
Use ACLs to restrict zone transfers?

Status
Not open for further replies.

johnPostel (Technical User, joined May 25, 2003, 3 messages, location: US)
Hello, I am fairly new to Cisco routers. I work for a small office which has a Cisco router. We have two DNS servers on the internal network. Here's my situation: I want to restrict zone transfers from all untrusted sources. Essentially what I want to do is have just the primary + secondary DNS servers be able to talk to each other, and refuse incoming traffic on port 53. I hear I can use "extended" ACLs to accomplish this, but I'm not sure how. I'm very grateful for any suggestions or help!
 
DNS zone transfers use TCP port 53.

access-list 101 permit tcp host pri-dns-ip host sec-dns-ip eq 53
access-list 101 deny tcp any any eq 53

...and whatever other ACL rules you have set.
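An added example (not from this thread) that parses the two entries above and applies Cisco-style first-match semantics with the implicit deny, so you can see which packets they actually cover before putting them on an interface. The primary/secondary addresses are constructed placeholders; note that a zone transfer is a TCP connection opened by the secondary toward the primary's port 53, so the direction you permit and the return traffic both need checking.

```python
from dataclasses import dataclass

# Constructed documentation-range addresses standing in for pri-dns-ip / sec-dns-ip.
PRI_DNS = "192.0.2.10"
SEC_DNS = "192.0.2.11"

# The two entries from the reply above, with the placeholders filled in.
ACL_101 = [
    f"access-list 101 permit tcp host {PRI_DNS} host {SEC_DNS} eq 53",
    "access-list 101 deny tcp any any eq 53",
]


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume one address spec ('any' or 'host X'); None means 'any'."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1], tokens[2:]
    raise ValueError(f"unsupported address spec: {tokens[0]}")


def parse_ace(line):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' into a dict."""
    t = line.split()
    if t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an extended ACL entry: {line}")
    action, proto, rest = t[2], t[3], t[4:]
    src, rest = _parse_addr(rest)
    dst, rest = _parse_addr(rest)
    dport = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def evaluate(acl_lines, pkt):
    """Return (action, index of matching entry); first match wins, implicit deny last."""
    for idx, ace in enumerate(map(parse_ace, acl_lines)):
        if ace["proto"] not in (pkt.proto, "ip"):
            continue
        if ace["src"] not in (None, pkt.src) or ace["dst"] not in (None, pkt.dst):
            continue
        if ace["dport"] is not None and ace["dport"] != pkt.dport:
            continue
        return ace["action"], idx
    return "deny", None  # every IOS ACL ends with an implicit deny
```

Run it against a transfer initiated by the secondary (SYN from SEC_DNS to PRI_DNS port 53) and against an ordinary UDP query: both fall through to the implicit deny, which is why the rest of the ACL and the chosen direction matter.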
 
You should set up your DNS servers to only allow transfers to specific locations (addresses) -- this should be done regardless of the implementation of ACLs!

//RB
 
rbelt is right (I am thinking too much in the router world), plus it would save you a headache as far as the router config goes.

The 'allow-transfer' directive is what you would need if you are using BIND (Linux/Unix). This can also be done in the DNS MMC in Win2K Server.

 