Domain Name Inspection

To understand the DNS attack protection provided by Cisco Security Appliance, it helps to
understand how DNS can be exploited to cause a DoS attack. DNS queries are sent from the
attacker to each of the DNS servers. These queries contain the target’s spoofed address. The
DNS servers respond to the small query with a large response. These responses are routed to
the target, causing link congestion and possible denial of Internet connectivity.
The port assignment for DNS cannot be configured on the Cisco Security Appliance. DNS
requires application inspection so that DNS queries will not be subject to generic UDP
handling based on activity timeouts. The Security Appliance allows only a single DNS
response for outgoing DNS requests. Additionally, if an inside host queries multiple
independent name servers, the Security Appliance will only allow one response to return to the
inside host. The UDP connections associated with DNS queries and responses are torn down
as soon as a reply to a DNS query is received, dropping all other responses and averting a
DoS attack. This functionality is called DNS inspection. DNS inspection is enabled by
default.
DNS inspection performs two tasks:
■ It monitors the message exchange to ensure that the ID of the DNS reply matches the ID
of the DNS query.
■ It translates the DNS A record on behalf of the alias command.
606 Chapter 19: IPS and Advanced Protocol Handling
Only forward lookups are translated using NAT, so pointer (PTR) records are not touched.
DNS zone transfers can also trigger built-in intrusion detection signatures on the Security
Appliance.
Cisco Security Appliances fully support NAT and PAT of DNS messages originating from
either inside (more-secure) or outside (less-secure) interfaces. This means that if a client on
an inside network requests DNS resolution of an inside address from a DNS server on an
outside interface, the DNS A record is translated correctly. This also means that the use of
the alias command is now unnecessary.
To enable DNS inspection, use the inspect dns command within a class-map. This command
is on by default in the inspection_default class-map:
inspect dns [maximum-length max_pkt_length]
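The two DNS inspection behaviours described above (reply ID must match an outstanding query; the first matching reply tears the UDP pseudo-connection down so every later reply is dropped) can be modelled in a few lines. The following is an added illustration written for this page, not Cisco code and not a description of the appliance's internal data structures; the packets, addresses and the 512-byte default are constructed for the example, and the inspector keys its state on the client address, client port and DNS transaction ID.

```python
"""Toy DNS-inspection state table (added example, not Cisco code).

Models the behaviour the text describes:
  1. a DNS reply is forwarded only if its transaction ID (and the server it
     comes from) matches a query the inside client actually sent;
  2. the first matching reply closes the entry, so additional replies for the
     same query (from the same or other servers) are dropped;
  3. messages larger than maximum-length are dropped.
All packets below are constructed for the example, not captured traffic.
"""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes  # raw DNS message


def dns_id_and_qr(payload: bytes):
    """Return (transaction id, is_response) from the 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    tid, flags = struct.unpack("!HH", payload[:4])
    return tid, bool(flags & 0x8000)  # QR bit set means response


def build_dns(tid: int, response: bool, size: int = 12) -> bytes:
    """Construct a minimal DNS header, padded to `size` bytes (sample data)."""
    flags = 0x8180 if response else 0x0100
    hdr = struct.pack("!HHHHHH", tid, flags, 1, 1 if response else 0, 0, 0)
    return hdr + b"\x00" * max(0, size - len(hdr))


class DnsInspector:
    def __init__(self, max_len: int = 512):
        self.max_len = max_len
        # (client_ip, client_port, dns_id) -> set of servers that were queried
        self.pending = {}
        self.log = []

    def handle(self, pkt: Packet) -> bool:
        """Return True if the packet is forwarded, False if it is dropped."""
        if len(pkt.payload) > self.max_len:
            self.log.append(f"drop: {len(pkt.payload)} bytes > maximum-length {self.max_len}")
            return False
        tid, is_resp = dns_id_and_qr(pkt.payload)
        if not is_resp:
            # outbound query: remember which server was asked under this ID
            self.pending.setdefault((pkt.src, pkt.sport, tid), set()).add(pkt.dst)
            return True
        key = (pkt.dst, pkt.dport, tid)
        servers = self.pending.get(key)
        if servers is None or pkt.src not in servers:
            self.log.append(f"drop reply id={tid:#06x} from {pkt.src}: no matching query")
            return False
        # first matching reply: tear the entry down so later replies are dropped
        del self.pending[key]
        return True


def demo():
    """Constructed session: one client asks two servers with the same ID."""
    insp = DnsInspector(max_len=512)
    client_ip, client_port = "10.1.1.5", 40000
    servers = ["198.51.100.1", "198.51.100.2"]
    for s in servers:
        insp.handle(Packet(client_ip, s, client_port, 53, build_dns(0x1234, False)))
    r1 = insp.handle(Packet(servers[0], client_ip, 53, client_port, build_dns(0x1234, True)))
    r2 = insp.handle(Packet(servers[1], client_ip, 53, client_port, build_dns(0x1234, True)))
    r3 = insp.handle(Packet("203.0.113.9", client_ip, 53, client_port, build_dns(0xBEEF, True)))
    r4 = insp.handle(Packet(servers[0], client_ip, 53, client_port, build_dns(0x1234, True, size=600)))
    return r1, r2, r3, r4  # (True, False, False, False)


if __name__ == "__main__":
    print(demo())
```

Only the first reply is returned to the inside host; the second server's reply, an unsolicited reply with an unknown ID, and an oversize reply are all dropped, which is the behaviour that defeats the reflected-response flood described at the start of the section.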
Mail Inspection
An SMTP or ESMTP server responds to client requests with numeric reply codes and
optional human-readable strings. SMTP application inspection controls and reduces the
commands that the user can use, as well as the messages the server returns. SMTP inspection
performs three primary tasks:
■ It restricts SMTP requests to seven commands: HELO, MAIL, RCPT, DATA, RSET,
NOOP, and QUIT.
■ It restricts SMTP requests to eight extended SMTP commands: AUTH, DATA, EHLO,
ETRN, SAML, SEND, SOML, and VRFY.
■ It monitors the SMTP command-response sequence.
■ It generates an audit trail (audit record 108002) when an invalid character embedded in
the mail address is replaced. For more information, see RFC 821.
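To make the command-restriction and audit behaviour concrete, here is an added example written for this page (not Cisco code and not the appliance's implementation). It passes only the seven SMTP and eight ESMTP verbs listed above, lets the message body after DATA through untouched until the terminating ".", and records an audit event for mail addresses containing characters outside a conservative RFC 821 atom character set. The session lines are constructed, and the character check is a simplification of RFC 821 chosen for the example.

```python
"""Toy SMTP command inspector (added example, not Cisco code).

- forwards only the SMTP / ESMTP commands the text lists;
- treats everything between DATA and the lone "." as message body, so a
  word such as VRFY inside the body is not mistaken for a command;
- records an audit event, in the spirit of record 108002, when a mail
  address in MAIL FROM / RCPT TO contains a character outside a simplified
  RFC 821 atom character set (the set below is a conservative simplification).
"""
import re
import string

ALLOWED_SMTP = {"HELO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}
ALLOWED_ESMTP = {"AUTH", "DATA", "EHLO", "ETRN", "SAML", "SEND", "SOML", "VRFY"}

# simplified set of characters accepted inside a mailbox (assumption for the example)
_ADDR_CHARS = set(string.ascii_letters + string.digits + "!#$%&'*+-/=?^_`{|}~.@")
_ADDR_RE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<?([^>]*)>?", re.IGNORECASE)


def _verb(line: str) -> str:
    """Extract the command verb: the first token, without any trailing colon."""
    return line.split(" ", 1)[0].split(":", 1)[0].upper()


def _bad_address_chars(line: str) -> str:
    """Return the invalid characters found in a MAIL FROM / RCPT TO address."""
    m = _ADDR_RE.match(line)
    if not m:
        return ""
    return "".join(sorted({c for c in m.group(2) if c not in _ADDR_CHARS}))


def inspect_smtp_session(client_lines, esmtp: bool = True):
    """Return (forwarded, rejected, audit) for a list of client lines."""
    allowed = ALLOWED_SMTP | (ALLOWED_ESMTP if esmtp else set())
    forwarded, rejected, audit = [], [], []
    in_data = False
    for line in client_lines:
        if in_data:
            forwarded.append(line)          # body is passed untouched
            if line == ".":
                in_data = False
            continue
        verb = _verb(line)
        if verb not in allowed:
            rejected.append(line)
            continue
        if verb in ("MAIL", "RCPT"):
            bad = _bad_address_chars(line)
            if bad:
                audit.append(f"108002-style event: invalid character(s) {bad!r} in {line!r}")
        forwarded.append(line)
        if verb == "DATA":
            in_data = True
    return forwarded, rejected, audit


# constructed client side of a session, not captured traffic
SAMPLE_SESSION = [
    "EHLO mail.example.com",
    "MAIL FROM:<alice@example.com>",
    "RCPT TO:<bob ;@example.org>",   # space and ';' are outside the simplified set
    "EXPN staff",                    # not in either allowed list
    "DATA",
    "Subject: hello",
    "VRFY inside the body is just text",
    ".",
    "TURN",                          # not in either allowed list
    "QUIT",
]

if __name__ == "__main__":
    fwd, rej, aud = inspect_smtp_session(SAMPLE_SESSION)
    print("forwarded:", fwd)
    print("rejected:", rej)
    print("audit:", aud)
```

With the sample session, EXPN and TURN are rejected, the body line containing VRFY is forwarded as body text, and one audit event is recorded for the RCPT address.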
NOTE: A pointer record is also called a reverse record. A PTR record associates an IP
address with a canonical name.
NOTE: If the Security Appliance is protecting hosts that connect to Microsoft Windows
2003 DNS servers, the following inspect dns command must be used:
inspect dns maximum-length 1280
Microsoft uses EDNS as the DNS server software on Windows 2003 servers. EDNS
violates the previous max-length attribute of 512, requiring the inspect dns maximum-length
1280 command to override it.
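For context on where the inspect dns command sits, the following configuration fragment is an added example written for this page rather than text from the book. It shows the default inspection_default class-map and a global policy in which the DNS maximum length has been raised to 1280 for the Windows 2003 EDNS case described in the note; the class-map and policy-map names are the platform defaults, and the fragment assumes no other inspections have been customised.

```text
class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect dns maximum-length 1280
!
service-policy global_policy global
```

Leaving the maximum-length at the 512-byte default keeps the stricter check; raise it only on appliances that actually sit in front of EDNS-speaking servers, since a larger permitted reply is exactly what the amplification attack in the opening paragraph relies on.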