dn – dz

dnscrypt

To enable DNScrypt to encrypt connections between the device and Cisco Umbrella, use the dnscrypt command in DNS inspection policy map parameters configuration mode. To disable DNScrypt, use the no form of this command.

dnscrypt

no dnscrypt

Syntax Description

This command has no arguments or keywords.

Command Default

DNScrypt is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.10(1)

This command was added.

Usage Guidelines

Use this command when configuring a DNS inspection policy map.

Enabling DNScrypt starts the key-exchange thread with the Umbrella resolver. The key-exchange thread performs the handshake with the resolver every hour and updates the device with a new secret key.

Because DNScrypt uses UDP/443, you must ensure that the class map used for DNS inspection includes that port. Note that the default inspection class already includes UDP/443 for DNS inspection.

Examples

The following example enables Umbrella using the default policy, and also enables DNScrypt, in the default inspection policy map used in global DNS inspection. The global DNS inspection already applies to UDP/443.


ciscoasa(config)# policy-map type inspect dns preset_dns_map
 
ciscoasa(config-pmap)# parameters
 
ciscoasa(config-pmap-p)# umbrella
 
ciscoasa(config-pmap-p)# dnscrypt

dns domain-lookup

To enable the ASA to send DNS requests to a DNS server to perform a name lookup for supported commands, use the dns domain-lookup command in global configuration mode. To disable DNS requests, use the no form of this command.


Note


The ASA has limited support for using the DNS server, depending on the feature. For example, most commands require you to enter an IP address and can only use a name when you manually configure the name command to associate a name with an IP address and enable use of the names using the names command.

dns domain-lookup interface_name

no dns domain-lookup interface_name

Syntax Description

interface_name

Specifies the name of the configured interface.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(2)

This command was added.

Usage Guidelines

Make sure to enable DNS lookup on all interfaces that will be used to access DNS servers.

After you enable DNS lookup, specify DNS servers for the default server group using the dns server-group DefaultDNS server group command, and then the name-server command. You can change the default server group using the dns-group command.

Other server groups can be associated with specific domains. A DNS request that matches a domain associated with a DNS server group will use that group. For example, if you want traffic destined to inside eng.cisco.com servers to use an inside DNS server, you can map eng.cisco.com to an inside DNS group. All DNS requests that do not match a domain mapping will use the default DNS server group, which has no associated domains. For example, the DefaultDNS group can include a public DNS server available on the outside interface. Other DNS server groups can be configured for VPN tunnel groups. See the tunnel-group command for more information.

Some ASA features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database; and Cisco Smart Software Licensing needs DNS to resolve the License Authority address. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the ASA can resolve the name by communicating with a DNS server. Many SSL VPN and certificate commands also support names. You also must configure DNS servers to use fully qualified domain names (FQDN) network objects in access rules.

Examples

The following example enable the ASA to send DNS requests to a DNS server to perform a name lookup for the management, inside, and dmz interfaces.


ciscoasa(config)# dns domain-lookup management
ciscoasa(config)# dns domain-lookup inside
ciscoasa(config)# dns domain-lookup dmz
ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# name-server 10.1.1.1 management
ciscoasa(config-dns-server-group)# name-server 10.10.1.1 10.20.2.2

dns expire-entry-timer

To remove the IP address of a resolved FQDN after its TTL expires, use the dns expire-entry-timer command in global configuration mode. To remove the timer, use the no form of this command.

dns expire-entry-timer minutes minutes

no dns expire-entry-timer minutes minutes

Syntax Description

minutes minutes

Specifies the timer time in minutes. Valid values range from 1 to 65535 minutes.

Command Default

By default, the DNS expire-entry-timer value is 1 minute.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration mode

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(2)

This command was added.

Usage Guidelines

The command specifies the time to remove the IP address of a resolved FQDN after its TTL expires. When the IP address is removed, the ASA recompiles the tmatch lookup table.

Specifying this command is only effective when the associated network object for the DNS is activated.

The default DNS expire-entry-timer value is 1 minute, which means that IP addresses are removed 1 minute after the TTL of the DNS entry expires.


Note


The default setting might result in frequent recompilation of the tmatch lookup table when the resolved TTL of common FQDN hosts, such as www.sample.com, is a short time period. You can specify a long DNS expire-entry timer value to reduce the frequency of recompilation of the tmatch lookup table while maintaining security.

Examples

The following example removes resolved entries after 240 minutes:


ciscoasa(config)# dns expire-entry-timer minutes 240

dns-group

To specify the default DNS group, use the dns-group command in global configuration mode. To specify the DNS server group per tunnel group, use the dns-group command in tunnel-group webvpn-attributes configuration mode. To restore the default DNS group, use the no form of this command.

dns-groupname

no dns-group

Syntax Description

name

Specifies the name of the default DNS server group. The default group cannot have any associated domains in the dns-group-map .

Command Default

The default value is DefaultDNS.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Tunnel-group webvpn-attributes configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

You configure the default DNS group using the dns server-group command.

Examples

The following example shows a customization command that specifies the use of the DNS group named “dnsgroup1”:


ciscoasa(config)# tunnel-group test type webvpn
ciscoasa(config)# tunnel-group test webvpn-attributes
ciscoasa(config-tunnel-webvpn)# dns-group dnsgroup1
ciscoasa(config-tunnel-webvpn)# 

dns-group-map

To map DNS server groups to specific domains, use the dns-group-map command in global configuration mode. To remove the DNS group map, use the no form of this command.

dns-group-map

no dns-group-map

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.18(1)

Added this command.

