05-Layer 3—IP Services Command Reference

03-DNS commands

DNS commands

description

Use description to configure a description for a DNS server group.

Use undo description to restore the default.

Syntax

description text

undo description

Default

No description is configured for a DNS server group.

Views

DNS server group view

Predefined user roles

network-admin

Parameters

text: Specifies a description, a case-insensitive string of 1 to 255 characters.

Examples

# Configure the description as office for DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-dns-server-group-1] description office

Related commands

dns server-group

display dns domain

Use display dns domain to display the domain name suffixes.

Syntax

display dns domain [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays the domain name suffixes dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained domain name suffixes.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays domain name suffixes for the public network.

Examples

# Display the statically configured and dynamically obtained domain name suffixes for the public network.

<Sysname> display dns domain

Type:

  D: Dynamic    S: Static

 

No.    Type   Domain suffix

1      S      com

2      D      net

Table 1 Command output

Field            Description
No.              Sequence number.
Type             Domain name suffix type:
                 ·     S—A statically configured domain name suffix.
                 ·     D—A domain name suffix dynamically obtained through DHCP or other protocols.
Domain suffix    Domain name suffixes.

Related commands

dns domain

display dns host

Use display dns host to display information about domain name-to-IP address mappings.

Syntax

display dns host [ ip [ ipv4-address ] | ipv6 [ ipv6-address ] ] [ vpn-instance vpn-instance-name ] [ name host-name ] [ ttl { greater-than greater-than-value | less-than less-than-value } ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip [ ipv4-address ]: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address. The ipv4-address argument specifies the mapped IPv4 address. If you specify this option, the command displays the domain name-to-IP address mapping that contains the IPv4 address. If you do not specify this option, the command displays all domain name-to-IP address mappings that contain IPv4 addresses.

ipv6 [ ipv6-address ]: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address. The ipv6-address argument specifies the mapped IPv6 address. If you specify this option, the command displays the domain name-to-IP address mapping that contains the IPv6 address. If you do not specify this option, the command displays all domain name-to-IP address mappings that contain IPv6 addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays domain name-to-IP address mappings for the public network.

name host-name: Specifies a host name. This option supports fuzzy match by adding a wildcard (*) to the host name. For example, to match host names that include abc, specify the host-name argument as *abc*, *abc, or abc*. To exactly match a host name, do not add the wildcard (*).

ttl greater-than greater-than-value: Displays only dynamic domain name-to-IP address mappings with TTL values greater than or equal to the value for the greater-than-value argument. The greater-than-value argument specifies the lower TTL limit in the range of 1 to 4294967295.

ttl less-than less-than-value: Displays only dynamic domain name-to-IP address mappings with TTL values less than or equal to the value for the less-than-value argument. The less-than-value argument specifies the upper TTL limit in the range of 1 to 4294967295.

Usage guidelines

If you do not specify the ip or ipv6 keyword, this command displays domain name-to-IP address mappings of all query types.

Examples

# Display domain name-to-IP address mappings of all query types.

<Sysname> display dns host

Type:

  D: Dynamic    S: Static

 

Total number: 3

No.  Host name         Type  TTL        Query type   IP addresses

1    sample.com        D     3132       A            192.168.10.1

                                                     192.168.10.2

                                                     192.168.10.3

2    zig.sample.com    S     -          A            192.168.1.1

3    sample.net        S     -          AAAA         FE80::4904:4448

Table 2 Command output

Field           Description
No.             Sequence number.
Host name       Domain name.
Type            Domain name-to-IP address mapping type:
                ·     S—A static mapping configured by the ip host or ipv6 host command.
                ·     D—A mapping dynamically obtained through dynamic domain name resolution.
TTL             Time in seconds that a mapping can be stored in the cache. For a static mapping, a hyphen (-) is displayed.
Query type      Query type: A or AAAA.
IP addresses    Replied IP address:
                ·     For a type A query, the replied IP address is an IPv4 address.
                ·     For a type AAAA query, the replied IP address is an IPv6 address.

Related commands

ip host

ipv6 host

reset dns host

display dns server

Use display dns server to display IPv4 DNS server information.

Syntax

display dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv4 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays statically configured and dynamically obtained IPv4 DNS server information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays IPv4 DNS server information for the public network.

Examples

# Display IPv4 DNS server information for the public network.

<Sysname> display dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IP address

1   S     202.114.0.124

2   S     169.254.65.125

Table 3 Command output

Field         Description
No.           Sequence number.
Type          DNS server type:
              ·     S—A manually configured DNS server.
              ·     D—DNS server information dynamically obtained through DHCP or other protocols.
IP address    IPv4 address of the DNS server.

Related commands

dns server

display dns snooping host

Use display dns snooping host to display domain name-to-IP address mappings recorded by DNS snooping.

Syntax

display dns snooping host [ ip [ ipv4-address ] | ipv6 [ ipv6-address ] ] [ vpn-instance vpn-instance-name ] [ name host-name ] [ server { ipv4-address | ipv6-address } ] [ ttl { greater-than greater-than-value | less-than less-than-value } ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

ip [ ipv4-address ]: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address. The ipv4-address argument specifies the mapped IPv4 address. If you specify this option, the command displays the domain name-to-IP address mapping recorded by DNS snooping that contains the IPv4 address. If you do not specify this option, the command displays all domain name-to-IP address mappings recorded by DNS snooping that contain IPv4 addresses.

ipv6 [ ipv6-address ]: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address. The ipv6-address argument specifies the mapped IPv6 address. If you specify this option, the command displays the domain name-to-IP address mapping recorded by DNS snooping that contains the IPv6 address. If you do not specify this option, the command displays all domain name-to-IP address mappings recorded by DNS snooping that contain IPv6 addresses.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays domain name-to-IP address mappings for the public network.

name host-name: Specifies a host name. This option supports fuzzy match by adding a wildcard (*) to the host name. For example, to match host names that include abc, specify the host-name argument as *abc*, *abc, or abc*. To exactly match a host name, do not add the wildcard (*).

server { ipv4-address | ipv6-address }: Specifies a DNS server. The ipv4-address argument specifies the IPv4 address of the DNS server. The ipv6-address argument specifies the IPv6 address of the DNS server.

ttl greater-than greater-than-value: Displays only dynamic domain name-to-IP address mappings with TTL values greater than or equal to the value for the greater-than-value argument. The greater-than-value argument specifies the lower TTL limit in the range of 1 to 4294967295.

ttl less-than less-than-value: Displays only dynamic domain name-to-IP address mappings with TTL values less than or equal to the value for the less-than-value argument. The less-than-value argument specifies the upper TTL limit in the range of 1 to 4294967295.

Usage guidelines

If you do not specify the ip or ipv6 keyword, this command displays domain name-to-IP address mappings of both query types recorded by DNS snooping.

Examples

# Display domain name-to-IP address mappings of both query types recorded by DNS snooping.

<Sysname> display dns snooping host

Total number: 5

No.  Host name       Server               TTL        QType IP addresses

1    a.example.com   8.8.8.8              3593       A     100.100.0.7

2    b.example.com   8.8.8.8              3595       A     100.100.0.8

                                                           100.100.0.9

3    c.example.com   8.8.8.8              3593       A     100.100.0.6

4    d.example.com   8.8.8.8              3597       AAAA  101:101::104

5    e.example.com   8.8.8.8              3597       AAAA  101:101::103

Table 4 Command output

Field           Description
No.             Sequence number.
Host name       Domain name.
Server          IP address of the DNS server that returned the mapping.
TTL             Time in seconds that a mapping can be stored in the cache.
QType           Query type: A or AAAA.
IP addresses    Replied IP address:
                ·     For a type A query, the replied IP address is an IPv4 address.
                ·     For a type AAAA query, the replied IP address is an IPv6 address.

Related commands

reset dns host
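The output of display dns host and display dns snooping host shown above is what you would collect from a device when auditing what names its clients resolve and which servers answered. The following parser is an added example, not code from this command reference or from H3C: it reads both output layouts, folds the continuation lines that carry extra addresses for the same name into one record, and applies the same filters the commands offer (ttl greater-than is >=, ttl less-than is <=, both on dynamic entries only). The sample output is constructed from the page's examples with the same space-aligned columns; verify the header text against a real device before relying on it.

```python
"""Parse the tabular output of display dns host / display dns snooping host and
apply the same filters the commands offer (ttl greater-than / less-than, ip).

Added example, not code from the H3C command reference. The sample output is
constructed from the page's own examples with the same space-aligned columns.
"""
from __future__ import annotations

import re

# Column labels as printed in the output header, mapped to record keys.
LABEL_KEYS = {
    "No.": "no",
    "Host name": "host",
    "Server": "server",        # display dns snooping host only
    "Type": "type",            # display dns host only (S = static, D = dynamic)
    "TTL": "ttl",
    "QType": "qtype",          # display dns snooping host header
    "Query type": "qtype",     # display dns host header
    "IP addresses": "addresses",
}


def _row(widths: tuple[int, ...], *cells: str) -> str:
    """Lay cells out on fixed column widths, as the page's sample output does."""
    return "".join(c.ljust(w) for c, w in zip(cells, widths)) + cells[-1]


SNOOP_W = (5, 16, 21, 11, 6)
SNOOPING_SAMPLE = "\n".join([
    "Total number: 5",
    _row(SNOOP_W, "No.", "Host name", "Server", "TTL", "QType", "IP addresses"),
    _row(SNOOP_W, "1", "a.example.com", "8.8.8.8", "3593", "A", "100.100.0.7"),
    _row(SNOOP_W, "2", "b.example.com", "8.8.8.8", "3595", "A", "100.100.0.8"),
    _row(SNOOP_W, "", "", "", "", "", "100.100.0.9"),      # continuation line
    _row(SNOOP_W, "3", "c.example.com", "8.8.8.8", "3593", "A", "100.100.0.6"),
    _row(SNOOP_W, "4", "d.example.com", "8.8.8.8", "3597", "AAAA", "101:101::104"),
    _row(SNOOP_W, "5", "e.example.com", "8.8.8.8", "3597", "AAAA", "101:101::103"),
])

HOST_W = (5, 18, 6, 11, 13)
HOST_SAMPLE = "\n".join([
    "Total number: 3",
    _row(HOST_W, "No.", "Host name", "Type", "TTL", "Query type", "IP addresses"),
    _row(HOST_W, "1", "sample.com", "D", "3132", "A", "192.168.10.1"),
    _row(HOST_W, "", "", "", "", "", "192.168.10.2"),       # continuation line
    _row(HOST_W, "2", "zig.sample.com", "S", "-", "A", "192.168.1.1"),
    _row(HOST_W, "3", "sample.net", "S", "-", "AAAA", "FE80::4904:4448"),
])


def parse_display_output(text: str) -> list[dict]:
    """One dict per mapping; continuation lines (extra addresses for the same
    name) are folded into the previous record."""
    lines = text.splitlines()
    header_at = next(i for i, line in enumerate(lines) if line.startswith("No."))
    cols = []
    for label, key in LABEL_KEYS.items():
        # Whole-word match so that "Type" does not hit inside "QType".
        m = re.search(r"(?<!\S)%s(?!\S)" % re.escape(label), lines[header_at])
        if m:
            cols.append((m.start(), key))
    cols.sort()
    starts, keys = [s for s, _ in cols], [k for _, k in cols]
    records: list[dict] = []
    for line in lines[header_at + 1:]:
        if not line.strip():
            continue
        if not line[:starts[1]].strip() and records:
            records[-1]["addresses"].append(line.strip())   # no sequence number
            continue
        ends = starts[1:] + [len(line)]
        rec = dict(zip(keys, (line[s:e].strip() for s, e in zip(starts, ends))))
        rec["no"] = int(rec["no"])
        rec["ttl"] = None if rec["ttl"] == "-" else int(rec["ttl"])   # '-' = static
        rec["addresses"] = [rec["addresses"]]
        records.append(rec)
    return records


def filter_by_ttl(records, greater_than=None, less_than=None):
    """ttl greater-than is >=, ttl less-than is <=; both apply only to dynamic
    mappings, so static entries (TTL shown as '-') never match."""
    kept = []
    for rec in records:
        if rec["ttl"] is None:
            continue
        if greater_than is not None and rec["ttl"] < greater_than:
            continue
        if less_than is not None and rec["ttl"] > less_than:
            continue
        kept.append(rec)
    return kept


def hosts_resolving_to(records, address):
    """Names mapped to one address, like the ip / ipv6 address options."""
    return [rec["host"] for rec in records if address in rec["addresses"]]
```

Because the parser keys columns off the header labels, the same function handles both commands; the Server column of the snooping output is the one to pivot on when you want to see which resolver handed out a given answer.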

display ipv6 dns server

Use display ipv6 dns server to display IPv6 DNS server information.

Syntax

display ipv6 dns server [ dynamic ] [ vpn-instance vpn-instance-name ]

Views

Any view

Predefined user roles

network-admin

network-operator

Parameters

dynamic: Displays IPv6 DNS server information dynamically obtained through DHCP or other protocols. If you do not specify this keyword, the command displays the statically configured and dynamically obtained IPv6 DNS server information.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command displays IPv6 DNS server information for the public network.

Examples

# Display IPv6 DNS server information for the public network.

<Sysname> display ipv6 dns server

Type:

  D: Dynamic    S: Static

 

No. Type  IPv6 address                             Outgoing Interface

1   S     2::2

Table 5 Command output

Field                 Description
No.                   Sequence number.
Type                  DNS server type:
                      ·     S—A manually configured DNS server.
                      ·     D—DNS server information dynamically obtained through DHCP or other protocols.
IPv6 address          IPv6 address of the DNS server.
Outgoing Interface    Output interface.

Related commands

ipv6 dns server

dns cache ttl

Use dns cache ttl to set the TTL value for DNS entries.

Use undo dns cache ttl to cancel the TTL configuration for DNS entries.

Syntax

dns cache ttl { maximum max-value | minimum min-value } *

undo dns cache ttl [ maximum | minimum ]

Default

The TTL value for DNS entries is the TTL value in the DNS reply.

Views

System view

Predefined user roles

network-admin

Parameters

maximum max-value: Specifies the maximum TTL value for DNS entries, in the range of 60 to 3600 seconds.

minimum min-value: Specifies the minimum TTL value for DNS entries, in the range of 60 to 3600 seconds. The value for the min-value argument must be smaller than that for the max-value argument.

Usage guidelines

Application scenarios

The device periodically sends a DNS request to the DNS server according to the TTL for DNS entries, which consumes CPU resources. If the TTL value is too small, the device sends DNS requests frequently to the DNS server, which consumes more CPU resources. If the TTL value is too large, DNS mappings cannot be updated in time. To avoid such issues, you can use this command to set the TTL value for DNS entries.

Operating mechanism

By default, the DNS client obtains the TTL from the DNS reply for dynamic domain name resolution cache.

After you set the TTL value for DNS entries, the device specifies the TTL for DNS entries as follows:

·     If the TTL value in the DNS reply is smaller than the minimum TTL value, the device uses the minimum TTL value as the TTL for DNS entries. If the TTL value is greater than or equal to the minimum TTL value, the device uses the TTL value in the DNS reply as the TTL for DNS entries.

·     If the TTL value in the DNS reply is greater than the maximum TTL value, the device uses the maximum TTL value as the TTL for DNS entries. If the TTL value is smaller than or equal to the maximum TTL value, the device uses the TTL value in the DNS reply as the TTL for DNS entries.

Restrictions and guidelines

After you execute this command, the configuration takes effect only on DNS entries generated afterwards. Existing entries keep their current TTL.

After you execute the undo dns cache ttl command, existing DNS entries also keep the TTL they were created with.

If you do not specify any keywords when you execute the undo dns cache ttl command, this command cancels all TTL configuration for DNS entries.

If you execute the dns cache ttl minimum, dns cache ttl maximum, or dns cache ttl minimum maximum command multiple times, the most recent configuration takes effect.

Examples

# Set the maximum TTL value for DNS entries to 3600 seconds and the minimum TTL value for DNS entries to 180 seconds.

<Sysname> system-view

[Sysname] dns cache ttl maximum 3600 minimum 180

Related commands

dns server

dns domain

Use dns domain to configure a domain name suffix.

Use undo dns domain to delete the specified domain name suffix.

Syntax

dns domain domain-name [ vpn-instance vpn-instance-name ]

undo dns domain domain-name [ vpn-instance vpn-instance-name ]

Default

No domain name suffix is configured. Only the provided domain name is resolved.

Views

System view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a domain name suffix. It is a dot-separated, case-insensitive string that can include letters, digits, hyphens (-), underscores (_), and dots (.), for example, aabbcc.com. The domain name suffix can include a maximum of 253 characters, and each separated string includes no more than 63 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To configure a domain name suffix for the public network, do not specify this option.

Usage guidelines

Application scenarios

You can configure a domain name suffix list so that the resolver can use the list to supply the missing part of an incomplete name. For example, you can configure com as the suffix for example.com. The user only needs to enter example to obtain the IP address of example.com. The resolver adds the suffix and delimiter before passing the name to the DNS server.

Operating mechanism

The name resolver handles the queries based on the domain names that the user enters:

·     If the user enters a domain name without a dot (.) (for example, example), the resolver considers the domain name to be a host name. It adds a DNS suffix to the host name before performing the query operation. If no match is found for any host name and suffix combination, the resolver uses the user-entered domain name (for example, example) for the IP address query.

·     If the user enters a domain name with a dot (.) among the letters (for example, www.example), the resolver directly uses this domain name for the query operation. If the query fails, the resolver adds a DNS suffix for another query operation.

·     If the user enters a domain name with a dot (.) at the end (for example, example.com.), the resolver considers the domain name an FQDN and returns the successful or failed query result. The dot at the end of the domain name is considered a terminating symbol.

The device performs the above operations only when it searches the dynamic domain name resolution cache.
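The three cases above determine exactly which names leave the device for a given user input, which is what you want to know when reviewing a suffix list (every bare host name is first tried against every configured suffix). The following is an added example, not code from this command reference or from H3C: it generates the candidate query names in the order the resolver tries them, applies the argument limits stated for the dns domain command (16 suffixes, 253 characters, 63 characters per label), and resolves against a constructed in-memory table that stands in for the dynamic domain name resolution cache.

```python
"""Which names the resolver queries for a user-entered name under the domain
name suffix rules of dns domain, and in what order.

Added example, not code from the command reference. SAMPLE_CACHE is a
constructed stand-in for the dynamic domain name resolution cache.
"""
from __future__ import annotations

MAX_SUFFIXES = 16      # per public network or per VPN instance
MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63


def validate_suffix(suffix: str) -> str:
    """Apply the dns domain argument rules; suffixes are case-insensitive."""
    if not 1 <= len(suffix) <= MAX_NAME_LEN:
        raise ValueError(f"suffix length out of range: {suffix!r}")
    for label in suffix.split("."):
        if not 1 <= len(label) <= MAX_LABEL_LEN:
            raise ValueError(f"label length out of range in {suffix!r}")
        if not all(ch.isalnum() or ch in "-_" for ch in label):
            raise ValueError(f"illegal character in {suffix!r}")
    return suffix.lower()


class SuffixList:
    """The suffix list of one public network or VPN instance."""

    def __init__(self, suffixes: list[str]):
        if len(suffixes) > MAX_SUFFIXES:
            raise ValueError(f"at most {MAX_SUFFIXES} suffixes are allowed")
        self.suffixes = [validate_suffix(s) for s in suffixes]

    def candidates(self, entered: str) -> list[str]:
        """Query names in the order the resolver tries them."""
        name = entered.lower()
        if name.endswith("."):
            # Trailing dot is a terminator: the name is an FQDN, no suffix is added.
            return [name[:-1]]
        with_suffix = [f"{name}.{s}" for s in self.suffixes]
        if "." not in name:
            # Bare host name: every host+suffix combination first, bare name last.
            return with_suffix + [name]
        # Dotted name: as entered first, then with each suffix appended.
        return [name] + with_suffix


def resolve(cache: dict[str, list[str]], suffixes: SuffixList, entered: str):
    """First candidate present in the cache, as (queried name, addresses);
    (None, []) when every candidate misses."""
    for cand in suffixes.candidates(entered):
        if cand in cache:
            return cand, cache[cand]
    return None, []


# Constructed cache contents standing in for dynamically learned mappings.
SAMPLE_CACHE = {
    "example.com": ["192.0.2.10"],
    "www.example.net": ["192.0.2.20"],
    "intranet": ["10.0.0.5"],
}
```

Note that a bare name such as intranet is only tried as-is after every suffix combination has missed, so a suffix list of public domains turns internal short names into queries for intranet.com, intranet.net, and so on before the device falls back to the name the user typed.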

Restrictions and guidelines

The device supports the domain name suffix list only when it acts as a DNS client.

A domain name suffix applies to both IPv4 DNS and IPv6 DNS.

The system allows a maximum of 16 domain name suffixes for the public network or each VPN instance. You can specify domain name suffixes for both public network and VPN instances.

Examples

# Configure domain name suffix com for the public network.

<Sysname> system-view

[Sysname] dns domain com

Related commands

display dns domain

dns domain-name-group

Use dns domain-name-group to create a domain name group and enter its view, or enter the view of an existing domain name group.

Use undo dns domain-name-group to delete a domain name group.

Syntax

dns domain-name-group group-name

undo dns domain-name-group group-name

Default

The system has a default domain name group named any.

Views

System view

Predefined user roles

network-admin

Parameters

group-name: Specifies the name of a domain name group, a case-insensitive string of 1 to 31 characters.

Usage guidelines

Application scenarios

When the device uses domain name rules to match DNS queries, you can associate a domain name rule with a domain name group to simplify configuration. If multiple domain names are to be matched, you do not need to configure domain name rules multiple times.

Operating mechanism

After you add domain names or subdomain names to a domain name group, you can associate a domain name rule with it, so that the device can distribute DNS queries based on the matching results. To add domain names or subdomain names to a domain name group, use the domain-name or subdomain-name command, respectively.

The relationships between a domain name rule and its associated domain name groups include the following types:

·     Include the domain name group—The device matches the domain name in a query against the domain names in the domain name groups. The match succeeds if the domain name in the query matches any domain name in a domain name group.

If the domain name rule includes default domain name group any, any domain name can match the rule.

·     Exclude the domain name group—The device matches the domain name in a query against the domain names in the domain name groups. The match succeeds only when the domain name in the query does not match any domain name in the domain name groups.

If the domain name rule includes default domain name group any, no domain names can match the rule.

Restrictions and guidelines

The default domain name group cannot be manually created or deleted.

You can execute this command multiple times to create multiple domain name groups.

Do not delete domain name groups that are already associated with domain name rules.

Examples

# Create a domain name group named 1 and enter its view.

<Sysname> system-view

[Sysname] dns domain-name-group 1

[Sysname-domain-name-group-1]

Related commands

dns domain-rule

domain-name

subdomain-name

dns domain-rule

Use dns domain-rule to configure a domain name rule.

Use undo dns domain-rule to delete a domain name rule.

Syntax

dns domain-rule rule-id { domain-name domain-name | [ exclude ] domain-name-group group-name | subdomain-name subdomain-name } [ vpn-instance vpn-instance-name ] server-group group-id

undo dns domain-rule rule-id [ domain-name domain-name | [ exclude ] domain-name-group group-name | subdomain-name subdomain-name ]

Default

No domain name rule is configured.

Views

System view

Predefined user roles

network-admin

Parameters

rule-id: Specifies the ID of a domain name rule. The value range is 1 to 16.

domain-name domain-name: Specifies a domain name, a dot-separated, case-insensitive string of up to 253 characters that can contain letters, digits, hyphens (-), underscores (_), and dots (.), for example, www.example.com. The domain name cannot start or end with a dot (.) or contain two consecutive dots (..).

exclude: Matches a DNS query when the domain name in the query is not in the domain name group. If you do not specify this keyword, the domain name rule matches a DNS query when the domain name in the query is in the domain name group.

domain-name-group group-name: Specifies a domain name group by its name, a case-insensitive string of 1 to 31 characters. The specified domain name group must already exist.

subdomain-name subdomain-name: Specifies a subdomain name, a dot-separated, case-insensitive string that can contain letters, digits, hyphens (-), underscores (_), and dots (.), for example, .example.com. The subdomain name can contain up to 253 characters, and each separated string can contain up to 63 characters.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance to which the DNS client that sends DNS queries belongs by its name, a case-sensitive string of 1 to 31 characters. If the DNS client belongs to the public network, do not specify this option.

server-group group-id: Specifies a DNS server group by its ID, in the range of 1 to 16. You can bind a domain name rule to a non-existent DNS server group. For the configuration to take effect, execute the dns server-group command to create that DNS server group.

Usage guidelines

Application scenarios

This feature allows the device (DNS client or proxy) to search for a matching domain name rule and send queries to servers in the DNS server group bound to the rule.

Operating mechanism

A domain name rule can be matched in one of the following methods:

·     Exact match—The match succeeds only when the domain name in the query is exactly the same as a domain name in the rule.

·     Fuzzy match—The match succeeds if the domain name in the query contains a subdomain name.

·     Include the domain name group—The device matches the domain name in a query against the domain names in the domain name groups. The match succeeds if the domain name in the query matches any domain name in a domain name group.

If the domain name rule includes default domain name group any, any domain name can match the rule.

·     Exclude the domain name group—The device matches the domain name in a query against the domain names in the domain name groups. The match succeeds only when the domain name in the query does not match any domain name in the domain name groups.

If the domain name rule includes default domain name group any, no domain names can match the rule.

When the device receives a user query and does not find a matching local DNS entry, it searches the domain name rules that belong to the user's VPN instance (or to the public network, for a public-network user) in ascending order of rule IDs:

·     If the domain name in the query matches a domain name or subdomain name in a rule, the device sends the query to DNS servers in the DNS server group bound to the rule.

¡     After the device receives the reply, it sends the reply to the user and stores the DNS mapping in the local DNS cache.

¡     If no reply is received, the device turns to the next domain name rule.

·     If the domain name in the query does not match any domain names or subdomain names in all rules, the device does not forward the query to DNS servers in DNS server groups and the domain name resolution fails.
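The matching methods and the lookup order above are easy to get wrong when rules for several VPN instances and both include and exclude groups coexist. The following is an added example, not code from this command reference or from H3C: it models rules, domain name groups (including the default group any), the per-VPN rule scope, ascending-ID evaluation, and the fall-through to the next rule when no server in the bound group replies. Two points are assumptions: the page describes the subdomain-name fuzzy match as "contains", which is implemented here literally as a substring test, and the servers are a constructed in-memory table, so fake_send() stands in for the real UDP exchange.

```python
"""Domain name rule evaluation as described for dns domain-rule: within the
client's VPN instance (or the public network) rules are tried in ascending ID
order, a matching rule sends the query to its bound DNS server group, and the
next rule is tried only when no server in that group replies.

Added example, not code from the command reference. Assumption: the
subdomain-name fuzzy match ("contains" on the page) is a plain substring test.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

PUBLIC = None   # vpn value meaning "public network"


@dataclass
class DomainNameGroup:
    name: str
    domain_names: set[str] = field(default_factory=set)
    subdomain_names: list[str] = field(default_factory=list)

    def matches(self, qname: str) -> bool:
        if self.name == "any":          # default group: every name matches
            return True
        return qname in self.domain_names or any(s in qname for s in self.subdomain_names)


@dataclass
class DomainRule:
    rule_id: int                        # 1 to 16; unique per (rule_id, vpn)
    server_group: int                   # 1 to 16
    vpn: Optional[str] = PUBLIC
    domain_names: set[str] = field(default_factory=set)         # exact match
    subdomain_names: list[str] = field(default_factory=list)    # fuzzy match
    groups: list[DomainNameGroup] = field(default_factory=list)
    exclude: bool = False               # "exclude domain-name-group"

    def __post_init__(self):
        if self.groups and (self.domain_names or self.subdomain_names):
            raise ValueError("a rule uses groups or names, not both")
        if len(self.groups) > 8 or len(self.domain_names) + len(self.subdomain_names) > 8:
            raise ValueError("at most eight groups, or eight names/subdomain names, per rule")

    def matches(self, qname: str) -> bool:
        if self.groups:
            hit = any(g.matches(qname) for g in self.groups)
            return not hit if self.exclude else hit
        return qname in self.domain_names or any(s in qname for s in self.subdomain_names)


# (server ip, qname) -> answer list ([] = negative reply) or None = no reply at all
Send = Callable[[str, str], Optional[list]]


def resolve_via_rules(qname, client_vpn, rules, server_groups, send: Send, cache):
    """Answer list for qname, or None when no rule matches or nothing replies."""
    qname = qname.lower().rstrip(".")
    if (client_vpn, qname) in cache:
        return cache[(client_vpn, qname)]
    in_scope = sorted((r for r in rules if r.vpn == client_vpn), key=lambda r: r.rule_id)
    for rule in in_scope:
        if not rule.matches(qname):
            continue
        # Servers in configured order; a group that does not exist yet has no effect.
        for ip in server_groups.get(rule.server_group, []):
            answer = send(ip, qname)
            if answer is not None:
                if answer:
                    cache[(client_vpn, qname)] = answer   # reply is returned and cached
                return answer
        # No reply from any server in the group: fall through to the next rule.
    return None


# Constructed servers: 10.0.0.53 never answers, the others answer what they know.
RESPONSES = {
    "10.0.1.53": {"www.example.com": ["10.1.1.10"], "intranet.example.com": ["10.1.1.20"]},
    "8.8.8.8": {"www.example.org": ["203.0.113.10"]},
}


def fake_send(server: str, qname: str):
    if server not in RESPONSES:
        return None                          # unreachable: no reply
    return RESPONSES[server].get(qname, [])  # [] models a negative reply


def build_policy():
    corp = DomainNameGroup("corp", {"www.example.com"}, [".example.com"])
    rules = [
        DomainRule(1, server_group=1, groups=[corp]),                 # corp names -> internal resolvers
        DomainRule(2, server_group=2, groups=[corp], exclude=True),   # everything else -> public resolvers
        DomainRule(1, server_group=1, vpn="vpn1", subdomain_names=[".example.com"]),
    ]
    server_groups = {1: ["10.0.0.53", "10.0.1.53"], 2: ["8.8.8.8"]}
    return rules, server_groups
```

With a literal substring match, a query for evil.example.com.attacker.net also matches the subdomain name .example.com and is sent to the internal resolvers; confirm on the target platform whether the fuzzy match is a substring or a suffix test before using a domain name rule as a policy boundary.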

Restrictions and guidelines

A domain name rule is uniquely identified by its ID and VPN instance. When you configure a domain name rule, follow these guidelines:

·     A domain name rule can be bound to only one DNS server group.

·     A domain name rule can be associated with a maximum of eight domain name groups. Do not configure both the include and the exclude domain name group matching methods for the same rule.

·     For one domain name rule, you can repeat this command to bind a maximum of eight domain names and subdomain names to the same DNS server group.

·     After you associate a domain name rule with a domain name group, do not configure the domain name or subdomain name matching method for the rule. After you configure the domain name or subdomain name matching method for a domain name rule, do not associate the rule with a domain name group.

·     To delete a domain name or subdomain name specified for a rule, execute the undo dns domain-rule command and specify the domain-name domain-name or subdomain-name subdomain-name option. To disassociate a domain name group from a domain name rule, specify the exclude domain-name-group group-name or domain-name-group group-name option. To delete a complete domain name rule, do not specify any parameters.

A user query can match only domain name rules that are in the same VPN instance or on the public network as the user.

A domain name rule and its bound DNS server group can be in different VPN instances, or one can be in a VPN instance and the other on the public network.

Examples

# Create domain name rule 1 and bind subdomain name .example.com and domain name www.ddeeff.com to DNS server group 1.

<Sysname> system-view

[Sysname] dns domain-rule 1 subdomain-name .example.com server-group 1

[Sysname] dns domain-rule 1 domain-name www.ddeeff.com server-group 1

# Create domain name rule 1, associate the rule with domain name group group1, and bind the rule to DNS server group 1.

<Sysname> system-view

[Sysname] dns domain-name-group group1

[Sysname-dns-domain-name-group-group1] domain-name www.example.com

[Sysname-dns-domain-name-group-group1] subdomain-name example.com

[Sysname-dns-domain-name-group-group1] quit

[Sysname] dns domain-rule 1 domain-name-group group1 server-group 1

Related commands

dns domain-name-group

dns server-group

dns dscp

Use dns dscp to set the DSCP value for DNS packets sent by a DNS client or DNS proxy.

Use undo dns dscp to restore the default.

Syntax

dns dscp dscp-value

undo dns dscp

Default

The DSCP value is 0 in DNS packets sent by a DNS client or DNS proxy.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. Generally, a larger DSCP value indicates a higher priority; the actual treatment depends on the QoS policy of each forwarding device.

Examples

# Set the DSCP value to 30 for outgoing DNS packets.

<Sysname> system-view

[Sysname] dns dscp 30

dns proxy enable

Use dns proxy enable to enable DNS proxy.

Use undo dns proxy enable to disable DNS proxy.

Syntax

dns proxy enable

undo dns proxy enable

Default

DNS proxy is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

This configuration applies to both IPv4 DNS and IPv6 DNS.

Examples

# Enable DNS proxy.

<Sysname> system-view

[Sysname] dns proxy enable

dns redirect enable

Use dns redirect enable to enable DNS redirection.

Use undo dns redirect enable to disable DNS redirection.

Syntax

dns redirect enable

undo dns redirect enable

Default

DNS redirection is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

With DNS redirection enabled, the device inspects received DNS requests (only UDP packets are supported in the current software version) and extracts the source IP address, source port number, and queried domain name from each request. Then, the device searches for a matching domain name rule and redirects the request to a DNS server in the server group bound to the rule. DNS queries carried over TCP are not inspected and are forwarded unredirected.

The device enabled with DNS redirection works as follows:

1.     The device searches for a matching domain name rule.

¡     If a match is found, it replaces the destination IP address in the request with the IP address of the first reachable DNS server in the server group bound to the rule. Then, the device forwards the request to the DNS server.

¡     If no match is found, the device does not redirect the DNS request.

2.     The device records the replacement, including the source IP address, source port number, and requested server address in the DNS request, and the replaced server address.

3.     Upon receiving the DNS reply, the device replaces the source IP address in the reply with the original server address in the request.

This configuration applies to both IPv4 DNS redirection and IPv6 DNS redirection.
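The three steps above are a stateful rewrite of the kind a NAT performs, keyed on the client's address and port and the server it originally asked. The following is an added example, not the device's code or anything from H3C: it parses the QNAME from a UDP query in wire format, replaces the destination with the first reachable server of the chosen server group, records the replacement, and restores the original server address as the reply's source, while leaving TCP untouched as the usage guidelines state. choose_server_group() is a stand-in for the domain name rule lookup, and clearing the state entry on the first reply is likewise an assumption the page does not confirm.

```python
"""DNS redirection (dns redirect enable) modelled as the stateful rewrite the
page describes: parse the QNAME from a UDP query, swap the destination for the
first reachable server of the chosen server group, record the swap, and swap
the reply's source back so the client sees the server it originally asked.

Added example, not the device's code. Packets are plain dataclasses, the
wire-format query is constructed here, and choose_server_group() stands in for
the domain name rule lookup. Deleting the state entry on the first reply is an
assumption; the page does not say when the record is cleared.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def build_query(qname: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Minimal DNS query: 12-byte header, QNAME labels, QTYPE, QCLASS IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_qname(payload: bytes) -> str:
    """Name in the first question; a query carries no compression pointers."""
    pos, labels = 12, []
    while (n := payload[pos]) != 0:
        if n & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels).lower()


class DnsRedirector:
    def __init__(self, server_groups: dict[int, list[str]], reachable: set[str],
                 choose_server_group: Callable[[str], Optional[int]]):
        self.server_groups = server_groups
        self.reachable = reachable
        self.choose_server_group = choose_server_group
        # (client ip, client port, requested server) -> replaced server
        self.state: dict[tuple[str, int, str], str] = {}

    def on_request(self, pkt: Packet) -> Packet:
        if pkt.proto != "udp" or pkt.dport != 53:
            return pkt      # only UDP DNS is inspected; TCP passes through unredirected
        group = self.choose_server_group(parse_qname(pkt.payload))
        if group is None:
            return pkt      # no matching rule: not redirected
        target = next((ip for ip in self.server_groups.get(group, []) if ip in self.reachable), None)
        if target is None:
            return pkt      # no reachable server in the bound group
        self.state[(pkt.src, pkt.sport, pkt.dst)] = target
        return Packet(pkt.proto, pkt.src, pkt.sport, target, pkt.dport, pkt.payload)

    def on_reply(self, pkt: Packet) -> Packet:
        key = next((k for k, replaced in self.state.items()
                    if (k[0], k[1]) == (pkt.dst, pkt.dport) and replaced == pkt.src), None)
        if key is None:
            return pkt      # not a reply to a redirected request
        del self.state[key]
        # Restore the server address the client originally sent to.
        return Packet(pkt.proto, key[2], pkt.sport, pkt.dst, pkt.dport, pkt.payload)
```

Because the lookup on the reply path is keyed only on the client's address and port and the replaced server, anything that reaches the client from that server on that port will have its source rewritten; on a real deployment the transaction ID and question are what tie a reply to its request, which the page's description does not mention and is worth checking.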

Examples

# Enable DNS redirection.

<Sysname> system-view

[Sysname] dns redirect enable

dns server (system view/interface view)

Use dns server to specify the IPv4 address of a DNS server.

Use undo dns server to remove the IPv4 address of a DNS server.

Syntax

dns server ip-address [ vpn-instance vpn-instance-name ]

undo dns server [ ip-address ] [ vpn-instance vpn-instance-name ]

Default

No DNS server IPv4 address is specified.

Views

System view

Interface view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of a DNS server. When you execute the undo form of the command in interface view, you must specify this argument.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a DNS server IPv4 address for the public network, do not use this option.

Usage guidelines

In system view or interface view, you can specify a maximum of six DNS server IPv4 addresses for the public network or each VPN instance. You can specify DNS server IPv4 addresses for both the public network and VPN instances.

DNS server IPv4 addresses are used in the following priority order:

·     An address specified in system view takes priority over an address specified in interface view.

·     An address specified earlier has a higher priority.

·     A manually specified address takes priority over an address dynamically obtained, for example, through DHCP.

The device first sends a DNS query to the DNS server IPv4 address of the highest priority. If the first query fails, it sends the DNS query to the DNS server IPv4 address of the second highest priority, and so on.

If you do not specify an address, the undo dns server command in system view removes all DNS server IPv4 addresses for the public network or the specified VPN instance.

Examples

# Specify DNS server IPv4 address 172.16.1.1.

<Sysname> system-view

[Sysname] dns server 172.16.1.1

# Specify DNS server IPv4 address 172.16.1.1 on Ten-GigabitEthernet 0/0/15.

<Sysname> system-view

[Sysname] interface ten-gigabitethernet 0/0/15

[Sysname-Ten-GigabitEthernet0/0/15] dns server 172.16.1.1

Related commands

display dns server

dns server (DNS server group view)

Use dns server to add an IPv4 DNS server to the DNS server group.

Use undo dns server to delete an IPv4 DNS server from the DNS server group.

Syntax

dns server ip-address

undo dns server [ ip-address ]

Default

A DNS server group does not have any DNS servers.

Views

DNS server group view

Predefined user roles

network-admin

Parameters

ip-address: Specifies the IPv4 address of a DNS server.

Usage guidelines

Operating mechanism

The device sends a DNS query to DNS servers in a DNS server group in the configuration order of their IPv4 addresses.

Restrictions and guidelines

A DNS server group supports a maximum of six IPv4 DNS server addresses.

If you do not specify the ip-address argument when you execute the undo dns server command, the command deletes all IPv4 DNS server addresses from the DNS server group.

Examples

# Add DNS server 172.16.1.1 to DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-dns-server-group-1] dns server 172.16.1.1

dns server-group

Use dns server-group to create a DNS server group and enter its view, or enter the view of an existing DNS server group.

Use undo dns server-group to delete a DNS server group.

Syntax

dns server-group group-id [ vpn-instance vpn-instance-name ]

undo dns server-group group-id

Default

No DNS server group exists.

Views

System view

Predefined user roles

network-admin

Parameters

group-id: Specifies the ID of a DNS server group, in the range of 1 to 16.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If the DNS server group is on the public network, do not specify this option.

Usage guidelines

Application scenarios

This feature allows the device (DNS client or proxy) to search for a matching domain name rule and send queries to servers in the DNS server group bound to the rule.

Operating mechanism

When the device receives a user query and fails to find a matching local DNS entry, it searches the domain name rules in the user's VPN instance (or on the public network) in ascending order of rule IDs:

·     If the domain name in the query matches a domain name or subdomain name in a rule, the device sends the query to DNS servers in the DNS server group bound to the rule.

◦     After the device receives the reply, it sends the reply to the user and stores the DNS mapping in the local DNS cache.

◦     If no reply is received, the device turns to the next domain name rule.

·     If the domain name in the query does not match any domain names or subdomain names in all rules, the device does not forward the query to DNS servers in DNS server groups and the domain name resolution fails.

Examples

# Create DNS server group 1 and enter its view.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-dns-server-group-1]

Related commands

description

dns domain-rule

dns snooping enable

Use dns snooping enable to enable DNS snooping.

Use undo dns snooping enable to disable DNS snooping.

Syntax

dns snooping enable

undo dns snooping enable

Default

DNS snooping is disabled.

Views

System view

Predefined user roles

network-admin

Usage guidelines

Application scenarios

DNS snooping is applicable to the scenario where traffic filtering is based on domain names.

Operating mechanism

Other modules (for example, the address object group module) can obtain the IP addresses corresponding to domain names through DNS snooping only after they send domain name subscription requests to the DNS module.

With DNS snooping enabled, the device monitors the DNS requests and replies it receives and works as follows:

·     If the domain name in a DNS request matches a subscribed domain name, the device records the DNS mapping after receiving the DNS reply, and reports the mapping to the corresponding module for traffic filtering.

·     If the domain name does not match a subscribed domain name, the device does not record the DNS mapping.

When a domain name subscribed to by another module ages out, the DNS module notifies that module to delete the corresponding mapping, so that the mappings stay accurate.

Restrictions and guidelines

DNS snooping works only between the DNS client and DNS server, or the DNS client and DNS proxy.

The DNS snooping feature cannot be used across VPNs. Make sure the input and output interfaces of DNS packets on the device belong to the same VPN.
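The subscription, record-on-reply and age-out behaviour described under Operating mechanism can be captured as a small state machine. The following is an added example written for this page, not H3C code; DnsSnooper, its methods, the module name and the sample transactions are all constructed for illustration.

```python
# Added example, not H3C code: a model of the DNS snooping mechanism described
# above. A module subscribes to domain names; the snooper records a mapping only
# when a reply answers a request for a subscribed name, reports it to the
# subscribing module, and reports the deletion when the name ages out.
# DnsSnooper and its method names are illustrative.
from collections import defaultdict
from typing import Dict, List, Set, Tuple


class DnsSnooper:
    def __init__(self) -> None:
        self.subscriptions: Dict[str, Set[str]] = defaultdict(set)  # domain -> modules
        self.pending: Dict[int, str] = {}          # txid of a request for a subscribed name
        self.mappings: Dict[str, List[str]] = {}   # recorded domain -> addresses
        self.notifications: List[Tuple[str, str, str]] = []  # (module, action, domain)

    def subscribe(self, module: str, domain: str) -> None:
        self.subscriptions[domain.lower()].add(module)

    def on_request(self, txid: int, qname: str) -> bool:
        """Remember the transaction only if the queried name is subscribed."""
        q = qname.lower()
        if q not in self.subscriptions:
            return False
        self.pending[txid] = q
        return True

    def on_reply(self, txid: int, addresses: List[str]) -> bool:
        """Record the mapping and notify the subscribing modules; replies for
        unsubscribed names (no pending request) are not recorded."""
        q = self.pending.pop(txid, None)
        if q is None:
            return False
        self.mappings[q] = list(addresses)
        for module in sorted(self.subscriptions[q]):
            self.notifications.append((module, "add", q))
        return True

    def age_out(self, domain: str) -> bool:
        """Drop an aged mapping and tell the modules to delete theirs."""
        q = domain.lower()
        if self.mappings.pop(q, None) is None:
            return False
        for module in sorted(self.subscriptions[q]):
            self.notifications.append((module, "delete", q))
        return True


def run_sample() -> DnsSnooper:
    """Constructed traffic: one subscribed name, one unsubscribed name, one age-out."""
    snooper = DnsSnooper()
    snooper.subscribe("address-object-group", "www.example.com")
    snooper.on_request(0x1001, "www.example.com")
    snooper.on_request(0x1002, "www.example.org")        # not subscribed, ignored
    snooper.on_reply(0x1001, ["203.0.113.80", "203.0.113.81"])
    snooper.on_reply(0x1002, ["198.51.100.9"])           # no pending request, not recorded
    snooper.age_out("www.example.com")
    return snooper


if __name__ == "__main__":
    s = run_sample()
    print(s.mappings, s.notifications)
```

The model makes the filtering consequence visible: a domain-based filter only ever sees addresses for names that were subscribed and actually answered while snooping was active, and it loses them again when the DNS module ages the mapping out.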

Examples

# Enable DNS snooping.

<Sysname> system-view

[Sysname] dns snooping enable

dns source-interface

Use dns source-interface to specify the source interface for DNS packets.

Use undo dns source-interface to restore the default.

Syntax

dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

undo dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]

Default

No source interface is specified for DNS packets. The device uses the primary IP address of the output interface of the matching route as the source IP address for a DNS request.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a source interface on the public network, do not use this option.

Usage guidelines

This configuration applies to both IPv4 and IPv6.

In IPv4 DNS, the device uses the primary IPv4 address of the specified source interface as the source IP address of a DNS query. In IPv6 DNS, the device selects an IPv6 address of the specified source interface as the source IP address of a DNS query. The method of selecting the IPv6 address is defined in RFC 3484.

The system allows only one source interface for the public network or each VPN instance. If you execute this command multiple times, the most recent configuration takes effect. You can specify source interfaces for both public network and VPN instances.

This command takes effect whether the source interface belongs to the VPN instance or not. As a best practice, specify an interface that belongs to the VPN instance as the source interface.

Examples

# Specify Ten-GigabitEthernet 0/0/15 as the source interface for DNS packets on the public network.

<Sysname> system-view

[Sysname] dns source-interface ten-gigabitethernet 0/0/15

dns trust-interface

Use dns trust-interface to specify a DNS trusted interface.

Use undo dns trust-interface to remove a DNS trusted interface.

Syntax

dns trust-interface interface-type interface-number

undo dns trust-interface [ interface-type interface-number ]

Default

No DNS trusted interface is specified.

Views

System view

Predefined user roles

network-admin

Parameters

interface-type interface-number: Specifies an interface by its type and number.

Usage guidelines

By default, an interface obtains DNS suffix and DNS server information from DHCP. An attacker acting as the DHCP server could assign a wrong DNS suffix and DNS server address to the device, so that the device fails to resolve names or resolves them to wrong IP addresses. With DNS trusted interfaces specified, the device uses only the DNS suffix and DNS server information obtained through the trusted interfaces, which defeats such attacks.

This configuration applies to both IPv4 DNS and IPv6 DNS.

You can configure a maximum of 128 DNS trusted interfaces on the device.

If you do not specify an interface, the undo dns trust-interface command removes all DNS trusted interfaces and restores the default.

Examples

# Specify Ten-GigabitEthernet 0/0/15 as a DNS trusted interface.

<Sysname> system-view

[Sysname] dns trust-interface ten-gigabitethernet 0/0/15

domain-name

Use domain-name to add a domain name to a domain name group.

Use undo domain-name to delete a domain name from a domain name group.

Syntax

domain-name domain-name

undo domain-name domain-name

Default

A domain name group does not have domain names.

Views

Domain name group view

Predefined user roles

network-admin

Parameters

domain-name: Specifies a domain name, a dot-separated, case-insensitive string of up to 253 characters that can contain letters, digits, hyphens (-), underscores (_), and dots (.), for example, www.example.com. It cannot start or end with a dot (.) or contain two consecutive dots (..).

Usage guidelines

When the device matches the domain name in a query against the domain names in a domain name group, the match succeeds only when the domain name in the query is exactly the same as a domain name in the domain name group.

You can execute this command multiple times to add multiple domain names to a domain name group.

Examples

# Add domain name www.example.com to domain name group 1.

<Sysname> system-view

[Sysname] dns domain-name-group 1

[Sysname-domain-name-group-1] domain-name www.example.com

Related commands

dns domain-name-group

subdomain-name

ip host

Use ip host to create a host name-to-IPv4 address mapping.

Use undo ip host to remove a host name-to-IPv4 address mapping.

Syntax

ip host host-name ip-address [ vpn-instance vpn-instance-name ]

undo ip host host-name ip-address [ vpn-instance vpn-instance-name ]

Default

No host name-to-IPv4 address mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters that can contain letters, digits, hyphens (-), underscores (_), and dots (.). A host name must meet the following requirements:

·     The host name string is separated by dots (.). Each separated part can contain up to 63 characters.

·     The host name cannot start or end with a dot (.).

·     The host name cannot contain two consecutive dots (..).

ip-address: Specifies the IPv4 address of the host.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create a host name-to-IP address mapping for the public network, do not specify this option.

Usage guidelines

The system allows a maximum of 1024 host name-to-IPv4 address mappings for the public network or each VPN instance. You can configure host name-to-IPv4 address mappings for both public network and VPN instances.

Each host name maps to only one IPv4 address for the public network or a VPN instance. If you execute this command multiple times, the most recent configuration takes effect.

Do not use the ping command parameter ip, -a, -c, -f, -h, -i, -m, -n, -p, -q, -r, -s, -t, -tos, -v, or -vpn-instance as the host name. For more information about the ping command parameters, see Network Management and Monitoring Command Reference.

Examples

# Map IPv4 address 10.110.0.1 to host name aaa for the public network.

<Sysname> system-view

[Sysname] ip host aaa 10.110.0.1

Related commands

display dns host

ipv6 dns dscp

Use ipv6 dns dscp to set the DSCP value for IPv6 DNS packets sent by an IPv6 DNS client or DNS proxy.

Use undo ipv6 dns dscp to restore the default.

Syntax

ipv6 dns dscp dscp-value

undo ipv6 dns dscp

Default

The DSCP value is 0 in IPv6 DNS packets sent by an IPv6 DNS client or DNS proxy.

Views

System view

Predefined user roles

network-admin

Parameters

dscp-value: Specifies the DSCP value in the range of 0 to 63.

Usage guidelines

The DSCP value of a packet specifies the priority level of the packet and affects the transmission priority of the packet. A bigger DSCP value represents a higher priority.

Examples

# Set the DSCP value to 30 for outgoing IPv6 DNS packets.

<Sysname> system-view

[Sysname] ipv6 dns dscp 30

ipv6 dns server (system view)

Use ipv6 dns server to specify the IPv6 address of a DNS server.

Use undo ipv6 dns server to remove the IPv6 address of a DNS server.

Syntax

ipv6 dns server ipv6-address [ interface-type interface-number ] [ vpn-instance vpn-instance-name ]

undo ipv6 dns server [ ipv6-address [ interface-type interface-number ] ] [ vpn-instance vpn-instance-name ]

Default

No DNS server IPv6 address is specified.

Views

System view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

interface-type interface-number: Specifies the output interface by its type and number. If you do not specify an interface, the device forwards DNS packets out of the output interface of the matching route. Specify this argument if the IPv6 address of the DNS server is a link-local address. Do not specify this argument if the IPv6 address of the DNS server is a global unicast address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To specify a DNS server IPv6 address on the public network, do not use this option.

Usage guidelines

For dynamic DNS, the device sends a DNS query request to the DNS servers in the order their IPv6 addresses are specified.

The system allows a maximum of six DNS server IPv6 addresses for the public network or each VPN instance. You can specify DNS server IPv6 addresses for both public network and VPN instances.

If you do not specify an IPv6 address, the undo ipv6 dns server command removes all DNS server IPv6 addresses for the public network or the specified VPN instance.

Examples

# Specify DNS server IPv6 address 2002::1 for the public network.

<Sysname> system-view

[Sysname] ipv6 dns server 2002::1

Related commands

display ipv6 dns server

ipv6 dns server (DNS server group view)

Use ipv6 dns server to add an IPv6 DNS server to the DNS server group.

Use undo ipv6 dns server to delete an IPv6 DNS server from the DNS server group.

Syntax

ipv6 dns server ipv6-address [ interface-type interface-number ]

undo ipv6 dns server [ ipv6-address [ interface-type interface-number ] ]

Default

A DNS server group does not have any DNS servers.

Views

DNS server group view

Predefined user roles

network-admin

Parameters

ipv6-address: Specifies the IPv6 address of a DNS server.

interface-type interface-number: Specifies the output interface by its type and number. If you do not specify an interface, the device forwards DNS packets out of the output interface of the matching route. Specify this argument if the IPv6 address of the DNS server is a link-local address. Do not specify this argument if the IPv6 address of the DNS server is a global unicast address.

Usage guidelines

Operating mechanism

The device sends a DNS query to DNS servers in a DNS server group in the configuration order of their IPv6 addresses.

Restrictions and guidelines

A DNS server group supports a maximum of six IPv6 DNS server addresses.

If you do not specify the ipv6-address argument when you execute the undo ipv6 dns server command, the command deletes all IPv6 DNS server addresses from the DNS server group.

Examples

# Add DNS server 2000::1 to DNS server group 1.

<Sysname> system-view

[Sysname] dns server-group 1

[Sysname-dns-server-group-1] ipv6 dns server 2000::1

ipv6 host

Use ipv6 host to create a host name-to-IPv6 address mapping.

Use undo ipv6 host to remove a host name-to-IPv6 address mapping.

Syntax

ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

undo ipv6 host host-name ipv6-address [ vpn-instance vpn-instance-name ]

Default

No host name-to-IPv6 address mappings exist.

Views

System view

Predefined user roles

network-admin

Parameters

host-name: Specifies a host name, a case-insensitive string of 1 to 253 characters that can contain letters, digits, hyphens (-), underscores (_), and dots (.). A host name must meet the following requirements:

·     The host name string is separated by dots (.). Each separated part can contain up to 63 characters.

·     The host name cannot start or end with a dot (.).

·     The host name cannot contain two consecutive dots (..).

ipv6-address: Specifies the IPv6 address of the host.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. To create a host name-to-IPv6 address mapping for the public network, do not specify this option.

Usage guidelines

The system allows a maximum of 1024 host name-to-IPv6 address mappings for the public network or each VPN instance. You can configure host name-to-IPv6 address mappings for both public network and VPN instances.

Each host name maps to only one IPv6 address for the public network or a VPN instance. If you execute this command multiple times, the most recent configuration takes effect.

Do not use the ping ipv6 command parameter -a, -c, -i, -m, -q, -s, -t, -tc, -v, or -vpn-instance as the host name. For more information about the ping ipv6 command parameters, see Network Management and Monitoring Command Reference.
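The ip host and ipv6 host commands above state the same string rules for a host name (length, allowed characters, dot placement, 63-character parts) plus a per-family list of ping parameters that may not be used; the domain-name command states the same string rules. Checking these before pushing a configuration is straightforward. The following is an added example, not H3C code; validate_host_name is an illustrative name, and the case-insensitive treatment of the reserved words is an assumption noted in the code.

```python
# Added example, not H3C code: a validator for the host-name rules given for
# ip host and ipv6 host above (the domain-name command states the same string
# rules). validate_host_name is an illustrative name.
import re
from typing import Optional

# Reserved words copied from the ip host / ipv6 host usage guidelines.
RESERVED_PING_WORDS = {
    "ip": {"ip", "-a", "-c", "-f", "-h", "-i", "-m", "-n", "-p", "-q", "-r",
           "-s", "-t", "-tos", "-v", "-vpn-instance"},
    "ipv6": {"-a", "-c", "-i", "-m", "-q", "-s", "-t", "-tc", "-v", "-vpn-instance"},
}

# Letters, digits, hyphens and underscores are the characters allowed inside
# one dot-separated part.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def validate_host_name(name: str, family: str = "ip") -> Optional[str]:
    """Return None if `name` is acceptable for `family` ("ip" or "ipv6"),
    otherwise a short reason. Checks run in the order the page lists them."""
    if not 1 <= len(name) <= 253:
        return "length must be 1 to 253 characters"
    if name.startswith(".") or name.endswith("."):
        return "must not start or end with a dot"
    if ".." in name:
        return "must not contain two consecutive dots"
    for label in name.split("."):
        if len(label) > 63:
            return "a dot-separated part exceeds 63 characters"
        if not LABEL_RE.match(label):
            return f"part {label!r} has a disallowed character"
    # Assumption: because host names are case-insensitive, the reserved-word
    # comparison is done case-insensitively too.
    if name.lower() in RESERVED_PING_WORDS[family]:
        return f"{name!r} is a ping command parameter and cannot be a host name"
    return None


if __name__ == "__main__":
    for candidate in ["aaa", "www.example.com", "-a", ".example.com", "a..b", "web server"]:
        print(f"{candidate!r}: {validate_host_name(candidate) or 'ok'}")
```

Note that a name such as -a passes the character rule (hyphens are allowed) and is rejected only by the reserved-word check, which is why that check has to be explicit rather than folded into the character class.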

Examples

# Map IPv6 address 2001::1 to host name aaa for the public network.

<Sysname> system-view

[Sysname] ipv6 host aaa 2001::1

Related commands

ip host

reset dns host

Use reset dns host to clear dynamic DNS entries.

Syntax

reset dns host [ client | snooping ] [ ip | ipv6 ] [ vpn-instance vpn-instance-name ]

Views

User view

Predefined user roles

network-admin

Parameters

client: Clears dynamic DNS entries on the DNS client.

snooping: Clears dynamic DNS entries on the device enabled with DNS snooping.

ip: Specifies type A queries. A type A query resolves a domain name to the mapped IPv4 address.

ipv6: Specifies type AAAA queries. A type AAAA query resolves a domain name to the mapped IPv6 address.

vpn-instance vpn-instance-name: Specifies an MPLS L3VPN instance by its name, a case-sensitive string of 1 to 31 characters. If you do not specify a VPN instance, this command clears dynamic DNS entries for the public network.

Usage guidelines

If you do not specify the ip or ipv6 keyword, the reset dns host command clears dynamic DNS entries of all query types.

Use this command to clear the following dynamic DNS entries:

·     Dynamic DNS entries on the DNS client.

·     Dynamic DNS entries on the device enabled with DNS snooping.

To clear all the dynamic DNS entries, do not specify the client or snooping keyword.

Examples

# Clear dynamic DNS entries of all query types for the public network.

<Sysname> reset dns host

Related commands

display dns host

subdomain-name

Use subdomain-name to add a subdomain name to a domain name group.

Use undo subdomain-name to delete a subdomain name from a domain name group.

Syntax

subdomain-name subdomain-name

undo subdomain-name subdomain-name

Default

A domain name group does not have subdomain names.

Views

Domain name group view

Predefined user roles

network-admin

Parameters

subdomain-name: Specifies a subdomain name, a dot-separated, case-insensitive string that can contain letters, digits, hyphens (-), underscores (_), and dots (.), for example, .example.com. The subdomain name can include up to 253 characters, and each dot-separated part can contain up to 63 characters.

Usage guidelines

When the device matches the domain name in a query against the subdomain names in a domain name group, the match succeeds if the domain name in the query contains a subdomain name in the group. For example, example.net has two subdomain names a.example.net and b.example.net.

·     If you specify subdomain-name as .example.net, only a.example.net and b.example.net can match the specified subdomain name.

·     If you specify subdomain-name as example.net, example.net, a.example.net, and b.example.net can all match the specified subdomain name.

You can execute this command multiple times to add multiple subdomain names to a domain name group.
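The matching semantics spelled out above for domain-name (exact match) and subdomain-name (with and without the leading dot), together with the dns server-group operating mechanism earlier on this page (rules walked in ascending ID order, the bound server group queried in configuration order, the next rule tried when no reply arrives), are implemented below as one runnable model. This is an added example, not H3C code; DomainNameGroup, DomainRule, resolve, the sample groups, rule IDs and server addresses are constructed for illustration.

```python
# Added example, not H3C code: implements the matching rules described for
# domain-name (exact match), subdomain-name (suffix match, with and without
# a leading dot) and the dns server-group operating mechanism (rules walked in
# ascending ID order, bound server group queried in configuration order,
# next rule tried when no reply arrives). Class and function names are illustrative.
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


@dataclass
class DomainNameGroup:
    domain_names: Set[str] = field(default_factory=set)     # added with domain-name
    subdomain_names: Set[str] = field(default_factory=set)  # added with subdomain-name

    def matches(self, qname: str) -> bool:
        q = qname.lower().rstrip(".")  # names are case-insensitive; drop a wire-format trailing dot
        if any(q == d.lower() for d in self.domain_names):
            return True  # domain-name entries require an exact match
        for sub in self.subdomain_names:
            s = sub.lower()
            if s.startswith("."):
                # ".example.net" matches a.example.net but not example.net itself
                if q.endswith(s) and len(q) > len(s):
                    return True
            elif q == s or q.endswith("." + s):
                # "example.net" matches example.net and every name under it
                return True
        return False


@dataclass
class DomainRule:
    rule_id: int
    group: DomainNameGroup
    servers: List[str]  # the bound DNS server group, in configuration order


def resolve(
    qname: str,
    rules: List[DomainRule],
    query: Callable[[str, str], Optional[str]],
) -> Optional[Tuple[int, str, str]]:
    """Return (rule_id, server, answer) from the first rule whose group matches
    and whose server group replies; None if no rule matches or none replies."""
    for rule in sorted(rules, key=lambda r: r.rule_id):
        if not rule.group.matches(qname):
            continue
        for server in rule.servers:
            answer = query(server, qname)
            if answer is not None:
                return rule.rule_id, server, answer
        # no reply from this rule's server group: fall through to the next rule
    return None


# Constructed configuration: rule 1 covers strict subdomains of example.net,
# rule 2 covers example.net itself and everything under it, rule 3 one exact name.
GROUP_STRICT = DomainNameGroup(subdomain_names={".example.net"})
GROUP_LOOSE = DomainNameGroup(subdomain_names={"example.net"})
GROUP_EXACT = DomainNameGroup(domain_names={"www.example.com"})
RULES = [
    DomainRule(1, GROUP_STRICT, ["10.1.1.53"]),
    DomainRule(2, GROUP_LOOSE, ["10.2.2.53", "10.2.2.54"]),
    DomainRule(3, GROUP_EXACT, ["10.3.3.53"]),
]


def fake_query(server: str, qname: str) -> Optional[str]:
    """Constructed stand-in for a real query; 10.1.1.53 never replies."""
    answers = {
        ("10.2.2.54", "a.example.net"): "198.51.100.7",
        ("10.2.2.53", "example.net"): "198.51.100.1",
        ("10.3.3.53", "www.example.com"): "203.0.113.80",
    }
    return answers.get((server, qname))


if __name__ == "__main__":
    for name in ["a.example.net", "example.net", "www.example.com", "www.example.org"]:
        print(name, "->", resolve(name, RULES, fake_query))
```

In the sample, a.example.net matches rule 1 first, but its only server never replies, so the device falls through to rule 2, whose group also matches; example.net skips rule 1 entirely because the leading-dot form excludes the bare name. Running candidate names through a model like this before deploying rules is a cheap way to confirm that a suffix entry does not silently capture more (or less) than intended.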

Examples

# Add subdomain name com to domain name group 1.

<Sysname> system-view

[Sysname] dns domain-name-group 1

[Sysname-domain-name-group-1] subdomain-name com

Related commands

dns domain-name-group

domain-name
