Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Disecting ACL that allows DNS name resolution

Can you guys please help me understand why the line

permit udp any eq domain host

which is part of the ACL applied to the outside interface in the IN direction allows my internal users to properly browse the internet sites by name?

If I dont have this statement, my internal users can't resolve anything by name. We use public DNS servers in our PC's tcp/ip settings like

I'm confused because everything outbound is allowed in my network and I know that when we browse to a site, for example, the internal host places a DNS query to its DNS server, in this case which is a public DNS server. So, the internal host sends out this query to port 53 to the public DNS, and because it is an outbound traffic, it is allowed and thus should not be asking for that statement to work... this is why Im confused.

Also, as far as I understand, returned traffic for a connection that originated o nthe inside is also allowed by this statement

permit tcp any any established

This is why I even get more confused but there must be something I am missing with regards to DNS resolution.

Any help or links that can help me understand this?

thanks in advance

New Member

Re: Disecting ACL that allows DNS name resolution

Hello Sir,

Yes, the ASA is a stateful device for traffic that is originated from the trusted network, to the untrusted network.

The ASA perform inspection of this traffic to permit the return traffic to come back in(reflexive ACL).

Please try the following:

policy-map global_policy

class inspection_default

inspect dns

If this does not works, please send me the log message that you are getting.

New Member

Re: Disecting ACL that allows DNS name resolution

I think I left out a detail... I have this on an IOS (router).