firewall checks

Hi all, can anyone tell me whether, when using ASA firewalls, they verify the reverse address using DNS when connections sourced from outside are being made? I have seen this on other firewall vendors; is this standard firewall practice?

cheers

5 REPLIES

Re: firewall checks

Hi Carl,

There are firewalls that have this feature of Reverse DNS Lookup to find out where the IP address comes from. Usually this is beneficial in the logging.

However, this can cause performance problems. If the Reverse DNS Lookup does not resolve, then performance is degraded as the request times out, because the firewall has to wait for the reply, especially if this is recursive querying.

If the firewall is hosting a popular website, the amount of load to perform Reverse DNS Lookup for all the IP addresses that hit the firewall may be too much for the firewall to process.

Regards,

Dandy
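The performance point above (an unresolvable address stalling the firewall while the lookup times out) is easier to see in a log-enrichment script than in prose. This is an added example, not code from this thread or from Cisco: it does the PTR lookup with a bounded timeout and a negative cache so one dead reverse zone cannot hold up the rest of the log stream. The log line format, the addresses and the fake resolver are all constructed for the demo.

```python
import re, socket, time
from concurrent.futures import ThreadPoolExecutor, TimeoutError as LookupTimeout
SRC_RE = re.compile(r"\bsrc=(\d+\.\d+\.\d+\.\d+)")

class ReverseDnsEnricher:
    # Adds a PTR name to 'src=<ip>' log lines; a bounded timeout plus a negative cache keep
    # one unresolvable address from stalling the stream. Default lookup is the OS resolver (network).
    def __init__(self, lookup=lambda ip: socket.gethostbyaddr(ip)[0], timeout=0.3):
        self.lookup, self.timeout = lookup, timeout
        self.pool = ThreadPoolExecutor(max_workers=4)
        self.cache = {}  # ip -> hostname, or None for a remembered failure
        self.stats = {"cached": 0, "resolved": 0, "timeouts": 0, "failures": 0}

    def resolve(self, ip):
        if ip in self.cache:
            self.stats["cached"] += 1
            return self.cache[ip]
        name = None
        try:
            name = self.pool.submit(self.lookup, ip).result(timeout=self.timeout)
            self.stats["resolved"] += 1
        except LookupTimeout:  # slow or silent reverse zone: give up and remember it
            self.stats["timeouts"] += 1
        except (socket.herror, socket.gaierror, OSError):  # NXDOMAIN and similar
            self.stats["failures"] += 1
        self.cache[ip] = name
        return name

    def enrich(self, line):
        m = SRC_RE.search(line)
        return line if not m else line + " srcname=" + (self.resolve(m.group(1)) or "unresolved")

def fake_ptr_lookup(ip):
    # Constructed stand-in for the resolver: one address answers, one hangs, one is NXDOMAIN.
    if ip == "203.0.113.10":
        return "mail.example.net"
    if ip == "198.51.100.7":
        time.sleep(2.0)  # simulates a reverse zone that never answers
        return "late-answer"
    raise socket.herror(1, "Unknown host")
SAMPLE_LOGS = [  # constructed sample lines, not real ASA output
    "conn inbound src=203.0.113.10 dst=192.0.2.5 dport=80",
    "conn inbound src=198.51.100.7 dst=192.0.2.5 dport=80",
    "conn inbound src=198.51.100.7 dst=192.0.2.5 dport=443",
    "conn inbound src=192.0.2.99 dst=192.0.2.5 dport=22",
]
def demo():
    enricher = ReverseDnsEnricher(lookup=fake_ptr_lookup)
    return [enricher.enrich(line) for line in SAMPLE_LOGS], enricher.stats
```

Without the timeout the second line would block for the full two seconds, and without the cache the third line would block again for the same address; the stats dictionary shows each case being handled once.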


Re: firewall checks

Is this enabled by default on ASA? And if not, how do we enable it?

Re: firewall checks

Hi Carl,

AFAIK, although a properly configured PIX and ASA permits Domain Name System (DNS) traffic through to allow for inside and outside devices to do DNS, the PIX and ASA itself does not resolve names.

The DNS Client in PIX and ASA is for VPN/WebVPN use. DDNS is for DHCP hosts.

Regards,

Dandy


Re: firewall checks

"If the firewall is hosting a popular website, the amount of load to perform Reverse DNS Lookup for all the IP addresses that hit the firewall may be too much for the firewall to process."

That's true, but if your firewall is running on dual quad-core processors with clustering technologies such as ClusterXL, then this is not an issue at all.

"the PIX and ASA itself does not resolve names."

This issue will come up time and time again, especially for customers who want to migrate from other firewall vendors such as Check Point to Cisco, only to find out that Cisco does not support DNS domains in the rulebase. For example, this cannot be done with ASA:

Source       Destination   Service   Action   Track
.test.com    1.1.1.1       http      Accept   log


Re: firewall checks

Can you use the ASA as a DNS proxy to forward domain requests on?
