DNS inspection is enabled by default. You need to configure it only if you want non-default processing. The following sections describe DNS application inspection.
Defaults for DNS Inspection
DNS inspection is enabled by default, using the preset_dns_map inspection class map:
The maximum DNS message length is 512 bytes.
The maximum client DNS message length is automatically set to match the Resource Record.
DNS Guard is enabled, so the ASA tears down the DNS session associated with a DNS query as soon as the DNS reply is forwarded by the ASA. The ASA also monitors the message exchange to ensure that the ID of the DNS reply matches the ID of the DNS query.
Translation of the DNS record based on the NAT configuration is enabled.
Protocol enforcement is enabled, which enables DNS message format check, including domain name length of no more than 255 characters, label length of 63 characters, compression, and looped pointer check.
See the following default DNS inspection commands:
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
! ...
service-policy global_policy global
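The following Python sketch is an added illustration, not Cisco code and not how the ASA implements inspection: it applies the same default limits listed above (512-byte message, 255-octet name, 63-octet label, looped compression pointers, and the DNS Guard rule that a reply's ID must match the open query's ID) to constructed DNS messages, so you can see which packets the preset_dns_map defaults would reject.

```python
# Default preset_dns_map limits: message <= 512 octets, name <= 255, label <= 63, no looped pointers
MAX_MSG, MAX_NAME, MAX_LABEL = 512, 255, 63
u16 = lambda msg, at: msg[at] << 8 | msg[at + 1]   # 16-bit field; IndexError if truncated

def read_name(msg: bytes, offset: int) -> tuple:  # -> (dotted name, offset just after it)
    labels, total, visited, end = [], 0, set(), None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # compression pointer to another name
            if offset in visited:
                raise ValueError("looped compression pointer")
            visited.add(offset)
            end = offset + 2 if end is None else end
            offset = u16(msg, offset) & 0x3FFF
            continue
        if length > MAX_LABEL:
            raise ValueError(f"label length {length} > {MAX_LABEL}")
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        total, offset = total + length + 1, offset + length
    if total + 1 > MAX_NAME:                    # +1 for the terminating root label
        raise ValueError(f"domain name length {total + 1} > {MAX_NAME}")
    return ".".join(labels), end if end is not None else offset

def check_dns_message(msg: bytes) -> dict:
    """Parse header and question section; raise ValueError on a violation."""
    if len(msg) > MAX_MSG:
        raise ValueError(f"message length {len(msg)} > {MAX_MSG}")
    offset, questions = 12, []
    for _ in range(u16(msg, 4)):                # QDCOUNT
        name, offset = read_name(msg, offset)
        questions.append((name, u16(msg, offset), u16(msg, offset + 2)))
        offset += 4
    return {"id": u16(msg, 0), "qr": bool(msg[2] & 0x80), "questions": questions}

def verdict(msg: bytes, open_query: bytes = b"") -> str:
    """'pass' or 'drop: <reason>'; with open_query, also apply the DNS Guard ID match."""
    try:
        m = check_dns_message(msg)
        if open_query and (not m["qr"] or m["id"] != check_dns_message(open_query)["id"]):
            raise ValueError("reply ID does not match the open query")
        return "pass"
    except (ValueError, IndexError) as exc:
        return f"drop: {exc}"

def build_query(txid: int, name: str) -> bytes:  # constructed sample: minimal A query
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return b"".join(v.to_bytes(2, "big") for v in (txid, 0x0100, 1, 0, 0, 0)) + qname + b"\0\1\0\1"
```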
Configure DNS Inspection Policy Map
You can create a DNS inspection policy map to customize DNS inspection actions if the default inspection behavior is not sufficient for your network.
Before you begin
Some traffic matching options use regular expressions for matching purposes. If you intend to use one of those techniques, first create the regular expression or regular expression class map.
(Optional) Create a DNS inspection class map by performing the following steps.
A class map groups multiple traffic matches. You can alternatively identify match commands directly in the policy map. The difference between creating a class map and defining the traffic match directly in the inspection policy map is that the class map lets you create more complex match criteria, and you can reuse class maps.
To specify traffic that should not match the class map, use the match not command. For example, if the match not command specifies the string “example.com,” then any traffic that includes “example.com” does not match the class map.
For the traffic that you identify in this class map, you specify actions to take on the traffic in the inspection policy map.
If you want to perform different actions for each match command, you should identify the traffic directly in the policy map.
Create a DNS inspection policy map: policy-map type inspect dns policy_map_name
Where the policy_map_name is the name of the policy map. The CLI enters policy-map configuration mode.
(Optional) Add a description to the policy map: description string
To apply actions to matching traffic, perform the following steps.
To configure parameters that affect the inspection engine, perform the following steps:
The following example shows how to use a new inspection policy map in the global default configuration:
regex domain_example "example\.com"
regex domain_foo "foo\.com"
! define the domain names that the server serves
class-map type inspect regex match-any my_domains
 match regex domain_example
 match regex domain_foo
! Define a DNS map for query only
class-map type inspect dns match-all pub_server_map
 match not header-flag QR
 match question
 match not domain-name regex class my_domains
policy-map type inspect dns new_dns_map
 class pub_server_map
  drop log
 match header-flag RD
  mask log
 parameters
  message-length maximum client auto
  message-length maximum 512
  dns-guard
  protocol-enforcement
  nat-rewrite
policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns new_dns_map
service-policy global_policy global
What to do next
You can now configure an inspection policy to use the map. See Configure Application Layer Protocol Inspection.