The destination-address-exclude command excludes specific destination addresses from a DNS transparent proxy policy rule.
The undo destination-address-exclude command deletes the destination addresses excluded from a DNS transparent proxy policy rule.
destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
undo destination-address-exclude { address-set address-set-name &<1-6> | ipv4-address { ipv4-mask-length | mask mask-address | wildcard } | range ipv4-start-address ipv4-end-address } [ description description ]
| Parameter | Description | Value |
|---|---|---|
| address-set address-set-name &<1-6> | Specifies the name of an address or address group. | The specified address or address group must exist. You can add or delete a maximum of six addresses or address groups at a time. |
| ipv4-address | Specifies an IPv4 address. | The value is in dotted decimal notation. |
| ipv4-mask-length | Specifies the mask length of an IPv4 address. | The value is an integer ranging from 1 to 32. |
| mask mask-address | Specifies the mask of an IPv4 address. | The value is in dotted decimal notation. The mask in binary format can be noncontiguous 1s, such as 255.0.255.0 (11111111 00000000 11111111 00000000). Only the bit positions that are 1 in the binary format are matched, whereas bit positions that are 0 are ignored. For example, IP address 192.168.1.1/255.0.255.0 matches the IP addresses in 192.*.1.* format. |
| wildcard | Specifies a wildcard for the IPv4 address. | The value is in dotted decimal notation. The wildcard in binary format can be noncontiguous 1s, such as 0.255.0.255 (00000000 11111111 00000000 11111111). Only the bit positions that are 0 in the binary format are matched, whereas bit positions that are 1 are ignored. For example, IP address 192.168.1.1/0.255.0.255 matches the IP addresses in 192.*.1.* format. |
| range | Indicates an address range. | - |
| ipv4-start-address | Specifies the start address of the IPv4 address range. | The value is in dotted decimal notation. |
| ipv4-end-address | Specifies the end address of the IPv4 address range. | The value is in dotted decimal notation. |
| description description | Specifies the description of a single IPv4 address or address range. | The value is a string of 1 to 128 characters. |
When the destination address of a flow is excluded by a rule of the configured DNS transparent proxy policy, the flow is not subject to the policy.
Application Scenario
For example, a user wants to implement DNS transparent proxy for traffic whose destination address is within network segment 10.1.1.0/24, except for traffic whose destination address falls in the range 10.1.1.40 to 10.1.1.50 within that segment (the excluded destination addresses). Two DNS transparent proxy policy configuration schemes meet this requirement. In configuration scheme 1, two rules (policy_deny and policy_permit) are configured so that different actions are taken on the two flows. This scheme adds rules, which makes the policy harder to maintain. In configuration scheme 2, only one rule needs to be configured. Excluding the destination addresses from that rule has the same effect as configuration scheme 1, which reduces the policy maintenance workload and simplifies the configuration.
Configuration scheme 1:

```
<sysname> system-view
[sysname] dns-transparent-policy
[sysname-policy-dns] rule name policy_deny
[sysname-policy-dns-rule-policy_deny] destination-address range 10.1.1.40 10.1.1.50
[sysname-policy-dns-rule-policy_deny] action no-tpdns
[sysname-policy-dns-rule-policy_deny] quit
[sysname-policy-dns] rule name policy_permit
[sysname-policy-dns-rule-policy_permit] destination-address 10.1.1.0 24
[sysname-policy-dns-rule-policy_permit] action tpdns
```

Configuration scheme 2:

```
<sysname> system-view
[sysname] dns-transparent-policy
[sysname-policy-dns] rule name policy_sec
[sysname-policy-dns-rule-policy_sec] destination-address-exclude range 10.1.1.40 10.1.1.50
[sysname-policy-dns-rule-policy_sec] destination-address 10.1.1.0 24
[sysname-policy-dns-rule-policy_sec] action tpdns
```
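The following Python model is an added example, not Huawei's implementation and not code from this reference page. It implements the four destination-address forms from the parameter table (mask length, noncontiguous mask, wildcard, and range) as match predicates, applies the rule semantics from the usage guideline (an excluded destination never matches the rule, even when it lies inside a configured destination address), and checks that configuration scheme 1 and configuration scheme 2 classify the same sample flows identically. The rule-ordering assumption (first matching rule decides, no match means not proxied) and the sample destination addresses are constructed for the example.

```python
"""Model of destination-address / destination-address-exclude matching for a
DNS transparent proxy rule. Added example; not the device's implementation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, List

Predicate = Callable[[str], bool]


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def prefix(base: str, length: int) -> Predicate:
    """ipv4-address ipv4-mask-length, e.g. 10.1.1.0 24 (contiguous mask)."""
    if not 1 <= length <= 32:
        raise ValueError("mask length must be in 1..32")
    m = (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF
    net = _to_int(base) & m
    return lambda ip: (_to_int(ip) & m) == net


def mask(base: str, mask_addr: str) -> Predicate:
    """ipv4-address mask mask-address: bits that are 1 in the mask must match,
    bits that are 0 are ignored; the mask may be noncontiguous (255.0.255.0)."""
    m = _to_int(mask_addr)
    want = _to_int(base) & m
    return lambda ip: (_to_int(ip) & m) == want


def wildcard(base: str, wild: str) -> Predicate:
    """ipv4-address wildcard: bits that are 0 in the wildcard must match,
    bits that are 1 are ignored, i.e. the bitwise complement of the mask form."""
    complement = ipaddress.IPv4Address(~_to_int(wild) & 0xFFFFFFFF)
    return mask(base, str(complement))


def addr_range(start: str, end: str) -> Predicate:
    """range ipv4-start-address ipv4-end-address, inclusive at both ends."""
    lo, hi = _to_int(start), _to_int(end)
    if lo > hi:
        raise ValueError("start address must not exceed end address")
    return lambda ip: lo <= _to_int(ip) <= hi


@dataclass
class Rule:
    name: str
    action: str                                        # "tpdns" or "no-tpdns"
    destination: List[Predicate]                       # destination-address items
    exclude: List[Predicate] = field(default_factory=list)  # exclude items

    def matches(self, dst: str) -> bool:
        # An excluded destination never matches the rule, even if it lies
        # inside one of the destination-address items.
        if any(p(dst) for p in self.exclude):
            return False
        return any(p(dst) for p in self.destination)


def is_proxied(policy: List[Rule], dst: str) -> bool:
    """Assumption for this example: rules are evaluated in order and the first
    match decides; a flow that matches no rule is not proxied."""
    for rule in policy:
        if rule.matches(dst):
            return rule.action == "tpdns"
    return False


# Configuration scheme 1 from the page: a deny rule followed by a permit rule.
SCHEME1 = [
    Rule("policy_deny", "no-tpdns", [addr_range("10.1.1.40", "10.1.1.50")]),
    Rule("policy_permit", "tpdns", [prefix("10.1.1.0", 24)]),
]

# Configuration scheme 2 from the page: one rule with an excluded range.
SCHEME2 = [
    Rule("policy_sec", "tpdns", [prefix("10.1.1.0", 24)],
         exclude=[addr_range("10.1.1.40", "10.1.1.50")]),
]

# Constructed sample destinations: inside, on both edges of, and outside the range.
SAMPLES = ("10.1.1.7", "10.1.1.40", "10.1.1.45", "10.1.1.50", "10.1.1.51", "10.1.2.9")


def schemes_agree(samples=SAMPLES) -> bool:
    """True when both schemes make the same proxy decision for every sample."""
    return all(is_proxied(SCHEME1, ip) == is_proxied(SCHEME2, ip) for ip in samples)


if __name__ == "__main__":
    for ip in SAMPLES:
        print(f"{ip:<10} scheme1={is_proxied(SCHEME1, ip)} scheme2={is_proxied(SCHEME2, ip)}")
    print("schemes agree:", schemes_agree())
```

Running the block prints one line per sample destination; the addresses 10.1.1.40 through 10.1.1.50 are reported as not proxied by both schemes, everything else in 10.1.1.0/24 as proxied, and 10.1.2.9 as not proxied. The noncontiguous mask and wildcard predicates are included so the 192.*.1.* examples from the parameter table can be checked the same way.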