Configuring DNS

The Domain Name System (DNS) is a distributed database in which you can map host names to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated host name. The Cisco IOS XE software maintains a cache of host-name-to-address mappings for use by the connect, telnet, and ping EXEC commands, and related Telnet support operations. This cache speeds the process of converting names to addresses.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for Configuring DNS

To use DNS, you must have a DNS name server on your network.

Information About DNS

DNS Overview

If your network devices require connectivity with devices in networks for which you do not control name assignment, you can assign device names that uniquely identify your devices within the entire internetwork. The global naming scheme of the Internet, the DNS, accomplishes this task. This service is enabled by default. The following sections summarize DNS concepts and function:

Host Names for Network Devices

Each unique IP address can have an associated host name. DNS uses a hierarchical scheme for establishing host names for network nodes. This allows local control of the segments of the network through a client-server scheme. The DNS system can locate a network device by translating the host name of the device into its associated IP address.

Domains Names for Groups of Networks

IP defines a naming scheme that allows a device to be identified by its location in the IP. This is a hierarchical naming scheme that provides for domains. On the Internet, a domain is a portion of the naming hierarchy tree that refers to general groupings of networks based on organization type or geography. Domain names are pieced together with periods (.) as the delimiting characters. For example, Cisco is a commercial organization that the IP identifies by a com domain name, so its domain name is cisco.com. A specific device in this domain, the File Transfer Protocol (FTP) system, for example, is identified as ftp.cisco.com.

Name Servers

To keep track of domain names, IP has defined the concept of a name server. Name servers are programs that have complete information about their namespace portion of the domain tree and may also contain pointers to other name servers that can be used to lead to information from any other part of the domain tree. Name servers know the parts of the domain tree for which they have complete information. A name server may also store information about other parts of the domain tree. To map domain names to IP addresses, you must first identify the host names, then specify a name server, and enable the DNS service.

Cache

To speed the process of converting names to addresses, the name server maintains a database, called a cache, of host-name-to-address mappings for use by the connect, telnet, and ping EXEC commands, and related Telnet support operations. The cache stores the results from previous responses. Upon receiving a client-issued DNS query, it will check this local storage to see if the answer is available locally.

Name Resolvers

Name resolvers are programs that extract information from name servers in response to client requests. Resolvers must be able to access at least one name server. The resolver either uses that name server's information to answer a query directly or pursues the query using referrals to other names servers. A resolver will typically be a system routine that is directly accessible to user programs. Therefore, no protocol is necessary between the resolver and the user program.

Zones

The domain namespace is divided into areas called zones that are points of delegation in the DNS tree. A zone contains all domains from a certain point downward, except those for which other zones are authoritative.

Authoritative Name Servers

A name server is said to be an authority for the parts of the domain tree for which it has complete information. A zone usually has an authoritative name server, often more than one. An authoritative name server has been configured with host table information or has acquired host table information though a zone transfer (the action that occurs when a secondary DNS server starts up and updates itself from the primary server).

DNS Operation

Within an organization, you can have many name servers, but Internet clients can query only those that the root name servers know. The other name servers answer internal queries only.

A name server handles client-issued queries to the DNS server for locally defined hosts within a particular zone as follows:

  • An authoritative name server responds to DNS user queries for a domain name that is under its zone of authority by using the permanent and cached entries in its own host table. If the query is for a domain name that is under its zone of authority but for which it does not have any configuration information, the authoritative name server simply replies that no such information exists..

  • A name server that is not configured as the authoritative name server responds to DNS user queries by using information that it has cached from previously received query responses. If no device is configured as the authoritative name server for a zone, queries to the DNS server for locally defined hosts will receive nonauthoritative responses.

Name servers answer DNS queries (forward incoming DNS queries or resolve internally generated DNS queries) according to the forwarding and lookup parameters configured for the specific domain.

DNS Security

An alternating sequence of DNS public key (DNSKEY) RR sets and Delegation Signer (DS) RR sets forms a chain of signed data, with each link in the chain vouching for the next. A DNSKEY RR is used to verify the signature covering a DS RR and allows the DS RR to be authenticated. The DS RR contains a hash of another DNSKEY RR and this new DNSKEY RR is authenticated by matching the hash in the DS RR.

DNS Views

A DNS view is a set of parameters that specify how to handle a DNS query. A DNS view defines the following information:

  • Association with a VRF

  • Parameters for resolving internally generated DNS queries

  • Parameters for forwarding incoming DNS queries

  • Internal host table for answering queries or caching DNS responses


Note


The maximum number of DNS views and view lists depends on the memory of Cisco device. Configuring a large number of DNS views and view lists uses more device memory, and configuring a large number of views in the view lists uses more device processor time. For optimum performance, configure views and view list members that are required to support your Split DNS query forwarding or query resolution needs.


Restricted View Use Queries from the Associated VRF

A DNS view is always associated with a VRF— the global VRF or a named VRF, so as to limit the view usage in handling DNS queries that arrive on an interface matching a particular VRF:

  • A DNS view that is associated with the global VRF can be used only to handle DNS queries that arrive on an interface in the global address space.

  • A DNS view that is associated with a named VRF can be used only to handle DNS queries that arrive on an interface that matches the VRF with which the view is associated.


