ACL for DNS Service

Answered Question
Sep 28th, 2010

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Hello, I would like to know what is the recommended ACL to configure in a router, to give a public DNS service.

I know the basic, permit eq domain, deny special use IP address (10.0.0.0/8, 192.168.0.0/16, ...), block everything else....

Do I need to open upper ports?, any ACL with established?

I would like suggestions to configure a solid ACL.

Thanks,

Gonzalo

I have this problem too.
0 votes
Correct Answer by Collin Clark about 6 years 2 months ago

For transfers from another DNS server to yours (make sure this is correct, can be very dangerous) -

permit tcp host [remote dns server] host [your dns servers public IP] eq 53

For external people querying your DNS servers for dns lookups -

permit udp any host [your dns server public IP] eq 53

Hope that helps.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Federico Coto F... Tue, 09/28/2010 - 14:04

Hi,

Do you mean allowing the internal network to contact an external DNS server?

If so, just need to open UDP domain on the ACL applied to the inside interface.

i.e

Internal network 10.1.1.0/24

External DNS 4.2.2.2

access-list INSIDE permit udp 10.1.1.0/24 host 4.2.2.2 eq 53

access-group INSIDE in interface INSIDE

The above ACL will only allow outbound DNS requests to port 53 on UDP to 4.2.2.2 from the internal LAN.

Remember that every other outbound traffic that needs to get out should be permitted on that ACL as well.

Federico.

argnetworking Tue, 09/28/2010 - 14:38

no, I have to allow external users to get to the DNS (public DNS) behind a cisco router.

Federico Coto F... Tue, 09/28/2010 - 14:50

To allow external users to access an internal DNS, you do something like this:

ip access-list extended OUTSIDE

  permit udp any host x.x.x.x eq 53

interface fasx/x

  ip access-group OUTSIDE in

The above ACL only permits inbound DNS traffic on port 53 to host x.x.x.x (which is going to be the public IP assigned to the DNS server).

Now,

Referring to the ACL, you should specify all other traffic that should be permitted.

Normally what you do on an IOS router is to configure some sort of stateful behavior (like an ASA), to avoid having to open all ports in that ACL.

Easiest way is to use CBAC to permit the return traffic of the outside connections (and you only worry about permitting traffic that it's initiated from the outside world coming in).

Recommended way is Zone-Based Firewall.

Federico.

argnetworking Tue, 09/28/2010 - 19:31
/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Federico,

Thanks for the replay, I have a working ACL but is too open. I would like to do it again and that is why I’m asking for recommendations. I inherited the configuration and I’m trying to do it the right way.

I can not apply any sort of stateful firewall because it is a DNS that has a lot of hits , and the CPU goes to the roof. So, my intention is to open only the necessary ports on the ACL.

Thanks,

Gonzalo

argnetworking Wed, 09/29/2010 - 14:30

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;}

Collin, thanks a lot, it is great, that it is exactly one of the parts I was looking for. Now I only need to know if there are any other recommendations on specific ACLs for DNS service.

Thanks,

Gonzalo

Correct Answer
Collin Clark Thu, 09/30/2010 - 07:22

For transfers from another DNS server to yours (make sure this is correct, can be very dangerous) -

permit tcp host [remote dns server] host [your dns servers public IP] eq 53

For external people querying your DNS servers for dns lookups -

permit udp any host [your dns server public IP] eq 53

Hope that helps.

argnetworking Sat, 10/02/2010 - 21:44

I have both of them already working like that.

Thanks

PS: What did you use to buid your site? I liked the organization like folders.

Actions

This Discussion