hi halijenn / experts
106007 Deny Inbound UDP from 220.127.116.11/32411 to 18.104.22.168/53 due to DNS Query
This is the error the customer is getting; he has a public DNS server inside the organization. The following static and ACL are configured for it. However, when I do it from my end, I am able to see that it is getting resolved to a name, but the customer says that from the public internet, when he runs nslookup and types server 22.214.171.124, he waits for the response and never gets it.
object-group protocol DOMAIN
static (DMZ,Outside) 126.96.36.199 192.168.16.1 netmask 255.255.255.255
access-list Out2In extended permit object-group DOMAIN any host 188.8.131.52 eq domain
access-group Out2Inin in interface Outside
I have gone through the link for syslog 106007, but I was not sure whether the explanation fits here, as I see the ACLs are configured. Please let me know what the probable reason could be.
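As an added example (not code from the original thread), the Python script below parses the four-line fragment posted above and flags the things a reviewer would check before chasing the 106007 message itself: an access-group that applies an ACL name that is not defined, a protocol object-group with no members, an ACL that references an undefined object-group, and an outside ACL whose host address is not the global (mapped) address of any static. The last check assumes pre-8.3 ASA semantics, which the `static` syntax implies: ACLs on the outside interface match the translated address, not the real DMZ address. The fragment embedded in the script is copied from the post; the addresses in this thread look garbled by the page extraction, so the address check illustrates the rule rather than diagnosing the customer's box. The corrected fragment and its `protocol-object` members are assumptions of the example.

```python
"""Sanity checks on the ASA/PIX config fragment from the question.

Added example, not code from the original thread. Assumes pre-8.3 ASA
semantics (static/global addressing), which the `static` syntax implies.
"""
import re
from dataclasses import dataclass, field

# Copied from the question above (the addresses appear garbled by the page
# extraction; they are used here only to show the checks).
POSTED_CONFIG = """\
object-group protocol DOMAIN
static (DMZ,Outside) 126.96.36.199 192.168.16.1 netmask 255.255.255.255
access-list Out2In extended permit object-group DOMAIN any host 188.8.131.52 eq domain
access-group Out2Inin in interface Outside
"""

# Hypothetical corrected fragment (assumption of this example, not from the
# thread): group populated, ACL host set to the static's global address,
# access-group name matching the access-list.
FIXED_CONFIG = """\
object-group protocol DOMAIN
 protocol-object udp
 protocol-object tcp
static (DMZ,Outside) 126.96.36.199 192.168.16.1 netmask 255.255.255.255
access-list Out2In extended permit object-group DOMAIN any host 126.96.36.199 eq domain
access-group Out2In in interface Outside
"""


@dataclass
class AsaConfig:
    object_groups: dict = field(default_factory=dict)  # name -> member lines
    statics: list = field(default_factory=list)        # (real_if, mapped_if, global_ip, local_ip)
    acls: dict = field(default_factory=dict)           # name -> rule lines
    access_groups: list = field(default_factory=list)  # (acl_name, direction, interface)


def parse_asa(text):
    """Minimal parser for the four statement types used in the fragment."""
    cfg = AsaConfig()
    current_group = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue
        # Indented lines belong to the object-group opened just above them.
        if line.startswith(" ") and current_group is not None:
            cfg.object_groups[current_group].append(line.strip())
            continue
        current_group = None
        tokens = line.split()
        if tokens[0] == "object-group" and len(tokens) >= 3:
            current_group = tokens[2]
            cfg.object_groups.setdefault(current_group, [])
        elif tokens[0] == "static":
            m = re.match(r"static \((\w+),(\w+)\) (\S+) (\S+)", line)
            if m:
                cfg.statics.append(m.groups())
        elif tokens[0] == "access-list" and len(tokens) >= 2:
            cfg.acls.setdefault(tokens[1], []).append(line)
        elif tokens[0] == "access-group" and len(tokens) >= 5:
            # access-group NAME in|out interface IFNAME
            cfg.access_groups.append((tokens[1], tokens[2], tokens[4]))
    return cfg


def lint(text):
    """Return a list of human-readable findings; an empty list means consistent."""
    cfg = parse_asa(text)
    findings = []
    # 1. Every applied ACL must exist under exactly that name.
    for acl_name, direction, ifname in cfg.access_groups:
        if acl_name not in cfg.acls:
            findings.append(
                f"access-group applies '{acl_name}' {direction} on {ifname}, "
                f"but no access-list named '{acl_name}' is defined"
            )
    # 2. An object-group with no members matches nothing.
    for name, members in cfg.object_groups.items():
        if not members:
            findings.append(f"object-group '{name}' has no members")
    global_ips = {s[2] for s in cfg.statics}
    local_ips = {s[3] for s in cfg.statics}
    for acl_name, rules in cfg.acls.items():
        for rule in rules:
            # 3. Referenced object-groups must be defined.
            og = re.search(r"object-group (\S+)", rule)
            if og and og.group(1) not in cfg.object_groups:
                findings.append(f"{acl_name} references undefined object-group '{og.group(1)}'")
            # 4. Pre-8.3: the ACL applied inbound on Outside must name the
            #    static's global address (assumes every ACL here is such an ACL).
            for ip in re.findall(r"host (\S+)", rule):
                if ip in local_ips:
                    findings.append(f"{acl_name} uses real address {ip}; an outside ACL needs the global address")
                elif ip not in global_ips:
                    findings.append(f"{acl_name} permits host {ip}, which no static maps to an inside host")
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label}:")
        for f in lint(cfg_text) or ["no findings"]:
            print("  -", f)
```

Running it prints three findings for the posted fragment and none for the corrected one; paste the real `show running-config` output in place of the constructed strings to run the same checks against a device.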
You can configure "any" for the client, or you can use a more specific IP address (your customer's actual IP address), just in case there are a lot of DNS queries going towards the DNS server.
Further to that, I wouldn't worry too much about the port number in the ACL; just match it on UDP without a port, as I wouldn't think there would be other types of UDP traffic going towards the DNS server.
access-list capi permit udp host <dns-server-real-ip> any
access-list capi permit udp any host <dns-server-real-ip>
access-list capo permit udp host <dns-server-global-ip> any
access-list capo permit udp any host <dns-server-global-ip>