For several years I’ve been using VRFs for all management functions.  This greatly improves security, since all management functions can be locked down to a certain interface, and it also improves recoverability in the event of routing problems.  The downside I keep finding is that certain things either don’t work, or require special workarounds. Case in point: DNS resolution.

Per Cisco, VRF-aware DNS functionality has been supported for quite a while.  However, I’m completely stumped on how to actually use it.  Sample config on a 2921 router running IOS 15.5(3)M4:

ip vrf MGMT
 rd 12345:123
ip domain-lookup 
ip domain list vrf MGMT
ip name-server vrf MGMT

You can see the problem is in the first DNS line (ip domain-lookup).  There’s no way to specify that DNS lookups should happen via the VRF called ‘MGMT’. Instead they’re happening via the default VRF.

So now I try setting a specific source interface which is a member of this VRF:

interface Port-channel1.123
 encapsulation dot1Q 123
 ip vrf forwarding MGMT
 ip address
ip domain-lookup source-interface po1.123

Still no joy.  It really seems there was a goof here in enabling this feature.  I’ll complain to Cisco and hopefully it will be fixed by the time I die.
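As an added example (not from the post, and not something I have verified on the author’s 2921 or on 15.5(3)M4), here is the fully VRF-scoped form of the DNS configuration as I understand the documented IOS 15.x syntax, together with the exec commands I would use to check which VRF the resolver actually uses. The domain name, server address and interface address are placeholders (RFC 5737 documentation ranges); the vrf keyword on the ip domain lookup command is the piece the post’s configuration does not use, and whether a given release accepts it has to be checked on that release.

```cisco
! Added example: VRF-scoped DNS resolution on IOS 15.x.
! Addresses and names are placeholders, not values from the post.
ip vrf MGMT
 rd 12345:123
!
interface Port-channel1.123
 encapsulation dot1Q 123
 ip vrf forwarding MGMT
 ip address 192.0.2.10 255.255.255.0
!
! Resolver settings, each scoped to the MGMT VRF instead of the global table.
ip domain name vrf MGMT example.net
ip domain list vrf MGMT example.net
ip name-server vrf MGMT 192.0.2.53
!
! The lookup itself is scoped to the VRF with a source interface that lives in it.
! The global "ip domain lookup" on its own resolves via the default VRF.
ip domain lookup vrf MGMT source-interface Port-channel1.123
!
! Verification from exec mode (assumed command forms, check on your release):
! show hosts vrf MGMT                 -> name servers and cache entries for the VRF
! ping vrf MGMT example.net           -> the name must resolve and answer inside the VRF
! show ip route vrf MGMT 192.0.2.53   -> the name server is reachable via the VRF table
```

The useful check is show hosts vrf MGMT after a lookup: if the cached entry appears there rather than in the global show hosts output, the query stayed inside the management VRF. If it only shows up globally, the resolver is still using the default table, which for a locked-down management plane means name resolution is taking a path the VRF design was meant to exclude.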