05-Layer 3—IP Services Configuration Guide

03-DNS configuration

Configuring DNS

About DNS

Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into IP addresses. The domain name-to-IP address mapping is called a DNS entry.

Types of DNS services

DNS services can be static or dynamic. After a user specifies a name, the device checks the static name resolution table for an IP address. If no IP address is available, it contacts the DNS server for dynamic name resolution, which takes more time than static name resolution. To improve efficiency, you can put frequently queried name-to-IP address mappings in the local static name resolution table.

Static domain name resolution

Static domain name resolution means manually creating mappings between domain names and IP addresses. For example, you can create a static DNS mapping for a device so that you can Telnet to the device by using the domain name.

Server-based dynamic domain name resolution

Architecture

Figure 1 shows the relationship between the user program, DNS client, and DNS server. The DNS client includes the resolver and cache. The user program and DNS client can run on the same device or different devices. The DNS server and the DNS client usually run on different devices.

Figure 1 Server-based dynamic domain name resolution

 

The device can function as a DNS client, but not a DNS server.

If an alias is configured for a domain name on the DNS server, the device can resolve the alias into the IP address of the host.

Resolution process

Server-based dynamic domain name resolution process is as follows:

1.     A user program sends a name query to the resolver of the DNS client.

2.     The DNS resolver looks up the local domain name cache for a match. If the resolver finds a match, it sends the corresponding IP address back. If not, it sends a query to the DNS server.

3.     The DNS server looks up the corresponding IP address of the domain name in its DNS database. If no match is found, the server sends a query to other DNS servers. This process continues until a result, whether successful or not, is returned.

4.     After receiving a response from the DNS server, the DNS client returns the resolution result to the user program.

Caching

Server-based dynamic domain name resolution allows the DNS client to store the latest DNS entries in the DNS cache. The DNS client does not need to send a request to the DNS server for a repeated query within the aging time. To make sure the entries from the DNS server are up to date, a DNS entry is removed when its aging timer expires. The DNS server determines how long a mapping is valid, and the DNS client obtains the aging information from DNS responses.

DNS suffixes

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name.

For example, you can configure com as the suffix for aabbcc.com. The user only needs to enter aabbcc to obtain the IP address of aabbcc.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.

The name resolver handles the queries based on the domain names that the user enters:

·     If the user enters a domain name without a dot (.) (for example, aabbcc), the resolver considers the domain name to be a host name. It adds a DNS suffix to the host name before performing the query operation. If no match is found for any host name and suffix combination, the resolver uses the user-entered domain name (for example, aabbcc) for the IP address query.

·     If the user enters a domain name with a dot (.) inside the name (for example, www.aabbcc), the resolver uses this domain name directly for the query operation. If the query fails, the resolver adds a DNS suffix for another query operation.

·     If the user enters a domain name with a dot (.) at the end (for example, aabbcc.com.), the resolver considers the domain name an FQDN and returns the successful or failed query result. The dot at the end of the domain name is considered a terminating symbol.
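The candidate ordering described above, as an added Python model (not code from the H3C guide); the zone data and the lookup callback are constructed stand-ins for the DNS server, and the suffix list is taken in configured priority order:

```python
# Added example: models how the resolver orders its queries for a user-entered name
# when a DNS suffix list is configured. Not H3C code; zone and lookup are constructed.
from typing import Callable, List, Optional, Tuple


def query_candidates(name: str, suffixes: List[str]) -> List[str]:
    """Return the names the resolver tries, in order, for the user input `name`.

    `suffixes` is the suffix list in priority order (a suffix configured earlier
    has a higher priority, so it is tried first).
    """
    # A trailing dot marks an FQDN: nothing is appended, the dot is a terminator.
    if name.endswith("."):
        return [name[:-1]]
    with_suffix = [f"{name}.{suffix}" for suffix in suffixes]
    # A dot inside the name: the name itself is queried first, then the suffixed forms.
    if "." in name:
        return [name] + with_suffix
    # No dot: treated as a host name, so the suffixed forms go first and the
    # bare name is only tried when every host-name/suffix combination fails.
    return with_suffix + [name]


def resolve(name: str, suffixes: List[str],
            lookup: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Walk the candidates and return (queried name, IP) for the first hit, else None."""
    for candidate in query_candidates(name, suffixes):
        ip = lookup(candidate)
        if ip is not None:
            return candidate, ip
    return None


# Constructed zone data standing in for the DNS server (not from the guide).
SAMPLE_ZONE = {"aabbcc.com": "10.1.1.2", "www.aabbcc.net": "10.1.1.3"}

if __name__ == "__main__":
    for user_input in ("aabbcc", "www.aabbcc", "aabbcc.com.", "www.aabbcc."):
        print(user_input, "->", query_candidates(user_input, ["com", "net"]),
              resolve(user_input, ["com", "net"], SAMPLE_ZONE.get))
```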

DNS server group-based domain name resolution

This feature allows the device (DNS client or proxy) to search for a matching domain name rule and send queries to servers in the DNS server group bound to the rule.

When the device receives a user query and fails to find a local matching DNS entry, it looks for a matching domain name rule in the same VPN instance or on the public network as the user in ascending order of rule IDs:

·     If the domain name in the query matches a domain name or subdomain name in a rule, the device sends the query to DNS servers in the DNS server group bound to the rule.

¡     After the device receives the reply, it sends the reply to the user and stores the DNS mapping in the local DNS cache.

¡     If no reply is received, the device turns to the next domain name rule.

·     If the domain name in the query does not match any domain names or subdomain names in all rules, the device does not forward the query to DNS servers in DNS server groups and the domain name resolution fails.

DNS proxy

The DNS proxy performs the following functions:

·     Forwards the request from the DNS client to the designated DNS server.

·     Conveys the reply from the DNS server to the client.

The DNS proxy simplifies network management. When the DNS server address is changed, you can change the configuration only on the DNS proxy instead of on each DNS client.

Figure 2 shows the typical DNS proxy application.

Figure 2 DNS proxy application

 

A DNS proxy operates as follows:

1.     A DNS client considers the DNS proxy as the DNS server, and sends a DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.

2.     The DNS proxy searches the local static domain name resolution table and dynamic domain name resolution cache after receiving the request. If the requested information is found, the DNS proxy returns a DNS reply to the client.

3.     If the requested information is not found, the DNS proxy sends the request to the designated DNS server for domain name resolution.

4.     After receiving a reply from the DNS server, the DNS proxy records the IP address-to-domain name mapping and forwards the reply to the DNS client.

If no DNS server is designated or no route is available to the designated DNS server, the DNS proxy does not forward DNS requests.

DNS tasks at a glance

To configure DNS, perform the following tasks:

1.     Configuring the DNS client

Choose the following tasks as needed:

¡     Configuring static domain name resolution

¡     Configuring server-based dynamic domain name resolution

¡     Configuring DNS server group-based domain name resolution (independent domain name rules)

¡     Configuring DNS server group-based domain name resolution (domain name rules associated with domain name groups)

2.     (Optional.) Configuring the DNS proxy

3.     (Optional.) Configuring DNS redirection

4.     (Optional.) Configuring DNS security features

¡     Configuring DNS snooping

¡     Configuring the DNS trusted interface

5.     (Optional.) Configuring DNS packet parameters

¡     Specifying the source interface for DNS packets

¡     Setting the DSCP value for outgoing DNS packets

Configuring the DNS client

About domain name resolution on the DNS client

You can create domain name-to-address mappings on the DNS client by using the following methods:

·     Configure static domain name resolution—Use this method when you use domain names to access a small number of devices or when the network does not have available DNS servers. The network administrator must configure or maintain the domain name-to-address mappings manually.

·     Configure dynamic domain name resolution—Use this method when you use domain names to access a large number of devices and the network has an available DNS server.

A DNS client resolves a domain name in the following order:

1.     Static domain name resolution.

2.     Locally saved DNS mappings that have been resolved.

3.     DNS server-based domain name resolution.

The resolution fails if the domain name cannot be resolved after all these methods are used.

Configuring static domain name resolution

Restrictions and guidelines

Each host name maps to only one IPv4 address and one IPv6 address for the public network or a VPN instance.

You can configure DNS entries for both public network and VPN instances. A maximum of 2048 DNS entries can be configured for the public network or each VPN instance.

Procedure

1.     Enter system view.

system-view

2.     Configure a host name-to-address mapping. Choose the options to configure as needed:

IPv4:

ip host host-name ip-address [ vpn-instance vpn-instance-name ]

IPv6:

ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

Configuring server-based dynamic domain name resolution

Restrictions and guidelines

·     The limit on the number of DNS servers on the device is as follows:

¡     In system view, you can specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

¡     In system view, you can specify a maximum of six DNS server IPv6 addresses for the public network or each VPN instance. You can specify DNS server IPv6 addresses for both public network and VPN instances.

¡     In interface view, you can specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both public network and VPN instances.

·     A DNS server address is required so that DNS queries can be sent to a correct server for resolution. If you specify both an IPv4 address and an IPv6 address, the device performs the following operations:

¡     Sends an IPv4 DNS query first to the DNS server IPv4 addresses. If the query fails, the device turns to the DNS server IPv6 addresses.

¡     Sends an IPv6 DNS query first to the DNS server IPv6 addresses. If the query fails, the device turns to the DNS server IPv4 addresses.

·     The DNS server address priority is as follows:

¡     A DNS server address specified in system view takes priority over a DNS server address specified in interface view.

¡     A DNS server address specified earlier has a higher priority.

¡     A DNS server address manually specified takes priority over a DNS server address dynamically obtained, for example, through DHCP.

The device first sends a DNS query to the DNS server address of the highest priority. If the first query fails, it sends the DNS query to the DNS server address of the second highest priority, and so on.

·     You can configure a DNS suffix that the system automatically adds to the incomplete domain name that a user enters.

¡     You can configure a maximum of 16 DNS suffixes for the public network or each VPN instance. You can configure DNS suffixes for both public network and VPN instances.

¡     A DNS suffix manually configured takes priority over a DNS suffix dynamically obtained, for example, through DHCP. A DNS suffix configured earlier has a higher priority. The device first uses the suffix that has the highest priority. If the query fails, the device uses the suffix that has the second highest priority, and so on.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the TTL value for DNS entries.

dns cache ttl { maximum max-value | minimum min-value } *

By default, the TTL value for DNS entries is the TTL value in the DNS reply.

3.     (Optional.) Configure a DNS suffix.

dns domain domain-name [ vpn-instance vpn-instance-name ]

By default, no DNS suffix is configured and only the domain name that a user enters is resolved.

4.     Specify a DNS server address. Choose the options to configure as needed:

¡     Specify a DNS server address in system view.

IPv4:

dns server ip-address [ vpn-instance vpn-instance-name ]

IPv6:

ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

¡     Execute the following commands in sequence to specify a DNS server IPv4 address in interface view.

interface interface-type interface-number

dns server ip-address [ vpn-instance vpn-instance-name ]

By default, no DNS server address is specified.

Configuring DNS server group-based domain name resolution (independent domain name rules)

About this task

This feature allows the device (DNS client or proxy) to search for a matching domain name rule and send queries to servers in the DNS server group bound to the rule.

An independent domain name rule can be matched by using one of the following methods:

·     Exact match—The match succeeds only when the domain name in the query is exactly the same as a domain name in the rule.

·     Fuzzy match—The match succeeds if the domain name in the query contains a subdomain name.

A user query can only match a domain name rule that is in the same VPN instance or on the public network as the user.

If the domain name in the query matches a domain name or subdomain name in a rule, the device sends the query to the DNS servers in the DNS server group bound to the rule, in the order shown by the display this command for the group. If the query is an IPv4 packet, the device forwards the query first to IPv4 DNS servers. If the query is an IPv6 packet, the device forwards the query first to IPv6 DNS servers.

If the domain name in the query does not match any domain names or subdomain names in all rules, the device does not forward the query to DNS servers in DNS server groups and the domain name resolution fails.

Restrictions and guidelines

You can add both IPv4 and IPv6 DNS server addresses to a DNS server group.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the TTL value for DNS entries.

dns cache ttl { maximum max-value | minimum min-value } *

By default, the TTL value for DNS entries is the TTL value in the DNS reply.

3.     Create a DNS server group.

dns server-group group-id [ vpn-instance vpn-instance-name ]

By default, no DNS server groups exist.

The device supports a maximum of 16 DNS server groups. Each DNS server group can contain a maximum of 6 IPv4 DNS server addresses and a maximum of 6 IPv6 DNS server addresses.

4.     Add DNS servers to the DNS server group.

IPv4:

dns server ip-address

IPv6:

ipv6 dns server ipv6-address [ interface-type interface-number ]

By default, a DNS server group does not have any DNS servers.

5.     (Optional.) Configure a description for the DNS server group.

description text

By default, no description is configured for the DNS server group.

6.     Return to system view.

quit

7.     Configure a domain name rule.

dns domain-rule rule-id { domain-name domain-name | subdomain-name subdomain-name } [ vpn-instance vpn-instance-name ] server-group group-id

By default, no domain name rule is configured.

Configuring DNS server group-based domain name resolution (domain name rules associated with domain name groups)

About this task

When the device uses domain name rules to match DNS queries, you can associate a domain name rule with a domain name group to simplify configuration. If multiple domain names are to be matched, you do not need to configure domain name rules multiple times.

After you add domain names or subdomain names to a domain name group, you can associate a domain name rule with it, so that the device can distribute DNS queries based on the matching results.

The relationships between a domain name rule and its associated domain name groups include the following types:

·     Include the domain name group—The device matches the domain name in a query against the domain names in the domain name groups. The match succeeds if the domain name in the query matches any domain name in a domain name group.

If the domain name rule includes default domain name group any, any domain name can match the rule.

·     Exclude the domain name group—The device matches the domain name in a query against the domain names in the domain name groups. The match succeeds only when the domain name in the query does not match any domain name in the domain name groups.

If the domain name rule includes default domain name group any, no domain names can match the rule.

A user query can only match a domain name rule that is in the same VPN instance or on the public network as the user.

If the domain name in the query matches a domain name or subdomain name in a rule, the device sends the query to the DNS servers in the DNS server group bound to the rule, in the order shown by the display this command for the group. If the query is an IPv4 packet, the device forwards the query first to IPv4 DNS servers. If the query is an IPv6 packet, the device forwards the query first to IPv6 DNS servers.

If the domain name in the query does not match any domain names or subdomain names in all rules, the device does not forward the query to DNS servers in DNS server groups and the domain name resolution fails.
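The rule walk described in "DNS server group-based domain name resolution" and in the two "About this task" sections above (independent rules, and rules that include or exclude a domain name group), as an added Python model that is not H3C code. The rules, groups and server replies are constructed; the fuzzy subdomain match is modelled as a suffix match at a label boundary, which is an assumption about the guide's "contains" wording.

```python
# Added example: a model of domain name rule matching and query dispatch. Not H3C code;
# rules, groups and server replies are constructed. Fuzzy (subdomain) matching is
# modelled as a label-boundary suffix match, an assumption.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

ANY_GROUP = "any"  # the built-in default domain name group: every name belongs to it


@dataclass
class DomainRule:
    rule_id: int
    server_group: int
    vpn: Optional[str] = None             # None = public network
    domain_name: Optional[str] = None     # independent rule, exact match
    subdomain_name: Optional[str] = None  # independent rule, fuzzy match
    group: Optional[str] = None           # associated domain name group
    exclude: bool = False                 # the 'exclude domain-name-group' form


def under(name: str, subdomain: str) -> bool:
    """Fuzzy match: `name` is the subdomain itself or lies below it (assumed semantics)."""
    return name == subdomain or name.endswith("." + subdomain)


def in_group(name: str, group: str, groups: Dict[str, Dict[str, Set[str]]]) -> bool:
    if group == ANY_GROUP:
        return True
    g = groups[group]
    return name in g["domain_names"] or any(under(name, s) for s in g["subdomain_names"])


def rule_matches(name: str, rule: DomainRule, groups) -> bool:
    if rule.domain_name is not None:
        return name == rule.domain_name
    if rule.subdomain_name is not None:
        return under(name, rule.subdomain_name)
    if rule.group is not None:
        hit = in_group(name, rule.group, groups)
        return not hit if rule.exclude else hit  # 'exclude any' matches nothing
    return False


def dispatch(name: str, vpn: Optional[str], rules: List[DomainRule], groups,
             send_to_group: Callable[[int, str], Optional[str]]) -> Optional[Tuple[int, str]]:
    """Walk the rules of the query's VPN instance (or the public network) in ascending
    rule ID, send the query to the bound server group, and move on to the next matching
    rule when no reply comes back. Returns (rule ID, resolved IP) or None on failure."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if rule.vpn != vpn or not rule_matches(name, rule, groups):
            continue
        reply = send_to_group(rule.server_group, name)
        if reply is not None:
            return rule.rule_id, reply
    return None  # no rule matched, or every matching group stayed silent


# Constructed sample configuration (not from the guide).
GROUPS = {"intranet": {"domain_names": {"portal.corp.example"},
                       "subdomain_names": {"corp.example"}}}
RULES = [
    DomainRule(10, server_group=1, domain_name="host.com"),
    DomainRule(20, server_group=2, subdomain_name="aabbcc.com"),
    DomainRule(25, server_group=5, subdomain_name="aabbcc.com"),
    DomainRule(30, server_group=3, group="intranet"),
    DomainRule(40, server_group=4, vpn="vpn1", group="intranet", exclude=True),
]
# Replies each server group would return; group 2 never answers, so rule 20 falls
# through to rule 25.
SAMPLE_SERVERS = {1: {"host.com": "3.1.1.1"}, 2: {},
                  3: {"mail.corp.example": "10.2.0.6"},
                  4: {"outside.example": "198.51.100.7"},
                  5: {"www.aabbcc.com": "10.1.1.3"}}


def sample_send(group_id: int, name: str) -> Optional[str]:
    return SAMPLE_SERVERS.get(group_id, {}).get(name)


if __name__ == "__main__":
    for qname, vpn in (("host.com", None), ("www.aabbcc.com", None),
                       ("mail.corp.example", None), ("outside.example", None),
                       ("outside.example", "vpn1"), ("mail.corp.example", "vpn1")):
        print(qname, vpn, "->", dispatch(qname, vpn, RULES, GROUPS, sample_send))
```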

Restrictions and guidelines

You can add both IPv4 and IPv6 DNS server addresses to a DNS server group.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the TTL value for DNS entries.

dns cache ttl { maximum max-value | minimum min-value } *

By default, the TTL value for DNS entries is the TTL value in the DNS reply.

3.     Create a DNS server group.

dns server-group group-id [ vpn-instance vpn-instance-name ]

By default, no DNS server groups exist.

The device supports a maximum of 16 DNS server groups. Each DNS server group can contain a maximum of 6 IPv4 DNS server addresses and a maximum of 6 IPv6 DNS server addresses.

4.     Add DNS servers to the DNS server group.

IPv4:

dns server ip-address

IPv6:

ipv6 dns server ipv6-address [ interface-type interface-number ]

By default, a DNS server group does not have any DNS servers.

5.     (Optional.) Configure a description for the DNS server group.

description text

By default, no description is configured for the DNS server group.

6.     Return to system view.

quit

7.     Create a domain name group and enter its view, or enter the view of an existing domain name group.

dns domain-name-group group-name

By default, the system has a default domain name group named any.

The default domain name group cannot be manually created or deleted.

You can execute this command multiple times to create multiple domain name groups.

8.     Add a domain name to the domain name group.

domain-name domain-name

By default, a domain name group does not have domain names.

9.     Add a subdomain name to a domain name group.

subdomain-name subdomain-name

By default, a domain name group does not have subdomain names.

10.     Return to system view.

quit

11.     Configure a domain name rule.

¡     Associate the domain name group with a domain name rule and configure the domain name rule to match a DNS query when the domain name in the query is in the domain name group.

dns domain-rule rule-id domain-name-group group-name [ vpn-instance vpn-instance-name ] server-group group-id

¡     Associate the domain name group with a domain name rule and configure the domain name rule to match a DNS query when the domain name in the query is not in the domain name group.

dns domain-rule rule-id exclude domain-name-group group-name [ vpn-instance vpn-instance-name ] server-group group-id

By default, no domain name rule is configured.

Configuring the DNS proxy

Restrictions and guidelines

You can specify multiple DNS servers. The DNS proxy forwards a request to the DNS server that has the highest priority. If no reply is received, it forwards the request to the DNS server that has the second highest priority, and so on.

You can specify both an IPv4 address and an IPv6 address.

·     A DNS proxy forwards an IPv4 name query first to IPv4 DNS servers. If no reply is received, it forwards the request to IPv6 DNS servers.

·     A DNS proxy forwards an IPv6 name query first to IPv6 DNS servers. If no reply is received, it forwards the request to IPv4 DNS servers.

Procedure

1.     Enter system view.

system-view

2.     Enable DNS proxy.

dns proxy enable

By default, DNS proxy is disabled.

3.     Specify a DNS server address.

¡     Specify a DNS server address in system view.

IPv4:

dns server ip-address [ vpn-instance vpn-instance-name ]

IPv6:

ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

¡     Execute the following commands in sequence to specify a DNS server IPv4 address in interface view.

interface interface-type interface-number

dns server ip-address [ vpn-instance vpn-instance-name ]

By default, no DNS server address is specified.

Configuring DNS redirection

About this task

DNS redirection applies to the scenarios that require DNS request distribution.

With DNS redirection enabled, the device monitors the received DNS requests (only UDP packets are supported in the current software version) and resolves the source IP addresses, source port numbers, and domain names. Then, the device searches for a matching domain name rule and redirects the request to the DNS server in the rule.

The device enabled with DNS redirection works as follows:

1.     The device searches for a matching domain name rule.

¡     If a match is found, it replaces the destination IP address in the request with the IP address of the first reachable DNS server in the server group bound to the rule. Then, the device forwards the request to the DNS server.

¡     If no match is found, the device does not redirect the DNS request.

2.     The device records the replacement, including the source IP address, source port number, and requested server address in the DNS request, and the replaced server address.

3.     Upon receiving the DNS reply, the device replaces the source IP address in the reply with the original server address in the request.
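The three-step redirection workflow above, as an added Python model that is not H3C code. The rule lookup, server reachability and the packets are constructed stand-ins, only UDP requests are modelled, and leaving a request alone when no server in the group is reachable is an assumption:

```python
# Added example: a model of the DNS redirection workflow. Not H3C code; the rule
# lookup, reachability and packets are constructed. Only UDP requests are modelled.
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class UdpDns:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    qname: str


class DnsRedirector:
    def __init__(self, group_for_name: Callable[[str], Optional[int]],
                 group_servers: Dict[int, List[str]],
                 reachable: Callable[[str], bool]) -> None:
        self.group_for_name = group_for_name  # domain name rule lookup (modelled)
        self.group_servers = group_servers    # server group id -> servers in display order
        self.reachable = reachable            # is a route available to this server?
        # Step 2: (client IP, client port, requested server) -> replaced server
        self.records: Dict[Tuple[str, int, str], str] = {}

    def handle_request(self, req: UdpDns) -> UdpDns:
        """Step 1: rewrite the destination to the first reachable server of the matched group."""
        group_id = self.group_for_name(req.qname)
        if group_id is None:
            return req  # no matching rule: the request is not redirected
        target = next((s for s in self.group_servers.get(group_id, []) if self.reachable(s)), None)
        if target is None:
            return req  # assumption: with no reachable server the request is left alone
        self.records[(req.src_ip, req.src_port, req.dst_ip)] = target
        return replace(req, dst_ip=target)

    def handle_reply(self, reply: UdpDns) -> UdpDns:
        """Step 3: put the server address the client asked for back into the reply's source."""
        for (client_ip, client_port, requested), replaced in self.records.items():
            if (reply.dst_ip, reply.dst_port, reply.src_ip) == (client_ip, client_port, replaced):
                return replace(reply, src_ip=requested)
        return reply  # no record for this reply: it passes unchanged


# Constructed sample (not from the guide): names under corp.example go to group 1,
# whose first server has no route and whose second server is reachable.
def sample_rule(qname: str) -> Optional[int]:
    return 1 if qname.endswith(".corp.example") else None


SAMPLE_GROUPS = {1: ["10.0.0.1", "10.0.0.2"]}
SAMPLE_REACHABLE = {"10.0.0.1": False, "10.0.0.2": True}


def demo() -> Tuple[UdpDns, UdpDns, UdpDns]:
    """Run one redirected request/reply pair and one request that no rule matches."""
    rd = DnsRedirector(sample_rule, SAMPLE_GROUPS, lambda ip: SAMPLE_REACHABLE.get(ip, False))
    req = UdpDns("192.0.2.10", 5353, "203.0.113.53", 53, "mail.corp.example")
    fwd = rd.handle_request(req)
    reply = rd.handle_reply(UdpDns(fwd.dst_ip, 53, req.src_ip, req.src_port, req.qname))
    untouched = rd.handle_request(UdpDns("192.0.2.10", 5354, "203.0.113.53", 53, "host.com"))
    return fwd, reply, untouched


if __name__ == "__main__":
    for pkt in demo():
        print(pkt)
```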

Procedure

1.     Enter system view.

system-view

2.     Enable DNS redirection.

dns redirect enable

By default, DNS redirection is disabled.

Configuring DNS snooping

About this task

DNS snooping is applicable to the scenario where traffic filtering is based on domain names.

Other modules (for example, the address object group module) can obtain the IP addresses corresponding to domain names through DNS snooping only after they send domain name subscription requests to the DNS module.

Enabled with DNS snooping, the device monitors received DNS requests and replies, and works as follows:

·     If the domain name in a DNS request matches a subscribed domain name, the device records the DNS mapping after receiving the DNS reply, and reports the mapping to the corresponding module for traffic filtering.

·     If the domain name does not match a subscribed domain name, the device does not record the DNS mapping.

When the domain names subscribed to by other modules age out, the DNS module notifies the modules of deleting the corresponding mappings to ensure mapping accuracy.

The DNS snooping device can record the resolution results of DNS requests for the Canonical Names (CNAMEs). A CNAME is an alias of a domain name. The type A record directly resolves a domain name to an IP address and a CNAME record resolves a domain name to another domain name. For example, configure the CNAME of domain name www.example.com as web.example.com. When a client accesses www.example.com, it obtains the CNAME after the first domain name resolution on the DNS server. Then, the client automatically sends a DNS query for CNAME web.example.com and obtains the corresponding IP address after the second resolution on the DNS server. The DNS snooping device records the mapping among the domain name, CNAME, and IP address and reports the mapping to the policy as follows:

·     If the policy cares about the CNAME, the DNS snooping device reports the mapping between the CNAME and the IP address to the policy.

·     If the policy cares about the real domain name, the DNS snooping device reports the mapping between the real domain name and the IP address to the policy.
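The CNAME handling described above, as an added Python model that is not H3C code. The subscriptions and the reply records are constructed; the model reports every name on the CNAME chain that some policy subscribed to and uses the smallest TTL on the chain as the aging time, both of which are modelling assumptions:

```python
# Added example: a model of how a DNS snooping device follows a CNAME chain in a reply
# and reports the resulting mapping to subscribing policies. Not H3C code; the
# subscriptions and the reply records are constructed.
from typing import Dict, List, Optional, Set, Tuple

# A resource record as (owner name, type, rdata, TTL in seconds)
Record = Tuple[str, str, str, int]


def follow_cnames(qname: str, answers: List[Record]) -> Tuple[List[str], List[str], Optional[int]]:
    """Return (names along the chain starting at qname, A-record IPs, min TTL).

    The smallest TTL on the chain is used so the recorded mapping ages out no later
    than any record it was built from (assumption).
    """
    chain, current, seen = [qname], qname, {qname}
    used: List[Record] = []
    while True:
        cname = next((r for r in answers if r[0] == current and r[1] == "CNAME"), None)
        if cname is None:
            break
        used.append(cname)
        current = cname[2]
        if current in seen:  # malformed CNAME loop: stop following
            break
        seen.add(current)
        chain.append(current)
    a_records = [r for r in answers if r[0] == current and r[1] == "A"]
    used.extend(a_records)
    ips = [r[2] for r in a_records]
    ttl = min(r[3] for r in used) if used else None
    return chain, ips, ttl


def snoop_reply(subscribed: Set[str], qname: str,
                answers: List[Record]) -> Dict[str, Tuple[List[str], int]]:
    """Report {subscribed name: (IPs, aging time)} for each name on the chain a policy cares about.

    A policy subscribed to the real domain name gets real-name -> IP; one subscribed to
    the CNAME gets CNAME -> IP. Names nobody subscribed to are not recorded.
    """
    chain, ips, ttl = follow_cnames(qname, answers)
    if not ips or ttl is None:
        return {}
    return {name: (sorted(ips), ttl) for name in chain if name in subscribed}


# Constructed sample (not from the guide): www.example.com is a CNAME for web.example.com.
SAMPLE_SUBSCRIPTIONS = {"www.example.com", "web.example.com"}
SAMPLE_ANSWERS: List[Record] = [
    ("www.example.com", "CNAME", "web.example.com", 300),
    ("web.example.com", "A", "10.1.1.5", 60),
    ("web.example.com", "A", "10.1.1.6", 60),
]

if __name__ == "__main__":
    print(snoop_reply(SAMPLE_SUBSCRIPTIONS, "www.example.com", SAMPLE_ANSWERS))
```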

Restrictions and guidelines

DNS snooping works only between the DNS client and DNS server, or the DNS client and DNS proxy.

The DNS snooping feature cannot be used across VPNs. Make sure the input and output interfaces of DNS packets on the device belong to the same VPN.

Procedure

1.     Enter system view.

system-view

2.     (Optional.) Set the TTL value for DNS entries.

dns cache ttl { maximum max-value | minimum min-value } *

By default, the TTL value for DNS entries is the TTL value in the DNS reply.

3.     Enable DNS snooping.

dns snooping enable

By default, DNS snooping is disabled.

Configuring the DNS trusted interface

About this task

This task enables the device to use only the DNS suffix and domain name server information obtained through the trusted interface, so that the device obtains the correct resolved IP address. This feature protects the device against attackers that act as the DHCP server to assign an incorrect DNS suffix and domain name server address.

Restrictions and guidelines

You can configure a maximum of 128 DNS trusted interfaces.

Procedure

1.     Enter system view.

system-view

2.     Specify the DNS trusted interface.

dns trust-interface interface-type interface-number

By default, no DNS trusted interface is specified.

Specifying the source interface for DNS packets

About this task

This task enables the device to always use the primary IP address of the specified source interface as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is configured on the source interface, no DNS packets can be sent out.

Restrictions and guidelines

When sending an IPv6 DNS request, the device follows the method defined in RFC 3484 to select an IPv6 address of the source interface.

You can configure only one source interface on the public network or a VPN instance. You can configure source interfaces for both public network and VPN instances.

Make sure the source interface belongs to the specified VPN instance if you specify the vpn-instance vpn-instance-name option. If you specify an incorrect VPN instance, the device might not receive any DNS response.

Procedure

1.     Enter system view.

system-view

2.     Specify the source interface for DNS packets.

dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

By default, no source interface for DNS packets is specified.

Setting the DSCP value for outgoing DNS packets

About this task

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Procedure

1.     Enter system view.

system-view

2.     Set the DSCP value for DNS packets sent by a DNS client or a DNS proxy.

IPv4:

dns dscp dscp-value

By default, the DSCP value is 0 in IPv4 DNS packets sent by a DNS client or a DNS proxy.

IPv6:

ipv6 dns dscp dscp-value

By default, the DSCP value is 0 in IPv6 DNS packets sent by a DNS client or a DNS proxy.

Display and maintenance commands for DNS

Execute display commands in any view and reset commands in user view.

Display the domain name resolution table:

display dns host [ ip [ ipv4-address ] | ipv6 [ ipv6-address ] ] [ vpn-instance vpn-instance-name ] [ name host-name ] [ ttl { greater-than greater-than-value | less-than less-than-value } ]

Display IPv4 DNS server information:

display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Display domain name-to-IP address mappings recorded by DNS snooping:

display dns snooping host [ ip [ ipv4-address ] | ipv6 [ ipv6-address ] ] [ vpn-instance vpn-instance-name ] [ name host-name ] [ server { ipv4-address | ipv6-address } ] [ ttl { greater-than greater-than-value | less-than less-than-value } ]

Display IPv6 DNS server information:

display ipv6 dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Display DNS suffixes:

display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ]

Clear dynamic DNS entries:

reset dns host [ client | snooping ] [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

IPv4 DNS configuration examples

Example: Configuring static domain name resolution

Network configuration

As shown in Figure 3, the host at 10.1.1.2 is named host.com. Configure static IPv4 DNS on the device so that the device can use the easy-to-remember domain name rather than the IP address to access the host.

Figure 3 Network diagram

 

Procedure

CAUTION:

When the device, acting as the DNS server, replies to DNS requests via static domain name resolution, make sure it is enabled with DNS proxy. To enable DNS proxy on the device, execute the dns proxy enable command.

# Configure a mapping between host name host.com and IP address 10.1.1.2.

<Sysname> system-view

[Sysname] dns proxy enable

[Sysname] ip host host.com 10.1.1.2

# Verify that the device can use static domain name resolution to resolve domain name host.com into IP address 10.1.1.2.

[Sysname] ping host.com

Ping host.com (10.1.1.2): 56 data bytes, press CTRL_C to break

56 bytes from 10.1.1.2: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 10.1.1.2: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Example: Configuring dynamic domain name resolution

Network configuration

As shown in Figure 4, configure the DNS server to store the mapping between the host's domain name host and IPv4 address 3.1.1.1/16 in the com domain. Configure dynamic IPv4 DNS and DNS suffix com on the device so that the device can use domain name host to access the host.

Figure 4 Network diagram

 

Prerequisites

Assign IP addresses to interfaces as shown in Figure 4. Make sure the network connections are available.

Procedure

1.     Configure the DNS server:

The DNS server configuration might vary. This example uses a PC running Windows Server 2008 R2 for illustration.

a.     Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 5.

b.     Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 5 Creating a zone

 

c.     On the DNS server configuration page, right-click zone com and select New Host.

Figure 6 Adding a host

 

d.     On the page that appears, enter host name host and IP address 3.1.1.1.

e.     Click Add Host.

The mapping between the IP address and host name is created.

Figure 7 Adding a mapping between domain name and IP address

 

2.     Configure the DNS client:

# Specify the DNS server 2.1.1.2.

<Device> system-view

[Device] dns server 2.1.1.2

# Specify com as the name suffix.

[Device] dns domain com

Verifying the configuration

# Verify that the device can use the dynamic domain name resolution to resolve domain name host.com into IP address 3.1.1.1.

[Device] ping host

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

Example: Configuring DNS proxy

Network configuration

As shown in Figure 8, configure Device A as the DNS proxy to forward DNS packets between the DNS client (Device B) and the DNS server at 4.1.1.1.

Figure 8 Network diagram

 

Prerequisites

Assign IP addresses to interfaces as shown in Figure 8. Make sure the network connections are available.

Procedure

1.     Configure the DNS server:

The configuration might vary by DNS server. When a PC running Windows Server 2008 R2 acts as the DNS server, see "Example: Configuring dynamic domain name resolution" for configuration information.

2.     Configure the DNS proxy:

# Specify the DNS server 4.1.1.1.

<DeviceA> system-view

[DeviceA] dns server 4.1.1.1

# Enable DNS proxy.

[DeviceA] dns proxy enable

3.     Configure the DNS client:

# Specify the DNS server 2.1.1.2.

<DeviceB> system-view

[DeviceB] dns server 2.1.1.2

Verifying the configuration

# Verify that DNS proxy on Device A functions.

[DeviceB] ping host.com

Ping host.com (3.1.1.1): 56 data bytes, press CTRL_C to break

56 bytes from 3.1.1.1: icmp_seq=0 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=1 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=2 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=3 ttl=255 time=1.000 ms

56 bytes from 3.1.1.1: icmp_seq=4 ttl=255 time=2.000 ms

 

--- Ping statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 1.000/1.200/2.000/0.400 ms

IPv6 DNS configuration examples

Example: Configuring static domain name resolution

Network configuration

As shown in Figure 9, the host at 1::2 is named host.com. Configure static IPv6 DNS on the device so that the device can use the easy-to-remember domain name rather than the IPv6 address to access the host.

Figure 9 Network diagram

 

Procedure

# Configure a mapping between host name host.com and IPv6 address 1::2.

<Device> system-view

[Device] ipv6 host host.com 1::2

# Verify that the device can use static domain name resolution to resolve domain name host.com into IPv6 address 1::2.

[Device] ping ipv6 host.com

Ping6(56 data bytes) 1::1 --> 1::2, press CTRL_C to break

56 bytes from 1::2, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::2, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::2, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Example: Configuring dynamic domain name resolution

Network configuration

As shown in Figure 10, configure the DNS server to store the mapping between the host's domain name host and IPv6 address 1::1/64 in the com domain. Configure dynamic IPv6 DNS and DNS suffix com on the device so that the device can use domain name host to access the host.

Figure 10 Network diagram

 

Prerequisites

Before you configure dynamic domain name resolution, perform the following tasks:

·     Assign IPv6 addresses to interfaces as shown in Figure 10. Make sure the network connections are available.

·     Configure IPv6 DNS on the DNS server so that the server can process IPv6 DNS packets and its interfaces can forward IPv6 packets.

Procedure

1.     Configure the DNS server:

The DNS server configuration might vary. This example uses a PC running Windows Server 2008 R2 for illustration.

a.     Select Start > Programs > Administrative Tools > DNS.

The DNS server configuration page appears, as shown in Figure 11.

b.     Right-click Forward Lookup Zones, select New Zone, and then follow the wizard to create a new zone named com.

Figure 11 Creating a zone

 

c.     On the DNS server configuration page, right-click zone com and select New Host.

Figure 12 Adding a host

 

d.     On the page that appears, enter host name host and IPv6 address 1::1.

e.     Click Add Host.

The mapping between the IPv6 address and host name is created.

Figure 13 Adding a mapping between domain name and IPv6 address

 

2.     Configure the DNS client:

# Specify the DNS server 2::2.

<Device> system-view

[Device] ipv6 dns server 2::2

# Configure com as the DNS suffix.

[Device] dns domain com

Verifying the configuration

# Verify that the device can use dynamic domain name resolution to resolve domain name host.com into IPv6 address 1::1.

[Device] ping ipv6 host

Ping6(56 data bytes) 3::1 --> 1::1, press CTRL_C to break

56 bytes from 1::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 1::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 1::1, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms
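The IPv4 and IPv6 dynamic resolution examples above both rely on the same client behavior: the device appends the suffix from dns domain com to the unqualified name host, sends an A or AAAA query to the configured server, and accepts only a reply that matches its query. The following Python script is an added illustration of that exchange and is not H3C code; the transaction IDs, the 3600-second TTL, and the reply bytes are constructed sample values, not captures from the servers in Figure 4 or Figure 10.

```python
import socket
import struct
A, AAAA = 1, 28  # DNS record types for IPv4 and IPv6 addresses

def qualify(name, suffix):
    """'dns domain <suffix>' rule: an unqualified (dot-free) name gets the suffix."""
    return name if "." in name or not suffix else f"{name}.{suffix}"

def encode_name(name):  # wire format: length-prefixed labels, 0x00 terminator
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(name, qtype, txid, suffix=None):
    """UDP payload the client sends: 12-byte header with RD set, one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qualify(name, suffix)) + struct.pack("!HH", qtype, 1)

def skip_name(msg, off):  # offset just past a name; handles a compression pointer
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_response(msg, txid):
    """Return {'rcode': int, 'answers': [(rtype, ttl, address), ...]}. A reply
    whose transaction ID does not match the query is rejected, never cached."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("transaction ID mismatch or not a response")
    off, answers = 12, []
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(msg, off) + 4
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == A and rdlen == 4:
            answers.append((A, ttl, socket.inet_ntop(socket.AF_INET, rdata)))
        elif rtype == AAAA and rdlen == 16:
            answers.append((AAAA, ttl, socket.inet_ntop(socket.AF_INET6, rdata)))
    return {"rcode": flags & 0x000F, "answers": answers}

def sample_reply(txid, qtype, addr):
    """Constructed reply for host.com (not a capture), as the example server would send."""
    rdata = socket.inet_pton(socket.AF_INET if qtype == A else socket.AF_INET6, addr)
    return (struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + encode_name("host.com")
            + struct.pack("!HH", qtype, 1) + b"\xc0\x0c"
            + struct.pack("!HHIH", qtype, 1, 3600, len(rdata)) + rdata)
```

Feeding the output of build_query("host", A, txid, suffix="com") to a real server over UDP port 53 and passing the reply to parse_response reproduces what ping host does on the device before it sends the first ICMP packet.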

Example: Configuring DNS proxy

Network configuration

As shown in Figure 14, configure Device A as the DNS proxy to forward DNS packets between the DNS client (Device B) and the DNS server at 4000::1.

Figure 14 Network diagram

 

Prerequisites

Assign IPv6 addresses to interfaces as shown in Figure 14. Make sure the network connections are available.

Procedure

1.     Configure the DNS server:

This configuration might vary by DNS server. When a PC running Windows Server 2008 R2 acts as the DNS server, see "Example: Configuring dynamic domain name resolution" for configuration information.

2.     Configure the DNS proxy:

# Specify the DNS server 4000::1.

<DeviceA> system-view

[DeviceA] ipv6 dns server 4000::1

# Enable DNS proxy.

[DeviceA] dns proxy enable

3.     Configure the DNS client:

# Specify the DNS server 2000::2.

<DeviceB> system-view

[DeviceB] ipv6 dns server 2000::2

Verifying the configuration

# Verify that DNS proxy on Device A functions.

[DeviceB] ping ipv6 host.com

Ping6(56 data bytes) 2000::1 --> 3000::1, press CTRL_C to break

56 bytes from 3000::1, icmp_seq=0 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=1 hlim=128 time=0.000 ms

56 bytes from 3000::1, icmp_seq=2 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=3 hlim=128 time=1.000 ms

56 bytes from 3000::1, icmp_seq=4 hlim=128 time=0.000 ms

 

--- Ping6 statistics for host.com ---

5 packet(s) transmitted, 5 packet(s) received, 0.0% packet loss

round-trip min/avg/max/std-dev = 0.000/0.600/1.000/0.490 ms

Troubleshooting DNS configuration

Failure to resolve IPv4 addresses

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IP address.

Solution

To resolve the problem:

1.     Use the display dns host ip command to verify that the specified domain name is in the cache.

2.     If the specified domain name does not exist, check that the DNS client can communicate with the DNS server.

3.     If the specified domain name is in the cache, but the IP address is incorrect, check that the DNS client has the correct IP address of the DNS server.

4.     Verify that the mapping between the domain name and IP address is correct on the DNS server.

Failure to resolve IPv6 addresses

Symptom

After enabling dynamic domain name resolution, the user cannot get the correct IPv6 address.

Solution

To resolve the problem:

1.     Use the display dns host ipv6 command to verify that the specified domain name is in the cache.

2.     If the specified domain name does not exist, check that dynamic domain name resolution is enabled, and that the DNS client can communicate with the DNS server.

3.     If the specified domain name is in the cache, but the IPv6 address is incorrect, check that the DNS client has the correct IPv6 address of the DNS server.

4.     Verify that the mapping between the domain name and IPv6 address is correct on the DNS server.
