DNS & VLANs

Feb 13th, 2006

I have a network set up with two VLANs. Each VLAN connects to a common 1721 router. Neither of these VLANs can speak to each other (via subinterfaces and access lists). Now with the help of people here, I've figured out how to handle DHCP on the second VLAN via the router, but now I've realized another problem. My *DNS* server is also on the first VLAN (which the second VLAN isn't allowed to speak to). Are there any suggestions about how I can resolve this little dilemma?

pkhatri Mon, 02/13/2006 - 14:59

Why don't you punch a hole in your ACLs that lets DNS requests through but denies everything else?

You need to allow udp/53 in either direction.

Paresh

dbrunsting Mon, 02/13/2006 - 15:03

I'm hesitant to punch a hole through the ACLs is the only thing. The separation of the two VLANs is something sort of required by law. And how easy/difficult would it be to do that? Would it be securely isolated?

pkhatri Mon, 02/13/2006 - 15:08

As long as you make your ACL really tight and only let UDP/53 through, then you are fine.

That will not let any other traffic through.

Paresh

thisisshanky Mon, 02/13/2006 - 15:01

Obviously you will have to start routing between the two subnets if you want to use the DNS in subnet 1 from subnet 2. Cisco routers don't run a DNS server, so you cannot use them to resolve names. You can do controlled routing via access-lists. All you need to do is to allow port 53 (DNS) for DNS queries to pass between the two subnets.

Now on the DHCP scope you define for subnet 2, you can specify the DNS server in subnet 1 as the DNS server.

int fa0/0
 description Subnet 1
 ip address 10.10.10.1 255.255.255.0
!
int fa0/1
 description Subnet 2
 ip address 10.10.20.1 255.255.255.0
!
ip dhcp pool Subnet2
 network 10.10.20.0 /24
 default-router 10.10.20.1
 dns-server <address of the DNS server in subnet 1>
 netbios-name-server <address of the WINS server>   ! only if you need WINS
 lease <days>

HTH

Sankar

PS: please remember to rate posts!
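To make the "tight ACL that only lets UDP/53 through" concrete, here is an added example (not configuration from any of the posters) of the two inbound ACLs on the router's dot1Q subinterfaces. It assumes the subnets from Sankar's post (10.10.10.0/24 on FastEthernet0.10, 10.10.20.0/24 on FastEthernet0.20), a constructed DNS server address of 10.10.10.5, and that the router itself is the DHCP server for VLAN 2.

```cisco
! Added example, not from the original posts. Assumptions (labelled):
!   - VLAN 1 = 10.10.10.0/24 on FastEthernet0.10, VLAN 2 = 10.10.20.0/24 on
!     FastEthernet0.20 (dot1Q subinterfaces, as the question describes)
!   - the DNS server is 10.10.10.5 (constructed address; substitute your own)
!   - the router serves DHCP for VLAN 2, so DHCP to the router must stay open
!
ip access-list extended VLAN2-IN
 remark DHCP from VLAN 2 clients to the router's own DHCP server
 permit udp any eq bootpc any eq bootps
 remark DNS queries only, and only to the DNS server on VLAN 1
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.5 eq domain
 remark everything else toward VLAN 1 is blocked and logged for review
 deny   ip  10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 remark traffic to any other destination (e.g. the WAN) is unaffected
 permit ip  10.10.20.0 0.0.0.255 any
!
ip access-list extended VLAN1-IN
 remark DNS replies from the server back to VLAN 2; ACLs are stateless,
 remark so the return direction has to be opened explicitly
 permit udp host 10.10.10.5 eq domain 10.10.20.0 0.0.0.255
 remark no other VLAN 1 host may initiate anything toward VLAN 2
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip  10.10.10.0 0.0.0.255 any
!
interface FastEthernet0.10
 encapsulation dot1Q 10
 ip address 10.10.10.1 255.255.255.0
 ip access-group VLAN1-IN in
!
interface FastEthernet0.20
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group VLAN2-IN in
```

Check the hit counters with `show access-lists` after a few lookups: the `permit udp ... eq domain` lines should climb while the logged `deny` lines stay at zero. Large DNS answers fall back to TCP port 53, so add matching `permit tcp` lines if your resolver needs them.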


thisisshanky Mon, 02/13/2006 - 15:06

Punching a hole for DNS can be a loophole for somebody to do a DoS attack on your DNS server. I would suggest then that you use another DNS server.

pkhatri Mon, 02/13/2006 - 15:11

Since you would already allow DNS traffic to the DNS service from external networks (in order to be able to resolve DNS queries), punching a hole to let through an internal network will not really create a security hole that is not there already.

Paresh

dbrunsting Tue, 02/14/2006 - 06:07

Thank you both for your responses. This was very helpful.

raarons Tue, 02/14/2006 - 06:25

Just my 2 cents, but if you are blocking the two VLANs from talking to each other for security (OK - I know it's not much security, but it's some), then why not just add another VLAN and put just your DNS server in it? Then let both the other subnets only talk to the DNS subnet - sort of a DNS DMZ, if you will.