Usage Guidelines

After you enter the dns-group-map command, add server-group-to-domain mappings using the dns-to-domain command. A DNS request that matches a domain associated with a DNS server group will use that group. For example, if you want traffic destined to inside eng.cisco.com servers to use an inside DNS server, you can map eng.cisco.com to an inside DNS group. All DNS requests that do not match a domain mapping will use the default DNS server group, which has no associated domains. For example, the DefaultDNS group can include a public DNS server available on the outside interface.

Examples

The following example configures three mappings:


ciscoasa(config)# dns-group-map
ciscoasa(config-dns-group-map)# dns-to-domain group1 eng.cisco.com
ciscoasa(config-dns-group-map)# dns-to-domain group1 hr.cisco.com
ciscoasa(config-dns-group-map)# dns-to-domain group2 example.com

dns-guard

To enable the DNS guard function, which enforces one DNS response per query, use the dns-guard command in parameters configuration mode. To disable this feature, use the no form of this command.

dns-guard

no dns-guard

Syntax Description

This command has no arguments or keywords.

Command Default

DNS guard is enabled by default. This feature can be enabled when the inspect dns command is configured even if a policy-map type inspect dns command is not defined. To disable, the no dns-guard command must explicitly be stated in the policy map configuration. If the inspect dns command is not configured, the behavior is determined by the global dns-guard command.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Parameters configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

The identification field in the DNS header is used to match the DNS response with the DNS header. One response per query is allowed through the ASA.

Examples

The following example shows how to enable DNS guard in a DNS inspection policy map:


ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# dns-guard

dns-id

To configure a dns-id in a reference-identity object, use the dns-id command in ca-reference-identity mode. To delete a dns-id, use the no form of this command. You can access the ca-reference-identity mode by first entering the crypto ca reference-identity command to configure a reference-identity object..

dns-idvalue

no dns-id value

Syntax Description

value

Value of each reference-id.

dns-id

A subjectAltName entry of type dNSName. This is a DNS domain name. A DNS-ID reference identifier does not identify an application service.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

ca-reference-identity

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(2)

We introduced this command.

Usage Guidelines

Once a reference identity has been created, the four identifier types and their associated values can be added or deleted from the reference identity.

The reference identifiers cn-id and dns-id MAY NOT contain information identifying the application service and MUST contain information identifying the DNS domain name.

Examples

The following example creates a reference-identity for a syslog server:


ciscoasa(config)# crypto ca reference-identity syslogServer
ciscoasa(config-ca-ref-identity)# dns-id syslog1-bxb.cisco.com
ciscoasa(config-ca-ref-identity)# cn-id syslog1-bxb.cisco.com

dns name-server

To configure a DNS server for the default DNS server group, use the dns name-server command in global configuration mode. To remove the configuration, use the no form of this command. This command is equivalent to the name-server command.


Note


The ASA has limited support for using the DNS server, depending on the feature. For example, most commands require you to enter an IP address and can only use a name when you manually configure the name command to associate a name with an IP address and enable use of the names using the names command.

dns name-server ip_address [ ip_address2 ] [ ... ] [ ip_address6 ]

no dns name-server ip_address [ ip_address2 ] [ ... ] [ ip_address6 ]

Syntax Description

ip_address

Specifies the IPv4 or IPv6 address of the DNS server. You can specify up to 6 addresses.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

8.4(2)

This command was changed to add the DNS servers under the dns server-group DefaultDNS server group.

9.0(1)

Support for IPv6 addresses was added.

Usage Guidelines

To enable DNS lookup for an interface, configure the dns domain-lookup command. If you do not enable DNS lookup, the DNS servers are not used on that interface.

This command adds servers to the default DNS server group. By default, the default group is called DefaultDNS . You can change the default group using the dns-group command. See the following resulting configuration:


ciscoasa(config)# dns name-server 10.1.1.1
ciscoasa(config)# show running-config dns
dns server-group DefaultDNS
name-server ip_address

Some ASA features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database; and Cisco Smart Software Licensing needs DNS to resolve the License Authority address. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the ASA can resolve the name by communicating with a DNS server. Many SSL VPN and certificate commands also support names. You also must configure DNS servers to use fully qualified domain names (FQDN) network objects in access rules.

Examples

The following example configures a DNS server with an IPv6 address:


ciscoasa(config)# dns domain-lookup
ciscoasa(config)# dns name-server 8080:1:2::2

dns poll-timer

To specify the timer during which the ASA queries the DNS server to resolve fully qualified domain names (FQDN) that are defined in a network object group, use the dns poll-timer command in global configuration mode. To remove the timer, use the no form of this command.

dns poll-timer minutes minutes

no dns poll-timer minutes minutes

Syntax Description

minutes minutes

Specifies the timer in minutes. Valid values are from 1 to 65535 minutes.

Command Default

By default, the DNS timer is 240 minutes or 4 hours.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(2)

This command was added.

Usage Guidelines

This command specifies the timer during which the ASA queries the DNS server to resolve the FQDN that was defined in a network object group. A FQDN is resolved periodically when the poll DNS timer has expired or when the TTL of the resolved IP entry has expired, whichever comes first.

This command has effect only when at least one network object group has been activated.

Examples

The following example sets the DNS poll timer to 240 minutes:


ciscoasa(config)# dns poll-timer minutes 240

dns-server (group-policy)

To set the IP address of the primary and secondary DNS servers, use the dns-server command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command.

dns-server { value ip_address [ ip_address ] | none }

no dns-server

Syntax Description

none

Sets the dns-server command to a null value, thereby allowing no DNS servers. Prevents inheriting a value from a default or specified group policy.

value ip_address

Specifies the IP address of the primary and secondary DNS servers.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

This command allows inheritance of a DNS server from another group policy. To prevent inheriting a server, use the dns-server none command.

