Domain Name System (DNS) traffic requires application inspection so that DNS queries do not depend on the generic UDP connection handling, which relies only on idle-activity timeouts. As a security mechanism, the Cisco ASA tears down the UDP connection associated with a DNS query as soon as the reply to that query has been received. This is similar to the DNS Guard feature in the Cisco PIX Firewall.
Cisco ASA DNS inspection provides the following benefits:
To enable DNS inspection, use the inspect dns command. You can also specify the maximum DNS packet length, as shown in Example 8-7.
Example 8-7. Enabling DNS Inspection
Chicago(config)# policy-map global_policy
Chicago(config-pmap)# class inspection_default
Chicago(config-pmap-c)# inspect dns maximum-length 1024
The maximum DNS packet length can be configured in a range from 512 to 65,535 bytes; the default is 512 bytes. A maximum of 1024 bytes is recommended, because several DNS applications generate packets larger than 512 bytes.
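The following Python model is an added example, not code from the book or from Cisco: it builds constructed DNS messages of known sizes, applies the length check behind inspect dns maximum-length (512 default versus 1024), and tracks a UDP/53 connection that is closed as soon as the reply with the matching transaction ID arrives. The hostnames, addresses and the simplified decision logic are assumptions for illustration; the real ASA engine performs additional protocol checks that this model leaves out.

```python
import struct

# Simplified model with constructed sample data; the real ASA inspection
# engine applies further checks (name lengths, record formats) not shown here.

def build_dns(qname, addresses, txid, response):
    """Build a minimal DNS wire-format message: one question, one A record per address."""
    flags = 0x8180 if response else 0x0100
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    name = b"".join(bytes([len(p)]) + p.encode() for p in qname.strip(".").split(".")) + b"\x00"
    msg = header + name + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        # 0xC00C is a compression pointer back to the qname at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return msg

def inspect_dns(packet, maximum_length=512):
    """The length check behind `inspect dns maximum-length N`: permit or drop."""
    if len(packet) < 12 or len(packet) > maximum_length:
        return "drop"
    return "permit"

class DnsConnectionTable:
    """Models the UDP/53 connection handling: a query opens an entry, and the
    matching reply (same transaction ID, reversed direction) closes it at once
    instead of waiting for the generic UDP idle timeout."""
    def __init__(self, maximum_length=512):
        self.maximum_length = maximum_length
        self.open = set()

    def process(self, src, dst, packet):
        if inspect_dns(packet, self.maximum_length) == "drop":
            return "drop"
        txid, flags = struct.unpack("!HH", packet[:4])
        if not flags & 0x8000:                   # QR bit clear: a query
            self.open.add((src, dst, txid))
            return "permit"
        key = (dst, src, txid)                   # reply travels server -> client
        if key in self.open:
            self.open.remove(key)
            return "permit-close"
        return "drop"                            # reply with no outstanding query

if __name__ == "__main__":
    # A 40-record response (constructed) is 673 bytes: dropped at 512, permitted at 1024
    big = build_dns("www.example.com", ["192.0.2.%d" % i for i in range(40)], 0x1234, True)
    print(len(big), inspect_dns(big), inspect_dns(big, 1024))
```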