514 Views | 0 Helpful | 2 Replies

Dissecting ACL that allows DNS name resolution

insccisco
Level 1

Can you guys please help me understand why the line

permit udp any eq domain host 65.65.65.44

which is part of the ACL applied to the outside interface in the IN direction, allows my internal users to properly browse internet sites by name?

If I don't have this statement, my internal users can't resolve anything by name. We use public DNS servers in our PCs' TCP/IP settings, like 4.2.2.2.

I'm confused because everything outbound is allowed in my network, and I know that when we browse to a site, for example google.com, the internal host sends a DNS query to its DNS server, in this case 4.2.2.2, which is a public DNS server. So the internal host sends this query to port 53 on the public DNS server, and because it is outbound traffic, it is allowed and thus should not need that statement to work... this is why I'm confused.

Also, as far as I understand, return traffic for a connection that originated on the inside is also allowed by this statement:

permit tcp any any established

This is why I get even more confused, but there must be something I am missing with regard to DNS resolution.

Any help or links that can help me understand this?

Thanks in advance.

2 Replies

torchris
Level 1

Hello Sir,

Yes, the ASA is a stateful device for traffic that originates from the trusted network to the untrusted network.

The ASA performs inspection of this traffic to permit the return traffic to come back in (reflexive ACL).

Please try the following:

policy-map global_policy
 class inspection_default
  inspect dns

If this does not work, please send me the log message that you are getting.

I think I left out a detail... I have this on an IOS (router).

No ASA.
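As an added illustration (not code from the thread or from Cisco), here is a small Python model of how an IOS extended ACL applied inbound on the outside interface evaluates return traffic. It shows why `permit tcp any any established` can never pass a DNS reply: `established` only tests the TCP ACK/RST bits, and a UDP datagram has none, so the reply from 4.2.2.2 needs its own `permit udp any eq domain host 65.65.65.44` entry. The packets, the 198.51.100.10 web server and the ephemeral ports are constructed sample values.

```python
from dataclasses import dataclass
from typing import List, Optional

DNS_PORT = 53  # what IOS displays as "domain"
@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # TCP ACK/RST bit; a UDP datagram has no such bit

@dataclass(frozen=True)
class Ace:
    action: str                     # "permit" or "deny"
    proto: str
    dst_host: Optional[str] = None  # None means "any"
    sport_eq: Optional[int] = None  # "eq" after the source = source port
    established: bool = False       # IOS keyword, only valid on tcp entries

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto:
            return False
        if self.dst_host is not None and p.dst != self.dst_host:
            return False
        if self.sport_eq is not None and p.sport != self.sport_eq:
            return False
        # "established" means ACK or RST set; UDP carries no flags, so an
        # established entry can never match a DNS reply.
        if self.established and not p.ack:
            return False
        return True

def evaluate(acl: List[Ace], p: Packet) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny (implicit)"
# The two entries quoted in the question (inbound on the outside interface).
DNS_REPLY_ACE = Ace("permit", "udp", dst_host="65.65.65.44", sport_eq=DNS_PORT)
ESTABLISHED_ACE = Ace("permit", "tcp", established=True)
WITH_DNS_LINE = [DNS_REPLY_ACE, ESTABLISHED_ACE]
WITHOUT_DNS_LINE = [ESTABLISHED_ACE]

# Constructed sample return traffic, not captured from the poster's network.
DNS_REPLY = Packet("udp", "4.2.2.2", DNS_PORT, "65.65.65.44", 51234)
HTTP_REPLY = Packet("tcp", "198.51.100.10", 80, "65.65.65.44", 50000, ack=True)
INBOUND_SYN = Packet("tcp", "198.51.100.10", 40000, "65.65.65.44", 8080)
```

The model also makes the trade-off visible: the UDP entry is stateless, so it matches any datagram sourced from port 53 toward that host whether or not a query went out, which is what stateful return-traffic handling (IOS reflexive ACLs with `reflect`/`evaluate`, or `ip inspect`) is designed to avoid.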
