I have this problem. My WAN sites get IP addresses from the DHCP server in the datacenter. DHCP says the DNS servers are the local corporate DNS servers (also in the DC). So what happens when the tunnel from the WAN site to the DC goes down?
Users can’t even surf facebook. Oh the horror. But really, users shouldn’t have their Internet access cut off just because the DC lost power or was sacrificed to a volcano god. Especially since we use hosted services. Email should always work, even if head office is down!
What we need is for DNS requests for myspace and reddit to go to the regular public DNS server, and requests for theservers.localdomain.lan to go to the corporate DNS servers.
Turns out there’s-an-app-for-that using dns-views within the router…
You start off by defining which stuff is “corporate” and which is public. And really; anything that isn’t corporate should be public, which makes it easier!
ip dns name-list 1 permit .*.CORPORATE.LAN ip dns name-list 1 permit 10\.IN-ADDR
These are regular expressions. I don’t know anything about regex except that it’s magical. The first one basically matches anything.corporate.lan which is clearly important, and the other one matches reverse lookups for addresses within 10.0.0.0/8. I bet somebody has a better regex for this because A) I don’t know DNS and B) I don’t know regex 😀
Next we have to define the DNS views where we describe which DNS servers to use for different cases.
ip dns view corporate-internal ! Corporate DNS system info domain list corporate.lan ! List of domains to append to short-name lookups domain name-server 10.0.0.11 ! DNS server 1 domain name-server 10.0.0.12 ! DNS server 2 domain resolver source-interface Tunnel1 ! Which interface to source the query from - must be "internal" domain round-robin ! Allows for round-robin replies (you'll know if you need this, safe default) dns forwarder 10.0.0.11 ! DNS server 1 dns forwarder 10.0.0.12 ! DNS server 2 dns forwarding source-interface Tunnel1 ! Again, internal interface ip dns view default ! non corporate DNS domain timeout 1 ! A shorter timeout (default is 3 seconds) domain resolver source-interface Vlan1 ! Could use the nat-outside interface also dns forwarder 18.104.22.168 ! Some public DNS servers dns forwarder 22.214.171.124 dns forwarding source-interface Vlan1
Now that the views are configured, it’s time for the view-list. This is where we tie the two snippets above together. It’s a bit like route-maps… Anyways, you restrict a view to certain name patterns (defined with the regex stuff), and it’s an ordered list so you can match specifics before matching broader rules.
ip dns view-list corporate-view view corporate-internal 10 restrict name-group 1 ! This matches the regex things view default 99
The default line is a catch-all that excludes nothing, so it’s a bit empty. The last bit is to enable the IOS DNS server and configure the interfaces.
ip dns server view-group corporate-view ip dns server interface Vlan1 ip dns view-group corporate-view end
Now for the complete working example:
ip name-server 126.96.36.199 ip name-server 188.8.131.52 ! interface Vlan1 ip dns view-group corporate-view ! ip dns view corporate-internal domain list corporate.lan domain name-server 10.0.0.11 domain name-server 10.0.0.12 domain resolver source-interface Tunnel1 domain round-robin dns forwarder 10.0.0.11 dns forwarder 10.0.0.12 dns forwarding source-interface Tunnel1 ! ip dns view default domain timeout 1 domain resolver source-interface Vlan1 dns forwarder 184.108.40.206 dns forwarder 220.127.116.11 dns forwarding source-interface Vlan1 ! ip dns view-list corporate-view view corporate-internal 10 restrict name-group 1 view default 99 ip dns name-list 1 permit .*.CORPORATE.LAN ip dns name-list 1 permit 10\.IN-ADDR ip dns server view-group corporate-view ip dns server