03-15-2017 12:32 PM - edited 03-12-2019 02:04 AM
Hi,
I am trying to limit all of my DNS queries from my inside network to only go to certain DNS servers on the internet and deny any other DNS request. So in the ASDM I created 2 network objects and created a network group with the 2 DNS servers I want to use.
Currently the only ACL I see in the ASDM below the inside interface is the implicit rule: permit all traffic to less secure networks etc.
What would be the best way for me to block all DNS traffic going to any other DNS servers except the ones I permit?
03-15-2017 02:10 PM
Let's assume you want to permit DNS traffic only to 8.8.8.8:
access-list inside_in extended permit udp any host 8.8.8.8 eq 53
access-list inside_in extended deny udp any any eq 53
access-list inside_in extended permit ip any any
access-group inside_in in interface inside
--
Please remember to select a correct answer and rate helpful posts
03-15-2017 02:12 PM
object-group network DNS-SERVER
 host 208.67.222.222
 host 208.67.220.220
!
object-group service DNS-PORTS
 service-object udp destination eq 53
 service-object tcp destination eq 53
!
access-list INSIDE-ACCESS-IN remark DNS allowed only to the resolvers in DNS-SERVER
access-list INSIDE-ACCESS-IN extended permit object-group DNS-PORTS any object-group DNS-SERVER
access-list INSIDE-ACCESS-IN extended deny object-group DNS-PORTS any any
access-list INSIDE-ACCESS-IN remark everything else keeps the default inside-to-outside behaviour
access-list INSIDE-ACCESS-IN extended permit ip any any
!
access-group INSIDE-ACCESS-IN in interface inside
03-17-2023 01:50 AM
Correct, you need both TCP and UDP for DNS (zone transfers, queries above 128 bytes (large records)).
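The ACLs in the two answers above, and the TCP point in the last reply, can be checked without a firewall by modelling how the ASA walks an interface ACL: top to bottom, first match wins, implicit deny at the end once an explicit ACL is applied. The following is an added example written for this page, not code from any of the posters or from Cisco. The `Ace`, `Flow`, `evaluate` and `build_dns_acl` names are this example's own; the resolver addresses are the ones used in the answers and the queried flows are constructed test data.

```python
"""First-match model of the ASA inside ACLs posted in this thread.

Added example for this page, not code from the original posts or from Cisco.
It mimics how the ASA walks an interface ACL top to bottom and stops at the
first matching ACE, with the implicit deny at the end of an explicit ACL,
so the ordering and TCP/UDP coverage of the posted ACLs can be checked
offline. Servers and flows are constructed test data (8.8.8.8 and the
208.67.x.x addresses are the ones used in the answers).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "udp", "tcp" or "ip" (ip matches any protocol)
    dst: str              # "any" or a host/CIDR string
    dport: Optional[int]  # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str
    dport: int


def matches(ace: Ace, flow: Flow) -> bool:
    """One ACE matches when protocol, destination and port all agree (source is 'any' throughout)."""
    if ace.proto != "ip" and ace.proto != flow.proto:
        return False
    if ace.dst != "any" and ip_address(flow.dst) not in ip_network(ace.dst):
        return False
    if ace.dport is not None and ace.dport != flow.dport:
        return False
    return True


def evaluate(acl: list[Ace], flow: Flow) -> str:
    """First match wins; an explicit ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace, flow):
            return ace.action
    return "deny"


def build_dns_acl(servers: list[str], protocols: list[str]) -> list[Ace]:
    """Build the shape both answers use: permit DNS to the listed servers,
    deny DNS to everyone else, then restore the permit-everything behaviour
    the inside interface had before an ACL was applied. Object groups are
    expanded into one ACE per (protocol, server), as the ASA does internally."""
    acl = [Ace("permit", p, s, 53) for p in protocols for s in servers]
    acl += [Ace("deny", p, "any", 53) for p in protocols]
    acl.append(Ace("permit", "ip", "any", None))
    return acl


# First answer: UDP only, one resolver.
ACL_UDP_ONLY = build_dns_acl(["8.8.8.8"], ["udp"])

# Second answer: TCP and UDP, two resolvers.
ACL_TCP_UDP = build_dns_acl(["208.67.222.222", "208.67.220.220"], ["udp", "tcp"])

# Common mistake (constructed for this example): the deny entered before the permit.
ACL_MISORDERED = [
    Ace("deny", "udp", "any", 53),
    Ace("permit", "udp", "8.8.8.8", 53),
    Ace("permit", "ip", "any", None),
]


def dns_verdicts(acl: list[Ace], server: str) -> dict:
    """Verdict for a UDP and a TCP query to one server, as the firewall would decide it."""
    return {p: evaluate(acl, Flow(p, server, 53)) for p in ("udp", "tcp")}


if __name__ == "__main__":
    for name, acl in [("udp-only", ACL_UDP_ONLY), ("tcp+udp", ACL_TCP_UDP), ("misordered", ACL_MISORDERED)]:
        for server in ("8.8.8.8", "208.67.222.222", "1.1.1.1"):
            print(f"{name:10} -> {server:15} {dns_verdicts(acl, server)}")
        print(f"{name:10} -> 1.1.1.1:443/tcp   {evaluate(acl, Flow('tcp', '1.1.1.1', 443))}")
```

Running it shows the three behaviours worth knowing before pasting the config into ASDM: the UDP-only ACL still permits TCP/53 to any resolver (the gap the last reply describes), the TCP+UDP ACL denies port 53 everywhere except the two listed servers while leaving other traffic alone, and putting the deny line above the permit blocks DNS to the intended server as well. Filtering on port 53 only constrains classic DNS; a client that resolves over DNS-over-TLS or DNS-over-HTTPS is not covered by these rules.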