The DNS configuration "challenges"

With the introduction of DNS views in IOS release 12.4(9)T, a number of additional DNS-related configuration commands were introduced. As IOS still supports all the older configuration commands (and the DHCP-acquired DNS servers), the results are not as obvious as one would hope. The IOS documentation is pretty explicit (a nice surprise :), but I still had a bit of a headache figuring it all out, so you might be in the same position.

Let's start with the DNS resolvers (the DNS name servers the router itself uses when it needs to change a name into an IP address or vice versa):
  • You can configure the DNS resolvers with the ip name-server global configuration command or the domain name-server configuration command within the ip dns view default.
  • Both lists are merged and combined with the IP addresses acquired from the DHCP reply messages to get the final list of the DNS resolvers. You can inspect the final list with the show ip dns view default command.
  • The DNS name servers from the DHCP replies never appear in the router configuration.
  • If the same IP address is specified with the ip name-server and domain name-server command, only the global (ip name-server) command will appear in the router configuration.

The rules for DNS forwarders (the DNS servers the router uses to answer incoming DNS queries) are a bit different:

  • The DNS view the current DNS query should use is determined based on view-list assigned to incoming interface (with the ip dns view-group interface configuration command) or the global view-list (specified with the ip dns server view-group global configuration command).
  • The incoming query is (sequentially) sent to the IP addresses configured as dns forwarders in the selected view. No other DNS servers are used.
  • If the selected view has no dns forwarders, but contains domain name-servers, they are used as forwarders.
  • If the selected view has no dns forwarders or domain name-servers, the query is forwarded as IP broadcast ... unless the selected view is the default view, in which case the first DNS server computed according to the the previous bullet list is used (only one DNS server is used in this case, even if you have configured multiple DNS servers with the ip name-server configuration command).

6 comments:

  1. Does anybody know if there is the possibility to override the upstream DNS server's TTL value?
    Sometimes, DNS queries are being answered with a TTL value of 0, and the router does not store them (or marks them as expired the second they arrive). So the router will send out a query to the same host the next time. Is there any remedy against this?
    Thanks alot for your help!
  2. As far as I'm aware, IOS cannot do that. Usually there's a good reason the reply is sent back with TTL=0 (for example, multi-server load balancing implemented with DNS).
  3. OK then -- thanks alot for your answer!
  4. I have set up caching dns server on a Cisco 876. Problem is that requests are accepted on all interfaces, including the outside interface. What's a good method to limit the router to only handle requests arriving on specific interfaces? Thanks!
  5. @Anonymous#3: Inbound access list (ACL) on the outside interface(s).

    Having an ACL that blocks all unwanted traffic is mandatory on interfaces connected to a public network (for example, the Internet).
  6. actually ACLs are not looked at when using the ip dns server on IOS

    best way i have found is to set up NAT on the outside interface, and just NAT all incoming traffic on port 53 to a dummy address
Add comment
Sidebar