Using the ASA DNS Class Map to Mitigate DNS Cache Poisoning

ASA and PIX appliance operating systems version 7.2 introduced the concept of a Layer 7 class map. This feature is solely intended for what is commonly referred to as DPI (Deep Packet Inspection). One such protocol which lends itself to such scrutiny is the Domain Name System (DNS). This post will highlight some of the inspection features for DNS.

Before we examine the specific configuration area of interest, namely the DNS Class Map, let’s take a look at an applicable and known security threat – namely, DNS Cache Poisoning. This was brought to the forefront at the Black Hat Conference on August 6, 2008 by Dan Kaminsky. While the reference cited below provides both the historical as well as the technical details of this exploit, a DNS “spoofed reply” is the chief mechanism deployed. As with most “spoofed” packets, a susceptible DNS server would “trust” the domain name information provided without validating it first.

Shown below is an excellent breakdown of a DNS packet format which I found on the web:

When the ASA is configured for granular inspection of DNS packets using the Layer 7 Class Maps in ASDM, the fields and values available correspond to the protocol layout above. These class maps are found underneath the Objects menu tab in the Firewall configuration sub-area.

As shown below, when the class map is configured, there are numerous criteria that can be entered to qualify the fields of interest:

If the Header Flag is chosen and the administrator wants to match on a DNS Query being performed, the following selections should be made:

Note that in this example what was chosen was NOT the QR flag; in other words, with QR=1 the DNS packet is a response. Also note the RD or Recursion Desired flag which could be used with a reconnaissance tool like nslookup. The next page shows the possible selections for the Type criteria which the author believes to be most effective and preventing cache poisoning:

The TSIG field shown above is a Transaction Signature (RFC2845). This field could be used to ensure that two exchanging name servers are “trusted” as they would be configured with the same keys.

Besides using a field such as the TSIG, the administrator could combine the DNS class map with a set of regular expressions (regex) for permitted domains and associate the DNS activity which is outside of the permitted constraints with both drop and log actions.

Author: Doug McKillip

References

In this article

Join the Conversation