Configuring dns in the web interface – H3C Technologies H3C SecPath F1000-E User Manual
Page 239
214
•
The device connects to the PSTN/ISDN network through a dial-up interface and triggers the
establishment of a dial-up connection only when packets are to be forwarded through the dial-up
interface.
•
The device serves as a DNS proxy and is specified as a DNS server on the hosts. After the dial-up
connection is established through the dial-up interface, the device dynamically obtains the DNS
server address through DHCP or other autoconfiguration mechanisms.
Without DNS spoofing enabled, the device forwards the DNS requests received from the hosts to the
DNS server, if it cannot find a match in the local domain name resolution table. However, without any
dial-up connection established, the device cannot obtain the DNS server address and cannot forward or
answer the requests from the clients. The domain name cannot be resolved and no traffic triggers the
establishment of a dial-up connection.
DNS spoofing can solve the problem. DNS spoofing enables the device to reply the DNS client with a
configured IP address when the device does not have a DNS server address or route to a DNS server.
Subsequent packets sent by the DNS client trigger the establishment of a dial-up connection with the
, a host accesses the HTTP server in following these steps.
1.
The host sends a DNS request to the device to resolve the domain name of the HTTP server into an
IP address.
2.
Upon receiving the request, the device searches the local static and dynamic DNS entries for a
match. If no match is found and the device does know the DNS server address, the device spoofs
the host by replying a configured IP address. The TTL of the DNS reply is 0. Note that the device
must have a route to the IP address with the dial-up interface as the outgoing interface.
3.
Upon receiving the reply, the host sends an HTTP request to the replied IP address.
4.
When forwarding the HTTP request through the dial-up interface, the device establishes a dial-up
connection with the network and dynamically obtains the DNS server address through DHCP or
other autoconfiguration mechanisms.
5.
When the DNS reply ages out, the host sends a DNS request to the device again.
6.
Then the device operates the same as a DNS proxy.
7.
After obtaining the IP address of the HTTP server, the host can access the HTTP server.
NOTE:
Because the IP address configured with DNS spoofing is not the actual IP address of the requested domain
name, the TTL of the DNS reply is set to 0 to prevent the DNS client from generating incorrect domain
name-to-IP address mappings.
Configuring DNS in the web interface
DNS provides the following functions:
•
Static name resolution—Name resolution is carried out through manually configured name
resolution entries.
•
Dynamic name resolution—A device resolves domain names through the DNS server.
•
DNS proxy—You can configure a device as a DNS proxy.
- H3C SecPath F5000-A5 Firewall H3C SecPath F1000-A-EI H3C SecPath F1000-E-SI H3C SecPath F1000-S-AI H3C SecPath F5000-S Firewall H3C SecPath F5000-C Firewall H3C SecPath F100-C-SI H3C SecPath F1000-C-SI H3C SecPath F100-A-SI H3C SecBlade FW Cards H3C SecBlade FW Enhanced Cards H3C SecPath U200-A U200-M U200-S H3C SecPath U200-CA U200-CM U200-CS H3C SecBlade LB Cards H3C SecPath L1000-A Load Balancer