Using a router as a DNS proxy server

A Cisco router running IOS release 12.3 can act as a proxy DNS server: when you configure ip dns server and ip name-server ip-address, it starts forwarding any DNS requests it receives to the upstream name server.

The router does not act as a recursive server; it just propagates the requests. For example, if the client asks for the A record for www.nil.com and the upstream DNS server responds with an NS record for the .com tree, the router will not perform recursive DNS lookups to get the answer (and the resolver code in most clients will fail). The upstream DNS server has to be willing to perform recursive lookups for you.
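The difference is visible in the response itself: a server that will not recurse returns a referral (no answer, NS records in the authority section, RA flag clear), and the router relays that unchanged. The following check is an added example, not part of the original post; the function names, the 192.0.2.10 address and the two response messages are constructed for illustration.

```python
import struct

def encode_name(name):
    """Encode a domain name as length-prefixed DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + n

def classify(msg):
    """Classify a DNS response as answer, referral, error or empty."""
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    ns_in_authority = False
    for i in range(an + ns):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an and rtype == 2:             # NS record in the authority section
            ns_in_authority = True
    kind = ("error" if flags & 0x000F else "answer" if an
            else "referral" if ns_in_authority else "empty")
    # RA (0x0080) is set only by a server willing to recurse for this client.
    return {"kind": kind, "ra": bool(flags & 0x0080)}

def rr(owner, rtype, rdata):
    """Build one resource record (class IN, TTL 300)."""
    return owner + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata

# Constructed sample responses to an A query for www.nil.com (not captured traffic).
QUESTION = encode_name("www.nil.com") + struct.pack("!HH", 1, 1)
REFERRAL = (struct.pack("!HHHHHH", 0x1234, 0x8100, 1, 0, 1, 0) + QUESTION
            + rr(encode_name("com"), 2, encode_name("a.gtld-servers.net")))
ANSWER = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
          + rr(b"\xc0\x0c", 1, bytes([192, 0, 2, 10])))

if __name__ == "__main__":
    for label, msg in (("non-recursive upstream", REFERRAL), ("recursive upstream", ANSWER)):
        print(label, classify(msg))
```

An upstream server is suitable for ip name-server only if its responses classify like the second sample: RA set and no bare referral.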

You can use this functionality (potentially in combination with other external proxies) to set up an environment where the clients do not need to access the Internet directly.

5 comments:

  1. swampie51@gmail.com, 20 July, 2009 00:08


    It's a pity the recursive lookups seem to not function for reverse-lookups. It gave me a headache for a while and then I gave up. If anyone has an answer I would be keen to test it.

  2. Ivan Pepelnjak, 21 July, 2009 13:04

    As I wrote in the post - IOS just forwards the requests to an external DNS server. It performs no recursion whatsoever.

  3. swampie51@gmail.com, 21 July, 2009 20:50

    Not sure if that is true..

    If the router forwards the request as a forwarder then it relies on the server to respond back to it and then it replies to your request.. that kinda = recursion as it certainly is not iterative ;)

    And even a DNS server that was configured for stub and/or a forwarder should respond based on the response from the server..?

    great website and appreciate your views and comments

    Julian

  4. Ivan Pepelnjak, 21 July, 2009 22:32

    A "recursive DNS server" and a "forwarding DNS server" are well-defined concepts. Follow the links in the first NOTE in this IP Corner article: http://www.nil.com/ipcorner/RouterDNS/ for more information.

    IOS is a forwarding, but not a recursive DNS server. BTW, I'm using this functionality in my home office and never had any IPv4 issues (and I'm doing some pretty crazy testing stuff every now and then). IPv6 is unfortunately a completely different story.



Ivan Pepelnjak, CCIE#1354, is the chief technology advisor for NIL Data Communications. He has been designing and implementing large-scale data communications networks as well as teaching and writing books about advanced technologies since 1990. See his full profile, contact him or follow @ioshints on Twitter.