I have a Cisco (877) router acting as the main gateway for a network; it has a DSL connection and performs NAT from the internal network to its external, public IP address.
The router allows SSH access for management, and this has been limited using an access list:
access-list 1 permit <internal network range>
line vty 0 4
transport input ssh
access-class 1 in
The router's internal web server isn't enabled, but if it was, I know its access could be limited using the same logic:
ip http access-class 1
Now, the gotcha: this router also acts as a DNS server, forwarding queries to external servers:
ip name-server <ISP DNS 1>
ip name-server <ISP DNS 2>
ip dns server
My problem is: the router is perfectly happy to answer DNS queries when receiving them on its external interface.
How can I block this kind of traffic so that the router only answers DNS queries from the internal network?
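The interface-level counterpart of the access-class approach described in the question, as an added example rather than the accepted answer: an extended ACL applied inbound on the external interface drops DNS queries from the Internet before the router's forwarder sees them. The interface name Dialer0 and the ACL name OUTSIDE-IN are assumptions (the 877's WAN interface may be named differently), and the placeholders from the question are kept as placeholders.

```cisco
! Existing management restriction (from the question): only internal hosts
! may reach the vty lines. <internal network range> stays a placeholder.
access-list 1 permit <internal network range>
line vty 0 4
 transport input ssh
 access-class 1 in
!
! Added (assumed names): an extended ACL applied inbound on the external
! interface. The DNS forwarder listens on the public address, so queries
! arriving from the Internet are dropped here and never reach it.
ip access-list extended OUTSIDE-IN
 remark drop unsolicited DNS queries from the Internet (UDP and TCP 53)
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 remark replies from the ISP resolvers carry SOURCE port 53, not
 remark DESTINATION port 53, so they do not match the deny lines above
 permit ip any any
!
interface Dialer0
 ip access-group OUTSIDE-IN in
```

`show ip access-lists OUTSIDE-IN` shows per-line hit counters, so a query sent to the public address from outside should increment the deny lines while internal queries are unaffected. The closing `permit ip any any` is required because an ACL ends in an implicit deny that would otherwise drop the return traffic the NAT translations depend on.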
Best Answer