-
Cisco IOS IP Addressing Services Command Reference
-
Introduction
-
ARP Commands
-
DHCP Commands: accounting (DHCP) through ip dhcp excluded-address
-
DHCP Commands: ip dhcp limit lease through lease
-
DHCP Commands: netbios-name-server through vrf (DHCP pool)
-
DNS Commands: ddns (DDNS-update-method) through ip dns server queue limit
-
DNS Commands: ip dns spoofing through view (DNS)
-
IP Addressing Commands
-
NAT Commands
-
NHRP Commands
-
Table Of Contents
ip dns spoofing
To enable Domain Name System (DNS) spoofing, use the ip dns spoofing command in global configuration mode. To disable DNS spoofing, use the no form of this command.
ip dns spoofing [ip-address]
no ip dns spoofing [ip-address]
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
12.3(2)T
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
DNS spoofing allows a router to act as a proxy DNS server and "spoof" replies to any DNS queries using either the configured IP address in the ip dns spoofing command or the IP address of the incoming interface for the query. This functionality is useful for devices where the interface toward the ISP is not up. Once the interface to the ISP is up, the router forwards DNS queries to the real DNS servers.
The router will respond to the DNS query with the configured IP address when queried for any host name other than its own but will respond to the DNS query with the IP address of the incoming interface when queried for its own host name.
The host name used in the DNS query is defined as the exact configured host name of the router specified by the hostname command, with no default domain appended. For example, in the following configuration:
ip domain name cisco.comhostname host1The system would respond with a DNS spoofing reply if queried for "host1" but not for "host1.cisco.com".
Examples
In the following example, the router will respond to a DNS query with an IP address of 192.168.15.1:
ip dns spoofing 192.168.15.1
ip dns view
To access or create the Domain Name System (DNS) view of the specified name associated with the specified Virtual Private Network (VPN) routing and forwarding (VRF) instance and then enter DNS view configuration mode so that forwarding and routing parameters can be configured for the view, use the ip dns view command in global configuration mode. To remove the definition of the specified DNS view and then return to global configuration mode, use the no form of this command.
ip dns view [vrf vrf-name] {default | view-name}
no ip dns view [vrf vrf-name] {default | view-name}
Syntax Description
Command Default
No new DNS view is accessed or created.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enters DNS view configuration mode—for the specified DNS view—so that forwarding parameters, resolving parameters, and the logging setting can be configured for that view. If the specified DNS view does not exist yet, it is automatically created.
Note
The maximum number of DNS views and view lists supported is not specifically limited but is dependent on the amount of memory on the Cisco router. Configuring a larger number of DNS views and view lists uses more router memory, and configuring a larger number of views in the view lists uses more router processor time. For optimum performance, configure no more views and view list members than needed to support your Split DNS query forwarding or query resolution needs.
The default view associated with the unnamed global VRF exists by default. This is the view that is referenced by using the ip dns view command without specifying a VRF and specifying the default keyword instead of a view-name argument. The default DNS view cannot be removed.
Different DNS views can be associated with the same VRF.
To enable debugging output for DNS view events, use the debug ip dns view command.
To display information about a particular DNS view or about all configured DNS views, including the number of times the DNS view was used, use the show ip dns view command.
Subsequent Operations on a DNS View Definition
After you use the ip dns view command to define a DNS view and enter DNS view configuration mode, you can configure DNS forwarder parameters, DNS resolution parameters, and system message logging for the view.
To configure the Cisco IOS DNS forwarder functionality, use the following commands:
•
•
•
To configure the Cisco IOS DNS resolver functionality, use the following commands:
•
•
•
•
•
•
•
•
•
To enable logging of a system message logging (syslog) message each time the DNS view is used, use the logging command.
Use of a DNS View Definition
After a DNS view is configured, the view can be added to a DNS view list (by using the ip dns view-list command) and usage restrictions for that view within that view list can configured (by using the restrict name-group and restrict source access-group commands).
Examples
The following example shows how to define the default DNS view in the global address space. This DNS view exists by default, and it is the view that has been in use since before the Split DNS feature was implemented.
