If you are reading this post, you want to understand how to redirect DNS requests to a local DNS server using a Cisco router. This topic is useful especially to ISPs who want all of their subscribers to use a local DNS server.
Among the reasons an ISP would want to redirect DNS requests to a local DNS server are faster domain name resolution and control over which websites users are permitted to visit. Without this feature, users can bypass restrictions enforced on the local DNS server simply by assigning a public DNS address to their devices. Keep in mind that the configuration below only captures plain DNS on UDP port 53: DNS over TCP, DNS over TLS (TCP 853) and DNS over HTTPS (TCP 443) are not matched, so it raises the bar for bypass rather than giving complete control.
To accomplish this task, you must have a fully functional local DNS server reachable from the router and from all users on the network. The configuration uses an access list and a route-map: the access list matches DNS requests from users connected behind the router, and the route-map, applied as a policy on the LAN interface, redirects the matched requests to the local DNS server. Let’s look at the network topology of what we want to achieve.
How to redirect dns requests to a local dns server on a Cisco router
The configuration will be done in two parts. The first part is an access list that matches DNS requests on UDP port 53. Because the local DNS server sits on the same LAN (192.168.88.100 behind f0/0), its own recursive queries to upstream resolvers would also match and be redirected back to itself, so a deny entry for the server is placed before the permit. See the commands for this part below.
Access-list to match dns requests
R1(config)#ip access-list extended local_dns
R1(config-ext-nacl)#deny udp host 192.168.88.100 any eq 53
R1(config-ext-nacl)#permit udp any any eq 53
Route-map to redirect dns requests to a local dns server
R1(config)#route-map redirect_dns permit 10
R1(config-route-map)#match ip address local_dns
R1(config-route-map)#set ip next-hop 192.168.88.100
R1(config-route-map)#route-map redirect_dns permit 20
Sequence 10 redirects packets matched by the access list; sequence 20 has no match or set clause, so all other traffic follows the normal routing table. The route-map must be applied to the LAN interface, where the policy is evaluated on matching packets as they arrive at the router from the LAN. In this case, interface f0/0 connects to the LAN switch. Note that set ip next-hop only changes where the packet is forwarded; the destination address still belongs to the public resolver the client asked for, so the server at 192.168.88.100 must be set up to accept and answer queries addressed to other IPs (for example a transparent DNS proxy or a DNAT rule on the server).
R1(config)#interface FastEthernet0/0
R1(config-if)#ip address 192.168.88.1 255.255.255.0
R1(config-if)#ip policy route-map redirect_dns
To verify this configuration, use the privileged EXEC commands show access-list and show route-map, and show ip policy to confirm that the route-map is bound to the interface. To check access-list matching, use #sh access-list; for route-map matching, use #sh route-map. You can narrow down the output by entering the name of the access-list or route-map, for example #sh access-list local_dns or #sh route-map redirect_dns. While a client behind f0/0 queries a public resolver, the match counters on both should increase.
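The complete configuration and verification steps from the sections above, collected in one place as an added example (this is not the post's own configuration). The addressing follows the post: 192.168.88.0/24 on FastEthernet0/0 and the DNS server at 192.168.88.100. It goes beyond the post in two assumed additions: a deny entry so the DNS server's own upstream queries are not looped back to it, and a second permit that also catches DNS over TCP.

```cisco
! Added example: redirect LAN DNS queries to a local server with policy-based routing.
! Addressing (192.168.88.0/24 on FastEthernet0/0, server 192.168.88.100) follows the
! post; the deny entry and the TCP line are assumed additions.
!
! 1. Access list. The deny comes first: without it the server's recursive queries
!    to upstream resolvers would match the permit and be policy-routed back to
!    itself, and resolution would loop. The tcp line also catches DNS over TCP
!    (large answers, zone transfers).
ip access-list extended local_dns
 deny   udp host 192.168.88.100 any eq 53
 deny   tcp host 192.168.88.100 any eq 53
 permit udp any any eq 53
 permit tcp any any eq 53
!
! 2. Route-map. Sequence 10 redirects matched packets to the local server;
!    sequence 20 has no match/set and lets everything else use the routing table.
route-map redirect_dns permit 10
 match ip address local_dns
 set ip next-hop 192.168.88.100
route-map redirect_dns permit 20
!
! 3. Apply the policy inbound on the LAN-facing interface.
interface FastEthernet0/0
 ip address 192.168.88.1 255.255.255.0
 ip policy route-map redirect_dns
!
! 4. Verification (privileged EXEC). Counters should increase while a client
!    behind f0/0 queries a public resolver.
!   show ip policy
!   show route-map redirect_dns
!   show access-list local_dns
```

Because set ip next-hop does not rewrite the destination address, the server at 192.168.88.100 receives packets addressed to the public resolver the client chose; it must accept and answer those (a transparent DNS proxy or a DNAT rule on the server host), otherwise the redirected queries are silently dropped and clients see timeouts rather than a redirected answer.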