
dns client acl

curtmcgirt
Level 1

2921 router, acting as an NTP client and a DNS client. Setting up NTP told me my ACL needs to allow NTP back from the NTP server into the interface, so I did the same thing with DNS. 10.160.12.135 is the IP of the local interface.

I want the router 10.160.12.135 to be able to do nslookups on a DNS server, 10.160.12.6.

interface Port-channel15.1
description mgmt interface
encapsulation dot1Q 207
ip address 10.160.12.135 255.255.255.192
ip access-group MGMT in

Extended IP access list MGMT
10 permit tcp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq 22 log (618 matches)
20 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq snmp log (228 matches)
30 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq ntp (4623 matches)
35 permit icmp 10.0.0.0 0.255.255.255 host 10.160.12.135 (33 matches)
50 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq domain (5 matches)
99 deny ip any any log (2858 matches)

If the access list is removed from the interface, DNS lookups work against my DNS server 10.160.12.6. If the access list is applied IN on the interface, DNS lookups stop working. I can see the DNS traffic from my router passing through my firewall to the DNS server 10.160.12.6. This gets logged in the router:

Sep 21 10:21:22 Sierra: %SEC-6-IPACCESSLOGP: list MGMT denied udp 10.160.12.6(53) -> 10.160.12.135(58453), 1 packet

And the number of matches on 99 deny goes up.

Why is "inbound" DNS traffic not getting allowed by line 50 in my ACL?

7 Replies

Hi @curtmcgirt 

The clue is actually in the SYSLOG message. Source port is udp/53 (domain), destination port is 58453. Your ACL line number 50 is permitting destination port udp/50, not source port, so this does not match and is dropped on line 99. You would need to amend rule line 50 with the source as udp/50 (domain) and not specify the destination port.

HTH

curtmcgirt
Level 1

Seems odd to open up all UDP ports inbound just to make outbound DNS queries, but I'll buy it. I guess I can remove my SNMP and NTP specific ACL entries.

So the syntax is

50 permit udp 10.0.0.0 0.255.255.255 10.160.12.135

?

An ACL on a router is not stateful; the traffic being blocked is the return traffic from the DNS server.

curtmcgirt
Level 1

Looking at the DNS section of Cisco's "Configure Commonly Used IP ACLs":

https://www.cisco.com/c/en/us/support/docs/ip/access-lists/26448-ACLsamples.html#anc15

What is the difference in these two syntaxes:

access-list 102 permit udp any any eq domain 
access-list 102 permit udp any eq domain any

And would they work for my scenario? Why or why not?

Yes. The second line is essentially what I suggested - permit UDP from any source and source port 53 (domain) to any destination.

This is permitting the return traffic from the DNS server (with the DNS response), which is what the error message in your original post was indicating.

The second line still has "domain" in it. I thought your suggestion was to remove domain, i.e.

permit udp 10.0.0.0 0.255.255.255 10.160.12.135

Can you help me translate these to English in my head?

permit udp any any eq domain

I think means "permit udp 53 from any source to any destination".

Does

permit udp any eq domain any

mean "permit any udp from any source and permit 53 to any destination"?


My suggestion was to specify udp/50 as the source port, not the destination port. Your destination port will be dynamic, so you'd have to leave it as any.

It means permit udp from any source network on port 50 to any destination.
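The difference between the two Cisco syntaxes, and why the original line 50 sends the DNS reply to the deny at line 99, worked through with a small ACL evaluator. This is an added example, not code from the thread or from Cisco: it models only IPv4 addresses and the "eq" port operator, the ACL lines are the ones quoted above, and the packet is the one in the syslog message.

```python
import ipaddress
# Constructed evaluator for Cisco IOS extended-ACL entries of the form
#   [seq | access-list N] permit|deny <proto> <src> [eq <port>] <dst> [eq <port>] [log] [(N matches)]
# where an address is 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
PORT_NAMES = {"domain": 53, "ntp": 123, "snmp": 161, "ssh": 22}
def _ip(s):
    return int(ipaddress.IPv4Address(s))
def parse_ace(line):
    toks = line.split()
    if toks[0] == "access-list":               # numbered form: 'access-list 102 permit ...'
        toks = toks[2:]
    elif toks[0].isdigit():                    # sequence number from 'show access-list'
        toks = toks[1:]
    ace, pos = {"action": toks[0], "proto": toks[1]}, 2
    for side in ("src", "dst"):                # address as (network, wildcard), then optional 'eq'
        if toks[pos] == "any":
            ace[side], pos = (0, 0xFFFFFFFF), pos + 1
        elif toks[pos] == "host":
            ace[side], pos = (_ip(toks[pos + 1]), 0), pos + 2
        else:
            ace[side], pos = (_ip(toks[pos]), _ip(toks[pos + 1])), pos + 2
        ace[side + "_port"] = None             # None: any port
        if pos < len(toks) and toks[pos] == "eq":
            tok, pos = toks[pos + 1], pos + 2
            ace[side + "_port"] = int(tok) if tok.isdigit() else PORT_NAMES[tok]
    return ace

def _addr_ok(net_wc, ip):                      # wildcard bits set to 1 are not compared
    return ((_ip(ip) ^ net_wc[0]) & ~net_wc[1] & 0xFFFFFFFF) == 0

def ace_matches(ace, pkt):
    return (ace["proto"] in ("ip", pkt["proto"])
            and _addr_ok(ace["src"], pkt["src"]) and _addr_ok(ace["dst"], pkt["dst"])
            and ace["src_port"] in (None, pkt["sport"])
            and ace["dst_port"] in (None, pkt["dport"]))

def evaluate(acl_lines, pkt):
    """First matching entry wins; every IOS ACL ends with an implicit 'deny ip any any'."""
    for line in acl_lines:
        ace = parse_ace(line)
        if ace_matches(ace, pkt):
            return ace["action"], line
    return "deny", "implicit deny"
# The DNS reply from the syslog in the question: 10.160.12.6(53) -> 10.160.12.135(58453)
DNS_REPLY = {"proto": "udp", "src": "10.160.12.6", "sport": 53,
             "dst": "10.160.12.135", "dport": 58453}
ORIGINAL_50 = "50 permit udp 10.0.0.0 0.255.255.255 host 10.160.12.135 eq domain"
FIXED_50 = "50 permit udp 10.0.0.0 0.255.255.255 eq domain host 10.160.12.135"
DENY_99 = "99 deny ip any any log (2858 matches)"
```

evaluate([ORIGINAL_50, DENY_99], DNS_REPLY) lands on line 99 because "eq domain" after the destination only matches packets sent to port 53, while evaluate([FIXED_50, DENY_99], DNS_REPLY) permits the reply because the source port is now the one compared; the same contrast holds for the two access-list 102 lines.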
