Verifying DNS Lists - FMC

Sep 7, 2018 Cisco Firepower firewall FMC Network NGFW
Share on:

We are back with another post about Cisco's Firepower Management Center and this time we are working with the DNS list which if you have a protect license you can have your Firepower modules or your FTD (Firepower Threat Defense) devices look at DNS requests and deny the requests if they are malicious. These have to be applied on your access control policy to be able to use it and in this post we are going verify some of the domain names that are in this lists.

So this post is already assuming that you have an Access Control Policy deployed on a Firepower Module (ASA) or a FTD. We also are assuming that you have a DNS policy applied to the FM/FTD. These lists get downloaded about every two hours from Cisco and are updated regularly, best to keep it that way. :) However like everything there is always someone, some system, some program that fails to connect and more often than not it's usually this critical process that worked yesterday but doesn't today, so how do we check if we are hitting this?

There are two ways to check this we can look at the connection events (if you are logging which by default is yes) it will show DNS the events and depending on your policy you'll see the action taken. In this example we selected to use Domain Not Found for the action. In this example we can see Domain Not Found and we can also see the DNS category its hitting which is DNS Dga.

Note: I have edited this screenshot to show example.com instead of the malicious domain

We can verify the domain is in this list DNS Dga by connecting to the FMC via SSH and browse to the actual list which is located at /var/sf/sidns_download. When you browse to this location you'll see something like this:

 1admin@FMC:/var/sf/sidns_download$ 
 2admin@FMC:/var/sf/sidns_download$ ls
 3032ba433-c295-11e4-a919-d4ae5275b77b  Cisco_DNS_Intelligence_Feed
 41b117672-7453-478c-be31-b72e89ca2dde  IPRVersion.dat
 523f2a124-8278-4c03-8c9d-d28fe08b71ab  abdc925f-4f85-4504-90a7-c891979ad82a
 62CCDA18E-DDFF-4F5C-AF9A-F00985219707  b1df3aa8-2841-4c88-8e64-bfaacec7111f
 72b15cb6f-a3fc-4e0e-a342-ccc5e5804576  d7d996a6-6b92-4a56-8f10-e8506e432fb8
 830f9e69c-d64c-479c-821d-0e4edab8348d  health
 93e2af68e-5fc8-4b1c-b5bc-b4e7cab5abcd  health_status
105a0b6d6b-e2c3-436f-b4a1-48248b331d39  health_statuslock
115f8148f1-e5e4-427a-aa3b-ee1c2745d663  peers
1260f4e2ab-d96c-44a0-bd38-830252b65259  rep_dd.yaml
136ba968f4-7a25-4793-a2c8-7cc77f1f1074  tmp
14A27C6AAE-8E52-4174-A81A-47C59FECd3a5

Each of these UIDs correspond to DNS feed. For example b1df3aa8-2841-4c88-8e64-bfaacec7111f is for DNS Dga category. You can easily figure out which UID is tied to which DNS category by using the more command, notice the top of the file.

Note: I have replaced these domains with examples instead of the malicious domains

1admin@FMC:/var/sf/sidns_download$ more b1df3aa8-2841-4c88-8e64-bfaacec7111f
2#Cisco DNS and URL intelligence feed: DNS Dga
3example.info
4example.com
5example.net
6...

We can see in this example that the domain we where trying to resolve is in this blacklist. Usually you'll have to grep the file to find the domain as these lists can be big, to find a domain follow this command, I'm looking in the DNS Dga category.

1admin@FMC:/var/sf/sidns_download$ more b1df3aa8-2841-4c88-8e64-bfaacec7111f |grep example.com
2example.com
3admin@FMC:/var/sf/sidns_download$

This confirms it and we can can either whitelist it or drop the category and then redeploy polices, unless you run into a bug, which I have ran into with whitelisting as it does not seem to work with some older firepower code. Another upgrade is in the works, in the meantime I dropped the DNS category,  I hope this information is helpful, - Ryan