DNS Configuration on Clients and Routers

1. How DNS Configuration Fits the Network

Every device that needs to resolve hostnames — laptops, phones, servers, routers — must know which DNS server to ask. This configuration happens at two distinct levels that work together:

  • Clients (Windows PCs, Linux workstations, phones) — each device needs a DNS server address to send queries to. This is usually learned automatically via DHCP, but can be set manually.
  • Routers and Layer 3 switches — need DNS to resolve hostnames in their own CLI commands (ping, traceroute, SSH by name), and to serve as DNS relay agents or caching resolvers for the clients behind them.
  DNS Query Flow in a Typical Network:

  PC (Windows/Linux)
    │ 1. Needs to reach "mail.company.com"
    │ 2. Checks local hosts file first
    │ 3. Checks local DNS cache
    │ 4. Sends DNS query to configured DNS server
    ▼
  Router / Layer 3 Switch (DNS Relay or Caching Resolver)
    │ 5. Relays query upstream if configured
    ▼
  Upstream DNS Server (ISP / Corporate DNS / Public 8.8.8.8)
    │ 6. Resolves hostname → IP
    ▼
  Answer flows back to PC → PC connects to destination IP

Related pages: How DNS Works | DNS Record Types | DHCP Configuration | nslookup | dig | ping Command | traceroute Command | DHCP Server Configuration Lab

2. DNS Configuration on Windows Clients

Method 1 — GUI (Network Adapter Properties)

  1. Open Control Panel → Network and Sharing Center → Change adapter settings
  2. Right-click your active network adapter → Properties
  3. Select Internet Protocol Version 4 (TCP/IPv4) → click Properties
  4. Choose "Use the following DNS server addresses"
  5. Enter your preferred and alternate DNS servers and click OK
Example values:
Preferred DNS server: 8.8.8.8 (Google Public DNS)
Alternate DNS server: 1.1.1.1 (Cloudflare DNS)

For IPv6: follow the same steps but select Internet Protocol Version 6 (TCP/IPv6) and set preferred/alternate IPv6 DNS servers (e.g., 2001:4860:4860::8888 for Google IPv6 DNS).

Method 2 — Command Line (netsh)

! Set the primary (static) DNS server on the "Ethernet" adapter
netsh interface ip set dns "Ethernet" static 8.8.8.8

! Add a secondary DNS server (index=2 means second in the list)
netsh interface ip add dns "Ethernet" 1.1.1.1 index=2

! Add a tertiary DNS (index=3)
netsh interface ip add dns "Ethernet" 9.9.9.9 index=3

! Revert to DHCP-assigned DNS (remove static entry)
netsh interface ip set dns "Ethernet" dhcp

! Verify current DNS settings on an adapter
netsh interface ip show dns "Ethernet"
Finding your adapter name: Run netsh interface ip show interfaces or ipconfig /all to find the exact adapter name (it might be "Wi-Fi", "Local Area Connection", or "Ethernet 2" depending on your system).

Method 3 — PowerShell (Windows 8/10/11/Server)

! View all network adapters and their index numbers
Get-NetAdapter

! Set DNS servers on interface with index 5 (replace with your index)
Set-DnsClientServerAddress -InterfaceIndex 5 -ServerAddresses 8.8.8.8,1.1.1.1

! Revert to DHCP-assigned DNS
Set-DnsClientServerAddress -InterfaceIndex 5 -ResetServerAddresses

! View current DNS server addresses for all adapters
Get-DnsClientServerAddress

Viewing and Verifying DNS Configuration

! Show full IP configuration including DNS server addresses
ipconfig /all

! Look for these lines in the output:
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       1.1.1.1
   DNS Suffix Search List. . . . . . : company.local

! Show cached DNS entries on the local machine
ipconfig /displaydns

! Test DNS resolution
nslookup google.com          ! Simple A record query
nslookup google.com 8.8.8.8  ! Query a specific DNS server
ping google.com              ! Tests DNS resolution AND connectivity

3. DNS Configuration on Linux Clients

DNS configuration on Linux varies by distribution and whether the system uses the older /etc/resolv.conf approach or the modern systemd-resolved service. Most modern distributions (Ubuntu 18.04+, Fedora, Debian 10+) use systemd-resolved by default.

