https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172006#M605824 <HTML><HEAD></HEAD><BODY><P></P><P> I see. So what is the best way to deal with restricting access to DNS names that resolve to multiple and/or dynamic IP's? </P><P> Are there any alternatives to manually maintaining a host file/access list?</P><P></P><P> Thanks for your help!</P><P></P><P>-P </P></BODY></HTML> Mon, 19 May 2003 23:43:11 GMT woodp 2003-05-19T23:43:11Z https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172004#M605820 <P></P><P> I started out on a mission to block instant messaging- (AIM, Yahoo, MSN)</P><P></P><P> To avoid an endless list of IP's, I was planning on blocking the login servers by DNS name. I soon discovered that our PIX cannot resolve any hostnames. It can ping to the outside world just fine, but it cannot ping any hostname, including itself. DNS server configuration seems to be a different beast altogether on PIX.</P><P></P><P> Am I missing something? How should I go about making this possible?</P><P></P><P> Thanks!</P><P> -Paul</P><P></P><P>Some brief info: </P><P></P><P>Cisco PIX Firewall Version 6.2(2)</P><P>Cisco PIX Device Manager Version 2.1(1)</P><P></P><P>Hardware: PIX-525, 256 MB RAM, CPU Pentium III 600 MHz</P><P>Flash E28F128J3 @ 0x300, 16MB</P><P>BIOS Flash AM29F400B @ 0xfffd8000, 32KB </P><P></P><P></P> Fri, 21 Feb 2020 06:45:04 GMT https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172004#M605820 woodp 2020-02-21T06:45:04Z https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172005#M605823 <HTML><HEAD></HEAD><BODY><P>Hi Paul,</P><P></P><P>No, you are right.</P><P></P><P>Unlike router, you cannot configure PIX to use any DNS server for name ressolution. But, what you can do though is use the following command to name your ips:</P><P></P><P>name <IP_ADDRESS> <NAME></NAME></IP_ADDRESS></P><P></P><P>So, if you define, name <A class="jive-link-custom" href="http://www.test.com" target="_blank">www.test.com</A> 10.1.1.1 then you can ping this address by the <A class="jive-link-custom" href="http://www.test.com." target="_blank">www.test.com.</A> No need to use the ip address.</P><P></P><P>But, defining a seperate dns server for name ressolution is not possible on the PIX Firewall. </P><P></P><P>I hope this answers your question. Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Mon, 19 May 2003 22:38:07 GMT https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172005#M605823 mhoda 2003-05-19T22:38:07Z https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172006#M605824 <HTML><HEAD></HEAD><BODY><P></P><P> I see. So what is the best way to deal with restricting access to DNS names that resolve to multiple and/or dynamic IP's? </P><P> Are there any alternatives to manually maintaining a host file/access list?</P><P></P><P> Thanks for your help!</P><P></P><P>-P </P></BODY></HTML> Mon, 19 May 2003 23:43:11 GMT https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172006#M605824 woodp 2003-05-19T23:43:11Z https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172007#M605825 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The best and only solution is to use url filtering. You can filter the web traffic based on domain name, ip addresses or specific keyword etc... </P><P></P><P>Here is the a link that explains:</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008c103.html#xtocid9" target="_blank">http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008c103.html#xtocid9</A></P><P></P><P>With the newer version of Pix code, this feature has been improved a lot. Please refer to the command reference of the version you are running. PIX can support web sense and N2H2 url filtering server.</P><P></P><P>Unlike NBAR feature on the router, PIX cannot do similiar things like packet marking and dropping rather it relies on external web filtering servers like Web Sense or N2H2.</P><P></P><P>I hope this helps ! Thanks,</P><P></P><P>Mynul</P></BODY></HTML> Tue, 20 May 2003 02:48:17 GMT https://community.cisco.com/t5/network-security/pix-dns-hostname-blocking-configuration/m-p/172007#M605825 mhoda 2003-05-20T02:48:17Z