DNS not functioning properly.

Brendan Wood
Level 1

My DNS is giving me plenty of errors such as:

Severity 4, Jul 21 2012 18:57:45, src 172.21.20.2 port 58390, dst 66.49.220.95 port 53:
Deny udp src dmz:172.21.20.2/58390 dst outside:66.49.220.95/53 by access-group "dmz_access_in" [0x0, 0x0]

Severity 4, Jul 21 2012 18:59:23, src 172.21.20.2 port 59567, dst 67.55.0.11 port 53:
Deny udp src dmz:172.21.20.2/59567 dst outside:67.55.0.11/53 by access-group "dmz_access_in" [0x0, 0x0]

Was wondering if anyone can suggest changes to make to fix this DNS issue. My DNS servers are external to my network and are located at 66.49.220.95 and 67.55.0.11.

Thanks.


nkarthikeyan
Level 7

Hi Brendan,

There is a small mistake with your config. You have an ACL like the one below:

access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0

access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SRV-DMZ-GROUP

!

You are denying the entire IP packet in line 1, so it blocks all the traffic going out. Also, DNS uses UDP, not TCP.

Please put the permit rules first. Apply the ACL below.

ACL

=====

no access-list dmz_access_in

access-list dmz_access_in extended permit udp object-group SRV-DMZ-GROUP host 66.49.220.95 eq 53

access-list dmz_access_in extended permit udp object-group SRV-DMZ-GROUP host 67.55.0.11 eq 53

access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SRV-DMZ-GROUP

access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0

!

I have modified it a little as per the requirement. Your DNS issue will get resolved with these ACLs applied.

Please do rate if the given info helps.

By

Karthik
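The point of the reply is that an ASA access list is evaluated top to bottom, first match wins, and anything no entry permits falls into the implicit deny at the end. The script below is an added example (not part of the thread and not Cisco code): it parses deny messages of the same shape as the two in the question into a 5-tuple, then evaluates them against both the ACL as posted and the ACL proposed in the reply. The contents of the object groups are not shown in the thread, so they are assumptions here: SRV-DMZ-GROUP is taken to contain 172.21.20.2, DM_INLINE_SERVICE_2 is taken to be tcp/80 and tcp/443, and the destination of that service rule is taken to be any.

```python
"""First-match evaluation of the two dmz_access_in orderings from the thread.

Added example, not the thread's own code. Object-group contents and the
destination of the DM_INLINE_SERVICE_2 rule are assumptions (see comments).
"""
import ipaddress
import re

# Constructed ASA deny lines with the same shape as the ones in the question.
DENY_LOGS = [
    'Deny udp src dmz:172.21.20.2/58390 dst outside:66.49.220.95/53 by access-group "dmz_access_in" [0x0, 0x0]',
    'Deny udp src dmz:172.21.20.2/59567 dst outside:67.55.0.11/53 by access-group "dmz_access_in" [0x0, 0x0]',
]

LOG_RE = re.compile(
    r"Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

ANY = ipaddress.ip_network("0.0.0.0/0")

# Assumed object-group contents: the thread never shows them.
NET_GROUPS = {"SRV-DMZ-GROUP": [ipaddress.ip_network("172.21.20.2/32")]}
SVC_GROUPS = {"DM_INLINE_SERVICE_2": [("tcp", 80), ("tcp", 443)]}


def flow(proto, src, sport, dst, dport):
    """Build a 5-tuple in the form evaluate() expects."""
    return {"proto": proto, "src": ipaddress.ip_address(src), "sport": sport,
            "dst": ipaddress.ip_address(dst), "dport": dport}


def parse_deny(line):
    """Extract the 5-tuple from an ASA 'Deny ... by access-group' message."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return flow(m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))


def rule(action, services, src, dst):
    """services: list of (proto, dport); proto 'ip' matches everything."""
    return {"action": action, "services": services, "src": src, "dst": dst}


def matches(r, pkt):
    if not any(pkt["src"] in n for n in r["src"]):
        return False
    if not any(pkt["dst"] in n for n in r["dst"]):
        return False
    for proto, dport in r["services"]:
        if proto == "ip":
            return True
        if proto == pkt["proto"] and (dport is None or dport == pkt["dport"]):
            return True
    return False


def evaluate(acl, pkt):
    """First match wins; an ASA ACL ends with an implicit deny of everything."""
    for r in acl:
        if matches(r, pkt):
            return r["action"]
    return "deny (implicit)"


DMZ = NET_GROUPS["SRV-DMZ-GROUP"]
INTERNAL = [ipaddress.ip_network("172.20.20.0/23")]  # 172.20.20.0 255.255.254.0 from the thread
DNS_SERVERS = [ipaddress.ip_network("66.49.220.95/32"), ipaddress.ip_network("67.55.0.11/32")]

# The ACL as posted in the question (service-rule destination assumed 'any').
ORIGINAL_ACL = [
    rule("deny", [("ip", None)], DMZ, INTERNAL),
    rule("permit", SVC_GROUPS["DM_INLINE_SERVICE_2"], DMZ, [ANY]),
]

# The ACL proposed in the reply, with the same assumption about the service rule.
PROPOSED_ACL = [
    rule("permit", [("udp", 53)], DMZ, DNS_SERVERS[:1]),
    rule("permit", [("udp", 53)], DMZ, DNS_SERVERS[1:]),
    rule("permit", SVC_GROUPS["DM_INLINE_SERVICE_2"], DMZ, [ANY]),
    rule("deny", [("ip", None)], DMZ, INTERNAL),
]


def verdicts(acl, lines=DENY_LOGS):
    """Return the action each logged flow would get under the given ACL."""
    return [evaluate(acl, parse_deny(line)) for line in lines]


if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("proposed", PROPOSED_ACL)):
        print(name, verdicts(acl))
    # Does the internal-network deny still apply after the permit was moved above it?
    web_to_internal = flow("tcp", "172.21.20.2", 40000, "172.20.20.5", 443)
    print("proposed, tcp/443 from DMZ to 172.20.20.5:", evaluate(PROPOSED_ACL, web_to_internal))
```

Under the assumptions above, the logged udp/53 flows match no entry of the posted ACL and end in the implicit deny, which is exactly what the log lines report; the proposed ACL permits them on its first two entries. The last check is the caveat worth running against the real object groups before applying the change: with the service rule's destination assumed to be any, moving `deny ip ... 172.20.20.0 255.255.254.0` below that permit means tcp/80 and tcp/443 from the DMZ to the internal range is now permitted where the original order denied it. If that deny was meant to keep the DMZ off the internal network, it belongs above the DM_INLINE_SERVICE_2 permit, with only the two DNS permits ahead of it.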
