×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

DNS service in lan only

Unanswered Question
Feb 20th, 2012
User Badges:

Hello,


On my router, I am using the DNS server service to forward DNS query to the Internet provider DNS.


I have enabled the command "ip dns server" on my router and then on each workstation, I have set the router host IP on the DNS entry on the NIC card.


This is working perfectly except the issue is that TCP 53 and UPD 53 is also exposed to the Internet and it is not acceptable for some Internet provider.


Is there a way to limit the DNS flow only from LAN to WAN only?


Thank you

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
jas2061461 Mon, 02/20/2012 - 09:32
User Badges:

I am not entirely sure what you are trying to limit?  If I am understanding you correctly, I would just configure DHCP to distribute a DNS server.  This way, you don't have to manually configure each work station to point to the router.  Then, DNS is limited to the LAN and the WAN can use a seperate DNS provider.  Is this on par with what you are asking?

infocis Mon, 02/20/2012 - 10:20
User Badges:

Hello,


The issue is about permiting the LAN only users to utilized the router DNS service. Since the router DNS service is binded to all interfaces, the WAN interface is listenning to queries from Internet and would act as a public DNS server. I only want the DNS service listening the LAN only and relay requests to appropriate DNS list (ip name-servers) .


Thanks

jas2061461 Mon, 02/20/2012 - 11:06
User Badges:

route-map Block_DNS permit 10

     match ip address 100


ip access-list 100 deny tcp [IP address that the DNS replies would be sent out] [WAN SNM] eq 53 any

ip access-list 100 deny udp [IP address that the DNS replies would be sent out] [WAN SNM] eq 53 any


interface [WAN interface]

ip policy route-map Block_DNS


Something like this should work.  Place it on ur Internet facing router. I'm at work, so I can't verify the syntax but it should be similar to what you need. You may need multiple ACL statements to deny traffic coming from multiple routers, as well. Let me know if this helps any or is at least in the right ballpark.

infocis Mon, 02/20/2012 - 11:51
User Badges:

Thanks, I  think we are getting to something here. Since the WAN is DHCP, we are force to deal with "any any"


I think we have to force the router DNS engine to pass throught the NAT table


Here is what we've tested


access-list 101 deny   udp any any eq domain

access-list 101 deny   tcp any any eq domain

access-list 101 permit ip any any



...

...

!remark permit udp traffic only

!remark permit tcp 53 only if server to server DNS list exchange is used

access-list 100 permit udp any any eq 53

...


route-map Block_DNS permit 10

     match ip address 100




Interface [WAN interface]

ip policy route-map Block_DNS

ip access-group 101 in

jas2061461 Mon, 02/20/2012 - 12:40
User Badges:

Using that route-map, it looks like you are permitting DNS traffic since you're using "permit" in the ACL and the route-map.  I thought you wanted to deny it.

jas2061461 Mon, 02/20/2012 - 12:44
User Badges:

Now that I think about it, you could just deny inbound traffic for DNS, which you did, and that would prevent any DNS replies from being sent out to the Internet. (since you are getting no requests)

infocis Mon, 02/20/2012 - 12:52
User Badges:

It is working now,


The router accept only request from the LAN side and forward the request to the Internet provider and get replies. The router does not respond anymore to DNS request from Internet.


Thanks giving me a hand.

Actions

This Discussion