Method 1 — /etc/resolv.conf (Traditional)

! View current DNS configuration
cat /etc/resolv.conf

! Typical resolv.conf content:
nameserver 8.8.8.8         # Primary DNS server
nameserver 1.1.1.1         # Secondary DNS server
search company.local       # DNS search domain (appended to short hostnames)
options ndots:5            # Threshold for treating as absolute vs relative name

! Manually set DNS (WARNING: may be overwritten by NetworkManager or DHCP)
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
echo "nameserver 1.1.1.1" | sudo tee -a /etc/resolv.conf   ! -a appends

! Make resolv.conf immutable (prevent DHCP from overwriting)
sudo chattr +i /etc/resolv.conf
! Remove immutability flag when changes are needed:
sudo chattr -i /etc/resolv.conf
Warning: On systems using NetworkManager or systemd-resolved, /etc/resolv.conf is often a symlink to a managed file and manual edits are overwritten at next network restart. Use the appropriate tool for your system (see below).

Method 2 — nmcli (NetworkManager)

! List all network connections
nmcli connection show

! Set DNS servers on a specific connection (replace "eth0" with your connection name)
nmcli con mod eth0 ipv4.dns "8.8.8.8 1.1.1.1"

! Set DNS search domain
nmcli con mod eth0 ipv4.dns-search "company.local"

! Prevent DHCP from overriding the manual DNS setting
nmcli con mod eth0 ipv4.ignore-auto-dns yes

! Apply the changes
nmcli con up eth0

! Verify the connection DNS settings
nmcli con show eth0 | grep DNS

Method 3 — systemd-resolved (Modern Ubuntu/Debian/Fedora)

! View current DNS configuration including per-interface resolvers
resolvectl status

! Show what DNS server is being used for each interface
resolvectl dns

! Set DNS servers for a specific interface (enp3s0 = your interface name)
sudo resolvectl dns enp3s0 8.8.8.8 1.1.1.1

! Set DNS search domains
sudo resolvectl domain enp3s0 company.local

! Test DNS resolution through systemd-resolved
resolvectl query google.com

! Alternative flush and check:
sudo systemd-resolve --flush-caches
sudo systemd-resolve --statistics | grep "Cache hits"

Method 4 — /etc/systemd/resolved.conf (Persistent systemd-resolved)

! Edit the resolved.conf for persistent system-wide DNS settings
sudo nano /etc/systemd/resolved.conf

! Add or uncomment these lines:
[Resolve]
DNS=8.8.8.8 1.1.1.1
FallbackDNS=9.9.9.9
Domains=company.local
DNSSEC=yes
DNSOverTLS=yes

! Restart systemd-resolved to apply changes
sudo systemctl restart systemd-resolved

Flushing DNS Cache on Linux

! systemd-resolved (Ubuntu 18.04+, Debian 10+, Fedora)
sudo systemd-resolve --flush-caches

! Or with newer systemctl syntax:
sudo resolvectl flush-caches

! nscd (older distributions using nscd daemon)
sudo /etc/init.d/nscd restart

! dnsmasq (if used as local resolver)
sudo /etc/init.d/dnsmasq restart

! Verify cache was flushed
resolvectl statistics

4. The hosts File — Local DNS Override

The hosts file is checked by the OS before any DNS query is sent. An entry in the hosts file always wins over DNS for that hostname — regardless of what any DNS server says. This makes it useful for testing, local overrides, and blocking.

