06-30-2017 01:00 PM - edited 03-12-2019 02:38 AM
Community,
I'm reaching out to get feedback on under what circumstances we should be using FQDNs as a destination in the ACL. I've come across this article that shows the pitfalls of doing so:
The issue we're seeing is that when the ASA resolves the IP for the FQDN, it could get a different IP from DNS than the client gets, resulting in an ACL drop by the firewall. The only way I can see the FQDN working consistently is if
1) The FQDN only ever gets resolved to a single IP. Even if that IP changes, it's guaranteed that both the host and the ASA will have the same destination IP.
or
2) The DNS server returns every possible IP it can resolve to. In the case where the DNS server can return a multitude of different IPs but only hands out 1 IP at any one time, the only way around this, to me, would be to use an "Any" in the destination.
Can anyone shed some light on how they might be getting around this issue? Are there any inherent issues with using "Any" as a destination as long as you restrict it to only the necessary ports?
Thanks.
07-04-2017 01:36 AM
The ASA requests all the IP addresses, and blocks all of them.
The feature works really well.
07-07-2017 10:21 AM
Philip,
Apparently I have some false assumptions about how DNS works. However, I am seeing instances where the ASA is only entering a single IP address for a certain FQDN while the client has a different IP address for that FQDN. I've also observed behavior where the firewall will have varying numbers of IPs after resolution. For instance, take the URL api.mailgun.net below. Notice how on one pass it has 6 IPs but on the very next pass it has 12. I'm trying to understand the dynamics of what causes this behavior so I can better understand when to use FQDNs in my ACLs.
qts-fwprod-1a# show dns
Name: api.mailgun.net
Address: 52.25.141.59 TTL 00:00:01
Address: 54.218.45.94 TTL 00:00:01
Address: 34.208.24.212 TTL 00:00:01
Address: 52.26.236.92 TTL 00:00:01
Address: 52.35.213.92 TTL 00:00:01
Address: 52.10.111.90 TTL 00:00:01
Name: xfer-atl.pinnacledatasystems.com
Address: 50.204.234.102 TTL 00:59:48
qts-fwprod-1a# show dns
Name: api.mailgun.net
Address: 52.25.141.59 TTL 00:00:39
Address: 54.218.45.94 TTL 00:00:39
Address: 34.208.24.212 TTL 00:00:39
Address: 52.26.236.92 TTL 00:00:39
Address: 52.35.213.92 TTL 00:00:39
Address: 52.10.111.90 TTL 00:00:39
Address: 34.192.224.226 TTL 00:01:38
Address: 34.194.139.124 TTL 00:01:38
Address: 54.174.201.242 TTL 00:01:38
Address: 34.198.162.177 TTL 00:01:38
Address: 52.54.100.199 TTL 00:01:38
Address: 34.200.161.192 TTL 00:01:38
Name: xfer-atl.pinnacledatasystems.com
Address: 50.204.234.102 TTL 00:59:22
Please also note the FQDN prod.dw.us.fdcnet.biz, which is the FQDN behind the motivation for this post. Please notice that on one pass it returns IP 208.72.254.254 but on a different pass it returns 216.66.222.254. If the DNS server truly does hand out every possible IP, why is the ASA not entering them all consistently?
qts-fwprod-1a# show dns
Name: prod.dw.us.fdcnet.biz
Address: 208.72.254.254 TTL 00:02:25
qts-fwprod-1a# show dns
Name: prod.dw.us.fdcnet.biz
Address: 216.66.222.254 TTL 00:02:11
The way my ASA is behaving doesn't give me any kind of confidence in using FQDNs as destinations.
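A small parser for the "show dns" format captured above, added here as an example (it is not code from the thread or from Cisco): it turns a capture into the FQDN-to-address set the ASA currently holds, reports which entries are about to expire, and checks whether the address a client resolved falls inside the ASA's set. The sample capture and the function names are constructed for this example.

```python
import re

# Constructed sample in the same layout as the ASA "show dns" captures above
# (the addresses are ones quoted in the thread; TTLs are illustrative).
SHOW_DNS = """\
qts-fwprod-1a# show dns
Name: api.mailgun.net
Address: 52.25.141.59 TTL 00:00:01
Address: 54.218.45.94 TTL 00:00:01
Address: 34.208.24.212 TTL 00:01:38
Name: prod.dw.us.fdcnet.biz
Address: 208.72.254.254 TTL 00:02:25
"""

ADDRESS_RE = re.compile(r"^Address:\s+(\S+)\s+TTL\s+(\d\d):(\d\d):(\d\d)$")


def parse_show_dns(text):
    """Return {fqdn: {ip: remaining_ttl_seconds}} from 'show dns' output.

    Lines that are neither 'Name:' nor 'Address:' (for example the CLI
    prompt) are ignored.
    """
    cache, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Name:"):
            current = line.split(None, 1)[1].strip()
            cache.setdefault(current, {})
            continue
        match = ADDRESS_RE.match(line)
        if match and current is not None:
            hours, minutes, seconds = (int(x) for x in match.group(2, 3, 4))
            cache[current][match.group(1)] = hours * 3600 + minutes * 60 + seconds
    return cache


def fqdn_acl_permits(cache, fqdn, client_ip):
    """True only if the client's resolved IP is in the ASA's current set for fqdn.

    A client whose resolver handed it an address outside this set will hit
    an ACL drop, which is the mismatch the thread describes.
    """
    return client_ip in cache.get(fqdn, {})


def expiring_within(cache, fqdn, seconds):
    """Addresses whose TTL lapses within `seconds`; re-resolution may change the set."""
    return sorted(ip for ip, ttl in cache.get(fqdn, {}).items() if ttl <= seconds)
```

Run it against a fresh capture and a client's own lookup result to see whether the two resolvers agree before blaming the ACL.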
07-07-2017 06:18 PM
Are your ASA and your clients using the same DNS server? If not, make them the same.
07-18-2017 12:11 PM
Philip,
Thanks so much for the replies. They are using the same DNS server. In the case of the prod.dw.us.fdcnet.biz URL, any idea why it will return one IP and then another but never both simultaneously? Is this something on the DNS side? Thanks.
07-18-2017 01:15 PM
I always get exactly the same result when I query prod.dw.us.fdcnet.biz. But perhaps it is a geographic load balancer and the result depends on where you are in the world.
07-25-2017 08:50 AM
Hi Philip,
I want to configure an FQDN ACL for Office 365 on ASA 9.6 IOS. Can you tell me how to configure it?
thanks
07-07-2017 06:20 PM
I would say api.mailgun.net is sitting behind an Amazon load balancer.
It is OK for the IP addresses to vary somewhat from request to request, especially as they are using small TTLs. As long as your clients make the DNS request at around the same time as your ASA does, it should all work out fine, especially if they are using the same DNS server. The first requester will cause a request to be made and cached, and the ASA should get that same cached result.
If your ASA and clients are using different DNS servers the results will be more variable.
07-04-2017 01:37 AM
Also note that a DNS server does not hand out "1 IP at a time". It returns all of the IP addresses.
It is the resolver library on your machine that only returns 1 of all the answers returned.