Cisco Router – How to Block External Access to the DNS Service Running on a Cisco Router?

Tags: access-control-list, cisco, domain-name-system, router

I have a Cisco (877) router acting as the main gateway for a network; it has a DSL connection and performs NAT from the internal network to its external, public IP address.

The router allows SSH access for management, and this has been limited using an access list:

access-list 1 permit <internal network range>

line vty 0 4
    transport input ssh
    access-class 1 in

The router's internal web server isn't enabled, but if it were, I know its access could be limited using the same logic:

ip http access-class 1

Now, the gotcha: this router also acts as a DNS server, forwarding queries to external servers:

ip name-server <ISP DNS 1>
ip name-server <ISP DNS 2>
ip dns server

My problem is: the router is perfectly happy to answer DNS queries when receiving them on its external interface.

How can I block this kind of traffic so that the router only answers DNS queries from the internal network?

Best Answer

! Deny DNS from Public
ip access-list extended ACL-IN_FROM-WAN
 remark allow OpenDNS lookups
 permit udp 208.67.222.222 0.0.0.0 any eq domain
 permit tcp 208.67.220.220 0.0.0.0 any eq domain
 remark deny all others and log the attempts
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 permit ip any any

! Apply inbound on the WAN interface (the name must match the ACL defined above)
interface <WAN interface>
 ip access-group ACL-IN_FROM-WAN in
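To see why the ACL above stops outside queries without breaking the router's own forwarded lookups, here is an added example (not part of the answer, and not Cisco's code) that evaluates the answer's ACL entries, top to bottom with first match wins and an implicit final deny, against a handful of constructed packets. The router's public address (192.0.2.1), the outside host (203.0.113.10) and the ISP resolver (198.51.100.53) are made-up documentation addresses; the OpenDNS addresses and the ACL entries are copied from the answer. Only the `any`, `host`, wildcard-mask and `eq` forms used in that ACL are parsed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed copy of the extended ACL from the answer (same entries, same order).
# IOS evaluates entries top to bottom, first match wins, then an implicit deny.
ACL_TEXT = """
permit udp 208.67.222.222 0.0.0.0 any eq domain
permit tcp 208.67.220.220 0.0.0.0 any eq domain
deny   udp any any eq domain log
deny   tcp any any eq domain log
permit ip any any
"""

NAMED_PORTS = {"domain": 53}  # the only named port this toy parser needs


@dataclass
class Entry:
    action: str
    proto: str
    src: Optional[ipaddress.IPv4Network]  # None means "any"
    sport: Optional[int]                  # None means any port
    dst: Optional[ipaddress.IPv4Network]
    dport: Optional[int]
    log: bool
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _take_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, rest)."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is an inverted netmask: 0.0.0.0 means "this exact host".
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]


def _take_port(tokens):
    """Consume an optional 'eq PORT' qualifier; return (port or None, rest)."""
    if tokens and tokens[0] == "eq":
        return NAMED_PORTS.get(tokens[1]) or int(tokens[1]), tokens[2:]
    return None, tokens


def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        action, proto, *rest = line.split()
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)
        entries.append(Entry(action, proto, src, sport, dst, dport, "log" in rest, line.strip()))
    return entries


def _matches(e, p):
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if e.src is not None and ipaddress.ip_address(p.src) not in e.src:
        return False
    if e.dst is not None and ipaddress.ip_address(p.dst) not in e.dst:
        return False
    return (e.sport is None or e.sport == p.sport) and (e.dport is None or e.dport == p.dport)


def evaluate(entries, packet):
    """Return (action, logged, matching entry text); implicit deny when nothing matches."""
    for e in entries:
        if _matches(e, packet):
            return e.action, e.log, e.text
    return "deny", False, "implicit deny ip any any"


ROUTER_WAN_IP = "192.0.2.1"  # constructed stand-in for the router's public address

SAMPLE_PACKETS = {  # all constructed
    # An outside host querying the router's DNS service directly: denied and logged.
    "external_udp_query": Packet("udp", "203.0.113.10", 40001, ROUTER_WAN_IP, 53),
    "external_tcp_query": Packet("tcp", "203.0.113.10", 40002, ROUTER_WAN_IP, 53),
    # The ISP resolver answering a query the router forwarded: source port 53 to the
    # router's ephemeral port, so no "eq domain" entry matches and the final permit passes it.
    "isp_reply": Packet("udp", "198.51.100.53", 53, ROUTER_WAN_IP, 51234),
    # The answer's OpenDNS entries let that resolver reach port 53 on the router.
    "opendns_to_port_53": Packet("udp", "208.67.222.222", 40003, ROUTER_WAN_IP, 53),
}


def verdicts():
    acl = parse_acl(ACL_TEXT)
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (action, logged, text) in verdicts().items():
        print(f"{name:20s} -> {action}{' (logged)' if logged else ''}  [{text}]")
```

The point the verdicts make visible is that the deny entries match on destination port 53, which is what an inbound query to the router looks like, while the replies to the router's own forwarded queries carry port 53 as the source and fall through to `permit ip any any`. The two OpenDNS permits, as written, admit queries from those resolvers to the router rather than their replies; they are harmless but not what keeps forwarding working.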