114
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable DNS proxy.
dns proxy enable
By default, DNS proxy is disabled.
3. Enable DNS spoofing and
specify the IP address
used to spoof DNS
requests.
• Specify an IPv4 address:
dns spoofing ip-address
[ vpn-instance
vpn-instance-name ]
• Specify an IPv6 address:
ipv6 dns spoofing
ipv6-address [ vpn-instance
vpn-instance-name ]
By default, DNS spoofing is
disabled.
You can specify both an IPv4
address and an IPv6 address.
As a best practice, specify a
private IP address on the device.
4. Configure the device to
track the network mode of
an output interface.
dns spoofing track controller
interface-type interface-number
By default, the device does not
track the network mode of an
output interface.
Specifying the source interface for DNS packets
This task enables the device to always use the primary IP address of the specified source interface
as the source IP address of outgoing DNS packets. This feature applies to scenarios in which the
DNS server responds only to DNS requests sourced from a specific IP address. If no IP address is
configured on the source interface, no DNS packets can be sent out.
When sending an IPv6 DNS request, the device follows the method defined in RFC 3484 to select an
IPv6 address of the source interface.
You can configure only one source interface on the public network or a VPN instance. You can
configure the source interface for both public network and VPN instances.
To specify the source interface for DNS packets:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Specify the source
interface for DNS
packets.
dns source-interface
interface-type
interface-number [
vpn-instance
vpn-instance-name ]
By default, no source interface for
DNS packets is specified.
If you execute the command
multiple times, the most recent
configuration takes effect.
If you specify the
vpn-instance
vpn-instance-name option, make
sure the source interface is on the
specified VPN.
Configuring the DNS trusted interface
This task enables the device to use only the DNS suffix and domain name server information
obtained through the trusted interface. The device can then obtain the correct resolved IP address.
This feature protects the device against attackers that act as the DHCP server to assign incorrect
DNS suffix and domain name server address.
To configure the DNS trusted interface:
To Next Page
Loading...
Need help?
General
