ACL for DNS Service

Answered Question
Sep 28th, 2010
User Badges:


/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Hello, I would like to know what is the recommended ACL to configure in a router, to give a public DNS service.

I know the basic, permit eq domain, deny special use IP address (10.0.0.0/8, 192.168.0.0/16, ...), block everything else....

Do I need to open upper ports?, any ACL with established?

I would like suggestions to configure a solid ACL.

Thanks,

Gonzalo

Correct Answer by Collin Clark about 6 years 8 months ago

For transfers from another DNS server to yours (make sure this is correct, can be very dangerous) -


permit tcp host [remote dns server] host [your dns servers public IP] eq 53


For external people querying your DNS servers for dns lookups -


permit udp any host [your dns server public IP] eq 53


Hope that helps.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Federico Coto F... Tue, 09/28/2010 - 14:04
User Badges:
  • Green, 3000 points or more

Hi,


Do you mean allowing the internal network to contact an external DNS server?

If so, just need to open UDP domain on the ACL applied to the inside interface.


i.e

Internal network 10.1.1.0/24

External DNS 4.2.2.2


access-list INSIDE permit udp 10.1.1.0/24 host 4.2.2.2 eq 53

access-group INSIDE in interface INSIDE


The above ACL will only allow outbound DNS requests to port 53 on UDP to 4.2.2.2 from the internal LAN.

Remember that every other outbound traffic that needs to get out should be permitted on that ACL as well.


Federico.

argnetworking Tue, 09/28/2010 - 14:38
User Badges:

no, I have to allow external users to get to the DNS (public DNS) behind a cisco router.

Federico Coto F... Tue, 09/28/2010 - 14:50
User Badges:
  • Green, 3000 points or more

To allow external users to access an internal DNS, you do something like this:


ip access-list extended OUTSIDE

  permit udp any host x.x.x.x eq 53


interface fasx/x

  ip access-group OUTSIDE in


The above ACL only permits inbound DNS traffic on port 53 to host x.x.x.x (which is going to be the public IP assigned to the DNS server).


Now,

Referring to the ACL, you should specify all other traffic that should be permitted.


Normally what you do on an IOS router is to configure some sort of stateful behavior (like an ASA), to avoid having to open all ports in that ACL.

Easiest way is to use CBAC to permit the return traffic of the outside connections (and you only worry about permitting traffic that it's initiated from the outside world coming in).


Recommended way is Zone-Based Firewall.


Federico.

argnetworking Tue, 09/28/2010 - 19:31
User Badges:
/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Federico,

Thanks for the replay, I have a working ACL but is too open. I would like to do it again and that is why I’m asking for recommendations. I inherited the configuration and I’m trying to do it the right way.

I can not apply any sort of stateful firewall because it is a DNS that has a lot of hits , and the CPU goes to the roof. So, my intention is to open only the necessary ports on the ACL.


Thanks,

Gonzalo

argnetworking Wed, 09/29/2010 - 14:30
User Badges:

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Collin, thanks a lot, it is great, that it is exactly one of the parts I was looking for. Now I only need to know if there are any other recommendations on specific ACLs for DNS service.


Thanks,


Gonzalo

Collin Clark Thu, 09/30/2010 - 06:37
User Badges:
  • Purple, 4500 points or more

Are you doing any DNS transfers or are they simply look ups?

Correct Answer
Collin Clark Thu, 09/30/2010 - 07:22
User Badges:
  • Purple, 4500 points or more

For transfers from another DNS server to yours (make sure this is correct, can be very dangerous) -


permit tcp host [remote dns server] host [your dns servers public IP] eq 53


For external people querying your DNS servers for dns lookups -


permit udp any host [your dns server public IP] eq 53


Hope that helps.

argnetworking Sat, 10/02/2010 - 21:44
User Badges:

I have both of them already working like that.

Thanks


PS: What did you use to buid your site? I liked the organization like folders.

Actions

This Discussion

Related Content