Cisco 1821 as DNS server

Hello, I have a Cisco 1821 router acting as remote access for VPN clients, as a LAN-to-LAN VPN device and also as a LAN router. All in one.
My LAN has 192.168.23.0/24 addressing, and the router has two IP addresses: a public IP on the public interface Fa0/1
and 192.168.203.1 on the private interface Fa0/0.
I set it up as a name server for the local LAN:
ip dns server
ip host pc10 192.168.203.10
ip host pc83 192.168.203.83
ip host c1821 192.168.203.1
I did this so that local PCs on my LAN can have resolution for local addresses, since I do not have a DNS server inside my line
and I do not have an Active Directory infrastructure.
On the public IP interface my router can be queried for LOCAL IP resolution for my LAN 192.168.203.0/24; I tried from outside using the dig command.
I want to prevent this. I cannot use an ACL because I would prevent DNS queries from working in general when trying to resolve
an external IP address from inside my LAN. I just want the router to refuse DNS resolution for any query coming to the external interface,
while I want to allow only queries coming from my local LAN to the internal interface.
Is this possible in some way?
thank you
Riccardo

You are asking your IOS device to act as a split-DNS server, providing RFC 1918 addresses on internal interfaces, and global addresses (or no addresses) on the public interface.
Look at the "ip dns view" command so you can present different DNS responses by interface.
This article may help:
http://www.nil.com/ipcorner/RouterDNS/
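One way to apply the reply's suggestion to the configuration in the question, as an added example (it is not the reply's own configuration and has not been tested on an 1821): the local host entries are moved into a dedicated DNS view that is only selectable by queries arriving on Fa0/0 from the LAN, and the default view, which handles queries on every other interface including Fa0/1, is left with no host entries and no forwarding so it cannot answer anything. The view names, ACL number and the placeholder forwarder 192.0.2.53 are assumptions, and the image is assumed to include the IOS Split DNS feature (12.4(9)T or later).

```cisco
! Added example, not from the thread. Assumes IOS Split DNS support,
! LAN 192.168.203.0/24 on Fa0/0 and the public address on Fa0/1.
!
! Only LAN sources may select the "internal" view.
access-list 10 permit 192.168.203.0 0.0.0.255
!
! "internal": knows the local names and forwards everything else to the
! upstream resolver (192.0.2.53 is a placeholder for the ISP resolver).
ip dns view internal
 dns forwarding
 dns forwarder 192.0.2.53
ip host view internal pc10 192.168.203.10
ip host view internal pc83 192.168.203.83
ip host view internal c1821 192.168.203.1
!
! The default view serves any query that no view list claims, i.e.
! everything arriving on Fa0/1. The global "ip host" entries live in the
! default view, so remove them, and stop the view forwarding: the only
! thing it can now return is a failure.
no ip host pc10 192.168.203.10
no ip host pc83 192.168.203.83
no ip host c1821 192.168.203.1
ip dns view default
 no dns forwarding
!
! View list: a query is handed to "internal" only if its source address
! matches ACL 10; anything else on the LAN interface falls to "default".
ip dns view-list LAN-QUERIES
 view internal 10
  restrict source access-list 10
 view default 20
!
! Bind the list to the LAN interface only. Fa0/1 gets no view list.
interface FastEthernet0/0
 ip dns view-group LAN-QUERIES
!
ip dns server
```

To check the result, "dig @192.168.203.1 pc10" from a LAN host should return 192.168.203.10, while the same query sent to the public address from outside should get no answer (a failure or a timeout); "show ip dns view" and "show ip dns view-list" show which view handled what. One caveat for this particular router: the remote-access VPN clients decrypt on Fa0/1, so their queries land in the default view and are refused too. If they need the local names, add the VPN pool to ACL 10 and apply the list globally with "ip dns server view-group LAN-QUERIES" instead of binding it to Fa0/0; the source ACL then still keeps Internet sources out of the internal view.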

Similar Messages

  • Cisco IOS as DNS server

    Dear Community!
Could someone help me fine-tune the DNS server configuration?
I'm configuring an IOS router to act as a DNS server with the following parameters:
    ip name-server [IP #1] [IP #2]
    ip dns server
    ip domain round-robin
    ip domain name [domain.net]
    The 1st DNS server is a public DNS server accessible from Internet, the 2nd one is a private corporate DNS server accessible from a site-2-site tunnel.
The client PCs at the remote end of the IPsec tunnel should query public DNS names from the public DNS server, and the records of our private DNS domain.
Is it possible to configure a "policy" to query the corporate DNS domain from a dedicated DNS server, and the other public DNS names from the public one?
    Thanks in advance!
    Best Regards,
    Belabacsi
    from Budapest, Hungary

    Sure, it's called DNS Proxy. It's not supported on all devices, so you'll have to check.
    http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123relnt/800/rn830xc3.htm
    DNS Proxy
In virtual private network (VPN), Point-to-Point Protocol over Ethernet (PPPoE), etc. PCs connected to the LAN may get Dynamic Host Configuration Protocol (DHCP) parameters including the IP addresses of the Domain Name System (DNS) server prior to the router connecting to the WAN to get the information over IP Control Protocol (IPCP). The objective of Proxy DNS (or caching-only name server) is to enable the router to receive DNS queries on behalf of the real DNS servers and proxy for the hosts on the LAN. This enables the DHCP server to immediately send the hosts the router's own LAN address in lieu of the DNS server's IP address. The router forwards the DNS queries from local users to the real DNS servers after the WAN connection comes up and caches the DNS records in the responses. Over time, the cache includes the DNS information most often requested by the local resolvers, and this can reduce the overhead of packets to the WAN.
The router must obtain the correct DNS server information from the WAN in order for it to function as a proxy DNS server.
The global configuration command ip dns server enables DNS proxy server functionality on the router, and causes it to forward DNS queries to the actual DNS servers. The DHCP pool command dns-server address causes the router to respond to DNS queries with its own IP address.
    HTH and please rate.
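The DNS proxy described in the reply forwards every query to the same servers. The per-domain behaviour the question asks for (corporate names to the tunnel-side server, everything else to the public one) can be added on top of it with an IOS Split DNS view list keyed on a name list; the following is an added example, not code from the reply or from Cisco's documentation. It assumes an image with Split DNS support, and uses placeholders: domain.net (the question's placeholder for the private domain), 10.10.10.5 (corporate DNS reachable through the IPsec tunnel), 192.0.2.53 (public DNS) and 192.168.10.0/24 (the remote LAN).

```cisco
! Added example, not from the reply. Assumes IOS Split DNS support.
! Placeholders: domain.net, 10.10.10.5 (corporate DNS via the tunnel),
! 192.0.2.53 (public DNS), 192.168.10.0/24 (remote LAN).
!
! Name list 1 matches any name under domain.net (IOS regular expression).
ip dns name-list 1 permit .*\.domain\.net$
!
! "corp" forwards to the corporate server, "default" to the public one.
ip dns view corp
 dns forwarding
 dns forwarder 10.10.10.5
ip dns view default
 dns forwarding
 dns forwarder 192.0.2.53
!
! Queries whose name matches list 1 go to "corp"; all others to "default".
ip dns view-list SPLIT
 view corp 10
  restrict name-group 1
 view default 20
!
! Apply the list to every query the router's DNS server receives
! ("ip dns view-group" on an interface would scope it to that interface).
ip dns server view-group SPLIT
ip dns server
!
! Hand the router's own LAN address to clients instead of the upstream
! servers, so that every client query passes through the view list.
ip dhcp pool LAN
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 192.168.10.1
```

Queries the router forwards to 10.10.10.5 are sourced from the router's own address, so the crypto ACL for the site-to-site tunnel must cover that traffic, or the corporate forwarder is unreachable and names under domain.net fail while public names keep working. "show ip dns view-list" confirms the order in which the views are tried.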

  • Obtaining DNS servers automatically on Cisco ADSL routers;" not static dns with command dns-server x.x.x.x" ?


    Ok Thank you Karsten

  • Dns-server / dhcp cisco 1700

    Hi,
I wonder if I may run a few questions past you guys. We have a Cisco 1700 at one of our sites which is supposed to be managed, but due to problems with the third-party company I had to go there to perform some work.
I wanted to add in a DNS server IP. Because I don't have the enable secret (the third party won't tell us) I used the break procedure normally used for password recovery, then once in I used "copy start run".
Q: Can I make config changes this way, save the changes, then switch the config-register back and reload?
I managed to make the changes - DHCP pool - dns-server IPs, right? Changed the config-reg back and reloaded. No connectivity. Anyway I messed around with different IPs, eventually put it back to the original, powered off for 5 mins and on again and it was OK.
Q: Have I missed something out?
Q: Could reloading or powering off and on too quickly affect things?
Q: Could the router be downloading its config or something additional from a TFTP server? Is there anything I can check to confirm this in the config?
This is the DNS part of the config; all I want to do is change 1.0.84.187 for 84.33, should be simple?
    ip dhcp pool 0
    network 172.16.0.0 255.255.0.0
    default-router 172.16.0.15
    dns-server 1.0.84.8 1.0.84.187 158.152.1.43 158.152.1.58
    domain-name parkside.net
    lease infinite
Q: Is this part saying that 1.0.84.187 and 158.152.1.43 are not being used for DNS?
    no ip domain lookup
    ip name-server 1.0.84.187
    ip name-server 158.152.1.43
    ip cef
    no scripting tcl init
    no scripting tcl encdir
Sorry, I know that's long-winded. Any help on any part of my problem would be much appreciated.
    Kind regards
    J mac

    Hello,
check for any lines starting with 'boot' in the upper part of the configuration; it is very well possible that the router is configured to boot a specific file, or from a TFTP server.
    Regarding the change of the DNS server IP address, in DHCP pool configuration mode, first delete the existing line:
    no dns-server 1.0.84.8 1.0.84.187 158.152.1.43 158.152.1.58
    and reenter it:
    dns-server 1.0.84.8 1.0.84.33 158.152.1.43 158.152.1.58
The DNS servers specified with the 'ip name-server' command are used for non-DHCP clients.
    Regards,
    Nethelper

• Cisco 877W acting as a DNS server. Does it answer external DNS queries coming from the WAN?

    Hello,
    I have a Cisco 877W running on my ADSL2+ service at home.
It is set up to act as a DNS server to answer DNS queries for my LAN and has the below commands as part of its configuration:
    ip dns server
    ip dhcp pool LAN
       network 192.168.2.0 255.255.255.0
       default-router 192.168.2.254
       dns-server 8.8.8.8
My question is, when I scan my WAN IP for open ports, port 53 (DNS) is open. Does this mean my router will be acting as a DNS server for anyone on the Internet who directs DNS queries to my WAN IP?
If so, am I able to turn off port 53 towards the Internet, or do I need to add an access-list to only accept queries from my internal network?
    Thanks for your feedback.

    That's correct. The "ip dns server" command will answer queries on any interface.
    Given that your DHCP server is telling your clients to use Google DNS and not your router, I would just turn the router's DNS server off with the "no ip dns server" command.
    Setting up an ACL (and/or inspection or zone-based firewalling) on your Internet-facing interface is the best practice to protect your network in general, not just to prevent external DNS queries.
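The two measures in the reply, combined, as an added example (not the reply's own configuration). Because UDP has no connection state, a plain inbound ACL that denies port 53 would also drop replies to the LAN's own queries; stateful inspection (CBAC) of the outbound traffic opens the return path, so the inbound ACL can deny only unsolicited traffic. The interface name Dialer0, the inspection name and the ACL name are assumptions, and a firewall feature set image is assumed.

```cisco
! Added example, not from the reply. Assumes a firewall feature set image;
! Dialer0 is assumed to be the ADSL PPP interface.
!
! The DHCP pool already points clients at 8.8.8.8, so nothing on the LAN
! needs the router's DNS server: switch it off entirely.
no ip dns server
!
! Inspect traffic leaving towards the Internet; replies to LAN-originated
! DNS, TCP and UDP sessions are then allowed back in dynamically, even
! though the inbound ACL below denies them statically.
ip inspect name LAN-OUT dns
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
! If the router itself must resolve names (ip name-server), inspect its
! own traffic as well; the router-traffic keyword needs a 12.3(14)T or
! later image (assumption based on the feature's release notes).
ip inspect name LAN-OUT udp router-traffic
!
ip access-list extended WAN-IN
 remark unsolicited DNS queries towards the router or the LAN
 deny udp any any eq domain
 deny tcp any any eq domain
 remark put permits for services you publish (e.g. IPsec, SSH) here
 deny ip any any log
!
interface Dialer0
 ip access-group WAN-IN in
 ip inspect LAN-OUT out
```

After applying this, the port scan of the WAN address described in the question should show 53 as closed or filtered, lookups from the LAN should still work, and "show ip inspect sessions" lists the outbound queries whose replies are being let back in. The final "deny ip any any log" makes every other unsolicited packet visible in the log, which is usually the first thing you want once an Internet-facing ACL is in place.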

  • Internal DNS server and NAT routing issue.

    Hi -- I am not terribly experienced with DNS and I am running into an issue that I can't seem to resolve. My company.com DNS information is hosted by an outside ISP for email, web, etc... but I have configured an A record there to point to the public IP to my mac os x server (server.company.com).
We have a Cisco router configured with one-to-one NAT from the public IP to the internal IP for our server in a 192.168.15.x subnet. The same router is running DHCP and NAT on that subnet under a different public IP provided by our ISP.
    Our server is running DNS with recursion and has a "company.private" zone set up for internal services and machine names. Thus, the server is accessible via "server.company.com" from the outside and "server.company.private" from the private LAN.
    The problem is that I would like to be able to access some services simply via "server.company.com" both inside and outside the private network. Now, accessing the "server.company.com" services from the private lan does not work because the name resolves to the external IP and the external IP cannot be used internally due to NAT.
    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    I know that I could manually duplicate all entries for our domain from my ISP and host the same entries for internal clients, but it would be much easier to only have our server handle requests for itself. The server is running OS X Server 10.4.11.
    Thanks

    Is there a way to configure my internal DNS server to respond with the appropriate private address when receiving a query only to "server.company.com" and forward requests on for anything else on "company.com"?
    Ordinarily, no. Once your server thinks it is responsible for a zone (e.g. company.com) then it will answer all queries for that domain and never pass them upstream. Therefore you'd have to replicate all the zone data, including all the public records, and maintain them both.
    The one possible exception to this (I haven't tried) is to create a zone for server.company.com that has your internal address. In theory (like I said, I haven't tried this), the server should respond to 'server.company.com' lookups with its own zone data and defer all other lookups (including other company.com names since they're not in a zone it controls). Might be worth trying.

  • How to create A record on DNS server

How do I create an A record on the DNS server (Windows Server 2008) that would resolve into two IP addresses, the PUB and SUB IP addresses respectively, to enable EM redundancy in Cisco Unified Communications Manager 6.1?
Right now when the PUB fails over to the SUB the EM does not work. The phone services as well as the global directory do not work. The CUCM is fully integrated with LDAP.
Cisco recommends using an SLB but right now I am trying to use the DNS option. What I need now is how to create the A record on the DNS that would resolve into the two IP addresses of the PUB and SUB.

You can do this but your results won't be quite as expected. I've played around with this and you'll see that the request for when you press the services button will go to server A, then when you click on the EM service your request will go to server B, then the login back to server A even though you started the login session with server B and back and forth, then with the authentication information, etc. Also DNS doesn't know about the state of your servers. If a server is down you'll still have issues if the name resolves to the down IP address. As far as I've seen DNS will always round robin with multiple records for the same name (unless you use an SRV record).

  • Load balancing 2 DNS server

How do I configure the CSS to load balance 2 DNS servers?

First configure the services like this:
    service dns1
    ip address x.x.x.x
    active
    service dns2
    ip address x.x.x.x
    active
    Then configure the content rule
    owner mycompany
    content dns
    vip address x.x.x.x
    add service dns1
    add service dns2
    active
Then we need to set up something for the DNS answer:
    group dns
    vip address x.x.x.x !!!!! same as for the content rule
    add service dns1
    add service dns2
    portmap disable
    The portmap disable requires software 5.03(33) or above.
    The command is also in 5.01
    http://www.cisco.com/en/US/products/hw/contnetw/ps789/prod_release_note09186a00800ba0c6.html

  • Can't specify DHCP DNS server ip with a 255 in it

I tried to add 64.102.255.44, a valid IP address and a public DNS server, to my DHCP configuration, but the web interface says the IP must be in the range 0-254. How can I report this bug?

    Not sure which router you have, but I have a WRT54G V5 that I was able to add that IP address as a Static DNS Server without a problem....
    You may need to call the Linksys/Cisco tech support number or use an online chat to report the bug...
    Tomato 1.25vpn3.4 (SgtPepperKSU MOD) on a Buffalo WHR-HP-G54
    D-Link DSM-320 (Wired)
    Wii (Wireless) - PS3 (Wired), PSP (Wireless) - XBox360 (Wired)
    SonyBDP-S360 (Wired)
    Linksys NSLU2 Firmware Unslung 6.10 Beta unslung to a 2Gb thumb, w/1 Maxtor OneTouch III 200Gb
    IOmega StorCenter ix2 1TB NAS
    Linksys WVC54G w/FW V2.12EU
    and assorted wired and wireless PCs and laptops

  • Configure single CSS as authoritative dns server

    Hi Experts,
I have one CSS11501 acting as the load balancer, and all the servers are in a private network behind it. We need to configure an authoritative DNS server for this web domain. I want to use this CSS as the DNS server. I saw that there are some advanced configuration notes about configuring a DNS server:
    http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11000series/v6.10/configuration/advanced/guide/DNS.html
I wonder, if I only use a single server, what configuration is needed? Is there an example? Most of the documents have examples for multiple CSSs in a global server load balancing environment.
We currently only have the standard feature license. I wonder if we have to purchase the 'enhanced feature set' to implement this function?
Only the command 'add dns xxx.xxx.com' under a content rule can be used in the standard software. Is this sufficient to act as a DNS server?
    Thanks for your help in advance.

Licensing hasn't changed for the CSS in a long time,
so this old document still applies:
    http://www.cisco.com/en/US/partner/products/hw/contnetw/ps789/products_tech_note09186a0080094a76.shtml
The Enhanced feature set contains all components of the Standard feature set and also includes:
    Network Address Translation (NAT) Peering
    Domain Name Service (DNS)
Demand-Based Content Replication (Dynamic Hot Content Overflow)
    Content Staging and Replication
    Network Proximity DNS
    Content Routing Agent
    Client Side Accelerator
    Gilles.

  • Cisco Pix 501 / DNS - DNS resolution stops working over time

    Hello,
I currently have a Cisco PIX 501 with the configuration listed below. It connects to the public Internet via a cable modem and acts as a DHCP server for the local LAN.
When it first turns on, all computers obtain the correct IP settings and can access the Internet. Within 10-15 minutes, computers begin to lose access to the Internet. What's strange is that each computer that lost Internet access can ping the remote address but cannot perform an nslookup (it shows as Server UnKnown).
The DNS server is 167.206.254.2, which is the external DNS server provided by my ISP. I can ping this address but the local computer is unable to use it for domain-to-IP resolution.
The network used to have an existing Windows Small Business Server that was a DNS and WINS server. I ran dcpromo to remove the role of the server and uninstalled DNS via add/remove components.
Can someone please help me determine why the computers over time lose the ability to resolve domain names and therefore lose Internet access? Can there be some bad DNS entries created? Is there anything I can run on the local computers to further troubleshoot DNS errors? Is it possible that the existing Windows SBS server is still running DNS and therefore causing conflicts in some way?
One thing to note is that when I reset the PIX 501, everything begins to work again, but only for a short time until one by one each computer can no longer resolve domain names. Also, I noticed that once someone connects via VPN and disconnects, one of the local computers loses the ability to resolve DNS.
    Cisco Pix Config
    PIX# show config
    : Saved
    : Written by enable_15 at 08:55:56.390 UTC Fri Mar 15 2013
    PIX Version 6.3(5)
    interface ethernet0 auto
    interface ethernet1 100full
    nameif ethernet0 outside security0
    nameif ethernet1 inside security100
    enable password chiuzjKkSD33lwEw encrypted
    passwd chiuzjKkSD33lwEw encrypted
    hostname PIX
    fixup protocol dns maximum-length 512
    fixup protocol ftp 21
    fixup protocol h323 h225 1720
    fixup protocol h323 ras 1718-1719
    fixup protocol http 80
    fixup protocol rsh 514
    fixup protocol rtsp 554
    fixup protocol sip 5060
    fixup protocol sip udp 5060
    fixup protocol skinny 2000
    fixup protocol smtp 25
    fixup protocol sqlnet 1521
    fixup protocol tftp 69
names
    access-list VPNGROUP_splitTunnelAcl permit ip 192.168.2.0 255.255.255.0 any
    access-list inside_outbound_nat0_acl permit ip 192.168.2.0 255.255.255.0 192.168.3.0 255.255.255.128
    access-list outside_cryptomap_dyn_30 permit ip any 192.168.3.0 255.255.255.128
    access-list ping_acl permit icmp any any
    pager lines 24
    logging timestamp
    logging monitor debugging
    logging buffered debugging
    logging history debugging
    logging queue 0
    icmp permit any echo-reply outside
    icmp permit any unreachable outside
    icmp permit any echo outside
    mtu outside 1500
    mtu inside 1500
    ip address outside dhcp setroute
    ip address inside 192.168.2.1 255.255.255.0
    ip audit info action alarm
    ip audit attack action alarm
    ip local pool VPN 192.168.3.2-192.168.3.100 mask 255.255.255.0
    pdm location 192.168.2.0 255.255.255.0 inside
    pdm location 192.168.3.0 255.255.255.0 inside
    pdm logging informational 512
    no pdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list inside_outbound_nat0_acl
    nat (inside) 1 192.168.2.0 255.255.255.0 0 0
    access-group ping_acl in interface outside
    timeout xlate 0:05:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
    timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
    timeout sip-disconnect 0:02:00 sip-invite 0:03:00
    timeout uauth 0:05:00 absolute
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ max-failed-attempts 3
    aaa-server TACACS+ deadtime 10
    aaa-server RADIUS protocol radius
    aaa-server RADIUS max-failed-attempts 3
    aaa-server RADIUS deadtime 10
    aaa-server LOCAL protocol local
    aaa-server ACS protocol tacacs+
    aaa-server ACS max-failed-attempts 3
    aaa-server ACS deadtime 10
    aaa authentication ssh console LOCAL
    aaa authentication telnet console LOCAL
    http server enable
    http 192.168.2.0 255.255.255.0 inside
    http 192.168.3.0 255.255.255.0 inside
    no snmp-server location
    no snmp-server contact
    snmp-server community public
    no snmp-server enable traps
    floodguard enable
    sysopt connection permit-ipsec
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto dynamic-map VPNMAP 10 set transform-set ESP-3DES-MD5
    crypto dynamic-map VPNMAP 30 match address outside_cryptomap_dyn_30
    crypto dynamic-map VPNMAP 30 set transform-set ESP-3DES-MD5
    crypto map MYMAP 10 ipsec-isakmp dynamic VPNMAP
    crypto map MYMAP client authentication LOCAL
    crypto map MYMAP interface outside
    isakmp enable outside
    isakmp identity address
    isakmp nat-traversal 20
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption des
    isakmp policy 10 hash md5
    isakmp policy 10 group 1
    isakmp policy 10 lifetime 86400
    isakmp policy 30 authentication pre-share
    isakmp policy 30 encryption 3des
    isakmp policy 30 hash md5
    isakmp policy 30 group 2
    isakmp policy 30 lifetime 86400
    vpngroup VPNGRP idle-time 1800
    vpngroup VPNGROUP address-pool VPN
    vpngroup VPNGROUP dns-server 167.206.254.2
    vpngroup VPNGROUP wins-server 192.168.2.50
    vpngroup VPNGROUP default-domain advancedarthritiscarecenter.local
    vpngroup VPNGROUP split-tunnel VPNGROUP_splitTunnelAcl
    vpngroup VPNGROUP idle-time 1800
    vpngroup VPNGROUP password ********
    telnet 192.168.2.0 255.255.255.0 inside
    telnet 192.168.3.0 255.255.255.0 inside
    telnet timeout 30
    ssh 192.168.2.0 255.255.255.0 inside
    ssh 192.168.3.0 255.255.255.0 inside
    ssh timeout 60
    console timeout 0
    dhcpd address 192.168.2.2-192.168.2.33 inside
    dhcpd dns 167.206.254.2 167.206.254.2
    dhcpd lease 7200
    dhcpd ping_timeout 750
    dhcpd enable inside
    username admin password pO9NW1GJpm4IIIFK encrypted privilege 15
    username andrew password A340D92MQ0zV0hGs encrypted privilege 15
    terminal width 80
    Cryptochecksum:aacfb7d8ae07a6075baf8656a724fbec

Wow... I didn't realize this was possible. I will certainly check the logs tomorrow via the existing thread, but just to confirm, is this only true if DHCP is enabled on the PIX?
In other words, I managed to work around this issue by applying static IPs to all computers and the Internet works just fine.

  • DNS server with double NAT

    Hi All,
We are in the process of migrating to a new ISP.
With the new ISP, we have no option but double NAT (one in the Cisco router and one in the firewall).
In the test environment for the new ISP (double NAT), a desktop behind the firewall getting a dynamic IP address (which includes DNS server 192.168.0.3) took too long to resolve an external web site, but when I changed the DNS IP address to 8.8.8.8 it resolved quickly as normal.
In the current live production everything works as expected.
    Any help/ idea would be appreciated.
    Cheers

    I would agree with Christopher.
You can also make sure that your DNS servers do not have public DNS IPs set in their IP settings. Instead, public DNS IPs should be set as forwarders. Also, make sure that you use your ISP DNS servers instead of other public DNS servers for external DNS resolution.
For troubleshooting DNS lookups, you can use nslookup in debug mode for more details. I have started a Wiki about that here: http://social.technet.microsoft.com/wiki/contents/articles/29184.nslookup-for-beginners.aspx
    This posting is provided AS IS with no warranties or guarantees , and confers no rights.
    Ahmed MALEK

  • DNS Server does not resolve new generic Top Level Domain names- CNR configuration issue?

    Hi all,
    I am not sure if this is the correct community to post this question, but I will give it a try. I noticed that the users of my network cannot resolve web sites using new top level domain names, like ".education", ".international", etc. I have an internal DNS server made by Infoblox and a Cisco CNR v6.3.3.1 as an external DNS server. Infoblox uses CNR as its forwarder and CNR uses the root DNS servers for queries.
    I would think that CNR was the problem because it is an obsolete product but after speaking with a fellow engineer at another organization where they still use an older version of CNR than mine, they have no problems at all. So now I am thinking it is a setting either on Infoblox, or on CNR I need to change. I can see Infoblox is forwarding the requests to CNR but that's about it. I am not sure if CNR is discarding the request. When I do an nslookup from a PC in my network it does not matter if I set my DNS server to be the Infoblox or the CNR. Neither resolves the URL.
    Then again, no matter what I lookup using the CNR as my DNS, I only get a response with the root DNS names and IPs!
    Any help is appreciated!

    Hi Constantinos,
Have you taken a look at the Infoblox community site? We've just reposted your question there and alerted some internal SMEs that should provide a solution soon.
    https://community.infoblox.com/forum/ddi/dns-server-does-not-resolve-new-generic-top-level-domain-names-cnr-configuration-issue
    Best,
    Eric

  • DNS Server in IOS?

Does any version of IOS include a DNS server? To make a long story short, I just need one record to be resolved on a non-routed subnet and am hoping I can have a router act as a DNS server.

See the following link for IOS DNS support for NS records:
    http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ae3.html
    (ios 12.2)

  • Dns server-group DefaultDNS

I have a Cisco ASA 5510. To configure DNS, this command (dns server-group DefaultDNS) is not working.
DNS queries are not working on the ASA 5510 (no name resolving, but I can ping any IP of any website).
When I configure, only these options are showing:
    Mail-ASA(config)# dns ?
    configure mode commands/options:
      domain-lookup  Enable/Disable DNS host-to-address translation
      name-server    Specify DNS servers
      retries        Configure DNS retries
      timeout        Configure DNS query timeout
    Mail-ASA(config)# dns
Please help me. Thanks

You are right,
I have to upgrade it.
