ESMTP Inspection
To display the statistics for DNS application inspection, enter the show service-policy command. The
following is sample output from the show service-policy command.
hostname# show service-policy
Interface outside:
  Service-policy: sample_policy
    Class-map: dns_port
      Inspect: dns maximum-length 1500, packet 0, drop 0, reset-drop 0
DNS Guard
When a client sends a DNS request to an external DNS server, only the first response is accepted by the
FWSM. All additional responses from other DNS servers are dropped by the FWSM.
After the client issues a DNS request, a dynamic hole allows UDP packets to return from the DNS server.
When the FWSM receives a response from the first DNS server, the connection that was created in the
accelerated path is dropped so that subsequent responses from other DNS servers are dropped by the
FWSM. The UDP DNS connection is deleted immediately rather than being marked for deletion.
The FWSM creates a session-lookup key based on the source and destination IP address along with the
protocol and the DNS ID instead of the source and destination ports.
If the DNS client and DNS server use TCP for DNS, the connection is cleared like a normal TCP
connection.
However, if clients legitimately receive DNS responses from multiple DNS servers, you can disable the default
DNS Guard behavior on a per-context basis. When DNS Guard is disabled, a response from the first DNS server
does not delete the connection, and the connection is treated as a normal UDP connection.
DNS Guard is enabled by default.
To disable DNS Guard, enter the following commands:
hostname(config)# no dns-guard
hostname(config)# show running-config | inc dns-guard
no dns-guard
hostname(config)#
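The following is an added illustration of the DNS Guard behavior described above, not FWSM code. It models the accelerated-path connection table as a dictionary, builds the DNS query and responses inline with struct, and compares the two modes: with DNS Guard the hole is keyed on source IP, destination IP, protocol and DNS ID and is removed on the first matching response; without it the hole is keyed on the usual 5-tuple and stays open like any UDP connection. The addresses, ports, DNS IDs and the spoofed responses are constructed for the example; the real FWSM also applies other DNS checks (such as maximum-length) that this model leaves out.

```python
"""Simplified model of FWSM DNS Guard (added example, not FWSM code)."""
import struct
from typing import Dict, List, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto, payload)
Packet = Tuple[str, int, str, int, str, bytes]


def build_dns(dns_id: int, response: bool, qname: str = "example.com") -> bytes:
    """Build a minimal DNS message: 12-byte header plus one A/IN question."""
    flags = 0x8180 if response else 0x0100  # QR|RD|RA for answers, RD for queries
    header = struct.pack("!HHHHHH", dns_id, flags, 1, 1 if response else 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def dns_id(payload: bytes) -> int:
    """DNS transaction ID is the first 16 bits of the message."""
    return struct.unpack("!H", payload[:2])[0]


def is_response(payload: bytes) -> bool:
    """QR bit (top bit of the flags word) set means the message is a response."""
    return bool(struct.unpack("!H", payload[2:4])[0] & 0x8000)


class DnsGuardModel:
    """Inside client -> outside DNS server over UDP through a stateful firewall.

    dns_guard=True: key = (client IP, server IP, proto, DNS ID); the entry is
    deleted immediately when the first matching response arrives.
    dns_guard=False: key = 5-tuple; the entry behaves like a normal UDP connection.
    """

    def __init__(self, dns_guard: bool = True) -> None:
        self.dns_guard = dns_guard
        self.table: Dict[tuple, bool] = {}

    def _key(self, client: str, cport: int, server: str, sport: int,
             proto: str, payload: bytes) -> tuple:
        if self.dns_guard:
            return (client, server, proto, dns_id(payload))
        return (client, cport, server, sport, proto)

    def outbound(self, pkt: Packet) -> str:
        """Client query: open the dynamic hole for the return traffic."""
        src, sport, dst, dport, proto, payload = pkt
        self.table[self._key(src, sport, dst, dport, proto, payload)] = True
        return "forward"

    def inbound(self, pkt: Packet) -> str:
        """Server-side packet: forward only if it matches an open hole."""
        src, sport, dst, dport, proto, payload = pkt
        key = self._key(dst, dport, src, sport, proto, payload)  # mirror of the query
        if key not in self.table:
            return "drop"
        if self.dns_guard and is_response(payload):
            del self.table[key]  # deleted immediately, not merely marked for deletion
        return "forward"


def run_scenario(dns_guard: bool) -> List[str]:
    """One query followed by four inbound packets; returns the firewall verdicts.

    Constructed traffic: a genuine answer, plus responses spoofed with the
    server's address (wrong ID, then a replay of the right ID) and one from a
    different source address altogether.
    """
    client, server, other = "10.1.1.10", "192.0.2.53", "198.51.100.7"
    fw = DnsGuardModel(dns_guard)
    fw.outbound((client, 40000, server, 53, "udp", build_dns(0x1234, False)))
    inbound = [
        (server, 53, client, 40000, "udp", build_dns(0x4321, True)),  # spoofed, wrong ID, arrives first
        (server, 53, client, 40000, "udp", build_dns(0x1234, True)),  # genuine answer
        (server, 53, client, 40000, "udp", build_dns(0x1234, True)),  # spoofed copy, after the genuine one
        (other, 53, client, 40000, "udp", build_dns(0x1234, True)),   # response from a different server IP
    ]
    return [fw.inbound(p) for p in inbound]


if __name__ == "__main__":
    print("dns-guard enabled :", run_scenario(True))
    print("no dns-guard      :", run_scenario(False))
```

With DNS Guard enabled the wrong-ID packet never matches a hole, the genuine answer is forwarded and tears the hole down, and every later response is dropped. With `no dns-guard` the 5-tuple matches regardless of DNS ID and the hole stays open, so the spoofed packets reach the client and it is left to the resolver to discard them. A response from a different source address is dropped in both modes because no hole was opened toward it.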
ESMTP Inspection
ESMTP inspection detects attacks including spam, phishing, malformed-message attacks, and buffer
overflow/underflow attacks. It also provides application security and protocol conformance checks,
which enforce the sanity of ESMTP messages, detect several attacks, block senders and receivers,
and block mail relay.
Configuring an ESMTP Inspection Policy Map for Additional Inspection Control
To specify actions when a message violates a parameter, create an ESMTP inspection policy map. You
can then apply the inspection policy map when you enable ESMTP inspection according to the
"Configuring Application Inspection" section on page
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
Chapter 22, Applying Application Layer Protocol Inspection
OL-20748-01