
What to do when a Cisco ACL blocks access to external DNS servers

Tags: Domain names, NETWORKING, DNS server, Jason Hiner MCSE, CCNA, access control list, DNS, access control, UDP, Cisco Systems Inc., server


Takeaway: See how to resolve a problem involving a Cisco access control list that won't allow internal systems to access external DNS servers.

Problem

In the Technical Q&A, member drsysadmin@hotmail.com posted a detailed description of a problem with a Cisco router: "I am creating an IP extended access control list (ACL) on a Cisco 1700 series router. The ACL is to be applied on Serial0 (WAN interface) and will filter incoming (Internet to network) packets for security purposes. Standard ports 25, 80, 110, and 443 are permitted, as well as one port for VPN. Specified ports are opened for both TCP and UDP. In addition, 'established' connections are also permitted. The problem comes on DNS. Port 53 is supposed to be the standard DNS port. I have opened port 53 for UDP and TCP, yet as soon as the filter is applied, no internal machine can do DNS resolution (note: our DNS server is an external provider's machine). If I remove the ACL, the 'Internet comes back on' as one developer stated. Command line DNS also fails, so it is definitely DNS that is dying because of the ACL. All statements in the ACL are permits at this point, allowing the implicit 'Deny any any' to cover what I do not manually open. So it's not a misconfigured deny statement. No filters are applied to the LAN interface, so they default to 'permit any any' in both directions. There is no outgoing filter on the WAN interface, so it also has 'permit any any' permissions."

Solution

Member Srikrishna provided the missing statement that was needed to allow DNS requests to pass through the ACL:

access-list ### permit udp host "ip.of.name.server" any gt 1023

Srikrishna also commented, "DNS works on UDP. Try opening higher ports from the server."

In response, drsysadmin@hotmail.com said, "This resolved my issue perfectly. With the host command I can specify that the response is from the server required."
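Why the original ACL dropped DNS and why the one extra line restores it is easier to see in a small model of the inbound filter. The following is an added example, not code from the article or from Cisco: it models the poster's permit entries (the unspecified VPN port is left out) as a first-match list with an implicit deny, then evaluates an inbound DNS reply, which arrives from the server's port 53 to a high ephemeral port on the client. The name server address 198.51.100.53 and the client address 192.168.1.20 are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholder for the external provider's name server (not from the page).
NAME_SERVER = "198.51.100.53"

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    established: bool = False  # TCP ACK/RST bit set; never true for UDP

def matches(entry: dict, pkt: Packet) -> bool:
    """One extended-ACL entry. 'eq'/'gt' compare the DESTINATION port, as
    'eq 53' did in the poster's ACL; 'src_host' models the 'host' keyword."""
    if entry["proto"] != pkt.proto:
        return False
    if entry.get("src_host") and entry["src_host"] != pkt.src:
        return False
    if entry.get("established") and not pkt.established:
        return False
    if "eq" in entry and pkt.dport != entry["eq"]:
        return False
    if "gt" in entry and pkt.dport <= entry["gt"]:
        return False
    return True

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; nothing matched means the implicit deny."""
    for entry in acl:
        if matches(entry, pkt):
            return entry["action"]
    return "deny"

# The poster's inbound ACL: 'established' for TCP, then per-port permits for TCP and UDP.
ORIGINAL_ACL = [{"action": "permit", "proto": "tcp", "established": True}]
for port in (25, 80, 110, 443, 53):
    ORIGINAL_ACL.append({"action": "permit", "proto": "tcp", "eq": port})
    ORIGINAL_ACL.append({"action": "permit", "proto": "udp", "eq": port})

# Srikrishna's extra line: access-list ### permit udp host <name server> any gt 1023
FIXED_ACL = ORIGINAL_ACL + [
    {"action": "permit", "proto": "udp", "src_host": NAME_SERVER, "gt": 1023}]

# A DNS reply arriving from the Internet: source port 53, destination port ephemeral.
DNS_REPLY = Packet("udp", NAME_SERVER, "192.168.1.20", 53, 40123)
```

The 'established' keyword only ever matches TCP, so UDP replies need their own permit; pinning it with 'host' means replies claiming to come from any other address on port 53 still hit the implicit deny.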


Note

The text of discussion posts from TechRepublic members has been slightly edited for spelling, punctuation, and clarity.

