ACL to allow DNS

mzinz Member Posts: 328
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_configuration_example09186a0080100548.shtml#allowdns

That page shows how to allow DNS through an extended ACL. The second and fourth lines confuse me: they declare DNS before a destination. Why?
_______LAB________
2x 2950
2x 3550
2x 2650XM
2x 3640
1x 2801

Comments

  • david_r Member Posts: 112
    Source port of 53. CCNA books gloss over the source port option.

    From the top of the page:
    access-list access-list-number [dynamic dynamic-name [timeout minutes]]
      {deny | permit} protocol source source-wildcard destination destination-wildcard
      [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

    It looks to me like that ACL would allow DNS servers on either network to communicate.
  • Danman32 Member Posts: 1,243
    You want the DNS server to be able to reply, don't you?
    I suppose they could have used the Established clause for the TCP though. However, UDP is connectionless, so an access-list entry for the response from the server using UDP is needed, as there is no way to associate the response with the outgoing query from the router's point of view.
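A small model of the point made in the two replies, added here as an example; it is my own code, not Cisco's configuration and not anything the posters wrote. The ACL entries, port numbers and packets are constructed to mirror the shape of the Cisco example (one entry with port 53 in the source position, one with it in the destination position, per protocol) and the evaluator applies IOS-style first-match with an implicit deny at the end. It shows that without the source-port-53 entry the server's UDP reply is dropped, that the `established` keyword (modelled here purely as "ACK bit set", which is all IOS checks) rescues the TCP reply, and that UDP, having no flags, still needs its own reply entry.

```python
"""Toy extended-ACL evaluator: why a DNS ACL needs 'eq 53' in the SOURCE
position as well as the destination position, and what 'established'
does and does not cover.  Constructed example, not Cisco IOS code."""
from dataclasses import dataclass
from typing import List, Optional

DNS = 53  # 'domain' in IOS port-name syntax


@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "tcp"
    sport: int
    dport: int
    ack: bool = False     # TCP ACK bit; always False for UDP (no flags)


@dataclass(frozen=True)
class Entry:
    """One access-list line. None in sport/dport means 'any' (no eq clause)."""
    action: str                     # "permit" or "deny"
    proto: str
    sport: Optional[int] = None     # 'eq N' written right after the SOURCE
    dport: Optional[int] = None     # 'eq N' written after the DESTINATION
    established: bool = False       # IOS 'established': TCP with ACK (or RST) set

    def matches(self, p: Packet) -> bool:
        if self.proto != p.proto:
            return False
        if self.sport is not None and p.sport != self.sport:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.established and not p.ack:   # only the flag is inspected, no state
            return False
        return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """First matching entry wins; implicit 'deny' at the end, as on IOS."""
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


# Constructed ACLs (the model checks one ACL against both directions of the exchange).
# Only the client -> server direction: port 53 appears after the destination.
QUERY_ONLY = [
    Entry("permit", "udp", dport=DNS),
    Entry("permit", "tcp", dport=DNS),
]
# Adds the server -> client direction: port 53 BEFORE the destination, i.e. the
# source port, which is the pair of lines the thread asks about.
BOTH_WAYS = [
    Entry("permit", "udp", sport=DNS),
    Entry("permit", "udp", dport=DNS),
    Entry("permit", "tcp", sport=DNS),
    Entry("permit", "tcp", dport=DNS),
]
# Danman32's alternative: 'established' for the TCP reply, but UDP still needs
# its own source-port entry because a datagram carries no ACK bit.
ESTABLISHED = [
    Entry("permit", "tcp", established=True),
    Entry("permit", "tcp", dport=DNS),
    Entry("permit", "udp", sport=DNS),
    Entry("permit", "udp", dport=DNS),
]


def dns_exchange(proto: str, ack_on_reply: bool = False):
    """Constructed query/reply pair: client uses an ephemeral port, server answers from 53."""
    query = Packet(proto, sport=40000, dport=DNS)
    reply = Packet(proto, sport=DNS, dport=40000, ack=ack_on_reply)
    return query, reply


def summarize() -> dict:
    """Verdict for each ACL on the UDP reply and on the TCP reply (ACK set)."""
    _, udp_reply = dns_exchange("udp")
    _, tcp_reply = dns_exchange("tcp", ack_on_reply=True)
    return {
        name: (evaluate(acl, udp_reply), evaluate(acl, tcp_reply))
        for name, acl in (("query_only", QUERY_ONLY),
                          ("both_ways", BOTH_WAYS),
                          ("established", ESTABLISHED))
    }


if __name__ == "__main__":
    for name, (udp_v, tcp_v) in summarize().items():
        print(f"{name:12s} udp reply: {udp_v:6s} tcp reply: {tcp_v}")
```

Two caveats worth keeping in mind when reading the verdicts: `established` matches any TCP segment with the ACK bit set, so it is a flag check rather than real connection tracking, and a source-port-53 permit lets in anything that chooses 53 as its source port; both are the reasons a stateful inspection feature is preferred where one is available.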