary load on the ASA.
For example, if the DNS server is on the outside interface, you should enable DNS inspection with
snooping for all UDP DNS traffic on the outside interface.
Detailed Steps
Step 1 Choose the Configuration > Firewall > Botnet Traffic Filter > DNS Snooping pane.
All existing service rules that include DNS inspection are listed in the table.
Step 2 For each rule for which you want to enable DNS snooping, in the DNS Snooping Enabled column, check
the check box.
Step 3 Click Apply.
What to Do Next
See the “Enabling Traffic Classification and Actions for the Botnet Traffic Filter” section on page 59-11.