Using 2600 Router to select different DNS at different times of day

Talha Abbasi
Level 1

Hello all.

Stuck in a situation, and need some advice.

We use OpenDNS for our DNS services.  However, we want to use GoogleDNS at the end of the business day, and then revert back to OpenDNS the next morning, start of business day.

My thinking is to use time-range ACLs on port 53 to accomplish this.  All clients are set to acquire DNS automatically via the DHCP (our Cisco 2600 router is also acting as DHCP).

Below are chunks from the running-config (of our test router):

 

DHCP setup

ip dhcp pool DHCP
   import all
   network 192.168.25.0 255.255.255.0
   default-router 192.168.25.254
   dns-server 208.67.220.220 8.8.8.8
   lease 3

ip name-server 8.8.8.8

 

Time Range setup

time-range GoogleDNS
 periodic weekdays 16:00 to 11:59
!
time-range OpenDNS
 periodic weekdays 00:00 to 15:59
 

ACL Statements

permit udp any host 208.67.220.220 eq domain time-range OpenDNS
permit udp any host 8.8.8.8 eq domain time-range GoogleDNS
deny udp any any eq domain

 

Assign ACL to Router interface

interface FastEthernet0/1
ip access-group Permit_Deny in

 

The router has the correct clock time via the configured NTP server.

We are getting inconsistent results from our client machines, as in some machines use OpenDNS, some use GoogleDNS, etc.

Any advice/guidance to get this to work is highly appreciated.

 

 

7 Replies

Jon Marshall
Hall of Fame

What do the ACLs show when you switch over between DNS servers, i.e. if you add logging for just those lines you might see what the router is doing.

I assume that all traffic has to go via the fa0/1 interface to get out to the Internet?

There may be an alternative if this doesn't work but that depends on whether your router can act as a DNS server ie.

router(config)# ip dns server

if it could then you could set the DNS server in the DHCP pool to be the router.

Then you could use an EEM applet to change the name server your router forwards queries to based on the time of day.

I should say I have never done that so I can't guarantee it would work and it really depends on whether your router supports that command.

But it is a possible option.

Jon

 

Hi Jon,

Thank you for the response.

The ACLs show (inactive) or (active) depending on the time-range allocated.

We are using the router as a DNS as well within the DHCP pool configuration.

So with further testing what we are seeing is that machines connected via hardwire, that normally don't shut off, seem to switch back and forth between the two DNS servers.

Machines via wifi, that disconnect at end of day and then reconnect in the morning, we are seeing different results.  

One thing, I'm thinking, we can do is manually insert the two DNS IP addresses in each client, will test.

Thanks for the response.

"We are using the router as a DNS as well within the DHCP pool configuration."

I can't see that in your configuration?

Jon

Jon,

I might be getting confused here, but is this what you mean?

DHCP setup

ip dhcp pool DHCP
   import all
   network 192.168.25.0 255.255.255.0
   default-router 192.168.25.254
   dns-server 208.67.220.220 8.8.8.8
   lease 3

ip name-server 8.8.8.8

No, what I meant was your router may be able to act as a DNS server.

The DHCP configuration is simply handing out DNS IPs to the clients.

What I was suggesting was if your router could act as a DNS server then you could put the router IP address in the DHCP pool.

Then you can configure which DNS server(s) your router uses to send queries to.

If you could do that then you could run an EEM applet based on the time and modify the configuration of your router so you can control which DNS server it uses to send queries to.

However I don't have access to an IOS that supports the command "ip dns server" so I cannot test it.

It was just a suggestion as to what might be possible.

Jon
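
Jon's suggestion above, sketched as an IOS configuration. This is an added example, not a configuration posted by anyone in the thread and not tested on a 2600: the applet names are hypothetical, 192.168.25.254 is assumed to be the router's own LAN address, and the image is assumed to support `ip dns server` and EEM cron timers.

```cisco
! Added example. Addresses and switch-over times (16:00 and 00:00 on
! weekdays) are taken from the original post; applet names are made up.
!
! Router answers client DNS queries and forwards them upstream.
ip domain-lookup
ip dns server
ip name-server 208.67.220.220
!
! Clients get only the router as resolver, so the upstream choice is
! made in one place instead of on every client.
ip dhcp pool DHCP
   network 192.168.25.0 255.255.255.0
   default-router 192.168.25.254
   dns-server 192.168.25.254
   lease 3
!
! 16:00 Monday to Friday: forward to Google DNS.
event manager applet DNS-TO-GOOGLE
 event timer cron name DNS-TO-GOOGLE cron-entry "0 16 * * 1-5"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "no ip name-server 208.67.220.220"
 action 4.0 cli command "ip name-server 8.8.8.8"
 action 5.0 cli command "end"
 action 6.0 syslog msg "DNS forwarder changed to 8.8.8.8"
!
! 00:00 Monday to Friday: forward to OpenDNS again.
! Friday's 16:00 change therefore stays in effect until Monday 00:00.
event manager applet DNS-TO-OPENDNS
 event timer cron name DNS-TO-OPENDNS cron-entry "0 0 * * 1-5"
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "no ip name-server 8.8.8.8"
 action 4.0 cli command "ip name-server 208.67.220.220"
 action 5.0 cli command "end"
 action 6.0 syslog msg "DNS forwarder changed to 208.67.220.220"
```

With `ip dns server` enabled the router answers queries on every interface, so inbound port 53 should be filtered on the Internet-facing interface to keep it from acting as an open resolver. After a reload the forwarder is whatever `ip name-server` line was last saved, until the next cron event fires.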

ah ok.  sorry for my confusion.

will test it out.

just as an update, it seems that the setup mentioned in my original post seems to be working now, consistent results and no complaints from the users.

but will check out your suggestion as well.

thanks again for the help.

Okay, thanks for letting me know.

To be honest if your solution is working I would stick with that one :-)

Jon