dns acls

Discussion in 'Cisco' started by meme, Jan 15, 2004.

  1. meme

    meme Guest

    Ok, I'm a bit rusty on my ACLs. I have a machine in a DMZ which needs to
    be a DNS client to a server on the other side of my 8xx router.

    I currently have the below config'ed in. This is a web server, and rules for
    inbound connections work fine (i.e. 80, 443, etc.) from the outside world,
    basically using the same rule structure below.

    access-list 102 permit tcp any host x.x.x.x eq domain
    access-list 102 permit udp any host x.x.x.x eq domain
    access-list 103 permit tcp host x.x.x.x any eq domain
    access-list 103 permit udp host x.x.x.x any eq domain


    Do I have to do anything special to allow my web server to do DNS lookups?
    Hmmmm, DNS lookups return on random ports?
     
    meme, Jan 15, 2004
    #1

  2. In article <bu77tq$cj2$>,
    "meme" <> wrote:

    > Ok, Im a bit rusty on my acls. I have a machine in a DMZ which needs to
    > be a dns client to a server on the other side of my 8xx router.
    >
    > I currently have the below config'ed in. This is a web server and rules for
    > inbound connections work fine (ie. 80, 443, etc) from the outside world
    > basically using the same rule structure below.
    >
    > access-list 102 permit tcp any host x.x.x.x eq domain
    > access-list 102 permit udp any host x.x.x.x eq domain
    > access-list 103 permit tcp host x.x.x.x any eq domain
    > access-list 103 permit udp host x.x.x.x any eq domain


    Which one of these is for the client->server versus server->client
    direction? You specify the DNS port as the destination in both, but
    that doesn't make sense. The DNS port is only on the server, not the
    client. So the client->server ACL should be:

    access-list ### permit tcp host <client> host <server> eq domain
    access-list ### permit udp host <client> host <server> eq domain

    The server->client ACL should be:

    access-list ### permit tcp host <server> eq domain host <client>
    access-list ### permit udp host <server> eq domain host <client>

    --
    Barry Margolin,
    Arlington, MA
     
    Barry Margolin, Jan 16, 2004
    #2
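    To make the direction point concrete, here is a small evaluator, added for this thread and not code from either poster or from Cisco, that parses the `access-list N permit|deny proto SRC [eq P] DST [eq P]` form used above and runs a UDP query and its reply through the posted entries and through Barry's corrected form. The client and server addresses and the ephemeral source port are constructed sample values, and only `any`, `host` and `eq` are supported since those are the only forms the thread uses.

```python
"""Toy evaluator for Cisco IOS-style extended ACL entries.

Added example for this thread (not code from the posters or from Cisco).
It checks which direction of a DNS exchange each entry actually matches.
Addresses and the ephemeral port are constructed sample values.
"""
from dataclasses import dataclass
from typing import Callable, List

# Port keywords IOS accepts in place of a number (only the ones needed here).
PORT_NAMES = {"domain": 53, "www": 80}


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Ace:
    acl: str
    action: str  # "permit" or "deny"
    proto: str
    src: Callable[[str], bool]
    sport: Callable[[int], bool]
    dst: Callable[[str], bool]
    dport: Callable[[int], bool]

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src(pkt.src) and self.sport(pkt.sport)
                and self.dst(pkt.dst) and self.dport(pkt.dport))


def _parse_addr(tokens, i):
    """'any' or 'host A.B.C.D'; returns (matcher, index of next token)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        host = tokens[i + 1]
        return (lambda ip: ip == host), i + 2
    raise ValueError(f"unsupported address form at token {i}: {tokens[i]}")


def _parse_port(tokens, i):
    """Optional 'eq <port|name>' operator; absent means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        name = tokens[i + 1]
        port = PORT_NAMES.get(name) or int(name)
        return (lambda p: p == port), i + 2
    return (lambda p: True), i


def parse_ace(line: str) -> Ace:
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line!r}")
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)   # port operator after the source, if any
    dst, i = _parse_addr(t, i)
    dport, i = _parse_port(t, i)   # port operator after the destination
    return Ace(t[1], t[2], t[3], src, sport, dst, dport)


def evaluate(acl: List[str], pkt: Packet) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in map(parse_ace, acl):
        if ace.matches(pkt):
            return ace.action
    return "deny"


# Constructed sample hosts (RFC 5737 documentation ranges) and ephemeral port.
CLIENT, SERVER, EPHEMERAL = "192.0.2.10", "198.51.100.53", 40123
QUERY = Packet("udp", CLIENT, EPHEMERAL, SERVER, 53)
RESPONSE = Packet("udp", SERVER, 53, CLIENT, EPHEMERAL)

# The poster's inbound entry: 'eq domain' is attached to the client's address.
ORIGINAL_INBOUND = [f"access-list 102 permit udp any host {CLIENT} eq domain"]
# Barry's server->client form: the port belongs to the server side.
CORRECTED_INBOUND = [f"access-list 102 permit udp host {SERVER} eq domain host {CLIENT}"]
OUTBOUND = [f"access-list 103 permit udp host {CLIENT} host {SERVER} eq domain"]


def dns_flow_result(outbound: List[str], inbound: List[str]) -> dict:
    """Verdict for the query (outbound ACL) and its reply (inbound ACL)."""
    return {"query": evaluate(outbound, QUERY),
            "response": evaluate(inbound, RESPONSE)}


if __name__ == "__main__":
    print("as posted :", dns_flow_result(OUTBOUND, ORIGINAL_INBOUND))
    print("corrected :", dns_flow_result(OUTBOUND, CORRECTED_INBOUND))
```

    Run as written, the posted inbound entry permits the outbound query but drops the reply, because the reply arrives with source port 53 and the client's ephemeral port as destination; the same entry would instead admit DNS queries from anywhere aimed at the web server, which is not what was intended. Since the ACL is stateless and the `established` keyword only applies to TCP, the UDP reply needs its own explicit entry with `eq domain` on the server side, as in the corrected line.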

  3. mridula_pappu

    mridula_pappu
    Hi,

    I was just wondering if you could solve this for me... to get me a clearer understanding.

    Assuming my company network has an IP network address of 204.85.11.0/24, and a DNS service hosted on a server with the IP address 204.85.10.2 which is inside the perimeter of the company's network. On the border of the company's internal network is a screening router which directly faces the Internet. One needs to update the access control list of this screening router to allow the company's internal DNS server to be accessible from Internet hosts for performing DNS queries, and to allow the internal DNS service to query other DNS services on the Internet. What kind of a ruleset can be written to achieve this using Cisco IOS Extended ACLs? Can you please also just give the functionality of the rule, and how it works?
     
    mridula_pappu, Sep 15, 2007
    #3