Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
540
Views
3
Helpful
4
Replies

ip dns server and limiting outside interface access

emuman100
Level 1
Level 1

‎08-28-2025 10:10 AM

I would like to use the IOS-XE DNS server on a router to act as a Internet DNS forwarder where it would forward DNS requests to name servers both in the cache and negotiated from DHCP and IPCP on outside Internet-facing interfaces. Currently, this works quite well with the following abbreviated configuration:

ip name-server x.x.x.x
ip name-server y.y.y.y

ip dns server



interface Port-channel2
ip address dhcp

interface Cellular0/2/0
ip address negotiated

interface Dialer1
ip address negotiated

 

The issue is, however, the dns server is open on those outside interfaces. I had a ddos attack via dns that wiped out a lower bandwidth interface. How can I use acls to prevent outside querying of the DNS server? Or, is there a better and more secure way of doing this while still using the IOS DNS server as a DNS forwarder?

Thanks.

 

Labels:
4 Replies 4

MHM Cisco World
VIP
VIP

‎08-28-2025 10:17 AM

Use ACL apply to WAN interface allow only DNS incoming from two name servers you use.

MHM

0 Helpful

emuman100
Level 1
Level 1
In response to MHM Cisco World

‎08-28-2025 12:23 PM

In this case, there would be no reason for any outside incoming DNS requests and those would not be to the name servers, but the IOS DNS server. Can an acl be used to block incoming DNS requests on outside interfaces without interfering with the functionality of the IOS DNS server or impacting that traffic originating from the IOS DNS server?

MHM Cisco World
VIP
VIP
In response to emuman100

‎08-28-2025 12:31 PM

Example 

ip access-list extended DNS_FILTER
remark Allow DNS queries only to 8.8.8.8
permit udp 192.168.1.0 0.0.0.255 host 8.8.8.8 eq 53
permit tcp 192.168.1.0 0.0.0.255 host 8.8.8.8 eq 53
remark Allow DNS replies from 8.8.8.8
permit udp host 8.8.8.8 eq 53 192.168.1.0 0.0.0.255
permit tcp host 8.8.8.8 eq 53 192.168.1.0 0.0.0.255
remark Deny all other DNS traffic
deny udp any any eq 53
deny tcp any any eq 53
remark Allow other traffic normally
permit ip any any 

emuman100
Level 1
Level 1

‎09-02-2025 03:36 AM

In this case, I just want to block outside DNS requests but allow DNS requests originating from 192.168.1.0 0.0.0.255 and not just allow traffic to and from a specific DNS server. Is that possible?

0 Helpful
Customers Also Viewed These Support Documents