Cisco Email Security Appliance C650 User Guide
31-51
Cisco AsyncOS 8.5 for Email User Guide
Chapter 31 System Administration
Changing Network Settings
AsyncOS will randomly choose between the two servers at priority 0. If one of the priority 0 servers is
down, the other will be used. If both of the priority 0 servers are down, the priority 1 server (1.2.3.6) is
used, and then, finally, the priority 2 (1.2.3.7) server.
The timeout period is the same for both priority 0 servers, longer for the priority 1 server, and longer still
for the priority 2 server.
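The failover order described above, written out as an added example rather than code from the guide or from AsyncOS: servers are grouped by priority, the choice within a tier is random, and a lower-priority tier is consulted only when every server in the higher tier fails. The priority 0 addresses (1.2.3.4 and 1.2.3.5), the timeout schedule in `timeout_for`, and the simulated `query` function are all assumptions made for the illustration; the guide only states that the timeout grows with priority.

```python
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DnsServer:
    ip: str
    priority: int


# Constructed server list following the guide's layout: two servers at priority 0,
# 1.2.3.6 at priority 1 and 1.2.3.7 at priority 2. The priority 0 addresses are assumed.
SERVERS = [
    DnsServer("1.2.3.4", 0),
    DnsServer("1.2.3.5", 0),
    DnsServer("1.2.3.6", 1),
    DnsServer("1.2.3.7", 2),
]


def timeout_for(priority: int, base_seconds: float = 2.0) -> float:
    """Assumed schedule: equal timeout within a tier, doubling for each lower-priority tier."""
    return base_seconds * (2 ** priority)


def resolve_with_failover(
    name: str,
    servers: List[DnsServer],
    query: Callable[[str, str, float], Optional[str]],
    rng: Optional[random.Random] = None,
) -> Tuple[Optional[str], Optional[str]]:
    """Try servers tier by tier; return (server_ip, answer) or (None, None) if all fail.

    query(server_ip, name, timeout) returns an answer, or None when the server is
    down or did not answer within the timeout.
    """
    rng = rng or random.Random()
    tiers: Dict[int, List[DnsServer]] = {}
    for server in servers:
        tiers.setdefault(server.priority, []).append(server)
    for priority in sorted(tiers):          # priority 0 first, then 1, then 2
        candidates = list(tiers[priority])
        rng.shuffle(candidates)             # random choice among servers of equal priority
        for server in candidates:
            answer = query(server.ip, name, timeout_for(priority))
            if answer is not None:
                return server.ip, answer
    return None, None


def make_query(reachable: set) -> Callable[[str, str, float], Optional[str]]:
    """Constructed stand-in for a real resolver: only servers in `reachable` answer."""
    def query(server_ip: str, name: str, timeout: float) -> Optional[str]:
        if server_ip not in reachable:
            return None                     # simulated outage / timeout
        return f"answer for {name} from {server_ip}"
    return query


if __name__ == "__main__":
    # Both priority 0 servers down: the priority 1 server answers.
    print(resolve_with_failover("example.com", SERVERS, make_query({"1.2.3.6", "1.2.3.7"})))
```

With both priority 0 servers unreachable the call returns the answer from 1.2.3.6; with only 1.2.3.7 reachable it falls through to the priority 2 server, each tier having waited out its own, longer, timeout first.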
Using the Internet Root Servers
The AsyncOS DNS resolver is designed to accommodate the large number of simultaneous DNS
connections required for high-performance email delivery.
Note
If you choose to set the default DNS server to something other than the Internet root servers, that server
must be able to recursively resolve queries for domains for which it is not an authoritative server.
Reverse DNS Lookup Timeout
The appliance attempts to perform a “double DNS lookup” on all remote hosts connecting to a listener
for the purposes of sending or receiving email. [That is: the system acquires and verifies the validity of
the remote host's IP address by performing a double DNS lookup. This consists of a reverse DNS (PTR)
lookup on the IP address of the connecting host, followed by a forward DNS (A) lookup on the results
of the PTR lookup. The system then checks that the results of the A lookup match the results of the PTR
lookup. If the results do not match, or if an A record does not exist, the system only uses the IP address
to match entries in the Host Access Table (HAT).] This particular timeout period applies only to this
lookup and is not related to the general DNS timeout discussed in
The default value is 20 seconds. You can disable the reverse DNS lookup timeout globally across all
listeners by entering ‘0’ as the number of seconds.
If the value is set to 0 seconds, the reverse DNS lookup is not attempted, and instead the standard timeout
response is returned immediately. This also prevents the appliance from delivering mail to domains that
require TLS-verified connections if the receiving host’s certificate has a common name (CN) that maps
to the host’s IP lookup.
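The double DNS lookup described in this section, as an added example (not the guide's or AsyncOS's own code): a PTR lookup on the connecting IP, a forward A lookup on the returned name, and a comparison of the two, with the verified hostname used for Host Access Table matching only when they agree. The DNS records, the `ptr_lookup`/`a_lookup` stand-ins, the HAT entries and the default policy are all constructed for the example; a timeout of 0 follows the guide's global disable and skips the reverse lookup entirely.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed DNS data for an offline example; none of these names or addresses
# come from the guide.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "mx1.example.net",    # PTR and A agree
    "192.0.2.20": "mx1.example.net",    # PTR claims a name whose A record points elsewhere
    "192.0.2.30": "ghost.example.net",  # PTR exists, but the name has no A record
}
A_RECORDS: Dict[str, List[str]] = {
    "mx1.example.net": ["192.0.2.10"],
}


def ptr_lookup(ip: str, timeout: float) -> Optional[str]:
    """Stand-in resolver: returns the PTR target or None.

    Raises TimeoutError for the constructed 203.0.113.0/24 range, which never answers.
    """
    if ip.startswith("203.0.113."):
        raise TimeoutError(f"PTR lookup for {ip} exceeded {timeout}s")
    return PTR_RECORDS.get(ip)


def a_lookup(hostname: str) -> List[str]:
    """Stand-in forward lookup: all A records for the name, or an empty list."""
    return A_RECORDS.get(hostname, [])


@dataclass
class HostIdentity:
    ip: str
    hostname: Optional[str]  # set only when the A lookup confirms the PTR result
    reason: str


def double_dns_lookup(
    ip: str,
    ptr: Callable[[str, float], Optional[str]],
    forward: Callable[[str], List[str]],
    timeout_seconds: float = 20.0,
) -> HostIdentity:
    """Reverse (PTR) then forward (A) lookup; the hostname is trusted only if both agree."""
    if timeout_seconds == 0:
        # The guide's global disable: no reverse lookup is attempted at all.
        return HostIdentity(ip, None, "reverse lookup disabled")
    try:
        hostname = ptr(ip, timeout_seconds)
    except TimeoutError:
        return HostIdentity(ip, None, "PTR lookup timed out")
    if not hostname:
        return HostIdentity(ip, None, "no PTR record")
    addresses = forward(hostname)
    if not addresses:
        return HostIdentity(ip, None, f"no A record for {hostname}")
    if ip not in addresses:
        return HostIdentity(ip, None, f"A record for {hostname} does not include {ip}")
    return HostIdentity(ip, hostname, "verified")


# Constructed HAT: entries keyed by full hostname, parent domain (leading dot) or IP.
HAT: Dict[str, str] = {
    "mx1.example.net": "RELAY",
    ".example.net": "ACCEPTED",
    "192.0.2.20": "THROTTLED",
}


def hat_lookup(identity: HostIdentity, hat: Dict[str, str], default: str = "ACCEPTED") -> str:
    """Match by verified hostname or its parent domains first; otherwise by IP only."""
    if identity.hostname:
        if identity.hostname in hat:
            return hat[identity.hostname]
        labels = identity.hostname.split(".")
        for i in range(1, len(labels)):
            parent = "." + ".".join(labels[i:])
            if parent in hat:
                return hat[parent]
    return hat.get(identity.ip, default)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "203.0.113.7"):
        identity = double_dns_lookup(ip, ptr_lookup, a_lookup)
        print(ip, identity.reason, "->", hat_lookup(identity, HAT))
```

The second host illustrates why the forward check matters: its PTR record names mx1.example.net, but the A record for that name does not contain 192.0.2.20, so the hostname is discarded and the connection is matched against the HAT by IP address only, landing on THROTTLED rather than the RELAY entry.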
DNS Alert
Occasionally, an alert may be generated with the message “Failed to bootstrap the DNS cache” when an
appliance is rebooted. The message means that the system was unable to contact its primary DNS
servers, which can happen at boot time if the DNS subsystem comes online before network connectivity
is established. If this message appears at other times, it could indicate network issues or that the DNS
configuration is not pointing to a valid server.
Clearing the DNS Cache
The Clear Cache button from the GUI, or the dnsflush command (for more information about the
dnsflush command, see the Cisco AsyncOS CLI Reference Guide), clears all information in the DNS
cache. You may choose to use this feature when changes have been made to your local DNS system. The
command takes place immediately and may cause a temporary performance degradation while the cache
is repopulated.