Dissecting ACL that allows DNS name resolution

Unanswered Question
Jan 21st, 2009

Can you guys please help me understand why the line


permit udp any eq domain host 65.65.65.44


which is part of the ACL applied to the outside interface in the IN direction, allows my internal users to properly browse internet sites by name?


If I don't have this statement, my internal users can't resolve anything by name. We use public DNS servers in our PCs' TCP/IP settings, like 4.2.2.2.


I'm confused because everything outbound is allowed in my network, and I know that when we browse to a site, for example google.com, the internal host sends a DNS query to its DNS server, in this case 4.2.2.2, which is a public DNS server. So the internal host sends this query to port 53 on the public DNS server, and because it is outbound traffic, it is allowed and thus should not need that statement to work... this is why I'm confused.


Also, as far as I understand, return traffic for a connection that originated on the inside is also allowed by this statement:


permit tcp any any established


This is why I get even more confused, but there must be something I am missing with regards to DNS resolution.


Any help or links that can help me understand this?


Thanks in advance.

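The mechanism behind the question can be shown with a small model of IOS first-match ACL evaluation. This is an added illustration, not code from the thread or from Cisco: `established` only tests the TCP ACK/RST flags, so a UDP DNS reply from the public resolver can never match it and falls through to the implicit deny unless an explicit UDP entry permits it. The model assumes 65.65.65.44 is the router's public (NAT) address that the inside hosts' DNS queries are sourced from; the packets and the second ACL variant are constructed for the example.

```python
# Added example: a minimal model of inbound IOS ACL evaluation, showing why
# "permit tcp any any established" never matches UDP DNS replies.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: FrozenSet[str] = frozenset()   # e.g. {"ACK"}; always empty for UDP


@dataclass(frozen=True)
class Ace:
    """One access-list entry, e.g. 'permit udp any eq domain host 65.65.65.44'."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip"
    src: str                         # "any", "host A.B.C.D" or "A.B.C.D/len"
    sport: Optional[int]             # None = any source port
    dst: str
    dport: Optional[int]             # None = any destination port
    established: bool = False        # TCP-only keyword


def _match_addr(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(spec[5:]) == ip_address(addr)
    return ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if not _match_addr(ace.src, pkt.src) or not _match_addr(ace.dst, pkt.dst):
        return False
    if ace.sport is not None and ace.sport != pkt.sport:
        return False
    if ace.dport is not None and ace.dport != pkt.dport:
        return False
    # "established" matches only TCP segments with ACK or RST set. A UDP
    # datagram carries no flags, so the test can never succeed for DNS replies.
    if ace.established and not (pkt.tcp_flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(acl: List[Ace], pkt: Packet) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


# The ACL from the thread, reduced to the two entries under discussion.
ESTABLISHED_ONLY = [
    Ace("permit", "tcp", "any", None, "any", None, established=True),
]
WITH_DNS_LINE = [
    Ace("permit", "udp", "any", 53, "host 65.65.65.44", None),   # permit udp any eq domain host 65.65.65.44
    *ESTABLISHED_ONLY,
]

# Constructed inbound packets (203.0.113.0/24 is documentation space).
DNS_REPLY = Packet("udp", "4.2.2.2", 53, "65.65.65.44", 40123)
HTTP_REPLY = Packet("tcp", "203.0.113.10", 80, "65.65.65.44", 51000, frozenset({"ACK"}))
UNSOLICITED_SYN = Packet("tcp", "203.0.113.10", 12345, "65.65.65.44", 22, frozenset({"SYN"}))


def dns_reply_result(include_udp_line: bool) -> str:
    """Result for the resolver's reply with and without the explicit UDP entry."""
    return evaluate(WITH_DNS_LINE if include_udp_line else ESTABLISHED_ONLY, DNS_REPLY)


if __name__ == "__main__":
    print("DNS reply, with UDP line:   ", dns_reply_result(True))
    print("DNS reply, established only:", dns_reply_result(False))
    print("HTTP reply (ACK set):       ", evaluate(ESTABLISHED_ONLY, HTTP_REPLY))
    print("Unsolicited SYN:            ", evaluate(ESTABLISHED_ONLY, UNSOLICITED_SYN))
```

Running it prints `permit` for the DNS reply only when the UDP entry is present, while the HTTP reply passes the `established` entry and the unsolicited SYN hits the implicit deny. The UDP entry is stateless, so it also admits any datagram sourced from port 53 toward that address; restricting the source to the resolvers actually in use (`host 4.2.2.2` rather than `any`) narrows it, and IOS reflexive ACLs (`reflect`/`evaluate`) or CBAC (`ip inspect`) give UDP the same return-traffic tracking that `established` approximates for TCP.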
torchris Mon, 01/26/2009 - 12:58

Hello Sir,


Yes, the ASA is a stateful device for traffic that is originated from the trusted network to the untrusted network.

The ASA performs inspection of this traffic to permit the return traffic to come back in (reflexive ACL).


Please try the following:


policy-map global_policy
 class inspection_default
  inspect dns



If this does not work, please send me the log messages you are getting.

insccisco Tue, 01/27/2009 - 11:28

I think I left out a detail... I have this on an IOS (router).


No ASA.