OS hosts File Location How to Edit
Windows C:\Windows\System32\drivers\etc\hosts Open Notepad as Administrator, then open the file
Linux / macOS /etc/hosts sudo nano /etc/hosts

hosts File Syntax and Examples

! Format: IP_address  hostname  [alias]

! Map a server to a custom hostname
192.168.1.100   myserver.local   myserver

! Block a website by redirecting to localhost
127.0.0.1       ads.example.com
127.0.0.1       tracker.analytics.com

! Override a DNS entry for testing (before DNS change propagates)
203.0.113.50    www.company.com

! IPv6 entries
::1             localhost
2001:db8::1     ipv6server.local

! Loopback entries (always present by default)
127.0.0.1       localhost
::1             localhost
Name resolution order: Most systems check hosts file first, then local DNS cache, then DNS server. On Windows, the order is controlled by HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\HostsPriority — by default, hosts file entries override DNS. On Linux, the order is defined in /etc/nsswitch.conf by the hosts: line — typically hosts: files dns (files = hosts file, then dns).

5. DNS Configuration on Cisco Routers (IOS)

Configuring DNS on a Cisco IOS router serves two distinct purposes: enabling the router itself to resolve hostnames (for CLI use), and relaying or serving DNS to clients on connected networks.

Enabling DNS Resolution on the Router (for CLI hostname resolution)

! ── Step 1: Enable DNS lookup (on by default, but confirm) ─────────────
Router(config)# ip domain-lookup
! Without this, hostname resolution is disabled.
! "no ip domain-lookup" is often added in labs to prevent lookup delays
! when mistyping commands — but it also disables legitimate DNS queries.

! ── Step 2: Configure the DNS server IP(s) to query ──────────────────
Router(config)# ip name-server 8.8.8.8
Router(config)# ip name-server 1.1.1.1        ! Multiple entries supported
Router(config)# ip name-server 9.9.9.9         ! Third resolver for redundancy

! ── Step 3: Set the default domain name (for short hostname completion) ─
Router(config)# ip domain-name company.local
! With this set, "ping mailserver" resolves to "mailserver.company.local"

! ── Step 4: Verify DNS works from the router CLI ──────────────────────
Router# ping google.com
! If this resolves to an IP and pings → DNS is working on the router
! See: ping Command

Router# show hosts
! Displays the router's DNS cache and manually configured host entries
Example scenario: Without ip domain-lookup and ip name-server, running ping router2.company.com on a Cisco router returns "% Unrecognized host or address, or protocol not running." With both configured, the router resolves the hostname and attempts the ping normally.

Manual Host Entries on Cisco Routers

! Add a static hostname-to-IP mapping on the router (like a hosts file entry)
Router(config)# ip host mailserver 192.168.1.10
Router(config)# ip host fileserver 192.168.1.20
Router(config)# ip host dc01 192.168.1.5 192.168.2.5  ! Multiple IPs for one host

! Verify static host entries
Router# show hosts
! Output shows both cached DNS entries and static ip host entries

Configuring the Router as a DNS Server (for LAN Clients)

! Enable the IOS DNS server so clients can query the router directly
Router(config)# ip dns server

! The router will:
! 1. Serve static ip host entries to clients
! 2. Forward unknown queries to the configured ip name-server addresses
! 3. Cache responses for the TTL duration

! Example: Client sets DNS to 192.168.1.1 (the router's LAN IP)
! Client queries router for "fileserver" → router has static ip host entry → answers
! Client queries router for "google.com" → router forwards to 8.8.8.8 → caches answer

! Verify DNS server is responding
Router# show ip dns name-list
Router# debug ip dns

DNS Configuration in DHCP Pools (Pushing DNS to Clients)

! The most common way to distribute DNS to LAN clients is via DHCP Option 6
! Configure the DNS server in each DHCP pool

Router(config)# ip dhcp pool LAN_POOL
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8 1.1.1.1     ! These become DHCP Option 6
Router(dhcp-config)# domain-name company.local       ! DHCP Option 15

! Per-VLAN custom DNS — give different VLANs different DNS servers
Router(config)# ip dhcp pool VLAN10_HR
Router(dhcp-config)# network 192.168.10.0 255.255.255.0
Router(dhcp-config)# dns-server 192.168.10.53        ! Internal corporate DNS for HR

Router(config)# ip dhcp pool VLAN30_GUEST
Router(dhcp-config)# network 192.168.30.0 255.255.255.0
Router(dhcp-config)# dns-server 8.8.8.8              ! Public DNS for guest VLAN

6. DNS Relay vs. DNS Proxy vs. DNS Server on Routers

Routers can handle DNS in three distinct ways. Understanding the difference is critical for enterprise design and CCNA exam questions.

