Locking down port 53 for Outbound Traffic

I have what I believe to be an easy question.  I want to lock down port 53 for outbound access to 3 of our internal DNS servers so that they're the only hosts that can service requests in the outbound direction.  Any other host that attempts to service DNS queries outbound should be blocked.  How would I accomplish this?  Would it be as simple as creating an ACL on the inside interface?

Regards,

Terence


5 Replies

Jouni Forss
VIP Alumni

Hi,

The exact configuration needed depends on the current network setup.

  • Do you have multiple LAN/DMZ interfaces on the ASA?
  • If the above is true, then are the DNS servers behind a different interface than the users?

If you wanted to only allow DNS traffic outbound for the DNS servers you could use the following ACL format. This configuration should apply if your users and servers are behind the same interface and also if the servers were behind their own interface on the ASA. Though in that case you would need a different ACL for the interface with users behind it (look below).

object-group network INTERNAL-DNS-SERVERS
 description Internal DNS servers
 network-object host 10.10.10.10
 network-object host 10.10.10.11
 network-object host 10.10.10.12

access-list INSIDE-IN remark Allow DNS traffic for Internal DNS servers
access-list INSIDE-IN permit udp object-group INTERNAL-DNS-SERVERS any eq 53
access-list INSIDE-IN permit tcp object-group INTERNAL-DNS-SERVERS any eq 53
access-list INSIDE-IN remark Block all other DNS traffic
access-list INSIDE-IN deny udp any any eq 53
access-list INSIDE-IN deny tcp any any eq 53
access-list INSIDE-IN remark Other firewall rules

You would have to make sure that you enter these rules to the top of the ACL so that no other rule would override what they do.

Then again, if you had a situation where you had users behind another interface, then you would have to build their ACL a bit differently:

object-group network INTERNAL-DNS-SERVERS
 description Internal DNS servers
 network-object host 10.10.10.10
 network-object host 10.10.10.11
 network-object host 10.10.10.12

access-list LAN-IN remark Allow DNS traffic to Internal DNS servers
access-list LAN-IN permit udp any object-group INTERNAL-DNS-SERVERS eq 53
access-list LAN-IN permit tcp any object-group INTERNAL-DNS-SERVERS eq 53
access-list LAN-IN remark Block all other DNS traffic
access-list LAN-IN deny udp any any eq 53
access-list LAN-IN deny tcp any any eq 53
access-list LAN-IN remark Other firewall rules

With the above ACL inserted at the top of the existing ACL, you would allow DNS traffic to your internal DNS servers and then block all other DNS traffic.

Hope this helps

Feel free to ask more if needed though

- Jouni
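The ordering point Jouni makes (the DNS rules must sit above any broad permit, since ASA interface ACLs are first-match) can be checked offline. The following is an added example, not part of the thread or any Cisco tool: a small first-match model of the INSIDE-IN ACL, run over constructed sample flows, with a second rule order that shows how a preceding "permit ip any any" shadows the DNS deny.

```python
# Added example: first-match model of the INSIDE-IN ACL from the thread.
# Addresses, rule tuples and sample flows are constructed for illustration.
from dataclasses import dataclass

# Mirrors object-group network INTERNAL-DNS-SERVERS
INTERNAL_DNS_SERVERS = {"10.10.10.10", "10.10.10.11", "10.10.10.12"}


@dataclass(frozen=True)
class Flow:
    proto: str   # "udp" or "tcp"
    src: str
    dst: str
    dport: int


def rule(action, proto, src=None, dst=None, dport=None):
    """One ACE: None for src/dst/dport means 'any' (as in the ASA ACL)."""
    return (action, proto, src, dst, dport)


# Same order as Jouni's ACL; the last entry stands in for "other firewall rules"
INSIDE_IN = [
    rule("permit", "udp", src=INTERNAL_DNS_SERVERS, dport=53),
    rule("permit", "tcp", src=INTERNAL_DNS_SERVERS, dport=53),
    rule("deny", "udp", dport=53),
    rule("deny", "tcp", dport=53),
    rule("permit", "ip"),
]

# Wrong order: the DNS rules appended *after* the broad permit never match
SHADOWED = INSIDE_IN[-1:] + INSIDE_IN[:-1]


def matches(r, f):
    action, proto, src, dst, dport = r
    if proto != "ip" and proto != f.proto:
        return False
    if src is not None and f.src not in src:
        return False
    if dst is not None and f.dst not in dst:
        return False
    return dport is None or f.dport == dport


def evaluate(acl, flow):
    """First matching ACE wins; an ASA ACL ends with an implicit deny."""
    for r in acl:
        if matches(r, flow):
            return r[0]
    return "deny"


def audit_dns(acl):
    """Verdicts for constructed flows: DNS servers, a client, non-DNS traffic."""
    samples = {
        "dns_server_udp": Flow("udp", "10.10.10.10", "203.0.113.53", 53),
        "dns_server_tcp": Flow("tcp", "10.10.10.12", "203.0.113.53", 53),
        "client_udp": Flow("udp", "10.10.20.50", "203.0.113.53", 53),
        "client_tcp": Flow("tcp", "10.10.20.50", "198.51.100.9", 53),
        "client_https": Flow("tcp", "10.10.20.50", "198.51.100.9", 443),
    }
    return {name: evaluate(acl, f) for name, f in samples.items()}
```

Comparing audit_dns(INSIDE_IN) with audit_dns(SHADOWED) shows the client's port 53 traffic flipping from deny to permit when the DNS rules are not at the top, which is the mistake the "line N" insertion in the accepted answer avoids.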

Jouni,

Thanks for your response. We have a single LAN interface and a single DMZ interface, but no users are behind the DMZ. We actually use this DMZ interface as a VPN passthrough for a third failover link in the event that both our WAN links to a vendor fail. Then all traffic would route through the DMZ interface from the Internet back to our vendor. So since our firewall contains all of our users behind the inside interface, I should be ok with implementing the above ACLs to my firewall? Wouldn't I have to apply this with the access-group command as well?

Hi,

So if users and servers are behind the same interface then it means that the users' DNS queries to the internal servers are not seen by the ASA. So we don't have a risk of blocking DNS traffic between users and servers.

The below partial ACL should accomplish what you want.

  • It first creates an "object-group" that groups your Internal DNS servers
  • We then allow TCP/UDP/53 only from the DNS servers defined in the "object-group" we created.
  • We then block ALL other TCP/UDP/53 traffic

object-group network INTERNAL-DNS-SERVERS
 description Internal DNS servers
 network-object host 10.10.10.10
 network-object host 10.10.10.11
 network-object host 10.10.10.12

access-list INSIDE-IN remark Allow DNS traffic for Internal DNS servers
access-list INSIDE-IN permit udp object-group INTERNAL-DNS-SERVERS any eq 53
access-list INSIDE-IN permit tcp object-group INTERNAL-DNS-SERVERS any eq 53
access-list INSIDE-IN remark Block all other DNS traffic
access-list INSIDE-IN deny udp any any eq 53
access-list INSIDE-IN deny tcp any any eq 53
access-list INSIDE-IN remark Other firewall rules

access-group INSIDE-IN in interface inside

And yes, you would need to attach the ACL with the "access-group" command. But then again I presume you already have an interface ACL, correct? If not, then you would naturally continue the above ACL with statements that allow all other traffic, or you would block traffic from your LAN.

If you have an existing ACL named "INSIDE-IN", for example, then you would add the above with "line" numbers to the top of the ACL like this:

access-list INSIDE-IN line 1 remark Allow DNS traffic for Internal DNS servers
access-list INSIDE-IN line 2 permit udp object-group INTERNAL-DNS-SERVERS any eq 53
access-list INSIDE-IN line 3 permit tcp object-group INTERNAL-DNS-SERVERS any eq 53
access-list INSIDE-IN line 4 remark Block all other DNS traffic
access-list INSIDE-IN line 5 deny udp any any eq 53
access-list INSIDE-IN line 6 deny tcp any any eq 53
access-list INSIDE-IN line 7 remark Other firewall rules

- Jouni

Awesome,

That's exactly what I needed to know. Thanks Jouni, and I'll rate the post once I confirm that all is working without any issues.

Regards,

Terence

Jouni,

I tested out the above config and it works in my lab environment. I'll implement the config change on Monday. Thanks again for your help!

Regards,

Terence
