I am trying to set up NTP on a 2921 router to get time from various NIST time sources via URL instead of an IP address. However, I cannot seem to get DNS initialized on this router, receiving the error message "DNSIX: Dnsix is not enabled" from the show dns command. Here is my relevant config.
ip domain list vrf MGT <domain-name>.com
ip domain lookup source-interface GigabitEthernet0/2
ip domain name <domain-name>.com
ip name-server vrf MGT <internal name server IP>
ip name-server vrf MGT <internal name server IP>
!
interface GigabitEthernet0/2
 description MGMT
 ip vrf forwarding MGT
 ip address <omitted> 255.255.255.0
 ip access-group MGT_ACCESS in
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 load-interval 30
 duplex auto
 speed auto
 no mop enabled
!
ip access-list standard MGT_ACCESS
 permit host <internal name server IP>
 permit host <internal name server IP>
 ...
 deny any log
This is what I get when testing:
ROUTER#ping time.nist.org
Translating "time.nist.org"...domain server (255.255.255.255)
% Unrecognized host or address, or protocol not running.
Perhaps seeing more of the config of the router would help us identify the cause of this issue. In particular I am interested in seeing the access list that you apply to the interface. Also a better understanding of the topology of the network would be helpful.
The DNS lookup isn't working because the path to the name servers is via the management VRF and it won't split as configured. There isn't any need to pursue this any further because the router isn't capable of doing what I need it to, that being using a URL to reach an NTP server. I was hoping the router would work in a similar fashion as DNS lookup on an ASA firewall. You can create a network object on an ASA referencing a URL which, when applied to an ACE, will have the ASA perform a DNS lookup. From an ASA you can run the show dns command and it will show the URL, the IP address DNS returned and the TTL time for said lookup. Once the TTL value expires it will perform a new lookup. The routers will not do that. They will perform a one-time lookup and place the IP address in the config in place of the host name entered. This will vary slightly between some models and code, but none of the routers I have tried this on will keep and monitor the TTL value and perform a new lookup. Sh dns on the routers doesn't ever show anything. With this being the case it doesn't do any good to perform dynamic lookups on the routers. Hopefully someone at Cisco will see the value in this and add this as a feature request.
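The VRF-scoped lookup configuration, as an added example that is not configuration from the original thread. It reuses the VRF, interface and ACL names posted above with placeholder addresses; the `ip domain lookup vrf ... source-interface` and `show hosts vrf` forms are assumed to be available on the IOS image in use and should be checked against it.

```cisco
! Constructed example. As posted, the name servers are bound to VRF MGT
! but the lookup itself runs in the global table, which is why the ping
! reports "domain server (255.255.255.255)": no resolver is reachable
! from that table and the query never leaves the router.
ip domain lookup source-interface GigabitEthernet0/2
ip name-server vrf MGT <internal name server IP>
!
! Corrected form: scope the lookup to the same VRF the servers live in
! (assumed syntax; verify on the running image).
ip domain lookup vrf MGT source-interface GigabitEthernet0/2
ip domain list vrf MGT <domain-name>.com
ip name-server vrf MGT <internal name server IP>
!
! MGT_ACCESS is applied inbound, so replies from the name servers must
! be permitted there; the posted ACL already has the permit host lines.
!
! Verify from inside the VRF, not the global table. Note that "show dns"
! parses as the DNSIX audit feature, which is unrelated to name
! resolution; the resolver cache is shown by "show hosts".
ping vrf MGT <ntp-hostname>
show hosts vrf MGT
!
! As the thread concludes, IOS resolves the NTP hostname once and stores
! the address; pin the server to the VRF and expect to re-enter it if the
! published address changes.
ntp server vrf MGT <ntp-server-ip>
```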