Solved

Cisco IOS DNS Configuration

Posted on 2010-11-11
2,447 Views
Last Modified: 2012-05-10
Hi Experts,

I recently switched to a CISCO 1941 Router and a new Ethernet Internet Connection which I have configured. Most of the configurations were done via the CP Express setup wizard.

The router has two Ethernet Interfaces, one for the WAN and one for the LAN.

We are using SBS 2008 as our DHCP, which is also being used as a DNS server.

With the current configuration, the LAN clients are not able to resolve any external addresses. So what I have done is added the 2 Name Servers provided by my ISP as DNS forwarders on the SBS server. I can resolve addresses when I ping on the router itself e.g. www.google.com.

With the old ADSL connection and router, I never had to add the name servers as a DNS Forwarder.

Is there something in my cisco configuration that is wrong?

Please see the running-config below:

------------------------------------------------------------------------
domain#show running-config
Building configuration...

Current configuration : 5880 bytes
!
! Last configuration change at 11:51:53 PCTime Fri Nov 12 2010 by cisco
! NVRAM config last updated at 17:31:39 PCTime Thu Nov 11 2010 by cisco
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname domain
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $@##@^$@#$@#42142352342343
!
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name domain.com.au
ip name-server 23.24.25.26
ip name-server 31.32.33.34
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2370012323
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2370012323
 revocation-check none
 rsakeypair TP-self-signed-2370012323
!
!
crypto pki certificate chain TP-self-signed-2370012323
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32333730 30363139 3333301E 170D3130 31313038 30323439
  34395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  5EE9D066 06854464 2CCECBE6 36E31785 8F28E42E 7CF7E2AA D7C1B759 D48FB6DA
  C4D6BD21 FBC27DDF AA5CFDB8 7D4228A9 DE04D9CE 6858876E B7A78ECA 8F22CE80
  BE4AA8EC D4E0CD93 D34BF049 FB365DA4 F2A811AE 071B5285 1CDEC95D EAB72311
  54050203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  300D0609 2A864886 F70D0101 04050003 81810020 7D546AE8 4CE70C1C A2DF6B77
  E174EF47 77953795 9D65FD6E E6F377B7 408CAFCE FBB14FE1 77BA436D A10F33B2
  A4ADAD5F 8E57F696 743B9889 024AD08D 0A3691D7 D8CEE9AA 3EC0F437 6AD559EF
  0BC46CEE C843DFD2 EB040D8B D38C8C85 053B2F08 9E76E5E9 8A7ECC8A F42D555F
  98738FF5 806EC31C D367B534 E97F4A70 439875
        quit
license udi pid CISCO1941/K9 sn FKDFLSKJ12323KDFD
!
!
username cisco privilege 15 secret 5 $2342#$Sdflsdkjfskdfd.
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh port 3333 rotary 1
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 ip address 150.151.152.250 255.255.255.250
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
!
ip http server
ip http port 9999
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.2 25 interface GigabitEthernet0/1 25
ip nat inside source static tcp 192.168.1.2 443 interface GigabitEthernet0/1 443
ip nat inside source static tcp 192.168.1.2 987 interface GigabitEthernet0/1 987
ip nat inside source static tcp 192.168.1.2 3389 interface GigabitEthernet0/1 3389
ip nat inside source static tcp 192.168.1.2 3387 interface GigabitEthernet0/1 3387
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip nat inside source static tcp 192.168.1.2 1723 interface GigabitEthernet0/1 1723
ip nat inside source static tcp 192.168.1.226 22 interface GigabitEthernet0/1 22
ip nat inside source static tcp 192.168.1.11 8080 interface GigabitEthernet0/1 8080
ip nat inside source static tcp 192.168.1.3 80 interface GigabitEthernet0/1 80
ip route 0.0.0.0 0.0.0.0 150.151.152.250
!
ip access-list extended TelSSH
 permit tcp 192.168.1.0 0.0.0.255 any eq 3333 log
!
logging trap debugging
access-list 1 remark INSIDE_IF=GigabitEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
!
no cdp run

!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 access-class TelSSH in
 privilege level 15
 login local
 rotary 1
 transport input ssh
!
scheduler allocate 20000 1000
end

domain#
------------------------------------------------------------------------

Thank you in advance.
0
Question by:gwlnimda
11 Comments
 
LVL 1

Expert Comment

by:TARJr
ID: 34117601
Sounds like an issue with your DNS server, did you enable dns recursion so it will use the default forwarders...if the routers are passing ip traffic then they are not the problem with dns
0
 

Author Comment

by:gwlnimda
ID: 34117731
Hi,

Thanks for the quick response.

DNS Recursion is enabled and is by default. I have not changed anything in our DNS server, the only difference in this pictures is the new Ethernet Internet connection and the Cisco 1941 Router.
0
 
LVL 1

Expert Comment

by:thaibn
ID: 34117774
If you use forwarders and it is working, then DNS is not being filtered or problematic at the router level.  2008 Servers can function in 2 ways... forward the DNS request to other servers or resolve on its own.  If you want to have it resolve on its own, make sure that the root hint servers are all available.  You may need to re-install DNS on your server.
0
 
LVL 1

Expert Comment

by:TARJr
ID: 34120360
test your SBS server at the command prompt type: nslookup and test the answers you get from the dns server, post some results.
0
 
LVL 7

Expert Comment

by:blue-screen
ID: 34121570
What hardware did the Cisco replace?  Most consumer grade home routers act as a DHCP server and a DNS proxy.  They provide their own address as a DNS server in the DHCP data, and they forward all DNS requests.

Make sure the DHCP information provided by the DHCP server includes the correct information for the name server.

http://technet.microsoft.com/en-us/library/cc756865%28WS.10%29.aspx#scopedns
0
 
LVL 17

Expert Comment

by:mikecr
ID: 34124149
Testing/checking procedure:

1. Can you ping IP address on the internet from a workstation? I.e., 4.2.2.2 (Cisco's DNS Server)
2. Did you change the DHCP scope to reflect the new router as their gateway?
3. Can the SBS server ping anything on the internet by name using its own DNS? Can you ping on the internet if you assign the ISP's DNS to the server?
4. Does name resolution work internally when pinging other clients by DNS name?
5. Does name resolution on the internet work if you use the ISP's DNS ip on the workstation?
6. While attempting to ping anything on the internet by name, do "show ip nat translations" on the router and see if nat is showing UDP 53 traffic from the client/server.
7. Remove all static nat statements from the router and just use the global nat. Do you have the same problem?
0
 

Author Comment

by:gwlnimda
ID: 34133036
The device replaced was a Netcomm 3G10WVT Gateway that was used while waiting for our Ethernet Connection to be installed. My SBS Server worked fine with this. It was only when we switched over to the Cisco Router that this started happening.

Testing/checking procedure:

1. Can you ping IP address on the internet from a workstation? I.e., 4.2.2.2 (Cisco's DNS Server)
Yes

2. Did you change the DHCP scope to reflect the new router as their gateway?
No, same scope.

3. Can the SBS server ping anything on the internet by name using its own DNS? Can you ping on the internet if you assign the ISP's DNS to the server?
No, Yes.

4. Does name resolution work internally when pinging other clients by DNS name?
Yes.

5. Does name resolution on the internet work if you use the ISP's DNS ip on the workstation?
Yes.

6. While attempting to ping anything on the internet by name, do "show ip nat translations" on the router and see if nat is showing UDP 53 traffic from the client/server.
Yes.

7. Remove all static nat statements from the router and just use the global nat. Do you have the same problem?
Was like this from the first time the router was setup.

Even if I didn't have an SBS server with a DNS server, I should still be able to resolve addresses if I set up a static IP on one of the workstations and use 192.168.1.1 as the DNS server?

Is there a setting missing on the router to forward any dns requests to the external name servers?
0
 
LVL 7

Assisted Solution

by:blue-screen
blue-screen earned 1000 total points
ID: 34133983
Even if I didn't have an SBS server with a DNS server, I should still be able to resolve addresses if I set up a static IP on one of the workstations and use 192.168.1.1 as the DNS server?

NO.  Not by default, at least.  You would need to set up the IOS device to act as a DNS server or at least a DNS forwarder.  Your old device probably did that by default.

To activate the local DNS server you need the global config command

ip dns server

Which is off by default.

If the SBS server's DNS server is configured to use 192.168.1.1 as the DNS forwarder, that will cause you problems.  Either find that setting in the DNS server settings on SBS and change it, or set the IOS box to do DNS service (the former is a better solution)

It is probably also possible in the Cisco Configuration Professional GUI.  I can walk you through that if needed.
0
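An added example, not part of the question or any of the answers above: a small offline check of a posted IOS running-config for the DNS points raised in this thread, namely whether the router itself can resolve (name servers present, lookup not disabled), whether `ip dns server` is configured as blue-screen describes, and whether the NAT overload ACL covers a given LAN client as mikecr's steps 6 and 7 probe. The config text is a constructed subset of the one posted in the question.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt of the running-config posted in the question.
RUNNING_CONFIG = """\
ip domain name domain.com.au
ip name-server 23.24.25.26
ip name-server 31.32.33.34
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface GigabitEthernet0/1
 ip nat outside
ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """IOS standard ACLs use an inverse mask; turn 'addr wildcard' into a network."""
    mask = ".".join(str(255 - int(octet)) for octet in wildcard.split("."))
    return ip_network(f"{addr}/{mask}", strict=False)


def audit_dns(config, client_ip):
    """Return the DNS-relevant facts about an IOS config for one LAN client."""
    lines = [line.strip() for line in config.splitlines()]
    findings = {}
    findings["name_servers"] = [l.split()[-1] for l in lines if l.startswith("ip name-server ")]
    # The router can resolve names itself only with name servers and lookup enabled.
    findings["router_can_resolve"] = bool(findings["name_servers"]) and "no ip domain lookup" not in lines
    # 'ip dns server' is off by default: without it the router answers no client queries,
    # so pointing a workstation at 192.168.1.1 for DNS does nothing.
    findings["dns_server_enabled"] = "ip dns server" in lines
    # Locate the ACL referenced by the NAT overload statement and test the client against it.
    acl_ids = [l.split()[5] for l in lines if re.match(r"ip nat inside source list \S+ .* overload$", l)]
    permitted = []
    for acl in acl_ids:
        for l in lines:
            m = re.match(rf"access-list {re.escape(acl)} permit (\S+) (\S+)$", l)
            if m:
                permitted.append(wildcard_to_network(*m.groups()))
    # A client outside every permitted range gets no translation, so its UDP 53 never leaves.
    findings["client_natted"] = any(ip_address(client_ip) in net for net in permitted)
    return findings


if __name__ == "__main__":
    for key, value in audit_dns(RUNNING_CONFIG, "192.168.1.50").items():
        print(f"{key}: {value}")
```

For the posted config the client is translated and the router can resolve on its own, but `dns_server_enabled` is False, which is exactly why a workstation using 192.168.1.1 as its DNS server gets no answers.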
 

Accepted Solution

by:
gwlnimda earned 0 total points
ID: 34142765
Hi,

I never added 192.168.1.1 as a DNS forwarder, only the ISP's external DNS servers.

I have removed these DNS servers from the forwarders list, restarted the DNS service, cleared the cache and it is still resolving. I believe it is still cached somewhere if anything. I will schedule a time to power down the server and restart it just to make sure.

I also did some research on root hints, eventually I got around to running the Configure a DNS Server Wizard, chose Configure Root Hints Only and ran it. After that I saw that a root hint was missing and just got added again.

I hope that was the cause of my problem.

I will advise once I restart the server.
0
 

Author Comment

by:gwlnimda
ID: 34150561
I restarted the SBS server and everything still seems fine.

I conclude that it must have been an issue with my DNS server.

Thank you all.
0
 

Author Closing Comment

by:gwlnimda
ID: 34182492
Solved by using Configure a DNS Server Wizard to rebuild root hints.
0
