Is there a way to stop DNA Center from inserting "ip domain lookup"?

Whenever I deploy a template configuration, DNA always adds "ip domain lookup". We have our devices set up with "no ip domain lookup", and my boss gets annoyed if he mistypes something and the device tries to resolve it. Is there any way I can tell DNA not to add that command?

thanks!

Accepted Solution

Preston Chilcote
Cisco Employee

I asked around Cisco and learned today that a better way of pleasing your boss (I think many of us share his sentiment) is to configure "transport preferred none" on all your vtys. Then you can let Cat Center do whatever it wants with the "ip domain lookup" command! One advantage of leaving domain lookup enabled is that traceroutes will try to show you hostnames instead of just IPs.

"transport preferred lat" is the default and was set back in the 90s, when the lines on a Cisco device were used for real (old) protocols, not just the SSH and (sometimes) Telnet we've been using for the last 20 years. It's probably time we changed the default to "none", as I've seen many users mention this frustration.

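The accepted answer as a config fragment, added here for reference (it is not from the original post or from Cisco documentation). The name-server address is an assumed placeholder from the documentation range, and the vty ranges are for illustration; use the ranges your platform actually has.

```text
! Starting point (what Catalyst Center leaves behind): DNS lookup is on and
! the lines keep their default preferred transport, so a mistyped exec
! command is treated as a hostname, looked up, and then connected to.
ip domain lookup
! assumed name-server address (documentation range); yours will differ
ip name-server 192.0.2.53
!
line vty 0 4
 transport input ssh
!
! Fix from the accepted answer: leave "ip domain lookup" as pushed, but give
! the lines no preferred transport, so an unknown word at the prompt is
! rejected instead of triggering a connection attempt. The console line gets
! the same setting, since that is where the typos usually happen.
line con 0
 transport preferred none
line vty 0 15
 transport preferred none
 transport input ssh
```

After applying it, "show running-config | section line" should show "transport preferred none" under every con and vty block; a line block without it is still exposed to the typo-becomes-a-connect behaviour even though the rest of the device is fine.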

6 Replies


Thank you so much.

Hi, I'm also interested in a way to stop Catalyst Center from pushing "ip domain lookup", in particular for switches that still need to be joined through rsh connections. With domain lookup activated, they fail with %RCMD-4-RCMDDNSFAIL: DNS hostname/ip address mismatch. [MY_PRIVATE_NET_IP] unknown to DNS. One might suggest putting static host entries into the switch configs, but this is not what I would like to do :). Thanks.

no ip rcmd domain-lookup is a way to solve the issue...

hadornj
Level 1

I have this issue also; however, for me it is a STIG issue. The STIG specifically calls this out and requires the "no ip domain config" command to be implemented.

@hadornj Would you mind sharing any public STIG docs where that is called out? I think they are calling out "ip domain" configs unnecessarily because they didn't know "transport preferred none" exists. The research I did on the subject says the security concern is over trying to connect to random host names if you typo on the CLI. As discussed above, "transport preferred none" is the more appropriate way to solve that problem, so that other commands in IOS (like traceroute) can still benefit from DNS lookups for better readability.
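Since the thread ends with two competing remedies, here is an added audit script (not from the thread, Cisco, or the STIG) that checks a saved running-config for either one: "no ip domain lookup" globally (the STIG route) or "transport preferred none" on every exec line (the accepted answer). A device is reported as exposed only when DNS lookup is still on and at least one con/aux/vty block lacks the transport setting. The two sample configs are constructed; the hostname and name-server address are placeholders, and both spellings of the lookup command ("ip domain lookup" and the older "ip domain-lookup") are handled.

```python
"""Audit an IOS/IOS-XE running-config for the "typo becomes a connect attempt"
behaviour discussed in the thread.  Added example; not Cisco code."""
import re

# Constructed sample: what a device looks like after Catalyst Center pushes
# "ip domain lookup" and nothing protects the lines.  Addresses are placeholders.
BEFORE = """\
hostname access-sw1
ip domain lookup
ip name-server 192.0.2.53
!
line con 0
 logging synchronous
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# Constructed sample: the same device after the accepted answer's fix.
AFTER = """\
hostname access-sw1
ip domain lookup
ip name-server 192.0.2.53
!
line con 0
 logging synchronous
 transport preferred none
line vty 0 15
 transport preferred none
 transport input ssh
!
end
"""

# Exec lines whose "transport preferred" setting matters: con, aux and vty.
LINE_RE = re.compile(r"^line (con|aux|vty) \d+(?: \d+)?$")


def parse_config(config):
    """Split an IOS config into (global commands, {line block: [sub-commands]}).

    IOS indents sub-commands by one space; a "!" or a column-0 command ends the
    current block.
    """
    global_cmds, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        cmd = raw.strip()
        global_cmds.append(cmd)
        current = cmd if LINE_RE.match(cmd) else None
        if current is not None:
            blocks.setdefault(current, [])
    return global_cmds, blocks


def domain_lookup_enabled(global_cmds):
    """DNS lookup is on by default; only an explicit "no" form turns it off."""
    disabled = {"no ip domain lookup", "no ip domain-lookup"}
    return not any(cmd in disabled for cmd in global_cmds)


def lines_without_preferred_none(blocks):
    """Exec line blocks that still have a preferred transport (the default)."""
    return sorted(name for name, subs in blocks.items()
                  if "transport preferred none" not in subs)


def audit(config):
    """Return the two findings plus an overall verdict for one config text."""
    global_cmds, blocks = parse_config(config)
    lookup = domain_lookup_enabled(global_cmds)
    unprotected = lines_without_preferred_none(blocks)
    return {
        "domain_lookup": lookup,
        "unprotected_lines": unprotected,
        # A stray word at the prompt can only turn into a connect attempt when
        # DNS lookup is on AND the line it was typed on has a preferred transport.
        "exposed": lookup and bool(unprotected),
    }


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(cfg))
```

Feeding it the "before" sample reports all three line blocks as unprotected and the device as exposed; the "after" sample keeps "ip domain lookup" (so traceroute still resolves names) yet is no longer exposed. Replacing the lookup command with "no ip domain-lookup" in the "before" sample also clears the verdict, which is the STIG path the last two replies argue about.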