Router(config)# ip dns view defaultThe following example shows how to define the default DNS view associated with VRF vpn101, creating the view if it does not already exist:
Router(config)# ip dns view vrf vpn101 defaultThe following example shows how to define the DNS view user2 in the global address space, creating the view if it does not already exist:
Router(config)# ip dns view user2The following example shows how to define the DNS view user2 associated with VRF vpn101, creating the view if it does not already exist:
ip dns view vrf vpn101 user2Related Commands
ip dns view-group
To attach a Domain Name System (DNS) view list to the interface, use the ip dns view-group command in interface configuration mode. To disable the attachment of a DNS view list to an interface, use the no form of this command.
ip dns view-group view-list-name
no ip dns view-group view-list-name
Syntax Description
view-list-name
Name of an existing DNS view list.
Note
Command Default
No DNS view list is attached to the interface. If a default DNS view list is configured, that view list is used to handle incoming DNS queries. If no view list has been configured either on this specific interface or for the system, incoming DNS queries are handled using the default global view.
Command Modes
Interface configuration
Command History
Usage Guidelines
This command configures the router to use the specified DNS view list to choose which DNS view to use to handle incoming DNS queries that arrive on the interface.
Only one DNS view list can be assigned to a given interface. However, a single DNS view list can be assigned to any number of interfaces so that the same ordered list of DNS views (along with the restrictions specified in the view list) can be checked by multiple interfaces.
A DNS view list can also be configured as the default DNS view list (by using the ip dns server view-group command) to determine which DNS view the router will use to handle a given incoming DNS query that arrives on an interface that is not configured with a DNS view list.
Note
When an incoming DNS query is received through the interface, the Cisco IOS software will check the members of the DNS view list—in the order specified in the view list—to determine if the usage restrictions on any view list member allow the view to be used to forward the incoming query:
•
•
If the hostname cache for the view contains the information needed to answer the query, the router will respond to the query with the hostname IP address in that internal cache. Otherwise, provided DNS forwarding is enabled for the DNS view, the router will forward the query to the configured name servers (each in turn, until a response is received), and the response will be both added to the hostname cache and sent back to the originator of the query.
•
Examples
The following example shows how to configure the router so that each time a DNS query arrives through interface ethernet0 the usage restrictions for the members of the DNS view list userlist2 are checked in the order specified by the view list definition. The router uses the first view list member whose usage restrictions allow that DNS view to forward the query.
Router(config)# interface ethernet0Router(config-if)# ip dns view-group userlist2Related Commands
ip dns view-list
To access or create the Domain Name System (DNS) view list of the specified name and then enter DNS view list configuration mode so that DNS views can be added to or removed from the ordered list of DNS view members, use the ip dns view-list command in global configuration mode. To remove the definition of the specified DNS view list, use the no form of this command.
ip dns view-list view-list-name
no dns view-list view-list-name
Syntax Description
view-list-name
Text string (not to exceed 64 characters) that uniquely identifies the DNS view list to be created.
Command Default
No DNS view list is accessed or created.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enters DNS view list configuration mode—for the specified view list—so that individual view list members (DNS views and their order numbers within the view list) can be accessed in, added to, or deleted from that view list. If the specified DNS view list does not exist yet, it is automatically created.
Note
To display information about a specific DNS view list or all currently configured DNS view lists, use the show ip dns view-list command.
Subsequent Operations on a DNS View List
After you use the ip dns view-list command to define a DNS view list and enter DNS view list configuration mode, you can use the view command to access a view list member or add a DNS view as a new view list member at the end of the list. Each view list member specifies a DNS view and a value that indicates the relative order for checking that view when the DNS view list is used. to determine if it can be used to address a DNS query.
For any DNS view list member, you can use the restrict authenticated, restrict name-group, and restrict source access-group commands to configure usage restrictions for the DNS view list member. These restrictions are based on query source authentication, the query hostname, and the query source host IP address, respectively.
Purpose of a DNS View List
When a DNS view list is used to select a DNS view to use to handle a given DNS query, the Cisco IOS software checks each DNS view in the DNS view list—in the order specified in the view list—to determine if the usage restrictions for that view allow the view to be used to address that particular DNS query.
The first DNS view with configured usage restrictions that allow its use for the DNS query will be used to resolve or forward the query. That is, the router will use the configuration parameters for that DNS view to either respond to the query (by using the name cache belonging to the DNS view) or forward the query to the configured name servers. If no DNS view in the view list is qualified to handle the query, the router does not send or forward the query.
