I was trying to set up a SOHO router for a small client the other day and was having difficulty getting the DNS server to function the way I wanted on the router. I could get the DNS server to run on the Cisco Router, but it would only work on external domains. Any static record I added would not be resolvable for clients.
For starters, I will assume you have your own Cisco router running 12.4+ IOS firmware with ipservices.
- First, let’s set up DHCP on the Router
R1(config)# interface fastEthernet 0/1 R1(config)# ip address 10.0.0.1 255.255.255.0 R1(config)# no shutdown
- Enable DHCP service on that interface
R1(config)# ip dhcp-server 10.0.0.1
- Configure DHCP settings
R1(config)# ip dhcp pool dhcp-pool R1(config-dhcp)# network 10.0.0.0 255.255.255.0 R1(config-dhcp)# domain-name yourdomain.local R1(config-dhcp)# dns-server 10.0.0.1 R1(config-dhcp)# default-router 10.0.0.1 R1(config-dhcp)# lease 7
- Here we set the network from which IPs will be handed out by the DHCP service with the network 10.0.0.0 255.255.255.0 statement.
- We set the domain-name to yourdomain.local (this is very important for DNS to work), you may choose a different domain name, make sure it is qualified (i.e. me.com, you.com, us.local).
- We set the dns-server IP address which will be the internal interface of the the router. For me 10.0.0.1 is VLan1’s IP.
- Lastly we set the default-router as this router, this is what the DHCP server will assign as the default gateway on clients.
- OPTIONAL: I put a lease of 7 days, this is optional.
Second, we need to add the DHCP exclusion list. You have to add this even if you are not excluding any IPs in the network range from the previous step.
ip dhcp excluded-address 10.0.0.0 10.0.0.10
Note: Here i am excluding 10.0.0.0 – 10.0.0.10. Make sure you at least exclude the routers IP address!!
Set up the DNS forwarders first. These are DNS servers that you will use when you can not respond authoritatively to your client’s DNS requests. (Pretty much any name that does not belong within the yourdomain.local will be passed “forwarded” to these.)
- Activate the DNS server, this will only be available if you are running an IOS with ipservices.
R1(config)# ip dns server
Notice: If you do don’t have the ip dns server option, make sur eyou are running ipservices IOS
- Let’s use Open-DNS’s free public TLD DNS servers.
R1(config)#ip dns view default R1(config-dns)# domain timeout 1 R1(config-dns)# domain retry 0 R1(config-dns)# domain yourdomain.local R1(config-dns)# dns forwarder 220.127.116.11 R1(config-dns)# dns forwarder 18.104.22.168
Note: I also set a domain timeout of 1 second, and a domain retry of 0 so if the domain cannot be found it will not keep trying. I also said to use round-robin to choose the forwarder out of the pair for each query.
Make a DNS authoratative zone!! This is the key part to get the DNS working for internal name resources.
ip dns primary yourdomain.local soa 10.0.0.1 email@example.com
Ok, here we are starting a new SOA(start of authority) zone. We are telling the DNS server that we own the yourdomain.local and clients asking for anything in this zone should ask us. You can have as many SOA zones as you want, and hand them out to different networks connecting to your router.
NOTE: Without this statement the router will only act as a DNS forwarder. It will not be able to resolve internal client names and resources, such as mycomputer.yourdomain.local would be forwarded to the DNS forwarders you set up in the previous step. This is not what we want to happen.
OPTIONAL:Set the router’s own DNS settings, and adding static A record hosts to the zone.
R1(config)# ip domain name yourdomain.local R1(config)# ip host myserver.yourdomain.local 10.0.0.5 R1(config)# ip host myserver2.yourdomain.local 10.0.0.6
NOTE: For each A record, you will need the Fully-Qualified Domain Name (include the .yourdomain.local) If you do not clients will not be able to query for it because it will not match their query because the .yourdomain.local will automatically be appended.
There you have it! Try pinging myserver from your Router…Then try doing an nslookup of mysever on one of your clients.
R1#ping myserver source vlan 1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.5, timeout is 2 seconds: Packet sent with a source address of 10.0.0.1 !!!!!