Each time you issue the dns-server command, you overwrite the existing setting. For example, if you configure DNS server x.x.x.x and then configure DNS server y.y.y.y, the second command overwrites the first, and y.y.y.y becomes the sole DNS server. The same holds true for multiple servers. To add a DNS server rather than overwrite previously configured servers, include the IP addresses of all DNS servers when you enter this command.

Examples

The following example shows how to configure DNS servers with the IP addresses 10.10.10.15 and 10.10.10.45 for the group policy named FirstGroup.


ciscoasa
(config)# 
group-policy FirstGroup attributes
ciscoasa
(config-group-policy)#
 dns-server value 10.10.10.15 10.10.10.45

dns-server (ipv6 dhcp pool)

To provide the DNS server IP address to StateLess Address Auto Configuration (SLAAC) clients when you configure the DHCPv6 server, use the dns-server command in ipv6 dhcp pool configuration mode. To remove the DNS server, use the no form of this command.

dns-serverdns_ipv6_address

no dns-server dns_ipv6_address

Syntax Description

dns_ipv6_address

Specifies the DNS server IPv6 address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ipv6 dhcp pool configuration

  • Yes

  • Yes

Command History

Release

Modification

9.6(2)

We introduced this command.

Usage Guidelines

For clients that use SLAAC in conjunction with the Prefix Delegation feature, you can configure the ASA to provide information in an ipv6 dhcp pool , including the DNS server, when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients. Configure the DHCPv6 stateless server using the ipv6 dhcp server command; you specify an ipv6 dhcp pool name when you enable the server.

Configure Prefix Delegation using the ipv6 dhcp client pd command.

This feature is not supported in clustering.

Examples

The following example creates two IPv6 DHCP pools, and enables the DHCPv6 server on two interfaces:


ipv6 dhcp pool Eng-Pool
domain-name eng.example.com
dns-server 2001:DB8:1::1
ipv6 dhcp pool IT-Pool
domain-name it.example.com
dns-server 2001:DB8:1::1
interface gigabitethernet 0/0
ipv6 address dhcp setroute default
ipv6 dhcp client pd Outside-Prefix
interface gigabitethernet 0/1
ipv6 address Outside-Prefix ::1:0:0:0:1/64
ipv6 dhcp server Eng-Pool
ipv6 nd other-config-flag
interface gigabitethernet 0/2
ipv6 address Outside-Prefix ::2:0:0:0:1/64
ipv6 dhcp server IT-Pool
ipv6 nd other-config-flag

dns server-group

To create and configure a group of DNS servers, use the dns server-group command in global configuration mode. To remove a particular DNS server group, use the no form of this command.


Note


The ASA has limited support for using the DNS server, depending on the feature. For example, most commands require you to enter an IP address and can only use a name when you manually configure the name command to associate a name with an IP address and enable use of the names using the names command.

dns server-group name

nodnsserver-group

Syntax Description

name

Specifies the name of the DNS server group. The default group name used for ASA lookups is DefaultDNS .

Command Default

The default active server group for the ASA is DefaultDNS.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

To enable DNS lookup, configure the dns domain-lookup command. If you do not enable DNS lookup, the DNS servers are not used.

The ASA uses the dns server-group DefaultDNS server group for outgoing requests. You can change the active server group using the dns-group command. Other DNS server groups can be configured for VPN tunnel groups or other purposes. See the tunnel-group command for more information.

Some ASA features require use of a DNS server to access external servers by domain name; for example, the Botnet Traffic Filter feature requires a DNS server to access the dynamic database server and to resolve entries in the static database; and Cisco Smart Software Licensing needs DNS to resolve the License Authority address. Other features, such as the ping or traceroute command, let you enter a name that you want to ping or traceroute, and the ASA can resolve the name by communicating with a DNS server. Many SSL VPN and certificate commands also support names. You also must configure DNS servers to use fully qualified domain names (FQDN) network objects in access rules.

Examples

The following example configures a DNS server group named “DefaultDNS”:


ciscoasa(config)# dns server-group DefaultDNS
ciscoasa(config-dns-server-group)# domain-name cisco.com
ciscoasa(config-dns-server-group)# name-server 192.168.10.10
ciscoasa(config-dns-server-group)# retries 5
ciscoasa(config-dns-server-group)# timeout 7
ciscoasa(config-dns-server-group)# 

dns-to-domain

To map a DNS server groups to a specific domain, use the dns-to-domain command in dns-group-map configuration mode. To remove the mapping, use the no form of this command.

dns-to-domain dns_group_name domain

no dns-to-domain dns_group_name domain

Syntax Description

dns_group_name

Specifies the DNS group name from the dns server-group command that you want to use for the associated domain. Do not map any domains to the group you want to use for the default (for example, DefaultDNS).

domain

Specifies the domain for which you want to use the associated DNS server group.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Dns-group-map configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.18(1)

Added this command.

Usage Guidelines

By default, there is a default DNS server group called DefaultDNS. You can create multiple DNS server groups: one group is the default, while other groups can be associated with specific domains by using the dns-group-map and dns-to-domain commands. A DNS request that matches a domain associated with a DNS server group will use that group. You can create up to 30 mappings.

For example, if you want traffic destined to inside eng.cisco.com servers to use an inside DNS server, you can map eng.cisco.com to an inside DNS group. All DNS requests that do not match a domain mapping will use the default DNS server group, which has no associated domains. For example, the DefaultDNS group can include a public DNS server available on the outside interface.

