07-Layer 3—IP Services Command References

H3C MSR610[810][830][1000S][2600][3600] Routers Command References(V7)-R6749-6W100

DNS commands

description

Use description to configure a description for a DNS server group.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a DNS server group.

Views

DNS server group view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-insensitive string of 1 to 255 characters.

Examples

# Configure the description as office for DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-dns-server-group-1] description office

Related commands

dns server-group

display dns domain

Use display dns domain to display the domain name suffixes.

Syntax

display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays the domain name suffixes dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained domain name suffixes.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays domain name suffixes for the public network.

Examples

# Display the statically configured and dynamically obtained domain name suffixes for the public network.

<Sysname> display dns domain

Type:

  D: Dynamic    S: Static

 

No.    Type   Domain suffix

1      S      com

2      D      net

Table 1 Command output

Field: Description

No.: Sequence number.

Type: Domain name suffix type:

·     S—A statically configured domain name suffix.

·     D—A domain name suffix dynamically obtained through DHCP or other protocols.

Domain suffix: Domain name suffixes.

 

Related commands

dns domain

display dns host

Use display dns host to display information about domain name-to-IP address mappings.

Syntax

display dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address.

ipv6: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays domain name-to-IP address mappings for the public network.

Usage guidelines

If you do not specify the ip or ipv6 keyword, this command displays domain name-to-IP address mappings of all query types.

Examples

# Display domain name-to-IP address mappings of all query types.

<Sysname> display dns host

Type:

  D: Dynamic    S: Static

 

Total number: 3

No.  Host name           Interface    Type  TTL      QType  IP addresses

1    sample.com                       D     3132     A      192.168.10.1

                                                            192.168.10.2

                                                            192.168.10.3

2    zig.sample.com                   S     -        A      192.168.1.1

3    sample.net                       S     -        AAAA   FE80::4904:4448

Table 2 Command output

Field: Description

No.: Sequence number.

Host name: Domain name.

Interface: Name of the output interface. If you do not specify an output interface by using the direct interface command, this field displays a hyphen (-). For more information about the direct interface command, see RIR commands in Layer 3—IP Services Command Reference.

Type: Domain name-to-IP address mapping type:

·     S—A static mapping configured by the ip host or ipv6 host command.

·     D—A mapping dynamically obtained through dynamic domain name resolution.

TTL: Time in seconds that a mapping can be stored in the cache. For a static mapping, a hyphen (-) is displayed.

Query type: Query type: A and AAAA.

IP addresses: Replied IP address:

·     For a type A query, the replied IP address is an IPv4 address.

·     For a type AAAA query, the replied IP address is an IPv6 address.

 

 

Related commands

ip host

ipv6 host

reset dns host

display dns server

Use display dns server to display IPv4 DNS server information.

Syntax

display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv4 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays statically configured and dynamically obtained IPv4 DNS server information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays IPv4 DNS server information for the public network.

Examples

# Display IPv4 DNS server information for the public network.

<Sysname> display dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IP address

1   S     202.114.0.124

2   S     169.254.65.125

Table 3 Command output

Field: Description

No.: Sequence number.

Type: DNS server type:

·     S—A manually configured DNS server.

·     D—DNS server information dynamically obtained through DHCP or other protocols.

IP address: IPv4 address of the DNS server.

 

Related commands

dns server

display dns server health status

Use display dns server health status to display health status of DNS servers.

Syntax

display dns server health status

Views

Any view

Predefined user roles

network-admin

network-operator

Examples

# Display health status of DNS servers.

<Sysname> display dns server health status

No. DNS server           OutInterface     VPN name                        Status

1   1.1.1.1              -                vpn1                            Up

2   2::1                 -                                                Up

3   FE80::1              -                vpn1                            Up

Table 4 Command output

Field: Description

No.: Sequence number.

DNS server: Address of the DNS server.

OutInterface: Output interface of the DNS server. This field is displayed only when the DNS server address is an IPv6 link-local address.

VPN name: VPN instance name. If this field is empty, the domain name rule is on the public network.

Status: Result of the health check:

·     Up—The DNS server is available.

·     Down—The DNS server is unavailable.

 

Related commands

health-check enable

display ipv6 dns server

Use display ipv6 dns server to display IPv6 DNS server information.

Syntax

display ipv6 dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv6 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained IPv6 DNS server information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays IPv6 DNS server information for the public network.

Examples

# Display IPv6 DNS server information for the public network.

<Sysname> display ipv6 dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IPv6 address                             Outgoing Interface

1   S     2::2

Table 5 Command output

Field: Description

No.: Sequence number.

Type: DNS server type:

·     S—A manually configured DNS server.

·     D—DNS server information dynamically obtained through DHCP or other protocols.

IPv6 address: IPv6 address of the DNS server.

Outgoing Interface: Output interface.

 

Related commands

ipv6 dns server

dns cache ttl

Use dns cache ttl to set the TTL value for DNS entries.

Use undo dns cache ttl to cancel the TTL configuration for DNS entries.

Syntax

dns cache ttl { maximum max-value | minimum min-value } *

undo dns cache ttl [ maximum | minimum ]

Default

The TTL value for DNS entries is the TTL value in the DNS reply.

Views

System view

Predefined user roles

network-admin

Parameters

maximum max-value: Specifies the maximum TTL value for DNS entries, in the range of 60 to 3600 seconds.

minimum min-value: Specifies the minimum TTL value for DNS entries, in the range of 60 to 3600 seconds. The value for the min-value argument must be smaller than that for the max-value argument.

Usage guidelines

The device periodically sends a DNS request to the DNS server according to the TTL for DNS entries, which consumes CPU resources. If the TTL value is too small, the device sends DNS requests frequently to the DNS server, which consumes more CPU resources. If the TTL value is too large, DNS mappings cannot be updated in time. To avoid such issues, you can use this command to set the TTL value for DNS entries.

By default, the DNS client obtains the TTL for the following DNS entries from the DNS reply:

·     DNS entries generated from DNS transparent proxy.

·     DNS entries generated from DNS snooping.

·     Dynamic domain name resolution cache generated from the DNS server/DNS server group.

After you set the TTL value for DNS entries, the device specifies the TTL for DNS entries as follows:

·     If the TTL value in the DNS reply is smaller than the minimum TTL value, the device uses the minimum TTL value as the TTL for DNS entries. If the TTL value is greater than or equal to the minimum TTL value, the device uses the TTL value in the DNS reply as the TTL for DNS entries.

·     If the TTL value in the DNS reply is greater than the maximum TTL value, the device uses the maximum TTL value as the TTL for DNS entries. If the TTL value is smaller than or equal to the maximum TTL value, the device uses the TTL value in the DNS reply as the TTL for DNS entries.

After you execute this command, the configuration only takes effect on the subsequent DNS entries generated from DNS transparent proxy, DNS snooping, and DNS server/DNS server group.

After you execute the undo dns cache ttl command, the current TTL for the existing DNS entries still works.

If you do not specify any keywords when you execute the undo dns cache ttl command, this command cancels all TTL configuration for DNS entries.

If you execute the dns cache ttl minimum, dns cache ttl maximum, or dns cache ttl minimum maximum command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum TTL value for DNS entries to 3600 seconds and the minimum TTL value for DNS entries to 180 seconds.

<Sysname> system-view

[Sysname] dns cache ttl maximum 3600 minimum 180

Related commands

dns server

dns server-group

dns snooping enable

dns transparent-proxy enable

dns domain

Use dns domain to configure a domain name suffix.

Use undo dns domain to delete the specified domain name suffix.

Syntax

dns domain domain-name [ vpn-instance vpn-instance-name ]

undo dns domain domain-name [ vpn-instance vpn-instance-name ]

Default

No domain name suffix is configured. Only the provided domain name is resolved.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a domain name suffix. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.), for example, example.com. The domain name suffix can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To configure a domain name suffix for the public network, do not specify this option.

Usage guidelines

For domain name resolution, the resolver automatically uses the suffix list to supply the missing part of an incomplete name entered by a user.

A domain name suffix applies to both IPv4 DNS and IPv6 DNS.

The system allows a maximum of 16 domain name suffixes for the public network or each VPN instance. You can specify domain name suffixes for both public network and VPN instances.

Examples

# Configure domain name suffix com for the public network.

<Sysname> system-view

[Sysname] dns domain com

Related commands

display dns domain

dns domain-rule

Use dns domain-rule to configure a domain name rule.

Use undo dns domain-rule to delete a domain name rule.

Syntax

dns domain-rule rule-id { domain-name domain-name | subdomain-name subdomain-name } [ vpn-instance vpn-instance-name ] server-group group-id

undo dns domain-rule rule-id [ domain-name domain-name | subdomain-name subdomain-name ]

Default

No domain name rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-id: Specifies the ID of a domain name rule, in the range of 1 to 16.

domain-name domain-name: Specifies a domain name. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.), for example, www.example.com. The domain name can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

subdomain-name subdomain-name: Specifies a subdomain name. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), underscores (_), dots (.), and asterisks (*). The domain name suffix can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the DNS client that sends DNS queries belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If the DNS client belongs to the public network, do not specify this option.

server-group group-id: Specifies the ID of a DNS server group, in the range of 1 to 16. The DNS server group must already exist.

Usage guidelines

A domain name rule successfully matches a DNS query only if the domain name in the query is exactly the same as a domain name or subdomain name in the rule. When you specify a subdomain name in a rule, do not include an asterisk (*).

A domain name rule is uniquely identified by its ID and VPN instance. For one rule, you can repeat this command to bind a maximum of eight domain names and subdomain names to the same DNS server group.

To delete a domain name or subdomain name, execute the undo dns domain-rule command and specify the domain-name domain-name or subdomain-name subdomain-name option. To delete a rule, do not specify any domain name.

A domain name rule can be bound to only one DNS server group.

A user query can match only domain name rules that are in the same VPN instance or on the public network as the user.

A domain name rule and its bound DNS server group can be in different VPN instances, or one can be in a VPN instance and the other on the public network.

Examples

# Create domain name rule 1 and bind subdomain name example.com and domain name www.example.com to DNS server group 1.

<Sysname> system-view

[Sysname] dns domain-rule 1 subdomain-name example.com server-group 1

[Sysname] dns domain-rule 1 domain-name www.example.com server-group 1

Related commands

dns server-group

dns dscp

Use dns dscp to set the DSCP value for DNS packets sent by a DNS client or DNS proxy.

Use undo dns dscp to restore the default.

Syntax

dns dscp dscp-value

undo dns dscp

Default

The DSCP value is 0 in DNS packets sent by a DNS client or DNS proxy.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing DNS packets.

<Sysname> system-view

[Sysname] dns dscp 30

dns fast-reply enable

Use dns fast-reply enable to enable DNS fast-reply.

Use undo dns fast-reply enable to disable DNS fast-reply.

Syntax

dns fast-reply enable

undo dns fast-reply enable

Default

DNS fast-reply is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

As DNS fast-reply can process a large number of DNS requests per second, use this feature in scenarios that require high DNS packet processing performance.

With this feature enabled, the device monitors the received DNS requests (only UDP packets are supported in the current software version). Then, it resolves the domain names in the requests, and looks up the local static domain name resolution table, DNS cache, and dynamic domain name resolution cache for a match.

·     If a match is found, the device sends a DNS reply to the DNS client.

·     If no match is found, the device forwards the query to the DNS server.

This command enables both IPv4 DNS fast-reply and IPv6 DNS fast-reply.

The dns fast-reply enable and dns transparent-proxy enable commands are mutually exclusive. After one command is executed, the other command cannot be executed.

Examples

# Enable DNS fast-reply.

<Sysname> system-view

[Sysname] dns fast-reply enable

Related commands

dns transparent-proxy enable

dns filter

Use dns filter to enable DNS filtering and add a host name to the denylist or allowlist.

Use undo dns filter to disable DNS filtering and delete a host name from the denylist or allowlist.

Syntax

dns filter { allowlist | denylist } hostname

undo dns filter { allowlist | denylist } hostname

The following compatibility matrixes show the support of hardware platforms for this command:

 

Hardware: Command compatibility

MSR610: Yes

MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI: Yes

MSR810-LMS, MSR810-LUS: No

MSR810-SI, MSR810-LM-SI: No

MSR810-LMS-EA, MSR810-LME: Yes

MSR1004S-5G, MSR1004S-5G-CN: Yes

MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN: Yes

MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T: Yes

MSR2600-10-X1: Yes

MSR 2630: Yes

MSR3600-28, MSR3600-51: Yes

MSR3600-28-SI, MSR3600-51-SI: No

MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP: Yes

MSR3600-28-G-DP, MSR3600-51-G-DP: Yes

MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG: Yes

MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1: Yes

MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660: Yes

MSR3610-G, MSR3620-G: Yes

MSR3640-G: Yes

MSR3640-X1-HI: Yes

Hardware: Command compatibility

MSR810-W-WiNet, MSR810-LM-WiNet: Yes

MSR830-4LM-WiNet: Yes

MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet: Yes

MSR830-6BHI-WiNet, MSR830-10BHI-WiNet: Yes

MSR2600-6-WiNet: Yes

MSR2600-10-X1-WiNet: Yes

MSR2630-WiNet: Yes

MSR3600-28-WiNet: Yes

MSR3610-X1-WiNet: Yes

MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet: Yes

Hardware: Command compatibility

MSR860-6EI-XS: Yes

MSR860-6HI-XS: Yes

MSR2630-XS: Yes

MSR3600-28-XS: Yes

MSR3610-XS: Yes

MSR3620-XS: Yes

MSR3610-I-XS: Yes

MSR3610-IE-XS: Yes

MSR3620-X1-XS: Yes

MSR3640-XS: Yes

MSR3660-XS: Yes

Hardware: Command compatibility

MSR810-LM-GL: Yes

MSR810-W-LM-GL: Yes

MSR830-6EI-GL: Yes

MSR830-10EI-GL: Yes

MSR830-6HI-GL: Yes

MSR830-10HI-GL: Yes

MSR1004S-5G-GL: Yes

MSR2600-6-X1-GL: Yes

MSR3600-28-SI-GL: No

 

Default

DNS filtering is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

allowlist: Adds a host name to the allowlist.

denylist: Adds a host name to the denylist.

hostname: Specifies a host name, a case-insensitive string of 1 to 253 characters. The string can contain letters, digits, hyphens (-), underscores (_), and dots (.). This argument supports fuzzy match by adding a wildcard (*) to the host name. For example, to match a host name including abc, specify the hostname argument as *abc*, *abc, or abc*. To exactly match a host name, do not add the wildcard (*).

Usage guidelines

The DNS proxy uses DNS filtering to filter DNS requests as follows:

·     If the allowlist has a matching host name or the denylist does not have any matching host name with the domain name in the received DNS request, the DNS proxy forwards the request. Upon receiving a DNS reply, the DNS proxy records the DNS mapping and forwards the reply to the DNS client.

·     If the denylist has a matching host name or the allowlist does not have any matching host name with the domain name in the received DNS request, the DNS proxy discards the DNS request.

To implement a strict access control, use an allowlist to filter DNS requests. To implement a loose access control, use a denylist to filter DNS requests.

To add multiple host names to the allowlist or denylist, repeat this command. However, a host name cannot be added to both the denylist and allowlist.
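The filtering decision described above, modelled in Python as an added example (not H3C code). It assumes shell-style glob semantics for the wildcard (*abc matches a suffix, abc* a prefix, *abc* a substring) and evaluates only configurations that use one list type, because the page does not state a precedence when both lists are populated; the function names and the sample commands are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Length and character set the page gives for the hostname argument,
# plus the wildcard (*) it allows for fuzzy matching.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9_.*-]{1,253}")

# Constructed sample input: the last two lines break rules stated on the page.
SAMPLE_CONFIG = [
    "[Sysname] dns filter allowlist *.abc",
    "[Sysname] dns filter allowlist portal.example.com",
    "[Sysname] dns filter denylist *.abc",
    "[Sysname] dns filter allowlist bad/name",
]


def parse_filter_commands(lines):
    """Collect `dns filter { allowlist | denylist } hostname` commands.

    Returns (lists, problems): the accepted patterns per list, and one
    message for every line that breaks a rule stated on the page.
    """
    lists = {"allowlist": [], "denylist": []}
    problems = []
    for raw in lines:
        parts = raw.split()
        if parts and parts[0].startswith("["):  # drop a "[Sysname]" prompt
            parts = parts[1:]
        if parts[:2] != ["dns", "filter"]:
            continue  # some other command
        if len(parts) != 4 or parts[2] not in lists:
            problems.append(f"malformed command: {raw.strip()}")
            continue
        kind, pattern = parts[2], parts[3].lower()  # hostname is case-insensitive
        other = "denylist" if kind == "allowlist" else "allowlist"
        if not HOSTNAME_RE.fullmatch(pattern):
            problems.append(f"invalid hostname: {pattern}")
        elif pattern in lists[other]:
            # A host name cannot be added to both lists.
            problems.append(f"{pattern} is already in the {other}")
        elif pattern not in lists[kind]:
            lists[kind].append(pattern)
    return lists, problems


def decide(lists, qname):
    """Return 'forward' or 'drop' for the domain name in one DNS request."""
    name = qname.rstrip(".").lower()
    allow, deny = lists["allowlist"], lists["denylist"]
    if allow and deny:
        raise ValueError("precedence between the two lists is not stated on the page")
    if allow:  # strict control: forward only what matches
        return "forward" if any(fnmatchcase(name, p) for p in allow) else "drop"
    if deny:   # loose control: drop only what matches
        return "drop" if any(fnmatchcase(name, p) for p in deny) else "forward"
    return "forward"  # DNS filtering is disabled by default


if __name__ == "__main__":
    lists, problems = parse_filter_commands(SAMPLE_CONFIG)
    print(lists, problems)
    for qname in ("www.example.abc", "abc", "www.example.com"):
        print(qname, decide(lists, qname))
    # A substring pattern also catches names it was not written for.
    deny, _ = parse_filter_commands(["dns filter denylist *ads*"])
    print("downloads.example.com", decide(deny, "downloads.example.com"))
```

Under the glob assumption, *.abc does not match the bare name abc, and a substring pattern such as *ads* also drops downloads.example.com, so test each pattern against names that should and should not match before deploying it.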

Examples

# Enable DNS filtering and add the host names containing .abc to the allowlist.

<Sysname> system-view

[Sysname] dns filter allowlist *.abc

dns proxy enable

Use dns proxy enable to enable DNS proxy.

Use undo dns proxy enable to disable DNS proxy.

Syntax

dns proxy enable

undo dns proxy enable

Default

DNS proxy is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This configuration applies to both IPv4 DNS and IPv6 DNS.

Examples

# Enable DNS proxy.

<Sysname> system-view

[Sysname] dns proxy enable

dns redirect enable

Use dns redirect enable to enable DNS redirection.

Use undo dns redirect enable to disable DNS redirection.

Syntax

dns redirect enable

undo dns redirect enable

Default

DNS redirection is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With DNS redirection enabled, the device monitors the received DNS requests (only UDP packets are supported in the current software version) and resolves the source IP addresses, source port numbers, and domain names. Then, the device searches for a matching domain name rule and redirects the request to the DNS server in the rule.

The device enabled with DNS redirection works as follows:

1.     The device searches for a matching domain name rule.

¡     If a match is found, it replaces the destination IP address in the request with the IP address of the first reachable DNS server in the server group bound to the rule. Then, the device forwards the request to the DNS server.

¡     If no match is found, the device does not redirect the DNS request.

2.     The device records the replacement, including the source IP address, source port number, and requested server address in the DNS request, and the replaced server address.

3.     Upon receiving the DNS reply, the device replaces the source IP address in the reply with the original server address in the request.

This configuration applies to both IPv4 DNS redirection and IPv6 DNS redirection.

The dns redirect enable and dns transparent-proxy enable commands are mutually exclusive. After one command is executed, the other command cannot be executed.
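The redirection steps above, modelled in Python as an added example (not H3C code). The class and field names, the key used to look up a recorded replacement, the removal of a record once its reply is seen, leaving a request untouched when no server in the group is reachable, and the 192.0.2.x and 198.51.100.x addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class DnsPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    qname: str


@dataclass
class Redirector:
    rules: dict      # domain name (lowercase) -> DNS server group ID
    groups: dict     # group ID -> DNS server addresses, in configured order
    reachable: set   # servers currently considered reachable
    records: dict = field(default_factory=dict)

    def on_request(self, pkt):
        """Step 1 and step 2: match a rule, rewrite the destination, record it."""
        # A rule matches only when the queried name is exactly the same.
        group_id = self.rules.get(pkt.qname.rstrip(".").lower())
        if group_id is None:
            return pkt  # no matching rule: the request is not redirected
        server = next(
            (s for s in self.groups.get(group_id, []) if s in self.reachable),
            None,
        )
        if server is None:
            return pkt  # assumption: the page does not cover this case
        # Record source IP, source port, replaced server -> requested server.
        self.records[(pkt.src_ip, pkt.src_port, server)] = pkt.dst_ip
        return replace(pkt, dst_ip=server)

    def on_reply(self, pkt):
        """Step 3: restore the originally requested server as the reply source."""
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip)
        original_server = self.records.pop(key, None)
        if original_server is None:
            return pkt  # no recorded replacement: forward unchanged
        return replace(pkt, src_ip=original_server)


def demo():
    """Run one redirected exchange and one unmatched request (constructed data)."""
    device = Redirector(
        rules={"www.example.com": 1},
        groups={1: ["172.16.1.1", "172.16.1.2"]},
        reachable={"172.16.1.2"},  # the first server in the group is down
    )
    query = DnsPacket("192.0.2.10", 53000, "198.51.100.53", 53, "www.example.com")
    forwarded = device.on_request(query)
    # The selected server answers the client directly.
    reply = DnsPacket(forwarded.dst_ip, 53, query.src_ip, query.src_port, query.qname)
    delivered = device.on_reply(reply)
    unmatched = device.on_request(
        DnsPacket("192.0.2.10", 53001, "198.51.100.53", 53, "other.example.net")
    )
    return forwarded, delivered, unmatched


if __name__ == "__main__":
    for packet in demo():
        print(packet)
```

The client receives the reply from the address it originally queried, so the server that actually answered is visible only in the device's records and in captures taken on the server side of the device.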

Examples

# Enable DNS redirection.

<Sysname> system-view

[Sysname] dns redirect enable

Related commands

dns transparent-proxy enable

dns server

Use dns server to specify the IPv4 address of a DNS server.

Use undo dns server to remove the IPv4 address of a DNS server.

Syntax

dns server ip-address [ vpn-instance vpn-instance-name ]

undo dns server [ ip-address ] [ vpn-instance vpn-instance-name ]

Default

No DNS server IPv4 address is specified.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of a DNS server. When you execute the undo form of the command in interface view, you must specify this argument.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a DNS server IPv4 address for the public network, do not use this option.

Usage guidelines

The device sends a DNS query request to the DNS servers in ascending order of their IPv4 addresses.

The system allows a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

If you do not specify an IPv4 address, the undo dns server command removes all DNS server IPv4 addresses for the public network or the specified VPN instance.

Examples

# Specify DNS server IPv4 address 172.16.1.1.

<Sysname> system-view

[Sysname] dns server 172.16.1.1

# Specify DNS server IPv4 address 172.16.1.1 on GigabitEthernet 1/0/1.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] dns server 172.16.1.1

Related commands

display dns server

dns server (DNS server group view)

Use dns server to add an IPv4 DNS server to the DNS server group.

Use undo dns server to remove IPv4 DNS servers from the DNS server group.

Syntax

dns server ip-address

undo dns server [ ip-address ]

Default

No DNS servers exist in a DNS server group.

Views

DNS server group view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of a DNS server.

Usage guidelines

The device sends a DNS query to DNS servers of the DNS server group in the same order as the order displayed in the display this command output for the group.

A DNS server group supports a maximum of six IPv4 DNS server addresses.

If you do not specify the ip-address argument, the undo dns server command deletes all IPv4 addresses in the DNS server group.

Examples

# Add DNS server 172.16.1.1 to DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-dns-server-group-1] dns server 172.16.1.1

dns server-group

Use dns server-group to create a DNS server group and enter its view, or enter the view of an existing DNS server group.

Use undo dns server-group to delete the specified DNS server group.

Syntax

dns server-group group-id [ vpn-instance vpn-instance-name ]

undo dns server-group group-id

Default

No DNS server group exists.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies the ID of a DNS server group, in the range of 1 to 16.

vpn-instance vpn-instance-name: Specifies the MPLS L3VPN instance to which the DNS server group belongs. The vpn-instance-name argument is a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, the DNS server group is on the public network.

Usage guidelines

To allow the device to send queries to specific DNS servers, add the DNS servers to a DNS server group and bind the group to domain names in a domain name rule. When the device receives a user query and fails to find a local matching DNS entry, the device determines whether a matching domain name rule exists in the same VPN instance or on the public network as the user. If a matching rule exists, the device forwards the query to DNS servers in the DNS server group bound to the rule. If no matching rule exists, the device does not forward the query to DNS servers in DNS server groups.

Examples

# Create DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-dns-server-group-1]

Related commands

description

dns domain-rule

dns snooping enable

Use dns snooping enable to enable DNS snooping.

Use undo dns snooping enable to disable DNS snooping.

Syntax

dns snooping enable

undo dns snooping enable

 

 

Default

DNS snooping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

DNS snooping is applicable to scenarios that use domain name-based policies (such as security policies and bandwidth policies). In such a scenario, the device requires the resolved IP addresses for traffic filtering. Enabled with DNS snooping, the device monitors received DNS requests and replies, and works as follows:

·     If the domain name in a DNS request matches a policy, the device records the DNS mapping after receiving the DNS reply, and reports the mapping to the policy for traffic filtering.

·     If the domain name does not match a policy, the device does not record the DNS mapping.

DNS snooping is applicable to only Layer 3 service networks. Layer 2 forwarding services belonging to the same VLAN on the device do not support the DNS snooping feature.

DNS snooping works only between the DNS client and DNS server, or the DNS client and DNS proxy.

The DNS snooping and DNS transparent proxy features cannot be both configured.

Inter-VPN application of the DNS snooping feature is not supported. Make sure the input and output interfaces of DNS packets belong to the same VPN.

Examples

# Enable DNS snooping.

<Sysname> system-view

[Sysname] dns snooping enable

Related commands

dns transparent-proxy enable

dns snooping log enable

Use dns snooping log enable to enable DNS snooping logging.

Use undo dns snooping log enable to disable DNS snooping logging.

Syntax

dns snooping log enable

undo dns snooping log enable

Default

DNS snooping logging is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

The DNS proxy searches the static domain name resolution table and dynamic domain name resolution cache after receiving a request.

·     If the requested information is found, the DNS proxy returns a DNS reply to the client.

·     If the requested information is not found, the DNS proxy sends the request to the designated DNS server.

Too many requests received at the same time will increase network load and affect the performance of the DNS proxy and DNS server.

To avoid this issue, you can configure DNS snooping on the device between the DNS client and DNS proxy, or the DNS client and DNS server. Also, you can configure the device to generate and send DNS snooping logs to the fast log module. The administrator can locate and troubleshoot issues based on the logs. For information about the fast log output function, see Network Management and Monitoring Configuration Guide.

Examples

# Enable DNS snooping logging.

<Sysname> system-view

[Sysname] dns snooping log enable

dns snooping rate-limit

Use dns snooping rate-limit to configure a rate limit for incoming DNS packets on interfaces.

Use undo dns snooping rate-limit to disable DNS snooping packet rate limit.

Syntax

dns snooping rate-limit rate

undo dns snooping rate-limit

The following compatibility matrixes show the support of hardware platforms for this command:

 

Hardware: Command compatibility

MSR610: Yes

MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI: Yes

MSR810-LMS, MSR810-LUS: No

MSR810-SI, MSR810-LM-SI: No

MSR810-LMS-EA, MSR810-LME: No

MSR1004S-5G, MSR1004S-5G-CN: Yes

MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN: Yes

MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T: Yes

MSR2600-10-X1: Yes

MSR 2630: Yes

MSR3600-28, MSR3600-51: Yes

MSR3600-28-SI, MSR3600-51-SI: No

MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP: Yes

MSR3600-28-G-DP, MSR3600-51-G-DP: Yes

MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG: Yes

MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1: Yes

MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660: Yes

MSR3610-G, MSR3620-G: Yes

MSR3640-G: Yes

MSR3640-X1-HI: Yes

Hardware: Command compatibility

MSR810-W-WiNet, MSR810-LM-WiNet: Yes

MSR830-4LM-WiNet: Yes

MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet: Yes

MSR830-6BHI-WiNet, MSR830-10BHI-WiNet: Yes

MSR2600-6-WiNet: Yes

MSR2600-10-X1-WiNet: Yes

MSR2630-WiNet: Yes

MSR3600-28-WiNet: Yes

MSR3610-X1-WiNet: Yes

MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet: Yes

Hardware: Command compatibility

MSR860-6EI-XS: Yes

MSR860-6HI-XS: Yes

MSR2630-XS: Yes

MSR3600-28-XS: Yes

MSR3610-XS: Yes

MSR3620-XS: Yes

MSR3610-I-XS: Yes

MSR3610-IE-XS: Yes

MSR3620-X1-XS: Yes

MSR3640-XS: Yes

MSR3660-XS: Yes

Hardware: Command compatibility

MSR810-LM-GL: Yes

MSR810-W-LM-GL: Yes

MSR830-6EI-GL: Yes

MSR830-10EI-GL: Yes

MSR830-6HI-GL: Yes

MSR830-10HI-GL: Yes

MSR1004S-5G-GL: Yes

MSR2600-6-X1-GL: Yes

MSR3600-28-SI-GL: No

 

Default

The rate of incoming DNS packets is not limited.

Views

System view

Predefined user roles

network-admin

Parameters

rate: Specifies the maximum rate in pps. The value range varies by device model.

Usage guidelines

An interface will discard DNS packets exceeding the specified rate limit.

This command takes effect only when the DNS snooping logging feature or DNS transparent proxy feature is enabled.

Examples

# Set the DNS packet rate limit to 64 pps.

<Sysname> system-view

[Sysname] dns snooping rate-limit 64

Related commands

dns snooping log enable

dns transparent-proxy enable

dns source-interface

Use dns source-interface to specify the source interface for DNS packets.

Use undo dns source-interface to restore the default.

Syntax

dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

undo dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

Default

No source interface is specified for DNS packets. The device uses the primary IP address of the output interface of the matching route as the source IP address for a DNS request.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a source interface for the public network, do not use this option.

Usage guidelines

This configuration applies to both IPv4 and IPv6.

In IPv4 DNS, the device uses the primary IPv4 address of the specified source interface as the source IP address of a DNS query. In IPv6 DNS, the device selects an IPv6 address of the specified source interface as the source IP address of a DNS query. The method of selecting the IPv6 address is defined in RFC 3484.

The system allows only one source interface for the public network or each VPN instance. If you execute this command multiple times, the most recent configuration takes effect. You can specify source interfaces for both public network and VPN instances.

This command takes effect whether the source interface belongs to the VPN instance or not. As a best practice, specify an interface that belongs to the VPN instance as the source interface.

Examples

# Specify GigabitEthernet 1/0/1 as the source interface for DNS packets on the public network.

<Sysname> system-view

[Sysname] dns source-interface gigabitethernet 1/0/1

dns spoofing

Use dns spoofing to enable DNS spoofing and specify the IPv4 address for spoofing DNS requests.

Use undo dns spoofing to disable DNS spoofing.

Syntax

dns spoofing ip-address [ vpn-instance vpn-instance-name ]

undo dns spoofing ip-address [ vpn-instance vpn-instance-name ]

Default

DNS spoofing is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address used to spoof DNS requests.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To enable DNS spoofing for the public network, do not specify this option.

Usage guidelines

Use the dns spoofing command together with the dns proxy enable command.

DNS spoofing functions when the DNS proxy does not know the DNS server address or cannot reach the DNS server. It enables the DNS proxy to spoof DNS queries of type A by responding with the specified IPv4 address.

The system allows only one replied IPv4 address for the public network or each VPN instance. If you execute this command multiple times, the most recent configuration takes effect. You can configure DNS spoofing for both public network and VPN instances.

Examples

# Enable DNS spoofing for the public network and specify IPv4 address 1.1.1.1 for spoofing DNS requests.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] dns spoofing 1.1.1.1

Related commands

dns proxy enable

dns transparent-proxy enable

Use dns transparent-proxy enable to enable DNS transparent proxy.

Use undo dns transparent-proxy enable to disable DNS transparent proxy.

Syntax

dns transparent-proxy enable

undo dns transparent-proxy enable

The following compatibility matrixes show the support of hardware platforms for this command:

| Hardware | Command compatibility |
|---|---|
| MSR610 | Yes |
| MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI | Yes |
| MSR810-LMS, MSR810-LUS | No |
| MSR810-SI, MSR810-LM-SI | No |
| MSR810-LMS-EA, MSR810-LME | No |
| MSR1004S-5G, MSR1004S-5G-CN | Yes |
| MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN | Yes |
| MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T | Yes |
| MSR2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28, MSR3600-51 | Yes |
| MSR3600-28-SI, MSR3600-51-SI | No |
| MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP | Yes |
| MSR3600-28-G-DP, MSR3600-51-G-DP | Yes |
| MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-ES, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-I-IG, MSR3610-IE-IG | Yes |
| MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1 | Yes |
| MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660 | Yes |
| MSR3610-G, MSR3620-G | Yes |
| MSR3640-G | Yes |
| MSR3640-X1-HI | Yes |

| Hardware | Command compatibility |
|---|---|
| MSR810-W-WiNet, MSR810-LM-WiNet | Yes |
| MSR830-4LM-WiNet | Yes |
| MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet | Yes |
| MSR830-6BHI-WiNet, MSR830-10BHI-WiNet | Yes |
| MSR2600-6-WiNet | Yes |
| MSR2600-10-X1-WiNet | Yes |
| MSR2630-WiNet | Yes |
| MSR3600-28-WiNet | Yes |
| MSR3610-X1-WiNet | Yes |
| MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet | Yes |

| Hardware | Command compatibility |
|---|---|
| MSR860-6EI-XS | Yes |
| MSR860-6HI-XS | Yes |
| MSR2630-XS | Yes |
| MSR3600-28-XS | Yes |
| MSR3610-XS | Yes |
| MSR3620-XS | Yes |
| MSR3610-I-XS | Yes |
| MSR3610-IE-XS | Yes |
| MSR3620-X1-XS | Yes |
| MSR3640-XS | Yes |
| MSR3660-XS | Yes |

| Hardware | Command compatibility |
|---|---|
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR1004S-5G-GL | Yes |
| MSR2600-6-X1-GL | Yes |
| MSR3600-28-SI-GL | No |

Default

DNS transparent proxy is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

DNS transparent proxy modifies the source address in DNS requests so that the DNS client seems to receive a DNS reply directly from the DNS server. This feature is applicable to domain name-based policies, such as security policies and bandwidth policies.

The DNS client does not need to specify the address of the DNS transparent proxy as its DNS server address, which simplifies the DNS client configuration. As a best practice, enable DNS transparent proxy in some load balancing scenarios.

The device enabled with DNS transparent proxy monitors received DNS requests and replies and records DNS mappings as follows:

1.     The device monitors all received DNS packets. Upon receiving a DNS request, the device specifies a local IP address that can reach the DNS server as the source IP address for the request.

2.     Upon receiving the DNS reply, the device records the DNS mapping and forwards the reply to the DNS client.

3.     The device searches the local entries after receiving another request. If a match is found, the device returns a DNS reply to the client. If no match is found, the device forwards the query to the DNS server for domain name resolution.

Do not configure the DNS transparent proxy feature together with any of the following features:

·     DNS fast-reply.

·     DNS snooping.

·     DNS redirection.

Inter-VPN application of the DNS transparent proxy feature is not supported. Make sure the input and output interfaces of DNS packets belong to the same VPN.

Examples

# Enable DNS transparent proxy.

<Sysname> system-view

[Sysname] dns transparent-proxy enable

Related commands

dns fast-reply enable

dns proxy enable

dns redirect enable

dns snooping enable

dns trust-interface

Use dns trust-interface to specify a DNS trusted interface.

Use undo dns trust-interface to remove a DNS trusted interface.

Syntax

dns trust-interface interface-type interface-number

undo dns trust-interface [ interface-type interface-number ]

Default

No DNS trusted interface is specified.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

By default, an interface obtains DNS suffix and DNS server information from DHCP. A network attacker might act as the DHCP server to assign a wrong DNS suffix and DNS server address to the device. As a result, the device fails to obtain the resolved IP address or might get the wrong IP address. With the DNS trusted interface specified, the device only uses the DNS suffix and DNS server information obtained through the trusted interface to avoid attacks.

This configuration applies to both IPv4 DNS and IPv6 DNS.

You can configure a maximum of 128 DNS trusted interfaces on the device.

If you do not specify an interface, the undo dns trust-interface command removes all DNS trusted interfaces and restores the default.

Examples

# Specify GigabitEthernet 1/0/1 as a DNS trusted interface.

<Sysname> system-view

[Sysname] dns trust-interface gigabitethernet 1/0/1
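The usage guidelines for dns snooping rate-limit, dns spoofing, ipv6 dns spoofing, dns transparent-proxy enable, and dns trust-interface each state a dependency or restriction. The following added example (not H3C code) checks a configuration text against those statements. It assumes the text lists the commands in the form this reference documents; the sample configuration and the function names are constructed for illustration.

```python
# Added example: lint a configuration text against the DNS usage guidelines
# in this reference. Assumption: commands appear in the documented form.

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
 sysname Sysname
#
 dns transparent-proxy enable
 dns snooping enable
 dns snooping rate-limit 64
 dns spoofing 1.1.1.1
#
"""

# Features the reference says must not be combined with DNS transparent proxy.
TRANSPARENT_PROXY_CONFLICTS = (
    "dns fast-reply enable",
    "dns snooping enable",
    "dns redirect enable",
)


def parse_commands(config_text):
    """Return command lines with whitespace collapsed, skipping '#' separators."""
    commands = []
    for raw in config_text.splitlines():
        line = " ".join(raw.split())
        if line and not line.startswith("#"):
            commands.append(line)
    return commands


def has_command(commands, command):
    """True if a line is exactly `command` or `command` followed by arguments."""
    return any(c == command or c.startswith(command + " ") for c in commands)


def lint_dns_config(config_text):
    """Return a list of (rule_id, message) findings for the configuration."""
    cmds = parse_commands(config_text)
    findings = []
    transparent = has_command(cmds, "dns transparent-proxy enable")

    # Transparent proxy must not coexist with fast-reply, snooping, or redirection.
    if transparent:
        clashes = [c for c in TRANSPARENT_PROXY_CONFLICTS if has_command(cmds, c)]
        if clashes:
            findings.append((
                "proxy-conflict",
                "dns transparent-proxy enable is configured together with: "
                + ", ".join(clashes),
            ))

    # The rate limit only takes effect with snooping logging or transparent proxy.
    if has_command(cmds, "dns snooping rate-limit") and not (
        transparent or has_command(cmds, "dns snooping log enable")
    ):
        findings.append((
            "rate-limit-inactive",
            "dns snooping rate-limit is set, but neither dns snooping log enable "
            "nor dns transparent-proxy enable is configured",
        ))

    # DNS spoofing is meant to be used together with the DNS proxy.
    for spoof in ("dns spoofing", "ipv6 dns spoofing"):
        if has_command(cmds, spoof) and not has_command(cmds, "dns proxy enable"):
            findings.append((
                "spoofing-without-proxy",
                spoof + " is configured without dns proxy enable",
            ))

    # Without a trusted interface, DHCP-learned DNS settings are not restricted.
    if not has_command(cmds, "dns trust-interface"):
        findings.append((
            "no-trust-interface",
            "no dns trust-interface is configured; DNS suffix and server "
            "information obtained through DHCP is not limited to trusted interfaces",
        ))
    return findings


if __name__ == "__main__":
    for rule_id, message in lint_dns_config(SAMPLE_CONFIG):
        print(rule_id + ": " + message)
```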

health-check enable

Use health-check enable to enable DNS server health check.

Use undo health-check enable to disable DNS server health check.

Syntax

health-check enable

undo health-check enable

Default

DNS server health check is disabled.

Views

DNS server group view

Predefined user roles

network-admin

Usage guidelines

When the device enabled with DNS redirection receives a DNS request that matches a domain name rule, the device forwards the request to a DNS server. The DNS server is selected according to the server order shown in the output of the display this command.

If the device does not receive a DNS reply from the DNS server within two seconds, it reselects a DNS server. To prevent the device from selecting an unavailable DNS server, execute the health-check enable command to detect the availability of DNS servers. After you execute the command on the device, it works as follows:

1.     The device periodically sends a DNS request to each DNS server in the DNS server group.

2.     If the device receives a DNS reply from a DNS server, it regards the DNS server as available.

3.     If the device does not receive any DNS reply from a DNS server after sending a DNS request to that server three consecutive times, it regards the DNS server as unavailable.

4.     Upon receiving a DNS request that matches a domain name rule, the device ignores the unavailable DNS servers automatically and selects a DNS server according to the lexicographical order.

Examples

# Enable health check for DNS servers in DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-server-group-1] health-check enable

Related commands

display dns server health status

ip host

Use ip host to create a host name-to-IPv4 address mapping.

Use undo ip host to remove a host name-to-IPv4 address mapping.

Syntax

ip host host-name ip-address [ vpn-instance vpn-instance-name ]

undo ip host host-name ip-address [ vpn-instance vpn-instance-name ]

Default

No host name-to-IPv4 address mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. Valid characters are letters, digits, hyphens (-), underscores (_), and dots (.).

ip-address: Specifies the IPv4 address of the host.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create a host name-to-IP address mapping for the public network, do not specify this option.

Usage guidelines

The system allows a maximum of 1024 host name-to-IPv4 address mappings for the public network or each VPN instance. You can configure host name-to-IPv4 address mappings for both public network and VPN instances.

For the public network or a VPN instance, each host name maps to only one IPv4 address. If you execute this command multiple times, the most recent configuration takes effect.

Do not use the ping command parameter ip, -a, -c, -f, -h, -i, -m, -n, -p, -q, -r, -s, -t, -tos, -v, or -vpn-instance as the host name. For more information about the ping command parameters, see Network Management and Monitoring Command Reference.

Examples

# Map IPv4 address 10.110.0.1 to host name aaa for the public network.

<Sysname> system-view

[Sysname] ip host aaa 10.110.0.1

Related commands

display dns host

ipv6 dns dscp

Use ipv6 dns dscp to set the DSCP value for IPv6 DNS packets sent by an IPv6 DNS client or IPv6 DNS proxy.

Use undo ipv6 dns dscp to restore the default.

Syntax

ipv6 dns dscp dscp-value

undo ipv6 dns dscp

Default

The DSCP value is 0 in IPv6 DNS packets sent by an IPv6 DNS client or IPv6 DNS proxy.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing IPv6 DNS packets.

<Sysname> system-view

[Sysname] ipv6 dns dscp 30

ipv6 dns server

Use ipv6 dns server to specify the IPv6 address of a DNS server.

Use undo ipv6 dns server to remove the IPv6 address of a DNS server.

Syntax

ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

undo ipv6 dns server [ ipv6-address [ interface-type interface-number ] ] [ vpn-instance vpn-instance-name ]

Default

No DNS server IPv6 address is specified.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

interface-type interface-number: Specifies the output interface by its type and number. If you do not specify an interface, the device forwards DNS packets out of the output interface of the matching route. Specify this argument if the IPv6 address of the DNS server is a link-local address. Do not specify this argument if the IPv6 address of the DNS server is a global unicast address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a DNS server IPv6 address for the public network, do not use this option.

Usage guidelines

The device sends a DNS query request to the DNS servers in ascending order of their IPv6 addresses.

The system allows a maximum of six DNS server IPv6 addresses for the public network or each VPN instance. You can specify DNS server IPv6 addresses for both public network and VPN instances.

If you do not specify an IPv6 address, the undo ipv6 dns server command removes all DNS server IPv6 addresses for the public network or the specified VPN instance.

Examples

# Specify DNS server IPv6 address 2002::1 for the public network.

<Sysname> system-view

[Sysname] ipv6 dns server 2002::1

Related commands

display ipv6 dns server

ipv6 dns server (DNS server group view)

Use ipv6 dns server to add an IPv6 DNS server to the DNS server group.

Use undo ipv6 dns server to remove IPv6 DNS servers from the DNS server group.

Syntax

ipv6 dns server ipv6-address [ interface-type interface-number ]

undo ipv6 dns server [ ipv6-address [ interface-type interface-number ] ]

Default

No DNS servers exist in a DNS server group.

Views

DNS server group view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

interface-type interface-number: Specifies the output interface by its type and number. If you do not specify an interface, the device forwards DNS packets out of the output interface of the matching route. Specify this argument if the IPv6 address of the DNS server is a link-local address. Do not specify this argument if the IPv6 address of the DNS server is a global unicast address.

Usage guidelines

The device sends a DNS query to DNS servers of the DNS server group in an order that is the same as the one displayed in the display this command output for the group.

A DNS server group supports a maximum of six IPv6 DNS server addresses.

If you do not specify the ipv6-address argument, the undo ipv6 dns server command deletes all IPv6 addresses in the DNS server group.

Examples

# Add DNS server 2000::1 to DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-server-group-1] ipv6 dns server 2000::1

ipv6 dns spoofing

Use ipv6 dns spoofing to enable DNS spoofing and specify the IPv6 address to spoof DNS requests.

Use undo ipv6 dns spoofing to disable DNS spoofing.

Syntax

ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ]

undo ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ]

Default

DNS spoofing is disabled.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address used to spoof DNS requests.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To enable DNS spoofing for the public network, do not specify this option.

Usage guidelines

Use the ipv6 dns spoofing command together with the dns proxy enable command.

DNS spoofing functions when the DNS proxy does not know the DNS server address or cannot reach the DNS server. It enables the DNS proxy to spoof DNS queries of type AAAA by responding with the specified IPv6 address.

The system allows only one replied IPv6 address for the public network or each VPN instance. If you execute this command multiple times, the most recent configuration takes effect. You can configure DNS spoofing for both public network and VPN instances.

Examples

# Enable DNS spoofing for the public network and specify IPv6 address 2001::1 for spoofing DNS requests.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] ipv6 dns spoofing 2001::1

Related commands

dns proxy enable

ipv6 host

Use ipv6 host to create a host name-to-IPv6 address mapping.

Use undo ipv6 host to remove a host name-to-IPv6 address mapping.

Syntax

ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

undo ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

Default

No host name-to-IPv6 address mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters. It can include letters, digits, hyphens (-), underscores (_), and dots (.).

ipv6-address: Specifies the IPv6 address of the host.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create a host name-to-IPv6 address mapping for the public network, do not specify this option.

Usage guidelines

The system allows a maximum of 1024 host name-to-IPv6 address mappings for the public network or each VPN instance. You can configure host name-to-IPv6 address mappings for both public network and VPN instances.

For the public network or a VPN instance, each host name maps to only one IPv6 address. If you execute this command multiple times, the most recent configuration takes effect.

Do not use the ping ipv6 command parameter -a, -c, -i, -m, -q, -s, -t, -tc, -v, or -vpn-instance as the host name. For more information about the ping ipv6 command parameters, see Network Management and Monitoring Command Reference.

Examples

# Map IPv6 address 2001::1 to host name aaa for the public network.

<Sysname> system-view

[Sysname] ipv6 host aaa 2001::1

Related commands

ip host

reset dns host

Use reset dns host to clear dynamic DNS entries.

Syntax

reset dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

ip: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address.

ipv6: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command clears dynamic DNS entries for the public network.

Usage guidelines

If you do not specify the ip or ipv6 keyword, the reset dns host command clears dynamic DNS entries of all query types.

Use this command to clear the following dynamic DNS entries:

·     Dynamic DNS entries on the DNS client.

·     Dynamic DNS entries on the device enabled with DNS transparent proxy.

Examples

# Clear dynamic DNS entries of all query types for the public network.

<Sysname> reset dns host

Related commands

display dns host

DDNS commands

The following compatibility matrixes show the support of hardware platforms for DDNS:

| Hardware | DDNS compatibility |
|---|---|
| MSR610 | Yes |
| MSR810, MSR810-W, MSR810-W-DB, MSR810-LM, MSR810-W-LM, MSR810-10-PoE, MSR810-LM-HK, MSR810-W-LM-HK, MSR810-LM-CNDE-SJK, MSR810-CNDE-SJK, MSR810-EI, MSR810-LM-EA, MSR810-LM-EI | Yes |
| MSR810-LMS, MSR810-LUS | Yes |
| MSR810-SI, MSR810-LM-SI | Yes |
| MSR810-LMS-EA, MSR810-LME | Yes |
| MSR1004S-5G, MSR1004S-5G-CN | Yes |
| MSR1104S-W, MSR1104S-W-CAT6, MSR1104S-5G-CN, MSR1104S-W-5G-CN | Yes |
| MSR2600-6-X1, MSR2600-15-X1, MSR2600-15-X1-T | Yes |
| MSR2600-10-X1 | Yes |
| MSR 2630 | Yes |
| MSR3600-28, MSR3600-51 | Yes |
| MSR3600-28-SI, MSR3600-51-SI | No |
| MSR3600-28-X1, MSR3600-28-X1-DP, MSR3600-51-X1, MSR3600-51-X1-DP | Yes |
| MSR3600-28-G-DP, MSR3600-51-G-DP | Yes |
| MSR3610-I-DP, MSR3610-IE-DP, MSR3610-IE-EAD, MSR-EAD-AK770, MSR3610-IE-ES, MSR3610-I-IG, MSR3610-IE-IG | Yes |
| MSR3610-X1, MSR3610-X1-DP, MSR3610-X1-DC, MSR3610-X1-DP-DC, MSR3620-X1, MSR3640-X1 | Yes |
| MSR 3610, MSR 3620, MSR 3620-DP, MSR 3640, MSR 3660 | Yes |
| MSR3610-G, MSR3620-G | Yes |
| MSR3640-G | Yes |
| MSR3640-X1-HI | Yes |

| Hardware | DDNS compatibility |
|---|---|
| MSR810-W-WiNet, MSR810-LM-WiNet | Yes |
| MSR830-4LM-WiNet | Yes |
| MSR830-5BEI-WiNet, MSR830-6EI-WiNet, MSR830-10BEI-WiNet | Yes |
| MSR830-6BHI-WiNet, MSR830-10BHI-WiNet | Yes |
| MSR2600-6-WiNet | Yes |
| MSR2600-10-X1-WiNet | Yes |
| MSR2630-WiNet | Yes |
| MSR3600-28-WiNet | Yes |
| MSR3610-X1-WiNet | Yes |
| MSR3610-WiNet, MSR3620-10-WiNet, MSR3620-DP-WiNet, MSR3620-WiNet, MSR3660-WiNet | Yes |

| Hardware | DDNS compatibility |
|---|---|
| MSR860-6EI-XS | Yes |
| MSR860-6HI-XS | Yes |
| MSR2630-XS | Yes |
| MSR3600-28-XS | Yes |
| MSR3610-XS | Yes |
| MSR3620-XS | Yes |
| MSR3610-I-XS | Yes |
| MSR3610-IE-XS | Yes |
| MSR3620-X1-XS | Yes |
| MSR3640-XS | Yes |
| MSR3660-XS | Yes |

| Hardware | DDNS compatibility |
|---|---|
| MSR810-LM-GL | Yes |
| MSR810-W-LM-GL | Yes |
| MSR830-6EI-GL | Yes |
| MSR830-10EI-GL | Yes |
| MSR830-6HI-GL | Yes |
| MSR830-10HI-GL | Yes |
| MSR1004S-5G-GL | Yes |
| MSR2600-6-X1-GL | Yes |
| MSR3600-28-SI-GL | No |

ddns apply policy

Use ddns apply policy to apply a DDNS policy to an interface and enable DDNS update. DDNS updates the mapping between the FQDN and the primary IP address of the interface.

Use undo ddns apply policy to remove the application of a DDNS policy from an interface and to stop DDNS update.

Syntax

ddns apply policy policy-name [ fqdn domain-name ]

undo ddns apply policy policy-name

Default

No DDNS policy and FQDN are specified on the interface, and DDNS update is disabled.

Views

Interface view

Predefined user roles

network-admin

Parameters

policy-name: Specifies a DDNS policy by its name, a case-insensitive string of 1 to 32 characters.

fqdn domain-name: Specifies the FQDN to replace <h> in the URL for DDNS update. The domain-name argument specifies a case-insensitive string of 1 to 253 characters. It can include letters, digits, hyphens (-), underscores (_), and dots (.).

Usage guidelines

You can apply a maximum of four DDNS policies to an interface.

If you execute this command multiple times with the same DDNS policy name but different FQDNs, both of the following occur:

·     The most recent configuration takes effect.

·     The device initiates a DDNS update request immediately.

Examples

# Apply DDNS policy steven_policy to GigabitEthernet 1/0/1 to update the domain name-to-IP address mapping for FQDN www.whatever.com and enable DDNS update.

<Sysname> system-view

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] ddns apply policy steven_policy fqdn www.whatever.com

Related commands

ddns policy

display ddns policy

ddns dscp

Use ddns dscp to set the DSCP value for outgoing DDNS packets.

Use undo ddns dscp to restore the default.

Syntax

ddns dscp dscp-value

undo ddns dscp

Default

The DSCP value for outgoing DDNS packets is 0.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing DDNS packets.

<Sysname> system-view

[Sysname] ddns dscp 30

ddns policy

Use ddns policy to create a DDNS policy and enter its view, or enter the view of an existing DDNS policy.

Use undo ddns policy to delete a DDNS policy.

Syntax

ddns policy policy-name

undo ddns policy policy-name

Default

No DDNS policies exist.

Views

System view

Predefined user roles

network-admin

Parameters

policy-name: Specifies the DDNS policy name, a case-insensitive string of 1 to 32 characters.

Usage guidelines

You can create a maximum of 16 DDNS policies on the device.

Examples

# Create a DDNS policy named steven_policy and enter its view.

<Sysname> system-view

[Sysname] ddns policy steven_policy

Related commands

ddns apply policy

display ddns policy

display ddns policy

Use display ddns policy to display information about DDNS policies.

Syntax

display ddns policy [ policy-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

policy-name: Specifies a DDNS policy by its name, a case-insensitive string of 1 to 32 characters. If you do not specify a DDNS policy, this command displays information about all DDNS policies.

Examples

# Display information about DDNS policy steven_policy.

<Sysname> display ddns policy steven_policy

DDNS policy: steven_policy

  URL              : http://members.3322.org/dyndns/update?

                     system=dyndns&hostname=<h>&myip=<a>

  Username         : steven

  Password         : ******

  Method           : GET

  SSL client policy:

  Interval         : 1 days 0 hours 1 minutes

# Display information about all DDNS policies.

<Sysname> display ddns policy

DDNS policy: steven_policy

  URL              : http://members.3322.org/dyndns/update?system=

                     dyndns&hostname=<h>&myip=<a>

  Username         : steven

  Password         : ******

  Method           : GET

  SSL client policy:

  Interval         : 0 days 0 hours 30 minutes 

 

DDNS policy: tom-policy

  URL              : http://members.3322.org/dyndns/update?system=

                     dyndns&hostname=<h>&myip=<a>

  Username         :

  Password         :

  Method           : GET

  SSL client policy:

  Interval         : 0 days 0 hours 15 minutes

 

DDNS policy: u-policy

  URL              : oray://phddns60.oray.net

  Username         : username

  Password         :

  Method           : -

  SSL client policy:

  Interval         : 0 days 0 hours 15 minutes

Table 6 Command output

| Field | Description |
|---|---|
| DDNS policy | DDNS policy name. |
| URL | URL address for a DDNS update request. This field is empty if no URL address is configured. |
| Username | Username for logging in to the DDNS server. This field is empty if no username is configured. |
| Password | Password for logging in to the DDNS server. This field is empty if no password is configured and displays ****** if a password is configured. |
| Method | Parameter transmission method used to send HTTP/HTTPS-based DDNS update requests. Method types include GET and POST. |
| SSL client policy | Name of the associated SSL client policy. This field is empty if no SSL client policy is associated. |
| Interval | Interval for sending DDNS update requests. |

Related commands

ddns policy
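An added example (not H3C code) that parses display ddns policy output in the layout shown above, including wrapped URL lines, and flags two conditions: a username or password configured on a policy whose URL uses plain HTTP, and an SSL client policy associated with a non-HTTPS URL, where this reference states the SSL client policy has no effect. The sample output, policy names, host names, and the function names are constructed for illustration.

```python
import re

# Constructed sample in the layout of the display ddns policy output above
# (policy names, hosts and users are made up).
SAMPLE_OUTPUT = """\
DDNS policy: branch_http
  URL              : http://ddns.example.com/dyndns/update?system=
                     dyndns&hostname=<h>&myip=<a>
  Username         : branch
  Password         : ******
  Method           : GET
  SSL client policy: ssl_policy
  Interval         : 0 days 0 hours 30 minutes

DDNS policy: branch_https
  URL              : https://ddns.example.com/update?hostname=<h>&myip=<a>
  Username         : branch
  Password         : ******
  Method           : POST
  SSL client policy: ssl_policy
  Interval         : 1 days 0 hours 1 minutes

DDNS policy: no_auth
  URL              : http://ddns.example.com/update?hostname=<h>&myip=<a>
  Username         :
  Password         :
  Method           : GET
  SSL client policy:
  Interval         : 0 days 0 hours 15 minutes
"""

HEADER_RE = re.compile(r"^DDNS policy:\s*(\S+)\s*$")
FIELD_RE = re.compile(
    r"^\s*(URL|Username|Password|Method|SSL client policy|Interval)\s*:\s*(.*)$"
)


def parse_ddns_policies(text):
    """Parse the display output into a list of dicts, one per DDNS policy."""
    policies, current, last_field = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue  # blank separator between policies
        header = HEADER_RE.match(line)
        if header:
            current = {"name": header.group(1)}
            policies.append(current)
            last_field = None
            continue
        if current is None:
            continue  # e.g. the CLI prompt line before the first policy
        field = FIELD_RE.match(line)
        if field:
            last_field = field.group(1)
            current[last_field] = field.group(2).strip()
        elif last_field == "URL":
            current["URL"] += line.strip()  # wrapped URL continuation line
    return policies


def audit_policy(policy):
    """Return the list of finding ids for one parsed policy."""
    findings = []
    url = policy.get("URL", "")
    scheme = url.split("://", 1)[0].lower() if "://" in url else ""
    has_credentials = bool(policy.get("Username") or policy.get("Password"))
    # Login data sent with a plain-HTTP update request is not encrypted in transit.
    if scheme == "http" and has_credentials:
        findings.append("cleartext-credentials")
    # An SSL client policy is effective only for HTTPS-based update requests.
    if policy.get("SSL client policy") and scheme != "https":
        findings.append("ssl-policy-unused")
    return findings


def audit(text):
    """Map each policy name to its findings."""
    return {p["name"]: audit_policy(p) for p in parse_ddns_policies(text)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_OUTPUT).items():
        print(name + ": " + (", ".join(findings) if findings else "no findings"))
```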

interval

Use interval to set the interval for sending DDNS update requests.

Use undo interval to restore the default.

Syntax

interval days [ hours [ minutes ] ]

undo interval

Default

The DDNS update request interval is 1 hour.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

days: Days in the range of 0 to 365.

hours: Hours in the range of 0 to 23.

minutes: Minutes in the range of 0 to 59.

Usage guidelines

The interface always sends a DDNS update request in one of the following conditions:

·     The primary IP address of the interface changes.

·     The link state of the interface changes from down to up.

If you set the interval to 0, the device does not periodically initiate DDNS update requests.

If you execute this command multiple times, the most recent configuration takes effect. If you change the interval for an applied DDNS policy, the device immediately initiates a DDNS update request and sets the interval as the update interval.

Examples

# Set the interval to 1 day and 1 minute for sending DDNS update requests for DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] interval 1 0 1

Related commands

ddns policy

display ddns policy

method

Use method to specify the parameter transmission method for sending DDNS update requests to HTTP/HTTPS-based DDNS servers.

Use undo method to restore the default.

Syntax

method { http-get | http-post }

undo method

Default

The method http-get applies.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

http-get: Uses the get operation.

http-post: Uses the post operation.

Usage guidelines

This command applies to DDNS updates in HTTP/HTTPS. If the DDNS server uses HTTP or HTTPS service, choose a parameter transmission method compatible with the DDNS server. For example, a DHS server supports the http-post method.

If the DDNS policy has been applied to an interface, a DDNS update is sent immediately after the parameter transmission method is changed.

Examples

# Specify the parameter transmission method as http-post for DDNS update requests for DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] method http-post

Related commands

ddns policy

display ddns policy

password

Use password to specify the password for logging in to the DDNS server.

Use undo password to restore the default.

Syntax

password { cipher | simple } string

undo password

Default

No password is specified for logging in to the DDNS server.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

cipher: Specifies a password in encrypted form.

simple: Specifies a password in plaintext form. For security purposes, the password specified in plaintext form will be stored in encrypted form.

string: Specifies the password. Its plaintext form is a case-sensitive string of 1 to 32 characters. Its encrypted form is a case-sensitive string of 1 to 73 characters.

Examples

# In DDNS policy steven_policy, specify nevets as the password for logging in to the DDNS server.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] password simple nevets

Related commands

ddns policy

display ddns policy

url

username

ssl-client-policy

Use ssl-client-policy to associate an SSL client policy with a DDNS policy.

Use undo ssl-client-policy to restore the default.

Syntax

ssl-client-policy policy-name

undo ssl-client-policy

Default

No SSL client policy is associated with a DDNS policy.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

policy-name: Specifies an SSL client policy by its name, a case-insensitive string of 1 to 31 characters.

Usage guidelines

The SSL client policy is effective only for HTTPS-based DDNS update requests.

If you execute this command multiple times with different SSL client policies, the most recent configuration takes effect.

Examples

# Associate SSL client policy ssl_policy with DDNS policy steven_policy.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] ssl-client-policy ssl_policy

Related commands

ddns policy

display ddns policy

ssl-client-policy (Security Command Reference)

url

Use url to specify the URL address for DDNS update requests.

Use undo url to restore the default.

Syntax

url request-url

undo url

Default

No URL address is specified for DDNS update requests.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

request-url: Specifies the URL address, a case-sensitive string of 1 to 240 characters.

Usage guidelines

The URL addresses configured for update requests vary by DDNS server. Common DDNS server URL address formats are shown in Table 7.

Table 7 Common URL addresses for DDNS update request

DDNS server     URL addresses for DDNS update requests
www.3322.org    http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
DYNDNS          http://members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
DYNS            http://www.dyns.cx/postscript.php?host=<h>&ip=<a>
ZONEEDIT        http://dynamic.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a>
TZO             http://cgi.tzo.com/webclient/signedon.html?TZOName=<h>IPAddress=<a>
EASYDNS         http://members.easydns.com/dyn/ez-ipupdate.php?action=edit&myip=<a>&host_id=<h>
HEIPV6TB        http://dyn.dns.he.net/nic/update?hostname=<h>&myip=<a>
CHANGE-IP       http://nic.changeip.com/nic/update?hostname=<h>&offline=1
NO-IP           http://dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
DHS             http://members.dhs.org/nic/hosts?domain=dyn.dhs.org&hostname=<h>&hostscmd=edit&hostscmdstage=2&type=1&ip=<a>
HP              https://server-name/nic/update?group=group-name&myip=<a>
ODS             ods://update.ods.org
GNUDIP          gnudip://server-name
PeanutHull      oray://phddns60.oray.net
                oray://phservice2.oray.net
                http://ddns.oray.com/ph/update?hostname=<h>&myip=<a>

The URL address cannot contain the username or password. To configure the username and password, use the username command and the password command.

HP and GNUDIP are common DDNS update protocols. The server-name parameter is the domain name or IP address of the service provider's server using one of the update protocols.

The URL address for an update request can start with:

·     http://—The HTTP-based DDNS server.

·     https://—The HTTPS-based DDNS server.

·     ods://—The TCP-based ODS server.

·     gnudip://—The TCP-based GNUDIP server.

·     oray://—The TCP-based DDNS server.

The domain names of DDNS servers are members.3322.org and phddns60.oray.net. The domain names of PeanutHull DDNS servers can be phddns60.oray.net and phservice2.oray.net. The domain name phservice2.oray.net maps to the public IP address of the old version of the PeanutHull DDNS server, which is no longer maintained. If the connection to that server fails, you need to retry several times. As a best practice, register a new account and a domain name on the new version of the PeanutHull DDNS service. Determine the domain name in the URL according to the actual situation.

The port number in the URL address is optional. If you do not specify a port number, the default port number is used. HTTP uses port 80, HTTPS uses port 443, and the PeanutHull server uses port 6060.

The system automatically performs the following tasks:

·     Fills <h> with the FQDN that is specified when the DDNS policy is applied to an interface.

·     Fills <a> with the primary IP address of the interface to which the DDNS policy is applied.

You can also manually specify an FQDN and an IP address in place of <h> and <a>, respectively. In this case, the FQDN that is specified when the DDNS policy is applied to an interface will not take effect. As a best practice, do not manually change <h> and <a> because your configuration might be incorrect.

You cannot specify an FQDN and IP address in the URL address for contacting the PeanutHull server. Instead, specify an FQDN when applying the DDNS policy to an interface. The system automatically uses the primary IP address of the interface to which the DDNS policy is applied as the IP address for DDNS update.

To avoid misinterpretation, do not include colons (:), at signs (@), and question marks (?) in your login username or password, even if you can do so.

If you execute this command multiple times, the most recent configuration takes effect.

Examples

# Specify the URL address for DDNS update requests for DDNS policy steven_policy. The device contacts www.3322.org for DDNS update.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
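The following Python script is an added example, not H3C code. It audits saved DDNS policy text against the rules stated for the url, username, password, and ssl-client-policy commands, and also flags a login password sent to an http:// URL. The layout of SAMPLE, the policy name embedded, and the finding names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

SCHEMES = {"http", "https", "ods", "gnudip", "oray"}  # URL prefixes listed on the page
# Constructed sample laid out like saved configuration text (layout is an assumption).
SAMPLE = """\
ddns policy steven_policy
 url http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>
 username steven
 password simple nevets
 ssl-client-policy ssl_policy
#
ddns policy embedded
 url https://steven:nevets@server-name/nic/update?group=group-name&myip=<a>
 username st:even
"""

def parse_policies(text):
    """Group indented lines under each 'ddns policy NAME' into {name: {cmd: arg}}."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ddns policy "):
            current = policies.setdefault(line.split(None, 2)[2], {})
        elif raw[:1].isspace() and line and current is not None:
            cmd, _, arg = line.partition(" ")
            current[cmd] = arg.strip()
        elif line:
            current = None  # any other top-level line ends the policy block
    return policies

def audit(policy):
    """Return sorted finding codes for one parsed DDNS policy."""
    url = policy.get("url", "")
    parts = urlsplit(url)
    form, _, secret = policy.get("password", "").partition(" ")
    creds = [policy.get("username", "")] + ([secret] if form == "simple" else [])
    checks = [
        (not 1 <= len(url) <= 240, "url-length"),                # request-url: 1 to 240 chars
        (parts.scheme not in SCHEMES, "url-scheme"),
        (parts.username is not None, "url-embeds-credentials"),  # not allowed in the URL
        (form == "simple", "plaintext-password-in-file"),        # secret readable in this text
        ("password" in policy and parts.scheme == "http", "password-over-http"),  # no TLS
        ("ssl-client-policy" in policy and parts.scheme != "https", "ssl-policy-unused"),
        (any(ch in c for c in creds for ch in ":@?"), "ambiguous-credential-chars"),
    ]
    return sorted(code for hit, code in checks if hit)

if __name__ == "__main__":
    print({name: audit(p) for name, p in parse_policies(SAMPLE).items()})
```

A password entered in cipher form cannot be checked for the discouraged characters, so that check covers only the username and passwords written with the simple keyword.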

Related commands

ddns policy

display ddns policy

password

username

username

Use username to specify the username for logging in to the DDNS server.

Use undo username to restore the default.

Syntax

username username

undo username

Default

No username is specified for logging in to the DDNS server.

Views

DDNS policy view

Predefined user roles

network-admin

Parameters

username: Specifies the username, a case-sensitive string of 1 to 32 characters.

Examples

# In DDNS policy steven_policy, specify steven as the username for logging in to the DDNS server.

<Sysname> system-view

[Sysname] ddns policy steven_policy

[Sysname-ddns-policy-steven_policy] username steven

Related commands

ddns policy

display ddns policy

password

url
