Need to block all DNS traffic to the outside world except from the server VLAN
Here is my challenge: I want to block all DNS traffic to the outside. Basically, I want my users to be able to use only our DNS servers. Some of our users bypass network policies by adding some OpenDNS servers. I need to block all these servers. Is there a way to do that?
Re: Need to block all DNS traffic to the outside world except fr
You can apply an ACL to the inside interface to block all DNS traffic except from the subnet of your server VLAN. For example, if your server VLAN was assigned the IP subnet of 192.168.10.0/24, you can do something like:
access-list INSIDE_OUT remark server VLAN 192.168.10.0/24 may query external DNS (UDP and TCP)
access-list INSIDE_OUT permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list INSIDE_OUT permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list INSIDE_OUT remark deny DNS from all other hosts, TCP 53 included, else it falls through to permit ip
access-list INSIDE_OUT deny udp any any eq domain
access-list INSIDE_OUT deny tcp any any eq domain
access-list INSIDE_OUT permit ip any any
access-group INSIDE_OUT in interface inside
The access-group line applies access-list INSIDE_OUT to traffic entering the inside interface.
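As an added illustration (not part of the reply above and not Cisco code), here is a small first-match evaluator for extended ACEs in this syntax. It checks the server VLAN permit and the client deny, and shows that a UDP-only version of the list lets TCP/53 from a client fall through to the final permit ip any any. The addresses 192.168.20.7 (user PC) and 203.0.113.53 (outside resolver) are constructed for the example.

```python
import ipaddress
PORT_NAMES = {"domain": 53}  # ASA accepts service names such as "domain" for 53

def _parse_addr(t, i):
    """Consume 'any' or 'ADDR MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False), i + 2

def parse_ace(line):
    """Parse an extended ACE: access-list NAME permit|deny PROTO SRC DST [eq PORT]."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACE: {line}")
    src, i = _parse_addr(t, 4)
    dst, i = _parse_addr(t, i)
    port = None
    if i < len(t) and t[i] == "eq":
        port = PORT_NAMES.get(t[i + 1]) or int(t[i + 1])
    return {"action": t[2], "proto": t[3], "src": src, "dst": dst, "port": port}

def parse_acl(text):
    return [parse_ace(l) for l in text.splitlines() if l.strip()]

def evaluate(acl, proto, src, dst, dport):
    """First match wins, as on the ASA; an unmatched flow hits the implicit deny.
    The device only evaluates flows that actually enter the interface."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if (ace["proto"] in ("ip", proto) and s in ace["src"] and d in ace["dst"]
                and (ace["port"] is None or ace["port"] == dport)):
            return ace["action"]
    return "deny"

# A UDP-only version of the list: TCP/53 is never matched by the deny.
UDP_ONLY_ACL = parse_acl("""
access-list INSIDE_OUT permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list INSIDE_OUT deny udp any any eq domain
access-list INSIDE_OUT permit ip any any
""")
# Same policy covering both transports: resolvers retry over TCP for
# large answers, so the deny has to include TCP 53 as well.
FULL_ACL = parse_acl("""
access-list INSIDE_OUT permit udp 192.168.10.0 255.255.255.0 any eq domain
access-list INSIDE_OUT permit tcp 192.168.10.0 255.255.255.0 any eq domain
access-list INSIDE_OUT deny udp any any eq domain
access-list INSIDE_OUT deny tcp any any eq domain
access-list INSIDE_OUT permit ip any any
""")
```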