04-28-2023 01:34 PM
Hello, thanks in advance for any suggestions. I recently reviewed some suggestions that stated that once the initial install of Cisco Unified Communications Manager 14 is completed, it is best practice to turn off DNS for Cisco Unified Communications Manager: in particular, endpoints like IP Phones should not have DNS hostnames in their configuration; additionally, the CUCM Publisher and Subscriber should also not use DNS, and within the Enterprise Service parameters the IP address should be used and the hostnames removed from the Publisher and Subscriber hostname configuration. For Cisco Unified Communications Manager 14, are there specific reasons to use DNS hostnames for the Publisher and Subscriber, or to have DNS set up for the IP Phone endpoints? What are the disadvantages of using DNS for the IP Phones and for the Publisher and Subscriber hostnames, as well as of having DNS enabled?
Thank you for any suggestions,
04-28-2023 04:29 PM
That guidance is outdated and should be withdrawn by whoever stated it. It’s true that nearly 20 years ago, back in the Windows era (3.x & 4.x), there was a recommendation to avoid DNS dependencies. At least for Cisco, that was withdrawn around the 8.x or 9.x releases when Jabber began requiring DNS to function properly. There are some CUCM features that you cannot remove DNS dependencies on now, even if you wanted to; the Secure Service URL Enterprise Parameters for example. (TLS handshake relies on the DNS FQDN query by the client matching the CN or a SAN in the server’s cert - which is always DNS FQDN, not an IPv4 address). In present day if DNS is down you have much bigger problems than CUCM; invest in a resilient DNS infrastructure (SSO too).
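To illustrate the TLS point in the reply above, here is an added example (written for this thread, not code from Cisco or CUCM) of the RFC 6125-style reference-identity check a client performs against a server certificate. It shows why a Secure Service URL that carries an IP address instead of the FQDN fails validation unless the certificate also has an iPAddress SAN. The certificate dict mirrors the shape Python's `ssl.SSLSocket.getpeercert()` returns; its contents are constructed sample values.

```python
import ipaddress

# Constructed sample: a server cert issued to DNS names only (no iPAddress SAN).
CUCM_PUB_CERT = {
    "subject": ((("commonName", "cucm-pub.example.com"),),),
    "subjectAltName": (
        ("DNS", "cucm-pub.example.com"),
        ("DNS", "*.example.com"),
    ),
}


def _dns_name_match(pattern: str, host: str) -> bool:
    """Match one dNSName SAN pattern against a host (single left-most wildcard only)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire left-most label, must not cover a public suffix
    # (need at least two labels after it) and matches exactly one label (RFC 6125 6.4.3).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_identity_matches(cert: dict, target: str) -> bool:
    """True if `target` (hostname or IP literal) is an acceptable identity for `cert`."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only against iPAddress SANs ("IP Address" in
        # getpeercert() output); it never matches a dNSName SAN or the CN,
        # regardless of what that IP resolves to in DNS.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    if dns_names:
        return any(_dns_name_match(p, target) for p in dns_names)
    # Legacy fallback: the CN is consulted only when no dNSName SAN is present.
    for rdn in cert.get("subject", ()):
        for key, val in rdn:
            if key == "commonName" and _dns_name_match(val, target):
                return True
    return False


if __name__ == "__main__":
    for t in ("cucm-pub.example.com", "cucm-sub1.example.com", "10.10.10.5"):
        print(f"{t:25} -> {reference_identity_matches(CUCM_PUB_CERT, t)}")
```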
04-28-2023 05:01 PM
Thank you for confirming that the recommendation to minimize or remove DNS is now outdated. Is there a recommendation for how to properly configure DNS for large enterprise systems with many different sites, or anything especially important to avoid pitfalls or improper configuration for DNS? Thank you
04-28-2023 05:38 PM
Nothing glaring that I can think of but look through the SRND and Preferred Architecture for good measure. IP Phones have a local DNS cache just like any other client endpoint; they will query the DNS server(s) in their DHCP lease to resolve the CCM nodes referenced in their XML config file as well as any Phone Services. Which is to say: they don’t hit the DNS server for every single call.
One gotcha though: the default behavior of the session target command on IOS with DNS is to query for an SRV record, not A or AAAA. To force a “regular” A/AAAA query always suffix the transport layer port after the DNS FQDN. For example, session target dns:server.domain.tld:5060
04-28-2023 05:41 PM
Greatly appreciate the info, and I’ll be sure to check that out. Have a great one.