Chapter 3      Configuring Application Protocol Inspection
OL-16202-01

Application Protocol Inspection Overview

This section provides an overview of the application inspection protocols
supported by the ACE and contains the following topics:

• DNS Inspection
• FTP Inspection
• HTTP Deep Packet Inspection
• ICMP Inspection
• ILS Inspection
• RTSP Inspection
• SCCP Inspection
• SIP Inspection
DNS Inspection

Domain Name System (DNS) inspection performs the following tasks:

• Monitors the message exchange to ensure that the ID of the DNS response
  matches the ID of the DNS query. A response whose ID matches no outstanding
  query is not forwarded.
• Allows one DNS response for each DNS query in a UDP connection. The ACE
  removes the DNS session associated with the DNS query as soon as the DNS
  reply is forwarded, so a second reply to the same query finds no session
  and is not forwarded.
• Translates the DNS A-record based on the NAT configuration. Only forward
  lookups are translated using NAT; the ACE does not handle pointer (PTR)
  records.

  Note  The DNS rewrite function is not applicable for PAT because multiple
  PAT rules apply to each A-record. Using multiple PAT rules makes it
  difficult for the ACE to properly choose the correct PAT rule.

• Performs a maximum DNS packet length check to verify that the length of a
  DNS reply is no greater than the maximum value specified in the inspect dns
  command.
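The four checks listed above, as an added Python example that is not part of the Cisco guide and does not reflect the ACE's internal implementation: a minimal DNS message parser (with RFC 1035 name compression) and an inspector that tracks a session per query ID, forwards at most one reply per query, drops replies over a configured maximum length, and rewrites A-record rdata through a static one-to-one NAT table. The class and function names, the client address, the NAT table, the 512-byte default, and the sample packets are all constructed for illustration; PAT and PTR records are deliberately left untouched, matching the text.

```python
import struct
from ipaddress import IPv4Address

# Constructed for this example: static one-to-one NAT from the real server
# address to the address advertised outside. PAT is not modelled (see Note).
NAT_A_RECORDS = {"10.1.1.20": "192.0.2.20"}


def _read_name(msg, off):
    """Read a DNS name at `off`, following compression pointers (RFC 1035 4.1.4).
    Returns (dotted name, offset just past the name at its original position)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse(msg):
    """Parse header, question section and answer RRs of a DNS message.
    Rdata offsets are recorded so an inspector can rewrite A records in place."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack_from("!6H", msg, 0)
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qtype, _qclass = struct.unpack_from("!HH", msg, off)
        off += 4
        questions.append((name, qtype))
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        answers.append({"name": name, "type": rtype, "rdata_off": off, "rdlen": rdlen})
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


class DnsInspector:
    """Illustrative emulation of the DNS inspection checks for UDP traffic."""

    A_RECORD = 1

    def __init__(self, nat_table, maximum_length=512):
        # 512 is an assumed default; the real limit comes from the inspect dns command.
        self.nat = {IPv4Address(real).packed: IPv4Address(mapped).packed
                    for real, mapped in nat_table.items()}
        self.maximum_length = maximum_length
        self.sessions = {}  # (client, transaction ID) -> question section

    def inspect(self, client, msg):
        """Return the packet to forward (rewritten if needed), or None to drop it."""
        try:
            p = parse(msg)
        except (struct.error, IndexError, UnicodeDecodeError):
            return None                                # malformed message
        key = (client, p["id"])
        if not p["is_response"]:
            self.sessions[key] = tuple(p["questions"])  # open a session for the query
            return msg
        if key not in self.sessions:
            return None   # ID matches no outstanding query, or a second reply to a closed one
        if len(msg) > self.maximum_length:
            return None   # reply exceeds the configured maximum DNS packet length
        out = bytearray(msg)
        for rr in p["answers"]:   # forward (A) lookups only; PTR and others pass untouched
            if rr["type"] == self.A_RECORD and rr["rdlen"] == 4:
                real = bytes(out[rr["rdata_off"]:rr["rdata_off"] + 4])
                if real in self.nat:
                    out[rr["rdata_off"]:rr["rdata_off"] + 4] = self.nat[real]
        del self.sessions[key]    # one response per query: session closes once forwarded
        return bytes(out)


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(txid, name):
    """Constructed sample: a standard A query with the RD flag set."""
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, addrs):
    """Constructed sample: a reply whose answer names point at the question (0xC00C)."""
    msg = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0) + _encode_name(name) + struct.pack("!HH", 1, 1)
    for a in addrs:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(a).packed
    return msg


def demo():
    """Run each check against constructed traffic and report the outcomes."""
    insp, client, name, results = DnsInspector(NAT_A_RECORDS), "172.16.0.5", "www.example.com", {}
    insp.inspect(client, build_query(0x1234, name))
    fwd = insp.inspect(client, build_response(0x1234, name, ["10.1.1.20"]))
    rr = parse(fwd)["answers"][0]
    results["rewritten"] = str(IPv4Address(fwd[rr["rdata_off"]:rr["rdata_off"] + 4]))
    results["duplicate_dropped"] = insp.inspect(client, build_response(0x1234, name, ["10.1.1.20"])) is None
    insp.inspect(client, build_query(0x1111, name))
    results["bad_id_dropped"] = insp.inspect(client, build_response(0x2222, name, ["10.1.1.20"])) is None
    insp.inspect(client, build_query(0x3333, name))
    results["oversize_dropped"] = insp.inspect(client, build_response(0x3333, name, ["10.1.1.20"] * 40)) is None
    return results


if __name__ == "__main__":
    print(demo())
```

The rewrite is done on the raw bytes at the recorded rdata offset, so the message length and any compression pointers stay valid; a real NAT-aware inspector would also have to consider the interface the reply is leaving on, which this example does not model.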
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide