Firepower DNS Policy

11/30/2021 (Tuesday)

Cisco FTD DNS based Security Intelligence allows you to identify a suspicious DNS query and blacklist the resolution of the dubious domain. When using DNS security provided by the FTD, it blocks the request for the suspicious domain before an HTTP connection is even established, saving resources.


Rules in a DNS policy are numbered, starting at 1. The ASA FirePOWER module matches traffic to DNS rules in top-down order by ascending rule number. When you create a DNS policy, the ASA FirePOWER module populates it with a default Global DNS Whitelist rule and a default Global DNS Blacklist rule.


DNS filtering can be performed in three ways:

  • Cisco TALOS maintains a database of known bad DNS domains; the FMC downloads updates to this database regularly as a feed.
  • Manually, from the FMC Connection Events page, using the Global DNS Whitelist and Global DNS Blacklist.
  • A custom DNS feed or list.

A DNS Policy is defined which can take the following actions:

  • Whitelist – Allows matching traffic to pass.
  • Monitor – Does not affect traffic flow; the traffic is neither whitelisted nor blacklisted. It is evaluated against the other rules, which determine whether it is permitted or denied.
  • Drop (Blacklist) – Drops the traffic.
  • Domain Not Found (Blacklist) – Returns a non-existent domain (NXDOMAIN) response to the DNS query.
  • Sinkhole (Blacklist) – Returns a sinkhole IP address in response to the query. The sinkhole can log, or log and block, the follow-on connections.

This blog post covers creating a custom DNS list and demonstrates using the TALOS feed to block known malware.

Firepower Configuration

Create DNS Lists

  • Create a text file called DNF-List.txt for a list of domains to test the Domain Not Found action
  • Add the FQDNs to be blacklisted (Domain Not Found), one per line – e.g. yahoo.co.uk
  • Save the text file to the local computer

Create Custom DNS Feed

  • Login to the FMC
  • Navigate to Objects > Object Management > Security Intelligence > DNS Lists and Feeds
  • Click Add DNS Lists and Feeds
  • Name the List appropriately, e.g. Custom-DNF-List
  • From the Type: drop-down list, select List
  • Click Browse and select the text file called DNF-List.txt created previously
  • Click Upload, once uploaded select Save

Create Sinkhole

  • Navigate to Objects > Object Management > Sinkhole
  • Click Add Sinkhole
  • Name the Sinkhole appropriately, e.g. DNS-Sinkhole
  • Enter an IPv4 address (a publicly routable address, e.g. 11.11.11.11, so that follow-on traffic is routed outside of the local network)
  • Click Block and Log Connections to Sinkhole
  • Leave Type as None
  • Click Save

Create a DNS Policy

  • Navigate to Policies > Access Control > DNS
  • Click Add DNS Policy
  • Click Add DNS Rule
  • Enter an appropriate name, e.g. DNF
  • Ensure Enabled is checked
  • Select the Action as Domain Not Found
  • Define the Source Zone(s) as the Inside Zone
  • Click the DNS tab
  • Select the custom DNS list called Custom-DNF-List previously created
  • Click Add once complete
  • Click Save
  • Click Add DNS Rule
  • Enter an appropriate name, e.g. Malware
  • Ensure Enabled is checked
  • Select the Action as Sinkhole
  • A drop-down list called Sinkhole will appear, select the custom Sinkhole previously created
  • Define the Source Zone(s) as the Inside Zone
  • Click the DNS tab
  • Select the built-in Cisco Security Intelligence feed called DNS Malware
  • Click Add once complete
  • Click Save to save the policy

Attach the DNS Policy to the Access Control Policy

  • Navigate to Policies > Access Control > Access Control
  • Modify the existing Access Control Policy
  • Click the Security Intelligence tab
  • From the DNS Policy drop-down list select the DNS Policy previously created
  • Click Save

Deploy the Policy

  • Deploy the Policy to the FTD

Verification

  • Run wireshark on a workstation and filter on DNS
  • Run nslookup on www.yahoo.co.uk (this domain was defined in the Domain Not Found list)

The output of the nslookup will confirm the response “Non-existent domain”

The output of the wireshark capture will confirm the response “no such name”.

  • Login to the CLI of the FTD and enter expert mode
  • Change the current directory to the Security Intelligence directory with the command cd /var/sf/sidns_download
  • List the contents of the directory using the command ls -l

Each file represents a DNS Security Intelligence list or feed available when creating the DNS Policy; each file contains thousands of domains.

  • Use the command grep 'Malware' <FILENAME> on each file until the file backing the DNS Malware feed has been identified
  • Use the command cat <FILENAME> to list all the domains currently identified as hosting malware
  • Run wireshark on a workstation and filter on DNS
  • Run nslookup on a couple of the domains from the list

The output of the nslookup will confirm the address of the sinkhole 11.11.11.11

The output of the wireshark capture will confirm the sinkhole address 11.11.11.11
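Both verification steps above read the policy's action off the wire: an NXDOMAIN answer for the Domain Not Found rule, and an A record carrying 11.11.11.11 for the Sinkhole rule. The following Python script is an added example, not code from the original post: it parses raw DNS response bytes (e.g. exported from the Wireshark capture) and reports which action they reflect, so the check does not depend on reading the capture by eye. The sample packets are constructed inline rather than captured, 11.11.11.11 is the sinkhole address from the configuration steps, and the domain names other than www.yahoo.co.uk are placeholders.

```python
"""Classify DNS responses seen while verifying a Firepower DNS policy.

Added example (not from the original post): a minimal DNS wire-format parser
that sorts a response into the action it reflects: Domain Not Found (RCODE 3,
NXDOMAIN), Sinkhole (an A record carrying the sinkhole address) or an ordinary
resolution. Sample packets are constructed here, not captured.
"""
import ipaddress
import struct

SINKHOLE_ADDR = "11.11.11.11"   # sinkhole address from the configuration steps
RCODE_NXDOMAIN = 3


def _encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dns_response(txn_id: int, qname: str, rcode: int, answers=()) -> bytes:
    """Construct a DNS response to one A-record question (test data only)."""
    flags = 0x8180 | (rcode & 0x0F)             # QR=1, RD=1, RA=1, RCODE
    header = struct.pack("!HHHHHH", txn_id, flags, 1, len(answers), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    body = b""
    for addr in answers:
        # name pointer to offset 12 (the question), type A, class IN, TTL 60, RDLENGTH 4
        body += struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
        body += ipaddress.IPv4Address(addr).packed
    return header + question + body


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:               # compression pointer
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_dns_response(msg: bytes) -> dict:
    """Return the query name, RCODE and any A-record addresses in a DNS response."""
    txn_id, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    offset = 12
    qname = None
    for _ in range(qdcount):
        qname, offset = _read_name(msg, offset)
        offset += 4                                 # skip QTYPE and QCLASS
    a_records = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            a_records.append(str(ipaddress.IPv4Address(rdata)))
    return {"id": txn_id, "qname": qname, "rcode": flags & 0x0F, "a_records": a_records}


def classify_response(msg: bytes, sinkhole: str = SINKHOLE_ADDR) -> str:
    """Map a response to the DNS policy action it reflects."""
    parsed = parse_dns_response(msg)
    if parsed["rcode"] == RCODE_NXDOMAIN:
        return "Domain Not Found"
    if sinkhole in parsed["a_records"]:
        return "Sinkhole"
    if parsed["rcode"] == 0 and parsed["a_records"]:
        return "Resolved"
    return "Other"


# Constructed sample responses mirroring the two verification steps above.
SAMPLES = {
    "dnf": build_dns_response(0x1A2B, "www.yahoo.co.uk", RCODE_NXDOMAIN),
    "sinkhole": build_dns_response(0x1A2C, "malware-domain.example", 0, ["11.11.11.11"]),
    "normal": build_dns_response(0x1A2D, "www.example.com", 0, ["192.0.2.10"]),
}

if __name__ == "__main__":
    for label, packet in SAMPLES.items():
        print(label, "->", classify_response(packet))
```

To run it against a real capture, export the DNS response's UDP payload from Wireshark as raw bytes and pass it to classify_response(); a response that classifies as "Resolved" for a domain on the Custom-DNF-List or in the DNS Malware feed means the policy did not match, usually because the query did not traverse the Inside Zone defined in the rule.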


Access the Security Intelligence Events on the FMC to confirm that the DNS queries matched the correct action (Sinkhole or Domain Not Found).


Global DNS Whitelist/Blacklist

To manually add a domain to the Global DNS Whitelist/Blacklist:

  • Open the Connection Events and locate the DNS Query to be listed
  • Right click and select either "Blacklist DNS Requests..." or "Whitelist DNS Requests..."

To remove an entry from the Global DNS Whitelist/Blacklist:

  • Navigate to Objects > Object Management > Security Intelligence > DNS Lists and Feeds
  • Select the appropriate list, "Global-Whitelist-for-DNS" or "Global-Blacklist-for-DNS", and edit it