Deny WAN HTTP/S to all systems except Proxy:

!Permit HTTP port 80 traffic
access-list 102 deny tcp any any eq 80
access-list 102 permit tcp any {proxy address} eq 80

!Permit HTTPS port 443 traffic
access-list 102 deny tcp any any eq 443
access-list 102 permit tcp any {proxy address} eq 443

Deny WAN DNS to all systems except DNS server:

access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 deny 53 any any
access-list 101 deny 55 any any
access-list 101 deny 77 any any
access-list 101 deny 103 any any
!— insert any other previously applied ACL entries here
!— you must permit other protocols through to allow normal
!— traffic — previously defined permit lists will work
!— or you may use the permit ip any any shown here
access-list 101 permit ip any any

Does “IP helper-address” help to much?

! We want this protocol.
ip forward-protocol udp bootpc
!
! We don’t want these.
no ip forward-protocol udp biff
no ip forward-protocol udp bootps
no ip forward-protocol udp discard
no ip forward-protocol udp dnsix
no ip forward-protocol udp domain
no ip forward-protocol udp echo
no ip forward-protocol udp isakmp
no ip forward-protocol udp mobile-ip
no ip forward-protocol udp nameserver
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-ss
no ip forward-protocol udp non500-isakmp
no ip forward-protocol udp ntp
no ip forward-protocol udp pim-auto-rp
no ip forward-protocol udp rip
no ip forward-protocol udp snmp
no ip forward-protocol udp snmptrap
no ip forward-protocol udp sunrpc
no ip forward-protocol udp syslog
no ip forward-protocol udp tacacs
no ip forward-protocol udp talk
no ip forward-protocol udp tftp
no ip forward-protocol udp time
no ip forward-protocol udp who
no ip forward-protocol udp xdmcp