How to stop DHCP LAN users accessing public DNS on a Cisco 2811 router

I have recently configured a Cisco 2811 router for internet access for LAN users. This router has two LAN ports. One port I configured for the WAN connection (we have a leased line connection), and the other port I configured for the DHCP LAN connection to the users in the LAN. I set OpenDNS as the name server in the Cisco router and also in DHCP. Things were going well, but some users get an IP from DHCP and then change the DNS address to Google. After changing the DNS to Google they can access the restricted websites. I want to route all DNS requests to my Cisco router's name server. Please provide the solution; I am a beginner user of Cisco routers.
I attach my Cisco router configuration as an attachment.

thanks
Manoj
Router-Configuration.txt
Manojtanwar asked:
ffleisma (Senior Network Engineer) commented:
What you can do is apply some filtering like the one below:
configure terminal
!
access-list 100 deny tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 deny udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 deny tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 deny udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 deny tcp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 deny udp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 permit ip 192.168.50.0 0.0.1.255 any
!
interface FastEthernet0/1
ip access-group 100 in
!
end
!
wr
!
Lines 3-6 permit DNS traffic (TCP/UDP 53) to IP addresses 208.67.222.220 and 208.67.222.222.
Lines 7-8 deny all DNS traffic (TCP/UDP 53) to any other IP destination.
Line 9 permits all other traffic (HTTP, HTTPS, etc.).
Line 12 applies the ACL to incoming traffic on interface Fa0/1.

Though this would be a simple method of traffic filtering, it is more advisable to use a firewall to filter traffic, as creating these rules can be very administratively challenging.
ffleisma (Senior Network Engineer) commented:
Also, you have posted your configuration without "service password-encryption"; the username and password are visible in clear text and the public IP is not sanitized. If you could, remove your attached configuration or replace important details with *****

interface FastEthernet0/0
 ip address 115.x.x.x 255.255.255.224

username **** privilege 15 password 0 **** 

Please do so ASAP to prevent unwanted people from accessing your device.
Manojtanwar (Author) commented:
Thanks for the prompt response, but after applying these settings I cannot access any site.

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#$tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
Router(config)#$udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
Router(config)#$tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
Router(config)#$udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
Router(config)#access-list 100 deny tcp 192.168.50.0 0.0.1.255 any eq domain
Router(config)#access-list 100 deny udp 192.168.50.0 0.0.1.255 any eq domain
Router(config)#access-list 100 permit ip 192.168.50.0 0.0.1.255 any
Router(config)#interface FastEthernet0/1
Router(config-if)#ip access-group 100 in
Router(config-if)#end
Router#
*Mar 10 09:42:01.359: %SYS-5-CONFIG_I: Configured from console by consolewr
Building configuration...
[OK]
I did it in the above manner; please tell me what I did wrong.
thanks
ffleisma (Senior Network Engineer) commented:
Remove the previous configuration:
configure terminal
!
no access-list 100 deny tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
no access-list 100 deny udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
no access-list 100 deny tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
no access-list 100 deny udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
no access-list 100 deny tcp 192.168.50.0 0.0.1.255 any eq domain
no access-list 100 deny udp 192.168.50.0 0.0.1.255 any eq domain
no access-list 100 permit ip 192.168.50.0 0.0.1.255 any
!

My mistake, it is supposed to be as follows:
configure terminal
!
access-list 100 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 deny tcp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 deny udp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 permit ip 192.168.50.0 0.0.1.255 any
!
interface FastEthernet0/1
ip access-group 100 in
!
end
!
wr
!

Lines 3-6 should be permit instead of deny.
Manojtanwar (Author) commented:
Still not working; after that I am not getting an IP from DHCP and all communication is stopped.

Router#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#$t tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
Router(config)#$t udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
Router(config)#$t tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
Router(config)#$t udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
Router(config)#access-list 100 deny tcp 192.168.50.0 0.0.1.255 any eq domain
Router(config)#access-list 100 deny udp 192.168.50.0 0.0.1.255 any eq domain
Router(config)#access-list 100 permit ip 192.168.50.0 0.0.1.255 any
Router(config)#interface FastEthernet0/1
Router(config-if)#ip access-group 100 in
Router(config-if)#end
Router#wr
Building configuration...
ffleisma (Senior Network Engineer) commented:
Make sure that the last line is added:

access-list 100 permit ip 192.168.50.0 0.0.1.255 any

It should show something like this:
R1#show run | inc access-list 100
access-list 100 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 deny tcp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 deny udp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 permit ip 192.168.50.0 0.0.1.255 any

Manojtanwar (Author) commented:
I did exactly that; here is the show access-list output from the router:


Router#show access-list
Standard IP access list 1
    10 permit 192.168.50.0, wildcard bits 0.0.0.255 (228326 matches)
Extended IP access list 100
    10 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
    20 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
    30 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
    40 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
    50 deny tcp 192.168.50.0 0.0.1.255 any eq domain
    60 deny udp 192.168.50.0 0.0.1.255 any eq domain
    70 permit ip 192.168.50.0 0.0.1.255 any (6 matches)
ffleisma (Senior Network Engineer) commented:
With the above-mentioned configuration, are you able to do the following?
ping 8.8.8.8
telnet 208.117.231.148 80
ping google.com
nslookup yahoo.com

Can you test and provide the result of "nslookup yahoo.com" when the ACL is applied?
Manojtanwar (Author) commented:
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\DHBVN>ping 8.8.8.8

Pinging 8.8.8.8 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 8.8.8.8:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

C:\Users\DHBVN>ping google.com
Ping request could not find host google.com. Please check the name and try again

C:\Users\DHBVN>telnet 208.117.231.148 80
Connecting To 208.117.231.148...Could not open connection to the host, on port 8
0: Connect failed
C:\>nslookup yahoo.com
Server:  UnKnown
Address:  fec0:0:0:ffff::1

*** UnKnown can't find yahoo.com: No response from server

I cannot get an IP from DHCP either.

I can give you my TeamViewer with a console connection if you want.
ffleisma (Senior Network Engineer) commented:
Hmmm, that is odd; from your "show access-list" above

Router#show access-list
Standard IP access list 1
    10 permit 192.168.50.0, wildcard bits 0.0.0.255 (228326 matches)
Extended IP access list 100
    10 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
    20 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
    30 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
    40 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
    50 deny tcp 192.168.50.0 0.0.1.255 any eq domain
    60 deny udp 192.168.50.0 0.0.1.255 any eq domain
    70 permit ip 192.168.50.0 0.0.1.255 any (6 matches) 

there are no hits for the other rules.

What you can try next: can you do the following on a host and provide the output:
ipconfig /release
ipconfig /renew
ipconfig /all
and once again test internet connectivity.
Manojtanwar (Author) commented:
Sorry, I accidentally rebooted and it went back to the initial stage. Can I recover it from the initial stage, or do I have to configure from the start?
ffleisma (Senior Network Engineer) commented:
You mean you have rebooted the router and the configuration was not saved previously?

Oh, that's bad; you'll have to reconfigure it again. Anyway, your configuration is attached here; you'll just have to copy and paste everything and it should be fine.
Manojtanwar (Author) commented:
Sorry for the delay.

When I remove this command on Fa0/1, "ip access-group 100 in", I get DHCP back.
ffleisma (Senior Network Engineer) commented:
The access-group is the one doing the filtering for TCP/UDP 53, which is DNS traffic.
interface FastEthernet 0/1
 ip access-group 100

However, it should not affect DHCP as long as the following access-list entries are configured:
access-list 100 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.222 eq domain
access-list 100 permit tcp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 permit udp 192.168.50.0 0.0.1.255 host 208.67.222.220 eq domain
access-list 100 deny tcp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 deny udp 192.168.50.0 0.0.1.255 any eq domain
access-list 100 permit ip 192.168.50.0 0.0.1.255 any
access-list 100 permit udp any host 255.255.255.255 eq bootps
access-list 100 permit udp any host 255.255.255.255 eq bootpc

I have added the last lines "access-list 100 permit udp any host 255.255.255.255 eq bootps" and "access-list 100 permit udp any host 255.255.255.255 eq bootpc", which should allow DHCP requests coming from your host.
Now I've simulated your router configuration in GNS3; hosts behind the router should not have a problem getting a DHCP IP. If you have applied the access-list, try renewing the host PC's ipconfig and provide the output you get for the following:
ipconfig/release
ipconfig/renew
ipconfig/all
nslookup google.com
telnet 208.117.231.187 80
If the host cannot get an IP address, kindly try testing with a statically configured IP address on the host and then test internet connectivity.
nslookup google.com
telnet 208.117.231.187 80
After testing, kindly verify whether traffic was hitting the router via
show access-list
Let us know how it goes, and we will try to check from there.
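The following is an added example, not from the thread above or from Cisco: a small Python model of IOS extended-ACL evaluation (top-down, first match wins, implicit deny at the end) applied to the thread's ACL 100. It shows why the first version (deny on lines 1-4) blocked all DNS, why the corrected version still dropped DHCP (a DHCP DISCOVER is sourced from 0.0.0.0, which no line matching 192.168.50.0 0.0.1.255 can see), and how the two bootps/bootpc lines fix that. The sample packets are constructed, not captured traffic.

```python
import ipaddress

DNS, BOOTPS, BOOTPC = 53, 67, 68

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)

# "any" is 0.0.0.0 with wildcard 255.255.255.255; "host X" is X with wildcard 0.0.0.0.
ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.50.0", "0.0.1.255")
def host(ip): return (ip, "0.0.0.0")

# Each entry: (action, protocol, (src, src_wc), (dst, dst_wc), dst_port or None)
ACL_100_FINAL = [
    ("permit", "tcp", LAN, host("208.67.222.222"), DNS),
    ("permit", "udp", LAN, host("208.67.222.222"), DNS),
    ("permit", "tcp", LAN, host("208.67.222.220"), DNS),
    ("permit", "udp", LAN, host("208.67.222.220"), DNS),
    ("deny",   "tcp", LAN, ANY, DNS),
    ("deny",   "udp", LAN, ANY, DNS),
    ("permit", "ip",  LAN, ANY, None),
    ("permit", "udp", ANY, host("255.255.255.255"), BOOTPS),
    ("permit", "udp", ANY, host("255.255.255.255"), BOOTPC),
]
ACL_100_NO_DHCP = ACL_100_FINAL[:7]                       # second attempt in the thread
ACL_100_FIRST_TRY = [("deny",) + e[1:] for e in ACL_100_FINAL[:4]] + ACL_100_FINAL[4:7]

def evaluate(acl, proto, src, dst, dport):
    """Return (action, line) of the first matching entry; unmatched -> implicit deny."""
    for line, (action, aproto, (sn, sw), (dn, dw), aport) in enumerate(acl, start=1):
        if aproto != "ip" and aproto != proto:
            continue
        if not (wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw)):
            continue
        if aport is not None and aport != dport:
            continue
        return action, line
    return "deny", "implicit"

# Constructed sample packets as they would arrive inbound on Fa0/1.
SAMPLE_PACKETS = [
    ("DNS to OpenDNS",  "udp", "192.168.50.10", "208.67.222.222", DNS),
    ("DNS to Google",   "udp", "192.168.50.10", "8.8.8.8", DNS),
    ("HTTPS anywhere",  "tcp", "192.168.50.10", "93.184.216.34", 443),
    ("DHCP DISCOVER",   "udp", "0.0.0.0", "255.255.255.255", BOOTPS),
]

def run_all(acl):
    """Map each sample packet label to the action the ACL takes on it."""
    return {label: evaluate(acl, proto, src, dst, dport)[0]
            for label, proto, src, dst, dport in SAMPLE_PACKETS}
```

Run `run_all` against the three ACL variants to see the progression: the first try denies even OpenDNS lookups, the second permits DNS correctly but drops the DHCP DISCOVER on the implicit deny, and the final version permits it on line 8.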
Manojtanwar (Author) commented:
Thanks, it's working.
Natty Greg (In Theory (IT)) commented:
Whenever you change the config, make sure to type wr then Enter to save the config before reload.