Jason Mader

Cisco router


Comment on using Cisco access lists with tinydns and dnscache

Based on the dns_transmit library interface (queries leave from a source port above 1023 to port 53 of the remote server, with TCP used for the larger responses), I use reflexive access list statements like:

 permit udp 128.164.26.0 0.0.0.255 gt 1023 any eq domain reflect packets timeout 45  ! allow udp dns responses
 permit tcp 128.164.26.0 0.0.0.255 gt 1023 any eq domain reflect packets timeout 10  ! allow bigger tcp dns responses

These should be applied to egress traffic, so that each outgoing query creates the reflected entry that allows its response back in.
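
As an added illustration (not part of the original page, and not Cisco code), here is a small Python model of how the two reflexive lines above behave: the outbound query creates the mirrored entry, and only a matching reply from the queried server, arriving before the timeout, gets back in. The server addresses 192.0.2.53 and 198.51.100.9 are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the two reflexive ACL lines above (not IOS code):
# an outbound DNS query from the resolver subnet creates a mirrored entry,
# and an inbound packet is admitted only if it matches that entry before
# the per-protocol inactivity timeout (45 s UDP, 10 s TCP) expires.
RESOLVER_NET = ipaddress.ip_network("128.164.26.0/24")  # 128.164.26.0 0.0.0.255
TIMEOUTS = {"udp": 45, "tcp": 10}                        # seconds, as in the ACL
Packet = namedtuple("Packet", "proto src sport dst dport")  # proto: "udp"/"tcp"

class ReflexiveAcl:
    def __init__(self):
        # (proto, remote_ip, remote_port, local_ip, local_port) -> expiry time
        self.entries = {}

    def egress(self, pkt, now):
        """Outbound evaluation: permit and reflect matching DNS queries."""
        if (pkt.proto in TIMEOUTS
                and ipaddress.ip_address(pkt.src) in RESOLVER_NET
                and pkt.sport > 1023 and pkt.dport == 53):
            key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            self.entries[key] = now + TIMEOUTS[pkt.proto]
            return True
        return False  # anything else falls through to the rest of the ACL

    def ingress(self, pkt, now):
        """Inbound evaluation: permit only a reflected, unexpired entry."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        expiry = self.entries.get(key)
        if expiry is None or now > expiry:
            self.entries.pop(key, None)  # expired entries are purged
            return False
        self.entries[key] = now + TIMEOUTS[pkt.proto]  # traffic refreshes the timer
        return True

def demo():
    # Constructed addresses: 192.0.2.53 is the queried server, 198.51.100.9 is not.
    acl = ReflexiveAcl()
    acl.egress(Packet("udp", "128.164.26.10", 40000, "192.0.2.53", 53), now=0)
    reply = Packet("udp", "192.0.2.53", 53, "128.164.26.10", 40000)
    spoof = Packet("udp", "198.51.100.9", 53, "128.164.26.10", 40000)
    return {"reply_in_time": acl.ingress(reply, now=5),
            "wrong_source": acl.ingress(spoof, now=5),
            "reply_after_timeout": acl.ingress(reply, now=60)}
```

The model keeps only the behaviour the ACL lines express; a real IOS reflexive list also tracks TCP session teardown and sits inside a larger extended access list.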

There is also J. de Boyne Pollard's frequently given answer about The DNS shaped holes that one cuts into firewalls.

Priority queuing

Example of a priority list that lowers the priority of a special SSH connection (TCP port 2022) used for our high-bandwidth flows:

On the main campus router:

interface atm0
  priority-group 1
!
priority-list 1 protocol ip low tcp 2022
priority-list 1 queue-limit 20 40 80 40

and on the Virginia campus router:

interface atm0
  priority-group 1
!
priority-list 1 protocol ip low tcp 2022
priority-list 1 queue-limit 20 40 80 40