Chapter 22 Applying Application Layer Protocol Inspection
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01

DNS Inspection

This section describes how to manage DNS application inspection. This section includes the following topics:

• How DNS Application Inspection Works, page 22-18
• How DNS Rewrite Works, page 22-19
• Configuring DNS Rewrite, page 22-20
• Configuring DNS Inspection, page 22-24
• Verifying and Monitoring DNS Inspection, page 22-25
• DNS Guard, page 22-26

How DNS Application Inspection Works

The FWSM tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the FWSM. The FWSM also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.

When DNS inspection is enabled, which is the default, the FWSM performs the following additional tasks:

• Translates the DNS record based on the configuration completed using the alias, static and nat commands (DNS Rewrite). Translation only applies to the A-record in the DNS reply; therefore, DNS Rewrite does not affect reverse lookups, which request the PTR record.

  Note: DNS Rewrite is not applicable for PAT because multiple PAT rules are applicable for each A-record and the PAT rule to use is ambiguous.

• Enforces the maximum DNS message length (the default is 512 bytes and the maximum length is 65535 bytes). The FWSM performs reassembly as needed to verify that the packet length is less than the maximum length configured. The FWSM drops the packet if it exceeds the maximum length.

  Note: If you enter the inspect dns command without the maximum-length option, the DNS packet size is not checked.

• Enforces a domain-name length of 255 bytes and a label length of 63 bytes.
• Verifies the integrity of the domain-name referred to by the pointer if compression pointers are encountered in the DNS message.
• Checks to see if a compression pointer loop exists.

A single connection is created for multiple DNS sessions, as long as they are between the same two hosts, and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently.

Because the app_id expires independently, a legitimate DNS response can only pass through the FWSM within a limited period of time and there is no resource build-up. However, if you enter the show conn command, you will see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.
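The inspection checks described in this section (reply ID must match the query ID, maximum message length with a 512-byte default, 255-byte domain-name and 63-byte label limits, integrity of compression-pointer targets, and pointer-loop detection), written out in Python as an added example. This is not FWSM code; the query and reply bytes are constructed samples, and the verdict strings are this example's own.

```python
import struct

MAX_MSG_LEN, MAX_NAME_LEN, MAX_LABEL_LEN = 512, 255, 63  # FWSM default / limits

def read_name(msg, off):
    """Walk a DNS name following compression pointers; return (name, end offset)."""
    labels, seen, end = [], set(), None
    while True:
        if off in seen or off >= len(msg):   # revisiting an offset means a pointer loop
            raise ValueError("compression pointer loop" if off in seen else "name runs past end of message")
        seen.add(off)
        n = msg[off]
        if n & 0xC0 == 0xC0:                 # 11xxxxxx: 14-bit compression pointer
            end = off + 2 if end is None else end   # the name ends at its first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if off >= len(msg) or msg[off] & 0xC0 in (0x40, 0x80):   # target must be a label
                raise ValueError("pointer target is not a valid label")
            continue
        if n & 0xC0 or n > MAX_LABEL_LEN or off + 1 + n > len(msg):
            raise ValueError("invalid or oversize label")
        if n == 0:                           # root label terminates the name
            break
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    if sum(len(l) + 1 for l in labels) + 1 > MAX_NAME_LEN:   # wire length incl. root
        raise ValueError("domain name exceeds 255 bytes")
    return ".".join(labels), end if end is not None else off + 1

def inspect_dns(query, reply, max_len=MAX_MSG_LEN):
    """Apply the checks to a query/reply pair; return (verdict, reason)."""
    if len(reply) > max_len:
        return "drop", "reply exceeds maximum message length"
    if len(query) < 12 or len(reply) < 12 or query[:2] != reply[:2]:
        return "drop", "truncated header or reply ID does not match query ID"
    off, (qd, an, ns, ar) = 12, struct.unpack("!4H", reply[4:12])
    try:
        for _ in range(qd):                  # question: NAME, QTYPE, QCLASS
            off = read_name(reply, off)[1] + 4
        for _ in range(an + ns + ar):        # RR: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA
            off = read_name(reply, off)[1]
            off += 10 + struct.unpack("!H", reply[off + 8:off + 10])[0]
    except (ValueError, struct.error) as e:
        return "drop", str(e)
    return ("pass", "ok") if off <= len(reply) else ("drop", "record runs past end")

# Constructed sample traffic (not captured): an A query for www.example.com and two replies
QNAME = b"\x03www\x07example\x03com\x00"
QUERY = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + QNAME + struct.pack("!2H", 1, 1)
ANSWER = b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])  # NAME -> offset 12
REPLY_OK = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + QNAME + struct.pack("!2H", 1, 1) + ANSWER
REPLY_LOOP = REPLY_OK[:33] + b"\xc0\x21" + REPLY_OK[35:]  # answer NAME points to itself (offset 33)
```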