Domain Name System

Domain Name System (DNS) implementations require application inspection to allow the DNS queries not to rely on the generic UDP handling based on activity timeouts. As a security mechanism, the UDP connections associated with DNS queries and responses are torn down as soon as a reply to a DNS query has been received in the Cisco ASA. This is similar to the DNS Guard feature in Cisco PIX Firewall.

Cisco ASA DNS inspection provides the following benefits:

• Guarantees that the ID of the DNS reply matches the ID of the DNS query.
• Allows the translation of DNS packets using NAT.
• Reassembles the DNS packet to verify its length. The Cisco ASA allows DNS packets up to 65,535 bytes. When necessary, reassembly is done to verify that the packet length is less than the maximum length specified by the user. The packet is dropped if it is not compliant.

To enable DNS inspection, use the inspect dns command. You can also specify the maximum DNS packet length, as shown in Example 8-7.

Example 8-7. Enabling DNS Inspection

Chicago(config)# policy-map global_policy

Chicago(config-pmap)# class inspection_default

Chicago(config-pmap-c)# inspect dns maximum-length 1024

Note

The maximum DNS packet length can be configured in a range from 512 to 65,535 bytes. The default packet size is 512 bytes. It is recommended to use a maximum size of 1024 bytes, because several DNS applications use sizes larger than 512 bytes.