Firepower FTD DNS Security



1. Requires a Threat (IPS) license.

2. Add a new DNS Policy or edit the "Default DNS Policy".

    2.1 Disable the non-editable "Global Block List for DNS" rule. Its Source is "any" and it always sits at the top of the policy, so it is evaluated before any DNS rule you add, and there is no way to change its position in the rule order.
    2.2 Select the Security Intelligence (SI) DNS lists and feeds that the rule should match.
    2.3 The default action is "Domain Not Found" (the client receives an NXDOMAIN answer). "Sinkhole" is another action that helps identify the DNS client: the query is answered with the sinkhole object's address, so the host that then connects to that address is the real client, even when the query reached the FTD through an internal recursive DNS server.



3. Attach the DNS Policy to the Access Control Policy (ACP).



4. Verify DNS Logging
    To prevent legitimate DNS queries from unnecessarily filling the connection event database, create a dedicated ACP rule that allows DNS traffic to the trusted DNS servers with connection logging disabled.

     The DNS policy logging setting below then generates only DNS violation (Security Intelligence) events.




Logging can be seen in Analysis > Connections > Events



Or Analysis > Connections > Security-Related Events



5. Enable reputation enforcement on DNS traffic

This option is enabled by default on the Advanced tab of each new ACP. It slightly modifies URL filtering behavior and is applicable only when URL filtering is enabled and configured.

The system then evaluates domain category and reputation early in the URL transaction, when the browser looks up the domain name to get the IP address, instead of waiting for the HTTP/HTTPS connection.

Procedure
Step 1
In your access control policy's advanced settings, select Enable reputation enforcement on DNS traffic.
Step 2
In the same policy, for each access control rule that has URL category and reputation blocking configured:
Application conditions—If the application condition is anything other than any (or empty), add DNS to that list. Other DNS-related options are not relevant for this purpose. (Question noted while configuring: will this block all DNS queries? No: the rule still has to match its URL category and reputation condition, so only queries for domains in the blocked categories are blocked; queries for other domains are unaffected, as the lab below shows.)
Port condition—If the port/protocol condition is anything other than any (or empty), add DNS_over_TCP and DNS_over_UDP.
Step 3
Save your changes.

Lab:
ACP rule blocking the URL category Social Networking with ports HTTP and HTTPS: after adding DNS_over_UDP to the port list, the DNS query for Twitter is blocked at the DNS query level, before any HTTP/HTTPS connection is attempted.
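To confirm from a client which action a domain actually hits (Domain Not Found returns NXDOMAIN, Sinkhole returns the sinkhole object's address, the Drop action or an ACP block as in the lab above produces no reply), here is an added Python probe. It is not from the original notes or from Cisco; the sinkhole address 192.0.2.53, the resolver and the test domain names are placeholders to adjust for your lab, and it uses only the standard library so it can be run from any host behind the FTD.

```python
"""Probe a resolver through the FTD and classify the DNS policy outcome.

Added example (not from the original notes, not Cisco code).
Outcomes:
  'domain-not-found' : RCODE 3 (NXDOMAIN), the "Domain Not Found" action
  'sinkhole'         : an A record pointing at the configured sinkhole IP
  'resolved'         : a normal answer, the domain was allowed
  'no-reply'         : query dropped (DNS policy Drop, ACP block, or resolver down)
SINKHOLE_IP and the domains in __main__ are placeholders (assumptions).
"""
import random
import socket
import struct

SINKHOLE_IP = "192.0.2.53"   # assumed address of the sinkhole object, placeholder


def build_query(name: str, qtype: int = 1) -> bytes:
    """Build a minimal DNS query (RD=1) for `name`; qtype 1 = A record."""
    txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode("ascii")
                     for p in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name at `off`."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1
        if length == 0:                # root label terminates the name
            return off
        off += length


def parse_response(data: bytes):
    """Return (rcode, [A-record addresses]) decoded from a DNS reply."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                # skip question section (name + type + class)
        off = _skip_name(data, off) + 4
    addrs = []
    for _ in range(an):                # walk answer RRs, keep IPv4 addresses
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return rcode, addrs


def classify(rcode: int, addrs, sinkhole_ip: str = SINKHOLE_IP) -> str:
    """Map a decoded reply onto the DNS policy action that produced it."""
    if rcode == 3:
        return "domain-not-found"
    if sinkhole_ip in addrs:
        return "sinkhole"
    return "resolved"


def probe(name: str, resolver: str, timeout: float = 3.0,
          sinkhole_ip: str = SINKHOLE_IP) -> str:
    """Send one A query to `resolver` over UDP/53 and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    if data[:2] != query[:2]:          # reply must carry our transaction ID
        raise ValueError("transaction ID mismatch")
    rcode, addrs = parse_response(data)
    return classify(rcode, addrs, sinkhole_ip)


if __name__ == "__main__":
    import sys
    resolver = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"   # placeholder resolver
    for name in ("example.com", "twitter.com"):                     # placeholder domains
        try:
            print(f"{name:30} {probe(name, resolver)}")
        except OSError as err:
            print(f"{name:30} error: {err}")
```

Run it from a client inside the protected network against the resolver the client normally uses; a "sinkhole" result followed by the client's own connection to the sinkhole address is exactly what makes the Sinkhole action useful for identifying the real querying host, and a "no-reply" for a domain that resolves fine from outside points at the Drop action or at the ACP rule from step 5.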

