Cisco ASA DNS inspection for DSNSSEC

20 Jan

It is important to use DNS inspection and update it for up coming DNSSEC. Here is how to enable your ASA to work with DNSSEC.

Required: Cisco ASA running software version 8.2.2 or later
Cisco Documentation

CLI Configuration:

ciscoasa# configure terminal
ciscoasa(config)# policy-map type inspect dns preset_dns_map
ciscoasa(config-pmap)# parameters
ciscoasa(config-pmap-p)# message-length maximum client auto
ciscoasa(config-pmap-p)# write memory

You can now exit your SSH connection.

ciscoasa# show running-config

You should see this somewhere in your configuration now:

policy-map type inspect dns preset_dns_map
message-length maximum client auto
message-length maximum 512
policy-map global-policy
class global-class
inspect ftp
inspect icmp
inspect dns preset_dns_map


Note: The message-length maximum 512 should already be there from the inspection defaults.


ASDM Configuration:

Leave a Reply

Your email address will not be published. Required fields are marked *