This chapter explains how to set the Caching DNS server parameters. Before you proceed with the tasks in this chapter, see Introduction to the Domain Name System which explains the basics of DNS.
You can configure the network interfaces for the CDNS server from the Manage Servers page in the local web UI.
You can set properties for the Caching DNS server. These include:
General server properties—See Setting General CDNS Server Properties
Log Settings—See Specifying Log Settings
Activity Summary Settings—See Specifying Activity Summary Settings
Cache TTLs—See Setting Cache TTLs
Root name servers—See Defining Root Nameservers
UDP Ports—See Dynamic Allocation of UDP Ports
Maximum memory cache sizes—See Setting Maximum Memory Cache Sizes
Resolver Settings—See Specifying Resolver Settings
Network Settings—See Specifying Network Settings
Advanced Settings—See Specifying Advanced Settings
Flush cache—See Flushing CDNS Cache
Prevent DNS cache poisoning—See Detecting and Preventing DNS Cache Poisoning
Handle unresponsive nameservers—See Handling Unresponsive Nameservers
You can view CDNS general server properties, such as log settings, basic cache settings, SNMP traps, and root nameservers.
The following subsections describe some of the most common property settings. They are listed in Setting DNS Caching Server Properties.
Use cdns show to display the CDNS server properties (see the cdns command in the CLIGuide.html file in the /docs directory for syntax and attribute descriptions).
This setting determines which detailed events the Caching DNS server logs, as set using a bit mask. Logging these additional details can help analyze a problem. Leaving detailed logging enabled for a long period, however, can fill the log files and cause the loss of important information.
The possible options are:
Note: To specify the activity summary settings, you have to check activity-summary under the Log Settings.
You can specify the interval at which to log activity-summary information using the Statistics Interval (activity-summary-interval) attribute.
The Caching DNS server logs sample and/or total statistics based on the option you check for the attribute Statistics Type (activity-summary-type).
Note: The activity-summary-interval attribute has a default value of 60 seconds. The default activity-summary-type is sample.
The option checked for the attribute Statistics Settings (activity-summary-settings) determines the category of statistics that is logged as part of activity summary. The possible settings are:
Use the Prefetch attribute to set whether message cache elements should be prefetched before they expire to keep the cache up to date. Turning it on gives about 10 percent more traffic and load on the machine, but can increase the query performance for popular DNS names.
When prefetch is enabled, records are assigned a prefetch time that is within 10 percent of the expiration time. As the server processes client queries and looks up the records, it checks the prefetch time. Once the record is within 10 percent of its expiration, the server will issue a query for the record in order to keep it from expiring.
TTL is the amount of time that any nameserver is allowed to cache data learned from other nameservers. Each record added to the cache arrives with some TTL value. When the TTL period expires, the server must discard the cached data and get new data from the authoritative nameservers the next time it sends a query. The TTL attributes cache-min-ttl and cache-max-ttl define the minimum and the maximum time Cisco Prime IP Express retains the cached information. These parameters limit the lifetime of records in the cache whose TTL values are very large.
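The interaction between the TTL clamp and the prefetch window described above, as an added example that is not the product's own code. It is a small in-memory cache model; the cache-min-ttl and cache-max-ttl values are assumed (the page does not state their defaults), and the clock is passed in by the caller so behaviour is deterministic.

```python
from dataclasses import dataclass

# Hypothetical values for the cache-min-ttl / cache-max-ttl attributes (seconds);
# their defaults are not stated in this section, so these are assumptions.
CACHE_MIN_TTL = 60
CACHE_MAX_TTL = 86400
# The page states prefetch fires once a record is within 10 percent of expiry.
PREFETCH_FRACTION = 0.10


def clamp_ttl(upstream_ttl, min_ttl=CACHE_MIN_TTL, max_ttl=CACHE_MAX_TTL):
    """Bound a TTL learned from an authoritative server to [min_ttl, max_ttl]."""
    return max(min_ttl, min(upstream_ttl, max_ttl))


@dataclass
class CacheEntry:
    name: str
    rdata: tuple          # e.g. ('192.0.2.10',)
    inserted_at: float    # seconds, from a caller-supplied clock
    ttl: int              # already clamped

    def expires_at(self):
        return self.inserted_at + self.ttl

    def prefetch_at(self):
        # Prefetch window: the last 10 percent of the entry's lifetime.
        return self.expires_at() - self.ttl * PREFETCH_FRACTION

    def expired(self, now):
        return now >= self.expires_at()

    def in_prefetch_window(self, now):
        return self.prefetch_at() <= now < self.expires_at()


class MessageCache:
    """Toy cache modelling TTL clamping and the prefetch decision (model only)."""

    def __init__(self, prefetch=True):
        self.prefetch = prefetch
        self.entries = {}

    def insert(self, name, rdata, upstream_ttl, now):
        entry = CacheEntry(name.lower(), tuple(rdata), now, clamp_ttl(upstream_ttl))
        self.entries[entry.name] = entry
        return entry

    def lookup(self, name, now):
        """Return (rdata, refresh_needed). rdata is None on a miss or after expiry;
        refresh_needed is True when the resolver should (re)query upstream."""
        entry = self.entries.get(name.lower())
        if entry is None or entry.expired(now):
            self.entries.pop(name.lower(), None)
            return None, True
        if self.prefetch and entry.in_prefetch_window(now):
            # Serve the cached answer now and re-resolve in the background,
            # which is the extra traffic the page attributes to prefetch.
            return entry.rdata, True
        return entry.rdata, False
```

With prefetch disabled the same lookup at 95 percent of the lifetime returns the record without requesting a refresh, which is the trade-off the attribute controls.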
Root nameservers know the addresses of the authoritative nameservers for all the top-level domains. When you first start a newly installed Cisco Prime IP Express Caching DNS server, it uses a set of preconfigured root servers, called root hints, as authorities to ask for the current root nameservers.
When Cisco Prime IP Express gets a response to a root server query, it caches it and refers to the root hint list. When the cache expires, the server repeats the process. The time to live (TTL) on the official root server records is preconfigured and you can specify a different cache TTL value, (see Setting Cache TTLs).
Because the configured servers are only hints, they do not need to be a complete set. You should periodically (every month to six months) look up the root servers to see if the information needs to be altered or augmented.
On the Edit Local CDNS Server tab, under the Root Name Servers category, enter the domain name and IP address of each additional root nameserver, clicking Add Root Nameserver after each one, then click Save.
Use cdns addRootHint.
The Caching DNS server uses a large number of UDP port numbers, by default approximately 60000 port numbers. These numbers are divided among the processing threads. The large number of port numbers reduces the risk of cache poisoning via birthday attacks. The Caching DNS server uses a default pool of 2048 UDP ports; the maximum allowable size of the pool is 4096.
Currently, Cisco Prime IP Express uses the port range from 1024 to 65535. Based on the number of outstanding resolution queries, the Caching DNS server adjusts the pool size by adding or removing ports. The Caching DNS server allocates and releases the UDP ports dynamically when the server is running. If you reload the server, all the UDP ports are released and randomly picked again.
Cisco Prime IP Express provides the outgoing-range-avoid attribute, which lets you define ports or ranges of ports that the DNS server will not use when sending queries.
Note: You need to ensure that UDP ports needed by other applications are in the port exclusion list. Otherwise, these applications may not be able to bind to their port(s) if the DNS server is using the port.
On the Edit Local CDNS Server tab, expand Additional Attributes to view various attributes and their values. For the query-source-port-exclusion-list attribute value, enter a range of ports that need to be excluded. Then click Modify Server.
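The dynamic port pool and the exclusion list described above, as an added example that is not the product's own code. The 1024-65535 range and the 2048/4096 pool sizes come from the page; the 'a-b,c' exclusion syntax is an assumption for illustration (check the attribute help for the real format), and the `seed` argument exists only so the model can be tested deterministically; real use takes the CSPRNG path.

```python
import random

# The page states the server uses ports 1024-65535 for outgoing queries.
PORT_MIN, PORT_MAX = 1024, 65535
# Default pool of 2048 ports, maximum 4096, as stated on the page.
DEFAULT_POOL_SIZE, MAX_POOL_SIZE = 2048, 4096


def parse_exclusions(spec):
    """Parse an exclusion list such as '5000-5010,8080' into a set of ports.
    The 'a-b,c' syntax is assumed here, not taken from the product."""
    excluded = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (PORT_MIN <= lo <= hi <= PORT_MAX):
            raise ValueError(f"exclusion {part!r} is outside {PORT_MIN}-{PORT_MAX}")
        excluded.update(range(lo, hi + 1))
    return excluded


class SourcePortPool:
    """Randomly chosen source ports, minus exclusions, resized as load changes (model only)."""

    def __init__(self, exclusions, pool_size=DEFAULT_POOL_SIZE, max_pool=MAX_POOL_SIZE, seed=None):
        # Seeded RNG only for reproducible tests; otherwise use the OS CSPRNG.
        self.rng = random.Random(seed) if seed is not None else random.SystemRandom()
        self.candidates = [p for p in range(PORT_MIN, PORT_MAX + 1) if p not in exclusions]
        self.max_pool = max_pool
        self.pool = set()
        self.grow(pool_size)

    def grow(self, count):
        """Add up to `count` unused random ports, never exceeding max_pool."""
        count = min(count, self.max_pool - len(self.pool))
        available = [p for p in self.candidates if p not in self.pool]
        self.pool.update(self.rng.sample(available, count))
        return len(self.pool)

    def shrink(self, count):
        """Release `count` ports when outstanding queries fall."""
        for p in self.rng.sample(sorted(self.pool), min(count, len(self.pool))):
            self.pool.discard(p)
        return len(self.pool)

    def pick(self):
        """Source port for the next outgoing query."""
        return self.rng.choice(sorted(self.pool))


def forgery_guess_space(pool_size, txid_bits=16):
    """Combinations an off-path forger must cover: the 16-bit transaction ID times
    the number of live source ports. A single static port leaves only 65536."""
    return (1 << txid_bits) * pool_size
```

`forgery_guess_space` is a simple upper-bound model (it assumes the forger cannot observe which ports are live); it is there to make concrete why a pool of thousands of ports, rather than one static port, matters against the birthday-style attacks the page mentions.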
The maximum memory cache size property specifies how much memory space you want to reserve for the DNS in-memory cache. The larger the memory cache, the less frequently the Caching DNS server will need to re-resolve unexpired records.
On the Edit Local CDNS Server tab, in the Caching category, set it to the desired value for the RRSet Cache Size (rrset-cache-size ), then click Save. The default size is 200MB.
To set the size of the message cache, use the Message Cache Size (msg-cache-size) attribute. The message cache stores query responses. The default size is 200MB.
Glue records are A records for nameservers that cannot be found through normal DNS processing because they are inside the zone they define. When harden-glue is enabled, the Caching DNS server ignores glue records that are not within the zone that is queried. The harden-glue attribute is on by default.
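The bailiwick check behind harden-glue, as an added example that is not the product's own code. It filters the address records of a referral's additional section against the zone the queried server is authoritative for; the referral data is constructed for the example.

```python
def in_bailiwick(name, zone):
    """True when `name` is `zone` itself or lies beneath it (case-insensitive)."""
    n = name.strip(".").lower()
    z = zone.strip(".").lower()
    if z == "":            # the root zone covers every name
        return True
    return n == z or n.endswith("." + z)


def filter_glue(additional, server_zone, harden_glue=True):
    """Split additional-section address records into (kept, dropped).
    With harden_glue on, A/AAAA glue outside `server_zone` (the zone the queried
    server is authoritative for) is dropped instead of being cached."""
    kept, dropped = [], []
    for rr in additional:
        if harden_glue and rr["type"] in ("A", "AAAA") and not in_bailiwick(rr["name"], server_zone):
            dropped.append(rr)
        else:
            kept.append(rr)
    return kept, dropped


# Constructed referral from a hypothetical example.com server delegating sub.example.com.
# Only the first record is legitimate glue for that delegation.
SAMPLE_ADDITIONAL = [
    {"name": "ns1.sub.example.com.", "type": "A", "rdata": "192.0.2.53"},   # in bailiwick: kept
    {"name": "ns.example.net.", "type": "A", "rdata": "203.0.113.7"},       # other zone: dropped
    {"name": "www.example.org.", "type": "A", "rdata": "198.51.100.4"},     # unrelated: dropped
]
```

Records outside the bailiwick are exactly the ones an untrusted responder could use to plant addresses for names it is not authoritative for, which is why the attribute defaults to on.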
The listen-ip-version attribute lets you choose which IP version of packets to accept and issue: IPv4, IPv6, both, or none. The listen-protocol attribute lets you choose the transport protocol to answer and issue: UDP, TCP, both, or none.
The minimal-responses attribute controls whether the DNS Caching server omits or includes records from the authority and data sections of query responses when these records are not required. Enabling this attribute may improve query performance such as when the DNS server is configured as a caching server.
The remote-ns-host-ttl attribute lets you set the time to live for host entries in the remote nameserver cache. These entries contain round-trip timing and EDNS support information.
The remote-ns-cache-numhosts attribute lets you set the number of hosts for which this information is cached.
A query might return multiple A records for a nameserver. To compensate for most DNS clients starting with, and limiting their use to, the first record in the list, you can enable round-robin to share the load. This method ensures that successive clients resolving the same name will connect to different addresses on a revolving basis. The DNS server then rearranges the order of the records each time it is queried. It is a method of load sharing, rather than load balancing, which is based on the actual load on the server.
On the Manage DNS Caching Server page, under the Advanced Settings section, find the Enable round-robin (round-robin) attribute.
Use cdns get round-robin to see if round-robin is enabled (it is by default). If not, use cdns enable round-robin.
The Cisco Prime IP Express cache flushing function lets you remove all or a portion of cached data in the memory cache of the server.
To:
Cisco Prime IP Express enhances CDNS server performance to address CDNS-related issues such as DNS cache poisoning attacks (CSCsq01298), as addressed in Cisco Product Security Incident Response Team (PSIRT) document number PSIRT-107064, Advisory ID cisco-sa-20080708-dns, available at:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20080708-dns
A cache poisoning attack can change an existing entry in the DNS cache as well as insert a new invalid record into the DNS cache. This attack causes a hostname to point to the wrong IP address. For example, let us say that www.example.com is mapped to the IP address 192.168.0.1, and this mapping is present in the cache of a DNS server. An attacker can poison the DNS cache and map www.example.com to 10.0.0.1. If this happens and you try to visit www.example.com, you will end up contacting the wrong web server.
A DNS server that uses a single static port for receiving responses to forwarded queries is susceptible to malicious clients sending forged responses.
The DNS transaction ID and source port number used to validate DNS responses are not sufficiently randomized and can easily be predicted, which allows an attacker to create forged responses to DNS queries. The DNS server will consider such responses as valid.
To reduce the susceptibility to the DNS cache poisoning attack, the DNS server randomizes the UDP source ports used for forwarded queries. Also, a resolver implementation must match responses to the following attributes of the query:
Note: The response source IP address must match the query's destination IP address, and the response destination IP address must match the query's source IP address. A mismatch must be treated as a format error, and the response is invalid.
Resolver implementations must:
The Expert mode Caching DNS server setting randomize-query-case, when enabled, specifies that when sending a recursive query, the query name is pseudo-randomly camel-cased and the response is checked to see whether this camel-casing is unchanged. If randomize-query-case is enabled and the casing has changed, the response is discarded. randomize-query-case is disabled by default.
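The response-matching rules from the cache poisoning discussion and the randomize-query-case check, as an added example that is not the product's own code. It implements the checks the page names (transaction ID, the address rule from the note, the randomized source port, and the preserved query-name casing); matching the question type and class as well is an assumption consistent with standard resolver practice. The `PendingQuery`/`ArrivingResponse` records are hypothetical, and `seed` exists only to make the camel-casing reproducible in tests.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class PendingQuery:
    """What the resolver remembers about a forwarded query (hypothetical record)."""
    txid: int
    src_ip: str
    src_port: int        # randomized source port chosen for this query
    dst_ip: str
    dst_port: int
    qname: str           # exactly as sent, including any randomized casing
    qtype: str
    qclass: str = "IN"


@dataclass(frozen=True)
class ArrivingResponse:
    """What a received packet claims about itself and its question section."""
    txid: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    qname: str
    qtype: str
    qclass: str = "IN"


def randomize_query_case(qname, seed=None):
    """Pseudo-randomly camel-case a query name (the technique behind randomize-query-case)."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return "".join(rng.choice((c.lower(), c.upper())) if c.isalpha() else c for c in qname)


def validate_response(query, resp, randomize_case=False):
    """Return (accepted, reason). Any mismatch discards the response."""
    if resp.txid != query.txid:
        return False, "transaction ID mismatch"
    if (resp.src_ip, resp.src_port) != (query.dst_ip, query.dst_port):
        return False, "response source does not match query destination"
    if (resp.dst_ip, resp.dst_port) != (query.src_ip, query.src_port):
        return False, "response destination does not match query source"
    if (resp.qtype, resp.qclass) != (query.qtype, query.qclass):
        return False, "question type/class mismatch"
    if randomize_case:
        # The responder must echo the question byte for byte, casing included.
        if resp.qname != query.qname:
            return False, "query name casing altered"
    elif resp.qname.lower() != query.qname.lower():
        return False, "query name mismatch"
    return True, "ok"
```

A forged packet that happens to carry the right transaction ID still fails on the destination port unless the forger also guessed the randomized source port, and with randomize-query-case on it additionally has to reproduce the exact casing of the question name.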
The DNS server statistics appear on the Statistics tab of the Manage DNS Caching Server Statistics page. The statistics include the answers-unwanted value. You can refresh the DNS Caching Server Statistics.
When trying to resolve query requests, Caching DNS servers may encounter unresponsive nameservers. A nameserver may not respond to queries at all, or may respond late. This affects the performance of the local DNS server and of remote nameservers.
Using Cisco Prime IP Express, you can resolve these problems by barring unresponsive nameservers. You can configure a global ACL of unresponsive nameservers that are to be barred, using the acl-do-not-query attribute.
When Cisco Prime IP Express receives a list of remote nameservers to which to send a DNS query, it checks for the nameservers listed in the acl-do-not-query list and removes them from that list. Conversely, all incoming DNS requests from clients or other nameservers are filtered against the acl-blacklist.
Note: Using the acl-do-not-query does not affect the configuration of communication with certain servers such as forwarders.
Use the acl-query attribute to specify which clients are allowed to query the server. By default any client is allowed to query the server. A client that is not in this list will receive a reply with status REFUSED. Clients on the acl-blacklist do not get any response whatsoever.
On the Edit Local CDNS Caching Server tab, expand Query Access Control to view the various attributes and their values. For the Do Not Query (acl-do-not-query) attribute value, enter, for example, 10.77.240.73. Then click Save.
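The three ACL behaviours described above (acl-do-not-query pruning the upstream list, acl-query deciding REFUSED, acl-blacklist dropping silently) as an added example that is not the product's own code. It uses the 10.77.240.73 address from the page and otherwise constructed documentation addresses; treating an empty acl-query as "any client may query" and exempting forwarders from acl-do-not-query follow the page's statements, while accepting CIDR prefixes as ACL entries is an assumption.

```python
import ipaddress


def parse_acl(entries):
    """Turn ACL strings (single hosts or CIDR prefixes) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def acl_matches(acl, ip):
    """True if `ip` falls inside any entry of the ACL."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in acl)


def select_upstreams(candidates, acl_do_not_query, forwarders=()):
    """Remove nameservers matched by acl-do-not-query from the list the resolver
    is about to query. Forwarders pass through untouched, per the page's note
    that acl-do-not-query does not affect forwarder communication."""
    acl = parse_acl(acl_do_not_query)
    return [ns for ns in candidates if ns in forwarders or not acl_matches(acl, ns)]


def classify_client(client_ip, acl_query=(), acl_blacklist=()):
    """'drop' for blacklisted clients (no reply at all), 'REFUSED' for clients
    outside a non-empty acl-query, 'allow' otherwise. An empty acl-query means
    any client may query, which is the default the page describes."""
    if acl_matches(parse_acl(acl_blacklist), client_ip):
        return "drop"
    if acl_query and not acl_matches(parse_acl(acl_query), client_ip):
        return "REFUSED"
    return "allow"
```

The ordering matters: the blacklist is consulted first so that a blacklisted client never receives even a REFUSED reply, matching the page's statement that such clients get no response whatsoever.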
Access the commands by using the Commands button. Clicking the Commands button opens the CDNS Commands dialog box in the local web UI. Each command has its own Run icon (click it, then close the dialog box):
Note: To remove all the entries from the in-memory cache, you need to reload the CDNS server.
Note: If you find a server error, investigate the server log file for a configuration error, correct the error, return to this page, and refresh the page.