
DNS query fails behind DHCP/NAT-Router (ISR 861)

volkeningheim
Level 1

Dear community,

In my simple network setup, I cannot resolve DNS queries from inside my NATted network. On the router I can ping both IP addresses and names. Ping from the local machine works for IP addresses but not for names. When doing nslookup, addresses are not found and a SERVFAIL message is returned.

I use a Cisco ISR 861 router to connect our local LAN to the Internet (the WAN of the 861 is connected to another DHCP/NAT router, which in turn connects to the ISP modem). Addresses in the local LAN are DHCP-distributed, the DNS servers from my ISP are configured on the router, and the DNS information is distributed correctly to my local LAN machines (as I can verify by doing nslookup on Linux).

In the forum I was not able to find appropriate hints. I'm new to Cisco and quite desperate about this issue, having spent many hours trying to get things running. Can anyone please help me find out which part of my config could be wrong? The running configuration is appended.

Thanks, Benjamin


21 Replies

acampbell
VIP Alumni

Benjamin,

This router you have shown the config for has NO ip routes

Can you add

!
ip route 0.0.0.0 0.0.0.0 fastethernet 4 name DEFAULT-ROUTE
!

Regards,
Alex.
Please rate useful posts.


Thanks for your answer. However, the problem is the same with or without the default route set. Any further ideas?

NB:

I have added the default route by

# ip route 0.0.0.0 0.0.0.0 192.168.0.1

Strangely, when using the interface instead of 192.168.0.1, ping into internet doesn't work. Anyway, the default route should be set by DHCP from the 192.168.0.1 router, right?

Abzal
Level 7

Hi Benjamin,

Try to change your local pool.

ip dhcp pool pool1
   import all
   network 192.168.22.0 255.255.255.0
   default-router 192.168.22.1
   dns-server 192.168.22.1 80.69.98.110 217.20.112.194 217.70.142.66

I'm not sure if it is a working solution, but you can try.

Hope it will help.

Please rate helpful posts.

Best regards,
Abzal

In my setup, 192.168.22.1 is not a name-server.

John Blakley
VIP Alumni

Along with what others have posted, I'd recommend you tighten the acl down a bit for your nat rule. You should change your acl 1 from

access-list 1 permit any

TO:

access-list 1 permit ip 192.168.22.0 0.0.0.255 any

I wouldn't recommend changing the dns-server settings just yet. The router itself isn't set up to answer dns queries...

HTH,

John

**** Please rate useful posts *****


That's a good point. But I wanted to keep the setup as open as possible until the DNS-Issue is solved.

I've seen routers have issues when you have the "any any" line configured for natting. If you have a single subnet on the lan side, then doing "permit ip 192.168.22.0 0.0.0.255 any" is effectively the same thing. Have you done this yet?

HTH, John *** Please rate all useful posts ***

Yes, I have (I had to change the number of the access-list to at least 100).

It didn't solve the problem.

Okay...

Can you post:

sh ip nat trans

Can you resolve from the router? You have name servers set up, so can you try to ping www.google.com and see if that's successful from the router?

Thanks!

John

HTH, John *** Please rate all useful posts ***

This is the "sh ip nat trans" output from an nslookup query run on a local Linux machine:

Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.0.89:35742 192.168.22.2:35742 217.70.142.66:53   217.70.142.66:53
udp 192.168.0.89:43202 192.168.22.2:43202 217.20.112.194:53  217.20.112.194:53
udp 192.168.0.89:52408 192.168.22.2:52408 217.20.112.194:53  217.20.112.194:53
udp 192.168.0.89:53609 192.168.22.2:53609 217.70.142.66:53   217.70.142.66:53
udp 192.168.0.89:57384 192.168.22.2:57384 80.69.98.110:53    80.69.98.110:53
udp 192.168.0.89:60834 192.168.22.2:60834 80.69.98.110:53    80.69.98.110:53

The nslookup output is:

;; Got recursion not available from 80.69.98.110, trying next server
;; Got SERVFAIL reply from 217.20.112.194, trying next server
;; Got recursion not available from 80.69.98.110, trying next server
;; Got SERVFAIL reply from 217.20.112.194, trying next server
Server:        217.70.142.66
Address:    217.70.142.66#53

** server can't find heise.de.intern: SERVFAIL

From the router, addresses can be resolved.
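The translation table above already answers one question: every UDP query from 192.168.22.2 is rewritten to the WAN address and sent to one of the three configured resolvers on port 53, so NAT is doing its job and the fault must lie upstream. The following script is an added example (not code from the thread or from Cisco) that parses "show ip nat translations" output in this format and checks exactly that: the inside hosts belong to the expected LAN (a too-broad NAT ACL, as John raised, would show up here as foreign inside addresses), the DNS flows go only to the resolvers you configured, and the outside addresses are not rewritten. The embedded table is the one Benjamin posted, used as constructed sample input; the LAN prefix and resolver list are passed in by the caller.

```python
"""Sanity-check 'show ip nat translations' output against the expected LAN and resolvers.

Added example, not from the thread. It parses the NAT table posted above (embedded
below as constructed sample input) and confirms that the LAN host's DNS queries are
translated and sent to the configured resolvers. If this passes, NAT is not the
problem and troubleshooting moves to the resolvers themselves.
"""
import ipaddress
import re
from collections import namedtuple

Translation = namedtuple(
    "Translation", "proto inside_global inside_local outside_local outside_global"
)

# Constructed sample: the table Benjamin posted, one row per DNS query.
SAMPLE_NAT_TABLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 192.168.0.89:35742 192.168.22.2:35742 217.70.142.66:53   217.70.142.66:53
udp 192.168.0.89:43202 192.168.22.2:43202 217.20.112.194:53  217.20.112.194:53
udp 192.168.0.89:52408 192.168.22.2:52408 217.20.112.194:53  217.20.112.194:53
udp 192.168.0.89:53609 192.168.22.2:53609 217.70.142.66:53   217.70.142.66:53
udp 192.168.0.89:57384 192.168.22.2:57384 80.69.98.110:53    80.69.98.110:53
udp 192.168.0.89:60834 192.168.22.2:60834 80.69.98.110:53    80.69.98.110:53
"""

_SOCK = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def _split_socket(token):
    """Turn 'a.b.c.d:port' into (IPv4Address, int)."""
    m = _SOCK.match(token)
    if not m:
        raise ValueError(f"not an addr:port token: {token!r}")
    return ipaddress.ip_address(m.group(1)), int(m.group(2))


def parse_nat_table(text):
    """Parse the five-column IOS NAT table; header, blank and odd lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "Pro":
            continue
        rows.append(Translation(parts[0], *(_split_socket(p) for p in parts[1:])))
    return rows


def check_dns_translations(rows, lan, resolvers):
    """Return (dns_flow_count, resolvers_seen, findings) for the UDP/53 flows in rows."""
    lan = ipaddress.ip_network(lan)
    resolvers = {ipaddress.ip_address(r) for r in resolvers}
    seen, findings, count = set(), [], 0
    for t in rows:
        if t.proto != "udp" or t.outside_local[1] != 53:
            continue  # only DNS flows are of interest here
        count += 1
        seen.add(t.outside_local[0])
        if t.inside_local[0] not in lan:
            # An inside address outside the LAN means the NAT ACL matches more than it should.
            findings.append(f"inside host {t.inside_local[0]} is not in {lan}; NAT ACL too broad?")
        if t.outside_local[0] not in resolvers:
            findings.append(f"DNS sent to unexpected resolver {t.outside_local[0]}")
        if t.outside_local != t.outside_global:
            findings.append(f"outside address rewritten for {t.outside_local[0]}")
    return count, seen, findings


if __name__ == "__main__":
    rows = parse_nat_table(SAMPLE_NAT_TABLE)
    count, seen, findings = check_dns_translations(
        rows, "192.168.22.0/24", ["80.69.98.110", "217.20.112.194", "217.70.142.66"]
    )
    print(f"{count} DNS flows to {len(seen)} resolver(s); findings: {findings or 'none'}")
```

Paste the live output of "show ip nat translations" in place of the sample to run it against your own router; an empty findings list with a non-zero flow count means the LAN queries are leaving the box correctly.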

Benjamin

I tried the DNS servers you are using and get the same error messages. Can you try using a public DNS server in your nslookup and see if it works, e.g. on Windows:

nslookup www.sun.com 8.8.8.8   <-- where 8.8.8.8 is the google public DNS server

Jon
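Jon's suggestion is to test each resolver directly rather than trusting the list handed out by DHCP. The script below is an added example (not from the thread or from any Cisco tool) that does the same thing programmatically: it builds a minimal recursive A query, sends it to each server on UDP/53, and classifies the reply from the 12-byte DNS header the way the nslookup messages above do, distinguishing "recursion not available" (RA flag clear) from SERVFAIL, REFUSED and a normal answer. The replies used in the self-test are constructed bytes; query_server() does real network I/O and assumes UDP/53 to the server is reachable. The server list in the main block is the thread's three ISP resolvers plus 8.8.8.8.

```python
"""Classify DNS replies the way nslookup/dig report them, one resolver at a time.

Added example, not from the thread. Constructed sample replies exercise the
classifier offline; query_server() performs the live per-server check Jon
suggested (assumption: UDP/53 to the server is reachable).
"""
import os
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}

QR_BIT, RD_BIT, RA_BIT = 0x8000, 0x0100, 0x0080  # header flag bits (RFC 1035)


def build_query(name, qid=None):
    """Return a standard recursive (RD=1) A query for `name`."""
    if qid is None:
        qid = struct.unpack(">H", os.urandom(2))[0]
    header = struct.pack(">HHHHHH", qid, RD_BIT, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.rstrip(".").split(".")
    )
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def build_reply(qid, ra, rcode, ancount=0):
    """Constructed reply header for testing: QR set, RD echoed, RA and RCODE as given."""
    flags = QR_BIT | RD_BIT | (RA_BIT if ra else 0) | (rcode & 0xF)
    return struct.pack(">HHHHHH", qid, flags, 1, ancount, 0, 0)


def classify_reply(query, reply):
    """Return a one-line verdict for `reply` to `query`, mirroring nslookup's diagnostics."""
    if len(reply) < 12:
        return "truncated reply"
    qid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    if qid != struct.unpack(">H", query[:2])[0]:
        return "reply ID mismatch (ignored)"
    if not flags & QR_BIT:
        return "not a response"
    if not flags & RA_BIT:
        # A resolver handed to clients must recurse for them; RA clear is
        # what nslookup reported as "Got recursion not available".
        return "recursion not available"
    rcode = flags & 0xF
    if rcode != 0:
        return RCODES.get(rcode, f"RCODE {rcode}")
    return f"NOERROR, {ancount} answer(s)"


def query_server(server, name, timeout=2.0):
    """Send one query to `server` on UDP/53 and classify whatever comes back."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "timeout (UDP/53 blocked or server down)"
    return classify_reply(q, reply)


if __name__ == "__main__":
    for srv in ("80.69.98.110", "217.20.112.194", "217.70.142.66", "8.8.8.8"):
        print(f"{srv:16} {query_server(srv, 'www.sun.com')}")
```

Run it from a LAN host: a resolver that answers "recursion not available" or SERVFAIL for an ordinary public name is unusable as a client DNS server regardless of how the router is configured, which is what the thread ultimately found.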

Very good point. Obviously my addresses were sort of broken. Thanks!

I'm only wondering why DNS resolution is working on the router. Maybe it automatically uses a different server obtained by DHCP?

Is there maybe a way to let the dns-servers be configured automatically, so that I don't have to bother about correctness?

What is handing out the DHCP addresses? Is it your router?

I am slightly confused because I assume you are handing out the same DNS servers that your router is using? Is this not the case?

As to your answer about doing it automatically, not really. You need to enter the correct public DNS servers into the DHCP scope so your clients get the correct address.

The alternative approach which is quite common is to have a server(s) internally for DHCP and DNS. Your clients then use the internal server for DNS. This server is then configured to forward DNS queries to your ISP DNS servers. However you still need to configure correct DNS servers on the internal DNS server.

Which one you use really depends on the size of your network etc. A large network will usually have a lot of internal servers etc. which need to be resolved so you have internal DNS servers for this and configure them to forward unknown DNS queries to your ISP.

Jon

I configured the ISR 861 router to hand out the same three DNS servers to its DHCP clients as it is using itself. That's why I'm wondering why address resolution was working on the router but not from the hosts inside its network. I was thinking that maybe the ISR 861, as a DHCP client, used another DNS server obtained by DHCP, which I didn't tell it explicitly.

Ben
