Solved

Cisco ASA Regex that matches a "root" DNS query

Posted on 2010-08-17
Last Modified: 2012-05-10
I am currently under a DDOS DNS attack. It is not clear if I am the victim or an unwilling participant in an attempt to DDOS someone else.

In any event, a query is sent to our DNS server looking for the "root". The DNS server has been configured to ignore the request; otherwise it would reply with the list of root servers.

I would like to configure our Cisco ASA to block the request at the firewall before it ever reaches the DNS server.

I would like to inspect DNS and check the "Domain Name" field for the root or "." However I can't seem to figure out how to create the Regex that would match when the query just contains the period character.

Can anyone provide assistance?

Thanks
Question by:spencerturbine
11 Comments
 
LVL 1

Expert Comment

by:ShattyP
To match a literal character, use the \ symbol.
Example, the regex for google.com would be google\.com

So in your case, you would just do \.

regex name \.
0
 

Author Comment

by:spencerturbine
This would match any Domain name query:

www.whatever.com - Match would succeed.

I need to match . and only a single .
0
 
LVL 14

Expert Comment

by:anoopkmr
Try something like this example:

regex domainlist1 "\.yahoo\.com"
regex domainlist2 "\.myspace\.com"
regex domainlist3 "\.youtube\.com"

class-map type regex match-any DomainBlockList
 match regex domainlist1
 match regex domainlist2
 match regex domainlist3

class-map type inspect http match-all BlockDomainsClass
 match request header host regex class DomainBlockList

policy-map type inspect http http_inspection_policy
 class BlockDomainsClass
  reset log

policy-map inside-policy
 class httptraffic
  inspect http http_inspection_policy

service-policy inside-policy interface inside
0

Author Comment

by:spencerturbine
anoopkmr:

This is not really related to what I am looking for... I am not trying to match a full domain name.

I am trying to match a root DNS query, which is a single period. I need to create a RegEx that will match only an instance of a root query. All other queries must fail the RegEx.

I have no problems matching domain names with other Regexes; I only have a problem matching a root DNS query.
0
 
LVL 14

Expert Comment

by:anoopkmr
Sorry Spencer, I don't have any other options to help you.
0
 
LVL 35

Expert Comment

by:Terry Woods
Would:
^\.$
work?
0
 

Author Comment

by:spencerturbine
Sorry Terry, that does not appear to work.
0
 
LVL 35

Accepted Solution

by:Terry Woods (earned 500 total points)
Interestingly, the $ doesn't appear in the list of special characters for this flavour of regular expressions (I was just hoping it would work anyway) - generally it is used to match the end of the line. Without a negative lookahead function to use instead, it makes it somewhat tricky to tell it not to match any more characters after the . character. This will match only strings starting with a . character:
^\.

There doesn't seem to be anything in the allowed pattern matching that would allow a match of . but not .blah though. You'd need either a negative lookahead or the end of string placeholder ($) to manage that.
0
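Part of the difficulty Terry describes is that the root name does not contain a "." on the wire at all: in a DNS question the QNAME is a sequence of length-prefixed labels ending in a zero byte, and the root is just that lone zero byte, so a textual regex on "." is matching a presentation-form name the firewall has to reconstruct first. The following Python script is an added example (not from this thread and not Cisco ASA configuration) that parses the question section of a raw DNS query and flags root queries by their wire encoding; the packets it checks are constructed inline rather than captured.

```python
import struct

def encode_qname(name: str) -> bytes:
    """Encode a presentation-form name into wire labels; '.' becomes only the root byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS query (header + one question). Constructed sample data for this example."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: QR=0, RD=1; QDCOUNT=1
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)  # QCLASS IN

def parse_question(pkt: bytes):
    """Return (qname, qtype) of the first question; qname is '.' for a root query."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    qdcount = struct.unpack("!H", pkt[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        if pos >= len(pkt):
            raise ValueError("truncated qname")
        ln = pkt[pos]
        if ln & 0xC0:
            # A compression pointer is not valid as the first name in a query; treat as malformed.
            raise ValueError("compression pointer in question name")
        pos += 1
        if ln == 0:  # root label terminates the name; a lone 0x00 means the root itself
            break
        labels.append(pkt[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(pkt):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return (".".join(labels) + "." if labels else "."), qtype

def is_root_query(pkt: bytes) -> bool:
    """True when the question name is the root, i.e. the QNAME field is exactly one zero byte."""
    qname, _ = parse_question(pkt)
    return qname == "."

if __name__ == "__main__":
    # Constructed samples: a root NS query (the kind described in the question) and a normal A query.
    for pkt in (build_query(".", 2), build_query("www.whatever.com", 1)):
        print(parse_question(pkt), "root query" if is_root_query(pkt) else "ordinary query")
```

The same parser can be run over payloads pulled from a packet capture of UDP/53 traffic to count root queries per source address before deciding on a filter.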
 

Author Closing Comment

by:spencerturbine
I am going to accept your answer, as it would appear that you are correct when you say this cannot be done.
0