ACL question

steveo1985

If i create a extended ACL to block DNS what do i use?

access-list 110 deny tcp any host 172.16.30.5 eq 53

or

access-list 110 deny udp any host 172.16.30.5 eq 53

or

is there a different command as DNS falls into both TCP and UDP? would you put the list twice, once for each TCP and UDP or would you do this?

access-list 110 deny tcp udp any host 172.16.30.5 eq 53

Find more posts tagged with

SAVE $250 on Your Boot Camp — Use Code "EXAM26"

Exclusively for TechExams members for Infosec Boot Camps starting before April 30, 2026

View Boot Camps

Comments

mikearama

You're not wrong... two statements are required.

Here's a page I'd bookmarked a while back... CTRL-F down to the DNS section, and you'll see that both commands are required.

http://www.cisco.com/warp/public/707/tacl.html

Specifically...

!--- Deny all other DNS traffic.

access-list 110 deny udp any any eq 53
access-list 110 deny tcp any any eq 53

Mike

steveo1985

thanks

dtlokee

steveo1985 wrote:

If i create a extended ACL to block DNS what do i use?

access-list 110 deny tcp any host 172.16.30.5 eq 53

or

access-list 110 deny udp any host 172.16.30.5 eq 53

or

is there a different command as DNS falls into both TCP and UDP? would you put the list twice, once for each TCP and UDP or would you do this?

access-list 110 deny tcp udp any host 172.16.30.5 eq 53

Depends on what part of DNS you're trying to block. Queries are UDP and zone transfers are TCP. If you wanted to block both you would need two entries in the ACL