Examples

The following example configures three mappings:


ciscoasa(config)# dns-group-map
ciscoasa(config-dns-group-map)# dns-to-domain group1 eng.cisco.com
ciscoasa(config-dns-group-map)# dns-to-domain group1 hr.cisco.com
ciscoasa(config-dns-group-map)# dns-to-domain group2 example.com

dns trusted-source

To define the DNS servers that can be trusted to resolve domain names in a network-service object, use the dns trusted-source command in global configuration mode. To remove a type of DNS server from the trusted list, use the no form of the command.

dns trusted-source { configured-servers | dhcp-client | dhcp-pools | dhcp-relay | ip_list }

Syntax Description

configured-servers

Specifies that servers configured in DNS server groups should be trusted. A configured server is any server specified in DNS groups or name-server commands.

dhcp-client

Specifies that the servers that are learned by snooping messages between a DHCP client and DHCP server are considered trusted DNS servers.

This option applies when you configure the dhcpd auto_config command to configure DHCP servers on inside interfaces using the information obtained from device interfaces that use DHCP client to obtain an IP address.

dhcp-pools

Specifies that the DNS servers that are configured in the DHCP pools for clients that obtain addresses through DHCP servers running on the device interfaces should be trusted.

These are the servers that are configured on the dhcpd dns command, and thus are IPv4 only.

dhcp-relay

Specifies that the servers that are learned by snooping DHCP relay messages between a DHCP client and DHCP server are considered trusted DNS servers.

ip_list

A space separated list of the IP addresses of DNS servers that should be trusted. You can list up to 12 IPv4 and IPv6 addresses. Specify any to cover all DNS servers. Use the no form of the command to remove a server.

Command Default

By default, all configured and learned DNS servers are trusted (that is, all of these options). You need to change this only if you want to limit the trusted list.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release Modification

9.17(1)

This command was introduced.

Usage Guidelines

If you configure domain names in network-service objects, the system snoops DNS request/response traffic to gather IP addresses for DNS domain names and caches the results. Any DNS request/response can be snooped.

The records snooped are A, AAAA, and MX. The time-to-live (TTL) of each resolved name is honored within limits: the minimum TTL is 2 minutes, the maximum is 24 hours. This ensures that the cache does not become stale.

For security reasons, you can limit the scope of DNS snooping by defining which DNS servers should be trusted. Any DNS traffic to non-trusted DNS servers is ignored and not used to obtain mappings for network-service objects. By default, all configured and learned DNS servers are trusted; you need to change this only if you want to limit the trusted list.

Examples

The following example explicitly trusts the DNS servers at 10.100.10.1 and 10.100.10.2.


ciscoasa(config)# dns trusted-source 10.100.10.1 10.100.10.2 

The following example removes DNS relay servers from the trusted server configuration.


ciscoasa(config)# no dns trusted-source dhcp-relay 

dns update

To start DNS lookup to resolve the designated hostnames without waiting for the expiration of the DNS poll timer, use the dns update command in privileged EXEC mode.

dns update [ host fqdn_name ] [ timeout seconds seconds ]

Syntax Description

host fqdn_name

Specifies the fully qualified domain name of the host on which to run DNS updates.

timeout seconds seconds

Specifies the timeout in seconds.

Command Default

By default, the timeout is 30 seconds.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC mode

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.4(2)

This command was added.

Usage Guidelines

This command immediately starts a DNS lookup to resolve the designated hostnames without waiting for the expiration of the DNS poll timer. When you run DNS update without specifying an option, all activated host groups and FQDN hosts are selected for DNS lookup. When the command finishes running, the ASA displays [Done] at the command prompt and generates a syslog message.

When the update operation starts, a starting update log is created. When the update operation finishes or is aborted after the timer has expired, another syslog message is generated. Only one outstanding DNS update operation is allowed.

Examples

The following example performs a DNS update:


ciscoasa# dns update
ciscoasa# ...
ciscoasa# [Done] dns update

domain

To configure a DNS domain name for a network-service object or object group, use the domain command in object configuration mode. Use the no form of this command to remove the domain from the configuration.domain domain_name [service]

domain domain_name [ service ]

no domain domain_name [ service ]

Syntax Description

domain_name

The DNS name, up to 253 characters. This can be fully-qualified (such as www.example.com) or partial (such as example.com), in which case the object matches all subdomains, that is, servers with the partial name (such as www.example.com, www1.example.com, long.server.name.example.com, and so forth). Connections will be matched against the longest name if an exact match is available. The domain name can resolve to multiple IP addresses.

service

(Optional.) Specify the service only if you want to limit the scope of the connections matched. By default, any connection to the resolved IP addresses for the domain name matches the object.

protocol [operator port]

where:

  • protocol is the protocol used in the connection, such as tcp, udp, ip, and so forth. Use ? to see the list of protocols.

  • (TCP/UDP only.) operator is one of the following:

    • eq equals the port number specified.

    • lt means any port less than the specified port number.

    • gt means any port greater than the specified port number.

    • range means any port between the two ports specified.

  • (TCP/UDP only.) port is the port number, 1-65535 or a mnemonic, such as www. Use ? to see the mnemonics. For ranges, you must specify two ports, with the first port being a lower number than the second port.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Object network-service configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release Modification

9.17(1)

This command was introduced.

Usage Guidelines

You must configure DNS servers and enable domain lookup services on the device interfaces so that the system can request IP addresses for the domain names.

Examples

The following example creates several network-service objects that include domain names.


object network-service outlook365
    description This defines Microsoft office365 'outlook' application.
  domain outlook.office.com tcp eq 443
object network-service webex
  domain webex.com tcp eq 443
object network-service partner
  subnet 10.34.56.0 255.255.255.0 ip

domain-name (dns server-group)

To set the default domain name to append to unqualified hostnames, use the domain-name command in dns server-group configuration mode. To remove the domain name, use the no form of this command.

domain-namename

no domain-name [ name ]

Syntax Description

name

Sets the domain name, up to 63 characters.

