Use a Cisco router to redirect DNS requests to a local DNS server

If you are reading this post, you want to know how to redirect DNS requests to a local DNS server using a Cisco router. The topic is especially useful to ISPs who want every subscriber to use the provider's own resolver.

Among the reasons an ISP would want to redirect DNS requests to a local DNS server are faster name resolution (the resolver and its cache sit close to the users) and control over which websites users can reach through DNS-based filtering. Without redirection, a user can bypass the filtering simply by configuring a public DNS address on their device. Two caveats apply. The redirect below only catches plaintext DNS on UDP port 53, so clients using DNS over TLS (TCP 853) or DNS over HTTPS (TCP 443) are not affected, and a user who knows a blocked site's IP address can still reach it directly. It raises the bar; it is not a complete block.

To accomplish this you need a fully functional local DNS server that is reachable from the router and from every user on the network. The configuration uses an access list and a route-map: the access list matches the DNS requests coming from users behind the router, and the route-map policy-routes those matched packets to the local DNS server. One point to understand before starting: policy-based routing only changes where the router forwards a packet, it does not rewrite the destination address. A query a user sent to 8.8.8.8 arrives at the local server still addressed to 8.8.8.8, so the server (or a destination NAT rule in front of it) must be prepared to accept and answer queries for addresses other than its own; otherwise the server's host discards them as not addressed to it. Let's look at the network topology of what we want to achieve.

Network Topology

[Topology diagram: LAN hosts behind R1's interface f0/0 (192.168.88.1/24), with the local DNS server at 192.168.88.100 on the same LAN]

How to redirect DNS requests to a local DNS server on a Cisco router

The configuration is done in three parts: an access list that matches DNS requests on UDP port 53, a route-map that sets the next hop for matched packets, and the interface command that applies the policy. See the commands for the first part below.

Access-list to match DNS requests

R1(config)#ip access-list extended local_dns

R1(config-ext-nacl)#deny udp host 192.168.88.100 any eq 53

R1(config-ext-nacl)#permit udp any any eq 53

R1(config-ext-nacl)#exit

The deny entry comes first because the local DNS server sits on the same LAN and sends its own upstream queries through f0/0; without it, those queries would match the permit line and be policy-routed straight back to the server, and resolution would fail for everyone. The permit line then catches every other UDP query to port 53, whatever resolver the user configured. If you also want to capture DNS over TCP (used when a UDP response is truncated), add a matching permit tcp any any eq 53 entry.


Route-map to redirect DNS requests to a local DNS server

R1(config)#route-map redirect_dns permit 10

R1(config-route-map)#match ip address local_dns

R1(config-route-map)#set ip next-hop 192.168.88.100

R1(config-route-map)#route-map redirect_dns permit 20

R1(config-route-map)#exit

Sequence 10 matches packets permitted by the local_dns access list and sets their next hop to the local DNS server, 192.168.88.100, which must be directly connected to the router for set ip next-hop to work (here it is, on the f0/0 subnet). Sequence 20 has no match or set clause; it is a catch-all so that every other packet, including the resolver's own queries denied by the access list, is forwarded by the normal routing table.

Policy placement

The route-map configured above must be applied to the LAN interface, because ip policy route-map acts on packets as they enter that interface; traffic arriving from the WAN side is not affected. In this case, interface f0/0 connects to the LAN switch. Note that interface policy only covers transit traffic: the router's own DNS lookups would need ip local policy route-map, which this design does not require.

R1(config)#interface f0/0

R1(config-if)#ip address 192.168.88.1 255.255.255.0

R1(config-if)#ip policy route-map redirect_dns

Verification

To verify the configuration, use the privileged EXEC commands show access-lists and show route-map; adding the name narrows the output, for example show access-lists local_dns or show route-map redirect_dns. IOS displays port 53 as domain in the access-list output and keeps a hit counter per entry, and the route-map output ends with a Policy routing matches line whose packet and byte counters must increase while a client is resolving names. show ip policy confirms that redirect_dns is attached to f0/0. The real test is from a client: point its resolver at a public address and resolve a name. If the counters climb but the query times out, the packets are reaching the local server but it is not answering queries addressed to the public resolver's IP.
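The router-side counters above show that packets are being matched; the client-side check for the whole procedure (access list, route-map and interface policy) is to send a plaintext DNS query toward a public resolver and see who answers. The following Python probe is an added example, not code from the original post. The addresses are assumptions taken from the post's topology (192.168.88.100) plus two commonly used public resolvers, and the name example.com is arbitrary.

```python
# Added example (not from the original post): probe plain UDP/53 resolution
# from a client behind R1 and report who actually answered. The resolver
# addresses below are assumptions taken from the post's topology and two
# commonly used public resolvers; change them to match your network.
import random
import socket
import struct
import time
from typing import Optional

LOCAL_DNS = "192.168.88.100"          # the local resolver in the post's topology
PUBLIC_DNS = ["8.8.8.8", "1.1.1.1"]   # assumed public resolvers a user might configure


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS query (RFC 1035 wire format): header + one A/IN question."""
    # flags 0x0100 = standard query with recursion desired; QDCOUNT=1, no other sections
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a domain name, handling a compression pointer."""
    while True:
        length = data[offset]
        if length == 0:                 # root label terminates the name
            return offset + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes) -> dict:
    """Extract id, response code and A-record answers from a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4       # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:   # A record in class IN
            answers.append(socket.inet_ntoa(rdata))
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}


def probe(resolver: str, name: str = "example.com", timeout: float = 2.0) -> Optional[dict]:
    """Send one query to resolver:53 and return the parsed reply together with the
    address that answered, or None on timeout or an unrelated reply."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.monotonic()
        sock.sendto(build_query(name, qid), (resolver, 53))
        # unconnected socket: accepts a reply from any source, so a server that
        # answers from its own address instead of the queried one is visible here
        data, (src_ip, _port) = sock.recvfrom(512)
    except socket.timeout:
        return None
    finally:
        sock.close()
    result = parse_response(data)
    if result["id"] != qid:
        return None
    result["answered_by"] = src_ip
    result["rtt_ms"] = round((time.monotonic() - start) * 1000, 1)
    return result


if __name__ == "__main__":
    for resolver in [LOCAL_DNS] + PUBLIC_DNS:
        reply = probe(resolver)
        if reply is None:
            print(f"{resolver:16} no reply (redirected but not answered, or filtered)")
        else:
            print(f"{resolver:16} answered by {reply['answered_by']} in {reply['rtt_ms']} ms, "
                  f"rcode={reply['rcode']} answers={reply['answers']}")
```

Run it from a host on the 192.168.88.0/24 LAN. A reply from the local server's own address when 8.8.8.8 was queried means the redirect is delivering packets but the reply source is not being translated back; most stub resolvers use a connected UDP socket and would drop such a reply, so the redirect would look like a timeout to ordinary applications. No reply at all while the route-map counters climb means the local server is discarding queries addressed to the public resolver's IP.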
