#1

I recently switched from Road Runner to Earthlink cable modem.

When I did, I spoke with Earthlink and got the IP addresses of their name-servers. As my PC is on a static NAT address, I configured it to use the two name-servers I gave them. The result was that the PC resolved names just fine.

For my 831 router, I logged in and made my way to the global configuration prompt. When I entered 'ip name-server ' followed by the IP addresses of their two name servers and pressed enter. I went back to privileged exec mode and tried to telnet into another system. The router tried, but never got any address resolution.

Any ideas?

Fred

Fred Atkinson
#2

On Sun, 2 Jan 2005, Fred Atkinson wrote:
> I recently switched from Road Runner to Earthlink cable modem.
>
> When I did, I spoke with Earthlink and got the IP addresses of
> their name-servers. As my PC is on a static NAT address, I configured
> it to use the two name-servers I gave them. The result was that the
> PC resolved names just fine.
>
> For my 831 router, I logged in and made my way to the global
> configuration prompt. When I entered 'ip name-server ' followed by
> the IP addresses of their two name servers and pressed enter. I went
> back to privileged exec mode and tried to telnet into another system.
> The router tried, but never got any address resolution.
>
> Any ideas?
>

Can you ping the two name servers from your 831?

Doan
#3

"Fred Atkinson" <> wrote in message news:...
> For my 831 router, I logged in and made my way to the global
> configuration prompt. When I entered 'ip name-server ' followed by
> the IP addresses of their two name servers and pressed enter. I went
> back to privileged exec mode and tried to telnet into another system.
> The router tried, but never got any address resolution.

You had to have removed the others (no ip name-server x.x.x.x), but it should have tried all 4 if it couldn't reach the first.

While it is doing the resolution, it should list the DNS servers it is trying. Is it using the right ones? Also, check to see if "no ip domain lookup" is set. Some folks use that to prevent typos from attempting name resolution. Set "ip domain lookup" to fix.

To prevent typos from starting connections, better to use "transport prefer none" on the vty lines and console.
#4

>You had to have removed the others (no ip name-server x.x.x.x), but it
>should have tried all 4 if it couldn't reach the first.

I did.

>While it is doing the resolution, it should list the DNS servers it is
>trying. Is it using the right ones? Also, check to see if

It did. They were.

>"no ip domain lookup" is set. Some folks use that to prevent typos from
>attempting name resolution. Set "ip domain lookup" to fix.

It is set the way you suggested.

>To prevent typos from starting connections, better to use "transport prefer
>none" on the vty lines and console.

That is the approach I took.

The strange thing is that when I do a 'show run', I never see the name servers configured in it. Weird.

But, when I telnet to a domain name, it shows the IP addresses I specified as the servers it is trying to use to resolve my DNS. They are the same DNS IP addresses I've got configured in my network settings.

Fred
#5

On Mon, 03 Jan 2005 00:38:24 +0000, Fred Atkinson wrote:
> The strange thing is that when I do a 'show run', I never see
> the name servers configured in it. Weird.
>
> But, when I telnet to a domain name, it shows the IP addresses
> I specified as the servers it is trying to use to resolve my DNS.

Sorry if you already answered this - I couldn't find it in the thread. Since you don't see the name servers in the running-config, are you using DHCP on your outside interface? You can check with:

    router#show dhcp server
    DHCP server: ANY (255.255.255.255)
    Leases: 23
    Offers: 2 Requests: 26 Acks: 23 Naks: 1
    Declines: 0 Releases: 0 Bad: 0
    DNS0: 5.6.7.8, DNS1: 1.2.3.4
    Subnet: 255.255.254.0

If you are using DHCP, then the DN servers you're seeing should show up in the "show" output, as shown above. If they are there, and you are using DHCP, then are you using NAT using your outside interface as the global NAT address. If you further have a lower numbered interface that is not in your NAT access-list, then you might be having a problem with NAT for outside DNS queries. You might try using:

    ip domain-lookup source-interface interface9

where "interface9" is the inside, NATted interface. This will allow the router to translate the source address of the DNS query to a NATted external address.
#6

>Sorry if you already answered this - I couldn't find it in the thread.
>Since you don't see the name servers in the running-config, are you using
>DHCP on your outside interface? You can check with:

Yes, I am running DHCP. Sorry I didn't make that clear. Here it is:

    #show dhcp server
    DHCP server: ANY (255.255.255.255)
    Leases: 2
    Offers: 2 Requests: 4 Acks: 2 Naks: 0
    Declines: 0 Releases: 0 Bad: 0
    DNS0: 207.69.188.185, DNS1: 207.69.188.186
    Subnet: 255.255.255.128 DNS Domain: earthlink.net

>If you are using DHCP, then the DN servers you're seeing should show up in
>the "show" output, as shown above. If they are there, and you are using
>DHCP, then are you using NAT using your outside interface as the global
>NAT address. If you further have a lower numbered interface that is not
>in your NAT access-list, then you might be having a problem with NAT for
>outside DNS queries. You might try using:
>
>ip domain-lookup source-interface interface9
>
>where "interface9" is the inside, NATted interface. This will allow the
>router to translate the source address of the DNS query to a NATted
>external address.

I made this change as you suggested. Ethernet 0 is my inside NAT interface. I used 'ip domain-lookup source-interface ethernet 0'.

It seems to be translating now, but I can't successfully ping or telnet to any site as yet. I may try rebooting the router to see if anything changes.

Thanks, this is a step forward.

Fred
#7

On Mon, 03 Jan 2005 03:12:56 +0000, Fred Atkinson wrote:
>>Sorry if you already answered this - I couldn't find it in the thread.
>>Since you don't see the name servers in the running-config, are you using
>>DHCP on your outside interface? You can check with:
>
> Yes, I am running DHCP. Sorry I didn't make that clear. Here
> it is:
>
> #show dhcp server
> DHCP server: ANY (255.255.255.255)
> Leases: 2
> Offers: 2 Requests: 4 Acks: 2 Naks: 0
> Declines: 0 Releases: 0 Bad: 0
> DNS0: 207.69.188.185, DNS1: 207.69.188.186
> Subnet: 255.255.255.128 DNS Domain: earthlink.net
>
>>If you are using DHCP, then the DN servers you're seeing should show up in
>>the "show" output, as shown above. If they are there, and you are using
>>DHCP, then are you using NAT using your outside interface as the global
>>NAT address. If you further have a lower numbered interface that is not
>>in your NAT access-list, then you might be having a problem with NAT for
>>outside DNS queries. You might try using:
>>
>>ip domain-lookup source-interface interface9
>>
>>where "interface9" is the inside, NATted interface. This will allow the
>>router to translate the source address of the DNS query to a NATted
>>external address.
>
> I made this change as you suggested. Ethernet 0 is my inside
> NAT interface. I used 'ip domain-lookup source-interface ethernet 0'.
>
> It seems to be translating now, but I can't successfully ping
> or telnet to any site as yet. I may try rebooting the router to see
> if anything changes.

Assuming you mean you cannot ping or traceroute from the router, this may also be a NAT issue. If so, try an extended ping using the inside NAT interface (ethernet0) as the source:

    #ping
    Protocol [ip]:
    Target IP address: 1.2.3.4
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: ethernet0
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
    Packet sent with a source address of 2.3.4.5
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms

or

    telnet 1.2.3.4 /source-interface ethernet0

Posting your config (again, apologies if you've already done so) might speed up a resolution.
#8

>Assuming you mean you cannot ping or traceroute from the router, this may
>also be a NAT issue. If so, try an extended ping using the inside NAT
>interface (ethernet0) as the source:
>
>#ping
>Protocol [ip]:
>Target IP address: 1.2.3.4
>Repeat count [5]:
>Datagram size [100]:
>Timeout in seconds [2]:
>Extended commands [n]: y
>Source address or interface: ethernet0
>Type of service [0]:
>Set DF bit in IP header? [no]:
>Validate reply data? [no]:
>Data pattern [0xABCD]:
>Loose, Strict, Record, Timestamp, Verbose[none]:
>Sweep range of sizes [n]:
>Type escape sequence to abort.
>Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
>Packet sent with a source address of 2.3.4.5
>!!!!!
>Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms

    #ping
    Protocol [ip]:
    Target IP address: 65.87.155.1
    Repeat count [5]:
    Datagram size [100]:
    Timeout in seconds [2]:
    Extended commands [n]: y
    Source address or interface: ethernet0
    Type of service [0]:
    Set DF bit in IP header? [no]:
    Validate reply data? [no]:
    Data pattern [0xABCD]:
    Loose, Strict, Record, Timestamp, Verbose[none]:
    Sweep range of sizes [n]:
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 65.87.155.1, timeout is 2 seconds:
    Packet sent with a source address of 10.10.10.1
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/11/16 ms

>or
>
>telnet 1.2.3.4 /source-interface ethernet0

    #telnet 207.192.128.59
    Trying 207.192.128.59 ...
    % Connection timed out; remote host not responding

I was able to connect to this telnet address from my PC.

>Posting your config (again, apologies if you've already done so) might
>speed up a resolution.

    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname ******
    !
    boot-start-marker
    boot-end-marker
    !
    no logging buffered
    enable secret 5 ************************
    !
    clock timezone EDT 5
    no aaa new-model
    ip subnet-zero
    ip icmp redirect host
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.10.200 10.10.10.254
    !
    ip dhcp pool CLIENT
     import all
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     lease 0 2
    !
    !
    ip domain lookup source-interface Ethernet0
    ip host switch 10.10.10.221
    ip cef
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    no crypto isakmp enable
    !
    !
    !
    interface Ethernet0
     description Interface to Cisco internal switch.
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
     hold-queue 32 in
    !
    interface Ethernet1
     description Interface to Cablemodem.
     ip address dhcp client-id Ethernet1
     ip nat outside
     ip virtual-reassembly
     duplex full
    !
    interface FastEthernet1
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet2
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet3
     no ip address
     duplex auto
     speed auto
    !
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    !
    ip default-gateway 10.10.10.1
    ip classless
    no ip http server
    ip http secure-server
    ip nat inside source list 102 interface Ethernet1 overload
    ip nat inside source static 10.10.10.200 interface Ethernet1
    ip nat inside source static tcp 10.10.10.200 21 interface Ethernet1 21
    ip nat inside source static tcp 10.10.10.200 80 interface Ethernet1 80
    ip nat inside source static tcp 10.10.10.200 20 interface Ethernet1 20
    ip nat inside source static tcp 10.10.10.200 69 interface Ethernet1 69
    ip nat inside source static tcp 10.10.10.1 23 interface Ethernet1 23
    !
    !
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !
    control-plane
    !
    banner motd
    **********************.

    !
    line con 0
     exec-timeout 3 0
     password 7 ****************
     logging synchronous
     login
     no modem enable
     transport preferred none
     transport output all
     stopbits 1
    line aux 0
     exec-timeout 3 0
     password 7 ****************
     logging synchronous
     login
     transport preferred none
     transport output all
    line vty 0 4
     exec-timeout 3 0
     password 7 ****************
     logging synchronous
     login
     transport preferred none
     transport input all
     transport output all
    !
    scheduler max-task-time 5000
    end
#9

On Mon, 03 Jan 2005 10:28:23 +0000, Fred Atkinson wrote:
>>Assuming you mean you cannot ping or traceroute from the router, this may
>>also be a NAT issue. If so, try an extended ping using the inside NAT
>>interface (ethernet0) as the source:
>>
>>#ping
>>Protocol [ip]:
>>Target IP address: 1.2.3.4
>>Repeat count [5]:
>>Datagram size [100]:
>>Timeout in seconds [2]:
>>Extended commands [n]: y
>>Source address or interface: ethernet0
>>Type of service [0]:
>>Set DF bit in IP header? [no]:
>>Validate reply data? [no]:
>>Data pattern [0xABCD]:
>>Loose, Strict, Record, Timestamp, Verbose[none]:
>>Sweep range of sizes [n]:
>>Type escape sequence to abort.
>>Sending 5, 100-byte ICMP Echos to 1.2.3.4, timeout is 2 seconds:
>>Packet sent with a source address of 2.3.4.5
>>!!!!!
>>Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/28 ms
>
> #ping
> Protocol [ip]:
> Target IP address: 65.87.155.1
> Repeat count [5]:
> Datagram size [100]:
> Timeout in seconds [2]:
> Extended commands [n]: y
> Source address or interface: ethernet0
> Type of service [0]:
> Set DF bit in IP header? [no]:
> Validate reply data? [no]:
> Data pattern [0xABCD]:
> Loose, Strict, Record, Timestamp, Verbose[none]:
> Sweep range of sizes [n]:
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 65.87.155.1, timeout is 2 seconds:
> Packet sent with a source address of 10.10.10.1
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 4/11/16 ms
>

Since this ping worked, and your previous attempt did not, I think you're seeing a NAT problem.

>>or
>>
>>telnet 1.2.3.4 /source-interface ethernet0
>
> #telnet 207.192.128.59
> Trying 207.192.128.59 ...
> % Connection timed out; remote host not responding
>
> I was able to connect to this telnet address from my PC.

To check this, you need to use:

    # telnet 207.192.128.59 /source-interface ethernet0

so that your telnet packets have a source address in the inside NAT range, like the extended ping above.

>
>>Posting your config (again, apologies if you've already done so) might
>>speed up a resolution.
>
>
> !
> version 12.3
> no service pad
> service timestamps debug uptime
> service timestamps log uptime
> service password-encryption
> !
> hostname ******
> !
> boot-start-marker
> boot-end-marker
> !
> no logging buffered
> enable secret 5 ************************
> !
> clock timezone EDT 5
> no aaa new-model
> ip subnet-zero
> ip icmp redirect host
> ip dhcp excluded-address 10.10.10.1
> ip dhcp excluded-address 10.10.10.200 10.10.10.254
> !
> ip dhcp pool CLIENT
>  import all
>  network 10.10.10.0 255.255.255.0
>  default-router 10.10.10.1
>  lease 0 2
> !
> !
> ip domain lookup source-interface Ethernet0
> ip host switch 10.10.10.221
> ip cef
> ip ips po max-events 100
> no ftp-server write-enable
> !
> !
> !
> !
> no crypto isakmp enable
> !
> !
> !
> interface Ethernet0
>  description Interface to Cisco internal switch.
>  ip address 10.10.10.1 255.255.255.0
>  ip nat inside
>  ip virtual-reassembly
>  hold-queue 32 in
> !
> interface Ethernet1
>  description Interface to Cablemodem.
>  ip address dhcp client-id Ethernet1
>  ip nat outside
>  ip virtual-reassembly
>  duplex full

Just a side note: From the IOS documentation on ip virtual-reassembly

    VFR is designed to work with any feature that requires fragment reassembly (such as Cisco IOS Firewall and NAT). Currently, NAT enables and disables VFR internally; that is, when NAT is enabled on an interface, VFR is automatically enabled on that interface.

> !
> interface FastEthernet1
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet2
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet3
>  no ip address
>  duplex auto
>  speed auto
> !
> interface FastEthernet4
>  no ip address
>  duplex auto
>  speed auto
> !
> ip default-gateway 10.10.10.1
> ip classless
> no ip http server
> ip http secure-server

If you have a chance, please remove the statements between here ...

> ip nat inside source list 102 interface Ethernet1 overload
> ip nat inside source static 10.10.10.200 interface Ethernet1
> ip nat inside source static tcp 10.10.10.200 21 interface Ethernet1 21
> ip nat inside source static tcp 10.10.10.200 80 interface Ethernet1 80
> ip nat inside source static tcp 10.10.10.200 20 interface Ethernet1 20
> ip nat inside source static tcp 10.10.10.200 69 interface Ethernet1 69
> ip nat inside source static tcp 10.10.10.1 23 interface Ethernet1 23
> !
> !
> access-list 23 permit 10.10.10.0 0.0.0.255
> access-list 102 permit ip 10.10.10.0 0.0.0.255 any

.... and here, and replace with:

    # ip nat inside source list 1 interface Ethernet1 overload
    # access-list 1 permit 10.10.10.0 0.0.0.255

and retry. If that works, you can try adding your ip nat statements back in until your test breaks. I would start with the last one.

> !
> control-plane
> !
> banner motd
> **********************.
>
> !
> line con 0
>  exec-timeout 3 0
>  password 7 ****************
>  logging synchronous
>  login
>  no modem enable
>  transport preferred none
>  transport output all
>  stopbits 1
> line aux 0
>  exec-timeout 3 0
>  password 7 ****************
>  logging synchronous
>  login
>  transport preferred none
>  transport output all
> line vty 0 4
>  exec-timeout 3 0
>  password 7 ****************
>  logging synchronous
>  login
>  transport preferred none
>  transport input all
>  transport output all
> !
> scheduler max-task-time 5000
> end

Making the changes above will simplify things a little and help figure out what's going on.
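
The re-add test suggested in #9, worked through on the NAT lines of the config posted in #8, as an added example that is not part of any post in this thread: it parses the static NAT statements and lists the order in which to put them back, last one first. The function names and the `router_inside_ip` default are assumptions made for the illustration.

```python
import re

# Constructed input: the NAT and ACL lines from the config posted in #8.
CONFIG = """\
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 10.10.10.200 interface Ethernet1
ip nat inside source static tcp 10.10.10.200 21 interface Ethernet1 21
ip nat inside source static tcp 10.10.10.200 80 interface Ethernet1 80
ip nat inside source static tcp 10.10.10.200 20 interface Ethernet1 20
ip nat inside source static tcp 10.10.10.200 69 interface Ethernet1 69
ip nat inside source static tcp 10.10.10.1 23 interface Ethernet1 23
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
"""

# Replacement lines quoted from post #9.
BASELINE = [
    "ip nat inside source list 1 interface Ethernet1 overload",
    "access-list 1 permit 10.10.10.0 0.0.0.255",
]

STATIC = re.compile(
    r"^ip nat inside source static (?:(tcp|udp) )?(\S+)(?: (\d+))?"
    r" interface (\S+)(?: (\d+))?$"
)

def parse_static(config):
    """Return the static NAT rules in config order."""
    rules = []
    for raw in config.splitlines():
        m = STATIC.match(raw.strip())
        if m:
            proto, local, lport, iface, gport = m.groups()
            rules.append({"line": raw.strip(), "proto": proto, "local": local,
                          "local_port": int(lport) if lport else None,
                          "iface": iface,
                          "global_port": int(gport) if gport else None})
    return rules

def describe(rule, router_inside_ip):
    """Neutral label for what a rule translates (hypothetical helper)."""
    if rule["proto"] is None:
        return "whole address: %s address <-> %s" % (rule["iface"], rule["local"])
    target = "router itself" if rule["local"] == router_inside_ip else rule["local"]
    return "%s/%d on %s -> %s" % (rule["proto"], rule["global_port"],
                                  rule["iface"], target)

def readd_plan(config, router_inside_ip="10.10.10.1"):
    """Step 0 is the baseline; each later step re-adds one rule, last first."""
    steps = [{"add": BASELINE, "what": "baseline overload only"}]
    for rule in reversed(parse_static(config)):
        steps.append({"add": [rule["line"]],
                      "what": describe(rule, router_inside_ip)})
    return steps

if __name__ == "__main__":
    for n, step in enumerate(readd_plan(CONFIG)):
        print("step %d (%s):" % (n, step["what"]))
        for cmd in step["add"]:
            print("  " + cmd)
```

After each step, repeat the same router-sourced test from the thread (the plain `telnet` and name lookup) and stop at the first step where it fails again.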