For several years I’ve been using VRFs for all management functions.  This greatly improves security since all management functions can be locked down to a certain interface, and also recoverability in the event of routing problems.  The downside I keep finding is certain things either don’t work, or require special workarounds. Case in point: DNS resolution.

Per Cisco, VRF-aware DNS functionality has been supported for quite a while.  However, I’m completely stumped on how to actually use it.  Sample config on a 2921 router running IOS 15.5(3)M4:

ip vrf MGMT
 rd 12345:123
!
ip domain-lookup 
ip domain list vrf MGMT mydomain.com
ip name-server vrf MGMT 10.20.30.40

You can see the problem is in the first DNS line, ‘ip domain-lookup’: there’s no way to specify that DNS lookups should happen via the VRF called ‘MGMT’. Instead they happen via the default VRF.

So I try setting a specific source interface that is a member of this VRF:

interface Port-channel1.123
 encapsulation dot1Q 123
 ip vrf forwarding MGMT
 ip address 10.20.30.100 255.255.255.0
!
ip domain-lookup source-interface po1.123

Still no joy.  It really seems there was a goof here in enabling this feature.  I’ll complain to Cisco and hopefully it will be fixed by the time I die.
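As an added example, not from the original post: the post qualifies ‘ip domain list’ and ‘ip name-server’ with the VRF but never qualifies the lookup command itself. The IOS 15 command reference also documents a VRF-qualified form, ‘ip domain lookup [vrf vrf-name] [source-interface ...]’, so the fragment below puts the whole resolver configuration inside MGMT, reusing the post’s own sample VRF, interface, domain and server values. The assumption here is that this form is accepted and honoured on the 2921 with 15.5(3)M4; the post does not report trying it, so that remains untested on this platform.

```cisco
! Added example, not from the original post. Assumption: the VRF-qualified
! form of "ip domain lookup" from the IOS 15 command reference behaves as
! documented on this platform. Sample values are the post's own.
ip vrf MGMT
 rd 12345:123
!
interface Port-channel1.123
 encapsulation dot1Q 123
 ip vrf forwarding MGMT
 ip address 10.20.30.100 255.255.255.0
!
! Enable DNS lookups inside the MGMT VRF, sourced from the VRF member
! interface (instead of the global "ip domain-lookup source-interface").
ip domain lookup vrf MGMT source-interface Port-channel1.123
ip domain name vrf MGMT mydomain.com
ip domain list vrf MGMT mydomain.com
ip name-server vrf MGMT 10.20.30.40
!
! Verification from exec mode (assumption: a host named "host" exists in
! mydomain.com). A VRF-scoped ping forces the resolver to use the VRF's
! name server, and "show hosts vrf" lists the VRF's cache and servers:
!   ping vrf MGMT host.mydomain.com
!   show hosts vrf MGMT
!   show ip vrf detail MGMT
```

If the resolver still sends queries via the default VRF after this, the quickest check is a packet capture or an ACL counter on the name server’s interface in each VRF: a hit on the global-table interface rather than Port-channel1.123 confirms the lookup is not VRF-aware on that release.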
