04-02-2020 09:33 AM
Hi,
Is there any impact of disabling DNS inspection on the ASA, or in what scenarios do we have to remove
policy-map global_policy
class inspection_default
no inspect dns
Thanks
04-02-2020 10:36 AM
ASA point of view:
DNS inspection on the ASA is enabled by default and performs a number of different functions that many people might not even recognize. When enabled, DNS inspection makes the life of the ASA administrator much easier and keeps the relationship with the DNS administrators and the internal user base much happier. Functions that it provides include the following:
DNS inspection can also be used to control the behavior of the ASA based on a number of different traffic-matching criteria.
Not sure what the reason is that you would like to disable it, until you see any reason here.
The ASA keeps a connection table for UDP connections to dynamically allow connections initiated from the inside to get a reply from the outside without getting blocked by the ASA. This is the nature of a stateful firewall. If you disable it, you need to have explicit ACL rules available for the DNS queries.
04-02-2020 11:08 AM
Hi,
"The ASA keeps a connection table for UDP connections to dynamically allow connections initiated from the inside to get a reply from the outside without getting blocked by the ASA. This is the nature of a stateful firewall. If you disable it, you need to have explicit ACL rules available for the DNS queries."
You mean if a client 10.0.2.10 is trying to access 8.8.8.8, then we need an ACL if we disable DNS inspection?
The reason I am trying to disable it:
I have a DNS filter policy in the FortiGate firewall; it sends the DNS query to the FortiGate SDNS server to get the category of the DNS name requested.
Topology
I captured the traffic on the ASA using ASDM.
Traffic capture settings:
Interface: OUTSIDE
Outside source: 45.75.200.89 (FortiGate SDNS IP)
Destination: 0.0.0.0
The FortiGate interface IP is 172.16.10.1.
NAT configured for FortiGate internet access:
nat (Inside,Outside) after-auto source dynamic 172.16.10.0 1.1.2.8
Captured egress inside traffic attached.
The DNS reply is giving some error.
Does it mean the issue is from the ASA?
Is it the right way of capturing, or do we need to do anything else?
Thanks
04-02-2020 11:52 AM
Hi,
I've never had a reason at any of my customers to disable DNS inspection. Usually DNS inspection is removed because of a bug, or because it drops DNS requests and we don't know how to investigate and change the Layer 7 default settings for DNS inspection. Perform packet captures on the ingress and egress points of the ASA for DNS traffic (comparing the live DNS traffic with the default DNS inspection settings could give the best hint on what parameters to change in order to fix it).
If you remove DNS inspection: DNS is UDP, and DNS does not create secondary channels, so DNS will still work; the ASA will just treat the connection as UDP. This is, however, not recommended.
Regards,
Cristian Matei.
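One way to do the ingress/egress comparison suggested above, as an added example that is not from this thread or from Cisco: a small parser for UDP DNS messages that reports the transaction ID, RCODE and question (e.g. a TXT query answered with SERVFAIL), flags replies larger than the 512-byte limit assumed here for the stock ASA preset_dns_map, and lists IDs seen on one capture point but not the other. The sample packets are constructed, not taken from the poster's capture.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
QTYPES = {1: "A", 16: "TXT", 28: "AAAA"}
# Assumption: the ASA still runs the stock preset_dns_map, whose
# "message-length maximum 512" makes inspection drop larger UDP DNS messages.
ASA_DEFAULT_MAX_MSG_LEN = 512


def encode_name(name):
    """Encode a dotted name as DNS labels (used only to build the samples)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_name(msg, off):
    """Decode a possibly compressed name starting at offset off."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_dns(msg):
    """Return header fields and the question section of one UDP DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions = 12, []
    for _ in range(qd):
        qname, off = parse_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, QTYPES.get(qtype, str(qtype))))
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "questions": questions, "answers": an, "length": len(msg),
            "over_asa_default_len": len(msg) > ASA_DEFAULT_MAX_MSG_LEN}


def missing_on_egress(inside_msgs, outside_msgs):
    """Transaction IDs captured inside but not outside: candidate ASA drops."""
    seen_out = {parse_dns(m)["id"] for m in outside_msgs}
    return sorted({parse_dns(m)["id"] for m in inside_msgs} - seen_out)


# Constructed sample: a SERVFAIL reply (flags 0x8182) to a TXT query for example.com.
SAMPLE_SERVFAIL = (struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
                   + encode_name("example.com") + struct.pack("!HH", 16, 1))
```

Feed the UDP payloads from the inside and outside captures to missing_on_egress; an ID that never appears on the far side points at the ASA, while a SERVFAIL that is present on both sides came from the upstream server.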
04-02-2020 12:29 PM
Thanks for the reply.
What do you mean by secondary channel? I have attached a packet capture in my previous post; the DNS query type is TXT record and the query response is giving a server failure error. So I was suspecting the ASA is doing something.
How do I check whether the ASA drops certain traffic?
Thanks
04-03-2020 07:20 AM
"You mean if a client 10.0.2.10 is trying to access 8.8.8.8, then we need an ACL if we disable DNS inspection?"
Yes, you need an ACL for the DNS to get queried to 8.8.8.8, if you have implicit deny rules in place, until you are doing NAT here.
I looked at your capture; it does not give enough information apart from server failure. Not sure what query you are doing there.
Best thing: try nslookup and see if you are able to get queries from the DNS server after disabling the DNS inspection.
04-03-2020 09:52 AM
"Yes, you need an ACL for the DNS to get queried to 8.8.8.8, if you have implicit deny rules in place, until you are doing NAT here."
I am sorry, I did not get this part; it would be great if you could give an example.
Thanks
04-03-2020 10:20 AM
What I was trying to explain was:
From your PC, when you do nslookup, are you able to get the query back for the DNS resolution of cisco.com or google.com?
If yes, then there are NAT or ACL rules in place to get your DNS query from inside to outside.
If that fails, the FW denies by default, so my suggestion is that you are required to allow ACL rules for the DNS queries to be sent to the outside.
We are not sure how your network is; I have seen in that post you also have a FortiGate? Also an ASA FW?
04-03-2020 11:10 AM
Hi,
"If yes, then there are NAT or ACL rules in place to get your DNS query from inside to outside."
Yes, I have dynamic NAT there in place.
When you say NAT or ACL query, how is that possible without NAT if the DNS server is reachable only via a public IP (8.8.8.8)?
The FortiGate interface IP is 172.16.10.1.
NAT configured for FortiGate internet access:
nat (Inside,Outside) after-auto source dynamic 172.16.10.0 1.1.2.8
The FortiGate is in router mode, so it sends all traffic to the internet via the ASA.
Thanks