Command Default

The default domain name is default.domain.invalid.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Dns server-group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was introduced.

Usage Guidelines

The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to “example.com,” and specify a syslog server by the unqualified name of “jupiter,” then the ASA qualifies the name to “jupiter.example.com.”

Examples

The following example sets the domain to “example.com” for “dnsgroup1”:


ciscoasa(config)# dns server-group dnsgroup1
ciscoasa(config-dns-server-group)# domain-name example.com

domain-name (global)

To set the default domain name, use the domain-name command in global configuration mode. To remove the domain name, use the no form of this command.

domain-name name

no domain-name [ name ]

Syntax Description

name

Sets the domain name, up to 63 characters.

Command Default

The default domain name is default.domain.invalid.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The ASA appends the domain name as a suffix to unqualified names. For example, if you set the domain name to “example.com” and specify a syslog server by the unqualified name of “jupiter,” then the ASA qualifies the name to “jupiter.example.com.” For multiple context mode, you can set the domain name for each context, as well as within the system execution space.

Examples

The following example sets the domain to example.com:


ciscoasa(config)# domain-name example.com

domain-name (ipv6 dhcp pool)

To provide the domain name to StateLess Address Auto Configuration (SLAAC) clients when you configure the DHCPv6 server, use the domain-name command in ipv6 dhcp pool configuration mode. To remove the domain name, use the no form of this command.

domain-namedomain_name

no domain-name domain_name

Syntax Description

domain_name

Specifies the domain name.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ipv6 dhcp pool configuration

  • Yes

  • Yes

Command History

Release

Modification

9.6(2)

We introduced this command.

Usage Guidelines

For clients that use SLAAC in conjunction with the Prefix Delegation feature, you can configure the ASA to provide information in an ipv6 dhcp pool , including the domain name, when they send Information Request (IR) packets to the ASA. The ASA only accepts IR packets, and does not assign addresses to the clients. Configure the DHCPv6 stateless server using the ipv6 dhcp server command; you specify an ipv6 dhcp pool name when you enable the server.

Configure Prefix Delegation using the ipv6 dhcp client pd command.

This feature is not supported in clustering.

Examples

The following example creates two IPv6 DHCP pools, and enables the DHCPv6 server on two interfaces:


ipv6 dhcp pool Eng-Pool
domain-name eng.example.com
dns-server 2001:DB8:1::1
ipv6 dhcp pool IT-Pool
domain-name it.example.com
dns-server 2001:DB8:1::1
interface gigabitethernet 0/0
ipv6 address dhcp setroute default
ipv6 dhcp client pd Outside-Prefix
interface gigabitethernet 0/1
ipv6 address Outside-Prefix ::1:0:0:0:1/64
ipv6 dhcp server Eng-Pool
ipv6 nd other-config-flag
interface gigabitethernet 0/2
ipv6 address Outside-Prefix ::2:0:0:0:1/64
ipv6 dhcp server IT-Pool
ipv6 nd other-config-flag

domain-password

To configure the IS-IS routing domain authentication password, use the domain-password command in router isis configuration mode. To disable a password, use the no form of this command.

domain-name password [ authenticate snp { validate | send-only } ]

no domain-name password

Syntax Description

password

Password you assign.

authenticate snp

(Optional) Causes the system to insert the password into SNP PDUs.

validate

(Optional) Causes the system to insert the password into the SNPs and check the password in SNPs that it receives.

send-only

(Optional) Causes the system only to insert the password into the SNPs, but not check the password in SNPs that it receives. Use this keyword during a software upgrade to ease the transition.

Command Default

No domain password is specified and no authentication is enabled for exchange of Level 2 routing information.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router isis configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(1)

This command was added.

Usage Guidelines

This password is exchanged as plain text and thus this feature provides only limited security.

This password is inserted in Level 2 (area router level) PDU link-state packets (LSPs), complete sequence number PDUs (CSNPs), and partial sequence number PDUs (PSNPs).

If you do not specify the authenticate snp keyword along with either the validate or send-only keyword, then the IS-IS routing protocol does not insert the password into SNPs.

Examples

The following example assigns an authentication password to the routing domain and specifies that the password be inserted in SNPs and checked in SNPs that the system receives:


ciscoasa(config)# router isis
ciscoasa(config-router)# domain-password users2j45 authenticate snp validate

downgrade

To downgrade your software version, use the downgrade command in global configuration mode.

downgrade [ /noconfirm ] old_image_url old_config_url [ activation-key old_key ]

Syntax Description

activation-key old_key

(Optional) If you need to revert the activation key, then you can enter the old activation key.

old_config_url

Specifies the path to the saved, pre-migration configuration (by default this was saved on disk0).

old_image_url

Specifies the path to the old image on disk0, disk1, tftp, ftp, or smb.

/noconfirm

(Optional) Downgrades without prompting.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.3(1)

This command was added.

Usage Guidelines

This command is a shortcut for completing the following functions:

  1. Clearing the boot image configuration (clear configure boot ).

  2. Setting the boot image to be the old image (boot system ).

  3. (Optional) Entering a new activation key (activation-key ).

  4. Saving the running configuration to startup (write memory ). This sets the BOOT environment variable to the old image, so when you reload, the old image is loaded.

  5. Copying the old configuration to the startup configuration (copy old_config_url startup-config ).

  6. Reloading (reload ).

Examples

The following example downgrades without confirming:


ciscoasa(config)# downgrade /noconfirm disk0:/asa821-k8.bin disk0:/8_2_1_0_startup_cfg.sav

download-max-size


Note


The download-max-size command does not work. Do not use it. However, you might see it in the running configuration, and it is available in the CLI.

