Beginner

VRF - DNS issue

I have two internet connections. I put Comcast into its own VRF; AT&T is in the global routing table. I use PBR to route some traffic to Comcast and some to AT&T. Everything works, BUT DNS queries which are sent to the Comcast VRF. All the traffic through the VRF works (TCP, UDP, ICMP) but I can't push DNS through it.

I use 8.8.8.8 and 1.1.1.1 as DNS.

When I created a local DNS server which uses the AT&T (global routing) path, it works.

SHORT: DNS queries do not go through the VRF.


Beginner

Re: VRF - DNS issue

I found the problem, but I have no idea how to solve it.

DNS queries from subnet 192.168.10.0/24 do not get NATed.

All other packets from the subnet 192.168.10.0/24 do get NATed.

I have no idea why NAT does not work for DNS query packets. From the client I can ping the DNS server without problem, but when I do a sniffer trace I do see that the DNS query passes with NAT.

Beginner

Re: VRF - DNS issue

Hello,

Could you clarify some points please?

When you said everything is working, do you mean from both inside interfaces, gi0/1 and gi0/2?

According to the configuration, you have 192.168.10.0 NATed from gi0/1. Where is it located? On another core connected and routed through OSPF?

From which source network are you trying? 192.168.10.0/24?

On Gi0/2 you are sending all internet traffic to 192.168.11.254, is that correct?

Note: I don't know if you wanna match RFC1918 networks in your PBR ACL, but this line is incorrect:

deny ip 192.168.10.0 0.0.0.255 172.30.0.0 0.0.255.255

should be:
deny ip 192.168.10.0 0.0.0.255 172.16.0.0 0.15.255.255

Thanks,
Beginner

Re: VRF - DNS issue

Yes, I send all traffic from gig0/2 to 192.168.11.254. NO ISSUE HERE.

For simplicity:

2 subnets coming from gig 0/1

      192.168.200.0/24 should go out int fast 0/0/3 (VLAN 50), and it does. NO ISSUE HERE.

      192.168.10.0/24 should go out int gig 0/0. I am doing a sniffer trace between int gig 0/0 and the Comcast router. I can see that all packets from 192.168.10.0/24 do get NATed to IP 73.168.139.247, which is on int gig0/0. BUT DNS query packets do not get NATed.

In the picture both packets (ICMP and DNS) come from the same host.

Beginner

Re: VRF - DNS issue

Can you post the result of

show ip nat translation ?

You can also try

ip access 100 permit 192.168.10.92 0.0.0.0

debug ip packet 100

on the router; just be sure to use the right ACL to match your source IP.

Beginner

Re: VRF - DNS issue

I have no idea why NAT skips DNS traffic.

PBR2 and then nat-deset should match all IP traffic, including DNS queries, right?

Beginner

Re: VRF - DNS issue

According to your debug,
udp 73.168.*.*:64305 192.168.10.92:64305 1.1.1.1:53 1.1.1.1:53
udp 73.168.*.*:64305 192.168.10.92:64305 8.8.8.8:53 8.8.8.8:53
NAT seems to be good. Is 73.168.139.247 the IP address on gi0/0?
So please post a
sho ip route vrf comcast
Beginner

Re: VRF - DNS issue

Yes, it is the IP

Beginner

Re: VRF - DNS issue (Accepted Solution)

If I am right, your NAT should be something like this:
ip nat inside source list nat-deset interface gi0/0 vrf comcast overload

Beginner

Re: VRF - DNS issue

It WORKS! THANK YOU

but

when I deleted the first one,

ip nat inside source list nat-deset interface GigabitEthernet0/0 overload

it did not work. I need both, and then everything works.

Do you have any logical explanation why I need both of them?

Beginner

Re: VRF - DNS issue

I am glad it is working now.
I have no explanation right now why you need both NAT statements, and I'm a little bit tired to test it (again) in the lab :)

I will look at that another time!