User Guide for Cisco Email Security Appliance C170

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 15      System Administration
Configuring Domain Name System (DNS) Settings
You can configure the DNS settings for your Cisco IronPort appliance through the DNS page on the 
Network menu of the GUI, or via the dnsconfig command. 
You can configure the following settings:
  • whether to use the Internet’s DNS servers or your own, and which specific server(s) to use
  • which interface to use for DNS traffic
  • the number of seconds to wait before timing out a reverse DNS lookup
  • clear DNS cache
Specifying DNS Servers
Cisco IronPort AsyncOS can use the Internet root DNS servers, your own DNS servers, or the Internet 
root DNS servers and authoritative DNS servers you specify. When using the Internet root servers, you 
may specify alternate servers to use for specific domains. Since an alternate DNS server applies to a 
single domain, it must be authoritative (provide definitive DNS records) for that domain.
AsyncOS supports “splitting” DNS servers when not using the Internet’s DNS servers. If you are using 
your own internal server, you can also specify exception domains and associated DNS servers.
When setting up “split DNS,” you should set up the in-addr.arpa (PTR) entries as well. So, for example, 
if you want to redirect “.eng” queries to the nameserver 1.2.3.4 and all the .eng entries are in the 172.16 
network, then you should specify “eng,16.172.in-addr.arpa” as the domains in the split DNS 
configuration.
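
The helper below is an added example, not part of the Cisco guide or of AsyncOS: it derives the split DNS domain list (forward domain plus matching in-addr.arpa zones) for a given network. It goes beyond the /16 case in the text by also handling prefixes that do not end on an octet boundary; the function names and the second sample network are assumptions made for illustration.

```python
import ipaddress


def reverse_zones(cidr):
    """Return the in-addr.arpa zone names that cover an IPv4 network."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects stray host bits
    if net.version != 4:
        raise ValueError("in-addr.arpa applies to IPv4 networks only")
    if net.prefixlen > 24:
        # Assumption: no classless (RFC 2317) delegation, so a network smaller
        # than a /24 is served from the /24 zone that contains it.
        net = net.supernet(new_prefix=24)
    # in-addr.arpa labels are whole octets: round the prefix up to /8, /16 or
    # /24 and list every aligned block inside the network (a /20 -> 16 x /24).
    aligned = max(8, -(-net.prefixlen // 8) * 8)
    zones = []
    for block in net.subnets(new_prefix=aligned):
        octets = str(block.network_address).split(".")[: aligned // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def split_dns_domains(forward_domain, cidr):
    """Build the comma-separated domain list for one alternate DNS server."""
    forward = forward_domain.strip().strip(".").lower()
    if not forward:
        raise ValueError("forward domain is empty")
    return ",".join([forward] + reverse_zones(cidr))


if __name__ == "__main__":
    # Constructed inputs; the first is the example from the text above.
    for domain, cidr in [(".eng", "172.16.0.0/16"), ("lab", "10.1.16.0/20")]:
        print(cidr, "->", split_dns_domains(domain, cidr))
```

A network written with host bits set (for example 172.16.1.0/16) raises ValueError, which catches a mistyped range before it produces a reverse zone that does not match the forward entries.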
Multiple Entries and Priority
For each DNS server you enter, you can specify a numeric priority. AsyncOS will attempt to use the DNS 
server with the priority closest to 0. If that DNS server is not responding, AsyncOS will attempt to use 
the server at the next priority. If you specify multiple entries for DNS servers with the same priority, the 
system randomizes the list of DNS servers at that priority every time it performs a query. The system 
then waits a short amount of time for the first query to expire or “time out” and then a slightly longer 
amount of time for the second, and so on. The amount of time depends on the exact total number of DNS 
servers and priorities that have been configured. The timeout length is the same for all IP addresses at any 
particular priority. The first priority gets the shortest timeout; each subsequent priority gets a longer 
timeout. Further, the timeout period is roughly 60 seconds. If you have one priority, the timeout for each 
server at that priority will be 60 seconds. If you have two priorities, the timeout for each server at the 
first priority will be 15 seconds, and each server at the second priority will be 45 seconds. For three 
priorities, the timeouts are 5, 10, and 45 seconds. 
For example, suppose you configure four DNS servers, with two of them at priority 0, one at priority 1, 
and one at priority 2:
Table 15-12  Example of DNS Servers, Priorities, and Timeout Intervals

Priority  Server(s)         Timeout (seconds)
0         1.2.3.4, 1.2.3.5  5, 5
1         1.2.3.6           10
2         1.2.3.7           45