Solved

Restrict outbound DNS traffic

Posted on 2008-10-15
3
400 Views
Last Modified: 2012-05-05
How do i restrict all DNS access outbound on a PIX firewall except for a specific DNS server?
0
Comment
Question by:Muscella
3 Comments
 
LVL 71

Expert Comment

by:Chris Dent
ID: 22725575

Hey,

Depends a little on where you apply the rule. Lets assume the inside of an internal interface (for the sake of the example) and closest to the server you want to make the requests.

This rule will only allow the host 10.10.10.10 to make outbound DNS requests. All other internal clients will have to use that DNS service.

access-list your_acl_name extended permit udp host 10.10.10.10 any eq 53
accessl-list your_acl_name extended permit tcp host 10.10.10.10 any eq 53

TCP is included as it will be used when the response for a request is too big for UDP. Feel free not to include it in your rule-set, it's only worth knowing about in the rare situations where the response is too big.

Chris
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 22725754
You have to be careful when applying restrictive acls or you will block everything. You have to remember the implicit deny all at the end of any acl

Here's an example that will only allow dns server 10.100.110.10 out
access-list outbound_restriction permit udp host 10.100.110.10 any eq domain
access-list outbound_restriction deny udp any any eq domain
access-list outbound_restriction permit ip any any

access-group outbound_restriction in interface inside

0
 

Author Comment

by:Muscella
ID: 22733275
I think this will work.  Thanks!
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
ASA 5506 blocks telnet 11 33
Cisco Edge Routers for BGP 6 91
Cisco IOS upgrade c3560_backup and deletion of drwx 7 43
DNS Issues With Machines 2 35
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
Concerto Cloud Services, a provider of fully managed private, public and hybrid cloud solutions, announced today it was named to the 20 Coolest Cloud Infrastructure Vendors Of The 2017 Cloud  (http://www.concertocloud.com/about/in-the-news/2017/02/0…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question