Is there a way to turn off reverse lookups and leave forward lookups on?
Summary:
Use no domain-lookup
under line vty 0 4
...
Details:
You're right, the default behavior is to perform & cache a forward / reverse lookup for the addresses in show commands. This config starts similar to yours...
Baseline behaviour: Forward / Reverse lookups
HotCoffee#clear host *
HotCoffee#sh runn | i ip domain|ip name|^ +domain|NTP
Time source is NTP, 06:10:42.327 CDT Tue Aug 13 2013
ip domain name pennington.net
ip name-server 172.16.1.5
domain-name pennington.net
HotCoffee#
After clearing the host cache, there are no entries in it...
HotCoffee#show host
Load for five secs: 0%/0%; one minute: 1%; five minutes: 1%
Time source is NTP, 06:11:46.864 CDT Tue Aug 13 2013
Default domain is pennington.net
Name/address lookup uses domain service
Name servers are 172.16.1.5
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
HotCoffee#
Doing a show user
or ping
populates the host cache...
HotCoffee#sh user
Line User Host(s) Idle Location
* 66 vty 0 cisco idle 00:00:00 tsunami.pennington.net
Interface User Mode Idle Peer Address
HotCoffee#ping flame
Translating "flame"...domain server (172.16.1.5)
Translating "flame"...domain server (172.16.1.5) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms
HotCoffee#
Now there are host entries for both the ping
target and show user
...
HotCoffee#sh hosts
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 06:16:32.811 CDT Tue Aug 13 2013
Default domain is pennington.net
Name/address lookup uses domain service
Name servers are 172.16.1.5
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
tsunami.pennington.net None (temp, OK) 0 IP 172.16.1.5
flame.pennington.net None (temp, OK) 0 IP 172.16.1.1
flame None (temp, UN) 0 IPv6
HotCoffee#
Solution: Only Forward lookups
Use no domain-lookup
under the vty / console lines to restrict IOS behaviour to only forward lookups...
HotCoffee#conf t
Enter configuration commands, one per line. End with CNTL/Z.
HotCoffee(config)#line vty 0 4
HotCoffee(config-line)#no domain-lookup
HotCoffee(config-line)#end
HotCoffee#
First I clear the host cache for a clean test...
HotCoffee#clear host *
HotCoffee#
HotCoffee#
show user
formerly performed a reverse-lookup on 172.16.1.5 as well as populating the host cache, but neither happens now...
HotCoffee#sh user
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 06:20:00.250 CDT Tue Aug 13 2013
Line User Host(s) Idle Location
* 66 vty 0 cisco idle 00:00:00 172.16.1.5 <----
Interface User Mode Idle Peer Address
HotCoffee#
HotCoffee#sh host
Load for five secs: 2%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 06:20:06.729 CDT Tue Aug 13 2013
Default domain is pennington.net
Name/address lookup uses domain service
Name servers are 172.16.1.5
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
<----
HotCoffee#
Just to show that forward lookups still function...
HotCoffee#
HotCoffee#ping flame
Translating "flame"...domain server (172.16.1.5)
Translating "flame"...domain server (172.16.1.5) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
HotCoffee#
HotCoffee#
HotCoffee#
HotCoffee#sh hosts
Load for five secs: 0%/0%; one minute: 0%; five minutes: 0%
Time source is NTP, 06:25:43.237 CDT Tue Aug 13 2013
Default domain is pennington.net
Name/address lookup uses domain service
Name servers are 172.16.1.5
Codes: UN - unknown, EX - expired, OK - OK, ?? - revalidate
temp - temporary, perm - permanent
NA - Not Applicable None - Not defined
Host Port Flags Age Type Address(es)
tsunami.pennington.net None (temp, OK) 0 IP 172.16.1.5
flame.pennington.net None (temp, OK) 0 IP 172.16.1.1
flame None (temp, UN) 0 IPv6
HotCoffee#
Best Answer
Basically, you need to check the connectivity between this router and the DNS server through FastEthernet0.
NOTE
I just tried the 'ip name-server X.X.X.X' command on my core switch (X.X.X.X is my DNS server IP address) and everything worked perfect internally and externally (I used ping and traceroute to
idjsrv.beyti.local
) as shown:(I used ping and traceroute to
www.google.com
) as shown: