Cisco Split DNS On a Router

I have this problem. My WAN sites get IP addresses from the DHCP server in the datacenter. DHCP says the DNS servers are the local corporate DNS servers (also in the DC). So what happens when the tunnel from the WAN site to the DC goes down?

Users can’t even surf facebook. Oh the horror. But really, users shouldn’t have their Internet access cut off just because the DC lost power or was sacrificed to a volcano god. Especially since we use hosted services. Email should always work, even if head office is down!

What we need is for DNS requests for myspace and reddit to go to the regular public DNS server, and requests for theservers.localdomain.lan to go to the corporate DNS servers.

Turns out there’s-an-app-for-that: DNS views within the router…

You start off by defining which stuff is “corporate” and which is public. And really, anything that isn’t corporate should be public, which makes it easier!

ip dns name-list 1 permit .*.CORPORATE.LAN
ip dns name-list 1 permit 10\.IN-ADDR

These are regular expressions. I don’t know anything about regex except that it’s magical. The first one basically matches anything.corporate.lan, which is clearly important, and the other one matches reverse lookups for addresses within 10.0.0.0/8. I bet somebody has a better regex for this because A) I don’t know DNS and B) I don’t know regex 😀

Next we have to define the DNS views where we describe which DNS servers to use for different cases.

ip dns view corporate-internal  ! Corporate DNS system info
 domain list corporate.lan      ! List of domains to append to short-name lookups
 domain name-server 10.0.0.11   ! DNS server 1
 domain name-server 10.0.0.12   ! DNS server 2
 domain resolver source-interface Tunnel1     ! Which interface to source the query from - must be "internal"
 domain round-robin            ! Allows for round-robin replies (you'll know if you need this, safe default)
 dns forwarder 10.0.0.11       ! DNS server 1
 dns forwarder 10.0.0.12       ! DNS server 2
 dns forwarding source-interface Tunnel1     ! Again, internal interface
ip dns view default            ! non corporate DNS
 domain timeout 1              ! A shorter timeout (default is 3 seconds)
 domain resolver source-interface Vlan1  ! Could use the nat-outside interface also
 dns forwarder 208.67.222.222  ! Some public DNS servers
 dns forwarder 208.67.220.220
 dns forwarding source-interface Vlan1

Now that the views are configured, it’s time for the view-list. This is where we tie the two snippets above together. It’s a bit like route-maps… Anyways, you restrict a view to certain name patterns (defined with the regex stuff), and it’s an ordered list so you can match specifics before matching broader rules.

ip dns view-list corporate-view
 view corporate-internal 10
  restrict name-group 1    ! This matches the regex things
 view default 99

The default line is a catch-all that excludes nothing, so it’s a bit empty. The last bit is to enable the IOS DNS server and configure the interfaces.

ip dns server view-group corporate-view
ip dns server
interface Vlan1
 ip dns view-group corporate-view
end

Now for the complete working example:

ip name-server 208.67.222.222
ip name-server 208.67.220.220
!
interface Vlan1
 ip dns view-group corporate-view
!
ip dns view corporate-internal
 domain list corporate.lan
 domain name-server  10.0.0.11
 domain name-server  10.0.0.12
 domain resolver source-interface Tunnel1
 domain round-robin
 dns forwarder 10.0.0.11
 dns forwarder 10.0.0.12
 dns forwarding source-interface Tunnel1
!
ip dns view default
 domain timeout 1
 domain resolver source-interface Vlan1
 dns forwarder 208.67.222.222
 dns forwarder 208.67.220.220
 dns forwarding source-interface Vlan1
!
ip dns view-list corporate-view
 view corporate-internal 10
  restrict name-group 1
 view default 99
ip dns name-list 1 permit .*.CORPORATE.LAN
ip dns name-list 1 permit 10\.IN-ADDR
ip dns server view-group corporate-view
ip dns server
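To make the view selection concrete, here is an added Python example (not from the post, and not Cisco code) that parses the name-list and view-list lines of the config above and works out which view, and therefore which forwarders, a given query name would be sent through. It assumes IOS tries name-list entries in order with the first matching entry deciding and no match meaning deny, that matching is case-insensitive and unanchored, and that the two patterns on this page behave the same under Python's re module as in the IOS regex engine (they only use `.`, `*` and `\.`). The TIGHTER_NAME_LIST patterns are an added suggestion, not the post's config, and are there to show what the unescaped dots and missing anchors in the originals let through.

```python
import re

# Constructed copy of the matching-related lines from the router config in the post.
# The views' name-server and source-interface lines are omitted; only forwarders are kept.
ROUTER_CONFIG = r"""
ip dns view corporate-internal
 dns forwarder 10.0.0.11
 dns forwarder 10.0.0.12
ip dns view default
 dns forwarder 208.67.222.222
 dns forwarder 208.67.220.220
ip dns view-list corporate-view
 view corporate-internal 10
  restrict name-group 1
 view default 99
ip dns name-list 1 permit .*.CORPORATE.LAN
ip dns name-list 1 permit 10\.IN-ADDR
"""


def parse_config(text):
    """Pull name-lists, views (forwarders only) and the ordered view-list out of IOS config text."""
    name_lists, views, view_list = {}, {}, []
    section = None  # ("view", name) or ("view-list", name) while inside an indented block
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank line or IOS comment
        if m := re.fullmatch(r"ip dns name-list (\d+) (permit|deny) (.+)", line):
            name_lists.setdefault(m[1], []).append((m[2], m[3]))
            section = None
        elif m := re.fullmatch(r"ip dns view-list (\S+)", line):
            section = ("view-list", m[1])
        elif m := re.fullmatch(r"ip dns view (\S+)", line):
            section = ("view", m[1])
            views.setdefault(m[1], [])
        elif section and section[0] == "view-list":
            if m := re.fullmatch(r"\s+view (\S+) (\d+)", line):
                view_list.append({"view": m[1], "order": int(m[2]), "name_group": None})
            elif m := re.fullmatch(r"\s+restrict name-group (\d+)", line):
                view_list[-1]["name_group"] = m[1]
        elif section and section[0] == "view":
            if m := re.fullmatch(r"\s+dns forwarder (\S+)", line):
                views[section[1]].append(m[1])
    view_list.sort(key=lambda e: e["order"])  # lower order number is tried first
    return {"name_lists": name_lists, "views": views, "view_list": view_list}


def name_list_permits(entries, qname):
    """Assumed IOS name-list semantics: entries are tried in order, the first regex that
    matches decides (permit/deny), and a name that matches nothing is denied.
    Assumption: matching is case-insensitive and unanchored (search, not full match)."""
    for action, pattern in entries:
        if re.search(pattern, qname, re.IGNORECASE):
            return action == "permit"
    return False


def select_view(cfg, qname):
    """Walk the view-list in order; a view without 'restrict' is the catch-all."""
    for entry in cfg["view_list"]:
        group = entry["name_group"]
        if group is None or name_list_permits(cfg["name_lists"].get(group, []), qname):
            return entry["view"]
    return None


def forwarders_for(cfg, qname):
    """Return (view name, forwarder list) a query for qname would be sent through."""
    view = select_view(cfg, qname)
    return view, cfg["views"].get(view, [])


# Added suggestion (not the post's config): literal dots and an end anchor, so only
# names that really end in .corporate.lan or live in the 10/8 reverse zone are matched.
TIGHTER_NAME_LIST = [
    ("permit", r"\.corporate\.lan$"),
    ("permit", r"\.10\.in-addr\.arpa$"),
]


def compare_patterns(cfg, qname):
    """True when the post's regexes and the tighter ones disagree about qname."""
    loose = name_list_permits(cfg["name_lists"]["1"], qname)
    tight = name_list_permits(TIGHTER_NAME_LIST, qname)
    return loose != tight


if __name__ == "__main__":
    cfg = parse_config(ROUTER_CONFIG)
    # Constructed query names: two intended cases, two reverse lookups, two look-alikes.
    for q in ["fileserver.corporate.lan", "www.reddit.com",
              "25.1.0.10.in-addr.arpa", "25.1.0.192.in-addr.arpa",
              "1.2.3.210.in-addr.arpa", "www.corporate-lan.example.com"]:
        view, fwd = forwarders_for(cfg, q)
        print(f"{q:32} -> {view:18} {fwd}  loose/tight disagree: {compare_patterns(cfg, q)}")
```

Running it shows the intended names landing where the post says they should, plus two cases where the original patterns over-match: the reverse name for an address in 210.0.0.0/8 contains the substring 10.in-addr and so is sent to the corporate servers, and a public host like www.corporate-lan.example.com matches `.*.CORPORATE.LAN` because each unescaped dot matches any character. Neither case reaches the internal servers with the tighter patterns.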

One response to “Cisco Split DNS On a Router”

  1. Thanks for this sample. That was exactly what I was looking for.
    I just had to change “corporate” to make it work, but far easier than using the Cisco documentation…
    Philippe