Mode How It Works Cisco Command When to Use
DNS Forwarding / Relay Router receives DNS query from client, forwards it to an upstream DNS server, returns the response. Client's query reaches the upstream server. ip name-server <IP> on the router (no ip dns server needed) Simple setups where clients point their DNS to the router, which just forwards to ISP or corporate DNS
DNS Caching Proxy Router answers repeated queries from its cache — doesn't forward if already cached. Reduces upstream traffic and latency for frequently visited names. ip dns server — IOS caches responses automatically when acting as DNS server Branch offices to reduce WAN DNS traffic; home/SOHO networks
Authoritative DNS Server Router holds actual DNS zone records and authoritatively answers queries for those zones (e.g., all queries for *.company.local). ip dns server + ip host entries for static records Small/branch networks needing local name resolution without a dedicated DNS server

7. Split DNS — Internal vs. External Resolution

Split DNS (also called split-brain DNS) uses different DNS responses for internal and external clients querying the same hostname. For example, internal users querying mail.company.com get the private IP (10.x.x.x), while external users get the public IP. 

  Internal user queries mail.company.com:
  ┌─────────────────────────────────────────────┐
  │  Internal DNS Server                        │
  │  mail.company.com  →  10.10.10.25 (private) │
  │  (responds to internal clients only)        │
  └─────────────────────────────────────────────┘

  External user queries mail.company.com:
  ┌─────────────────────────────────────────────┐
  │  External/Public DNS Server                 │
  │  mail.company.com  →  203.0.113.50 (public) │
  │  (responds to internet queries)             │
  └─────────────────────────────────────────────┘

Implementing Split DNS on Cisco Router

! Route queries for "company.local" to the internal DNS server
! and all other queries to the public resolver

! On a client/router with ip dns server enabled:
! 1. Create static ip host entries for internal names (go to internal IPs)
Router(config)# ip host mail.company.com 10.10.10.25
Router(config)# ip host file.company.com 10.10.10.30

! 2. Forward all other queries to public DNS
Router(config)# ip name-server 8.8.8.8
Router(config)# ip dns server

! Result: Clients that use this router as their DNS server get
! private IPs for internal hosts and public IPs for everything else

8. DNS over HTTPS (DoH) and DNS over TLS (DoT)

Traditional DNS queries are sent in plain text over UDP port 53 — anyone monitoring network traffic (ISP, Wi-Fi operators, attackers) can see every hostname your devices look up. DoH and DoT encrypt these queries to protect privacy.

Protocol Transport Port How It Works Notes
Plain DNS UDP (or TCP) 53 Queries sent as plaintext — fully visible to network observers Default; no privacy protection
DNS over TLS (DoT) TCP + TLS 853 Wraps DNS in a TLS session. Network observer can see a TLS connection to port 853 but cannot read query content Easier to monitor/block at network level (distinct port)
DNS over HTTPS (DoH) HTTPS 443 DNS queries carried inside standard HTTPS traffic. Indistinguishable from normal web traffic to most network monitors Harder to block; used by browsers (Firefox, Chrome) by default

Enabling DoT/DoH on Clients

! ── Windows 11 (DoH built-in) ────────────────────────────────────────────
Settings → Network & Internet → your adapter → Edit DNS →
  Manual → Enter 8.8.8.8 → DNS over HTTPS: On (automatic)

