Blocking DNS access on PIX 501

dayron

IS-IT--Management
Jun 3, 2002
22
US
Hello. I am fairly new to PIX and these may seem like silly questions.

1) I would like to block DNS resolution traffic from all clients except my internal DNS servers, which forward outside requests. How do I do this?

2) Also is there a way to block internal DNS traffic to another internal host?

Example: I want to block every 192.168.11.x address from using 192.168.11.60's DNS.
 
Well, for no. 1, the function you are looking for is access-lists. An example for only allowing your internal DNS access to other DNS servers is:

access-list acl_inside permit udp host 192.168.11.60 any eq 53
access-list acl_inside permit tcp host 192.168.11.60 any eq 53
access-list acl_inside deny udp any any eq 53
access-list acl_inside deny tcp any any eq 53

access-list acl_inside permit ip any any

Apply to interface:

access-group acl_inside in interface inside

As for no. 2: No, not in the PIX; this would be some DNS issue that you set up on your DNS server.

Jan

Network Systems Engineer
CCNA/CQS/CCSP
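A way to check that the access-list above does what the answer says before applying it to a live interface, as an added example that is not part of this thread or of Cisco's tooling: a small first-match evaluator in Python that parses the five ACL lines verbatim and answers "permit or deny, and which entry matched" for a given flow. It also models the implicit deny at the end of every PIX access-list, and the point behind the answer to no. 2: a flow between two hosts on the same inside segment never crosses the inside interface, so acl_inside never sees it. The inside subnet 192.168.11.0/24 and the outside test addresses (198.51.100.x) are constructed assumptions.

```python
import ipaddress

# Constructed input: the five ACL lines from the answer above, verbatim.
ACL_TEXT = """\
access-list acl_inside permit udp host 192.168.11.60 any eq 53
access-list acl_inside permit tcp host 192.168.11.60 any eq 53
access-list acl_inside deny udp any any eq 53
access-list acl_inside deny tcp any any eq 53
access-list acl_inside permit ip any any
"""

# Small subset of the service names PIX accepts in place of a port number.
PORT_NAMES = {"domain": 53, "www": 80, "https": 443}

ANY = ipaddress.ip_network("0.0.0.0/0")


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D MASK' (PIX 6.x mask form)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_ace(line):
    """Parse one 'access-list NAME ACTION PROTO SRC DST [eq PORT]' line into a dict."""
    tokens = line.split()
    if tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list entry: {line!r}")
    name, action, proto = tokens[1], tokens[2], tokens[3]
    src, rest = _parse_addr(tokens[4:])
    dst, rest = _parse_addr(rest)
    dport = None
    if rest[:1] == ["eq"]:
        dport = int(PORT_NAMES.get(rest[1], rest[1]))
    return {"name": name, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": dport}


def parse_acl(text):
    """Parse every non-blank line of an access-list, preserving order (order is the policy)."""
    return [parse_ace(line) for line in text.splitlines() if line.strip()]


def evaluate(acl, proto, src, dst, dport):
    """First-match evaluation: returns (action, index of the matching entry).

    Index None means no entry matched and the implicit deny at the end of
    every PIX access-list fired.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, ace in enumerate(acl):
        if ace["proto"] not in ("ip", proto):
            continue
        if src_ip not in ace["src"] or dst_ip not in ace["dst"]:
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"], i
    return "deny", None


def crosses_inside_interface(src, dst, inside_net="192.168.11.0/24"):
    """acl_inside only applies to traffic entering the PIX on the inside interface.

    Host-to-host traffic within the inside segment (assumed 192.168.11.0/24)
    is switched locally and never reaches the firewall, which is why the
    answer to no. 2 is "not in the PIX".
    """
    net = ipaddress.ip_network(inside_net)
    return not (ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) in net)


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    for flow in [("udp", "192.168.11.60", "198.51.100.53", 53),   # internal DNS server forwarding out
                 ("udp", "192.168.11.25", "198.51.100.53", 53),   # ordinary client resolving directly
                 ("tcp", "192.168.11.25", "198.51.100.10", 80)]:  # ordinary client, non-DNS traffic
        print(flow, "->", evaluate(acl, *flow))
    print("client -> 192.168.11.60:53 crosses the PIX?",
          crosses_inside_interface("192.168.11.25", "192.168.11.60"))
```

Running it shows the server's queries matching entry 0, a client's direct query hitting the deny at entry 2, and the client's web traffic falling through to the final permit at entry 4; the last line prints False, confirming that a same-subnet DNS query is not something the inside ACL can touch. The evaluator is deliberately limited to the syntax the answer uses (host/any/mask addresses and a single `eq` destination port); object-groups, port ranges and ICMP types are not modelled.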
 
Thanks for the info. I will give it a try!
 