DNS, in my opinion, is the cornerstone of Internet communication. Web browsing, email, file transfer, multimedia access and so on all depend on DNS. After Dan Kaminsky's recent discovery of a major DNS security issue, protecting the DNS service is of critical importance. Fortunately, the Cisco ASA firewall provides several DNS inspection features that can be used to enhance DNS security. These parameters are configured under the Modular Policy Framework (MPF) of the ASA, as shown below:

    class-map inspection_default
     match default-inspection-traffic
    !
    policy-map type inspect dns preset_dns_map
     parameters
      dns-guard
      !-- Enable dns-guard to verify that DNS query and
      !-- response transaction IDs match and only one DNS
      !-- response is allowed through the firewall for
      !-- each query.
      !
      message-length maximum 512
      !-- Enable a maximum message length to help defeat DNS
      !-- amplification attacks. Note: This is the default
      !-- configuration and value based on RFC 1035.
      !
      id-mismatch count 10 duration 2 action log
      !-- Enable id-mismatch to count DNS transaction ID
      !-- mismatches within a specified period of time
      !-- and generate a syslog when the defined threshold
      !-- has been reached.
      !
      id-randomization
      !-- Enable id-randomization to generate unpredictable
      !-- DNS transaction IDs in DNS messages and protect
      !-- DNS servers and resolvers with poor randomization
      !-- of DNS transaction IDs.
      exit
     match header-flag RD
      drop
      !-- Check for DNS query messages with the recursion
      !-- desired (RD) flag set in the DNS header and drop
      !-- those packets to avoid being used as a recursive
      !-- resolver.
    !
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      !-- CLI Output Truncated --
    !
    service-policy global_policy global
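To make the behaviour of these inspection parameters concrete, here is an added Python model of the four checks (dns-guard, message-length maximum, id-mismatch threshold, and header-flag RD drop) applied to constructed DNS messages. It is illustrative code written for this post, not Cisco's implementation, and it assumes a simplified view: queries and responses are matched by (client, transaction ID), the RD check is applied to queries only as the configuration comments describe, and the mismatch window is a sliding two-second interval.

```python
import struct
import time
from collections import deque

# Thresholds taken from the ASA configuration above
MAX_MESSAGE_LENGTH = 512    # message-length maximum 512 (RFC 1035 UDP limit)
ID_MISMATCH_COUNT = 10      # id-mismatch count 10
ID_MISMATCH_DURATION = 2.0  # duration 2 (seconds)


def build_dns_message(txid, response=False, rd=False, qname=b"example.com"):
    """Constructed minimal DNS message (header + one question) for test traffic."""
    flags = (0x8000 if response else 0) | (0x0100 if rd else 0)  # QR and RD bits
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l for l in qname.split(b"."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    return header + question


def parse_dns_header(msg):
    """Return (txid, is_response, rd_set) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000), bool(flags & 0x0100)


class DnsInspector:
    """Stateful model (hypothetical, not the ASA code) of the inspection checks."""

    def __init__(self, drop_rd_queries=True, clock=time.monotonic):
        self.pending = set()        # (client, txid) of queries awaiting a reply
        self.mismatches = deque()   # timestamps of recent transaction ID mismatches
        self.drop_rd_queries = drop_rd_queries
        self.clock = clock
        self.log = []               # stands in for the syslog the ASA would emit

    def _count_mismatch(self, now):
        # id-mismatch: count mismatches inside the sliding window and log once
        # the threshold is reached, then start a fresh count.
        self.mismatches.append(now)
        while self.mismatches and now - self.mismatches[0] > ID_MISMATCH_DURATION:
            self.mismatches.popleft()
        if len(self.mismatches) >= ID_MISMATCH_COUNT:
            self.log.append("id-mismatch threshold reached")
            self.mismatches.clear()

    def inspect(self, msg, client, now=None):
        """Return ('permit'|'drop', reason) for one DNS message from `client`."""
        now = self.clock() if now is None else now
        # message-length maximum: oversized messages are dropped outright
        if len(msg) > MAX_MESSAGE_LENGTH:
            return "drop", "message-length exceeds maximum"
        txid, is_response, rd = parse_dns_header(msg)
        key = (client, txid)
        if not is_response:
            # match header-flag RD / drop: refuse queries asking for recursion
            if rd and self.drop_rd_queries:
                return "drop", "RD flag set on query"
            self.pending.add(key)
            return "permit", "query"
        # dns-guard: a response must match an outstanding query ID, and only
        # the first matching response is allowed through for each query.
        if key in self.pending:
            self.pending.remove(key)
            return "permit", "response matches query"
        self._count_mismatch(now)
        return "drop", "response ID mismatch"
```

The `now` argument exists so the sliding window can be driven deterministically in tests; in normal use the monotonic clock is used. Note that the real ASA also tears down the UDP connection after the first response, which this model approximates by removing the pending entry.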
