Cisco Content Security Management Appliance M390 User Guide
14-37
AsyncOS 9.1 for Cisco Content Security Management Appliances User Guide
Chapter 14 Common Administrative Tasks
Changing Network Settings
server at that priority is 60 seconds. If you have two priorities, the timeout for each server at the first
priority is 15 seconds, and each server at the second priority is 45 seconds. For three priorities, the
timeouts are 5, 10, 45.
For example, suppose you configure four DNS servers, with two of them at priority 0, one at priority 1,
and one at priority 2:
AsyncOS randomly chooses between the two servers at priority 0. If one of the priority 0 servers is down,
the other is used. If both of the priority 0 servers are down, the priority 1 server (1.2.3.6) is used, and
then, finally, the priority 2 (1.2.3.7) server.
The timeout period is the same for both priority 0 servers, longer for the priority 1 server, and longer still
for the priority 2 server.
Using the Internet Root Servers
The AsyncOS DNS resolver is designed to accommodate the large number of simultaneous DNS
connections required for high-performance email delivery.
Note
If you choose to set the default DNS server to something other than the Internet root servers, that server
must be able to recursively resolve queries for domains for which it is not an authoritative server.
Reverse DNS Lookup Timeout
The Cisco Content Security appliance attempts to perform a “double DNS lookup” on all remote hosts
connecting to a listener for the purposes of sending or receiving email. That is, the system acquires and
verifies the validity of the remote host's IP address by performing a double DNS lookup. This consists
of a reverse DNS (PTR) lookup on the IP address of the connecting host, followed by a forward DNS
(A) lookup on the results of the PTR lookup. The system then checks that the results of the A lookup
match the results of the PTR lookup. If the results do not match, or if an A record does not exist, the
system uses only the IP address to match entries in the Host Access Table (HAT). This particular timeout
period applies only to this lookup and is not related to the general DNS timeout discussed in
.
The default value is 20 seconds. You can disable the reverse DNS lookup timeout globally across all
listeners by entering ‘0’ as the number of seconds. If the value is set to 0 seconds, the reverse DNS
lookup is not attempted, and instead the standard timeout response is returned immediately.
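The double DNS lookup described above, written out as an added example that is not code from the guide or from AsyncOS. The PTR and A records are constructed sample data, and the resolver functions are injected so the check runs offline; a timeout of 0 disables the reverse lookup, as the text states.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed sample zone data (hypothetical hosts, not real records).
SAMPLE_PTR = {
    "203.0.113.10": "mail.example.net",    # PTR and A agree -> verified
    "203.0.113.20": "spoof.example.org",   # A record points elsewhere -> mismatch
    "203.0.113.30": "noa.example.com",     # PTR name has no A record
}
SAMPLE_A = {
    "mail.example.net": ["203.0.113.10"],
    "spoof.example.org": ["198.51.100.5"],
}


@dataclass
class LookupResult:
    ip: str
    hostname: Optional[str]   # verified name, or None when only the IP is usable for HAT matching
    reason: str


def double_dns_lookup(ip: str,
                      ptr_lookup: Callable[[str], Optional[str]],
                      a_lookup: Callable[[str], List[str]],
                      timeout_seconds: int = 20) -> LookupResult:
    """Reverse (PTR) lookup on the connecting IP, then a forward (A) lookup on the
    PTR result; the name is trusted only when the A answers contain the original IP.
    Any failure falls back to matching the HAT by IP address only."""
    if timeout_seconds == 0:
        # Reverse lookup disabled globally: behave as if it timed out immediately.
        return LookupResult(ip, None, "reverse lookup disabled (timeout 0)")
    hostname = ptr_lookup(ip)
    if hostname is None:
        return LookupResult(ip, None, "no PTR record")
    addresses = a_lookup(hostname)
    if not addresses:
        return LookupResult(ip, None, "no A record for PTR name")
    if ip not in addresses:
        return LookupResult(ip, None, "A record does not match PTR")
    return LookupResult(ip, hostname, "verified")


def sample_lookup(ip: str, timeout_seconds: int = 20) -> LookupResult:
    """Run the check against the constructed sample records."""
    return double_dns_lookup(ip, SAMPLE_PTR.get,
                             lambda name: SAMPLE_A.get(name, []), timeout_seconds)


if __name__ == "__main__":
    for addr in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        print(addr, sample_lookup(addr))
```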
Table 14-3   Example of DNS Servers, Priorities, and Timeout Intervals

Priority   Server(s)          Timeout (Seconds)
0          1.2.3.4, 1.2.3.5   5, 5
1          1.2.3.6            10
2          1.2.3.7            45