Blacklisting websites using FQDN on ASA running 9.6.4

There have been problems with ransomware sites.

We have a list of site IP addresses that cause problems, so that is easy to add to a blacklist group,

but some locations are only known by their FQDN from certain domain servers,

so we blocked that domain server as well as the FQDN for the server.

So we note that when the ASA tries to get the IP address,

it talks to our internal DNS, which in turn tries Google and Telstra, which in turn come back with failure for that FQDN,

but then it continually tries the blocked DNS server because it never gets a response, and the ASA keeps asking.

It is doing its job OK; the bad sites are blocked.

So my question is: is there a better way so the ASA does not keep trying?

I don't know how you are doing it, but if you are using DNS inspection on
ASA it won't try to resolve the domain. For example:

regex domain_logmein.com "\.logmein\.com"
!
class-map type regex match-any DomainBlockList
 description Blocked Domains
 match regex domain_logmein.com
!
policy-map type inspect dns PM-DNS-inspect
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
!
policy-map global_policy
 class inspection_default
  inspect dns PM-DNS-inspect
!
service-policy global_policy global

You can also use ASA botnet with static entries of domains to block the
requests.

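As an added illustration (not code from this thread or from Cisco), the following Python dry run reproduces the decision the DNS inspection policy above makes: it builds a minimal DNS query, extracts the question name, applies the 512-byte message-length limit and then the regex from the answer. The second, anchored pattern and the assumption that the ASA regex engine accepts `^` and `$` are mine; confirm the final regexes on the ASA itself.

```python
import re
import struct

# Constructed blocklist: the regex from the accepted answer, plus an anchored
# variant (assumption: the ASA regex engine accepts ^ and $ anchors).
BLOCKLIST = {
    "domain_logmein.com": r"\.logmein\.com",
    "domain_logmein_anchored": r"(^|\.)logmein\.com$",
}
MESSAGE_LENGTH_MAXIMUM = 512  # matches "message-length maximum 512" on the page


def build_query(qname: str) -> bytes:
    """Build a minimal DNS A query for qname (constructed test input, not captured traffic)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_qname(packet: bytes) -> str:
    """Return the question name from a DNS message (labels after the 12-byte header)."""
    pos, parts = 12, []
    while True:
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:  # a compression pointer is not valid in a question name
            raise ValueError("compressed qname in question section")
        parts.append(packet[pos + 1 : pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(parts)


def inspect(packet: bytes, patterns: dict = BLOCKLIST) -> tuple:
    """Decide the way the page's policy-map would: length check first, then regex match."""
    if len(packet) > MESSAGE_LENGTH_MAXIMUM:
        return "drop", "message-length exceeds maximum"
    qname = parse_qname(packet)
    for name, pattern in patterns.items():
        # DNS names are case-insensitive (RFC 4343), so compare without case.
        if re.search(pattern, qname, re.IGNORECASE):
            return "drop-connection", f"{name} matched {qname}"
    return "allow", qname


if __name__ == "__main__":
    for q in ("www.logmein.com", "logmein.com", "www.logmein.com.example.net", "cisco.com"):
        print(q, inspect(build_query(q)))
```

Running `inspect` with one pattern at a time shows that the page's regex does not match the apex name `logmein.com` but does match any name containing `.logmein.com`, such as `www.logmein.com.example.net`; the anchored variant matches the apex and its subdomains only.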


Mohammed,

Thanks for the response, I will check this out

Is it the ASA itself that is trying to reach the blocked domains, or hosts behind the ASA?

The best option here would be to invest in Umbrella / OpenDNS to do URL filtering, or a firewall, such as FTD with FMC, that also supports URL filtering. That way you do not need to manually update URLs or IPs in the ASA firewall rules; this is done for you.
