How to block DNS request from inside host with ASA 5505

Tags: cisco-asa, domain-name-system

This seemed simple enough but I have to be missing something. I have the following config to block all DNS requests from the inside that are not going to the allowed external DNS servers.

access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended deny udp any any eq domain
access-list INSIDE-ACCESS-OUT extended deny tcp any any eq domain
access-list INSIDE-ACCESS-OUT extended permit ip any any

access-group INSIDE-ACCESS-OUT out interface inside

DNS can still get out to any server and packet tracer doesn't show the ACL being hit.

Best Answer

Your ACL is applied backwards. You're applying it to packets going out the inside interface (From the internet to your internal hosts). This should fix it:

no access-group INSIDE-ACCESS-OUT out interface inside
access-group INSIDE-ACCESS-OUT in interface inside
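To see why the original binding never matched, here is a small first-match evaluator for the exact ACL from the question. It is an added example, not code from the original post or from Cisco; the resolver addresses behind `open-dns1`/`open-dns2` and the inside host address are constructed placeholders (the page does not give them), and it models only the ASA rules the thread touches: first match wins, an implicit deny at the end, and an interface ACL only seeing traffic in the direction it is bound.

```python
"""Toy evaluator for the INSIDE-ACCESS-OUT ACL from the question (added example)."""

# Constructed placeholder addresses; the real object definitions are not on the page.
OBJECTS = {"open-dns1": "203.0.113.53", "open-dns2": "203.0.113.54"}
INSIDE_HOST = "192.168.1.10"  # constructed inside client
PORTS = {"domain": 53}

ACL_TEXT = """\
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit udp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns1 eq domain
access-list INSIDE-ACCESS-OUT extended permit tcp any object open-dns2 eq domain
access-list INSIDE-ACCESS-OUT extended deny udp any any eq domain
access-list INSIDE-ACCESS-OUT extended deny tcp any any eq domain
access-list INSIDE-ACCESS-OUT extended permit ip any any
"""

def _addr(tokens, i):
    """Parse one address term: 'any', 'host A.B.C.D' or 'object NAME'."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    if tokens[i] == "object":
        return OBJECTS[tokens[i + 1]], i + 2
    raise ValueError(f"unsupported address term: {tokens[i]}")

def parse_acl(text):
    """Return (action, proto, src, dst, dport) tuples in configured order."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        dport = PORTS[t[i + 1]] if i < len(t) and t[i] == "eq" else None
        rules.append((t[3], t[4], src, dst, dport))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """First matching ACE decides; the ASA's implicit deny covers the rest."""
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto not in ("ip", proto) or rsrc not in ("any", src):
            continue
        if rdst not in ("any", dst) or (rport is not None and rport != dport):
            continue
        return action
    return "deny"

def inside_host_dns(rules, direction, dst, proto="udp"):
    """DNS from the inside host enters the ASA *inbound* on 'inside'. An ACL bound
    'out' on inside only sees packets leaving toward inside hosts, so it is skipped."""
    if direction == "out":
        return "permit (ACL not consulted)"
    return evaluate(rules, proto, INSIDE_HOST, dst, 53)
```

The "out" case reproduces what packet-tracer showed in the question (no ACE hit); rebinding with `in` makes the deny ACEs take effect for any resolver other than the two objects.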