ASA FQDN access-lists Part 1

A recent change came through which required a geo-spatial map data server on an isolated network to cache maps from various public sources. The geo-spatial database calls out to a number of websites: Bing, Google, government agencies and traffic management systems combine to provide layered map data. With a static source referencing dynamic destinations, a way to look beyond IP-addressed destinations was needed.

Fully Qualified Domain Name (FQDN) access-lists were introduced in ASA 8.4(2). They let the firewall resolve a name to IP addresses and use those addresses in an access-list. This post outlines what is required for the ASA to perform DNS lookups and enable FQDN ACLs.

A DNS server is required to perform the lookup and resolve the FQDN. The ASA needs dns domain-lookup enabled on the interface that faces the resolvers, and a server-group that lists them:

domain-name ciscoinferno.net
dns domain-lookup inside
dns server-group SG-CI-DNS
    name-server 10.0.20.100
    name-server 10.0.30.100
    domain-name ciscoinferno.net

Now, like any other object on the ASA, we can reference the FQDN inside a network object. This defines the site in question:

object network OBJ-maps.google.com
   fqdn maps.google.com

You reference OBJ-maps.google.com in an access-list exactly as you would any other network object; the FQDN is nested inside it. The access-list is then applied to the interface with access-group as usual.

access-list acl-inside permit ip any object OBJ-maps.google.com
access-list acl-inside deny ip any any

To check hit counts and the contents of an access-list you would normally issue a show access-list. With an FQDN ACL the output is a little different. This is a standard ASA access-list:

ASA5515X# sh access-list OLD-ACL
access-list OLD-ACL line 10 extended deny ip 172.16.0.0 255.255.0.0 any (hitcnt=2314931)
access-list OLD-ACL line 11 extended permit ip 192.168.0.0 255.255.0.0 any (hitcnt=29207)

This is an FQDN access-list. Notice that each resolved address becomes its own entry under the same ACL line, with its own hit count:

ASA5515x# show access-list acl-inside
 access-list acl-inside line 1 permit ip any object OBJ-maps.google.com 
 access-list acl-inside line 1 permit ip any fqdn maps.google.com (resolved) 
 access-list acl-inside line 1 permit ip any host 74.125.238.104 (maps.google.com) (hitcnt=5810) 
 access-list acl-inside line 1 permit ip any host 74.125.237.105 (maps.google.com) (hitcnt=3351) 
 access-list acl-inside line 1 permit ip any host 74.125.238.110 (maps.google.com) (hitcnt=15) 
 access-list acl-inside line 1 permit ip any host 74.125.237.96 (maps.google.com) (hitcnt=12) 
 access-list acl-inside line 1 permit ip any host 74.125.238.97 (maps.google.com) (hitcnt=0) 
 access-list acl-inside line 1 permit ip any host 74.125.237.98 (maps.google.com) (hitcnt=0) 
 access-list acl-inside line 1 permit ip any host 74.125.238.99 (maps.google.com) (hitcnt=0) 
 access-list acl-inside line 1 permit ip any host 74.125.237.100 (maps.google.com) (hitcnt=0) 
 access-list acl-inside line 2 deny ip any any (hitcnt=259428)
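Because the expanded output is the only place the ASA shows you which addresses an FQDN entry currently permits, it is worth being able to read it programmatically. The following is an added example, not code from the original post or from Cisco: a small Python parser for the show access-list lines above that groups the installed host entries under their FQDN, flags entries the ASA reports as unresolved (the ACE is then inactive, which fails closed for a permit but fails open for a deny), and compares the installed addresses against a set of DNS answers. The sample output is constructed from this page, and the "current DNS answer" is a constructed set rather than a live lookup.

```python
"""Parse Cisco ASA 'show access-list' output for FQDN entries and audit them.

Added example, not part of the original post. SAMPLE_OUTPUT is constructed
from the show access-list output on this page; DNS_VIEW is a constructed
answer set standing in for a fresh query against the same resolver.
"""
import re

# Expanded host entry, e.g.
#   access-list acl-inside line 1 permit ip any host 74.125.238.104 (maps.google.com) (hitcnt=5810)
HOST_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?(?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>.+?) host (?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<fqdn>[^)]+)\) \(hitcnt=(?P<hits>\d+)\)"
)
# FQDN summary entry, e.g.
#   access-list acl-inside line 1 permit ip any fqdn maps.google.com (resolved)
#   access-list mobile-in line 40 extended permit ip host 10.0.0.1 fqdn www.example.com (unresolved) (inactive)
FQDN_RE = re.compile(
    r"access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?(?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>.+?) fqdn (?P<fqdn>\S+) \((?P<state>resolved|unresolved)\)"
)

SAMPLE_OUTPUT = """\
access-list acl-inside line 1 permit ip any object OBJ-maps.google.com
access-list acl-inside line 1 permit ip any fqdn maps.google.com (resolved)
access-list acl-inside line 1 permit ip any host 74.125.238.104 (maps.google.com) (hitcnt=5810)
access-list acl-inside line 1 permit ip any host 74.125.237.105 (maps.google.com) (hitcnt=3351)
access-list acl-inside line 1 permit ip any host 74.125.238.110 (maps.google.com) (hitcnt=15)
access-list acl-inside line 1 permit ip any host 74.125.237.96 (maps.google.com) (hitcnt=12)
access-list acl-inside line 1 permit ip any host 74.125.238.97 (maps.google.com) (hitcnt=0)
access-list acl-inside line 1 permit ip any host 74.125.237.98 (maps.google.com) (hitcnt=0)
access-list acl-inside line 1 permit ip any host 74.125.238.99 (maps.google.com) (hitcnt=0)
access-list acl-inside line 1 permit ip any host 74.125.237.100 (maps.google.com) (hitcnt=0)
access-list acl-inside line 2 deny ip any any (hitcnt=259428)
access-list mobile-in line 40 extended permit ip host 10.234.18.24 fqdn http://www.groupon.com (unresolved) (inactive)
"""

# Constructed: what the resolver answers now. One installed address has
# dropped out (74.125.237.100) and one new one appeared (74.125.238.105).
DNS_VIEW = {
    "maps.google.com": [
        "74.125.238.104", "74.125.237.105", "74.125.238.110", "74.125.237.96",
        "74.125.238.97", "74.125.237.98", "74.125.238.99", "74.125.238.105",
    ],
}


def parse_show_access_list(text):
    """Return {fqdn: {"acl", "line", "action", "state", "hosts": {ip: hitcnt}}}.

    Entries are keyed by FQDN, so the same name used in two ACLs is merged;
    split on (acl, line, fqdn) instead if that matters for your policy.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FQDN_RE.match(line)
        if m:
            e = entries.setdefault(m["fqdn"], {"hosts": {}, "state": None, "action": None})
            e.update(acl=m["acl"], line=int(m["line"]), action=m["action"], state=m["state"])
            continue
        m = HOST_RE.match(line)
        if m:
            e = entries.setdefault(m["fqdn"], {"hosts": {}, "state": None, "action": None})
            e["hosts"][m["ip"]] = int(m["hits"])
    return entries


def compare_with_dns(entry, dns_answers):
    """Split installed addresses against a fresh DNS answer set.

    stale:   still permitted by the ASA but no longer returned by DNS
    missing: returned by DNS but not installed in the ACL (not yet polled,
             or beyond the number of records the ASA installs)
    """
    installed, answers = set(entry["hosts"]), set(dns_answers)
    return {
        "current": sorted(installed & answers),
        "stale": sorted(installed - answers),
        "missing": sorted(answers - installed),
    }


def audit(entries, dns_view):
    """Produce (fqdn, kind, detail) findings for an operator to review."""
    findings = []
    for fqdn, e in entries.items():
        if e["state"] != "resolved":
            # An inactive ACE matches nothing: a permit fails closed, a deny fails open.
            risk = "fails open" if e["action"] == "deny" else "fails closed"
            findings.append((fqdn, "UNRESOLVED", f"ACE inactive, {risk}"))
            continue
        diff = compare_with_dns(e, dns_view.get(fqdn, []))
        for ip in diff["stale"]:
            findings.append((fqdn, "STALE", f"{ip} permitted, not in DNS answer (hitcnt={e['hosts'][ip]})"))
        for ip in diff["missing"]:
            findings.append((fqdn, "MISSING", f"{ip} in DNS answer, not installed in ACL"))
    return findings


if __name__ == "__main__":
    for fqdn, kind, detail in audit(parse_show_access_list(SAMPLE_OUTPUT), DNS_VIEW):
        print(f"{kind:10} {fqdn:30} {detail}")
```

The STALE list is the one to watch from a security standpoint: those are addresses the firewall still permits on the strength of an answer the resolver no longer gives, so an address that has been handed to a different tenant stays reachable until the ASA expires the entry.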

This has definitely solved the business problem we had. Because we now rely on DNS servers, we expose ourselves to DNS hijacking: the ASA permits whatever addresses the configured resolvers return, so a spoofed or poisoned answer turns the permit into a permit towards an attacker's host. Keep the resolvers in the server-group internal and trusted, and point dns domain-lookup only at the interface that faces them. Additional filtering can be applied to narrow "ip any" to the specific source host and to the required ports (for a web map service, tcp/80 and tcp/443 rather than ip). This tightens the attack vector. The next part looks at DNS packet information and tweaking FQDN resolution to improve lookups.


8 thoughts on “ASA FQDN access-lists Part 1”

  1. rfairclough says:

    If you are going to use fqdn objects I can only suggest you force a cache time of 1-2 hours.
    Had lots of fun when one ASA came crashing down due to a cloud provider running DNS with a TTL of 10s where the ASA spent lots of CPU just refreshing DNS entries.

    Make sure people are aware of the caching policy and the fact it only uses the first 4 or 8 or something entries returned, as it plays a bit screwy with some MS services which return like 30 odd records.

    Even more fun when people have internal and external DNS he he he will leave you to work out how to do that one ;).

    • Yeah – I was sitting in a meeting listening to the requirements and thought to myself – surely this must exist. Juniper SRX has it too. Not uncommon by the widespread feature-set though I do wonder about its deployment penetration.

  2. dan hoye says:

    I'm looking to allow traffic to a FQDN and block all other traffic with this config below:

    object network OBJ-groupon.com
    fqdn http://www.groupon.com

    object-group network TM-US-M2M-Custom-Groupon
    network-object host 10.234.18.24

    access-list mobile-in line 40 extended permit ip object-group TM-US-M2M-Custom-Groupon object OBJ-groupon.com

    access-list mobile-in line 41 extended deny ip object-group TM-US-M2M-Custom-Groupon any

    dns domain-lookup transit1
    DNS server-group DefaultDNS
    name-server 172.17.1.101
    domain-name ORD1.RACKSPACE.COM

    I am getting the errors below:

    access-list mobile-in line 40 extended permit ip object-group TM-US-M2M-Custom-Groupon object OBJ-groupon.com 0xca40640b
    access-list mobile-in line 40 extended permit ip host 10.234.18.24 fqdn http://www.groupon.com (unresolved) (inactive)

    What am I missing here? Any assistance would be appreciated. Thank you.
