{"id":826,"date":"2014-03-01T00:00:00","date_gmt":"2014-03-01T00:00:00","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2014\/03\/01\/cisco-asa-domain-fqdn-based-acls\/"},"modified":"2023-01-06T16:41:14","modified_gmt":"2023-01-06T16:41:14","slug":"cisco-asa-domain-fqdn-based-acls","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html","title":{"rendered":"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN)"},"content":{"rendered":"<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_65 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<p class=\"ez-toc-title\">Table of Contents<\/p>\n<label for=\"ez-toc-cssicon-toggle-item-6624b2a917a74\" class=\"ez-toc-cssicon-toggle-label\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/label><input type=\"checkbox\"  id=\"ez-toc-cssicon-toggle-item-6624b2a917a74\"  aria-label=\"Toggle\" \/><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Introduction\" title=\"Introduction\">Introduction<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Configuration\" title=\"Configuration\">Configuration<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Configure_DNS\" title=\"Configure DNS\">Configure DNS<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Configure_Access_Policy\" title=\"Configure Access Policy\">Configure Access Policy<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Show\" title=\"Show\">Show<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#ACL\" title=\"ACL\">ACL<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Cache\" title=\"Cache\">Cache<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Caveats\" title=\"Caveats\">Caveats<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#URL_Filtering\" title=\"URL Filtering\">URL Filtering<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Security\" title=\"Security\">Security<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Multiple_FQDNs\" title=\"Multiple FQDN`s \">Multiple FQDN`s <\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Single_IP_Answers\" title=\"Single IP Answers\">Single IP Answers<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Loadbalanced_DNS_TTLs\" title=\"Loadbalanced DNS TTLs\">Loadbalanced DNS TTLs<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Unreachable_DNS_Server\" title=\"Unreachable DNS Server\">Unreachable DNS Server<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#Expiry_Timeout\" title=\"Expiry Timeout\">Expiry Timeout<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\/#References\" title=\"References\">References<\/a><\/li><\/ul><\/nav><\/div>\n<h2 class=\"h3\"><span class=\"ez-toc-section\" id=\"Introduction\"><\/span><strong>Introduction<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name).<br \/>\nThis feature works by the ASA resolving the IP of the FQDN via DNS which it then stores within its cache. Traffic is then either denied or permitted accordingly.<\/p>\n<p>Within this article will look at the configuration, caveats and some of the key commands required for troubleshooting.<\/p>\n<h2 class=\"h3\"><span class=\"ez-toc-section\" id=\"Configuration\"><\/span><strong>Configuration<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>There are 2 steps in configuring FQDN lookups. The first is to configure DNS, the access policy is then created.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Configure_DNS\"><\/span><strong>Configure DNS<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>To configure DNS the egress interface, the DNS servers IP (here it is 8.8.8.8) and <span class=\"content\">default domain name<\/span> is defined.<\/p>\n<pre>dns domain-lookup outside\r\nDNS server-group DefaultDNS\r\n\u00a0 name-server 8.8.8.8\r\n\u00a0 domain-name fir3net.com<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"Configure_Access_Policy\"><\/span><strong>Configure Access Policy<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Next we define our FQDN via a network object group. This group is then specified within an ACL (as shown below).<\/p>\n<pre>object network obj-google.com\r\n\u00a0fqdn google.com\r\n\r\naccess-list acl-inside extended deny ip any object obj-google.com\r\naccess-list acl-inside extended permit ip any any log<\/pre>\n<h2 class=\"h3\"><span class=\"ez-toc-section\" id=\"Show\"><\/span><strong>Show<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>When troubleshooting there are 2 key commands, &#8216;show access-list &#8230;&#8217; and &#8216;show dns&#8217;.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"ACL\"><\/span><strong>ACL<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>To quickly see the IP`s that have been resolved and that have been added to the ACL, the command &#8216;show access-list &lt;ACL NAME&gt;&#8217; is used.