11-28-2015 05:19 AM - edited 03-05-2019 02:49 AM
Hi All;
I found lots of messages like below in my 1941 router:
%DNSSERVER-3-BADQUERY: Bad DNS query from <IP address>.
How can I get rid of it?
11-28-2015 05:34 AM
Hello,
Please check "show run | include dns".
Do you see something like this?
ip dns server
Try to remove it.
no ip dns server
Masoud
11-28-2015 05:46 AM
Hi;
If I remove ip dns server, computer cannot access web.
11-28-2015 05:53 AM
Are you using your router as a DNS server? Do you have an internal DNS server?
Masoud
11-28-2015 06:01 AM
Yes, router as DNS server.
11-28-2015 06:17 AM
The problem is others are using your router as a DNS server also. There are two ways to fix this.
If you do not have DNS server, you can assign external DNS server to your clients.
DNS servers such as
8.8.8.8
8.8.8.4
4.2.2.2
4.4.4.4
If you are assigning DNS by your router, you can do something like this and remove the previous command: no ip dns server
11-28-2015 06:27 AM
Hi Masoud;
Could you kindly tell me how to set up a reflexive ACL to block external queries?
11-28-2015 06:45 AM
Before using a reflexive access-list, use a normal access-list and test. A reflexive access-list may slow down your router depending on your router performance.
First try this.
I suppose you do not have any ACL on your WAN interface.
access-list 101 deny udp any host [Your router public IP] eq domain
access-list 101 deny tcp any host [Your router public IP] eq domain
access-list 101 permit ip any any
interface [WAN]
ip access-group 101 in
*******************************
If you have any problem with resolving DNS, you need to use the below configuration. It is just a sample. You may change it depending on your traffic. It inspects all traffic.
********************************
ip access-list extended filter-outbond
permit tcp any any reflect CHECK-TRAFFIC
permit udp any any reflect CHECK-TRAFFIC
permit icmp any any reflect CHECK-TRAFFIC
ip access-list extended filter-inbound
evaluate CHECK-TRAFFIC
interface [wan interface]
ip access-group filter-inbound in
ip access-group filter-outbond out
*************************************************
Hope it helps,
Masoud
11-28-2015 07:00 AM
Masoud;
Thanks a lot.
For this command, if I don't have a public IP, what should I input?
access-list 101 deny udp any host [Your router public IP] eq domain
11-28-2015 07:21 AM
Now use Google to get your WAN IP address. Later, call your ISP to check if you are always getting the same IP address or not. If not, ask for the IP range and replace the range.
Google: type "what is my ip address".
Are you doing NAT on your router?
Masoud
11-28-2015 07:21 AM
Currently the router uses PPPoE for the internet connection...
11-28-2015 08:01 AM
edited
11-28-2015 08:25 AM
The first reflexive access-list works for all traffic.
If you just want to control your DNS traffic, use this one.
******************************************
interface wan [dialer if you have]
ip access-group filter-inbound in
ip access-group filter-outbond out
ip access-list extended filter-inbound
evaluate CHECK-TRAFFIC
deny tcp any any eq domain
deny udp any any eq domain
permit ip any any
ip access-list extended filter-outbond
permit tcp any any eq domain reflect CHECK-TRAFFIC
permit udp any any eq domain reflect CHECK-TRAFFIC
permit ip any any
***************************************************
Please give me your feedback
Masoud
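An added Python model (not from this thread, and not Cisco code) of how the DNS-only reflexive ACL above behaves: outbound DNS creates a mirrored CHECK-TRAFFIC entry, inbound packets are checked against it first, then unsolicited queries to port 53 are denied, and everything else falls through to permit ip any any. The addresses are constructed documentation-range values and entry timeouts are ignored.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class ReflexiveDnsFilter:
    """Simplified model of filter-outbond / filter-inbound from the thread.
    Entry timeouts and TCP state tracking are ignored (simplification)."""

    def __init__(self):
        self.check_traffic = set()  # mirrored (proto, src, sport, dst, dport) tuples

    def outbound(self, p):
        # permit tcp/udp any any eq domain reflect CHECK-TRAFFIC:
        # DNS leaving the WAN creates a mirrored entry so the reply can come back.
        if p.proto in ("tcp", "udp") and p.dport == 53:
            self.check_traffic.add((p.proto, p.dst, p.dport, p.src, p.sport))
        return "permit"  # permit ip any any

    def inbound(self, p):
        # evaluate CHECK-TRAFFIC: replies to our own queries are let in first.
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.check_traffic:
            return "permit"
        # deny tcp/udp any any eq domain: unsolicited queries to the router's
        # DNS service (the source of %DNSSERVER-3-BADQUERY) are dropped.
        if p.proto in ("tcp", "udp") and p.dport == 53:
            return "deny"
        return "permit"  # permit ip any any: everything else still enters


def demo():
    # Constructed addresses from documentation ranges; wan stands for the PPPoE address.
    wan, ext = "203.0.113.10", "198.51.100.7"
    f = ReflexiveDnsFilter()
    return {
        "lan_query_out": f.outbound(Pkt("udp", wan, 40000, "8.8.8.8", 53)),
        "reply_in": f.inbound(Pkt("udp", "8.8.8.8", 53, wan, 40000)),
        "unsolicited_query_in": f.inbound(Pkt("udp", ext, 5353, wan, 53)),
        "tcp_query_in": f.inbound(Pkt("tcp", ext, 44444, wan, 53)),
        "other_traffic_in": f.inbound(Pkt("tcp", ext, 44444, wan, 80)),
    }
```

Note that other_traffic_in is still permitted: this ACL only closes the router's DNS service to the internet, it is not a general inbound firewall.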
11-28-2015 10:25 PM
Thanks a lot, I have already applied it to my router.
11-28-2015 08:56 AM
Hello,
I just remembered something. That ACL is not going to work on PPPoE because you are using the same IP for the NAT and your interface IP. Try to use the reflexive ACL instead and check the result. I will try to change the reflexive access-list to make it work only on DNS traffic. I will get back to you.
Masoud