02-18-2008 01:19 AM - edited 03-05-2019 09:13 PM
Hi all, can anyone tell me whether, when using ASA firewalls, they verify the reverse address using DNS when connections sourced from outside are being made? I have seen this on other firewall vendors; is this standard firewall practice?
cheers
02-18-2008 01:45 AM
Hi Carl,
There are firewalls which have this feature of reverse DNS lookup to find out where the IP address comes from. Usually this is beneficial for logging.
However, this can cause performance problems. If the reverse DNS lookup does not resolve, performance is degraded as the request times out, because the firewall has to wait for the reply, especially if this is recursive querying.
If the firewall is hosting a popular website, the load of performing reverse DNS lookups for all the IP addresses that hit the firewall may be too much for the firewall to process.
Regards,
Dandy
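Dandy's caveat above (an unresolvable address stalls whatever is waiting on the PTR answer) applies to any reverse-lookup log enrichment, whether it runs on the firewall or in a syslog pipeline. The following is an added example by the editor, not code from this thread or from Cisco: it enriches constructed ASA-style "built connection" lines with the source's PTR name, bounds every lookup with a timeout, and negatively caches failures so a dead or silent PTR zone is only paid for once. The resolver is injected, and the `fake_resolver`, `FAKE_PTR` table and sample log lines are all constructed for the example so it runs offline; swap in `real_resolver` to use the OS resolver.

```python
import ipaddress
import re
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout

# Constructed sample lines in the shape of ASA %ASA-6-302013 "built
# connection" messages; addresses and connection IDs are made up.
SAMPLE_LOGS = [
    "%ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/51234 "
    "(203.0.113.5/51234) to inside:10.0.0.10/80 (192.0.2.10/80)",
    "%ASA-6-302013: Built inbound TCP connection 1002 for outside:198.51.100.7/40001 "
    "(198.51.100.7/40001) to inside:10.0.0.10/80 (192.0.2.10/80)",
    "%ASA-6-302013: Built inbound TCP connection 1003 for outside:203.0.113.5/51235 "
    "(203.0.113.5/51235) to inside:10.0.0.10/443 (192.0.2.10/443)",
]

# Source address of an inbound connection on the "outside" interface.
SRC_RE = re.compile(r"outside:(\d{1,3}(?:\.\d{1,3}){3})/\d+")


def ptr_name(ip: str) -> str:
    """The in-addr.arpa / ip6.arpa name a PTR query is sent for."""
    return ipaddress.ip_address(ip).reverse_pointer


# Constructed stand-in for socket.gethostbyaddr so the example runs offline:
# 203.0.113.5 has a PTR record, 198.51.100.7 has none (NXDOMAIN-style error),
# and 192.0.2.99 models a nameserver that never answers.
FAKE_PTR = {"203.0.113.5": "crawler.example.net"}


def fake_resolver(ip: str) -> str:
    if ip == "192.0.2.99":
        time.sleep(0.5)  # longer than any timeout used below
    if ip not in FAKE_PTR:
        raise socket.herror(1, "Unknown host")
    return FAKE_PTR[ip]


def real_resolver(ip: str) -> str:
    """Real PTR lookup through the OS resolver (not used by the offline test)."""
    return socket.gethostbyaddr(ip)[0]


class PtrCache:
    """Reverse lookups with a hard per-query timeout and positive/negative caching."""

    def __init__(self, resolver, timeout=0.1, neg_ttl=300.0, pos_ttl=3600.0):
        self.resolver = resolver
        self.timeout = timeout
        self.neg_ttl = neg_ttl
        self.pos_ttl = pos_ttl
        self._entries = {}  # ip -> (name or None, expiry in monotonic seconds)
        self._pool = ThreadPoolExecutor(max_workers=4)
        self.resolver_calls = 0  # counts real resolver invocations (cache misses)

    def lookup(self, ip: str):
        now = time.monotonic()
        hit = self._entries.get(ip)
        if hit and hit[1] > now:
            return hit[0]  # cached answer, including cached failures
        self.resolver_calls += 1
        future = self._pool.submit(self.resolver, ip)
        try:
            name = future.result(timeout=self.timeout)
            ttl = self.pos_ttl
        except (FutureTimeout, OSError):  # socket.herror/gaierror are OSError subclasses
            name, ttl = None, self.neg_ttl  # remember the failure, do not retry per packet
        self._entries[ip] = (name, now + ttl)
        return name


def timed_lookup(cache: PtrCache, ip: str):
    """Return (name, elapsed seconds) so the timeout bound can be checked."""
    start = time.monotonic()
    name = cache.lookup(ip)
    return name, time.monotonic() - start


def enrich(line: str, cache: PtrCache) -> str:
    """Append src_host=<ptr name or 'unresolved'> to an ASA connection line."""
    m = SRC_RE.search(line)
    if not m:
        return line
    name = cache.lookup(m.group(1))
    return f"{line} src_host={name or 'unresolved'}"


if __name__ == "__main__":
    cache = PtrCache(fake_resolver, timeout=0.05)
    for line in SAMPLE_LOGS:
        print(enrich(line, cache))
    print("resolver calls:", cache.resolver_calls)
```

The two knobs that matter operationally are `timeout` (the longest any single log line can be delayed) and `neg_ttl` (how long a non-answering PTR zone is remembered); without the negative cache, a busy site whose visitors sit in broken reverse zones would re-pay the full timeout for every connection, which is exactly the load problem described above.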
02-18-2008 03:09 AM
Is this enabled by default on ASA? And if not, how do we enable it?
02-18-2008 06:39 AM
Hi Carl,
AFAIK, although a properly configured PIX and ASA permits Domain Name System (DNS) traffic through to allow inside and outside devices to do DNS, the PIX and ASA itself does not resolve names.
The DNS Client in PIX and ASA is for VPN/WebVPN use. DDNS is for DHCP hosts.
Regards,
Dandy
02-18-2008 08:38 AM
"If the firewall is hosting a popular website, the amount of load to perform Reverse DNS Lookup for all the IP Address that hit the firewall maybe too much for the firewall to process"
That's true, but if your firewall is running on dual quad-core processors with clustering technologies such as ClusterXL, then this is not an issue at all.
"the PIX and ASA itself does not resolve names."
This issue will come up time and time again, especially for customers who want to migrate from other firewall vendors such as Checkpoint firewall to Cisco, only to find out that Cisco does not support DNS domains in the rulebase. For example, this cannot be done with ASA:
Source     Destination  Service  Action  Track
.test.com  1.1.1.1      http     Accept  log
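Editor's note, not part of the original thread: the situation described above is what ASA looked like in 2008. Releases 8.4(2) and later added FQDN network objects, so a rule keyed on a DNS name can be written; the fragment below is an added example using the documented ASA syntax, with the DNS server address and object name chosen for illustration. The important caveat for anyone migrating the Checkpoint rule above is that an FQDN object is resolved forwards (the ASA periodically queries A/AAAA records for the name and matches those addresses), so it is not a reverse lookup of the connecting source, and `fqdn test.com` matches only that exact name, not every host under the domain the way `.test.com` does.

```text
! Added example (not from the thread). DNS client is required for FQDN objects;
! the resolver address 198.51.100.53 is a placeholder.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53

! Forward-resolved name object; the ASA refreshes the A records it returns.
object network TEST-COM
 fqdn v4 test.com

! Closest ASA equivalent of the Checkpoint rule above, on the outside interface.
access-list OUTSIDE_IN extended permit tcp object TEST-COM host 1.1.1.1 eq www log
access-group OUTSIDE_IN in interface outside
```

Verify what the object currently resolves to with `show dns` and `show object id TEST-COM`; a source address whose PTR record points at test.com but whose A record does not resolve back to it will not match this rule.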
02-19-2008 03:04 AM
Can you use the ASA as a DNS proxy to forward domain requests on?