-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, 17 June 1999 17:34
Subject: Re: Permit only DNS traffic through CISCO Router

> [EMAIL PROTECTED] wrote:
>> I am trying to modify my access-list so that we allow DNS queries to traverse
>> the network but no other UDP traffic.
>>
>> This is what I have coded but it doesn't work:
>>
>> access-list 105 permit udp any any eq 53
>> access-list 105 deny udp any any
>>
>> What we are trying to do is allow our internal DNS servers to query our external
>> DNS servers if the request is not in local cache. We put a sniffer on it and
>> found that the request was going from port 53 to port 53. This is different
>> behavior than a client request.

Hi,

You're right, DNS clients and DNS servers have different behavior. Here are the different directions of communication between 2 DNS servers:

incoming service: query or response between 2 servers via UDP: source port 53 - dest port 53
outgoing service: query or response between 2 servers via UDP: source port 53 - dest port 53
incoming service: query from external server to internal server via TCP and zone transfer request from ext. secondary server: source port > 1023 - dest port 53
incoming service: answer from internal server to external server via TCP and zone transfer response to ext. secondary server: source port 53 - dest port > 1023
outgoing service: query from internal server to external server via TCP: source port > 1023 - dest port 53
outgoing service: answer from external server to internal server via TCP: source port 53 - dest port > 1023

You should allow all these connections through your Cisco router.

-----------------------------------------------------
Tarkan HOCAOGLU
internship e-mail: [EMAIL PROTECTED]
-----------------------------------------------------

- [To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
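The six server-to-server flows listed in the reply, modelled as a first-match access list with Cisco-style implicit deny, as an added example that is not part of the thread. The host addresses (192.0.2.10 as the internal DNS server, 198.51.100.20 as the external one), the list number 105 and the IOS lines in the comments are assumptions made for this example; the message itself names no hosts. A final entry denies all other UDP, which is what the original poster asked for.

```python
"""Model of the six DNS server-to-server flows from the reply as a
first-match access list with Cisco-style implicit deny (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample addresses (RFC 5737 documentation ranges); the
# message names no hosts, so these are assumptions for the example.
INTERNAL_DNS = "192.0.2.10"
EXTERNAL_DNS = "198.51.100.20"

PortTest = Callable[[int], bool]


def eq(n: int) -> PortTest:
    """IOS 'eq n' port operator."""
    return lambda p: p == n


def gt(n: int) -> PortTest:
    """IOS 'gt n' port operator."""
    return lambda p: p > n


def any_port(p: int) -> bool:
    """No port operator given: any port matches."""
    return True


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    proto: str
    src: str     # host address or "any"
    sport: PortTest
    dst: str
    dport: PortTest

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and self.src in ("any", pkt.src)
                and self.sport(pkt.sport)
                and self.dst in ("any", pkt.dst)
                and self.dport(pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# One entry per flow listed in the reply.  The comment on each entry is the
# equivalent IOS extended ACL line (assumed list number 105, as in the
# question).  On a real router the incoming and outgoing entries would be
# split into separate lists applied per interface and direction.
ACL_105 = [
    # access-list 105 permit udp host 198.51.100.20 eq 53 host 192.0.2.10 eq 53
    Rule("permit", "udp", EXTERNAL_DNS, eq(53), INTERNAL_DNS, eq(53)),
    # access-list 105 permit udp host 192.0.2.10 eq 53 host 198.51.100.20 eq 53
    Rule("permit", "udp", INTERNAL_DNS, eq(53), EXTERNAL_DNS, eq(53)),
    # access-list 105 permit tcp host 198.51.100.20 gt 1023 host 192.0.2.10 eq 53
    Rule("permit", "tcp", EXTERNAL_DNS, gt(1023), INTERNAL_DNS, eq(53)),
    # access-list 105 permit tcp host 192.0.2.10 eq 53 host 198.51.100.20 gt 1023
    Rule("permit", "tcp", INTERNAL_DNS, eq(53), EXTERNAL_DNS, gt(1023)),
    # access-list 105 permit tcp host 192.0.2.10 gt 1023 host 198.51.100.20 eq 53
    Rule("permit", "tcp", INTERNAL_DNS, gt(1023), EXTERNAL_DNS, eq(53)),
    # access-list 105 permit tcp host 198.51.100.20 eq 53 host 192.0.2.10 gt 1023
    Rule("permit", "tcp", EXTERNAL_DNS, eq(53), INTERNAL_DNS, gt(1023)),
    # access-list 105 deny udp any any   (the poster's goal: no other UDP)
    Rule("deny", "udp", "any", any_port, "any", any_port),
]

# Constructed packets: one per flow in the reply, plus two that must be denied.
SAMPLE_FLOWS: Dict[str, Packet] = {
    "udp_query_in":     Packet("udp", EXTERNAL_DNS, 53, INTERNAL_DNS, 53),
    "udp_query_out":    Packet("udp", INTERNAL_DNS, 53, EXTERNAL_DNS, 53),
    "tcp_query_in":     Packet("tcp", EXTERNAL_DNS, 2049, INTERNAL_DNS, 53),
    "tcp_answer_out":   Packet("tcp", INTERNAL_DNS, 53, EXTERNAL_DNS, 2049),
    "tcp_query_out":    Packet("tcp", INTERNAL_DNS, 40000, EXTERNAL_DNS, 53),
    "tcp_answer_in":    Packet("tcp", EXTERNAL_DNS, 53, INTERNAL_DNS, 40000),
    "udp_other":        Packet("udp", INTERNAL_DNS, 1024, EXTERNAL_DNS, 514),
    # a 53->53 UDP packet from a host that is not the listed external server
    "udp_unlisted_peer": Packet("udp", "203.0.113.5", 53, INTERNAL_DNS, 53),
}


def classify_flows() -> Dict[str, str]:
    """Return the ACL verdict for every sample flow."""
    return {name: evaluate(ACL_105, pkt) for name, pkt in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in classify_flows().items():
        print(f"{name:18} {verdict}")
```

Because every permit entry names both hosts, 53-to-53 UDP from an unlisted peer falls through to the deny entry; with `any any` in place of the host addresses, as in the poster's original line, that traffic would be permitted as well.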
