firewall checks

Unanswered Question
Feb 18th, 2008

Hi all, can anyone tell me if, when using ASA firewalls, they verify the reverse address using DNS when connections sourced from outside are being made? I have seen this on other firewall vendors; is this standard firewall practice?


cheers

Danilo Dy Mon, 02/18/2008 - 01:45

Hi Carl,


There are firewalls which have this feature of Reverse DNS Lookup, to find out where the IP address comes from. Usually this is beneficial for logging.


However, this can cause performance problems. If the Reverse DNS Lookup does not resolve, performance is degraded as the request times out, because the firewall has to wait for the reply, especially if this is recursive querying.


If the firewall is hosting a popular website, the amount of load to perform Reverse DNS Lookup for all the IP addresses that hit the firewall may be too much for the firewall to process.


Regards,

Dandy
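Added example, not from this thread and not Cisco code: an off-box log enrichment step that does the reverse lookups Dandy describes, with the per-query timeout and negative cache that keep a non-resolving PTR zone from stalling the pipeline. The ASA-style log lines, `demo_lookup` and the host names are constructed so it runs offline.

```python
import re
import socket
import time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as FutureTimeout

# Constructed sample of ASA 302013 "Built inbound" messages (not real traffic).
SAMPLE_LOG = """\
%ASA-6-302013: Built inbound TCP connection 1001 for outside:198.51.100.7/44123 (198.51.100.7/44123) to inside:10.0.0.5/80 (203.0.113.10/80)
%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/44124 (198.51.100.7/44124) to inside:10.0.0.5/80 (203.0.113.10/80)
%ASA-6-302013: Built inbound TCP connection 1003 for outside:192.0.2.44/55000 (192.0.2.44/55000) to inside:10.0.0.5/443 (203.0.113.10/443)"""
SRC_RE = re.compile(r"for outside:(\d+\.\d+\.\d+\.\d+)/\d+")

class ReverseLookupCache:
    """PTR lookups with a hard per-query timeout and a cache of both hits and misses."""
    def __init__(self, lookup=socket.gethostbyaddr, timeout=0.5, workers=4):
        self._lookup, self._timeout = lookup, timeout
        self._pool = ThreadPoolExecutor(max_workers=workers)
        self._cache = {}      # ip -> hostname, or None for a known miss
        self.lookups = 0      # how many queries actually went to the resolver

    def resolve(self, ip):
        if ip in self._cache:             # hit or negative hit: no waiting at all
            return self._cache[ip]
        self.lookups += 1
        future = self._pool.submit(self._lookup, ip)
        try:
            name = future.result(timeout=self._timeout)[0]
        except (FutureTimeout, OSError):  # slow zone or NXDOMAIN: record the miss
            name = None
        self._cache[ip] = name
        return name

def enrich(log_text, resolver):
    """Append src_host=<name|unresolved> to each line that has an outside source IP."""
    out = []
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        name = resolver.resolve(m.group(1)) if m else None
        out.append(f"{line} src_host={name or 'unresolved'}" if m else line)
    return out

def demo_lookup(ip):
    """Stand-in resolver (assumption, for offline runs): one PTR answers, one never does."""
    if ip == "198.51.100.7":
        return ("host7.example.net", [], [ip])
    if ip == "192.0.2.44":
        time.sleep(2)                     # simulates a reverse zone that never answers
    raise socket.herror(1, "Unknown host")
```

Run it with `enrich(SAMPLE_LOG, ReverseLookupCache(lookup=demo_lookup, timeout=0.2))`: the repeated source costs one query, and the dead zone costs 0.2 s once rather than on every line.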

carl_townshend Mon, 02/18/2008 - 03:09

Is this enabled by default on ASA? And if not, how do we enable it?

Danilo Dy Mon, 02/18/2008 - 06:39

Hi Carl,


AFAIK, although a properly configured PIX and ASA permits Domain Name System (DNS) traffic through to allow for inside and outside devices to do DNS, the PIX and ASA itself does not resolve names.


The DNS Client in PIX and ASA is for VPN/WebVPN use. DDNS is for DHCP hosts.


Regards,

Dandy

cisco24x7 Mon, 02/18/2008 - 08:38

"If the firewall is hosting a popular website, the amount of load to perform Reverse DNS Lookup for all the IP addresses that hit the firewall may be too much for the firewall to process"

That's true, but if your firewall is running on dual quad-core processors with clustering technologies such as ClusterXL, then this is not an issue at all.

"the PIX and ASA itself does not resolve names."

This issue will come up time and time again, especially for customers who want to migrate from other firewall vendors such as Check Point to Cisco, only to find out that Cisco does not support DNS domains in the rulebase. For example, this cannot be done with ASA:

Source      Destination  Service  Action  Track
.test.com   1.1.1.1      http     Accept  log



carl_townshend Tue, 02/19/2008 - 03:04

Can you use the ASA as a DNS proxy to forward domain requests on?
