Specifying the Source Interface for DNS Packets; Configuring the DNS Trusted Interface - HPE FlexNetwork HSR6800 Configuration Manual

Comware 7 Layer 3, IP Services

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable DNS proxy. | dns proxy enable | By default, DNS proxy is disabled. |
| 3. Enable DNS spoofing and specify the IP address used to spoof DNS requests. | Specify an IPv4 address: dns spoofing ip-address [ vpn-instance vpn-instance-name ] | By default, DNS spoofing is disabled. You can specify both an IPv4 address and an IPv6 address. As a best practice, specify a private IP address on the device. |
| | Specify an IPv6 address: ipv6 dns spoofing ipv6-address [ vpn-instance vpn-instance-name ] | |
| 4. Configure the device to track the network mode of an output interface. | dns spoofing track controller interface-type interface-number | By default, the device does not track the network mode of an output interface. |

Specifying the source interface for DNS packets

This task enables the device to always use the primary IP address of the specified source interface as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is configured on the source interface, no DNS packets can be sent out.

When sending an IPv6 DNS request, the device follows the method defined in RFC 3484 to select an IPv6 address of the source interface.

You can configure only one source interface on the public network or a VPN instance. You can configure the source interface for both public network and VPN instances.

To specify the source interface for DNS packets:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Specify the source interface for DNS packets. | dns source-interface interface-type interface-number [ vpn-instance vpn-instance-name ] | By default, no source interface for DNS packets is specified. If you execute the command multiple times, the most recent configuration takes effect. If you specify the vpn-instance vpn-instance-name option, make sure the source interface is on the specified VPN. |

Configuring the DNS trusted interface

This task enables the device to use only the DNS suffix and domain name server information obtained through the trusted interface. The device can then obtain the correct resolved IP address. This feature protects the device against attackers that act as the DHCP server to assign an incorrect DNS suffix and domain name server address.

To configure the DNS trusted interface:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
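
As an added example (not from the HPE manual), the following Python script checks a saved configuration against two requirements from the source-interface section above: the source interface must have an IP address, and when the vpn-instance option is used the interface must be on the specified VPN. The sample configuration is constructed, the function names are hypothetical, and the interface-view lines it parses (ip address, ip binding vpn-instance) are assumed to appear as they do in a Comware 7 configuration file; only IPv4 primary addresses are checked.

```python
import re

# Constructed sample, laid out like a Comware 7 saved configuration (assumed layout).
SAMPLE_CONFIG = """\
interface LoopBack0
 ip address 10.0.0.1 255.255.255.255
interface GigabitEthernet1/0/1
 ip binding vpn-instance vpn1
interface GigabitEthernet1/0/2
 ip address 192.168.2.1 255.255.255.0
#
dns source-interface LoopBack0
dns source-interface GigabitEthernet1/0/1 vpn-instance vpn1
dns source-interface GigabitEthernet1/0/2 vpn-instance vpn2
"""

def parse_interfaces(config):
    """Map each interface name to its primary-IPv4 flag and bound VPN instance."""
    ifaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split()[1], {"primary": False, "vpn": None})
        elif not line.startswith(" "):
            current = None  # an unindented line ends the interface view
        elif current is not None:
            words = line.split()
            if words[:2] == ["ip", "address"] and "sub" not in words:
                current["primary"] = True  # "sub" marks a secondary address
            elif words[:3] == ["ip", "binding", "vpn-instance"] and len(words) > 3:
                current["vpn"] = words[3]
    return ifaces

def audit_dns_source(config):
    """Return (finding, interface) tuples for every dns source-interface line."""
    ifaces, findings = parse_interfaces(config), []
    for line in config.splitlines():
        m = re.fullmatch(r"dns source-interface (\S+)(?: vpn-instance (\S+))?", line.strip())
        if not m:
            continue
        name, vpn = m.groups()
        iface = ifaces.get(name, {"primary": False, "vpn": None})
        if not iface["primary"]:
            findings.append(("no-primary-ip", name))  # no DNS packets can be sent out
        if vpn and iface["vpn"] != vpn:
            findings.append(("vpn-mismatch", name))   # interface is not on that VPN
    return findings

if __name__ == "__main__":
    print(audit_dns_source(SAMPLE_CONFIG))
```
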
