Snooping on DNS over TCP breaks service

nikolamitev
Level 1

Hi,

I have just enabled DNS snooping on our ASA5585-X in preparation for enabling Botnet filter.

Since we have a fair amount of DNS over TCP and to ensure that I don't leave an easy way around the new protection, I looked at enabling snooping on TCP port 53 as well. Unexpectedly, this resulted in all TCP/53 traffic being dropped. Removing 'botnet_snoop_class_tcp' from 'policy-map botnet_snoop_policy' immediately restores traffic. Is this a known limitation, a bug or a misconfiguration?

Related config:

class-map botnet_snoop_class_udp
 match port udp eq 53
class-map botnet_snoop_class_tcp
 match port tcp eq 53
!
policy-map botnet_snoop_policy
 class botnet_snoop_class_udp
  inspect dns dynamic-filter-snoop
 class botnet_snoop_class_tcp
  inspect dns dynamic-filter-snoop
!
service-policy botnet_snoop_policy interface outside
service-policy botnet_snoop_policy interface inside
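An added example (not from this thread or from Cisco): a small Python check that parses the poster's MPF configuration, embedded below as a constructed sample, and lists every policy-map class that applies `inspect dns dynamic-filter-snoop` to a TCP port match, which is the combination that dropped TCP/53 here. It understands only the `class-map`/`match port` and `policy-map`/`class`/`inspect` lines shown in the post; `parse_mpf` and `tcp_snoop_classes` are names chosen for this example.

```python
import re

# Constructed sample: the configuration quoted in the post, indented as the ASA shows it.
SAMPLE_CONFIG = """\
class-map botnet_snoop_class_udp
 match port udp eq 53
class-map botnet_snoop_class_tcp
 match port tcp eq 53
!
policy-map botnet_snoop_policy
 class botnet_snoop_class_udp
  inspect dns dynamic-filter-snoop
 class botnet_snoop_class_tcp
  inspect dns dynamic-filter-snoop
!
service-policy botnet_snoop_policy interface outside
service-policy botnet_snoop_policy interface inside
"""

def parse_mpf(config):
    """One pass over ASA MPF text: class-map -> [(proto, port)], policy-map -> {class: [inspect actions]}."""
    classes, policies, cmap, pmap, cls = {}, {}, None, None, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"class-map\s+(\S+)", s):          # start of a class-map block
            cmap, pmap = m.group(1), None
            classes[cmap] = []
        elif m := re.match(r"policy-map\s+(\S+)", s):       # start of a policy-map block
            pmap, cmap, cls = m.group(1), None, None
            policies[pmap] = {}
        elif (m := re.match(r"match port (tcp|udp) eq (\S+)", s)) and cmap:
            classes[cmap].append((m.group(1), m.group(2)))  # only the 'match port' form is handled
        elif (m := re.match(r"class\s+(\S+)", s)) and pmap:  # class referenced inside a policy-map
            cls = m.group(1)
            policies[pmap].setdefault(cls, [])
        elif s.startswith("inspect ") and pmap and cls:
            policies[pmap][cls].append(s)
        elif s == "!" or s.startswith("service-policy"):   # block separator ends any open context
            cmap = pmap = cls = None
    return classes, policies

def tcp_snoop_classes(config):
    """List (policy, class, port) where DNS snooping is applied to a TCP port match."""
    classes, policies = parse_mpf(config)
    hits = []
    for pmap, per_class in policies.items():
        for cls, actions in per_class.items():
            if any(a.startswith("inspect dns") and "dynamic-filter-snoop" in a for a in actions):
                hits += [(pmap, cls, port) for proto, port in classes.get(cls, []) if proto == "tcp"]
    return hits
```

Run it against `show running-config` output saved to a file to find the offending class before removing it from the policy-map.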
