Configuring A Dns Inspection Policy Map For Additional Inspection Control - Cisco PIX 500 Series Configuration Manual

Chapter 25 Configuring Application Layer Protocol Inspection

Configuring a DNS Inspection Policy Map for Additional Inspection Control

DNS application inspection supports DNS message controls that provide protection against DNS
spoofing and cache poisoning. User configurable rules allow filtering based on DNS header, domain
name, resource record type and class. Zone transfer can be restricted between servers with this function,
for example.
The Recursion Desired and Recursion Available flags in the DNS header can be masked to protect a
public server from attack if that server only supports a particular internal zone. In addition, DNS
randomization can be enabled avoid spoofing and cache poisoning of servers that either do not support
randomization, or utilize a weak pseudo random number generator. Limiting the domain names that can
be queried also restricts the domain names which can be queried, which protects the public server
further.
A configurable DNS mismatch alert can be used as notification if an excessive number of mismatching
DNS responses are received, which could indicate a cache poisoning attack. In addition, a configurable
check to enforce a Transaction Signature be attached to all DNS messages is also supported.
To specify actions when a message violates a parameter, create a DNS inspection policy map. You can
then apply the inspection policy map when you enable DNS inspection according to the
Application Inspection" section on page
To create a DNS inspection policy map, perform the following steps:
(Optional) Add one or more regular expressions for use in traffic matching commands according to the
Step 1
"Creating a Regular Expression" section on page
commands described in
(Optional) Create one or more regular expression class maps to group regular expressions according to
Step 2
the
(Optional) Create a DNS inspection class map by performing the following steps.
Step 3
A class map groups multiple traffic matches. Traffic must match all of the match commands to match
the class map. You can alternatively identify match commands directly in the policy map. The difference
between creating a class map and defining the traffic match directly in the inspection policy map is that
the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the
match not command specifies the string "example.com," then any traffic that includes "example.com"
does not match the class map.
For the traffic that you identify in this class map, you can specify actions such as drop, drop-connection,
reset, mask, set the rate limit, and/or log the connection in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly
in the policy map.
a.
b.
OL-12172-03
Step 3.
"Creating a Regular Expression Class Map" section on page
Create the class map by entering the following command:
hostname(config)# class-map type inspect dns [match-all | match-any] class_map_name
hostname(config-cmap)#
Where class_map_name is the name of the class map. The match-all keyword is the default, and
specifies that traffic must match all criteria to match the class map. The match-any keyword
specifies that the traffic matches the class map if it matches at least one of the criteria. The CLI
enters class-map configuration mode, where you can enter one or more match commands.
(Optional) To add a description to the class map, enter the following command:
hostname(config-cmap)# description string
25-5.
21-6. See the types of text you can match in the match
21-9.
Cisco Security Appliance Command Line Configuration Guide
DNS Inspection
"Configuring
25-21