
Proper ACL for DNS access

Last Modified: 2020-01-30
I am working with a simple ACL, denying traffic to a subnet outside of DNS services. However, I am unable to get it to work correctly unless I use IP instead of TCP or UDP.

The DNS server is a simple BIND server.

This does not work:

ip access-list extended "Guest Vlan Access"
     10 permit udp 10.160.0.0 0.0.255.255 eq 53 10.10.4.21 0.0.0.0
     20 permit tcp 10.160.0.0 0.0.255.255 eq 53 10.10.4.21 0.0.0.0
     30 deny ip 10.160.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
     40 permit ip 10.160.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   exit

This works but opens up more than I want:

ip access-list extended "Guest Vlan Access"
     11 permit ip 10.160.0.0 0.0.255.255 10.10.4.21 0.0.0.0
     30 deny ip 10.160.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
     40 permit ip 10.160.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   exit

Ideas?

CERTIFIED EXPERT
Distinguished Expert 2018
Commented:
If 10.10.4.21 is the DNS server and 10.160.0.0/16 is the source range:

ip access-list extended "Guest Vlan Access"
     10 permit udp 10.160.0.0 0.0.255.255 host 10.10.4.21 eq 53
     20 permit tcp 10.160.0.0 0.0.255.255 host 10.10.4.21 eq 53
     30 deny ip 10.160.0.0 0.0.255.255 10.10.0.0 0.0.255.255 log
     40 permit ip 10.160.0.0 0.0.255.255 any
   exit
Raymond Norton, WAN Admin
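As an added illustration (not from the original thread), a small Python evaluator walks both ACLs against a constructed guest DNS query. It shows that `eq 53` placed right after the source address is read by IOS as a source-port match, so a normal query (ephemeral source port, destination port 53) skips lines 10 and 20 and falls through to the deny on line 30; the corrected ACL binds 53 to the destination port. The sample flows and hostnames are constructed.

```python
import ipaddress

# Constructed sample flows (not from the original post): a guest host's DNS
# query to the BIND server, and the same host reaching another internal box.
DNS_QUERY = dict(proto="udp", src="10.160.1.5", sport=40000, dst="10.10.4.21", dport=53)
INTERNAL = dict(proto="tcp", src="10.160.1.5", sport=40001, dst="10.10.9.9", dport=445)
INTERNET = dict(proto="udp", src="10.160.1.5", sport=40002, dst="203.0.113.7", dport=53)

def in_net(ip, addr, wildcard):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    i, a, w = (int(ipaddress.ip_address(x)) for x in (ip, addr, wildcard))
    return (i & ~w) == (a & ~w)

def ace_matches(ace, pkt):
    """ace = (action, proto, src, src_wc, sport, dst, dst_wc, dport); None = any."""
    action, proto, src, swc, sport, dst, dwc, dport = ace
    if proto != "ip" and proto != pkt["proto"]:
        return False
    if not in_net(pkt["src"], src, swc) or not in_net(pkt["dst"], dst, dwc):
        return False
    if sport is not None and pkt["sport"] != sport:
        return False
    if dport is not None and pkt["dport"] != dport:
        return False
    return True

def evaluate(acl, pkt):
    """First matching entry wins; implicit deny if nothing matches."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace[0]
    return "deny"

# The question's ACL: 'eq 53' follows the SOURCE address, so it is a source-port test.
ORIGINAL = [
    ("permit", "udp", "10.160.0.0", "0.0.255.255", 53, "10.10.4.21", "0.0.0.0", None),
    ("permit", "tcp", "10.160.0.0", "0.0.255.255", 53, "10.10.4.21", "0.0.0.0", None),
    ("deny", "ip", "10.160.0.0", "0.0.255.255", None, "10.10.0.0", "0.0.255.255", None),
    ("permit", "ip", "10.160.0.0", "0.0.255.255", None, "0.0.0.0", "255.255.255.255", None),
]
# The answer's ACL: 'host 10.10.4.21 eq 53' binds 53 to the DESTINATION port.
CORRECTED = [
    ("permit", "udp", "10.160.0.0", "0.0.255.255", None, "10.10.4.21", "0.0.0.0", 53),
    ("permit", "tcp", "10.160.0.0", "0.0.255.255", None, "10.10.4.21", "0.0.0.0", 53),
    ("deny", "ip", "10.160.0.0", "0.0.255.255", None, "10.10.0.0", "0.0.255.255", None),
    ("permit", "ip", "10.160.0.0", "0.0.255.255", None, "0.0.0.0", "255.255.255.255", None),
]
```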

Author

Commented:
Thank you!! Explains why I had issues on another config.