<\/p>\n<pre>asa-skyn3t(config)# <strong>sh access-list acl-inside<\/strong>\r\naccess-list acl-inside; 13 elements; name hash: 0x3a87ecb6\r\naccess-list acl-inside line 1 extended deny ip any object obj-google.com (hitcnt=29) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any fqdn google.com (resolved) 0xbd27c0d0\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.104 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.99 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.96 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.100 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.110 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.101 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.105 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.102 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.98 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.103 (google.com) (hitcnt=0) 0x8aaa140d\r\n\u00a0 access-list acl-inside line 1 extended deny ip any host 173.194.34.97 (google.com) (hitcnt=29) 0x8aaa140d\r\naccess-list acl-inside line 2 extended permit ip any any log informational interval 300 (hitcnt=8531062) 0x433f2632<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"Cache\"><\/span><strong>Cache<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>To view the cache the command &#8216;show dns&#8217; is used. This provides the remaining TTL for each of the cached responses.<\/p>\n<pre>asa-skyn3t(config)# sh dns\r\nName: google.com\r\n\u00a0 Address: 173.194.34.104\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.99\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.96\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.100\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.110\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.101\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.105\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.102\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.98\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.103\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58\r\n\u00a0 Address: 173.194.34.97\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 TTL 00:02:58<\/pre>\n<h2 class=\"h3\"><span class=\"ez-toc-section\" id=\"Caveats\"><\/span><strong>Caveats<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Now, lets look at some of the caveats that this feature brings,<\/p>\n<h4><span class=\"ez-toc-section\" id=\"URL_Filtering\"><\/span><strong>URL Filtering<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>As you will appreciate as this feature doesn&#8217;t look into the HTTP content (i.e URI or host header) it is important to understand that this feature is not a replacement for URL filtering.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Security\"><\/span><strong>Security<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>As the DNS protocol is used for FQDN to IP resolution this adds an additional attack vector (i.e cache poisoning attacks etc) to your environment. Because of this it is recommended to use a trusted (i.e internal) DNS server.<\/p>\n<h4 class=\"pCENB_CmdEnv_NoBold\"><span class=\"ez-toc-section\" id=\"Multiple_FQDNs\"><\/span><strong>Multiple FQDN`s <\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>As you will be aware multiple FQDN`s can reside on a single IP. Meaning that, though you may permit abc.com as xyz.com also resolves to the same IP. You are not only permitting access to abc.com but also xyz.com.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Single_IP_Answers\"><\/span><strong>Single IP Answers<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Many DNS servers respond with a single IP at a time, with each subsequent request resulting in different IP address being returned. As you will appreciate this isn&#8217;t ideal, as it can result in the ASA resolving a different IP to the client and traffic being intermittently allowed or denied.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Loadbalanced_DNS_TTLs\"><\/span><strong>Loadbalanced DNS TTLs<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Many DNS hosting providers present a server farm (pool) of DNS servers via a single IP address. For each DNS query that is sent, the request is loadbalanced across the pool of DNS servers. Based on this and also that the TTL value returned from a DNS caching server is the TTL value from its cache (where as an\u00a0authoritative servers which provides the TTL set on the actual record).<\/p>\n<p>Why does this matter ? Lets consider the following scenario,<\/p>\n<ol>\n<li>The ASA queries DNS for\u00a0xyz.com.<\/li>\n<li>The request is sent to a loadbalanced pool of DNS servers. DNS Server A responds with an answer of 1.1.1.1 with a TTL of 30 seconds.<\/li>\n<li>The client then queries DNS for xyz.com.<\/li>\n<li>The request is sent to a loadbalanced pool of DNS servers. DNS Server B responds with an answer of 1.1.1.1 with a TTL of 3600 seconds.<\/li>\n<li>The ASA DNS entry then expires 30 secs later.<\/li>\n<li>The ASA then queries DNS for xyz.com again.<\/li>\n<li>The request is sent to a loadbalanced pool of DNS servers. DNS Server A responds with an answer of 2.2.2.2.<\/li>\n<li>As the ASA still has a DNS cache entry of 2.2.2.2 but the client has an entry of 1.1.1.1 traffic will be incorrectly (depending on the ACL action) permitted or denied.