Cisco Support Community

New Member

ASA DNS inspection

Is it possible to identify dynamic dns update packets using a class-map (and thus write a policy to drop them)? I see "match header-flag", "match dns-type", and "match dns-class" in the command reference, but I can't find anywhere that these values are documented. I think one or more of these could be used to identify the dynamic update messages, but I can't find anything that really describes the differences, or documents the well-known values.


Re: ASA DNS inspection

Most dynamic DNS updates don't use DNS (UDP/TCP 53) as the transfer protocol. Here's an example from NO-IP.

What port does the dynamic update client use?

The No-IP supported update clients communicate to our update server via TCP port 8245. If you are using a firewall you need to configure it to allow this port.

Hope it helps.

New Member

Re: ASA DNS inspection

Well, I guess there's some confusion over terminology here, but that's not what I'm asking about. I don't care about the client-based commercial services. I'm wanting to block incoming standards-based (rfc 2136) dynamic updates to my dns servers. A little scanning of the rfc tells me that dynamic updates use an opcode of 5 in the dns packet header. What I'm trying to figure out is how to create a class-map that will recognize that value, and then drop the packet when recognized.
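The distinguishing value named in the post above is the DNS header opcode: RFC 2136 UPDATE messages carry opcode 5, while ordinary queries carry opcode 0. The following parser is an added example, not code from this thread and not Cisco ASA configuration; it decodes the 12-byte DNS header (RFC 1035 section 4.1.1), extracts the opcode, and flags UPDATE requests, so you can confirm from a packet capture what a class-map would need to match before writing the drop policy. The sample messages are constructed here and consist of headers only.

```python
"""Classify DNS messages by header opcode (RFC 1035 section 4.1.1, RFC 2136).

Second 16-bit word of the header, most significant bit first:
  QR(1) | Opcode(4) | AA(1) | TC(1) | RD(1) | RA(1) | Z(3) | RCODE(4)
Opcode 5 (UPDATE) is what the dynamic-update drop policy needs to recognise.
"""
import struct

OPCODE_NAMES = {0: "QUERY", 1: "IQUERY", 2: "STATUS", 4: "NOTIFY", 5: "UPDATE"}
OPCODE_UPDATE = 5
HEADER_LEN = 12


def parse_dns_header(data: bytes) -> dict:
    """Decode the fixed DNS header; raises ValueError on a truncated message."""
    if len(data) < HEADER_LEN:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", data[:HEADER_LEN])
    opcode = (flags >> 11) & 0xF
    hdr = {
        "id": msg_id,
        "qr": (flags >> 15) & 1,
        "opcode": opcode,
        "opcode_name": OPCODE_NAMES.get(opcode, f"RESERVED({opcode})"),
        "aa": (flags >> 10) & 1,
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
    }
    # RFC 2136 reuses the four count fields under different names for UPDATE.
    if opcode == OPCODE_UPDATE:
        hdr.update(zocount=c1, prcount=c2, upcount=c3, adcount=c4)
    else:
        hdr.update(qdcount=c1, ancount=c2, nscount=c3, arcount=c4)
    return hdr


def is_dynamic_update(data: bytes) -> bool:
    """True for an RFC 2136 UPDATE request: QR=0 (request) and opcode=5."""
    hdr = parse_dns_header(data)
    return hdr["qr"] == 0 and hdr["opcode"] == OPCODE_UPDATE


def build_header(msg_id: int, qr: int, opcode: int, rd: int = 0,
                 counts=(0, 0, 0, 0)) -> bytes:
    """Build a 12-byte DNS header for the constructed samples below."""
    flags = (qr << 15) | (opcode << 11) | (rd << 8)
    return struct.pack("!HHHHHH", msg_id, flags, *counts)


# Constructed sample messages (headers only, no question or zone section).
SAMPLE_QUERY = build_header(0x1234, qr=0, opcode=0, rd=1, counts=(1, 0, 0, 0))
SAMPLE_UPDATE = build_header(0xBEEF, qr=0, opcode=5, counts=(1, 0, 2, 0))
SAMPLE_UPDATE_RESPONSE = build_header(0xBEEF, qr=1, opcode=5)


def classify(messages):
    """Return (opcode name, is-update-request) for each raw DNS message."""
    return [(parse_dns_header(m)["opcode_name"], is_dynamic_update(m))
            for m in messages]


if __name__ == "__main__":
    for label, m in [("query", SAMPLE_QUERY), ("update", SAMPLE_UPDATE),
                     ("update-response", SAMPLE_UPDATE_RESPONSE)]:
        print(label, parse_dns_header(m)["opcode_name"], is_dynamic_update(m))
```

Feed it the UDP payload of port 53 traffic taken from a capture; for DNS over TCP, strip the two-byte length prefix that precedes each message (RFC 1035 section 4.2.2) before parsing. Because the opcode lives entirely in the header, the first 12 bytes are enough to make the decision, which is also why matching on the header rather than on record types is the right place to catch UPDATE messages.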