Note


Additional restrictions (described in DNS Views) can be placed on a view after it has been defined. Also, a single view can be referenced multiple times, with different restrictions added in each case. However, because the association of a DNS view with a VRF is specified in the DNS view definition, the VRF-specific view-use limitation is a characteristic of the DNS view definition itself and cannot be separated from the view.


Parameters for Resolving Internally Generated DNS Queries

  • Domain lookup—Enabling or disabling of DNS lookup to resolve hostnames for internally generated queries.

  • Default domain name—Default domain to append to hostnames without a dot.

  • Domain search list—List of domain names to try for hostnames without a dot.

  • Domain name for multicast lookups—IP address to use for multicast address lookups.

  • Domain name servers—List of name servers to use to resolve domain names for internally generated queries.

  • Resolver source interface—Source interface to use to resolve domain names for internally generated queries.

  • Round-robin rotation of IP addresses—Enabling or disabling of the use of a different IP address associated with the domain name in cache each time hostnames are looked up.

Parameters for Forwarding Incoming DNS Queries

The following parameters define how to forward incoming DNS queries:

  • Forwarding of queries—Enabling or disabling of forwarding of incoming DNS queries.

  • Forwarder addresses—List of IP addresses to use to forward incoming DNS queries.

  • Forwarder source interface—Source interface to use to forward incoming DNS queries.

Sometimes, when a source interface is configured on a device with the split DNS feature to forward DNS queries, the device does not forward the DNS queries through the configured interface. Hence, consider the following points while forwarding the DNS queries using the source interface:

  • DNS queries are forwarded to a broadcast address when a forwarding source interface is configured and the DNS forwarder is not configured.

  • The source IP address of the forwarded query should be set to the primary IP address of the interface configured, using the dns forwarding source-interface interface command. If no such configuration exists, then the source IP address of the forwarded DNS query will be the primary IP address of the outgoing interface. DNS forwarding should be done only when the source interface configured for the DNS forwarding is active.

  • The source IP address of the DNS query for the DNS resolver functionality is set using the domain resolver source-interface interface-type number command. If there is no DNS address configured, then queries will be broadcasted to the defined source interface. DNS resolving should be done only when the source interface configured for the DNS resolving is active. See "Specifying a Source Interface to Forward DNS Queries" for the configuration steps.

DNS View Lists

A DNS view list is an ordered list of DNS views in which additional usage restrictions can be specified for any individual member in the list. The scope of these optional usage restrictions is limited to a specific member of a specific DNS view list. When the device must respond to a DNS query, the Cisco IOS software uses a DNS view list to select the DNS view that will be used to handle a DNS query.


Note


The maximum number of DNS views and view lists supported is not specifically limited but is dependent on the amount of memory on the Cisco device. Configuring a larger number of DNS views and view lists uses more device memory, and configuring a larger number of views in the view lists uses more device processor time. For optimum performance, configure no more views and view list members than needed to support your Split DNS query forwarding or query resolution needs.


Order in Which to Check the Members of a DNS View List

When a DNS view list is used to select a DNS view for handling a given DNS query, the Cisco IOS software checks each member of the view list--in the order specified by the list--and selects the first view list member whose restrictions permit the view to be used with the query that needs to be handled.

Usage Restrictions Defined for a DNS View in the View List

A DNS view list member can be configured with usage restrictions defined using access control lists (ACLs) that specify rules for selecting that view list member based on the query hostname or the query source host IP address. The two types of ACLs supported by the Split DNS view list definition are described in "DNS Name Groups".


Note


Multiple DNS view lists can be defined so that, for example, a given DNS view can be associated with different restrictions in each list. Also, different DNS view lists can include different DNS views.


Selection of the DNS View List

When the device that is acting as the DNS caching name server needs to respond to a DNS query, the Cisco IOS software uses a DNS view list to determine which DNS view can be used to handle the query:

  • If the device is responding to an incoming query that arrives on an interface for which a DNS view list is configured, the interface-specific DNS view list is used.

  • If the device is responding to an incoming query that arrives on an interface for which no specific DNS view list is configured, the default DNS view list is used.

If the device is responding to an internally generated query, no DNS view list is used to select a view; the global DNS view is used to handle the query.

The assignment of a DNS view list as the default or to an interface is described in "DNS View Groups".

Selection of a DNS View List Member

The view list members are compared, each in turn, to the characteristics of the DNS query that the device is responding to:

  1. If the query is from a different VRF than the view, the view cannot be used to address the query, so the view-selection process moves on to the next member of the view list.

  2. The specification of additional view-use restrictions is an optional setting for any view list member.

If the query list does not specify additional restrictions on the view, the view will be used to address the query, so the view-selection process is finished.

If the view list does specify additional restrictions on the view, the query is compared to those restrictions:

  • If the query characteristics fail any view-use restriction, the view cannot be used to address the query, so the view-selection process moves on to the next member of the view list.

  • If the query characteristics pass all the view-use restrictions, the view will be used to address the query. The view-selection process is finished.

  • If the view-selection process reaches the end of the selected DNS view list without finding a view list member that can handle the query, the device discards the query.

The first DNS view list member that is found to have restrictions that match the query characteristics is used to handle the query.

