firewall checks

carl_townshend
Spotlight

Hi all, can anyone tell me whether, when using ASA firewalls, they verify the reverse address using DNS when connections sourced from outside are being made? I have seen this on other firewall vendors; is this standard firewall practice?

cheers

5 Replies

Danilo Dy
VIP Alumni

Hi Carl,

There are firewalls that have this feature of Reverse DNS Lookup to find out where the IP address comes from. Usually this is beneficial in the logging.

However, this can cause performance problems. If the Reverse DNS Lookup does not resolve, then performance is degraded as the request times out, because the firewall has to wait for the reply, especially if this is recursive querying.

If the firewall is hosting a popular website, the amount of load to perform Reverse DNS Lookup for all the IP addresses that hit the firewall may be too much for the firewall to process.

Regards,

Dandy
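To make Dandy's point concrete, here is an added example (not from this thread or from any firewall vendor) of reverse-DNS enrichment for firewall logs: a small cache with separate positive and negative TTLs, so an address whose PTR lookup fails costs one resolver timeout rather than one per log line. The log format, addresses and hostnames are constructed; the resolver is injectable so the code runs offline, and `system_ptr_lookup` shows the real OS-resolver call you would plug in.

```python
import socket
import time
from typing import Callable, Dict, List, Optional, Tuple
# Constructed sample firewall log lines (not from the thread); the field layout is hypothetical.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z ACCEPT src=203.0.113.10 dst=198.51.100.5 proto=tcp dport=443",
    "2024-01-01T10:00:01Z ACCEPT src=203.0.113.10 dst=198.51.100.5 proto=tcp dport=443",
    "2024-01-01T10:00:02Z DENY src=192.0.2.77 dst=198.51.100.5 proto=tcp dport=22",
    "2024-01-01T10:00:03Z DENY src=192.0.2.77 dst=198.51.100.5 proto=tcp dport=22",
]

def system_ptr_lookup(ip: str) -> str:
    """Real PTR lookup via the OS resolver; a miss raises socket.herror (an OSError).
    The per-query timeout is the OS resolver's own setting; nothing here shortens it."""
    return socket.gethostbyaddr(ip)[0]

class ReverseDnsCache:
    """Positive and negative cache: an address that never resolves costs one timeout, not one per line."""

    def __init__(self, resolver: Callable[[str], str], positive_ttl: float = 3600.0,
                 negative_ttl: float = 300.0, clock: Callable[[], float] = time.monotonic) -> None:
        self._resolver, self._clock = resolver, clock  # resolver returns a name or raises OSError
        self._positive_ttl, self._negative_ttl = positive_ttl, negative_ttl
        self._entries: Dict[str, Tuple[Optional[str], float]] = {}  # ip -> (name or None, expiry)
        self.lookups = 0  # resolver calls actually made: the load Dandy's reply warns about

    def hostname(self, ip: str) -> Optional[str]:
        now = self._clock()
        cached = self._entries.get(ip)
        if cached is not None and cached[1] > now:
            return cached[0]
        self.lookups += 1
        try:
            name: Optional[str] = self._resolver(ip)
            self._entries[ip] = (name, now + self._positive_ttl)
        except OSError:
            # Remember the miss for a shorter period so later lines from this address
            # do not pay the resolver timeout again.
            name = None
            self._entries[ip] = (None, now + self._negative_ttl)
        return name

def enrich(lines: List[str], cache: ReverseDnsCache) -> List[str]:
    """Append src_host=<name> (or src_host=unresolved) to each line, keyed on its src= field."""
    out = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        name = cache.hostname(fields["src"]) if "src" in fields else None
        out.append(f"{line} src_host={name or 'unresolved'}")
    return out
```

Watching `cache.lookups` against the number of lines processed shows how much of the lookup load the negative cache absorbs on a busy edge.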

Is this enabled by default on ASA? And if not, how do we enable it?

Hi Carl,

AFAIK, although a properly configured PIX and ASA permit Domain Name System (DNS) traffic through to allow inside and outside devices to do DNS, the PIX and ASA themselves do not resolve names.

The DNS Client in PIX and ASA is for VPN/WebVPN use. DDNS is for DHCP hosts.

Regards,

Dandy

"If the firewall is hosting a popular website, the amount of load to perform Reverse DNS Lookup for all the IP addresses that hit the firewall may be too much for the firewall to process."

That's true, but if your firewall is running on dual quad-core processors with clustering technologies such as ClusterXL, then this is not an issue at all.

"the PIX and ASA itself does not resolve names."

This issue will come up time and time again, especially for customers who want to migrate from other firewall vendors such as Checkpoint firewall to Cisco, only to find out that Cisco does not support DNS domains in the rulebase. For example, this cannot be done with ASA:

Source       Destination   Service   Action   Track
.test.com    1.1.1.1       http      Accept   log

Can you use the ASA as a DNS proxy to forward domain requests on?
