DNS reply filtering

arunas.usonis
Level 1

Hi,

I am trying to make DNS filtering work, as URL filtering cannot permit HTTPS traffic.

The config is as per below. The thing is that it blocks every URL at the moment instead of just the test one, gmail.com, as per the regex.

It looks simple on paper, but I cannot make it work (

regex test "gmail\.com"

access-list http-user-vlan414-acl extended permit object-group http-inspect-ports 10.4.14.0 255.255.255.0 any

class-map type regex match-any DomainBlockList
  description blocked domains
  match regex test
!
class-map http-user-vlan414-class
  match access-list http-user-vlan414-acl
!
policy-map type inspect dns vlan414-policy
  parameters
    message-length maximum 512
  match domain-name regex class DomainBlockList
    drop-connection log
!
policy-map http-main-policy-vlan414
  class http-user-vlan414-class
    inspect dns vlan414-policy

service-policy http-main-policy-vlan414 interface vlan414

7 Replies

arunas.usonis
Level 1

The DNS server sits on the other side of the firewall:

client -> firewall -> DNS server

If I rework it into:

policy-map http-main-policy-vlan414
  class inspection_default   - have replaced it with the default class, then it starts somehow to work, still not perfect
    inspect dns vlan414-policy

So I am not sure why it doesn't like the class with the ACL; maybe it is somehow related to the inspect dns that you have under the default class.

I have sorted it myself; it seems the documentation is a bit misleading.

Hello Arunas,

I was about to ask for some outputs.

Glad to know you have it up and running. Can you share the solution and mark the question as answered, so future users can learn from your experience?

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Working example:

regex domainlist "example\.com"

class-map type regex match-any vlan414-url-whitelist
  description allowed domains
  match regex domainlist

policy-map type inspect dns vlan414-policy
  parameters
    message-length maximum 512
  match not domain-name regex class vlan414-url-whitelist
    drop-connection log

policy-map http-main-policy-vlan414
  class inspection_default
    inspect dns vlan414-policy

service-policy http-main-policy-vlan414 interface vlan414

Though what I cannot make work is using an ACL to define which machines are allowed to open URLs.

I have tried the following:

class-map http-user-vlan414-class
  match any - have played with any and the ACL, still no luck

policy-map http-main-policy-vlan414
  class http-user-vlan414-class -> so here basically substituting class inspection_default with http-user-vlan414-class
    inspect dns vlan414-policy

So if I apply a different class under the policy-map, my traffic stops immediately.

Any help welcome)
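To show what the regex class-map and the "match" versus "match not" forms in the working example above actually decide per query name, here is an added Python model; it is not part of this thread and not Cisco code. It assumes the ASA regex engine searches anywhere in the queried name unless the pattern is anchored with ^ or $, and the query names and the anchored whitelist variant are constructed for illustration.

```python
import re

# Constructed model of "class-map type regex match-any" plus a
# "match [not] domain-name regex class ... drop-connection" line in a
# "policy-map type inspect dns". Assumption: ASA regexes are unanchored,
# so "gmail\.com" is found anywhere in the name; re.search models that.

def regex_class_matches(patterns, domain):
    """match-any: True if any regex in the class is found in the domain."""
    return any(re.search(p, domain) for p in patterns)

def dns_policy_action(patterns, domain, negate=False):
    """Verdict of one 'match [not] domain-name regex class' line whose
    action is 'drop-connection log'. negate=True models 'match not',
    i.e. the whitelist form from the working example."""
    hit = regex_class_matches(patterns, domain)
    if negate:
        hit = not hit
    return "drop" if hit else "permit"

def evaluate(patterns, domains, negate=False):
    """Map every queried name to the verdict the inspector would give."""
    return {d: dns_policy_action(patterns, d, negate) for d in domains}

# Constructed sample query names as the DNS inspector would see them.
QUERIES = ["gmail.com", "mail.gmail.com", "example.com",
           "www.example.com", "example.com.cdn.net", "gmailxcom.net"]

# Blocklist form from the original post: regex test "gmail\.com"
BLOCKLIST = [r"gmail\.com"]
# Whitelist form from the working example, applied with "match not".
WHITELIST = [r"example\.com"]
# Constructed anchored variant (assumes ^, $, | and () are supported, as
# in ASA regex syntax): accepts the zone and its subdomains only, not
# names that merely contain "example.com" somewhere.
WHITELIST_ANCHORED = [r"(^|\.)example\.com$"]

if __name__ == "__main__":
    for name, pats, neg in [("blocklist", BLOCKLIST, False),
                            ("whitelist", WHITELIST, True),
                            ("whitelist-anchored", WHITELIST_ANCHORED, True)]:
        print(name)
        for d, verdict in evaluate(pats, QUERIES, neg).items():
            print(f"  {d:24} {verdict}")
```

The unanchored whitelist permits example.com.cdn.net because the substring matches; the anchored form drops it, which is the check to keep in mind when writing the regex lines above.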

Hello Arunas,

So if you set:

class-map http-user-vlan414-class
  match any

policy-map http-main-policy-vlan414
  class http-user-vlan414-class
    inspect dns vlan414-policy

OK, but have you applied it to a service-policy?

What do you mean by "traffic drops"?

Check my blog at http://laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC