topic Hi, in Network Security

globally vs class-map inspection

bluesea2010 — Tue, 12 Mar 2019 07:31:36 GMT

Hi,

What is the differences between enabling dns-guard globally or creating class-map inspection

firewall# configure terminal
firewall(config)# dns-guard
firewall(config)# exit
firewall#

class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters

dns-guard

Thanks

DNS guard allows you to

Dinesh Moudgil — Tue, 22 Mar 2016 01:03:57 GMT

DNS guard allows you to enforce check to restrtick one DNS response per query as stated here.

Whereas DNS inspection is more or less broad range of how DNS packets can be inspected on ASA and tweak and make checks on message length, domain-name length, and label length

Check this link for your reference.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi,

bluesea2010 — Tue, 22 Mar 2016 02:52:08 GMT

Hi,

Is it ok enabling both . ?

Does it help protecting from dns amplification attack ?

Thanks

You shall enable DNS guard

Dinesh Moudgil — Tue, 22 Mar 2016 03:25:30 GMT

You shall enable DNS guard for it and also setup regex to leverage MPF

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_basic.html#wp1335632

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Hi,

bluesea2010 — Wed, 23 Mar 2016 11:47:41 GMT

Hi,

here is my setup

we have local dns ( microsoft ) and configured forward there in microsoft
sometimes client use external dns (8.8.8.8).

I don't permit dns port to the outside world

Here is the output of show service-policy inspect dns

Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns _default_dns_map, packet 222448193, lock fail 0, drop 53231, reset-drop 0, v6-fail-close 0
dns-guard, count 101342744
protocol-enforcement, drop 36883
nat-rewrite, count 0

Why i cant see id-randomization ?

Do i need to apply the policy on interface ?
if yes how can i do that ?

Thanks