25-13
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 25 Configuring Application Layer Protocol Inspection
DNS Inspection
The following example shows how to define a DCERPC inspection policy map with the timeout
configured for DCERPC pinholes.
hostname(config)# policy-map type inspect dcerpc dcerpc_map
hostname(config-pmap)# timeout pinhole 0:10:00
hostname(config)# class-map dcerpc
hostname(config-cmap)# match port tcp eq 135
hostname(config)# policy-map global-policy
hostname(config-pmap)# class dcerpc
hostname(config-pmap-c)# inspect msrpc dcerpc-map
hostname(config)# service-policy global-policy global
DNS Inspection
This section describes DNS application inspection. This section includes the following topics:
• How DNS Application Inspection Works, page 25-13
• How DNS Rewrite Works, page 25-14
• Configuring DNS Rewrite, page 25-15
• Verifying and Monitoring DNS Inspection, page 25-20
How DNS Application Inspection Works
The security appliance tears down the DNS session associated with a DNS query as soon as the DNS
reply is forwarded by the security appliance. The security appliance also monitors the message exchange
to ensure that the ID of the DNS reply matches the ID of the DNS query.
When DNS inspection is enabled, which is the default, the security appliance performs the following
additional tasks:
• Translates the DNS record based on the configuration completed using the alias, static and nat
commands (DNS Rewrite). Translation only applies to the A-record in the DNS reply; therefore,
DNS Rewrite does not affect reverse lookups, which request the PTR record.
Note DNS Rewrite is not applicable for PAT because multiple PAT rules are applicable for each
A-record and the PAT rule to use is ambiguous.
• Enforces the maximum DNS message length (the default is 512 bytes and the maximum length is
65535 bytes). The security appliance performs reassembly as needed to verify that the packet length
is less than the maximum length configured. The security appliance drops the packet if it exceeds
the maximum length.
Note If you enter the inspect dns command without the maximum-length option, DNS packet size
is not checked
• Enforces a domain-name length of 255 bytes and a label length of 63 bytes.
To Next Page
Loading...
Need help?
General