DNS, it's been around for as long as I care to remember (and I can remember a lot) and we all need it to make a human readable IP address into a human recognisable names like www.google.com. When you type a web server name into your browser you don't see it happening but your computer is using DNS to convert that name (e.g. http://www.defaultrouteuk.com) into an IP address...the rest is electricity (and a bit of luck).

DNS or the Domain Name Service is a collection of hierarchical 'databases' (they are flat files usually) which work on devolved authority from the root name servers responsible for that top level domains like .com, .net etc. When your machine needs to resolve the IP address for a web server it uses the DNS service to do that. Devolved what? Well there are a number of root name servers and each one looks after the 'root' of the DNS 'tree'. Examples of the root are .com and .net. When you need to lookup the hostname www.google.com you first whiz off to the root name server responsible for .com who then tells you to ask at 'google'. You then ask 'google' who tells you the IP address for 'www'.

So, if we are network engineers what do we care about DNS? Well of course sometimes it's nice not to have to remember IP addresses all the time. It is also essential to use DNS in things like NBAR access-lists. Allowing you to lookup hostnames using DNS is a good thing. When you telnet to or from a device then the device may need to perform a DNS lookup either on your incoming connection (for logging or some access-list requirement) or else for the outgoing connection (for example when you wish to connect to routerX using it's hostname). I tell you one time that you wished you turned lookup off though...when you fat finger a hostname and have to wait a long time to get your prompt back (unless you Ctrl+6+x of course). So we need to allow DNS lookups from our IOS device but also you also need to consider DNS lookup requests for hosts behind your filtering routers.

DNS as a protocol

What port and protocols do we need to consider to allow the lookup? Well, just like most things in networking, it depends.

DNS as a service function runs on both TCP and UDP protocols but is listening on port 53. A client lookup will use UDP to initiate the lookup but will use a client port greater than 1023 and destination port of 53. If the response to the query is very large then the server (daemon) will send the information back to the client using TCP. Very large queries are most commonly seen for server to server DNS transfer (XFER) requests so if you are running multiple DNS servers acting as primary, secondary, tertiary etc then TCP will be used to move information around.

Right, the nuts and bolts of it all for the network engineer then. What would the various DNS request types look like in an access-list...here are a few scenarios.

Outbound DNS lookup from hosts behind a filter router
Inbound DNS lookup from Internet hosts to our DNS server(s)
DNS large request support between servers and clients

OK so we need to use an extended or named access-list because we are going to need to support ports (remember the standard ACL has no support for ports). The scenario will work on applying an INBOUND ACL to the  Internet facing interface.

Now I have seen other resources talking of placing the acl 'outbound' on the inside (private) side of the router...I guess I don't have strong feelings one way or the other on the placement however I would say that I tend to err on the side of caution and try to drop bad or unwanted traffic as soon as I see it rather than allow it to traverse the router and consume resources. Up to you.

Outbound access-list permitting DNS lookup outbound

access-list 100 permit udp any eq 53 gt 1023

This acl is applied inbound on the outside interface. We are looking therefore at a source of 'any' because we have no idea of the source of the traffic (the DNS server responsible for that domain). The source port however is known as UDP port 53. The destination for a client lookup using for example nslookup or dig would be a udp port of 1024 or higher.

Inbound access-list permitting DNS ;ookup from our DNS server for our domain.

access-list 100 permit udp any gt 1023 eq 53

Our DNS service is running on a host with IP address

Allow for large DNS lookups, queries and xfers.

access-list 100 permit tcp any eq 53 gt 1023

The access-list, again applied inbound on the public facing interface, will allow for TCP DNS traffic from any host to our private network hosts.

Clearly we all need DNS and in the modern firewalls and application aware routers we can be excused for not knowing the basics...but here they are. Using more modern access-lists using techniques such as NBAR or reflexive can remove a lot of the security flaws with standard and extensive access-lists, so our access-list examples are NOT the complete answer, just a demonstration. 

By the way - that annoying wait you get when you fat finger a telnet command? Normally you would sit there with a dead console waiting while the lookup times out...or you just hit Ctrl+6+x and it'll crash out...then you do that again...then again to kill it. You can simply disable DNS lookups all together and save the issue....this command is for you:

router(config)# no ip domain-lookup

Have you ever thought about using IOS as a DNS server? Well you can, but like DHCP server in IOS what you can do is not necessarily what you should do.

