[c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?

Matthew Park Matthew.Park at exelisvis.com
Thu Feb 9 13:57:11 EST 2012


I would use the caching resolver idea, but management also wants to have
the activity logged and have e-mail based alerting.  I figured that I
could handle that on the ASA through SNMP traps.

--Matthew Park

-----Original Message-----
From: Joseph Karpenko [mailto:karpenko at cisco.com]
Sent: Thursday, February 09, 2012 11:43 AM
To: Matthew Park
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Filtering traffic to destinations based off of
DNS addresses on an ASA?

Quick and simple configuration using the DNS engine and MPF on the
firewall.

However, I also prefer and recommend Matthew Huff's suggestion about
configuring your recursive/caching resolver to be authoritative for
the domain-label you're looking to filter and setting the records to
127.0.0.1.  ;-)

!
regex domain1 "[Yy][Aa][Hh][Oo][Oo]\.[Cc][Oo][Mm]"
regex domain2 "[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]"
!
class-map type regex match-any dns_filter_class
  match regex domain1
  match regex domain2
!
class-map type inspect dns dns_inspect_class
  match not header-flag QR
  match question
  match domain-name regex class dns_filter_class
!
policy-map type inspect dns dns_inspect_policy
  class dns_inspect_class
    drop log
!
class-map inspection_default
  match default-inspection-traffic
!
policy-map egress_policy
  class inspection_default
    inspect dns dns_inspect_policy
!
service-policy egress_policy interface inside
!


regards,

-- 

/karpenko

on 2012.02.09-10:49:23 -0700, Matthew Park <Matthew.Park at exelisvis.com>
wrote:
> Date: Thu, 9 Feb 2012 10:49:23 -0700
> From: Matthew Park <Matthew.Park at exelisvis.com>
> To: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Filtering traffic to destinations based off of
>  DNS addresses on an ASA?
> 
> Steve,
> 
> Will this just block URLs or can it block all traffic to a domain?
> The latter is what I'm looking for.
> 
> Say block ALL traffic (make a domain "Dead to me") to google.com
> (no ping, nothing to mail.google.com, maps.google.com.. etc.)
> 
> Thanks for the quick reply!
> 
> --Matthew Park
> 
>> -----Original Message-----
>> From: Steve McCrory [mailto:smccrory at gcicom.net]
>> Sent: Thursday, February 09, 2012 10:37 AM
>> To: Matthew Park; cisco-nsp at puck.nether.net
>> Subject: RE: [c-nsp] Filtering traffic to destinations based off of
>>  DNS addresses on an ASA?
>> 
>> Matthew,
>> 
>> There is a URL filtering feature on the ASA which should
>> suffice for your requirements and does not require additional
>> licenses. It is, however, limited to 100 URLs max.
>> 
>> A good guide can be found here:
>> 
>> https://supportforums.cisco.com/docs/DOC-1268
>> 
>> Below is a copy of the configuration we had to block access to
>> facebook and youtube. I've listed the commands backwards from
>> applying the service-policy to the interface. Hopefully you will
>> be able to follow it but feel free to ask any questions you may
>> have:
>> 
>> service-policy inside-policy interface inside
>> !
>> policy-map inside-policy
>>  class httptraffic
>>   inspect http http_inspection_policy
>> !
>> class-map httptraffic
>>  match access-list inside_URL-block
>> !
>> access-list inside_URL-block extended permit tcp any any eq www
>> access-list inside_URL-block extended permit tcp any any eq 8080
>> !
>> policy-map type inspect http http_inspection_policy
>>  parameters
>>  class BlockDomainsClass
>>   reset log
>>  match request method connect
>>   drop-connection log
>> !
>> class-map type inspect http match-all BlockDomainsClass
>>  match request header host regex class DomainBlockList
>> !
>> class-map type regex match-any DomainBlockList
>>  match regex domainlist1
>>  match regex domainlist2
>> !
>> regex domainlist1 "\.facebook\.com"
>> regex domainlist2 "\.youtube\.com"
>> 
>> 
>> Couple of extra things you may be interested to know:
>> 
>> - You can add additional URLs to the filter by defining them with
>>   a regex and then referencing that regex in the class-map
>>   DomainBlockList
>> - If you wanted to bypass this filter for a particular user, you
>>   can add a deny statement for their IP addresses to the
>>   beginning of the inside_URL-block ACL. This obviously requires
>>   that they have a static IP address.
>> 
>> Regards
>> 
>> Steven
>> 
>> 
>>> -----Original Message-----
>>> From: cisco-nsp-bounces at puck.nether.net
>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Park
>>> Sent: 09 February 2012 16:29
>>> To: cisco-nsp at puck.nether.net
>>> Subject: [c-nsp] Filtering traffic to destinations based off of
>>>  DNS addresses on an ASA?
>>> 
>>> Hello all,
>>> 
>>> Does anyone know of a good way to make a filter (access-list or
>>> whatever) on a Cisco ASA 5510 using a DNS address as the
>>> destination rather than a set of IP addresses?
>>> 
>>> For example, block any internal hosts from browsing to
>>> www.microsoft.com even though they have several webservers
>>> mapped to that DNS address, essentially "blacklisting"
>>> www.microsoft.com from the company.
>>> 
>>> I found Cisco's "Botnet Filter" that looks like it might work,
>>> but before I buy a license for it, I was curious as to anyone
>>> else's experiences with this filter or another method for
>>> accomplishing this?
>>> 
>>> Matthew Park
>>> Senior Systems Administrator
>>> Exelis Visual Information Solutions
>>> Matthew.Park at exelisvis.com
>>> 
> [   --------------- End of Included Message ---------------   ]
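The following Python model is an added illustration, not code from any poster in the thread. It reproduces the matching logic of the two configurations above (Karpenko's dns_inspect_class on DNS queries and Steve's BlockDomainsClass on the HTTP Host header) against constructed DNS messages and Host values, using unanchored search the way ASA regex matching does, so the gaps of each pattern can be checked before deployment: the `[Gg][Oo]...` style patterns match anywhere in the name, while `\.facebook\.com` requires a leading dot and so misses the bare apex name.

```python
import re
import struct

# Regexes copied from the two configs in the thread. ASA regex is unanchored,
# so they behave like re.search(), not re.fullmatch().
DNS_FILTER_CLASS = [re.compile(r"[Yy][Aa][Hh][Oo][Oo]\.[Cc][Oo][Mm]"),
                    re.compile(r"[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]")]
DOMAIN_BLOCK_LIST = [re.compile(r"\.facebook\.com"), re.compile(r"\.youtube\.com")]

def build_dns_message(qname, response=False):
    """Constructed sample DNS message with one question (not a real capture)."""
    flags = 0x8180 if response else 0x0100          # QR is bit 0x8000
    header = struct.pack(">HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    labels = qname.rstrip(".").split(".")
    question = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + question + struct.pack(">HH", 1, 1)   # QTYPE A, QCLASS IN

def parse_question(msg):
    """Return (qr_bit_set, qname); mirrors 'match header-flag QR' and 'match question'."""
    flags, qdcount = struct.unpack(">HH", msg[2:6])
    if qdcount == 0:
        return bool(flags & 0x8000), None
    off, labels = 12, []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return bool(flags & 0x8000), ".".join(labels)

def dns_inspect(msg):
    """dns_inspect_class decision: a query (QR clear) whose question name matches -> drop."""
    qr, qname = parse_question(msg)
    if qr or qname is None:          # 'match not header-flag QR': responses never match
        return "permit"
    return "drop" if any(r.search(qname) for r in DNS_FILTER_CLASS) else "permit"

def http_host_blocked(host):
    """BlockDomainsClass decision on an HTTP Host header value."""
    return any(r.search(host) for r in DOMAIN_BLOCK_LIST)

if __name__ == "__main__":
    for name in ["mail.google.com", "GOOGLE.COM", "google.com.example.net", "googlecom.example"]:
        print(name, dns_inspect(build_dns_message(name)))
    for host in ["www.facebook.com", "facebook.com", "m.youtube.com"]:
        print(host, http_host_blocked(host))
```

Note that "google.com.example.net" is dropped by the DNS class (over-match) while "facebook.com" passes the Host-header class (under-match); both are consequences of the regexes as written, not of the inspection engine.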
