How to block external access to the DNS service running on a Cisco router?
!Deny DNS from Public
ip access-list extended ACL-IN_FROM-WAN
remark allow OpenDNS lookups
permit udp 208.67.222.222 0.0.0.0 any eq domain
permit tcp 208.67.220.220 0.0.0.0 any eq domain
remark deny all others and log the attempts
deny udp any any eq domain log
deny tcp any any eq domain log
permit ip any any
! Apply to WAN interface
int WAN
ip access-group ACLIN-TO_WAN in
Related videos on Youtube
07 : 08
01 : 35
11 : 49
09 : 52
03 : 27
Massimo
"Against stupidity, the Gods themselves fight in vain." https://www.linkedin.com/in/massimo-pascucci
Updated on September 18, 2022Comments
-
Massimo over 1 year
I have a Cisco (877) router acting as the main gateway for a network; it has a DSL connection and performs NAT from the internal network to its external, public IP address.
The router allows SSH access for management, and this has been limited using an access list:
access-list 1 permit <internal network range> line vty 0 4 transport input ssh access-class 1 inThe router's internal web server isn't enabled, but if it was, I know its access could be limited using the same logic:
ip http access-class 1Now, the gotcha: this router also acts as a DNS server, forwarding queries to external servers:
ip name-server <ISP DNS 1> ip name-server <ISP DNS 2> ip dns serverMy problem is: the router is perfectly happy to answer DNS queries when receiving them on its external interface.
How can I block this kind of traffic so that the router only answers DNS queries from the internal network?
-
Massimo about 10 yearsOk, so this is not to be handled at the service level (like SSH and HTTP) but at the interface level?
-
ETL about 10 yearsI really don't see any other way.
-
Massimo about 10 yearsI tried, but there's a problem: I can successfully block incoming UDP/53 packets on the external interface... but then DNS replies from Internet DNS servers are blocked too!
-
ETL about 10 yearsMaybe post your ACL and how you applied it.
-
Massimo about 10 yearsA deny for UDP/53 packets coming from anywhere, applied as an input ACL to the external interface. Unfortunately, UDP is connectionless, thus the router can't tell if a packet is a new DNS query coming from a complete stranger, or an answer to a query it started iself...
-
ETL about 10 yearsWhen you say "DNS replies are blocked" you mean of the PCs on the inside right? So you should be able to make the ACL allow those but deny packets to the external interface.
-
Massimo about 10 yearsNo, no, I'm talking about when the router performs a DNS query to an external server (remember, it's acting as a DNS forwarder to my ISP). But then it can't get its reply back. Even a ping to an external name from the router itself doesn't work, because it's unable to resolve the name.
-
ETL about 10 years@Massimo - check out my edit.
-
Snowlockk almost 10 yearsWhile in theory this answers the question it would be best if you explained what this is.
-
Massimo almost 9 yearsThis ACL works, but it causes a problem: it's impossible to perform DNS queries to any other server from inside the network, because the reply can't come back. How can this be avoided?
-
Massimo almost 8 yearsSorry, this is completely wrong. This ACL would also block DNS replies from reaching the router when it (or some machine inside the LAN) performs DNS queries to external servers, effectively blocking DNS resolution.
-
user3524983 about 7 yearsSorry YOU are completely wrong. This is ACL Lists 101. Man, perform your due diligence before you ding somebody. This is exactly the setup I run. I know it works.
