11-21-2016 04:34 PM - edited 03-08-2019 08:14 AM
Hello, I have an 800 series I'm going through the configuration on and have a question on how to get DNS name resolution to work on the router itself. I'm not running a local DNS server (I'm using the one from the ISP). After running autosecure on the router, DNS resolution on the router itself doesn't seem to work anymore. Meaning if I log in via SSH to the router to run diagnostics, it doesn't resolve - for example, if I do "ping www.cisco.com" it's stuck on
Cisco891F#ping www.cisco.com
Translating "www.cisco.com"...domain server (X.X.X.X) !--- X.X.X.X is my ISP's modem
% Unrecognized host or address, or protocol not running.
I can ping X.X.X.X directly (and 23.72.0.170, which is www.cisco.com)
On the LAN side, the PCs are provided with the same dns server (X.X.X.X), and name-resolution seems to be working there, so the router is letting dns queries through, but doesn't seem to be able to use the name server directly.
I can provide the relevant configuration info, if there isn't something obvious I'm missing.
Thanks,
Nick.
11-21-2016 11:35 PM
Hi, use the command (in configuration mode) "ip name-server x.x.x.x", where x.x.x.x is the IP address of some DNS server.
11-22-2016 06:55 AM
It has been quite a while since I have looked at autosecure and I am not sure exactly what it is doing. But it is pretty obvious that part of what it does to make the router more secure is to not use DNS for resolving names to IP addresses. I know that one perspective about making a router more secure is to remove all non-essential services. So disabling DNS resolution reduces the things that might possibly be used to attack the router. But I agree with your point that having name resolution makes management of the network and troubleshooting more convenient. So I would suggest that you have a look at the current config of the router, find what autosecure disabled, and enable it.
HTH
Rick
11-22-2016 10:14 AM
ip domain lookup
ip name-server
ip domain name
Make sure all of the above commands are enabled.
Please see http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/24182-reversedns.html
Good luck!
11-22-2016 11:33 AM
Thanks, that was the link I was trying to find. There is an incoming access list on the internet facing interface. I didn't think this was the problem seeing as the PCs work fine. I added the following to the acl:
permit udp any any eq domain
permit udp any eq domain any
So I don't quite understand why this works now, but it does. The only other item on the configuration is "ip inspect dns-timeout 7". Not the highest priority for me at the moment, but would be nice to understand the inconsistency.
Thanks,
Nick.
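The inbound ACL behaviour Nick ran into, modelled as an added example (not code from the thread or from Cisco): CBAC (ip inspect) opens return paths only for sessions it inspects, which by default is transit traffic from the LAN, so the router's own DNS queries rely on the static ACL admitting the reply. The tiny evaluator below handles just the ACL syntax used in the thread; the ISP resolver and router WAN addresses are constructed placeholders, and the host-scoped ACL at the end is my own tightening suggestion.

```python
"""Model of a Cisco IOS extended ACL applied inbound on a WAN interface.

Added example, not from the original thread. Supports only the syntax the
thread uses: 'permit|deny <proto> <src> [eq <port>] <dst> [eq <port>]' with
'any' / 'host A.B.C.D' addresses, plus IOS's implicit 'deny ip any any'.
"""
PORTS = {"domain": 53}  # IOS port keyword -> number

def _take_addr(tok):
    """Consume 'any' or 'host X' and an optional 'eq PORT'; return the rest."""
    if tok[0] == "any":
        addr, tok = None, tok[1:]
    elif tok[0] == "host":
        addr, tok = tok[1], tok[2:]
    else:
        raise ValueError(f"unsupported address form: {tok[0]}")
    port = None
    if tok and tok[0] == "eq":
        port, tok = PORTS.get(tok[1]) or int(tok[1]), tok[2:]
    return addr, port, tok

def parse_ace(line):
    """Turn one access-list entry into a dict; None means wildcard."""
    tok = line.split()
    src, sport, rest = _take_addr(tok[2:])
    dst, dport, rest = _take_addr(rest)
    assert not rest, f"trailing tokens in ACE: {line}"
    return dict(action=tok[0], proto=tok[1], src=src, sport=sport, dst=dst, dport=dport)

def evaluate(acl, pkt):
    """First matching entry wins; fall through to the implicit deny."""
    for line in acl:
        a = parse_ace(line)
        if (a["proto"] in ("ip", pkt["proto"]) and a["src"] in (None, pkt["src"])
                and a["sport"] in (None, pkt["sport"]) and a["dst"] in (None, pkt["dst"])
                and a["dport"] in (None, pkt["dport"])):
            return a["action"], line
    return "deny", "implicit deny ip any any"

# Constructed addresses (RFC 5737 ranges): ISP resolver replying to the router's WAN side.
ISP_DNS, ROUTER_WAN = "203.0.113.53", "198.51.100.2"
DNS_REPLY = dict(proto="udp", src=ISP_DNS, sport=53, dst=ROUTER_WAN, dport=49152)
# Only the first line Nick added: it matches queries *to* port 53, not replies *from* it.
ACL_BEFORE = ["permit udp any any eq domain"]
ACL_AFTER = ACL_BEFORE + ["permit udp any eq domain any"]   # both lines from the thread
# Tighter alternative (added suggestion): accept DNS replies only from the ISP resolver.
ACL_SCOPED = ["permit udp host " + ISP_DNS + " eq domain any"]

if __name__ == "__main__":
    for name, acl in [("before", ACL_BEFORE), ("after", ACL_AFTER), ("scoped", ACL_SCOPED)]:
        print(name, evaluate(acl, DNS_REPLY))
```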