New Member

DNS & VLANs

I have a network set up with two VLANs. Each VLAN connects to a common 1721 router. Neither of these VLANs can speak to each other (via subinterfaces and access lists). Now with the help of people here, I've figured out how to handle DHCP on the second VLAN via the router, but now I've realized another problem. My *DNS* server is also on the first VLAN (which the second VLAN isn't allowed to speak to). Are there any suggestions about how I can resolve this little dilemma?

8 REPLIES
Purple

Re: DNS & VLANs

Why don't you punch a hole in your ACLs that lets DNS requests through but denies everything else.

You need to allow udp/53 in either direction.

Paresh

New Member

Re: DNS & VLANs

The only thing is that I'm hesitant to punch a hole through the ACLs. The separation of the two VLANs is something sort of required by law. And how easy/difficult would it be to do that? Would it be securely isolated?

Purple

Re: DNS & VLANs

As long as you make your ACL really tight and only let UDP/53 through, then you are fine.

That will not let any other traffic through.

Paresh

Re: DNS & VLANs

Obviously you will have to start routing between the two subnets, if you want to use the DNS in subnet 1 from subnet 2. Cisco routers don't run a DNS server, so you cannot use one to resolve names. You can do a controlled routing via access-lists. All you need to do is to allow port 53 (DNS) for DNS queries to pass between the two subnets.

Now on the DHCP scope you define for subnet 2, you can specify the DNS as DNS server in subnet 1.

int fa0/0
 description Subnet 1
 ip add 10.10.10.1 255.255.255.0
int fa0/1
 description Subnet 2
 ip add 10.10.20.1 255.255.255.0
ip dhcp pool Subnet2
 network 10.10.20.0 /24
 default-router 10.10.20.1
 dns-server <>             <--- DNS server in subnet 1
 netbios-name-server <>    <--- if you need WINS
 lease <>

HTH

Sankar

PS: please remember to rate posts!
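As an added illustration of the "controlled routing" Paresh and Sankar describe (not config from either poster), here is a pair of extended ACLs for Sankar's interface layout that lets subnet 2 reach only udp/53 on the DNS server and drops every other packet between the two subnets. The DNS server address 10.10.10.53 and the ACL names are assumed values.

```cisco
! Constructed example: interfaces and subnets follow Sankar's post;
! 10.10.10.53 is an assumed address for the DNS server in subnet 1.
ip access-list extended SUBNET2-IN
 remark Hosts in subnet 2 may only send DNS queries to the DNS server
 permit udp 10.10.20.0 0.0.0.255 host 10.10.10.53 eq 53
 remark Any other packet aimed at subnet 1 is dropped and logged
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255 log
 remark Traffic to other destinations (e.g. the Internet) is unaffected
 permit ip any any
!
ip access-list extended SUBNET1-IN
 remark ACLs are stateless, so the replies need their own permit:
 remark only the DNS server, sourcing from port 53, may talk back to subnet 2
 permit udp host 10.10.10.53 eq 53 10.10.20.0 0.0.0.255
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 log
 permit ip any any
!
interface FastEthernet0/0
 description Subnet 1
 ip access-group SUBNET1-IN in
!
interface FastEthernet0/1
 description Subnet 2
 ip access-group SUBNET2-IN in
```

Because the reply rule matches only on source port 53, the DNS server itself (if ever compromised) could still originate traffic into subnet 2 from that port; a stateful inspection feature, where the IOS image supports one, would close that gap, and the logged deny entries give you the audit trail for the separation requirement.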

Re: DNS & VLANs

Punching a hole for DNS can be a loophole for somebody to do a DoS attack on your DNS server. I would suggest then that you use another DNS server.

Purple

Re: DNS & VLANs

Since you would already allow DNS traffic to the DNS service from external networks (in order to be able to resolve DNS queries), punching a hole to let through an internal network will not really create a security hole that is not there already.

Paresh

New Member

Re: DNS & VLANs

Thank you both for your responses. This was very helpful.

New Member

Re: DNS & VLANs

Just my 2 cents, but if you are blocking the two VLANs from talking to each other for security (OK - I know it's not much security, but it's some), then why not just add another VLAN and put just your DNS server in it? Then let both the other subnets only talk to the DNS subnet - sort of a DNS DMZ, if you will.
