Beginner

dns client acl

2921 router, acting as an NTP client and a DNS client. Setting up NTP taught me that my ACL needs to allow NTP back from the NTP server into the interface, so I did the same thing for DNS. 10.160.12.135 is the IP of the local interface.

 

I want the router 10.160.12.135 to be able to do nslookups against a DNS server, 10.160.12.6.

 

interface Port-channel15.1
description mgmt interface
encapsulation dot1Q 207
ip address 10.160.12.135 255.255.255.192
ip access-group MGMT in

 

Extended IP access list MGMT
10 permit tcp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq 22 log (618 matches)
20 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq snmp log (228 matches)
30 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq ntp (4623 matches)
35 permit icmp 10.0.0.0 0.255.255.255 host 10.160.12.135 (33 matches)
50 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq domain (5 matches)
99 deny ip any any log (2858 matches)

 

If the access list is removed from the interface, DNS lookups work against my DNS server 10.160.12.6. If the access list is applied IN on the interface, DNS lookups stop working. I can see the DNS traffic from my router passing through my firewall to the DNS server 10.160.12.6. This gets logged on the router:

 

Sep 21 10:21:22 Sierra: %SEC-6-IPACCESSLOGP: list MGMT denied udp 10.160.12.6(53) -> 10.160.12.135(58453), 1 packet

 

and the number of matches on the line 99 deny goes up.

 

Why is "inbound" DNS traffic not getting allowed by line 50 in my ACL?

VIP Mentor

Hi @curtmcgirt 

The clue is actually in the syslog message. The source port is udp/53 (domain); the destination port is 58453. Your ACL line 50 permits destination port udp/53, not source port, so the reply does not match and is dropped on line 99. You would need to amend line 50 with udp/53 (domain) as the source port and not specify the destination port.

 

HTH

Beginner

Seems odd to open up all UDP ports inbound just to make outbound DNS queries, but I'll buy it. I guess I can remove my SNMP- and NTP-specific ACL entries.

 

So the syntax is

50 permit udp 10.0.0.0 0.255.255.255 10.160.12.135

 

?

VIP Mentor

An ACL on a router is not stateful, the traffic being blocked is the return traffic from the DNS server.

Beginner

Looking at the DNS section of Cisco's "Configure Commonly Used IP ACLs":

 

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc15

 

What is the difference between these two syntaxes:

access-list 102 permit udp any any eq domain 
access-list 102 permit udp any eq domain any

And would they work for my scenario? Why or why not?

VIP Mentor

Yes. The second line is essentially what I suggested: permit UDP from any source with source port 53 (domain) to any destination.

This is permitting the return traffic from the DNS server (with the DNS response), which is what the error message in your original post was indicating.


The second line still has "domain" in it. I thought your suggestion was to remove "domain", i.e.

permit udp 10.0.0.0 0.255.255.255 10.160.12.135

 

Can you help me translate these into English in my head?

 

permit udp any any eq domain

I think this means "permit UDP 53 from any source to any destination".

 

Does

permit udp any eq domain any

mean "permit any UDP from any source, and permit 53 to any destination"?

 

 

VIP Mentor

My suggestion was to specify udp/53 as the source port, not the destination port. Your destination port will be dynamic, so you'd have to leave it as any.

 

It means "permit UDP from any source network with source port 53 to any destination".
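The whole exchange above comes down to how an IOS extended ACL is matched: top-down, first match wins, stateless, with an implicit deny at the end, and with the `eq` that follows the source address applying to the source port while the `eq` that follows the destination address applies to the destination port. The following Python model, added here as an illustration and not code from the thread or from Cisco, parses the MGMT list exactly as posted, runs the logged DNS reply (src 10.160.12.6 udp/53, dst 10.160.12.135 udp/58453) through it, then through a corrected line 50 and through the two lines quoted from the Cisco document. The NTP server address 10.160.12.7 used for the NTP comparison is constructed for the example; the thread never names that server.

```python
"""Model of Cisco IOS extended-ACL matching (subset used in the thread).

Added example, not the router's or Cisco's code. Supports: optional sequence
number, permit/deny, proto (ip|tcp|udp|icmp), address specs 'any', 'host A',
'A WILDCARD', optional 'eq PORT' after either address, trailing 'log', and the
'(N matches)' suffix that 'show access-lists' appends.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PORT_NAMES = {"domain": 53, "ntp": 123, "snmp": 161, "ssh": 22}
ALL_ONES = 0xFFFFFFFF


def _port(tok: str) -> int:
    return PORT_NAMES.get(tok) or int(tok)


def _addr(toks, i) -> Tuple[Tuple[int, int], int]:
    """Consume an address spec at toks[i]; return ((address, wildcard), next_index)."""
    if toks[i] == "any":
        return (0, ALL_ONES), i + 1
    if toks[i] == "host":
        return (int(ipaddress.IPv4Address(toks[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(toks[i])),
            int(ipaddress.IPv4Address(toks[i + 1]))), i + 2


def _maybe_port(toks, i) -> Tuple[Optional[int], int]:
    if i < len(toks) and toks[i] == "eq":
        return _port(toks[i + 1]), i + 2
    return None, i


@dataclass
class Ace:
    seq: Optional[int]
    action: str
    proto: str
    src: Tuple[int, int]
    sport: Optional[int]   # 'eq' right after the SOURCE address
    dst: Tuple[int, int]
    dport: Optional[int]   # 'eq' right after the DESTINATION address
    text: str


def parse_ace(line: str) -> Ace:
    line = re.sub(r"\s*\(\d+ matches\)\s*$", "", line.strip())
    toks = line.split()
    seq = int(toks.pop(0)) if toks[0].isdigit() else None
    action, proto, i = toks[0], toks[1], 2
    src, i = _addr(toks, i)
    sport, i = _maybe_port(toks, i)
    dst, i = _addr(toks, i)
    dport, i = _maybe_port(toks, i)
    return Ace(seq, action, proto, src, sport, dst, dport, line)


def _ip_match(spec: Tuple[int, int], ip: int) -> bool:
    addr, wild = spec               # wildcard bit 1 = "don't care"
    return (ip ^ addr) & (~wild & ALL_ONES) == 0


def ace_matches(ace: Ace, pkt) -> bool:
    proto, sip, sport, dip, dport = pkt
    if ace.proto != "ip" and ace.proto != proto:
        return False
    if not _ip_match(ace.src, int(ipaddress.IPv4Address(sip))):
        return False
    if not _ip_match(ace.dst, int(ipaddress.IPv4Address(dip))):
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    return ace.dport is None or ace.dport == dport


def evaluate(acl_lines, pkt) -> Tuple[str, str]:
    """IOS semantics: top-down, first match wins, implicit deny if nothing matches."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace.action, ace.text
    return "deny", "implicit deny"


# The MGMT list exactly as posted (the parser strips the match counters).
MGMT_ACL = [
    "10 permit tcp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq 22 log (618 matches)",
    "20 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq snmp log (228 matches)",
    "30 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq ntp (4623 matches)",
    "35 permit icmp 10.0.0.0 0.255.255.255 host 10.160.12.135 (33 matches)",
    "50 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq domain (5 matches)",
    "99 deny ip any any log (2858 matches)",
]
# Corrected line 50: match the reply by SOURCE port 53 and pin the source to the DNS server.
FIXED_LINE_50 = "50 permit udp host 10.160.12.6 eq domain host 10.160.12.135"
FIXED_ACL = [FIXED_LINE_50 if l.startswith("50 ") else l for l in MGMT_ACL]

# The packet from the %SEC-6-IPACCESSLOGP message: (proto, src, sport, dst, dport).
DNS_REPLY = ("udp", "10.160.12.6", 53, "10.160.12.135", 58453)
# NTP is symmetric (123 -> 123), which is why 'eq ntp' on the destination happened
# to work. 10.160.12.7 as the NTP server is a constructed address for this example.
NTP_REPLY = ("udp", "10.160.12.7", 123, "10.160.12.135", 123)

if __name__ == "__main__":
    print("posted ACL, DNS reply :", evaluate(MGMT_ACL, DNS_REPLY))
    print("posted ACL, NTP reply :", evaluate(MGMT_ACL, NTP_REPLY))
    print("fixed ACL,  DNS reply :", evaluate(FIXED_ACL, DNS_REPLY))
    print("eq domain on dst      :", evaluate(["permit udp any any eq domain"], DNS_REPLY))
    print("eq domain on src      :", evaluate(["permit udp any eq domain any"], DNS_REPLY))
```

Two practitioner caveats that the model makes visible. First, `permit udp 10.0.0.0 0.255.255.255 eq domain host 10.160.12.135` admits any host in 10/8 that chooses source port 53 to reach any UDP port on the router, so pinning the source to `host 10.160.12.6` (as the corrected line above does) keeps the interface-protection list tight; the same applies to the NTP entry, which can be pinned to the NTP server. Second, the router ACL is stateless, as the thread says; if a stateful permit is really wanted, IOS reflexive ACLs (`reflect` on the outbound list, `evaluate` on the inbound one) are the feature designed for return traffic, which this example does not model.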
