DIG on CentOS 7 (in addition to nslookup). [TESTED]

Installation process

• To find the package that provides the dig utility (quote the glob so the shell does not expand it against local files):

yum whatprovides '*bin/dig'

• To install the package:

yum -y install bind-utils

Examples

• To show A entries, the same as “nslookup cisco.com 8.8.8.8” or “nslookup -type=a cisco.com 8.8.8.8”:

dig @8.8.8.8 +noall +answer cisco.com
cisco.com.              4563    IN      A       72.163.4.161

• To show NS entries, the same as “nslookup -type=ns cisco.com 8.8.8.8”:

dig @8.8.8.8 ns +noall +answer cisco.com
cisco.com.              1068    IN      NS      ns2.cisco.com.
cisco.com.              1068    IN      NS      ns1.cisco.com.
cisco.com.              1068    IN      NS      ns3.cisco.com.

• To show PTR records, the same as “nslookup -type=ptr 72.163.4.161 8.8.8.8”. The -x option builds the reverse name (161.4.163.72.in-addr.arpa) for you, and +noall +answer work here as well:

dig @8.8.8.8 +noall +answer -x 72.163.4.161
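The nslookup-to-dig mapping above, as an added example (not from the original notes): a small Python helper that builds the dig argv for A/NS/PTR lookups, shows the in-addr.arpa name that -x queries behind the scenes, and parses the “+noall +answer” output into records. The sample A and NS lines are the ones shown above; the PTR line and run_query() are assumptions for illustration (run_query needs bind-utils and network access, everything else runs offline).

```python
# Added example (not from the original notes): build the dig command lines that
# mirror the nslookup calls above, and parse dig's "+noall +answer" output.
import ipaddress
import subprocess

DEFAULT_SERVER = "8.8.8.8"


def dig_argv(name, rtype="A", server=DEFAULT_SERVER):
    """argv for 'dig' equivalent to 'nslookup -type=<rtype> <name> <server>'.

    For PTR the caller passes an IP address and dig's -x option builds the
    reverse name; +noall +answer works for -x as well as for forward lookups.
    """
    argv = ["dig", f"@{server}", "+noall", "+answer"]
    if rtype.upper() == "PTR":
        ip = ipaddress.ip_address(name)  # ValueError for anything that is not an IP
        argv += ["-x", str(ip)]
    else:
        argv += [name, rtype.upper()]
    return argv


def reverse_name(ip):
    """The in-addr.arpa / ip6.arpa owner name that 'dig -x <ip>' actually queries."""
    return ipaddress.ip_address(ip).reverse_pointer


def parse_answer(text):
    """Parse '+noall +answer' lines into records.

    Each line is: owner TTL class type rdata...  RDATA may contain spaces
    (MX, SOA, TXT), so everything after the type is joined back together.
    Trailing dots are stripped from owner names and from name-valued RDATA.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank or dig comment line
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            raise ValueError(f"unexpected answer line: {line!r}")
        rtype = fields[3]
        rdata = " ".join(fields[4:])
        if rtype in ("NS", "PTR", "CNAME"):
            rdata = rdata.rstrip(".")
        records.append({"name": fields[0].rstrip("."), "ttl": int(fields[1]),
                        "type": rtype, "rdata": rdata})
    return records


def run_query(name, rtype="A", server=DEFAULT_SERVER, timeout=5):
    """Run dig (needs bind-utils and network access) and return parsed records."""
    proc = subprocess.run(dig_argv(name, rtype, server), capture_output=True,
                          text=True, timeout=timeout, check=True)
    return parse_answer(proc.stdout)


# Constructed sample output for offline use: the A and NS lines are the ones
# shown in the notes above; the PTR line is made up for illustration.
SAMPLE_A = "cisco.com.              4563    IN      A       72.163.4.161\n"
SAMPLE_NS = (
    "cisco.com.              1068    IN      NS      ns2.cisco.com.\n"
    "cisco.com.              1068    IN      NS      ns1.cisco.com.\n"
    "cisco.com.              1068    IN      NS      ns3.cisco.com.\n"
)
SAMPLE_PTR = "161.4.163.72.in-addr.arpa. 3600 IN PTR host.example.net.\n"

if __name__ == "__main__":
    print(" ".join(dig_argv("72.163.4.161", "PTR")), "->", reverse_name("72.163.4.161"))
    for rec in parse_answer(SAMPLE_NS):
        print(rec)
```

parse_answer() rejects anything that is not a five-field “IN” answer line, so running dig without +noall +answer (which prints the header and the question section) fails loudly instead of producing half-parsed records.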

Cisco ASA as DNS server (DNS forwarder). [TESTED]

Cisco ASA does not run a DNS server, but you can configure static NAT with port translation so that the ASA forwards DNS to an external resolver. Internal clients then use the ASA’s inside interface address as their DNS server:

object network DNS-Server-8.8.8.8
 description Static NAT with port translation for DNS forwarding.
 host 8.8.8.8
 nat (outside,inside) static interface service udp 53 53

This is not a caching forwarder: every query is translated and sent on to 8.8.8.8. Only UDP/53 is covered by this rule; queries that fall back to TCP/53 (large or DNSSEC answers) need a separate network object with a tcp 53 translation, since an object can carry only one nat statement. The good thing is that DNS inspection can be applied on top of this configuration to block DNS queries from some users to some domains.

Cisco ASA - URL Filtering (regular expressions, MPF, DNS inspection, FQDN ACLs). [TESTED]

The task is to block some websites for a subset of users.

Important Notes

Limitations

ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example:

Note: HTTPS filtering is not supported on ASA. ASA cannot do deep packet inspection or inspection based on regular expression for HTTPS traffic, because in HTTPS, content of packet is encrypted (SSL).

For example, you blocked http://gmail.com, but the user can still open https://gmail.com. Some sites are HTTP only, but more and more also offer HTTPS, e.g. gmail.com and dropbox.com. Two more caveats: the HTTP match is on the Host header, which the client controls, so a request sent by IP address or with a bogus Host header is not matched; and an ASA regex matches anywhere in the header unless anchored with ^ and $, so “ok\.ru” also hits “book.ru”. For the HTTPS case you can block the DNS queries with DNS inspection or use an FQDN ACL. All options are listed below.

Documentation

ASA/PIX 8.x: Block Certain Websites (URLs) Using Regular Expressions With MPF Configuration Example
ASA URL filtering without a Websense or N2H2/Smartfilter server

After class-map modification you MUST reapply policy

For example, everything is configured and you want a small change, such as adding a regex:

regex block-certification.ru "certification\.ru"

class-map type inspect http match-any URL-FILTER-CLASS
 match request header host regex block-certification.ru

After that you MUST reapply policy-map like this:

policy-map global_policy
 class inspection_default
  no inspect http URL-FILTER-POLICY
  inspect http URL-FILTER-POLICY

Otherwise, every HTTP connection is reset, with the following logs:

%ASA-4-507003: tcp flow from lan:192.168.0.208/50798 to wan:213.180.193.3/80 terminated by inspection engine, reason - reset unconditionally.
%ASA-6-302014: Teardown TCP connection 5728 for wan:213.180.193.3/80 to lan:192.168.0.208/50798 duration 0:00:00 bytes 0 Flow closed by inspection

The “reset-drop” counter keeps increasing:

ASA# show service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http URL-FILTER-POLICY, packet 5316, drop 29, reset-drop 8, v6-fail-close 0
        protocol violations
          packet 0
        class URL-FILTER-CLASS (match-any)
          Match: request header host regex block-mail.ru, 5 packets
          Match: request header host regex block-odnoklassniki.ru, 8 packets
          Match: request header host regex block-gmail.com, 2 packets
          Match: request header host regex block-certification.ru, 0 packets
          drop-connection log, packet 0
ASA#

Example 1 - Block some domains for all users

regex block-odnoklassniki.ru "ok\.ru"
regex block-mail.ru "mail\.ru"
regex block-gmail.com "gmail\.com"

class-map type inspect http match-any URL-FILTER-CLASS
 match request header host regex block-mail.ru
 match request header host regex block-odnoklassniki.ru
 match request header host regex block-gmail.com

policy-map type inspect http URL-FILTER-POLICY
 class URL-FILTER-CLASS
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect http URL-FILTER-POLICY

! Exists by default.
service-policy global_policy global

It works. Logs for “http://mail.ru”:

%ASA-6-305011: Built dynamic TCP translation from lan:192.168.0.208/50049 to wan:10.0.0.150/50049
%ASA-7-609001: Built local-host wan:217.69.139.202
%ASA-6-302013: Built outbound TCP connection 4460 for wan:217.69.139.202/80 (217.69.139.202/80) to lan:192.168.0.208/50049 (10.0.0.150/50049)
%ASA-5-415008: HTTP - matched Class 25: URL-FILTER-CLASS in policy-map URL-FILTER-POLICY, header matched - Dropping connection from lan:192.168.0.208/50049 to wan: 217.69.139.202/80
%ASA-5-304001: 192.168.0.208 Accessed URL 217.69.139.202:http://mail.ru/
%ASA-4-507003: tcp flow from lan:192.168.0.208/50049 to wan:217.69.139.202/80 terminated by inspection engine, reason - disconnected, dropped packet.
%ASA-6-302014: Teardown TCP connection 4460 for wan:217.69.139.202/80 to lan:192.168.0.208/50049 duration 0:00:00 bytes 0 Flow closed by inspection
%ASA-7-609002: Teardown local-host wan:217.69.139.202 duration 0:00:00
%ASA-6-305012: Teardown dynamic TCP translation from lan:192.168.0.208/50049 to wan:10.0.0.150/50049 duration 0:00:00
%ASA-6-302014: Teardown TCP connection 4431 for wan:23.5.251.27/80 to lan:192.168.0.208/50043 duration 0:01:13 bytes 2433 TCP FINs
%ASA-6-305012: Teardown dynamic TCP translation from lan:192.168.0.208/50043 to wan:10.0.0.150/50043 duration 0:01:13
%ASA-6-106015: Deny TCP (no connection) from 192.168.0.208/50049 to 217.69.139.202/80 flags PSH ACK  on interface lan

To review statistics:

ASA# show service-policy inspect http

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: http URL-FILTER-POLICY, packet 4610, drop 14, reset-drop 0, v6-fail-close 0
        protocol violations
          packet 0
        class URL-FILTER-CLASS (match-any)
          Match: request header host regex block-mail.ru, 5 packets
          Match: request header host regex block-odnoklassniki.ru, 8 packets
          Match: request header host regex block-gmail.com, 1 packets
          drop-connection log, packet 14
ASA#
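Before putting regexes like the three above into a class-map, it is worth checking what else they match. The following added example (not from the original notes) uses Python’s re module as a model of the ASA regex engine, on the assumption that an ASA regex matches anywhere in the Host header unless anchored with ^ and $ and supports the ( ) | [ ] ? + syntax used here. The patterns under PAGE_REGEXES are the ones from Example 1 (plus the unescaped “gmail.com” as written in Example 3); the hardened ones and the list of test hosts are my own.

```python
# Added example (not from the original notes): check ASA "regex" patterns
# against candidate Host header values before deploying them. Python's re is
# used as a model of the ASA regex engine (assumption: unanchored search,
# same ^ $ ( ) | [ ] ? + syntax).
import re

# Patterns exactly as defined in Example 1 (and the unescaped one from Example 3).
PAGE_REGEXES = {
    "block-odnoklassniki.ru": r"ok\.ru",
    "block-mail.ru": r"mail\.ru",
    "block-gmail.com": r"gmail.com",      # unescaped dot: matches any character
}

# Same intent, anchored: the whole Host header must be the domain or one of its
# subdomains, optionally followed by :port (browsers add it for non-default ports).
HARDENED_REGEXES = {
    "block-odnoklassniki.ru": r"(^|\.)ok\.ru(:[0-9]+)?$",
    "block-mail.ru": r"(^|\.)mail\.ru(:[0-9]+)?$",
    "block-gmail.com": r"(^|\.)gmail\.com(:[0-9]+)?$",
}

# Constructed test hosts (not from the page): intended targets plus lookalikes
# that a substring match would catch by accident.
HOSTS = [
    "ok.ru", "www.ok.ru", "book.ru",               # book.ru is collateral damage
    "mail.ru", "mail.ru:8080", "webmail.ru",       # webmail.ru is collateral damage
    "gmail.com", "gmailxcom.example",              # '.' matches 'x' when unescaped
    "gmail.com.evil.example",                      # not gmail, but contains it
]


def matched_by(regexes, host):
    """Names of the regexes a match-any class would fire on for this Host value."""
    return sorted(name for name, pat in regexes.items() if re.search(pat, host))


def compare(hosts=HOSTS, before=PAGE_REGEXES, after=HARDENED_REGEXES):
    """For each host: what the page's patterns block vs. what the anchored ones block."""
    return {h: {"page": matched_by(before, h), "hardened": matched_by(after, h)}
            for h in hosts}


def collateral(hosts=HOSTS, before=PAGE_REGEXES, after=HARDENED_REGEXES):
    """Hosts the loose patterns block that the anchored patterns do not."""
    return [h for h in hosts if matched_by(before, h) and not matched_by(after, h)]


if __name__ == "__main__":
    for host, result in compare().items():
        print(f"{host:28} page={result['page']} hardened={result['hardened']}")
    print("collateral:", collateral())
```

The anchored form still blocks subdomains (www.ok.ru) and explicit ports (mail.ru:8080) but stops matching book.ru, webmail.ru and gmail.com.evil.example. Whatever pattern you settle on, the limit from the notes above still applies: the Host header is supplied by the client, so this is policy enforcement for cooperative browsers, not a security boundary.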

Example 2 - Block some domains for some IPs or on some interfaces

The interface policy applies URL-FILTER-POLICY only to traffic matching ACL-HTTP that enters interface lan, so restrict the source of ACL-HTTP to the users in question. Interface service policies take precedence over the global policy for the same inspection, but if URL-FILTER-POLICY is also left in global_policy (as below), every other user is still filtered; drop it from global_policy when the filter is meant for a subset only.

regex block-odnoklassniki.ru "ok\.ru"
regex block-mail.ru "mail\.ru"
regex block-gmail.com "gmail\.com"

class-map type inspect http match-any URL-FILTER-CLASS
 match request header host regex block-mail.ru
 match request header host regex block-odnoklassniki.ru
 match request header host regex block-gmail.com

policy-map type inspect http URL-FILTER-POLICY
 class URL-FILTER-CLASS
  drop-connection log

policy-map global_policy
 class inspection_default
  inspect http URL-FILTER-POLICY

access-list ACL-HTTP extended permit tcp any any eq www

class-map HTTP-TRAFFIC
 match access-list ACL-HTTP

policy-map LAN-POLICY
 class HTTP-TRAFFIC
  inspect http URL-FILTER-POLICY

service-policy LAN-POLICY interface lan

Example 3 - How to block DNS queries

For example, you configured HTTP inspection to block “gmail.com”, but some users still use https://gmail.com and HTTP inspection can do nothing about it. The next step is DNS inspection to block the DNS queries themselves. It works whether the ASA is acting as the DNS forwarder (see above) or just passing DNS queries through. Again, users can bypass it with a hosts file or with a resolver the ASA does not see. Here is an example (note the escaped dot; a bare “gmail.com” would also match “gmailxcom”):

regex block-gmail.com "gmail\.com"

class-map type regex match-any DOMAIN-BLOCKLIST-CLASS
 match regex block-gmail.com

policy-map type inspect dns DNS-ISPECT-POLICY
 match domain-name regex class DOMAIN-BLOCKLIST-CLASS
  drop-connection log

policy-map global_policy
 class inspection_default
  no inspect dns preset_dns_map
  inspect dns DNS-ISPECT-POLICY

Note that removing preset_dns_map also removes its default parameters section (the message-length maximum settings); add a parameters section to DNS-ISPECT-POLICY if you still want them. To check statistics:

ASA# show service-policy inspect dns

Global policy:
  Service-policy: global_policy
    Class-map: inspection_default
      Inspect: dns DNS-ISPECT-POLICY, packet 14, drop 4, reset-drop 0, v6-fail-close 0
        dns-guard, count 5
        protocol-enforcement, drop 0
        nat-rewrite, count 0
        match domain-name regex class DOMAIN-BLOCKLIST-CLASS
          drop-connection log, packet 4
ASA#

Normally, you will see the following syslog messages:

%ASA-4-410003: DNS Classification: Dropped DNS request (id 2) from lan:192.168.0.208/58835 to wan:8.8.8.8/53; matched Class 28: match domain-name regex class DOMAIN-BLOCKLIST-CLASS
%ASA-4-507003: udp flow from lan:192.168.0.208/58835 to wan:8.8.8.8/53 terminated by inspection engine, reason - inspector disconnected, dropped packet.

Example 4 - Using FQDN ACL

Using hostnames (DNS) in access-lists - configuration steps, caveats and troubleshooting

dns domain-lookup wan
dns server-group DefaultDNS
 name-server 8.8.8.8
 domain-name example.ru

object network OBJ-gmail.com
 fqdn gmail.com

access-list LAN_IN extended deny ip any object OBJ-gmail.com
access-list LAN_IN extended permit ip any any

access-group LAN_IN in interface lan

Verification. The ASA resolves the FQDN with its own DNS server group and the ACL covers only the addresses it has resolved, refreshed when the TTL shown below expires; if clients use a different resolver, or the site hands out different addresses per client, connections can slip past the deny:

ASA# show dns
Name: gmail.com
  Address: 74.125.239.53                                 TTL 00:01:48
  Address: 74.125.239.54                                 TTL 00:01:48
ASA#
ASA# show access-list LAN_IN
access-list LAN_IN; 4 elements; name hash: 0xdc702f96
access-list LAN_IN line 1 extended deny ip any object OBJ-gmail.com (hitcnt=81) 0xf3e34503
  access-list LAN_IN line 1 extended deny ip any fqdn gmail.com (resolved) 0x916b5e2f
  access-list LAN_IN line 1 extended deny ip any host 74.125.239.53 (gmail.com) (hitcnt=39) 0xf3e34503
  access-list LAN_IN line 1 extended deny ip any host 74.125.239.54 (gmail.com) (hitcnt=42) 0xf3e34503
access-list LAN_IN line 2 extended permit ip any any (hitcnt=19) 0xa4b30ce0
ASA#

Syslog message:

%ASA-4-106023: Deny tcp src lan:192.168.0.10/51465 dst wan:74.125.239.54/443(gmail.com) by access-group "LAN_IN" [0xf3e34503, 0xf3e34503]
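The three mechanisms above each leave a different syslog trail (415008 plus 304001 for HTTP inspection, 410003 for DNS inspection, 106023 for the FQDN ACL). The following added example (not from the original notes) parses those messages and reports, per client, which domains were stopped and by which mechanism. The sample lines are the ones shown in these notes plus a few constructed ones; the syslog prefix format and the extra client addresses are assumptions.

```python
# Added example (not from the original notes): pull the "blocked" events out of
# ASA syslog and report per client which domains were stopped and how
# (HTTP inspection, DNS inspection, FQDN ACL).
import re
from collections import defaultdict
from urllib.parse import urlsplit

IFACE = r"[\w-]+"
PATTERNS = {
    # 415008: HTTP inspection dropped the connection; no hostname in the message
    "http_drop": re.compile(
        r"%ASA-5-415008: HTTP - matched Class \d+: (?P<cls>\S+) in policy-map "
        r"(?P<pmap>[^,]+),.*?Dropping connection from "
        rf"{IFACE}:(?P<src>[\d.]+)/(?P<sport>\d+) to {IFACE}:\s*(?P<dst>[\d.]+)/(?P<dport>\d+)"),
    # 304001: URL seen on the same connection; the only place the hostname appears
    "url": re.compile(
        r"%ASA-5-304001: (?P<src>[\d.]+) Accessed URL (?P<dst>[\d.]+):(?P<url>\S+)"),
    # 410003: DNS inspection dropped the query; the message names the class, not the domain
    "dns_drop": re.compile(
        r"%ASA-4-410003: DNS Classification: Dropped DNS request \(id \d+\) from "
        rf"{IFACE}:(?P<src>[\d.]+)/\d+ to {IFACE}:(?P<dst>[\d.]+)/\d+; matched Class \d+: (?P<cls>.+)$"),
    # 106023: FQDN ACL deny; the resolved name follows the port in parentheses
    "acl_deny": re.compile(
        rf"%ASA-4-106023: Deny \w+ src {IFACE}:(?P<src>[\d.]+)/\d+ dst "
        rf"{IFACE}:(?P<dst>[\d.]+)/(?P<dport>\d+)\((?P<fqdn>[^)]+)\) by access-group \"(?P<acl>[^\"]+)\""),
}


def parse_line(line):
    """Return an event dict for a block-related message, None for anything else."""
    line = line.strip()
    for kind, pat in PATTERNS.items():
        m = pat.search(line)              # search: tolerate a syslog timestamp prefix
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            if kind == "url":
                ev["domain"] = urlsplit(ev["url"]).hostname
            elif kind == "acl_deny":
                ev["domain"] = ev["fqdn"]
            return ev
    return None


def summarize(lines):
    """Per client IP: domains stopped by HTTP inspection, DNS inspection and the FQDN ACL.

    415008 carries no hostname, so each HTTP drop is paired with a 304001 for the
    same src/dst pair; if none was logged the destination IP is reported instead.
    """
    events = [e for e in map(parse_line, lines) if e]
    url_host = {(e["src"], e["dst"]): e["domain"] for e in events if e["kind"] == "url"}
    report = defaultdict(lambda: {"http": set(), "dns": set(), "acl": set()})
    for e in events:
        if e["kind"] == "http_drop":
            report[e["src"]]["http"].add(url_host.get((e["src"], e["dst"]), e["dst"]))
        elif e["kind"] == "dns_drop":
            report[e["src"]]["dns"].add(e["cls"])
        elif e["kind"] == "acl_deny":
            report[e["src"]]["acl"].add(e["domain"])
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in report.items()}


# Constructed sample log: lines 0-3 are from the notes above, the rest are made up
# (a second FQDN deny, an HTTP drop with no matching 304001, and noise to ignore).
SAMPLE_LOG = [
    "%ASA-5-415008: HTTP - matched Class 25: URL-FILTER-CLASS in policy-map URL-FILTER-POLICY, header matched - Dropping connection from lan:192.168.0.208/50049 to wan: 217.69.139.202/80",
    "%ASA-5-304001: 192.168.0.208 Accessed URL 217.69.139.202:http://mail.ru/",
    "%ASA-4-410003: DNS Classification: Dropped DNS request (id 2) from lan:192.168.0.208/58835 to wan:8.8.8.8/53; matched Class 28: match domain-name regex class DOMAIN-BLOCKLIST-CLASS",
    '%ASA-4-106023: Deny tcp src lan:192.168.0.10/51465 dst wan:74.125.239.54/443(gmail.com) by access-group "LAN_IN" [0xf3e34503, 0xf3e34503]',
    'Jan 12 10:00:01 asa-lan %ASA-4-106023: Deny tcp src lan:192.168.0.10/51470 dst wan:74.125.239.53/443(gmail.com) by access-group "LAN_IN" [0xf3e34503, 0xf3e34503]',
    "%ASA-5-415008: HTTP - matched Class 25: URL-FILTER-CLASS in policy-map URL-FILTER-POLICY, header matched - Dropping connection from lan:192.168.0.77/41000 to wan: 217.69.139.202/80",
    "%ASA-6-302014: Teardown TCP connection 4460 for wan:217.69.139.202/80 to lan:192.168.0.208/50049 duration 0:00:00 bytes 0 Flow closed by inspection",
]

if __name__ == "__main__":
    for client, hits in summarize(SAMPLE_LOG).items():
        print(client, hits)
```

The report pairs each 415008 with its 304001 by source and destination address; because the ASA logs 415008 first and 304001 afterwards, the summary is built in two passes rather than line by line.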
