Specifying the source interface for dns packets, Configuring the dns trusted interface – H3C Technologies H3C S5560 Series Switches User Manual

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Enable DNS proxy.
    Command: dns proxy enable
    Remarks: By default, DNS proxy is disabled.

Step 3. Enable DNS spoofing and specify the translated IP address.
    Command:
        Specify a translated IPv4 address:
            dns spoofing ip-address [ vpn-instance vpn-instance-name ]
        Specify a translated IPv6 address:
            ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ]
    Remarks: Use at least one command. By default, no translated IP address is specified.

Specifying the source interface for DNS packets

This task enables the device to always use the primary IP address of the specified source interface as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is configured on the source interface, no DNS packets can be sent out.

When sending an IPv6 DNS request, the device follows the method defined in RFC 3484 to select an IPv6 address of the source interface.

You can configure only one source interface on the public network or a VPN. You can configure the source interface for the public network and a maximum of 1024 VPNs.

To specify the source interface for DNS packets:

Step 1. Enter system view.
    Command: system-view
    Remarks: N/A

Step 2. Specify the source interface for DNS packets.
    Command: dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ]
    Remarks: By default, no source interface for DNS packets is specified.
        If you execute the command multiple times, the most recent configuration takes effect.
        If you specify the vpn-instance vpn-instance-name option, make sure the source interface is on the specified VPN.
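
The rules above (the source interface needs an IP address, the most recent command wins, and the interface must be on the specified VPN) can be checked offline against a saved configuration. The following Python audit is an added example, not part of the H3C manual; the configuration text is constructed, and its layout (interface stanzas, an "ip binding vpn-instance" line under the interface) is an assumption about how the running configuration is displayed.

```python
import re

# Constructed sample in running-configuration style (assumed layout, not from the manual).
SAMPLE_CONFIG = """\
interface Vlan-interface10
 ip address 192.0.2.1 255.255.255.0
#
interface LoopBack0
#
dns source-interface LoopBack0
dns source-interface Vlan-interface10 vpn-instance vpn-a
"""

def parse_interfaces(config):
    """Map interface name -> {'ip': primary IPv4 or None, 'vpn': VPN name or None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].replace(" ", "")
            interfaces[current] = {"ip": None, "vpn": None}
        elif not line.startswith(" "):
            current = None  # left the interface stanza
        elif current:
            words = line.split()
            if words[:2] == ["ip", "address"] and "sub" not in words:
                interfaces[current]["ip"] = words[2]  # primary address only
            elif words[:3] == ["ip", "binding", "vpn-instance"]:
                interfaces[current]["vpn"] = words[3]
    return interfaces

def audit_dns_source(config):
    """Return one finding per rule broken by the effective dns source-interface lines."""
    interfaces, chosen = parse_interfaces(config), {}
    pattern = re.compile(r"^dns source-interface (.+?)(?: vpn-instance (\S+))?$")
    for line in config.splitlines():
        m = pattern.match(line)
        if m:  # a later command for the same VPN replaces the earlier one
            chosen[m.group(2)] = m.group(1).replace(" ", "")
    findings = []
    for vpn, name in chosen.items():  # key None means the public network
        iface = interfaces.get(name)
        scope = vpn or "public network"
        if iface is None:
            findings.append(f"{scope}: {name} is not defined")
            continue
        if iface["ip"] is None:
            findings.append(f"{scope}: {name} has no IP address, DNS packets cannot be sent")
        if iface["vpn"] != vpn:
            findings.append(f"{scope}: {name} is not on this VPN")
    return findings
```

Calling audit_dns_source(SAMPLE_CONFIG) reports the address-less LoopBack0 and the VPN mismatch on Vlan-interface10.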

Configuring the DNS trusted interface

By default, an interface obtains DNS suffix and domain name server information from DHCP. A network attacker might act as the DHCP server and assign an incorrect DNS suffix and domain name server address to the device. As a result, the device fails to get the resolved IP address or might get the wrong IP address. With the DNS trusted interface specified, the device uses only the DNS suffix and domain name server information obtained through the trusted interface, which avoids such attacks.
To configure the DNS trusted interface:
