Cisco Email Security Appliance X1070 User Guide
Cisco IronPort AsyncOS 7.1 for Email Configuration Guide
OL-22158-02
Chapter 15 System Administration
For example, suppose you configure four DNS servers, with two of them at
priority 0, one at priority 1, and one at priority 2, as listed in Table 15-12.
AsyncOS will randomly choose between the two servers at priority 0. If one of the
priority 0 servers is down, the other will be used. If both of the priority 0 servers
are down, the priority 1 server (1.2.3.6) is used, and then, finally, the priority 2
(1.2.3.7) server.
The timeout period is the same for both priority 0 servers, longer for the priority
1 server, and longer still for the priority 2 server.
Using the Internet Root Servers
The IronPort AsyncOS DNS resolver is designed to accommodate the large
number of simultaneous DNS connections required for high-performance email
delivery.
Note
If you choose to set the default DNS server to something other than the Internet
root servers, that server must be able to recursively resolve queries for domains
for which it is not an authoritative server.
Reverse DNS Lookup Timeout
The IronPort appliance attempts to perform a “double DNS lookup” on all remote
hosts connecting to a listener for the purposes of sending or receiving email. [That
is: the system acquires and verifies the validity of the remote host's IP address by
performing a double DNS lookup. This consists of a reverse DNS (PTR) lookup
on the IP address of the connecting host, followed by a forward DNS (A) lookup
on the results of the PTR lookup. The system then checks that the results of the A
lookup match the results of the PTR lookup. If the results do not match, or if an
Table 15-12 Example of DNS Servers, Priorities, and Timeout Intervals

Priority   Server(s)          Timeout (seconds)
0          1.2.3.4, 1.2.3.5   5, 5
1          1.2.3.6            10
2          1.2.3.7            45
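The double DNS lookup described under Reverse DNS Lookup Timeout, sketched as an added example that is not code from the guide or from AsyncOS. It assumes "match" means the forward lookup returns the connecting IP address, and the verdict names, the timeout handling and the sample zone data are all constructed for illustration.

```python
import ipaddress
import socket

def system_ptr(ip):
    """Reverse (PTR) lookup via the OS resolver; returns candidate hostnames."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [name, *aliases]

def system_forward(name):
    """Forward (A/AAAA) lookup via the OS resolver; returns address strings."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return [info[4][0] for info in infos]

def double_dns_lookup(ip, ptr=system_ptr, forward=system_forward):
    """Return (verdict, hostname); verdict is one of the hypothetical labels
    'verified', 'mismatch', 'no_ptr' or 'timeout'."""
    peer = ipaddress.ip_address(ip)
    try:
        names = ptr(ip)
        if not names:
            return ("no_ptr", None)
        for name in names:
            for addr in forward(name):
                # Compare parsed addresses, not strings, so equivalent
                # IPv6 spellings still match.
                if ipaddress.ip_address(addr) == peer:
                    return ("verified", name.rstrip(".").lower())
    except TimeoutError:
        # Assumption: a lookup that times out leaves the host unverified.
        return ("timeout", None)
    # A PTR record exists, but no name it returns resolves back to the peer.
    return ("mismatch", None)

# Constructed sample zone data (not from the guide). 192.0.2.66 has a PTR
# record claiming mail.example.com, but that name's A record does not list it.
PTR = {"192.0.2.10": ["mail.example.com."], "192.0.2.66": ["mail.example.com."]}
A = {"mail.example.com.": ["192.0.2.10"]}

def demo(ip):
    """Run the check against the constructed zone data, with no network I/O."""
    return double_dns_lookup(ip, ptr=lambda i: PTR.get(i, []),
                             forward=lambda n: A.get(n, []))
```

The second sample host shows why the forward step matters: whoever controls the reverse zone for an address can publish any PTR name, so the name is trusted only when its own forward record points back to the connecting address.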