Router configuration and DNS server configuration steps

Source: Internet
Author: User

Many people may not know how Cisco IOS works. That does not matter. The following describes how to configure a router and a DNS server in Cisco IOS. Recently, a friend sent me an email asking how to use Cisco IOS to block a specific website.

He wrote: "I have a Cisco 2600 instance, which is usually used as an Internet server. Now I want to block some specific websites. What should I do?" This is not a very difficult task, as long as you know how Cisco IOS works. Here I will guide you through how to do it and tell you what to watch out for when using this method.

Step 1: configure a DNS server

We do not know the specific IP address of the website, and we do not need to know it. Cisco IOS will look up the address and fill it in. To make that possible, we need to configure at least one DNS server on the router. To configure a DNS server, use the ip name-server command. The following is an example:

    Router(config)# ip name-server 1.1.1.1 2.2.2.2

In this example, we have configured a primary DNS server, 1.1.1.1, and a backup DNS server, 2.2.2.2, so that the router can resolve domain names. This does not affect any traffic passing through the router. When we ping a domain name, the router uses these DNS servers:

 
 
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 216.239.113.101, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
    Router#

Step 2: Create an ACL

To actually block access to a website, we must create an access control list (ACL) that defines what we want to block. Finally, because of the implicit deny at the end of every ACL, all traffic other than WWW will be blocked. If you want to know which IP addresses are attempting to access a blocked website, you can use the log keyword to record that information. The following is an example.

Step 3: Avoid "omission"

Note one thing. After you enter the first line of the above ACL, watch how the router uses the DNS server to resolve the domain name. It then replaces the host name in the ACL with the IP address returned by DNS. Let's take a closer look at the configuration:

 
 
    Router# sh run | inc access-list 101
    access-list 101 deny tcp any host 66.116.109.62 eq www

This is a useful feature, but it can cause problems for several reasons. First, this IP address is only the first IP address in the DNS server's response. If this is a large website with multiple servers (such as a search engine), the ACL contains only the first IP address that DNS returned, and you will have to block the remaining IP addresses manually.
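An added example (not from the original article): a Python check for the gap described above, comparing the deny entries in a running-config excerpt against the full set of addresses DNS returns for the site. The function names, the sample permit line and the 192.0.2.x answers are constructed for illustration.

```python
import ipaddress
import re

# Matches the entry form shown above: deny tcp any host <ip> eq www [log]
DENY_WWW = re.compile(
    r"^access-list\s+(\d+)\s+deny\s+tcp\s+any\s+host\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+eq\s+(?:www|80)(?:\s+log)?\s*$"
)

def blocked_hosts(running_config, acl_id):
    """Return the destination IPs that ACL `acl_id` denies on TCP port 80."""
    hosts = set()
    for line in running_config.splitlines():
        m = DENY_WWW.match(line.strip())
        if m and int(m.group(1)) == acl_id:
            hosts.add(ipaddress.ip_address(m.group(2)))
    return hosts

def audit_acl(running_config, acl_id, dns_answers):
    """Compare the ACL with the site's current DNS answers.

    Returns (missing, stale): deny lines for addresses the ACL lacks, and
    addresses in the ACL that DNS no longer returns.
    """
    current = {ipaddress.ip_address(a) for a in dns_answers}
    blocked = blocked_hosts(running_config, acl_id)
    missing = [
        f"access-list {acl_id} deny tcp any host {ip} eq www"
        for ip in sorted(current - blocked)
    ]
    stale = sorted(str(ip) for ip in blocked - current)
    return missing, stale

# Constructed sample: the ACL line from the output above plus a permit line
SAMPLE_CONFIG = """\
access-list 101 deny tcp any host 66.116.109.62 eq www
access-list 101 permit tcp any any eq www
"""
# Constructed DNS answers (192.0.2.0/24 is a documentation range)
SAMPLE_ANSWERS = ["66.116.109.62", "192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    missing, stale = audit_acl(SAMPLE_CONFIG, 101, SAMPLE_ANSWERS)
    print("\n".join(missing) or "ACL covers every address")
    print("stale entries:", stale)
```

On a numbered ACL, new entries are appended after the existing ones, so the generated deny lines only take effect if they end up ahead of any permit entry that matches the same traffic.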

Step 4: Implement ACL

Creating an ACL does not mean that the router uses it. We must also apply the ACL. Suppose we want the ACL to prevent the internal LAN from accessing a wide area network (such as the Internet). Therefore, we should use the source address of the ACL instead of the destination address. Similarly, by design, we need to apply this ACL in the out direction of the router. The following is an example.
 

 
 
    Router(config)# int serial 0/0
    Router(config-if)# ip access-group 101 out


 