Note
Use of a DNS View List for DNS Queries Incoming from a Particular Interface
Use the ip dns view-group command to configure the router to use a particular DNS view list to determine which DNS view to use to handle incoming DNS queries that arrive on that interface. Only one DNS view list can be assigned to a given interface. However, a single DNS view list can be assigned to any number of interfaces so that the same ordered list of DNS views (along with the restrictions specified in the view list) can be checked by multiple interfaces.
Use of a DNS View List as the Default DNS View List
Use the ip dns server view-list command to configure the default DNS view list. The router uses the default DNS view list to determine which DNS view to use to handle incoming DNS queries that arrive on an interface that is not configured with a DNS view list.
Examples
The following example shows how to remove the DNS view user1 from the DNS view list userlist5 and then add the view back to the view list, but with a different position indicator specified for that member within the view list. A usage restriction is also added to the view list member user1.
Router(config)# ip dns view-list userlist5Router(cfg-dns-view-list)# no view user1 30Router(cfg-dns-view-list)# view user1 10Router(cfg-dns-view-list)# restrict name-group 7Related Commands
ip domain list
To define a list of default domain names to complete unqualified names, use the ip domain list command in global configuration mode. To delete a name from a list, use the no form of this command.
ip domain list [vrf vrf-name] name
no ip domain list [vrf vrf-name] name
Syntax Description
Defaults
No domain names are defined.
Command Modes
Global configuration
Command History
Usage Guidelines
If there is no domain list, the domain name that you specified with the ip domain name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain list command is similar to the ip domain name command, except that with the ip domain list command you can define a list of domains, each to be tried in turn until the system finds a match.
If the ip domain list vrf command option is specified, the domain names are only used for name queries in the specified VRF.
The Cisco IOS software will still accept the previous version of the command, ip domain-list.
Examples
The following example shows how to add several domain names to a list:
ip domain list company.comip domain list school.eduThe following example shows how to add several domain names to a list in vpn1 and vpn2:
ip domain list vrf vpn1 company.comip domain list vrf vpn2 school.eduRelated Commands
ip domain lookup
To enable the IP Domain Naming System (DNS)-based host name-to-address translation, use the ip domain lookup command in global configuration mode. To disable the DNS, use the no form of this command.
ip domain lookup
no ip domain lookup
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Command History
Usage Guidelines
The Cisco IOS software will still accept the previous version of the command, which is ip domain-lookup.
Examples
The following example enables the IP DNS-based host name-to-address translation:
ip domain lookupRelated Commands
ip domain name
To define a default domain name that the Cisco IOS software uses to complete unqualified hostnames (names without a dotted-decimal domain name), use the ip domain name command in global configuration mode. To disable use of the Domain Name System (DNS), use the no form of this command.
ip domain name [vrf vrf-name] name
no ip domain name [vrf vrf-name] name
Syntax Description
Defaults
Enabled
Command Modes
Global configuration
Command History
Usage Guidelines
Any IP hostname that does not contain a domain name (that is, any name without a dot) will have the dot and cisco.com appended to it before being added to the host table.
If the ip domain name vrf command option is specified, the domain names are only used for name queries in the specified VRF.
The Cisco IOS software will still accept the previous version of the command, which is ip domain-name.
Examples
The following example shows how to define cisco.com as the default domain name:
ip domain name cisco.comThe following example shows how to define cisco.com as the default domain name for vpn1:
ip domain name vrf vpn1 cisco.comRelated Commands
ip domain retry
To specify the number of times to retry sending Domain Name System (DNS) queries, use the ip domain retry command in global configuration mode. To return to the default behavior, use the no form of this command.
ip domain retry number
no ip domain retry number
Syntax Description
number
Number of times to retry sending a DNS query to the DNS server. The range is from 0 to 100; the default is 2.
Defaults
number: 2 times
Command Modes
Global configuration
Command History
Usage Guidelines
If the ip domain retry command is not configured, the Cisco IOS software will only send DNS queries out twice.
Examples
The following example shows how to configure the router to send out 10 DNS queries before giving up:
ip domain retry 10Related Commands
ip domain round-robin
To enable round-robin functionality on DNS servers, use the ip domain round-robin command in global configuration mode. To disable round-robin functionality, use the no form of the command.
ip domain round-robin
no ip domain round-robin
Syntax Description
This command has no arguments or keywords.