! ── Linux (systemd-resolved with DoT) ───────────────────────────────────
! Edit /etc/systemd/resolved.conf:
[Resolve]
DNS=1.1.1.1
DNSOverTLS=yes          ! Enables DoT
DNSSEC=yes

sudo systemctl restart systemd-resolved

! ── Verify DoT is active ─────────────────────────────────────────────────
resolvectl status | grep "DNS over TLS"

Public DoH / DoT Servers

Provider DoT Server DoH URL IP
Cloudflare one.one.one.one https://cloudflare-dns.com/dns-query 1.1.1.1 / 1.0.0.1
Google dns.google https://dns.google/dns-query 8.8.8.8 / 8.8.4.4
Quad9 dns.quad9.net https://dns.quad9.net/dns-query 9.9.9.9 / 149.112.112.112

9. Complete Verification and Troubleshooting Commands

Windows Verification Commands

Command What It Shows When to Use
ipconfig /all Full IP configuration including DNS server addresses and DNS suffix Confirm which DNS servers the adapter is configured to use
ipconfig /displaydns Contents of the local DNS resolver cache Check if a hostname is cached (and at what TTL)
ipconfig /flushdns Clears the local DNS cache Force fresh DNS queries after a DNS change; resolve stale cached entries
nslookup google.com DNS query for google.com using default resolver Verify DNS resolution is working; check which server responds
nslookup google.com 8.8.8.8 DNS query using a specific server (8.8.8.8) Bypass local resolver to test a specific DNS server directly
ping google.com Tests DNS resolution AND network reachability Quick end-to-end test; failure could be DNS or connectivity
sc query dnscache Status of the Windows DNS Client service Check if DNS caching service is running
net start dnscache Starts the Windows DNS Client service If DNS cache service was stopped

Linux Verification Commands

Command What It Shows
cat /etc/resolv.conf Current DNS server configuration (nameserver lines)
resolvectl status Per-interface DNS config, DoT status, DNSSEC status (systemd)
dig google.com Full DNS query with server, TTL, flags — more detailed than nslookup
dig @8.8.8.8 google.com Query a specific DNS server directly
host google.com Simple hostname-to-IP lookup
cat /etc/nsswitch.conf | grep hosts Name resolution order — confirms if hosts file is checked before DNS

Cisco IOS Verification Commands

! Show configured DNS servers
Router# show running-config | include name-server
Router# show running-config | include domain

! Show the router's DNS cache and static host entries
Router# show hosts

! Test DNS resolution from the router
Router# ping google.com
! If this works → ip name-server and ip domain-lookup are correctly configured

! Test that the router can reach the DNS server
Router# ping 8.8.8.8

! Show DHCP pool DNS settings (what clients will receive)
Router# show ip dhcp pool
! Look for "DNS server" line in each pool

! Real-time DNS debugging (lab only)
Router# debug ip dns
Router# undebug all    ! Always stop debug after use

10. Troubleshooting DNS Issues — Systematic Approach

Symptom Likely Cause Diagnostic & Fix
Can ping IP (8.8.8.8) but not hostname (google.com) DNS resolution failing — server unreachable, wrong server configured, or DNS service not running ipconfig /all — check DNS server is set; nslookup google.com — does it resolve? Try alternate server: nslookup google.com 8.8.8.8
DNS worked, then stopped after a change Stale DNS cache serving old/wrong entry ipconfig /flushdns (Windows) or resolvectl flush-caches (Linux); then retry
Correct IP via public DNS but wrong IP via local DNS Internal DNS server has stale or incorrect record; split DNS misconfiguration Compare: nslookup domain.com vs nslookup domain.com 8.8.8.8 — different answers confirm split DNS or stale internal record issue
Hosts file entry not working Syntax error; wrong path; file is read-only; OS not checking hosts file first Verify format: IP then hostname separated by whitespace; check /etc/nsswitch.conf has files before dns
Cisco router: "% Unrecognized host" on ping hostname ip domain-lookup disabled, or ip name-server not configured Check: show run | include domain and show run | include name-server; add missing commands
Clients not getting DNS from DHCP DNS server not configured in DHCP pool (missing dns-server command) show ip dhcp pool — look for "DNS server" line; add dns-server 8.8.8.8 to the pool if missing
Intermittent DNS failures Primary DNS unreachable; falling back to slow/overloaded secondary; single point of failure Ensure two DNS servers configured — preferred + alternate (or backup); test each individually with nslookup domain.com <server>

