Allowing DNS Requests from DMZ to Internal DNS Server

Brian Webb
Level 1

I'm trying to figure out what I need to allow through to get our servers in the DMZ to talk to the DNS Server. Here is the config for my DMZ ACL:

access-list DMZ-In extended permit ip object 10.104.1.0 object DC1
access-list DMZ-In extended permit icmp any any
access-list DMZ-In extended deny ip any 10.104.0.0 255.255.0.0
access-list DMZ-In extended permit ip any any

I've got it set right now to allow all traffic from the 10.104.1.0 network to DC1, and of course DNS will resolve. But I would like to tighten that so no one could use that server to pivot into the rest of our network. The commands I thought would do the trick were:

access-list DMZ-In extended permit udp object 10.104.1.0 eq domain object DC1 eq domain
access-list DMZ-In extended permit tcp object 10.104.1.0 eq domain object DC1 eq domain

I've tried every combination of the two and they don't seem to work. Also worth noting: I confirmed the port used for DNS was 53, and when you put the number in for the ACL, it just converts it to domain. Do you guys have any ideas? Thanks in advance.

Accepted Solution

mattjones03
Level 1

Hi Brian,

Give the following a go:

access-list DMZ-In extended permit udp object 10.104.1.0 object DC1 eq domain
access-list DMZ-In extended permit tcp object 10.104.1.0 object DC1 eq domain

Your traffic will not be from source port domain, but it will be to destination port domain.

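To show why the first attempt fails and the accepted answer works, here is an added example (not code from the thread or from Cisco): a small first-match evaluator for ASA-style extended ACL lines, run over the three ACLs from this thread with a few constructed flows. It is a simplified model of the ASA's ACL evaluation, not the ASA itself, and the object definitions are assumptions, since the thread never shows the "object network" commands behind the names: the object named 10.104.1.0 is taken to be the DMZ subnet 10.104.1.0/24 and DC1 the host 10.104.0.10. The DMZ host address 10.104.1.5 and the external resolver 192.0.2.53 (a documentation address) are likewise constructed.

```python
import ipaddress

# Assumed object definitions (the thread never shows the "object network" commands).
OBJECTS = {
    "10.104.1.0": ipaddress.ip_network("10.104.1.0/24"),  # assumed: the DMZ subnet
    "DC1": ipaddress.ip_network("10.104.0.10/32"),        # assumed: the internal DNS server
}
PORT_NAMES = {"domain": 53}  # the ASA displays port 53 as the keyword "domain"


def _parse_addr(t, i):
    """Parse one address term at t[i]: any | object NAME | host IP | NET MASK."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "object":
        return OBJECTS[t[i + 1]], i + 2
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(t[i] + "/" + t[i + 1]), i + 2  # "network mask" form


def _parse_port(t, i):
    """Parse an optional 'eq PORT' at t[i]; return (port or None, next index)."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i


def parse_ace(line):
    """access-list NAME extended ACTION PROTO SRC [eq PORT] DST [eq PORT]"""
    t = line.split()
    if t[0] != "access-list" or t[2] != "extended":
        raise ValueError("not an extended ACE: " + line)
    src, i = _parse_addr(t, 5)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)
    return {"action": t[3], "proto": t[4], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, flow):
    """flow = (proto, src ip, src port, dst ip, dst port); 'ip' matches any protocol."""
    proto, sip, sport, dip, dport = flow
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(sip) not in ace["src"] or ipaddress.ip_address(dip) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return True


def evaluate(acl, flow):
    """First matching entry wins. Returns (action, 1-based line of the matching entry);
    no match at all ends in the ASA's implicit deny, reported as ("deny", None)."""
    for n, line in enumerate(acl, 1):
        ace = parse_ace(line)
        if ace_matches(ace, flow):
            return ace["action"], n
    return "deny", None


# The ACL as originally posted: any IP from the DMZ subnet to DC1.
OPEN_ACL = [
    "access-list DMZ-In extended permit ip object 10.104.1.0 object DC1",
    "access-list DMZ-In extended permit icmp any any",
    "access-list DMZ-In extended deny ip any 10.104.0.0 255.255.0.0",
    "access-list DMZ-In extended permit ip any any",
]
TAIL = OPEN_ACL[1:]
# The first attempt: also requires SOURCE port 53, which a querying client never uses.
BROKEN_ACL = [
    "access-list DMZ-In extended permit udp object 10.104.1.0 eq domain object DC1 eq domain",
    "access-list DMZ-In extended permit tcp object 10.104.1.0 eq domain object DC1 eq domain",
] + TAIL
# The accepted answer: destination port only.
FIXED_ACL = [
    "access-list DMZ-In extended permit udp object 10.104.1.0 object DC1 eq domain",
    "access-list DMZ-In extended permit tcp object 10.104.1.0 object DC1 eq domain",
] + TAIL

# Constructed flows; the DMZ host uses an ephemeral source port, as a real stub resolver does.
DNS_QUERY = ("udp", "10.104.1.5", 51234, "10.104.0.10", 53)
DNS_TCP = ("tcp", "10.104.1.5", 40001, "10.104.0.10", 53)    # large answers / zone transfers
SMB_PIVOT = ("tcp", "10.104.1.5", 40002, "10.104.0.10", 445)  # what the tightening should stop
EXT_DNS = ("udp", "10.104.1.5", 51235, "192.0.2.53", 53)      # documentation-range resolver

if __name__ == "__main__":
    for name, acl in (("open", OPEN_ACL), ("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        for label, flow in (("dns/udp", DNS_QUERY), ("dns/tcp", DNS_TCP),
                            ("smb pivot", SMB_PIVOT), ("ext dns", EXT_DNS)):
            print(f"{name:6} {label:10} -> {evaluate(acl, flow)}")
```

Two things the run makes visible: with the broken ACL the DNS query never matches the UDP or TCP entry (source port is 51234, not 53) and falls through to the deny for 10.104.0.0/16, whereas with the open ACL the SMB flow to DC1 is permitted by line 1, which is exactly the pivot path the question is worried about. The fixed ACL permits only port 53 toward DC1 and still lets DMZ hosts reach an external resolver through the final permit ip any any. The ASA is stateful, so the DNS reply from DC1 rides the existing connection entry and needs no reverse ACL entry. On the firewall itself the equivalent check is packet-tracer, e.g. packet-tracer input DMZ udp 10.104.1.5 51234 10.104.0.10 53 (the interface name DMZ is assumed).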

3 Replies


Nice and simple, thanks for the tip!

You're welcome.
