VRF-Aware DNS

The VRF-Aware DNS feature enables the configuration of a Virtual Private Network (VPN) routing and forwarding instance (VRF) table so that the domain name system (DNS) can forward queries to name servers using the VRF table rather than the named DNS server in the global IP address space. This feature allows DNS requests to be resolved within the appropriate Multiprotocol Label Switching (MPLS) VPN.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About VRF-Aware DNS

Domain Name System

Domain Name System (DNS) is a standard that defines a domain naming procedure used in TCP/IP. A domain is a hierarchical separation of the network into groups and subgroups with domain names identifying the structure. The named groups consist of named objects, usually devices like IP hosts, and the subgroups are domains. DNS has three basic functions:

  • Name space: This function is a hierarchical space organized from a single root into domains. Each domain can contain device names or more specific information. A special syntax defines valid names and identifies the domain names.

  • Name registration: This function is used to enter names into the DNS database. Policies are outlined to resolve conflicts and other issues.

  • Name resolution: This function is a distributed client and server name resolution standard. The name servers are software applications that run on a server and contain the resource records (RRs) that describe the names and addresses of those entities in the DNS name space. A name resolver is the interface between the client and the server. The name resolver requests information from the server about a name. A cache can be used by the name resolver to store learned names and addresses.

A DNS server can be a dedicated device or a software process running on a device. The server stores and manages data about domains and responds to requests for name conflict resolutions. In a large DNS implementation, there can be a distributed database over many devices. A server can be a dedicated cache.

VRF Mapping and VRF-Aware DNS

To keep track of domain names, IP has defined the concept of a name server, whose job is to hold a cache (or database) of names appended to IP addresses. The cached information is important because the requesting DNS will not need to query for that information again, which is why DNS works well. If a server had to query each time for the same address because it had not saved any data, the queried servers would be flooded and would crash.

A gateway for multiple enterprise customers can be secured by mapping the remote users to a VRF domain. Mapping means obtaining the IP address of the VRF domain for the remote users. By using VRF domain mapping, a remote user can be authenticated by a VRF domain-specific AAA server so that the remote-access traffic can be forwarded within the VRF domain to the servers on the corporate network.

To support traffic for multiple VRF domains, the DNS and the servers used to resolve conflicts must be VRF aware. VRF aware means that a DNS subsystem will query the VRF name cache first, then the VRF domain, and store the returned RRs in a specific VRF name cache. Users are able to configure separate DNS name servers per VRF.

VRF-aware DNS forwards queries to name servers using the VRF table. Because the same IP address can be associated with different DNS servers in different VRF domains, a separate list of name caches for each VRF is maintained. The DNS looks up the specific VRF name cache first, if a table has been specified, before sending a query to the VRF name server. All IP addresses obtained from a VRF-specific name cache are routed using the VRF table.

How to Configure VRF-Aware DNS

Defining a VRF Table and Assigning a Name Server to Enable VRF-Aware DNS

Perform this task to define a VRF table and assign a name server.

A VRF-specific name cache is dynamically created if one does not exist whenever a VRF-specific name server is configured by using the ip name-server vrf command option or a permanent name entry is configured by using the ip host vrf command option. The VRF name cache is removed whenever all name server and permanent entries in the VRF are disabled.

It is possible that multiple name servers are configured with the same VRF name. The system will send queries to those servers in turn until any of them responds, starting with the server that sent a response the last time.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip vrf vrf-name
  4. rd route-distinguisher
  5. exit
  6. ip name-server [vrf vrf-name ] server-address1 [server-address2...server-address6 ]
  7. ip domain lookup [vrf vrf-name ]

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Router> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Router# configure terminal

Enters global configuration mode.

Step 3

ip vrf vrf-name

Example:


Router(config)# ip vrf vpn1

Defines a VRF table and enters VRF configuration mode.

  • The vrf-name argument can be up to 32 characters.

Step 4

rd route-distinguisher

Example:


Router(config-vrf)# rd 100:21

Creates routing and forwarding tables for a VRF.

Step 5

exit

Example:


Router(config-vrf)# exit

Exits VRF configuration mode.

Step 6

ip name-server [vrf vrf-name ] server-address1 [server-address2...server-address6 ]

Example:


Router(config)# ip name-server vrf vpn1 172.16.1.111 172.16.1.2

Assigns the address of one or more name servers to a VRF table to use for name and address resolution.

  • The vrf keyword is optional but must be specified if the name server is used with VRF. The vrf-name argument assigns a name to the VRF.

Step 7

ip domain lookup [vrf vrf-name ]

Example:


Router(config)# ip domain lookup vrf

(Optional) Enables DNS-based address translation.

  • DNS is enabled by default. You only need to use this command if DNS has been disabled.

Mapping VRF-Specific Hostnames to IP Addresses

Perform this task to map VRF-specific hostnames to IP addresses.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. Do one of the following:
    • ip domain name [vrf vrf-name ] name
    • ip domain list [vrf vrf-name ] name

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

Do one of the following:

  • ip domain name [vrf vrf-name ] name
  • ip domain list [vrf vrf-name ] name

Example:


Device(config)# ip domain name vrf vpn1 cisco.com

Example:


Device(config)# ip domain list vrf vpn1 cisco.com

Defines a default domain name that the software will use to complete unqualified hostnames.

or

Defines a list of default domain names to complete unqualified hostnames.