<\/li>\n<\/ol>\n<p>In this situation you should look to configure the &#8220;expiry timeout value&#8221;. This will allow you to increase the TTL of the DNS entry within the ASA cache. Further details can e found within the &#8216;Expiry Timeout&#8217; section, further down.<\/p>\n<h4><span class=\"ez-toc-section\" id=\"Unreachable_DNS_Server\"><\/span><strong>Unreachable DNS Server<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>There are times when the DNS server is unreachable. Should this occur, and the ASA is unable to resolve the IP of the FQDN then the ACL will be marked as &#8216;inactive&#8217;, as shown below.<\/p>\n<pre>asa# sh access-list acl-inside\r\naccess-list acl-inside; 5 elements; name hash: 0xf4313c68\r\naccess-list acl-inside line 1 extended permit ip any object obj-google.com 0xb541940f\r\n\u00a0 access-list acl-inside line 1 extended permit ip any fqdn google.com (<strong>unresolved<\/strong>) (<strong>inactive<\/strong>) 0x54f9d97f\r\naccess-list acl-inside line 2 extended permit ip host 192.168.100.200 any (hitcnt=0) 0x923a45a3\r\naccess-list acl-inside line 5 extended deny ip any any (hitcnt=12) 0x7b5326c0<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"Expiry_Timeout\"><\/span><strong>Expiry Timeout<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Though not a direct caveat, the way in which the use of the &#8216;expiry timeout value&#8217; is good to know.<br \/>\nThe &#8216;expiry timeout value&#8217; defines the additional time that the ASA will wait once the original TTL has expired, before it removes the entry from its cache.<\/p>\n<pre>dns expire-entry-timer minutes &lt;minute&gt;<\/pre>\n<p><strong>Example<\/strong> : The command &#8216;dns expire-entry-timer minutes 2&#8217; is used.\u00a0 The DNS server returns an IP of 1.1.1.1 with a TTL of 5 minutes. The ASA then adds this entry to its cache with a TTL of 7 minutes.\u00a0 After the 5 minutes (the original TTL) has expired the ASA re-queries DNS*.<\/p>\n<p><em>* If a different IP is returned this is added to the cache along with the existing cache entries.<\/em><\/p>\n<p><strong><em>Note<\/em><\/strong> : Both the minimum and default DNS expire-entry-timer value is 1 minute.<\/p>\n<h2 class=\"h3\"><span class=\"ez-toc-section\" id=\"References\"><\/span><strong>References<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a href=\"https:\/\/supportforums.cisco.com\/docs\/DOC-17014\">https:\/\/supportforums.cisco.com\/docs\/DOC-17014<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works by the ASA resolving the IP of the FQDN via DNS which it then stores within its cache. Traffic is then either denied or permitted accordingly. Within this article will look &#8230; <a title=\"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN)\" class=\"read-more\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\" aria-label=\"Read more about Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN)\">Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v22.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN) - Fir3net<\/title>\n<meta name=\"description\" content=\"Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN) - Fir3net\" \/>\n<meta property=\"og:description\" content=\"Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\" \/>\n<meta property=\"og:site_name\" content=\"Fir3net\" \/>\n<meta property=\"article:published_time\" content=\"2014-03-01T00:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-01-06T16:41:14+00:00\" \/>\n<meta name=\"author\" content=\"Rick Donato\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rick Donato\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\"},\"author\":{\"name\":\"Rick Donato\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037\"},\"headline\":\"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN)\",\"datePublished\":\"2014-03-01T00:00:00+00:00\",\"dateModified\":\"2023-01-06T16:41:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\"},\"wordCount\":818,\"publisher\":{\"@id\":\"https:\/\/www.fir3net.com\/#organization\"},\"articleSection\":[\"Cisco Firewalls\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\",\"url\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\",\"name\":\"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN) - Fir3net\",\"isPartOf\":{\"@id\":\"https:\/\/www.fir3net.com\/#website\"},\"datePublished\":\"2014-03-01T00:00:00+00:00\",\"dateModified\":\"2023-01-06T16:41:14+00:00\",\"description\":\"Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works\",\"breadcrumb\":{\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.fir3net.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Security\",\"item\":\"https:\/\/www.fir3net.com\/security\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Firewalls\",\"item\":\"https:\/\/www.fir3net.com\/security\/firewalls\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Cisco Firewalls\",\"item\":\"https:\/\/www.fir3net.com\/security\/firewalls\/cisco\"},{\"@type\":\"ListItem\",\"position\":5,\"name\":\"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.fir3net.com\/#website\",\"url\":\"https:\/\/www.fir3net.com\/\",\"name\":\"Fir3net\",\"description\":\"Keeping you in the know\",\"publisher\":{\"@id\":\"https:\/\/www.fir3net.