Cisco ASA Series Configuration Guide

Cisco ASA Series
428 pages
Cisco ASA Series Firewall CLI Configuration Guide
Chapter 13 Inspection of Basic Internet Protocols
DNS Inspection
Example
The following example shows how to define a DNS inspection policy map.
regex domain_example "example\.com"
regex domain_foo "foo\.com"

! define the domain names that the server serves
class-map type inspect regex match-any my_domains
   match regex domain_example
   match regex domain_foo

! Define a DNS map for query only
class-map type inspect dns match-all pub_server_map
   match not header-flag QR
   match question
   match not domain-name regex class my_domains

policy-map type inspect dns new_dns_map
   class pub_server_map
      drop log
   match header-flag RD
      mask log
   parameters
      message-length maximum client auto
      message-length maximum 512
      dns-guard
      protocol-enforcement
      nat-rewrite
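
The matching logic of the policy map above, as a simplified Python model (an added example, not Cisco's code and not how the ASA implements inspection). It assumes that match question means the message carries a question, that the regexes match anywhere in the queried name, and that mask clears the RD bit; build_message, parse_question and evaluate are hypothetical helper names, and the sample messages are constructed.

```python
import re
import struct

# Patterns copied from the page's regex lines (class my_domains, match-any).
MY_DOMAINS = [re.compile(r"example\.com"), re.compile(r"foo\.com")]
QR, RD = 0x8000, 0x0100  # DNS header flag bits (RFC 1035)

def build_message(name, flags, txid=0x1234):
    """Constructed sample input: a DNS message with one A/IN question."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def parse_question(msg):
    """Return (flags, qdcount, qname); raise ValueError on a malformed message."""
    if len(msg) < 12:
        raise ValueError("DNS header is 12 bytes")
    _, flags, qdcount = struct.unpack("!HHH", msg[:6])
    labels, pos = [], 12
    while qdcount:
        if pos >= len(msg):
            raise ValueError("question name runs past end of message")
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length > 63 or pos + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return flags, qdcount, ".".join(labels)

def evaluate(msg):
    """Model of new_dns_map: return (action, resulting message)."""
    flags, qdcount, qname = parse_question(msg)
    served = any(rx.search(qname) for rx in MY_DOMAINS)
    # pub_server_map is match-all: not QR, has a question, not in my_domains.
    if not (flags & QR) and qdcount > 0 and not served:
        return "drop", None
    # match header-flag RD / mask: modelled as clearing the RD bit.
    if flags & RD:
        return "mask", msg[:2] + struct.pack("!H", flags & ~RD) + msg[4:]
    return "allow", msg
```
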
Configure the DNS Inspection Service Policy
The default ASA configuration includes DNS inspection on the default port applied globally on all
interfaces. A common method for customizing the inspection configuration is to customize the default
global policy. You can alternatively create a new service policy as desired, for example, an
interface-specific policy.
Procedure
Step 1 If necessary, create an L3/L4 class map to identify the traffic to which you want to apply the inspection.
class-map name
match parameter
Example:
hostname(config)# class-map dns_class_map
hostname(config-cmap)# match access-list dns
In the default global policy, the inspection_default class map is a special class map that includes default
ports for all inspection types (match default-inspection-traffic). If you are using this class map in
either the default policy or for a new service policy, you can skip this step.
For information on matching statements, see Identify Traffic (Layer 3/4 Class Maps), page 11-13.
Step 2 Add or edit a policy map that sets the actions to take with the class map traffic.