DNS Name Groups

The Split DNS feature supports two types of ACLs that can be used to restrict the use of a DNS view. A DNS name list or a standard IP ACL (or both) can be applied to a DNS view list member to specify view-use restrictions in addition to the VRF-specific restriction that is a part of the view definition itself.


Note


In this context, the term “group” is used to refer to the specification of a DNS name list or a standard IP ACL as a usage restriction on a view list member.


DNS View Usage Restrictions Based on the Query Hostname

A DNS name list is a named set of hostname pattern-matching rules, with each rule specifying the type of action to be performed if a query hostname matches the text string pattern in the rule. In order for a query hostname to match a name list, the hostname must match a rule that explicitly permits a matching pattern but the hostname cannot match any rules that explicitly deny a matching pattern.

DNS View Usage Restrictions Based on the Query Source IP Address

A standard IP ACL is a numbered or named set of host IP address-matching rules, with each rule specifying the type of action to be performed if an IP address matches the text string pattern in the rule. The Split DNS feature supports the use of a standard ACL as a view-use restriction based on the query source IP address. In order for a source IP address to match a name list, the IP address must match a rule that explicitly permits a matching pattern but the IP address cannot match any rules that explicitly deny a matching pattern.

DNS View Groups

The Split DNS feature provides two ways to specify the DNS view list that the Cisco IOS software is to use to select the DNS view that will be used to handle an incoming DNS query. For a query that arrives on an interface that is configured to use a particular DNS view list, the interface-specific DNS view list is used. Otherwise, the default DNS view list is used.


Note


In this context, the term “group” refers to the specification of a DNS view list as an interface-specific DNS view list or the default view list for the device.


Interface-specific View Lists

A DNS view list can be attached to a device interface. When an incoming DNS query arrives on that interface, the Cisco IOS software uses that view list to select a DNS view to use to handle the query.

Default DNS View List

A DNS view list can be configured as the default DNS view list for the device. When an incoming DNS query arrives on an interface that is not configured to use a specific view list, the Cisco IOS software uses the default view list to select the DNS view to use to handle the query.

How to Configure DNS

Mapping Host Names to IP Addresses

Perform this task to associate host names with IP addresses.

A name server is used to keep track of information associated with domain names. A name server can maintain a database of host name-to-address mappings. Each name can map to one or more IP addresses. In order to use this service to map domain names to IP addresses, you must specify a name server.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    ip host name [tcp-port-number] address1 [address2 ... address8] [mx ns srv]

    4.    Do one of the following:

    • ip domain name name
    • ip domain list name

    5.    ip name-server server-address1 [server-address2 ... server-address6]

    6.    ip domain lookup


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
     

    Enters global configuration mode.

     
    Step 3 ip host name [tcp-port-number] address1 [address2 ... address8] [mx ns srv]


    Example:
    Device(config)# ip host cisco-rtp 192.168.0.148
    Device(config)# ip host test mx 1 mx_record
    Device(config)# ip host test ns ns_record
    Device(config)# ip host test srv 0 0 0 srv_record 
     

    Defines a static host name-to-address mapping in the host name cache.

    • Typically, it is easier to refer to network devices by symbolic names rather than numerical addresses (services such as Telnet can use host names or addresses). Host names and IP addresses can be associated with one another through static or dynamic means.

    • Manually assigning host names to addresses is useful when dynamic mapping is not available.

    • Mail exchanger (mx) identifies the mail server that is responsible for handling e-mails for a given domain name.

    • Name server (ns) state the authoritative name servers for the given domain.

    • Service (srv) records specifies the location of a service.

     
    Step 4Do one of the following:
    • ip domain name name
    • ip domain list name


    Example:
    Device(config)# ip domain name cisco.com


    Example:
    Device(config)# ip domain list cisco1.com
     

    (Optional) Defines a default domain name that the Cisco IOS XE software will use to complete unqualified host names.

    or

    (Optional) Defines a list of default domain names to complete unqualified host names.

    • You can specify a default domain name that the Cisco IOS XE software will use to complete domain name requests. You can specify either a single domain name or a list of domain names. Any host name that does not contain a complete domain name will have the default domain name you specify appended to it before the name is looked up.

    Note   

    If there is no domain list, the domain name that you specified with the ip domain name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain list command is similar to the ip domain name command, except that with the ip domain list command you can define a list of domains, each to be tried in turn until the system finds a match.

     
    Step 5 ip name-server server-address1 [server-address2 ... server-address6]


    Example:
    Device(config)# ip name-server 172.16.1.111 172.16.1.2
     

    Specifies one or more hosts that supply name information.

    • Specifies one or more hosts (up to six) that can function as a name server to supply name information for DNS.

     
    Step 6 ip domain lookup


    Example:
    Device(config)# ip domain lookup
     

    (Optional) Enables DNS-based address translation.

    • DNS is enabled by default. Use this command if DNS has been disabled.

     
    What to Do Next

    The name lookup system can be statically configured using the commands described in this task. Some other functions in Cisco IOS XE, such as DHCP can dynamically modify the state of the name lookup system. Use the show hosts command to display the cached host names and the DNS configuration.

    Customizing DNS

    Perform this task to customize your DNS configuration.

