
Restrictions and Precautions for DNS

Hardware Requirements

The DNS function is supported by all models.

License Requirements

The DNS function is not license-controlled.

Precautions

  • If the FW functions as a DNS proxy in multi-egress scenarios, the source IP address of a DNS request might not match the address of the outbound interface. As a result, the DNS server may fail to respond to the FW's DNS requests. You are therefore advised to configure Source NAT in easy IP mode on the FW to translate the source IP addresses of DNS packets to the IP address of the outbound interface.
  • The DNS client and DNS proxy/relay support IPv6. DDNS does not support IPv6.
  • A conflict may occur if DNS proxy and DNS transparent proxy are configured together with PBR on a device.

    If DNS proxy, DNS transparent proxy, and PBR are all configured on the device, the device searches for a matching PBR route after receiving a packet that requires DNS proxy and matches the DNS transparent proxy policy. If a matching PBR route is found, the packet destined for the device is not delivered to the device itself; instead, the device forwards the packet based on the PBR route. As a result, the DNS proxy function does not take effect. The following methods can be used to address the problem:

    • Configure DNS transparent proxy only, so that it replaces the original DNS proxy function. DNS transparent proxy is then implemented for a DNS request destined for the device, and the DNS request is sent to the DNS server based on the matching PBR route.
    • Configure both DNS proxy and DNS transparent proxy, and adjust the PBR routes so that the device does not implement PBR on DNS packets destined for the device.
  • When the device functions as a DNS relay agent or DNS proxy, the device cannot parse DNS request and response packets larger than 512 bytes.
Copyright © Huawei Technologies Co., Ltd.