Need to block all DNS traffic to the outside world except from the server VLAN

Unanswered Question
Sep 9th, 2010

Hi Pros,

Here is my challenge: I want to block all DNS traffic to the outside. Basically, I want my users to be able to use only our DNS servers. Some of our users bypass network policies by adding some OpenDNS servers. I need to block all these servers. Is there a way to do that?



Allen P Chen (Cisco Employee) Thu, 09/09/2010 - 17:08


You can apply an ACL to the inside interface to block all DNS traffic except from the subnet of your server VLAN. For example, if your server VLAN was assigned the IP subnet of, you can do something like:

access-list INSIDE_OUT permit udp <SERVER_VLAN_SUBNET> <SUBNET_MASK> any eq domain (allows the server VLAN subnet to query external DNS servers; replace the placeholders with your server VLAN's network and mask)

access-list INSIDE_OUT deny udp any any eq domain (blocks all other DNS requests from internal hosts)

access-list INSIDE_OUT permit ip any any (allows all other traffic)

access-group INSIDE_OUT in interface inside (applies access-list INSIDE_OUT to the inside interface)

Hope that helps.
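
To check what the ACL above actually does before applying it, here is a small first-match simulator for ASA-style extended ACL lines. This is an added example, not code from the thread or from Cisco; the server VLAN 10.10.20.0/255.255.255.0, the client address 10.10.50.25 and the external addresses in the test are assumed values. It also shows that the posted lines match only UDP, so a client using DNS over TCP port 53 would still be permitted unless a matching tcp deny line is added.

```python
import ipaddress

# Constructed ACL modelled on the answer above; the source subnet is assumed.
ACL = """
access-list INSIDE_OUT extended permit udp 10.10.20.0 255.255.255.0 any eq domain
access-list INSIDE_OUT extended deny udp any any eq domain
access-list INSIDE_OUT extended permit ip any any
"""

PORT_NAMES = {"domain": 53}  # ASA keyword for port 53


def _parse_addr(tokens, i):
    """Return (network, next_index) for 'any', 'host A' or 'A MASK'."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_acl(text):
    """Parse 'access-list NAME [extended] ACTION PROTO SRC DST [eq PORT]' lines."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        i = 3 if t[2] == "extended" else 2
        action, proto = t[i], t[i + 1]
        src, i = _parse_addr(t, i + 2)
        dst, i = _parse_addr(t, i)
        port = None
        if i < len(t) and t[i] == "eq":
            port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
        rules.append((action, proto, src, dst, port))
    return rules


def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """First matching entry wins; the ASA appends an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, src, dst, port in rules:
        if p != "ip" and p != proto:
            continue
        if s not in src or d not in dst:
            continue
        if port is not None and port != dst_port:
            continue
        return action
    return "deny"
```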
