Solved

Cisco IOS DNS Configuration

Posted on 2010-11-11
Last Modified: 2012-05-10
Hi Experts,

I recently switched to a CISCO 1941 Router and a new Ethernet Internet Connection which I have configured. Most of the configurations were done via the CP Express setup wizard.

The router has two Ethernet Interfaces, one for the WAN and one for the LAN.

We are using SBS 2008 as our DHCP, which is also being used as a DNS server.

With the current configuration, the LAN clients are not able to resolve any external addresses. So what I have done is added the 2 Name Servers provided by my ISP as DNS forwarders on the SBS server. I can resolve addresses when I ping on the router itself e.g. www.google.com.

With the old ADSL connection and router, I never had to add the name servers as a DNS Forwarder.

Is there something in my Cisco configuration that is wrong?

Please see the running-config below:

------------------------------------------------------------------------
domain#show running-config
Building configuration...

Current configuration : 5880 bytes
!
! Last configuration change at 11:51:53 PCTime Fri Nov 12 2010 by cisco
! NVRAM config last updated at 17:31:39 PCTime Thu Nov 11 2010 by cisco
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname domain
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $@##@^$@#$@#42142352342343
!
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name domain.com.au
ip name-server 23.24.25.26
ip name-server 31.32.33.34
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2370012323
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2370012323
 revocation-check none
 rsakeypair TP-self-signed-2370012323
!
!
crypto pki certificate chain TP-self-signed-2370012323
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333730 30363139 3333301E 170D3130 31313038 30323439
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  5EE9D066 06854464 2CCECBE6 36E31785 8F28E42E 7CF7E2AA D7C1B759 D48FB6DA
  C4D6BD21 FBC27DDF AA5CFDB8 7D4228A9 DE04D9CE 6858876E B7A78ECA 8F22CE80
  BE4AA8EC D4E0CD93 D34BF049 FB365DA4 F2A811AE 071B5285 1CDEC95D EAB72311
  54050203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  300D0609 2A864886 F70D0101 04050003 81810020 7D546AE8 4CE70C1C A2DF6B77
  E174EF47 77953795 9D65FD6E E6F377B7 408CAFCE FBB14FE1 77BA436D A10F33B2
  A4ADAD5F 8E57F696 743B9889 024AD08D 0A3691D7 D8CEE9AA 3EC0F437 6AD559EF
  0BC46CEE C843DFD2 EB040D8B D38C8C85 053B2F08 9E76E5E9 8A7ECC8A F42D555F
  98738FF5 806EC31C D367B534 E97F4A70 439875
        quit
license udi pid CISCO1941/K9 sn FKDFLSKJ12323KDFD
!
!
username cisco privilege 15 secret 5 $2342#$Sdflsdkjfskdfd.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 3333 rotary 1
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 150.151.152.250 255.255.255.250
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http port 9999
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.2 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.168.1.2 987 interface GigabitEthernet0/1 987
ip nat inside source static tcp 192.168.1.2 3389 interface GigabitEthernet0/1 3389
ip nat inside source static tcp 192.168.1.2 3387 interface GigabitEthernet0/1 3387
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.2 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 192.168.1.226 22 interface GigabitEthernet0/1 22
ip nat inside source static tcp 192.168.1.11 8080 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 192.168.1.3 80 interface GigabitEthernet0/1 80
ip route 0.0.0.0 0.0.0.0 150.151.152.250
!
ip access-list extended TelSSH
 permit tcp 192.168.1.0 0.0.0.255 any eq 3333 log
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
!
no cdp run

!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class TelSSH in
 privilege level 15
 login local
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
end

domain#
------------------------------------------------------------------------

Thank you in advance.
Question by:gwlnimda
11 Comments
 

Expert Comment

by:TARJr
Sounds like an issue with your DNS server. Did you enable DNS recursion so it will use the default forwarders? If the routers are passing IP traffic then they are not the problem with DNS.

Author Comment

by:gwlnimda
Hi,

Thanks for the quick response.

DNS recursion is enabled, and is by default. I have not changed anything in our DNS server; the only differences in this picture are the new Ethernet Internet connection and the Cisco 1941 router.

Expert Comment

by:thaibn
If you use forwarders and it is working, then DNS is not being filtered or problematic at the router level. 2008 servers can function in 2 ways... forward the DNS request to other servers or resolve on its own. If you want to have it resolve on its own, make sure that the root hint servers are all available. You may need to re-install DNS on your server.

Expert Comment

by:TARJr
Test your SBS server: at the command prompt type nslookup, test the answers you get from the DNS server, and post some results.

Expert Comment

by:blue-screen
What hardware did the Cisco replace?  Most consumer-grade home routers act as a DHCP server and a DNS proxy.  They provide their own address as the DNS server in the DHCP data, and they forward all DNS requests.

Make sure the DHCP information provided by the DHCP server includes the correct information for the name server.

http://technet.microsoft.com/en-us/library/cc756865%28WS.10%29.aspx#scopedns

Expert Comment

by:mikecr
Testing/checking procedure:

1. Can you ping IP address on the internet from a workstation? I.e., 4.2.2.2 (Cisco's DNS Server)
2. Did you change the DHCP scope to reflect the new router as their gateway?
3. Can the SBS server ping anything on the internet by name using its own DNS? Can you ping on the internet if you assign the ISP's DNS to the server?
4. Does name resolution work internally when pinging other clients by DNS name?
5. Does name resolution on the internet work if you use the ISP's DNS ip on the workstation?
6. While attempting to ping anything on the internet by name, do "show ip nat translations" on the router and see if nat is showing UDP 53 traffic from the client/server.
7. Remove all static nat statements from the router and just use the global nat. Do you have the same problem?

Author Comment

by:gwlnimda
The device replaced was a Netcoom 3G10WVT Gateway that was used while waiting for our Ethernet Connection to be installed. My SBS Server worked fine with this. It was only when we switched over to the Cisco Router that this started happening.

Testing/checking procedure:

1. Can you ping IP address on the internet from a workstation? I.e., 4.2.2.2 (Cisco's DNS Server)
Yes

2. Did you change the DHCP scope to reflect the new router as their gateway?
No, same scope.

3. Can the SBS server ping anything on the internet by name using its own DNS? Can you ping on the internet if you assign the ISP's DNS to the server?
No, Yes.

4. Does name resolution work internally when pinging other clients by DNS name?
Yes.

5. Does name resolution on the internet work if you use the ISP's DNS ip on the workstation?
Yes.

6. While attempting to ping anything on the internet by name, do "show ip nat translations" on the router and see if nat is showing UDP 53 traffic from the client/server.
Yes.

7. Remove all static nat statements from the router and just use the global nat. Do you have the same problem?
Was like this from the first time the router was setup.

Even if I didn't have an SBS server with a DNS server, I should still be able to resolve addresses if I set up a static IP on one of the workstations and use 192.168.1.1 as the DNS server?

Is there a setting missing on the router to forward any dns requests to the external name servers?
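To make steps 3 and 5 of mikecr's procedure (and TARJr's nslookup suggestion) repeatable, here is a small DNS probe, added as an example; it is not code from this thread. It sends the same kind of recursive A query that nslookup sends and decodes the reply, so the SBS box, the router at 192.168.1.1 and the ISP resolvers can be compared side by side for one name. The server list and the name looked up are assumptions: the SBS address 192.168.1.2 is taken from the static NAT statements in the posted config, and the ISP address from its ip name-server lines.

```python
"""
Minimal DNS A-record probe (added example, not from the thread). Builds an
RFC 1035 query by hand, sends it over UDP/53 and parses the answer, so the
result from several name servers can be compared without relying on the
workstation's own resolver settings.
"""
import socket
import struct


def build_query(name, txid):
    """Build a standard recursive A query for `name` (RD flag set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data, expected_txid):
    """Return rcode, the RA flag and the A records found in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        # A stale or forged reply would carry a different transaction id.
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):                     # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4                         # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        rname, offset = _read_name(data, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((rname, ttl, socket.inet_ntoa(rdata)))
    return {"rcode": flags & 0x000F,
            "recursion_available": bool(flags & 0x0080),
            "answers": answers}


def resolve(name, server, timeout=2.0, txid=0x1234):
    """Query one server over UDP/53, like `nslookup name server`."""
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    return parse_response(data, txid)


def compare_servers(name, servers):
    """Run the same lookup against each server; failures show as an error name."""
    results = {}
    for server in servers:
        try:
            results[server] = resolve(name, server)
        except (socket.timeout, OSError, ValueError) as exc:
            results[server] = {"error": type(exc).__name__}
    return results


if __name__ == "__main__":
    # Assumed addresses: SBS box (from the NAT statics), the router's LAN
    # address and one ISP resolver from the posted ip name-server lines.
    for server, result in compare_servers(
        "www.google.com", ["192.168.1.2", "192.168.1.1", "23.24.25.26"]
    ).items():
        print(server, result)
```

Read the output per server: a timeout from the router is expected until something like ip dns server is configured on it; a reply from the SBS box with rcode 2 (SERVFAIL) while the ISP server returns rcode 0 with addresses points at the SBS forwarders or root hints rather than at the router, which is what the thread ends up finding. The transaction-id check is the minimal guard nslookup also applies against stale or forged replies.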

Assisted Solution

by:blue-screen
blue-screen earned 250 total points
Even if I didn't have an SBS server with a DNS server, I should still be able to resolve addresses if I set up a static IP on one of the workstations and use 192.168.1.1 as the DNS server?

NO.  Not by default, at least.  You would need to set up the IOS device to act as a DNS server or at least a DNS forwarder.  Your old device probably did that by default.

To activate the local DNS server you need the global config command

ip dns server

Which is off by default.

If the SBS server's DNS server is configured to use 192.168.1.1 as the DNS forwarder, that will cause you problems.  Either find that setting in the DNS server settings on SBS and change it, or set the IOS box to do DNS service (the former is a better solution).

It is probably also possible in the Cisco Configuration Professional GUI.  I can walk you through that if needed.
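Putting the suggestion above into a config fragment, as an added example that is neither the poster's running-config nor code from this thread: it turns on the IOS DNS server so 192.168.1.1 answers LAN lookups and forwards them to the ISP resolvers already listed in the posted ip name-server lines. The DHCP pool is only for the case where workstations should get DNS from the router instead of SBS (pool name, excluded range and the WAN_IN ACL name are assumptions). The IOS DNS server is not bound to one interface, so the last part drops DNS queries aimed at the router's WAN address (150.151.152.250 in the posted config) to avoid exposing an open resolver to the Internet.

```cisco
! Added example (not the poster's config): router as DNS forwarder for the LAN.
ip domain lookup
ip name-server 23.24.25.26
ip name-server 31.32.33.34
ip dns server
!
! Optional: hand out the router as DNS/gateway via DHCP (assumed pool name
! and excluded range; the thread keeps SBS as the DHCP server).
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp pool LAN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 192.168.1.1
!
! Do not answer DNS on the WAN side (assumed ACL name). The final permit keeps
! the rest of the inbound behaviour unchanged, since the posted config has no
! inbound ACL on GigabitEthernet0/1.
ip access-list extended WAN_IN
 deny udp any host 150.151.152.250 eq domain
 deny tcp any host 150.151.152.250 eq domain
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group WAN_IN in
```

With ip dns server active, the router's own ping by name (already working per the question) and the LAN clients' lookups use the same ip name-server list; the SBS forwarders can then point at 192.168.1.1 or directly at the ISP servers, but not both, or the loop blue-screen warns about reappears.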

Accepted Solution

by:gwlnimda
gwlnimda earned 0 total points
Hi,

I never added 192.168.1.1 as a DNS forwarder, only the ISP's external DNS servers.

I have removed these DNS servers from the forwarders list, restarted the DNS service, cleared the cache, and it is still resolving. I believe it is still cached somewhere, if anything. I will schedule a time to power down the server and restart it just to make sure.

I also did some research on root hints; eventually I got around to running the Configure a DNS Server Wizard, chose Configure Root Hints Only and ran it. After that I saw that a root hint had been missing and had just been added again.

I hope that was the cause of my problem.

I will advise once I restart the server.

Author Comment

by:gwlnimda
I restarted the SBS server and everything still seems fine.

I conclude that it must have been an issue with my DNS server.

Thank you all.

Author Closing Comment

by:gwlnimda
Solved by using Configure a DNS Server Wizard to rebuild root hints.