
Key Points for DNS Transparent Proxy

This section describes how to configure DNS transparent proxy.

Procedure

To configure DNS transparent proxy, perform the following operations:

  1. Set basic parameters of DNS transparent proxy.
    1. Enable the DNS transparent proxy function.
    2. Set the IP address of the DNS server bound to the interface.
    3. Configure DNS transparent proxy routing.
    4. (Optional) Specify the domain names that do not require DNS transparent proxy.
  2. Configure a DNS transparent proxy policy.
    1. Create a DNS transparent proxy policy rule and configure matching conditions to specify the DNS request packets that require DNS transparent proxy.
    2. Configure an action for the DNS transparent proxy policy rule.
  3. (Optional) Enable the data backup function of the DNS transparent proxy in the hot standby scenario.

Setting Basic Parameters of DNS Transparent Proxy

Operation: Access the system view
Command: system-view
Description: -

Operation: Access the DNS transparent proxy policy view
Command: dns-transparent-policy
Description: -

Operation: Enable the DNS transparent proxy function
Command: dns transparent-proxy enable
Description: By default, the DNS transparent proxy function is disabled.

Operation: Set the IP address of the DNS server bound to the interface
Command: dns server bind interface interface-type interface-number preferred preferred-dns-address [ alternate alternate-dns-address ] [ health-check { enable [ times times | tx-interval tx-interval ] * | disable } ]
Description: The FW replaces the destination address of DNS query messages with the address of the preferred DNS server (preferred preferred-dns-address). When the preferred DNS server is down, the FW replaces the destination address of DNS query messages with the address of the alternate DNS server (alternate alternate-dns-address).

The health-check parameter specifies whether the FW checks the availability of the DNS server bound to the outbound interface. If both the preferred and alternate DNS servers are unavailable, DNS transparent proxy does not take effect.

Operation: Configure DNS transparent proxy routing
Command:

  1. Configure the routing mode of DNS transparent proxy.

    mode { priority-of-userdefine | proportion-of-bandwidth | proportion-of-weight | based-on-multi-interface }

  2. Add a member interface for DNS transparent proxy routing.

    add { interface interface-type interface-number | interface-group { interface-group-name | isp isp-name } } [ priority priority | weight weight ] *

Description: One of the following modes can be selected:
  • Intelligent uplink selection mode configured for the DNS transparent proxy
  • PBR-based intelligent uplink selection or global route selection policy
  • Common static or dynamic route selection

The priorities of route selection modes are as follows: intelligent uplink selection mode configured for the DNS transparent proxy > PBR-based intelligent uplink selection > global route selection policy > common static or dynamic route selection. By default, DNS transparent proxy selects a route based on the global route selection mode, that is, PBR-based intelligent uplink selection or global route selection policy. If intelligent uplink selection is not configured, common static or dynamic route selection is applied.

Operation: (Optional) Specify the domain names that do not require DNS transparent proxy
Command: dns transparent-proxy exclude domain [ server preferred preferred-dns-address [ alternate alternate-dns-address ] ]
Description: If you exclude a domain name from DNS transparent proxy, the FW forwards DNS query messages for that domain name directly to the DNS server specified on the client, without applying DNS transparent proxy to them, even if DNS transparent proxy is configured. If you specify the DNS server address for resolving this domain name (server preferred preferred-dns-address), the DNS query messages are forwarded to this server, not to the DNS server specified on clients.

If multiple domain names do not require DNS transparent proxy, repeat this step for each domain name.

Configuring a DNS Transparent Proxy Policy

  1. Create a DNS transparent proxy policy rule and configure matching conditions to specify the DNS request packets that require DNS transparent proxy.

    Operation: Create a DNS transparent proxy policy rule or access the view of an existing DNS transparent proxy policy
    Command: rule name rule-name
    Description: -

    Operation: (Optional) Configure a description for the DNS transparent proxy policy rule
    Command: description text
    Description: -

    Operation: (Optional) Configure a label for the policy
    Command: add tag tag-name
    Description: After policies reference labels, you can query policies based on labels and delete, move, enable, or disable policies in batches based on query results. For the label description and configuration, see Tag.

    Operation: Enable the DNS transparent proxy policy rule
    Command: enable
    Description: By default, the DNS transparent proxy policy rule is enabled.

    Operation: Configure matching conditions for the DNS transparent proxy policy rule (source IP address)
    Command: source-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | range ipv4-start-address ipv4-end-address [ description description ] | any }
    Description: To exclude specific source addresses from a wide network range, you can also run the source-address-exclude command.

    Operation: Configure matching conditions for the DNS transparent proxy policy rule (destination IP address)
    Command: destination-address { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } [ description description ] | range ipv4-start-address ipv4-end-address [ description description ] | any }
    Description: To exclude specific destination addresses from a wide network range, you can also run the destination-address-exclude command.

  2. Configure an action for the DNS transparent proxy policy rule.

    action { tpdns | no-tpdns }

(Optional) Enabling the Data Backup Function of DNS Transparent Proxy in the Hot Standby Scenario

  1. Access the system view.

    system-view

  2. Enable the data backup function of the DNS transparent proxy in the hot standby scenario.

    hrp auto-sync config dns-transparent-policy
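
The whole procedure above as one command sequence, for a constructed scenario with two ISP uplinks and one LAN subnet. This is an added example, not part of the original page: the interface numbers, IP addresses, weights, domain name, and rule name are constructed sample values, and lines beginning with # are annotations, not commands. The domain name placed after `exclude domain` is an assumption, since the syntax line on this page shows no placeholder for it; `quit` is the standard command for leaving a view.

```text
# Constructed sample values throughout; lines starting with # are annotations.
system-view
dns-transparent-policy

# 1. Basic parameters: enable the function, then bind a preferred and an
#    alternate DNS server to each outbound interface with health check on.
dns transparent-proxy enable
dns server bind interface GigabitEthernet 1/0/1 preferred 198.51.100.53 alternate 198.51.100.54 health-check enable
dns server bind interface GigabitEthernet 1/0/2 preferred 203.0.113.53 alternate 203.0.113.54 health-check enable

# Routing: distribute proxied queries over both uplinks by weight.
mode proportion-of-weight
add interface GigabitEthernet 1/0/1 weight 2
add interface GigabitEthernet 1/0/2 weight 1

# Optional: keep an internal name out of the proxy and send its queries
# to an internal resolver (domain name position is an assumption).
dns transparent-proxy exclude domain intranet.example.com server preferred 10.1.0.53

# 2. Policy: proxy DNS requests that originate from the LAN subnet.
rule name lan_dns
description Proxy DNS queries from the LAN
source-address 10.1.0.0 24
destination-address any
action tpdns
quit
quit

# 3. Optional, hot standby only: back up the DNS transparent proxy data.
hrp auto-sync config dns-transparent-policy
```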

Copyright © Huawei Technologies Co., Ltd.