Cisco ASA Regex that matches a "root" DNS query

Posted on 2010-08-17
Medium Priority
Last Modified: 2012-05-10
I am currently under a DDOS DNS attack. It is not clear if I am the victim or an unwilling participant in an attempt to DDOS someone else.

In any event, a query is sent to our DNS server looking for the "root". The DNS server has been configured to ignore the request other wise it would reply with the list of root servers.

I would like to configure our Cisco ASA to block the request at the firewall before it ever reaches the DNS server.

I would like to inspect DNS and check the "Domain Name" field for the root or "." However I can't seem to figure out how to create the Regex that would match when the query just contains the period character.

Can anyone provide assitance?

Question by:spencerturbine
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
  • 2
  • +1

Expert Comment

ID: 33456767
To match a literal character, use the \ symbol.
Example, the regex for google.com would be google\.com

So in your case, you would just do \.

regex name \.

Expert Comment

ID: 33456779

Author Comment

ID: 33456785
This would match any Domain name query:

www.whatever.com - Match would succeed.

I need to match . and only a single .
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

LVL 14

Expert Comment

ID: 33456909
try like this example

regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

policy-map type inspect http http_inspection_policy
class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside
LVL 14

Expert Comment

ID: 33456916

Author Comment

ID: 33457689

This is not really related to what I am looking for... I am not trying to match a full domain name.

I am trying to match a Root DNS query which is a single period. I need to create a RegEx that will match only and instance of a root query. All other querys must fail the RegEx.

I have no problems matching domain names with other Regexs, I only have a problem matching a root dns query.
LVL 14

Expert Comment

ID: 33457918
sorry Spencer , i dont have anyother options to help u
LVL 35

Expert Comment

by:Terry Woods
ID: 33459654

Author Comment

ID: 33468391
Sorry Terry, that does not appear to work.
LVL 35

Accepted Solution

Terry Woods earned 2000 total points
ID: 33470159
Interestingly, the $ doesn't appear in the list of special characters for this flavour of regular expressions (I was just hoping it would work anyway) - generally it is used to match the end of the line. Without a negative lookahead function to use instead, it makes it somewhat tricky to tell it not to match any more characters after the . character. This will match only strings starting with a . character:

There doesn't seem to be anything in the allowed pattern matching that would allow a match of . but not .blah though. You'd need either a negative lookahead or the end of string placeholder ($) to manage that.

Author Closing Comment

ID: 33475314
I am going to accept you answer as it would appear that you are correct when you say this cannot be done.

Featured Post

WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question