06-16-2015 09:26 AM - edited 03-11-2019 11:07 PM
I’m trying to implement a whitelist with DNS Inspect in Service Policy Rules. I can do a blacklist with the sites the users cannot access. But when I try to invert the logic and implement a whitelist, I end up with everything blocked.
I create a DNS inspect map with two class maps. The first class matches websites A and B and logs the packet; the second class matches everything and drops and logs the packet.
I always get hits in the second class and everything gets blocked, even sites A and B. Does the DNS inspect map continue to process the classes after the first match? What am I doing wrong?
Thanks in advance.
06-16-2015 09:03 PM
Hi,
Can you share the relevant configuration from the ASA device?
Thanks and Regards,
Vibhor Amrodia
06-17-2015 02:36 AM
Hello Vibhor,
Here is the relevant configuration:
regex whitelist1 "\.siteA\.com"
regex whitelist2 "\.siteB\.com"
regex blockall "\."
class-map type inspect dns match-any DNS-Whitelist
 match not domain-name regex whitelist1
 match not domain-name regex whitelist2
class-map type inspect dns match-any DNS-BlockAll
 match not domain-name regex blockall
policy-map type inspect dns dns-inspect-new
 parameters
  message-length maximum 512
 class DNS-Whitelist
  log
 class DNS-BlockAll
  drop log
policy-map outside-policy
 class outside-class
  inspect dns dns-inspect-new
!
service-policy outside-policy interface outside
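Added example (not from this thread and not Cisco code): a small Python model that runs the three posted regexes against a handful of constructed query names and combines them the way the class-map keywords read, assuming match-any is an OR over its match lines and "match not" negates a single line. It makes two things visible about the posted config: the two "match not" lines in DNS-Whitelist can never both be false for one name, so that class matches every query (De Morgan: "not A or not B" is only false when A and B both hold); and "\.siteA\.com" needs a leading dot, so the bare apex name siteA.com is not covered by the whitelist regex at all. The class-map semantics are an assumption, so this is a reasoning aid rather than a statement of how the ASA evaluates the policy.

```python
import re

# The three regexes exactly as posted in the thread. Python's re evaluates
# these simple patterns the same way a Cisco regex would.
REGEXES = {
    "whitelist1": r"\.siteA\.com",
    "whitelist2": r"\.siteB\.com",
    "blockall": r"\.",
}

# Class maps as posted, in policy-map order: (negated?, regex name) per
# match line. Both class maps are match-any.
CLASS_MAPS = {
    "DNS-Whitelist": [(True, "whitelist1"), (True, "whitelist2")],
    "DNS-BlockAll": [(True, "blockall")],
}


def regex_matches(regex_name, qname):
    """True if the named regex is found anywhere in the query name
    (unanchored search, like the posted patterns without ^ or $)."""
    return re.search(REGEXES[regex_name], qname) is not None


def class_matches(class_name, qname):
    """ASSUMED semantics: match-any = OR over the match lines, and
    'match not' negates just that one line."""
    for negated, regex_name in CLASS_MAPS[class_name]:
        hit = regex_matches(regex_name, qname)
        if negated:
            hit = not hit
        if hit:
            return True
    return False


def evaluate(qname):
    """Which class maps a single query name would satisfy."""
    return {cls: class_matches(cls, qname) for cls in CLASS_MAPS}


def names_hitting_class(class_name, qnames):
    """Subset of qnames that satisfy the given class map."""
    return [q for q in qnames if class_matches(class_name, q)]


# Constructed sample query names for the demonstration.
SAMPLE_QUERIES = [
    "www.siteA.com",    # intended to be allowed
    "www.siteB.com",    # intended to be allowed
    "siteA.com",        # apex name: the regex needs a leading dot
    "www.example.net",  # intended to be blocked
    "localhost",        # no dot at all
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(f"{q:18} {evaluate(q)}")
```

Running it shows DNS-Whitelist matching all five names, and "\.siteA\.com" not matching the apex siteA.com, which is worth checking before trusting any allow-list built on these patterns. Under the assumed negation semantics the model does not reproduce the reported hits on DNS-BlockAll for dotted names, so the ASA's handling of "match not" inside a match-any class is exactly the part to confirm against the device itself.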