Defaults
Round robin is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
In a multiple server configuration without the DNS round-robin functionality, the first host server/IP address is used for the whole time to live (TTL) of the cache, and uses the second and third only in the event of host failure. This behavior presents a problem when a high volume of users all arrive at the first host during the TTL time. The network access server (NAS) then sends out a DNS query; the DNS servers reply with a list of the configured IP addresses to the NAS. The NAS then caches these IP addresses for a given time (for example, five minutes). All users that dial in during the five minute TTL time will land on one host, the first IP address in the list.
In a multiple server configuration with the DNS round-robin functionality, the DNS server returns the IP address of all hosts to rotate between the cache of host names. During the TTL of the cache, users are distributed among the hosts. This functionality distributes calls across the configured hosts and reduces the amount of DNS queries.
Examples
The following example allows a Telnet to www.company.com to connect to each of the three IP addresses specified in the following order: the first time the Telnet command is given, it would connect to 10.0.0.1; the second time the command is given, it would connect to 10.1.0.1; and the third time the command is given, it would connect to 10.2.0.1. In each case, the other two addresses would also be tried if the first one failed; this is the normal operation of the Telnet command.
ip host www.server1.com 10.0.0.1 10.1.0.1 10.2.0.1ip domain round-robinip domain timeout
To specify the amount of time to wait for a response to a DNS query, use the ip domain timeout command in global configuration mode. To return to the default behavior, use the no form of this command.
ip domain timeout seconds
no ip domain timeout seconds
Syntax Description
seconds
Time, in seconds, to wait for a response to a DNS query. The range is from 0 to 3600; the default is 3.
Defaults
seconds: 3 seconds
Command Modes
Global configuration
Command History
Usage Guidelines
If the ip domain timeout command is not configured, the Cisco IOS software will only wait 3 seconds for a response to a DNS query.
Examples
The following example shows how to configure the router to wait 50 seonds for a response to a DNS query:
ip domain timeout 50Related Commands
ip host-list
To specify a list of hosts that will receive Dynamic Domain Name System (DDNS) updates of address (A) and pointer (PTR) Resource Records (RRs) and to enter host-list configuration mode, use the ip host-list command in global configuration mode. To disable the host list, use the no form of this command.
ip host-list host-list-name [vrf vrf-name]
no ip host-list host-list-name [vrf vrf-name]
Syntax Description
Defaults
No IP host list is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
The interface configuration overrides the global configuration.
Examples
The following example shows how to configure a list of hosts:
ip host-list testhost vrf testgroupRelated Commands
host (host-list)
Specifies a list of hosts that will receive DDNS updates of A and PTR RR.
ip name-server
To specify the address of one or more name servers to use for name and address resolution, use the ip name-server command in global configuration mode. To remove the addresses specified, use the no form of this command.
ip name-server [vrf vrf-name] server-address1 [server-address2...server-address6]
no ip name-server [vrf vrf-name] server-address1 [server-address2...server-address6]
Syntax Description
Command Default
No name server addresses are specified.
Command Modes
Global configuration
Command History
Examples
The following example shows how to specify IPv4 hosts 172.16.1.111 and 172.16.1.2 as the name servers:
ip name-server 172.16.1.111 172.16.1.2This command will be reflected in the configuration file as follows:
ip name-server 172.16.1.111ip name-server 172.16.1.2The following example shows how to specify IPv4 hosts 172.16.1.111 and 172.16.1.2 as the name servers for vpn1:
Router(config)# ip name-server vrf vpn1 172.16.1.111 172.16.1.2
The following example shows how to specify IPv6 hosts 3FFE:C00::250:8BFF:FEE8:F800 and 2001:0DB8::3 as the name servers:
ip name-server 3FFE:C00::250:8BFF:FEE8:F800 2001:0DB8::3This command will be reflected in the configuration file as follows:
ip name-server 3FFE:C00::250:8BFF:FEE8:F800ip name-server 2001:0DB8::3Related Commands
logging (DNS)
To enable logging of a system message logging (syslog) message each time the Domain Name System (DNS) view is used, use the logging command in DNS view configuration mode. To disable logging of a syslog message each time the DNS view is used, use the no form of this command.
logging
no logging
Syntax Description
This command has no arguments or keywords.
