02-20-2012 08:12 AM - edited 03-04-2019 03:21 PM
Hello,
On my router, I am using the DNS server service to forward DNS query to the Internet provider DNS.
I have enabled the command "ip dns server" on my router and then on each workstation, I have set the router host IP on the DNS entry on the NIC card.
This is working perfectly except for one issue: TCP 53 and UDP 53 are also exposed to the Internet, and that is not acceptable for some Internet providers.
Is there a way to limit the DNS flow only from LAN to WAN only?
Thank you
02-20-2012 09:32 AM
I am not entirely sure what you are trying to limit. If I am understanding you correctly, I would just configure DHCP to distribute a DNS server. This way, you don't have to manually configure each workstation to point to the router. Then, DNS is limited to the LAN and the WAN can use a separate DNS provider. Is this on par with what you are asking?
02-20-2012 10:20 AM
Hello,
The issue is about permitting only the LAN users to utilize the router DNS service. Since the router DNS service is bound to all interfaces, the WAN interface is listening for queries from the Internet and would act as a public DNS server. I only want the DNS service listening on the LAN and relaying requests to the appropriate DNS list (ip name-servers).
Thanks
02-20-2012 11:06 AM
route-map Block_DNS permit 10
match ip address 100
access-list 100 deny tcp [IP address that the DNS replies would be sent out] [WAN SNM] eq 53 any
access-list 100 deny udp [IP address that the DNS replies would be sent out] [WAN SNM] eq 53 any
interface [WAN interface]
ip policy route-map Block_DNS
Something like this should work. Place it on your Internet-facing router. I'm at work, so I can't verify the syntax, but it should be similar to what you need. You may need multiple ACL statements to deny traffic coming from multiple routers as well. Let me know if this helps any or is at least in the right ballpark.
02-20-2012 11:51 AM
Thanks, I think we are getting somewhere here. Since the WAN is DHCP, we are forced to deal with "any any".
I think we have to force the router DNS engine to pass through the NAT table.
Here is what we've tested
access-list 101 deny udp any any eq domain
access-list 101 deny tcp any any eq domain
access-list 101 permit ip any any
...
...
!remark permit udp traffic only
!remark permit tcp 53 only if server to server DNS list exchange is used
access-list 100 permit udp any any eq 53
...
route-map Block_DNS permit 10
match ip address 100
interface [WAN interface]
ip policy route-map Block_DNS
ip access-group 101 in
02-20-2012 12:40 PM
Using that route-map, it looks like you are permitting DNS traffic since you're using "permit" in the ACL and the route-map. I thought you wanted to deny it.
02-20-2012 12:44 PM
Now that I think about it, you could just deny inbound traffic for DNS, which you did, and that would prevent any DNS replies from being sent out to the Internet. (since you are getting no requests)
02-20-2012 12:52 PM
It is working now.
The router accepts only requests from the LAN side, forwards them to the Internet provider and gets the replies. The router no longer responds to DNS requests from the Internet.
Thanks for giving me a hand.
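As an added illustration (not part of the thread, and not Cisco code), the following Python evaluates the inbound ACL 101 posted above against a few constructed packets arriving on the WAN interface. It shows why the entries as written achieve the stated result: an Internet query to the router's port 53 is dropped, while the ISP resolver's reply is permitted because its destination is the router's ephemeral source port, not port 53. The minimal parser handles only the ACE shapes that appear in the thread, and the addresses are constructed documentation values.

```python
"""Simulate first-match evaluation of the inbound WAN ACL from the thread.

Assumptions: only entries of the form
  access-list N {permit|deny} {ip|udp|tcp} any any [eq PORT]
are parsed, and an unmatched packet hits the implicit deny, as on IOS.
"""
from dataclasses import dataclass

NAMED_PORTS = {"domain": 53}  # IOS accepts 'domain' as an alias for port 53


@dataclass
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


# ACL 101 exactly as posted in the thread (applied "in" on the WAN interface)
ACL_101 = [
    "access-list 101 deny udp any any eq domain",
    "access-list 101 deny tcp any any eq domain",
    "access-list 101 permit ip any any",
]


def parse_ace(line):
    """Return (action, proto, destination-port-or-None) for one entry."""
    tok = line.split()
    action, proto = tok[2], tok[3]
    dport = None
    if "eq" in tok[4:]:
        port = tok[tok.index("eq", 4) + 1]
        dport = NAMED_PORTS.get(port) or int(port)
    return action, proto, dport


def evaluate(acl, pkt):
    """First matching entry wins; the list ends with an implicit deny."""
    for line in acl:
        action, proto, dport = parse_ace(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"


# Constructed packets (RFC 5737 documentation addresses) seen inbound on WAN
INTERNET_QUERY = Packet("udp", "203.0.113.9", 40000, "198.51.100.1", 53)
INTERNET_TCP_QUERY = Packet("tcp", "203.0.113.9", 40001, "198.51.100.1", 53)
ISP_REPLY = Packet("udp", "198.51.100.53", 53, "198.51.100.1", 51234)
```

Queries from the Internet match the deny entries, and the reply from the upstream resolver falls through to the final permit, which is exactly the behaviour the thread reports.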