Route Map for DNS

Pete89
Level 2

I have a 3845 with a T1 that we use for Public DNS queries and zone transfers with an ISP. The default route on the router points to the other side of the T1.

Recently we added a DS3 that will be used for VPN users. So, from what I understand, since I won't be able to use route-maps for VPN users because the traffic hits the router encrypted, I will have to do it for the DNS traffic.

What I want to do is make the DS3 the default route, have DNS traffic go through the T1, and Bob's your uncle.

This is what I have done so far:

route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 63.63.63.62

ip access-list extended DNS_traffic

permit tcp any eq domain any
permit udp any eq domain any

interface Serial1/0
description Qwest DS3 - VPN traffic
ip address 63.63.63.63 255.255.255.252
ip nat outside
ip access-group inbound_qwest_DS3 in

interface Serial0/0/0:1
description Qwest - T1 - DNS traffic
ip address 88.88.88.88 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside
ip virtual-reassembly
ip policy route-map rmap_DNS_traffic

no ip route 0.0.0.0 0.0.0.0 63.63.63.62
ip route 0.0.0.0 0.0.0.0 88.88.88.87


But this is not working. Anyone see what I am doing wrong?

Thanks,

Pedro

5 Replies

Jon Marshall
Hall of Fame

pener1963 wrote:

I have a 3845 with a T1 that we use for Public DNS queries and zone transfers with an ISP. The default route on the router points to the other side of the T1.

Recently we added a DS3 that will be used for VPN users. So, from what I understand, since I won't be able to use route-maps for VPN users because the traffic hits the router encrypted, I will have to do it for the DNS traffic.

What I want to do is make the DS3 the default route, have DNS traffic go through the T1, and Bob's your uncle.

This is what I have done so far:

route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 63.63.63.62

ip access-list extended DNS_traffic

permit tcp any eq domain any
permit udp any eq domain any

interface Serial1/0
description Qwest DS3 - VPN traffic
ip address 63.63.63.63 255.255.255.252
ip nat outside
ip access-group inbound_qwest_DS3 in

interface Serial0/0/0:1
description Qwest - T1 - DNS traffic
ip address 88.88.88.88 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside
ip virtual-reassembly
ip policy route-map rmap_DNS_traffic

no ip route 0.0.0.0 0.0.0.0 63.63.63.62
ip route 0.0.0.0 0.0.0.0 88.88.88.87


But this is not working. Anyone see what I am doing wrong?

Thanks,

Pedro

Pedro

This is a very confusing post.

1) You say you want to use the T1 for DNS traffic, and yet the route-map next-hop is set to the DS3 next-hop?

2) What is the IP address of the DNS server?

3) Where is the DNS server located relative to your router, i.e. which interface does it come in on?

Jon

Oops, my bad. For obvious reasons I can't copy right from the config... but you are right, it should read:

route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 88.88.88.87

ip access-list extended DNS_traffic

permit tcp any eq domain any
permit udp any eq domain any

interface Serial1/0
description Qwest DS3 - VPN traffic
ip address 63.63.63.63 255.255.255.252
ip nat outside
ip access-group inbound_qwest_DS3 in

interface Serial0/0/0:1
description Qwest - T1 - DNS traffic
ip address 88.88.88.88 255.255.255.252
ip access-group inbound_qwest_t1 in
ip nat outside
ip virtual-reassembly
ip policy route-map rmap_DNS_traffic

no ip route 0.0.0.0 0.0.0.0 63.63.63.62

ip route 0.0.0.0 0.0.0.0 88.88.88.87

The IPs of the DNS servers are 192.168.40.11 and .12

The DNS servers are on the other side of the FW. There is a route on the 3845 for them:

ip route 192.168.40.0 255.255.255.0 172.31.1.4

Sorry about that. All this is confusing enough.

Pedro

The IPs of the DNS servers are 192.168.40.11 and .12

The DNS servers are on the other side of the FW. There is a route on the 3845 for them:

ip route 192.168.40.0 255.255.255.0 172.31.1.4

Sorry about that. All this is confusing enough.


You need to apply the route-map to the incoming interface for the DNS servers, i.e. you are trying to send the DNS servers' traffic down the T1 link but you have applied the route-map to the T1 link. You need to apply it to the interface on the router that the DNS traffic comes from, i.e. the interface that connects to 172.31.1.4 by the looks of it.

Jon

OK Jon. Note taking. I thought the route map had to be applied to the OUTGOING interface, but if that's not so, it will go on this interface:

interface GigabitEthernet0/0.10
description To Edge Firewall
encapsulation dot1Q 10
ip address 172.31.1.8 255.255.255.240
ip policy route-map rmap_DNS_traffic

Question

Would it be easier to just add the IPs of the servers themselves to the Access List? i.e.:

ip access-list extended DNS_traffic
permit ip host 192.168.40.11 any
permit ip host 192.168.40.12 any

route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 88.88.88.87

Instead of the source port which is what I did before:

ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain any

pener1963 wrote:

OK Jon. Note taking. I thought the route map had to be applied to the OUTGOING interface, but if that's not so, it will go on this interface:

interface GigabitEthernet0/0.10
description To Edge Firewall
encapsulation dot1Q 10
ip address 172.31.1.8 255.255.255.240
ip policy route-map rmap_DNS_traffic

Question

Would it be easier to just add the IPs of the servers themselves to the Access List? i.e.:

ip access-list extended DNS_traffic
permit ip host 192.168.40.11 any
permit ip host 192.168.40.12 any

route-map rmap_DNS_traffic permit 10
match ip address DNS_traffic
set ip next-hop 88.88.88.87

Instead of the source port which is what I did before:

ip access-list extended DNS_traffic
permit tcp any eq domain any
permit udp any eq domain any

It would certainly be better to use the IPs, and if you want to route all traffic for these 2 IPs down the T1 then yes, use "ip any any". But if you only want to route the DNS traffic you will need to use the ports. Either way I would use the IPs and not "any".

Jon
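An added illustration of the two points made in this thread (it is not code from the thread or from IOS): a small Python model of how policy-based routing picks a next-hop. It parses extended ACL entries in the syntax used above, applies the route-map only on the interface a packet enters, and otherwise falls back to the default route. The addresses, interface names and next-hops are the ones posted in the thread; the packets and the host-plus-port ACL are constructed here.

```python
from dataclasses import dataclass

PORTS = {"domain": 53}                      # IOS port keyword used in the thread
@dataclass(frozen=True)
class Packet:
    proto: str                              # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int

def parse_ace(line):
    """Parse one extended ACL entry, e.g. 'permit tcp host 192.168.40.11 eq domain any'.
    Returns (proto, src, sport, dst, dport); None stands for 'any'."""
    tok = line.split()
    assert tok[0] == "permit"
    proto, i, fields = tok[1], 2, []
    for _ in range(2):                      # source spec, then destination spec
        if tok[i] == "host":
            addr, i = tok[i + 1], i + 2
        else:                               # 'any' (wildcard masks not needed here)
            addr, i = (None if tok[i] == "any" else tok[i]), i + 1
        port = None
        if i < len(tok) and tok[i] == "eq": # optional port qualifier
            port, i = PORTS.get(tok[i + 1]) or int(tok[i + 1]), i + 2
        fields += [addr, port]
    return (proto, *fields)

def ace_matches(ace, p):
    proto, src, sport, dst, dport = ace
    return (proto in ("ip", p.proto) and src in (None, p.src) and sport in (None, p.sport)
            and dst in (None, p.dst) and dport in (None, p.dport))

# Constructed ACL following Jon's advice: the two server IPs plus the DNS port (replies
# and zone transfers leave an authoritative server from port 53, hence a source-port match).
DNS_TRAFFIC_ACL = [parse_ace(ace) for host in ("192.168.40.11", "192.168.40.12")
                   for ace in (f"permit tcp host {host} eq domain any",
                               f"permit udp host {host} eq domain any")]
T1_NEXT_HOP, DS3_NEXT_HOP = "88.88.88.87", "63.63.63.62"   # route-map next-hop, new default
# A policy maps an *ingress* interface to (ACL, next-hop), like 'ip policy route-map'.
POLICY_OK = {"GigabitEthernet0/0.10": (DNS_TRAFFIC_ACL, T1_NEXT_HOP)}  # LAN side, per Jon
POLICY_WRONG = {"Serial0/0/0:1": (DNS_TRAFFIC_ACL, T1_NEXT_HOP)}       # Pedro's first attempt

def next_hop(p, ingress, policy=POLICY_OK):
    """PBR is evaluated only on the interface a packet enters; else the 0/0 route (DS3)."""
    if ingress in policy:
        acl, hop = policy[ingress]
        if any(ace_matches(a, p) for a in acl):
            return hop
    return DS3_NEXT_HOP
```

With the policy on the T1 interface, traffic from the servers (which enters on Gi0/0.10) never meets the route-map and follows the default route to the DS3, which is exactly the failure described above.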