  • You can specify a default domain name that the software will use to complete domain name requests. You can specify either a single domain name or a list of domain names. Any hostname that does not contain a complete domain name will have the default domain name you specify appended to it before the name is looked up.

  • The vrf keyword and vrf-name argument specify a default VRF domain name.

  • The ip domain list command can be entered multiple times to specify more than one domain name to append when doing a DNS query. The system will append each in turn until it finds a match.

Configuring a Static Entry in a VRF-Specific Name Cache

Perform this task to configure a static entry in a VRF-specific name cache.

A VRF-specific name cache is dynamically created if one does not exist whenever a name server is configured for the VRF by using the ip name-server vrf command option or a permanent name entry is configured by using the ip host vrf command option. The VRF name cache is removed whenever all name server and permanent entries in the VRF are disabled.

SUMMARY STEPS

  1. enable
  2. configure terminal
  3. ip host vrf [vrf-name ] name [tcp -port ] address1 [address2 ... address8 ] [mx ns srv ]

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

configure terminal

Example:


Device# configure terminal

Enters global configuration mode.

Step 3

ip host vrf [vrf-name ] name [tcp -port ] address1 [address2 ... address8 ] [mx ns srv ]

Example:


Device(config)# ip host vrf vpn3 company1.com 172.16.2.1
Device(config)# ip host test mx 1 mx_record
Device(config)# ip host test ns ns_record
Device(config)# ip host test srv 0 0 0 srv_record

Defines a static hostname-to-address mapping in the host cache.

  • The IP address of the host can be an IPv4 or IPv6 address, and the IP address can be associated with a Virtual Private Network (VPN) routing and forwarding (VRF) instance.

  • If the vrf keyword and vrf-name arguments are specified, then a permanent entry is created only in the VRF-specific name cache.

  • Mail exchanger (mx) identifies the mail server that is responsible for handling e-mails for a given domain name.

  • Name server (ns) state the authoritative name servers for the given domain.

  • Service (srv) records specifies the location of a service.

Verifying the Name Cache Entries in the VRF Table

Perform this task to verify the name cache entries in the VRF table.

SUMMARY STEPS

  1. enable
  2. show hosts [vrf vrf-name ] {all | hostname } [summary ]
  3. clear host [vrf vrf-name ] {all | hostname }

DETAILED STEPS

  Command or Action Purpose
Step 1

enable

Example:


Device> enable

Enables privileged EXEC mode.

  • Enter your password if prompted.

Step 2

show hosts [vrf vrf-name ] {all | hostname } [summary ]

Example:


Device# show hosts vrf vpn2

  • Displays the default domain name, the style of name lookup service, a list of name server hosts, the cached list of hostnames and addresses, and the cached list of hostnames and addresses specific to a particular Virtual Private Network (VPN).

  • The vrf keyword and vrf-name argument only display the entries if a VRF name has been configured.

  • If you enter the show hosts command without specifying any VRF, only the entries in the global name cache will display.

Step 3

clear host [vrf vrf-name ] {all | hostname }

Example:


Device# clear host vrf vpn2

(Optional) Deletes entries from the hostname-to-address global address cache or VRF name cache.

Configuration Examples for VRF-Aware DNS

Example: VRF-Specific Name Server Configuration

The following example shows how to specify a VPN named vpn1 with the IP addresses of 172.16.1.111 and 172.16.1.2 as the name servers: 


ip name-server vrf vpn1 172.16.1.111 172.16.1.2

Example: VRF-Specific Domain Name List Configuration

The following example shows how to add several domain names to a list in vpn1 and vpn2. The domain name is only used for name queries in the specified VRF. 


ip domain list vrf vpn1 company.com
ip domain list vrf vpn2 school.edu

If there is no domain list, the domain name that you specified with the ip domain name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain list command is similar to the ip domain name command, except that with the ip domain list command you can define a list of domains, each to be tried in turn until a match is found.

VRF-Specific Domain Name Configuration Example

The following example shows how to define cisco.com as the default domain name for a VPN named vpn1. The domain name is only used for name queries in the specified VRF. 


ip domain name vrf vpn1 cisco.com

Any IP hostname that does not contain a domain name (that is, any name without a dot) will have the dot and cisco.com appended to it before being looked up.

VRF-Specific IP Host Configuration Example

The following example shows how to define two static hostname-to-address mappings in the host cache for vpn2 and vpn3: 


ip host vrf vpn2 host2 10.168.7.18
ip host vrf vpn3 host3 10.12.0.2

Additional References

Related Documents

Related Topic

Document Title

VRF-aware DNS configuration tasks: Enabling VRF-aware DNS, mapping VRF-specific hostnames to IP addresses, configuring a static entry in a VRF-specific hostname cache, and verifying the hostname cache entries in the VRF table

"VRF-Aware DNS" module

DNS configuration tasks

"Configuring DNS" module

DNS commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples

Cisco IOS IP Addressing Services Command Reference

Standards

Standard

Title

None

--

MIBs

MIB

MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs

RFCs

RFC

Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.

--

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for VRF-Aware DNS

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Table 1. Feature Information for DNS

Feature Name

Releases

Feature Configuration Information

VRF-Aware DNS

Cisco IOS XE Release 2.1

The VRF-Aware DNS feature enables the configuration of a Virtual Private Network (VPN) routing and forwarding instance (VRF) table so that the domain name system (DNS) can forward queries to name servers using the VRF table rather than the named DNS server in the global IP address space. This feature allows DNS requests to be resolved within the appropriate Multiprotocol Label Switching (MPLS) VPN.