Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5167
Views
11
Helpful
3
Replies

Cisco ASA Create ACL for DNS

Go to solution
Louis Adams
Level 1
Level 1

‎03-15-2017 12:32 PM - edited ‎03-12-2019 02:04 AM

Hi,

I am trying to limit all of my DNS queries from my inside network to only go to certain DNS Servers on the internet and deny any other DNS request.  So in the ASDM I crated 2 network objects and created a network group with the 2 DNS servers I want to use.

Currently the only ACL I see in the asdm below the inside interface is the implicit rule: permit all traffic to less secure networks etc.

what would be the best way for me to block all dns traffic going to any other DNS servers except the ones I permit? 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎03-15-2017 02:10 PM

lets assume you want to permit dns traffic only to 8.8.8.8

access-list inside_in extended permit udp any host 8.8.8.8. eq 53

access-list inside_in extended deny udp any any eq 53

access-list inside_in extended permit ip any any

access-group inside_in interface inside

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Marius Gunnerud
VIP
VIP

‎03-15-2017 02:10 PM

lets assume you want to permit dns traffic only to 8.8.8.8

access-list inside_in extended permit udp any host 8.8.8.8. eq 53

access-list inside_in extended deny udp any any eq 53

access-list inside_in extended permit ip any any

access-group inside_in interface inside

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP

‎03-15-2017 02:12 PM 

object-group network DNS-SERVER
 host 208.67.222.222
 host 208.67.220.220
!
object-group service DNS-PORTS
 service udp destination eq 53
 service tcp destination eq 53
!
access-list INSIDE-ACCESS-IN permit object-group DNS-PORTS any object-group DNS-SERVER
access-list INSIDE-ACCESS-IN deny object-group DNS-PORTS any any
access-list INSIDE-ACCESS-IN permit ip any any

Go to solution
BrianSekleckiGE
Level 1
Level 1
In response to Karsten Iwen

‎03-17-2023 01:50 AM

Correct, need both TCP and UDP for DNS (zone transfers, queries above 128 bytes (large records))

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card