
DNS in DHCP Pool (Internal DNS issue)

Kyujin Choi
Level 1

I know that we can set up multiple DNS servers under a DHCP pool, but I would like to make sure of the order.

I have multiple branch offices.

Let us say that Branch 1 office has a router with 10.30.1.1 as default gateway.

Our internal DNS is 10.0.0.1 and 10.0.0.2 as Pri and Sec.

My order of DNS servers is as below.

1. gateway

2. internal DNS

3. public DNS provided by ISP

I saw a couple of issues when I put the internal DNS first. The particular situation is when IPsec is not working: users could not access the internet through domain names because they had internal DNS servers which were not reachable.

But when the gateway is first in the order, I am not sure whether users are able to access internal websites, because the gateway DNS doesn't have the internal DNS records.

So, my question is this: what should be the best order for the DNS setup under DHCP among default gateway, internal DNS and public DNS? Our current setup doesn't even have the gateway address; it only has the internal DNS addresses.

ip dhcp pool ccp-pool1
 network 10.30.1.0 255.255.255.0
 domain-name test.org
 default-router 10.30.1.1
 netbios-name-server 10.30.1.1
 dns-server 10.30.1.1 10.0.0.1 10.0.0.2 24.25.5.60


7 Replies

Richard Burts
Hall of Fame

In most situations I would not expect to see the IP of the router listed in DHCP as a DNS server. In a few cases this is appropriate, but I am not sure that your router does this. And in most cases I would expect that the internal DNS would be listed first, since it should have the internal information available, and if it gets a request for something external it should be able to forward the request to an external server.

HTH

Rick

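As an added example (not part of the original thread or Cisco's code), the script below parses the pool configuration posted above and audits its dns-server list along the lines of the reply: it classifies each entry as the pool's own default router, an internal resolver, or a public resolver, and reports the default router being handed out as DNS, internal resolvers not being first, and public resolvers being mixed into the same list. The internal prefix (10.0.0.0/8) and the ordering rules are assumptions for this example, not Cisco defaults. The sample configuration is constructed from the poster's pool.

```python
"""Audit the DNS server list handed out by Cisco IOS 'ip dhcp pool' stanzas.

Added example, not from the original thread. The internal prefix list and
the ordering rules below are assumptions made for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input, copied from the pool the poster shared.
SAMPLE_CONFIG = """\
ip dhcp pool ccp-pool1
 network 10.30.1.0 255.255.255.0
 domain-name test.org
 default-router 10.30.1.1
 netbios-name-server 10.30.1.1
 dns-server 10.30.1.1 10.0.0.1 10.0.0.2 24.25.5.60
"""

# Assumption: the organisation's internal resolvers live in this prefix.
INTERNAL_RESOLVER_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class Pool:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    default_router: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)   # DHCP option 6, in order


def parse_pools(config: str) -> List[Pool]:
    """Extract name, network, default-router and dns-server from IOS config text."""
    pools: List[Pool] = []
    current: Optional[Pool] = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        match = re.match(r"ip dhcp pool (\S+)$", line)
        if match:
            current = Pool(name=match.group(1))
            pools.append(current)
            continue
        if current is None:
            continue
        parts = line.split()
        if parts[0] == "network" and len(parts) >= 3:
            current.network = ipaddress.IPv4Network(f"{parts[1]}/{parts[2]}", strict=False)
        elif parts[0] == "default-router":
            current.default_router = parts[1:]
        elif parts[0] == "dns-server":
            current.dns_servers = parts[1:]
    return pools


def classify(server: str, pool: Pool) -> str:
    """Return 'gateway', 'internal' or 'public' for one dns-server entry."""
    addr = ipaddress.ip_address(server)
    if server in pool.default_router:
        return "gateway"
    if any(addr in net for net in INTERNAL_RESOLVER_NETS):
        return "internal"
    return "public"


def audit_pool(pool: Pool) -> List[str]:
    """Return findings about the dns-server ordering of one pool."""
    roles = [classify(s, pool) for s in pool.dns_servers]
    findings: List[str] = []
    if "gateway" in roles:
        findings.append(
            f"{pool.name}: default-router handed out as DNS server; clients get no answers "
            "unless the router actually runs a DNS proxy"
        )
    if "internal" in roles and roles[0] != "internal":
        # Stub resolvers move to the next server on timeout, not on a negative
        # answer, so a non-internal server placed first hides internal names.
        findings.append(f"{pool.name}: internal resolver is not first in the list")
    if "public" in roles and "internal" in roles:
        findings.append(
            f"{pool.name}: public resolver mixed with internal ones; internal lookups "
            "leak to it and results depend on which server the client happens to use"
        )
    return findings


if __name__ == "__main__":
    for pool in parse_pools(SAMPLE_CONFIG):
        for finding in audit_pool(pool):
            print(finding)
```

Run against several branch configs concatenated, the script gives a per-pool list of what to change; a pool that lists only the internal resolvers, internal first, produces no findings.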

Thank you, Richard.

You are right. When I set up the router IP as a DNS server in the DHCP pool, it did not work.

Let me ask regarding external DNS forwarding.

I would like to know the process of external DNS.

User --> Internal website --> OK with internal DNS

User --> External website --> Internal DNS forwarding to External DNS

We have our own external DNS (ns). In this case, if the external DNS (ns) is down, are all branch users unable to resolve any external IP because the internal DNS can't get a reply from the external DNS?

2nd question)

IPsec is split-tunneled, but in this case every DNS request goes to the internal DNS, which is located at HQ, and comes back through IPsec? Usually a split tunnel doesn't send internet traffic through IPsec but directly to the internet.

3rd Question)

What is ip name-server x.x.x.x for? When I set up ip name-server 8.8.8.8 and tried to ping 8.8.8.8 from the router, it didn't work. Am I missing something?

https://supportforums.cisco.com/thread/230711

Thanks for your time and knowledge.

I do not understand your question 1) about having external as well as internal DNS.

2) you have a choice to make here. I would probably use the option that users still go to the internal DNS even though it means that some of their traffic goes over the IPSec and not directly to Internet. Or you can decide to specify that remote users use external DNS.

3) We do not have enough information to answer this question. I would say in general that if you cannot ping 8.8.8.8 from the router, there is probably some issue in the router configuration.

The link that you posted is about the difference in configuring a name server for the router itself to use or configuring a name server for clients to use. How does that relate to question 3?

HTH

Rick


Thanks Richard.

1st Question) User asks for google.com --- (through IPsec) ---> reaches the internal DNS (i.e. 10.5.5.1) --> since google.com is external, it forwards to our own external DNS (ns.test.com) ---> goes back to the user with Google's IP

Is my logic right?

2nd Question) Thanks.

3rd Question) I did "ping google.com" with ip name-server 8.8.8.8 from the router itself, but I couldn't get a ping reply. The link was about the difference between ip name-server vs dns-server in DHCP. As I understood it, if I put ip name-server 8.8.8.8, I should be able to ping (ping google.com) from the router, but I couldn't. I had ip domain-lookup and ip name-server 8.8.8.8. I was able to "ping 8.8.8.8", but "ping google.com"

Your explanation is always helpful, Thanks Richard.

I found an article about DNS proxy from the router (DNS = router). I may try this.

http://stack.nil.com/ipcorner/RouterDNS/

1) I believe that your logic is right.

2) you are welcome.

3) I see now how the link relates to question 3. Yes the difference between specifying a name server for the router itself with ip name-server or for client using dns-server is an important point.

I am glad that you told us that you did have ip domain-lookup, because that would have been my follow-up question. Can you tell us exactly what the response from the router was when you attempted ping google.com? I suspect that it is something in your router config. Can you post a sanitized copy of the router config?

Thank you for the compliment - and for the points.

HTH

Rick


I appreciate your thoughts.

You are right. When I took ZBF off the outside interface, it worked, which means my configuration was the issue for question 3. Thanks again.

Thanks for posting back with the update that the remaining issue was resolved when you removed ZBF. I am glad that my suggestions helped you to find the issues involved with this discussion. Thank you for using the rating system to mark this question as answered.

HTH

Rick
