spencerturbine
asked on
Cisco ASA Regex that matches a "root" DNS query
I am currently under a DDOS DNS attack. It is not clear if I am the victim or an unwilling participant in an attempt to DDOS someone else.
In any event, a query is sent to our DNS server looking for the "root". The DNS server has been configured to ignore the request; otherwise it would reply with the list of root servers.
I would like to configure our Cisco ASA to block the request at the firewall before it ever reaches the DNS server.
I would like to inspect DNS and check the "Domain Name" field for the root or "." However I can't seem to figure out how to create the Regex that would match when the query just contains the period character.
Can anyone provide assistance?
Thanks
And here is a link to help you:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mpc.html#wp1101685
ASKER
This would match any Domain name query:
www.whatever.com - Match would succeed.
I need to match . and only a single .
try like this example
regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"
class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3
class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList
policy-map type inspect http http_inspection_policy
 class BlockDomainsClass
  reset log
policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy
service-policy inside-policy interface inside
Or you can follow the link below:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080940e04.shtml
ASKER
anoopkmr:
This is not really related to what I am looking for... I am not trying to match a full domain name.
I am trying to match a Root DNS query which is a single period. I need to create a RegEx that will match only an instance of a root query. All other queries must fail the RegEx.
I have no problems matching domain names with other Regexs, I only have a problem matching a root dns query.
Sorry Spencer, I don't have any other options to help you.
Would:
^\.$
work?
ASKER
Sorry Terry, that does not appear to work.
ASKER CERTIFIED SOLUTION
ASKER
I am going to accept your answer as it would appear that you are correct when you say this cannot be done.
Example, the regex for google.com would be google\.com
So in your case, you would just do \.
regex name \.
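Added example, not part of the original thread: an offline check that recognises a root query in captured DNS packets and compares the two patterns discussed above. On the wire (RFC 1035) the root name is a single zero-length label, so the query name carries no "." byte at all. Python's re module is used only to show what each pattern means; it does not model the ASA regex engine, and the sample packets and function names are constructed for illustration.

```python
import re
import struct

def parse_question(packet: bytes):
    """Return (qname, qtype) of the first question in a DNS query (RFC 1035)."""
    if len(packet) < 12:
        raise ValueError("shorter than the 12-byte DNS header")
    if struct.unpack("!H", packet[4:6])[0] < 1:
        raise ValueError("no question section (QDCOUNT is 0)")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:          # zero-length label terminates the name
            break
        if length > 63 or pos + length > len(packet):
            raise ValueError("pointer, oversized or truncated label")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question (QTYPE/QCLASS missing)")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    # Presentation form: the root has no labels and is written as "."
    return (".".join(labels) + "." if labels else "."), qtype

def is_root_query(packet: bytes) -> bool:
    return parse_question(packet)[0] == "."

def build_query(name: str, qtype: int) -> bytes:
    """Constructed sample query: ID 0x1234, RD set, one question, class IN."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

ROOT_NS = build_query(".", 2)                # ". IN NS", the root query
WWW_A = build_query("www.whatever.com", 1)   # name used in the thread
# The two patterns from the thread, applied to the presentation-form name
UNANCHORED = re.compile(r"\.")    # matches any name that contains a dot
ANCHORED = re.compile(r"^\.$")    # matches only the one-character string "."

if __name__ == "__main__":
    for pkt in (ROOT_NS, WWW_A):
        name, qtype = parse_question(pkt)
        print(name, qtype, is_root_query(pkt),
              bool(UNANCHORED.search(name)), bool(ANCHORED.search(name)))
```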