DHCP relay agent configuration task list, Enabling DHCP, Specifying the source interface for DNS packets – H3C Technologies H3C S12500 Series Switches User Manual
Page 86: Configuring the DNS trusted interface

To configure DNS spoofing:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable DNS proxy. | dns proxy enable | By default, DNS proxy is disabled. |
| 3. Enable DNS spoofing and specify the translated IPv4 address. | dns spoofing ip-address [ vpn-instance vpn-instance-name ] | By default, no translated IP address is specified. |
Specifying the source interface for DNS packets
By default, the device uses the primary IP address of the output interface of the matching route as the
source IP address of a DNS request. The source IP address of DNS packets may therefore vary with the
DNS server. In some scenarios, the DNS server responds only to DNS requests sourced from a specific
IP address. In such cases, you must specify the source interface for DNS packets so that the device
always uses the primary IP address of the specified source interface as the source IP address of DNS
packets.
When sending an IPv4 DNS request, the device uses the primary IPv4 address of the source interface as the
source IP address of the DNS request. If no IP address is configured on the source interface, the DNS
packet fails to be delivered.
You can configure only one source interface on the public network or in a VPN. If you configure a new
source interface, the last configuration takes effect.
To specify the source interface for DNS packets:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify the source interface for DNS packets. | dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ] | By default, no source interface for DNS packets is specified. If you specify the vpn-instance vpn-instance-name option, make sure the source interface is on the specified VPN. |
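The three constraints above (one effective source interface per public network or VPN, an IP address on that interface, and the interface belonging to the specified VPN) can be checked offline against a saved configuration. The following is an added example, not code from the manual or from H3C: the sample configuration is constructed, and the interface-view lines `ip address` and `ip binding vpn-instance` are assumed from Comware and do not appear on this page.

```python
import re

# Constructed sample in the style of a Comware configuration; not from the manual.
SAMPLE = """\
interface Vlan-interface10
 ip address 192.0.2.1 255.255.255.0
interface Vlan-interface20
 ip binding vpn-instance blue
interface LoopBack0
dns source-interface Vlan-interface10
dns source-interface LoopBack0
dns source-interface Vlan-interface20 vpn-instance red
"""

SRC_RE = re.compile(r"^dns source-interface (.+?)(?: vpn-instance (\S+))?[ \t]*$", re.M)

def norm(name):  # "LoopBack 0" and "LoopBack0" name the same interface
    return "".join(name.split())

def parse_interfaces(config):
    """Return {interface: {"has_ip": bool, "vpn": str or None}}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if line.startswith("interface "):
            current = interfaces.setdefault(norm(line[10:]), {"has_ip": False, "vpn": None})
        elif current is not None and line.startswith(" "):
            current["has_ip"] |= words[:2] == ["ip", "address"]
            if words[:3] == ["ip", "binding", "vpn-instance"] and len(words) > 3:
                current["vpn"] = words[3]
        else:
            current = None  # any unindented line ends the interface view
    return interfaces

def audit_dns_source(config):
    """Return sorted (scope, interface, issue) findings for dns source-interface lines."""
    interfaces, effective, findings = parse_interfaces(config), {}, []
    for m in SRC_RE.finditer(config):
        scope, name = m.group(2) or "public", norm(m.group(1))
        if effective.get(scope, name) != name:  # only the last one per scope takes effect
            findings.append((scope, effective[scope], "overridden"))
        effective[scope] = name
    for scope, name in effective.items():
        # An interface missing from the config is treated as having no address.
        info = interfaces.get(name, {"has_ip": False, "vpn": None})
        if not info["has_ip"]:  # DNS packets would fail to be delivered
            findings.append((scope, name, "no-ip-address"))
        if (info["vpn"] or "public") != scope:
            findings.append((scope, name, "vpn-mismatch"))
    return sorted(findings)
```

Calling `audit_dns_source(SAMPLE)` reports the overridden public-network entry, the two source interfaces without an address, and the interface bound to a different VPN than the one named in the command.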
Configuring the DNS trusted interface
By default, an interface obtains DNS suffix and domain name server information from DHCP. A
network attacker may act as the DHCP server and assign a wrong DNS suffix and domain name server
address to the device. As a result, the device fails to get the resolved IP address or may get the wrong IP
address. With the DNS trusted interface specified, the device uses only the DNS suffix and domain name
server information obtained through the trusted interface, which avoids this attack.
To configure the DNS trusted interface:
| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |