Filter
Top Products
10-4
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 10 Configuring Inspection of Basic Internet Protocols
DNS Inspection
policy-map type inspect dns name
Example:
ciscoasa(config)# policy-map type inspect
dns dns-map
Creates an inspection policy map in which you want to match
traffic directly.
You can specify multiple match commands in the policy map. For
information about the order of match commands, see the
“Defining Actions in an Inspection Policy Map” section on
page 2-4.
Step 2
match [not] header-flag [eq]
{f_well_known [f_well_known...] | f_value}
For direct match only:
{drop [log] | drop-connection [log]|
[enforce-tsig {[drop] [log]}] [mask [log]]
| log}
Example:
ciscoasa(config-pmap)# match header-flag
AA QR
ciscoasa(config-pmap-c)# mask log
ciscoasa(config-pmap-c)# enforce-tsig log
Matches a specific flag or flags that are set in the DNS header,
where the f_well_known argument is the DNS flag bit. The
f_value argument is the 16-bit value in hex starting with 0x. The
eq keyword specifies an exact match (match all); without the eq
keyword, the packet only needs to match one of the specified
headers (match any).
To specify traffic that should not match, use the match not
command.
If you are matching directly in the inspection policy map, specify
the action(s) for the match:
• drop [log]—Drops the packet. log also logs the packet.
• drop-connection [log]—Drops the packet and closes the
connection. log also logs the packet.
• enforce-tsig {[drop] [log]}—Enforces the TSIG resource
record in a message. drop drops a packet without the TSIG
resource record. log also logs the packet.
• mask [log]—Masks out the matching portion of the packet.
log also logs the packet.
• log—Logs the packet.
Step 3
match [not] dns-type
{eq {t_well_known | t_val}}
{range t_val1 t_val2}
For direct match only:
{drop [log] | drop-connection [log]|
enforce-tsig {[drop] [log]} | log}
Example:
ciscoasa(config-pmap)# match dns-type eq
aaaa
ciscoasa(config-pmap-c)# enforce-tsig log
Matches a DNS type, where the t_well_known argument is the
DNS flag bit. The t_val arguments are arbitrary values in the DNS
type field (0-65535). The range keyword specifies a range, and
the eq keyword specifies an exact match.
To specify traffic that should not match, use the match not
command.
If you are matching directly in the inspection policy map, specify
the action for the match:
• drop [log]—Drops the packet. log also logs the packet.
• drop-connection [log]—Drops the packet and closes the
connection. log also logs the packet.
• enforce-tsig {[drop] [log]}—Enforces the TSIG resource
record in a message. drop drops a packet without the TSIG
resource record. log also logs the packet.
• log—Logs the packet.
Command Purpose