ACL question
steveo1985
Member Posts: 60 ■■□□□□□□□□
in CCNA & CCENT
If I create an extended ACL to block DNS, what do I use?
access-list 110 deny tcp any host 172.16.30.5 eq 53
or
access-list 110 deny udp any host 172.16.30.5 eq 53
or
Is there a different command, as DNS falls into both TCP and UDP? Would you put the list twice, once each for TCP and UDP, or would you do this?
access-list 110 deny tcp udp any host 172.16.30.5 eq 53
Comments
mikearama Member Posts: 749
You're not wrong... two statements are required.
Here's a page I'd bookmarked a while back... CTRL-F down to the DNS section, and you'll see that both commands are required.
http://www.cisco.com/warp/public/707/tacl.html
Specifically...
!--- Deny all other DNS traffic.
access-list 110 deny udp any any eq 53
access-list 110 deny tcp any any eq 53
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.
CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110
Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
dtlokee Member Posts: 2,378 ■■■■□□□□□□
steveo1985 wrote:
If I create an extended ACL to block DNS, what do I use?
access-list 110 deny tcp any host 172.16.30.5 eq 53
or
access-list 110 deny udp any host 172.16.30.5 eq 53
or
Is there a different command, as DNS falls into both TCP and UDP? Would you put the list twice, once each for TCP and UDP, or would you do this?
access-list 110 deny tcp udp any host 172.16.30.5 eq 53
Depends on what part of DNS you're trying to block. Queries are UDP and zone transfers are TCP. If you wanted to block both you would need two entries in the ACL.
The only easy day was yesterday!
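Putting the two answers together, here is a complete IOS configuration as an added example (it is not from any post in this thread). It uses the DNS server address 172.16.30.5 from the question; the interface name GigabitEthernet0/0 and the inbound direction are assumptions. Two things the thread does not spell out: every IOS ACL ends with an implicit deny of everything, so a list with only the two deny lines would also drop all other traffic unless an explicit permit follows them, and the ACL has to be applied to an interface in a direction before it filters anything.

```cisco
! Added example, not from the thread. Assumes DNS server 172.16.30.5 (from the
! question) and a hypothetical inbound interface GigabitEthernet0/0.
!
! DNS queries use UDP/53; zone transfers (and answers too large for one UDP
! message) use TCP/53. IOS has no "tcp udp" keyword, so two entries are needed.
! "log" records each match so blocked attempts show up in the device log.
access-list 110 deny   udp any host 172.16.30.5 eq 53 log
access-list 110 deny   tcp any host 172.16.30.5 eq 53 log
!
! Every ACL ends with an implicit "deny ip any any". Without this permit,
! all other traffic entering the interface would be dropped as well.
access-list 110 permit ip any any
!
! "eq 53" above is the destination port, so these entries match client-to-
! server packets; apply the list inbound on the interface those packets enter.
interface GigabitEthernet0/0
 ip access-group 110 in
!
! Verify: per-entry match counters increment on each hit.
! show access-lists 110
```

Because TCP/53 also carries ordinary queries whose responses exceed the UDP size limit, the TCP entry blocks more than zone transfers; check the hit counters on the TCP line before assuming only transfers were affected.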