DNS Proxy configuration
2.4.1 DNS Proxy Introduction
1. Overview
DNS proxy means running a DNS relay (agent) on the firewall. When there is no DNS server inside the LAN, intranet clients send their DNS queries to the firewall, which relays them to an external DNS server; once names resolve correctly, the clients can access the Internet.
2. Working mechanism of DNS proxy
(1) The DNS client sends its DNS request to the DNS proxy. The destination address of the request is the IP address of the DNS proxy.
(2) On receiving the request, the DNS proxy replaces the destination address with the IP address of a configured DNS server and forwards the request to that server. If several DNS server addresses are configured on the DNS proxy, the proxy sends the request to the first server. If the first server does not respond, the DNS client times out and resends the request; the DNS proxy receives the retransmitted request and forwards it to the second server, and so on, until a DNS server returns a response.
(3) When the DNS server's response reaches the DNS proxy, the proxy replaces the source IP address of the response with its own IP address and forwards it to the DNS client. The client then uses the resolved IP address to access the Internet.
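The three steps above, modelled as an added example (not H3C code and not part of the original page). The network is replaced by a `transport(server_ip, payload)` callable so the exchange runs offline: the constructed upstream has the first configured server silent and the second answering, which exercises the client-timeout-and-retry path that moves the proxy on to the next server. The client address 10.1.1.10, the backup server 10.72.66.37 and the answer 203.0.113.7 are assumptions; the check that a reply carries the transaction ID of the query the proxy actually forwarded is an addition the page's description does not mention, but it is what keeps a relay like this from accepting an unrelated or spoofed answer.

```python
import random
import struct

PROXY_IP = "10.1.1.1"                         # firewall LAN address from the page's example
CLIENT_IP = "10.1.1.10"                       # assumed client address
DNS_SERVERS = ["10.72.66.36", "10.72.66.37"]  # first from the page; second is an assumed backup


def build_query(name, txid=None, qtype=1):
    """Standard recursive query (flags 0x0100) for `name`; qtype 1 = A record."""
    txid = random.randrange(0x10000) if txid is None else txid
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode() for p in labels) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def build_a_response(query, ip):
    """Answer `query` with one A record; the answer name is a pointer (0xC00C) to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes(int(o) for o in ip.split("."))
    return hdr + query[12:] + rr


def _skip_name(msg, off):
    """Advance past a (possibly compressed) domain name starting at `off`."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n


def first_a_record(msg):
    """Return the first A record address in a DNS response, or None."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen
    return None


class DnsProxy:
    """Models the three steps above. `transport(server_ip, payload)` stands in for the
    network and returns the server's reply bytes, or None when the server does not answer."""

    def __init__(self, servers, transport):
        self.servers = list(servers)
        self.current = 0        # which configured server is tried next
        self.transport = transport
        self.forwarded = []     # (server_ip, txid) for every request the proxy sent on

    def handle(self, src, dst, payload):
        """Step 1: a request arrives addressed to the proxy. Returns (src, dst, reply) or None."""
        if dst != PROXY_IP:
            return None
        txid = struct.unpack("!H", payload[:2])[0]
        server = self.servers[self.current]
        self.forwarded.append((server, txid))
        reply = self.transport(server, payload)          # step 2: destination rewritten to the real server
        if reply is None:                                # no answer: the client's retry goes to the next server
            self.current = (self.current + 1) % len(self.servers)
            return None
        if struct.unpack("!H", reply[:2])[0] != txid:    # added check: only accept the answer to our query
            return None
        return (PROXY_IP, src, reply)                    # step 3: source rewritten to the proxy address


def resolve(proxy, name, retries=3):
    """Client side: query the proxy, resend on timeout. Returns (address, attempts_used)."""
    for attempt in range(1, retries + 1):
        reply = proxy.handle(CLIENT_IP, PROXY_IP, build_query(name))
        if reply is not None:
            src, dst, payload = reply
            if src == PROXY_IP and dst == CLIENT_IP:     # the client only sees the proxy, never the real server
                return first_a_record(payload), attempt
    return None, retries


def fake_upstream(server_ip, payload):
    """Constructed upstream: the first configured server is down, the second answers."""
    if server_ip == "10.72.66.36":
        return None
    return build_a_response(payload, "203.0.113.7")


if __name__ == "__main__":
    proxy = DnsProxy(DNS_SERVERS, fake_upstream)
    print(resolve(proxy, "www.example.com"), proxy.forwarded)
```

Running it shows the first query going to 10.72.66.36 and timing out, the client's second attempt being forwarded to 10.72.66.37, and the client receiving 203.0.113.7 in a packet whose source is 10.1.1.1: the client never learns the real server's address, which is exactly the point of step (3).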
2.4.2 DNS Proxy Configuration
1. Configuration Preparation
Before configuring the DNS proxy function, complete the following:
Configure the address of the real DNS server on the DNS proxy (the firewall).
Set the DNS server on the PC to the IP address of the firewall on which DNS proxy is enabled.
Ensure that the DNS proxy is reachable from the DNS client and that the DNS proxy can reach the DNS server.
2. Configure DNS Proxy
The DNS proxy function is enabled on the firewall (the dns-proxy enable command in system view); the real DNS server address is configured on the firewall as well.
2.4.3 DNS Proxy Typical configuration example
1. Networking Requirements
There is no DNS server in the LAN, so the PCs on the internal 10.1.1.0/24 segment must resolve domain names through a DNS server on the extranet. Requirements:
The firewall supports DNS proxy;
The IP address of the extranet DNS server is 10.72.66.36/24.
2. Configuration steps
(1) Configure the firewall
# Configure the IP address of Ethernet 1/0/0 (the interface facing the clients).
[H3C] interface Ethernet 1/0/0
[H3C-Ethernet1/0/0] ip address 10.1.1.1 255.255.255.0
[H3C-Ethernet1/0/0] quit
# Configure outbound NAT so that clients on 10.1.1.0/24 can access the Internet after their names resolve through the DNS proxy.
[H3C] acl number 2000
[H3C-acl-basic-2000] rule 0 permit source 10.1.1.0 0.0.0.255
[H3C-acl-basic-2000] quit
[H3C] interface Ethernet 1/0/1
[H3C-Ethernet1/0/1] ip address 10.1.2.1 255.255.255.0
[H3C-Ethernet1/0/1] nat outbound 2000
[H3C-Ethernet1/0/1] quit
# Enable the DNS proxy function.
[H3C] dns-proxy enable
# Configure the real DNS server address.
[H3C] dns server 10.72.66.36
# Configure routing (omitted).
Make sure the firewall has routes to the client segment and to the DNS server.
(2) Configure the PC
Set the PC's default gateway and DNS server address to 10.1.1.1.
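An offline check of the preparation items in 2.4.2 against the configuration in 2.4.3, as an added example (not H3C tooling, not part of the original page). It parses a constructed copy of the CLI shown above, in the layout of a saved Comware configuration with `#` view separators, and verifies that dns-proxy is enabled, that a real DNS server is configured, that the address the PCs point at is a firewall address on the client segment, and that the client segment is matched by the ACL bound with nat outbound on some interface (the condition that lets the clients use the resolved addresses). The command syntax is taken from the page; the parser covers only these commands and is an assumption about how they appear in a saved configuration.

```python
import ipaddress
import re

# Constructed copy of the CLI from the typical configuration example (section 2.4.3).
SAMPLE_CONFIG = """\
interface Ethernet 1/0/0
 ip address 10.1.1.1 255.255.255.0
#
acl number 2000
 rule 0 permit source 10.1.1.0 0.0.0.255
#
interface Ethernet 1/0/1
 ip address 10.1.2.1 255.255.255.0
 nat outbound 2000
#
dns-proxy enable
dns server 10.72.66.36
"""


def wildcard_to_prefix(wildcard):
    """Convert a Comware ACL wildcard mask (0 bits = must match) to a prefix length."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return 32 - bits.bit_length()


def parse_config(text):
    """Extract interfaces, basic ACL permit rules, the dns-proxy switch and dns server entries."""
    cfg = {"interfaces": {}, "acls": {}, "dns_proxy": False, "dns_servers": []}
    ctx = None  # ("if", name) or ("acl", number) while inside a view
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"interface\s+(.+)", line):
            ctx = ("if", m.group(1).replace(" ", ""))   # "Ethernet 1/0/0" -> "Ethernet1/0/0"
            cfg["interfaces"][ctx[1]] = {"ip": None, "nat_acl": None}
        elif m := re.match(r"acl number (\d+)", line):
            ctx = ("acl", int(m.group(1)))
            cfg["acls"][ctx[1]] = []
        elif line in ("#", "quit"):
            ctx = None
        elif ctx and ctx[0] == "if" and (m := re.match(r"ip address (\S+) (\S+)", line)):
            cfg["interfaces"][ctx[1]]["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif ctx and ctx[0] == "if" and (m := re.match(r"nat outbound (\d+)", line)):
            cfg["interfaces"][ctx[1]]["nat_acl"] = int(m.group(1))
        elif ctx and ctx[0] == "acl" and (m := re.match(r"rule \d+ permit source (\S+) (\S+)", line)):
            prefix = wildcard_to_prefix(m.group(2))
            cfg["acls"][ctx[1]].append(ipaddress.ip_network(f"{m.group(1)}/{prefix}", strict=False))
        elif line == "dns-proxy enable":
            cfg["dns_proxy"] = True
        elif m := re.match(r"dns server (\S+)", line):
            cfg["dns_servers"].append(ipaddress.ip_address(m.group(1)))
    return cfg


def check_dns_proxy(cfg, client_net, proxy_ip):
    """Return the list of unmet preparation items (empty when the setup is consistent)."""
    client_net = ipaddress.ip_network(client_net)
    proxy_ip = ipaddress.ip_address(proxy_ip)
    problems = []
    if not cfg["dns_proxy"]:
        problems.append("dns-proxy enable is missing")
    if not cfg["dns_servers"]:
        problems.append("no real DNS server address configured (dns server)")
    ifaces = [i for i in cfg["interfaces"].values() if i["ip"] is not None]
    if not any(i["ip"].ip == proxy_ip and client_net.subnet_of(i["ip"].network) for i in ifaces):
        problems.append(f"{proxy_ip} is not a firewall address on {client_net}; clients cannot reach the proxy")
    covered = False
    for name, i in cfg["interfaces"].items():
        acl = i["nat_acl"]
        if acl is None:
            continue
        if acl not in cfg["acls"]:
            problems.append(f"{name}: nat outbound references undefined ACL {acl}")
        elif any(client_net.subnet_of(n) for n in cfg["acls"][acl]):
            covered = True
    if not covered:
        problems.append(f"{client_net} is not matched by any nat outbound ACL; clients will not reach the Internet")
    return problems


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(check_dns_proxy(cfg, "10.1.1.0/24", "10.1.1.1") or "all preparation items met")
```

Pointing the check at a configuration with the `nat outbound 2000` line removed, or with the PCs' DNS address set to 10.1.2.1 instead of 10.1.1.1, reports the missing item by name; the routing requirement in the page's last firewall step is not visible in these commands and still has to be verified on the box.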