topic Re: inspect dns in Network Security

inspect dns

kp-tkr2014 — Thu, 02 Apr 2020 16:33:28 GMT

Hi,

is there any impact of disabling dns inspection on asa or in what scenarios we have to remove

policy-map global_policy

class inspection_default

no inspect dns

Thanks

Re: inspect dns

balaji.bandi — Thu, 02 Apr 2020 17:36:55 GMT

ASA point of view :

DNS Inspection

DNS inspection on the ASA is enabled by default and performs a number of different functions that many people might not even recognize. When enabled, DNS inspection makes the life of the ASA administrator much easier and keeps the relationship with the DNS administrators and the internal user base much happier. Functions that it provides include the following:

Translates DNS record information based on the configuration of the NAT commands alias, static, and nat; this is referred to often as DNS rewrite. This translation affects only DNS A records and does not affect DNS PTR records.
Enforces a maximum DNS message length. (The default is 512 bytes.)
Enforces the domain name length of 255 bytes.

DNS inspection can also be used to control the behavior of the ASA based on a number of different traffic-matching criteria.

Not sure what is the reason you would like to disable, until you see any reason here.

The ASA keeps a connection table for UDP connections to dynamically allow connections initiated from the inside to get a reply from the outside without getting blocked by the ASA. This is the nature of a stateful firewall. - if you disable, you need to have explicit ACL rules available for the DNS queries.

Re: inspect dns

kp-tkr2014 — Thu, 02 Apr 2020 18:08:14 GMT

Hi,

" The ASA keeps a connection table for UDP connections to dynamically allow connections initiated from the inside to get a reply from the outside without getting blocked by the ASA. This is the nature of a stateful firewall. - if you disable, you need to have explicit ACL rules available for the DNS queries "

you mean if a client 10.0.2.10 is trying to access 8.8.8.8 then we need an acl if we disable dns inspection

the reason I am trying to disable

I have a dns filter policy in fg firewall , it sends the dns query to fortigate sdns server to get the category of the dns requested .

topology

I captured the traffic on asa using asdm ,

Traffic capture settings

Interface OUTSIDE

Outside source 45.75.200.89 (fortigate sdns ip)

Destination :0 0 0 0

the fortigate interface ip is 172.16.10.1

nat configured for fortigate internet access

nat (Inside,Outside) after-auto source dynamic 172.16.10.0 1.1.2.8

captured egress inside traffic attached

dns reply giving some error

does it mean the issue from asa ?,

is it the rightway of capturing or do we need to do anything ?

Thanks

Re: inspect dns

Cristian Matei — Thu, 02 Apr 2020 18:52:51 GMT

Hi,

I've never had a reason to an of my customer to disable DNS inspection. Usually DNS inspection is removed because of a bug, or because it drops DNS requests and we don't know how to investigate and change the layer7 default settings for DNS inspection. Perform packet captures on the ingress and egress points of the ASA for DNS traffic (comparing the DNS live traffic with the default DNS inspection settings, could give the best hint on what parameters to change in order to fix it).

If you remove DNS inspection, DNS is UDP, DNS does not create secondary channels, so DNS will still work, the ASA will just treat the connection as UDP. This is, however, not recommended.

Regards,

Cristian Matei.

Re: inspect dns

kp-tkr2014 — Thu, 02 Apr 2020 19:29:35 GMT

Hi @Cristian Matei

Thanks for the reply .

What you mean by secondary channel . I have attached a packet capture in my previous post , the dns query type is TXT record and the query response is giving server failure error . So i was doubting asa doing something

How to check asa drops certain traffic ?

Thanks

Re: inspect dns

balaji.bandi — Fri, 03 Apr 2020 14:20:19 GMT

you mean if a client 10.0.2.10 is trying to access 8.8.8.8 then we need an acl if we disable dns inspection

Yes you need ACL for the DNS to get Queried to 8.8.8.8 - if you have implicity deny rules in place , until you doing NAT here.

Looked at your capture not give enough iunformation instead server falure, not sure what query you doing there.

best thing try nslookup and see you able to get queries from DNS Server, after disabling the DNS inspection.

Re: inspect dns

kp-tkr2014 — Fri, 03 Apr 2020 16:52:55 GMT

Hi @balaji.bandi

"Yes you need ACL for the DNS to get Queried to 8.8.8.8 - if you have implicity deny rules in place , until you doing NAT here."

I am sorry I did not get this part , it would be great if you give an example

Thanks

Re: inspect dns

balaji.bandi — Fri, 03 Apr 2020 17:20:30 GMT

what i was trying to explain was :

from your PC , when you do nslookup are you able to get query back for the DNS Resoltuin for cisco.com or google.com ?

if yes, then there is NAT or ACL rules in place to get your DNS Query from inside to outside.

if that fails, FW by default denies, so my suggestion you required to allow a ACL rules for the DNS queries to send to outside.

we are not sure, how is your network, i have seen in that post you also have Fortigate ? also ASA FW ?

Re: inspect dns

kp-tkr2014 — Fri, 03 Apr 2020 18:10:42 GMT

Hi,

if yes, then there is NAT or ACL rules in place to get your DNS Query from inside to outside

yes I have dynamic nat there in place

When you nat or acl query , how does it that possible without NAT if the DNS server is reachable only via public IP (8.8.8.8)

the fortigate interface ip is 172.16.10.1
nat configured for fortigate internet access
nat (Inside,Outside) after-auto source dynamic 172.16.10.0 1.1.2.8

fortigate is in router mode so it sends all traffic to internet to asa

Thanks