Cisco Support Community
New Member

DNS reply filtering

Hi,

I am trying to make DNS filtering work, as URL filtering cannot permit HTTPS traffic.

The config is as below. The thing is that it currently blocks every URL instead of just the test one, gmail.com, as per the regex.

It looks simple on paper but I cannot make it work :(

regex test "gmail\.com"

access-list http-user-vlan414-acl extended permit object-group http-inspect-ports 10.4.14.0 255.255.255.0 any

class-map type regex match-any DomainBlockList
 description blocked domains
 match regex test
!
class-map http-user-vlan414-class
 match access-list http-user-vlan414-acl
!
policy-map type inspect dns vlan414-policy
 parameters
  message-length maximum 512
 match domain-name regex class DomainBlockList
  drop-connection log
!
policy-map http-main-policy-vlan414
 class http-user-vlan414-class
  inspect dns vlan414-policy

service-policy http-main-policy-vlan414 interface vlan414

7 REPLIES
New Member

DNS reply filtering

DNS server sits on the other side of the firewall:

client -> firewall -> DNS server

New Member

DNS reply filtering

If I rework it into:

policy-map http-main-policy-vlan414
 class inspection_default
  inspect dns vlan414-policy

(I have replaced the class with the default class) then it somehow starts to work, though still not perfectly.

So I am not sure why it doesn't like the class with the ACL; maybe it is somehow related to the inspect dns that you have under the default class.

New Member

DNS reply filtering

I have sorted it myself; it seems the documentation is a bit misleading.

DNS reply filtering

Hello Arunas,

I was about to ask for some outputs

Glad to know you have it up and running. Can you share the solution and mark the question as answered so future users can learn from your experience?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

DNS reply filtering

Working example:

regex domainlist "example\.com"

class-map type regex match-any vlan414-url-whitelist
 description allowed domains
 match regex domainlist

policy-map type inspect dns vlan414-policy
 parameters
  message-length maximum 512
 match not domain-name regex class vlan414-url-whitelist
  drop-connection log

policy-map http-main-policy-vlan414
 class inspection_default
  inspect dns vlan414-policy

service-policy http-main-policy-vlan414 interface vlan414
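A small Python model of the allow-list policy in the working example above, added here as an illustration; it is neither Cisco code nor the poster's configuration. It assumes that a "match regex" pattern is evaluated as an unanchored search (as the ASA regex engine does), that "match not domain-name regex class" drops every query whose name matches none of the class's patterns, and that "message-length maximum 512" drops longer messages; the DNS packets and domain names are constructed test input. It also shows why an unanchored pattern such as example\.com admits more names than intended and how an anchored pattern narrows the allow-list.

```python
"""Model of an ASA 'policy-map type inspect dns' allow-list (added example, not Cisco code)."""
import re
import struct

MAX_MESSAGE_LENGTH = 512  # 'parameters / message-length maximum 512' from the thread


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS standard query for QNAME (constructed test input)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_qname(packet: bytes) -> str:
    """Extract the first question name; question names are never compressed."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount == 0:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question section")
        length = packet[pos]
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        pos += 1
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


class RegexClassMap:
    """'class-map type regex match-any NAME' with one 'match regex' per pattern."""

    def __init__(self, name: str, patterns):
        self.name = name
        self.patterns = [re.compile(p) for p in patterns]

    def matches(self, domain: str) -> bool:
        # ASSUMPTION: unanchored search, matching the ASA regex engine's behaviour.
        return any(p.search(domain) for p in self.patterns)


def inspect_dns(packet: bytes, allow_list: RegexClassMap,
                max_len: int = MAX_MESSAGE_LENGTH) -> str:
    """Action for one query under:
         parameters / message-length maximum <max_len>
         match not domain-name regex class <allow_list> / drop-connection log
    """
    if len(packet) > max_len:
        return "drop (message-length)"
    name = parse_qname(packet)
    if not allow_list.matches(name):
        return "drop-connection"
    return "pass"


def evaluate(patterns, names):
    """Run each constructed query name through the policy; returns name -> action."""
    allow = RegexClassMap("vlan414-url-whitelist", patterns)
    return {n: inspect_dns(build_dns_query(n), allow) for n in names}


if __name__ == "__main__":
    names = ["example.com", "www.example.com", "gmail.com",
             "notexample.com", "example.com.test"]
    # The thread's pattern: unanchored, so 'notexample.com' is also allowed.
    print("thread's regex :", evaluate([r"example\.com"], names))
    # Anchored pattern: only example.com and its subdomains pass.
    print("anchored regex :", evaluate([r"^([^.]+\.)*example\.com$"], names))
```

The anchored form `^([^.]+\.)*example\.com$` is the hardening a reviewer would ask for when a regex class-map is used as an allow-list: without anchors the policy passes any name that merely contains the string.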

New Member

DNS reply filtering

Though what I cannot make work is using an ACL to define which machines are allowed to open URLs.

I have tried the following:

class-map http-user-vlan414-class
 match any

(I have played with both "any" and the ACL, still no luck.)

policy-map http-main-policy-vlan414
 class http-user-vlan414-class
  inspect dns vlan414-policy

So here I am basically substituting class inspection_default with http-user-vlan414-class.

So if I apply a different class under the policy-map, my traffic stops immediately.

Any help welcome :)

DNS reply filtering

Hello Arunas,

So if you set:

class-map http-user-vlan414-class
 match any

policy-map http-main-policy-vlan414
 class http-user-vlan414-class
  inspect dns vlan414-policy

Okay, but have you applied it to a service-policy?

What do you mean by "traffic drops"?

Check my blog at http:laguiadelnetworking.com for further information.

Cheers,

Julio Carvajal Segura
