I have the following statements at the top side of an ACL on a Cisco 3825:
10 permit udp host 184.108.40.206 any eq domain log
20 permit udp host 220.127.116.11 any log
I am attempting DNS resolution against the global DNS root 18.104.22.168 for testing of a development network. Both of the above statements are applied inbound to the WAN link of the edge router. When I attempt DNS resolution, only line 20 matches. Line 10 generates no match and the packet is ultimately denied if line 20 is removed from the ACL.
Can anyone tell me why line 10 would not be matching DNS replies from 22.214.171.124 and how to overcome the problem? I am concerned that this problem will begin to extend to other services as I expand the ACL to include www, 443, ftp, smtp, etc. and do not want to open a gaping hole in the front end that basically equates to a "permit ip any any" statement in order to make these work.
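Added example, not part of the original post: a small Python simulation of the extended-ACL matching rule the question turns on. It assumes a constructed documentation address (192.0.2.53) in place of the root-server addresses above and hypothetical helpers parse_ace/first_match; it shows that in "host X any eq domain" the port test applies to the destination, so a DNS reply (source port 53, destination an ephemeral port) misses line 10 and falls through to line 20, while "host X eq domain any" matches it.

```python
# Added example, not from the original post: a minimal simulator of how a Cisco
# extended ACE of the form
#     SEQ permit udp <src> [eq PORT] <dst> [eq PORT] [log]
# is matched.  A port keyword after the DESTINATION address is the destination
# port, so "host X any eq domain" matches packets sent TO port 53, not DNS
# replies that come FROM port 53 to an ephemeral client port.
PORT_NAMES = {"domain": 53, "www": 80, "ftp": 21, "smtp": 25}

def parse_ace(line):
    """Parse one ACE into a dict; None in a field means 'any'."""
    toks = line.split()
    ace = {"seq": int(toks[0]), "action": toks[1], "proto": toks[2]}
    i = 3
    for side in ("src", "dst"):
        if toks[i] == "any":
            ace[side], i = None, i + 1
        elif toks[i] == "host":
            ace[side], i = toks[i + 1], i + 2
        else:
            raise ValueError(f"unsupported address form: {toks[i]}")
        # an optional "eq PORT" binds to the address just parsed
        if i < len(toks) and toks[i] == "eq":
            name = toks[i + 1]
            ace[side + "_port"] = PORT_NAMES.get(name, int(name) if name.isdigit() else None)
            i += 2
        else:
            ace[side + "_port"] = None
    return ace

def ace_matches(ace, pkt):
    return all(ace[f] in (None, pkt[f]) for f in ("proto", "src", "src_port", "dst", "dst_port"))

def first_match(acl, pkt):
    """Sequence number of the first ACE that matches, or None for the implicit deny."""
    return next((a["seq"] for a in acl if ace_matches(a, pkt)), None)

# Constructed values: a documentation-range address stands in for the root server.
ROOT = "192.0.2.53"
CLIENT = "192.0.2.10"
DNS_REPLY = {"proto": "udp", "src": ROOT, "src_port": 53, "dst": CLIENT, "dst_port": 40513}

ORIGINAL_ACL = [parse_ace(f"10 permit udp host {ROOT} any eq domain log"),
                parse_ace(f"20 permit udp host {ROOT} any log")]
# Corrected line 10: the port test moves to the source side of the ACE.
FIXED_ACL = [parse_ace(f"10 permit udp host {ROOT} eq domain any log")]

if __name__ == "__main__":
    print("reply vs original ACL :", first_match(ORIGINAL_ACL, DNS_REPLY))      # 20
    print("reply vs line 10 only :", first_match(ORIGINAL_ACL[:1], DNS_REPLY))  # None
    print("reply vs fixed ACL    :", first_match(FIXED_ACL, DNS_REPLY))         # 10
```

A source-port match still admits any UDP datagram from port 53 to any high port, so for the other services listed (www, 443, ftp, smtp) the narrower answer on IOS is stateful return-traffic handling (reflexive ACLs, CBAC or the zone-based firewall) rather than a growing set of static permits.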