11-25-2013 06:59 AM - edited 03-07-2019 04:46 PM
I know that we can set up multiple DNS servers under a DHCP pool, but I'd like to make sure of the order.
I have multiple branch offices.
Let us say that Branch 1 office has a router with 10.30.1.1 as default gateway.
Our internal DNS is 10.0.0.1 and 10.0.0.2 as Pri and Sec.
My order of DNS server is like below.
1. gateway
2. internal DNS
3. public DNS provided by ISP
I saw a couple of issues when I put the internal DNS first. A particular situation is when IPsec is not working: users could not access the internet through domain names because they had an internal DNS which is not reachable.
But when the gateway is first in order, I am not sure whether users are able to access internal websites, because the gateway DNS doesn't have internal DNS records.
So, my question is: what should be the best order for DNS setup under DHCP among default gateway, internal DNS and public DNS? Our current setup doesn't even have the gateway address; it only has internal DNS addresses.
ip dhcp pool ccp-pool1
network 10.30.1.0 255.255.255.0
domain-name test.org
default-router 10.30.1.1
netbios-name-server 10.30.1.1
dns-server 10.30.1.1 10.0.0.1 10.0.0.2 24.25.5.60
11-25-2013 08:07 AM
In most situations I would not expect to see the IP of the router listed in DHCP as a DNS server. In some few cases this is appropriate but I am not sure that your router does. And in most cases I would expect that Internal DNS would be listed first since it should have the internal information available and if it gets a request for something external it should be able to forward the request to an external server.
HTH
Rick
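An added simulation (not from this thread or from Cisco) of how a client stub resolver walks the dns-server list of the original poster's DHCP pool under the two orderings discussed here (gateway first, and internal DNS first as Rick advises), with IPsec up and down. The server roles, the reachability states and the assumption that clients fall back to the next server only when the current one never replies, not on an NXDOMAIN answer, are mine.

```python
"""Walk a DHCP dns-server list the way a client stub resolver does.
The client asks servers in the listed order and moves to the next one only
when the current one never replies (unreachable/timeout, which the client
waits out). A definite NXDOMAIN from the first server that replies is final.
Roles/reachability are constructed assumptions matching the thread: gateway
10.30.1.1 (no internal records), HQ internal DNS 10.0.0.1/10.0.0.2 (holds
test.org, forwards the rest, reachable only over IPsec), ISP 24.25.5.60."""
from dataclasses import dataclass
from typing import Optional

INTERNAL_ZONE = "test.org"

@dataclass
class DnsServer:
    ip: str
    reachable: bool = True
    knows_internal: bool = False  # holds the test.org zone (HQ internal DNS)

    def answer(self, name: str) -> Optional[str]:
        """'OK' or 'NXDOMAIN' from a reachable server, None when it never replies."""
        if not self.reachable:
            return None
        if name == INTERNAL_ZONE or name.endswith("." + INTERNAL_ZONE):
            return "OK" if self.knows_internal else "NXDOMAIN"
        return "OK"  # public name: answered directly or via the internal forwarder

def resolve(name: str, servers: list) -> tuple:
    """First server that replies decides; later servers are never consulted."""
    for srv in servers:
        rc = srv.answer(name)
        if rc is not None:
            return rc, srv.ip
    return "TIMEOUT", None

def branch_servers(order: list, ipsec_up: bool) -> list:
    """Build the branch's dns-server list in the requested order."""
    catalogue = {
        "10.30.1.1": DnsServer("10.30.1.1"),                    # gateway
        "10.0.0.1": DnsServer("10.0.0.1", ipsec_up, True),      # HQ internal
        "10.0.0.2": DnsServer("10.0.0.2", ipsec_up, True),      # HQ internal
        "24.25.5.60": DnsServer("24.25.5.60"),                  # ISP resolver
    }
    return [catalogue[ip] for ip in order]

if __name__ == "__main__":
    orders = (["10.30.1.1", "10.0.0.1", "10.0.0.2"],   # gateway first (OP's list)
              ["10.0.0.1", "10.0.0.2", "24.25.5.60"])  # internal first (Rick's advice)
    for order in orders:
        for up in (True, False):
            for name in ("intranet.test.org", "www.google.com"):
                print(f"{order[0]:>10} first | IPsec {'up  ' if up else 'down'} |"
                      f" {name:18} -> {resolve(name, branch_servers(order, up))}")
```

The run shows the trade-off from the thread: with the gateway first, internal names get an NXDOMAIN even while IPsec is up, while with the internal servers first, public names still resolve during an IPsec outage (after the client waits out the unreachable servers) via the ISP resolver.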
11-25-2013 08:55 AM
Thank you, Richard.
You are right. When I set up the router IP as DNS server in the DHCP pool, it did not work.
Let me ask regarding external DNS forwarding.
I'd like to know the process for external DNS.
User --> Internal website --> OK with internal DNS
User --> External website --> Internal DNS forwarding to External DNS
We have our own external DNS (ns). In this case, if the external DNS (ns) is down, are all branch users unable to resolve any external IP because the internal DNS can't get a reply from the external DNS?
2nd question)
IPsec is split-tunneled, but in this case, does every DNS request go to the internal DNS, which is located in HQ, and go back through IPsec? Usually a split tunnel doesn't send internet traffic through IPsec but directly to the internet.
3rd Question)
What is ip name-server x.x.x.x for? When I set up ip name-server 8.8.8.8 and tried to ping 8.8.8.8 from the router, it didn't work. Am I missing something?
https://supportforums.cisco.com/thread/230711
Thanks for your time and knowledge.
11-25-2013 09:50 AM
I do not understand your question 1) about having external as well as internal DNS.
2) you have a choice to make here. I would probably use the option that users still go to the internal DNS even though it means that some of their traffic goes over the IPSec and not directly to Internet. Or you can decide to specify that remote users use external DNS.
3) We do not have enough information to answer this question. I would say in general that if you cannot ping 8.8.8.8 from the router, there is probably some issue in the router configuration.
The link that you posted is about the difference in configuring a name server for the router itself to use or configuring a name server for clients to use. How does that relate to question 3?
HTH
Rick
11-25-2013 10:04 AM
Thanks Richard.
1st Question) User asking for google.com --- (through IPsec) ---> reaches the internal DNS (i.e. 10.5.5.1) --> since google.com is external, it forwards to our own external DNS (ns.test.com) ---> goes back to the user with Google's IP
Is my logic right?
2nd Question) Thanks.
3rd Question) I did "ping google.com" with ip name-server 8.8.8.8 from the router itself, but I couldn't get a ping reply. The link was about the difference between ip name-server vs dns-server in DHCP. As I understood it, if I put ip name-server 8.8.8.8, I should be able to ping (ping google.com) from the router, but I couldn't. I had ip domain-lookup and ip name-server 8.8.8.8. I was able to "ping 8.8.8.8", but not "ping google.com".
Your explanation is always helpful, Thanks Richard.
I found an article about DNS proxy from the router (DNS = router). I may try this.
11-25-2013 10:31 AM
1) I believe that your logic is right.
2) you are welcome.
3) I see now how the link relates to question 3. Yes the difference between specifying a name server for the router itself with ip name-server or for client using dns-server is an important point.
I am glad that you tell us that you did have ip domain-lookup because that would have been my follow up question. Can you tell us exactly what the response from the router was when you attempted ping google.com? I suspect that it is something in your router config. Can you post a sanitized copy of the router config?
Thank you for the compliment - and for the points.
HTH
Rick
11-25-2013 12:19 PM
I appreciate your thought.
You are right. When I took out ZBF from the outside interface, it worked, which means my configuration was the issue for question 3. Thanks again.
11-25-2013 12:48 PM
Thanks for posting back with the update that the remaining issue was resolved when you removed ZBF. I am glad that my suggestions helped you to find the issues involved with this discussion. Thank you for using the rating system to mark this question as answered.
HTH
Rick