Deny DNS except for internal DNS servers


doior (IS-IT--Management), Aug 8, 2000
Any suggestions on how to deny dns for internal hosts? Would like to enforce that all hosts on the inside use the internal dns servers and do not bypass by statically using external dns servers.

Tried this but it did not work. Could not surf.

.12 & .14 are the internal dns servers

access-list acl-outbound permit tcp any host 192.x.x.12 eq domain
access-list acl-outbound permit udp any host 192.x.x.12 eq domain
access-list acl-outbound permit tcp any host 192.x.x.14 eq domain
access-list acl-outbound permit udp any host 192.x.x.14 eq domain
access-list acl-outbound deny udp any any eq domain
access-list acl-outbound deny tcp any any eq domain
access-list acl-outbound permit ip any any
You need to allow your DNS servers to contact other DNS servers on the web to forward requests for domains for which they're not authoritative. Your ACL doesn't allow that: it allows any host to contact the DNS servers, and then blocks any internal host from contacting any external DNS servers (including your internal DNS servers).

In other words, rather than

access-list acl-outbound permit tcp any host 192.x.x.12 eq domain

you should have (eg)

access-list acl-outbound permit tcp host 192.x.x.12 any eq domain

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
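As an added illustration (not part of the thread, and not the poster's or the responder's own material), the following Python script models the PIX first-match rule evaluation over the original access-list and the corrected one from the reply above. It shows why the first version broke surfing: the resolvers' own forwarded queries hit the `deny udp any any eq domain` line, whereas the corrected list permits them while still blocking a client that is statically pointed at an outside resolver. The addresses are constructed: 192.0.2.12 and 192.0.2.14 stand in for the masked 192.x.x.12 and .14, 192.0.2.77 is a workstation, and 198.51.100.53 is an assumed upstream resolver.

```python
"""First-match simulation of the thread's PIX access-list, before and after the fix."""
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the thread's masked 192.x.x.12 / 192.x.x.14 (assumption).
ORIGINAL_ACL = """
access-list acl-outbound permit tcp any host 192.0.2.12 eq domain
access-list acl-outbound permit udp any host 192.0.2.12 eq domain
access-list acl-outbound permit tcp any host 192.0.2.14 eq domain
access-list acl-outbound permit udp any host 192.0.2.14 eq domain
access-list acl-outbound deny udp any any eq domain
access-list acl-outbound deny tcp any any eq domain
access-list acl-outbound permit ip any any
"""

# Source and destination swapped on the permit lines, as the reply suggests.
FIXED_ACL = """
access-list acl-outbound permit tcp host 192.0.2.12 any eq domain
access-list acl-outbound permit udp host 192.0.2.12 any eq domain
access-list acl-outbound permit tcp host 192.0.2.14 any eq domain
access-list acl-outbound permit udp host 192.0.2.14 any eq domain
access-list acl-outbound deny udp any any eq domain
access-list acl-outbound deny tcp any any eq domain
access-list acl-outbound permit ip any any
"""

PORT_NAMES = {"domain": 53, "www": 80, "https": 443}


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str              # "any" or a single host address
    dst: str
    dport: Optional[int]  # None = any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def _take_addr(tokens):
    """Consume 'any' or 'host A.B.C.D' from the front of the token list."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address form: {tokens[:2]}")


def parse_acl(text):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]' lines, in order."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue  # skip blank lines and anything that is not an ACE
        _, _name, action, proto, *rest = tokens
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        dport = None
        if rest[:1] == ["eq"]:
            dport = PORT_NAMES.get(rest[1]) or int(rest[1])
        rules.append(Rule(action, proto, src, dst, dport))
    return rules


def matches(rule, flow):
    return ((rule.proto == "ip" or rule.proto == flow.proto)
            and rule.src in ("any", flow.src)
            and rule.dst in ("any", flow.dst)
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(rules, flow):
    """Action of the first matching entry; the PIX denies implicitly if none match."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


# Constructed flows; all of them cross the inside interface outbound.
FLOWS = {
    "resolver forwards to upstream":     Flow("udp", "192.0.2.12", "198.51.100.53", 53),
    "resolver forwards over tcp":        Flow("tcp", "192.0.2.14", "198.51.100.53", 53),
    "client bypasses to external dns":   Flow("udp", "192.0.2.77", "198.51.100.53", 53),
    "client browses the web":            Flow("tcp", "192.0.2.77", "203.0.113.10", 443),
}


def compare(original=ORIGINAL_ACL, fixed=FIXED_ACL):
    """Map each flow name to (verdict under the original ACL, verdict under the fixed ACL)."""
    before, after = parse_acl(original), parse_acl(fixed)
    return {name: (evaluate(before, f), evaluate(after, f)) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:34} original={before:7} fixed={after}")
```

Two caveats worth keeping in mind when deploying an ACL like this: it only constrains port 53, so a host configured for DNS over TLS (853) or DNS over HTTPS (443) still slips past the `deny` lines, and the two `deny ... eq domain` entries are the natural place to turn on logging so that hosts someone has statically pointed at an outside resolver show up in the firewall log instead of failing silently.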
This worked. Thank you!