How Dns Application Inspection Works; How Dns Rewrite Works - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
DNS Inspection
How DNS Application Inspection Works
The security appliance tears down the DNS session associated with a DNS query as soon as the DNS
reply is forwarded by the security appliance. The security appliance also monitors the message exchange
to ensure that the ID of the DNS reply matches the ID of the DNS query.
When DNS inspection is enabled, which is the default, the security appliance performs the following
additional tasks:
•
Note
•
Note
•
•
•
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs
independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the security
appliance within a limited period of time and there is no resource build-up. However, if you enter the
show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session.
This is due to the nature of the shared DNS connection and is by design.
How DNS Rewrite Works
When DNS inspection is enabled, DNS rewrite provides full support for NAT of DNS messages
originating from any interface.
If a client on an inside network requests DNS resolution of an inside address from a DNS server on an
outside interface, the DNS A-record is translated correctly. If the DNS inspection engine is disabled, the
A-record is not translated.
As long as DNS inspection remains enabled, you can configure DNS rewrite using the alias, static, or
nat commands. For details about the configuration required see the
on page
Cisco Security Appliance Command Line Configuration Guide
25-14
Translates the DNS record based on the configuration completed using the alias, static and nat
commands (DNS Rewrite). Translation only applies to the A-record in the DNS reply; therefore,
DNS Rewrite does not affect reverse lookups, which request the PTR record.
DNS Rewrite is not applicable for PAT because multiple PAT rules are applicable for each
A-record and the PAT rule to use is ambiguous.
Enforces the maximum DNS message length (the default is 512 bytes and the maximum length is
65535 bytes). The security appliance performs reassembly as needed to verify that the packet length
is less than the maximum length configured. The security appliance drops the packet if it exceeds
the maximum length.
If you enter the inspect dns command without the maximum-length option, DNS packet size
is not checked
Enforces a domain-name length of 255 bytes and a label length of 63 bytes.
Verifies the integrity of the domain-name referred to by the pointer if compression pointers are
encountered in the DNS message.
Checks to see if a compression pointer loop exists.
25-15.
Chapter 25
Configuring Application Layer Protocol Inspection
"Configuring DNS Rewrite" section
OL-12172-03
Advertisement
Table of Contents
Troubleshooting