First enable the DNS server daemon (listener)

R1(config)#ip dns server

Now enable lookup (remember this is on by default so unless you disabled it you won't need to do this)

R1#(config) ip domain-lookup

OK so now lets put some hosts into our 'database'.

ip host R1
ip host R2

If we configured an IOS DNS client to point at R1 for hostname lookup (using ip name-server it would resolve using the hostnames we just configured.

IOS dns client lookup

So far we've just shown how to perform hostname lookups but what if we wanted more DNS information like domain names? Well IOS doesn't disappoint...

R1(config)#ip dns primary defaultrouteuk.com soa R1.defaultrouteuk.com defaultrouteuk.com support@defaultrouteuk.com 300 60 3600 86400

Here we've configured the domain of 'defaultrouteuk.com'. The 'Start of Authority' record shows we've delegated authority for lookup to R1. Now we'll setup the client to lookup hosts inside that domain...

R2(config)#ip domain-name defaultrouteuk.com

OK so a ping now for the domain?

Screen shot 2011-08-17 at 02.05.30

Ok so we see that pinging R1 doesn't work anymore because we're not in that domain anymore on the client. Pinging the hostname R1.defaultrouteuk.com fails too, because the server doesn't have a hostname record for that...oh man

Screen shot 2011-08-17 at 02.05.21

Right so we've put the hostname in the server...can the client lookup properly now?

Screen shot 2011-08-17 at 02.05.42

Awesome! It'll even work if we ping R1 too because we'll lookup inside that 'defaultrouteuk.com' domain from the client (remember we used the 'ip domain-name' command?)

So like I said before IOS DNS server is a 'fix' but it's NOT a solution to DNS for you and you should use a dedicated DNS server for the job like BIND or Windows (shudder) Server (wretch). Certainly it will work for hosts but it's unworkable to manually put in lots of records. It won't support things like record type beyond A and SOA records so MX, PTR, TXT etc are not going to be available to you.

Good luck with your studies!
View Comments
I'm sure this list is not complete, how do I know? I just know there are better people out there than me, nothing more.

So I'll start the thread by asked if anyone who ever plugged in their laptop and picked up an address but were expecting something else? For those people who thought they’d been hacked or their DHCP server just went nuts, this section is for you.

IPv4 Well-Known Addresses – Current Network only valid as a source address [RFC1700] – Loopback - Private (not routed on the internet) ranges [RFC1918]
Documentation [RFC5735 and RFC5737] - TEST-NET-1 - This is the "link local" block. As described in [RFC3927] - IPv4 to IPv6 Relay - Network Benchmark tests - TEST-NET-2 - TEST-NET-3 Multicast [RFC5771] – - Reserved for future Use - Broadcast [RFC919]

IPv6 Well Known and Reserved Addresses

::0/8 - Unassigned
0100::/8 0200::/7 - Reserved by the IEFT
0400::/6 0800::/5 1000::/4
2000::/3 - Global Unicast
2001::/32 - Teredo (IPv6 NAT to you and me) [RFC4380]
2001:DB8::/32 - Documentation Purposes [RFC3849]
2002::/16 - 6to4 Tunnels
( 4000::/3, 6000::/3, 8000::/3, A000::/3, C000::/3, E000::/4, F000::/5, F800::/6, FE00::/9, FEC0::/10 ) - Various Reserved
FC00::/7 - Unique Local Unicast [RFC4193]
FEC0::10 - Reserved link local but now deprecated (see FE80) [RFC3879]
FD00::/8 - Private Administration
FE80::/10 - Link Local Unicast [RFC4291]
FF00::/8 - Multicast [RFC4291]
::1 - Loopback address
::/0 - Default route

By the way, for those guys I was talking about in the first chapter, Microsoft machines default to that IP address when they are configured for DHCP but can’t get a DHCP response see RFC3927 above.

Thanks for reading - good luck with your studies.
View Comments

Binary Math

You can add up, subtract and multiply by 2 right? If you can’t you are going to struggle with this. If you can’t do those things then look away now. Binary math is nothing to be afraid of and this brief introduction to the challenge of solving binary math problems should set you up for success.

