Tuesday, November 13, 2007

Cisco IOS: Configuration Examples for Split DNS

Split DNS [Cisco IOS Software Releases 12.4 T] - Cisco Systems

Split DNS (pdf)
The Split DNS feature enables a Cisco router to answer DNS queries using the internal DNS hostname cache specified by the selected virtual DNS name server or, for queries that cannot be answered from the information in the hostname cache, direct queries to specific, back-end DNS servers. The virtual DNS name server is selected based on certain characteristics of each query. Split DNS commands are used to configure a customer premise equipment (CPE) router that serves as the DNS server and forwarder for queries from hosts and as the DNS server and resolver for queries originated by the router itself.


Configuration Examples for Split DNS

This section provides the following configuration examples:

Split DNS View Limited to Queries from a Specific VRF: Example
Split DNS View with Dynamic Name Server Configuration: Example
Split DNS View with Statically Configured Hostname Cache Entries: Example
Split DNS View with Round-Robin Rotation of Hostname Cache Entries: Example
Split DNS Configuration of ACLs That Can Limit DNS View Use: Example
Split DNS View Lists Configured with Different View-use Restrictions: Example
Split DNS Configuration of Default and Interface-specific View Lists: Example

Split DNS View Limited to Queries from a Specific VRF: Example

The following example shows how to define two different VRFs and then define two different DNS views that are associated with those VRFs:



ip vrf vpn101
description VRF vpn101 for example purposes
rd 10:112
exit
!
ip vrf vpn102
description VRF vpn102 for example purposes
rd 10:128
exit
!
ip dns view vrf vpn101
exit
!
ip dns view vrf vpn102 user1
exit

The two DNS views are both named user1, but each view is associated with a different VRF. The default DNS view associated with VRF vpn101 is limited to handling DNS queries from VRF vpn101 only. This view will be used by the resolver for commands that specify a VRF, such as ping vrf vpn101 www.example.com.

The DNS view user1 associated with VRF vpn102 is limited to handling DNS queries from VRF vpn102 only. This view will only be used if specified inside a DNS view list that is configured for use by the DNS server globally or for a specific interface.

The two DNS views in this example can be configured with the same DNS resolving and forwarding parameters, or they can be configured with different DNS resolving and forwarding parameters.




Split DNS View with Dynamic Name Server Configuration: Example

The following example shows how to populate the list of resolving name servers for the default DNS view in the global namespace with three statically defined IP addresses. The example also shows how to configure the router to be able to dynamically acquire, through DHCP or PPP interaction on FastEthernet slot 0, port 1, name server IP addresses to add to the list of resolving name servers for that view:

ip dns view default
domain lookup
domain name-server 192.168.2.204
domain name-server 192.168.2.205
domain name-server 192.168.2.206
domain name-server interface FastEthernet0/0


Split DNS View with Statically Configured Hostname Cache Entries: Example

The following example shows how to statically add three hostname-to-address mappings for the host www.example.com in the DNS hostname cache for the DNS view user5 that is associated with VRF vpn101:

clear host all *
ip host vrf vpn101 view user5 www.example.com 192.168.2.10 192.168.2.20 192.168.2.30
exit
show hosts vrf vpn101 view user5

Note: It does not matter whether the VRF vpn101 has been defined. The hostname cache for this DNS view will be automatically created, and the hostname will be added to the cache.







Split DNS View with Round-Robin Rotation of Hostname Cache Entries: Example

When resolving DNS queries using a DNS view for which the hostname cache contains hostnames that are associated with multiple IP addresses, the router sends those queries to the first associated IP address in the hostname cache. By default, the other associated addresses in the hostname cache are used only in the event of host failure.

The round-robin rotation of hostname cache entries specifies that each time a hostname in the internal cache is accessed, the list of IP addresses associated with that hostname should be rotated such that the second IP address in the list becomes the first one and the first one is moved to the end of the list. For a more detailed description of round-robin functionality, see the description of the ip domain round-robin command in the Cisco IOS IP Addressing Services Command Reference.

The following example shows how to define the hostname www.example.com with three IP addresses and then enable round-robin rotation for the default DNS view associated with the global VRF. Each time that hostname is referenced internally or queried by a DNS client sending a query to the Cisco IOS DNS server on this system, the order of the IP addresses associated with the host www.example.com will be changed. Because most client applications look only at the first IP address associated with a hostname, this results in different clients using each of the different addresses and thus distributing the load among the three different IP addresses.



! Entry for the default view in the global VRF: no vrf or view keyword is needed
ip host www.example.com 192.168.2.10 192.168.2.20 192.168.2.30
!
ip dns view default
domain lookup
domain round-robin

Split DNS Configuration of ACLs That Can Limit DNS View Use: Example

The following example shows how to configure one DNS name list and one standard IP ACL:

A DNS name list is a list of hostname pattern-matching rules that can be used to restrict the use of a DNS view list member.
A standard IP ACL is a list of IP addresses that can be used to restrict the use of a DNS view list member.

Both types of lists can be used to limit the types of DNS queries that a DNS view is allowed to handle.



! Define a DNS name-list
!
ip dns name-list 151 deny .*.example1.net
! (Note: The view fails this list if the query hostname matches this)
!
ip dns name-list 151 permit .*.example1.com
ip dns name-list 151 permit www.example1.org
! (Note: All other access implicitly denied)
!
! Define a standard IP ACL
!
access-list 71 deny 192.168.2.64 0.0.0.63
! (Note: The view fails this list if the query source IP matches this)
!
access-list 71 permit 192.168.2.128 0.0.0.63
! (Note: All other access implicitly denied)








Using this configuration example, suppose that the first member of a DNS view list is configured to use DNS name list 151 as a usage restriction. Then, if the router were to use that DNS view list to select the DNS view to use to handle a given DNS query, the view-selection steps would begin as follows:

1. If the DNS query is for a hostname that matches the string *.example1.net, the first DNS view list member is immediately rejected and the view-selection process moves on to the second member of the DNS view list.

2. If the DNS query is for a hostname that matches the string *.example1.com, the first DNS view list member is selected to handle the query.

3. If the DNS query is for a hostname that matches the string www.example1.org, the first DNS view list member is selected to handle the query. Otherwise, the first DNS view list member is rejected and the view-selection process moves on to the second member of the DNS view list.

Continuing to use this configuration example, suppose that this same DNS view list member is also configured to use standard IP ACL 71 as a usage restriction. Then, even if the query hostname matched DNS name list 151, the query source IP address would have to match standard IP ACL 71 before that view would be selected to handle the query. To validate this second usage restriction, the DNS view-selection steps would continue as follows:

1. If the DNS query source IP address matches the deny entry 192.168.2.64 0.0.0.63, the first DNS view list member is immediately rejected and the view-selection process moves on to the second member of the DNS view list.

2. If the DNS query source IP address matches the permit entry 192.168.2.128 0.0.0.63, the first DNS view list member is selected to handle the query. Otherwise, the first DNS view list member is rejected and the view-selection process moves on to the second member of the DNS view list.
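The view-selection walk described above, written out as an added Python model (not Cisco code and not part of the original document). It uses the page's name list 151 and ACL 71 as constructed sample data; treating each name-list pattern as a regular expression matched against the whole query name, the 0.0.0.63 wildcard as standard-ACL don't-care bits, and the two-member view list are assumptions of the model:

```python
import ipaddress
import re

# Constructed sample data mirroring the page's name-list 151 and ACL 71.
NAME_LIST_151 = [("deny", r".*.example1.net"),
                 ("permit", r".*.example1.com"),
                 ("permit", r"www.example1.org")]
ACL_71 = [("deny", "192.168.2.64", "0.0.0.63"),
          ("permit", "192.168.2.128", "0.0.0.63")]

def name_list_permits(rules, hostname):
    """The first rule whose pattern matches the query name decides; no match
    means the implicit deny at the end of the list. Patterns are treated as
    regular expressions matched against the whole name (model assumption)."""
    for action, pattern in rules:
        if re.fullmatch(pattern, hostname, re.IGNORECASE):
            return action == "permit"
    return False

def acl_permits(rules, source_ip):
    """Standard ACL semantics: a wildcard bit set to 1 is a don't-care bit;
    the first matching entry decides, otherwise implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, address, wildcard in rules:
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
        if src & care == int(ipaddress.IPv4Address(address)) & care:
            return action == "permit"
    return False

def select_view(view_list, hostname, source_ip):
    """Walk members by order number; the first member whose name-list and
    ACL restrictions both pass is selected, else no view handles the query."""
    for member in sorted(view_list, key=lambda m: m["order"]):
        if member["name_list"] and not name_list_permits(member["name_list"], hostname):
            continue  # hostname restriction failed: try the next member
        if member["acl"] and not acl_permits(member["acl"], source_ip):
            continue  # source-address restriction failed: try the next member
        return member["view"]
    return None

# Hypothetical view list: member 10 carries both restrictions from the page,
# member 20 is an unrestricted catch-all (constructed for this example).
VIEW_LIST = [
    {"order": 10, "view": "user1", "name_list": NAME_LIST_151, "acl": ACL_71},
    {"order": 20, "view": "user2", "name_list": None, "acl": None},
]

if __name__ == "__main__":
    print(select_view(VIEW_LIST, "www.example1.com", "192.168.2.130"))  # user1
    print(select_view(VIEW_LIST, "www.example1.net", "192.168.2.130"))  # user2
```

A query that fails either restriction on member 10 falls through to member 20; with no catch-all member, select_view returns None, which is the case to watch for when a restrictive view list is applied to an interface.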




Split DNS View Lists Configured with Different View-use Restrictions: Example

The following example shows how to define two DNS view lists, userlist1 and userlist2. Both view lists comprise the same three DNS views:

DNS view user1 that is associated with the usergroup10 VRF
DNS view user2 that is associated with the usergroup20 VRF
DNS view user3 that is associated with the usergroup30 VRF

Both view lists contain the same DNS views, specified in the same order:



ip dns view-list userlist15
view vrf usergroup100 user1 10
restrict name-group 121
exit
view vrf usergroup200 user2 20
restrict name-group 122
exit
view vrf usergroup300 user3 30
restrict name-group 123
exit
!
exit
ip dns view-list userlist16
view vrf usergroup100 user1 10
restrict name-group 121
restrict source access-group 71
exit
view vrf usergroup200 user2 20
restrict name-group 122
restrict source access-group 72
exit
view vrf usergroup300 user3 30
restrict name-group 123
restrict source access-group 73
exit
exit








The two DNS view lists differ, though, in the usage restrictions placed on their respective view list members. DNS view list userlist15 places only query hostname restrictions on its members, while view list userlist16 restricts each of its members on the basis of the query hostname and the query source IP address:

Because the members of userlist15 are restricted only based on the VRF from which the query originates, userlist15 is typical of a view list that can be used to select a DNS view for handling DNS requests from internal clients.

Because the members of userlist16 are restricted not only by the query VRF and query hostname but also by the query source IP address, userlist16 is typical of a view list that can be used to select a DNS view for handling DNS requests from external clients.




Split DNS Configuration of Default and Interface-specific View Lists: Example

The following example shows how to configure the default DNS view list and two interface-specific view lists:

ip dns server view-group userlist1
!
interface FastEthernet 0/0
ip dns view-group userlist2
exit
!
interface FastEthernet 0/1
ip dns view-group userlist3
exit

The Cisco IOS software uses the DNS view list named userlist1 to select the DNS view to use to respond to incoming queries that arrive on router interfaces that are not configured to use a specific view list. View list userlist1 is configured as the default DNS view list for the router.

The Cisco IOS software uses the DNS view list named userlist2 to select the DNS view to use for incoming queries that arrive on port 0 of the FastEthernet card in slot 0.

The Cisco IOS software uses the DNS view list named userlist3 to select the DNS view to use for incoming queries that arrive on port 1 of the FastEthernet card in slot 0.