A recent change came through which required a geo-spatial map data server on an isolated network to cache maps from various public entities. The geo-spatial database calls upon various websites: Bing, Google, government agencies and traffic management services combine to provide layered map data. Because a static source references dynamic entities, we needed to look beyond IP-addressed destinations.
Fully Qualified Domain Name (FQDN) access-lists were introduced in 8.4(2) and allow name-to-IP resolution within access-lists. This post outlines what is required to perform the DNS lookups that enable FQDN ACLs.
A DNS server is required to perform the lookup and resolve the FQDN.
domain-name ciscoinferno.net
dns domain-lookup inside
DNS server-group SG-CI-DNS
 name-server 10.0.20.100
 name-server 10.0.30.100
 domain-name ciscoinferno.net
Now, like any other object on the ASA, we can reference the FQDN. This allows us to define the site in question.
object network OBJ-maps.google.com
 fqdn maps.google.com
Just as you would reference any object on the ASA, you can reference OBJ-maps.google.com, which has the FQDN nested inside it.
access-list acl-inside permit ip any object OBJ-maps.google.com
access-list acl-inside deny ip any any
To check access-list hit counts and what is in an access-list you would normally issue show access-list. When you use an FQDN ACL the output is a little different. This is a standard ASA access-list:
ASA5515X# sh access-list OLD-ACL
access-list OLD-ACL line 10 extended deny ip 172.16.0.0 255.255.0.0 any (hitcnt=2314931)
access-list OLD-ACL line 11 extended permit ip 192.168.0.0 255.255.0.0 any (hitcnt=29207)
This is an FQDN access-list. Notice that the resolved addresses become entries in the ACL themselves:
ASA5515x# show access-list acl-inside
access-list acl-inside line 1 permit ip any object OBJ-maps.google.com
access-list acl-inside line 1 permit ip any fqdn maps.google.com (resolved)
access-list acl-inside line 1 permit ip any host 74.125.238.104 (maps.google.com) (hitcnt=5810)
access-list acl-inside line 1 permit ip any host 74.125.237.105 (maps.google.com) (hitcnt=3351)
access-list acl-inside line 1 permit ip any host 74.125.238.110 (maps.google.com) (hitcnt=15)
access-list acl-inside line 1 permit ip any host 74.125.237.96 (maps.google.com) (hitcnt=12)
access-list acl-inside line 1 permit ip any host 74.125.238.97 (maps.google.com) (hitcnt=0)
access-list acl-inside line 1 permit ip any host 74.125.237.98 (maps.google.com) (hitcnt=0)
access-list acl-inside line 1 permit ip any host 74.125.238.99 (maps.google.com) (hitcnt=0)
access-list acl-inside line 1 permit ip any host 74.125.237.100 (maps.google.com) (hitcnt=0)
access-list acl-inside line 2 deny ip any any (hitcnt=259428)
This has definitely helped with the business problem we had. Now that we rely on DNS servers, we do expose ourselves to DNS hijacking. Additional filtering can be applied to narrow ip any to the specified host and include port information, which tightens the attack vector. The next part looks at DNS packet information and tweaking FQDN resolution to improve lookups.
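As an added example that is not part of the original post, here is a small Python check a defender can run over the per-host entries the ASA expands under an FQDN ACE, in the show access-list format above, to spot addresses the name currently resolves to that the ACL lacks (traffic that will fall through to the deny line) and entries that have gone stale. The sample show output and the current DNS answers are constructed; the same comparison surfaces the partial-resolution behaviour the comments raise for names that return many records.

```python
import re
from dataclasses import dataclass

# Matches the per-host lines the ASA generates beneath an FQDN ACE, e.g.
# "access-list acl-inside line 1 permit ip any host 74.125.238.104 (maps.google.com) (hitcnt=5810)"
HOST_LINE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?(?P<action>permit|deny) "
    r"(?P<proto>\S+) (?P<src>\S+) host (?P<dst>\d+\.\d+\.\d+\.\d+) "
    r"\((?P<fqdn>[^)]+)\) \(hitcnt=(?P<hits>\d+)\)$"
)

@dataclass(frozen=True)
class HostEntry:
    acl: str
    line: int
    fqdn: str
    address: str
    hits: int

def parse_fqdn_entries(show_output):
    """Return the resolved host entries the ASA expanded from FQDN objects.
    Object, "(resolved)" and plain any/any lines carry no host and are skipped."""
    entries = []
    for raw in show_output.splitlines():
        m = HOST_LINE.match(raw.strip())
        if m:
            entries.append(HostEntry(m["acl"], int(m["line"]), m["fqdn"],
                                     m["dst"], int(m["hits"])))
    return entries

def coverage_gap(entries, fqdn, current_answers):
    """Compare the hosts the ACL currently holds for fqdn with a fresh DNS answer set.
    Returns (missing, stale): missing = addresses DNS returns that the ACL lacks,
    stale = ACL hosts the name no longer resolves to (permits now aimed at
    addresses the name does not own)."""
    acl_hosts = {e.address for e in entries if e.fqdn == fqdn}
    answers = set(current_answers)
    return sorted(answers - acl_hosts), sorted(acl_hosts - answers)

# Constructed sample in the ASA's output format; addresses are documentation ranges.
SAMPLE_SHOW = """\
access-list acl-inside line 1 permit ip any object OBJ-maps.google.com
access-list acl-inside line 1 permit ip any fqdn maps.google.com (resolved)
access-list acl-inside line 1 permit ip any host 192.0.2.10 (maps.google.com) (hitcnt=5810)
access-list acl-inside line 1 permit ip any host 192.0.2.11 (maps.google.com) (hitcnt=0)
access-list acl-inside line 2 deny ip any any (hitcnt=259428)
"""
# Constructed "current" DNS answer: one address kept, one dropped, one new.
CURRENT_ANSWERS = ["192.0.2.10", "192.0.2.12"]

if __name__ == "__main__":
    missing, stale = coverage_gap(parse_fqdn_entries(SAMPLE_SHOW), "maps.google.com", CURRENT_ANSWERS)
    print("not yet in ACL:", missing, "stale in ACL:", stale)
```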
I assume this kind of configuration will become more of a necessity with IPv6?
Absolutely. It does make sense as DNS is an integral part of IPv6.
If you are going to use fqdn objects, I can only suggest you force a cache time of 1-2 hours.
Had lots of fun when one ASA came crashing down due to a cloud provider running DNS with a TTL of 10s, where the ASA spent lots of CPU just refreshing DNS entries.
Make sure people are aware of the caching policy and the fact that it only uses the first 4 or 8 or something entries returned, as it plays a bit screwy with some MS services which return like 30-odd records.
Even more fun when people have internal and external DNS, he he he. Will leave you to work out how to do that one ;).
Great article. As long as I’ve been using ASAs, I didn’t realize you could do this.
Yeah – I was sitting in a meeting listening to the requirements and thought to myself – surely this must exist. Juniper SRX has it too. Not uncommon by the widespread feature-set though I do wonder about its deployment penetration.
I'm looking to allow traffic to a FQDN and block all other traffic with this config below:
object network OBJ-groupon.com
fqdn http://www.groupon.com
object-group network TM-US-M2M-Custom-Groupon
network-object host 10.234.18.24
access-list mobile-in line 40 extended permit ip object-group TM-US-M2M-Custom-Groupon object OBJ-groupon.com
access-list mobile-in line 41 extended deny ip object-group TM-US-M2M-Custom-Groupon any
dns domain-lookup transit1
DNS server-group DefaultDNS
name-server 172.17.1.101
domain-name ORD1.RACKSPACE.COM
I am getting the errors below:
access-list mobile-in line 40 extended permit ip object-group TM-US-M2M-Custom-Groupon object OBJ-groupon.com 0xca40640b
access-list mobile-in line 40 extended permit ip host 10.234.18.24 fqdn http://www.groupon.com (unresolved) (inactive)
What am I missing here? Any assistance would be appreciated. Thank you.