I've never heard of this being done... but I was curious...
I'm using a Cisco 831 with IOS 12.3.8T3 (latest and greatest).
Can I create dynamic ACLs based on domain names?
Example:
I often need access to my home network from other places (work and school).
Work is easy, I create an ACL to allow my work IPs inbound.
School is a bit more complicated... there are quite a few IPs.
They have a public IP for every machine.
I can allow the whole netblock, but I don't want to do that... if I don't have to.
Here is what I want to do:
Register a dynamic DNS domain name... somedomain.dyndns.org
Allow inbound connections from somedomain.dyndns.org on the router.
I can run a dynamic DNS updating program on the machine I want to connect with.
The records update pretty quickly, so that wouldn't be a problem.
How would I create an ACL that would allow inbound from a certain domain, not IP?
When I've tried this before, it would only allow me to do this with source/dest IP...
Would this create too much overhead? It would have to resolve every IP?
Or would it just have to resolve the IP IF it was trying to access VPN or the service/port I specify in the ACL?
Are there any security concerns if I were to do this? People can't spoof the domain name? They'd have to update the record. They would have to guess which domain names I allow and the username and password to update it...
In the past, I've just been allowing the whole netblock and monitoring my logs...
I still have the services secured behind the router... but I want to keep it as tight as possible. I've always applied security with a layered approach.
Just a thought that popped into my head...
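One way to implement what the post describes, as an added example that is not from the original thread, from Cisco, or from any dyndns client: a Python refresh routine that resolves the dynamic-DNS name, discards answers in private or loopback ranges (a tampered or stale record should never open the router to an internal address), and renders numbered extended ACL lines in standard IOS syntax for only the host(s) found. The hostname somedomain.dyndns.org, ACL number 101 and port 22 are assumptions, and the resolver is injectable so the example runs offline with constructed answers; pushing the rendered lines to the router is left to whatever out-of-band method you already use.

```python
"""Resolve a dynamic-DNS name and render Cisco IOS ACL entries for it.

Constructed example: the hostname, ACL number and addresses are hypothetical.
"""
import ipaddress
import socket

# Ranges that must never appear in an inbound allow rule, even if DNS says so.
_DISALLOWED = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def resolve_ipv4(name, resolver=socket.gethostbyname_ex):
    """Return sorted, de-duplicated public IPv4 addresses published for `name`.

    `resolver` defaults to the system resolver; tests inject a constructed one.
    Any resolver error (socket.gaierror is an OSError) yields an empty list."""
    try:
        _, _, addrs = resolver(name)
    except OSError:
        return []
    valid = set()
    for a in addrs:
        try:
            ip = ipaddress.IPv4Address(a)
        except ipaddress.AddressValueError:
            continue
        if not any(ip in net for net in _DISALLOWED):
            valid.add(ip)
    return sorted(valid)


def render_acl(acl_number, addrs, port):
    """Render numbered extended ACL lines permitting only the resolved hosts."""
    lines = [f"access-list {acl_number} permit tcp host {ip} any eq {port}"
             for ip in addrs]
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines


def refresh(name, current, acl_number, port, resolver=socket.gethostbyname_ex):
    """Return (changed, addrs, acl_lines).

    When the name fails to resolve the previous address list is kept, so a DNS
    outage or a deliberately poisoned empty answer does not rewrite the ACL."""
    new = resolve_ipv4(name, resolver)
    if not new:
        return False, list(current), render_acl(acl_number, current, port)
    changed = sorted(new) != sorted(current)
    return changed, new, render_acl(acl_number, new, port)
```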