What to do when a Cisco ACL blocks access to external DNS servers

See how to resolve a problem involving a Cisco access control list that won't allow internal systems to access external DNS servers.


In the Technical Q&A, a member posted a detailed description of a problem with a Cisco router: "I am creating an IP extended access control list (ACL) on a Cisco 1700 series router. The ACL is to be applied on Serial0 (WAN interface) and will filter incoming (Internet to network) packets for security purposes. Standard ports 25, 80, 110, and 443 are permitted, as well as one port for VPN. Specified ports are opened for both TCP and UDP. In addition, 'established' connections are also permitted. The problem comes on DNS. Port 53 is supposed to be the standard DNS port. I have opened port 53 for UDP and TCP, yet as soon as the filter is applied, no internal machine can do DNS resolution (note: our DNS server is an external provider's machine). If I remove the ACL, the 'Internet comes back on,' as one developer stated. Command-line DNS also fails, so it is definitely DNS that is dying because of the ACL. All statements in the ACL are permits at this point, allowing the implicit 'Deny any any' to cover what I do not manually open. So it's not a misconfigured deny statement. No filters are applied to the LAN interface, so they default to 'permit any any' in both directions. There is no outgoing filter on the WAN interface, so it also has 'permit any any' permissions."


Member Srikrishna provided the statement that was missing from the ACL. Opening port 53 only admits packets whose destination port is 53, but the replies from the external DNS server arrive with source port 53 and a high-numbered destination port, and the 'established' keyword matches only TCP, so the UDP replies fell to the implicit deny. The added line permits those replies to pass through the ACL:

access-list ### permit udp host "" any gt 1023

Srikrishna also commented, "DNS works on UDP. Try opening higher ports from the server."

In response, the original poster said, "This resolved my issue perfectly. With the host command I can specify that the response is from the server required."
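The situation described in the thread, as an added example that is not part of the original TechRepublic discussion or either member's configuration. The ACL number 110, the interface name Serial0, the LAN block 192.168.1.0/24 and the DNS server address 203.0.113.53 are assumed for illustration. The first list reconstructs what the question describes and shows why it drops DNS replies; the second applies the fix, tightened from Srikrishna's one-liner by matching the reply's source port as well as the high destination port range, so the permit cannot be reused for other UDP traffic from that host.

```cisco
! Added example; addresses, ACL number and interface names are assumed.
!
! --- Reconstruction of the inbound filter as described in the question ---
! Inbound on Serial0, "port 53" is permitted, but only as the destination
! port. A resolver sends its query with source port >1023 and destination
! port 53; the reply comes back with SOURCE port 53 and DESTINATION port
! >1023, so it matches none of these lines. "established" matches only TCP
! segments (ACK or RST set), so UDP replies hit the implicit deny.
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 25
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 110
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp any any eq 53
access-list 110 permit udp any any eq 53
!
! --- Corrected filter: admit replies from the provider's DNS server ---
! The "eq 53" on the source side is the addition over the thread's one-liner:
! only packets that actually come from the resolver's DNS port, going to an
! ephemeral port on the LAN, are admitted. Inbound "eq 53" lines are no
! longer needed, because nothing on the LAN serves DNS to the Internet.
! TCP DNS replies (large answers, zone transfers) are already covered by
! the "established" line. An explicit logged deny replaces the silent
! implicit one so "show access-lists 110" reveals what is being dropped.
no access-list 110
access-list 110 permit tcp any any established
access-list 110 permit tcp any any eq 25
access-list 110 permit tcp any any eq 80
access-list 110 permit tcp any any eq 110
access-list 110 permit tcp any any eq 443
access-list 110 permit udp host 203.0.113.53 eq 53 192.168.1.0 0.0.0.255 gt 1023
access-list 110 deny ip any any log
!
interface Serial0
 ip access-group 110 in
```

After applying the list, run a lookup from a LAN host and check `show access-lists 110`: the match counter on the `udp host 203.0.113.53 eq 53` line should increment with each resolved query, and the logged deny will show any other reply traffic you still need to account for.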


The text of discussion posts from TechRepublic members has been slightly edited for spelling, punctuation, and clarity.
