
CLI:Example for Configuring the Device as a DNS Proxy

Networking Requirements

As shown in Figure 1, the enterprise network has many branch LANs. A DNS server and an FTP server are deployed at the headquarters, so that users at the branches can access the headquarters FTP server by domain name. However, when the IP address of the DNS server changes, all the DNS clients in the LANs are affected, which makes network maintenance difficult. The FW can be deployed on the link over which the branch LANs and the headquarters communicate, and configured to function as a DNS proxy that forwards request and response packets between the hosts in the branch LANs and the DNS server at the headquarters. In this way, when the IP address of the DNS server changes, only the configuration on the FW needs to be changed, and the users in the LANs are not affected.

Figure 1 Networking diagram of configuring the FW as a DNS Proxy

Configuration Roadmap

Enable the DNS proxy function on the FW so that the FW forwards DNS packets between the DNS server and the DNS clients.

After the DNS proxy function is enabled on the FW, the FW acts as the DNS server for Host_A and Host_B. On both hosts, the DNS server address must be set to the IP address of the FW. On the FW, the DNS server address must be set to the IP address of the headquarters DNS server, 2.2.2.2. In this way, when the IP address of the DNS server changes, only the configuration on the FW needs to be changed, and internal users are unaware of the change.

Procedure

  1. Configure IP addresses for the interfaces on the FW and assign the interfaces to security zones.

    # Configure the IP address of GigabitEthernet 0/0/1 and assign it to the untrust zone.

    <sysname> system-view
    [sysname] sysname FW
    [FW] interface GigabitEthernet 0/0/1
    [FW-GigabitEthernet0/0/1] ip address 1.1.1.1 24
    [FW-GigabitEthernet0/0/1] quit
    [FW] firewall zone untrust
    [FW-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW-zone-untrust] quit

  2. Configure a security policy to allow DNS packets to pass through the FW.

    Assume that the enterprise branch is on the intranet, in the trust zone. policy1 allows DNS request packets from intranet users to reach the FW (the local zone). policy2 allows the DNS request packets proxied by the FW to be sent to the DNS server in the untrust zone.

    [FW] security-policy
    [FW-policy-security] rule name policy1
    [FW-policy-security-rule-policy1] source-zone trust
    [FW-policy-security-rule-policy1] destination-zone local
    [FW-policy-security-rule-policy1] action permit
    [FW-policy-security-rule-policy1] quit
    [FW-policy-security] rule name policy2
    [FW-policy-security-rule-policy2] source-zone local
    [FW-policy-security-rule-policy2] destination-zone untrust
    [FW-policy-security-rule-policy2] action permit
    [FW-policy-security-rule-policy2] quit
    [FW-policy-security] quit

  3. Configure the DNS proxy function on the FW.

    [FW] dns proxy enable
    [FW] dns resolve
    [FW] dns server 2.2.2.2

  4. Configure a default route to the DNS server on the FW.

    Assume that the next-hop address of the FW to the DNS Server is 1.1.1.2/24.

    [FW] ip route-static 0.0.0.0 0.0.0.0 1.1.1.2

  5. On the hosts in the branch intranet (Host_A is used as an example), set the DNS server address to 1.1.1.1.
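To check that a saved configuration actually contains every prerequisite from the steps above, the following added Python script (written for this page, not Huawei's code) parses a configuration in the layout shown under Configuration Script and reports what is missing. It also flags, as an assumption about hardening the page does not cover, that policy1 and policy2 carry no service match and therefore permit all traffic between their zones, not only DNS.

```python
# Constructed sample: the DNS-related blocks of this page's Configuration Script.
SAMPLE_CONFIG = """\
 dns resolve
 dns server 2.2.2.2
 dns proxy enable
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone local
  action permit
 rule name policy2
  source-zone local
  destination-zone untrust
  action permit
"""

def parse_rules(config):
    """Return {rule_name: {keyword: value}} for every security-policy rule."""
    rules, current = {}, None
    for line in config.splitlines():
        stripped = line.strip()
        if stripped.startswith("rule name "):
            current = rules.setdefault(stripped.split()[2], {})
        elif current is not None and line.startswith("  "):
            key, _, value = stripped.partition(" ")
            current[key] = value
        elif not line.startswith(" "):
            current = None  # a column-0 line ends the security-policy block
    return rules

def audit_dns_proxy(config):
    """Return findings; an empty list means the DNS proxy prerequisites are met."""
    findings = []
    lines = {l.strip() for l in config.splitlines()}
    for required in ("dns proxy enable", "dns resolve"):
        if required not in lines:
            findings.append(f"missing: {required}")
    if not any(l.startswith("dns server ") for l in lines):
        findings.append("no dns server configured")
    rules = parse_rules(config)
    for src, dst in [("trust", "local"), ("local", "untrust")]:
        if not any(r.get("source-zone") == src and r.get("destination-zone") == dst
                   and r.get("action") == "permit" for r in rules.values()):
            findings.append(f"no permit rule {src}->{dst}")
    # Hardening check (assumption): a permit rule with no service match allows all traffic.
    for name, r in rules.items():
        if r.get("action") == "permit" and "service" not in r:
            findings.append(f"{name} permits all services, not only DNS")
    return findings
```

Running audit_dns_proxy(SAMPLE_CONFIG) on the page's own script returns only the two service-scope findings, so the proxy prerequisites themselves are all present.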

Configuration Verification

# Run the display current-configuration command on the FW to view the DNS proxy configuration. Only the DNS-related configuration is shown below.

<FW> display current-configuration
  ------------------------------------------------------------------------------
#
 dns resolve
 dns server 2.2.2.2
 dns proxy enable
  ------------------------------------------------------------------------------

Configuration Script

#
 dns resolve
 dns server 2.2.2.2
 dns proxy enable
#
interface GigabitEthernet0/0/1
 undo shutdown
 ip address 1.1.1.1 255.255.255.0
#
firewall zone untrust
 set priority 85
 add interface GigabitEthernet0/0/1
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.2
#
security-policy
 rule name policy1
  source-zone trust
  destination-zone local
  action permit
 rule name policy2
  source-zone local
  destination-zone untrust
  action permit
#
return
Copyright © Huawei Technologies Co., Ltd.