ACL allowing udp 53 not allowing it

the-lebowski
Level 4

This is the ACL applied inbound on the WAN interface.  End user is having problems querying public DNS on UDP/53.  

    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 172.16.0.0 0.0.15.255 any
    30 deny ip 192.168.0.0 0.0.255.255 any (229 matches)
    40 deny ip host 255.255.255.255 any
    50 permit icmp any any echo (16 matches)
    60 permit icmp any any echo-reply (57 matches)
    70 permit icmp any any time-exceeded (142 matches)
    80 permit icmp any any unreachable (783 matches)
    90 permit icmp any any traceroute
    100 permit tcp object-group Public_IP host xxxxxxx eq 22
    110 permit icmp any any packet-too-big
    120 permit tcp any any established (1562026 matches)
    129 permit tcp any any eq domain (4311 matches)
    130 permit udp any any eq domain
    140 permit udp any any eq ntp (6 matches)
    150 permit udp any any eq isakmp (2787 matches)
    160 permit udp any any eq non500-isakmp (857 matches)
    170 permit esp any any (54104 matches)
    180 permit gre any any (45 matches)
    190 permit ip host xxxxxxxxx any
    200 permit ip host xxxxxxxxxxx any (3 matches)
    210 permit ip xxxxxxxxx.0 0.0.0.255 any (3511 matches)
    220 permit ip xxxxxxxx.0 0.0.0.255 any (482 matches)
    230 permit ip xxxxxxxx.0 0.0.15.255 any
    240 deny ip any any (7458 matches)

When it's applied (and it has been for a long time) dig from a linux host using UDP does not work:

15:42:17.245017 IP (tos 0x0, ttl 64, id 23959, offset 0, flags [none], proto UDP (17), length 67)
    10.99.99.99.44922 > google-public-dns-a.google.com.domain: [bad udp cksum 0x2ac7 -> 0xcb1c!] 7507+ [1au] A? google.com. ar: . OPT UDPsize=4096 (39)
15:42:22.245071 IP (tos 0x0, ttl 64, id 24778, offset 0, flags [none], proto UDP (17), length 67)
    10.99.99.99.44922 > google-public-dns-a.google.com.domain: [bad udp cksum 0x2ac7 -> 0xcb1c!] 7507+ [1au] A? google.com. ar: . OPT UDPsize=4096 (39)
15:42:27.245219 IP (tos 0x0, ttl 64, id 25734, offset 0, flags [none], proto UDP (17), length 67)
    10.99.99.99.44922 > google-public-dns-a.google.com.domain: [bad udp cksum 0x2ac7 -> 0xcb1c!] 7507+ [1au] A? google.com. ar: . OPT UDPsize=4096 (39)

If I remove the ACL it works and I see the response from google:

15:41:10.874751 IP (tos 0x0, ttl 64, id 14883, offset 0, flags [none], proto UDP (17), length 67)
    10.99.99.99.50067 > google-public-dns-a.google.com.domain: [bad udp cksum 0x2ac7 -> 0xf955!] 56064+ [1au] A? google.com. ar: . OPT UDPsize=4096 (39)
15:41:10.880822 IP (tos 0x0, ttl 56, id 15134, offset 0, flags [none], proto UDP (17), length 83)
    google-public-dns-a.google.com.domain > 10.99.99.99.50067: [udp sum ok] 56064 q: A? google.com. 1/0/1 google.com. A 172.217.8.14 ar: . OPT UDPsize=512 (55)

It's got to be something easy but I can't seem to figure it out.  With the ACL applied I don't see any packets coming back from the query but I do see the deny counter increment by 4 packets which is how many the client sends when attempting to query.  

Accepted Solution

Jon Marshall
Hall of Fame

If you want to allow response from public DNS servers and your acl is applied inbound - 

"permit udp any eq domain any" 

Jon


4 Replies


Tried that before with no luck, but just re-added that statement (119) and I still don't see packets coming back.  


Extended IP access list Outside-ACL-2
    10 deny ip 10.0.0.0 0.255.255.255 any
    20 deny ip 172.16.0.0 0.0.15.255 any
    30 deny ip 192.168.0.0 0.0.255.255 any (285 matches)
    40 deny ip host 255.255.255.255 any
    50 permit icmp any any echo (19 matches)
    60 permit icmp any any echo-reply (57 matches)
    70 permit icmp any any time-exceeded (142 matches)
    80 permit icmp any any unreachable (789 matches)
    90 permit icmp any any traceroute
    100 permit tcp object-group Public_IP host 206.81.249.22 eq 22
    110 permit icmp any any packet-too-big
    119 permit udp any eq domain any
    120 permit tcp any any established (1848718 matches)
    129 permit tcp any any eq domain (4311 matches)
    130 permit udp any any eq domain
    140 permit udp any any eq ntp (6 matches)
    150 permit udp any any eq isakmp (3099 matches)
    160 permit udp any any eq non500-isakmp (857 matches)
    170 permit esp any any (64886 matches)
    180 permit gre any any (45 matches)
   ...............
 .................
    240 deny ip any any (7977 matches)

I think I fixed this.  In my first post there were those public IPs (190 - 230) allowed inbound and since google wasn't specified there I guess it was dropping that traffic.  I removed those lines and kept the 'permit udp any eq domain any' and now it's matching against that rule correctly.   


But even with that rule and the specific public IPs, shouldn't it still have matched 119 before it even got to those public IP statements? 

Not sure how that blocked it but glad to hear you got it working. 


Jon
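To make the stateless-ACL point from the original question and the follow-up about ordering concrete, here is an added example (not from the thread, Jon, or Cisco): a small Python first-match evaluator run over constructed entries in the thread's shape. It shows why a DNS reply, which arrives with source port 53 and an ephemeral destination port, misses `permit udp any any eq domain` and falls through to `deny ip any any`, while `permit udp any eq domain any` at sequence 119 matches it, and that 119 is consulted before any later public-IP entries. The ACL entries, 203.0.113.0/24 and 198.51.100.10 are constructed; 8.8.8.8 is google-public-dns-a.google.com from the capture.

```python
import ipaddress
# Constructed example: first-match evaluator for the subset of IOS extended ACL syntax
# used in this thread: <seq> permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]
PORTS = {"domain": 53, "ntp": 123}

def _parse_addr(tokens):  # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # an IOS wildcard mask is the bitwise inverse of a subnet mask
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def _parse_port(tokens):  # optional "eq <port>"; None means any port
    if tokens and tokens[0] == "eq":
        return int(PORTS.get(tokens[1], tokens[1])), tokens[2:]
    return None, tokens

def parse_ace(line):
    t = line.split()
    src, rest = _parse_addr(t[3:])
    sport, rest = _parse_port(rest)
    dst, rest = _parse_addr(rest)
    dport, _ = _parse_port(rest)
    return {"seq": int(t[0]), "action": t[1], "proto": t[2],
            "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, proto, src_ip, sport, dst_ip, dport):
    """Walk entries in sequence order; the first match decides, else implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for ace in sorted(acl, key=lambda a: a["seq"]):
        if ace["proto"] not in ("ip", proto) or s not in ace["src"] or d not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"], ace["seq"]
    return "deny", None

# Constructed ACL in the thread's shape; 203.0.113.0/24 stands in for the redacted public-IP entries.
ORIGINAL = [parse_ace(l) for l in [
    "10 deny ip 10.0.0.0 0.255.255.255 any",
    "130 permit udp any any eq domain",        # queries TO port 53 only
    "210 permit ip 203.0.113.0 0.0.0.255 any",
    "240 deny ip any any"]]
FIXED = ORIGINAL + [parse_ace("119 permit udp any eq domain any")]  # replies FROM port 53
# The captured reply: from port 53 to the client's ephemeral port. Inbound ACLs are checked
# before NAT, so 198.51.100.10 (constructed) stands for the router's public address.
print(evaluate(ORIGINAL, "udp", "8.8.8.8", 53, "198.51.100.10", 50067))  # ('deny', 240)
print(evaluate(FIXED, "udp", "8.8.8.8", 53, "198.51.100.10", 50067))     # ('permit', 119)
```

The evaluator only simulates IOS first-match semantics; on the router itself the `show ip access-lists` counters, as used in the question, remain the way to see which entry a packet hit.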
