Cisco Support Community

New Member

Outbound DNS ACL

I have 2 internal DNS servers that forward requests to 2 DNS servers on the Internet. All other DNS requests to other Internet DNS servers are blocked by my outbound ACL. I receive thousands of syslog warnings daily about blocked DNS requests due to this ACL.


1. Is this the best way to set up DNS? This is really safe, but at the same time it is causing 10k-plus messages per day. Is this causing network congestion at the PIX?

2. Is there a "best practices" approach for DNS that would not result in such heavy syslogging?



New Member

Re: Outbound DNS ACL


> 1. Is this the best way to setup DNS?

Yes, I think that this is a good setup.

> I receive thousands of syslog warnings daily ...

You should troubleshoot using the info from these messages.

Can you give us more info about the blocked requests?

If they originate from an internal workstation/server, you then should check the configuration of that host.

Note that some server applications (like mail servers) have a DNS client with its own configuration besides the DNS configuration of the machine itself.

Note also that some DNS traffic is blocked by the PIX built-in DNS Guard: for example, if you get more than one reply for a DNS query, the PIX will let only the first one through. Or if the DNS reply takes too much time, the PIX will time out and tear down the connection.
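The reply above asks where the blocked requests originate. As an added example (not part of the original thread), the script below does that triage over a constructed sample of PIX syslog deny lines, shaped after the %PIX-4-106023 "Deny ... by access-group" message. It separates denies sent by the two sanctioned internal DNS servers from denies sent by any other inside host, and flags resolver denies aimed at root servers, which is the signature of a resolver that is iterating from its root hints instead of using the forwarders. The internal server addresses (10.1.1.10/.11), the other inside hosts, and the upstream addresses are assumptions; the root-server entries are a partial list and should be checked against the current root hints before use.

```python
import re
from collections import Counter

# Constructed sample log, not taken from the poster's PIX. Line shape follows
# %PIX-4-106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group "<acl>"
# Addresses are illustrative: 10.1.1.10/.11 are the internal DNS servers,
# 192.0.2.53 a resolver hard-coded on two hosts, 203.0.113.5 an authoritative
# server a referral pointed at. The last two lines are non-DNS and non-106023
# noise that the parser must ignore.
SAMPLE_SYSLOG = """\
Jun 12 08:01:02 fw01 %PIX-4-106023: Deny udp src inside:10.1.1.10/53 dst outside:198.41.0.4/53 by access-group "outbound"
Jun 12 08:01:03 fw01 %PIX-4-106023: Deny udp src inside:10.1.1.10/53 dst outside:192.33.4.12/53 by access-group "outbound"
Jun 12 08:01:05 fw01 %PIX-4-106023: Deny udp src inside:10.1.1.11/53 dst outside:198.41.0.4/53 by access-group "outbound"
Jun 12 08:01:06 fw01 %PIX-4-106023: Deny udp src inside:10.1.1.10/53 dst outside:203.0.113.5/53 by access-group "outbound"
Jun 12 08:02:10 fw01 %PIX-4-106023: Deny udp src inside:10.1.1.50/1045 dst outside:192.0.2.53/53 by access-group "outbound"
Jun 12 08:02:11 fw01 %PIX-4-106023: Deny tcp src inside:10.1.1.25/3311 dst outside:192.0.2.53/53 by access-group "outbound"
Jun 12 08:02:12 fw01 %PIX-4-106023: Deny tcp src inside:10.1.1.60/3320 dst outside:198.51.100.7/445 by access-group "outbound"
Jun 12 08:02:13 fw01 %PIX-6-302015: Built outbound UDP connection 4711 for outside:203.0.113.1/53 (203.0.113.1/53) to inside:10.1.1.10/53 (10.1.1.10/53)
"""

# The two internal DNS servers that are allowed to reach the forwarders (assumed).
INTERNAL_DNS = {"10.1.1.10", "10.1.1.11"}

# Partial list of root-server addresses (a, c, f, k, m); verify against the
# current root hints file before relying on it.
ROOT_SERVERS = {"198.41.0.4", "192.33.4.12", "192.5.5.241", "193.0.14.129", "202.12.27.33"}

LINE_RE = re.compile(
    r'%PIX-4-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) '
    r'dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)'
)


def parse_denies(text):
    """Return one dict per 106023 deny line; other syslog messages are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := LINE_RE.search(line))]


def triage(text, internal_dns=INTERNAL_DNS, root_servers=ROOT_SERVERS):
    """Bucket DNS denies (dst port 53) by what they tell the operator:
    resolver_to_root   - a sanctioned resolver iterating from root hints
    resolver_to_other  - a sanctioned resolver following a referral elsewhere
    unsanctioned_hosts - some other inside host running its own resolver config
    """
    report = {
        "resolver_to_root": Counter(),
        "resolver_to_other": Counter(),
        "unsanctioned_hosts": Counter(),
    }
    for d in parse_denies(text):
        if d["dport"] != "53":
            continue  # not DNS; out of scope for this question
        if d["src"] not in internal_dns:
            report["unsanctioned_hosts"][d["src"]] += 1
        elif d["dst"] in root_servers:
            report["resolver_to_root"][d["dst"]] += 1
        else:
            report["resolver_to_other"][d["dst"]] += 1
    return report


if __name__ == "__main__":
    for bucket, counts in triage(SAMPLE_SYSLOG).items():
        print(bucket)
        for key, n in counts.most_common():
            print(f"  {key:<16} {n}")
```

Read the three buckets differently: a non-empty resolver_to_root bucket means the internal servers are still trying to resolve iteratively (root hints plus referrals), which the ACL is correctly stopping; entries in unsanctioned_hosts are workstations or servers (the mail-server case above) whose own DNS client points somewhere other than the internal servers and need their configuration fixed. Feed the script a day of real syslog and the most_common() output gives the handful of hosts or destinations behind the "thousands" of messages.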


New Member

Re: Outbound DNS ACL

I believe the problem is that I am using recursion to resolve queries that are not resolved by my forwarders. I notice a lot of the denies are to the root DNS servers. The other denies to the other DNS servers are probably referrals to DNS servers from the root DNS servers.

1. Should I turn off recursion and only use forwarders for DNS queries? (This is effectively what I have, because all queries to all other DNS servers besides my two DNS servers that I use as forwarders are being blocked.)

2. Should I allow my internal DNS servers to query any Internet DNS server?

Which one is recommended? I guess it could be a question of security vs. performance?
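The two options in the post above correspond to two matching pairs of resolver and firewall configuration. As an added example (not from the original thread), here is what each looks like for a BIND named.conf on the internal servers together with the PIX outbound ACL. The internal server addresses (10.1.1.10/.11), the forwarder addresses (203.0.113.1/.2) and the inside network (10.0.0.0/8) are assumptions. Note that "forward only" is the setting that matches option 1: the server keeps recursion enabled for inside clients but sends every external lookup to the forwarders and never falls back to iterating from the root hints, so the denies to root servers and referral targets stop. "forward first" (or no forwarders at all) is option 2: if the forwarders fail to answer, BIND iterates from the root hints, which only works if the ACL lets the two servers reach any Internet DNS server.

```text
### Option 1: forward-only resolvers, tight outbound ACL ###

# named.conf on 10.1.1.10 and 10.1.1.11
options {
    recursion yes;                              # still resolve on behalf of inside clients
    allow-recursion { 10.0.0.0/8; };            # but only for inside hosts, never for the Internet
    forwarders { 203.0.113.1; 203.0.113.2; };   # the two upstream resolvers (assumed addresses)
    forward only;                               # never iterate from root hints if forwarders fail
};

# PIX outbound ACL: only the two internal servers may reach the two forwarders
access-list outbound permit udp host 10.1.1.10 host 203.0.113.1 eq domain
access-list outbound permit udp host 10.1.1.10 host 203.0.113.2 eq domain
access-list outbound permit tcp host 10.1.1.10 host 203.0.113.1 eq domain
access-list outbound permit tcp host 10.1.1.10 host 203.0.113.2 eq domain
access-list outbound permit udp host 10.1.1.11 host 203.0.113.1 eq domain
access-list outbound permit udp host 10.1.1.11 host 203.0.113.2 eq domain
access-list outbound permit tcp host 10.1.1.11 host 203.0.113.1 eq domain
access-list outbound permit tcp host 10.1.1.11 host 203.0.113.2 eq domain
access-list outbound deny   udp any any eq domain   # explicit, so the intent is visible in the config
access-list outbound deny   tcp any any eq domain
access-group outbound in interface inside

### Option 2: resolvers may iterate, ACL open for the two servers only ###

# named.conf on 10.1.1.10 and 10.1.1.11
options {
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    forwarders { 203.0.113.1; 203.0.113.2; };
    forward first;                              # try forwarders, then iterate from root hints
};

# PIX outbound ACL: the two internal servers may query any Internet DNS server;
# every other inside host is still blocked
access-list outbound permit udp host 10.1.1.10 any eq domain
access-list outbound permit tcp host 10.1.1.10 any eq domain
access-list outbound permit udp host 10.1.1.11 any eq domain
access-list outbound permit tcp host 10.1.1.11 any eq domain
access-list outbound deny   udp any any eq domain
access-list outbound deny   tcp any any eq domain
access-group outbound in interface inside
```

In both options the ACL still denies and logs DNS from every inside host other than the two servers, so the remaining syslog entries after the change are exactly the misconfigured workstations and servers worth chasing. TCP/53 is permitted alongside UDP because resolvers retry over TCP when a UDP answer is truncated; leaving it out produces another class of denies that looks like an ACL problem but is normal DNS behaviour.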