ACL to allow DNS

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#allowdns

That page shows how to allow DNS through an extended ACL. The second and fourth lines confuse me.. it declares DNS before a destination, why?

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

david_r

Source port of 53. CCNA books gloss over the source port option.

From the top of the page.

access-list access-list-number [dynamic dynamic-name [timeout minutes]]
  {deny | permit} protocol source source-wildcard destination destination-wildcard
  [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name][fragments]

It looks to me like that ACL would allow DNS servers on either network to communicate.

Danman32

You want the DNS server to be able to reply, don't you?
I suppose they could have used the Established clause for the TCP though. However, UDP is connectionless, so an access-list entry for the response from the server using UDP is needed, as there is no way to associate the response with the outgoing query from the router's point of view.