    In a multiple server configuration without the DNS round-robin functionality, many programs will use the first host server/IP address for the whole time to live (TTL) of the cache while using the second and third host servers/IP addresses only in the event of host failure. This behavior presents a problem when a high volume of users all arrive at the first host during the TTL time. For example, the network access server (NAS) sends out a DNS query; the DNS servers reply with a list of the configured IP addresses to the NAS. The NAS then caches these IP addresses for a given time (for example, five minutes). All users that dial in during the five minute TTL time will land on one host, the first IP address in the list.

    In a multiple server configuration with the DNS round-robin functionality, the DNS server returns the IP address of all hosts to rotate between the cache of host names. During the TTL of the cache, users are distributed among the hosts. This functionality distributes calls across the configured hosts and reduces the amount of DNS queries.

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ip domain timeout seconds

      4.    ip domain retry number

      5.    ip domain round-robin


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Device# configure terminal
       

      Enters global configuration mode.

       
      Step 3 ip domain timeout seconds


      Example:
      Device(config)# ip domain timeout 17
       

      (Optional) Specifies the amount of time to wait for a response to a DNS query.

      • If the ip domain timeout command is not configured, the Cisco IOS XE software will wait 3 seconds for a response to a DNS query.

       
      Step 4 ip domain retry number


      Example:
      Device(config)# ip domain retry 10
       

      (Optional) Specifies the number of times to retry sending DNS queries.

      • If the ip domain retry command is not configured, the Cisco IOS XE software will retry DNS queries twice.

       
      Step 5 ip domain round-robin


      Example:
      Device(config)# ip domain round-robin
       

      (Optional) Enables round-robin functionality on DNS servers.

       

      Disabling DNS Queries for ISO CLNS Addresses

      Perform this task to disable DNS queries for ISO CLNS addresses.

      If your device has both IP and ISO Connectionless Network Service (ISO CLNS) enabled and you want to use ISO CLNS network service access point (NSAP) addresses, you can use the DNS to query these addresses, as documented in RFC 1348. This feature is enabled by default.

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    no ip domain lookup nsap


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Device# configure terminal
         

        Enters global configuration mode.

         
        Step 3 no ip domain lookup nsap


        Example:
        Device(config)# no ip domain lookup nsap
         

        Disables DNS queries for ISO CLNS addresses.

         

        Verifying DNS

        Perform this task to verify your DNS configuration.

        SUMMARY STEPS

          1.    enable

          2.    ping host

          3.    show hosts

          4.    debug ip domain


        DETAILED STEPS
           Command or ActionPurpose
          Step 1 enable


          Example:
          Device> enable
           

          Enables privileged EXEC mode.

          • Enter your password if prompted.

           
          Step 2 ping host


          Example:
          Device# ping cisco-rtp
           

          Diagnoses basic network connectivity.

          • After the DNS configuration is set, you can verify the DNS server by using a hostname to ping or telnet to a device.

           
          Step 3 show hosts


          Example:
          Device# show hosts
           

          Displays the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of host names and addresses.

          • After a name is resolved using DNS, use the show hosts command to view the cached hostnames and the DNS configuration.

           
          Step 4 debug ip domain


          Example:
          Device# debug ip domain
           

          Enables DNS debugging and displays DNS debugging information.

          • To view more DNS debugging options such as DNS server response debugging and so on, use the question mark (?) online help function.

           

          Defining a DNS View

          Perform this task to define a DNS view. A DNS view definition can be used to respond to either an incoming DNS query or an internally generated DNS query.

          SUMMARY STEPS

            1.    enable

            2.    configure terminal

            3.    ip dns view [vrf vrf-name] {default | view-name}

            4.    [no] dns trust name

            5.    [no] domain lookup

            6.    Do one of the following:

            • domain name domain-name
            • domain list domain-name

            7.    Do one of the following:

            • domain name-server [vrf vrf-name] name-server-ip-address
            • domain name-server interface interface

            8.    domain multicast domain-name

            9.    [no] dns forwarding

            10.    dns forwarder [vrf vrf-name] forwarder-ip-address

            11.    dns forwarding source-interface interface

            12.    end


          DETAILED STEPS
             Command or ActionPurpose
            Step 1 enable


            Example:
            Device> enable
             

            Enables privileged EXEC mode.

            • Enter your password if prompted.

             
            Step 2 configure terminal


            Example:
            Device# configure terminal
             

            Enters global configuration mode.

             
            Step 3 ip dns view [vrf vrf-name] {default | view-name}


            Example:
            Device(config)# ip dns view vrf vpn101 
            user3 
             

            Defines a DNS view and enters DNS view configuration mode.

             
            Step 4 [no] dns trust name

            Example:
            Device(cfg-dns-view)# dns trust name
             

            (Optional) Enables or disables storage of trusted keys in a view and enters DNS view configuration mode. The dns trust key enables the DNS security feature.

             
            Step 5 [no] domain lookup

            Example:
            Device(cfg-dns-view)# domain lookup 
             

            (Optional) Enables or disables DNS-based hostname-to-address translation for internally generated DNS queries handled using the DNS view.

            Note   

            The domain lookup capability is enabled by default.

             
            Step 6Do one of the following:
            • domain name domain-name
            • domain list domain-name


            Example:
            Device(cfg-dns-view)# domain name example.com


            Example:
            Device(cfg-dns-view)# domain list example1.com
             

            (Optional) Defines a default domain name to be used by this DNS view to complete unqualified hostnames when addressing DNS queries.

            or

            (Optional) Defines a list of domain names to be used by this DNS view to complete unqualified hostnames when addressing DNS queries.

