The add query-name answer command configures a rule for constructing response packets for the user-defined DNS safe search function.
The undo add query-name command deletes one rule, or all rules, for constructing response packets for the user-defined DNS safe search function.
add query-name host-text answer { ip ip-address | cname cname } [ ttl ttl-time ]
undo add query-name { host-text | all }
| Parameter | Description | Value |
|---|---|---|
| host-text | Specifies the domain name in the request direction to be matched. Only exact match is supported. | - |
| ip ip-address | Specifies the IP address of a constructed response packet. | The value is in dotted decimal notation. |
| cname cname | Specifies the CNAME of a constructed response packet. | - |
| ttl ttl-time | Specifies the aging time of DNS cache entries. | The value is an integer in the range from 600 to 3600, in seconds. By default, the aging time of DNS cache entries is 600 seconds. |
Usage Scenario
The pre-defined DNS safe search function applies only to three search engines: Bing, Google, and YouTube. In addition, parameters such as the IP address of the safe search server, the CNAME, and the TTL in DNS response packets cannot be configured for it. To address these limitations, run this command to configure a rule for constructing DNS response packets. If the domain name in a DNS request packet matches the domain name in the request direction configured in a rule, the device constructs a DNS response packet whose IP address or CNAME field points to the safe search server specified by the rule, implementing the user-defined DNS safe search function. The pre-defined and user-defined DNS safe search functions are independent of each other, and the user-defined function takes precedence over the pre-defined one.
You can set the aging time of DNS cache entries using the ttl ttl-time parameter of this command. By default, the user-defined DNS safe search function does not take effect. It takes effect only after you run this command to configure a rule for constructing DNS response packets and reference the rule in a specific DNS filtering profile. A maximum of 256 rules for constructing response packets based on an IP address or CNAME can be configured in one DNS filtering profile, and a maximum of 2048 such rules can be configured on a device.
Precaution
The domain name (specified by host-text) in rules for constructing response packets must be unique within a DNS filtering profile. A rule for a given domain name in the request direction constructs response packets based on either an IP address or a CNAME.
# Set the IP address in a DNS response packet whose domain name in the request direction is example.huawei.com to 1.1.1.1 (IP address of the safe search server) and the aging time of DNS cache entries to 1200 seconds.
```
<sysname> system-view
[sysname] profile type dns-filter name safesearch
[sysname-profile-dns-filter-safesearch] add query-name example.huawei.com answer ip 1.1.1.1 ttl 1200
```
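The following Python is an added example, not Huawei code or a Huawei API: it models the rule semantics described above (exact match on host-text, an answer of either an IP address or a CNAME, the ttl range and default, host-text uniqueness within a profile, and the 256-rule profile limit). The class and method names are assumptions, as is the case-insensitive comparison of domain names.

```python
import ipaddress

TTL_MIN, TTL_MAX, TTL_DEFAULT = 600, 3600, 600   # ttl range and default from the command reference
MAX_RULES_PER_PROFILE = 256                       # per-profile limit from the command reference


class DnsFilterProfile:
    """Model of one 'profile type dns-filter' holding add query-name ... answer rules (constructed example)."""

    def __init__(self, name):
        self.name = name
        self.rules = {}  # normalized host-text -> (record type, value, ttl)

    @staticmethod
    def _normalize(name):
        # Assumption: names compare case-insensitively and without a trailing dot.
        return name.rstrip(".").lower()

    def add_query_name(self, host_text, ip=None, cname=None, ttl=TTL_DEFAULT):
        """add query-name host-text answer { ip ip-address | cname cname } [ ttl ttl-time ]"""
        if (ip is None) == (cname is None):
            raise ValueError("answer with exactly one of ip or cname")
        if not TTL_MIN <= ttl <= TTL_MAX:
            raise ValueError(f"ttl must be an integer from {TTL_MIN} to {TTL_MAX} seconds")
        key = self._normalize(host_text)
        if key in self.rules:  # Precaution: host-text must be unique within a profile
            raise ValueError(f"{host_text} already has a rule in profile {self.name}")
        if len(self.rules) >= MAX_RULES_PER_PROFILE:
            raise ValueError(f"profile {self.name} already holds {MAX_RULES_PER_PROFILE} rules")
        if ip is not None:
            ipaddress.IPv4Address(ip)  # the value must be in dotted decimal notation
            self.rules[key] = ("A", ip, ttl)
        else:
            self.rules[key] = ("CNAME", self._normalize(cname), ttl)

    def undo_add_query_name(self, host_text=None):
        """undo add query-name { host-text | all }; host_text=None stands for 'all'."""
        if host_text is None:
            self.rules.clear()
        else:
            self.rules.pop(self._normalize(host_text), None)

    def answer(self, qname):
        """Return (type, value, ttl) for the constructed response on an exact match, else None."""
        return self.rules.get(self._normalize(qname))
```

Because only exact matching is supported, a query for a subdomain of a configured host-text gets no constructed response and falls through to normal resolution.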