Using Forwarders
You can specify a domain for which forwarding should occur. The forwarder definition is a list of IP addresses with an optional port number, a list of server names, or both. Typically, forwarders are other DNS caching servers that have access to the Internet or to external DNS resources.
Note: We highly recommend using IP addresses rather than hostnames.
When forwarders are used, the Caching DNS server forwards user queries matching the forwarding domain to another Caching DNS server to perform the resolution. This can be useful in situations where the local Caching DNS server does not have Internet access (that is, it is inside a firewall). In these situations, it is typical to configure exceptions for local zones and then create a root (.) forwarder for all external queries. The forwarder name corresponds to the domain you want to have forwarded. For example, to forward example.com queries, name your forwarder example.com.
Note: You can specify IPv4 and/or IPv6 addresses. For the changes to take effect, you must reload the Caching DNS server.
Tip: To force the Caching DNS server to forward all queries to one or more DNS forwarders, use the DNS root (.) as the forwarder name.
Note: By default, Caching DNS does not allow access to the AS112 and RFC 1918 reverse zones. These are the reverse zones for IP address ranges that are reserved for local use only. To access these zones, define an exception or forwarder for the reverse zones that are defined locally.
In Cisco Prime Network Registrar, you can enable TLS at the individual forwarder object level. To do this, enable the tls attribute by selecting the enabled option. If you enable TLS, you should also configure a tls-cert-bundle to load the CA certificates; otherwise, the connections cannot be authenticated. To add the forwarder's public key to the Certificate Authority bundle, copy the public.pem of the forwarder server to the Caching DNS server, and update the same in tls-upstream-cert-bundle using the following commands:
scp -r public.pem @client-ip:/etc/pki/ca-trust/source/anchors/
# update-ca-trust
The tls-auth-name attribute specifies the authentication name for the forwarder server. If TLS is enabled, the Caching DNS server verifies that the certificate presented by the forwarder server carries that name.
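As an added illustration (not part of the Cisco documentation or of the product's code), the following Python script performs from the Caching DNS host the same kind of check the server applies to a TLS forwarder: it opens a DNS-over-TLS connection on port 853, verifies the forwarder's certificate against a CA bundle and against the configured auth name, and sends one query. The forwarder address, auth name and CA bundle path are assumed placeholder values.

```python
import socket
import ssl
import struct

# Assumed placeholder values (not from the product documentation).
FORWARDER_ADDR = "192.0.2.53"      # TEST-NET-1 address, stands in for a real forwarder
TLS_AUTH_NAME = "dot.example.net"  # the name set as tls-auth-name on the forwarder object
CA_BUNDLE = "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem"  # assumed CA bundle path

def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal DNS query in wire format (A record by default, RD set)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def parse_rcode(response, expected_txid=0x1234):
    """Return (txid matches, RCODE) from a DNS response header."""
    txid, flags = struct.unpack("!HH", response[:4])
    return txid == expected_txid, flags & 0x000F

def recv_exact(sock, n):
    """Read exactly n bytes from the socket, or raise on a short read."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("forwarder closed the connection early")
        buf += chunk
    return buf

def check_forwarder(addr, auth_name, ca_bundle, qname="example.com.", port=853, timeout=5):
    """Connect to the forwarder over TLS, enforce chain and name validation the way
    tls-cert-bundle and tls-auth-name do, and return a small result dict."""
    try:
        ctx = ssl.create_default_context(cafile=ca_bundle)  # raises if the bundle is missing
        ctx.check_hostname = True          # the name check is what tls-auth-name provides
        ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=auth_name) as tls:
                query = build_query(qname)
                tls.sendall(struct.pack("!H", len(query)) + query)  # DoT 2-byte length prefix
                (length,) = struct.unpack("!H", recv_exact(tls, 2))
                ok_id, rcode = parse_rcode(recv_exact(tls, length))
                return {"ok": ok_id, "rcode": rcode, "reason": "answered over verified TLS"}
    except ssl.SSLCertVerificationError as e:
        return {"ok": False, "rcode": None, "reason": f"certificate rejected: {e.verify_message}"}
    except (OSError, ConnectionError) as e:
        return {"ok": False, "rcode": None, "reason": f"could not complete TLS check: {e}"}
```

Run check_forwarder(FORWARDER_ADDR, TLS_AUTH_NAME, CA_BUNDLE) on the Caching DNS host after updating the CA trust; a result with ok False and a "certificate rejected" reason means the forwarder would not authenticate under the configured tls-auth-name and bundle.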
Starting with Cisco Prime Network Registrar 11.1, you can enable or disable a forwarder as a Cisco Umbrella CDNS forwarder using the cisco-umbrella attribute. This allows Caching DNS to capture and log security events detected by the upstream Cisco Umbrella servers.
Local and Regional Web UI
To define a forwarder:
Procedure
Step 1: From the Design menu, choose Forwarders under the Cache DNS submenu. This opens the List/Add Forwarders page.
Step 2: Click the Add Forwarders icon on the Forwarders pane to open the Add Forwarder dialog box.
Step 3: Enter the name of the zone to be forwarded as the name and click Add Forwarder.
Step 4: In the Edit Forwarders page, enter the hostname and click Add Host, or enter the IP address for the forwarder and click Add Address.
Step 5: Click Save.
CLI Commands
- To specify the address (or space-separated addresses) of nameservers to use as forwarders, use cdns addForwarder domain [tls=on | off] [tls-auth-name=name] addr. If the tls flag is on, the server connects to the name server using TLS. If tls-auth-name is provided, the server verifies this name in the TLS certificate provided by the name server. You can also use cdns-forwarder name create attribute=value to create the Caching DNS forwarder objects.
- To list the current forwarders, use cdns listForwarders or cdns-forwarder list.
- To modify the forwarder objects, use cdns-forwarder name set attribute=value.
- To remove a forwarder or a list of forwarders, use cdns removeForwarder domain [addr ...] or cdns-forwarder name delete.
Note: For any TLS-related changes in the forwarders to take effect, you should restart the Caching DNS server.