03-21-2016 02:35 PM - edited 03-12-2019 12:31 AM
Hi,
What is the difference between enabling dns-guard globally and creating a class-map inspection?
firewall# configure terminal
firewall(config)# dns-guard
firewall(config)# exit
firewall#
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
dns-guard
Thanks
03-21-2016 06:03 PM
DNS guard allows you to enforce check to
Whereas DNS inspection is more or less a broad range of how DNS packets can be inspected on the ASA, and lets you tweak and make checks on message length, domain-name length, and label length.
Check this link for your reference.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-21-2016 07:52 PM
Hi,
Is it OK to enable both?
Does it help protect from DNS amplification attacks?
Thanks
03-21-2016 08:25 PM
You should enable DNS guard for it and also set up regex to leverage MPF.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_basic.html#wp1335632
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
03-23-2016 04:47 AM
Hi,
here is my setup
we have a local DNS (Microsoft) and configured forwarding there in Microsoft.
Sometimes clients use external DNS (8.8.8.8).
I don't permit the DNS port to the outside world.
Here is the output of show service-policy inspect dns
Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns _default_dns_map, packet 222448193, lock fail 0, drop 53231, reset-drop 0, v6-fail-close 0
dns-guard, count 101342744
protocol-enforcement, drop 36883
nat-rewrite, count 0
Why can't I see id-randomization?
Do I need to apply the policy on an interface?
If yes, how can I do that?
Thanks
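The thread asks three things that one configuration can show together: how the global dns-guard command relates to the dns-guard parameter of a DNS inspection policy map, what "set up regex to leverage MPF" looks like, and why id-randomization does not appear in show service-policy inspect dns and whether the policy must be bound to an interface. The configuration below is an added example written for this edit; it is not from the original posts or from Cisco's documentation. The map name DNS_INSPECT, the class DNS_BLOCK, the regex name dns_block_domain and its pattern, and the interface name outside are assumptions; the commands themselves are standard ASA 8.4/9.x Modular Policy Framework syntax.

```cisco
! Added example, not from the thread. Names are placeholders.
!
! 1) Global DNS guard: one response per query, UDP flow torn down
!    after the first reply. Enabled by default; shown for clarity.
dns-guard
!
! 2) Regex + inspection class map (the "MPF with regex" part).
!    Queries whose question name matches the regex will be dropped.
regex dns_block_domain "\.example\.com$"
class-map type inspect dns match-any DNS_BLOCK
 match domain-name regex dns_block_domain
!
! 3) DNS inspection policy map. Only parameters listed here are
!    active, and only active ones show up in
!    "show service-policy inspect dns".
policy-map type inspect dns DNS_INSPECT
 parameters
  dns-guard
  id-randomization
  id-mismatch count 10 window 2 action log
  message-length maximum 512
  protocol-enforcement
  nat-rewrite
 class DNS_BLOCK
  drop log
!
! 4) Attach the map. The posted output names _default_dns_map, which
!    is what "inspect dns" with no map name uses; reference the
!    custom map explicitly.
policy-map global_policy
 class inspection_default
  inspect dns DNS_INSPECT
!
! 5a) Apply everywhere (one global policy is allowed):
service-policy global_policy global
!
! 5b) Or, only if a different policy is wanted on one interface;
!     an interface policy overrides the global one for that interface.
! policy-map outside_policy
!  class inspection_default
!   inspect dns DNS_INSPECT
! service-policy outside_policy interface outside
!
! Verify; an "id-randomization, count N" line should now be listed.
! show service-policy inspect dns
```

Reading the output posted above against this: the inspect line names _default_dns_map, the built-in map the ASA uses when inspect dns is entered without a map name, and the counters list only the features enabled in the map that is actually attached, so id-randomization appears once a map containing that parameter is referenced from the inspect dns line. Binding per interface is not required for it to work; service-policy ... global already applies the inspection on every interface, and a per-interface service-policy is only needed when one interface should get different treatment. As I read the ASA command reference for dns-guard, the global command covers DNS traffic that is not subject to DNS inspection, and where inspection is applied the dns-guard parameter in the inspection map is the setting in effect, so enabling both does no harm. One caveat for the amplification question: dns-guard and message-length maximum limit what spoofed or oversized responses can do to hosts behind the ASA, but they do not rate-limit queries, so keeping a resolver from being abused as an amplifier is a matter of not exposing it as an open resolver rather than of these two parameters.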