Cisco IOS Software Releases 12.4 T

Split DNS


First Published: June 19, 2006
Last Updated: June 19, 2006

The Split DNS feature enables a Cisco router to respond to Domain Name System (DNS) queries using a specific configuration and associated host table cache that are selected based on certain characteristics of the queries. In a Split DNS environment, multiple DNS databases can be configured on the router, and the Cisco IOS software can be configured to choose one of these DNS name server configurations whenever the router must respond to a DNS query by forwarding or resolving the query.

Finding Feature Information in This Module

Your Cisco IOS software release may not support all of the features documented in this module. To reach links to specific feature documentation in this module and to see a list of the releases in which each feature is supported, use the "Feature Information for Split DNS" section.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Split DNS

Restrictions for Split DNS

Information About Split DNS

How to Configure Split DNS

Configuration Examples for Split DNS

Additional References

Command Reference

Feature Information for Split DNS

Glossary

Prerequisites for Split DNS

No special equipment or software is needed to use the Split DNS feature. To use Split DNS to forward incoming DNS queries, you must have a client that issues DNS queries, a DNS caching name server on which the Split DNS features are to be configured, and a back-end DNS name server. Both of the DNS name server components reside in a Cisco router running the Cisco IOS DNS subsystem software. An example of this basic topology is illustrated in Figure 1.

Restrictions for Split DNS

Data Link Layer Redirection

The DNS forwarding functionality provided by Split DNS to the DNS server subsystem of the Cisco IOS software is available only for DNS packets that are directed to one of the IP addresses of the router that serves as the DNS caching name server. Split DNS does not support processing of packets intercepted at the data link layer (Layer 2) and then redirected to the DNS caching name server.

Information About Split DNS

To configure the Split DNS feature, you should understand the following concepts.

Split DNS Feature Overview

DNS Views

DNS View Lists

DNS Name Groups

DNS View Groups

Router Response to DNS Queries in a Split DNS Environment

Split DNS Feature Overview

The Split DNS feature enables a Cisco router to answer DNS queries using the internal DNS hostname cache specified by the selected virtual DNS name server or, for queries that cannot be answered from the information in the hostname cache, direct queries to specific, back-end DNS servers. The virtual DNS name server is selected based on certain characteristics of each query. Split DNS commands are used to configure a customer premises equipment (CPE) router that serves as the DNS server and forwarder for queries from hosts and as the DNS server and resolver for queries originated by the router itself.

The following sections summarize Split DNS features:

Split DNS Use to Respond to DNS Queries: Benefits

Split DNS Operation

Split DNS Use to Respond to DNS Queries: Benefits

The following sections describe the primary Split DNS features:

Selection of Virtual DNS Caching Name Server Configurations

Ability to Offload Internet Traffic from the Corporate DNS Server

Compatibility with NAT and PAT

Selection of Virtual DNS Caching Name Server Configurations

To configure a Split DNS environment, configure multiple DNS databases on the router and then configure the router to choose one of these virtual DNS server configurations whenever the router must respond to a DNS query by looking up or forwarding the query. The router that acts as the DNS forwarder or resolver is configured with multiple virtual DNS caching name server configurations, each associated with restrictions on the types of DNS queries that can be handled using that name server. The router can be configured to select a virtual forwarding or resolving DNS server configuration based on any combination of the following criteria:

Query source port

Virtual Private Network (VPN) routing and forwarding (VRF) instance of the query source interface

Query source authentication

Query source IP address

Query hostname

When the router must respond to a query, the Cisco IOS software selects a DNS name server by comparing the characteristics of the query to a list of name servers and their configured restrictions. After the appropriate name server is selected, the router addresses the query using the associated host table cache or forwarding parameters that are defined for that virtual name server.

Ability to Offload Internet Traffic from the Corporate DNS Server

When deployed in an enterprise network that supports many remote hosts with Internet VPN access to the central site, the Split DNS features of the Cisco IOS software enable the router to be configured to direct Internet queries to the Internet service provider (ISP) network, thus reducing the load on the corporate DNS server.

Compatibility with NAT and PAT

Split DNS is compatible with Network Address Translation (NAT) and Cisco IOS Port Address Translation (PAT) upstream interfaces. If NAT or PAT is enabled on the CPE router, DNS queries are translated (by address translation or port translation) to the appropriate destination address, such as an ISP DNS server or a corporate DNS server. When using split tunneling, the remote router routes the Internet-destined traffic directly, not forwarding it over the encrypted tunnel. With a remote client that uses split tunneling, it is possible for the router to direct DNS queries destined for the corporate DNS server to the pushed DNS server list from the central site if the tunnel is up and to direct DNS queries destined for the ISP DNS server to the outside public interface address if the tunnel is down.


Note Split tunneling requires additional security and firewall configuration to ensure the security of the remote site.


Split DNS Operation

A basic network topology for using Split DNS is illustrated in Figure 1. The network diagram shows a CPE router that connects to both an ISP DNS name server and a corporate DNS name server. The diagram also shows three of the CPE client machines that access the router.

Figure 1 A Basic Network Topology for Split DNS

The following sections summarize the network activities in a basic Split DNS environment:

CPE Router Configuration

DNS Query Issued by a CPE Client

Virtual DNS Name Server Selection

Response to the Client-issued DNS Query

CPE Router Configuration

Configuration of the CPE router consists of defining DNS caching name server configurations and defining sets of rules for selecting one of the configurations to use for a given DNS query.

Each DNS caching name server definition specifies an internal DNS hostname cache, DNS forwarding parameters, and DNS resolving parameters.

Each set of configuration-selection rules consists of a list of name server configurations, with usage restrictions attached to each configuration in the list. The router can be configured with a default set of selection rules, and any router interface can be configured to use a set of selection rules.

DNS Query Issued by a CPE Client

The CPE client can issue DNS queries that request access to the Internet or to the corporate site. The basic network topology in Figure 1 shows a CPE router that receives incoming DNS queries from three clients, through interfaces that are enabled with NAT. The three client machines represent typical users of a corporate network:

PC of a remote teleworker accessing noncorporate Internet sites

Home PC that is being used by a family member of a home teleworker

PC of a worker at the corporate site

The clients access the corporate network through a VPN tunnel that originates at the corporate VPN gateway and terminates in the CPE router.


Note The advantage of establishing the VPN tunnel from the corporate access system to the CPE router (rather than the endpoint client system) is that every other computer on the home LAN can also use the same tunnel, making it unnecessary to establish multiple tunnels (one for each system). In addition, the client system end user can use the tunnel when accessing corporate systems, without having to explicitly bring the tunnel up and down each time.


Virtual DNS Name Server Selection

Given an incoming DNS query, the Cisco IOS software uses either the default selection rules or the interface-specific selection rules (depending on the interface on which the query arrived) to select one of the DNS name server configurations in the list. To make the selection, the Cisco IOS software matches the query characteristics to the usage restrictions for each DNS name server configuration in the list. The selected configuration specifies both a host table cache and forwarding parameters, and the router uses this information to handle the query.

Response to the Client-issued DNS Query

The router handles the DNS query using the parameters specified by the selected DNS name server configuration:

1. If the query can be answered using the information in the internal DNS hostname cache specified by the selected virtual DNS name server, the router responds to the query.

2. If the query cannot be answered from the information in the hostname cache but DNS forwarding is enabled for the selected virtual DNS name server, the router sends the query to each of the configured DNS forwarders.

3. If no DNS forwarders are configured for the selected configuration, the router forwards the query using the name servers configured for the virtual DNS name server. For the three client machines (shown in Figure 1) that request Internet access or access to the corporate site, the CPE router can forward those DNS queries to the appropriate DNS servers as follows:

An Internet access request from the PC of the remote teleworker would be forwarded to the ISP DNS name server.

Similarly, an Internet access request from the PC of the family member of the home teleworker also would be forwarded to the ISP DNS name server.

A DNS request for access to the corporate site from a worker, though, would be forwarded to the corporate DNS name server.

4. If no domain name servers are configured for the virtual DNS name server, the router forwards the query to the limited broadcast address (255.255.255.255) so that the query is received by all hosts on the local network segment but not forwarded by routers.

DNS Views

A DNS view is a set of parameters that specify how to handle a DNS query. A DNS view defines the following information:

Association with a VRF

Option to write to system message logging (syslog) output each time the view is used

Parameters for resolving internally generated DNS queries

Parameters for forwarding incoming DNS queries

Internal host table for answering queries or caching DNS responses


Note The maximum number of DNS views and view lists supported is not specifically limited but is dependent on the amount of memory on the Cisco router. Configuring a larger number of DNS views and view lists uses more router memory, and configuring a larger number of views in the view lists uses more router processor time. For optimum performance, configure no more views and view list members than needed to support your Split DNS query forwarding or query resolution needs.


The following sections describe DNS views in further detail.

View Use Is Restricted to Queries from the Associated VRF

A DNS view is always associated with a VRF, whether it is the global VRF (the VRF whose name is a NULL string) or a named VRF. The purpose of this association is to limit the use of the view to handling DNS queries that arrive on an incoming interface that matches a particular VRF:

The global VRF is the default VRF that contains routing information for the global IP address space of the provider network. Therefore, a DNS view that is associated with the global VRF can be used only to handle DNS queries that arrive on an incoming interface in the global address space.

A named VRF contains routing information for a VPN instance on a router in the provider network. A DNS view that is associated with a named VRF can be used only to handle DNS queries that arrive on an incoming interface that matches the VRF with which the view is associated.


Note Additional restrictions (described in the "DNS View Lists" section) can be placed on a view after it has been defined. Also, a single view can be referenced multiple times, with different restrictions added in each case. However, because the association of a DNS view with a VRF is specified in the DNS view definition, the VRF-specific view-use limitation is a characteristic of the DNS view definition itself and cannot be separated from the view.


Parameters for Resolving Internally Generated DNS Queries

The following parameters define how to resolve internally generated DNS queries:

Domain lookup—Enabling or disabling of DNS lookup to resolve hostnames for internally generated queries.

Default domain name—Default domain to append to hostnames without a dot.

Domain search list—List of domain names to try for hostnames without a dot.

Domain name for multicast lookups—IP address to use for multicast address lookups.

Lookup timeout—Time (in seconds) to wait for a DNS response after sending or forwarding a query.

Lookup retries—Number of retries when sending or forwarding a query.

Domain name servers—List of name servers to use to resolve domain names for internally generated queries.

Resolver source interface—Source interface to use to resolve domain names for internally generated queries.

Round-robin rotation of IP addresses—Enabling or disabling of the use of a different IP address associated with the domain name in cache each time hostnames are looked up.

Parameters for Forwarding Incoming DNS Queries

The following parameters define how to forward incoming DNS queries:

Forwarding of queries—Enabling or disabling of forwarding of incoming DNS queries.

Forwarder addresses—List of IP addresses to use to forward incoming DNS queries.

Forwarder source interface—Source interface to use to forward incoming DNS queries.

DNS View Lists

A DNS view list is an ordered list of DNS views in which additional usage restrictions can be specified for any individual member in the list. The scope of these optional usage restrictions is limited to a specific member of a specific DNS view list. When the router must respond to a DNS query, the Cisco IOS software uses a DNS view list to select the DNS view that will be used to handle a DNS query.


Order in Which to Check the Members of a DNS View List

When a DNS view list is used to select a DNS view for handling a given DNS query, the Cisco IOS software checks each member of the view list—in the order specified by the list—and selects the first view list member whose restrictions permit the view to be used with the query that needs to be handled.

Usage Restrictions Defined for a DNS View in the View List

A DNS view list member can be configured with usage restrictions defined using access control lists (ACLs) that specify rules for selecting that view list member based on the query hostname or the query source host IP address. The two types of ACLs supported by the Split DNS view list definition are described in the "DNS Name Groups" section.


Note Multiple DNS view lists can be defined so that, for example, a given DNS view can be associated with different restrictions in each list. Also, different DNS view lists can include different DNS views.


Selection of the DNS View List

When the router that is acting as the DNS caching name server needs to respond to a DNS query, the Cisco IOS software uses a DNS view list to determine which DNS view can be used to handle the query:

If the router is responding to an incoming query that arrives on an interface for which a DNS view list is configured, the interface-specific DNS view list is used.

If the router is responding to an incoming query that arrives on an interface for which no specific DNS view list is configured, the default DNS view list is used.

If the router is responding to an internally generated query, no DNS view list is used to select a view; the global DNS view is used to handle the query.

The assignment of a DNS view list as the default or to an interface is described in the "DNS View Groups" section.

Selection of a DNS View List Member

The view list members are compared, each in turn, to the characteristics of the DNS query that the router is responding to:

1. If the query is from a different VRF than the view, the view cannot be used to address the query, so the view-selection process moves on to the next member of the view list.

2. The specification of additional view-use restrictions is an optional setting for any view list member.

If the view list does not specify additional restrictions on the view, the view will be used to address the query, so the view-selection process is finished.

If the view list does specify additional restrictions on the view, the query is compared to those restrictions:

If the query characteristics fail any view-use restriction, the view cannot be used to address the query, so the view-selection process moves on to the next member of the view list.

If the query characteristics pass all the view-use restrictions, the view will be used to address the query. The view-selection process is finished.

3. If the view-selection process reaches the end of the selected DNS view list without finding a view list member that can handle the query, the router discards the query.

The first DNS view list member that is found to have restrictions that match the query characteristics is used to handle the query.

DNS Name Groups

The Split DNS feature supports two types of ACLs that can be used to restrict the use of a DNS view. A DNS name list or a standard IP ACL (or both) can be applied to a DNS view list member to specify view-use restrictions in addition to the VRF-specific restriction that is a part of the view definition itself.


Note In this context, the term "group" is used to refer to the specification of a DNS name list or a standard IP ACL as a usage restriction on a view list member.


DNS View Usage Restrictions Based on the Query Hostname

A DNS name list is a named set of hostname pattern-matching rules, with each rule specifying the type of action to be performed if a query hostname matches the text string pattern in the rule. In order for a query hostname to match a name list, the hostname must match a rule that explicitly permits a matching pattern but the hostname cannot match any rules that explicitly deny a matching pattern.

DNS View Usage Restrictions Based on the Query Source IP Address

A standard IP ACL is a numbered or named set of host IP address-matching rules, with each rule specifying the type of action to be performed if an IP address matches the address pattern in the rule. The Split DNS feature supports the use of a standard ACL as a view-use restriction based on the query source IP address. In order for a source IP address to match the ACL, the IP address must match a rule that explicitly permits a matching pattern but the IP address cannot match any rules that explicitly deny a matching pattern.

DNS View Groups

The Split DNS feature provides two ways to specify the DNS view list that the Cisco IOS software is to use to select the DNS view that will be used to handle an incoming DNS query. For a query that arrives on an interface that is configured to use a particular DNS view list, the interface-specific DNS view list is used. Otherwise, the default DNS view list is used.


Note In this context, the term "group" refers to the specification of a DNS view list as an interface-specific DNS view list or the default view list for the router.


Interface-specific View Lists

A DNS view list can be attached to a router interface. When an incoming DNS query arrives on that interface, the Cisco IOS software uses that view list to select a DNS view to use to handle the query.

Default DNS View List

A DNS view list can be configured as the default DNS view list for the router. When an incoming DNS query arrives on an interface that is not configured to use a specific view list, the Cisco IOS software uses the default view list to select the DNS view to use to handle the query.

Router Response to DNS Queries in a Split DNS Environment

By introducing support of DNS views—and the ability to configure the router to select from a list of appropriate views for a given DNS query—the Split DNS feature enables different hosts and subsystems to use different virtual DNS caching name servers, each with their own, separate DNS cache and each accessible from a single router that acts as the DNS forwarder and resolver. Thus, each DNS view defines a different DNS database on a single router. Furthermore, because the Split DNS feature separates the configuration of DNS query forwarding and resolving parameters, it is a simple matter to configure the router to respond more freely to queries from internal clients while limiting response to queries from external clients.

The following sections provide detailed descriptions of how the router responds to DNS queries in a Split DNS environment.

Response to Incoming DNS Queries per the Forwarding Parameters of the Selected DNS View

Given an incoming DNS query, the Cisco IOS software uses the DNS view list configured for the incoming interface to select the DNS view to use to handle the query. If no view list is configured for the interface, the default DNS view list is used instead.

Using the configured or default view list, the router software selects the first view list member that is associated with the same VRF as the query and whose usage restrictions match the query characteristics. After the DNS view is selected, the router handles the query according to the parameters configured in the selected view.

1. The router uses the DNS view list that is specified for the interface on which the DNS query arrives:

a. If a DNS view list is attached to the interface, the router uses the specified DNS view list.

b. If no DNS view list is attached to the interface, the router uses the default DNS view list.

2. The router uses the DNS view list to select a DNS view to use to address the query. Each view list member is checked, in the order defined by the view list, as follows:

a. If the view list member is associated with a different VRF from that of the incoming interface for the DNS query that needs to be resolved, the view-selection process moves on to the next member of the view list.

b. If all the usage restrictions on the view list member match the other characteristics of the DNS query to be resolved, the view is selected to handle the query.

Otherwise, the view-selection process moves on to the next member of the view list.

If no member of the selected DNS view list is qualified to address the query, the router does nothing further with the query.

3. The router attempts to respond to the query using the parameters specified by the selected DNS view:

a. The Cisco IOS software looks in the hostname cache associated with the view. If the query can be answered from that information, the router responds to the query.

b. If the query cannot be answered using the hostname cache, the Cisco IOS software checks whether the DNS forwarding of queries is enabled for the view. If DNS forwarding is enabled, the router sends the query to each of the configured DNS forwarders.

c. If no DNS forwarders are configured for the view, the router forwards the query using the configured domain name servers.

d. If no domain name servers are configured for the view, the router forwards incoming DNS queries to the limited broadcast address (255.255.255.255) so that the queries are received by all hosts on the local network segment but not forwarded by routers.
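The view-selection rules of "Selection of a DNS View List Member", the permit-and-no-deny matching of "DNS Name Groups" and the cache/forwarder/name-server/broadcast cascade in steps 1 through 3 above, modelled as an added Python example (not Cisco IOS code and not part of this document). The view names, interface names, addresses and hostnames are constructed sample data, and the handling of a view with forwarding disabled is an assumption the page does not state.

```python
"""Model of Split DNS view-list selection and the query-handling cascade.

Constructed example, not Cisco IOS code: VRF match, then the member's optional
name-list and source-ACL restrictions, first qualifying member wins, discard if
none; then hostname cache -> forwarders -> name servers -> limited broadcast.
All view names, addresses and hostnames are sample data."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

LIMITED_BROADCAST = "255.255.255.255"

def _permit_and_no_deny(rules, hit) -> bool:
    """Page semantics for both ACL types: match a permit rule, match no deny rule."""
    permitted = denied = False
    for action, pattern in rules:
        if hit(pattern):
            if action == "deny":
                denied = True
            else:
                permitted = True
    return permitted and not denied

@dataclass
class NameList:
    rules: list  # (action, regex) pairs; the page's patterns are regexes

    def matches(self, hostname: str) -> bool:
        return _permit_and_no_deny(self.rules, lambda p: re.search(p, hostname) is not None)

@dataclass
class SourceAcl:
    rules: list  # (action, prefix) pairs standing in for a standard IP ACL

    def matches(self, source_ip: str) -> bool:
        addr = ipaddress.ip_address(source_ip)
        return _permit_and_no_deny(self.rules, lambda p: addr in ipaddress.ip_network(p))

@dataclass
class View:
    name: str
    vrf: str = ""                                  # "" is the global VRF
    hosts: dict = field(default_factory=dict)      # hostname cache
    forwarding: bool = True
    forwarders: list = field(default_factory=list)
    name_servers: list = field(default_factory=list)

@dataclass
class Member:               # one view-list entry with its optional restrictions
    view: View
    name_list: Optional[NameList] = None
    source_acl: Optional[SourceAcl] = None

@dataclass
class Query:
    hostname: str
    source_ip: str
    vrf: str = ""                                  # VRF of the incoming interface

def select_view(view_list, query) -> Optional[View]:
    """First member whose view shares the query's VRF and whose restrictions
    all pass; None means the router discards the query."""
    for m in view_list:
        if m.view.vrf != query.vrf:
            continue
        if m.name_list and not m.name_list.matches(query.hostname):
            continue
        if m.source_acl and not m.source_acl.matches(query.source_ip):
            continue
        return m.view
    return None

def handle_query(interface_lists, default_list, interface, query):
    """Return (action, detail) for a query arriving on the named interface."""
    view = select_view(interface_lists.get(interface, default_list), query)
    if view is None:
        return ("discard", None)
    if query.hostname in view.hosts:                    # answered from cache
        return ("answer", view.hosts[query.hostname])
    if not view.forwarding:    # page does not state this case; assumed dropped
        return ("discard", None)
    if view.forwarders:                                 # configured forwarders
        return ("forward", list(view.forwarders))
    if view.name_servers:                               # fall back to name servers
        return ("forward", list(view.name_servers))
    return ("broadcast", [LIMITED_BROADCAST])           # last resort

def build_sample_config():
    """Constructed config: restricted corp view, open ISP view, guest-VRF view."""
    corp = View("corp", hosts={"intranet.example.com": "10.10.10.5"},
                forwarders=["10.10.1.53"])
    isp = View("isp", name_servers=["198.51.100.53"])
    guest = View("guest", vrf="guest")
    corp_names = NameList([("permit", r".*\.example\.com$"),
                           ("deny", r"^public\.example\.com$")])
    corp_acl = SourceAcl([("permit", "10.1.0.0/16"), ("deny", "10.1.99.0/24")])
    default_list = [Member(corp, corp_names, corp_acl), Member(isp)]
    return {"Vlan20": [Member(guest)]}, default_list   # interface lists, default
```

A query from the denied subnet or for a denied hostname falls through to the ISP view, and a guest-VRF query on an interface with no guest view in its list is discarded, which is the behaviour to check when an internal name unexpectedly reaches an external resolver.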

Response to Internally Generated DNS Queries per the Resolving Parameters of the Default Global DNS View

Given an internally generated DNS query to resolve, the Cisco IOS software uses the default DNS view to handle the query:

When a hostname must be resolved for a query that does not specify a VRF, the router uses the unnamed DNS view associated with the global VRF (the default VRF that contains routing information for the global IP address space of the provider network).

When a hostname must be resolved for a Cisco IOS command that specifies a VRF to use, the router uses the unnamed DNS view associated with that VRF.

The router attempts to respond to the query using the DNS resolving parameters specified by that view:

1. If the query specifies an unqualified hostname, the Cisco IOS software completes the hostname using the domain name list or the default domain specified by the view.

2. The Cisco IOS software looks in the hostname cache associated with the view. If the query can be answered from that information, the router responds to the query.

3. Otherwise, because the query cannot be answered using the hostname cache, the Cisco IOS software checks whether the DNS forwarding of queries is enabled for the view. If so, the router sends the query to each of the configured name servers, using the timeout period and number of retries specified for the view.

4. Otherwise, the router does not respond to the query.

How to Configure Split DNS

This section describes the following tasks:

Enabling Split DNS Debugging Output (optional)

Defining a DNS Name List (optional)

Defining a DNS View (required)

Defining Static Entries in the Hostname Cache for a DNS View (optional)

Defining a DNS View List (required)

Modifying a DNS View List (optional)

Adding a Member to a DNS View List Already in Use (optional)

Changing the Order of the Members of a DNS View List Already in Use (optional)

Specifying the Default DNS View List for the Router's DNS Server (required)

Specifying a DNS View List for a Router Interface (optional)

Enabling Split DNS Debugging Output

Enabling a Split DNS debug command enables output to be written at every occurrence of a DNS name list event, a DNS view event, or a DNS view list event. The router continues to generate such output until you enter the corresponding no debug command. You can use the output from the Split DNS debug commands to diagnose and resolve internetworking problems associated with Split DNS operations.


Note By default, the network server sends the output from the debug commands to the console. Sending output to a terminal (virtual console) produces less overhead than sending it to the console. Use the terminal monitor privileged EXEC command to send output to a terminal. For more information about redirecting debug command output, see the "Using Debug Commands" chapter of the Cisco IOS Debug Command Reference.


A DNS name list event can be of any of the following:

The addition or removal of a DNS name list entry (a hostname pattern and action to perform on an incoming DNS query for a hostname that matches the pattern).

The removal of a DNS name list.

A DNS view event can be any of the following:

The addition or removal of a DNS view definition.

The addition or removal of a DNS forwarding name server setting for a DNS view.

The addition or removal of a DNS resolver setting for a DNS view.

The enabling or disabling of logging of a syslog message each time a DNS view is used.

A DNS view list event can be any of the following:

The addition or removal of a DNS view list definition.

The addition or removal of a DNS view list member (a DNS view and the relative order in which it is to be checked in the view list) to or from a DNS view list.

The setting or clearing of a DNS view list assignment as the default view list for the router or to a specific interface on the router.

Perform this optional task if you want to enable the writing of an event message to syslog output for DNS name list events, view events, or view list events:

SUMMARY STEPS

1. enable

2. debug ip dns name-list

3. debug ip dns view

4. debug ip dns view-list

5. show debugging

DETAILED STEPS

Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug ip dns name-list

Example:

Router# debug ip dns name-list

(Optional) Enables the writing of DNS name list event messages.

Debugging output for DNS name lists is disabled by default.

To disable debugging output for DNS name list events, use the no form of this command.

Step 3 

debug ip dns view

Example:

Router# debug ip dns view

(Optional) Enables the writing of DNS view event messages.

Debugging output for DNS views is disabled by default.

To disable debugging output for DNS view events, use the no form of this command.

Step 4 

debug ip dns view-list

Example:

Router# debug ip dns view-list

(Optional) Enables the writing of DNS view list event messages.

Debugging output for DNS view lists is disabled by default.

To disable debugging output for DNS view list events, use the no form of this command.

Step 5 

show debugging

Example:

Router# show debugging

Displays the state of each debugging option.

Defining a DNS Name List

Perform this optional task if you need to define a DNS name list. A DNS name list is a list of hostname pattern-matching rules that could be used as an optional usage restriction on a DNS view list member.

SUMMARY STEPS

1. enable

2. configure terminal

3. no ip dns name-list name-list-number [{deny | permit} pattern]

4. ip dns name-list name-list-number {deny | permit} pattern

5. exit

6. show ip dns name-list [name-list-number]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

no ip dns name-list name-list-number [{deny | permit} pattern]

Example:

Router(config)# no ip dns name-list 500

(Optional) Clears any previously defined DNS name list.

To clear only an entry in the list, specify the deny or permit clause.

To clear the entire list, omit any clauses.

Step 4 

ip dns name-list name-list-number {deny | permit} pattern

Example:

Router(config)# ip dns name-list 500 deny .*.example.com

Creates a new entry in the specified DNS name list.

The pattern argument specifies a regular expression that will be compared to the query hostname. For a detailed description of regular expressions and regular expression pattern-matching characters, see the appendix titled "Regular Expressions" in the Cisco IOS Terminal Services Configuration Guide.

The deny keyword specifies that any name matching the specified pattern immediately terminates matching the name list with a negative result. The permit keyword specifies that any name matching the specified pattern immediately terminates matching the name list with a positive result.

Enter this command multiple times as needed to create multiple deny and permit clauses.

To apply a DNS name list to a DNS view list member, use the restrict name-group command.

Step 5 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 6 

show ip dns name-list [name-list-number]

Example:

Router# show ip dns name-list

Displays a particular DNS name list or all configured name lists.

Defining a DNS View

Perform this task to define a DNS view. A DNS view definition can be used to respond to either an incoming DNS query or an internally generated DNS query.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip dns view [vrf vrf-name] {default | view-name}

4. [no] logging

5. [no] domain lookup

6. domain name domain-name
or
domain list domain-name

7. domain name-server name-server-ip-address
or
domain name-server interface interface

8. domain multicast domain-name

9. domain retry number

10. domain timeout seconds

11. [no] dns forwarding

12. dns forwarder [vrf vrf-name] forwarder-ip-address

13. dns forwarding source-interface interface

14. end

15. show ip dns view [vrf vrf-name] [default | view-name]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip dns view [vrf vrf-name] {default | view-name}

Example:

Router(config)# ip dns view vrf vpn101 user3

Defines a DNS view and enters DNS view configuration mode.

Step 4 

[no] logging

Example:

Router(cfg-dns-view)# logging

(Optional) Enables or disables logging of a syslog message each time the DNS view is used.

Note View-specific event logging is disabled by default.

Step 5 

[no] domain lookup

Example:

Router(cfg-dns-view)# domain lookup

(Optional) Enables or disables DNS-based hostname-to-address translation for internally generated DNS queries handled using the DNS view.

Note The domain lookup capability is enabled by default.

Step 6 

domain name domain-name

or

domain list domain-name

Example:

Router(cfg-dns-view)# domain name example.com

or

Example:

Router(cfg-dns-view)# domain list example1.com

(Optional) Defines a default domain name to be used by this DNS view to complete unqualified hostnames when addressing DNS queries.

or

(Optional) Defines a list of domain names to be used by this DNS view to complete unqualified hostnames when addressing DNS queries.

The router attempts to respond to the query using the parameters specified by the selected DNS view. First, the Cisco IOS software looks in the hostname cache associated with the view. If the query can be answered from that information, the router responds to the query. Otherwise, because the query cannot be answered using the hostname cache, the router forwards the query using the configured domain name servers.

If the router is using this view to handle a DNS query for an unqualified hostname and domain lookup is enabled for the view, the Cisco IOS software appends a domain name (either a domain name from the domain name list or the default domain name) in order to perform any of the following activities:

Looking up the hostname in the name server cache.

Forwarding the query to other name servers (whether to the hosts specified as DNS forwarders in the selected view or to the limited broadcast address).

You can specify a single, default domain name, an ordered list of domain names, or both. However, the default domain name is used only if the domain list is empty.

Step 7 

domain name-server name-server-ip-address

or

domain name-server interface interface

Example:

Router(cfg-dns-view)# domain name-server 192.168.2.124

or

Example:

Router(cfg-dns-view)# domain name-server interface FastEthernet0/1

(Optional) Defines a list of name servers to be used by this DNS view to resolve internally generated DNS queries.

or

(Optional) Defines an interface on which to acquire (through DHCP or PPP interaction on the interface) the IP address of a DNS server to add to the list of DNS name servers to be used by this DNS view to resolve internally generated DNS queries.

If both of these commands are configured, DHCP or PPP interaction on the interface causes another IP address to be added to the list.

Step 8 

domain multicast domain-name

Example:

Router(cfg-dns-view)# domain multicast www.example8.com

(Optional) Specifies the IP address to use for multicast lookups handled using the DNS view.

Step 9 

domain retry number

Example:

Router(cfg-dns-view)# domain retry 4

(Optional) Defines the number of times to perform a retry when using this DNS view to send or forward DNS queries.

Note The number of retries is 2 by default.

Step 10 

domain timeout seconds

Example:

Router(cfg-dns-view)# domain timeout 5

(Optional) Defines the number of seconds to wait for a response to a DNS query sent or forwarded when using this DNS view.

Note The time to wait is 3 seconds by default.

Step 11 

[no] dns forwarding

Example:

Router(cfg-dns-view)# dns forwarding

(Optional) Enables or disables forwarding of incoming DNS queries handled using the DNS view.

Note The query forwarding capability is enabled by default.

Step 12 

dns forwarder [vrf vrf-name] forwarder-ip-address

Example:

Router(cfg-dns-view)# dns forwarder 192.168.3.240

Defines a list of name servers to be used by this DNS view to forward incoming DNS queries.

If no forwarding name servers are defined, then the configured list of domain name servers is used instead.

If no name servers are configured either, then queries are forwarded to the limited broadcast address.

Step 13 

dns forwarding source-interface interface

Example:

Router(cfg-dns-view)# dns forwarding source-interface FastEthernet0/0

Defines the interface on which to forward queries when this DNS view is used.

Step 14 

end

Example:

Router(cfg-dns-view)# end

Returns to privileged EXEC mode.

Step 15 

show ip dns view [vrf vrf-name] [default | view-name]

Example:

Router# show ip dns view vrf vpn101 user3

Displays information about a particular DNS view, a group of views (with the same view name or associated with the same VRF), or all configured DNS views.
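The following Python, added here as an illustration and not code from the Cisco documentation or from Cisco IOS, models how the view parameters set in Steps 5 through 12 combine when the view handles a query: the domain list is tried before the single default domain name, the hostname cache is consulted before anything is forwarded, and forwarding falls back from the dns forwarder list to the domain name-server list to the limited broadcast address. All view values and cache entries are constructed, and the no-dot test for an unqualified name is a simplifying assumption.

```python
LIMITED_BROADCAST = "255.255.255.255"

# Constructed view parameters mirroring the commands in this task (assumed values, not a real router).
VIEW = {
    "domain_lookup": True,                            # [no] domain lookup
    "domain_name": "example.com",                     # domain name: used only if domain_list is empty
    "domain_list": ["example1.com", "example2.com"],  # domain list: tried in order
    "name_servers": ["192.168.2.124"],                # domain name-server
    "forwarders": ["192.168.3.240"],                  # dns forwarder
    "dns_forwarding": True,                           # [no] dns forwarding
    "hostname_cache": {"www.example1.com": ["192.168.2.111", "192.168.2.112"]},
}

def candidate_names(view, hostname):
    """Names to look up for a query; unqualified names get a domain appended.
    Simplifying assumption: a name is unqualified when it contains no dot."""
    if "." in hostname or not view["domain_lookup"]:
        return [hostname]
    suffixes = view["domain_list"] or [view["domain_name"]]
    return [f"{hostname}.{suffix}" for suffix in suffixes]

def forwarding_targets(view):
    """Where an incoming query goes when the cache cannot answer it: the dns forwarder
    list, else the domain name-server list, else the limited broadcast address. With
    that last fallback any host on the attached segment can answer, which is why a view
    with neither list configured deserves a second look during configuration review."""
    if not view["dns_forwarding"]:
        return []
    return list(view["forwarders"]) or list(view["name_servers"]) or [LIMITED_BROADCAST]

def handle_incoming_query(view, hostname):
    """Try the view's hostname cache for each candidate name; otherwise forward."""
    names = candidate_names(view, hostname)
    for name in names:
        if name in view["hostname_cache"]:
            return ("cache", name, view["hostname_cache"][name])
    targets = forwarding_targets(view)
    return ("forward", names, targets) if targets else ("unanswered", names, [])
```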

Defining Static Entries in the Hostname Cache for a DNS View

Typically, it is easier to refer to network devices by symbolic names rather than numerical addresses (services such as Telnet can use hostnames or addresses). Hostnames and IP addresses can be associated with one another through static or dynamic means. Manually assigning hostname-to-address mappings is useful when dynamic mapping is not available.

Perform this optional task if you need to define static entries in the DNS hostname cache for a DNS view.

SUMMARY STEPS

1. enable

2. clear host [view view-name | vrf vrf-name | all] {hostname | *}

3. configure terminal

4. ip host [vrf vrf-name] [view view-name] hostname {ip-address1 [ip-address2...ip-address8] | additional ip-address9 [ip-address10...ip-addressn]}

5. exit

6. show hosts [vrf vrf-name] [view view-name] [all | hostname] [summary]

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

clear host [view view-name | vrf vrf-name | all] {hostname | *}

Example:

Router# clear host all *

(Optional) Removes static hostname-to-address mappings from the hostname cache for the specified DNS view or all configured views.

Use the view keyword and view-name argument to specify the DNS view whose hostname cache is to be cleared. Default is the default DNS view associated with the specified or global VRF.

Use the vrf keyword and vrf-name argument to specify the VRF associated with the DNS view whose hostname cache is to be cleared. Default is the global VRF (that is, the VRF whose name is a NULL string) with the specified or default DNS view.

Use the all keyword to specify that hostname-to-address mappings are to be deleted from the hostname cache of every configured DNS view.

Use the hostname argument to specify the name of the host for which hostname-to-address mappings are to be deleted from the specified hostname cache.

Use the * keyword to specify that all the hostname-to-address mappings are to be deleted from the specified hostname cache.

Step 3 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 4 

ip host [vrf vrf-name] [view view-name] hostname {ip-address1 [ip-address2...ip-address8] | additional ip-address9 [ip-address10...ip-addressn]}

Example:

Router(config)# ip host vrf vpn101 view user3 www.example.com 192.168.2.111 192.168.2.112

Defines static hostname-to-address mappings in the DNS hostname cache for a DNS view.

More than one DNS view can be associated with a VRF. To uniquely identify a DNS view, specify both the view name and the VRF with which it is associated.

Use the hostname argument to specify the name of the host for which hostname-to-address mappings are to be added to the specified hostname cache.

To bind more than eight addresses to a hostname, you can use the ip host command again and use the additional keyword.

Step 5 

exit

Example:

Router(config)# exit

Exits global configuration mode.

Step 6 

show hosts [vrf vrf-name] [view view-name] [all | hostname] [summary]

Example:

Router# show hosts vrf vpn101 view user3 www.example.com

(Optional) Displays the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of hostnames and addresses specific to a particular DNS view or for all configured DNS views.

More than one DNS view can be associated with a VRF. To uniquely identify a DNS view, specify both the view name and the VRF with which it is associated.

Use the all keyword if the specified hostname cache information is to be displayed for all configured DNS views.

Use the hostname argument if the specified name cache information displayed is to be limited to entries for a particular hostname.

Defining a DNS View List

Perform this task to define an ordered list of DNS views with optional, additional usage restrictions for each view list member. The router uses a DNS view list to select the DNS view that will be used to handle a DNS query.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip dns view-list view-list-name

4. view [vrf vrf-name] {default | view-name} order-number

5. restrict name-group name-list-number

6. restrict source access-group acl-number

7. exit

8. end

9. show ip dns view-list view-list-name

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip dns view-list view-list-name

Example:

Router(config)# ip dns view-list userlist5

Defines a DNS view list and enters DNS view list configuration mode.

Step 4 

view [vrf vrf-name] {default | view-name} order-number

Example:

Router(cfg-dns-view-list)# view vrf vpn101 user5 10

Defines a DNS view list member and enters DNS view list member configuration mode.

Step 5 

restrict name-group name-list-number

Example:

Router(cfg-dns-view-list-member)# restrict name-group 500

(Optional) Specifies that this DNS view list member cannot be used to respond to a DNS query unless the query hostname matches a permit clause in the specified DNS name list and none of the deny clauses.

To define a DNS name list entry, use the ip dns name-list command.

Step 6 

restrict source access-group acl-number

Example:

Router(cfg-dns-view-list-member)# restrict source access-group 99

(Optional) Specifies that this DNS view list member cannot be used to respond to a DNS query unless the source IP address of the DNS query matches the specified standard ACL.

To define a standard ACL entry, use the access-list command.

Step 7 

exit

Example:

Router(cfg-dns-view-list-member)# exit

Exits DNS view list member configuration mode.

To add another view list member to the list, go to Step 4.

Step 8 

end

Example:

Router(cfg-dns-view-list)# end

Returns to privileged EXEC mode.

Step 9 

show ip dns view-list view-list-name

Example:

Router# show ip dns view-list userlist5

Displays information about a particular DNS view list or all configured DNS view lists.
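As an added example, not from the Cisco documentation or from Cisco IOS itself, the following Python reads a constructed configuration fragment built from the ip dns name-list, ip dns view-list, view, and restrict commands of the two tasks above (Defining a DNS Name List and Defining a DNS View List) and applies their selection rules: members are ranked by order-number rather than by the order they were entered, a name list stops at the first matching deny or permit clause, and a source restriction is matched against a standard ACL with IOS wildcard masks and the implicit deny. The ACL number, name list number, view names and query values are assumptions.

```python
import re
from ipaddress import ip_address
IOS_CONFIG = """
access-list 99 permit 192.168.2.0 0.0.0.255
ip dns name-list 500 deny .*\\.corp\\.example\\.com
ip dns name-list 500 permit .*\\.example\\.com
ip dns view-list userlist5
 view default 20
 view vrf vpn101 user5 10
  restrict name-group 500
  restrict source access-group 99
"""  # constructed IOS fragment (assumed input, not taken from the page)

def parse_config(text):
    """Collect standard ACLs, DNS name lists and DNS view lists from an IOS fragment."""
    cfg, members, member = {"acls": {}, "name_lists": {}, "view_lists": {}}, None, None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "access-list":                    # access-list N {permit|deny} addr wildcard
            cfg["acls"].setdefault(w[1], []).append((w[2], w[3], w[4]))
        elif w[:3] == ["ip", "dns", "name-list"]:    # ip dns name-list N {deny|permit} pattern
            cfg["name_lists"].setdefault(w[3], []).append((w[4], re.compile(w[5])))
        elif w[:3] == ["ip", "dns", "view-list"]:
            members = cfg["view_lists"].setdefault(w[3], [])
        elif w[0] == "view":                         # view [vrf V] {default|name} order-number
            member = {"vrf": w[2] if w[1] == "vrf" else None, "view": w[-2], "order": int(w[-1]), "restrict": []}
            members.append(member)
        elif w[:2] == ["restrict", "name-group"]:
            member["restrict"].append(("name-group", w[2]))
        elif w[:3] == ["restrict", "source", "access-group"]:
            member["restrict"].append(("access-group", w[3]))
    for members in cfg["view_lists"].values():       # position values, not config order, rank members
        members.sort(key=lambda m: m["order"])
    return cfg

def name_list_permits(entries, hostname):
    """First matching clause ends the search: permit -> True, deny -> False; no match -> False."""
    for action, pattern in entries:
        if pattern.search(hostname):
            return action == "permit"
    return False

def acl_permits(entries, src_ip):
    """Standard ACL with wildcard masks; sources matching no entry hit the implicit deny."""
    for action, addr, wildcard in entries:
        keep = ~int(ip_address(wildcard))            # bits the wildcard requires to match
        if (int(ip_address(src_ip)) & keep) == (int(ip_address(addr)) & keep):
            return action == "permit"
    return False

def select_view(cfg, list_name, hostname, src_ip):
    """(vrf, view) of the first member whose restrictions the query satisfies, else None."""
    for m in cfg["view_lists"][list_name]:
        if all(name_list_permits(cfg["name_lists"][i], hostname) if kind == "name-group"
               else acl_permits(cfg["acls"][i], src_ip) for kind, i in m["restrict"]):
            return (m["vrf"], m["view"])
```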

Modifying a DNS View List

To provide for efficient management of the order of the members in a view list, each view list member definition includes the specification of the position of that member within the list. That is, the order of the members within a view list is defined by explicit specification of position values rather than by the order in which the individual members are added to the list. This enables you to perform either of the following tasks without having to remove all the view list members and then redefine the view list membership in the desired order:

Adding a Member to a DNS View List Already in Use

Changing the Order of the Members of a DNS View List Already in Use

Adding a Member to a DNS View List Already in Use

Perform this optional task if you need to add another member to a DNS view list that is already in use.

For example, suppose the DNS view list named userlist5 is already defined and in use as a default view list or as an interface-specific view list. Assume that the list consists of the following members:

DNS view user1 with position number 10

DNS view user2 with position number 20

DNS view user3 with position number 30

If you need to add DNS view user4 as the second member of the list, add that view to the list with a position number value from 11 to 19. You do not need to remove the three existing members and then add all four members to the list in the desired order.

SUMMARY STEPS