HA Proxy DNS Intercept


This chapter describes the system’s support for the HA Proxy DNS Intercept feature and explains how it is configured. The product Administration Guides provide examples and procedures for configuration of basic services on the system. It is recommended that you select the configuration example that best meets your service model, and configure the required elements for that model, as described in the respective product Administration Guide, before using the procedures in this chapter.
Important: HA Proxy DNS Intercept is a license-enabled feature.
 
Overview
An inherent problem in many mobile IP scenarios is the placement of the foreign network’s Domain Name Server (DNS) behind a firewall. When a mobile user roams into a foreign network and the DNS address is returned to the home network, the home network does not have access to the foreign network’s DNS. A common solution is to implement IS-835D, but the majority of legacy mobile handsets and most current handsets do not support this standard.
To address this, a proxy DNS intercept feature is available for the Home Agent (HA). When configured, this feature looks for DNS packets and compares the DNS IP address in the destination address field against a configured rules list. If the destination address matches an address on a “pass through” rules list, the packets are allowed to continue without modification. If the destination address is on a “redirect” rules list, the packets are intercepted and the visited network’s DNS IP address is replaced with the home network’s DNS IP address while the call is accessing the home network. When the DNS response is returned to the mobile node, the HA removes the home network’s DNS address and restores the original visited network’s address, so the mobile node is not aware that a modification has occurred. The flow in the following figure provides an example of what happens when a visited network’s DNS address is intercepted by the HA.
 
Figure: HA Proxy DNS Intercept Flow
 
Configuring Proxy DNS Intercept
To configure the Proxy DNS Intercept feature:
Step 1
Enable the Proxy DNS Intercept feature in the subscriber destination context, as described in Enabling Proxy DNS Intercept in the Destination Context.
Step 2
Create the Proxy DNS Intercept rules list, as described in Creating the Proxy DNS Intercept Rules List.
Step 3
Associate the rules list with a subscriber, as described in Associating a Proxy DNS Intercept Rules List With a Subscriber.
Step 4
Save your configuration as described in the Saving Your Configuration chapter.
Important: Commands used in the configuration examples in this section provide base functionality to the extent that the most common or likely commands and/or keyword options are presented. In many cases, other optional commands and/or keyword options are available. Refer to the Command Line Interface Reference for complete information regarding all commands.
 
Enabling Proxy DNS Intercept in the Destination Context
Use the following example to enable the Proxy DNS Intercept feature in the subscriber destination context:
 
configure
  context <context_name>
     ip dns-proxy source-address <ip_address>
     end
Notes:
The ip dns-proxy source-address <ip_address> command must be entered in the destination context for the subscriber. If there are multiple destination contexts for different subscribers, the command must be entered in each context. This feature uses UDP port 53.
<ip_address> must be the interface in the current context where all redirected DNS requests will be sent.
 
Creating the Proxy DNS Intercept Rules List
Use the following example to create the list of rules in the AAA context, which is used to specify how an intercepted DNS packet is to be processed:
 
configure
  context <context_name>
     proxy-dns intercept-list <name>
        pass-thru <ip_address> [ /<ip_mask> ]
        redirect <ip_address> [ /<ip_mask> ]
        end
Notes:
<name> must be the name of the rules list for later association with a subscriber.
Use the pass-thru command to set the DNS IP addresses that should be allowed through the intercept feature.
Use the redirect command to set the DNS IP addresses that should be redirected by the intercept feature to the home DNS. Use the optional primary-dns and secondary-dns keywords to specify the IP addresses of primary and secondary home DNS servers. Refer to the Command Line Interface Reference for more information regarding these optional keywords.
Important: If a packet does not match the pass-thru or redirect rule, the packet is dropped. If the optional keywords primary-dns or secondary-dns are not configured, DNS messages are redirected to the primary-dns-server (or the secondary-dns-server) configured for the subscriber OR inside the context.
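The intercept and restore flow described in the Overview, together with the match/drop rule in the note above, modelled in Python as an added example. This is not Cisco StarOS code; the packet dictionaries, the InterceptList and ProxyDnsIntercept names, and all IP addresses are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

DNS_PORT = 53  # the feature only examines UDP port 53 traffic


@dataclass
class InterceptList:
    """Model of a 'proxy-dns intercept-list': pass-thru and redirect prefixes."""
    pass_thru: list = field(default_factory=list)
    redirect: list = field(default_factory=list)

    def classify(self, dst_ip):
        dst = ip_address(dst_ip)
        if any(dst in ip_network(p, strict=False) for p in self.pass_thru):
            return "pass-thru"
        if any(dst in ip_network(p, strict=False) for p in self.redirect):
            return "redirect"
        return "drop"  # no matching pass-thru or redirect rule: packet is dropped


class ProxyDnsIntercept:
    """Hypothetical model of the HA's intercept and restore behaviour."""

    def __init__(self, rules, home_dns):
        self.rules = rules
        self.home_dns = home_dns
        # (mobile IP, mobile port, DNS txid) -> original visited-network DNS address
        self.pending = {}

    def outbound(self, pkt):
        """Mobile node -> network. Returns the forwarded packet, or None if dropped."""
        if pkt["proto"] != "udp" or pkt["dst_port"] != DNS_PORT:
            return pkt  # not a DNS query: passed untouched
        action = self.rules.classify(pkt["dst_ip"])
        if action == "pass-thru":
            return pkt
        if action == "drop":
            return None
        key = (pkt["src_ip"], pkt["src_port"], pkt["txid"])
        self.pending[key] = pkt["dst_ip"]          # remember the visited DNS
        return {**pkt, "dst_ip": self.home_dns}    # redirect to the home DNS

    def inbound(self, pkt):
        """DNS response -> mobile node. Restores the visited DNS address as source."""
        key = (pkt["dst_ip"], pkt["dst_port"], pkt["txid"])
        if key not in self.pending or pkt["src_ip"] != self.home_dns:
            return pkt  # not a redirected query, or not from the home DNS
        return {**pkt, "src_ip": self.pending.pop(key)}
```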
 
Associating a Proxy DNS Intercept Rules List With a Subscriber
Use the following example to associate a system-configured subscriber with a configured Proxy DNS rules list.
 
configure
  context <context_name>
     subscriber name <user_name>
        proxy-dns intercept list-name <name>
        end
 

Cisco Systems Inc.