
Cisco 1941 DNS Setup unwanted DNS servers entries.

ManIDE661
Level 1

I have a 1941 operating with a backup 3/4G Cellular and a primary WAN interface.

My issue is related to the DNS from my 3/4G interface persisting well after the interface is shutdown.

 

The Show hosts indicated 4 DNS entries when I'm running my primary WAN connection

I can see the DNS query is getting sent out to the 3/4G interface DNS entries (which is shutdown)

 

How can I prevent the unused DNS servers from persisting in the router?

 

My core problem is that the router's CLI is resolving host names but my clients are not. The CLI is resolving after it first tries the 10.x.x.x DNS servers. I'm not sure if these extra DNS entries are the issue or there is another issue.

 

 

Router info below

 

Router1#show hosts
Default domain is not set
Name/address lookup uses domain service
Name servers are 10.4.58.204, 10.4.130.164, 111.220.1.1, 111.220.2.2

 

 

Router1#show ppp interface virtual-Access 2
PPP Serial Context Info
-------------------
Interface : Vi2
PPP Serial Handle: 0x33000002
PPP Handle : 0x8F000002
SSS Handle : 0x3F000003
AAA ID : 20
Access IE : 0x13000002
SHDB Handle : 0x0
State : Up
Last State : Binding
Last Event : LocalTerm

PPP Session Info
----------------
Interface : Vi2
PPP ID : 0x8F000002
Phase : UP
Stage : Local Termination
Peer Name : auth
Peer Address : 210.234.4.69
Control Protocols: LCP[Open] IPCP[Open]
Session ID : 2
AAA Unique ID : 20
SSS Manager ID : 0x3F000003
SIP ID : 0x33000002
PPP_IN_USE : 0x11

Vi2 LCP: [Open]
Our Negotiated Options
Vi2 LCP: MRU 1492
Vi2 LCP: MagicNumber
Peer's Negotiated Options
Vi2 LCP: MRU 1492 
Vi2 LCP: AuthProto CHAP 
Vi2 LCP: MagicNumber 

Vi2 IPCP: [Open]
Our Negotiated Options
Vi2 IPCP: Address "my.ip.is.ok"
Vi2 IPCP: PrimaryDNS 111.220.1.1
Vi2 IPCP: SecondaryDNS 111.220.2.2
Peer's Negotiated Options
Vi2 IPCP: Address 210.234.4.69

 

Router1#debug domain
*Jul 12 09:04:12.031: DNS: Resending query id #9957
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#49953) to 111.220.1.1
*Jul 12 09:04:12.031: DNS: Resending query id #45169
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#40243) to 10.4.130.164
*Jul 12 09:04:12.031: DNS: Resending query id #23518
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#5937) to 10.4.130.164
*Jul 12 09:04:12.031: DNS: Resending query id #45169
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#32733) to 10.4.130.164
*Jul 12 09:04:12.031: DNS: Resending query id #23518
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#32746) to 10.4.130.164
*Jul 12 09:04:12.031: DNS: Resending query id #33552
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#41684) to 10.4.130.164
*Jul 12 09:04:12.031: DNS: Resending query id #46697
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 28, id#52040) to 10.4.58.204
*Jul 12 09:04:12.031: DNS: Resending query id #33552
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#11497) to 10.4.58.204
*Jul 12 09:04:12.043: DNS: Incoming UDP query (id#49953)
*Jul 12 09:04:12.043: DNS: Type 1 response (id#49953) for host <1.debian.pool.ntp.org> from 111.220.1.1(53)
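
A way to read the `debug domain` output above at a glance, as an added example that is not part of the original post: the script counts re-sent queries and answers per name server and lists the servers that were retried but never replied. The function names are made up for this example, and the embedded log is a subset of the lines quoted in the post.

```python
import ipaddress
import re
from collections import Counter

# Subset of the `debug domain` lines quoted in the post above.
SAMPLE_LOG = """\
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#49953) to 111.220.1.1
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#40243) to 10.4.130.164
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#5937) to 10.4.130.164
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 28, id#52040) to 10.4.58.204
*Jul 12 09:04:12.031: DNS: Re-sending DNS query (type 1, id#11497) to 10.4.58.204
*Jul 12 09:04:12.043: DNS: Incoming UDP query (id#49953)
*Jul 12 09:04:12.043: DNS: Type 1 response (id#49953) for host <1.debian.pool.ntp.org> from 111.220.1.1(53)
"""

RESEND = re.compile(r"DNS: Re-sending DNS query \(type \d+, id#\d+\) to (\S+)")
ANSWER = re.compile(r"DNS: Type \d+ response \(id#\d+\) for host <[^>]*> from ([\d.]+)\(\d+\)")


def summarize(log):
    """Count re-sent queries and received answers per name server."""
    resent, answered = Counter(), Counter()
    for line in log.splitlines():
        if m := RESEND.search(line):
            resent[m.group(1)] += 1
        elif m := ANSWER.search(line):
            answered[m.group(1)] += 1
    return resent, answered


def silent_servers(log):
    """Servers that were retried but never answered, most retries first.

    Each row is (server, resend_count, is_private). In this thread the
    private 10.x.x.x resolvers are the ones learned from the 3/4G link.
    """
    resent, answered = summarize(log)
    rows = [
        (ip, n, ipaddress.ip_address(ip).is_private)
        for ip, n in resent.items()
        if answered[ip] == 0
    ]
    return sorted(rows, key=lambda r: (-r[1], int(ipaddress.ip_address(r[0]))))


if __name__ == "__main__":
    for ip, n, private in silent_servers(SAMPLE_LOG):
        print(f"{ip}: {n} resends, no answer, private={private}")
```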

 

 

 

 


balaji.bandi
Hall of Fame
Name servers are 10.4.58.204, 10.4.130.164, 111.220.1.1, 111.220.2.2

Where did you get this name server, from your ISP?

Do you have dual uplinks going to different ISPs? When you mention the order list, it goes in order through DNS servers 1-4 and keeps trying all 4, one by one.

Another option: you can use a DNS name server, so if you go out via any ISP, DNS resolves automatically.

Is this issue on the router, or is it the same on the clients?

 

 

BB


uwe.kadner
Level 1

- What OS are you running on your clients?

- What does the network configuration related to DNS look like on your clients?

- Do the clients have static IP addressing configured?

- What does the routing table look like on your clients?

- Can you ping the DNS server IPs from your clients?

Hello
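I assume your rtr is servicing DHCP for your clients. If so, try the following and swap the addressing below to represent your rtr.

rtr
! hand out the router itself as the clients' DNS server
ip dhcp pool xxx
network 192.168.1.0 /24
default-router 192.168.1.254
dns-server 192.168.1.254
exit

! clear configured name servers, then enable the router's own DNS server
no ip name-server
ip dns server

! request DNS server addresses from the ISP over IPCP
int dialer x
ppp ipcp dns request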


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

ManIDE661
Level 1

Q: Where did you get this name server, from your ISP?
A: They are assigned by the ISP via the "ppp ipcp dns request" command.

Q: Do you have dual uplinks going to different ISPs? When you mention the order list, it goes in order through DNS servers 1-4 and keeps trying all 4, one by one.
A: I don't actually have a dual link, more a backup link; only one works at any one time, so I would have expected the rtr to drop the old DNS entries.

Q: Is this issue on the router, or is it the same on the clients?
A: The router is resolving the names only after it cycles through the DNS list, but the clients are not resolving at all.

Q: What OS are you running on your clients?
A: I have a mix but am only testing on Win 7 and Win 10.

Q: What does the network configuration related to DNS look like on your clients?
A: The clients were working and resolving host names but then they just stopped. When I cut back to my ISP-supplied router I noted the 3/4G modem was locked up.

My DNS setup is this. I have a LAN and a WLAN; both have the same problem.

ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1

ip dhcp pool WLAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.1.1
!

 


Q:- Do the clients have static IP addressing configured?
All clients are DHCP from rtr


Q:- How does the routing table look like on your clients?
I don't fully understand the routing table; this below was mostly generated by the router's GUI.


ip nat inside source route-map nat2backup interface Cellular0/0/0 overload
ip nat inside source route-map nat2primary interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 Cellular0/0/0 253
!
!
ip sla 1
icmp-echo 8.8.8.8 source-interface Dialer1
ip sla schedule 1 life forever start-time now
dialer-list 2 protocol ip permit
!
route-map track-primary-if permit 1
match ip address 197
set interface Dialer1
!
route-map nat2primary permit 1
match ip address 198
match interface Dialer1
!
route-map nat2backup permit 1
match ip address 198
match interface Cellular0/0/0
!
!
access-list 197 permit icmp any host 203.134.64.66
access-list 198 permit ip any any
!

 


Q:- Can you ping the DNS server IPs from your clients?
A: I can ping DNS by IP address, but the DNS servers which start with 10.x.x.x I can't, as I'm running the WAN interface, not the 3/4G, and those DNS IPs are private.

 

Q:I assume your rtr is servicing dhcp for your clients if so try the following and swap the addressing below to represent your rtr

rtr
ip dhcp pool xxx
network 192.168.1.0 /24
default-router 192.168.1.254
dns-server 192.168.1.254
exit

no ip name server
ip dns server

int dialer x
ppp ipcp dns request

 

A:

I think my setup already has these entries,

I will try adding the "no ip name server" and removing "ppp ipcp route default"

I will not have access to the router now till Thursday.

 

 

DHCP part

 

ip dhcp pool LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 192.168.1.1
!
ip dhcp pool WLAN
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.1.1

 

WAN settings

!

interface Dialer1
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly in max-fragments 16 max-reassemblies 64 timeout 5
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 
ppp pap sent-username  password 

ppp ipcp dns request
ppp ipcp route default

Hello
Try and add the following also:

access-list xx permit icmp host <source ip> host 8.8.8.8 echo
route-map ipsla
match ip address xx
set interface dialer 1
set interface Null0
exit

ip local policy route-map ipsla



Kind Regards
Paul

ManIDE661
Level 1

Hi, I put the router back into service.

And this time the 3/4G Cellular interface started as normal. It now looks to switch between the two sets of DNS entries.

With the exception that it seems to drop the inactive service after some idle timeout.

rtr#show host   (Main Dialer1  routing traffic)
Default domain is not set
Name/address lookup uses domain service
Name servers are 111.220.1.1, 111.220.2.2

Once the 3/4G service comes online (I normally shut the Gi 0/1/0 interface to initiate the changeover)

rtr#show host (Cellular interface as primary)
Default domain is not set
Name/address lookup uses domain service
Name servers are 111.220.1.1, 111.220.2.2, 10.4.27.70, 10.4.149.70

 

I would have expected the DNS entries for this 3/4G backup service to have been put first in the list. For some reason the 3/4G is not routing internet traffic (at the moment; I will perform further testing shortly).

So basically it looks like if/when the 3/4G service crashed, it didn't release or update the DNS entries correctly, but I would need to test this the next time this interface crashes.

Paul, I did add those entries but I couldn't notice any real difference in the operation of the changeover WAN->3/4G. I have left these entries in for now.

How does your entry differ from the original ones?

With that said, I think I have introduced a problem where now the 3/4G server is not routing internet traffic. The clients are resolving host names but there is no internet connectivity. I will need to track this down in the morning. I have included a quick rundown of my changes which preceded the 3/4G failure.

Note:

I found the router was pingable from the outside, so I changed the access list on the Dialer1 interface only.

I removed the dialer-group 1 entry and added two new access-lists; since this change the 3/4G service is not working.

I did reinstate the old entries but it is still not working; currently running the new setup.

Do I need to do a reload when performing these types of CLI entries?

 

My setup

Primary WAN interface

Old Settings

interface Dialer1
 mtu 1492
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in max-fragments 16 max-reassemblies 64 timeout 5
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable

…….

 

New Setting

interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group No-PING in
 ip access-group 198 out
 ip nat outside
 ip virtual-reassembly in max-fragments 16 max-reassemblies 64 timeout 5
 encapsulation ppp
 dialer pool 1
 no cdp enable

………..

 

Backup Service

3/4G backup interface

interface Cellular0/0/0
 description 3G Link to Vodafone-AP
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string hspa-R7
 dialer-group 2
 async mode interactive

 

ip access-list extended No-PING
 permit icmp any any echo-reply
 deny   icmp any any
 permit ip any any

 

access-list 198 permit ip any any

 

Did I do something wrong?
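
What the No-PING list in the post above does to inbound ICMP, shown as an added example that is not part of the thread: a first-match evaluation of the three entries, which makes visible that `deny icmp any any` also drops the ICMP "fragmentation needed" (packet-too-big) messages that path MTU discovery relies on. The second list is an assumed variant for comparison, not something proposed by anyone in the thread; the Python names are made up for the example.

```python
# ICMP (type, code) for the IOS message keywords used below; code None = any code.
ICMP = {
    "echo": (8, None),
    "echo-reply": (0, None),
    "packet-too-big": (3, 4),  # "fragmentation needed and DF set"
}

# The No-PING list from the post, in order: (action, protocol, icmp keyword or None).
NO_PING = [
    ("permit", "icmp", "echo-reply"),
    ("deny", "icmp", None),
    ("permit", "ip", None),
]

# Assumed variant (not from the thread): let fragmentation-needed messages in as well.
NO_PING_PMTUD = [
    ("permit", "icmp", "echo-reply"),
    ("permit", "icmp", "packet-too-big"),
    ("deny", "icmp", None),
    ("permit", "ip", None),
]


def evaluate(acl, proto, icmp_type=None, icmp_code=None):
    """Return the action of the first matching entry (implicit deny at the end)."""
    for action, acl_proto, keyword in acl:
        if acl_proto == "ip":  # "ip" matches every IP protocol
            return action
        if acl_proto != proto:
            continue
        if keyword is None:  # e.g. "deny icmp any any"
            return action
        want_type, want_code = ICMP[keyword]
        if icmp_type == want_type and want_code in (None, icmp_code):
            return action
    return "deny"


def verdicts(acl):
    """Actions for the packets relevant to this thread."""
    return {
        "echo request": evaluate(acl, "icmp", 8, 0),
        "echo reply": evaluate(acl, "icmp", 0, 0),
        "frag needed": evaluate(acl, "icmp", 3, 4),
        "tcp": evaluate(acl, "tcp"),
    }


if __name__ == "__main__":
    print("No-PING      ", verdicts(NO_PING))
    print("No-PING+PMTUD", verdicts(NO_PING_PMTUD))
```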

Hello


@ManIDE661 wrote:

Did I do something wrong?


Where is the ppp authentication?
int dialer 1
ip mtu 1492
ip  tcp adjust-mss 1452
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 
ppp pap sent-username  password


How does your entry differ from the original ones ?

Regarding your DNS query, my initial suggestion would make your rtr the DNS root for your clients and also a forwarder for any DNS requests it couldn't resolve itself, upstream towards your ISP.



Kind Regards
Paul

They are there, I just didn't include them as they contained the usernames and passwords.

My first post shows the results of Router1#show ppp interface virtual-Access 2

The PPP authentication is for Dialer1, which is the Gi 0/1/0 interface, AKA the WAN interface, and that can be seen to be negotiating.

This is the Cellular 3/4G interface setup

interface Cellular0/0/0
 description 3G Link to Vodafone-AP
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer string hspa-R7
 dialer-group 2
 async mode interactive

 

Here is the PAP profile for the interface.

PDP Type = IPv4
Access Point Name (APN) = live.vodafone.com
Authentication = PAP
Username: anonymous
Password: password
Primary DNS address = 0.0.0.0
Secondary DNS address = 0.0.0.0

 

I may need to revert back to my last known working config and rebuild again from there.

A related question, and the root of all my problems: I can't get some web sites to work.

And after so many hours it looks like sites that return multiple host IPs are the ones which don't work.

I have cross-checked 5 of the non-working sites and they all return more than one IP.

eBay works but Netflix will not; below are the nslookup outputs.

Is this normal or am I missing something in my setup?

I'm pretty sure the DNS entries will sort themselves out once I fix the Cellular interface issues.

 

C:\Users>nslookup www.netflix.com
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    dualstack.apiproxy-website-nlb-prod-1-bcf28d21f4bbcf2c.elb.us-west-2.amazonaws.com
Addresses:  2600:1f14:62a:de84:880a:88cc:a16:5423
          2600:1f14:62a:de85:d7:e7a1:8f7d:f6f5
          2600:1f14:62a:de83:c61a:d6e:18b0:65f7
          44.237.234.25
          44.242.60.85
          44.234.232.238
Aliases:  www.netflix.com
          www.dradis.netflix.com
          www.us-west-2.internal.dradis.netflix.com

 

 

C:\Users>nslookup www.ebay.com.au
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    e11847.g.akamaiedge.net
Address:  23.223.49.102
Aliases:  www.ebay.com.au
          slot11847.ebay.com.edgekey.net

 

 

 

 

 

Hello


I may need to revert back to my last known working config and rebuild again from there.

A related question, and the root of all my problems: I can't get some web sites to work.


Then you need to make sure you're not incurring fragmentation, which could cause the issue you're experiencing. Try the following and reduce accordingly if you have additional header overheads such as GRE/IPsec.

int dialer 1
! non-TCP packets
ip mtu 1492
! TCP packets
ip tcp adjust-mss 1452

or
ip mtu 1400
ip tcp adjust-mss 1360



Kind Regards
Paul

ManIDE661
Level 1

Thank you for your help. I was about to ditch this Cisco but now it will stay.

I had changed ip mtu 1452 before but it still didn't work, so I can't thank you enough.

 

I will sort the 3/4G issue this week.

 

Manny.

 

 
