Reflexive access lists will accomplish this because a dynamic opening is
created in your inbound access allowing the dns traffic back in.  I'm
currently using this with Port Address Translation (not that PAT has
anything to do with it working or not) and it works great.

So for example, let's say you originate a UDP dns request for
www.microsoft.com with a source port of 12345 and a destination port of 53.
For the reply to come back in, the reflexive access list creates a dynamic
opening allowing traffic from your dns server's IP address and source port 53
and a destination port of 12345.

Under most circumstances you don't need to allow for other dns servers to
come back in because your local workstations will only query specified dns
servers either manually configured or configured with DHCP.  If these dns
servers do not know the location of the url you're requesting, the query is
forwarded to another dns server until the url is resolved.  The reply to the
dns query however will only be received from the dns server that was
originally queried by the workstation.

BTW you can only use the reflexive parameter with extended named access
lists.

Best regards,
Brian Morkert

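As an added example (not from Brian's post or from Cisco's code), the following Python models the dynamic entry described above for the DNS case and contrasts it with the "gt 1023" permit from the earlier reply; the addresses, the 198.51.100.7 "other server" and the 5353 source port are constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class ReflexiveAcl:
    """Temporary entries created by 'permit ip any any reflect my-packets'."""

    def __init__(self) -> None:
        self.entries: set[tuple] = set()

    def reflect(self, pkt: Packet) -> None:
        # Outbound packet: store its mirror image (addresses and ports
        # swapped), which is exactly what a legitimate reply looks like.
        self.entries.add((pkt.proto, pkt.dst_ip, pkt.dst_port,
                          pkt.src_ip, pkt.src_port))

    def evaluate(self, pkt: Packet) -> bool:
        # 'evaluate my-packets' at the end of the inbound list: permit only
        # an exact match on a reflected entry, else fall to the implicit deny.
        return (pkt.proto, pkt.src_ip, pkt.src_port,
                pkt.dst_ip, pkt.dst_port) in self.entries

def permit_udp_gt_1023(pkt: Packet) -> bool:
    # The thread's other option, 'permit udp any any gt 1023': any UDP
    # packet to a high destination port gets in, whoever sent it.
    return pkt.proto == "udp" and pkt.dst_port > 1023

def dns_scenario() -> dict[str, bool]:
    """Workstation queries its configured resolver; compare the two filters."""
    acl = ReflexiveAcl()
    # Constructed addresses: 10.1.1.20 is the workstation, 10.1.1.53 its
    # resolver; source port 12345 and destination port 53 as in the post.
    acl.reflect(Packet("udp", "10.1.1.20", 12345, "10.1.1.53", 53))
    from_resolver = Packet("udp", "10.1.1.53", 53, "10.1.1.20", 12345)
    from_other = Packet("udp", "198.51.100.7", 53, "10.1.1.20", 12345)
    wrong_sport = Packet("udp", "10.1.1.53", 5353, "10.1.1.20", 12345)
    return {
        "reflexive_reply_from_resolver": acl.evaluate(from_resolver),
        "reflexive_reply_from_other_server": acl.evaluate(from_other),
        "reflexive_resolver_wrong_source_port": acl.evaluate(wrong_sport),
        "gt1023_reply_from_other_server": permit_udp_gt_1023(from_other),
    }
```

Only the reply from the resolver that was actually queried, on the exact port pair, passes the reflexive entry, while the broad "gt 1023" rule also admits the unsolicited packet from the other server.
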
-----Original Message-----
From: Brian W. [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 02, 2000 9:05 AM
To: Brian Morkert
Cc: [EMAIL PROTECTED]; '[EMAIL PROTECTED]'
Subject: RE: DNS and access-list


If you want to allow your users to receive traffic from other dns servers,
don't you need to allow in traffic with port 53 as the source??

        Brian

On Wed, 1 Nov 2000, Brian Morkert wrote:

> You can accomplish this by allowing traffic on ports greater than 1023.
> Do this with the following statement(s).
> 
> permit tcp any any gt 1023
> permit udp any any gt 1023
> 
> Or...
> you could use reflexive access-lists.
> 
> For reflexive access-lists:
> Put the following statement in an outbound access-list and apply it to the
> interface.  "my-packets" can be any name you want.
> 
> permit ip any any reflect my-packets
> 
> Then on your inbound access-list put the following statement as the last
> statement in the list.
> 
> evaluate my-packets.
> 
> The reflexive access-list is probably a better solution for this
> application.
> 
> Best regards,
> Brian Morkert
> CCNA, MCSE
> -----Original Message-----
> From: Curtis Call [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, November 01, 2000 9:11 AM
> To: [EMAIL PROTECTED]
> Subject: Re: DNS and access-list
> 
> 
> You mentioned that you have an access-list allowing port 53 for tcp or udp
> but the question is are you filtering the response that is coming back from
> the DNS server.  Do you have access-lists filtering traffic coming from that
> direction?  It will be responding to a dynamic port number (its destination
> won't be 53, it'll be whatever your computer decides) so I don't know a way
> to include that into an access-list unless you can force your computer to
> always use a certain port when performing DNS queries (which is something
> that I don't know how to set up).
> 
> ---------- Original Message ----------------------------------
> From: "SH Wesson" <[EMAIL PROTECTED]>
> Reply-To: "SH Wesson" <[EMAIL PROTECTED]>
> Date: Wed, 01 Nov 2000 16:19:31 GMT
> 
> >I want to allow a particular server to do DNS queries such that when they
> >type www.cisco.com or something like that, it will go to the specified DNS
> >server and find the ip address.  I have an access list allowing port 53 for
> >tcp and udp and it doesn't work.  Can anyone help.  Thanks.

_________________________________
FAQ, list archives, and subscription info:
http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
