DNS lookup fails from 881 routers

Johan Olsson · ‎11-30-2013

Hi,

I have problem with dns lookup for my cisco 881 routers.
I have a copule off remote office with dynamic public ip adress and trying go get dynamic dns to work.

To updade the service the router need to connect to the dyn dns service by the domain name, but it fails.

And for example if I ping www.google.com I get the response:
Translating www.google.com...domain server (195.67.199.33) (195.67.199.34) (8.8.8.8)
% Unrecognized host or address, or protocol not running.

I have configured "ip domain name" with my domain and "ip name-server 8.8.8.8."

Can't figure out what's wrong and why the router can't resolve domain names. Any idéas?

(Name server 195.67.199.33 and 34 are from my ISP. Why are the router trying to use that when i have spceicied 8.8.8.8 as my ip name-server?
Both name servers are working if I use them from a pc behind the router so that's not the problem, but it wuld be interesting to know the router is trying to use them)

daniel.dib · ‎11-30-2013

I assume the first two addresses are received together with the IP from Telia. It looks like the Cisco router is querying all three servers when you are doing a lookup.

My guess is that you are receiving AAAA reply back but you only have IPv4 configured.

Daniel Dib
CCIE #37149

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.

Richard Burts · ‎11-30-2013

Since you have told us that these routers have dynamic IP addresses it is logical to assume that .33 and .34 are passed to the router in the DHCP assignment that gives them their IP addresses.

It would be helpful to know what happens if the 881 attempts to ping some Internet resource via IP address (and not by name so that DNS is not part of what is involved). So for example, what happens if the router attempts to ping 8.8.8.8?

It might help us to understand what is going on if you would post the output of show ip interface brief. And seeing the config of the 881 might also be helpful.

HTH

Rick

HTH

Rick

Johan Olsson · ‎12-01-2013

Hi both,

I can ping by ip, both inside and outside hosts.
It's only the dns lookup that fails.

Tested to remove my inbound access list from the outside interface and then dns lookup works

Must I allow udp port 53 to the router? Shuldn't the ip inspect that i have configured on the outside interface allow that type of traffic? (i have both inspect for tcp and udp)

Inside host have no problem to do dns lookups when I have my access list enabled.

Richard Burts · ‎12-01-2013

It is helpful to know that ping by address works and that DNS works if you remove the access list. That certainly indicates that there needs to be an entry in the access list to permit DNS traffic to the router.

HTH

Rick

HTH

Rick

daniel.dib · ‎12-04-2013

IP Inspect will work for client initiated sessions. For router generated traffic you need to enable inspection of that.

Refer to this document:

http://www.cisco.com/en/US/docs/ios/sec_data_plane/configuration/guide/sec_insp_rtr_gen_trf.pdf

If you enabled it for UDP it should catch the DNS queries coming back in.

Daniel Dib
CCIE #37149

Daniel Dib
CCIE #37149
CCDE #20160011

Please rate helpful posts.