To specify the maximum size allowed for an object to download, use the download-max-size command in group-policy webvpn configuration mode. To remove this object from the configuration, use the no version of this command.

download-max-sizesize

no download-max-size

Syntax Description

size

Specifies the maximum size allowed for a downloaded object. The range is 0 through 2147483647. Setting the size to 0 effectively disallows object downloading.

Command Default

The default size is 2147483647.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy webvpn configuration mode

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Examples

The following example sets the maximum size for a downloaded object to 1500 bytes:


ciscoasa
(config)#
 
group-policy test attributes
ciscoasa
(config-group-policy)#
 webvpn
ciscoasa
(config-group-webvpn)# 
download-max-size 1500

drop

To drop all packets that match the match command or class command, use the drop command in match or class configuration mode. To disable this action, use the no form of this command.

drop [ send-protocol-error ] [ log ]

no drop [ send-protocol-error ] [ log ]

Syntax Description

log

Logs the match. The syslog message number depends on the application.

send-protocol-error

Sends a protocol error message.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Match and class configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

When using the Modular Policy Framework, drop packets that match a match command or class map by using the drop command in match or class configuration mode. This drop action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action.

An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the drop command to drop all packets that match the match command or class command.

If you drop a packet, then no further actions are performed in the inspection policy map. For example, if the first action is to drop the packet, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as dropping the packet, can occur. You can configure both the drop and the log action for the same match or class command, in which case the packet is logged before it is dropped for a given match.

When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action, for example, enter the inspect http http_policy_map command where http_policy_map is the name of the inspection policy map.

Examples

The following example drops packets and sends a log when they match the HTTP traffic class map. If the same packet also matches the second match command, it will not be processed because it was already dropped.


ciscoasa(config-cmap)# policy-map type inspect http http-map1
ciscoasa(config-pmap)# class http-traffic
ciscoasa(config-pmap-c)# drop log
ciscoasa(config-pmap-c)# match req-resp content-type mismatch
ciscoasa(config-pmap-c)# reset log

drop-connection

When using the Modular Policy Framework, drop packets and close the connection for traffic that matches a match command or class map by using the drop-connection command in match or class configuration mode. To disable this action, use the no form of this command.

drop-connection [ send-protocol-error ] [ log ]

no drop-connection [ send-protocol-error ] [ log ]

Syntax Description

send-protocol-error

Sends a protocol error message.

log

Logs the match. The system log message number depends on the application.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Match and class configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

The connection will be removed from the connection database on the ASA. Any subsequent packets entering the ASA for the dropped connection will be discarded. This drop-connection action is available in an inspection policy map (the policy-map type inspect command) for application traffic; however, not all applications allow this action. An inspection policy map consists of one or more match and class commands. The exact commands available for an inspection policy map depends on the application. After you enter the match or class command to identify application traffic (the class command refers to an existing class-map type inspect command that in turn includes match commands), you can enter the drop-connection command to drop packets and close the connection for traffic that matches the match command or class command.

If you drop a packet or close a connection, then no further actions are performed in the inspection policy map. For example, if the first action is to drop the packet and close the connection, then it will never match any further match or class commands. If the first action is to log the packet, then a second action, such as dropping the packet, can occur. You can configure both the drop-connection and the log action for the same match or class command, in which case the packet is logged before it is dropped for a given match.

When you enable application inspection using the inspect command in a Layer 3/4 policy map (the policy-map command), you can enable the inspection policy map that contains this action. For example, enter the inspect http http_policy_map command, where http_policy_map is the name of the inspection policy map.

Examples

The following example drops packets, closes the connection, and sends a log when they match the http-traffic class map. If the same packet also matches the second match command, it will not be processed because it was already dropped.


ciscoasa(config-cmap)# policy-map type inspect http http-map1
ciscoasa(config-pmap)# class http-traffic
ciscoasa(config-pmap-c)# drop-connection log
ciscoasa(config-pmap-c)# match req-resp content-type mismatch
ciscoasa(config-pmap-c)# reset log

dtls port

To specify a port for DTLS connections, use the dtls port command from webvpn configuration mode. To remove the command from the configuration, use the no form of this command:

dtls port number

no dtls port number

Syntax Description

number

The UDP port number, from 1 to 65535.

Command Default

The default port number is 443.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn configuration

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

This command specifies the UDP port to be used for SSL VPN connections using DTLS.

DTLS avoids latency and bandwidth problems associated with some SSL connections and improves the performance of real-time applications that are sensitive to packet delays.

Examples

The following example enters webvpn configuration mode and specifies port 444 for DTLS:


ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# dtls port 444

duplex

To set the duplex of a copper (RJ-45) Ethernet interface, use the duplex command in interface configuration mode. To restore the duplex setting to the default, use the no form of this command.

duplex { auto | full | half }

no duplex

Syntax Description

auto

Auto-detects the duplex mode.

full

Sets the duplex mode to full duplex.

half

Sets the duplex mode to half duplex.

Command Default

The default is auto detect.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was moved from a keyword of the interface command to an interface configuration mode command.

Usage Guidelines

Set the duplex mode on the physical interface only.

The duplex command is not available for fiber media.

If your network does not support auto detection, set the duplex mode to a specific value.

For RJ-45 interfaces on the ASA 5500 series, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled.

If you set the duplex to anything other than auto on PoE ports, if available, then Cisco IP phones and Cisco wireless access points that do not support IEEE 802.3af will not be detected and supplied with power.

