topic Re: ZBF with dynamic DNS names in Network Security

ZBF with dynamic DNS names

kzajdlew — Thu, 02 Feb 2023 14:57:15 GMT

I am looking for explenation/documentation what actually happens when i implement something like this :

parameter-map type protocol-info example_allow
server name example.com
server name *.example.com
server name www.example.com
class-map type inspect match-any example_allow
description allowing certain websites
match protocol http example_allow
match protocol https example_allow
class type inspect example_allow
inspect

+ dns coniguration with ip domain lookup enabled

i am putting it on policymap , zones everything configured correctly and acctually i would like to achieve that people who goes from zone internal2external lets say can only reach this example.com website. I believe that :

show parameter-map type protocol-info dns-cache zone-pair internal2external

will show me maping of dns with ip ...

So quetion, is it working in that way ? 🙂 i cannot find details whats the influance on performance , how often lookup will be executed, if it somehow may cause longer delay .. is it basic feature or it require something additional in compare to basic l3/l4 zbf..

Many thanks in advance for sheding some light on this topic.

p.s. currently we use only static entries - access lists with ip addresses what for internal services lets say is fine but for dynamic, internet... not scalable at all

Re: ZBF with dynamic DNS names

MHM Cisco World — Thu, 02 Feb 2023 15:24:10 GMT

can you more elaborate ?
DNS work with IP
ZoneFirewall can inspect :-
1- IP via ACL
2- Protocol

so even if DNS change IP you can still use protocol instead to inspect the traffic.

Re: ZBF with dynamic DNS names

kzajdlew — Thu, 02 Feb 2023 16:22:06 GMT

I am not sure if i understood you correctly. In short i am looking for solution where i could replace static ip addresses in access lists with dynamic dns objects e.g putting teams.microsoft.com instead of using mutiplce ip addresses like 52.113.194.132 leading to teams..

p.s. i am beginner with zbf 🙂

Re: ZBF with dynamic DNS names

MHM Cisco World — Thu, 02 Feb 2023 16:29:25 GMT

what TCP/UDP you inspect ?

Re: ZBF with dynamic DNS names

kzajdlew — Thu, 02 Feb 2023 18:06:43 GMT

as example :

tcp eq 443
tcp eq www
udp eq 3478
udp eq 3479
udp eq 3480
udp eq 3481

Re: ZBF with dynamic DNS names

MHM Cisco World — Thu, 02 Feb 2023 18:38:03 GMT

I will share config with you

Re: ZBF with dynamic DNS names

MHM Cisco World — Thu, 02 Feb 2023 19:08:23 GMT

this simple lab, R1 config with ZoneFirewall but I use Protocol not IP for inspection.
I allow only port telnet and ICMP.
I try telnet from R3 to R2 success
I try ping from R3 to R2 success
I try traceroute from R3 to R2 failed, because the traceroute is not allow for inspection.

class-map type inspect match-any Port
match protocol telnet
match protocol icmp
!
!
policy-map type inspect policy
class type inspect Port
inspect
class class-default
drop log
!
zone security IN
zone security OUT
zone-pair security IN-to-OUT source IN destination OUT
service-policy type inspect policy

Re: ZBF with dynamic DNS names

kzajdlew — Thu, 02 Feb 2023 19:57:49 GMT

Unfortunately this is not what i was looking for. Maybe i described it wrongly but i am not interested in services/ports/protocols but "destination objects".

For example in your lab let say that router r2 has a dns name r2.test.com and webservice enabled.. i would like to have posibility to create a rule to allow http only to domain *.test.com... so for instance from r3 i should able to http to this r2 even though his ip could change but name would remian same.. so r1 should make a dns query from time to time to keep it in dns cache and dynamicly put in firewall rule

example of domain object in checkpoint security gateway :

Domains

A Domain object lets you define a host or DNS domain by its name only. It is not necessary to have the IP address of the site.

You can use the Domain object in the source and destination columns of an Access Control Policy.

You can configure a Domain object in two ways:

-Select FQDN

In the object name, use the Fully Qualified Domain Name (FQDN). Use the format .x.y.z (with a dot "." before the FQDN). For example, if you use .www.example.com then the Gateway matches www.example.com

This option is supported for R80.10 and higher, and is the default. It is more accurate and faster than the non-FQDN option.

Security Gateway looks up the FQDN with a direct DNS query, and uses the result in the Rule Base

-Clear FQDN

This option enforces the domain and its sub-domains. In the object name, use the format .x.y for the name. For example, use .example.com or .example.co.uk for the name. If you use .example.com, then the Gateway matches www.example.com and support.example.com

The Gateway does the name resolution using DNS reverse lookups, which can be inaccurate. The Gateway uses the result in the Rule Base, and caches the result to use again.

Re: ZBF with dynamic DNS names

MHM Cisco World — Thu, 02 Feb 2023 19:59:33 GMT

Now I get it, I will check solutionm, update you soon

Re: ZBF with dynamic DNS names

kzajdlew — Thu, 02 Feb 2023 20:00:34 GMT

ok, thank you very much

Re: ZBF with dynamic DNS names

kzajdlew — Thu, 09 Feb 2023 14:14:55 GMT

so far i ve not received a feedback which will help me with this topic, anything would be welcome

Re: ZBF with dynamic DNS names

MHM Cisco World — Sun, 12 Feb 2023 20:54:02 GMT

policy-map is using class-map which can use
protocol <<- this as we see above not suitable for your case
ACL <<- here you can use ACL to permit/deny hostname https://blog.ipspace.net/2008/11/using-hostnames-in-ip-access-lists.html

try using ACL for hostname as link above with class-map.

hope this help you.
thanks

Re: ZBF with dynamic DNS names

kzajdlew — Mon, 13 Feb 2023 08:29:01 GMT

Hi,

This seems to be static and without any scalibilty = dns lookup take place probably only at the begining and putting ip in place. I am looking for somethng dynamic

Re: ZBF with dynamic DNS names

MHM Cisco World — Tue, 14 Feb 2023 00:41:15 GMT

but if your DNS server return time TTL then the ZFW will ask hostname in periodic time

Re: ZBF with dynamic DNS names

kzajdlew — Tue, 14 Feb 2023 13:21:19 GMT

but what if DNS loabalnce traffic between multiple ips ?