This section describes how to configure domain groups on the CLI.
dns server ip-address
To allow the device to send DNS request packets properly, enable the security policy for the Local zone and the zone where the DNS server resides.
dns analyze maximum-rate maximum-rate
The maximum committed rate refers to the maximum number of DNS reply packets that the FW can resolve per second. For DNS reply packets that exceed the maximum committed rate, the FW permits the packets without recording the domain name-IP address mapping.
The FW can analyze a maximum of 80,000 DNS reply packets per second by default.
domain-set dns aging-time minimum minimum-num maximum maximum-num
By default, the minimum DNS aging time of a domain group is 30 minutes, and the maximum DNS aging time is 14400 minutes.
This function is supported since V600R007C20SPC603.
domain-set name domain-set-name
add domain domain-name &<1-6>
The device needs to forward DNS packets and parse the domain names in the domain group, and fuzzy matching is unavailable for domain names; therefore, each configured domain name must be complete. For example, example.com cannot be shortened to example.
description text
The description is optional; however, a proper description helps you maintain and manage the domain group in the future.
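The following script is an added example, not part of the original documentation or any vendor tooling. It checks a list of domain names for completeness before they are placed in a domain group and emits the `domain-set name`, `description` and `add domain` lines in batches. It assumes that `&<1-6>` means one to six domain names per `add domain` command; the group name `web_allow`, the description and the sample domains are constructed.

```python
import re

# Assumption: "&<1-6>" in the syntax above means the argument may be
# repeated one to six times in a single "add domain" command.
MAX_PER_COMMAND = 6
LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def is_complete_domain(name):
    """True for a full name such as example.com; False for a bare label
    (example) or a name with wildcard or other non-hostname characters.
    This is the script's reading of "complete", since fuzzy match is
    unavailable."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False
    return all(LABEL.fullmatch(label) for label in labels)


def build_domain_set(set_name, domains, description=None):
    """Return (cli_lines, rejected) for one domain group."""
    accepted, rejected, seen = [], [], set()
    for raw in domains:
        name = raw.strip().lower().rstrip(".")
        if not is_complete_domain(name):
            rejected.append(raw)      # report it, never emit it
        elif name not in seen:        # drop duplicates, keep input order
            seen.add(name)
            accepted.append(name)
    lines = [f"domain-set name {set_name}"]
    if description:
        lines.append(f"description {description}")
    for i in range(0, len(accepted), MAX_PER_COMMAND):
        lines.append("add domain " + " ".join(accepted[i:i + MAX_PER_COMMAND]))
    return lines, rejected


# Constructed sample input: reserved example domains plus two bad entries.
SAMPLE = ["example.com", "www.example.com", "example", "*.example.org",
          "mail.example.net", "Example.COM", "a.example.org", "b.example.org",
          "c.example.org", "d.example.org"]

if __name__ == "__main__":
    cli, bad = build_domain_set("web_allow", SAMPLE, "constructed-sample")
    print("\n".join(cli))
    print("rejected:", bad)
```

Reviewing the rejected list before pasting the generated lines catches entries such as `example` that would otherwise sit in the group without ever matching a resolved name.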