H3C Firewall Products Comware 7 Web Configuration Guide-6W402, 03-Policies, 13-Transparent DNS proxy

Transparent DNS proxy

This help contains the following topics:

·     Introduction

·     Configure transparent DNS proxy

¡     Configure health monitoring (optional)

¡     Configure a sticky group (optional)

¡     Configure a class

¡     Configure a link

¡     Configure a DNS server

¡     Configure a DNS server pool

¡     Configure a proxy policy

Introduction

As shown in Figure 1, intranet users of an enterprise can access external servers A and B through link 1 of ISP 1 and link 2 of ISP 2. External servers A and B provide the same services. All DNS requests of intranet users are forwarded to DNS server A, which returns the resolved IP address of external server A to the requesting users. In this way, all traffic of intranet users is forwarded on one link. Link congestion might occur.

The transparent DNS proxy feature can solve this problem by forwarding DNS requests to DNS servers in different ISPs. All traffic from intranet users is evenly distributed on multiple links. This feature can prevent link congestion and ensure service continuity upon a link failure.

Figure 1 Transparent DNS proxy

Transparent DNS proxy workflow

The transparent DNS proxy is implemented by changing the destination IP address of DNS requests.

As shown in Figure 2, if the destination port number of an incoming DNS request is the same as the port number specified for a transparent DNS proxy, the device processes the DNS request as follows:

1.     Finds the DNS server pool associated with the transparent DNS proxy.

2.     Selects a DNS server to service the DNS request according to the scheduling algorithm of the associated DNS server pool.

The IP address of the selected DNS server is used as the destination IP address of the DNS request.

The DNS server resolves the domain name in the DNS request into the IP address of the external server and sends a DNS response.

The intranet user accesses the external server according to the resolved IP address in the DNS response.

Figure 2 Transparent DNS proxy workflow

Configure transparent DNS proxy

Figure 3 shows the configuration procedure for transparent DNS proxy.

Figure 3 Transparent DNS proxy configuration procedure

Configure health monitoring (optional)

The health monitoring configuration can be used by a DNS server or DNS server pool.

For detailed steps required to configure health monitoring, see the help for load balancing common configuration.

Configure a sticky group (optional)

A sticky group can be used by an IPv4 or IPv6 proxy policy.

For detailed steps required to configure sticky groups, see the help for load balancing common configuration.

Configure a class

A class classifies packets by comparing packets against specific rules. Matching packets are further processed by LB actions.

Procedure

1.     Select Policies > Load Balancing > Link Load Balancing > DNS Proxy > Class.

2.     Click Create on the Class page.

3.     Create a class.

Table 1 Class configuration items

Item

Description

Class name

Enter a name for the class, case insensitive.

Match type

Select a match type:

·     Match any—A packet matches a class if it matches any of the rules in the class.

·     Match all—A packet matches a class if it matches all rules in the class.

Match rule

A class can contain a maximum of 65535 match rules.

To configure a match rule:

1.     Click Create, and configure the following items on the Create Match Rule page:

¡     Rule ID—Enter a rule ID. Rules are matched in ascending order of rule IDs.

¡     Type—Select a rule type. Options include Source IPv4 address, Source IPv6 address, Destination IPv4 address, Destination IPv6 address, Class, IPv4 ACL, IPv6 ACL, Domain name, User, and Input interface.

¡     IPv4 address—Specify the IPv4 address to match. This parameter appears only if you have selected Source IPv4 address or Destination IPv4 address from the Type list.

¡     Mask length—Specify the mask length for the IPv4 address. This parameter appears only if you have selected Source IPv4 address or Destination IPv4 address from the Type list.

¡     IPv6 address—Specify the IPv6 address to match. This parameter appears only if you have selected Source IPv6 address or Destination IPv6 address from the Type list.

¡     Prefix length—Specify the prefix length for the IPv6 address. This parameter appears only if you have selected Source IPv6 address or Destination IPv6 address from the Type list.

¡     Class—Specify the class to match. This parameter appears only if you have selected Class from the Type list.

¡     IPv4 ACL—Specify the IPv4 ACL to match. You can select an existing ACL or create an ACL. A created ACL can be viewed from the Objects > ACL > IPv4 page. This parameter appears only if you have selected IPv4 ACL from the Type list.

¡     IPv6 ACL—Specify the IPv6 ACL to match. You can select an existing ACL or create an ACL. A created ACL can be viewed from the Objects > ACL > IPv6 page. This parameter appears only if you have selected IPv6 ACL from the Type list.

¡     Domain name—Specify the domain name to match. The domain name is a case-insensitive string of 1 to 253 characters. Each dot-separated part in the domain name can contain a maximum of 63 characters. The domain name can contain letters, digits, hyphens (-), underscores (_), dots (.), and the wildcards asterisk (*) and question mark (?). A wildcard can substitute any characters except dots (.): an asterisk (*) substitutes a character string, and a question mark (?) substitutes a single character. This parameter appears only if you have selected Domain name from the Type list.

¡     User—Specify the user or user group to match. You can select an existing user or user group or create a user or user group. This parameter appears only if you have selected User from the Type list.

¡     Input interface—Specify the input interface to match. This parameter appears only if you have selected Input interface from the Type list.

2.     Click OK. The new match rule appears in the match rule list.

Description

Enter a description for the class.

4.     Click OK. The new class appears on the Class page.
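The domain-name match rule described above, modeled in Python as an added example (not code from the guide or from H3C): it validates a rule string against the stated length and character constraints and matches query names label by label, so that the wildcards never cross a dot. The function names and the (rule ID, pattern) list format are assumptions of this model.

```python
"""Model of the transparent DNS proxy domain-name match rule (constructed
example, not H3C code): validates a rule against the documented constraints
and matches query names against it. '*' and '?' never cross a dot, so the
rule is matched label by label."""
import re
from typing import List, Optional, Tuple

MAX_NAME_LEN = 253   # whole domain name, 1 to 253 characters
MAX_LABEL_LEN = 63   # each dot-separated part
_LABEL_CHARS = re.compile(r"^[A-Za-z0-9_\-*?]+$")  # letters, digits, - _ * ?


def validate_pattern(pattern: str) -> Optional[str]:
    """Return None if the rule satisfies the documented constraints, else why not."""
    if not 1 <= len(pattern) <= MAX_NAME_LEN:
        return "domain name must be 1 to 253 characters"
    for label in pattern.split("."):
        if not label:
            return "empty label (leading, trailing or doubled dot)"
        if len(label) > MAX_LABEL_LEN:
            return f"label {label!r} exceeds 63 characters"
        if not _LABEL_CHARS.match(label):
            return f"label {label!r} contains a character outside letters, digits, -, _, *, ?"
    return None


def compile_pattern(pattern: str) -> "re.Pattern[str]":
    """Translate the rule into a regex, label by label: '*' becomes [^.]* and
    '?' becomes [^.], so neither wildcard can consume the dot between labels."""
    err = validate_pattern(pattern)
    if err:
        raise ValueError(err)
    labels = [
        "".join("[^.]*" if c == "*" else "[^.]" if c == "?" else re.escape(c)
                for c in label)
        for label in pattern.split(".")
    ]
    return re.compile("^" + r"\.".join(labels) + "$", re.IGNORECASE)


def domain_matches(pattern: str, qname: str) -> bool:
    """True if the queried name (a trailing dot is tolerated) matches the rule."""
    return compile_pattern(pattern).match(qname.rstrip(".")) is not None


def first_matching_rule(rules: List[Tuple[int, str]], qname: str) -> Optional[int]:
    """Rules are matched in ascending order of rule ID; return the first hit."""
    for rule_id, pattern in sorted(rules):
        if domain_matches(pattern, qname):
            return rule_id
    return None
```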

Configure a link

For detailed steps required to configure links, see the help for load balancing common configuration.

Configure a DNS server

Perform this task to configure an entity on the LB device for processing DNS requests. DNS servers configured on the LB device correspond to DNS servers in ISP networks. A DNS server can belong to multiple DNS server pools. A DNS server pool can contain multiple DNS servers.

Procedure

1.     Select Policies > Load Balancing > Link Load Balancing > DNS Proxy > DNS Server.

2.     Click Create on the DNS Server page.

3.     Create a DNS server.

Table 2 DNS server configuration items

Item

Description

DNS server name

Enter a name for the DNS server, case insensitive.

IP address configuration method

Select an IP address configuration method:

·     Manual.

·     Automatic. To use this method, an outgoing interface must be specified on the Create Link page.

IPv4 address

Enter an IPv4 address for the DNS server.

The IPv4 address cannot be a loopback address, multicast address, broadcast address, or 0.X.X.X.

IPv6 address

Enter an IPv6 address for the DNS server.

The IPv6 address cannot be a loopback address, multicast address, link-local address, or all-zero address.

Port number

Enter a port number for the DNS server. The value 0 means the port number carried in the packet is used.

Weight

Enter a weight for the DNS server. A DNS server with a greater weight value has a higher priority than a DNS server with a smaller weight value.

Priority

Enter a priority for the DNS server in the DNS server pool. A DNS server with a greater priority value has a higher priority than a DNS server with a smaller priority value.

If the number of DNS servers with the highest priority is smaller than the configured minimum number, DNS servers with lower priority are selected to meet the minimum number or until no DNS servers are available.

You can configure the maximum number and minimum number from Policies > Load Balancing > Link Load Balancing > DNS Proxy > DNS Server Pool.

Probe method

Specify a probe template used by the DNS server to detect health and availability. You can also configure this parameter for all DNS servers in a DNS server pool from Policies > Load Balancing > Link Load Balancing > DNS Proxy > DNS Server Pool. The configuration on the DNS Server page takes precedence over that on the DNS Server Pool page.

You can select an existing probe template or create a probe template. The created probe template can be viewed from the Objects > Health Monitoring page.

Success criteria

Specify the health monitoring success criteria for the DNS server.

·     All probes succeed—Health monitoring succeeds only when all the specified health monitoring methods succeed.

·     At least n probes succeed—Health monitoring succeeds when a minimum of the specified number of health monitoring methods succeed. When the specified number of health monitoring methods is greater than the number of health monitoring methods on the device, health monitoring succeeds if all health monitoring methods succeed.

Link

Specify a link to associate with the DNS server.

You can select an existing link or create a link. A created link can be viewed from Policies > Load Balancing > Common Configuration > Links.

Description

Enter a description for the DNS server.

4.     Click OK. The new DNS server appears on the DNS Server page.

Configure a DNS server pool

By configuring a DNS server pool, you can perform centralized management on DNS servers that have similar functions.

Procedure

1.     Select Policies > Load Balancing > Link Load Balancing > DNS Proxy > DNS Server Pool.

2.     Click Create on the DNS Server Pool page.

3.     Create a DNS server pool.

Table 3 DNS server pool configuration items

Item

Description

Pool name

Enter a name for the DNS server pool, case insensitive.

Scheduling algorithm

Select a scheduling algorithm for the DNS server pool.

·     Bandwidth algorithm—Distributes DNS requests to DNS servers according to the weights and remaining bandwidths of DNS servers. When the remaining bandwidths of two DNS servers are the same, this algorithm is equivalent to the round-robin algorithm. When the weights of two DNS servers are the same, this algorithm always distributes DNS requests to the DNS server that has larger remaining bandwidth.

·     Random algorithm—Distributes DNS requests to DNS servers randomly.

·     Weighted round-robin algorithm—Distributes DNS requests to DNS servers in a round-robin manner according to the weights of DNS servers. A DNS server with a greater weight value is assigned more DNS requests.

·     Maximum bandwidth algorithm—Distributes DNS requests always to an idle DNS server that has the largest remaining bandwidth.

·     Source IP address hash algorithm—Hashes the source IP address of DNS requests and distributes DNS requests to different DNS servers according to the hash values.

·     Source IP address and port hash algorithm—Hashes the source IP address and port number of DNS requests and distributes DNS requests to different DNS servers according to the hash values.

·     Destination IP address hash algorithm—Hashes the destination IP address of DNS requests and distributes DNS requests to different DNS servers according to the hash values.

By default, the bandwidth algorithm is used.

Priority scheduling

Specify the maximum and minimum numbers of DNS servers in the DNS server pool that can be scheduled. By default, all DNS servers with the highest priority in the DNS server pool are scheduled.

·     If the number of DNS servers with the highest priority is greater than the configured maximum number, the maximum number applies.

·     If the number of such DNS servers is less than the minimum number, DNS servers with lower priority are selected to meet the minimum number or until no DNS servers are available.

The DNS server priority can be configured from Policies > Load Balancing > Link Load Balancing > DNS Proxy > DNS Server.

Health monitoring method

Specify a probe template used by the DNS server pool to detect the health and availability of its DNS servers. You can also configure this parameter for a single DNS server from Policies > Load Balancing > Link Load Balancing > DNS Proxy > DNS Server. The configuration on the DNS Server page takes precedence over that on the DNS Server Pool page.

You can select an existing probe template or create a probe template. A created probe template can be viewed from the Objects > Health Monitoring page.

Success criteria

Specify the health monitoring success criteria for the DNS server pool.

·     All probes succeed—Health monitoring succeeds only when all the specified health monitoring methods succeed.

·     At least n probes succeed—Health monitoring succeeds when a minimum of the specified number of health monitoring methods succeed. When the specified number of health monitoring methods is greater than the number of health monitoring methods on the device, health monitoring succeeds if all health monitoring methods succeed.

DNS server list

You can add a DNS server to a DNS server pool in one of the following ways:

Create a DNS server and add it to the DNS server pool.

1.     Click Add, and select Create DNS server.

2.     Configure the parameters for the DNS server (see "Configure a DNS server").

3.     Click OK. The new DNS server appears in the DNS server list.

Select an existing DNS server.

1.     Click Add, and select Select existing DNS server.

2.     Select a DNS server from the list, and configure DNS server parameters (see "Configure a DNS server").

3.     Click OK. The DNS server appears in the DNS server list.

Description

Enter a description for the DNS server pool.

4.     Click OK. The new DNS server pool appears on the DNS Server Pool page.
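The DNS server selection that the workflow section, the Weight, Priority and Port number items of Table 2, and the Scheduling algorithm and Priority scheduling items above describe, as an added Python model (not code from the guide or from H3C). The class layout, treating a maximum of 0 as "no limit", the slot expansion used for weighted round-robin, and forwarding a request unchanged when no server is usable are assumptions of this model; the bandwidth and hash algorithms are not modeled.

```python
"""Model of the DNS server pool scheduling and the proxy step described above
(constructed example, not H3C code); see the lead-in for its assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DnsServer:
    name: str
    ip: str
    weight: int = 1       # greater weight: more requests under weighted round-robin
    priority: int = 1     # greater value: higher priority within the pool
    port: int = 0         # 0: keep the destination port carried in the request
    healthy: bool = True  # outcome of health monitoring


@dataclass
class DnsServerPool:
    servers: List[DnsServer]
    max_servers: int = 0  # upper limit of schedulable servers; 0 means no limit
    min_servers: int = 1  # lower limit of schedulable servers
    turn: int = 0         # round-robin position

    def schedulable(self) -> List[DnsServer]:
        """Priority scheduling: healthy servers at the highest priority, capped at
        max_servers; if fewer than min_servers, add lower-priority ones in order."""
        healthy = sorted((s for s in self.servers if s.healthy),
                         key=lambda s: -s.priority)
        if not healthy:
            return []
        top_n = sum(1 for s in healthy if s.priority == healthy[0].priority)
        if self.max_servers and top_n > self.max_servers:
            return healthy[:self.max_servers]
        return healthy[:max(top_n, self.min_servers)]

    def select(self) -> Optional[DnsServer]:
        """Weighted round-robin: a server with weight w gets w slots per cycle."""
        slots = [s for s in self.schedulable() for _ in range(max(s.weight, 1))]
        if not slots:
            return None
        server = slots[self.turn % len(slots)]
        self.turn += 1
        return server


def proxy_dns_request(pool: DnsServerPool, proxy_port: int, dst_ip: str,
                      dst_port: int) -> tuple:
    """Transparent DNS proxy step: only a request whose destination port equals
    the proxy port is rewritten to the selected server's IP (and port, unless the
    server port is 0). Returns (ip, port, server name or None if unchanged)."""
    server = pool.select() if dst_port == proxy_port else None
    if server is None:  # other port, or no usable DNS server: pass through unchanged
        return dst_ip, dst_port, None
    return server.ip, server.port or dst_port, server.name
```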

Configure a proxy policy

A proxy policy associates a class and an action. You can specify an action to take on a class of packets in a proxy policy.

You can specify only one class in a proxy policy. The device matches packets against proxy policies in their configuration order. If a packet matches a class, the device takes the associated action on the packet. If a packet matches no class, the device takes the action associated with the system-defined class named Default on the packet.

Common procedure

1.     Select Policies > Load Balancing > Link Load Balancing > DNS Proxy.

2.     On the IPv4/IPv6 Proxy Policy page, configure the common settings.

Table 4 Common configuration items

Item

Description

Status

Status of the transparent DNS proxy:

·     Available.

·     Unavailable. Please check the configuration.

Proxy port

Enter a proxy port number. If the destination port number of an incoming DNS request is the same as the proxy port number, the device performs the transparent DNS proxy on the DNS request.

Transparent DNS proxy

Enable or disable the transparent DNS proxy feature.

IPv6 proxy policies do not support this parameter.

Link protection

Enable or disable the link protection feature. This feature enables a transparent DNS proxy to select a DNS server based on the link bandwidth ratio. If the bandwidth ratio of a link is exceeded, the DNS server is not selected.

Session extension information synchronization

Enable or disable session extension information synchronization.

Sticky entry synchronization

Enable or disable sticky entry synchronization.

Sticky entry synchronization type

Select the sticky entry synchronization type:

·     Intra-group synchronization. Synchronizes sticky entries to the device in the same failover group.

·     Global synchronization. Synchronizes sticky entries to devices in all failover groups.

This function is available only when sticky entry synchronization is enabled.

Support for this function depends on the device model.

Procedure for configuring an IPv4/IPv6 proxy policy

1.     Select Policies > Load Balancing > Link Load Balancing > DNS Proxy > IPv4/IPv6 Proxy Policy.

2.     Click Create on the IPv4/IPv6 Proxy Policy page.

3.     Create an IPv4/IPv6 proxy policy.

Table 5 IPv4/IPv6 proxy policy configuration items

Item

Description

Class

Select an existing class or create a class. A created class can be viewed from Policies > Load Balancing > Link Load Balancing > DNS Proxy > Class.

Forwarding action

Select a forwarding action.

·     Load balance

·     Discard

·     Forward

·     Skip the transparent DNS proxy

ToS

Enter the ToS field value in IP packets sent to the DNS server.

DNS server pool

Select an existing DNS server pool or create a DNS server pool. The created DNS server pool can be viewed from Policies > Load Balancing > Link Load Balancing > DNS Proxy > DNS Server Pool.

Sticky group

Select an existing sticky group or create a sticky group. The created sticky group can be viewed from Policies > Load Balancing > Common Configuration > Sticky Groups.

Only address-port sticky groups are supported.

Fallback action

Specify whether to match the next rule when no DNS server can be found.

Busy action

Specify whether to match the next rule when all DNS servers are busy.

Insert before

Specify an existing proxy policy before which the new policy is inserted.

4.     Click OK. The new proxy policy appears on the IPv4/IPv6 Proxy Policy page.