Close incoming DNS queries - help with securing DNS.

John Adams
Level 1

Hello. I've got an 887va that is used for ADSL. Everything works fine. It's a basic setup to allow internal users to get onto the internet.

I've recently run an Nmap and Nessus scan against the external WAN IP and everything now looks fine apart from DNS.

It looks like from anywhere externally on the internet you can perform an nslookup using my router external WAN IP. I've tested and this is indeed the case.

I'd like to turn that incoming DNS lookup feature off - I don't believe it is needed for anything. I'd rather not set up the CBAC or ZBF just for this.

Please note my internal users MUST still be able to browse to sites like www.yahoo.com and have them resolved correctly.

I look forward to hearing from you on how I achieve this.

I've included my entire config below and put the interesting parts in bold:

!
! Last configuration change at 17:31:15 GMT Wed Jan 8 2014 by admin
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname xxxxxxxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 xxxxxxxxxxx
enable password 7 xxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-xxxxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxxxxxxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxxxxxxx
certificate self-signed 01
  xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
                quit
!
!
!
ip dhcp excluded-address 192.168.0.1 192.168.0.10
!
ip dhcp pool myDHCPpool
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 192.168.0.1
!
!
!
ip domain name xxxxxxx.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
license udi pid CISCO887VA-K9 sn xxxxxxxxxxxxxx
!
!
username admin privilege 15 secret  xxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
!
controller VDSL 0
!
!
!
!
!
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
description Uplink to Switch
switchport access vlan 50
no ip address
!
interface FastEthernet1
switchport access vlan 50
no ip address
shutdown
!
interface FastEthernet2
switchport access vlan 50
no ip address
shutdown
!
interface FastEthernet3
switchport access vlan 50
no ip address
shutdown
!
interface Vlan1
no ip address
!
interface Vlan50
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp chap hostname user@xxxxxxxxx.com
ppp chap password 7 xxxxxxxx
no cdp enable
!
ip forward-protocol nd
no ip http server
ip http access-class 10
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 10 permit xx.xx.xx.xx (External IP)
access-list 10 permit yy.yy.yy.yy (External IP)
access-list 10 permit 192.168.0.0 0.0.0.255
dialer-list 1 protocol ip permit
!
snmp-server community nagios-RVR RO 10
snmp-server location xxx
snmp-server contact xxxx
!
!
!
!
line con 0
login authentication local_auth
no modem enable
line aux 0
login authentication local_auth
line vty 0 4
access-class 10 in
password 7 xxxxxxxxxxxxx
login authentication local_auth
transport input ssh
!
ntp server 1.uk.pool.ntp.org
!
end

8 Replies

cadet alain
VIP Alumni

Hi,

Can you do this:

no ip domain-lookup
no ip name-server 8.8.8.8
no ip name-server 8.8.4.4
ip dhcp pool myDHCPpool
no dns-server 192.168.0.1
dns-server 8.8.8.8 8.8.4.4

If you have Windows clients, they already have a cache by default, so it won't be a problem, and hopefully it should solve your query.

Regards

Alain

Don't forget to rate helpful posts.


Thanks Alain,

I have many Windows users on laptops and PCs but we also support all sorts of mobile phones (iphone, android, windows).

Will this be a problem for the phones?

So by doing this my users on their laptops and phones (android, iphones, window phones) will still be able to get onto sites like www.yahoo.com by name.

How come I don't need the ip domain-lookup, ip name-server and dns-server commands?

I guess with this approach my clients' ipconfig /all would show the DNS servers as 8.8.8.8 and 8.8.4.4.

Hi,

I guess with this approach my clients within their ipconfig /all would show the dns servers as 8.8.8.8 and 8.8.4.4

Correct.

I don't know about the phones' implementations, but if they are not caching you will have more DNS traffic.

Apparently from my google searches it seems they are all implementing caches so you won't increase your DNS traffic by doing so.

Regards

Alain

Don't forget to rate helpful posts.


Thanks Alain,

So it's only a case of increased DNS traffic, rather than something not working?

If so I will try this and update the thread.

Hi,

Yes you're correct.

Regards

Alain

Don't forget to rate helpful posts.


Hi - I have run these commands:

no ip domain-lookup
no ip name-server 8.8.8.8
no ip name-server 8.8.4.4
ip dhcp pool myDHCPpool
no dns-server 192.168.0.1
dns-server 8.8.8.8 8.8.4.4

Everything works - I can still get the internet on my phone and laptop etc.

However, I can still telnet on tcp/53 from external.

I notice I still have this line (in bold). Is this still required? What will deleting it do? Might this be the reason why?

ip forward-protocol nd
no ip http server
ip http access-class 10
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0

Thank you.

Hi,

If you gave your clients the addresses of external DNS servers, you don't need to have your router as a DNS server, so you can get rid of this command.

Normally after that you shouldn't see your router respond to UDP/TCP on port 53.

Regards

Alain

Don't forget to rate helpful posts.


Thanks Alain,

I have entered the command 'no ip dns server' to remove the 'ip dns server' line.

However, I can still telnet from the internet to my WAN IP on tcp/53?
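Where removing the service alone does not close the port, a plain inbound ACL on Dialer0 drops anything aimed at port 53 on the WAN side without needing CBAC or ZBF, while the replies to the clients' own lookups (which arrive with source port 53 and a high destination port) are left alone. This is an added example and not from the thread or from Cisco; the ACL name WAN_IN is an assumption.

```cisco
! Added example (not from the thread): stateless inbound ACL on the WAN
! interface that drops DNS aimed at the router. ACL name WAN_IN is assumed.
ip access-list extended WAN_IN
 remark Drop DNS arriving from outside (tcp/udp DESTINATION port 53)
 deny   udp any any eq 53
 deny   tcp any any eq 53
 remark Answers to the clients' lookups via NAT come back with SOURCE port 53
 remark and a high destination port, so the two deny lines do not match them.
 permit ip any any
!
interface Dialer0
 ip access-group WAN_IN in
!
! Check from the router: the deny counters increase when an outside host
! probes port 53 on the WAN address, while clients still resolve via 8.8.8.8.
! show access-lists WAN_IN
```

Because the final line is permit ip any any, everything else that reaches the WAN interface today still does, so this only closes the DNS exposure the scans reported.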
