DNS inspection is enabled by default. You need to configure it only if you want non-default processing. The following sections describe DNS application inspection.
Defaults for DNS Inspection
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
The maximum DNS message length is 512 bytes.
The maximum client DNS message length is automatically set to match the Resource Record.
DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
Translation of the DNS record based on the NAT configuration is enabled.
Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
Configure DNS Inspection Policy Map
You can create a DNS inspection policy map to customize DNS inspection actions if the default inspection behavior is not sufficient for your network.
You can optionally create a DNS inspection class map to define the traffic class for DNS inspection. The other option is to define the traffic classes directly in the DNS inspection policy map. The difference between creating a class map and defining the traffic match directly in the inspection map is that you can create more complex match criteria and you can reuse class maps. Although this procedure explains inspection maps, the matching criteria used in class maps are the same as those explained in the step relating to the Inspection tab. You can configure DNS class maps by selecting , or by creating them while configuring the inspection map.
You can configure inspection maps while creating service policies, in addition to the procedure explained below. The contents of the map are the same regardless of how you create it.
Before you begin
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.
Do one of the following:
For new maps, enter a name (up to 40 characters) and description. When editing a map, you can change the description only.
In the Security Level view of the DNS Inspect Map dialog box, select the level that best matches your desired configuration. The default level is Low.
If one of the preset levels matches your requirements, you are now done. Just click OK, skip the rest of this procedure, and use the map in a service policy rule for DNS inspection.
If you need to customize the settings further, click Details, and continue with the procedure.
Click the Protocol Conformance tab and choose the desired options:
Click the Filtering tab and choose the desired options.
Click the Mismatch Rate tab and choose whether to enable logging when the DNS ID mismatch rate exceeds the specified threshold. For example, you could set a threshold of 30 mismatches per 3 seconds.
Click the Inspections tab and define the specific inspections you want to implement based on traffic characteristics.
You can define traffic matching criteria based on DNS class maps, by configuring matches directly in the inspection map, or both.
Click OK in the DNS Inspect Map dialog box.
You can now use the inspection map in a DNS inspection service policy.
What to do next
You can now configure an inspection policy to use the map. See Configure Application Layer Protocol Inspection.