Command Default
No syslog message is logged when the DNS view is used.
Command Modes
DNS view configuration
Command History
Usage Guidelines
This command enables the logging of syslog messages for the DNS view.
To display the logging setting for a DNS view, use the show ip dns view command.
Examples
The following example shows how to enable logging of a syslog message each time the DNS view named user3 that is associated with the VRF vpn32 is used:
Router(config)# ip dns view vrf vpn32 user3Router(cfg-dns-view)# loggingRelated Commands
restrict authenticated
To specify that a Domain Name System (DNS) view list member cannot be used to respond to an incoming DNS query if the DNS view and the DNS client have not been authenticated, use the restrict authenticated command in DNS view list member configuration mode. To remove this restriction from a DNS view list member, use the no form of this command.
restrict authenticated
no restrict authenticated
Syntax Description
This command has no arguments or keywords.
Command Default
When determining whether the DNS view list member can be used to respond to an incoming DNS query, the Cisco IOS software does not check that the DNS view and the DNS client have been authenticated.
Command Modes
DNS view list member configuration
Command History
Usage Guidelines
This command restricts the DNS view list member from responding to an incoming DNS query unless the Cisco IOS software has verified the authentication status of the client. The view list member is rejected, and the view-selection process proceeds to the next view in the view list, if the client is not authenticated. The router that is running Split DNS determines the query client authentication status by calling any DNS client authentication functions that have been registered with Split DNS.
A client can be authenticated within a Cisco IOS environment by various methods, such as Firewall Authentication Proxy, 802.1x, and wireless authentication. Some DNS authentication functions might inspect only the source IP address or MAC address and the VRF information, while other functions might inspect the source IP address or MAC address, the VRF information, and the DNS view name.
Note
A DNS view list member can also be restricted from responding to an incoming DNS query based on the query source IP address (configured by using the restrict source access-group command) or the query hostname (configured by using the restrict name-group command).
Note
To display the usage restrictions for a DNS view list member, use the show ip dns view-list command.
Examples
The following example shows how to create the DNS view list userlist5 so that it contains the two DNS views:
Router(config)# ip dns view-list userlist5Router(cfg-dns-view-list)# view vrf vpn101 user1 20Router(cfg-dns-view-list-member)# exitRouter(cfg-dns-view-list)# view vrf vpn201 user2 35Router(cfg-dns-view-list-member)# restrict authenticatedBoth view list members are restricted from responding to an incoming DNS query unless the query is from the same VRF as the VRF with which the view is associated.
The first view list member (the view named user1 and associated with the VRF vpn101) has no further restrictions placed on its use.
The second view list member (the view named user2 and associated with the VRF vpn201) is further restricted from responding to an incoming DNS query unless the Cisco IOS software can verify the authentication status of the client.
Related Commands
restrict name-group
To specify that a Domain Name System (DNS) view list member cannot be used to respond to a DNS query unless the query hostname matches a permit clause in a particular DNS name list and none of the deny clauses, use the restrict name-group command in DNS view list member configuration mode. To remove this restriction from a DNS view list member, use the no form of this command.
restrict name-group name-list-number
no restrict name-group name-list-number
Syntax Description
Command Default
When determining whether the DNS view list member can be used to respond to an incoming DNS query, the Cisco IOS software does not check that the query hostname matches a permit clause in a particular DNS name list.
Command Modes
DNS view list member configuration
Command History
Usage Guidelines
This command restricts the DNS view list member from responding to an incoming DNS query if a permit clause in the specified DNS name list specifies a regular expression that matches the query hostname. The view list member is rejected, and the view-selection process proceeds to the next view in the view list, if an explicit deny clause in the name list (or the implicit deny clause at the end of the name list) matches the query hostname. To configure a DNS name list, use the ip dns name-list command.
A DNS view list member can also be restricted from responding to an incoming DNS query based on the source IP address of the incoming DNS query. To configure this type of restriction, use the restrict source access-group command.
Note
To display the usage restrictions for a DNS view list member, use the show ip dns view-list command.
