
DNS on a Cisco 2951

roncro
Level 3

Hello,

I have a Cisco 2951 and it works as a "DNS forwarder" for my local network. It looks like 'someone' is sending DNS requests from the outside.

I see msgs like:

2024-03-01T01:13:23.953850-07:00 gateway 516: Mar 1 08:13:22.938: %DNSSERVER-3-TOOSHORT: DNS query from 167.86.118.247 too short
2024-03-01T02:02:07.551098-07:00 gateway 517: Mar 1 09:02:06.550: %DNSSERVER-3-BADQUERY: Bad DNS query from 107.170.240.50

Can I configure the router so that it doesn't listen/accept DNS requests from the outside?

thanks,

Ron

9 Replies

liviu.gheorghe
Spotlight

Hello @roncro ,

You can configure an inbound access list on your interface connecting to the Internet:

ip access-list extended Deny-DNS
deny tcp any any eq 53
deny udp any any eq 53
permit ip any any

This is ok as long as you are not hosting a DNS server that needs to receive queries from other DNS servers on the internet.

Hope this helps.

Regards, LG
*** Please Rate All Helpful Responses ***
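As an added illustration of how that ACL behaves (my own Python model, not Cisco code and not from this thread): it parses the Deny-DNS lines above, applies IOS first-match evaluation with the implicit deny at the end, and runs constructed sample packets through it. Addresses other than the one from the original log are assumed placeholders (198.51.100.2 for the router's WAN address, 203.0.113.53 for the upstream resolver). It shows that only traffic destined to port 53 is dropped, so replies from the resolver the 2951 forwards to (source port 53, destination an ephemeral port) still get through.

```python
from dataclasses import dataclass

# Copy of the ACL from the answer above. Only the subset of IOS syntax used
# on this page (any/any, optional "eq <port>" on the destination) is parsed.
ACL_TEXT = """
ip access-list extended Deny-DNS
 deny tcp any any eq 53
 deny udp any any eq 53
 permit ip any any
"""

@dataclass
class Packet:
    proto: str   # "tcp", "udp", "icmp", ...
    src: str
    sport: int
    dst: str
    dport: int

def parse_acl(text):
    """Return a list of (action, proto, dst_port_or_None) entries."""
    entries = []
    for line in text.strip().splitlines()[1:]:   # skip the "ip access-list" header
        tok = line.split()
        action, proto = tok[0], tok[1]
        # "eq N" after the destination address matches the DESTINATION port in IOS.
        dport = int(tok[5]) if len(tok) > 5 and tok[4] == "eq" else None
        entries.append((action, proto, dport))
    return entries

def evaluate(entries, pkt):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for action, proto, dport in entries:
        if proto not in ("ip", pkt.proto):
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"

ENTRIES = parse_acl(ACL_TEXT)

def classify_samples():
    """Constructed inbound packets on the WAN interface with 'access-group Deny-DNS in'."""
    samples = {
        "outside query to router port 53": Packet("udp", "167.86.118.247", 40000, "198.51.100.2", 53),
        "reply from upstream resolver":    Packet("udp", "203.0.113.53", 53, "198.51.100.2", 50123),
        "return traffic for HTTPS":        Packet("tcp", "203.0.113.10", 443, "198.51.100.2", 51000),
    }
    return {name: evaluate(ENTRIES, p) for name, p in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{verdict:6} {name}")
```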

That's something I was looking for, I just want to block incoming requests. I am not hosting a DNS server here (except for some 'hard coded' local addresses on the Cisco 2951).

I'll try that later, thanks!

Ron

My WAN interface is:

interface GigabitEthernet0/0
description WAN
ip address dhcp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto

I think I need to add:

"ip access-group Deny-DNS in" to block/deny incoming DNS requests from the internet/wan side?

Ron

Yes, you do need to assign the ACL to the interface using access-group in.

HTH

Rick

I am glad that our suggestions have been helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick

I noticed this community/forum is a really great place to ask questions, some people here are VERY knowledgeable.

So thank you, and others on your level, for being willing to help people out.

Ron

Ron

You are quite welcome. I agree that this is a great place to ask questions. When I was early in my process of learning about Cisco and about networking I found a forum very similar to this and learned a lot from it. Now I like to share what I know and help others to increase their understanding. I hope that you will have a similar experience.

HTH

Rick

Gopinath_Pigili
Spotlight

Hello roncro,

It looks like you have a DNS server on your router and it's being bombarded with requests from the outside world. If you have no need for the router to be a DNS server, turn it off with the "no ip dns server" configuration command.

If you need internal DNS to be served by the router, but have no requirement to provide DNS to the Internet, you can deny DNS requests on the inbound ACL of your Internet-facing interfaces. The ACL configuration is already given by liviu.gheorghe.

Best regards
******* If This Helps, Please Rate *******

That is what I was expecting, and indeed what it is that I want to do. I need some DNS locally, instead of host files, but do not want to handle requests from the WAN side, so I am indeed going to use liviu.gheorghe's suggestion.
