User Guide for Cisco Content Security Management Appliance M160
14-39
AsyncOS 8.1 for Cisco Content Security Management User Guide
Chapter 14 Common Administrative Tasks
Note
If you choose to set the default DNS server to something other than the Internet root servers, that server
must be able to recursively resolve queries for domains for which it is not an authoritative server.
Reverse DNS Lookup Timeout
The Cisco Content Security appliance attempts to perform a “double DNS lookup” on all remote hosts
connecting to a listener for the purposes of sending or receiving email. That is, the system acquires and
verifies the validity of the remote host's IP address by performing a double DNS lookup. This consists
of a reverse DNS (PTR) lookup on the IP address of the connecting host, followed by a forward DNS
(A) lookup on the results of the PTR lookup. The system then checks that the results of the A lookup
match the results of the PTR lookup. If the results do not match, or if an A record does not exist, the
system uses only the IP address to match entries in the Host Access Table (HAT). This particular timeout
period applies only to this lookup and is not related to the general DNS timeout discussed in
The default value is 20 seconds. You can disable the reverse DNS lookup timeout globally across all
listeners by entering ‘0’ as the number of seconds. If the value is set to 0 seconds, the reverse DNS
lookup is not attempted, and instead the standard timeout response is returned immediately.
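The double DNS lookup described above (PTR lookup on the connecting IP, A lookup on the resulting name, then a comparison) and the effect of a reverse DNS lookup timeout of 0 can be shown in a few lines of Python. This is an added illustration, not AsyncOS code: the resolver functions, the sample zone data, the names and the addresses are all constructed for the example, and the `timeout_seconds` argument only models the documented "0 disables the lookup" behaviour (the actual wait is governed by whatever resolver you plug in).

```python
"""Forward-confirmed reverse DNS ("double DNS lookup") check.

Added example, not part of the AsyncOS product. Resolver interface,
sample zone and addresses below are constructed (hypothetical).
"""
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class LookupResult:
    ip: str
    ptr_name: Optional[str]            # hostname from the PTR lookup, None if absent
    forward_ips: List[str] = field(default_factory=list)  # A records for ptr_name
    verified: bool = False             # True only when an A record equals ip
    reason: str = ""


# Constructed sample zone (hypothetical names, TEST-NET addresses).
SAMPLE_PTR = {
    "192.0.2.10": "mail.example.net",   # PTR and A agree
    "192.0.2.20": "mx.example.org",     # PTR exists, A points elsewhere
    "192.0.2.30": "ghost.example.com",  # PTR exists, no A record at all
    # 192.0.2.40 has no PTR record
}
SAMPLE_A = {
    "mail.example.net": ["192.0.2.10", "192.0.2.11"],
    "mx.example.org": ["198.51.100.5"],
}


def sample_ptr(ip: str) -> Optional[str]:
    """Offline stand-in for a PTR (reverse) lookup."""
    return SAMPLE_PTR.get(ip)


def sample_a(name: str) -> List[str]:
    """Offline stand-in for an A (forward) lookup."""
    return SAMPLE_A.get(name, [])


def system_ptr(ip: str) -> Optional[str]:
    """PTR lookup through the OS resolver (drop-in replacement for sample_ptr)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def system_a(name: str) -> List[str]:
    """IPv4 A lookup through the OS resolver (drop-in replacement for sample_a)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def double_dns_lookup(
    ip: str,
    ptr_lookup: Callable[[str], Optional[str]] = sample_ptr,
    a_lookup: Callable[[str], List[str]] = sample_a,
    timeout_seconds: int = 20,
) -> LookupResult:
    """Verify a connecting host the way the guide describes.

    A verified result means the PTR name resolves (forward) back to the
    connecting IP. Any other outcome leaves the host identified by IP only.
    """
    if timeout_seconds == 0:
        # Guide: a value of 0 means the reverse lookup is not attempted at all.
        return LookupResult(ip, None, reason="reverse lookup disabled (timeout 0)")
    name = ptr_lookup(ip)
    if name is None:
        return LookupResult(ip, None, reason="no PTR record; match HAT by IP only")
    ips = a_lookup(name)
    if not ips:
        return LookupResult(ip, name, reason="PTR name has no A record; match HAT by IP only")
    if ip in ips:
        return LookupResult(ip, name, ips, True, "PTR and A lookups agree")
    return LookupResult(ip, name, ips, False, "A records do not include the connecting IP; match HAT by IP only")


def hat_match_keys(result: LookupResult) -> List[str]:
    """Keys a Host Access Table lookup may use: the hostname only when verified."""
    return [result.ip, result.ptr_name] if result.verified else [result.ip]


if __name__ == "__main__":
    for addr in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.40"):
        r = double_dns_lookup(addr)
        print(addr, r.verified, r.reason, hat_match_keys(r))
```

Run as-is, the script exercises the four cases from the sample zone (agreeing records, mismatching A record, missing A record, missing PTR). Passing `system_ptr` and `system_a` instead of the sample functions runs the same check against the operating system's resolver.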
DNS Alert
Occasionally, an alert may be generated with the message “Failed to bootstrap the DNS cache” when an
appliance is rebooted. The message means that the system was unable to contact its primary DNS
servers, which can happen at boot time if the DNS subsystem comes online before network connectivity
is established. If this message appears at other times, it could indicate network issues or that the DNS
configuration is not pointing to a valid server.
Clearing the DNS Cache
The Clear Cache button in the GUI, or the dnsflush command (for more information about the
dnsflush command, see the Cisco IronPort AsyncOS CLI Reference Guide), clears all information in the
DNS cache. You may choose to use this feature when changes have been made to your local DNS system.
The command takes place immediately and may cause a temporary performance degradation while the
cache is repopulated.
Configuring DNS Settings via the Graphical User Interface
Procedure
Step 1
On the Management Appliance > Network > DNS page, click the Edit Settings button.
Step 2
Select whether to use the Internet’s root DNS servers or your own internal DNS server(s), and specify
authoritative DNS servers.
Step 3
If you want to use your own DNS server(s) or specify authoritative DNS servers, enter the server ID and
click Add Row. Repeat this for each server. When entering your own DNS servers, specify a priority as
well. For more information, see .
Step 4
Choose an interface for DNS traffic.
Step 5
Enter the number of seconds to wait before canceling a reverse DNS lookup.