Restrict outbound DNS traffic

How do i restrict all DNS access outbound on a PIX firewall except for a specific DNS server?
MuscellaAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
lrmooreConnect With a Mentor Commented:
You have to be careful when applying restrictive acls or you will block everything. You have to remember the implicit deny all at the end of any acl

Here's an example that will only allow dns server 10.100.110.10 out
access-list outbound_restriction permit udp host 10.100.110.10 any eq domain
access-list outbound_restriction deny udp any any eq domain
access-list outbound_restriction permit ip any any

access-group outbound_restriction in interface inside

0
 
Chris DentPowerShell DeveloperCommented:

Hey,

Depends a little on where you apply the rule. Lets assume the inside of an internal interface (for the sake of the example) and closest to the server you want to make the requests.

This rule will only allow the host 10.10.10.10 to make outbound DNS requests. All other internal clients will have to use that DNS service.

access-list your_acl_name extended permit udp host 10.10.10.10 any eq 53
accessl-list your_acl_name extended permit tcp host 10.10.10.10 any eq 53

TCP is included as it will be used when the response for a request is too big for UDP. Feel free not to include it in your rule-set, it's only worth knowing about in the rare situations where the response is too big.

Chris
0
 
MuscellaAuthor Commented:
I think this will work.  Thanks!
0
All Courses

From novice to tech pro — start learning today.