Note
Examples
The following example shows how to specify that DNS view user3 associated with the global VRF, when used as a member of the DNS view list userlist5, cannot be used to respond to an incoming DNS query unless the query hostname matches the DNS name list identified by the number 1:
Router(config)# ip dns view-list userlist5Router(cfg-dns-view-list)# view user3 40Router(cfg-dns-view-list-member)# restrict name-group 1Related Commands
restrict source access-group
To specify that a Domain Name System (DNS) view list member cannot be used to respond to a DNS query unless the source IP address of the DNS query matches a standard access control list (ACL), use the restrict source access-group command in DNS view list member configuration mode. To remove this restriction from a DNS view list member, use the no form of this command.
restrict source access-group {acl-name | acl-number}
no restrict source access-group {acl-name | acl-number}
Syntax Description
acl-name
String (not to exceed 64 characters) that specifies a standard ACL.
acl-number
Integer from 1 to 99 that specifies a standard ACL.
Command Default
When determining whether the DNS view list member can be used to respond to an incoming DNS query, the Cisco IOS software does not check that the source IP address of the DNS query belongs to a particular standard ACL.
Command Modes
DNS view list member configuration
Command History
Usage Guidelines
This command restricts the DNS view list member from responding to an incoming DNS query if the query source IP address matches the specified standard ACL. To configure a standard ACL, use the access-list (IP standard) command.
A DNS view list member can also be restricted from responding to an incoming DNS query based on the the query hostname. To configure this type of restriction, use the restrict name-group command.
Note
To display the usage restrictions for a DNS view list member, use the show ip dns view-list command.
Note
Examples
The following example shows how to specify that DNS view user4 associated with the global VRF, when used as a member of the DNS view list userlist7, cannot be used to respond to an incoming DNS query unless the query source IP address matches the standard ACL number 6:
Router(config)# ip dns view-list userlist7Router(cfg-dns-view-list)# view user4 40Router(cfg-dns-view-list-member)# restrict source access-group 6Related Commands
show ip ddns update
To display information about the Dynamic Domain Name System (DDNS) updates, use the show ip ddns update command in privileged EXEC mode.
show ip ddns update [interface-type number]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.3(8)YA
This command was introduced.
12.3(14)T
This command was integrated into Cisco IOS Release 12.3(14)T.
Examples
The following output shows the IP DDNS update method on loopback interface 100 and the destination:
Router# show ip ddns updateDynamic DNS Update on Loopback100:Update Method Name Update Destinationtesting 10.1.2.3Related Commands
ip ddns update method
Specifies a method of DDNS updates of A and PTR RRs and the maximum interval between the updates.
show ip ddns update method
To display information about the Dynamic Domain Name System (DDNS) update method, use the show ip ddns update method command in privileged EXEC mode.
show ip ddns update method [method-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.3(8)YA
This command was introduced.
12.3(14)T
This command was integrated into Cisco IOS Release 12.3(14)T.
Examples
The following is sample output from the show ip ddns update method command:
Router# show ip ddns update methodDynamic DNS Update Method: testDynamic DNS update in IOS internal name cacheRelated Commands
show ip dns name-list
To display a particular Domain Name System (DNS) name list or all configured DNS name lists, use the show ip dns name-list command in privileged EXEC mode.
show ip dns name-list [name-list-number]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Display a DNS name list to view the ordered list of pattern-matching rules it defines. Each rule in the name list specifies a regular expression and the type of action to be taken if the query hostname matches that expression.
If the output from this command extends beyond the bottom of the screen, press the Space bar to continue or press the Q-key to terminate command output.
Examples
The following is sample output from the show ip dns name-list command:
Router# show ip dns name-listip dns name-list 1deny WWW.EXAMPLE1.COMpermit WWW.EXAMPLE.comip dns name-list 2deny WWW.EXAMPLE2.COMpermit WWW.EXAMPLE3.COMTable 25 describes the significant fields shown for each DNS name list in the display.
Related Commands
show ip dns primary
To display the authority record parameters configured for the Domain Name System (DNS) server, use the show ip dns primary command in user EXEC or privileged EXEC mode.
show ip dns primary
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC
Privileged EXECCommand History
Examples
The following example shows how to configure the router as a DNS server and then display the authority record parameters for the DNS server:
Router(conf)# ip dns serverRouter(conf)# ip dns primary example.com soa ns1.example.com mb1.example.comRouter(conf)# ip host example.com ns ns1.example.comRouter(conf)# ip host ns1.example.com 209.165.201.1Router(conf)# exitRouter# show ip dns primaryPrimary for zone example.com:SOA information:Zone primary (MNAME): ns1.example.comZone contact (RNAME): mb1.example.comRefresh (seconds): 21600Retry (seconds): 900Expire (seconds): 7776000Minimum (seconds): 86400Table 26 describes the significant fields shown in the display.