Examples

The following example sets the duplex mode to full duplex:


ciscoasa(config)# interface gigabitethernet0/1
ciscoasa(config-if)# speed 1000
ciscoasa(config-if)# duplex full
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# ip address 10.1.1.1 255.255.255.0
ciscoasa(config-if)# no shutdown

dynamic-access-policy-config

To configure a DAP record and the access policy attributes associated with it, use the dynamic-access-policy-config command in global configuration mode. To remove an existing DAP configuration, use the no form of this command.

dynamic-access-policy-config name | activate

no dynamic-access-policy-config

Syntax Description

activate

Activates the DAP selection configuration file.

name

Specifies the name of the DAP record. The name can be up to 64 characters long and cannot contain spaces.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration (name)

  • Yes

  • Yes

  • Yes

  • Yes

Privileged EXEC (activate)

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

Use the dynamic-access-policy-config command in global configuration mode to create one or more DAP records. To activate a DAP selection configuration file, use the dynamic-access-policy-config command with the activate argument.

When you use this command, you enter dynamic-access-policy-record mode, in which you can set attributes for the named DAP record. The commands you can use in dynamic-access-policy-record mode include the following:

  • action

  • description

  • network-acl

  • priority

  • user-message

  • webvpn

Examples

The following example shows how to configure the DAP record named user1:


ciscoasa
(config)
# dynamic-access-policy-config user1
ciscoasa
(config-dynamic-access-policy-record)#
 

dynamic-access-policy-record

To create a DAP record and populate it with access policy attributes, use the dynamic-access-policy-record command in global configuration mode. To remove an existing DAP record, use the no form of this command.

dynamic-access-policy-recordname

no dynamic-access-policy-record name

Syntax Description

name

Specifies the name of the DAP record. The name can be up to 64 characters long and cannot contain spaces.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

Use the dynamic-access-policy-record command in global configuration mode to create one or more DAP records. When you use this command, you enter dynamic-access-policy-record mode, in which you can set attributes for the named DAP record. The commands you can use in dynamic-access-policy-record mode include the following:

  • action (continue , terminate , or quarantine )

  • description

  • network-acl

  • priority

  • user-message

  • webvpn

Examples

The following example shows how to create a DAP record named Finance.


ciscoasa
(config)
# dynamic-access-policy-record Finance
ciscoasa
(config-dynamic-access-policy-record)#
 

dynamic-authorization

To enable RADIUS dynamic authorization (change of authorization) services for the AAA server group, use the dynamic-authorization command in aaa-server group configuration mode. To disable dynamic authorization, use the no form of this command.

dynamic-authorization [ port number ]

no dynamic-authorization [ port number ]

Syntax Description

port number

(Optional) Specifies the dynamic authorization port on the ASA. It can range from 1024 to 65535.

Command Default

The default listening port is 1700. By default dynamic-authorization is not enabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

aaa-server group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was added.

Usage Guidelines

Use this command to configure a RADIUS server group for ISE Change of Authorization (CoA). Once defined, the corresponding RADIUS server group will be registered for CoA notification and the ASA will listen to the port for the CoA policy updates from ISE.

The ISE Change of Authorization (CoA) feature provides a mechanism to change the attributes of an authentication, authorization, and accounting (AAA) session after it is established. When a policy changes for a user or user group in AAA, CoA packets can be sent directly to the ASA from the ISE to reinitialize authentication and apply the new policy. An Inline Posture Enforcement Point (IPEP) is no longer required to apply access control lists (ACLs) for each VPN session established with the ASA.

When an end user requests a VPN connection, the ASA authenticates the user to the ISE and receives a user ACL that provides limited access to the network. An accounting start message is sent to the ISE to register the session. Posture assessment occurs directly between the NAC agent and the ISE. This process is transparent to the ASA. The ISE sends a policy update to the ASA via a CoA “policy push.” This identifies a new user ACL that provides increased network access privileges. Additional policy evaluations may occur during the lifetime of the connection, transparent to the ASA, via subsequent CoA updates.

Examples

The following example shows how to configure an ISE server group for dynamic authorization (CoA) updates and hourly periodic accounting. Included is the tunnel group configuration that configures password authentication with ISE.


ciscoasa(config)# aaa-server ise protocol radius
ciscoasa(config-aaa-server-group)# interim-accounting-update periodic 1
ciscoasa(config-aaa-server-group)# dynamic-authorization
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server ise (inside) host 10.1.1.3
ciscoasa(config-aaa-server-host)# key sharedsecret
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# tunnel-group aaa-coa general-attributes
ciscoasa(config-tunnel-general)# address-pool vpn
ciscoasa(config-tunnel-general)# authentication-server-group ise
ciscoasa(config-tunnel-general)# accounting-server-group ise
ciscoasa(config-tunnel-general)# exit

The following example shows how to configure a tunnel group for local certificate validation and authorization with ISE. In this case, you include the authorize-only command in the server group configuration, because the server group will not be used for authentication.


ciscoasa(config)# aaa-server ise protocol radius
ciscoasa(config-aaa-server-group)# authorize-only
ciscoasa(config-aaa-server-group)# interim-accounting-update periodic 1
ciscoasa(config-aaa-server-group)# dynamic-authorization
ciscoasa(config-aaa-server-group)# exit
ciscoasa(config)# aaa-server ise (inside) host 10.1.1.3
ciscoasa(config-aaa-server-host)# key sharedsecret
ciscoasa(config-aaa-server-host)# exit
ciscoasa(config)# tunnel-group aaa-coa general-attributes
ciscoasa(config-tunnel-general)# address-pool vpn
ciscoasa(config-tunnel-general)# authentication certificate
ciscoasa(config-tunnel-general)# authorization-server-group ise
ciscoasa(config-tunnel-general)# accounting-server-group ise
ciscoasa(config-tunnel-general)# exit

dynamic-filter ambiguous-is-black

To treat Botnet Traffic Filter greylisted traffic as blacklisted traffic for dropping purposes, use the dynamic-filter ambiguous-is-black command in global configuration mode. To allow greylisted traffic, use the no form of this command.

dynamic-filter ambiguous-is-black

no dynamic-filter ambiguous-is-black

Syntax Description

This command has no arguments or keywords.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(2)

This command was added.

