Hi;

If I remove ip dns server, computer cannot access web.

Are you using you router as a DNS server? Do you have internal DNS server?

Masoud

yes, router as DNS server.

The problem is others are using your router as a DNS server also. There are two ways to fix this.

If you do not have DNS server, you can assign external DNS server to your clients.

Dns servers such as

8.8.8.8

8.8.8.4

4.2.2.2

4.4.4.4.

If you are assigning DNS by your router. You can do something like this and remove the previous command no ip dns server

Hi Masoud;

Could you kindly tell me how to setup reflexive ACL for block external queries?

Before using reflexive access-list, use a normal access-ist and test. Reflexive access-list may slow down your router depending on your router performance.

First try this.

I supposed you do not have any ACL on your WAN interface.

access-list 101 deny udp any host [Your router public IP] eq domain

access-list 101 deny tcp any host [Your router public IP] eq domain

access-list 101 permit ip any any

interface [WAN]

ip access-group 101 in

*******************************

If you have any problem with resolving DNS, you need to use the below configuration. it is just a sample. You may change it depending on your traffic. It inspects all traffic.

********************************

ip  access-list extended filter-outbond

permit tcp any any reflect CHECK-TRAFFIC

permit  udp any any reflect CHECK-TRAFFIC

permit icmp any any reflect CHECK-TRAFFIC



ip access-list extended filter-inbound

evaluate  CHECK-TRAFFIC



interface [wan interface]

ip access-group filter-inbound in

ip  access-group filter-outbond out

*************************************************

Hope it helps,

Masoud

Masoud;

Thanks a lot.

for this command, if I don't have a public IP what should I input?

access-list 101 deny udp any host [Your router public IP] eq domain

Now use google to get your WAN ip address. Later, call your ISP to check if you are always getting the same IP address or not. If not, ask the range IP and replace the range.

google- type what is my ip address.

 Are doing NAT on you router?

Masoud

Currently router use pppoe for internet connection...

edited

The first reflexive access-list works for all traffic.

If you just want to control you DNS traffic use this one.

******************************************

interface wan [dialer if you have]

 ip access-group filter-inbound in
 ip access-group filter-outbond out


ip access-list extended filter-inbound
 evaluate CHECK-TRAFFIC
 deny   tcp any any eq domain
 deny   udp any any eq domain
 permit ip any any

ip access-list extended filter-outbond
 permit tcp any any eq domain reflect CHECK-TRAFFIC
 permit udp any any eq domain reflect CHECK-TRAFFIC
 permit ip any any

***************************************************

Please give me your feedback

Masoud

Thaks a lot, I have already apply to my router.

Hello,

I just remembered something. That ACL is not going to work om PPPOE because you are using the same IP for the NAT and your interface IP. Try to use reflexive ACL instead and check the result. I will try to change the reflexive access-list to make it work only on DNS traffic. I will get back to you.

Masoud