The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter explains how to set the Caching DNS parameter for the advanced features of the server. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS.
You can specify a domain for which forwarding should occur. The forwarder definition is by a list of names of servers or a list of IP addresses with an optional port number, or both.
Note | You can specify IPv4 and/or IPv6 addresses and for the changes to take effect, you must reload the CDNS server. |
Tip | To force a caching DNS server to only talk to a forwarder, define a forwarder for the DNS root (.). |
To define a forwarder:
Use the following cdns commands to:
Note | For any change to the forwarders to take effect, you should restart the CDNS server. |
If you do not want the CDNS server to use the standard resolution method to query the nameserver for certain domains, use exceptions. This bypasses the root nameservers and targets a specific server (or list of servers) to handle name resolution.
Let us say that example.com has four subsidiaries: Red, Blue, Yellow, and Green. Each has its own domain under the .com domain. When users at Red want to access resources at Blue, their CDNS server follows delegations starting at the root nameservers.
These queries cause unnecessary traffic, and in some cases fail because internal resources are often barred from external queries or sites that use unreachable private networks without unique addresses.
Exceptions solve this problem. The Red administrator can list all the other example.com domains that users might want to reach and at least one corresponding nameserver. When a Red user wants to reach a Blue server, the Red server queries the Blue server instead following delegations from the root servers down.
To enable resolution exceptions, simply create an exception for the domain listing the IP address(es) and/or hostname(s) of the authoritative nameserver(s).
Note | Exceptions can contain both IPv4 and/or IPv6 addresses and require a CDNS server reload to take effect. |
To delete an exception list, select the exception in the Exceptions pane and click the Delete icon. To add or remove name servers to an exception, click the name of the exception in the List/Add Exceptions page to open the Edit Exceptions page.
Use the exception commands only if you do not want your DNS Caching server to use the standard name resolution for querying root name servers for names outside the domain. IP Express sends non-recursive queries to these servers.
Use the following cdns commands to:
For any change to resolution exceptions to take effect, you must restart the CDNS server.
DNS64 with NAT64 provides access to the IPv4 Internet and servers for hosts that have only IPv6 addresses. DNS64 synthesizes AAAA records from A records, when a IPv6 client queries for AAAA records, but none are found. It also handles reverse queries for the NAT64 prefix(es).
In Cisco Prime IP Express 8.3 and later, you can define multiple prefixes for synthesizing AAAA record.
To add, edit, or view the DNS64 configuration items:
To create DNS64 in the Caching DNS server, use cdns64 create [acl-match-clients=<ACL> prefix=<IPv6 prefix>]. (see the cdns64 command in the CLIGuide.html file in the /docs directory for syntax and attribute descriptions).
DNSSEC enables the server to determine the security status of all Resource Records that are retrieved. You can manage DNSSEC only in the Advanced mode. The dnssec attribute enables validation of DNS information. The domain-insecure attribute defines domain names to be insecure, DNSSEC chain of trust is ignored towards the domain names. So, a trust anchor above the domain name can not make the domain secure with a DS record, such a DS record is then ignored. DNSSEC requires a root trust anchor to establish trust for the DNS root servers. The initial DNSSEC root trust anchor, root.anchor, is stored in the .../data/cdns directory and is the default value of the auto-trust-anchor-file attribute. Additional trust anchors may be added by adding them to the .../data/cdns directory and to the auto-trust-anchor-file if the zone supports automated updates according to RFC 5011 or the trust-anchor-file attribute if not. The cdnssec command controls and configures DNSSEC processing in the Cisco Prime IP Express DNS Caching server.
To set the size of the aggressive negative cache in bytes, use the neg-cache-size attribute on the Manage DNS Caching Server page.
The key-cache-size attribute sets the size of the key cache in bytes. The prefetch-key attribute sets whether the DNS caching server should fetch the DNSKEYs earlier in the validation process, when a DS record is encountered.
In Cisco Prime IP Express 8.3 and later, both the Caching DNS and Authoritative DNS servers can run on the same operating system, without the need for two separate virtual or physical machines. For more information on DNS firewall, see Setting up Caching DNS and Authoritative DNS Server on Same Operating System.
DNS Firewall provide a mechanism control the domain names, IP addresses, and name servers that are allowed to function on the network. For more information on DNS firewall, see Managing DNS Firewall.