            • The device attempts to respond to the query using the parameters specified by the selected DNS view. First, the Cisco IOS software looks in the hostname cache associated with the view. If the query can be answered from that information, the device responds to the query. Otherwise, because the query cannot be answered using the hostname cache, the device forwards the query using the configured domain name servers.

            • If the device is using this view to handle a DNS query for an unqualified hostname and domain lookup is enabled for the view, the Cisco IOS software appends a domain name (either a domain name from the domain name list or the default domain name) in order to perform any of the following activities:
              • Looking up the hostname in the name server cache.
              • Forwarded the query to other name servers (whether to the hosts specified as DNS forwarders in the selected view or to the limited broadcast address).
            • You can specify a single, default domain name, an ordered list of domain names, or both. However, the default domain name is used only if the domain list is empty.

             
            Step 7Do one of the following:
            • domain name-server [vrf vrf-name] name-server-ip-address
            • domain name-server interface interface


            Example:
            Device(cfg-dns-view)# domain name-server 
            192.168.2.124


            Example:
            Device(cfg-dns-view)# domain name-server 
            interface FastEthernet0/1
             

            (Optional) Defines a list of name servers to be used by this DNS view to resolve internally generated DNS queries. The IP address of the name server can be an IPv4 or IPv6 address, and the IP address can be associated with a Virtual Private Network (VPN) routing and forwarding (VRF) instance.

            or

            (Optional) Defines an interface on which to acquire (through DHCP or PPP interaction on the interface) the IP address of a DNS server to add to the list of DNS name servers to be used by this DNS view to resolve internally generated DNS queries.

            • If both of these commands are configured, DHCP or PPP interaction on the interface causes another IP address to be added to the list.

             
            Step 8 domain multicast domain-name


            Example:
            Device(cfg-dns-view)# domain multicast 
            www.example8.com 
             

            (Optional) Specifies the IP address to use for multicast lookups handled using the DNS view.

             
            Step 9 [no] dns forwarding

            Example:
            Device(cfg-dns-view)# dns forwarding 
             

            (Optional) Enables or disables forwarding of incoming DNS queries handled using the DNS view.

            Note   

            The query forwarding capability is enabled by default.

             
            Step 10 dns forwarder [vrf vrf-name] forwarder-ip-address


            Example:
            Device(cfg-dns-view)# dns forwarder 192.168.3.240
             

            Defines a list of name servers to be used by this DNS view to forward incoming DNS queries.

            • The forwarder IP address can be an IPv4 or IPv6 address.

            • If no forwarding name servers are defined, then the configured list of domain name servers is used instead.

            • If no name servers are configured either, then queries are forwarded to the limited broadcast address.

             
            Step 11 dns forwarding source-interface interface


            Example:
            Device(cfg-dns-view)# dns forwarding 
            source-interface FastEthernet0/0
             

            Defines the interface on which to forward queries when this DNS view is used.

             
            Step 12 end


            Example:
            Device(cfg-dns-view)# end 
             

            Returns to privileged EXEC mode.

             

            Verifying DNS Views

            Perform this task to verify the DNS configuration.

            SUMMARY STEPS

              1.    enable

              2.    show ip dns view [vrf vrf-name] [default | view-name]

              3.    show ip dns server [vrf vrf-name] [default | view-name]

              4.    clear ip dns servers


            DETAILED STEPS
               Command or ActionPurpose
              Step 1 enable


              Example:
              Device> enable
               

              Enables privileged EXEC mode.

              • Enter your password if prompted.

               
              Step 2 show ip dns view [vrf vrf-name] [default | view-name]


              Example:
              Device# show ip dns view vrf vpn101 user3 
               

              Displays information about a particular DNS view, a group of views (with the same view name or associated with the same VRF), or all configured DNS views.

               
              Step 3show ip dns server [vrf vrf-name] [default | view-name]

              Example:
              Device# show ip dns server vrf vpn101 user3
               

              Displays information from name server cache.

               
              Step 4clear ip dns servers
               

              Cleans up server from name server cache.

               

              Defining a DNS View List

              Perform this task to define an ordered list of DNS views with optional, additional usage restrictions for each view list member. The device uses a DNS view list to select the DNS view that will be used to handle a DNS query.

              SUMMARY STEPS

                1.    enable

                2.    configure terminal

                3.    ip dns view-list view-list-name

                4.    ip dns name-list [number] [permit/deny] [name]

                5.    view [vrf vrf-name] {default | view-name} order-number

                6.    restrict name-group name-list-number

                7.    restrict source access-group acl-number

                8.    exit

                9.    end

                10.    show ip dns view-list view-list-name

                11.    show ip dns name-list number


              DETAILED STEPS
                 Command or ActionPurpose
                Step 1 enable


                Example:
                Device> enable
                 

                Enables privileged EXEC mode.

                • Enter your password if prompted.

                 
                Step 2 configure terminal


                Example:
                Device# configure terminal
                 

                Enters global configuration mode.

                 
                Step 3 ip dns view-list view-list-name


                Example:
                Device(config)# ip dns view-list userlist5
                 

                Defines a DNS view list and enters DNS view list configuration mode.

