An ACL is configured on the device to restrict destination addresses accessible to users; however, the DNS server address is blocked in the ACL. As a result, the query packets sent from users to the DNS server are discarded. The domain names cannot be resolved, so users cannot access the Internet.
The following rule is included:
rule 100 deny ip destination 10.102.192.0 0.0.0.255 //Reject the packets destined for network segment 10.102.192.0/24.
The DNS server address configured on user PCs is 10.102.192.68, which belongs to the network segment 10.102.192.0/24. Therefore, packets sent from users to the DNS server are discarded. The domain names cannot be resolved, so users cannot access the Internet.
Add a more specific permit rule for the DNS server address with a smaller rule number, so that it is matched before the deny rule:
rule 99 permit ip destination 10.102.192.68 0.0.0.0 //Permit the packets destined for the DNS server.
rule 100 deny ip destination 10.102.192.0 0.0.0.255 //Reject the packets destined for network segment 10.102.192.0/24.
After rule 99 is added, the packets sent from users to the DNS server match rule 99 and pass. The domain names can be resolved, and users can access the Internet.
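The following is an added example (not part of the original case) that reproduces the before/after behaviour: it parses the two ACL rule sets, matches a destination address against each rule's wildcard mask, and returns the first hit in ascending rule-number order. It assumes rules are evaluated in ascending rule-number order and that an unmatched packet is permitted; the regex, function names and sample addresses are constructed for this illustration.

```python
import ipaddress
import re

# Constructed samples: the ACL before and after the fix described above.
ACL_BEFORE = """
rule 100 deny ip destination 10.102.192.0 0.0.0.255 //Reject 10.102.192.0/24
"""
ACL_AFTER = """
rule 99 permit ip destination 10.102.192.68 0.0.0.0 //Permit the DNS server
rule 100 deny ip destination 10.102.192.0 0.0.0.255 //Reject 10.102.192.0/24
"""

RULE_RE = re.compile(
    r"rule\s+(\d+)\s+(permit|deny)\s+ip\s+destination\s+(\S+)\s+(\S+)"
)


def parse_acl(text):
    """Parse 'rule <id> <action> ip destination <addr> <wildcard>' lines."""
    rules = []
    for line in text.splitlines():
        line = line.split("//")[0].strip()  # drop trailing comments
        m = RULE_RE.match(line)
        if not m:
            continue
        rid, action, addr, wildcard = m.groups()
        rules.append((int(rid), action,
                      int(ipaddress.IPv4Address(addr)),
                      int(ipaddress.IPv4Address(wildcard))))
    # Assumption: rules are matched in ascending rule-number order.
    return sorted(rules)


def wildcard_match(dst, addr, wildcard):
    """Wildcard mask semantics: 0 bit must match, 1 bit is 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return (dst & care) == (addr & care)


def evaluate(rules, dst_ip, default="permit"):
    """Return (action, rule_id) of the first matching rule, else (default, None).
    Assumption: traffic matching no rule is permitted by default."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    for rid, action, addr, wildcard in rules:
        if wildcard_match(dst, addr, wildcard):
            return action, rid
    return default, None


if __name__ == "__main__":
    print("before:", evaluate(parse_acl(ACL_BEFORE), "10.102.192.68"))
    print("after: ", evaluate(parse_acl(ACL_AFTER), "10.102.192.68"))
```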