Usage Guidelines

If you configured the dynamic-filter enable command and then the dynamic-filter drop blacklist command, this command treats greylisted traffic as blacklisted traffic for dropping purposes. If you do not enable this command, greylisted traffic will not be dropped.

Ambiguous addresses are associated with multiple domain names, but not all of these domain names are on the blacklist. These addresses are on the greylist.

Examples

The following example monitors all port 80 traffic on the outside interface, and then drops blacklisted and greylisted traffic at a threat level of moderate or greater:


ciscoasa(config)# access-list dynamic-filter_acl extended permit tcp any any eq 80
ciscoasa(config)# dynamic-filter enable interface outside classify-list dynamic-filter_acl
ciscoasa(config)# dynamic-filter drop blacklist interface outside
ciscoasa(config)# dynamic-filter ambiguous-is-black

dynamic-filter blacklist

To edit the Botnet Traffic Filter blacklist, use the dynamic-filter blacklist command in global configuration mode. To remove the blacklist, use the no form of this command.

dynamic-filter blacklist

no dynamic-filter blacklist

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

After you enter the dynamic-filter blacklist configuration mode, you can manually enter domain names or IP addresses (host or subnet) that you want to tag as bad names in a blacklist using the address and name commands. You can also enter names or IP addresses in a whitelist (see the dynamic-filter whitelist command), so that names or addresses that appear on both the dynamic blacklist and whitelist are identified only as whitelist addresses in syslog messages and reports. Note that you see syslog messages for whitelisted addresses even if the address is not also in the dynamic blacklist.

Static blacklist entries are always designated with a Very High threat level.

When you add a domain name to the static database, the ASA waits 1 minute, and then sends a DNS request for that domain name and adds the domain name/IP address pairing to the DNS host cache . (This action is a background process, and does not affect your ability to continue configuring the ASA). We recommend also enabling DNS packet inspection with Botnet Traffic Filter snooping (see the inspect dns dynamic-filter-snooping command). The ASA uses Botnet Traffic Filter snooping instead of the regular DNS lookup to resolve static blacklist domain names in the following circumstances:

  • The ASA DNS server is unavailable.

  • A connection is initiated during the 1-minute waiting period before the ASA sends the regular DNS request.

If DNS snooping is used, when an infected host sends a DNS request for a name on the static database, the ASA looks inside the DNS packets for the domain name and associated IP address and adds the name and IP address to the DNS reverse lookup cache.

The static database lets you augment the dynamic database with domain names or IP addresses that you want to blacklist.

If you do not enable Botnet Traffic Filter snooping, and one of the above circumstances occurs, then that traffic will not be monitored by the Botnet Traffic Filter.


Note


This command requires ASA use of a DNS server; see the dns domain-lookup and dns server-group commands.

Examples

The following example creates entries for the blacklist and whitelist:


ciscoasa(config)# dynamic-filter blacklist
ciscoasa(config-llist)# name bad1.example.com
ciscoasa(config-llist)# name bad2.example.com
ciscoasa(config-llist)# address 10.1.1.1 255.255.255.0
ciscoasa(config-llist)# dynamic-filter whitelist
ciscoasa(config-llist)# name good.example.com
ciscoasa(config-llist)# name great.example.com
ciscoasa(config-llist)# name awesome.example.com
ciscoasa(config-llist)# address 10.1.1.2
 255.255.255.255

dynamic-filter database fetch

To test the download of the dynamic database for the Botnet Traffic Filter, use the dynamic-filter database fetch command in privileged EXEC mode.

dynamic-filter database fetch

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

The actual database is not stored on the ASA; it is downloaded and then discarded. Use this command for testing purposes only.

Examples

The following example tests the download of the dynamic database:


ciscoasa# dynamic-filter database fetch

dynamic-filter database find

To check if a domain name or IP address is included in the dynamic database for the Botnet Traffic Filter, use the dynamic-filter database find command in privileged EXEC mode.

dynamic-filter database find string

Syntax Description

string

The string can be the complete domain name or IP address, or you can enter part of the name or address, with a minimum search string of 3 characters. Regular expressions are not supported for the database search.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

If there are multiple matches, the first two matches are shown. To refine your search for a more specific match, enter a longer string.

Examples

The following example searches on the string “example.com,” and finds one match:


ciscoasa# dynamic-filter database find bad.example.com
   bad.example.com
Found 1 matches

The following example searches on the string “bad,” and finds more than two matches:


ciscoasa# dynamic-filter database find bad
   bad.example.com
   bad.example.net
Found more than 2 matches, enter a more specific string to find an exact
match

dynamic-filter database purge

To manually delete the Botnet Traffic Filter dynamic database from running memory, use the dynamic-filter database purge command in privileged EXEC mode.

dynamic-filter database purge

Syntax Description

This command has no arguments or keywords.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.2(1)

This command was added.

Usage Guidelines

The database files are stored in running memory; they are not stored in flash memory. If you need to delete the database, use the dynamic-filter database purge command.

Before you can purge the database files, disable use of the database using the no dynamic-filter use-database command.

Examples

The following example disables use of the database, and then purges the database:


ciscoasa(config)# no dynamic-filter use-database
ciscoasa(config)# dynamic-filter database purge