Verifying And Monitoring Dns Inspection - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI
Chapter 22
Applying Application Layer Protocol Inspection
Step 3
Create a policy map or modify an existing policy map that you want to use to apply the DNS inspection
engine to DNS traffic. To do so, use the policy-map command, as follows.
hostname(config-cmap)# policy-map policy_map_name
hostname(config-pmap)#
where policy_map_name is the name of the policy map. The CLI enters the policy map configuration
mode and the prompt changes accordingly.
Step 4
Enable DNS application inspection. To do so, use the inspect dns command, as follows.
hostname(config-pmap-c)# inspect dns [maximum-length max-pkt-length]
To change the maximum DNS packet length from the default (512), use the maximum-length argument
and replace max-pkt-length with a numeric value. Longer packets are dropped. To disable checking the
DNS packet length, enter the inspect dns command without the maximum-length keyword.
Step 5
Use the service-policy command to apply the policy map globally or to a specific interface, as follows:
hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
hostname(config)#
where policy_map_name is the policy map you configured in Step 3. If you want to apply the policy map
to traffic on all the interfaces, use the global option. If you want to apply the policy map to traffic on a
specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the
interface with the nameif command.
The FWSM begins inspecting DNS traffic, as specified.
Example 22-4 Enabling and Configuring DNS Inspection
The following example creates a class map to match DNS traffic on the default port (53), enables
DNS inspection in the sample_policy policy map, and applies DNS inspection to the outside interface.
hostname(config)# class-map dns_port
hostname(config-cmap)# match port udp eq 53
hostname(config-cmap)# policy-map sample_policy
hostname(config-pmap)# class dns_port
hostname(config-pmap-c)# inspect dns maximum-length 1500
hostname(config-pmap-c)# service-policy sample_policy interface outside

Verifying and Monitoring DNS Inspection

To view information about the current DNS connections, enter the following command:
hostname# show conn
For connections using a DNS server, the source port of the connection may be replaced by the IP address
of the DNS server in the show conn command output.
A single connection is created for multiple DNS sessions, as long as they are between the same two
hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and
protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.
Because the app_id expires independently, a legitimate DNS response can only pass through the FWSM
within a limited period of time and there is no resource build-up. However, when you enter the show
conn command, you see the idle timer of a DNS connection being reset by a new DNS session. This is
due to the nature of the shared DNS connection and is by design.
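As an added illustration of the behaviour just described (model code written for this page, not Cisco's or the FWSM's), the following Python simulates one shared DNS connection per 5-tuple, an independent idle timer per DNS transaction ID (the app_id), and the drop of datagrams longer than maximum-length. The 30-second per-app_id timeout, the build_dns helper and the 5-tuple values in the test are assumptions.

```python
import struct

DEFAULT_MAX_DNS_LEN = 512  # FWSM default for inspect dns maximum-length


def build_dns(txid, qname, response=False):
    """Build a minimal DNS message (constructed sample input) with one question."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


class DnsInspector:
    """Model of the behaviour described above: one shared connection per 5-tuple,
    an idle timer per transaction ID (app_id), and a drop above maximum-length."""

    def __init__(self, max_len=DEFAULT_MAX_DNS_LEN, app_idle=30.0):
        self.max_len = max_len      # None models 'inspect dns' with no maximum-length
        self.app_idle = app_idle    # assumed per-app_id idle timeout, in seconds
        self.conns = {}             # conn key -> {"last": t, "apps": {txid: expiry}}

    @staticmethod
    def _key(ft):
        # Query and response share one connection, so order the endpoints canonically.
        proto, sip, sport, dip, dport = ft
        return (proto,) + tuple(sorted([(sip, sport), (dip, dport)]))

    def inspect(self, five_tuple, payload, now):
        """Return 'forward' or a 'drop:<reason>' string for one UDP DNS datagram."""
        if self.max_len is not None and len(payload) > self.max_len:
            return "drop:oversize"
        if len(payload) < 12:
            return "drop:short-header"
        txid, flags = struct.unpack("!HH", payload[:4])
        key = self._key(five_tuple)
        if not flags & 0x8000:                       # QR bit clear: this is a query
            conn = self.conns.setdefault(key, {"last": now, "apps": {}})
            conn["last"] = now                       # a new session resets the shared conn's idle timer
            conn["apps"][txid] = now + self.app_idle # each app_id expires on its own
            return "forward"
        conn = self.conns.get(key)
        expiry = conn["apps"].pop(txid, None) if conn else None
        if expiry is None:
            return "drop:no-matching-query"
        if now > expiry:
            return "drop:app-id-expired"
        conn["last"] = now
        return "forward"

    def conn_idle(self, five_tuple, now):
        return now - self.conns[self._key(five_tuple)]["last"]
```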
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
