968 Views, 0 Helpful, 2 Replies

ASA DNS inspection

lowen
Level 1

Is it possible to identify dynamic DNS update packets using a class-map (and thus write a policy to drop them)? I see "match header-flag", "match dns-type", and "match dns-class" in the command reference, but I can't find anywhere that these values are documented. I think one or more of these could be used to identify the dynamic update messages, but I can't find anything that really describes the differences, or documents the well-known values.

2 Replies

Collin Clark
VIP Alumni

Most dynamic DNS updates don't use DNS (UDP/TCP 53) as the transfer protocol. Here's an example from NO-IP.

What port does the dynamic update client use?

The No-IP supported update clients communicate to our update server via TCP port 8245. If you are using a firewall you need to configure it to allow this port.

Hope it helps.

Well, I guess there's some confusion over terminology here, but that's not what I'm asking about. I don't care about the client-based commercial services. I'm wanting to block incoming standards-based (RFC 2136) dynamic updates to my DNS servers. A little scanning of the RFC tells me that dynamic updates use an opcode of 5 in the DNS packet header. What I'm trying to figure out is how to create a class-map that will recognize that value, and then drop the packet when recognized.
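The follow-up above pins the distinguishing feature down correctly: an RFC 2136 UPDATE is an ordinary DNS message whose header OPCODE field (the four bits below QR in the second 16-bit word of the header, RFC 1035 section 4.1.1) is 5, so a firewall that can match on the raw header flags word can single it out. The Python below is an added example, not code from this thread or from Cisco: it builds constructed sample DNS headers, parses the flags word, and classifies UPDATE requests, so you can see exactly which bits a header match would have to test. It is not an ASA configuration; whether an ASA `match header-flag` with a hex value compares the whole 16-bit flags word (including the opcode bits) or only the individual flag bits is something to confirm in the command reference for your ASA version before relying on it, and the 0x2800 value shown here is the flags word of a bare UPDATE request with no other flag set.

```python
import struct

# DNS header (RFC 1035 s4.1.1): ID, FLAGS, then four 16-bit counts.
# FLAGS bit layout, MSB first:
#   15 QR | 14-11 OPCODE | 10 AA | 9 TC | 8 RD | 7 RA | 6-4 Z | 3-0 RCODE
# In an UPDATE message (RFC 2136 s2) the counts are ZOCOUNT, PRCOUNT,
# UPCOUNT and ADCOUNT instead of QDCOUNT, ANCOUNT, NSCOUNT and ARCOUNT.
HEADER_LEN = 12
OPCODE_QUERY = 0
OPCODE_UPDATE = 5        # RFC 2136 s1.3
OPCODE_SHIFT = 11
OPCODE_MASK = 0xF << OPCODE_SHIFT   # 0x7800
FLAG_QR = 1 << 15
FLAG_RD = 1 << 8


def build_header(msg_id, opcode, qr=0, rd=0, counts=(1, 0, 0, 0)):
    """Constructed sample data: a 12-byte DNS header with the given opcode."""
    flags = (qr << 15) | (opcode << OPCODE_SHIFT) | (rd << 8)
    return struct.pack("!HHHHHH", msg_id, flags, *counts)


def strip_tcp_length(payload):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 s4.2.2);
    remove it so the same header parser works for UDP and TCP payloads."""
    (length,) = struct.unpack("!H", payload[:2])
    if length != len(payload) - 2:
        raise ValueError("TCP length prefix does not match payload size")
    return payload[2:]


def parse_header(packet):
    """Return the header fields of a DNS message (UDP payload or de-framed TCP)."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated DNS header")
    msg_id, flags, c0, c1, c2, c3 = struct.unpack("!HHHHHH", packet[:HEADER_LEN])
    return {
        "id": msg_id,
        "flags": flags,
        "qr": 1 if flags & FLAG_QR else 0,
        "opcode": (flags & OPCODE_MASK) >> OPCODE_SHIFT,
        "rcode": flags & 0xF,
        "counts": (c0, c1, c2, c3),
    }


def is_dynamic_update(packet):
    """True for an RFC 2136 UPDATE request: opcode 5 with QR clear.
    Responses to updates (QR set) are left alone so the server's own replies
    to legitimate updaters elsewhere are not affected."""
    h = parse_header(packet)
    return h["opcode"] == OPCODE_UPDATE and h["qr"] == 0


def update_flags_word():
    """Flags word of a bare UPDATE request: only the opcode bits set."""
    return OPCODE_UPDATE << OPCODE_SHIFT   # 0x2800


def select_updates(packets):
    """Given (label, udp_payload) pairs, return the labels that are UPDATE requests,
    i.e. the ones a policy on the DNS server's ingress would drop."""
    return [label for label, payload in packets if is_dynamic_update(payload)]


if __name__ == "__main__":
    # Constructed sample traffic: a recursive query, an UPDATE request with one
    # zone and one update RR, and the server's response to that update.
    sample = [
        ("query", build_header(0x1001, OPCODE_QUERY, rd=1)),
        ("update-req", build_header(0x1002, OPCODE_UPDATE, counts=(1, 0, 1, 0))),
        ("update-resp", build_header(0x1002, OPCODE_UPDATE, qr=1, counts=(1, 0, 1, 0))),
    ]
    for label, payload in sample:
        h = parse_header(payload)
        print(f"{label:12s} flags=0x{h['flags']:04x} opcode={h['opcode']} qr={h['qr']}")
    print("would drop:", select_updates(sample))
```

Running it shows the query with flags 0x0100 (only RD set), the update request with 0x2800, and the update response with 0xa800; only the request is selected. If you match on the hex flags word rather than the opcode bits alone, remember that a client may also set other bits in the same word, so a match that requires the whole word to equal 0x2800 will miss an update carrying, for example, the RD bit.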
