https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553135#M610357 <HTML><HEAD></HEAD><BODY><P>I have both of them already working like that.</P><P>Thanks</P><P></P><P>PS: What did you use to buid your site? I liked the organization like folders.</P></BODY></HTML> Sun, 03 Oct 2010 04:44:33 GMT argnetworking 2010-10-03T04:44:33Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553125#M610333 <P></P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> <![endif]--><P><SPAN lang="EN-US">Hello, I would like to know what is the recommended ACL to configure in a router, to give a public DNS service. </SPAN></P><P><SPAN lang="EN-US">I know the basic, permit eq domain, deny special use IP address (10.0.0.0/8, 192.168.0.0/16, ...), block everything else....</SPAN></P><P><SPAN lang="EN-US">Do I need to open upper ports?, any ACL with established?</SPAN></P><P><SPAN lang="EN-US">I would like suggestions to configure a solid ACL. </SPAN></P><P><SPAN lang="EN-US">Thanks, </SPAN></P><P><SPAN lang="EN-US">Gonzalo</SPAN></P> Mon, 11 Mar 2019 18:46:50 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553125#M610333 argnetworking 2019-03-11T18:46:50Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553126#M610334 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Do you mean allowing the internal network to contact an external DNS server?</P><P>If so, just need to open UDP domain on the ACL applied to the inside interface.</P><P></P><P>i.e</P><P>Internal network 10.1.1.0/24</P><P>External DNS 4.2.2.2</P><P></P><P>access-list INSIDE permit udp 10.1.1.0/24 host 4.2.2.2 eq 53</P><P>access-group INSIDE in interface INSIDE</P><P></P><P>The above ACL will only allow outbound DNS requests to port 53 on UDP to 4.2.2.2 from the internal LAN.</P><P>Remember that every other outbound traffic that needs to get out should be permitted on that ACL as well.</P><P></P><P>Federico.</P></BODY></HTML> Tue, 28 Sep 2010 21:04:00 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553126#M610334 Federico Coto Fajardo 2010-09-28T21:04:00Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553127#M610335 <HTML><HEAD></HEAD><BODY><P>no, I have to allow external users to get to the DNS (public DNS) behind a cisco router.</P></BODY></HTML> Tue, 28 Sep 2010 21:38:08 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553127#M610335 argnetworking 2010-09-28T21:38:08Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553128#M610336 <HTML><HEAD></HEAD><BODY><P>To allow external users to access an internal DNS, you do something like this:</P><P></P><P>ip access-list extended OUTSIDE</P><P>&nbsp; permit udp any host x.x.x.x eq 53</P><P></P><P>interface fasx/x</P><P>&nbsp; ip access-group OUTSIDE in</P><P></P><P>The above ACL only permits inbound DNS traffic on port 53 to host x.x.x.x (which is going to be the public IP assigned to the DNS server).</P><P></P><P>Now,</P><P>Referring to the ACL, you should specify all other traffic that should be permitted.</P><P></P><P>Normally what you do on an IOS router is to configure some sort of stateful behavior (like an ASA), to avoid having to open all ports in that ACL.</P><P>Easiest way is to use CBAC to permit the return traffic of the outside connections (and you only worry about permitting traffic that it's initiated from the outside world coming in).</P><P></P><P>Recommended way is Zone-Based Firewall.</P><P></P><P>Federico.</P></BODY></HTML> Tue, 28 Sep 2010 21:50:15 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553128#M610336 Federico Coto Fajardo 2010-09-28T21:50:15Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553129#M610337 <HTML><HEAD></HEAD><BODY><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> <![endif]--><P>Federico,</P><P>Thanks for the replay, I have a working ACL but is too open. I would like to do it again and that is why I’m asking for recommendations. I inherited the configuration and I’m trying to do it the right way.</P><P>I can not apply any sort of stateful firewall because it is a DNS that has a lot of hits , and the CPU goes to the roof. So, my intention is to open only the necessary ports on the ACL.