04-Layer 3-IP Services Configuration Guide

04-DNS configuration

Configuring DNS

Overview

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. With DNS, you can use easy-to-remember domain names in some applications and let the DNS server translate them into correct IP addresses. The domain name-to-IP address mapping is called a DNS entry.

DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.

Static domain name resolution

Static domain name resolution means manually creating mappings between domain names and IP addresses. For example, you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain name.

Dynamic domain name resolution

Resolution process

1.        A user program sends a name query to the resolver of the DNS client.

2.        The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.

3.        The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to other DNS servers. This process continues until a result, whether successful or not, is returned.

4.        After receiving a response from the DNS server, the DNS client returns the resolution result to the user program.

Figure 1 Dynamic domain name resolution

 

Figure 1 shows the relationship between the user program, DNS client, and DNS server.

The DNS client is made up of the resolver and cache. The user program and DNS client can run on the same device or different devices, but the DNS server and the DNS client usually run on different devices.

Dynamic domain name resolution allows the DNS client to store the latest DNS entries in the dynamic domain name cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires. The DNS server determines how long a mapping is valid (the TTL carried in the response), and the DNS client obtains the aging information from DNS responses.

DNS suffixes

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name.

For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com because the resolver adds the suffix and delimiter before passing the name to the DNS server.

The name resolver handles the queries based on the domain names that the user enters:

·          If the user enters a domain name without a dot (.) (for example, aabbcc), the resolver treats it as a host name and appends a DNS suffix before performing the query. If no match is found with any configured suffix, the resolver queries the user-entered name (for example, aabbcc) as is.

·          If the user enters a domain name with a dot (.) among the letters (for example, www.aabbcc), the resolver first queries the name as entered. If the query fails, the resolver appends a DNS suffix and queries again.

·          If the user enters a domain name with a dot (.) at the end (for example, aabbcc.com.), the resolver treats it as an FQDN and returns the result of that single query, whether successful or not. The dot at the end of the domain name is treated as a terminating symbol.
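The three rules above determine which names actually leave the device, which matters for security because a typed internal name can end up being queried under an unintended suffix. The following Python model is an added example and is not code from the H3C guide; the suffix list order and the sample zone answers are assumptions constructed for illustration.

```python
"""Model of the DNS suffix-search rules for incomplete names.

Added example, not H3C code.  It reproduces the three rules the guide states:
  * no dot            -> try each configured suffix, then the bare name
  * dot in the middle -> try the name as entered, then each suffix
  * trailing dot      -> FQDN, queried exactly once, never suffixed
The order of the suffix list is assumed to be the resolver's priority order.
"""
from typing import Dict, List, Optional, Tuple


def candidate_names(user_input: str, suffixes: List[str]) -> List[str]:
    """Return the names the resolver will query, in the order it tries them."""
    name = user_input.strip()
    if not name:
        raise ValueError("empty name")

    if name.endswith("."):
        # Terminating dot: the name is an FQDN and no suffix is ever appended.
        return [name]

    # Suffixes may be stored with or without a leading dot; normalise them.
    with_suffix = [f"{name}.{s.strip('.')}" for s in suffixes if s.strip(".")]

    if "." not in name:
        # Host name: suffixed forms first, the bare name as the last resort.
        return with_suffix + [name]

    # Dot among the letters: as entered first, then fall back to suffixes.
    return [name] + with_suffix


# Constructed answers standing in for what a DNS server would return.
SAMPLE_ZONE: Dict[str, str] = {
    "aabbcc.com": "3.1.1.1",
    "www.aabbcc.com": "3.1.1.2",
}


def resolve(user_input: str, suffixes: List[str],
            zone: Dict[str, str] = SAMPLE_ZONE) -> Optional[Tuple[str, str]]:
    """Query each candidate in order; return (name queried, address) or None.

    The trailing dot of an FQDN is stripped only for the lookup key, mirroring
    a resolver that treats it as a terminator rather than part of the label.
    """
    for fqdn in candidate_names(user_input, suffixes):
        addr = zone.get(fqdn.rstrip("."))
        if addr is not None:
            return fqdn, addr
    return None


if __name__ == "__main__":
    for entered in ("aabbcc", "www.aabbcc", "aabbcc.com.", "nosuch"):
        print(f"{entered!r:16} -> {candidate_names(entered, ['com'])} "
              f"=> {resolve(entered, ['com'])}")
```

Note that with suffix com configured, entering www.aabbcc causes two queries (www.aabbcc, then www.aabbcc.com); a suffix that an attacker controls, for example one pushed by a rogue DHCP server, would see every such fallback query.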

The device supports static and dynamic DNS client services.

If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.

DNS configuration task list

Tasks at a glance

Perform one of the following tasks:

·         Configuring the IPv4 DNS client

·         Configuring the IPv6 DNS client

(Optional.) Specifying the source interface for DNS packets

(Optional.) Configuring the DNS trusted interface

(Optional.) Setting the DSCP value for outgoing DNS packets

 

Configuring the IPv4 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv4 addresses.

Follow these guidelines when you configure static domain name resolution:

·          For the public network or a VPN instance, each host name maps to only one IPv4 address. The most recent configuration for a host name takes effect.

·          The system allows a maximum of 1024 IPv4 DNS entries for the public network or each VPN instance. You can configure IPv4 DNS entries for both public network and VPN instances.

To configure static domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure a mapping between a host name and an IPv4 address.

ip host host-name ip-address [ vpn-instance vpn-instance-name ]

By default, no mapping between a host name and an IPv4 address is configured.

 

Configuring dynamic domain name resolution

To use dynamic domain name resolution, configure DNS servers so that DNS queries can be sent to the correct server for resolution. A manually configured DNS server takes precedence over one dynamically obtained through DHCP, and an earlier configured DNS server takes precedence over a later one. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A manually configured DNS suffix takes precedence over one dynamically obtained through DHCP, and an earlier configured DNS suffix takes precedence over a later one. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

·          The system allows a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

·          The system allows a maximum of 16 DNS suffixes for the public network or each VPN instance. You can specify DNS suffixes for both public network and VPN instances.

·          An IPv4 name query is first sent to the IPv4 DNS servers. If no reply is received, it is sent to the IPv6 DNS servers.

Configuration procedure

To configure dynamic domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify a DNS server.

·         Specify a DNS server IPv4 address:
dns server ip-address [ vpn-instance vpn-instance-name ]

·         Specify a DNS server IPv6 address:
ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

By default, no DNS server is specified.

You can specify both the IPv4 and IPv6 addresses.

3.       (Optional.) Configure a DNS suffix.

dns domain domain-name [ vpn-instance vpn-instance-name ]

By default, no DNS suffix is configured and only the provided domain name is resolved.

 

Configuring the IPv6 DNS client

Configuring static domain name resolution

Static domain name resolution allows applications such as Telnet to contact hosts by using host names instead of IPv6 addresses.

Follow these guidelines when you configure static domain name resolution:

·          For the public network or a VPN instance, each host name maps to only one IPv6 address. The most recent configuration for a host name takes effect.

·          The system allows a maximum of 1024 IPv6 DNS entries for the public network or each VPN instance. You can configure IPv6 DNS entries for both public network and VPN instances.

To configure static domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure a host name-to-IPv6 address mapping.

ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

By default, no host name-to-IPv6 address mappings exist.

 

Configuring dynamic domain name resolution

To send DNS queries to the correct server for resolution, configure DNS servers. A manually configured DNS server takes precedence over one dynamically obtained through DHCP, and an earlier configured DNS server takes precedence over a later one. A name query is first sent to the DNS server that has the highest priority. If no reply is received, it is sent to the DNS server that has the second highest priority, and so on.

In addition, you can configure a DNS suffix that the system automatically adds to the provided domain name for resolution. A manually configured DNS suffix takes precedence over one dynamically obtained through DHCP, and an earlier configured DNS suffix takes precedence over a later one. The DNS resolver first uses the suffix that has the highest priority. If the name resolution fails, the DNS resolver uses the suffix that has the second highest priority, and so on.

Configuration guidelines

Follow these guidelines when you configure dynamic domain name resolution:

·          The system allows a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

·          The system allows a maximum of six DNS server IPv6 addresses for the public network or each VPN instance. You can specify DNS server IPv6 addresses for both public network and VPN instances.

·          An IPv6 name query is first sent to the IPv6 DNS servers. If no reply is received, it is sent to the IPv4 DNS servers.

·          The system allows a maximum of 16 DNS suffixes for the public network or each VPN instance. You can specify DNS suffixes for both public network and VPN instances.

Configuration procedure

To configure dynamic domain name resolution:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify a DNS server.

·         Specify a DNS server IPv4 address:
dns server ip-address [ vpn-instance vpn-instance-name ]

·         Specify a DNS server IPv6 address:
ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

By default, no DNS server is specified.

You can specify both the IPv4 and IPv6 addresses.

3.       (Optional.) Configure a DNS suffix.

dns domain domain-name [ vpn-instance vpn-instance-name ]

By default, no DNS suffix is configured. Only the provided domain name is resolved.

 

Specifying the source interface for DNS packets

By default, the device uses the primary IP address of the output interface of the matching route as the source IP address of a DNS request. Therefore, the source IP address of the DNS packets might vary with DNS servers. In some scenarios, the DNS server only responds to DNS requests sourced from a specific IP address. In such cases, you must specify the source interface for the DNS packets so that the device can always use the primary IP address of the specified source interface as the source IP address of DNS packets.

When sending an IPv4 DNS request, the device uses the primary IPv4 address of the source interface as the source IP address of the DNS request.

You can configure only one source interface on the public network or a VPN instance. You can configure the source interface for both public network and VPN instances.

To specify the source interface for DNS packets:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify the source interface for DNS packets.

dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

By default, no source interface for DNS packets is specified.

If you execute the command multiple times, the most recent configuration takes effect.

If you specify the vpn-instance vpn-instance-name option, make sure the source interface is on the specified VPN.

 

Configuring the DNS trusted interface

By default, an interface obtains DNS suffix and DNS server information from DHCP. An attacker who runs a rogue DHCP server on the network can therefore assign a wrong DNS suffix and DNS server address to the device, so that name resolution fails or, worse, returns an attacker-controlled IP address. After you specify DNS trusted interfaces, the device uses only the DNS suffix and DNS server information obtained through those interfaces, which mitigates this attack. Manually configured DNS servers and suffixes are not affected by this setting.
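The server-selection rules from the dynamic domain name resolution sections (manual before DHCP-learned, earlier configured first, IPv6 servers before IPv4 servers for an IPv6 query) combine with the trusted-interface rule above to decide which server a query actually reaches. The following Python model is an added example, not H3C code. The record layout, the interface names and the sample servers are constructed for illustration, and treating address family as the outer grouping of the ordering is an assumption; the guide states the family rule and the manual-versus-DHCP rule separately.

```python
"""Model of DNS server ordering and DNS trusted-interface filtering.

Added example, not H3C code.  Rules taken from the guide:
  * a query tries servers of its own address family first, then the other
    family (an IPv6 query falls back to IPv4 servers);
  * manually configured servers precede DHCP-learned ones;
  * within a group, the earlier-configured server is tried first;
  * once a trusted interface is set, DHCP-learned DNS information is accepted
    only from trusted interfaces.
Assumption: address family is the outer grouping, source the inner one.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class DnsServer:
    """One DNS server known to the device (constructed record layout).

    source is "manual" (dns server / ipv6 dns server command) or "dhcp";
    interface is the interface the DHCP lease carrying the server arrived on.
    """
    address: str
    source: str
    interface: Optional[str] = None

    @property
    def family(self) -> int:
        return ip_address(self.address).version


def accept_dhcp_info(servers: List[DnsServer],
                     trusted: FrozenSet[str]) -> List[DnsServer]:
    """Apply the trusted-interface rule to DHCP-learned servers.

    With no trusted interface configured, DHCP-learned DNS information is
    accepted from every interface; that default is what a rogue DHCP server
    exploits.  Once at least one trusted interface exists, DHCP-learned entries
    from any other interface are ignored.  Manual entries are never filtered.
    """
    if not trusted:
        return list(servers)
    return [s for s in servers if s.source == "manual" or s.interface in trusted]


def query_order(servers: List[DnsServer], query_family: int,
                trusted: FrozenSet[str] = frozenset()) -> List[DnsServer]:
    """Return the servers in the order a query of query_family (4 or 6) tries them."""
    if query_family not in (4, 6):
        raise ValueError("query_family must be 4 or 6")
    usable = accept_dhcp_info(servers, trusted)

    def rank(s: DnsServer):
        family_rank = 0 if s.family == query_family else 1
        source_rank = 0 if s.source == "manual" else 1
        return (family_rank, source_rank)

    # sorted() is stable, so configuration order survives inside each group.
    return sorted(usable, key=rank)


def query_addresses(servers: List[DnsServer], query_family: int,
                    trusted: FrozenSet[str] = frozenset()) -> List[str]:
    """Same as query_order, reduced to the address strings for easy checking."""
    return [s.address for s in query_order(servers, query_family, trusted)]


# Constructed sample data: the DHCP-learned entries from Vlan-interface20 come
# from an attacker's DHCP server, which hands out 10.9.9.9 as the resolver.
SAMPLE_SERVERS = [
    DnsServer("2001:db8::53", "dhcp", "Vlan-interface20"),
    DnsServer("2.1.1.2", "manual"),
    DnsServer("10.9.9.9", "dhcp", "Vlan-interface20"),
    DnsServer("2001:db8::1", "manual"),
    DnsServer("2.1.1.3", "dhcp", "Vlan-interface10"),
]

if __name__ == "__main__":
    trusted = frozenset({"Vlan-interface10"})
    print("no trusted interface, IPv4 query:", query_addresses(SAMPLE_SERVERS, 4))
    print("Vlan-interface10 trusted, IPv4 query:", query_addresses(SAMPLE_SERVERS, 4, trusted))
    print("Vlan-interface10 trusted, IPv6 query:", query_addresses(SAMPLE_SERVERS, 6, trusted))
```

Without a trusted interface, the rogue 10.9.9.9 is the second server an IPv4 query reaches, right after the one manual server, so a single lost reply from 2.1.1.2 hands resolution to the attacker. On the device, the equivalent hardening is the dns trust-interface command for the interface that faces the legitimate DHCP server, combined with manually configured servers via dns server and ipv6 dns server for the resolvers that must always win.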

To configure the DNS trusted interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify the DNS trusted interface.

dns trust-interface interface-type interface-number

By default, no DNS trusted interface is specified.

You can configure up to 128 DNS trusted interfaces.

 

Setting the DSCP value for outgoing DNS packets

The DSCP value of a packet specifies the priority level of the packet and affects its transmission priority. A larger DSCP value generally represents a higher priority.

To specify the DSCP value for outgoing DNS packets:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify the DSCP value for outgoing DNS packets.

·         DSCP value for IPv4 DNS packets:
dns dscp dscp-value

·         DSCP value for IPv6 DNS packets:
ipv6 dns dscp dscp-value

By default, the DSCP value for outgoing DNS packets is 0.

 

Displaying and maintaining DNS

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display the domain name resolution table.

display dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

Display IPv4 DNS server information.

display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Display DNS suffixes.

display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ]

Clear dynamic DNS entries.

reset dns host [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

 

IPv4 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 2, the host at 10.1.1.2 is named host.com. Configure static IPv4 DNS on the device so that the device can use the easy-to-remember domain name rather than the IP address to access the host.

Figure 2 Network diagram

 

Configuration procedure

# Configure a mapping between host name host.com and IP address 10.1.1.2.

<Sysname> system-view

[Sysname] ip host host.com 10.1.1.2

# Use the ping host.com command to verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.

[Sysname] ping host.com

Ping host.com (10.1.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 3, the device needs to access the host by using an easy-to-remember domain name rather than an IP address, and obtains the IP address from the DNS server on the network through dynamic domain name resolution. The IP address of the DNS server is 2.1.1.2/16, and the DNS server has a com zone that stores the mapping between the domain name host and the IP address 3.1.1.1/16.

Configure dynamic domain name resolution and the domain name suffix com on the device, which acts as the DNS client, so that the device can use the domain name host to access the host whose domain name is host.com and whose IP address is 3.1.1.1/16.

Figure 3 Network diagram

 

Configuration procedure

Before performing the following configuration, make sure the device and the host can reach each other, and that the IP addresses of the interfaces are configured as shown in Figure 3.

1.        Configure the DNS server:

The configuration might vary with DNS servers. The following configuration is performed on a PC running Windows Server 2000.

a.    Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 4.

b.    Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 4 Creating a zone

 

c.    On the DNS server configuration page, right-click zone com, and select New Host.

Figure 5 Adding a host

 

d.    On the page that appears, enter host name host and IP address 3.1.1.1.

e.    Click Add Host.

The mapping between the IP address and host name is created.

Figure 6 Adding a mapping between domain name and IP address

 

2.        Configure the DNS client:

# Specify the DNS server 2.1.1.2.

<Sysname> system-view

[Sysname] dns server 2.1.1.2

# Specify com as the name suffix.

[Sysname] dns domain com

Verifying the configuration

# Use the ping host command on the device to verify that the communication between the device and the host is normal and that the translated destination IP address is 3.1.1.1.

[Sysname] ping host

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

IPv6 DNS configuration examples

Static domain name resolution configuration example

Network requirements

As shown in Figure 7, the host at 1::2 is named host.com. Configure static IPv6 DNS on the device so that the device can use the easy-to-remember domain name rather than the IPv6 address to access the host.

Figure 7 Network diagram

 

Configuration procedure

# Configure a mapping between host name host.com and IPv6 address 1::2.

<Device> system-view

[Device] ipv6 host host.com 1::2

# Verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.

[Device] ping ipv6 host.com

Ping6(56 data bytes) 1::1 --> 1::2, press CTRL_C to break

56 bytes from 1::2, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::2, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Dynamic domain name resolution configuration example

Network requirements

As shown in Figure 8, configure the DNS server to store the mapping between the host's domain name host and IPv6 address 1::1/64 in the com domain. Configure dynamic IPv6 DNS and DNS suffix com on the device so that the device can use domain name host to access the host.

Figure 8 Network diagram

 

Configuration procedure

Before performing the following configuration, make sure that:

·          The device and the host can reach each other.

·          The IPv6 addresses of the interfaces are configured as shown in Figure 8.

1.        Configure the DNS server:

The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2003. Make sure that the DNS server supports IPv6 DNS so that the server can process IPv6 DNS packets and its interfaces can forward IPv6 packets.

a.    Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 9.

b.    Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 9 Creating a zone


 

c.    On the DNS server configuration page, right-click zone com, and select Other New Records.

Figure 10 Creating a record


 

d.    On the page that appears, select IPv6 Host (AAAA) as the resource record type.

Figure 11 Selecting the resource record type


e.    Enter host name host and IPv6 address 1::1.

f.     Click OK.

The mapping between the IPv6 address and the host name is created.

Figure 12 Adding a mapping between domain name and IPv6 address


 

2.        Configure the DNS client:

# Specify the DNS server 2::2.

<Device> system-view

[Device] ipv6 dns server 2::2

# Configure com as the DNS suffix.

[Device] dns domain com

Verifying the configuration

# Verify that the device can use dynamic domain name resolution to resolve the domain name host.com into the IPv6 address 1::1.

[Device] ping ipv6 host

Ping6(56 data bytes) 3::1 --> 1::1, press CTRL_C to break

56 bytes from 1::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Troubleshooting IPv4 DNS configuration

Symptom

After configuring dynamic domain name resolution, the user cannot get the correct IP address.

Solution

1.        Use the display dns host ip command to verify that the specified domain name is in the cache.

2.        If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.

3.        If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.

4.        Verify that the mapping between the domain name and IP address is correct on the DNS server.

Troubleshooting IPv6 DNS configuration

Symptom

After configuring dynamic domain name resolution, the user cannot get the correct IPv6 address.

Solution

1.        Use the display dns host ipv6 command to verify that the specified domain name is in the cache.

2.        If the specified domain name does not exist, check that an IPv6 DNS server is configured and that the DNS client can communicate with the DNS server.

3.        If the specified domain name is in the cache, but the IPv6 address is incorrect, check that the DNS client has the correct IPv6 address of the DNS server.

4.        Verify that the mapping between the domain name and IPv6 address is correct on the DNS server.
