[c-nsp] Filtering traffic to destinations based off of DNS addresses on an ASA?

Eric eric at roxanne.org
Wed Feb 15 23:31:09 EST 2012


Depending on your resolver, you can turn on client query logging and alert on that.  Alternatively, you could map the DNS to an internal captive portal or darknet and glean clients there.  

-- Eric
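Eric's first suggestion (log client queries at the resolver and alert on them) as an added example that is not part of the thread: a small Python script that scans constructed BIND-style query-log lines for lookups inside a blocked zone. It matches on DNS labels rather than on a bare substring, and compares the result with the unanchored `[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]` pattern from the ASA config quoted further down, which also fires on names like `notgoogle.com`. The log format and client addresses are assumptions made up for the example.

```python
import re

# Constructed sample lines in BIND9 query-log style (not from the thread).
SAMPLE_LOG = """\
15-Feb-2012 09:01:02.123 client 10.0.0.5#51234: query: www.google.com IN A + (10.0.0.2)
15-Feb-2012 09:01:03.456 client 10.0.0.7#40001: query: mail.google.com IN MX + (10.0.0.2)
15-Feb-2012 09:01:04.789 client 10.0.0.9#53001: query: notgoogle.com IN A + (10.0.0.2)
15-Feb-2012 09:01:05.000 client 10.0.0.9#53002: query: google.com.example.net IN A + (10.0.0.2)
15-Feb-2012 09:01:06.000 client 10.0.0.11#53003: query: MAPS.GOOGLE.COM. IN AAAA + (10.0.0.2)
15-Feb-2012 09:01:07.000 client 10.0.0.12#53004: query: www.example.org IN A + (10.0.0.2)
"""

# Pull client IP, queried name and query type out of one log line.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")

# The unanchored pattern from the quoted ASA config, kept only for comparison.
NAIVE_RE = re.compile(r"[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]")

def naive_substring_hits(log_text):
    """Lines the substring regex flags: it over-matches on notgoogle.com and google.com.example.net."""
    return [l for l in log_text.splitlines() if "query:" in l and NAIVE_RE.search(l)]

def labels(name):
    # Normalise case and a trailing root dot, then split into DNS labels.
    return name.rstrip(".").lower().split(".")

def in_blocked_zone(qname, blocked):
    """Return the blocked domain that qname equals or sits under, else None.
    Comparing whole labels from the right enforces a label boundary and a true suffix."""
    q = labels(qname)
    for dom in blocked:
        d = labels(dom)
        if len(q) >= len(d) and q[-len(d):] == d:
            return dom
    return None

def find_blocked_queries(log_text, blocked):
    """Yield (client_ip, qname, qtype, blocked_domain) for every query inside a blocked zone."""
    alerts = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format we do not parse)
        hit = in_blocked_zone(m["qname"], blocked)
        if hit:
            alerts.append((m["ip"], m["qname"].rstrip(".").lower(), m["qtype"], hit))
    return alerts

if __name__ == "__main__":
    for ip, qname, qtype, dom in find_blocked_queries(SAMPLE_LOG, ["google.com"]):
        print(f"ALERT client={ip} queried {qname} ({qtype}) in blocked zone {dom}")
    print(f"substring regex would have flagged {len(naive_substring_hits(SAMPLE_LOG))} lines")
```

Feed the alert tuples to whatever mail or SNMP hook the environment uses; the label-wise comparison is the part worth reusing, since it is what the ASA regexes in the thread are approximating.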

On Feb 9, 2012, at 1:57 PM, "Matthew Park" <Matthew.Park at exelisvis.com> wrote:

> I would use the caching resolver idea, but management also wants to have
> the activity logged and have e-mail based alerting.  I figured that I
> could handle it on the ASA through SNMP traps.
> 
> --Matthew Park
> 
> -----Original Message-----
> From: Joseph Karpenko [mailto:karpenko at cisco.com] 
> Sent: Thursday, February 09, 2012 11:43 AM
> To: Matthew Park
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Filtering traffic to destinations based off of
> DNSaddresses on an ASA?
> 
> Quick and simple configuration using the DNS engine and MPF on the
> firewall.
> 
> However, I also prefer and recommend Matthew Huff's suggestion about
> configuring your recursive/caching resolver to be authoritative for
> the domain-label you're looking to filter and setting the records to
> 127.0.0.1.  ;-)
> 
> !
> regex domain1 "[Yy][Aa][Hh][Oo][Oo]\.[Cc][Oo][Mm]"
> regex domain2 "[Gg][Oo][Oo][Gg][Ll][Ee]\.[Cc][Oo][Mm]"
> !
> class-map type regex match-any dns_filter_class
>  match regex domain1
>  match regex domain2
> !
> class-map type inspect dns dns_inspect_class 
>  match not header-flag QR
>  match question
>  match domain-name regex class dns_filter_class
> !
> policy-map type inspect dns dns_inspect_policy
>  class dns_inspect_class
>    drop log
> !
> class-map inspection_default
>  match default-inspection-traffic
> !
> policy-map egress_policy
>  class inspection_default
>    inspect dns dns_inspect_policy
> !
> service-policy egress_policy interface inside
> !
> 
> 
> regards,
> 
> -- 
> 
> /karpenko
> 
> on 2012.02.09-10:49:23 -0700, Matthew Park <Matthew.Park at exelisvis.com>
> wrote:
>> Date: Thu, 9 Feb 2012 10:49:23 -0700
>> From: Matthew Park <Matthew.Park at exelisvis.com>
>> To: cisco-nsp at puck.nether.net
>> Subject: Re: [c-nsp] Filtering traffic to destinations based off of
>> DNSaddresses on an ASA?
>> 
>> Steve,
>> 
>> Will this just block URLs or can it block all traffic to a domain?
>> The latter is what I'm looking for.
>> 
>> Say block ALL traffic (make a domain "Dead to me") to google.com
>> (no ping, nothing to mail.google.com, maps.google.com.. etc.)
>> 
>> Thanks for the quick reply!
>> 
>> --Matthew Park
>> 
>>> -----Original Message-----
>>> From: Steve McCrory [mailto:smccrory at gcicom.net] 
>>> Sent: Thursday, February 09, 2012 10:37 AM
>>> To: Matthew Park; cisco-nsp at puck.nether.net
>>> Subject: RE: [c-nsp] Filtering traffic to destinations based off of
>>> DNSaddresses on an ASA?
>>> 
>>> Matthew,
>>> 
>>> There is a URL filtering feature on the ASA which should
>>> suffice for your requirements and does not require additional
>>> licenses. It is, however, limited to 100 URLs max.
>>> 
>>> A good guide can be found here:
>>> 
>>> https://supportforums.cisco.com/docs/DOC-1268
>>> 
>>> Below is a copy of the configuration we had to block access to
>>> facebook and youtube. I've listed the commands backwards from
>>> applying the service-policy to the interface. Hopefully you will
>>> be able to follow it but feel free to ask any questions you may
>>> have:
>>> 
>>> service-policy inside-policy interface inside
>>> !
>>> policy-map inside-policy
>>> class httptraffic
>>>  inspect http http_inspection_policy
>>> !
>>> class-map httptraffic
>>> match access-list inside_URL-block
>>> !
>>> access-list inside_URL-block extended permit tcp any any eq www 
>>> access-list inside_URL-block extended permit tcp any any eq 8080 
>>> !
>>> policy-map type inspect http http_inspection_policy
>>> parameters
>>> class BlockDomainsClass
>>>  reset log
>>> match request method connect
>>>  drop-connection log
>>> !
>>> class-map type inspect http match-all BlockDomainsClass
>>> match request header host regex class DomainBlockList
>>> !
>>> class-map type regex match-any DomainBlockList
>>> match regex domainlist1
>>> match regex domainlist2
>>> !
>>> regex domainlist1 "\.facebook\.com"
>>> regex domainlist2 "\.youtube\.com"
>>> 
>>> 
>>> Couple of extra things you may be interested to know:
>>> 
>>> - You can add additional URLs to the filter by defining them with
>>>  a regex and then referencing that regex in the class-map
>>>  DomainBlockList
>>> - If you wanted to bypass this filter for a particular user, you
>>>  can add a deny statement for their IP addresses to the
>>>  beginning of the inside_URL-block ACL. This obviously requires
>>>  that they have a static IP address.
>>> 
>>> Regards
>>> 
>>> Steven
>>> 
>>> 
>>>> -----Original Message-----
>>>> From: cisco-nsp-bounces at puck.nether.net
>>>> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Matthew Park
>>>> Sent: 09 February 2012 16:29
>>>> To: cisco-nsp at puck.nether.net
>>>> Subject: [c-nsp] Filtering traffic to destinations based off of
>>>> DNSaddresses on an ASA?
>>>> 
>>>> Hello all,
>>>> 
>>>> Does anyone know of a good way to make a filter (access-list or
>>>> whatever) on a Cisco ASA 5510 using a DNS address as the
>>>> destination rather than a set of IP addresses?
>>>> 
>>>> For example, block any internal hosts from browsing to
>>>> www.microsoft.com even though they have several webservers
>>>> mapped to that DNS address, essentially "blacklisting"
>>>> www.microsoft.com from the company.
>>>> 
>>>> I found Cisco's "Botnet Filter" that looks like it might work,
>>>> but before I buy a license for it, I was curious as to anyone
>>>> else's experiences with this filter or another method for
>>>> accomplishing this?
>>>> 
>>>> Matthew Park
>>>> Senior Systems Administrator
>>>> Exelis Visual Information Solutions
>>>> Matthew.Park at exelisvis.com
>>>> 
>> [   --------------- End of Included Message ---------------   ]
> 
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/