Cisco Content Security Management Appliance M160 User Guide
Chapter 11 Common Administrative Tasks
11-80
Cisco IronPort AsyncOS 7.2.0 for Security Management User Guide
OL-21768-01
Reverse DNS Lookup Timeout
The IronPort appliance attempts to perform a “double DNS lookup” on all remote
hosts connecting to a listener for the purposes of sending or receiving email. That
is, the system acquires and verifies the validity of the remote host's IP address by
performing a double DNS lookup. This consists of a reverse DNS (PTR) lookup
on the IP address of the connecting host, followed by a forward DNS (A) lookup
on the results of the PTR lookup. The system then checks that the results of the A
lookup match the results of the PTR lookup. If the results do not match, or if an
A record does not exist, the system uses only the IP address to match entries in
the Host Access Table (HAT). This particular timeout period applies only to this
lookup and is not related to the general DNS timeout discussed in
The default value is 20 seconds. You can disable the reverse DNS lookup timeout
globally across all listeners by entering ‘0’ as the number of seconds. If the value
is set to 0 seconds, the reverse DNS lookup is not attempted, and instead the
standard timeout response is returned immediately.
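The PTR-then-A verification described above, written out as an added example (not the appliance's own code). The resolver is a constructed in-memory stub with made-up names and addresses so it runs offline; a timeout of 0 skips the lookup as the text describes, while the actual wall-clock timeout enforcement is not modelled.

```python
"""Double DNS lookup (PTR then A) as used when matching HAT entries.

The zone data and stub resolver below are constructed for this example; a real
deployment would back resolve() with an actual DNS client.
"""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data: (name, record type) -> answers. Not real hosts.
CONSTRUCTED_ZONE: Dict[Tuple[str, str], List[str]] = {
    ("4.3.2.1.in-addr.arpa.", "PTR"): ["mail.example.net."],
    ("mail.example.net.", "A"): ["1.2.3.4", "1.2.3.5"],
    ("8.7.6.5.in-addr.arpa.", "PTR"): ["spoofed.example.org."],
    ("spoofed.example.org.", "A"): ["9.9.9.9"],  # forward does not point back
    ("12.11.10.9.in-addr.arpa.", "PTR"): ["noforward.example.org."],
    # noforward.example.org. has no A record at all
}

def stub_resolver(name: str, rtype: str) -> List[str]:
    """Stand-in for a DNS client: returns answers, or [] when no record exists."""
    return CONSTRUCTED_ZONE.get((name, rtype), [])

def reverse_name(ip: str) -> str:
    """Build the in-addr.arpa name used for the PTR lookup of an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def double_dns_lookup(ip: str, resolve: Callable[[str, str], List[str]],
                      timeout_seconds: int = 20) -> Optional[str]:
    """Return the verified hostname for ip, or None when only the IP can be used.

    None means HAT matching falls back to the bare IP address: the PTR is
    missing, the forward A lookup returns nothing, the A answers do not include
    the connecting IP, or the lookup is disabled (timeout set to 0).
    """
    if timeout_seconds == 0:
        return None  # lookup disabled globally: not attempted at all
    for hostname in resolve(reverse_name(ip), "PTR"):
        forward = resolve(hostname, "A")
        if ip in forward:  # A results must contain the connecting IP
            return hostname.rstrip(".")
    return None

if __name__ == "__main__":
    for ip in ("1.2.3.4", "5.6.7.8", "9.10.11.12", "10.0.0.1"):
        print(ip, "->", double_dns_lookup(ip, stub_resolver) or "IP only")
```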
DNS Alert
Occasionally, an alert may be generated with the message “Failed to bootstrap the
DNS cache” when an appliance is rebooted. The message means that the system
was unable to contact its primary DNS servers, which can happen at boot time if
the DNS subsystem comes online before network connectivity is established. If
this message appears at other times, it could indicate network issues or that the
DNS configuration is not pointing to a valid server.
Clearing the DNS Cache
The Clear Cache button from the GUI, or the dnsflush command (for more
information about the dnsflush command, see the Cisco IronPort AsyncOS CLI
Reference Guide), clears all information in the DNS cache. You may choose to use
this feature when changes have been made to your local DNS system. The
command takes place immediately and may cause a temporary performance
degradation while the cache is repopulated.