Support User Manuals

Cisco Systems ASA 5585-X Network Router User Manual

Open as PDF

of 2086

47-9

Cisco ASA 5500 Series Configuration Guide using ASDM

Chapter 47 Configuring Inspection of Basic Internet Protocols

DNS Inspection

Configuration > Global Objects > Inspect Maps > DNS

The DNS pane lets you view previously configured DNS application inspection maps. A DNS map lets

you change the default configuration values used for DNS application inspection.

DNS application inspection supports DNS message controls that provide protection against DNS

spoofing and cache poisoning. User configurable rules allow certain DNS types to be allowed, dropped,

and/or logged, while others are blocked. Zone transfer can be restricted between servers with this

function, for example.

The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a

public server from attack if that server only supports a particular internal zone. In addition, DNS

randomization can be enabled avoid spoofing and cache poisoning of servers that either do not support

randomization, or utilize a weak pseudo random number generator. Limiting the domain names that can

be queried also restricts the domain names which can be queried, which protects the public server

further.

A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching

DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable

check to enforce a Transaction Signature be attached to all DNS messages is also supported.

Fields

• DNS Inspect Maps—Table that lists the defined DNS inspect maps.

• Add—Configures a new DNS inspect map. To edit a DNS inspect map, choose the DNS entry in the

DNS Inspect Maps table and click Customize.

• Delete—Deletes the inspect map selected in the DNS Inspect Maps table.

• Security Level—Select the security level (high, medium, or low).

–

Low—Default.

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: disabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: disabled

TSIG resource record: not enforced

–

Medium

DNS Guard: enabled

NAT rewrite: enabled

Protocol enforcement: enabled

ID randomization: enabled

Message length check: enabled

Message length maximum: 512

Mismatch rate logging: enabled

TSIG resource record: not enforced

–

High

previous next