DNS-AS setup includes configuration steps on the local DNS server(s) and routers within the enterprise network.

Local DNS servers are configured with the classification information for specific “trusted domain” sites/applications. This enables a network administrator to control how a network handles traffic for these local, server-based applications – for example, those used in an enterprise intranet.

Routers are configured to detect DNS traffic for the “trusted domains” (sites/applications) controlled by DNS-AS.

Propagating Classification Information

When configuration is complete, the DNS servers can provide classification information for the “trusted domain” applications.

When a client in the network makes a DNS request, the DNS response is sent as usual. If the request relates to a “trusted domain” application, the router then queries the local DNS server about the application. The DNS server sends the router the network address data and the relevant classification information.

DNS-AS Router Setup

On Cisco routers operating in the network, activate the DNS-AS feature and configure the DNS-AS server(s) to use, as well as the “trusted domains,” as follows:

  1. Activate DNS-AS on Routers in the Network
  2. Specify the DNS-AS Server(s) to Use
  3. Configure Trusted Domains on Routers in the Network

Step 1: Activate DNS-AS on Routers in the Network
On the routers in the network, activate DNS-AS.

avc dns-as client enable

Step 2: Specify the DNS-AS Server(s) to Use
Specify the DNS-AS server(s) to query with TXT requests for classification metadata. The command takes the VRF name and the server address; angle brackets mark placeholders to fill in:

ip name-server vrf <vrf-name> <server-address>

Step 3: Configure Trusted Domains on Routers in the Network

On the routers in the network, configure “trusted domains.” The DNS-AS feature affects only the applications whose domains are configured as trusted domains.
When a router detects DNS traffic for a trusted domain, it requests and receives application classification metadata from the local DNS-AS server using a DNS TXT request/response.
Configure trusted domains by providing textual regular expressions that will match domain names found in DNS requests sent by clients in the network. For the example above, StaffOnly.XYZ.com, the regular expression might be:

DNS-AS client config example:

! <server-address> is a placeholder: fill in the address of the local DNS-AS server
ip name-server vrf internet <server-address>
ip domain round-robin
avc dns-as client enable
avc dns-as client trusted-domains
  domain *.f1-online.net
  domain *.toocoolforyou.net
  domain *.dns-as.org
  domain *.internal.cisco.com
  domain ^.*cisco.*$
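As an added illustration (not Cisco's code and not part of the original page), the Python below models the router-side flow described above: match the queried name against the trusted-domain entries from the config example, and only then fetch and parse the classification metadata from a TXT answer. Two assumptions: entries beginning with "*." are treated as wildcard suffix matches (the page calls them regular expressions but does not say how the leading "*" is interpreted), and the TXT record layout `CISCO-CLS=key:value|...` is assumed, since the page does not show the record.

```python
import re

# Trusted-domain entries copied from the config example above.  Assumption: an
# entry starting with "*." is a wildcard suffix match; anything else is a regex.
TRUSTED_DOMAINS = ["*.f1-online.net", "*.toocoolforyou.net", "*.dns-as.org",
                   "*.internal.cisco.com", "^.*cisco.*$"]

def compile_trusted(pattern):
    """Turn one 'domain' entry into a case-insensitive compiled regex."""
    if pattern.startswith("*."):
        return re.compile(rf"^(?:[^.]+\.)+{re.escape(pattern[2:])}$", re.IGNORECASE)
    return re.compile(pattern, re.IGNORECASE)

def matching_pattern(qname):
    """First trusted-domain entry that matches the queried name, or None."""
    name = qname.rstrip(".")          # tolerate a fully-qualified trailing dot
    for raw in TRUSTED_DOMAINS:
        if compile_trusted(raw).search(name):
            return raw
    return None

# Constructed TXT answers standing in for the local DNS-AS server.  The
# CISCO-CLS key:value layout is an assumption; the page does not show the record.
TXT_RECORDS = {
    "app1.f1-online.net": "CISCO-CLS=app-name:f1-online|app-class:TD|business:YES|app-id:CU/28/101",
    "portal.internal.cisco.com": "CISCO-CLS=app-name:staff-portal|app-class:TD|business:YES|app-id:CU/28/102",
}

def parse_txt(txt):
    """Parse 'CISCO-CLS=k:v|k:v|...' into a dict; reject any other TXT content."""
    if not txt.startswith("CISCO-CLS="):
        raise ValueError("not a DNS-AS classification record")
    fields = {}
    for kv in txt[len("CISCO-CLS="):].split("|"):
        key, sep, value = kv.partition(":")
        if not (sep and key and value):
            raise ValueError(f"malformed field {kv!r}")
        fields[key] = value
    return fields

def classify(qname):
    """Router-side flow: trusted-domain match first, then TXT lookup and parse."""
    pattern = matching_pattern(qname)
    if pattern is None:
        return None                     # not a trusted domain: DNS-AS leaves it alone
    txt = TXT_RECORDS.get(qname.rstrip("."))
    if txt is None:
        return {"trusted-by": pattern}  # trusted, but the server returned no metadata
    return {"trusted-by": pattern, **parse_txt(txt)}
```

Note the last entry of the config, `^.*cisco.*$`: it matches any queried name containing "cisco" anywhere (the `ciscofan.example.org` case below), so loose patterns pull unrelated names into DNS-AS handling. Suffix-anchored entries like the `*.` ones keep the trusted set to the domains the administrator actually controls.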