Firewalling, Security

Cisco ASA: DNS reply filtering

René Jorissen on August 28, 2009 7 Comments • Tags: #asa #cache #class #dns #drop #expression #filtering #inspect #inspection #map #policymap #regex #regular #request #url

Today I was asked to block access to multiple websites and the only device capable of doing this was the firewall. This customer is using a Cisco ASA firewall, which supports basic URL filtering. This customers wanted to block HTTP and HTTPS websites. HTTPS websites use a SSL tunnel from the end device to the end server, so the firewall isn’t capable of inspecting the SSL traffic. Instead of using URL inspection, I configured DNS inspection.

The ASA inspects the DNS request from the internal DNS server or end device to the external DNS server. I use regular expressions to match the FQDN of a website. Below is an example configuration of blocking access to the website (and applications using a DNS entry to this website)

regex “\.logmein\.com”
class-map type regex match-any DomainBlockList
description Blocked Domains
match regex
policy-map type inspect dns PM-DNS-inspect
message-length maximum 512
match domain-name regex class DomainBlockList
drop-connection log
policy-map global_policy
class inspection_default
inspect dns PM-DNS-inspect
service-policy global_policy global

A problem with this approach could be the DNS cache on the internal DNS server. This is domain name is queried before configuring the inspection, the domain will be available until the DNS cache from the DNS server expires. In urgent situation you can maybe clear the DNS cache yourself.

If a DNS reply is matched the ASA generates a syslog message, like shown below.

08-28-2009 15:33:31 Local4.Warning %ASA-4-410003: DNS Classification: Dropped DNS request (id 22251) from inside:DNS-SERVER/59256 to outside:UPSTREAM-DNS/53; matched Class 23: match domain-name regex class DomainBlockList

The following two tabs change content below.

René Jorissen

Co-owner and Solution Specialist at 4IP Solutions
René Jorissen works as Solution Specialist for 4IP in the Netherlands. Network Infrastructures are the primary focus. René works with equipment of multiple vendors, like Cisco, Aruba Networks, FortiNet, HP Networking, Juniper Networks, RSA SecurID, AeroHive, Microsoft and many more. René is Aruba Certified Edge Expert (ACEX #26), Aruba Certified Mobility Expert (ACMX #438), Aruba Certified ClearPass Expert (ACCX #725), Aruba Certified Design Expert (ACDX #760), CCNP R&S, FCNSP and Certified Ethical Hacker (CEF) certified. You can follow René on Twitter and LinkedIn.

Latest posts by René Jorissen (see all)

  1. kerlenpondi says:

    Hi, could you please explain this command:

    class-map type inspect dns match-all BlockDNSClass

    ?? it’s not use anywhere


  2. The command isn’t used in the configuration and therefore obsolete. I removed it from the configuration.

  3. Guus says:

    please Explain,
    Some script result failure.

  4. Hands down I’d recommend choosing a cheap ssl certificate. From what I’ve seen, they all function the same, and installation methods are reasonably similar, but the price varies dramatically. Wikipedia has a decent comparison of ssl certificate providers.

  5. I actually blog too and I am crafting a little something
    very close to this blog post, “Cisco ASA: DNS request filtering | Booches.
    nl”. Do you really mind in the event that Iimplement a lot of of
    your own concepts? Thanks for the post ,Jodi

  6. René says:

    No problem, Jodi. What is the URL of your blog?

  7. Gianluigi says:

    Hi Renè,

    congratulation for the great job! I implemented successfully your code, but now I’m trying to do the opposite thing. Allowing only specific domains, and blocking all the others.

    I’m trying with the not match command but It still blocks every url.
    What is missing?


Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.