                 
                Step 4 ip dns name-list [number] [permit/deny] [name]


                Example:
                Device(config)# ip dns name-list 10
                 

                Defines a DNS name list and enters DNS name list configuration mode.

                 
                Step 5 view [vrf vrf-name] {default | view-name} order-number


                Example:
                Device(cfg-dns-view-list)# view vrf vpn101 
                user5 10 
                 

                Defines a DNS view list member and enters DNS view list member configuration mode.

                 
                Step 6 restrict name-group name-list-number


                Example:
                Device(cfg-dns-view-list-member)# restrict 
                name-group 500
                 

                (Optional) Specifies that this DNS view list member cannot be used to respond to a DNS query unless the query hostname matches a permit clause in the specified DNS name list and none of the deny clauses.

                • To define a DNS name list entry, use the ip dns name-list command.

                 
                Step 7 restrict source access-group acl-number


                Example:
                Device(cfg-dns-view-list-member)# restrict 
                access-group 99
                 

                (Optional) Specifies that this DNS view list member cannot be used to respond to a DNS query unless the source IP address of the DNS query matches the specified standard ACL.

                • To define a standard ACL entry, use the access-list command.

                 
                Step 8 exit


                Example:
                Device(cfg-dns-view-list-member)# exit 
                 

                Exits DNS view list member configuration mode.

                • To add another view list member to the list, go to Step 4.

                 
                Step 9 end


                Example:
                Device(cfg-dns-view-list)# end 
                 

                Returns to privileged EXEC mode.

                 
                Step 10 show ip dns view-list view-list-name


                Example:
                Device# show ip dns view-list userlist5
                 

                Displays information about a particular DNS view list or all configured DNS view lists.

                 
                Step 11 show ip dns name-list number


                Example:
                Device# show ip dns name-list 5
                 

                Displays information about a particular DNS name list or all configured DNS name lists.

                 

                Modifying a DNS View List

                To provide for efficient management of the order of the members in a view list, each view list member definition includes the specification of the position of that member within the list. That is, the order of the members within a view list is defined by explicit specification of position values rather than by the order in which the individual members are added to the list. This enables you to perform either of the following tasks without having to remove all the view list members and then redefine the view list membership in the desired order:

                Adding a Member to a DNS View List Already in Use

                Perform this optional task if you need to add another member to a DNS view list that is already in use.

                For example, suppose the DNS view list named userlist5 is already defined and in use as a default view list or as an interface-specific view list. Assume that the list consists of the following members:

                • DNS view user1 with position number 10

                • DNS view user2 with position number 20

                • DNS view user3 with position number 30

                If you need to add DNS view user4 as the second member of the list, add that view to the list with a position number value from 11 to 19. You do not need to remove the three existing members and then add all four members to the list in the desired order.

                SUMMARY STEPS

                  1.    enable

                  2.    show ip dns view-list view-list-name

                  3.    configure terminal

                  4.    ip dns view-list view-list-name

                  5.    view [vrf vrf-name] {default | view-name} order-number

                  6.    end

                  7.    show ip dns view-list view-list-name


                DETAILED STEPS
                   Command or ActionPurpose
                  Step 1 enable


                  Example:
                  Device> enable
                   

                  Enables privileged EXEC mode.

                  • Enter your password if prompted.

                   
                  Step 2 show ip dns view-list view-list-name


                  Example:
                  Device# show ip dns view-list userlist5 
                   

                  Displays information about a particular DNS view list or all configured DNS view lists.

                   
                  Step 3 configure terminal


                  Example:
                  Device# configure terminal
                   

                  Enters global configuration mode.

                   
                  Step 4 ip dns view-list view-list-name


                  Example:
                  Device(config)# ip dns view-list userlist5
                   

                  Defines a DNS view list and enters DNS view list configuration mode.

                   
                  Step 5 view [vrf vrf-name] {default | view-name} order-number


                  Example:
                  Device(cfg-dns-view-list)# view user4 15 
                   

                  Defines a DNS view list member and enters DNS view list member configuration mode.

                   
                  Step 6 end


                  Example:
                  Device(cfg-dns-view-list-member)# end 
                   

                  Returns to privileged EXEC mode.

                   
                  Step 7 show ip dns view-list view-list-name


                  Example:
                  Device# show ip dns view-list userlist5 
                   

                  Displays information about a particular DNS view list or all configured DNS view lists.

                   

                  Changing the Order of the Members of a DNS View List Already in Use

                  Perform this optional task if you need to change the order of the members of a DNS view list that is already in use.

                  For example, suppose the DNS view list named userlist5 is already defined and in use as a default view list or as an interface-specific view list. Assume that the list consists of the following members:

                  • DNS view user1 with position number 10

                  • DNS view user2 with position number 20

                  • DNS view user3 with position number 30

                  If you want to move DNS view user1 to the end of the list, remove that view from the list and then add it back to the list with a position number value greater than 30. You do not need to remove the three existing members and then add the members back to the list in the desired order.

                  SUMMARY STEPS

                    1.    enable

                    2.    show ip dns view-list view-list-name

                    3.    configure terminal

                    4.    ip dns view-list view-list-name

                    5.    no view [vrf vrf-name] {default | view-name} order-number

                    6.    view [vrf vrf-name] {default | view-name} order-number

                    7.    end

                    8.    show ip dns view-list view-list-name


                  DETAILED STEPS
                     Command or ActionPurpose
                    Step 1 enable


                    Example:
                    Device> enable
                     

                    Enables privileged EXEC mode.

