MS DNS and Border ACL

Unanswered Question
Oct 10th, 2007

I just set up an 871 router, but cannot do any DNS resolution out this interface. I am using MS Server 2003 R2 as my local DNS server. It uses the root DNS servers. Also, I would like for people with laptops to use additional DNS servers.

If I set specific DNS servers up and set my machine up to use only these servers, it works fine. But I want to use multiple DNS servers and don't necessarily want to add them all into my ACL.

treebug00 Wed, 10/10/2007 - 14:02

I guess I should rephrase the question:

What is a good (secure) practice for permitting UDP replies on the inbound ACL of the router?

permit udp any host eq domain any gt 1023

What if you want to allow all domain replies, but only want to allow them through if someone on the inside interface initiated the UDP request? I know UDP is connectionless and am assuming that initiated packets won't match anything in the translation table and would be dropped. Is this best practice from a security standpoint (besides limiting my external DNS servers)?

Is this the answer?

permit udp any eq domain any gt 1023

Thanks,

Danilo Dy Thu, 10/11/2007 - 06:51

Hi,

No, you don't need to open any port for return packets, whether the connection is through TCP or UDP. You will be inviting hackers to your network!

I think there is some misconception about connectionless protocols, i.e. UDP.

Let's look at both connection-oriented and connectionless.

1. Connection-oriented

- means that when devices communicate, they perform handshaking to set up an end-to-end connection before transmitting information.

2. Connectionless

- means that no effort is made to set up a dedicated end-to-end connection before transmitting information.

- this means that the source will send information to the destination without knowing whether the destination is there and/or capable of sending a reply.

- in some cases where the destination is not there and/or not capable of sending a reply, the source will keep sending the information until it receives a reply or the application TTL expires.

Regards,

Dandy

Jon Marshall Thu, 10/11/2007 - 09:45

Hi

If you are referring to a normal ACL and not the IOS firewall, then yes, you do need to open the ports in an inbound direction for DNS responses. If you don't, then they won't get through.

Reflexive access-lists can be used for some form of session filtering, i.e. only allow traffic back in for a connection that has been initiated. See this link for more details:

http://www.cisco.com/en/US/docs/ios/12_2/security/command/reference/srfreflx.html

Or you can go the whole way and use the IOS firewall CBAC. This is a stateful firewall and you can control what is allowed back in based on what has gone out.

Note that even with a stateful firewall, UDP is really only pseudo-state, i.e. when the firewall sees a DNS request go out it records the src/dst IP and src/dst port and sets a timer. If the return packet is received before the timer expires it is allowed in (assuming the IP and ports match). If the timer has expired before the return packet gets to the firewall, it is dropped.

HTH

Jon
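To make the pseudo-state behaviour Jon describes concrete, here is an added Python model (not from the thread and not Cisco IOS code) that records outbound DNS requests with a timer and compares its decisions with the static `permit udp any eq domain any gt 1023` rule treebug00 asked about. The RFC 5737 addresses, the 30-second timer and the function names are constructed for the example.

```python
from typing import Dict, Tuple

# Key of a tracked request: (inside_ip, inside_port, outside_ip, outside_port)
Key = Tuple[str, int, str, int]


def static_acl_permits(src_port: int, dst_port: int) -> bool:
    """Static inbound rule from the thread: permit udp any eq domain any gt 1023.
    It matches on ports alone, so any packet from port 53 to a high port passes."""
    return src_port == 53 and dst_port > 1023


class UdpPseudoState:
    """Simplified reflexive-ACL / CBAC style tracker: an outbound DNS request
    creates a reverse entry that lives until its timer expires (constructed model)."""

    def __init__(self, idle_timeout: float = 30.0) -> None:
        self.idle_timeout = idle_timeout
        self.table: Dict[Key, float] = {}  # key -> expiry timestamp

    def outbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, now: float) -> bool:
        """Inside -> outside packet. Only DNS requests (dst port 53) are tracked."""
        if dst_port != 53:
            return False
        self.table[(src_ip, src_port, dst_ip, dst_port)] = now + self.idle_timeout
        return True

    def inbound(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, now: float) -> str:
        """Outside -> inside packet: permit only if it mirrors a live tracked request."""
        key = (dst_ip, dst_port, src_ip, src_port)  # reply has the tuple swapped
        expiry = self.table.get(key)
        if expiry is None:
            return "drop: no matching outbound request"
        if now > expiry:
            del self.table[key]
            return "drop: entry timed out"
        return "permit"


def demo() -> Dict[str, object]:
    """Walk the thread's scenario: one real reply, one unsolicited packet, one late reply."""
    fw = UdpPseudoState(idle_timeout=30.0)
    inside, resolver = "192.0.2.10", "198.51.100.53"  # constructed RFC 5737 addresses
    fw.outbound(inside, 40000, resolver, 53, now=0.0)
    return {
        "solicited_reply": fw.inbound(resolver, 53, inside, 40000, now=5.0),
        "unsolicited_static_acl": static_acl_permits(53, 40001),  # static rule lets it in
        "unsolicited_stateful": fw.inbound(resolver, 53, inside, 40001, now=5.0),
        "late_reply": fw.inbound(resolver, 53, inside, 40000, now=45.0),
    }
```

The unsolicited packet shows the gap between the two approaches: the port-only rule permits it, while the tracker drops it because nothing on the inside asked for it.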

You will need two ACLs most likely...

outbound (from inside):

permit udp any any eq domain

inbound (from outside) for replies:

permit udp any eq domain any

That should do it. Or, a better practice would be to run your MS DNS Server as your internal root (have the root hints for external or forward outside) so you can lock up that ACL a little.
