Configuring ACL on router for DNS

By drsysadmin ·
Am configuring a router to allow DNS queries from inside the network to an exterior DNS server. Have opened tcp/udp on port 53, however, DNS resolution is still not occurring. My understanding was that DNS was on port 53. Have tried dynamic DNS (port 2164) and multicast DNS (port 5353 and 5354) as well, still with no luck. Am at a loss as to what port needs to be open on the router to allow DNS queries. Thanks!


by CG IT In reply to Configuring ACL on router ...

run the command show access-lists . in the access lists your group list 101 permit tcp any host <ip address> eq 53 or 101 permit udp any host <ip address> eq 53 should be in the list. since you have disabled the access list with the command no ip access-group 101 and you get connections, yeah the problem is in the access list. do you have an in access list 101 and an out access list 101 or no statement so the list applies for both directions? the list is read top to bottom so somewhere in there is the offending rule.

by CG IT In reply to

ah found it you put the access list on the ethernet interface with the in but you didn't apply one for out. the in at the end applies the access list for inbound only and you need one for out or don't put the in at the end of the command statement which will make the list apply for both directions.

by CG IT In reply to

hope you followed that. to recap after you created your access list and then went to apply it to the ethernet interface you put "in" at the end of the statement ip access-lists 101 "in" and that makes the list apply only for inbound. you don't have a corresponding "out" access list. so you can do one of 2 things. create an out access list and apply it to the interface or apply the access list without any "in"/"out" at the end which would then apply the access list for traffic in both directions.

by CG IT In reply to

rusty with Cisco stuff so sorry for all the banter on DNS, ACL, etc. I mostly deal with Windows network junk so took a wee bit more to catch on that the DNS issue with ACLs was for your 1700 access router.

by CG IT In reply to

it is my understanding that there is an implicit deny if not allowed. so with an in access list and the absence of an out list out traffic would be denied.

I'm rusty with Cisco stuff, but that's my understanding with ACLs.

by drsysadmin In reply to

Poster rated this answer.
Needed to clarify for CG IT to understand detail of issue.

by drsysadmin In reply to Configuring ACL on router ...

The ACL is not going onto my Ethernet0 (local) interface - the ACL is applied to SERIAL0 - the WAN interface. The ACL is applied "in" - so it's filtering packets coming IN to the network through Serial0. As long as I do not apply an ACL "out", all traffic is permitted outgoing. I have no ACL at all on Ethernet0, nor do I have an outbound ACL on Serial0. The only filter being applied is "IN"coming from the internet, through Serial0, then permitted into my network.
Here is the ACL in total:

access-list 101 permit tcp any 99.99.99.99 0.0.0.255 eq 80
access-list 101 permit udp any 99.99.99.99 0.0.0.255 eq 80
access-list 101 permit tcp any 99.99.99.99 0.0.0.255 eq 25
access-list 101 permit udp any 99.99.99.99 0.0.0.255 eq 25
access-list 101 permit tcp any 99.99.99.99 0.0.0.255 eq 53
access-list 101 permit udp any 99.99.99.99 0.0.0.255 eq 53
access-list 101 permit tcp any 99.99.99.99 0.0.0.255 eq 110
access-list 101 permit udp any 99.99.99.99 0.0.0.255 eq 110
access-list 101 permit tcp any 99.99.99.99 0.0.0.255 eq 443
access-list 101 permit udp any 99.99.99.99 0.0.0.255 eq 443
access-list 101 permit tcp any 99.99.99.99 0.0.0.255 eq 1701
access-list 101 permit udp any 99.99.99.99 0.0.0.255 eq 1701

this is applied via:
ip access-group 101 in

Which kills the internet.
have also tried the same setup with:

access-list 102 permit IP any any
ip access-group 102 out

No change.
You're right, there is an implicit deny statement on the end of every ACL, which is why the port must be manually opened.
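An added example, not part of the thread and not the poster's or CG IT's configuration: a small Python model of how an IOS extended ACL is evaluated (entries read top to bottom, first match decides, implicit deny when nothing matches), run over the twelve entries posted above and over a few constructed packets. The outside resolver 203.0.113.53, the inside host 99.99.99.10 and the ephemeral ports are assumptions for illustration. It also goes one step beyond the thread: because a resolver answers from source port 53 to whatever ephemeral port the query came from, the example includes a variant entry (an assumption, not something the thread proposes) that matches replies by source port, so the reader can see which packets each form of the list admits.

```python
# Added example, not from the thread: a minimal model of Cisco IOS extended
# ACL evaluation (top to bottom, first match wins, implicit deny at the end),
# applied to the twelve entries posted above and to constructed packets.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches either)
    src_net: str          # CIDR; "0.0.0.0/0" stands for "any"
    dst_net: str
    sport: Optional[int]  # "eq N" on the source port, None = any port
    dport: Optional[int]  # "eq N" on the destination port, None = any port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


def _addr(tok: list[str], i: int) -> tuple[str, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' starting at tok[i]."""
    if tok[i] == "any":
        return "0.0.0.0/0", i + 1
    if tok[i] == "host":
        return f"{tok[i + 1]}/32", i + 2
    # IOS wildcard masks are host masks; ipaddress accepts them directly, and
    # strict=False zeroes the host bits as IOS does (99.99.99.99 -> 99.99.99.0/24).
    return str(ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False)), i + 2


def _port(tok: list[str], i: int) -> tuple[Optional[int], int]:
    """Parse an optional 'eq N' at tok[i]."""
    if i < len(tok) and tok[i] == "eq":
        return int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text: str) -> list[Rule]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # blank lines and anything that is not an ACL entry
        src, i = _addr(tok, 4)
        sport, i = _port(tok, i)
        dst, i = _addr(tok, i)
        dport, _ = _port(tok, i)
        rules.append(Rule(tok[2].lower(), tok[3].lower(), src, dst, sport, dport))
    return rules


def evaluate(acl: list[Rule], p: Packet) -> str:
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"  # the implicit deny at the end of every IOS ACL


# The twelve entries from the post above, verbatim.
POSTED_ACL_101 = "\n".join(
    f"access-list 101 permit {proto} any 99.99.99.99 0.0.0.255 eq {port}"
    for port in (80, 25, 53, 110, 443, 1701) for proto in ("tcp", "udp"))

# Constructed traffic (addresses and ephemeral ports are assumptions). A reply
# from an outside resolver arrives on Serial0 "in" from source port 53 to the
# ephemeral port the query left from, not to destination port 53; a web
# server's response has the same shape. Only an unsolicited packet aimed at
# an inside host's port 53 matches the posted entries.
DNS_REPLY = Packet("udp", "203.0.113.53", 53, "99.99.99.10", 51234)
HTTP_REPLY = Packet("tcp", "203.0.113.80", 80, "99.99.99.10", 44321)
UNSOLICITED_QUERY = Packet("udp", "203.0.113.7", 40000, "99.99.99.10", 53)

# Variant entry (an assumption, not from the thread): match DNS replies by
# their source port instead of the destination port.
REPLY_ENTRY = "access-list 101 permit udp any eq 53 99.99.99.99 0.0.0.255"


def verdicts(acl_text: str) -> dict[str, str]:
    acl = parse_acl(acl_text)
    return {"dns_reply": evaluate(acl, DNS_REPLY),
            "http_reply": evaluate(acl, HTTP_REPLY),
            "unsolicited_query": evaluate(acl, UNSOLICITED_QUERY)}


if __name__ == "__main__":
    print("posted ACL 101:  ", verdicts(POSTED_ACL_101))
    print("with reply entry:", verdicts(POSTED_ACL_101 + "\n" + REPLY_ENTRY))
```

Against the posted list the DNS and HTTP replies both fall through to the implicit deny, which is consistent with the thread's "kills the internet", while an unsolicited packet to an inside port 53 is permitted. The source-port variant admits the DNS reply, but it also admits any UDP datagram from source port 53 to any inside port, so where the platform supports it, stateful return-traffic handling (reflexive ACLs, or `established` for TCP) is the tighter way to let answers back in.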

by drsysadmin In reply to Configuring ACL on router ...

Closing and moving to Network Security. Assistance appreciated, but after review the other areas may be more appropriate for the subject matter. Hopefully a resolution will be found - it's likely something obvious I am missing.
Thanks for the attempts.
Dr. Sys

by drsysadmin In reply to Configuring ACL on router ...

This question was closed by the author