
Configuring ACL on router for DNS

By drsysadmin
Am configuring a router to allow DNS queries from inside the network to an exterior DNS server. Have opened tcp/udp on port 53, however, DNS resolution is still not occurring. My understanding was that DNS was on port 53. Have tried dynamic DNS (port 2164) and multicast DNS (port 5353 and 5354) as well, still with no luck. Am at a loss as to what port needs to be open on the router to allow DNS queries. Thanks!


by CG IT In reply to Configuring ACL on router ...

What's the error that shows up in the event viewer under DNS? What exterior DNS server are you trying to contact? A root server? A site within your domain DNS server? What resolution is not taking place? A name to IP? An IP to name? MX? Alias?

More information is needed.


by CG IT In reply to

Also, what router? Are you using a Cisco access router, a consumer-level router, Symantec Gateway Server, RRAS server? Are you running a proxy server? ISA server, a firewall service?


by drsysadmin In reply to

Poster rated this answer.
Was a request for more info.


by KenV In reply to Configuring ACL on router ...

There is a free tool called Active Ports (simple to find using Google etc.) that will help you determine which port is being used. One question I had: are you sure it's the router causing the DNS resolution failure? Have you configured the PC to go to the external server? Might be an obvious step but had to ask.


by drsysadmin In reply to

Poster rated this answer.
Was a request for more info.


by drsysadmin In reply to Configuring ACL on router ...

OK, the problem is that internal network machines cannot do standard DNS (name resolution to IP) lookups to an exterior, data line provider DNS server (BellSouth). In effect, it stops all network clients from accessing the internet since no name resolution occurs. Since I am writing my ACL, here is what occurs. I include port 53 as PERMITted for UDP and TCP from ANY to my IP and subnet class. I have also tried to PERMIT TCP and UDP from any to any on port 53 - still no joy.
Now, without the ACL in place, all the machines on the network are able to succeed with DNS queries, i.e. my users have the internet. However, I need the ACL in place for obvious security reasons. When no ACL is in place, all ports are open. So what I need to know is what port I am inadvertently closing (due to the implicit deny any any statement at the end of an ACL) so that I can PERMIT the appropriate port/ports to allow my users to do DNS name to IP resolution.

Note that I am running a Cisco 1700 Series router. While I do have other security devices running, as soon as I take the ACL off the router interface everything goes back to working fine, so the problem has to be the ACL I have applied. If the problem was somewhere else, it wouldn't appear/disappear with the application and removal of the ACL on the router.

Thanks.


by CG IT In reply to Configuring ACL on router ...

Hate to say this but you still haven't given us proper information. The access control list you're creating is for what? For the Cisco 1700 series access router? Are you using the access-group command, if in fact you're creating the access control list for the 1700? What does "show access-lists" show when you use that command line statement for the 1700 access server?

Might be the routing protocol not converging within the routing domain or a misconfigured extended access control list. The latter if hosts can't access services beyond the LAN [textbook Cisco troubleshooting stuff].

An ACL in a Windows environment applies to access to resources in that environment. An ACL on a Cisco router is a whole different thing.

Again, which one are you creating?


by CG IT In reply to

My advice is to get your hands on ConfigMaker 2000 and use that to configure the Cisco 1700.


by drsysadmin In reply to

Poster rated this answer.
Attempted - ConfigMaker drew up an access list similar to mine - tried utilizing it - blasted thing still didn't work. The idea was sound - and appreciated - just didn't fix the problem.


by drsysadmin In reply to Configuring ACL on router ...

OK - the ACL is on the Cisco router - specifically my external interface (T1). Its function is security - filtering incoming packets coming into my router for transmission to my network. I am using an extended ACL since I am filtering by protocol, source (which is "any"), destination and port #. Specifically, all ACL statements are permits for TCP or UDP from "any" to my network on specific ports since at the end there is an implicit deny any any. This ensures that ONLY what I want to come in can do so. Standard stuff - ports 80, 443, 25, and 110 are permitted since I am allowing web and email to connect. However, DNS functions operate on a different port. My previous experience has been that DNS requires port 53 - but allowing TCP and UDP through on port 53 still does not allow internal network clients to utilize an external BellSouth DNS server for name to IP resolution.

As for how the access-list is created -
in config from terminal - global config prompt:

access-list 101 permit tcp any 99.99.99.0 0.0.0.255 eq 80
access-list 101 permit udp any 99.99.99.0 0.0.0.255 eq 80

Same thing for all the other ports - including 53.
Each port has 2 entries - one for TCP, one for UDP.

Once the complete access-list 101 has been input, it is applied on the appropriate interface using the standard command of:

ip access-group 101 in

As soon as I do this, the internet ceases to exist for my internal users. I then have to

no access-list 101

to restore the connection of my users to the internet. Any internal machine fails in trying to ping or nslookup an exterior name - such as yahoo.com - meaning DNS is the issue. Since there is no filter on the router for traffic going OUT, the problem is that the DNS response is not coming through the interface and back to the requesting machine.
Ideas?
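The poster's description of the list (only PERMIT lines, each matching a port, then the implicit deny) and the access-list 101 lines above both turn on one detail of IOS extended ACL syntax: in `permit udp any 99.99.99.0 0.0.0.255 eq 53` the `eq 53` after the destination address matches the packet's destination port, while a DNS reply arriving inbound from the provider's resolver has source port 53 and an ephemeral destination port. The following model of that matching is an added example, not code from the thread or from Cisco; it parses the same line format the poster uses, applies first-match-wins with an implicit deny, and runs a constructed DNS reply through the list as described and through a list that also matches on the source port (and, for TCP return traffic, the `established` keyword). The 99.99.99.0 0.0.0.255 network is the thread's; the client address 99.99.99.10 and the outside addresses 203.0.113.x / 198.51.100.7 are constructed sample values.

```python
"""Model of how an inbound Cisco extended ACL treats a DNS exchange.

Added illustration for this thread, not code from the thread or from Cisco.
The 99.99.99.0 0.0.0.255 inside network comes from the thread; the client
99.99.99.10 and the outside hosts 203.0.113.53/.80 and 198.51.100.7 are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False   # TCP ACK/RST bit set, i.e. reply to an existing connection


@dataclass(frozen=True)
class Entry:
    action: str
    proto: str
    src_net: Optional[ipaddress.IPv4Network]   # None means "any"
    src_port: Optional[int]
    dst_net: Optional[ipaddress.IPv4Network]
    dst_port: Optional[int]
    established: bool = False


def _parse_addr(tokens, i):
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a Cisco wildcard (host mask) after the slash
    return ipaddress.IPv4Network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT' qualifier following an address spec."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_entry(line: str) -> Entry:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P] [established]'."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(line)
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)      # 'eq' right after the source = SOURCE port
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)      # 'eq' after the destination = DESTINATION port
    return Entry(t[2], t[3], src, sport, dst, dport, "established" in t[i:])


def _in_net(net, addr):
    return net is None or ipaddress.IPv4Address(addr) in net


def matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and _in_net(e.src_net, p.src) and _in_net(e.dst_net, p.dst)
            and (e.src_port is None or e.src_port == p.sport)
            and (e.dst_port is None or e.dst_port == p.dport)
            and (not e.established or p.ack))


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First match wins; an IOS ACL ends with an implicit 'deny any any'."""
    for e in acl:
        if matches(e, p):
            return e.action
    return "deny"


INSIDE = "99.99.99.0 0.0.0.255"

# The list as the thread describes it: every entry matches only the DESTINATION port.
THREAD_ACL = [parse_entry(f"access-list 101 permit {proto} any {INSIDE} eq {port}")
              for port in (80, 443, 25, 110, 53) for proto in ("tcp", "udp")]

# Same entries plus return-traffic rules: a DNS reply arrives with SOURCE port 53 and
# an ephemeral destination port; TCP replies to inside clients carry the ACK bit.
FIXED_ACL = THREAD_ACL + [
    parse_entry(f"access-list 101 permit udp any eq 53 {INSIDE}"),
    parse_entry(f"access-list 101 permit tcp any eq 53 {INSIDE}"),
    parse_entry(f"access-list 101 permit tcp any {INSIDE} established"),
]

# Constructed sample packets as seen INBOUND on the outside (T1) interface.
DNS_REPLY = Packet("udp", "203.0.113.53", 53, "99.99.99.10", 51234)
HTTP_REPLY = Packet("tcp", "203.0.113.80", 80, "99.99.99.10", 51235, ack=True)
UNSOLICITED = Packet("udp", "198.51.100.7", 40000, "99.99.99.10", 51234)


def verdicts(acl: List[Entry]) -> dict:
    return {name: evaluate(acl, pkt) for name, pkt in
            (("dns_reply", DNS_REPLY), ("http_reply", HTTP_REPLY), ("unsolicited", UNSOLICITED))}


if __name__ == "__main__":
    print("thread ACL:", verdicts(THREAD_ACL))   # all three denied
    print("fixed ACL: ", verdicts(FIXED_ACL))    # replies permitted, unsolicited still denied
```

Running it shows the reply dropped by the implicit deny under the list as posted and accepted once an entry matches source port 53 toward the inside network; the unsolicited UDP packet stays denied either way, which is the property the poster wants to keep. The source-port rule still admits any outside host that chooses port 53 as its source, so on real IOS the tighter forms are reflexive ACLs or CBAC/the stateful inspection features, which track the outbound query and open the return path only for it; the model here stops at the plain extended-ACL syntax the thread is using.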
