Is it possible to identify dynamic DNS update packets using a class-map (and thus write a policy to drop them)? I see "match header-flag", "match dns-type", and "match dns-class" in the command reference, but I can't find anywhere that these values are documented. I think one or more of these could be used to identify the dynamic update messages, but I can't find anything that really describes the differences, or documents the well-known values.
Well, I guess there's some confusion over terminology here, but that's not what I'm asking about. I don't care about the client-based commercial services. I'm wanting to block incoming standards-based (rfc 2136) dynamic updates to my dns servers. A little scanning of the rfc tells me that dynamic updates use an opcode of 5 in the dns packet header. What I'm trying to figure out is how to create a class-map that will recognize that value, and then drop the packet when recognized.
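Checking the opcode field the follow-up describes, as an added example that is not from this thread and not Cisco class-map syntax: the parser below decodes the 12-byte DNS header and flags a packet as an incoming RFC 2136 UPDATE request when the opcode is 5 and the QR bit is 0. The function names and the sample packets are constructed for illustration.

```python
import struct

# DNS header opcodes: 0 = QUERY (RFC 1035), 5 = UPDATE (RFC 2136)
OPCODE_QUERY = 0
OPCODE_UPDATE = 5


def parse_dns_header(packet: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into its fields."""
    if len(packet) < 12:
        raise ValueError("packet too short for a DNS header")
    ident, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": ident,
        "qr": (flags >> 15) & 0x1,      # 0 = request, 1 = response
        "opcode": (flags >> 11) & 0xF,  # 4-bit opcode field
        "rcode": flags & 0xF,
        # For UPDATE these are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT;
        # for QUERY they are QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
        "counts": (c1, c2, c3, c4),
    }


def is_dynamic_update_request(packet: bytes) -> bool:
    """True for an inbound RFC 2136 UPDATE request (opcode 5, QR=0).

    Responses (QR=1) are excluded so that replies from your own
    servers to legitimate updaters are not matched by mistake.
    """
    hdr = parse_dns_header(packet)
    return hdr["qr"] == 0 and hdr["opcode"] == OPCODE_UPDATE


def build_header(ident: int, qr: int, opcode: int,
                 counts=(1, 0, 0, 0)) -> bytes:
    """Constructed sample header (no sections follow) for testing."""
    flags = (qr << 15) | (opcode << 11)
    return struct.pack("!HHHHHH", ident, flags, *counts)


# Constructed sample packets: a normal query, an UPDATE request,
# and the response to that UPDATE.
QUERY_PKT = build_header(0x1234, 0, OPCODE_QUERY)
UPDATE_PKT = build_header(0x5678, 0, OPCODE_UPDATE)
UPDATE_RESPONSE_PKT = build_header(0x5678, 1, OPCODE_UPDATE)
```

Whatever matching the class-map supports, it has to isolate the same 4-bit opcode field in the second 16-bit word of the header; the QR bit decides whether a match covers requests only or responses as well.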