https://community.cisco.com/t5/network-security/dns-not-functioning-properly/m-p/1997865#M401804 <HTML><HEAD></HEAD><BODY><P> Hi Brendan,</P><P></P><P>There is a small mistake with your config. You have an ACL like the below</P><P></P><P>access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0</P><P>access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SRV-DMZ-GROUP </P><P>!</P><P></P><P>You are denying the entire IP packet in the line 1. So it blocks all the traffic to go out. Also DNS uses UDP not the tcp.</P><P></P><P>Please have the premit rule in the 1st. Apply the below mentioned ACL.</P><P>ACL</P><P>=====</P><P>no access-list dmz_access_in</P><P>access-list dmz_access_in extended permit udp object-group SRV-DMZ-GROUP host 66.49.220.95 eq 53</P><P>access-list dmz_access_in extended permit udp object-group SRV-DMZ-GROUP host 67.55.0.11eq 53</P><P>access-list dmz_access_in extended permit&nbsp; object-group SRV-DMZ-GROUP object-group DM_INLINE_SERVICE_2</P><P>access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0</P><P>!</P><P></P><P>I have modified little as per the requirement. Your dns issue will get resolved with this acl's applied.</P><P></P><P>Please do rate if the given info helps.</P><P></P><P>By</P><P></P><P>Karthik</P></BODY></HTML> Sun, 22 Jul 2012 06:05:06 GMT nkarthikeyan 2012-07-22T06:05:06Z https://community.cisco.com/t5/network-security/dns-not-functioning-properly/m-p/1997864#M401803 <P>My DNS is giving me plenty of errors such as:</P><P></P><TABLE><TBODY><TR><TD>4</TD><TD>Jul 21 2012</TD><TD>18:57:45</TD><TD><BR /></TD><TD>172.21.20.2</TD><TD>58390</TD><TD>66.49.220.95</TD><TD>53</TD><TD>Deny udp src dmz:172.21.20.2/58390 dst outside:66.49.220.95/53 by access-group "dmz_access_in" [0x0, 0x0]</TD></TR></TBODY></TABLE><P></P><TABLE><TBODY><TR><TD>4</TD><TD>Jul 21 2012</TD><TD>18:59:23</TD><TD><BR /></TD><TD>172.21.20.2</TD><TD>59567</TD><TD>67.55.0.11</TD><TD>53</TD><TD>Deny udp src dmz:172.21.20.2/59567 dst outside:67.55.0.11/53 by access-group "dmz_access_in" [0x0, 0x0]</TD></TR></TBODY></TABLE><P></P><P>Was wondering if anyone can suggest changes to make to fix this DNS issue.&nbsp; My DNS servers are external to my network and are located at </P><P>66.49.220.95 and </P><P>67.55.0.11.</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 23:33:08 GMT https://community.cisco.com/t5/network-security/dns-not-functioning-properly/m-p/1997864#M401803 Brendan Wood 2019-03-11T23:33:08Z https://community.cisco.com/t5/network-security/dns-not-functioning-properly/m-p/1997865#M401804 <HTML><HEAD></HEAD><BODY><P> Hi Brendan,</P><P></P><P>There is a small mistake with your config. You have an ACL like the below</P><P></P><P>access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0</P><P>access-list dmz_access_in extended permit object-group DM_INLINE_SERVICE_2 object-group SRV-DMZ-GROUP </P><P>!</P><P></P><P>You are denying the entire IP packet in the line 1. So it blocks all the traffic to go out. Also DNS uses UDP not the tcp.</P><P></P><P>Please have the premit rule in the 1st. Apply the below mentioned ACL.</P><P>ACL</P><P>=====</P><P>no access-list dmz_access_in</P><P>access-list dmz_access_in extended permit udp object-group SRV-DMZ-GROUP host 66.49.220.95 eq 53</P><P>access-list dmz_access_in extended permit udp object-group SRV-DMZ-GROUP host 67.55.0.11eq 53</P><P>access-list dmz_access_in extended permit&nbsp; object-group SRV-DMZ-GROUP object-group DM_INLINE_SERVICE_2</P><P>access-list dmz_access_in extended deny ip object-group SRV-DMZ-GROUP 172.20.20.0 255.255.254.0</P><P>!</P><P></P><P>I have modified little as per the requirement. Your dns issue will get resolved with this acl's applied.</P><P></P><P>Please do rate if the given info helps.</P><P></P><P>By</P><P></P><P>Karthik</P></BODY></HTML> Sun, 22 Jul 2012 06:05:06 GMT https://community.cisco.com/t5/network-security/dns-not-functioning-properly/m-p/1997865#M401804 nkarthikeyan 2012-07-22T06:05:06Z