For several years I’ve been using VRFs for all management functions. This greatly improves security, since all management functions can be locked down to a certain interface, and also recoverability in the event of routing problems. The downside I keep finding is that certain things either don’t work or require special workarounds. Case in point: DNS resolution.
Per Cisco, VRF-aware DNS functionality has been supported for quite a while. However, I’m completely stumped on how to actually use it. Sample config on a 2921 router running IOS 15.5(3)M4:
ip vrf Mgmt-intf
 rd 12345:123
!
ip domain-lookup
ip domain list vrf Mgmt-intf mydomain.com
ip name-server vrf Mgmt-intf 10.20.30.40
!
interface Port-channel1.123
 encapsulation dot1Q 123
 ip vrf forwarding Mgmt-intf
 ip address 10.20.30.100 255.255.255.0
!
ip domain-lookup vrf Mgmt-intf source-interface po1.123
Still no joy. Really seems there was a goof here in enabling this feature. I’ll complain to Cisco and hopefully it will be fixed by the time I die.
Hi John,
I experienced the same issue and finally found that it works in VRF using a Split DNS config with VRF aware views.
Hope that helped.
Can you link to an example? I’m familiar with Split DNS & internal vs. external views in BIND, but not sure what that means in Cisco.
This is an example config:
! Static host entries scoped to the view (placeholder addresses)
ip host vrf a view DNS-VIEW-VRF host1 x.x.x.x
ip host vrf a view DNS-VIEW-VRF host2 y.y.y.y
ip host vrf a view DNS-VIEW-VRF hostn n.n.n.n
!
! The view itself, bound to VRF a; name servers are reached through VRF a
ip dns view vrf a DNS-VIEW-VRF
 domain name-server vrf a z.z.z.z
 domain name-server vrf a p.p.p.p
!
! View list selecting the view; each entry needs an order number
ip dns view-list DNS-VIEW-VRF
 view vrf a DNS-VIEW-VRF 1
!
! Apply the view list to the interface
interface X
 ip dns view-group DNS-VIEW-VRF
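Both the VRF config in the post and the view-based config in the comment above chain several names together (VRF, view, view list, interface), and a single mismatch anywhere in that chain silently breaks resolution. The following checker is an added example, not code from the post, the commenter, or Cisco: it parses an IOS-style config and reports view-list entries that name an undefined view or lack an order number, interfaces whose `ip dns view-group` points at an undefined view list, and name servers inside a VRF view that are not tagged with that VRF. The two embedded configs are constructed samples; the second deliberately contains those mistakes.

```python
"""Consistency checks for VRF-aware DNS configuration on Cisco IOS (added example)."""

# Constructed sample: management VRF and DNS view wired together consistently.
GOOD_CONFIG = """\
ip vrf Mgmt-intf
 rd 12345:123
!
ip domain-lookup
ip dns view vrf Mgmt-intf MGMT-VIEW
 domain lookup
 domain name-server vrf Mgmt-intf 10.20.30.40
!
ip dns view-list MGMT-VIEWS
 view vrf Mgmt-intf MGMT-VIEW 1
!
interface Port-channel1.123
 ip vrf forwarding Mgmt-intf
 ip dns view-group MGMT-VIEWS
"""

# Constructed sample containing the mistakes the checker is meant to catch.
BAD_CONFIG = """\
ip vrf a
!
ip dns view vrf a DNS-VIEW-VRF
 domain name-server z.z.z.z
!
ip dns view-list DNS-VIEW-VRF
 view vrf a DNS-VIEW-VRF-1
!
interface GigabitEthernet0/0
 ip vrf forwarding a
 ip dns view-group DNS-VIEW-MISSING
"""


def parse_blocks(text):
    """Split an IOS config into (command, [sub-commands]) blocks by indentation."""
    blocks = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("!"):
            continue                      # skip blank lines and '!' separators
        if line.startswith(" ") and blocks:
            blocks[-1][1].append(line.strip())   # indented line belongs to the last block
        else:
            blocks.append((line.strip(), []))
    return blocks


def _vrf_and_name(tokens):
    """Return (vrf, name) from tokens like ['vrf', 'a', 'NAME', ...] or ['NAME', ...]."""
    if len(tokens) >= 3 and tokens[0] == "vrf":
        return tokens[1], tokens[2]
    return None, (tokens[0] if tokens else None)


def check_vrf_dns(text):
    """Return a list of findings; an empty list means all cross-references are consistent."""
    blocks = parse_blocks(text)
    vrfs, views, view_lists, findings = set(), {}, {}, []

    # Pass 1: collect definitions (VRFs, DNS views, DNS view lists).
    for cmd, subs in blocks:
        t = cmd.split()
        if t[:2] == ["ip", "vrf"] and len(t) == 3:
            vrfs.add(t[2])
        elif t[:3] == ["ip", "dns", "view"]:
            views[_vrf_and_name(t[3:])] = subs
        elif t[:3] == ["ip", "dns", "view-list"] and len(t) > 3:
            view_lists[t[3]] = subs

    # Pass 2: a VRF-bound view should reference an existing VRF and tag its name servers with it.
    for (vrf, name), subs in views.items():
        if vrf and vrf not in vrfs:
            findings.append(f"view {name}: VRF {vrf} is not defined")
        for s in subs:
            st = s.split()
            if vrf and st[:2] == ["domain", "name-server"] and st[2:4] != ["vrf", vrf]:
                findings.append(f"view {name}: name-server {st[-1]} is not tagged 'vrf {vrf}'")

    # Pass 3: every view-list entry needs an order number and must name a defined view.
    for lname, subs in view_lists.items():
        for s in subs:
            st = s.split()
            if st[:1] != ["view"]:
                continue
            vrf, vname = _vrf_and_name(st[1:])
            if not st[-1].isdigit():
                findings.append(f"view-list {lname}: entry '{s}' has no order number")
            if (vrf, vname) not in views:
                findings.append(f"view-list {lname}: view {vname} (vrf {vrf}) is not defined")

    # Pass 4: interfaces must point at a defined view list containing a view in their own VRF.
    for cmd, subs in blocks:
        if not cmd.startswith("interface "):
            continue
        ifname, if_vrf, group = cmd.split(None, 1)[1], None, None
        for s in subs:
            st = s.split()
            if st[:3] == ["ip", "vrf", "forwarding"]:
                if_vrf = st[3]
            elif st[:3] == ["ip", "dns", "view-group"]:
                group = st[3]
        if group is None:
            continue
        if group not in view_lists:
            findings.append(f"interface {ifname}: view-group {group} is not a defined view-list")
        elif if_vrf:
            entry_vrfs = {_vrf_and_name(s.split()[1:])[0]
                          for s in view_lists[group] if s.startswith("view ")}
            if if_vrf not in entry_vrfs:
                findings.append(f"interface {ifname}: view-list {group} has no view in VRF {if_vrf}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_vrf_dns(cfg) or "OK")
```

Run it against a `show running-config` capture pasted into a file; the parser only understands the one-space indentation IOS uses for sub-commands, so the checks are structural (names and order numbers), not a statement about how the router actually routes the query.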
Still no joy
Router#ping www.google.com
Translating "www.google.com"...domain server (255.255.255.255)
% Unrecognized host or address, or protocol not running.