Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
363
Views
0
Helpful
1
Replies

DNS Inspection Denial of Service Vulnerability check

Go to solution
mahesh18
Level 6
Level 6

‎11-08-2013 09:38 AM - edited ‎03-11-2019 08:02 PM

Hi Everyone,

I am checking this cisco link ---http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20131009-asa for

DNS Inspection Denial of Service Vulnerability

Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.

To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the

show running-config access-list <acl_name>

command where

acl_name

is the name of the access-list used in the

class-map

to which the DNS inspection is applied.

This can be found by using the

show running-config class-map

and

show running-config policy-map

commands.

The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP. 

ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit tcp any any
[...]
OR
ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit ip any any
[...]
ciscoasa# show running-config class-map
!
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT
[...]
ciscoasa# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  [...]
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
!

Note: Cisco ASA Software will not inspect DNS packets over TCP by default.

show running-config policy-map

DNS Inspection Denial of Service Vulnerability

Cisco ASA Software is affected by this vulnerability if the DNS Application Layer Protocol Inspection (ALPI) engine is configured to inspect DNS packets over TCP.

To verify if the DNS ALPI engine is inspecting DNS packets over TCP, use the show running-config access-list <acl_name>

command where acl_name

is the name of the access-list used in the class-map

to which the DNS inspection is applied.

This can be found by using the show running-config class-map

and show running-config policy-map

commands.

The following example shows Cisco ASA Software with the DNS ALPI engine configured to inspect DNS packets over TCP. 

ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit tcp any any
[...]
OR
ciscoasa# show running-config access-list
[...]
access-list DNS_INSPECT_ACL extended permit ip any any
[...]
ciscoasa# show running-config class-map
!
class-map DNS_INSPECT_CP
 match access-list DNS_INSPECT
[...]
ciscoasa# show running-config policy-map
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect ftp
  inspect h323 h225
  [...]
 class DNS_INSPECT_CP
  inspect dns preset_dns_map
!

Note: Cisco ASA Software will not inspect DNS packets over TCP by default.

I check my asa and ran the command

show running-config policy-map

policy-map global_policy

class inspection_default

  inspect rsh

  inspect rtsp

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect dns

  inspect http

  inspect ftp

policy-map type inspect dns migrated_dns_map_1

parameters

  message-length maximum 512

policy-map map

class inspection_default

Does this confirm that this asa is vulnerabile?

Regards

Mahesh

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎11-08-2013 10:23 AM

Hi,

The post says this

Cisco ASA Software is affected by this vulnerability if the DNS  Application Layer Protocol Inspection (ALPI) engine is configured to  inspect DNS packets over TCP.

So it says that if the ASA is configured to inspect DNS over TCP then its vulnerable.

It also says

Note:
Cisco ASA Software will not inspect DNS packets over TCP by default.

And it seems you have not made any special configurations related to DNS inspection therefore your ASA should not be inspecting DNS that is using TCP therefore it should not be vulnerable. Atleast that is how it seems to me.

- Jouni

View solution in original post

0 Helpful
1 Reply 1

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎11-08-2013 10:23 AM

Hi,

The post says this

Cisco ASA Software is affected by this vulnerability if the DNS  Application Layer Protocol Inspection (ALPI) engine is configured to  inspect DNS packets over TCP.

So it says that if the ASA is configured to inspect DNS over TCP then its vulnerable.

It also says

Note:
Cisco ASA Software will not inspect DNS packets over TCP by default.

And it seems you have not made any special configurations related to DNS inspection therefore your ASA should not be inspecting DNS that is using TCP therefore it should not be vulnerable. Atleast that is how it seems to me.

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card