DNS for internet queries and for internal domain lookup
Just deployed a small site across the country connected to our MPLS. IP connectivity is fine. Site has DSL to the internet and does not have a DNS server on location. AD authentication is across the WAN at this moment. I'm trying to set up the best way for DNS internet queries to hit the DSL and DNS internal domain queries to be forwarded to a DNS server back in HQ. Any suggestions are appreciated.
10.20.20.1 - router
10.1.10.1 - dsl router
172.16.16.1 - dc/dns
ip dhcp pool ***LAN***
 network 10.20.20.0 255.255.255.0
 default-router 10.20.20.1
 domain-name company.com
 netbios-name-server 172.16.16.1
 dns-server 10.20.20.1
 lease 7
!
ip domain lookup source-interface Serial0/0/0
ip domain name company.com
ip name-server 172.16.16.1
!
interface GigabitEthernet0/1
 description ***DSL***
 ip address 10.1.10.2 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Serial0/0/0
 description ***MPLS***
 ip address 192.168.255.30 255.255.255.252
 ip pim sparse-mode
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
!
ip dns server
ip nat inside source list OUTBOUND_INTERNET interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.1.10.1
!
ip access-list extended OUTBOUND_INTERNET
 permit ip 10.20.20.0 0.0.0.255 any
Comments
wave Member Posts: 342
Can you not simply forward all queries to your DNS server on the other end of the WAN link? You wouldn't have to send your internet traffic over that link but you could use it for DNS queries.
When you query a DNS server you don't know whether it needs to go to an internet-facing name server or your internal NS, so you can't really control this with ACLs + route maps. You're either going to need a name server on site or at the other end of your WAN link.
Or... You could set your secondary DNS server on all your client machines to your DNS server @ HQ. When authenticating to AD your clients would query the internet-based name server and fail, then they'd hit your secondary :P Not really the best solution. Or put all of your local entries in the hosts file on all of your workstations.
ROUTE Passed 1 May 2012
SWITCH Passed 25 September 2012
TSHOOT Passed 23 October 2012
Taking CCNA Security in April 2013 then studying for the CISSP
wave Member Posts: 342
Forsaken_GA wrote: »
Whoa! Awesome. I just learned something new.
phoeneous Member Posts: 2,333 ■■■■■■■□□□
wave wrote: »
Can you not simply forward all queries to your DNS server on the other end of the WAN link? You wouldn't have to send your internet traffic over that link but you could use it for DNS queries.
When you query a DNS server you don't know whether it needs to go to an internet-facing name server or your internal NS, so you can't really control this with ACLs + route maps. You're either going to need a name server on site or at the other end of your WAN link.
Or... You could set your secondary DNS server on all your client machines to your DNS server @ HQ. When authenticating to AD your clients would query the internet-based name server and fail, then they'd hit your secondary :P Not really the best solution. Or put all of your local entries in the hosts file on all of your workstations.
This is a no for me.
ptilsen Member Posts: 2,835 ■■■■■■■■■■
phoeneous wrote: »
This is a no for me.
Why not? That's the way to do it in a Windows/AD environment. If you don't have a local DNS server, you send all DNS across the WAN. There is no way that I'm aware of to have a router interpret a DNS query and decide if it should go to one DNS server or another. You need a DNS server with a zone for your internal domain names.
Forsaken_GA Member Posts: 4,024
ptilsen wrote: »
There is no way that I'm aware of to have a router interpret a DNS query and decide if it should go to one DNS server or another. You need a DNS server with a zone for your internal domain names.
Newp. You need to look into the concept of a DNS forwarder, which basically just routes DNS queries based on pre-defined views.
The link I posted to earlier shows how to do it on a Cisco 12.4T router. Read it, and you shall be aware!
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Forsaken_GA wrote: »
Newp. You need to look into the concept of a DNS forwarder, which basically just routes DNS queries based on pre-defined views.
I understand the concept of a DNS forwarder, but I didn't realize it was an option on a Cisco router in this manner. Interesting stuff.

Forsaken_GA Member Posts: 4,024
ptilsen wrote: »
I understand the concept of a DNS forwarder, but I didn't realize it was an option on a Cisco router in this manner. Interesting stuff.
Yeah, it's a relatively recent feature. I personally prefer to deploy a small box as a DNS forwarder, but my network design philosophy tends to run toward making things modular instead of deploying all-in-one wonder boxes.
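As an added example (not posted by anyone in this thread and not taken from the link Forsaken_GA refers to), this is what the split-DNS approach described above looks like on the OP's branch router, using the IOS DNS view, name-list and view-list commands that came with the 12.4(9)T split-DNS feature. It keeps the OP's addressing (10.20.20.1 router as the clients' DNS server via DHCP, 172.16.16.1 DC/DNS at HQ reachable over Serial0/0/0, DSL on GigabitEthernet0/1). Assumptions: the DSL provider's resolver address 203.0.113.53 is a placeholder, the internal reverse zone is assumed to cover 172.16.0.0/16, and the command syntax should be checked against the command reference for the router's actual IOS release.

```cisco
! --- Added example: per-name forwarding on the branch router (IOS 12.4(9)T or later) ---
! Clients keep using the router (10.20.20.1) as their only DNS server, handed out by DHCP.
! The router decides, per query name, which upstream resolver the query goes to.
!
! Name patterns that belong to the AD domain (regular expressions), plus the reverse
! zone for the HQ address range, because AD clients also do PTR lookups against the DC.
! (172.16.0.0/16 reverse zone is an assumption; adjust to the real HQ ranges.)
ip dns name-list 1 permit .*company\.com
ip dns name-list 1 permit .*\.16\.172\.in-addr\.arpa
!
! View for internal names: look up and forward via the HQ DC, sourced from the MPLS side.
ip dns view INTERNAL
 domain lookup
 domain name-server 172.16.16.1
 dns forwarding
 dns forwarder 172.16.16.1
 dns forwarding source-interface Serial0/0/0
!
! Default view for everything else: forward to the DSL provider's resolver, sourced
! from the DSL interface. 203.0.113.53 is a placeholder for the ISP-supplied resolver.
ip dns view default
 domain lookup
 domain name-server 203.0.113.53
 dns forwarding
 dns forwarder 203.0.113.53
 dns forwarding source-interface GigabitEthernet0/1
!
! Order matters: INTERNAL is tried first, but only for names matching name-list 1;
! anything else falls through to the default view.
ip dns view-list SPLIT
 view INTERNAL 10
  restrict name-group 1
 view default 20
!
! Bind the view list to the router's DNS server function (the OP already has ip dns server).
ip dns server view-group SPLIT
ip dns server
```

The DHCP pool stays as the OP has it (dns-server 10.20.20.1). The global ip name-server and ip domain lookup source-interface lines in the OP's config are the default view's settings, so once the default view points at the DSL resolver the existing ip name-server 172.16.16.1 line should go; it now lives in the INTERNAL view. show ip dns view, show ip dns view-list and show ip dns name-list show what the router ended up with, and a lookup for a company.com host from a client should appear on the MPLS link while a lookup for an internet name should leave via the DSL interface.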