Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
880
Views
0
Helpful
2
Replies

ASA DNS inspection

lowen
Level 1
Level 1

‎07-29-2009 05:15 AM - edited ‎03-11-2019 09:00 AM

Is it possible to identify dynamic dns update packets using a class-map (and thus write a policy to drop them)? I see "match header-flag", "match dns-type", and "match dns-class" in the command reference, but I can't find anywhere that these values are documented. I think one or more of these could be used to identify the dynamic update messages, but I can't find anything that really describes the differences, or documents the well-know values.

Labels:
0 Helpful
2 Replies 2

Collin Clark
VIP Alumni
VIP Alumni

‎07-29-2009 06:06 AM

Most dynamic DNS updates don't use DNS (UDP/TCP 53) as the transfer protocol. Here's an example from NO-IP.

What port does the dynamic update client use?

The No-IP supported update clients communicate to our update server via TCP port 8245. If you are using a firewall you need to configure it to allow this port.

Hope it helps.

0 Helpful

lowen
Level 1
Level 1
In response to Collin Clark

‎07-29-2009 09:34 AM

Well, I guess there's some confusion over terminology here, but that's not what I'm asking about. I don't care about the client-based commercial services. I'm wanting to block incoming standards-based (rfc 2136) dynamic updates to my dns servers. A little scanning of the rfc tells me that dynamic updates use an opcode of 5 in the dns packet header. What I'm trying to figure out is how to create a class-map that will recognize that value, and then drop the packet when recognized.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card