Is there a way to keep DNA from inserting ip domain lookup?

Whenever I deploy template configuration, DNA always adds ip domain lookup. We have our devices set up with no ip domain lookup, and my boss gets annoyed if he mistypes something and the device tries to resolve it. Is there any way I can tell DNA not to add that command?

thanks!


12 Replies

Preston Chilcote
Cisco Employee (Accepted Solution)

I asked around Cisco and learned today that a better way of pleasing your boss (I think many of us share his sentiment) is to configure "transport preferred none" on all your vty's. Then you can let Cat Center do whatever it wants with the "ip domain lookup" command! One advantage of leaving domain lookup enabled is that traceroutes will try to show you hostnames instead of just IPs.

"transport preferred lat" is the default and was set back in the 90's when the lines on a Cisco device were used for real (old) protocols, not just the SSH and (sometimes) Telnet we've been using for the last 20 years. It's probably time we change the default to "none", as I've seen many users mention this frustration.

 

Thank you so much

Hi, I'm also interested in a way to stop Catalyst Center from pushing "ip domain lookup", in particular for switches that still need to be joined through rsh connections. With domain lookup activated, they fail with %RCMD-4-RCMDDNSFAIL: DNS hostname/ip address mismatch. [MY_PRIVATE_NET_IP] unknown to DNS. One could suggest that I put static host ip entries into the switch configs, but this is not what I would like to do :). Thanks.

no ip rcmd domain-lookup is a way to solve the issue...
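Added example (not from this thread, and not Cisco or Catalyst Center code): a small Python audit that reads a saved "show running-config" and reports whether a device relies on "no ip domain lookup" for typo safety, whether every vty line carries the "transport preferred none" setting from the accepted answer above, and whether "no ip rcmd domain-lookup" is set for the rsh case raised just above. It covers the three settings the thread discusses in one place. Both sample configs are constructed; the hostname and domain name are placeholders. The parser assumes the usual IOS running-config layout, in which sub-commands of a "line" block are indented by one space and the enabled (default) form of "ip domain lookup" and "ip rcmd domain-lookup" is not displayed, only the "no" form.

```python
import re
from typing import Dict, List

# Constructed sample: a switch as the original poster described it, before any
# hardening. "ip domain lookup" and "ip rcmd domain-lookup" are the IOS defaults,
# so neither appears in the running-config; only the "no ..." form would show.
# The vty lines have no "transport preferred" setting of their own.
BEFORE_CONFIG = """\
!
hostname sw-access-01
!
ip domain name example.test
!
line con 0
 exec-timeout 10 0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input ssh
!
end
"""

# Constructed sample after applying the fix from the accepted answer: domain
# lookup is left enabled (traceroute still resolves names), every vty gets
# "transport preferred none", and rsh hostname checks are disabled as in the
# "no ip rcmd domain-lookup" reply.
AFTER_CONFIG = """\
!
hostname sw-access-01
!
ip domain name example.test
no ip rcmd domain-lookup
!
line con 0
 exec-timeout 10 0
line vty 0 4
 transport preferred none
 transport input ssh
line vty 5 15
 transport preferred none
 transport input ssh
!
end
"""


def _global_commands(config: str) -> List[str]:
    """Top-level (non-indented) commands; comment and blank lines dropped."""
    return [l.strip() for l in config.splitlines()
            if l.strip() and not l.startswith((" ", "!"))]


def _line_blocks(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' block (con, aux, vty) to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
    return blocks


def audit_config(config: str) -> dict:
    """Report the three settings discussed in the thread for one running-config."""
    glob = _global_commands(config)
    # Only the explicit "no" form means disabled; absence means the IOS default.
    # Both spellings are accepted because older IOS prints "ip domain-lookup".
    dns_lookup = not any(re.fullmatch(r"no ip domain[ -]lookup", c) for c in glob)
    rcmd_lookup = "no ip rcmd domain-lookup" not in glob
    vty_missing = [name for name, cmds in _line_blocks(config).items()
                   if name.startswith("line vty")
                   and "transport preferred none" not in cmds]
    return {
        "dns_lookup_enabled": dns_lookup,
        "rcmd_dns_check_enabled": rcmd_lookup,
        "vty_without_transport_preferred_none": vty_missing,
        # A mistyped command is handed to the preferred transport (and so to
        # DNS) only when name resolution is on AND a vty still has a preferred
        # transport. Either fix alone closes that path.
        "cli_typo_triggers_dns": dns_lookup and bool(vty_missing),
    }


def remediation(config: str) -> List[str]:
    """IOS commands that close the typo-lookup path without touching 'ip domain lookup'."""
    cmds: List[str] = []
    for name in audit_config(config)["vty_without_transport_preferred_none"]:
        cmds += [name, " transport preferred none"]
    return cmds


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(label, audit_config(cfg))
        print("\n".join(remediation(cfg)))
```

Because the check keys on the vty setting rather than on "ip domain lookup", it stays green after Catalyst Center re-pushes the global command, which is the point of the accepted answer; a device still carrying "no ip domain lookup" is reported as safe from the typo lookup but with DNS-based traceroute names unavailable.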

hadornj
Level 1

I have this issue also; however, for me it is a STIG issue. The STIG specifically calls this out and requires that the "no ip domain config" command be implemented.

@hadornj Would you mind sharing any public STIG docs where that is called out? I think they are calling out "ip domain" configs unnecessarily because they didn't know "transport preferred none" exists. The research I did on the subject says the security concern is over trying to connect to random host names if you typo on the CLI. As discussed above, "transport preferred none" is the more appropriate way to solve that problem, so that other commands in IOS (like traceroute) can still benefit from DNS lookups for better readability.

chaissos
Level 1

I've been looking for a way to remove the "ip domain-lookup" command, too. We have Catalyst Center Version 2.3.7.7-70047. As with @hadornj, we have the same STIG requirements. Whenever the suite touches a switch it forces the command back into the config. It's a constant battle to have SolarWinds remove it - and then it just comes back again.

I don't understand why so many other options are being offered - none of which meet the STIG requirement. Is it really that hard-coded we can't fix it?

@chaissos Are you sure this is still a STIG requirement? ChatGPT says this requirement is from 2018, and the link it gave me to the referenced finding ID "V-3020" is dead. I looked through the current STIG viewer for all the current Cisco-related ones and I don't see any DNS-related findings.

As I mentioned above, the correct way to fix this problem is actually to configure "transport preferred none" on the vty.

chaissos
Level 1

@Preston Chilcote I tried your solution, and it doesn't fix the terribly slow response times from the switch to any commands entered, either in global enable or config mode. In a large, active network we're changing interfaces pretty regularly. Waiting for extensive periods just slows us all down. STIG requirement or not, everything just crawls.

This turns a quick, responsive switch into one that's about as slow as a Juniper. I never thought I'd make that comparison, but there you go.

If you can fix that, I'll be happy to implement a working solution throughout the network. Until then, we're just pushing "no ip domain lookup" over and over.

Preston Chilcote
Cisco Employee

@chaissos "transport preferred none" and "ip domain lookup" should only have an effect if you are mistyping commands. If you are seeing slowness in valid IOS commands, please open a TAC case for investigation. I don't know why "ip domain lookup" would have any effect on valid IOS commands.

chaissos
Level 1

@Preston Chilcote Couple simple commands I used to test (from a new SSH connection):

sh run int gi1/0/1

sh run

conf t

Those should all be fine, unless it's expecting me to now enter the entire command (like show running-config). That would be a departure from everything Cisco has done with commands for a long time. We've been told for (how long now?) a really long time that "write" was going away and to get used to copy run start... but it's still there. For a lot of IT folks who have been configuring Cisco devices since the 90's, we still use the old form as long as it's supported.

Even just logging in takes longer than usual. We have ISE as the TACACS function, and it's normally pretty quick - not with the domain lookup enabled.

I can't explain it....wish I could. I could start debugging...if I had a lot of time to spare.

Preston Chilcote
Cisco Employee

Those shortened command formats are still fine to use. 

You would know if IOS is not recognizing the commands because it will report something like this when a typo occurs:

Router> foo
Translating "foo"...domain server (255.255.255.255)

There are some TACACS-related configs that could be causing your described behavior too. If you DM me a show run and show version from a device you know has seen slowness, I can take a quick look.