dns client acl

2921 router, acting as an NTP client and a DNS client. Setting up NTP told me my ACL needs to allow NTP back from the NTP server into the interface, so I did the same thing with DNS. is the IP of the local interface.


I want the router to be able to do nslookups on a DNS server.


interface Port-channel15.1
description mgmt interface
encapsulation dot1Q 207
ip address
ip access-group MGMT in


Extended IP access list MGMT
10 permit tcp host eq 22 log (618 matches)
20 permit udp host eq snmp log (228 matches)
30 permit udp host eq ntp (4623 matches)
35 permit icmp host (33 matches)
50 permit udp host eq domain (5 matches)
99 deny ip any any log (2858 matches)


If the access list is removed from the interface, DNS lookups work against my DNS server. If the access list is applied IN on the interface, DNS lookups stop working. I can see the DNS traffic from my router passing through my firewall to the DNS server. This gets logged in the router:


Sep 21 10:21:22 Sierra: %SEC-6-IPACCESSLOGP: list MGMT denied udp ->, 1 packet


and the number of matches on 99 deny goes up.


Why is "inbound" DNS traffic not getting allowed by line 50 in my ACL?

VIP Mentor

Hi @curtmcgirt 

The clue is actually in the SYSLOG message. Source Port is udp/53 (domain) destination port is 58453. Your ACL line number 50 is permitting destination port udp/50 not source port, so therefore this does not match and is dropped on line 99. You would need to amend rule line 50 with the source as udp/50 (domain) and don't specify the destination port.




Seems odd to open up all UDP ports inbound just to make outbound DNS queries, but I'll buy it. I guess I can remove my SNMP and NTP specific ACL entries.


So the syntax is

50 permit udp



VIP Mentor

An ACL on a router is not stateful, the traffic being blocked is the return traffic from the DNS server.


Looking at the DNS section of Cisco's "Configure Commonly Used IP ACLs":


What is the difference in these two syntaxes:

access-list 102 permit udp any any eq domain 
access-list 102 permit udp any eq domain any

and would they work for my scenario? Why or why not?

VIP Mentor

Yes. The second line is essentially what I suggested - permit UDP from any source and source port 53 (domain) to any destination

This is permitting the return traffic from the DNS server (with the DNS response), which is what the error message in your original post was indicating.


The second line still has "domain" in it. I thought your suggestion was to remove domain, i.e.

permit udp


Can you help me translate these to English in my head?


permit udp any any eq domain

I think this means "permit UDP 53 from any source to any destination".



permit udp any eq domain any

means "permit any UDP from any source and permit 53 to any destination"?



VIP Mentor

My suggestion was to specify udp/50 as the source port not the destination port. Your destination port will be dynamic, so you'd have to leave it as any.


It means permit udp from any source network on port 50 to any destination. 
