Cisco Support Community
Is it necessary to permit udp eq domain through firewall?

In the firewall configuration I inherited, I see the firewall allows inbound DNS packets when coming from a designated external DNS server, for example:

access-list 101 permit udp host 206.13.31.12 eq domain host <myNetOutsideAddress>

Is it necessary or desirable to do this? If this were TCP I think the answer would be "no" since DNS is a connectionless protocol, but for UDP I am unsure.

My network has an internal DNS server for internal name lookup, but the internal names are not usable nor intended to be used from outside.

Accepted Solutions

Re: Is it necessary to permit udp eq domain through firewall?

No - this will allow any "un-triggered/un-requested" DNS updates to be sent to your DNS server.

If any clients on your "inside" need to resolve, as long as you are not blocking inside<>outside then the DNS reply that was initiated from the inside will be dynamically allowed through.

HTH
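The behaviour the answer describes, modelled in Python as an added example (not the poster's configuration and not Cisco code): an outbound DNS query creates a flow entry that lets only the matching reply back in, while the inherited static permit would also admit unsolicited UDP traffic sourced from port 53 on 206.13.31.12. The outside address 203.0.113.10 is a constructed placeholder for <myNetOutsideAddress>.

```python
from dataclasses import dataclass

EXT_DNS = "206.13.31.12"   # external DNS server named in the inherited ACL
OUTSIDE = "203.0.113.10"   # constructed stand-in for <myNetOutsideAddress>


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    inbound: bool  # True = arrives on the outside interface


class StatefulFirewall:
    """Minimal model: outbound UDP flows are recorded; an inbound packet passes
    only if it answers a recorded flow or matches a static inbound permit."""

    def __init__(self, static_permits=()):
        # static permits are (src_host, src_port, dst_host); dst port is any,
        # mirroring 'permit udp host A eq domain host B'
        self.static_permits = list(static_permits)
        self.flows = set()  # (inside_addr, inside_port, remote_addr, remote_port)

    def process(self, p: Packet) -> str:
        if not p.inbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return "permit"
        key = (p.dst, p.dport, p.src, p.sport)
        if key in self.flows:
            self.flows.discard(key)  # one reply per UDP query, then the hole closes
            return "permit-stateful"
        if any(p.src == s and p.sport == sp and p.dst == d
               for s, sp, d in self.static_permits):
            return "permit-static"
        return "deny"


# The inherited line: access-list 101 permit udp host 206.13.31.12 eq domain host <outside>
INHERITED_ACL = [(EXT_DNS, 53, OUTSIDE)]


def run_scenarios(static_permits=()):
    """Decisions for a query, its legitimate reply, and an unsolicited packet."""
    fw = StatefulFirewall(static_permits)
    query = Packet(OUTSIDE, 40000, EXT_DNS, 53, inbound=False)
    reply = Packet(EXT_DNS, 53, OUTSIDE, 40000, inbound=True)
    unsolicited = Packet(EXT_DNS, 53, OUTSIDE, 53, inbound=True)  # nobody asked
    return {"query": fw.process(query),
            "reply": fw.process(reply),
            "unsolicited": fw.process(unsolicited)}
```

Without the static permit the reply still returns (stateful match) and the unsolicited packet is dropped; with it, the unsolicited packet reaches the inside address as well.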
