Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
70432
Views
0
Helpful
12
Replies

ACL for DNS Service

Go to solution
argnetworking
Level 1
Level 1

‎09-28-2010 01:39 PM - edited ‎03-11-2019 11:46 AM

Hello, I would like to know what is the recommended ACL to configure in a router, to give a public DNS service.

I know the basic, permit eq domain, deny special use IP address (10.0.0.0/8, 192.168.0.0/16, ...), block everything else....

Do I need to open upper ports?, any ACL with established?

I would like suggestions to configure a solid ACL.

Thanks,

Gonzalo

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to argnetworking

‎09-30-2010 07:22 AM

For transfers from another DNS server to yours (make sure this is correct, can be very dangerous) -

permit tcp host [remote dns server] host [your dns servers public IP] eq 53

For external people querying your DNS servers for dns lookups -

permit udp any host [your dns server public IP] eq 53

Hope that helps.

View solution in original post

0 Helpful
12 Replies 12

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎09-28-2010 02:04 PM

Hi,

Do you mean allowing the internal network to contact an external DNS server?

If so, just need to open UDP domain on the ACL applied to the inside interface.

i.e

Internal network 10.1.1.0/24

External DNS 4.2.2.2

access-list INSIDE permit udp 10.1.1.0/24 host 4.2.2.2 eq 53

access-group INSIDE in interface INSIDE

The above ACL will only allow outbound DNS requests to port 53 on UDP to 4.2.2.2 from the internal LAN.

Remember that every other outbound traffic that needs to get out should be permitted on that ACL as well.

Federico.

0 Helpful

Go to solution
argnetworking
Level 1
Level 1
In response to Federico Coto Fajardo

‎09-28-2010 02:38 PM

no, I have to allow external users to get to the DNS (public DNS) behind a cisco router.

0 Helpful

Go to solution
Federico Coto Fajardo
VIP Alumni
VIP Alumni
In response to argnetworking

‎09-28-2010 02:50 PM

To allow external users to access an internal DNS, you do something like this:

ip access-list extended OUTSIDE

  permit udp any host x.x.x.x eq 53

interface fasx/x

  ip access-group OUTSIDE in

The above ACL only permits inbound DNS traffic on port 53 to host x.x.x.x (which is going to be the public IP assigned to the DNS server).

Now,

Referring to the ACL, you should specify all other traffic that should be permitted.

Normally what you do on an IOS router is to configure some sort of stateful behavior (like an ASA), to avoid having to open all ports in that ACL.

Easiest way is to use CBAC to permit the return traffic of the outside connections (and you only worry about permitting traffic that it's initiated from the outside world coming in).

Recommended way is Zone-Based Firewall.

Federico.

0 Helpful

Go to solution
argnetworking
Level 1
Level 1
In response to Federico Coto Fajardo

‎09-28-2010 07:31 PM

Federico,

Thanks for the replay, I have a working ACL but is too open. I would like to do it again and that is why I’m asking for recommendations. I inherited the configuration and I’m trying to do it the right way.

I can not apply any sort of stateful firewall because it is a DNS that has a lot of hits , and the CPU goes to the roof. So, my intention is to open only the necessary ports on the ACL.

Thanks,

Gonzalo

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎09-29-2010 07:23 AM

Check this link for the most current public facing ACL we use. It matches the DISA standard so it should be pretty secure. You will have to tweak a couple of things like allowing BGP.

http://www.packetpros.com/cisco_kb/DIACAP_ACL.html

Hope it helps.

0 Helpful

Go to solution
argnetworking
Level 1
Level 1
In response to Collin Clark

‎09-29-2010 02:30 PM

Collin, thanks a lot, it is great, that it is exactly one of the parts I was looking for. Now I only need to know if there are any other recommendations on specific ACLs for DNS service.

Thanks,

Gonzalo

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to argnetworking

‎09-30-2010 06:37 AM

Are you doing any DNS transfers or are they simply look ups?

0 Helpful

Go to solution
argnetworking
Level 1
Level 1
In response to Collin Clark

‎09-30-2010 07:09 AM

Both, transfers and look ups?

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to argnetworking

‎09-30-2010 07:22 AM

For transfers from another DNS server to yours (make sure this is correct, can be very dangerous) -

permit tcp host [remote dns server] host [your dns servers public IP] eq 53

For external people querying your DNS servers for dns lookups -

permit udp any host [your dns server public IP] eq 53

Hope that helps.

0 Helpful

Go to solution
argnetworking
Level 1
Level 1
In response to Collin Clark

‎10-02-2010 09:44 PM

I have both of them already working like that.

Thanks

PS: What did you use to buid your site? I liked the organization like folders.

0 Helpful

Go to solution
RoeeM
Level 1
Level 1

‎12-01-2022 10:13 AM

hello i have similar Q, i need all users/PC int the net int diffrent site and vlans have access only  to the internal DNS server

i have 3 routers one main  the other 2 connect  to the main router.

what i need to do?

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card