                    • Enter your password if prompted.

                     
                    Step 2 show ip dns view-list view-list-name


                    Example:
                    Device# show ip dns view-list userlist5 
                     

                    Displays information about a particular DNS view list or all configured DNS view lists.

                     
                    Step 3 configure terminal


                    Example:
                    Device# configure terminal
                     

                    Enters global configuration mode.

                     
                    Step 4 ip dns view-list view-list-name


                    Example:
                    Device(config)# ip dns view-list userlist5
                     

                    Defines a DNS view list and enters DNS view list configuration mode.

                     
                    Step 5 no view [vrf vrf-name] {default | view-name} order-number


                    Example:
                    Device(cfg-dns-view-list)# no view user1 10 
                     

                    Removes a DNS view list member from the list.

                     
                    Step 6 view [vrf vrf-name] {default | view-name} order-number


                    Example:
                    Device(cfg-dns-view-list)# view user1 40 
                     

                    Defines a DNS view list member and enters DNS view list member configuration mode.

                     
                    Step 7 end


                    Example:
                    Device(cfg-dns-view-list-member)# end 
                     

                    Returns to privileged EXEC mode.

                     
                    Step 8 show ip dns view-list view-list-name


                    Example:
                    Device# show ip dns view-list userlist5 
                     

                    Displays information about a particular DNS view list or all configured DNS view lists.

                     

                    Specifying the Default DNS View List for the DNS Server of the Device

                    Perform this task to specify the default DNS view list for the device’s DNS server. The device uses the default DNS view list to select a DNS view to use to handle an incoming DNS query that arrives on an interface for which no interface-specific DNS view list has been defined.

                    SUMMARY STEPS

                      1.    enable

                      2.    configure terminal

                      3.    ip dns server view-group name-list-number

                      4.    exit

                      5.    show running-config


                    DETAILED STEPS
                       Command or ActionPurpose
                      Step 1 enable


                      Example:
                      Device> enable
                       

                      Enables privileged EXEC mode.

                      • Enter your password if prompted.

                       
                      Step 2 configure terminal


                      Example:
                      Device# configure terminal
                       

                      Enters global configuration mode.

                       
                      Step 3 ip dns server view-group name-list-number


                      Example:
                      Device(config)# ip dns server view-group 500
                       

                      Configures the default DNS view list for the device’s DNS server.

                       
                      Step 4 exit


                      Example:
                      Device(config)# exit 
                       

                      Exits global configuration mode.

                       
                      Step 5 show running-config


                      Example:
                      Device# show running-config
                       

                      Displays information about how DNS view lists are applied. The default DNS view list, if configured, is listed in the default DNS view information as the argument for the ip dns server view-group command.

                       

                      Specifying a DNS View List for a Device Interface

                      Perform this optional task if you need to specify a DNS view list for a particular device interface. The device uses that view list to select a DNS view to use to handle a DNS query that arrives on that interface.

                      SUMMARY STEPS

                        1.    enable

                        2.    configure terminal

                        3.    interface interface

                        4.    ip dns view-group view-list-name

                        5.    end

                        6.    show running-config


                      DETAILED STEPS
                         Command or ActionPurpose
                        Step 1 enable


                        Example:
                        Device> enable
                         

                        Enables privileged EXEC mode.

                        • Enter your password if prompted.

                         
                        Step 2 configure terminal


                        Example:
                        Device# configure terminal
                         

                        Enters global configuration mode.

                         
                        Step 3 interface interface


                        Example:
                        Device(config)# interface ATM2/0
                         

                        Configures an interface type and enter interface configuration mode so that the specific interface can be configured.

                         
                        Step 4 ip dns view-group view-list-name


                        Example:
                        Device(config-if)# ip dns view-group userlist5
                         

                        Configures the DNS view list for this interface on the device.

                         
                        Step 5 end


                        Example:
                        Device(config-if)# end 
                         

                        Returns to privileged EXEC mode.

                         
                        Step 6 show running-config


                        Example:
                        Device# show running-config
                         

                        Displays information about how DNS view lists are applied. Any DNS view lists attached to interfaces are listed in the information for each individual interface, as the argument for the ip dns view-group command.

                         

                        Specifying a Source Interface to Forward DNS Queries

                        Perform this optional task if you need to specify a source interface to forward the DNS queries.

                        SUMMARY STEPS

                          1.    enable

                          2.    configure terminal

                          3.    ip dns view [vrf vrf-name] {default | view-name}

                          4.    domain resolver source-interface interface-type number

                          5.    end


                        DETAILED STEPS
                           Command or ActionPurpose
                          Step 1 enable


                          Example:
                          Device> enable
                           

                          Enables privileged EXEC mode.

                          • Enter your password if prompted.

                           
                          Step 2 configure terminal


                          Example:
                          Device# configure terminal
                           

                          Enters global configuration mode.

                           
                          Step 3 ip dns view [vrf vrf-name] {default | view-name}


                          Example:
                          Device(config)# ip dns view vrf vpn32 user3
                           

                          Creates the DNS view of the specified name associated with the specified VRF instance and then enters DNS view configuration mode.