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.fir3net.com\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.fir3net.com\/#organization\",\"name\":\"Fir3net\",\"url\":\"https:\/\/www.fir3net.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png\",\"contentUrl\":\"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png\",\"width\":390,\"height\":88,\"caption\":\"Fir3net\"},\"image\":{\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037\",\"name\":\"Rick Donato\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.fir3net.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g\",\"caption\":\"Rick Donato\"},\"description\":\"Rick Donato is a Network Automation Architect\/Evangelist and the founder of Packet Coders.\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN) - Fir3net","description":"Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html","og_locale":"en_US","og_type":"article","og_title":"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN) - Fir3net","og_description":"Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works","og_url":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html","og_site_name":"Fir3net","article_published_time":"2014-03-01T00:00:00+00:00","article_modified_time":"2023-01-06T16:41:14+00:00","author":"Rick Donato","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rick Donato","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html#article","isPartOf":{"@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html"},"author":{"name":"Rick Donato","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037"},"headline":"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN)","datePublished":"2014-03-01T00:00:00+00:00","dateModified":"2023-01-06T16:41:14+00:00","mainEntityOfPage":{"@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html"},"wordCount":818,"publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"articleSection":["Cisco Firewalls"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html","url":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html","name":"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN) - Fir3net","isPartOf":{"@id":"https:\/\/www.fir3net.com\/#website"},"datePublished":"2014-03-01T00:00:00+00:00","dateModified":"2023-01-06T16:41:14+00:00","description":"Introduction Introduced within Cisco ASA version 8.4(2), Cisco added the ability to allow traffic based on the FQDN (i.e domain name). This feature works","breadcrumb":{"@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.fir3net.com\/Firewalls\/Cisco\/cisco-asa-domain-fqdn-based-acls.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.fir3net.com\/"},{"@type":"ListItem","position":2,"name":"Security","item":"https:\/\/www.fir3net.com\/security"},{"@type":"ListItem","position":3,"name":"Firewalls","item":"https:\/\/www.fir3net.com\/security\/firewalls"},{"@type":"ListItem","position":4,"name":"Cisco Firewalls","item":"https:\/\/www.fir3net.com\/security\/firewalls\/cisco"},{"@type":"ListItem","position":5,"name":"Cisco ASA Permit\/Deny Traffic based on Domain Name (FQDN)"}]},{"@type":"WebSite","@id":"https:\/\/www.fir3net.com\/#website","url":"https:\/\/www.fir3net.com\/","name":"Fir3net","description":"Keeping you in the know","publisher":{"@id":"https:\/\/www.fir3net.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.fir3net.com\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.fir3net.com\/#organization","name":"Fir3net","url":"https:\/\/www.fir3net.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","contentUrl":"https:\/\/www.fir3net.com\/wp-content\/uploads\/Fir3net-Background-Logo-compressed.png","width":390,"height":88,"caption":"Fir3net"},"image":{"@id":"https:\/\/www.fir3net.com\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/ab35009601b7687ee1c5310be6038037","name":"Rick Donato","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.fir3net.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d75d69a54c0ca3b32c24c3a9703b623c?s=96&d=mm&r=g","caption":"Rick Donato"},"description":"Rick Donato is a Network Automation Architect\/Evangelist and the founder of Packet Coders."}]}},"_links":{"self":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/826"}],"collection":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/comments?post=826"}],"version-history":[{"count":1,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/826\/revisions"}],"predecessor-version":[{"id":3424,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/posts\/826\/revisions\/3424"}],"wp:attachment":[{"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/media?parent=826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/categories?post=826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fir3net.com\/wp-json\/wp\/v2\/tags?post=826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}