Using hostnames in IP access lists

When I was configuring the access list that should prevent spammers from misusing my workstations, I obviously had to find out the IP address of the ISP's SMTP server (access lists and object groups accept IP addresses, not names). I almost started nslookup on my Linux workstation, but then decided to try entering a hostname in an IOS ACL … and it works. Unfortunately, IOS performs a DNS lookup at the moment you enter the hostname (assuming you have configured the ip name-server) and stores only the resulting IP address in the ACL definition; the name itself is not kept, so the entry does not follow later changes to the DNS record:

rtr(config)#ip access-list extended InsideList
rtr(config-ext-nacl)#permit tcp any host smtp.example.com eq smtp
Translating "smtp.example.com"...domain server (192.168.0.1) [OK]
rtr(config-ext-nacl)#do show access-list InsideList
Extended IP access list InsideList
    10 permit tcp any host 192.168.2.3 eq smtp

You can enter hostnames in ACLs or network object groups. In both cases, the name is translated into an IP address at the moment you enter the command, and that single address is what ends up in the configuration; if the DNS record later changes, the ACL keeps matching the old address.
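A practitioner-side check for the caveat above, written as an added example (not code from the post, nor anything IOS itself provides): it parses the `show access-list` output, re-resolves the name and emits the configuration needed to replace entries whose address no longer matches, or to add the extra addresses of a round-robin record. The `resolve` callable is an assumption standing in for a real DNS query so the script runs offline; the ACE pattern is the `permit tcp any host ... eq smtp` form used in the post.

```python
import re
from typing import Callable, Dict, List, Tuple

# Matches the ACEs this post creates: "<seq> permit tcp any host <ip> eq smtp"
ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+permit\s+tcp\s+any\s+host\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+eq\s+smtp\s*$"
)

# Output of "show access-list InsideList" as shown in the post above
SHOW_OUTPUT = """\
Extended IP access list InsideList
    10 permit tcp any host 192.168.2.3 eq smtp
"""

# Assumed interface: a callable returning every A record for the name
Resolver = Callable[[str], List[str]]


def parse_acl(show_output: str) -> Dict[int, str]:
    """Return {sequence number: host IP} for every matching ACE."""
    entries: Dict[int, str] = {}
    for line in show_output.splitlines():
        m = ACE_RE.match(line)
        if m:
            entries[int(m.group("seq"))] = m.group("ip")
    return entries


def acl_drift(entries: Dict[int, str], hostname: str,
              resolve: Resolver) -> Tuple[Dict[int, str], List[str]]:
    """Compare stored addresses with the full set of A records the name has now.

    Returns (stale entries keyed by sequence number, addresses not yet in the ACL).
    A lookup that returns nothing is treated as an error: acting on an empty
    answer would strip every permit and cut off mail, which is exactly the
    failure a stale-ACL fixer must not cause.
    """
    current = sorted(set(resolve(hostname)))
    if not current:
        raise ValueError(f"DNS returned no addresses for {hostname}; refusing to touch the ACL")
    stored = set(entries.values())
    stale = {seq: ip for seq, ip in entries.items() if ip not in current}
    missing = [ip for ip in current if ip not in stored]
    return stale, missing


def fix_config(acl_name: str, entries: Dict[int, str], hostname: str,
               resolve: Resolver, step: int = 10) -> List[str]:
    """Config lines that remove stale ACEs and add one ACE per current address.

    Sequence numbers freed by stale entries are reused first so a replaced
    entry keeps its position relative to the rest of the ACL; extra
    addresses (round-robin records) are appended after the last existing ACE.
    """
    stale, missing = acl_drift(entries, hostname, resolve)
    lines = [f"ip access-list extended {acl_name}"]
    free_seqs = sorted(stale)
    for seq in free_seqs:
        lines.append(f" no {seq}")
    next_seq = max(entries, default=0) + step
    for ip in missing:
        if free_seqs:
            seq = free_seqs.pop(0)
        else:
            seq, next_seq = next_seq, next_seq + step
        lines.append(f" {seq} permit tcp any host {ip} eq smtp")
    return lines


if __name__ == "__main__":
    # Constructed resolver answers standing in for a real DNS query
    # (e.g. socket.getaddrinfo) so the script runs offline.
    round_robin: Resolver = lambda name: ["192.168.2.3", "192.168.2.4"]
    moved: Resolver = lambda name: ["192.168.5.7"]
    entries = parse_acl(SHOW_OUTPUT)
    print("\n".join(fix_config("InsideList", entries, "smtp.example.com", round_robin)))
    print("\n".join(fix_config("InsideList", entries, "smtp.example.com", moved)))
```

Run it periodically (cron, or from an EEM policy that can call out to a script) with a real resolver plugged in; pushing the resulting lines to the router is still a separate step. The refusal to act on an empty DNS answer is deliberate: a resolver outage must not turn into an ACL that drops all mail.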

6 comments:

  1. Ivan,

    "Unfortunately, IOS performs a DNS lookup when you enter the hostname..."

    I'm not sure why you prefaced that statement with "unfortunately". Surely you don't want IOS to put the hostname in the ACL and do a reverse DNS lookup on every packet entering/exiting your interface to see if it matches, right?

    The behavior is the same as, I think, any other device I've used in a similar fashion. Why the "unfortunately"? Maybe I am missing something?

  2. I also see it as "unfortunately". And I wish there were a solution like the "set peer ... dynamic" config of a crypto map to resolve the name the moment it is used. For sure, the lookup shouldn't be done on every packet. But it could be done in a fashion like a host uses a "Lifetime" to resolve the address and cache it then.

  3. Hi there!

    The "trick" is nice, and it's working in your case now. But what if the server is using some round-robin technology? Your router will put into the ACL the first IP which is resolved, but maybe the second time another IP will be delivered and since this is not matched, the packets will be discarded. Am I right?
    Overall nice blog and very interesting posts. I will comment some of them if I may :)
    Good luck!

  4. I have used this in past with known DNS records (to avoid the round robin problems) by editing the config off-line and loading it direct into the startup config. I know it's far from ideal, but for small sites where a reboot can happen occasionally I've found it useful.

  5. Maybe we can do DNS lookups in TCL and work around the issue with EEM ?

  6. @Xavier: Sure we can. Anything can be done in Tcl :) ... apart from UDP communication.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.