ASA FQDN access-list Part 2

My previous post focused on access-lists based upon Fully Qualified Domain Names. This has recently provided a solution for some work that has been undertaken. Even though it might seem quite straightforward to implement, there are some considerations that need to be addressed before implementation.

DNS Time To Live

There are quite a few websites which we deal with daily that live behind a load balancer. This allows the provider to deliver resiliency for their service. It also means they use low TTL times on DNS query answers. In the case of the site that was my focus for this work, the TTL was 96 seconds.


This time works rather well in my environment, but I do need to consider the CPU load from continuous polling. This is especially true if you are using something like Akamai or Facebook, which use TTLs of 6 and 12 seconds respectively. This can place quite a load upon your ASA.
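To see where the polling load comes from, here is an added example (my own code, not from the original post or from Cisco) that decodes the A records and their TTL from a DNS response in wire format, as you would pull out of a packet capture, and then estimates the worst-case re-resolution rate for a set of FQDNs. The response bytes are constructed inline rather than captured, and the rate calculation assumes the ASA re-queries a name as soon as its DNS TTL expires.

```python
import struct

def build_sample_response(name: str, ttl: int, addresses: list) -> bytes:
    """Build a minimal DNS response in wire format (constructed test data, not a capture).
    The answer section uses a compression pointer (0xC00C) back to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addresses), 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)          # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + question + answers

def read_name(msg: bytes, offset: int):
    """Decode a possibly-compressed DNS name; return (name, offset just after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                         # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            offset = pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end

def parse_a_records(msg: bytes):
    """Return [(name, ip, ttl)] for every A record in the answer section."""
    _, _flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4                                       # skip QTYPE + QCLASS
    records = []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record, IN class
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records

def queries_per_hour(ttl_seconds: int, fqdn_count: int = 1) -> float:
    """Worst-case re-resolution rate if every FQDN is re-queried the moment its
    DNS TTL expires (assumption: no ASA-side extension of the TTL)."""
    return fqdn_count * 3600 / ttl_seconds

if __name__ == "__main__":
    response = build_sample_response("www.example.com", 96, ["192.0.2.10", "192.0.2.11"])
    for name, ip, ttl in parse_a_records(response):
        print(f"{name} -> {ip} (TTL {ttl}s)")
    # Compare the 96 second site with the 12 and 6 second TTLs mentioned above,
    # assuming ten FQDN objects on the ASA.
    for ttl in (96, 12, 6):
        print(f"TTL {ttl:3d}s: {queries_per_hour(ttl, 10):8.1f} DNS queries/hour for 10 FQDNs")
```

Feed the parser the UDP payload of a real answer from your capture to get the TTL that matters for your own sites; the rate figure is what you weigh against the ASA's CPU before committing to a long list of low-TTL names.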

Trust thy DNS

Now this should go without saying: trust your DNS server. Your new rules are being made from DNS records. These records resolve to IP addresses, which are then used to create the access-list entries. If your DNS were compromised or poisoned you might actually be allowing in traffic that you aren't expecting.

A low latency, trusted (internal) server is a great place to start.

I am not your URL filter

It is good to note that although this can permit or deny based upon FQDN, it is not a URL filtering mechanism. These are some reasons why you should not use it as a URL filter.

  • The FQDN access-list purely provides dynamic IP entries for ACLs.
  • Access can be intermittent, as entries depend on a low DNS TTL plus the ASA's own TTL.
  • Multiple host names may share a single IP address.
  • A single site may use multiple names.

If you need URL filtering, enable it through the features of the ASA or set up a proxy server such as Squid.
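The two caveats that catch people most often, shared IP addresses and intermittent access around a TTL expiry, are easy to see in a small simulation. The following is an added example of my own, not ASA code or anything from the original post: it models an FQDN object the way the ASA behaves, resolving names and then matching only on the resulting IPs. The resolver answers, host names and addresses are constructed, and the 60 second extension the ASA keeps an entry beyond the DNS TTL is an assumed value rather than a documented default.

```python
from dataclasses import dataclass

# Constructed resolver data (RFC 5737 documentation addresses, not real sites).
# "allowed" and "other" share one front-end IP; "lb" moves between poll cycles.
RESOLVER_ANSWERS = {
    "allowed.example.com": [("198.51.100.10", 12)],
    "other.example.com":   [("198.51.100.10", 12)],   # same IP as the allowed host
    "lb.example.net":      [("203.0.113.5", 96)],
}

def resolver(fqdn: str, now: float):
    """Simulated DNS: lb.example.net is re-pointed by its load balancer at t=150."""
    if fqdn == "lb.example.net" and now >= 150:
        return [("203.0.113.6", 96)]
    return RESOLVER_ANSWERS[fqdn]

@dataclass
class FqdnEntry:
    fqdn: str
    ip: str
    expires_at: float

class FqdnAcl:
    """ASA-style FQDN object: names are resolved on a poll cycle and the ACL
    matches on the cached IPs, never on the host name the client asked for."""

    def __init__(self, fqdns, asa_expire_extra: float = 60):
        self.fqdns = list(fqdns)
        self.extra = asa_expire_extra   # assumed ASA-side extension past the DNS TTL
        self.entries: list[FqdnEntry] = []

    def poll(self, now: float):
        """Keep unexpired entries; re-resolve every FQDN with no live entry."""
        live = [e for e in self.entries if e.expires_at > now]
        known = {e.fqdn for e in live}
        for fqdn in self.fqdns:
            if fqdn not in known:
                for ip, ttl in resolver(fqdn, now):
                    live.append(FqdnEntry(fqdn, ip, now + ttl + self.extra))
        self.entries = live

    def permits(self, dst_ip: str, now: float) -> bool:
        return any(e.ip == dst_ip and e.expires_at > now for e in self.entries)

def run_scenario() -> dict:
    """Walk a timeline and record what the IP-based ACL permits at each point."""
    acl = FqdnAcl(["allowed.example.com", "lb.example.net"])
    acl.poll(now=0)
    results = {}
    # Shared IP: a client going to other.example.com hits 198.51.100.10, and the
    # ACL has no host name to check, so the "allowed" rule lets it through.
    results["other_host_same_ip"] = acl.permits("198.51.100.10", now=5)
    # At t=150 DNS already answers 203.0.113.6 for lb.example.net, but the ASA
    # still holds the old entry (expires 0 + 96 + 60 = 156) and has not re-polled.
    results["new_ip_before_repoll"] = acl.permits("203.0.113.6", now=150)
    results["old_ip_before_repoll"] = acl.permits("203.0.113.5", now=150)
    # Next poll cycle picks up the new address and access resumes.
    acl.poll(now=160)
    results["new_ip_after_repoll"] = acl.permits("203.0.113.6", now=161)
    return results

if __name__ == "__main__":
    for check, outcome in run_scenario().items():
        print(f"{check:22s}: {'permit' if outcome else 'deny'}")
```

The gap between `new_ip_before_repoll` and `new_ip_after_repoll` is the "intermittent access" from the list above: clients that resolve the new address before the ASA does are denied until the next poll. The `other_host_same_ip` result is the shared-IP problem, and it is the reason a hostname-based permit is not a substitute for a proxy or the ASA's own URL filtering.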

You might need to spend a little time with packet captures identifying the average TTL for the sites you require. It is important that you are aware of the caveats and requirements before you implement this. The real benefits, I feel, are for the next generation of internet services where IPv6 and DNS AAAA records are used, though why not capitalise now!
