fearless.rabbit
Beginner

DNS forwarding problem

Hello everyone,

I have a simple network consisting of a 3550 switch, whose only purpose is to separate VLANs, and a 2800 series router that deals with inter-VLAN routing, ACL filtering, and DHCP service for all VLANs. The idea is to also add a DNS forwarding/caching option, so every host inside the VLANs can get its default gateway (router subinterface) as its DNS server. The router will not host any zones, just forward and cache queries to the ISP DNS.

However, I followed all online instructions on how to configure this, and DNS is still not propagating through the VLANs. Hosts still have to manually put in the ISP DNS in order to have Internet. We have a single public IP address, and NAT overload is configured. I edited the relevant portions of my configuration, so someone could narrow down the problem. My newbie guess is that an ACL might be the issue, but I'm not sure which one and why.

interface GigabitEthernet0/0
 no ip address
 ip broadcast-address 0.0.0.0
 duplex auto
 speed auto
!
interface GigabitEthernet0/0.2
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip access-group 1 out
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.3
 encapsulation dot1Q 3
 ip address 192.168.5.1 255.255.255.0
 ip access-group 2 out
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.4
 encapsulation dot1Q 4
 ip address 192.168.30.1 255.255.255.0
 ip access-group 1 out
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.10.1 255.255.255.0
 ip access-group 1 out
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.6
 encapsulation dot1Q 6
 ip address 192.168.11.1 255.255.255.0
 ip access-group 1 out
!
interface GigabitEthernet0/0.7
 encapsulation dot1Q 7
 ip address 192.168.20.1 255.255.255.0
 ip access-group 3 out
!
interface GigabitEthernet0/0.8
 encapsulation dot1Q 8
 ip address 192.168.22.1 255.255.255.0
 ip access-group 3 out
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.9
 encapsulation dot1Q 9
 ip address 192.168.40.1 255.255.255.0
 ip access-group 4 out
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.44.1 255.255.255.0
 ip access-group 4 out
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0/1
 ip address X.X.X.X 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip dhcp pool LeecherPool
   network 192.168.40.0 255.255.255.0
   default-router 192.168.40.1
   dns-server 192.168.40.1
!
ip dhcp pool ForklanPool
   network 192.168.30.0 255.255.255.0
   default-router 192.168.30.1
   dns-server 192.168.30.1
!
ip dhcp pool SeclanPool
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.1
   dns-server 192.168.10.1
!
ip dhcp pool SecwlanPool
   network 192.168.11.0 255.255.255.0
   default-router 192.168.11.1
   dns-server 192.168.11.1
!
ip dhcp pool SafelanPool
   network 192.168.20.0 255.255.255.0
   default-router 192.168.20.1
   dns-server 192.168.20.1
!
ip dhcp pool SafewlanPool
   network 192.168.22.0 255.255.255.0
   default-router 192.168.22.1
   dns-server 192.168.22.1
!
ip dhcp pool RoamerPool
   network 192.168.44.0 255.255.255.0
   default-router 192.168.44.1
   dns-server 192.168.44.1
!
ip name-server 204.130.255.3
!
ip route 0.0.0.0 0.0.0.0 Y.Y.Y.Y
!
ip dns server
!
access-list 1 deny   192.168.40.0 0.0.0.255
access-list 1 deny   192.168.44.0 0.0.0.255
access-list 1 deny   192.168.20.0 0.0.0.255
access-list 1 deny   192.168.22.0 0.0.0.255
access-list 1 permit any
access-list 2 deny   192.168.40.0 0.0.0.255
access-list 2 deny   192.168.44.0 0.0.0.255
access-list 2 deny   192.168.30.0 0.0.0.255
access-list 2 permit any
access-list 3 deny   192.168.40.0 0.0.0.255
access-list 3 deny   192.168.44.0 0.0.0.255
access-list 3 permit any
access-list 4 deny   192.168.20.0 0.0.0.255
access-list 4 deny   192.168.22.0 0.0.0.255
access-list 4 permit any
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
access-list 5 permit 192.168.30.0 0.0.0.255
access-list 5 permit 192.168.10.0 0.0.0.255
access-list 5 permit 192.168.11.0 0.0.0.255
access-list 5 permit 192.168.40.0 0.0.0.255
access-list 5 permit 192.168.44.0 0.0.0.255
!
ip nat inside source list 5 interface GigabitEthernet0/1 overload
!
end

As you can see, I have subinterfaces on the trunk, DHCP pools for those VLANs, and access lists to filter traffic. The access lists are source based, and applied "out" on the destination subinterface. There is also the "ip domain lookup" command that I issued, but it is not seen in the configuration file (?).

Any help will be greatly appreciated!
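The question above asks whether the outbound ACLs could be dropping DNS traffic. The script below is an added example (not part of the thread and not from the poster) that replays the posted standard ACLs and subinterface bindings against a few constructed packets, applying the IOS rules that matter here: a standard ACL matches on source address only, first match wins with an implicit deny at the end, and an outbound interface ACL is evaluated only for transit packets, not for packets addressed to the router itself or generated by the router (which is what a query to the gateway and the router's DNS reply are). The sample flows and the Gi0/0.N interface names are constructed for the example.

```python
"""Replay the posted Cisco standard ACLs against constructed sample flows.

Added example, not from the forum thread. Models only what the posted config
shows: numbered standard ACLs bound with `ip access-group N out` on the
dot1Q subinterfaces, plus the NAT source list (ACL 5).
"""
from ipaddress import ip_address, ip_network

# Standard ACLs copied verbatim from the posted configuration.
ACL_TEXT = """
access-list 1 deny   192.168.40.0 0.0.0.255
access-list 1 deny   192.168.44.0 0.0.0.255
access-list 1 deny   192.168.20.0 0.0.0.255
access-list 1 deny   192.168.22.0 0.0.0.255
access-list 1 permit any
access-list 2 deny   192.168.40.0 0.0.0.255
access-list 2 deny   192.168.44.0 0.0.0.255
access-list 2 deny   192.168.30.0 0.0.0.255
access-list 2 permit any
access-list 3 deny   192.168.40.0 0.0.0.255
access-list 3 deny   192.168.44.0 0.0.0.255
access-list 3 permit any
access-list 4 deny   192.168.20.0 0.0.0.255
access-list 4 deny   192.168.22.0 0.0.0.255
access-list 4 permit any
access-list 5 permit 192.168.5.0 0.0.0.255
access-list 5 permit 192.168.2.0 0.0.0.255
access-list 5 permit 192.168.30.0 0.0.0.255
access-list 5 permit 192.168.10.0 0.0.0.255
access-list 5 permit 192.168.11.0 0.0.0.255
access-list 5 permit 192.168.40.0 0.0.0.255
access-list 5 permit 192.168.44.0 0.0.0.255
"""

# Subinterface -> (connected subnet, ACL applied outbound), from the posted config.
SUBINTERFACES = {
    "Gi0/0.2": ("192.168.2.0/24", 1),
    "Gi0/0.3": ("192.168.5.0/24", 2),
    "Gi0/0.4": ("192.168.30.0/24", 1),
    "Gi0/0.5": ("192.168.10.0/24", 1),
    "Gi0/0.6": ("192.168.11.0/24", 1),
    "Gi0/0.7": ("192.168.20.0/24", 3),
    "Gi0/0.8": ("192.168.22.0/24", 3),
    "Gi0/0.9": ("192.168.40.0/24", 4),
    "Gi0/0.10": ("192.168.44.0/24", 4),
}

# Every subinterface uses the .1 address, so the router's own addresses are derivable.
ROUTER_ADDRESSES = {str(ip_network(net)[1]) for net, _ in SUBINTERFACES.values()}


def parse_acls(text):
    """Parse `access-list N permit|deny ADDR [WILDCARD]` lines into match tuples."""
    acls = {}
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue
        number, action = int(parts[1]), parts[2]
        if parts[3] == "any":
            addr, wildcard = 0, 0xFFFFFFFF
        else:
            addr = int(ip_address(parts[3]))
            # A missing wildcard means a host match (wildcard 0.0.0.0).
            wildcard = int(ip_address(parts[4])) if len(parts) > 4 else 0
        acls.setdefault(number, []).append((action, addr, wildcard))
    return acls


def acl_action(entries, src):
    """First-match evaluation of a standard ACL: source address only."""
    s = int(ip_address(src))
    for action, addr, wildcard in entries:
        # Wildcard bits set to 1 are "don't care"; compare only the other bits.
        if (s | wildcard) == (addr | wildcard):
            return action
    return "deny"  # implicit deny at the end of every IOS ACL


def egress_interface(dst):
    """Which subinterface a packet to `dst` would leave through (None = not a VLAN)."""
    d = ip_address(dst)
    for name, (subnet, _) in SUBINTERFACES.items():
        if d in ip_network(subnet):
            return name
    return None  # e.g. the ISP resolver, which leaves via Gi0/1


def outbound_verdict(acls, src, dst):
    """Return (egress, verdict) for a unicast packet the router handles.

    Outbound interface ACLs are checked for transit traffic only; packets
    addressed to the router and packets the router originates bypass them.
    """
    if dst in ROUTER_ADDRESSES:
        return (None, "to-router")
    if src in ROUTER_ADDRESSES:
        return (egress_interface(dst), "router-originated")
    egress = egress_interface(dst)
    if egress is None:
        return (None, "not-a-connected-vlan")
    return (egress, acl_action(acls[SUBINTERFACES[egress][1]], src))


ACLS = parse_acls(ACL_TEXT)

# Constructed sample flows, chosen to cover the DNS path and inter-VLAN traffic.
SAMPLE_FLOWS = [
    ("192.168.40.10", "192.168.40.1", "DNS query from a Leecher host to its gateway"),
    ("192.168.40.1", "192.168.40.10", "DNS reply from the router to that host"),
    ("192.168.40.1", "204.130.255.3", "router forwarding the query to the ISP resolver"),
    ("192.168.20.5", "192.168.40.5", "Safe LAN host to Leecher LAN host"),
    ("192.168.2.5", "192.168.40.5", "VLAN 2 host to Leecher LAN host"),
]

if __name__ == "__main__":
    for src, dst, label in SAMPLE_FLOWS:
        print(f"{label}: {src} -> {dst}: {outbound_verdict(ACLS, src, dst)}")
    for net in ("192.168.40.5", "192.168.20.5"):
        print(f"NAT list 5 for {net}: {acl_action(ACLS[5], net)}")
```

Running it shows that neither leg of the DNS exchange between a host and its gateway is ever evaluated by these outbound ACLs, which is why removing an ACL (as suggested in the replies) is a quick way to confirm they are not the cause before looking at the forwarder itself. The same matcher run against access-list 5 also shows which source networks the NAT statement translates and which it leaves untranslated.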

4 REPLIES
Edwin Summers
Participant

Is the portion of the config you posted only from the 2800?  Have you sniffed traffic and are queries reaching the 2800 and being forwarded?

ip domain lookup is enabled by default, which is probably why it isn't appearing when you show the config.  If you turned it off (no ip domain-lookup), you should see the command in the config.

Yes, the config is only from the router. I am configuring the device remotely, and have an on-site technician for some basic cabling etc., so I can't run Wireshark unfortunately. It would be a good troubleshooting step though.

Do you think ACLs can be the problem?

Hi,

If the version of IOS on your router supports the feature, you can use embedded packet capture to capture packets remotely on the router:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_packet_capture_ps6441_TSD_Products_Configuration_Guide_Chapter.html

As a test, if you remove the outbound ACL from one of the sub-interfaces, can you browse the Internet using DNS names?

Please remember to rate all posts that are helpful.

rassoul.ghaznavi
Beginner

Have you confirmed if the router is resolving the names itself?

Can you ping something like yahoo.com and see if it comes back with an IP address?