                           
                          Step 4 domain resolver source-interface interface-type number


                          Example:
                          Device(cfg-dns-view)# domain resolver source-interface fastethernet 0/0
                           

                          Sets the source IP address of the DNS queries for the DNS resolver functionality.

                           
                          Step 5 end


                          Example:
                          Device(config-if)# end 
                           

                          (Optional) Returns to privileged EXEC mode.

                           

                          Configuration Examples for DNS

                          Example: Creating a Domain List with Alternate Domain Names

                          The following example establishes a domain list with several alternate domain names:

                          ip domain list csi.com
                          ip domain list telecomprog.edu
                          ip domain list merit.edu

                          Example: Mapping Host Names to IP Addresses

                          The following example configures the host-name-to-address mapping process. IP DNS-based translation is specified, the addresses of the name servers are specified, and the default domain name is given.

                          ! IP DNS-based host name-to-address translation is enabled
                          ip domain lookup
                          ! Specifies hosts 192.168.1.111 and 192.168.1.2 as name servers
                          ip name-server 192.168.1.111 192.168.1.2
                          ! Defines cisco.com as the default domain name the device uses to complete
                          ! Set the name for unqualified host names
                          ip domain name cisco.com

                          Example: Customizing DNS

                          The following example shows the ip dns servers.

                          show ip dns server
                          
                             IP            VRF      TTL(s)   RTT(ms)  RTO(ms)  EDNS  DNSSEC  RECURSION
                          -----------------------------------------------------------------------------
                          2::1             red      628      1451     1451      Yes     Yes     Yes   
                          172.168.10.1              875      1787     1787      Yes     Yes     Yes   
                          2.2.2.1          red      606      1447     1447      Yes     Yes     Yes   
                          1::1                      207      300      300       Yes     Yes     Yes   
                          1.1.1.1                   179      242      242       Yes     Yes     Yes 

                          Example: Split DNS View Lists Configured with Different View-use Restrictions

                          The following example shows how to define two DNS view lists, userlist1 and userlist2. Both view lists comprise the same three DNS views:

                          • DNS view user1 that is associated with the usergroup10 VRF

                          • DNS view user2 that is associated with the usergroup20 VRF

                          • DNS view user3 that is associated with the usergroup30 VRF

                          Both view lists contain the same DNS views, specified in the same order:

                          ip dns view-list userlist15 
                           view vrf usergroup100 user1 10 
                            restrict name-group 121 
                            exit
                          view vrf usergroup200 user2 20 
                            restrict name-group 122 
                            exit
                          view vrf usergroup300 user3 30 
                            restrict name-group 123 
                            exit
                          !
                          exit
                          ip dns view-list userlist16 
                           view vrf usergroup100 user1 10 
                            restrict name-group 121 
                            restrict source access-group 71 
                            exit
                           view vrf usergroup200 user2 20 
                            restrict name-group 122 
                            restrict source access-group 72 
                            exit
                           view vrf usergroup300 user3 30 
                            restrict name-group 123 
                            restrict source access-group 73 
                            exit
                          exit
                          

                          The two DNS view lists differ, though, in the usage restrictions placed on their respective view list members. DNS view list userlist15 places only query hostname restrictions on its members while view list userlist16 restricts each of its members on the basis of the query hostname and the query source IP address:

                          • Because the members of userlist15 are restricted only based on the VRF from which the query originates, userlist15 is typical of a view list that can be used to select a DNS view for handling DNS requests from internal clients.

                          • Because the members of userlist16 are restricted not only by the query VRF and query hostname but also by the query source IP address, userlist16 is typical of a view list that can be used to select a DNS view for handling DNS requests from external clients.

                          Additional References for Configuring DNS

                          Related Documents

                          Related Topic Document Title

                          Master Command List

                          Cisco IOS Master Command List

                          IP Addressing Services Command Reference

                          Cisco IOS IP Addressing Services Command Reference

                          Standards and RFCs

                          Standard/RFC Title

                          RFC 1348

                          DNS NSAP Resource Records

                          MIBs

                          MIB MIBs Link

                          No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

                          To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

                          http:/​/​www.cisco.com/​go/​mibs

                          Technical Assistance

                          Description Link

                          The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

                          To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

                          Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

                          http:/​/​www.cisco.com/​support

                          Feature Information for Configuring DNS

                          The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

                          Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

                          Table 1 Feature Information for Configuring DNS

                          Feature Name

                          Releases

                          Feature Configuration Information

                          Configuring DNS

                          Cisco IOS XE Release 2.1

                          The Domain Name System (DNS) is a distributed database in which you can map host names to IP addresses through the DNS protocol from a DNS server. Each unique IP address can have an associated host name. The Cisco IOS XE software maintains a cache of host name-to-address mappings. This cache speeds the process of converting names to addresses.

                          Cisco IOS XE Release 3.13S

                          In Cisco IOS XE Release 3.13S, support was added for the Cisco ASR 1000 Series Routers.

                          The following commands were introduced or modified: debug ip domain, debug ip domain replies.

                          Cisco IOS XE Release 3.16S

                          In Cisco IOS XE Release 3.13S, support was added for the Cisco ASR 1000 Series Routers.

                          The following commands were introduced or modified: dns trust, clear ip dns servers.