Minimum Cisco Access Control List for DNS Servers
WARNING: These ACLs block RFC MUST and SHOULD required packets.
However, the blocked RFC required packets are normally only used for diagnostic and informational purposes, and do not affect DNS application performance.
Recursive (Caching, Resolving) Single Interface DNS server
This is the most likely configuration used by single DNS systems answering queries from both internal and external clients.
See the footnote on ephemeral ports*, or use Stateful Packet Inspection instead of the ephemeral port-range entries below.

This is the Access Control List for packets TO the DNS server.

!--- Deny your address space from an outside source (RFC2827)
!--- Note: Multi-homed networks should check asymmetric routing
!--- in the event of internal network partitions
access-list 110 deny ip host <DNS Server> any
!--- Deny special-use address sources (RFC3330)
access-list 110 deny ip 0.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
!--- Deny link-local address sources (RFC3927)
access-list 110 deny ip 169.254.0.0 0.0.255.255 any
!--- Deny fragments from ICMP datagrams. ICMP error datagrams
!--- are normally 576 bytes or less and are not fragmented
!--- on the modern Internet.
!--- Note: According to RFC1122 and RFC1812, ICMP datagrams may
!--- be 65535 bytes long and fragmented into packets as small
!--- as 68 bytes.
!--- Note: ICMP Echo datagrams may be large and fragmented for
!--- network troubleshooting, but large Echo datagrams are not
!--- required for normal DNS application performance.
access-list 110 deny icmp any any fragments
!--- Allow ICMP PMTU messages from indeterminate routers
!--- which may use any registered or private unicast addresses
access-list 110 permit icmp any host <DNS Server> packet-too-big
!--- Deny private address sources from external networks (RFC1918)
!--- Note: If private addresses are used for internal networks,
!--- these entries must be adjusted appropriately
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!--- Allow specific ICMP types to DNS server
access-list 110 permit icmp any host <DNS Server> echo
access-list 110 permit icmp any host <DNS Server> port-unreachable
!--- Allow TCP and UDP fragments to the DNS Server even though
!--- they do not include tcp/udp port information because
!--- DNS datagrams may be fragmented.
!--- Note: The Server may respond with ICMP reassembly-timeout if
!--- the initial fragment containing the port information is
!--- dropped or blocked by an ACL
access-list 110 permit udp any host <DNS Server> fragments
access-list 110 permit tcp any host <DNS Server> fragments
!--- Allow DNS queries to DNS server
access-list 110 permit udp any host <DNS Server> eq domain
access-list 110 permit tcp any host <DNS Server> eq domain
!--- Allow DNS replies to DNS server
!--- with server using ephemeral port range within 32768-65535
!--- Note: Using port 53 for other protocols is possible
!--- Note: Server will respond with TCP RST or ICMP port-unreachable
!--- for closed ports in the permitted port range
access-list 110 permit udp any eq domain host <DNS Server> gt 32767
access-list 110 permit tcp any eq domain host <DNS Server> gt 32767 established
!--- Explicitly deny everything else
access-list 110 deny ip any any

This is the Access Control List for packets FROM the DNS server.

!--- Deny fragments from ICMP datagrams. ICMP error datagrams
!--- are normally 576 bytes or less and are not fragmented
!--- on the modern Internet.
!--- Note: Echo-reply datagrams may be large and fragmented for
!--- network troubleshooting, but large Echo-reply datagrams are
!--- not required for normal DNS application performance.
access-list 111 deny icmp any any fragments
!--- Allow ICMP PMTU messages only from routers which should use
!--- a registered or NATed address as the source
!--- Note: If your network uses a single MTU, only the
!--- first router will send an ICMP packet-too-big message.
access-list 111 permit icmp host <Router> any packet-too-big
!--- Allow specific ICMP types from DNS server
access-list 111 permit icmp host <DNS Server> any echo-reply
access-list 111 permit icmp host <DNS Server> any port-unreachable
!--- Allow TCP and UDP fragments from the DNS Server even though
!--- they do not include tcp/udp port information because
!--- DNS datagrams may be fragmented.
!--- Note: The remote system may send an ICMP reassembly-timeout
!--- if the initial fragment containing the port information is
!--- dropped or blocked by an ACL
access-list 111 permit udp host <DNS Server> any fragments
access-list 111 permit tcp host <DNS Server> any fragments
!--- Allow DNS replies from DNS server
access-list 111 permit udp host <DNS Server> eq domain any
access-list 111 permit tcp host <DNS Server> eq domain any
!--- Allow DNS queries from DNS server
!--- with server using ephemeral port range within 32768-65535
!--- Note: Using port 53 for other protocols is possible
!--- Note: Server will respond with TCP RST or ICMP port-unreachable
!--- for closed ports in the permitted port range
access-list 111 permit udp host <DNS Server> gt 32767 any eq domain
access-list 111 permit tcp host <DNS Server> gt 32767 any eq domain
!--- Explicitly deny everything else
!--- Note: Because we only allowed explicit sources, this prevents
!--- spoofing from internal networks (RFC2827)
access-list 111 deny ip any any

*Ephemeral ports: The default range on older systems was 1024-5000. It is suggested to change the ephemeral port range on the system to a high range, e.g. 32768-65535, avoiding ports used by other applications running on the same server. Review your DNS software and operating system documentation for instructions on how to change port ranges. DNS software that uses a pool of source ports increases the difficulty of blind DNS reply attacks.
Stateful Packet Inspection and system stacks must match packets across icmp and udp or tcp protocols to mitigate blind attacks.
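As an added example, not part of the original page: a small Python model of the first-match evaluation a router applies to ACL 110 above, run against constructed packets addressed to the server. It assumes 203.0.113.53 as the stand-in for <DNS Server>, handles only the subset of extended-ACL syntax the two lists use (host/any/wildcard addresses, the eq and gt port operators, the established and fragments keywords, ICMP type names), and simplifies fragment handling to "entries with Layer 4 qualifiers never match non-initial fragments". The samples include a reply to a port below the 32768-65535 ephemeral range and a TCP reply without ACK/RST, both of which fall through to the final deny.

```python
# Added example (not from the original page): toy first-match evaluator for the ACL subset above.
from dataclasses import dataclass
from ipaddress import IPv4Address
DNS_SERVER = "203.0.113.53"  # assumed stand-in for <DNS Server> on the page
ACL_110 = f"""
access-list 110 deny ip host {DNS_SERVER} any
access-list 110 deny ip 0.0.0.0 0.255.255.255 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 192.0.2.0 0.0.0.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 deny ip host 255.255.255.255 any
access-list 110 deny ip 169.254.0.0 0.0.255.255 any
access-list 110 deny icmp any any fragments
access-list 110 permit icmp any host {DNS_SERVER} packet-too-big
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 permit icmp any host {DNS_SERVER} echo
access-list 110 permit icmp any host {DNS_SERVER} port-unreachable
access-list 110 permit udp any host {DNS_SERVER} fragments
access-list 110 permit tcp any host {DNS_SERVER} fragments
access-list 110 permit udp any host {DNS_SERVER} eq domain
access-list 110 permit tcp any host {DNS_SERVER} eq domain
access-list 110 permit udp any eq domain host {DNS_SERVER} gt 32767
access-list 110 permit tcp any eq domain host {DNS_SERVER} gt 32767 established
access-list 110 deny ip any any
"""

@dataclass
class Packet:
    proto: str                 # "udp", "tcp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""        # ICMP message name, e.g. "packet-too-big"
    fragment: bool = False     # non-initial fragment: no L4 header present
    established: bool = False  # TCP ACK or RST set, which 'established' tests

def _parse_addr(tok, i):
    # 'any' / 'host A' / 'NETWORK WILDCARD' -> ((network, mask), next index)
    if tok[i] == "any":
        return (0, 0), i + 1
    net, wild = (tok[i + 1], "0.0.0.0") if tok[i] == "host" else (tok[i], tok[i + 1])
    return (int(IPv4Address(net)), 0xFFFFFFFF ^ int(IPv4Address(wild))), i + 2

def _parse_port(tok, i):
    # optional 'eq PORT' / 'gt PORT' -> ((op, number), next index); 'domain' is 53
    if i < len(tok) and tok[i] in ("eq", "gt"):
        return (tok[i], {"domain": 53}.get(tok[i + 1]) or int(tok[i + 1])), i + 2
    return None, i

def parse_acl(text):
    """Parse 'access-list N action proto src [op] dst [op] [keywords]' lines."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0].startswith("!"):
            continue  # blank line or '!---' comment
        tok = tok[2:] if tok[0] == "access-list" else tok
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        entries.append((tok[0], tok[1], src, sport, dst, dport, set(tok[i:])))
    return entries

def _port_ok(spec, port):
    return spec is None or (port == spec[1] if spec[0] == "eq" else port > spec[1])

def _matches(entry, pkt):
    _, proto, (snet, smask), sport, (dnet, dmask), dport, flags = entry
    src, dst = int(IPv4Address(pkt.src)), int(IPv4Address(pkt.dst))
    if proto not in ("ip", pkt.proto) or (src & smask, dst & dmask) != (snet & smask, dnet & dmask):
        return False
    icmp_types = flags - {"fragments", "established"}  # remaining keywords name ICMP types
    if "fragments" in flags:  # the keyword matches non-initial fragments only
        return pkt.fragment
    if pkt.fragment:          # simplified: L4-qualified entries skip non-initial fragments
        return not (sport or dport or icmp_types or "established" in flags)
    return (_port_ok(sport, pkt.sport) and _port_ok(dport, pkt.dport)
            and (not icmp_types or pkt.icmp_type in icmp_types)
            and ("established" not in flags or pkt.established))

def evaluate(entries, pkt):
    """First matching entry wins; the implicit deny applies when nothing matches."""
    return next((e[0] for e in entries if _matches(e, pkt)), "deny")

ENTRIES = parse_acl(ACL_110)
SAMPLES = {  # constructed packets, all addressed TO the server (the ACL 110 direction)
    "external query": Packet("udp", "198.51.100.10", DNS_SERVER, 40123, 53),
    "rfc1918 source": Packet("udp", "10.1.2.3", DNS_SERVER, 40123, 53),
    "reply to ephemeral port": Packet("udp", "198.51.100.1", DNS_SERVER, 53, 40123),
    "reply to low port": Packet("udp", "198.51.100.1", DNS_SERVER, 53, 1025),
    "tcp reply without ack": Packet("tcp", "198.51.100.1", DNS_SERVER, 53, 40123),
    "pmtu message": Packet("icmp", "198.51.100.1", DNS_SERVER, icmp_type="packet-too-big"),
    "udp fragment": Packet("udp", "198.51.100.1", DNS_SERVER, fragment=True),
}
VERDICTS = {label: evaluate(ENTRIES, pkt) for label, pkt in SAMPLES.items()}
```

Reading VERDICTS shows why the footnote matters: a server still using the old 1024-5000 ephemeral range would have its incoming replies dropped by the gt 32767 entries, so the ACL and the operating system port range have to be changed together. The same evaluator can be pointed at ACL 111 by swapping in its entries and constructing packets with the server as the source.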
*Broadcast/Multicast: Although some DNS RFCs reference the use of broadcast/multicast, no DNS servers I know reply to broadcast or multicast queries. A new protocol called mDNS (multicast DNS) uses TCP/UDP port 5353 and is separate from DNS.