DNS ACL help with Cisco 1921 ISR

Chellis Dodge (Level 1)

Hello All,

I'm having some issues with an access control list that is blocking incoming DNS from OpenDNS.com. I have this ACL applied to incoming traffic on the Gi0/0 interface that is attached to our ADSL modem. I am using c1900-universalk9-mz.SPA.152-4.M1.bin as my system file.

The Juicy Details:

ip name-server 208.67.220.220

ip name-server 208.67.222.222

SFCISCO#sh ip access-lists FROMINTERNET

Extended IP access list FROMINTERNET
    10 permit tcp host 208.67.220.220 any eq domain
    20 permit udp host 208.67.220.220 any eq domain
    30 permit tcp host 208.67.222.222 any eq domain
    40 permit udp host 208.67.222.222 any eq domain

    .........BREAK.......................

    900 deny ip any any log

SFCISCO#terminal monitor

SFCISCO#ping www.ebay.com
Translating "www.ebay.com"...domain server (208.67.220.220) (208.67.222.222)
% Unrecognized host or address, or protocol not running.

Sep 28 21:36:06.654: %SEC-6-IPACCESSLOGP: list FROMINTERNET denied udp 208.67.220.220(53) -> X.X.X.X(51303), 5 packets 
Sep 28 21:36:06.654: %SEC-6-IPACCESSLOGP: list FROMINTERNET denied udp 208.67.222.222(53) -> X.X.X.X(62144), 5 packets

---------

However, if I modify the ACL to have these commands, the DNS request resolves the IP address normally:

10  permit ip host 208.67.220.220 any log

20  permit ip host 208.67.222.222 any log

SFCISCO#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (208.67.220.220) [OK]

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.30.38.140, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 364/395/420 ms

Sep 28 21:53:56.627: %SEC-6-IPACCESSLOGP: list FROMINTERNET permitted udp 208.67.220.220(53) -> X.X.X.X(49156), 1 packet

Any reason why eq domain would not be working?

Thanks for your help in advance!

-Chellis

Accepted Solution

The answers for the DNS-queries will always come *from* port 53, so the Incoming ACL should look like this:

    10 permit tcp host 208.67.220.220 eq 53 any

    20 permit udp host 208.67.220.220 eq 53 any

    30 permit tcp host 208.67.222.222 eq 53 any

    40 permit udp host 208.67.222.222 eq 53 any

As this router is directly connected to the internet, the better solution would be to configure the IOS firewall, where the return traffic would be allowed automatically (Sec License needed):

ip inspect name FW tcp router-traffic

ip inspect name FW udp router-traffic

ip inspect name FW icmp router-traffic

ip inspect name FW ftp

ip access-list extended INTERNET-IN

  deny ip any any

int gig 0/0

  descr Connection to internet

  ip access-group INTERNET-IN in

  ip inspect FW out

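The mismatch shown in the question and the fix given in the accepted answer, modelled as an added Python example (not code from the thread or from Cisco): a small evaluator for the extended-ACL subset used on this page, run over the original and the corrected FROMINTERNET entries against the reply the log showed being denied, plus a rough model of what an outbound "ip inspect" adds on top of a deny-all inbound list. The Packet and Inspector types, the port-name table and the router address 203.0.113.10 (a TEST-NET-3 stand-in for the masked X.X.X.X) are assumptions made for illustration.

```python
"""Models how an IOS extended ACL matches a packet, to show why the question's
FROMINTERNET list drops OpenDNS replies while the accepted answer's list passes
them.  Added example, not code from the thread or from Cisco; the ACE subset,
Packet type, Inspector class and router address are assumed for illustration."""
from collections import namedtuple
from ipaddress import IPv4Address, IPv4Network

PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21}   # subset of IOS's 'eq' names
# Packet: proto is "tcp"/"udp"/"icmp".  Ace: sport/dport are the 'eq' qualifiers
# after the source and destination address respectively, None meaning any port.
Packet = namedtuple("Packet", "proto src dst sport dport")
Ace = namedtuple("Ace", "action proto src sport dst dport log")


def _parse_addr(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]."""
    if tokens[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask (IOS wildcard) in place of a prefix length
    return IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' that follows an address specification."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = int(name) if name.isdigit() else PORT_NAMES.get(name)
        if port is None:
            raise ValueError(f"unknown port name {name!r}")
        return port, i + 2
    return None, i


def parse_ace(line):
    """Parse one entry such as '20 permit udp host 208.67.220.220 eq 53 any'."""
    tokens = line.split()
    if tokens[0].isdigit():   # drop the sequence number
        tokens = tokens[1:]
    src, i = _parse_addr(tokens, 2)
    sport, i = _parse_port(tokens, i)
    dst, i = _parse_addr(tokens, i)
    dport, i = _parse_port(tokens, i)
    return Ace(tokens[0], tokens[1], src, sport, dst, dport, "log" in tokens[i:])


def ace_matches(ace, pkt):
    if ace.proto != "ip" and ace.proto != pkt.proto:
        return False
    if IPv4Address(pkt.src) not in ace.src or IPv4Address(pkt.dst) not in ace.dst:
        return False
    # 'eq' binds to the address it follows: after the source it tests the
    # source port, after the destination it tests the destination port.
    if ace.sport is not None and pkt.sport != ace.sport:
        return False
    return ace.dport is None or pkt.dport == ace.dport


def evaluate(acl, pkt):
    """First match wins; an IOS ACL ends with an implicit 'deny ip any any'."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


class Inspector:
    """Rough model of 'ip inspect ... out': a flow seen leaving opens a
    temporary hole for its reverse flow, consulted before the inbound ACL."""
    def __init__(self, inbound_acl):
        self.acl, self.sessions = inbound_acl, set()

    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def inbound(self, pkt):
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "permit"
        return evaluate(self.acl, pkt)


ORIGINAL = [parse_ace(e) for e in (    # the list posted in the question
    "10 permit tcp host 208.67.220.220 any eq domain",
    "20 permit udp host 208.67.220.220 any eq domain",
    "30 permit tcp host 208.67.222.222 any eq domain",
    "40 permit udp host 208.67.222.222 any eq domain",
    "900 deny ip any any log")]
CORRECTED = [parse_ace(e) for e in (   # the list from the accepted answer
    "10 permit tcp host 208.67.220.220 eq 53 any",
    "20 permit udp host 208.67.220.220 eq 53 any",
    "30 permit tcp host 208.67.222.222 eq 53 any",
    "40 permit udp host 208.67.222.222 eq 53 any",
    "900 deny ip any any log")]
# The reply the log showed denied, 208.67.220.220(53) -> X.X.X.X(51303);
# 203.0.113.10 (TEST-NET-3) is a constructed stand-in for the masked address.
REPLY = Packet("udp", "208.67.220.220", "203.0.113.10", 53, 51303)


def dns_exchange_with_inspection():
    """REPLY's verdict through a bare 'deny ip any any' inbound list, before
    and after the router's own query has crossed the inspector outbound."""
    fw = Inspector([parse_ace("deny ip any any")])
    before = fw.inbound(REPLY)
    fw.outbound(Packet("udp", "203.0.113.10", "208.67.220.220", 51303, 53))
    return before, fw.inbound(REPLY)
```

Calling evaluate(ORIGINAL, REPLY) returns "deny" because "any eq domain" tests the reply's destination port, which is the ephemeral 51303 the router chose, while evaluate(CORRECTED, REPLY) returns "permit" because "eq 53" now sits after the source address. Note what the corrected list still lets in: any packet that arrives from port 53 at either OpenDNS address, to any port on the router, whether or not a query was ever sent. That is the stateless trade-off the answer's inspection suggestion removes; dns_exchange_with_inspection() returns ("deny", "permit"), the reply being admitted only once the router's own query has been seen leaving.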


Chellis Dodge (Level 1)

Also, to further clarify: I can ping websites by IP address; however, DNS is hitting our deny ip any any at the bottom of our internet ACL when it comes back in. There is no ACL applied to traffic coming into the Gi 0/0 interface that would be causing any problems.

Hello Chellis,

Could you try the following ACL and let me know the results.

permit udp host 208.67.220.220 any eq domain

permit udp host 208.67.220.220 eq domain any

permit tcp host 208.67.220.220 any eq domain

permit tcp host 208.67.220.220 eq domain any

Regards

Harish.

Please rate all helpful posts!


Thanks, it's been a few years since I've written an ACL; I forgot the eq 53 needed to go into the source portion of the ACL. The Sec License is out of the question as this is a poor man's firewall. Thanks for your help, gents.

The Best reply for me.

If the DNS queries are generated from the router, the best practice is to configure ip inspect with the "router-traffic" final keyword.

Thank you very much

Great

Regards

Alessandro Bertacco