11. Common Public DNS Servers — Reference

Provider Primary Secondary Key Features
Google Public DNS 8.8.8.8 8.8.4.4 Fast, reliable, no filtering; supports DoH and DoT; good global coverage
Cloudflare 1.1.1.1 1.0.0.1 Privacy-focused (no query logging after 24h); fastest public resolver; DoH/DoT
Quad9 9.9.9.9 149.112.112.112 Security-focused — blocks known malicious domains; DoH/DoT; non-profit
OpenDNS (Cisco) 208.67.222.222 208.67.220.220 Content filtering options; free and paid tiers; parental controls
Comodo Secure DNS 8.26.56.26 8.20.247.20 Malware and phishing blocking

12. DNS Configuration Summary — Client vs. Router

Aspect Windows Client Linux Client Cisco Router (IOS)
Set DNS server GUI (adapter IPv4 properties) or netsh interface ip set dns nmcli con mod or /etc/systemd/resolved.conf ip name-server <IP>
Enable DNS lookup On by default (cannot disable in GUI) On by default ip domain-lookup (enabled by default)
Set default domain DNS suffix via DHCP or manual adapter setting search domain in resolv.conf ip domain-name company.local
Local hostname override C:\Windows\System32\drivers\etc\hosts /etc/hosts ip host <name> <IP>
Flush DNS cache ipconfig /flushdns resolvectl flush-caches clear host * (clears cached hosts)
Serve DNS to clients Not applicable (client only) Can run dnsmasq or bind ip dns server + DHCP pool dns-server
Verify DNS config ipconfig /all, nslookup resolvectl status, dig, cat /etc/resolv.conf show hosts, show run | include name-server

13. Common Misconceptions

  • "If I can ping by IP, DNS doesn't matter."
    Almost every modern application — web browsers, email clients, SSH, RDP, cloud services — uses hostnames, not bare IPs. DNS failure makes those applications non-functional even when the network itself is healthy. DNS resolution is required for the overwhelming majority of real network activity.
  • "Flushing the DNS cache fixes everything."
    Flushing the local cache forces a fresh query — but if the DNS server itself has a stale or incorrect record, or if the DNS server is unreachable, flushing the local cache won't help. Always verify the DNS server is returning the correct answer with nslookup <host> <server-IP>.
  • "The hosts file is checked after DNS."
    On both Windows and Linux, the hosts file is checked before DNS by default. A hosts file entry always overrides DNS for that hostname. This is the expected behaviour used intentionally for testing and overrides — but it also means a stale hosts file entry can cause confusion even when DNS is correct.
  • "ip domain-lookup on a Cisco router is always safe to disable."
    In labs, no ip domain-lookup is often added to prevent Cisco IOS from trying to resolve mistyped commands as hostnames (causing a 30-second delay). However, in production this also disables legitimate DNS resolution from the router CLI — ping and traceroute to hostnames stop working. Use it only in labs.
  • "Using public DNS (8.8.8.8) instead of corporate DNS is always better."
    Corporate DNS servers typically resolve internal hostnames (servers, printers, file shares) that public DNS servers know nothing about. Pointing a corporate workstation to only 8.8.8.8 breaks resolution of all internal resources. Internal and external DNS should both be configured — usually the corporate DNS as primary (which forwards external queries upstream) and a public server as fallback.