So we’ll begin way back in primary school if thats OK. When we started to learn about numbers we were all taught this simple scale. From Right to Left we have U or Units, T or Tens, H or Hundreds and T or Thousands. This will look very familiar to you except maybe you called the first column on the far left Ones not Units - stick with me.
decimal scale

This number above is, as we all know 1234 or 1 x Thousand, 2 x Hundred, 3 x Ten and 4 x Unit. This number is a decimal number and is based on a series of ‘base 10’ - ‘Dec’ is Latin for 10...all good so far. Each of the columns is allocated a ‘base 10’ formula where we designate each a ‘power of’ (shown as a ‘^’ sign) number where the power of is the number of 0’s or the amount we need to multiply by the reach the next decimal boundary.

Lets take Units. To get a number between 0 and 9 we do not need any 10’s at all so these numbers are given a power of figure equal to 0 or 0 x 10.

Units are designated 10 ^ 0.

That about Tens. Well to get a number between 10 and 99 we have a number of Units multiplied by 10 e.g. 3.4 x 10 = 34, 9/9 x 10 = 99. We cannot multiply numbers to bigger than 99 because then we are in the Hundreds column right? Great news., well done for keeping up. so we’ve multiplied units by 10 once.

Tens are designated 10 ^ 1.

Hundreds hold exactly the same rules as Tens but the range of 10 to 99. Just as for Tens we can’t go higher than 9.9 because that would push us into the Thousands column. So we’ve multiplied by 10 twice e.g. 99 x 10 = 99 x 10 = 999.

Hundreds are designated 10 ^ 2

Finally, (but not of course in reality where numbers go on, and on, and on) we have the Thousands column where we have the Units multiplied by 10, then the Hundreds multiplied by 10 then the Hundreds multiplied by 10. Just like for each of Tens and Hundreds we cannot go beyond 9.9 Units or we would be in the Ten Thousands column (not shown).

Thousands are designated 10 ^ 3

Now hopefully you are seeing a pattern here:

10 ^ 0 ( 0 to 9 )
10 ^ 1 ( 10 to 99)
10 ^ 2 ( 100 to 999)
10 ^ 3 ( 1000 to 9999)

So lets now bring in binary. Binary where ‘Bi’ is Latin for two as in Bicycle (2 wheels) or Bi-plane (2 wings) is a base 2 numbering system. In binary you can only ever have a 0 or a 1.

For binary math numbers we follow the same pattern as decimal:

2 ^ 0 (0 or 1)
2 ^ 1 (00, 01, 10, 11)
2 ^ 2 (00, 01, 10, 11, 100, 101, 111)
2 ^ 3 (00, 01, 10, 11, 100, 101, 111, 1000, 1001, 1010, 1100, 1101, 1111)

OK so far hopefully. Lets take something easy. We want to show the number 0 in decimal....it’s 0 right. What about in binary notation? You guessed right it’s a 0. Same for 1...no issues right. What about 2? Well just like where in decimal where we couldn’t go higher than 9 units, in binary we can’t go higher than 1. So for 2, which is higher than 1 we need to (cue the Rocky Horror music) “It’s just a jump to the left” and pop a 1 into the Hundreds (pardon the poor analogy) column.

Here is 1 shown in Binary using the power of ‘^’ notation.

binary - one

Now lets add 1 to make two - we can’t add 1 to 1 in binary so we need to move the 1 along to the column to the right.

binary one + one

Now we have two in binary

binary two

Now we add one - hey we’ve got space for 1 in the most left column and because we can add 1 to zero we’ll put the 1 in there. So here is 2 + 1 = 3 in binary

binary 3

Right now I want to add one more to make decimal 4. Well the first column has a 1 in it so we can’t put it there and the second column has a 1 in it so we can’t put it there so we’ll have to put it in the third column. The 1 moves along to the left replacing the 1 with 0 as it travels.

binary shift

Finally here is decimal 4 as binary

binary 4

So now we’ve covered this lets take a quick recap and hopefully you’ll see a shortcut sequence. We all love a short cut right? So in case you missed it, here is the sequence again for 0, 2 and 4 with 8 thrown in just to make it easy.

binary 0000

binary 0010

binary 0100

binary 1000

Right, here is the point. The first number is decimal 0 and we have 0’s in each of the fields. This is 2 ^ 0. Decimal 2 is 10 in binary or 2 ^ 1. Decimal 4 is 100 or 2 ^ 2 and Decimal 4 is 1000 or 2 ^ 3. I need you to relax now as we do something seriously difficult. I need you guys to multiply a number....by itself!

