Need to block all DNS traffic to the outside world except from the server VLAN

Hi Pros,

Here is my challenge: I want to block all DNS traffic to the outside. Basically, I want my users to be able to use only our DNS servers. Some of our users bypass network policies by adding some OpenDNS servers. I need to block all these servers. Is there a way to do that?

Thanks,

J.P.E


Allen P Chen
Level 5

Hello,

You can apply an ACL to the inside interface to block all DNS traffic except from the subnet of your server VLAN.  For example, if your server VLAN was assigned the IP subnet of 192.168.10.0/24, you can do something like:

access-list INSIDE_OUT permit udp 192.168.10.0 255.255.255.0 any eq domain (allows subnet 192.168.10.0/24 to query external DNS servers)

access-list INSIDE_OUT deny udp any any eq domain (blocks all other DNS requests from internal hosts)

access-list INSIDE_OUT permit ip any any (allow all other traffic)

access-group INSIDE_OUT in interface inside (applies access-list INSIDE_OUT to the inside interface)

Hope that helps.
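As an added example (written for this page, not part of the reply above or a Cisco-supplied config), here is the same inside-interface ACL fleshed out the way I would deploy it. It assumes an ASA with an interface named "inside", a server VLAN of 192.168.10.0/24 that is reached through that interface, and the ACL and object-group names shown; it also covers DNS over TCP, which the original four lines leave open, logs the denied queries so you can see who is still pointing at OpenDNS, and optionally drops DNS over TLS (TCP/853).

```cisco
! Added example, not from the original post. Assumptions: ASA, interface
! "inside", server VLAN 192.168.10.0/24 behind "inside", names are arbitrary.
object-group network DNS_SERVERS
 network-object 192.168.10.0 255.255.255.0
!
access-list INSIDE_OUT remark Only the server VLAN may send DNS to the outside
access-list INSIDE_OUT extended permit udp object-group DNS_SERVERS any eq domain
access-list INSIDE_OUT extended permit tcp object-group DNS_SERVERS any eq domain
!
access-list INSIDE_OUT remark Log and drop DNS from every other inside host (UDP and TCP 53)
access-list INSIDE_OUT extended deny udp any any eq domain log
access-list INSIDE_OUT extended deny tcp any any eq domain log
!
access-list INSIDE_OUT remark Optional: also drop DNS over TLS (TCP/853)
access-list INSIDE_OUT extended deny tcp any any eq 853 log
!
access-list INSIDE_OUT remark Everything else passes; without this the ASA's implicit deny drops it
access-list INSIDE_OUT extended permit ip any any
!
access-group INSIDE_OUT in interface inside
```

Two points to check before relying on it. First, the ACL only sees traffic entering the interface it is bound to: if the server VLAN sits on its own ASA interface (a "dmz", say) rather than behind "inside", the permit lines are unnecessary on INSIDE_OUT and the servers are governed by whatever ACL is on their own interface. Second, a port-based ACL cannot stop DNS over HTTPS, which rides on TCP/443 to ordinary web endpoints; that takes URL or FQDN filtering, or blocking the resolver addresses themselves. After applying the ACL, `show access-list INSIDE_OUT` shows the hit counts per line, so a rising count on the deny entries (and the logged source addresses) tells you which users are still trying to bypass the internal resolvers.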
