The following object-group consists of the latest IANA root DNS servers and can be used on Cisco ASA firewalls.
IANA Root DNS Servers (IPv4/IPv6)
object-group network IANA-ROOT-DNS
description IANA Root DNS Servers (IPv4/IPv6)
network-object host 18.104.22.168
network-object host 2001:503:ba3e::2:30
network-object host 22.214.171.124
network-object host 2001:500:84::b
network-object host 126.96.36.199
network-object host 2001:500:2::c
network-object host 188.8.131.52
network-object host 2001:500:2d::d
network-object host 184.108.40.206
network-object host 220.127.116.11
network-object host 2001:500:2f::f
network-object host 18.104.22.168
network-object host 22.214.171.124
network-object host 2001:500:1::803f:235
network-object host 126.96.36.199
network-object host 2001:7fe::53
network-object host 188.8.131.52
network-object host 2001:503:c27::2:30
network-object host 184.108.40.206
network-object host 2001:7fd::1
network-object host 220.127.116.11
network-object host 2001:500:3::42
network-object host 18.104.22.168
network-object host 2001:dc3::35
When it comes to firewall rules, there are a number of things I follow as best practice. To start with, make sure you have all the necessary information in place before writing your firewall rules.
Ask yourself the following questions. If you don't have the answers, go back to the drawing board and gather the missing information.
- Do you have all the necessary ports required for the firewall?
- Do you have all the IP/Subnet information?
Make the ACLs short and sweet
It is always best practice to avoid using raw IP addresses in ACLs.
- Make sure that the ACLs are intuitive to anyone who is not familiar with your network.
- You should be able to understand how the firewalling is done just by reading the ACLs.
This will guide you through adding and removing interfaces from the VSAN database. Even though I have tested this on a Cisco MDS 9124, the process is virtually the same on the Cisco Nexus platforms, with a slight difference in interface names.
The command show vsan membership tells you which VSAN an interface is a member of.
Interfaces are usually in VSAN 1, the default, and an interface can be moved to another VSAN with the following command.
vsan 100 interface fc1/1
If you want to remove an interface from a particular VSAN, you need to move it back to VSAN 1.
The following method is useful when you have cloned a Linux VM and end up with an interface other than eth0. This usually happens when you clone or create a VM from a template whose interface is named eth0: the cloned copy ends up with eth1 rather than eth0 as the interface name. According to VMware, this is by design and can only be fixed with the following method.
Start up the VM and open up the following file with your favourite text editor and find the interface you want to remove.
The following post shows how to allow only specific DNS servers through a Cisco ASA firewall. In this example, I am allowing Google DNS through the firewall.
object-group service DNS-PORTS
service-object udp destination eq domain
object-group network GOOGLE-DNS
network-object host 22.214.171.124
network-object host 126.96.36.199
access-list ACL_in extended permit object-group DNS-PORTS NETWORK 255.255.255.0 object-group GOOGLE-DNS
The design of Windows 10 allows the operating system to send DNS queries out of all the available interfaces on the machine. The OS takes into account neither the network interface priority nor the default route.
This design is somewhat acceptable until we face a VPN scenario where, for security reasons, the DNS request has to go through the VPN tunnel. Because the query also leaks out of the other interfaces, an attacker could intercept the DNS request and modify the reply to perform a man-in-the-middle attack.
The easy fix is to add a DWORD named DisableSmartNameResolution with a value of 0 under the following path.
This involves adding the following code to the .htaccess file within the root of the WordPress installation directory; add each IP address on a new line, and write IP subnets in CIDR format.
The code below is displayed as an image due to a WordPress limitation.
I have had the pleasure of being given the opportunity to participate in the #TryLGG4 program. I am someone who usually changes my phone every 9-12 months and am currently an LG G3 user. I was not looking for any upgrade because I felt that no current device on the market can match what a G3 offers. This all changed when I had the chance to use the LG G4. Here are my thoughts on the device as I opened the box.
2) Ergonomic design
3) Interchangeable battery
4) Expandable storage
The following post will explain one of the recommended methods of filtering unwanted traffic from the internet to the internal network.
Most administrators filter RFC-1918 traffic traversing from the internet to internal networks, while still allowing the list of bogon prefixes defined in RFC-3330. These addresses are _not_ publicly assigned, so you should never see them as the source IP of traffic destined for your internal network. Furthermore, it is best practice from a security perspective to filter these ranges in case you are targeted by a spoofing attack.
As a reference to this post, please check RFC-3330 which contains all the prefixes in question.
When it comes to Cisco ASA, both Port-Object and Service-Object achieve the same result. However, the way an extended Access Control List (ACL) references a Port-Object or a Service-Object differs in the ACL statement.
Below, we look at two TCP services, namely www and https, defined using Port-Object and Service-Object as follows…
object-group service WEB-PORTS tcp
port-object eq www
port-object eq https
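As an added example (not the post's own configuration), the following fragment defines the same two services both ways and shows how each form is referenced from an extended ACL. The WEB-SERVICES, WEB-SERVERS and ACL_in names and the 192.0.2.x host addresses are assumed placeholders.

```cisco
! Port-object form: the group carries the protocol (tcp), but the ACL must still name it
object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https
! Service-object form: each entry carries its own protocol and direction
object-group service WEB-SERVICES
 service-object tcp destination eq www
 service-object tcp destination eq https
! Destination hosts as a named object so no raw IP appears in the ACL line (placeholder addresses)
object-group network WEB-SERVERS
 network-object host 192.0.2.10
 network-object host 192.0.2.11
! With a port-object group: protocol keyword after 'permit', port group after the destination
access-list ACL_in extended permit tcp any object-group WEB-SERVERS object-group WEB-PORTS
! With a service-object group: the group itself replaces the protocol keyword after 'permit'
access-list ACL_in extended permit object-group WEB-SERVICES any object-group WEB-SERVERS
access-group ACL_in in interface outside
```

Both lines expand to the same four-tuple entries; show access-list ACL_in displays the expanded form and lets you confirm the two are equivalent.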