09-28-2012 02:59 PM - edited 03-11-2019 05:01 PM
Hello All,
I'm having some issues with an access control list that is blocking incoming DNS from OpenDNS.com. I have this ACL applied to incoming traffic on the Gi0/0 interface that is attached to our ADSL modem. I am using c1900-universalk9-mz.SPA.152-4.M1.bin as my System File.
The Juicy Details:
ip name-server 208.67.220.220
ip name-server 208.67.222.222
SFCISCO#sh ip access-lists FROMINTERNET
Extended IP access list FROMINTERNET
10 permit tcp host 208.67.220.220 any eq domain
20 permit udp host 208.67.220.220 any eq domain
30 permit tcp host 208.67.222.222 any eq domain
40 permit udp host 208.67.222.222 any eq domain
.........BREAK.......................
900 deny ip any any log
SFCISCO#terminal monitor
SFCISCO#ping www.ebay.com
Translating "www.ebay.com"...domain server (208.67.220.220) (208.67.222.222)
% Unrecognized host or address, or protocol not running.
Sep 28 21:36:06.654: %SEC-6-IPACCESSLOGP: list FROMINTERNET denied udp 208.67.220.220(53) -> X.X.X.X(51303), 5 packets
Sep 28 21:36:06.654: %SEC-6-IPACCESSLOGP: list FROMINTERNET denied udp 208.67.222.222(53) -> X.X.X.X(62144), 5 packets
---------
However if I modify the ACL to have these commands the DNS request resolves the IP address normally
10 permit ip host 208.67.220.220 any log
20 permit ip host 208.67.222.222 any log
SFCISCO#ping www.yahoo.com
Translating "www.yahoo.com"...domain server (208.67.220.220) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 72.30.38.140, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 364/395/420 ms
Sep 28 21:53:56.627: %SEC-6-IPACCESSLOGP: list FROMINTERNET permitted udp 208.67.220.220(53) -> X.X.X.X(49156), 1 packet
Any reason why eq domain would not be working?
Thanks for your help in advance!
-Chellis
09-29-2012 01:19 AM
The answers for the DNS-queries will always come *from* port 53, so the Incoming ACL should look like this:
10 permit tcp host 208.67.220.220 eq 53 any
20 permit udp host 208.67.220.220 eq 53 any
30 permit tcp host 208.67.222.222 eq 53 any
40 permit udp host 208.67.222.222 eq 53 any
As this router is directly connected to the internet, the better solution would be to configure the IOS firewall where the return-traffic would be allowed automatically (Sec License needed):
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
ip access-list extended INTERNET-IN
deny ip any any
int gig 0/0
descr Connection to internet
ip access-group INTERNET-IN in
ip inspect FW out
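The source-port point above, worked through as an added example that is not part of the thread or of Cisco's own tooling: a small Python model of IOS extended-ACL matching (first match wins, implicit deny at the end) is run over the original ACL, the corrected ACL and packets constructed from the thread's own log lines. The router's WAN address 203.0.113.10 stands in for the X.X.X.X in the logs and is an assumption, as is the SNMP port used for the third packet. A toy session table stands in for "ip inspect ... router-traffic" to show the difference between the two fixes: the stateless ACL admits any packet from an OpenDNS address whose source port is 53, whatever port on the router it targets, while inspection only admits replies to queries the router actually sent.

```python
"""Stateless ACL vs stateful inspection for DNS replies (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" | "udp" | "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'. Returns (network, rest)."""
    if tokens[0] == "any":
        return ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[0], tokens[1]                  # wildcard mask, assumed contiguous
    prefix = 32 - int(ip_address(wild)).bit_length()
    return ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def _parse_port(tokens):
    """Consume an optional 'eq <port>' qualifier. Returns (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return (53 if tokens[1] == "domain" else int(tokens[1])), tokens[2:]
    return None, tokens


def parse_ace(line):
    """Parse '[seq] permit|deny <proto> <src> [eq P] <dst> [eq P] [log]' into a dict."""
    tokens = line.split()
    if tokens[0].isdigit():                            # leading sequence number
        tokens = tokens[1:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, rest = _parse_addr(rest)
    sport, rest = _parse_port(rest)                    # port after the SOURCE = source port
    dst, rest = _parse_addr(rest)
    dport, rest = _parse_port(rest)                    # port after the DESTINATION = dest port
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, pkt):
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ip_address(pkt.src) not in ace["src"] or ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and pkt.sport != ace["sport"]:
        return False
    return ace["dport"] is None or pkt.dport == ace["dport"]


def acl_decision(acl_lines, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny, as on IOS."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"


class InspectTable:
    """Toy stand-in for 'ip inspect FW out' with router-traffic: outbound sessions seen on
    the interface are recorded and their exact reverse 5-tuple bypasses the inbound ACL."""
    def __init__(self):
        self.sessions = set()

    def outbound(self, pkt):
        self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def allows_reply(self, pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def inbound_decision(acl_lines, inspect, pkt):
    if inspect is not None and inspect.allows_reply(pkt):
        return "permit"
    return acl_decision(acl_lines, pkt)


ROUTER_WAN = "203.0.113.10"   # assumption: stands in for X.X.X.X in the thread's logs

ORIGINAL_ACL = ["10 permit tcp host 208.67.220.220 any eq domain",
                "20 permit udp host 208.67.220.220 any eq domain",
                "30 permit tcp host 208.67.222.222 any eq domain",
                "40 permit udp host 208.67.222.222 any eq domain",
                "900 deny ip any any log"]
FIXED_ACL = ["10 permit tcp host 208.67.220.220 eq 53 any",
             "20 permit udp host 208.67.220.220 eq 53 any",
             "30 permit tcp host 208.67.222.222 eq 53 any",
             "40 permit udp host 208.67.222.222 eq 53 any",
             "900 deny ip any any log"]
INSPECT_ACL = ["deny ip any any"]                     # the INTERNET-IN list from the reply

# Constructed packets: the query the router sent, the reply from the thread's log line
# (udp 208.67.220.220(53) -> X.X.X.X(51303)), and a packet from the same address with
# source port 53 aimed at SNMP on the router (port 161 is an assumption).
DNS_QUERY = Packet("udp", ROUTER_WAN, 51303, "208.67.220.220", 53)
DNS_REPLY = Packet("udp", "208.67.220.220", 53, ROUTER_WAN, 51303)
FROM_53_TO_SNMP = Packet("udp", "208.67.220.220", 53, ROUTER_WAN, 161)


def stateful_session():
    """Record the router's own query, as 'router-traffic' inspection would."""
    table = InspectTable()
    table.outbound(DNS_QUERY)
    return table


if __name__ == "__main__":
    print("original ACL, DNS reply:", acl_decision(ORIGINAL_ACL, DNS_REPLY))
    print("fixed ACL, DNS reply:   ", acl_decision(FIXED_ACL, DNS_REPLY))
    print("fixed ACL, port 53->161:", acl_decision(FIXED_ACL, FROM_53_TO_SNMP))
    t = stateful_session()
    print("inspect, DNS reply:     ", inbound_decision(INSPECT_ACL, t, DNS_REPLY))
    print("inspect, port 53->161:  ", inbound_decision(INSPECT_ACL, t, FROM_53_TO_SNMP))
```

The first two results reproduce the thread: with "any eq domain" the port test is applied to the reply's destination port (the ephemeral 51303) and line 900 logs the deny, while "eq 53 any" tests the source port and permits it. The third result is the caveat a stateless fix carries: the ACL cannot tell a real reply from any other packet that happens to arrive from that address with source port 53, which is the reason the reply above recommends inspection when the license allows it.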
09-28-2012 03:05 PM
Also, to further clarify: I can ping websites by IP address; however, DNS is hitting our deny ip any any at the bottom of our internet ACL when it comes back in. There is no ACL applied to traffic coming into the Gi 0/0 interface that would be causing any problems.
09-28-2012 11:28 PM
Hello Chellis,
Could you try the following ACL and let me know the results
permit udp host 208.67.220.220 any eq domain
permit udp host 208.67.220.220 eq domain any
permit tcp host 208.67.220.220 any eq domain
permit tcp host 208.67.220.220 eq domain any
Regards
Harish.
Please rate all helpful posts!
10-01-2012 08:27 AM
Thanks, it's been a few years since I've written an ACL; I forgot the eq 53 needed to go into the source portion of the ACL. The Sec License is out of the question as this is a poor man's firewall. Thanks for your help, gents.
02-05-2014 08:43 AM
The Best reply for me.
If the DNS queries are generated from the router, the best practice is to configure ip inspect with the "router-traffic" final keyword.
Thank you very much
Great
Regards
Alessandro Bertacco