Cisco Support Community

Close open DNS resolver?

Hi,

I have the following config running on an 881 which is connected to an ISP via an external ADSL modem.

In its current form, it is responding to any DNS request from any external IP address. I need to close this. I'm aware I can do this with an ACL, but I'm not sure it should be responding in the first place. Can anyone see a problem with the config?

Current configuration : 2804 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname jtg-rtr1
!
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M2.bin
boot-end-marker
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring
!
ip dhcp excluded-address 172.16.1.1 172.16.1.99
!
ip dhcp pool mainPool
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 172.16.1.1
 option 66 ascii 172.16.1.1
!
ip domain name router.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
ip ssh time-out 60
ip ssh authentication-retries 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description ADSL WAN Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1440
 no autostate
!
interface Dialer1
 description ADSL WAN Dialler
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname [isp username]
 ppp chap password [isp password]
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
end


Close open DNS resolver?

Richard,

This line "ip dns server" doesn't need to be enabled to have your hosts get on the internet, but in fact starts the config for the router to answer dns queries. Try "no ip dns server" and see if that resolves your issue.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Re: Close open DNS resolver?

Hello

I agree with John regarding removing that command.
Also, as you're importing all options from the ISP DHCP, you could also change the DHCP pool DNS server to that of the ISP.

Res
Paul


Please don't forget to rate any posts that have been helpful. Thanks.

Re: Close open DNS resolver?

Hi Both,

Thanks for your comments.

Whilst I accept turning off dns-server will work in this particular setup, I am still keen to establish why it's acting in the way it is. 

For example, whilst dishing out my ISPs nameserver will work, I would rather my router did this internally.  Surely it must be possible to do this on the internal interface only.

Thanks,

Re: Close open DNS resolver?

There's no easy way that I'm aware of to specify "only answer on this interface." You'll probably need to configure reflexive ACLs or CBAC. This will allow the outbound traffic through (your internal hosts to use for forwarding), but should stop queries on the outside.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***
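An added example, not from the original post or any of the replies, showing the ACL route the original poster mentioned and the "stop queries on the outside, keep forwarding working" outcome John describes. It keeps `ip dns server` so the LAN can still use 172.16.1.1 as its resolver. The ACL name WAN-IN is my own choice; interface and name-server details are taken from the configuration above.

```cisco
! Added example (not from the original post). Drops DNS *queries* arriving on the
! WAN side before they reach the router's own DNS service, while leaving the
! LAN-facing resolver and the router's forwarding to 8.8.8.8 / 8.8.4.4 untouched.
!
ip access-list extended WAN-IN
 remark -- queries from the Internet to the router's resolver: drop and count them
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 remark -- replies to the router's own forwarded queries come back with SOURCE
 remark -- port 53 and a high DESTINATION port, so the two lines above do not
 remark -- match them; no extra permit is needed for the forwarder to keep working
 remark -- everything else is left as today (Dialer1 currently has no inbound ACL)
 permit ip any any
!
interface Dialer1
 ip access-group WAN-IN in
!
! After applying, repeat the external query that used to be answered and confirm
! the deny lines are the ones accumulating hits:
!   show ip access-lists WAN-IN
```

From a host outside your network, a query such as `dig example.com @<your public IP>` should now time out instead of returning an answer, and the `deny` counters in `show ip access-lists WAN-IN` will show the probes being dropped (drop the `log` keyword once you have seen enough of them; logging every hit costs CPU on an 881). Two caveats if you go the reflexive-ACL or CBAC route instead: an outbound ACL on Dialer1 does not see packets the router itself originates, so its DNS queries to 8.8.8.8 and 8.8.4.4 would not create reflexive entries and their replies would need an explicit permit; and the trailing `permit ip any any` above keeps whatever other router services are reachable today (SSH, for instance) just as reachable, so tightening that is the next step.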