Cisco Content Security Management Appliance M160 User Guide
AsyncOS 8.3 for Cisco Content Security Management User Guide
Chapter 14 Common Administrative Tasks
Changing Network Settings
Configuring Domain Name System Settings
You can configure the Domain Name System (DNS) settings for your content security appliance through
the Management Appliance > Network > DNS page in the GUI, or via the dnsconfig command.
You can configure the following settings:
• Whether to use the Internet’s DNS servers or your own, and which server(s) to use
• Which interface to use for DNS traffic
• The number of seconds to wait before timing out a reverse DNS lookup
• Clearing the DNS cache
Specifying DNS Servers
AsyncOS can use the Internet root DNS servers, your own DNS servers, or the Internet root DNS servers
and authoritative DNS servers that you specify. When using the Internet root servers, you may specify
alternate servers to use for specific domains. Because an alternate DNS server applies to a single domain,
it must be authoritative (provide definitive DNS records) for that domain.
AsyncOS supports “splitting” DNS servers when not using the Internet’s DNS servers. If you are using
your own internal server, you can also specify exception domains and associated DNS servers.
When setting up “split DNS,” you should set up the in-addr.arpa (PTR) entries as well. For example, if
you want to redirect “.eng” queries to the nameserver 1.2.3.4 and all the .eng entries are in the 172.16
network, then you should specify “eng,16.172.in-addr.arpa” as the domains in the split DNS
configuration.
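The reverse-zone naming from the example above, as an added Python sketch that is not part of the Cisco guide; it goes beyond the /16 case to networks that do not end on an octet boundary, which need one in-addr.arpa zone per octet-aligned block they cover. The function names are hypothetical, and joining several reverse zones with commas in one split DNS entry is an assumption extrapolated from the guide's two-item example.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that together cover an IPv4 network."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 172.16.5.0/16
    if net.version != 4:
        raise ValueError("in-addr.arpa covers IPv4 only")
    if net.prefixlen == 0:
        raise ValueError("0.0.0.0/0 has no single reverse zone to list")
    # Reverse zones are named per octet, so round the prefix up to 8, 16, 24 or 32
    # and enumerate every block of that size inside the network.
    aligned = -(-net.prefixlen // 8) * 8
    zones = []
    for block in net.subnets(new_prefix=aligned):
        octets = str(block.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def split_dns_domains(domain, cidr):
    """Build the comma-separated domain list for one split DNS entry.

    Assumption: the list format is the one shown in the guide's example
    ("eng,16.172.in-addr.arpa"), extended to more than one reverse zone.
    """
    forward = domain.strip().strip(".").lower()
    if not forward:
        raise ValueError("empty forward domain")
    return ",".join([forward] + reverse_zones(cidr))


if __name__ == "__main__":
    # The guide's own case: .eng hosts in the 172.16 network.
    print(split_dns_domains(".eng", "172.16.0.0/16"))
    # Constructed case: a /22 spans four /24 reverse zones.
    print(split_dns_domains(".eng", "10.20.16.0/22"))
```

A forward-only exception domain leaves PTR lookups for those hosts going to the default resolvers, so the reverse zones belong in the same entry as the forward domain.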
Multiple Entries and Priority
For each DNS server that you enter, you can specify a numeric priority. AsyncOS attempts to use the
DNS server with the priority closest to 0. If that DNS server is not responding, AsyncOS attempts to use
the server at the next priority. If you specify multiple entries for DNS servers with the same priority, the
system randomizes the list of DNS servers at that priority every time it performs a query. The system
then waits a short amount of time for the first query to expire or “time out” and then a slightly longer
amount of time for the second, and so on. The amount of time depends on the exact total number of DNS
servers and priorities that have been configured. The timeout length is the same for all IP addresses at
any particular priority. The first priority gets the shortest timeout; each subsequent priority gets a longer
timeout. Further, the timeout period is roughly 60 seconds. If you have one priority, the timeout for each
server at that priority is 60 seconds. If you have two priorities, the timeout for each server at the first
priority is 15 seconds, and each server at the second priority is 45 seconds. For three priorities, the
timeouts are 5, 10, 45.
For example, suppose you configure four DNS servers, with two of them at priority 0, one at priority 1,
and one at priority 2:
Table 14-3 Example of DNS Servers, Priorities, and Timeout Intervals

Priority   Server(s)          Timeout (Seconds)
0          1.2.3.4, 1.2.3.5   5, 5
1          1.2.3.6            10
2          1.2.3.7            45