Thank you all for your help. My problem has been resolved with a slight
modification to the permit udp statement.
Jim Lemieux
"Tarkan Hocaoglu" <[EMAIL PROTECTED]> on 06/17/99 12:04:12 PM
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
cc: "stéph" <[EMAIL PROTECTED]> (bcc: Security/CT/ERNotes)
Subject: Re: Permit only DNS traffic through CISCO Router
-----Original Message-----
From : [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To : [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date : Thursday 17 June 1999 17:34
Subject : Re: Permit only DNS traffic through CISCO Router
>
>[EMAIL PROTECTED] wrote:
>>I am trying to modify my access-list so that we allow DNS queries to
>>traverse the network but no other UDP traffic.
>>
>>This is what I have coded but it doesn't work:
>>
>>access-list 105 permit udp any any eq 53
>>access-list 105 deny udp any any
>>
>>What we are trying to do is allow our internal DNS servers to query our
>>external DNS servers if the request is not in local cache. We put a sniffer
>>on it and found that the request was going from port 53 to port 53. This is
>>different behavior than a client request.
Hi,
You're right, DNS client and DNS server have different behavior.
Here are the different directions of communication between 2 DNS servers:
incoming service: query or response between 2 servers via UDP: source port 53 - dest port 53
outgoing service: query or response between 2 servers via UDP: source port 53 - dest port 53
incoming service: query from external server to internal server via TCP and zone transfer request from ext. secondary server: source port > 1023 - dest port 53
incoming service: answer from internal server to external server via TCP and zone transfer response to ext. secondary server: source port 53 - dest port > 1023
outgoing service: query from internal server to external server via TCP: source port > 1023 - dest port 53
outgoing service: answer from external server to internal server via TCP: source port 53 - dest port > 1023
You should allow all these connections through your Cisco router.
-----------------------------------------------------
Tarkan HOCAOGLU
e-mail stage : [EMAIL PROTECTED]
-----------------------------------------------------
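As an added illustration (not part of Tarkan's message or anything else in this thread), here is one way to write the six flows listed above as Cisco IOS numbered extended access lists. Everything beyond the flow list itself is an assumption: the internal DNS server is placed at 192.0.2.10 (a documentation address used as a placeholder), ACL 105 is applied inbound on the outside interface, ACL 106 (an assumed number) outbound, and the outside interface is called Serial0.

```cisco
! Added example, not from the thread. Assumed placeholders:
!   192.0.2.10 = the internal DNS server (documentation address)
!   Serial0    = the outside interface
!   ACL 105    = inbound from outside; ACL 106 = outbound (106 is assumed)
!
! ---- Inbound on the outside interface ----
! UDP server-to-server query/response: source port 53 -> dest port 53
access-list 105 permit udp any eq 53 host 192.0.2.10 eq 53
! TCP query or zone-transfer request from an external server: src > 1023 -> dst 53
access-list 105 permit tcp any gt 1023 host 192.0.2.10 eq 53
! TCP answer from an external server to our query: src 53 -> dst > 1023
access-list 105 permit tcp any eq 53 host 192.0.2.10 gt 1023
! All other traffic, including every other UDP datagram, hits the implicit deny
!
! ---- Outbound on the outside interface ----
! UDP server-to-server query/response leaving the internal server
access-list 106 permit udp host 192.0.2.10 eq 53 any eq 53
! TCP query from the internal server to an external server
access-list 106 permit tcp host 192.0.2.10 gt 1023 any eq 53
! TCP answer / zone-transfer response from the internal server to an external one
access-list 106 permit tcp host 192.0.2.10 eq 53 any gt 1023
!
interface Serial0
 ip access-group 105 in
 ip access-group 106 out
```

Two points worth noting for anyone adapting this. First, the original `permit udp any any eq 53` matches only on the destination port, so it permits any UDP datagram addressed to port 53 from any source port and any host; matching both the source port and the destination host, as above, confines the rule to the server-to-server pattern the sniffer showed. Second, the explicit `deny udp any any` from the original list is redundant with the implicit deny at the end of every IOS ACL, but keeping it (with `log` appended) gives you a counter and syslog entries for the UDP that is being dropped, and `show access-lists` shows per-line hit counts, which is the quickest way to see which of the six flows a given ACL line is or is not catching.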
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]