05-Layer 3 - IP Services Configuration Guide

02-DNS configuration

Configuring DNS

About DNS

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry.

Types of DNS services

DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.

Static domain name resolution

Static domain name resolution means manually creating mappings between domain names and IP addresses. For example, you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain name.

Dynamic domain name resolution

Architecture

Figure 1 shows the relationship between the user program, DNS client, and DNS server. The DNS client includes the resolver and cache. The user program and DNS client can run on the same device or different devices. The DNS server and the DNS client usually run on different devices.

Figure 1 Dynamic domain name resolution

 

The device can function as a DNS client, but not a DNS server.

If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.

Resolution process

The dynamic domain name resolution process is as follows:

1.     A user program sends a name query to the resolver of the DNS client.

2.     The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.

3.     The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to other DNS servers. This process continues until a result, whether successful or not, is returned.

4.     After receiving a response from the DNS server, the DNS client returns the resolution result to the user program.

Caching

Dynamic domain name resolution allows the DNS client to store latest DNS entries in the DNS cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires. The DNS server determines how long a mapping is valid, and the DNS client obtains the aging information from DNS responses.

DNS suffixes

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name.

For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.

The name resolver handles the queries based on the domain names that the user enters:

·     If the user enters a domain name without a dot (.) (for example, aabbcc), the resolver considers the domain name to be a host name. It adds a DNS suffix to the host name before performing the query operation. If no match is found for any host name and suffix combination, the resolver uses the user-entered domain name (for example, aabbcc) for the IP address query.

·     If the user enters a domain name with a dot (.) among the letters (for example, www.aabbcc), the resolver directly uses this domain name for the query operation. If the query fails, the resolver adds a DNS suffix for another query operation.

·     If the user enters a domain name with a dot (.) at the end (for example, aabbcc.com.), the resolver considers the domain name an FQDN and returns the successful or failed query result. The dot at the end of the domain name is considered a terminating symbol.

DNS tasks at a glance

To configure DNS, perform the following tasks:

1.     Configuring the DNS client

Choose the following tasks as needed:

¡     Configuring static domain name resolution

¡     Configuring dynamic domain name resolution

2.     (Optional.) Configuring network mode tracking for an output interface

This feature takes effect on the cellular interface when the interface acts as the output interface to reach the DNS server.

3.     (Optional.) Specifying the source interface for DNS packets

4.     (Optional.) Configuring the DNS trusted interface

5.     (Optional.) Setting the DSCP value for outgoing DNS packets

Configuring the DNS client

Configuring static domain name resolution

Restrictions and guidelines

For the public network or a VPN instance, each host name maps to only one IPv4 address.

A maximum of 2048 DNS entries can be configured for the public network or each VPN instance. You can configure DNS entries for both public network and VPN instances.

Procedure

1.     Enter system view.

system-view

2.     Configure a host name-to-address mapping.

ip host host-name ip-address [ vpn-instance vpn-instance-name ]

Configuring dynamic domain name resolution

Restrictions and guidelines

·     The limit on the number of DNS servers on the device is as follows:

¡     In system view, you can specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

¡     In interface view, you can specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

·     A DNS server address specified in system view takes priority over a DNS server address specified in interface view. A DNS server address specified earlier has a higher priority. A DNS server address manually specified takes priority over a DNS server address dynamically obtained. The device first sends a DNS query to the DNS server address of the highest priority. If the first query fails, it sends the DNS query to the DNS server address of the second highest priority, and so on.

·     You can configure a DNS suffix that the system automatically adds to the incomplete domain name that a user enters.

¡     You can configure a maximum of 16 DNS suffixes for the public network or each VPN instance. You can configure DNS suffixes for both public network and VPN instances.

¡     A DNS suffix manually configured takes priority over a DNS suffix dynamically obtained. A DNS suffix configured earlier has a higher priority. The device first uses the suffix that has the highest priority. If the query fails, the device uses the suffix that has the second highest priority, and so on.
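The lookup order described under "DNS suffixes" and the suffix priority rule above, worked through as an added example (not H3C code). The function names and the `RECORDS` table are hypothetical; the table is constructed data standing in for the DNS server.

```python
# Added illustration; names are hypothetical and RECORDS is constructed data.

def suffix_order(manual, dynamic):
    """Manual suffixes outrank dynamically obtained ones; earlier outranks later."""
    ordered = []
    for suffix in list(manual) + list(dynamic):
        suffix = suffix.strip(".").lower()
        if suffix and suffix not in ordered:
            ordered.append(suffix)
    return ordered


def candidate_queries(name, manual=(), dynamic=()):
    """Names the resolver tries, in order, for the name the user entered."""
    if name.endswith("."):
        # Trailing dot: FQDN, queried once and never combined with a suffix.
        return [name[:-1]]
    with_suffix = [f"{name}.{s}" for s in suffix_order(manual, dynamic)]
    if "." in name:
        # Dot inside the name: query it as entered, then retry with suffixes.
        return [name] + with_suffix
    # No dot: host name; try each suffix first, the bare name last.
    return with_suffix + [name]


def resolve(name, records, manual=(), dynamic=()):
    """Return (matched_name, address, names_tried); first match wins."""
    tried = []
    for query in candidate_queries(name, manual, dynamic):
        tried.append(query)
        address = records.get(query.lower())
        if address is not None:
            return query, address, tried
    return None, None, tried


# Constructed stand-in for the DNS server: one host label under two suffixes.
RECORDS = {
    "aabbcc.com": "192.0.2.10",
    "aabbcc.lab.example": "198.51.100.66",
}

if __name__ == "__main__":
    cases = [
        ("aabbcc", ["com"], ["lab.example"]),   # manual suffix is tried first
        ("aabbcc", [], ["lab.example"]),        # only a learned suffix exists
        ("www.aabbcc", ["com"], []),            # dotted name goes out as entered
        ("aabbcc.com.", [], ["lab.example"]),   # FQDN ignores the suffix list
    ]
    for typed, manual, dynamic in cases:
        print(typed, "->", resolve(typed, RECORDS, manual, dynamic))
```

In the second case the only suffix is a dynamically obtained one, so it decides which address aabbcc resolves to. A manually configured suffix or a trailing dot removes that dependence.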

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Configure a DNS suffix.

dns domain domain-name [ vpn-instance vpn-instance-name ]

By default, no DNS suffix is configured and only the domain name that a user enters is resolved.

3.     Specify a DNS server address.

dns server ip-address [ vpn-instance vpn-instance-name ]

By default, no DNS server address is specified.

Configuring network mode tracking for an output interface

About this task

This feature tracks the network mode of an output interface and spoofs DNS requests by using the configured replied IPv4 or IPv6 address if the network mode is 2G. This feature takes effect on the cellular interface when the interface acts as the output interface to reach the DNS server. Spoofing DNS requests avoids DNS packet loss that might be caused by limited 2G network bandwidth.

Restrictions and guidelines

As a best practice, specify a private IPv4 or IPv6 address on the device as the address used to spoof DNS requests if the network mode is 2G.

Procedure

1.     Enter system view.

system-view

2.     Configure the device to track the network mode of an output interface.

dns spoofing track controller interface-type interface-number

By default, the device does not track the network mode of an output interface.

Specifying the source interface for DNS packets

About this task

This task enables the device to always use the primary IP address of the specified source interface as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is configured on the source interface, no DNS packets can be sent out.

Restrictions and guidelines

You can configure only one source interface on the public network or a VPN instance. You can configure source interfaces for both public network and VPN instances.

Make sure the source interface belongs to the specified VPN instance if you specify the vpn-instance vpn-instance-name option.

Procedure

1.     Enter system view.

system-view

2.     Specify the source interface for DNS packets.

dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

By default, no source interface for DNS packets is specified.

Configuring the DNS trusted interface

About this task

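By default, the device uses the DNS suffix and domain name server information obtained through any interface for domain name resolution. If that information is incorrect, for example because an unauthorized DHCP server assigned it, the device fails to resolve domain names or resolves them to wrong IP addresses. After you specify DNS trusted interfaces, the device uses only the DNS suffix and domain name server information obtained through those interfaces.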

Restrictions and guidelines

You can configure a maximum of 128 DNS trusted interfaces.

Procedure

1.     Enter system view.

system-view

2.     Specify the DNS trusted interface.

dns trust-interface interface-type interface-number

By default, no DNS trusted interface is specified.

Setting the DSCP value for outgoing DNS packets

About this task

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DNS packets sent by a DNS client.

dns dscp dscp-value

By default, the DSCP value is 0 in IPv4 DNS packets sent by a DNS client.

Display and maintenance commands for DNS

Execute display commands in any view and reset commands in user view.

 

| Task | Command |
| --- | --- |
| Display DNS suffixes. | display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ] |
| Display the domain name resolution table. | display dns host [ ip ] [ vpn-instance vpn-instance-name ] |
| Display IPv4 DNS server information. | display dns server [ dynamic ] [ vpn-instance vpn-instance-name ] |
| Clear dynamic DNS entries. | reset dns host [ ip ] [ vpn-instance vpn-instance-name ] |

 

IPv4 DNS configuration examples

Example: Configuring static domain name resolution

Network configuration

As shown in Figure 2, the host at 10.1.1.2 is named host.com. Configure static IPv4 DNS on the device so that the device can use the easy-to-remember domain name rather than the IP address to access the host.

Figure 2 Network diagram

 

Procedure

# Configure a mapping between host name host.com and IP address 10.1.1.2.

<Sysname> system-view

[Sysname] ip host host.com 10.1.1.2

# Verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.

[Sysname] ping host.com

Ping host.com (10.1.1.2): 56 data bytes, press CTRL+C to break

56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Example: Configuring dynamic domain name resolution

Network configuration

As shown in Figure 3, configure the DNS server to store the mapping between the host's domain name host and IPv4 address 3.1.1.1/16 in the com domain. Configure dynamic IPv4 DNS and DNS suffix com on the device so that the device can use domain name host to access the host.

Figure 3 Network diagram

 

Procedure

Before performing the following configuration, make sure that:

·     The device and the host can reach each other.

·     The IP addresses of the interfaces are configured as shown in Figure 3.

1.     Configure the DNS server:

The configuration might vary by DNS server. The following configuration is performed on a PC running Windows Server 2008 R2.

a.     Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 4.

b.     Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 4 Creating a zone

 

c.     On the DNS server configuration page, right-click zone com and select New Host.

Figure 5 Adding a host

 

d.     On the page that appears, enter host name host and IP address 3.1.1.1.

e.     Click Add Host.

The mapping between the IP address and host name is created.

Figure 6 Adding a mapping between domain name and IP address

 

2.     Configure the DNS client:

# Specify the DNS server 2.1.1.2.

<Sysname> system-view

[Sysname] dns server 2.1.1.2

# Specify com as the name suffix.

[Sysname] dns domain com

Verifying the configuration

# Verify that the device can use the dynamic domain name resolution to resolve domain name host.com into IP address 3.1.1.1.

[Sysname] ping host

Ping host.com (3.1.1.1): 56 data bytes, press CTRL+C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Troubleshooting DNS configuration

Failure to resolve IPv4 addresses

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IP address.

Solution

To resolve the problem:

1.     Use the display dns host ip command to verify that the specified domain name is in the cache.

2.     If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.

3.     If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.

4.     Verify that the mapping between the domain name and IP address is correct on the DNS server.


Configuring DDNS

About DDNS

DNS provides only the static mappings between domain names and IP addresses. When the IP address of a node changes, your access to the node fails.

Dynamic Domain Name System (DDNS) can dynamically update the mappings between domain names and IP addresses for DNS servers.

Figure 7 shows the typical DDNS application.

Figure 7 DDNS application

 

DDNS works on the client-server model.

·     DDNS client—A device that needs to update the mapping between its domain name and IP address dynamically on the DNS server when its IP address changes. An Internet user typically accesses an application layer server such as an HTTP server or an FTP server by using the server's domain name. When its IP address changes, the application layer server runs as a DDNS client. It sends a request to the DDNS server for updating the mapping between its domain name and its IP address.

·     DDNS server—Informs the DNS server of latest mappings. When receiving the mapping update request from a DDNS client, the DDNS server tells the DNS server to re-map the domain name and the IP address of the DDNS client. Therefore, the Internet users can use the same domain name to access the DDNS client even if the IP address of the DDNS client has changed.

The device can function as a DDNS client to update the domain name-IP address mappings on the DNS servers through DDNS servers such as www.3322.org and PeanutHull.

 

 

NOTE:

The DDNS update process does not have a unified standard but varies by DDNS server that the DDNS client contacts.

 

DDNS client tasks at a glance

To configure a DDNS client, perform the following tasks:

1.     Configuring a DDNS policy

2.     Applying the DDNS policy to an interface

3.     (Optional.) Setting the DSCP value for outgoing DDNS packets

Configuring a DDNS policy

About this task

A DDNS policy contains the DDNS server address, port number, login ID, password, time interval, and update time interval. After creating a DDNS policy, you can apply it to multiple interfaces to simplify DDNS configuration.

Restrictions and guidelines

The URL address for update requests varies by DDNS server.

Table 1 Common URL addresses

| DDNS server | URL address for DDNS update requests |
| --- | --- |
| www.3322.org | http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a> |
| DYNDNS | http://members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a> |
| DYNS | http://www.dyns.cx/postscript.php?host=<h>&ip=<a> |
| ZONEEDIT | http://dynamic.zoneedit.com/auth/dynamic.html?host=<h>&dnsto=<a> |
| TZO | http://cgi.tzo.com/webclient/signedon.html?TZOName=<h>IPAddress=<a> |
| EASYDNS | http://members.easydns.com/dyn/ez-ipupdate.php?action=edit&myip=<a>&host_id=<h> |
| HEIPV6TB | http://dyn.dns.he.net/nic/update?hostname=<h>&myip=<a> |
| CHANGE-IP | http://nic.changeip.com/nic/update?hostname=<h>&offline=1 |
| NO-IP | http://dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a> |
| DHS | http://members.dhs.org/nic/hosts?domain=dyn.dhs.org&hostname=<h>&hostscmd=edit&hostscmdstage=2&type=1&ip=<a> |
| HP | https://server-name/nic/update?group=group-name&myip=<a> |
| ODS | ods://update.ods.org |
| GNUDIP | gnudip://server-name |
| PeanutHull | Select the URL according to your network situation: oray://phddns60.oray.net or oray://phservice2.oray.net |

 

Identify the DDNS server type in your network and use the following restrictions and guidelines to set an appropriate URL address:

·     The URL address for an update request can start with:

¡     http://—The HTTP-based DDNS server.

¡     https://—The HTTPS-based DDNS server.

¡     ods://—The TCP-based ODS server.

¡     gnudip://—The TCP-based GNUDIP server.

¡     oray://—The TCP-based PeanutHull DDNS server.

·     HP and GNUDIP are common DDNS update protocols. The server-name argument is the domain name or IP address of the service provider's server using one of the update protocols.

·     The port number in the URL address is optional. If no port is specified, the system uses the default port numbers: port 80 for HTTP, port 443 for HTTPS, and port 6060 for PeanutHull DDNS server.

·     The <h> value can be automatically filled with an FQDN if it is specified in the command for applying a DDNS policy to an interface. The <a> value is automatically filled with the primary IP address of the interface to which the DDNS policy is applied. For more information about applying DDNS policies, see "Applying the DDNS policy to an interface."

·     You can also manually specify an FQDN and an IP address for the <h> and <a> fields. In this case, the FQDN specified at the CLI does not take effect. As a best practice, do not manually change the <h> and <a> because your configuration might be incorrect.

·     No FQDN or IP address can be specified in the URL address for update requests sent to the PeanutHull DDNS server. You can specify the FQDN when applying the DDNS policy to an interface. The IP address is the primary IP address of the interface to which the DDNS policy is applied.
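A pre-deployment check for a DDNS policy `url` value, written as an added example (not H3C code) that applies the URL rules above together with two rules this guide states in the procedures: the URL cannot contain a username or password, and the fqdn option is required for every server except PeanutHull. The function names and finding labels are hypothetical, and flagging `http://` as cleartext is an added observation rather than a rule from this guide.

```python
import ipaddress
from urllib.parse import quote, urlsplit

# Default ports stated in this guide; none is given for ods:// or gnudip://.
DEFAULT_PORTS = {"http": 80, "https": 443, "oray": 6060}
SCHEMES = ("http", "https", "ods", "gnudip", "oray")


def audit_ddns_url(url, fqdn=None):
    """Return ((scheme, host, port), findings) for a DDNS policy URL."""
    findings = []
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in SCHEMES:
        return None, ["unsupported-scheme"]
    if parts.username is not None or parts.password is not None:
        # Credentials belong in the username and password commands.
        findings.append("credentials-in-url")
    if scheme == "http":
        # Added observation: HTTP is unencrypted on the wire.
        findings.append("cleartext-http")
    if scheme == "oray":
        # PeanutHull: no FQDN or IP address may appear in the URL.
        if parts.path.strip("/") or parts.query:
            findings.append("oray-url-carries-extra-fields")
    else:
        if fqdn is None:
            findings.append("fqdn-required")
        if scheme in ("http", "https") and "<h>" not in url:
            # Advisory: without <h>, the FQDN given at the CLI is not filled in.
            findings.append("no-h-placeholder")
    try:
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:
        port = None
        findings.append("bad-port")
    return (scheme, parts.hostname, port), findings


def fill_placeholders(url, fqdn, address):
    """Fill <h> and <a> the way the guide describes, encoding the FQDN so it
    cannot add parameters and rejecting anything that is not an IP address."""
    host = quote(fqdn, safe="")
    addr = str(ipaddress.ip_address(address))  # raises ValueError if invalid
    return url.replace("<h>", host).replace("<a>", addr)


if __name__ == "__main__":
    samples = [  # URLs from Table 1; the FQDN and addresses are constructed
        ("http://members.3322.org/dyndns/update?system=dyndns&hostname=<h>&myip=<a>", "host.example"),
        ("https://user:secret@server-name/nic/update?group=group-name&myip=<a>", "host.example"),
        ("oray://phservice2.oray.net", None),
        ("gnudip://server-name", None),
    ]
    for url, fqdn in samples:
        print(audit_ddns_url(url, fqdn))
    print(fill_placeholders("http://dyn.dns.he.net/nic/update?hostname=<h>&myip=<a>",
                            "host.example", "192.0.2.7"))
```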

Prerequisites

Visit the website of a DDNS service provider, register an account, and apply for a domain name for the DDNS client. When the DDNS client updates the mapping between the domain name and the IP address through the DDNS server, the DDNS server checks the following:

·     Whether the account information is correct.

·     Whether the domain name to be updated belongs to the account.

Procedure

1.     Enter system view.

system-view

2.     Create a DDNS policy and enter its view.

ddns policy policy-name

3.     Specify a URL address for DDNS update requests.

url request-url

By default, no URL address is specified for DDNS update requests.

The URL address cannot contain a username or password. To configure them, use the username command and the password command.

4.     Specify the username for logging in to the DDNS server.

username username

By default, no username is specified.

5.     Specify the password for logging in to the DDNS server.

password { cipher | simple } string

By default, no password is specified.

6.     (Optional.) Specify the parameter transmission method for sending DDNS update requests to HTTP/HTTPS-based DDNS servers.

method { http-get | http-post }

By default, the http-get method is used.

This step is effective for communicating with HTTP/HTTPS-based DDNS servers.

Specify the http-post keyword for DDNS update with a DHS server.

7.     (Optional.) Specify the interval for sending update requests.

interval days [ hours [ minutes ] ]

By default, the time interval is one hour.

Applying the DDNS policy to an interface

About this task

After you apply the DDNS policy to an interface and specify the FQDN for update, the DDNS client can send requests to the DDNS server. The requests are to update the mapping between the domain name and the primary IP address of the interface.

Restrictions and guidelines

·     The fqdn domain-name option is required for all DDNS servers except the PeanutHull DDNS server.

·     The fqdn domain-name option is optional for PeanutHull DDNS server. If no FQDN is specified, the DDNS server updates all domain names for the DDNS client account. If an FQDN is specified, the DDNS server updates only the mapping between the specified FQDN and the primary IP address.

Prerequisites

Before you apply a DDNS policy to an interface, complete the following tasks:

·     Specify the primary IP address of the interface and make sure the DDNS server and the interface can reach each other.

·     Configure static or dynamic domain name resolution to translate the domain name of the DDNS server into the IPv4 address. For more information, see "Configuring the DNS client."

Procedure

1.     Enter system view.

system-view

2.     Enter interface view.

interface interface-type interface-number

3.     Apply the DDNS policy to the interface to update the mapping between the specified FQDN and the primary IP address of the interface, and enable DDNS update.

ddns apply policy policy-name [ fqdn domain-name ]

By default, no DDNS policy is applied to the interface, no FQDN is specified for update, and DDNS update is disabled.

An FQDN, including a host name and a domain name, is the only identifier for a network node and can be resolved as an IP address.

Setting the DSCP value for outgoing DDNS packets

About this task

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for outgoing DDNS packets.

ddns dscp dscp-value

By default, the DSCP value for outgoing DDNS packets is 0.

Display and maintenance commands for DDNS

Execute display commands in any view.

 

| Task | Command |
| --- | --- |
| Display DDNS policy information. | display ddns policy [ policy-name ] |

 
