02-21-2014 08:11 AM - last edited on 03-25-2019 03:41 PM by ciscomoderator
Hi,
I have the following config running on an 881 which is connected to an ISP via an external ADSL modem.
In its current form, it is responding to any DNS request from any external IP address. I need to close this. I'm aware I can do this with an ACL, but I'm not sure it should be responding in the first place. Can anyone see a problem with the config?
Current configuration : 2804 bytes
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname jtg-rtr1
!
boot-start-marker
boot system flash:c880data-universalk9-mz.152-4.M2.bin
boot-end-marker
!
!
!
no aaa new-model
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring
!
!
!
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.99
!
ip dhcp pool mainPool
 import all
 network 172.16.1.0 255.255.255.0
 default-router 172.16.1.1
 dns-server 172.16.1.1
 option 66 ascii 172.16.1.1
!
!
!
ip domain name router.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description ADSL WAN Interface
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1440
 no autostate
!
interface Dialer1
 description ADSL WAN Dialler
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap pap callin
 ppp chap hostname [isp username]
 ppp chap password [isp password]
 ppp ipcp route default
 no cdp enable
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
end
02-21-2014 10:27 AM
Richard,
This line "ip dns server" doesn't need to be enabled for your hosts to get on the internet, but it does in fact configure the router to answer DNS queries. Try "no ip dns server" and see if that resolves your issue.
HTH,
John
*** Please rate all useful posts ***
02-21-2014 11:07 AM
Hello
I agree with John regarding removing that command.
Also, as you're importing all options from the ISP DHCP, you could also change the DHCP pool DNS server to that of the ISP.
Res
Paul
Sent from Cisco Technical Support iPad App
02-24-2014 04:47 AM
Hi Both,
Thanks for your comments.
Whilst I accept that turning off dns-server will work in this particular setup, I am still keen to establish why it's acting the way it is.
For example, whilst dishing out my ISP's nameserver will work, I would rather my router did this internally. Surely it must be possible to do this on the internal interface only.
Thanks,
02-24-2014 08:10 AM
There's not a way that I'm aware of to easily specify "only answer on this interface." You'll probably need to configure reflexive ACLs or CBAC. This will allow the outbound traffic through (your internal hosts using the router for forwarding), but should stop queries on the outside.
HTH,
John
*** Please rate all useful posts ***
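A defensive configuration along the lines John describes, as an added example that is not part of this thread and not Cisco's own documentation: it keeps "ip dns server" so the LAN clients can continue to use 172.16.1.1 as their resolver (the poster's stated preference), but fences the WAN side with an inbound ACL plus Classic Firewall (CBAC) inspection applied on Dialer1, the interface that actually holds the public address. The names WAN-IN and WAN-OUT are constructed. It assumes this 15.2 universalk9 image has the securityk9 feature licensed and that the "router-traffic" keyword is accepted; without it, CBAC only tracks sessions transiting the router, and the replies to the router's own forwarded lookups towards 8.8.8.8 / 8.8.4.4 would fall through to the final deny.

```cisco
! Added example, not from the thread.
! Option 1: if the router does not need to resolve for the LAN at all,
! simply stop the service (then point the DHCP pool at the ISP resolver):
!   no ip dns server
!
! Option 2: keep the internal resolver but stop the WAN side answering.
! Inspect traffic leaving Dialer1 so that only replies to sessions opened
! from inside, or by the router itself (router-traffic), are allowed back in.
ip inspect name WAN-OUT tcp router-traffic
ip inspect name WAN-OUT udp router-traffic
ip inspect name WAN-OUT icmp router-traffic
!
ip access-list extended WAN-IN
 remark Drop unsolicited DNS queries from the Internet aimed at the router
 deny   udp any any eq domain
 deny   tcp any any eq domain
 remark Everything else inbound is dropped unless CBAC opened it
 deny   ip any any log
!
interface Dialer1
 ip access-group WAN-IN in
 ip inspect WAN-OUT out
```

The inbound ACL only matches queries (destination port 53), so the resolver's replies to the router's own queries, which arrive with an ephemeral destination port, are not caught by the explicit denies; they are admitted by the dynamic entries CBAC creates ahead of the static lines. Confirm the behaviour with "show ip inspect sessions" while a LAN client resolves a name, and watch the hit counters in "show ip access-lists WAN-IN": the UDP domain deny should start counting external queries that previously got an answer. The "log" keyword on the final deny is useful for the initial check but will be noisy on an Internet-facing interface, so drop it once satisfied.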