Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
284
Views
5
Helpful
4
Replies

globally vs class-map inspection

bluesea2010
Level 5
Level 5

‎03-21-2016 02:35 PM - edited ‎03-12-2019 12:31 AM

Hi,

What is the differences between enabling  dns-guard globally or creating  class-map inspection 

firewall# configure terminal
firewall(config)# dns-guard
firewall(config)# exit
firewall#



class-map inspection_default
match default-inspection-traffic

policy-map type inspect dns preset_dns_map
parameters

dns-guard

Thanks

Labels:
0 Helpful
4 Replies 4

Dinesh Moudgil
Cisco Employee
Cisco Employee

‎03-21-2016 06:03 PM

DNS guard allows you to enforce check to restrtick one DNS response per query as stated here.

Whereas DNS inspection is more or less broad range of how DNS packets can be inspected on ASA and tweak and make checks on message length, domain-name length, and label length

Check this link for your reference.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

bluesea2010
Level 5
Level 5
In response to Dinesh Moudgil

‎03-21-2016 07:52 PM

Hi,

Is it ok enabling  both . ?

Does it help protecting from  dns amplification attack ?

Thanks

0 Helpful

Dinesh Moudgil
Cisco Employee
Cisco Employee
In response to bluesea2010

‎03-21-2016 08:25 PM

You shall enable DNS guard for it and also setup regex to leverage  MPF

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/inspect_basic.html#wp1335632

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/
0 Helpful

bluesea2010
Level 5
Level 5
In response to Dinesh Moudgil

‎03-23-2016 04:47 AM

Hi,

here is my setup

we have local dns ( microsoft ) and configured forward there in microsoft
sometimes client use external dns (8.8.8.8).

I don't permit dns port to the outside world


Here is the output of show service-policy inspect dns


Global policy:
Service-policy: global_policy
Class-map: inspection_default
Inspect: dns _default_dns_map, packet 222448193, lock fail 0, drop 53231, reset-drop 0, v6-fail-close 0
dns-guard, count 101342744
protocol-enforcement, drop 36883
nat-rewrite, count 0


Why i cant see id-randomization ?

Do i need to apply the policy on interface ?
if yes how can i do that ?

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card