05-26-2015 11:15 AM - edited 03-08-2019 12:11 AM
Is it best practice to disable ip domain lookup on switches and routers? I see the ip name-server commands issued, but should I also issue no ip domain-lookup as well, and why or why not?
05-26-2015 11:43 AM
Hi,
The no ip domain lookup command is usually seen in configurations. By default, any single word entered on a command line that is not recognized as a valid command is considered a hostname by the router, and the router will by default try to telnet to that hostname. This is extremely annoying, especially when you make a simple typo, as the router will try to translate that typo into an IP address. If you do not have a DNS server configured, the command line will stall for several seconds until the DNS request times out.
Quite frankly, it does not make much sense to have both ip name-server and no ip domain lookup configured. The no ip domain lookup tells the router to stop interacting with any DNS servers entirely. Having a DNS server configured is then a useless thing because it is not going to be used, anyway.
What could be considered a more proper way of doing things, however, is this: Have the DNS server configured using the ip name-server command, and at the same time, on all lines (con 0, aux 0, vty 0 15), deactivate the automatic action of telnetting into all "words" that look like hostnames:
line con 0
 transport preferred none
line aux 0
 transport preferred none
line vty 0 15
 transport preferred none
This way, you can have your cake, and eat it, too :)
Best regards,
Peter
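As an added example, not part of Peter's post or of any Cisco tool, here is a small Python audit that reads an IOS-style running-config and checks it against the pattern described above: DNS left usable via ip name-server, with every line section refusing the implicit telnet through transport preferred none. The sample config is constructed for illustration.

```python
import re

# Constructed sample running-config following the pattern described above:
# DNS stays enabled via ip name-server, and each line disables the
# implicit telnet-on-unknown-word behaviour with "transport preferred none".
SAMPLE_CONFIG = """\
hostname R1
ip name-server 192.0.2.53
!
line con 0
 transport preferred none
line aux 0
 transport preferred none
line vty 0 4
 transport preferred none
line vty 5 15
 transport preferred none
!
end
"""


def audit_domain_lookup(config: str) -> dict:
    """Summarise the DNS and line settings discussed in the thread.

    lookup_enabled: False when "no ip domain lookup" / "no ip domain-lookup" is set
    name_servers:   addresses configured with ip name-server
    lines_missing:  line sections lacking "transport preferred none"
    consistent:     True when DNS is usable and every line refuses auto-telnet,
                    or when lookup is disabled and no name servers are configured
    """
    lookup_enabled = re.search(r"^no ip domain[- ]lookup\b", config, re.M) is None
    name_servers = []
    for m in re.finditer(r"^ip name-server\s+(.+)$", config, re.M):
        name_servers.extend(m.group(1).split())
    lines_missing = []
    # A line section is "line <id>" followed by its indented sub-commands.
    for m in re.finditer(r"^line (.+?)\n((?: .*\n)*)", config, re.M):
        if not re.search(r"^ transport preferred none$", m.group(2), re.M):
            lines_missing.append(m.group(1))
    consistent = (lookup_enabled and bool(name_servers) and not lines_missing) \
        or (not lookup_enabled and not name_servers)
    return {
        "lookup_enabled": lookup_enabled,
        "name_servers": name_servers,
        "lines_missing": lines_missing,
        "consistent": consistent,
    }
```

Feeding it a config that combines ip name-server with no ip domain lookup, the pairing Peter calls pointless, reports consistent as False.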
10-27-2018 03:20 PM
02-28-2019 05:02 AM
Thanks for the explanation! Great for novices! Great for me!
11-29-2019 07:00 PM
thanks much!
02-27-2020 06:50 AM
Hi Peter,
It's really a great explanation, but I think we still need to configure the ip domain-name command in case we need to enable SSH on the switch/router. So it does make sense sometimes to enable ip domain-name to be used later on for SSH configuration, and then put in the no ip domain lookup command to stop the router or switch from querying DNS for typos.
Regards,
Hossam
03-01-2020 03:55 PM
Hi,
You don't need to configure a domain name to generate SSH keys. The SSH keys need a label/name (in order to be later recalled from other containers, like crypto trustpoints), and unless you specify the label when you generate the keys, it will take the "hostname.domain-name" label, hence the so-called requirement to configure domain-name.
Go on a device, don't configure domain-name, and generate the keys but specify a label when doing it. It will work.
Regards,
Cristian Matei.
06-24-2020 06:16 AM
You explained well, thanks.
04-02-2023 04:50 AM
Really nice explanation from Peter!