Network Services (CCNA 200-301)

DNS Resolution Failing — Users Cannot Reach Websites by Name

Presenting Symptom

Users in the branch office cannot access websites by domain name (e.g., www.example.com), but can reach them by IP address.

Network Context

The branch office has a Cisco 4321 ISR router (IOS XE 16.9) connected to the corporate WAN via a serial link. Inside the branch there is a single VLAN; a DHCP server provides IP addresses and hands clients DNS server 10.0.0.2 (DHCP option 6). The DNS server is a Windows server located in the data center, reachable via the WAN. The router is configured with NAT for internet access.

Diagnostic Steps

1. Verify DNS resolution on a client

nslookup www.example.com
Server:  UnKnown
Address:  10.0.0.2

DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

The client sends its query to the configured server, 10.0.0.2, and gets nothing back: a timeout rather than an NXDOMAIN or a refused answer, so the record itself is not the problem, the server or the path to it is. ("Server: UnKnown" only means the reverse lookup of 10.0.0.2 failed as well, which is expected when the server is not answering.) This confirms the problem is DNS-related.

2. Check connectivity to the DNS server from the client

ping 10.0.0.2
Reply from 10.0.0.2: bytes=32 time=1ms TTL=128
Reply from 10.0.0.2: bytes=32 time=1ms TTL=128

The client can reach the DNS server via ICMP, so the Layer 3 path works in both directions (TTL 128 is consistent with a Windows host). A successful ping does not show that UDP port 53 gets through, so the remaining suspects are the DNS service itself or a firewall/ACL that treats DNS differently from ICMP.

3. Check DNS server configuration on the router

show running-config | include ip name-server
ip name-server 10.0.0.2

The router points at the right server. Note what this line governs: ip name-server affects only lookups the router itself originates (ping or telnet by name, for example). Branch clients take their DNS server from DHCP, so a missing or wrong entry here would break router-side resolution without touching the clients. It still matters, because it lets the router act as a second vantage point against the same server. Also confirm that ip domain lookup is enabled (it is by default; a "no ip domain lookup" line in the running configuration disables it), since without it the ping test in the next step fails for a reason unrelated to the server.

4. Test DNS resolution from the router

ping www.example.com
Translating "www.example.com"...domain server (10.0.0.2)
% Unrecognized host or address, or protocol not running.

The router fails too. The "Translating ..." line shows the lookup was attempted against 10.0.0.2 (if ip domain lookup were disabled, IOS would print the "% Unrecognized host" error without it), and the error after the query timeouts means no usable answer came back. Possible causes: the DNS service on 10.0.0.2 is down, an ACL or firewall blocking port 53, or (less likely, given the successful ping) a routing problem. A second vantage point failing the same way makes a client-side or DHCP problem unlikely.

5. Check whether DNS queries are being sent and responses received

debug ip udp
UDP: sent src=10.0.0.1(1025), dst=10.0.0.2(53), length=...
UDP: rcvd src=10.0.0.2(53), dst=10.0.0.1(1025), length=...

The two lines above are what a healthy exchange looks like: a query leaves from an ephemeral source port to UDP/53, and a reply from 10.0.0.2 comes back to that same port. In this scenario only the "sent" line appears and no "rcvd" line follows, so the query leaves the router and nothing returns. If no queries are seen at all, the router is not attempting DNS (recheck ip name-server and ip domain lookup). A host with no listener on UDP/53 normally answers with an ICMP port unreachable, so running debug ip icmp alongside this debug typically shows port-unreachable messages from 10.0.0.2, which already separates "service not running" from "packets dropped in transit". Use debugs sparingly: debug ip udp prints every UDP packet the router sends or receives, so on a busy production router it can flood the console; turn it off with undebug all when done.

6. Check ACLs on the router that might block DNS

show access-lists
Extended IP access list 100
    10 permit udp any any eq domain
    20 permit tcp any any eq domain
    30 deny ip any any

This ACL permits DNS over both UDP and TCP before its final deny, so it is not the cause here. When an ACL is applied to the WAN interface, make sure it permits UDP and TCP port 53 to the DNS server in the right direction (and the replies on the inbound side); a deny that matches DNS drops the queries silently, which in the debug output looks the same as a dead server. Use show ip interface on the WAN link to see which ACL, if any, is applied and in which direction. NAT is not a factor for this traffic: 10.0.0.2 is reached over the corporate WAN, not through the internet-facing translation.

7. Verify the DNS server is listening on port 53

telnet 10.0.0.2 53
Trying 10.0.0.2, 53 ...
% Connection refused by remote host

"Connection refused" means 10.0.0.2 answered the SYN with a TCP reset: the host is up and reachable, but nothing is bound to TCP port 53. A firewall or ACL drop would instead leave the attempt hanging until it timed out. Be clear about what this test proves: telnet checks TCP/53 only, while ordinary queries travel over UDP/53. Windows DNS Server listens on both, so a refusal on TCP/53 together with the unanswered UDP queries from step 5 points at a stopped or misconfigured DNS service rather than at the network.

Root Cause

The DNS server (10.0.0.2) is not running the DNS service. The server is reachable via ping, but it is not listening on UDP/TCP port 53. This prevents any DNS resolution for clients and the router.

Resolution

The DNS Server service on the Windows host has stopped, so start it and make sure it binds to 10.0.0.2:

1. Open Server Manager and go to Tools > DNS (DNS Manager).
2. Right-click the server node and choose All Tasks > Start. The same service, named "DNS Server", can also be started from the Services console.
3. Right-click the server node again, open Properties > Interfaces, and confirm the server listens on 10.0.0.2 (either "All IP addresses" or that address selected explicitly).
4. Re-run the nslookup from step 1 on a client.

No IOS commands are needed on the router; its configuration was correct throughout.

Verification

From the router, run ping www.example.com. Expected output:

ping www.example.com
Translating "www.example.com"...domain server (10.0.0.2) [OK]
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 93.184.216.34, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5)

The "[OK]" after the domain server line is the resolution succeeding; the echo replies only confirm that the resolved address is reachable. Repeat nslookup www.example.com on a branch client as well, since the clients query 10.0.0.2 directly and the router's success alone does not prove their path works.

Prevention

1. Monitor the DNS service itself, not just host reachability: ping kept succeeding here while DNS was down, so the check must make a real query (or watch the "DNS Server" service state) and alert on failure. Windows service recovery options can restart the service automatically if it stops.
2. Hand out two DNS servers (primary and secondary) in the DHCP configuration, and list both in the router's ip name-server line, which accepts several addresses.
3. Regularly test resolution from several points in the network (a branch client, the branch router, the data center) so a failure that affects only one path is caught.
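The probe below is an added example; it is not part of this page and not Cisco or Microsoft tooling. It does in one script what steps 5 and 7 do by hand, and it is the kind of check the monitoring in item 1 and the periodic tests in item 3 above would run: it sends a real DNS query over UDP/53 and a TCP connect to port 53, and tells apart three outcomes that "ping works but DNS does not" lumps together: the server answered, the host is up but nothing is listening on port 53 (this scenario), or the packets are being dropped somewhere (an ACL or firewall). 10.0.0.2 and www.example.com are the page's; the function names and the SAMPLE_REPLY bytes used to exercise the parser offline are this example's own constructed assumptions.

```python
# Added example (not from the page): a DNS probe for the "ping works, DNS doesn't" case.
# 10.0.0.2 and www.example.com come from the scenario; function names and SAMPLE_REPLY
# are this example's own constructed assumptions.
import random
import socket
import struct

DNS_SERVER = "10.0.0.2"          # the Windows DNS server in the scenario
QNAME = "www.example.com"
PORT = 53
TYPE_A, CLASS_IN = 1, 1


def build_query(name: str, txid: int, qtype: int = TYPE_A) -> bytes:
    """Encode one standard query (QR=0, RD=1) in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100: RD bit set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, CLASS_IN)


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length & 0xC0 == 0xC0:        # compression pointer: 2 bytes, ends the name
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_response(data: bytes, expected_txid: int) -> dict:
    """Check the header against the query we sent and collect any A records."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch: stray or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: a query, not a response")
    pos = 12
    for _ in range(qd):                  # skip the echoed question section
        pos = _skip_name(data, pos) + 4  # +4: QTYPE and QCLASS
    addresses = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == TYPE_A and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200), "addresses": addresses}


def probe_udp(server: str = DNS_SERVER, name: str = QNAME, timeout: float = 2.0) -> str:
    """One UDP query on a *connected* socket: the ICMP port-unreachable a host with no
    UDP/53 listener sends then surfaces as an exception (ConnectionRefusedError on Linux,
    ConnectionResetError on Windows). A silent drop in transit times out instead."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((server, PORT))
        s.send(build_query(name, txid))
        try:
            reply = s.recv(512)
        except (ConnectionRefusedError, ConnectionResetError):
            return "no-listener"         # host up, nothing bound to UDP/53 (this scenario)
        except socket.timeout:
            return "timeout"             # dropped/filtered on the path, or server hung
    try:
        parsed = parse_response(reply, txid)
    except ValueError:
        return "bad-response"
    return "answered" if parsed["addresses"] else f"answered-rcode-{parsed['rcode']}"


def probe_tcp(server: str = DNS_SERVER, timeout: float = 2.0) -> str:
    """What 'telnet 10.0.0.2 53' shows: a RST (refused) means no TCP/53 listener."""
    try:
        with socket.create_connection((server, PORT), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"             # e.g. no route to host


# Constructed reply (not captured from any server): txid 0x1234, flags 0x8180 (QR, RD, RA),
# one question, one answer: www.example.com A 93.184.216.34, TTL 3600, name compressed.
SAMPLE_REPLY = bytes.fromhex(
    "123481800001000100000000"                  # header
    "0377777707" "6578616d706c65" "03636f6d00"  # question name www.example.com
    "00010001"                                  # QTYPE A, QCLASS IN
    "c00c" "0001" "0001" "00000e10" "0004" "5db8d822"
)

if __name__ == "__main__":
    print("parser check:", parse_response(SAMPLE_REPLY, 0x1234))
    print("UDP/53 to", DNS_SERVER, "->", probe_udp())
    print("TCP/53 to", DNS_SERVER, "->", probe_tcp())
```

Run it from a branch client and from the data center: in this scenario both report "no-listener" for UDP and "refused" for TCP, which is the stopped service; a "timeout" from the branch but "answered" from the data center would instead point at the WAN ACL or firewall. The transaction ID check matters when the probe runs unattended, since a stray or spoofed datagram on the same port must not be counted as a healthy answer.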

CCNA Exam Relevance

On the CCNA 200-301 exam, DNS troubleshooting appears in multiple-choice and drag-and-drop questions that test whether you can spot a resolution failure from show and debug output. Key facts: ordinary DNS queries use UDP port 53; TCP port 53 carries zone transfers and any query whose answer is too large for a UDP datagram (the server sets the TC bit and the client retries over TCP). A candidate must know how to verify the router's DNS configuration (ip name-server, ip domain lookup) and connectivity to the server.

Exam Tips

1. DNS uses UDP port 53 for ordinary queries and TCP port 53 for zone transfers and large answers; ACLs in the path must permit both to the DNS server.

2. Use 'ping' with a domain name to test resolution from the router; if it fails, check the 'ip name-server' configuration and make sure 'ip domain lookup' has not been disabled (a "Translating ..." line in the ping output shows the lookup was at least attempted).

3. 'debug ip udp' shows whether DNS queries leave the router and whether replies come back; it prints every UDP packet, so disable it with 'undebug all' once you have what you need.

Commands Used in This Scenario

nslookup www.example.com (client)
ping 10.0.0.2 (client)
show running-config | include ip name-server
ping www.example.com
debug ip udp
show access-lists
telnet 10.0.0.2 53
