Classic IOS as a DNS Server

There is an occasional need for a DNS server in the absence of a dedicated host. This may occur in the following situations–

  • With PAT, public DNS may return the non-RFC1918 (public) address for an internal server
  • Lab or demo environments
  • Other name-resolution challenges in a SOHO, SMB or branch office

When these corner-case challenges present, an IOS router may be beneficial by providing basic DNS functions. Assuming the router already has Internet connectivity, the configuration is straightforward–

//enable the dns server functionality
IOS-DNS(config)#ip dns server 

//if public requests should be resolved, configure one or more name
//servers as resolvers and confirm domain-lookups are enabled
IOS-DNS(config)#ip name-server 8.8.8.8 8.8.4.4
IOS-DNS(config)#ip domain-lookup

At this point the router should perform DNS resolution by relaying requests to the public name servers in the configuration. Hosts can point their DNS configuration at any IP address on the device. ACLs should be used to block DNS requests on interfaces that aren't servicing clients; otherwise the router will answer recursive queries from any source that can reach it.
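As an added example (not configuration from the original post), the following ACL implements that restriction by dropping DNS queries that arrive on the Internet-facing interface while leaving the router's own outbound lookups and their replies untouched. Interface names and roles are assumed: GigabitEthernet0/0 is the WAN side, GigabitEthernet0/1 serves the LAN clients.

```cisco
! Constructed example: Gi0/0 = WAN (no DNS clients), Gi0/1 = LAN clients.
! Inbound ACL on the WAN side. Queries have destination port 53 ("eq domain"),
! so these entries drop external queries but not the replies to the router's
! own lookups toward 8.8.8.8/8.8.4.4 (those return to an ephemeral port).
ip access-list extended DENY-EXTERNAL-DNS
 remark Drop DNS queries from the Internet; log matches for visibility
 deny   udp any any eq domain log
 deny   tcp any any eq domain log
 permit ip any any
!
interface GigabitEthernet0/0
 description WAN - not servicing DNS clients
 ip access-group DENY-EXTERNAL-DNS in
!
! Verification: the deny entries should accumulate matches only for
! unsolicited external queries, and LAN clients on Gi0/1 are unaffected.
! IOS-DNS#show access-lists DENY-EXTERNAL-DNS
```

The `any any` destination also covers DNS forwarded toward internal hosts, which is not wanted traffic in the PAT scenario above; narrow the destination to the router's WAN address if inbound DNS to an internal server must be allowed.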

To create DNS records for local resolution, the ip host command can be used.

IOS-DNS(config)#ip host ?
  WORD  Name of host
  view  Specify view
  vrf   Specify VRF

IOS-DNS(config)#ip host www.example.com ?
  <0-65535>   Default telnet port number
  A.B.C.D     Host IP address
  additional  Append addresses
  mx          Configure a MX record
  ns          Configure an NS record
  srv         Configure a SRV record

Examples

//'A' Record Configuration
IOS-DNS(config)#ip host www.example.com 192.168.1.100

//'NS' record (SOA)
IOS-DNS(config)#ip host example.com ns ns.example.com
IOS-DNS(config)#ip host ns.example.com 192.168.1.1

//'MX' record with a priority of 10
IOS-DNS(config)#ip host mail.example.com 192.168.1.200
IOS-DNS(config)#ip host example.com mx 10 mail.example.com

Configuration validation can be achieved using nslookup on a host.

//start nslookup and set the server address
Pauls-LT:~ paulstewart$ nslookup
> server 192.168.1.1
Default server: 192.168.1.1
Address: 192.168.1.1#53

//check the A record
> set ty=a 
> www.example.com.
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
Name:	www.example.com
Address: 192.168.1.100

//validate the NS record
> set ty=ns
> example.com.
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
example.com	nameserver = ns.example.com.

Authoritative answers can be found from:
ns.example.com	internet address = 192.168.1.1

//check the MX record 
> set ty=mx
> example.com.
Server:		192.168.1.1
Address:	192.168.1.1#53

Non-authoritative answer:
example.com	mail exchanger = 10 mail.example.com.

Authoritative answers can be found from:
mail.example.com	internet address = 192.168.1.200

This is a very simple configuration that may allow an administrator a quick and easy way to work around specific challenges. Some use cases may require customization based on the interface receiving the requests. For a more advanced configuration, split-dns can be configured using DNS views. As with any configuration, care should be taken to ensure that it is secured and services only accessible where required.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To.

2 Responses to Classic IOS as a DNS Server

  1. James Cabe says:

    I have done this same thing but put SCEP and NTP on the same. This is useful on a VM for pushing these services out to remote locations. I try to use it with our installs all the time. Unfortunately it allows insecure updates and can be susceptible to poisoning.
