default domain name is defined.

```
dns domain-lookup outside
DNS server-group DefaultDNS
  name-server 8.8.8.8
  domain-name fir3net.com
```

#### Configure Access Policy

Next we define our FQDN via a network object. This object is then referenced within an ACL (as shown below).
```
object network obj-google.com
 fqdn google.com

access-list acl-inside extended deny ip any object obj-google.com
access-list acl-inside extended permit ip any any log
```

## Show

When troubleshooting there are two key commands: `show access-list …` and `show dns`.
#### ACL

To quickly see the IPs that have been resolved and added to the ACL, use `show access-list <ACL NAME>`.
```
asa-skyn3t(config)# sh access-list acl-inside
access-list acl-inside; 13 elements; name hash: 0x3a87ecb6
access-list acl-inside line 1 extended deny ip any object obj-google.com (hitcnt=29) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any fqdn google.com (resolved) 0xbd27c0d0
  access-list acl-inside line 1 extended deny ip any host 173.194.34.104 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.99 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.96 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.100 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.110 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.101 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.105 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.102 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.98 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.103 (google.com) (hitcnt=0) 0x8aaa140d
  access-list acl-inside line 1 extended deny ip any host 173.194.34.97 (google.com) (hitcnt=29) 0x8aaa140d
access-list acl-inside line 2 extended permit ip any any log informational interval 300 (hitcnt=8531062) 0x433f2632
```

#### Cache

To view the cache, use `show dns`. This shows the remaining TTL for each cached response.
```
asa-skyn3t(config)# sh dns
Name: google.com
  Address: 173.194.34.104        TTL 00:02:58
  Address: 173.194.34.99         TTL 00:02:58
  Address: 173.194.34.96         TTL 00:02:58
  Address: 173.194.34.100        TTL 00:02:58
  Address: 173.194.34.110        TTL 00:02:58
  Address: 173.194.34.101        TTL 00:02:58
  Address: 173.194.34.105        TTL 00:02:58
  Address: 173.194.34.102        TTL 00:02:58
  Address: 173.194.34.98         TTL 00:02:58
  Address: 173.194.34.103        TTL 00:02:58
  Address: 173.194.34.97         TTL 00:02:58
```

## Caveats

Now, let's look at some of the caveats that this feature brings.
#### URL Filtering

Because this feature does not inspect HTTP content (i.e. the URI or Host header), it is not a replacement for URL filtering.
#### Security

Because DNS is used for FQDN-to-IP resolution, this feature adds an additional attack vector (e.g. cache poisoning) to your environment. It is therefore recommended to use a trusted (i.e. internal) DNS server.
#### Multiple FQDNs

Multiple FQDNs can reside on a single IP. So if you permit abc.com and xyz.com also resolves to the same IP, you are permitting access not only to abc.com but also to xyz.com.
#### Single IP Answers

Many DNS servers respond with a single IP at a time, with each subsequent request returning a different IP address. This isn't ideal, as the ASA may resolve a different IP than the client, resulting in traffic being intermittently allowed or denied.
#### Loadbalanced DNS TTLs

Many DNS hosting providers present a server farm (pool) of DNS servers behind a single IP address, and each DNS query is load balanced across the pool. In addition, the TTL returned by a DNS caching server is the remaining TTL of the entry in its cache, whereas an authoritative server returns the TTL set on the actual record.
Why does this matter? Let's consider the following scenario:
1. The ASA queries DNS for xyz.com.
2. The request is sent to a load-balanced pool of DNS servers. DNS Server A responds with an answer of 1.1.1.1 with a TTL of 30 seconds.
3. The client then queries DNS for xyz.com.
4. The request is sent to the load-balanced pool. DNS Server B responds with an answer of 1.1.1.1 with a TTL of 3600 seconds.
5. The ASA DNS entry expires 30 seconds later.
6. The ASA then queries DNS for xyz.com again.
7. The request is sent to the load-balanced pool. DNS Server A responds with an answer of 2.2.2.2.
8. As the ASA now has a DNS cache entry of 2.2.2.2 while the client still has 1.1.1.1, traffic will be incorrectly permitted or denied (depending on the ACL action).
In this situation you should configure the "expiry timeout value", which lets you increase the TTL of the DNS entry within the ASA cache. Further details can be found in the 'Expiry Timeout' section, further down.
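To make the eight steps above concrete, here is a small Python model of that scenario (an added example, not code from the original article or from Cisco): two caching pool members, an ASA and a client, replayed second by second. The ASA's "expiry timeout" is approximated as extra seconds of retention added to the returned TTL, and the IPs, TTLs and the authoritative record change are constructed values taken from the scenario.

```python
from dataclasses import dataclass
from typing import Optional

RECORD_TTL = 3600  # TTL set on the authoritative record (constructed value)


@dataclass
class CachingServer:
    """One member of the load-balanced pool; returns the *remaining* TTL of its cached copy."""
    name: str
    ip: str
    expires_at: int  # timeline second at which this server's cached answer expires

    def answer(self, now, authoritative_ip):
        if now >= self.expires_at:  # cache miss: refetch the record from the authority
            self.ip, self.expires_at = authoritative_ip, now + RECORD_TTL
        return self.ip, self.expires_at - now


@dataclass
class Resolver:
    """The ASA or the client. Caches an answer for its TTL plus any extra retention
    (the article's "expiry timeout" is modelled simply as extra seconds; assumption)."""
    pool_member: CachingServer  # the scenario fixes which pool member each party reaches
    extra_retention: int = 0
    ip: Optional[str] = None
    expires_at: int = -1

    def resolve(self, now, authoritative_ip):
        if now >= self.expires_at:
            self.ip, ttl = self.pool_member.answer(now, authoritative_ip)
            self.expires_at = now + ttl + self.extra_retention
        return self.ip


def mismatch_seconds(asa_extra_retention=0, horizon=3660):
    """Replay steps 1-8 second by second and count the seconds in which the ASA and
    the client resolve xyz.com to different addresses."""
    server_a = CachingServer("A", "1.1.1.1", expires_at=30)    # step 2: 30 s of TTL left
    server_b = CachingServer("B", "1.1.1.1", expires_at=3600)  # step 4: 3600 s of TTL left
    asa = Resolver(server_a, asa_extra_retention)
    client = Resolver(server_b)
    authority = "2.2.2.2"  # the record has already moved, so refreshes return 2.2.2.2 (step 7)
    return sum(1 for t in range(horizon)
               if asa.resolve(t, authority) != client.resolve(t, authority))


if __name__ == "__main__":
    print("default ASA cache:         %d s of disagreement" % mismatch_seconds())
    print("ASA retains entry +3600 s: %d s of disagreement" % mismatch_seconds(3600))
```

Run as a script it prints the seconds of disagreement with and without extra retention; in this model the extra retention shrinks the window from 3570 s to 30 s but does not remove it, because the client's own cache can expire first.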