In all seriousness here is the shortcut. The ‘power of’ number being either 0, 1, 2 or 3 in our case dictates the decimal value. Work with me a little. Lets take Decimal 2. This was binary 10 or 2 ^ 1. So what is 2 x 1? In math what is 2 x 1...it’s 2 right. So a 1 in that second column from the right which indicates ^1 means multiply 2 x 1.

OK lets take decimal 4. This was 2 ^ 2 or indeed 2 x 2 which is 4. What about 8? 2 ^ 3 or 2 x 2 x 2 = 8.

Take it further and jazz it up a little now. What about 16? Well 2 x 2 = 2 x 1 = 2 x 2 = 4 x 2 = 8 x 2 = 16. So how many times did we multiply by 2...5 times? Right so we put a 1 in the fifth column from the left? Yeah so 16 in decimal is 10000 in binary. Shortcuts...love ‘em or hate ‘em, in an exam you need ‘em.

So can we do some maths now?

Cisco have a great game online to help with this sort of binary math and you can find it at this address. I recommend it as a good fun way to consolidate your learning.

Cisco Binary Game

Finally, defaultroute.co.uk is supported by me in my spare time and believe me when I say it is a pleasure to do it. I would appreciate your support however by clicking ads where you see them or visiting the store (its amazon fulfilment so you can be assured it’s all good).

I’m also writing a binary math masterclass to cover ip addressing, sub-netting and bitwise operations which we did not cover today (I am bias but I think it’s a piece of quality and I am proud of it). I’ve also produced a video and best of all an actual online multiple choice exam paper (Flash based) to solidify binary maths for your exams. You will receive feedback to solve the question plus a immediate result. Each of these can be purchased separately or as a bundle.

Good luck with your studies and thank you for reading.

View Comments

1. “The proctor messed with my pod”

You are going to see this come up time and time again and I can assure you that it is not true, maybe. My personal experience is that it was true one time out of the three times I took the exam.

2. You are not allowed to leave the room during the exam.

This is not true, you may leave the room for the bathroom and to refresh yourself with drinks etc.

3. The proctors are aggressive and unhelpful.

I have found the proctors to be hugely helpful and very patient despite my provocation with stupid questions.

4. During lunch you are searched when you leave/enter the room.

I only ever heard of this once. The guy apparently tried to go outside during lunch break for a smoke...

5. The VOIP guys turn up their phones to distract you.

I can honestly say that the VOIP guys in my labs have always been extremely courteous and turned their phones down.

6. When you pass the exam a company will employ you for your # and you won’t even have to work

Actually this is a truth...nah just kidding. Cisco have strong rules about this sort of thing going on. ‘Rent-a-CCIE’ no longer operates.

7. You are not allowed to wear ear plugs in the exam.

Yes you are so long as they are not also connected to a short wave radio with your mate outside passing you football scores.

8. I failed because kit in my pod was broken.

Well all I can say on this one is that you are allowed time at the end of the exam if you have some fault with your pod so failing because you ran out of time is probably your fault for not finding the fault soon enough or sitting on your hands.

9. You run out of time because the proctor finished the exam early.

The exam is a fixed length of time. From the minute you start you will have a goal finish time and that's that.

10. You can't leave early even if you are finished.

It's not prison man, you can leave that exam whenever you want to. If you walked out because it wasn't working out for you then thats time you lost to study so far as I am concerned. If you left early because you finished just be sure you saved your configurations!
View Comments

1. Learn the DOC-CD.

No-one ever passed without touching the Cisco documentation resource. It used to come on a CD, then briefly I saw a few DVD's, but right now the Cisco documentation is only available on the web. Make it a part of your study regime and always make a point to learn new technology using the Cisco Support documentation. Go to cisco.com and use the support (Doc-CD) during your studies - it is the only reference you get in the lab and I used this a lot - I don’t know anyone who passed without knowing where to find configuration using the doc-cd.

