Cisco Support Community

New Member
Need to block all DNS traffic to the outside world except from the server VLAN

Hi Pros,

Here is my challenge: I want to block all DNS traffic to the outside. Basically, I want my users to be able to use only our DNS servers. Some of our users bypass network policies by adding some OpenDNS servers. I need to block all these servers. Is there a way to do that?

Thanks,

J.P.E

Cisco Employee

Re: Need to block all DNS traffic to the outside world except from the server VLAN

Hello,

You can apply an ACL to the inside interface to block all DNS traffic except from the subnet of your server VLAN. For example, if your server VLAN were assigned the IP subnet 192.168.10.0/24, you could do something like:

access-list INSIDE_OUT extended permit udp 192.168.10.0 255.255.255.0 any eq domain (allows subnet 192.168.10.0/24 to query external DNS servers over UDP/53)

access-list INSIDE_OUT extended permit tcp 192.168.10.0 255.255.255.0 any eq domain (same for DNS over TCP/53, used for large responses and zone transfers)

access-list INSIDE_OUT extended deny udp any any eq domain (blocks all other UDP DNS requests from internal hosts)

access-list INSIDE_OUT extended deny tcp any any eq domain (blocks all other TCP DNS requests from internal hosts)

access-list INSIDE_OUT extended permit ip any any (allows all other traffic)

access-group INSIDE_OUT in interface inside (applies access-list INSIDE_OUT to traffic entering the inside interface)

Hope that helps.
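The reply above gives the minimal ACL. As an added example (not from the original thread, and not Cisco's own published configuration), here is a fuller ASA version of the same idea that also covers DNS over TCP/53 and DNS over TLS (TCP/853), logs the denies so bypass attempts show up in syslog, and shows how to verify the policy. The object and ACL names, the 192.168.10.0/24 server VLAN, the 192.168.20.0/24 user VLAN and the test host addresses are assumptions for illustration; 208.67.222.222 is one of OpenDNS's published resolver addresses, used here only as a test destination.

```cisco
! Added example, not part of the original post. Assumes ASA 8.3 or later,
! server VLAN 192.168.10.0/24 behind the "inside" interface (as in the reply).
! Object/ACL names are hypothetical.

! The only subnet allowed to reach external resolvers
object network SERVER_VLAN
 subnet 192.168.10.0 255.255.255.0

! Everything an ordinary client could use to resolve names directly:
! UDP/53, TCP/53 and DNS over TLS on TCP/853. DNS over HTTPS rides on
! TCP/443 and cannot be singled out by port; see the note below.
object-group service DNS_PORTS
 service-object udp destination eq domain
 service-object tcp destination eq domain
 service-object tcp destination eq 853

access-list INSIDE_OUT remark Server VLAN may query external resolvers
access-list INSIDE_OUT extended permit object-group DNS_PORTS object SERVER_VLAN any
access-list INSIDE_OUT remark Everyone else: deny and log the attempt
access-list INSIDE_OUT extended deny object-group DNS_PORTS any any log
access-list INSIDE_OUT remark All remaining traffic is allowed as before
access-list INSIDE_OUT extended permit ip any any

access-group INSIDE_OUT in interface inside

! Verification (run from enable mode, not part of the config):
! packet-tracer walks a synthetic packet through the policy and prints
! whether it is allowed or dropped and which ACL line matched.
! Assumed user host 192.168.20.5, assumed server 192.168.10.53.
!
! packet-tracer input inside udp 192.168.20.5 40000 208.67.222.222 53
!   -> expected result: DROP, matched by the deny line
! packet-tracer input inside udp 192.168.10.53 40000 208.67.222.222 53
!   -> expected result: ALLOW, matched by the permit line
!
! Hit counters per line show whether clients are still trying:
! show access-list INSIDE_OUT
!
! Logged denies arrive as %ASA-4-106023 messages; filter on the
! destination port to list the hosts that are bypassing your resolvers:
! show logging | include 106023.*/53
```

Two caveats a practitioner should check before deploying this. First, the ACL is evaluated on traffic entering the inside interface, so it only governs queries that cross the firewall; if the DNS servers sit on a different interface (a DMZ, for example) rather than on the inside network, the deny line would also stop clients from reaching them, and you would need a permit for the servers' own addresses placed above the deny. Second, port-based filtering cannot tell DNS over HTTPS apart from ordinary HTTPS, so a client configured for DoH will still get out on TCP/443; blocking that requires denying the resolver addresses themselves or inspecting TLS, which is beyond what an ACL on port 53 can do.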