</P><P></P><P>Thanks,</P><P>Gonzalo</P></BODY></HTML> Wed, 29 Sep 2010 02:31:55 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553129#M610337 argnetworking 2010-09-29T02:31:55Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553130#M610340 <HTML><HEAD></HEAD><BODY><P>Check this link for the most current public facing ACL we use. It matches the DISA standard so it should be pretty secure. You will have to tweak a couple of things like allowing BGP.</P><P></P><P><A class="jive-link-external-small" href="http://www.packetpros.com/cisco_kb/DIACAP_ACL.html">http://www.packetpros.com/cisco_kb/DIACAP_ACL.html</A></P><P></P><P>Hope it helps.</P></BODY></HTML> Wed, 29 Sep 2010 14:23:57 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553130#M610340 Collin Clark 2010-09-29T14:23:57Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553131#M610342 <HTML><HEAD></HEAD><BODY><P><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman"; mso-ansi-language:#0400; mso-fareast-language:#0400; mso-bidi-language:#0400;} </style> <![endif]--></P><P class="MsoNormal">Collin, thanks a lot, it is great, that it is exactly one of the parts I was looking for. Now I only need to know if there are any other recommendations on specific ACLs for DNS service.</P><P></P><P class="MsoNormal">Thanks,</P><P></P><P class="MsoNormal">Gonzalo</P></BODY></HTML> Wed, 29 Sep 2010 21:30:58 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553131#M610342 argnetworking 2010-09-29T21:30:58Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553132#M610346 <HTML><HEAD></HEAD><BODY><P>Are you doing any DNS transfers or are they simply look ups?</P></BODY></HTML> Thu, 30 Sep 2010 13:37:39 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553132#M610346 Collin Clark 2010-09-30T13:37:39Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553133#M610350 <HTML><HEAD></HEAD><BODY><P>Both, transfers and look ups?</P></BODY></HTML> Thu, 30 Sep 2010 14:09:50 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553133#M610350 argnetworking 2010-09-30T14:09:50Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553134#M610353 <HTML><HEAD></HEAD><BODY><P>For transfers from another DNS server to yours (make sure this is correct, can be very dangerous) -</P><P></P><P><SPAN style="font-family: courier new,courier;"> permit tcp host [remote dns server] host [your dns servers public IP] eq 53</SPAN></P><P></P><P>For external people querying your DNS servers for dns lookups -</P><P></P><P> <SPAN style="font-family: courier new,courier;">permit udp any host [your dns server public IP] eq 53</SPAN></P><P></P><P>Hope that helps.</P></BODY></HTML> Thu, 30 Sep 2010 14:22:15 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553134#M610353 Collin Clark 2010-09-30T14:22:15Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553135#M610357 <HTML><HEAD></HEAD><BODY><P>I have both of them already working like that.</P><P>Thanks</P><P></P><P>PS: What did you use to buid your site? I liked the organization like folders.</P></BODY></HTML> Sun, 03 Oct 2010 04:44:33 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553135#M610357 argnetworking 2010-10-03T04:44:33Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553136#M610358 <HTML><HEAD></HEAD><BODY><P>It's call Tigra Tree Menu-</P><P><A class="jive-link-external-small" href="http://www.softcomplex.com/products/tigra_tree_menu/">http://www.softcomplex.com/products/tigra_tree_menu/</A></P></BODY></HTML> Tue, 05 Oct 2010 13:21:55 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/1553136#M610358 Collin Clark 2010-10-05T13:21:55Z https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/4731132#M1095571 <P>hello i have similar Q, i need all users/PC int the net int diffrent site and vlans have access only&nbsp; to the internal DNS server</P><P>i have 3 routers one main&nbsp; the other 2 connect&nbsp; to the main router.</P><P>what i need to do?</P><P>&nbsp;</P> Thu, 01 Dec 2022 18:13:55 GMT https://community.cisco.com/t5/network-security/acl-for-dns-service/m-p/4731132#M1095571 RoeeM 2022-12-01T18:13:55Z