Using FQDNs in ASA ACLs
Starting with ASA software version 8.4(2), a new object type is available that represents an FQDN (Fully Qualified Domain Name). We can now insert ACEs in our ACLs that reference this object type, which opens up a lot of power.
If we want this feature to work properly, our ASA has to be able to query DNS servers and get IP addresses back, so leaving the name servers unconfigured is not an option here.
Let’s see.
Define name servers
These will be used by the ASA to get the real IP addresses of the host names in the ACE configuration. The name resolution happens when the ACE is evaluated.
# domain-name cisco.lab
# dns domain-lookup inside
# dns server-group GrupoDNS1
# name-server 192.168.10.10
# domain-name cisco.lab
Create FQDN objects
Quite similar to any other object.
# object network www.google.com
# fqdn www.google.com
Add the object to the ACE
Let’s reference our FQDN object in the needed ACL entries.
# access-list inside_in deny ip any object www.google.com
# access-list inside_in permit ip any any
Checking
Once the ACL is used in at least one ASA policy, the ASA will start to query the name servers to get the IP addresses of the hostnames. Let’s recall that an ACL does not stop or permit traffic by itself, it just classifies. By issuing show access-list, we will see the ACL entries along with the real-time translation:
# show access-list inside_in
access-list inside_in 2 elements name hash: 0xa3a4620c
access-list inside_in line 1 deny ip any object www.google.com eq 80
access-list inside_in line 1 deny ip any fqdn www.google.com (resolved)
access-list inside_in line 1 deny ip any host 209.85.148.99 (www.google.com) (hitcnt=32)
access-list inside_in line 1 deny ip any host 209.85.148.147 (www.google.com) (hitcnt=11)
access-list inside_in line 2 permit ip any any (hitcnt=7534)
Besides, the show dns command will show us the translation table existing in the ASA:
# show dns
Name: www.google.com
  Address: 209.85.148.99   TTL 07:23:44
  Address: 209.85.148.147  TTL 07:23:44
Notes
Consider the following aspects we should not overlook if we don’t want undesired side effects.
- This does NOT substitute URL-Filtering.
- If DNS replies have a very short TTL (Time To Live), the ASA is forced to query the DNS server more often, increasing the load. We can alter this behavior by issuing the command dns expire-entry-timer minutes.
- Many hostnames resolve to the same IP address. Back to point 1: this does not replace URL-Filtering, because it is neither able nor designed to separate the content being sent. By blocking one hostname we may be blocking a different hostname that resolves to the same IP address.
- Multiple DNS names for the same website. Say we block, e.g., www.XYZ.com. If this website has multiple IP addresses, we might be able to access the website anyway.
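To verify the Checking step and the shared-IP caveat in the Notes without logging into every box, the following added Python script (not from the original post, nor Cisco code) parses a pasted show access-list output, lists which FQDN ACEs have no resolved address, and reports other names from a DNS table (constructed here, as show dns would list them) that share an IP with a blocked FQDN. The "(unresolved)" marker and the sample names other than www.google.com are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the "show access-list inside_in" output above.
SHOW_ACL = """\
access-list inside_in 2 elements name hash: 0xa3a4620c
access-list inside_in line 1 deny ip any object www.google.com eq 80
access-list inside_in line 1 deny ip any fqdn www.google.com (resolved)
access-list inside_in line 1 deny ip any host 209.85.148.99 (www.google.com) (hitcnt=32)
access-list inside_in line 1 deny ip any host 209.85.148.147 (www.google.com) (hitcnt=11)
access-list inside_in line 2 permit ip any any (hitcnt=7534)
"""

# Constructed DNS table; www.example-shared.lab deliberately shares an IP (note 3).
DNS_TABLE = {
    "www.google.com": ["209.85.148.99", "209.85.148.147"],
    "www.example-shared.lab": ["209.85.148.99"],
    "mail.cisco.lab": ["192.168.10.20"],
}

LINE_RE = re.compile(r"^access-list (\S+) line (\d+) ")
# "(unresolved)" is assumed to be the marker printed when no address is known.
FQDN_RE = re.compile(r" fqdn (\S+) \((resolved|unresolved)\)")
HOST_RE = re.compile(r" host (\d+\.\d+\.\d+\.\d+) \(([^)]+)\) \(hitcnt=(\d+)\)")

def parse_fqdn_aces(text):
    """Return {fqdn: {"line": n, "status": str, "hosts": {ip: hitcnt}}}."""
    aces = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        f = FQDN_RE.search(raw)
        if f:  # the FQDN ACE itself; expanded host lines follow it
            aces[f.group(1)] = {"line": int(m.group(2)), "status": f.group(2), "hosts": {}}
            continue
        h = HOST_RE.search(raw)
        if h and h.group(2) in aces:  # expanded "(name)" ties the host back to its FQDN
            aces[h.group(2)]["hosts"][h.group(1)] = int(h.group(3))
    return aces

def unresolved_fqdns(aces):
    """FQDN ACEs that currently match nothing because the ASA holds no address."""
    return sorted(n for n, a in aces.items() if a["status"] != "resolved" or not a["hosts"])

def shared_ip_collisions(aces, dns_table):
    """Other names that share an IP with an FQDN ACE, i.e. collateral matches."""
    hits = defaultdict(set)
    for name, a in aces.items():
        for other, ips in dns_table.items():
            if other != name and set(ips) & set(a["hosts"]):
                hits[name].add(other)
    return {k: sorted(v) for k, v in hits.items()}
```

Run it against the real output of show access-list and show dns on your ASA; a non-empty collision list means the deny on that FQDN also affects the listed names.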