dbuckley77
Beginner

NO ip-domain lookup

Is it best practice to disable ip domain lookup on switches and routers? I see the ip name-server commands issued, but should I also issue no ip domain lookup as well, and why or why not?

Peter Paluch
Hall of Fame Cisco Employee

Hi,

The no ip domain lookup command is usually seen in configurations. By default, any single word entered on a command line that is not recognized as a valid command is considered a hostname by the router, and the router will by default try to telnet to that hostname. This is extremely annoying, especially when you make a simple typo, as the router will try to translate that typo into an IP address. If you do not have a DNS server configured, the command line will stall for several seconds until the DNS request times out.

Quite frankly, it does not make much sense to have both ip name-server and no ip domain lookup configured. The no ip domain lookup tells the router to stop interacting with any DNS servers entirely. Having a DNS server configured is then a useless thing because it is not going to be used, anyway.

What could be considered a more proper way of doing things, however, is this: Have the DNS server configured using the ip name-server command, and at the same time, on all lines (con 0, aux 0, vty 0 15), deactivate the automatic action of telnetting into all "words" that look like hostnames:

line con 0
 transport preferred none
line aux 0
 transport preferred none
line vty 0 15
 transport preferred none

This way, you can have your cake, and eat it, too :)

Best regards,
Peter

Great explanation, Peter! Thanks!
John Hobbs
Houston, TX USA
- a Friendly American

Thanks for the explanation! Great for novices! Great for me!

thanks much!

Hi Peter,

It's really a great explanation, but I think we still need to configure the ip domain-name command in case we need to enable SSH on the switch/router. So it does make sense sometimes to enable ip domain-name to be used later on for the SSH configuration, and then put the no ip domain lookup command in to stop the router or switch from querying DNS for typos.

Regards,

Hossam

Hi,

You don't need to configure a domain name to generate SSH keys. The SSH keys need a label/name (in order to be later recalled from other containers, like crypto trustpoints), and unless you specify the label when you generate the keys, it will take the "hostname.domain-name" label, hence the so-called requirement to configure a domain-name.

Go on a device, don't configure a domain-name, and generate the keys but specify a label when doing it. It will work.

Regards,

Cristian Matei.
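Putting Peter's and Cristian's points together, here is a complete example configuration, added here and not taken from either reply: DNS resolution stays enabled with a name server, every line gets transport preferred none so a mistyped word is not telnetted to, and the SSH key pair is generated with an explicit label so no ip domain-name is needed. The hostname, the name-server address 192.0.2.53 and the key label SSH-KEYS are constructed values; binding the labelled pair to SSH with ip ssh rsa keypair-name is my assumption about the platform, and login/AAA configuration for the vty lines is left out.

```cisco
! Added example configuration (not from the thread). The hostname,
! 192.0.2.53 and the key label SSH-KEYS are constructed values.
hostname R1
!
! Keep DNS resolution working for ping, traceroute and friends. This is
! the default, so "ip domain lookup" normally does not show in the
! running config; it is spelled out here to make the intent explicit.
ip domain lookup
ip name-server 192.0.2.53
!
! Stop the CLI from treating an unrecognised word as a hostname to telnet to.
line con 0
 transport preferred none
line aux 0
 transport preferred none
line vty 0 15
 transport preferred none
 ! accept only SSH inbound on the vty lines (login/AAA config omitted here)
 transport input ssh
!
! Generate the RSA pair with an explicit label, so the hostname.domain-name
! default label is never needed and no "ip domain-name" is configured.
crypto key generate rsa general-keys label SSH-KEYS modulus 2048
!
! Bind SSH to that labelled pair (assumption: ip ssh rsa keypair-name is
! supported on the platform) and require SSH version 2.
ip ssh rsa keypair-name SSH-KEYS
ip ssh version 2
```

After applying this, show ip ssh should report SSH enabled with version 2, and a typo at the prompt returns immediately with an invalid-input error instead of stalling on a DNS query.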

You explained well, thanks.