Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1340
Views
0
Helpful
3
Replies

Cisco Router ACL Security Issue

Bob Smith
Level 1
Level 1

‎07-03-2011 11:02 AM - edited ‎03-07-2019 01:04 AM

I received a cisco router for my cablevision service. I recently discovered that the router is somehow acting like a DNS server on the WAN. I tried to create an access list to deny this but have been unsuccessfu:

FE0 is my PC (which is on vlan1), and my cable modem is on GE0.

Two questions regarding this issue, 1. Why does the ACL still permit DNS traffic to come to my router from the internet (and ask my router for a DNS question), and 2. Since I found this issue by fluke, how would I know if there are other potentially harmful services like this running on my router, that I may stumble upon in the future?

I worry that I may have misconfigured the router thus opening it up for a potential security related issues. I just happened to find this issue out of chance.

Also, are there any other ACLs that should be added? I figured that because I've configured a overloaded NAT, it was secure.

Thanks in advance.

Labels:
0 Helpful
3 Replies 3

Thotsaphon Lueangwattanaphong
Level 7
Level 7

‎07-03-2011 11:18 AM

Hi,

   You don't want people out there to use your router as a proxy DNS. Right? Please try this for testing.

!

access-list 100 deny udp any any eq 53

access-list 100 deny tcp any any eq 53

access-list 100 permit ip any any

!

HTH,

Toshi

0 Helpful

Bob Smith
Level 1
Level 1
In response to Thotsaphon Lueangwattanaphong

‎07-03-2011 11:33 AM

If I apply that rule to "in" on GigabitEthernet0 (WAN), it doesn't work, and IOS still acts as a proxy dns to people on the internet. If I apply that rule to "out" on GigabitEthernet0, I am unable to get DNS requests out, which is expected.

I don't know why it doesn't work for the "in" group as it should. This sounds like a bug in the IOS software.

0 Helpful

Thotsaphon Lueangwattanaphong
Level 7
Level 7
In response to Bob Smith

‎07-03-2011 11:48 AM

Hi,

     You should not apply it on outbound direction. It's going to block your DNS request to 8.8.8.8 and 8.8.4.4. Have you blocked both tcp/53 and udp/53 on inbound direction?

!

access-list 100 deny udp any any eq 53 log

access-list 100 deny tcp any any eq 53 log

access-list 100 permit ip any any

!

interface gig0

ip access-group 100 in

!

   Please clarify what you mean it doesn't work. You are going to deny DNS request from outside. We just add the log keyword for testing.

HTH,

Toshi

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card