Domain Name System

This section covers the Domain Name System (DNS) and sample DNS configurations used on Cisco IOS routers.

The primary use of DNS is to manage Internet names across the World Wide Web. To enable users or clients to use names instead of 32-bit IP addresses, the TCP/IP model designers developed DNS to translate names into IP addresses.

DNS uses TCP and UDP port number 53. TCP port 53 is also used for DNS zone transfers. UDP 53 is used for DNS lookups and browsing.

In a large IP environment, network users need a way to connect to hosts without having to remember 32-bit IP addresses—that is where DNS comes into play. DNS provides a service that allows users to use a host's name in place of an IP address to connect to the host. When DNS services are running, the host's name is used to request its IP address from a DNS server. A DNS server is a host that is running the DNS service, and it is configured to do the translation for the user transparently. In other words, the user never sees the DNS request and host name-to-IP address translation. The client simply connects to a host name, and the DNS server does the translation. For example, the website www.cisco.com is translated to the IP address 198.133.219.25.

DNS is a distributed database where organizations can use a predefined name or extension for all their devices. Nations can use extensions to define hosts residing in their country. For example, the extension for Australia is defined as .au. To reach the Cisco website in Australia, a user would type www.cisco.com.au in a web browser.

A regulatory body called the Internet Policy Registration Authority manages domain names. Internet Corporation for Assigned Names and Numbers (ICANN), a certificate authority, also manages domain names.

Similar to DNS, Cisco routers can be configured to locally look up names so that network administrators can simply type a name rather than an IP address. Local names can also be configured for devices.

To illustrate a local name lookup on a Cisco IOS router, look at the following Cisco router command that provides a host lookup. (Note: a router will not provide DNS server responses to client devices such as PCs or UNIX hosts.)

ip host name [tcp-port-number] ip-address1 [ip-address2...ip-address8]

You can assign more than one IP address to any given name.

Example 2-1 displays three hosts and their corresponding IP addresses.

Example 2-1 Local IP Host Configuration on a Cisco Router

ip host Router1 131.108.1.1
ip host Router2 131.108.1.2
ip host Router3 131.108.1.3

The three locally defined hosts (remember, these are available only to the local router; they are not DNS entries and thus are not available to other devices) named Router1, Router2, and Router3 are translated into IP addresses 131.108.1.1, 131.108.1.2, and 131.108.1.3.

When a network administrator types in the local host name defined in the global configuration, the router translates the name to an IP address. Example 2-2 displays a network administrator Telneting from Router R1 to the remote host, Router2.

Example 2-2 Local DNS Translation

R1#router2
Translating "router2"
Trying Router2 (131.108.1.2)... Open

User Access Verification

Password: *****
Router2>

When the network administrator types the local name router2 (defined local names are not case sensitive) at the exec prompt, the Cisco IOS router does a local host lookup for the name router2 and translates the name to the address 131.108.1.2.

What would happen if you were to type a name that is not configured locally? Example 2-3 displays the sample output from a Cisco router when an unknown name (ccie, in this case) is typed at the exec prompt.

Example 2-3 Name Translation for ccie

R1#ccie
Translating "ccie"...domain server (255.255.255.255)
Translating "ccie"...domain server (255.255.255.255)
(255.255.255.255)
% Unknown command or computer name, or unable to find computer address
R1#

From the privileged exec prompt on Router R1 in Example 2-3, R1 performs a DNS entry lookup via a broadcast packet to 255.255.255.255. After no response (assuming no DNS server responds), R1 then does a local DNS lookup, discovers there is no DNS translation, and provides the following error message:

% Unknown command or computer name, or unable to find computer address

Scalability issues with local host configuration can become a nightmare in a large network. Thankfully, DNS servers can be placed around the network (typically in the core infrastructure) to ensure that only a few devices in the network require the full table of names and IP address translations. The World Wide Web has DNS servers that provide DNS mappings for websites.

DNS has become so important that one DNS server typically is not enough for an organization, because of the need for redundancy in case the primary DNS server fails. For example, typically an organization provides an internal protected DNS server for internal DNS requests and an external DNS server for external DNS resolutions.

NOTE By default, Cisco routers search for a DNS server. To disable this feature, use the Cisco IOS global configuration command no ip domain-lookup. This stops the router from querying a DNS server whenever a name translation is required. This command is a definite time saver for the CCIE Security lab exam.

To enable a Cisco IOS router to perform DNS lookup to a remote DNS server, the following steps are required:

Step 1 For local name entries (available to the router only; not the same as a DNS entry), you must specify any local host mapping with the following Cisco IOS command (note that tcp-port-number is used for connections on a TCP port number other than the default, 23):

ip host name [tcp-port-number] ip-address1 [ip-address2...ip-address8]

Step 2 Specify the domain name or a domain list (Cisco routers can be configured with multiple domain names) with the following Cisco IOS commands:

• ip domain-name name—Defines a default domain name that the Cisco IOS software uses to complete unqualified host names

• ip domain-list name—Defines a list of default domain names to complete unqualified host names

Step 3 Specify the DNS server or servers with the following Cisco IOS command:

ip name-server server-address1 [server-address2...server-address6]

Devices such as PCs can also be configured for DNS servers and domain names. Example 2-4 configures a router named R1 with the domain name cisco.com. The domain name servers are 131.108.255.1 and 131.108.255.2.

Example 2-4 DNS Configuration

R1(config)#ip domain-name cisco.com
R1(config)#ip name-server 131.108.255.1
R1(config)#ip name-server 131.108.255.2

When a network administrator types a name (not a valid Cisco IOS command, of course), the Cisco router attempts to translate the name into an IP address—first from any defined local names, second from the DNS server with the IP address 131.108.255.1, and third from the DNS server 131.108.255.2.
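The following script is an added example, not code from the book, that models in Python the resolution order just described together with the commands from Steps 1 through 3: local ip host entries first, then each ip name-server in configured order, with unqualified names completed from the domain names. The config and the DNS answers are constructed (no packets are sent), and treating ip domain-name and ip domain-list as one ordered suffix list is a simplification.

```python
from typing import Dict, List, Optional

# Constructed answers standing in for the two servers of Example 2-4 (offline).
FAKE_DNS = {
    "131.108.255.1": {"ccie.cisco.com": "131.108.3.1"},
    "131.108.255.2": {"ccie.cisco.com": "131.108.3.1", "lab.cisco.com": "131.108.4.1"},
}

# Constructed global config using the commands from Steps 1-3 / Example 2-4.
SAMPLE_CONFIG = """\
ip host Router1 131.108.1.1
ip host Router2 131.108.1.2
ip domain-name cisco.com
ip name-server 131.108.255.1
ip name-server 131.108.255.2
"""

class IosResolver:
    def __init__(self) -> None:
        self.hosts: Dict[str, List[str]] = {}  # ip host entries, lower-cased
        self.domains: List[str] = []           # ip domain-name / ip domain-list
        self.servers: List[str] = []           # ip name-server, in configured order
        self.domain_lookup = True              # cleared by "no ip domain-lookup"

    def configure(self, config: str) -> None:
        for raw in config.splitlines():
            tok = raw.split()
            if tok[:3] == ["no", "ip", "domain-lookup"]:
                self.domain_lookup = False
            elif tok[:2] == ["ip", "host"]:
                # ip host name [tcp-port-number] ip-address1 [... ip-address8]
                self.hosts[tok[2].lower()] = [t for t in tok[3:] if "." in t]
            elif tok[:2] in (["ip", "domain-name"], ["ip", "domain-list"]):
                self.domains.append(tok[2])    # simplification: one suffix list
            elif tok[:2] == ["ip", "name-server"]:
                self.servers.extend(tok[2:])

    def resolve(self, name: str) -> Optional[str]:
        name = name.lower()
        if name in self.hosts:                 # 1. local names are tried first
            return self.hosts[name][0]
        if not self.domain_lookup:             # no ip domain-lookup: never ask a server
            return None
        fqdns = [name] + ([] if "." in name else [f"{name}.{d}" for d in self.domains])
        for server in self.servers:            # 2. then each name server in turn
            for fqdn in fqdns:
                addr = FAKE_DNS.get(server, {}).get(fqdn)
                if addr:
                    return addr
        return None  # IOS prints "% Unknown command or computer name, or unable to find computer address"
```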

Example 2-5 displays a successful DNS query and translation to the host named ccie (another Cisco router) from the DNS server 131.108.255.1.

Example 2-5 DNS Query from the Exec Prompt

R1#ccie
! Administrator types ccie
Translating "ccie"
! Query is sent to first configured DNS server

User Access Verification

CCIE>

NOTE In Example 2-5, a Telnet connection requires a password authentication phase (a requirement for all Telnet-based connections, for that matter). You can disable the Telnet login password on Cisco routers with the command no login under the line vty 0 4 line configuration, as follows:

line vty 0 4
 no login
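As an added example (not from the book), the Python check below walks a constructed running-config and flags the two settings this chapter shows: a vty block left with no login, which accepts Telnet sessions without a password prompt, and domain lookup left at its default with no ip name-server configured, which is the broadcast to 255.255.255.255 seen in Example 2-3.

```python
from typing import List

# Constructed running-config fragment (not from the book): one vty block left
# open and no name server configured.
RUNNING_CONFIG = """\
hostname R1
ip domain-name cisco.com
line vty 0 4
 no login
line vty 5 15
 login
 password lab
"""

def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting the chapter describes."""
    findings: List[str] = []
    domain_lookup = True            # IOS default: the router searches for a DNS server
    name_servers = 0
    vty = None                      # e.g. "0 4" while inside a 'line vty' block
    for raw in config.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if not raw.startswith(" "):  # a global command ends any line block
            vty = None
            if tok[:3] == ["no", "ip", "domain-lookup"]:
                domain_lookup = False
            elif tok[:2] == ["ip", "name-server"]:
                name_servers += len(tok) - 2
            elif tok[:2] == ["line", "vty"]:
                vty = " ".join(tok[2:])
        elif vty is not None and tok == ["no", "login"]:
            findings.append(f"line vty {vty}: 'no login' accepts Telnet sessions without a password")
    if domain_lookup and name_servers == 0:
        findings.append("domain lookup is on with no ip name-server: queries go to 255.255.255.255")
    return findings
```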
