Cisco ASA Regex that matches a "root" DNS query

I am currently under a DDOS DNS attack. It is not clear if I am the victim or an unwilling participant in an attempt to DDOS someone else.

In any event, a query is sent to our DNS server looking for the "root". The DNS server has been configured to ignore the request other wise it would reply with the list of root servers.

I would like to configure our Cisco ASA to block the request at the firewall before it ever reaches the DNS server.

I would like to inspect DNS and check the "Domain Name" field for the root or "." However I can't seem to figure out how to create the Regex that would match when the query just contains the period character.

Can anyone provide assitance?

Thanks
spencerturbineAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ShattyPCommented:
To match a literal character, use the \ symbol.
Example, the regex for google.com would be google\.com

So in your case, you would just do \.

regex name \.
0
ShattyPCommented:
0
spencerturbineAuthor Commented:
This would match any Domain name query:

www.whatever.com - Match would succeed.

I need to match . and only a single .
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

anoopkmrCommented:
try like this example

regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

policy-map type inspect http http_inspection_policy
class BlockDomainsClass
  reset log


policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside
0
spencerturbineAuthor Commented:
anoopkmr:

This is not really related to what I am looking for... I am not trying to match a full domain name.

I am trying to match a Root DNS query which is a single period. I need to create a RegEx that will match only and instance of a root query. All other querys must fail the RegEx.

I have no problems matching domain names with other Regexs, I only have a problem matching a root dns query.
0
anoopkmrCommented:
sorry Spencer , i dont have anyother options to help u
0
Terry WoodsIT GuruCommented:
Would:
^\.$
work?
0
spencerturbineAuthor Commented:
Sorry Terry, that does not appear to work.
0
Terry WoodsIT GuruCommented:
Interestingly, the $ doesn't appear in the list of special characters for this flavour of regular expressions (I was just hoping it would work anyway) - generally it is used to match the end of the line. Without a negative lookahead function to use instead, it makes it somewhat tricky to tell it not to match any more characters after the . character. This will match only strings starting with a . character:
^\.

There doesn't seem to be anything in the allowed pattern matching that would allow a match of . but not .blah though. You'd need either a negative lookahead or the end of string placeholder ($) to manage that.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
spencerturbineAuthor Commented:
I am going to accept you answer as it would appear that you are correct when you say this cannot be done.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Hardware Firewalls

From novice to tech pro — start learning today.