Dear Terence,

thank you for your reply. We were trying to avoid route leaking from the Global VRF to my_vrf and assumed that the command

ip name-server vrf my_vrf 192.168.1.1

would send domain lookups into this VRF as shown with

show host vrf my_vrf
Name lookup view: my_vrf
Default domain is not set
Name/address lookup uses domain service
Name servers are 192.168.1.100
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)

We are wondering what the intended use of these commands is.

Is there a possibility to avoid route leaking and still reach a domain server that is in a VRF.

thanks, aurinoco_cisco

Hi Aurinoco,

The command "ip name-server vrf my_vrf 192.168.1.1" implies that the dns server 192.168.1.1 is in vrf "my_vrf" and only that specific vrf unless some sort of route leaking is done. Basically when you configure a vrf, all services related to that specific vrf needs to be vrf aware. 

HTH.

Regards,

Terence

Dear Terence,

thank you once again!!

Does this mean that it is the domain-lookup service that is not VRF aware, and we therefore can't use a DNS server in a VRF without route leaking?

best,

aurinoco_cisco

We have the same problem, we are running fuji latest release 16.8.1a. We have even configured "source interface vrf" for dns, and even with this it doesn't work.

I think because it is for the following reasons:

* we have 3 VRF: global, IT & mgmt

* only IT & mgmt have ip interfaces. the global does not have any ip interfaces.

ip name-server vrf IT 1.1.1.1 2.2.2.2

ip name-server vrf Mgmt-vrf 1.1.1.1 2.2.2.2
ip domain list vrf IT DOMAIN1.COM
ip domain list vrf Mgmt-vrf DOMAIN1.COM

no ip domain lookup (=assuming this disabled dns lookup in the global vrf only)
ip domain lookup vrf IT source-interface Loopback0 (Lo0 = part of vrf IT)
ip domain lookup vrf Mgmt-vrf source-interface GigabitEthernet0/0 (Gi0/0= part of vrf Mgmt-vrf)
ip domain name vrf IT DOMAIN1.COM
ip domain name vrf Mgmt-vrf DOMAIN1.COM

because the global does not have any ip interfaces, we have not defined anything for dns in the "default" vrf.

however, it seems the "no ip domain-lookup" disables DNS in all VRFs:

ping SERVER1

% Unrecognized host or address, or protocol not running.

ping vrf IT SERVER1

% Unrecognized host or address, or protocol not running.

ping vrf Mgmt-vrf SERVER1

% Unrecognized host or address, or protocol not running.

i think this is wrong.

Anyway, after enabling "ip domain lookup", dns does not work in the default vrf (as expected)

it does not work in the Mgmt-vrf

and in the IT vrf it sometimes works and sometimes not (then you get: protocol not running ??)

I don't know why this is, both VRF are configured alike. Both have a default route towards the destination.

I am connected to the router via the Gi0/0 interface (so via Mgmt-vrf). Don't know if this makes a difference.

Also "show ip dns servers" gives inconsistent output:

#sh ip dns servers

IP VRF TTL(s) RTT(ms) RTO(ms) EDNS DNSSEC RECURSION
-----------------------------------------------------------------------------
1.1.1.1 Mgmt-vr 683 1000 64000 Yes Yes Yes
2.2.2.2 IT 869 1451 1451 No Yes Yes
2.2.2.2 Mgmt-vr 685 1000 119000 Yes Yes Yes

note how EDNS is different in the IT and Mgmt-vrf , although it are the same dns servers

I will update this with my case. I was working with Cisco tech and it seems that vrf aware DNS is not supported on specific platform/ IOS image version in my case

Hello,

I have the same issue with WS-3850-12S-E, both IOS-XE 3.7.0 & 3.7.5. Is there any list of firmware versions or appliances which are not working ?

Has anybody resolved it e.g. with TAC? or is it fixed in some specific release?

Thank you for reply.

BR Martin Orlich