
One of the routers that I administer is getting bombarded with external DNS queries from the internet. This is a network border router which has a DNS server configured. There is an interface facing the internet which is getting all these DNS queries.

I've created the below ACL to only allow known traffic from the internet to get through the router.

interface GigabitEthernet0/0/0.1001
 description external internet
 encapsulation dot1Q 1001
 ip address XX.XX.XX.XX XX.XX.XX.XX
 ip nat outside
 ip access-group WAN_IN in

==============================================

ip access-list extended WAN_IN
 remark --- PERMIT_BUSINESS_TRAFFIC
 permit tcp any any established
 remark --- PERMIT_CORESCAN_VOCUS_PUBLIC_IP
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- PERMIT_CORESCAN_IINET_PUBLIC_IP
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- PERMIT_DNS_QUERIES
 permit udp any eq domain any gt 1023
 remark --- PERMIT_AWS_VPN_TUN1
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- PERMIT_AWS_VPN_TUN2
 permit ip host XX.XX.XX.XX host XX.XX.XX.XX
 remark --- DENY_ALL
 deny   ip any any

I can see that the ACL is working (I can see all the hits from the ACL) as it blocked some DNS queries, but there are some DNS queries, especially from this domain (PEACECORPS.GOV), that somehow always manage to pass through the ACL.

The way I'm seeing the queries is by capturing the traffic from the router and analyzing it using wireshark.

When analyzing the traffic I can see that the query gets to the router but the router is not answering the query, which is good, but my question is: is there any way that I can block the queries from getting to the router at all? I thought that a simple ACL would do the job, but it's not.

Below is the packet capture for incoming requests

192.223.30.89   XXX.XXX.XXX.XXX DNS 89  Standard query 0x2fc9 ANY PEACECORPS.GOV OPT
192.223.30.89   XXX.XXX.XXX.XXX DNS 89  Standard query 0x2fc9 ANY PEACECORPS.GOV OPT
192.223.30.89   XXX.XXX.XXX.XXX DNS 89  Standard query 0x2fc9 ANY PEACECORPS.GOV OPT
192.223.30.89   XXX.XXX.XXX.XXX DNS 89  Standard query 0x2fc9 ANY PEACECORPS.GOV OPT
201.105.153.70  XXX.XXX.XXX.XXX DNS 83  Standard query 0x2281 ANY aids.gov OPT

Below is the packet capture for outgoing

213.139.53.28   XXX.XXX.XXX.XXX DNS 85  Standard query 0xd224 ANY paypal.com OPT
73.78.192.30    XXX.XXX.XXX.XXX DNS 82  Standard query 0x3b63 ANY doc.gov OPT
202.179.0.18    XXX.XXX.XXX.XXX DNS 89  Standard query 0x6ffd ANY PEACECORPS.GOV OPT
76.184.25.55    XXX.XXX.XXX.XXX DNS 89  Standard query 0x2953 ANY PEACECORPS.GOV OPT

The XXX.XXX.XXX.XXX represents my public ip as the destination.

Thanks for the help.

  • How are you capturing traffic? Perhaps you're capturing before the ACL is applied. Your ACL should block any DNS queries. Can you post a sample capture? – Ron Trunk May 20 '20 at 17:09
  • Hi @RonTrunk I'm using the built-in Cisco packet capture to capture incoming traffic and outgoing as well. In both scenarios I can see the DNS queries, but my router does not respond to them. I'll add some of the capture results to my question above. Hope that helps. Thanks for the help. – Peter Franca May 21 '20 at 05:00
  • I'm fairly certain (tried, but can't confirm) that the packet capture point is prior to the ACL. so you're seeing traffic that is being denied by the ACL. In other words, things are working just fine. – Ron Trunk May 21 '20 at 14:42
  • I didn't think about this possibility, and that makes sense: if the packet capture occurs prior to the ACL being applied I will still see the requests. I just made another test as a proof of concept. I logged the ACL entry that denies the queries and I can see all the IPs from outside being denied, then I took another packet capture and I could match the external IP. I think we can consider this resolved. Thank you so much @RonTrunk for sharing your knowledge with me. – Peter Franca May 22 '20 at 04:04
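The following is an added example, not code from the question or the comments: a small first-match model of the generic WAN_IN entries run over flows constructed to mirror the capture, showing that an inbound query (high source port to UDP/53) falls through to `deny ip any any`, while only DNS replies (source port 53 to a port above 1023) match the `permit udp any eq domain any gt 1023` line, which is consistent with the comments' conclusion that the capture point sits before the ACL. The masked host-to-host `permit ip` entries are omitted because their addresses are not on the page, and the `established` keyword is modelled as "ACK or RST set", as on IOS.

```python
# Added example (not from the original post): first-match evaluation of the
# generic WAN_IN entries against constructed packets. Host-specific entries
# are omitted because their addresses are masked in the question.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False   # TCP ACK/RST set -> matches "established"


def _match_port(cond, port):
    """cond is None (any), ('eq', n) or ('gt', n), as in IOS ACL syntax."""
    if cond is None:
        return True
    op, n = cond
    return port == n if op == "eq" else port > n


# (action, protocol, source-port condition, dest-port condition, established)
WAN_IN = [
    ("permit", "tcp", None, None, True),                 # permit tcp any any established
    ("permit", "udp", ("eq", 53), ("gt", 1023), False),  # permit udp any eq domain any gt 1023
    ("deny", "ip", None, None, False),                   # deny ip any any
]


def evaluate(pkt):
    """Return (action, entry index) of the first matching entry, IOS-style."""
    for i, (action, proto, sport, dport, established) in enumerate(WAN_IN):
        if proto != "ip" and proto != pkt.proto:
            continue
        if established and not pkt.ack:
            continue
        if _match_port(sport, pkt.src_port) and _match_port(dport, pkt.dst_port):
            return action, i
    return "deny", -1  # implicit deny at the end of every IOS ACL


# Constructed flows: an inbound "ANY PEACECORPS.GOV" query from a high source
# port to UDP/53, and a reply to the router's own recursive lookup coming back
# from port 53 to the high port the router chose.
INBOUND_QUERY = Pkt("udp", 49152, 53)
INBOUND_REPLY = Pkt("udp", 53, 49152)
INBOUND_SYN = Pkt("tcp", 40000, 443)            # unsolicited new TCP session
INBOUND_ACK = Pkt("tcp", 443, 40000, ack=True)  # return traffic of our session

if __name__ == "__main__":
    for name, p in [("query", INBOUND_QUERY), ("reply", INBOUND_REPLY),
                    ("tcp syn", INBOUND_SYN), ("tcp ack", INBOUND_ACK)]:
        print(f"{name:8s} -> {evaluate(p)}")
```

Adding `log` to the deny entry, as done in the last comment, is the on-box way to confirm the same result: the query sources show up as deny hits even though they are still visible in a capture taken ahead of the ACL.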