2. Participate in online forums and study groups.

Places like ieoc.com and studygroup.com bring thousands of like-minded people together. These are usually busy places and can be intimidating if you are just starting your journey but you will find them friendly and rewarding. Commercial entities like cisco.com and ipexpert can also be valuable places to socialise. Challenge what you know and do not be afraid to ask stupid questions. Like my teachers used to say, the only stupid questions are the ones you don't ask.

3. Read before you 'do'.

One of the biggest challenges for engineers is not rushing the process and jumping in with both feet first. I always make if a point to read about a technology before I start to 'lab it up'. Think of it as ‘mental fasting’ try to force yourself not to lab up without understanding first. Putting into practice something which you have understood is more rewarding because you can push the boundary of what you know and try out new ideas. Make the lab the 'carrot' for your reading 'cart' and pull your study plan along.

4. Prepare yourself to study.

The worst thing you can do is study when you are tired, you won't learn anything. Did your parents never tell you the old saying. “Early to bed and early to rise makes a man healthy, wealthy and wise”. One of the most common mistakes I made were done when I was tired. Take time out to rest yourself or you will read and re-read and re-read. You may stay up for long hours trying to study but fatigue means you will end up learning nothing. The next day you beat yourself up and work harder the next night etc etc. Studying while tired is self-defeating and more importantly demoralising.

5. Drink me, eat me.

So the CCIE lab is not the same as ‘Alice in Wonderland’? Well getting to the exam in the morning does feel a little like the late rabbit. 'Drink Me' is all about hydration and is probably just as important as getting to the exam on time. If you don't believe me just do a search for studies done comparing people who do and don't drink water while they study. Didn't you ever ask why kids drink water in school? It’s not just because they are thirsty, proper hydration is essential for concentration.

So waht about 'Eat Me'? Well food is essential of course but I find it can also be a distraction to study. If you eat well before you start studying you may not be as tempted to get out of your seat to raid the fridge! Snacks are a great excuse to stop studying so instead give yourself comfort breaks at regular intervals. Set a goal or target, achieve the goal and take a break.

6. Get rid of distractions.

Now I'm not telling you to leave your partners here or palm off your kids to family and friends but you need ‘me’ time Have a look around your 'study place'. Are you nervous of interruptions while you sit there? If you expect things to happen like the phone to ring or someone to disturb you then you will not immerse yourself properly. Find a quiet place, move away all distractions. You really don’t need that ‘Newtons Cradle’!

7. Plan the work.

Have a diary of things to study. Look at the blueprint for your exam from cisco.com/go/ccie and segment the time you have between now and the day you are going to sit it. Be sure to each day as it comes and achieve your study goal for that day.

8. Make your goal achievable.

Be completely realistic about what you can achieve in your life. You know your strengths and weaknesses and how much time you'll need to work on each technology. Consider your life, which brings us to point 9.

9. Consider your time.

Consider your family and friends as well as your social life. Make sure to keep your mind healthy by not compromising everyone and everything in your challenge. Forgetting the world could lead you to get depressed and frustrate those around you. When you fly back with that PASS you want people around you to be there to celebrate with you so be careful not to push them away.

10. Work the plan.

Luckily you've got a lot of of 'knowns' in the plan. You’re studying for the CCIE and that means you get a blueprint. You know what you want to achieve and crucially (if you followed point 7) you know what you don't know (this is key, "know the unknowns"). Finally you know how long you've got before the exam so you can and should put some thought into your study diary. What can you achieve? Put your goals down on a piece of paper and stamp it to the wall, door etc. Focus on the goal, work through your plan, don’t be distracted and you will achieve!

11. This Top-10 goes to Eleven

I'll leave you with a piece of mumbo jumbo. My wife is a pretty spiritual soul and one day she came to me with an idea from the 'Ether'. I was told to take my goal and write it down on a piece of paper and stick it to the computer monitor. My goal took the form of a CCIE badge with a fake # on it and a pass date of my booked exam date. Looking back now it did definitely help me focus and as mumbo jumbo goes, it's not a bad idea to set a focus. I know this technique has worked for a lot of people and won't dismiss it. Each to their own.

I wish you all the very best of luck in your studies
View Comments
© 2011 defaultrouteuk.com

Cisco, IOS, CCNA, CCNP, CCIE are trademarks of Cisco Systems Inc.
JunOS, JNCIA, JNCIP, JNCIE are registered trademark of Juniper Networks Inc.