Related Commands
show ip dns statistics
To display packet statistics for the Domain Name System (DNS) server, use the show ip dns statistics command in user EXEC or privileged EXEC mode.
show ip dns statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
User EXEC (>)
Privileged EXEC (#)Command History
Usage Guidelines
Use this command to display the number of DNS requests received and dropped by the DNS server and the number of DNS responses sent by the DNS server.
Examples
The following is sample output from the show ip dns statistics command:
Router# show ip dns statisticsDNS requests received = 818725 ( 818725 + 0 )DNS requests dropped = 0 ( 0 + 0 )DNS responses replied = 0 ( 0 + 0 )Forwarder queue statistics:Current size = 0Maximum size = 400Drops = 804613Director queue statistics:Current size = 0Maximum size = 0Drops = 0Table 27 describes the significant fields shown in the display.
show ip dns view
To display configuration information about a Domain Name System (DNS) view or about all configured DNS views, including the number of times the DNS view was used, the DNS resolver settings, the DNS forwarder settings, and whether logging is enabled, use the show ip dns view command in privileged EXEC mode.
show ip dns view [vrf vrf-name] [default | view-name]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Display DNS view information to view its DNS resolver settings, DNS forwarder settings, and whether logging is enabled.
If the output from this command extends beyond the bottom of the screen, press the Space bar to continue or press the Q-key to terminate command output.
Because different DNS views can be associated with the same VRF, omitting both the default keyword and the view-name argument causes this command to display information about all the views associated with the global or named VRF.
Examples
The following is sample output from the show ip dns view command:
Router# show ip dns viewDNS View default parameters:Logging is on (view used 102 times)DNS Resolver settings:Domain lookup is enabledDefault domain name: example.comDomain search list: example1.com example2.com example3.comDomain name for multicast lookups: 192.0.2.10Lookup timeout: 7 secondsLookup retries: 5Domain name-servers:192.168.2.204192.168.2.205192.168.2.206Round-robin'ing of IP addresses is enabledDNS Server settings:Forwarding of queries is enabledForwarder addresses:192.168.2.11192.168.2.12192.168.2.13Forwarder source interface: FastEthernet0/1DNS View user5 parameters:Logging is on (view used 10 times)DNS Resolver settings:Domain lookup is enabledDefault domain name: example5.netDomain search list:Lookup timeout: 3 secondsLookup retries: 2Domain name-servers:192.168.2.104192.168.2.105DNS Server settings:Forwarding of queries is enabledForwarder addresses:192.168.2.204DNS View user1 vrf vpn101 parameters:Logging is on (view used 7 times)DNS Resolver settings:Domain lookup is enabledDefault domain name: example1.comDomain search list:Lookup timeout: 3 secondsLookup retries: 2Domain name-servers:192.168.2.100DNS Server settings:Forwarding of queries is enabledForwarder addresses:192.168.2.200 (vrf vpn201)Table 28 describes the significant fields shown for each DNS view in the display.
show ip dns view-list
To display information about a Domain Name System (DNS) view list or about all configured DNS view lists, use the show ip dns view-list command in privileged EXEC mode.
show ip dns view-list [view-list-name]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
If the output from this command extends beyond the bottom of the screen, press the Space bar to continue or press the Q-key to terminate command output.
IP DNS view lists are defined by using the ip dns view-list command.
To display information about how DNS view lists are applied, use the show running-config command:
•
•
Examples
The following is sample output from the show ip dns view-list command:
Router# show ip dns view-listView-list userlist1:View user1 vrf vpn101:Evaluation order: 10Restrict to source ACL: 71Restrict to ip dns name-list: 151View user2 vrf vpn102:Evaluation order: 20Restrict to source ACL: 71Restrict to ip dns name-list: 151View user3 vrf vpn103:Evaluation order: 30Restrict to source ACL: 71Restrict to ip dns name-list: 151View-list userlist2:View user1 vrf vpn101:Evaluation order: 10Restrict to ip dns name-list: 151View user2 vrf vpn102:Evaluation order: 20Restrict to ip dns name-list: 151View user3 vrf vpn103:Evaluation order: 30Restrict to ip dns name-list: 151Table 29 describes the significant fields shown for each DNS view list in the display.