14. Key Points & Exam Tips

  • DNS is learned via DHCP (Option 6) or manually configured — DHCP-assigned is the default for most clients.
  • Windows: set DNS via adapter IPv4 properties (GUI) or netsh interface ip set dns "adapter" static <IP> (CLI).
  • Linux: edit /etc/resolv.conf or use nmcli con mod <conn> ipv4.dns "<IP>" or /etc/systemd/resolved.conf.
  • Cisco IOS: ip name-server <IP> sets the DNS server; ip domain-lookup enables resolution; ip domain-name sets the default domain; ip dns server makes the router serve DNS to clients.
  • hosts file: checked before DNS — overrides DNS for any entry listed. Windows: C:\Windows\System32\drivers\etc\hosts; Linux: /etc/hosts.
  • Flush cache: Windows = ipconfig /flushdns; Linux = resolvectl flush-caches; Cisco = clear host *.
  • DoT (DNS over TLS) uses TCP port 853; DoH (DNS over HTTPS) uses port 443 — both encrypt DNS queries for privacy.
  • DHCP pool dns-server command sets DHCP Option 6 — the DNS server IP pushed to all clients obtaining addresses from that pool.
  • ip domain-lookup is on by default on Cisco IOS — disabling it is common in labs but prevents the router from resolving hostnames.
  • Symptom: can ping by IP, cannot ping by name → DNS resolution problem.

Related pages: How DNS Works | DNS Record Types | DHCP Configuration | nslookup | dig | ping Command | traceroute Command | DHCP Overview | show running-config | DHCP Server Configuration Lab

15. DNS Configuration Quiz

1. A network engineer configures a Cisco router with the following commands:
ip name-server 8.8.8.8
no ip domain-lookup
Then tries to run ping google.com. What happens, and why?

Correct answer is C. no ip domain-lookup disables DNS resolution on the router entirely — IOS will not attempt to resolve any hostname to an IP address. Even with ip name-server 8.8.8.8 correctly configured, the router won't use it because the lookup mechanism itself is disabled. The fix is to remove the no ip domain-lookup command: ip domain-lookup. This command is deliberately used in labs to prevent IOS from treating mistyped commands as hostnames (causing a 30-second timeout), but it must never appear in a production configuration where hostname resolution is needed.

2. A Windows user successfully pings 8.8.8.8 but cannot load any websites in a browser. Running ping google.com returns "Ping request could not find host google.com." What is the problem and the first diagnostic step?

Correct answer is D. The ability to ping 8.8.8.8 confirms network connectivity is working at the IP level. The inability to ping google.com by name while IPs work is the classic symptom of DNS failure — the host can reach the network but cannot resolve names. The first diagnostic step is ipconfig /all to check what DNS servers are configured. If the DNS servers are incorrect or unreachable, try querying a known-good server directly: nslookup google.com 8.8.8.8. If that succeeds, the locally configured DNS server is the problem.

3. A Cisco DHCP pool is configured as follows:
ip dhcp pool OFFICE
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
Clients get IP addresses but cannot resolve any DNS names. What is missing?

Correct answer is B. The DHCP pool is missing the dns-server command. Without it, DHCP does not include Option 6 (DNS server) in its Offer/Ack messages. Clients receive an IP address, subnet mask, and default gateway — but no DNS server address. Any application that tries to resolve a hostname finds no DNS server configured and fails. The fix is to add dns-server 8.8.8.8 1.1.1.1 inside the DHCP pool configuration. Verify on clients with ipconfig /all — "DNS Servers" should show the configured addresses.

4. A developer adds an entry to the Windows hosts file:
192.168.100.50 api.company.com
But the application still connects to the production server (203.0.113.10) instead of 192.168.100.50. What is the most likely reason?

Correct answer is A. Windows caches DNS responses in the DNS resolver cache. If api.company.com was previously resolved via DNS and cached (mapping to 203.0.113.10), the cached entry is used for subsequent queries until it expires — even after adding a hosts file override. The hosts file is only consulted when the cache doesn't have an entry. Running ipconfig /flushdns clears the cache, forcing the next resolution to check the hosts file first. After flushing, the hosts file entry (192.168.100.50) will be used. Verify the cache was using the old entry first with ipconfig /displaydns.

5. On a Linux system using systemd-resolved, an engineer wants to make DNS over TLS permanent (surviving reboots) system-wide. Which file and setting achieves this?

