https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195359#M1065644 Very very clear. Thank you so much Karsten <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Sat, 07 Oct 2017 10:42:59 GMT Jiramate.Petcharat 2017-10-07T10:42:59Z https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195322#M1065638 <P>I have a job to upgrade ASA to customer. (From 8.6 &gt; 9.6..)</P> <P>&nbsp;</P> <P>I saw in ASA version 9.0.2(and earlier) in section of DNS&nbsp;Inspection command they didn't have "tcp-inspection".</P> <P>&nbsp;</P> <P><STRONG><FONT face="courier new,courier" size="2">policy-map type inspect dns preset_dns_map</FONT></STRONG><BR /><STRONG><FONT face="courier new,courier" size="2">&nbsp; parameters</FONT></STRONG><BR /><STRONG><FONT face="courier new,courier" size="2">&nbsp; &nbsp; message-length maximum client auto</FONT></STRONG><BR /><STRONG><FONT face="courier new,courier" size="2">&nbsp; &nbsp; message-length maximum 512</FONT></STRONG></P> <P>&nbsp;</P> <P>But after I upgrade it to 9.6.3 thay have&nbsp; "no tcp-inspection" command show up.</P> <P>&nbsp;</P> <P><STRONG><FONT face="courier new,courier" size="2">policy-map type inspect dns preset_dns_map</FONT></STRONG><BR /><STRONG><FONT face="courier new,courier" size="2">&nbsp; parameters</FONT></STRONG><BR /><STRONG><FONT face="courier new,courier" size="2">&nbsp; &nbsp; message-length maximum client auto</FONT></STRONG><BR /><STRONG><FONT face="courier new,courier" size="2">&nbsp; &nbsp; message-length maximum 512</FONT></STRONG><BR /><STRONG><FONT face="courier new,courier" size="2">&nbsp; &nbsp; <FONT color="#FF0000">no tcp-inspection</FONT></FONT></STRONG></P> <P>&nbsp;</P> <P>This ASA is act like a firewall of server farm(so I think it's may have a DNS Server in INSIDE, that may need to use TCP), Is it should configure "<SPAN>tcp-inspection</SPAN>" on DNS inspect paremeters ?</P> <P>&nbsp;</P> <P>Before, I had been implement ASA for other&nbsp;site, I saw it have "no tcp-inspection" too, and DNS server of that site is work fine.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>PS:: From configuration guide, version 9.6 says in Defaults for DNS Inspection "<SPAN>DNS over TCP inspection is disabled.</SPAN>". But in version 9.0 and 8.6 they didn't say anything.</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-basic.html#ID-2092-00000007" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/firewall/asa-96-firewall-config/inspect-basic.html#ID-2092-00000007</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/inspect_basic.html#10154" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/inspect_basic.html#10154</A></P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_basic.html#wp1335632" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_basic.html#wp1335632</A></P> Fri, 21 Feb 2020 14:27:07 GMT https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195322#M1065638 Jiramate.Petcharat 2020-02-21T14:27:07Z https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195345#M1065639 <P>Today, DNS should be allowed to <A href="http://ipj.dreamhosters.com/wp-content/uploads/issues/2014/ipj17-1.pdf" target="_self">run over both UDP and TCP</A>. Many Admins didn‘t adopt this yet, but blocking TCP for DNS is considered a misconfiguration.</P> <P>If you allow TCP-transport, you should also apply security-measures for DNS for this transport.</P> <P>What to do:</P> <UL> <LI>If you don‘t allow any outbound TCP/53 for DNS, then you don‘t need tcp-inspection. But you should think about correcting that.</LI> <LI>If you allow TCP-based DNS, then you should think about doing tcp-inspection to apply security also for TCP-transport.</LI> </UL> Sat, 07 Oct 2017 09:13:21 GMT https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195345#M1065639 Karsten Iwen 2017-10-07T09:13:21Z https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195353#M1065640 <P>Thank you for your very clear explanation Karsten.</P> <P>&nbsp;</P> <P>Can I ask you more for my more clear ?</P> <P>&nbsp;</P> <UL> <LI>If they didn't use TCP for DNS(<SPAN>Actually, I'm not sure), but I have put configure "tcp-inspection", It will impact to the&nbsp;DNS traffic or network security ?</SPAN></LI> <LI><SPAN>If they use&nbsp;TCP&nbsp;for DNS(Other site, I had implement), but I did't put "tcp-inspection",&nbsp;It will impact to the&nbsp;DNS&nbsp;traffic or network security ?&nbsp;&nbsp;</SPAN>(I still confure because that site can use DNS server, but I don't know, may be DNS server admin may use other way to communicate with Public DNS? Or they can&nbsp;<SPAN>communicate but did't inspect, cause lacking of security ?</SPAN>&nbsp;)</LI> </UL> <P>&nbsp;</P> Sat, 07 Oct 2017 09:45:27 GMT https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195353#M1065640 Jiramate.Petcharat 2017-10-07T09:45:27Z https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195355#M1065641 <P>If there is no DNS over TCP, this command should have no effect at all.</P> <P>If there is is DNS over TCP but it is not configured, then there is no impact of functionality, but limited security for DNS.</P> Sat, 07 Oct 2017 10:01:15 GMT https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195355#M1065641 Karsten Iwen 2017-10-07T10:01:15Z https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195357#M1065642 <P>So. For my understanding now.</P> <UL> <LI>It should be/can configure, whether it use TCP or not ?</LI> <LI>After apply "tcp-inspection" for this network (that already use TCP for DNS and work well), after I had upgrade, It will not impact the DNS traffic ?</LI> </UL> <P>Am I right in understand?</P> Sat, 07 Oct 2017 10:15:33 GMT https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195357#M1065642 Jiramate.Petcharat 2017-10-07T10:15:33Z https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195358#M1065643 <P>After configuring it it will have an impact if there are protocol-anomalies or DNS-based attacks. After implementing it I would take a close look if everything runs right. especially if you run an outdated DNS-resolver. Early implementations of DNS over TCP were not that solid. With up-to-date operating systems there should be no problem with tcp-inspection.</P> Sat, 07 Oct 2017 10:28:51 GMT https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195358#M1065643 Karsten Iwen 2017-10-07T10:28:51Z https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195359#M1065644 Very very clear. Thank you so much Karsten <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> Sat, 07 Oct 2017 10:42:59 GMT https://community.cisco.com/t5/network-security/is-tcp-inspection-is-necessary-for-dns-inspection/m-p/3195359#M1065644 Jiramate.Petcharat 2017-10-07T10:42:59Z