Cisco Web Security Appliance S380 User Guide
IronPort AsyncOS 6.3 for Web User Guide
CONFIGURING DNS SERVER(S)
You can configure the DNS settings for your IronPort appliance using the Network > DNS
page or using the dnsconfig command. Before you configure DNS, consider the following:
• Whether to use the Internet’s DNS servers or your own, and which specific server(s) to
use.
• Which routing table to use for DNS traffic.
You must use the routing table associated with the interface that faces the DNS server,
either Data or Management.
• The number of seconds to wait before timing out a reverse DNS lookup.
• Clearing the DNS cache.
Specifying DNS Servers
IronPort AsyncOS can use the Internet root DNS servers, your own DNS servers, or the
Internet root DNS servers and authoritative DNS servers that you specify. When using the
Internet root servers, you can specify alternate servers to use for specific domains. Since an
alternate DNS server applies to a single domain, it must be authoritative (provide definitive
DNS records) for that domain.
Split DNS
AsyncOS supports split DNS where internal servers are configured for specific domains and
external or root DNS servers are configured for other domains. If you are using your own
internal server, you can also specify exception domains and associated DNS servers.
Using the Internet Root Servers
The IronPort AsyncOS DNS resolver is designed to accommodate a large number of
simultaneous DNS connections.
Multiple Entries and Priority
For each DNS server you enter, you can specify a numeric priority. AsyncOS will attempt to
use the DNS server with the priority closest to 0. If that DNS server is not responding,
AsyncOS will attempt to use the server at the next priority. If you specify multiple entries for
DNS servers with the same priority, the system randomizes the list of DNS servers at that
priority every time it performs a query. The system then waits a short amount of time for the
first query to expire or “time out” and then waits a slightly longer amount of time
for subsequent servers. The amount of time depends on the exact number of DNS servers and
priorities that have been configured. The timeout length is the same for all IP addresses at any
particular priority. The first priority gets the shortest timeout, and each subsequent priority gets a
longer timeout. The total timeout period is roughly 60 seconds. If you have one priority, the
timeout for each server at that priority is 60 seconds. If you have two priorities, the timeout for
each server at the first priority is 15 seconds, and each server at the second priority is 45
seconds. For three priorities, the timeout increments are 5, 10, 45.
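The following is an added example, not code from Cisco or from AsyncOS, that models the two selection rules described on this page: split DNS (a server configured for a specific domain is authoritative for names under that domain and is used instead of the general list) and priority ordering with per-priority timeouts (priority closest to 0 first, ties shuffled on every query, the roughly 60-second budget split across priorities as 60 / 15,45 / 5,10,45). The server addresses, the exception domain, the `send` responder and the even split used for more than three priorities are all constructed assumptions for the demo; the timeout figures for one to three priorities are the ones stated in the text.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsServer:
    ip: str
    priority: int = 0  # closest to 0 is tried first


# Per-priority timeouts, in seconds, as documented for 1, 2 and 3 priorities.
TIMEOUT_SCHEDULE = {1: [60], 2: [15, 45], 3: [5, 10, 45]}


def timeouts_for(num_priorities):
    """Timeout for each priority level, first level first."""
    if num_priorities in TIMEOUT_SCHEDULE:
        return TIMEOUT_SCHEDULE[num_priorities]
    # Assumption (not documented): split the ~60 s budget evenly.
    return [60 // num_priorities] * num_priorities


def query_order(servers, rng=random):
    """Return [(server, timeout_seconds), ...] in the order the resolver tries them:
    lowest priority number first; servers sharing a priority are shuffled per query,
    and all servers at one priority get the same timeout."""
    priorities = sorted({s.priority for s in servers})
    order = []
    for prio, timeout in zip(priorities, timeouts_for(len(priorities))):
        bucket = [s for s in servers if s.priority == prio]
        rng.shuffle(bucket)
        order.extend((s, timeout) for s in bucket)
    return order


def pick_servers(name, general_servers, exception_domains):
    """Split DNS: if `name` falls under a configured exception domain, only that
    domain's authoritative servers are used; otherwise the general list.
    The longest matching suffix wins, so corp.example.com beats example.com."""
    labels = name.lower().rstrip(".").split(".")
    best = None
    for domain, servers in exception_domains.items():
        dl = domain.lower().rstrip(".").split(".")
        if labels[-len(dl):] == dl and (best is None or len(dl) > len(best[0])):
            best = (dl, servers)
    return best[1] if best else general_servers


def resolve(name, general_servers, exception_domains, send, rng=random):
    """Try servers in query order until one answers. `send(server, name, timeout)`
    returns an answer or None when the server times out. Returns (answer, attempts),
    where attempts lists the IPs tried in order; answer is None if all timed out."""
    attempts = []
    candidates = pick_servers(name, general_servers, exception_domains)
    for server, timeout in query_order(candidates, rng):
        attempts.append(server.ip)
        answer = send(server, name, timeout)
        if answer is not None:
            return answer, attempts
    return None, attempts


# Constructed configuration for the demo (documentation address ranges).
GENERAL_SERVERS = [
    DnsServer("192.0.2.10", 0),
    DnsServer("192.0.2.11", 0),
    DnsServer("198.51.100.5", 1),
]
# Internal authoritative server for one domain only (split DNS exception).
EXCEPTIONS = {"corp.example.com": [DnsServer("10.0.0.53", 0)]}


def demo_send(server, name, timeout):
    """Constructed responder: 192.0.2.10 never answers, everyone else does."""
    if server.ip == "192.0.2.10":
        return None
    return f"{name} answered by {server.ip} (timeout {timeout}s)"


if __name__ == "__main__":
    print(query_order(GENERAL_SERVERS))
    print(resolve("www.example.org", GENERAL_SERVERS, EXCEPTIONS, demo_send))
    print(resolve("host.corp.example.com", GENERAL_SERVERS, EXCEPTIONS, demo_send))
```

Because ties at one priority are shuffled, the first attempt against the general list may be either priority-0 address, but the non-responding one is only ever followed by its sibling at the same priority; the priority-1 server is reached only after every priority-0 server has timed out, which is the behaviour to verify when you test a new DNS configuration from the appliance.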