As they said:
> 
> [EMAIL PROTECTED] wrote:
> >I am trying to modify my access-list so that we allow DNS queries to traverse
> >the network but no other UDP traffic.
> >
> >This is what I have coded but it doesn't work:
> >
> >access-list 105 permit udp any any eq 53
> >access-list 105 deny udp any any
> >
> >What we are trying to do is allow our internal DNS servers to query our
> >external DNS servers if the request is not in local cache.  We put a sniffer
> >on it and found that the request was going from port 53 to port 53.  This is
> >different behavior than a client request.

Of course, the traffic must be able to traverse both directions.  Can't tell
from your IOS config statements which direction they apply to or whether
there are filters in the other direction.

> 
> First, if you use the "log" operand on the deny statements the blocked packets
> will appear in the log.  This is useful when you need to understand why some
> desired traffic is being blocked.

Make sure you log the denies in both directions, or you may be scratching
your head.

> 
> Second, for dns to work correctly you also need to allow tcp.  Perhaps you've
> done that elsewhere, but I'll show it below.

Many agree that the best practice is to allow tcp only among the fellow NSs
for your zones, since DNS typically uses tcp only for zone transfers.

> 
> The following access list excerpt assumes the destination addresses (the second
> address in each statement) are the ones being protected and are being allowed to
> send but not receive dns queries:
> 
> access-list 121 permit udp  any any eq domain
> access-list 121 permit udp  any any range 1024 5999
> access-list 121 permit tcp any any established
> access-list 121 deny ip any any log
> 
> Tony Rall

The second address in the first statement can receive but not
send dns queries.  Not sure what the intent of the next
two are WRT dns.
--
W.C. Epperson                   "I have great faith in fools. 
Chief of Systems Engineering     Self-confidence, my friends call it."
Security Officer Emeritus             --Edgar Allen Poe--
Curmudgeon-for-Life                    
Virginia Dept. of Education             
[EMAIL PROTECTED]
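The thread turns on two things the ACL text alone does not show: IOS evaluates an extended list top-down and first match wins (with an implicit deny at the end), and a list sees only one direction of a flow, so the reply packets must match on their own. The following small model is an added example, not anything posted in the thread; it keeps only protocol, ports and the TCP "established" flag (addresses and wildcard masks are left out, which is an assumption that fits these "any any" lists), and runs a few constructed DNS packets through the original poster's list 105 and Tony Rall's list 121 to show which packets each list passes.

```python
# Added example (not from the thread): a minimal model of Cisco IOS extended
# ACL evaluation, limited to protocol, destination port and "established".
# Addresses/wildcards are deliberately ignored since both lists use "any any".
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str                 # "udp" or "tcp"
    src_port: int
    dst_port: int
    established: bool = False  # TCP with ACK or RST set (IOS "established")

@dataclass(frozen=True)
class Rule:
    action: str                            # "permit" or "deny"
    proto: str                             # "udp", "tcp" or "ip" (any protocol)
    dst_ports: Optional[Tuple[int, int]] = None  # inclusive range, None = any
    established: bool = False              # only meaningful for tcp rules

def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet satisfies every qualifier on the rule."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dst_ports is not None:
        lo, hi = rule.dst_ports
        if not lo <= pkt.dst_port <= hi:
            return False
    if rule.established and not (pkt.proto == "tcp" and pkt.established):
        return False
    return True

def evaluate(acl, pkt: Packet) -> str:
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

# The original poster's list 105, as quoted above.
ACL_105 = [
    Rule("permit", "udp", (53, 53)),   # permit udp any any eq 53
    Rule("deny", "udp"),               # deny udp any any
]

# Tony Rall's excerpt, list 121.
ACL_121 = [
    Rule("permit", "udp", (53, 53)),       # permit udp any any eq domain
    Rule("permit", "udp", (1024, 5999)),   # permit udp any any range 1024 5999
    Rule("permit", "tcp", established=True),  # permit tcp any any established
    Rule("deny", "ip"),                    # deny ip any any log
]

def dns_verdicts(acl) -> dict:
    """Run constructed DNS packets (not captures from the thread) through an
    ACL and report the verdict for each, so both directions can be compared."""
    flows = {
        # resolver-style query from an ephemeral port, and its reply
        "client_query_out": Packet("udp", src_port=1027, dst_port=53),
        "client_reply_in":  Packet("udp", src_port=53,   dst_port=1027),
        # server-to-server query, port 53 to port 53 as seen on the sniffer
        "server_query_out": Packet("udp", src_port=53,   dst_port=53),
        "server_reply_in":  Packet("udp", src_port=53,   dst_port=53),
        # TCP (zone transfer) opening SYN inbound, and the reply to our SYN
        "axfr_syn_in":      Packet("tcp", src_port=1030, dst_port=53),
        "axfr_reply_in":    Packet("tcp", src_port=53,   dst_port=1030,
                                   established=True),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}

if __name__ == "__main__":
    for label, acl in (("ACL 105", ACL_105), ("ACL 121", ACL_121)):
        print(label)
        for name, verdict in dns_verdicts(acl).items():
            print(f"  {name:18s} {verdict}")
```

Run against list 105, the 53-to-53 server exchange passes in both directions, but the reply to a client-style query (port 53 back to the ephemeral port) is denied, which is the symptom to look for in the logged denies if the list is applied on the inbound side. List 121 passes that reply through the 1024-5999 range and admits only TCP segments that belong to a connection opened from the protected side, so an inbound SYN to port 53 still falls through to the final deny.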