ASA DNS inspection

Unanswered Question
Jul 29th, 2009

Is it possible to identify dynamic DNS update packets using a class-map (and thus write a policy to drop them)? I see "match header-flag", "match dns-type", and "match dns-class" in the command reference, but I can't find anywhere that these values are documented. I think one or more of these could be used to identify the dynamic update messages, but I can't find anything that really describes the differences, or documents the well-known values.

Collin Clark Wed, 07/29/2009 - 06:06

Most dynamic DNS updates don't use DNS (UDP/TCP 53) as the transfer protocol. Here's an example from NO-IP.

What port does the dynamic update client use?

The No-IP supported update clients communicate to our update server via TCP port 8245. If you are using a firewall you need to configure it to allow this port.

Hope it helps.

lowen Wed, 07/29/2009 - 09:34

Well, I guess there's some confusion over terminology here, but that's not what I'm asking about. I don't care about the client-based commercial services. I'm wanting to block incoming standards-based (RFC 2136) dynamic updates to my DNS servers. A little scanning of the RFC tells me that dynamic updates use an opcode of 5 in the DNS packet header. What I'm trying to figure out is how to create a class-map that will recognize that value, and then drop the packet when recognized.
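As an added example (not part of the thread, and not ASA configuration), this Python snippet applies lowen's observation on the wire: it decodes the 12-byte DNS header and flags a message as an RFC 2136 UPDATE request when QR=0 and the opcode field is 5. The function names and the two sample messages are constructed here for illustration.

```python
import struct

# DNS header opcodes (RFC 1035 section 4.1.1; RFC 2136 assigns UPDATE = 5).
OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}

def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (UDP payload, or TCP after the 2-byte length)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    msg_id, flags, c1, c2, c3, c4 = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF          # opcode occupies bits 11-14 of the flags word
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,           # 0 = request, 1 = response
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, "RESERVED"),
        "rcode": flags & 0xF,
        "counts": (c1, c2, c3, c4),        # RFC 2136 renames these ZO/PR/UP/AD for UPDATE
    }

def is_dynamic_update(payload: bytes) -> bool:
    """True for an RFC 2136 UPDATE request: a request (QR=0) carrying opcode 5."""
    hdr = parse_dns_header(payload)
    return hdr["qr"] == 0 and hdr["opcode"] == 5

def _encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def _build_message(opcode: int, qname: str, qtype: int, rd: bool = False) -> bytes:
    """Constructed sample: header with the given opcode and one entry in the first section."""
    flags = (opcode << 11) | (0x0100 if rd else 0)
    header = struct.pack("!6H", 0x1234, flags, 1, 0, 0, 0)
    return header + _encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN

# Constructed samples: a normal recursive A query, and an UPDATE whose zone section names example.com SOA.
SAMPLES = {
    "query": _build_message(0, "www.example.com", 1, rd=True),
    "update": _build_message(5, "example.com", 6),
}

def classify(samples: dict) -> dict:
    """Map each sample name to whether it would be dropped as a dynamic update."""
    return {name: is_dynamic_update(p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        hdr = parse_dns_header(payload)
        print(f"{name}: opcode={hdr['opcode']} ({hdr['opcode_name']}) dynamic_update={is_dynamic_update(payload)}")
```

The same QR=0/opcode=5 test is what a policy in front of the DNS servers needs to express; UPDATE responses (QR=1) from the servers themselves are deliberately left alone.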

