Cisco 7604 Configuration Guide - Page 441
Verifying and Monitoring DNS Inspection
Chapter 22 Applying Application Layer Protocol Inspection
DNS Inspection

Step 3 Create a policy map or modify an existing policy map that you want to use to apply the DNS inspection engine to FTP traffic. To do so, use the policy-map command, as follows:

    hostname(config-cmap)# policy-map policy_map_name
    hostname(config-pmap)#

where policy_map_name is the name of the policy map. The CLI enters the policy map configuration mode and the prompt changes accordingly.

Step 4 Enable DNS application inspection. To do so, use the inspect dns command, as follows:

    hostname(config-pmap-c)# inspect dns [maximum-length max-pkt-length]

To change the maximum DNS packet length from the default (512), use the maximum-length argument and replace max-pkt-length with a numeric value. Longer packets are dropped. To disable checking the DNS packet length, enter the inspect dns command without the maximum-length keyword.

Step 5 Use the service-policy command to apply the policy map globally or to a specific interface, as follows:

    hostname(config-pmap-c)# service-policy policy_map_name [global | interface interface_ID]
    hostname(config)#

where policy_map_name is the policy map you configured in Step 3. If you want to apply the policy map to traffic on all the interfaces, use the global option. If you want to apply the policy map to traffic on a specific interface, use the interface interface_ID option, where interface_ID is the name assigned to the interface with the nameif command.

The FWSM begins inspecting DNS traffic, as specified.

Example 22-4 Enabling and Configuring DNS Inspection

The following example creates a class map to match DNS traffic on the default port (53), enables DNS inspection in the sample_policy policy map, and applies DNS inspection to the outside interface.
    hostname(config)# class-map dns_port
    hostname(config-cmap)# match port udp eq 53
    hostname(config-cmap)# policy-map sample_policy
    hostname(config-pmap)# class dns_port
    hostname(config-pmap-c)# inspect dns maximum-length 1500
    hostname(config-pmap-c)# service-policy sample_policy interface outside

Verifying and Monitoring DNS Inspection

To view information about the current DNS connections, enter the following command:

    hostname# show conn

For connections using a DNS server, the source port of the connection may be replaced by the IP address of the DNS server in the show conn command output.

A single connection is created for multiple DNS sessions, as long as they are between the same two hosts and the sessions have the same 5-tuple (source/destination IP address, source/destination port, and protocol). DNS identification is tracked by app_id, and the idle timer for each app_id runs independently. Because the app_id expires independently, a legitimate DNS response can only pass through the FWSM within a limited period of time and there is no resource build-up. However, when you enter the show conn command, you see the idle timer of a DNS connection being reset by a new DNS session. This is due to the nature of the shared DNS connection and is by design.

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 22-25
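The maximum-length drop from Step 4 and the shared-connection/app_id tracking described under Verifying and Monitoring, modelled in Python as an added example (this is not Cisco's code and not how the FWSM is actually implemented). The DnsInspector and dns_message names, the direction-independent 5-tuple key, and the per-app_id idle timeout value are assumptions made for the model.

```python
# Model of the FWSM DNS inspection state described above (added example, not Cisco code).
# Assumptions: DNS over UDP only; the per-app_id idle timeout is a parameter.
from dataclasses import dataclass, field
DNS_HEADER_LEN = 12
DEFAULT_MAX_LEN = 512  # FWSM default for inspect dns maximum-length

@dataclass
class DnsConn:
    last_activity: float
    app_ids: dict = field(default_factory=dict)  # DNS ID -> time the query was seen

class DnsInspector:
    def __init__(self, max_len=DEFAULT_MAX_LEN, app_id_idle=30.0):
        self.max_len = max_len          # inspect dns maximum-length
        self.app_id_idle = app_id_idle  # assumed per-app_id idle timer (seconds)
        self.conns = {}                 # direction-independent 5-tuple -> DnsConn

    def inspect(self, src, dst, payload, now):
        if len(payload) > self.max_len or len(payload) < DNS_HEADER_LEN:
            return "drop"  # longer than maximum-length, or too short to be DNS
        dns_id = int.from_bytes(payload[:2], "big")
        is_response = bool(payload[2] & 0x80)  # QR bit of the DNS flags
        key = (min(src, dst), max(src, dst), "udp")  # one shared conn per host/port pair
        conn = self.conns.get(key)
        if not is_response:
            if conn is None:
                conn = self.conns[key] = DnsConn(now)
            conn.last_activity = now  # the shared conn's idle timer resets on each new session
            conn.app_ids[dns_id] = now
            return "pass"
        self.expire(now)
        if conn is None or dns_id not in conn.app_ids:
            return "drop"  # no live query with this ID: unsolicited or late response
        del conn.app_ids[dns_id]  # this DNS session is complete; the conn stays
        conn.last_activity = now
        return "pass"

    def expire(self, now):
        # Each app_id expires on its own timer, independent of the connection
        for conn in self.conns.values():
            conn.app_ids = {i: t for i, t in conn.app_ids.items() if now - t < self.app_id_idle}

    def show_conn(self, now):
        # Counterpart of 'show conn': (key, idle seconds, outstanding DNS IDs)
        return [(k, now - c.last_activity, sorted(c.app_ids)) for k, c in self.conns.items()]

def dns_message(dns_id, response=False, length=DNS_HEADER_LEN):
    # Constructed sample input: minimal DNS header, zero-padded to the requested length
    flags = 0x8180 if response else 0x0100
    return dns_id.to_bytes(2, "big") + flags.to_bytes(2, "big") + bytes(length - 4)
```

Run it with a client/server pair: two queries from the same client port share one connection, the second query resets the connection's idle time, and a response whose app_id has already expired is dropped even though the connection is still present.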