Configuring the Device as an IPv4 DNS Proxy/Relay
Context
DNS relay is similar to DNS proxy. The difference is that a DNS proxy first searches its domain name cache after receiving a DNS query message from a DNS client and forwards the query to the DNS server only on a cache miss, whereas a DNS relay forwards every DNS query message directly to the DNS server and therefore does not use the cache.
Procedure
- Run system-view
The system view is displayed.
- Run dns proxy enable or dns relay enable
DNS proxy or relay is enabled.
- Choose either of the following methods to configure domain name resolution.
Configure static domain name resolution.
Run ip host host-name ip-address
A static DNS entry is configured.
By default, no static DNS entry is configured.
You can manually configure the mappings between domain names and IP addresses by configuring static DNS entries. When a DNS client requests the IP address corresponding to a domain name, the device does not forward the request to the DNS server but searches the static domain name resolution table for the IP address and returns the IP address to the DNS client.
Configure dynamic domain name resolution.
Run dns resolve
Dynamic DNS resolution is enabled.
By default, dynamic DNS resolution is disabled.
After dynamic domain name resolution is enabled, the DNS proxy searches the dynamic domain name resolution table after receiving a DNS request packet and checks whether an entry for the requested domain name exists. If yes, the DNS proxy returns a DNS reply packet that carries the resolution result to the DNS client. If not, the DNS proxy forwards the DNS request packet to the DNS server.
(Optional) Run dns server source-ip ip-address
The source IP address that the device uses to exchange packets with the DNS server is configured.
By default, no source IP address is configured for the device.
Run dns server ip-address
The DNS server that the DNS proxy or relay connects to is configured.
By default, no IP address is configured for the DNS server.
(Optional) Run dns server vpn-instance vpn-instance-name
The device is configured to send DNS query requests to the DNS server on a specified VPN network.
By default, the device can only send DNS query requests to the DNS server on a public network.
If you run this command multiple times, only the latest configuration takes effect.
The device can send DNS query requests to the DNS server on a public network or specified VPN network.
The device can respond to DNS query requests sent by DNS clients on multiple VPN networks.
- (Optional) Configure the DNS resolution policy function.
To control access traffic, an administrator may require that users can access only certain websites, on which they can browse only text or pictures. For example, in Wi-Fi access scenarios such as on a metro or a bus, passengers can access only specified websites. If they attempt to access other websites, their requests are rejected or redirected to the specified websites. To meet these requirements, perform the following steps:
Run dns resolve policy { a | aaaa } enable
The DNS resolution policy function is enabled for class A or AAAA query requests.
By default, the DNS resolution policy function is disabled for class A or AAAA query requests.
Run dns resolve policy
The DNS resolution policy view is displayed.
Run rule rule-id [ if-match name hostname ] { deny | permit | spoofing { ipv4-address | ipv6-address } }
A DNS resolution rule is configured. deny rejects a matching query, permit lets it be resolved normally (static entry, dynamic cache, or forwarding to the DNS server), and spoofing answers a matching query with the specified IPv4 or IPv6 address instead of the real resolution result, which is how the redirection in the scenario above is implemented.
By default, no DNS resolution rule is configured.
Run quit
Exit from the DNS resolution policy view.
- (Optional) Configure the algorithm mode and retransmission mechanism for a device to send DNS query requests to the DNS server.
Run dns-server-select-algorithm { fixed [ dynamic-precedence ] | auto }
The mode for the device to select the DNS server is configured.
By default, the mode for a device to select the DNS server is auto.
Only V300R019C13 and later versions support the dynamic-precedence parameter.
Run dns forward retry-number number
The number of times for the device to retransmit query requests to the destination DNS server is configured.
By default, the number of times for a device to retransmit DNS query requests to the destination DNS server is 2.
Run dns forward retry-timeout time
The retransmission timeout period for DNS query requests sent by the device to the destination DNS server is configured.
By default, the retransmission timeout period for DNS query requests sent by a device to the destination DNS server is 3 seconds.
The total timeout period for DNS query requests, determined together by dns forward retry-number and dns forward retry-timeout, must not be too short. Generally, the default values are recommended. If the DNS server takes longer than the configured timeout to respond, so that queries are abandoned and services are affected, prolong the retransmission timeout period as required.
- (Optional) Run dns proxy sip-info insert-mode decompression-domain-name
The SIP server information is inserted into DNS response packets in domain name decompression mode when the device functions as a DNS proxy.
By default, the domain name decompression mode is not used.
This command applies only to the Branch Exchange Survivable Telephony (BEST) solution. In the BEST solution, the phone functions as the DNS client and the device functions as the DNS proxy. When the DNS client initiates an SRV query, the device inserts SIP server information to the DNS response packet.
- (Optional) Run dns proxy forward-any-response
The DNS proxy forwards all response packets returned by the DNS server, including those that report a resolution failure, to DNS clients.
By default, the DNS proxy forwards only the successfully resolved response packets returned by the DNS server to DNS clients.
This command is supported only in V300R019C10 and later versions.
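The following is a complete configuration that ties the steps above together for the captive-portal scenario described in the DNS resolution policy step. It is an added example, not taken from this page or from a Huawei configuration guide. The host names and addresses (intranet.example.com, www.example.com, portal.example.com, 192.0.2.x, 198.51.100.x, 2001:db8::1) are placeholders. Two points are assumptions rather than statements from the page: that rules are evaluated in ascending rule-id order, and that a rule without if-match name matches every query not already matched by an earlier rule.

```text
system-view
dns proxy enable
# Answer one internal name locally; it is never forwarded to the DNS server.
ip host intranet.example.com 192.0.2.10
dns resolve
# Source address used towards the DNS server (useful when the server's ACL
# permits only a specific device address); the server itself is next.
dns server source-ip 198.51.100.2
dns server 198.51.100.53
# Apply the resolution policy to both A and AAAA queries.
dns resolve policy a enable
dns resolve policy aaaa enable
dns resolve policy
# Allowed sites resolve normally; rule order by rule-id is assumed.
rule 1 if-match name www.example.com permit
rule 2 if-match name portal.example.com permit
# Everything else is redirected to the portal address (catch-all without
# if-match is assumed to match all remaining names).
rule 10 spoofing 192.0.2.1
rule 11 spoofing 2001:db8::1
quit
# Keep the default server selection and retransmission behaviour explicit.
dns-server-select-algorithm auto
dns forward retry-number 2
dns forward retry-timeout 3
```

To check the result from a client whose resolver points at the device, query a permitted name and a non-permitted name (for example with nslookup or dig) and confirm that the first returns the real address from 198.51.100.53 while the second returns 192.0.2.1 (or 2001:db8::1 for an AAAA query). The page does not state how the device pairs an IPv4 and an IPv6 spoofing address with A and AAAA queries, so this test is the way to confirm that both rule 10 and rule 11 behave as intended before deploying the policy.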