redirect DNS request

Marco83 · ‎04-26-2021

Hi All,

How can forward any DNS requests to my internal DNS server?

The router is configured with a NAT address of the LAN network on the WAN interface.

My DNS server is 192.168.255.1 (remote site)

interface WAN
ip add 10.10.10.1 255.255.255.252
ip nat outside

interface LAN
ip add 192.168.0.1 255.255.255.0
ip nat inside

ip nat inside source list 1 interface WAN overload

access-list 1 permit 192.168.0.0 0.0.0.255

ip route 0.0.0.0 0.0.0.0 10.10.10.2

Thanks,

balaji.bandi · ‎04-26-2021

How do you reach this network ? "My DNS server is 192.168.255.1 (remote site)"

Via WAN ? or VPN ?

ip route 0.0.0.0 0.0.0.0 10.10.10.2 - is this route to connect other side (where the DNS Server Located ?)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marco83 · ‎04-27-2021

The server DNS 192.168.255.1 is reachable via VPN MPLS (other branch connected in a MPLS Service Provider).

ip route 0.0.0.0 0.0.0.0 10.10.10.2 - is this route to connect other side (where the DNS Server Located ?) -----> no, is the default route vs PE interface.

Thank you

Marco

balaji.bandi · ‎04-27-2021

As long as VPN Tunnel UP user can able to resolve the DNS IP address to resolve - that should work.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marco83 · ‎04-27-2021

I do not have a VPN tunnel, my branches are connected via L3 VPN any to any.

All LAN host browse internet with google DNS but this is wrong.

All branch routers must redirect all DNS request to my internal DNS (I cannot change DNS on hosts )

Thank you

M

balaji.bandi · ‎04-27-2021

All branch routers must redirect all DNS request to my internal DNS (I cannot change DNS on hosts )

Sure you can setup in DHCP what DNS Server to use - Hope you are using DHCP Server for the IP allocaiton ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marco83 · ‎04-27-2021

More hosts have a static IP, the customer would like to redirect all DNS requests for a security feature.

It is possibile configure it on a router? The customer does not want configure it on a firewall because it is a small device

Sorry for my english!

balaji.bandi · ‎04-27-2021

You mean all the users device already configured google DNS 8.8.8.8 ?

Then you need to do Dummy 8.8.8.8 Punch Hole locally or do some NAT

You can use NAT with redirection. Change its destination IP from 8.8.8.8 -> 192.168.255.1 with redirect target IP

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Marco83 · ‎04-29-2021

No, the customer use many DNS Servers (google, opendns, etc)

I don't know what the dns the hosts uses.

This command permit NAT 1:1 from 8.8.8.8 to 172.16.1.1 (customer DNS)

""" ip nat outside source static udp 172.16.1.1 53 8.8.8.8 53 """ NAT 1:1

It is possible configure NAT N:1 ? (N= dns google and other):(1= customer DNS)

Thank you

balaji.bandi · ‎04-29-2021

Not that i am aware that going to work. that way - you can do below test all redirect DNS request to Local DNS Server.

Access-list to match dns requests
===========
ip access-list extended mydns
permit udp any any eq 53

Route-Map to match access List
================================
route-map redirect_mydns 10
match ip address mydns
set ip next-hop 192.168.88.100
route-map redirect_mydns permit 20

apply the rule on Layer 3 Interface where it leaving the traffic
interface G0/0
ip policy route-map redirect_mydns

Verification
=============
#sh access-list
#sh route-map
#sh access-list mydns

EDIT : found nat example may be helpful :

object network OBJ_ANY
subnet 0.0.0.0 0.0.0.0

object network OpenDNS_UDP
host x.x.x.x -- your DNS IP

object service DNS_UDP
service udp destination eq 53

nat (inside,outside) source dynamic any interface destination static OBJ_ANY OpenDNS_UDP service DNS_UDP DNS_UDP

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help