Cisco Support Community
DNS Inspection Denial of Service Vulnerability check

Hi Everyone,

I am checking this Cisco link, http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa, for:

DNS Inspection Denial of Service Vulnerability

Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.

To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the show running-config access-list <acl_name> command, where acl_name is the name of the access-list used in the class-map to which the DNS inspection is applied. This can be found by using the show running-config class-map and show running-config policy-map commands.

The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP.

ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit tcp any any
[...] 
OR
ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit ip any any
[...]
ciscoasa# show running-config class-map
!
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT
[...]
ciscoasa# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  [...]
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
!

Note: Cisco ASA Software will not inspect DNS packets over TCP by default.


I checked my ASA and ran the command show running-config policy-map:

policy-map global_policy
 class inspection_default
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect dns
  inspect http
  inspect ftp
policy-map type inspect dns migrated_dns_map_1
 parameters
  message-length maximum 512
policy-map map
 class inspection_default

Does this confirm that this ASA is vulnerable?

Regards

Mahesh

Accepted Solutions

Re: DNS Inspection Denial of Service Vulnerability check

Hi,

The post says this:

Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.

So it says that if the ASA is configured to inspect DNS over TCP then it's vulnerable.

It also says:

Note: Cisco ASA Software will not inspect DNS packets over TCP by default.

And it seems you have not made any special configurations related to DNS inspection, therefore your ASA should not be inspecting DNS that is using TCP, therefore it should not be vulnerable. At least that is how it seems to me.

- Jouni
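An added check, not part of the thread or of the Cisco advisory, that applies the advisory's manual procedure (quoted in the question) to pasted show running-config output and reaches the same kind of conclusion Jouni draws above. It walks policy-map, then each class carrying inspect dns, then that class-map's match clause and, where the clause is match access-list, the ACL's permitted protocols. A class is reported as inspecting DNS over TCP when its ACL permits tcp or ip (or the class-map uses match port tcp); match default-inspection-traffic, which covers DNS on UDP/53 only, is reported as the default case that the advisory says is not affected; object-groups and unknown protocol tokens are flagged for manual review rather than guessed. One step goes beyond the advisory: a policy-map is only enforced if a service-policy line references it, so the result also records whether one does. Both embedded configurations are constructed: the first is the advisory's affected example written with one consistent ACL name, the second mirrors the policy-map Mahesh posted with the ASA default class-map inspection_default and a global service-policy assumed, since neither appeared in his paste.

```python
"""Apply the advisory's DNS-over-TCP inspection check to pasted ASA running-config text.
Added example: policy-map -> "class X" with "inspect dns" -> class-map X -> match clause / ACL."""
from dataclasses import dataclass
from typing import List, Optional

TCP_CAPABLE = {"tcp", "ip", "6"}  # ACL protocol tokens that let TCP reach the DNS inspector
NON_TCP = {"udp", "17", "icmp", "1", "gre", "47", "esp", "50"}  # tokens known to carry no TCP
# Any other token (object-group, object, unusual protocol numbers) is flagged for manual review.


@dataclass
class Finding:
    policy_map: str
    class_map: str
    applied: bool                  # some "service-policy" line references this policy-map
    tcp_inspected: Optional[bool]  # True / False, or None when it needs manual review
    reason: str


def parse_config(text: str):
    acl_protos = {}      # ACL name -> set of permitted protocol tokens
    class_matches = {}   # Layer 3/4 class-map name -> list of match clauses
    dns_classes = []     # (policy-map, class) pairs that carry "inspect dns"
    applied = set()      # policy-map names referenced by "service-policy"
    cur_cm = cur_pm = cur_class = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            continue
        kw = tok[0]
        if kw == "access-list" and "extended" in tok:  # access-list NAME extended permit PROTO ...
            i = tok.index("extended")
            protos = acl_protos.setdefault(tok[1], set())
            if len(tok) > i + 2 and tok[i + 1] == "permit":
                protos.add(tok[i + 2])
        elif kw == "class-map":
            cur_pm = cur_class = None
            cur_cm = tok[1] if len(tok) == 2 else None  # skip "class-map type inspect ..."
            if cur_cm:
                class_matches.setdefault(cur_cm, [])
        elif kw == "policy-map":
            cur_cm = cur_class = None
            cur_pm = tok[1] if len(tok) == 2 else None  # skip "policy-map type inspect dns ..."
        elif kw == "service-policy" and len(tok) > 1:
            applied.add(tok[1])
        elif kw == "match" and cur_cm and len(tok) > 1:
            class_matches[cur_cm].append(tok[1:])
        elif kw == "class" and cur_pm and len(tok) > 1:
            cur_class = tok[1]
        elif kw == "inspect" and cur_pm and cur_class and tok[1:2] == ["dns"]:
            dns_classes.append((cur_pm, cur_class))
    return acl_protos, class_matches, dns_classes, applied


def check_dns_inspection(text: str) -> List[Finding]:
    acl_protos, class_matches, dns_classes, applied = parse_config(text)
    findings = []
    for pm, cm in dns_classes:
        tcp_seen = unknown_seen = False
        notes = []
        for m in class_matches.get(cm, []):
            if m[0] == "default-inspection-traffic":  # ASA default: DNS on UDP/53 only
                notes.append("default-inspection-traffic (DNS over UDP/53 only)")
            elif m[0] == "port" and len(m) > 1:        # e.g. "match port tcp eq domain"
                tcp_seen |= m[1] == "tcp"
                notes.append("match port " + " ".join(m[1:]))
            elif m[0] == "access-list" and len(m) > 1:
                protos = acl_protos.get(m[1], {"<missing ACL>"})  # missing ACL -> review
                tcp_seen |= bool(protos & TCP_CAPABLE)
                unknown_seen |= bool(protos - TCP_CAPABLE - NON_TCP)
                notes.append(f"ACL {m[1]} permits {sorted(protos)}")
            else:
                unknown_seen = True
                notes.append("unhandled match " + " ".join(m))
        if not notes:  # class-map absent or without a match clause
            unknown_seen, notes = True, [f"class-map {cm} has no usable match clause"]
        verdict = True if tcp_seen else (None if unknown_seen else False)
        findings.append(Finding(pm, cm, pm in applied, verdict, "; ".join(notes)))
    return findings


# Constructed sample: the advisory's affected shape, written with one consistent ACL name.
AFFECTED_CONFIG = """
access-list DNS_INSPECT_ACL extended permit tcp any any
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT_ACL
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
service-policy global_policy global
"""
# Constructed sample: the policy-map Mahesh posted, plus the ASA default class-map
# inspection_default and a global service-policy (both assumed; neither was in his paste).
DEFAULT_CONFIG = """
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect dns
service-policy global_policy global
"""

if __name__ == "__main__":
    for cfg in (AFFECTED_CONFIG, DEFAULT_CONFIG):
        print(*check_dns_inspection(cfg), sep="\n")
```

Run it against the concatenated output of show running-config access-list, class-map, policy-map and service-policy; a Finding with tcp_inspected=True and applied=True is the configuration the advisory describes as affected, tcp_inspected=False on the default inspection_default class is the "not by default" case, and None means the ACL uses object-groups or another construct that has to be read by hand.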