Correct answer is C. The persistent configuration for systemd-resolved lives in /etc/systemd/resolved.conf. Setting DNSOverTLS=yes in the [Resolve] section enables DNS over TLS for all DNS queries made through systemd-resolved. After editing the file, run sudo systemctl restart systemd-resolved to apply. Verify with resolvectl status | grep "DNS over TLS". The /etc/resolv.conf approach does not support DoT syntax. Changes via resolvectl are temporary (lost at reboot) without the conf file edit.

6. A corporate workstation is configured with only Google DNS (8.8.8.8) as its DNS server. Users can access the internet normally but cannot reach any internal servers (mail.corp.local, fileserver.corp.local, etc.). What is the cause?

Correct answer is B. Public DNS servers (8.8.8.8, 1.1.1.1, etc.) only know about publicly registered domain names. Internal hostnames in private namespaces (like .local, .corp, .internal, or even subdomains of public domains used internally) exist only in the organisation's internal DNS server. Google cannot resolve mail.corp.local because that record is not registered anywhere on the public internet. The correct configuration is to set the corporate internal DNS server as the primary DNS (it resolves internal names and forwards external queries to public resolvers), with 8.8.8.8 as secondary fallback only.

7. On a Cisco router, the command ip dns server is configured along with several ip host entries. A client with DNS set to the router's IP queries for "printer1.local". The router has ip host printer1.local 192.168.1.50. What happens, and what does the router do for an unknown name like "cloud.service.com"?

Correct answer is D. With ip dns server enabled, the Cisco router acts as a DNS server for clients. It first checks its local static entries (configured with ip host) — if a match is found, it answers authoritatively. For names not in the local table, it forwards the query to the upstream resolvers configured with ip name-server, caches the response, and returns it to the client. This hybrid behaviour (local static records + forwarding for unknown names) makes the router suitable as a basic DNS server for small branch networks without a dedicated DNS server.

8. Why do enterprise networks typically configure split DNS, and what is the security benefit?

Correct answer is A. Split DNS serves two purposes: (1) Efficiency — internal users querying mail.company.com get the private IP (e.g., 10.x.x.x) and connect directly over the LAN, rather than routing through the public internet to a NAT address and back in ("hairpinning"). (2) Security — internal server names (admin consoles, management interfaces, internal applications) are not published in public DNS, so external attackers cannot discover them through DNS enumeration. Only the internal DNS server knows about internal hostnames, and it only responds to queries from within the corporate network.

9. A network engineer runs nslookup webserver.company.com on a Windows machine and gets the correct IP. But ping webserver.company.com connects to a different IP. What is the most likely cause?

Correct answer is C. nslookup always queries the DNS server directly (bypassing the local cache and hosts file). Other tools like ping use the OS resolver, which checks the hosts file before DNS. If the hosts file has an entry for webserver.company.com pointing to a different IP, ping uses the hosts file entry while nslookup returns the DNS answer — causing them to show different results. This is a common source of confusion in troubleshooting. Check the hosts file and clear the DNS cache (ipconfig /flushdns) to resolve it.

10. An organisation's security team mandates that all DNS traffic must be encrypted to prevent ISP-level surveillance. Of DoT (DNS over TLS) and DoH (DNS over HTTPS), which is easier to enforce at a network firewall level and why?

Correct answer is B. DoT uses TCP port 853 — a dedicated, clearly identifiable port. A firewall can allow DoT connections only to specific trusted servers (e.g., the corporate DoT resolver) and block all other port 853 traffic. DoH, however, uses port 443 — the same port as all HTTPS web traffic. A firewall cannot distinguish between DoH DNS traffic and normal HTTPS browsing. Blocking DoH requires deep packet inspection or blocking specific DoH resolver IPs/domains — much more complex. From an enterprise visibility and control perspective, DoT is easier to manage. However, DoH is harder for ISPs and network middleboxes to intercept — which is why privacy advocates prefer it.

← Back to Home