Related Commands
show ip host-list
To display the assigned hosts in a list, use the show ip host-list command in privileged EXEC mode.
show ip host-list [host-list-name]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.3(8)YA
This command was introduced.
12.3(14)T
This command was integrated into Cisco IOS Release 12.3(14)T.
Examples
The following is sample output from the show ip host-list command example for the abctest group:
Router# show ip host-list abctestHost list: abctestddns.abc.test10.2.3.4ddns2.unit.test10.3.4.5ddns3.com10.3.3.3e.org1.org.2.org3.com10.5.5.5 (VRF: def)Related Commands
update dns
To dynamically update the Domain Name System (DNS) with address (A) and pointer (PTR) Resource Records (RRs) for some address pools, use the update dns command in global configuration mode. To disable dynamic updates, use the no form of this command.
update dns [both | never] [override] [before]
no update dns [both | never] [override] [before]
Syntax Description
Defaults
No updates are performed.
Command Modes
DHCP pool configuration
Command History
12.3(8)YA
This command was introduced.
12.3(14)T
This command was integrated into Cisco IOS Release 12.3(14)T.
Usage Guidelines
If you configure the update dns both override command, the DHCP server will perform DDNS updates for both PTR and A RRs associated with addresses assigned from an address pool, even if the DHCP client specified in the FQDN that the server should not.
If the server is configured using this command with or without any of the other keywords, and if the server does not see an FQDN option in the DHCP interaction, then it will assume that the client does not understand DDNS and act as though it were configured to update both A and PTR records on behalf of the client.
Examples
The following example shows how to configure the DHCP to never update the A and PTR RRs:
update dns neverRelated Commands
ip ddns update method
Specifies a method of DDNS updates of A and PTR RRs and the maximum interval between the updates.
view (DNS)
To access or create the specified Domain Name System (DNS) view list member in the DNS view list and then enter DNS view list member configuration mode, use the view command in DNS view list configuration mode. To remove the specified DNS view list member from the DNS view list, use the no form of this command.
view [vrf vrf-name] {default | view-name} order-number
no view [vrf vrf-name] {default | view-name} order-number
Syntax Description
Command Default
No DNS view is accessed or created.
Command Modes
DNS view list configuration
Command History
Usage Guidelines
This command enters DNS view list member configuration mode—for the specified view list member—so that usage restrictions can be configured for that view list member. If the DNS view list member does not exist yet, the specified DNS view is added to the DNS view list along with the value that indicates the order in which the view list member is to be checked (relative to the other DNS views in the view list) whenever the router needs to determine which DNS view list member to use to address a DNS query.
Note
Note
The view command can be entered multiple times to specify more than one DNS view in the DNS view list.
To display information about a DNS view list, use the show ip dns view-list command.
Subsequent Operations on a DNS View List Member
After you use the view command to define a DNS view list member and enter DNS view list member configuration mode, you can use any of the following commands to configure usage restrictions for the DNS view list member:
•
•
•
These optional, additional restrictions are based on query source authentication, the query hostname, and the query source host IP address, respectively. If none of these optional restrictions are configured for the view list member, the only usage restriction on the view list member is the usage restriction based on its association with a VRF.
Reordering of DNS View List Members
To provide for efficient management of the order of the members in a view list, each view list member definition includes the specification of the position of that member within the list. That is, the order of the members within a view list is defined by explicit specification of position values rather than by the order in which the individual members are added to the list. This enables you to add members to an existing view list or reorder the members within an existing view list without having to remove all the view list members and then redefine the view list membership in the desired order:
Examples
The following example shows how to add the view user3 to the DNS view list userlist5 and assign this view member the order number 40 within the view list. Next, the view user2, associated with the VRF vpn102 and assigned the order number 20 within the view list, is removed from the view list.
Router(config)# ip dns view-list userlist5Router(cfg-dns-view-list)# view user3 40Router(cfg-dns-view-list-member)# exitRouter(cfg-dns-view-list)# no view vrf vpn102 user2 20Related Commands
