
Tuesday, October 18, 2011


Cisco currently supports four inspection features for DNS:-
  • DNS Guard
  • DNS packet length verification
  • DNS A-record translation
  • DNS application layer policies

DNS Guard ensures that only a single DNS response to a DNS query is permitted back into your network. When a DNS client generates a DNS query, it uses UDP. The DNS server uses UDP to reply.

DNS Guard also prevents DNS DoS attacks, stopping a flood of DNS replies from coming back into your network, since without it a flood of UDP traffic on the connection would keep it in the conn table. It also protects against DNS spoofing and cache poisoning.

With DNS Guard, the appliance adds an entry in the conn table when it sees the client DNS query, which is used to permit the DNS reply from the server.

NOTE:- DNS Guard is the exception to using an idle timer for UDP connections to determine if they are done. Also, in version 6 and earlier, you could not disable DNS Guard. In version 7, it is enabled by default, but you can disable it.
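
The DNS Guard behaviour described above, as a simplified Python model added here for illustration (it is not Cisco's code and not part of the original post). It assumes the conn table entry is keyed on client endpoint, server endpoint and DNS transaction ID; the class name, helper names and sample addresses are constructed for the example.

```python
import struct

def dns_header(txid, response):
    # Constructed 12-byte DNS header: ID, flags (QR bit = 0x8000), QDCOUNT=1, other counts 0
    return struct.pack("!HHHHHH", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)

class DnsGuardModel:
    """Toy model: one conn entry per query, removed by the first matching reply."""

    def __init__(self):
        self.conns = set()  # stand-in for the appliance's conn table

    @staticmethod
    def _txid_and_qr(payload):
        # First 4 bytes of the DNS header: 16-bit ID, then flags; top flag bit is QR
        if len(payload) < 12:
            raise ValueError("truncated DNS header")
        txid, flags = struct.unpack("!HH", payload[:4])
        return txid, bool(flags & 0x8000)

    def outbound(self, client, server, payload):
        txid, is_response = self._txid_and_qr(payload)
        if is_response:
            return "drop"  # only queries open an entry
        self.conns.add((client, server, txid))
        return "permit"

    def inbound(self, server, client, payload):
        txid, is_response = self._txid_and_qr(payload)
        key = (client, server, txid)
        if not is_response or key not in self.conns:
            return "drop"  # unsolicited, mismatched or duplicate reply
        self.conns.remove(key)  # torn down on the first reply, no idle timer involved
        return "permit"

def demo():
    fw = DnsGuardModel()
    client, server = ("10.0.0.5", 53001), ("192.0.2.53", 53)  # constructed addresses
    results = [fw.outbound(client, server, dns_header(0x1A2B, False))]
    results.append(fw.inbound(server, client, dns_header(0x9999, True)))  # wrong ID
    results.append(fw.inbound(server, client, dns_header(0x1A2B, True)))  # first reply
    results.append(fw.inbound(server, client, dns_header(0x1A2B, True)))  # duplicate reply
    return results

if __name__ == "__main__":
    print(demo())
```

Because the entry is removed by the first valid reply, any further replies in a flood find no entry to match and are dropped, whereas an idle timer would be refreshed by each one.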


DNS Packet Length Verification :-
Starting in version 7 of the OS, the appliances check to make sure that the DNS packet length doesn’t exceed 512 bytes by default. According to the RFC, 512 bytes should be the maximum. If packets were larger than this, then they might be non-DNS packets, and the appliance would drop them by default.

Corresponding static command to use DNS Doctoring:
ciscoasa(config)# static (inside,outside) dns

DNS Application Layer Policies :- Starting in version 7, the appliances support many DNS application layer policies you can implement, including:
  • Filter packets based on DNS header information, domain names, resource record types, and record classes.
  • Mask the Recursion Desired (RD) and Recursion Available (RA) flags in the DNS header to protect a server if it supports one or more internal zones.
  • Look for and prevent a mismatch in the number of DNS responses when compared with queries, which could indicate a cache poisoning attack.
  • Ensure that a Transaction Signature (TS) is included in all DNS messages.
