Using Forwarders
You can specify a domain for which forwarding should occur. The forwarder definition is a list of IP addresses with an optional port number, a list of server names, or both. Typically, forwarders are other Caching DNS servers that have access to the Internet or to external DNS resources.
Note: We highly recommend using IP addresses rather than hostnames.
When forwarders are used, the Caching DNS server forwards user queries that match the forwarding domain to another Caching DNS server, which performs the resolution. This is useful when the local Caching DNS server does not have Internet access (for example, inside a firewall). In these situations, it is typical to configure exceptions for local zones and then create a root (.) forwarder for all external queries. The forwarder name corresponds to the domain you would like to have forwarded. For example, to forward example.com queries, name your forwarder example.com.
Note: You can specify IPv4 and/or IPv6 addresses. For the changes to take effect, you must reload the Caching DNS server.
Tip: To force the Caching DNS server to forward all queries to one or more DNS forwarders, use the DNS root (.) as the forwarder name.
Note: By default, Caching DNS does not allow access to the AS112 and RFC 1918 reverse zones. These are the reverse zones for IP address ranges that are reserved for local use only. To access these zones, define an exception or forwarder for the reverse zones that are defined locally.
In Cisco Prime Network Registrar, you can enable TLS at the individual forwarder object level. To do this, set the tls attribute to enabled. If you enable TLS, you should also configure a tls-cert-bundle to load the CA certificates; otherwise, the connections cannot be authenticated. To add the forwarder server's public certificate to the Certificate Authority bundle, copy the public.pem of the forwarder server to the Caching DNS server and update it in tls-upstream-cert-bundle using the following commands (run as root on the Caching DNS server):
    scp -r public.pem @client-ip:/etc/pki/ca-trust/source/anchors/
    update-ca-trust
The tls-auth-name attribute is the authentication name for the forwarder server. If TLS is enabled, the Caching DNS server verifies that the TLS certificate presented by the forwarder server matches that name.
Starting with Cisco Prime Network Registrar 11.1, you can enable or disable a forwarder as a Cisco Umbrella CDNS forwarder using the cisco-umbrella attribute. This allows Caching DNS to capture and log security events detected by the upstream Cisco Umbrella servers.
Local and Regional Web UI
To define a forwarder:
Procedure
Step 1: From the Design menu, choose Forwarders under the Cache DNS submenu. This opens the List/Add Forwarders page.
Step 2: Click the Add Forwarders icon on the Forwarders pane to open the Add Forwarder dialog box.
Step 3: Enter the name of the zone to be forwarded as the name and click Add Forwarder.
Step 4: In the Edit Forwarders page, enter the hostname and click Add Host, or enter the IP address for the forwarder and click Add Address.
Step 5: Click Save.
CLI Commands
- To specify the address (or space-separated addresses) of nameservers to use as forwarders, use cdns addForwarder domain [tls=on | off] [tls-auth-name=name] addr. If the tls flag is on, the server connects to the name server using TLS. If tls-auth-name is provided, the server verifies this name in the TLS certificate provided by the name server. You can also use cdns-forwarder name create attribute=value to create the Caching DNS forwarder objects.
- To list the current forwarders, use cdns listForwarders or cdns-forwarder list.
- To modify the forwarder objects, use cdns-forwarder name set attribute=value.
- To remove a forwarder or list of forwarders, use cdns removeForwarder domain [addr ...] or cdns-forwarder name delete.
Note: For any TLS-related changes in the forwarders to take effect, you should restart the Caching DNS server.
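The following is an added example, not part of the Cisco documentation, that checks a set of planned forwarder definitions against the recommendations above (IP addresses rather than hostnames, a CA bundle and tls-auth-name whenever tls is on) and renders the equivalent cdns addForwarder command lines. The forwarder data is constructed for illustration; the dictionary keys and the cert_bundle_configured flag are assumptions of this script, not product attributes.

```python
import ipaddress

# Constructed sample: a firewalled Caching DNS server that forwards everything
# else to a root (.) forwarder over TLS, plus a local zone and an RFC 1918
# reverse zone that must be forwarded explicitly.
FORWARDERS = [
    {"name": ".", "addrs": ["192.0.2.53", "2001:db8::53"], "tls": True,
     "tls_auth_name": "dns.example.net"},
    {"name": "example.com", "addrs": ["ns1.example.com"], "tls": False},
    {"name": "10.in-addr.arpa", "addrs": ["10.0.0.2"], "tls": True},
]


def lint_forwarder(fwd, cert_bundle_configured):
    """Return a list of findings for one forwarder definition.

    cert_bundle_configured mirrors whether a tls-cert-bundle has been loaded
    on the Caching DNS server (an assumption of this script).
    """
    findings = []
    for addr in fwd["addrs"]:
        try:
            ipaddress.ip_address(addr)  # accepts IPv4 and IPv6 literals
        except ValueError:
            findings.append(f"{fwd['name']}: '{addr}' is a hostname; "
                            "IP addresses are recommended")
    if fwd.get("tls"):
        if not cert_bundle_configured:
            findings.append(f"{fwd['name']}: tls=on but no CA bundle is "
                            "configured; the upstream cannot be authenticated")
        if not fwd.get("tls_auth_name"):
            findings.append(f"{fwd['name']}: tls=on without tls-auth-name; "
                            "the certificate name will not be verified")
    return findings


def to_cli(fwd):
    """Render the forwarder as a 'cdns addForwarder' command line."""
    parts = ["cdns", "addForwarder", fwd["name"],
             "tls=on" if fwd.get("tls") else "tls=off"]
    if fwd.get("tls_auth_name"):
        parts.append(f"tls-auth-name={fwd['tls_auth_name']}")
    parts.extend(fwd["addrs"])
    return " ".join(parts)


if __name__ == "__main__":
    for fwd in FORWARDERS:
        print(to_cli(fwd))
        for finding in lint_forwarder(fwd, cert_bundle_configured=False):
            print("  WARNING:", finding)
```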
Pushing and Pulling Forwarders
You can push Forwarders to and pull Forwarders from local clusters on the List/Add Forwarders page in the regional cluster web UI.
Pushing Forwarders to Local Clusters
To push Forwarders to the local cluster, do the following:
Regional Web UI
Procedure
Step 1: From the Design menu, choose Forwarders under the Cache DNS submenu to open the List/Add Forwarders page in the regional web UI.
Step 2: Click the Push All icon in the Forwarders pane to push all the Forwarders listed on the page, or select the Forwarder on the Forwarders pane and click the Push icon at the top of the Edit Forwarder page. This opens the Push Forwarder page.
Step 3: Choose a push mode using one of the Data Synchronization Mode radio buttons. In either case, Ensure is the default mode. Choose Replace only if you want to replace the existing Forwarder data at the local cluster. Choose Exact only if you want to create an exact copy of the Forwarder at the local cluster, thereby deleting all Forwarders that are not defined at the regional cluster.
Step 4: Choose one or more local clusters in the Available field of the Destination Clusters and move it or them to the Selected field.
Step 5: Click Push Data to Clusters.
CLI Commands
When connected to a regional cluster, you can use cdns-forwarder <name | all> push <ensure | replace | exact> cluster-list [-report-only | -report].
Pulling CDNS Forwarders from Local Clusters
To pull Forwarders from the replica database, do the following:
Regional Web UI
Procedure
Step 1: From the Design menu, choose Forwarders under the Cache DNS submenu to open the List/Add Zone Forwarders page.
Step 2: Click the Pull Data icon in the Forwarders pane to open the Select Replica Forwarder Data to Pull window.
Step 3: Click the Replica icon in the Update Replica Data column for the cluster. (For the automatic replication interval, see the "Replicating Local Cluster Data" section in the Cisco Prime Network Registrar 11.2 Administration Guide.)
Step 4: Choose a replication mode using one of the Mode radio buttons.
Step 5: Leave the default Replace mode enabled, unless you want to preserve any existing Forwarder data at the local cluster by choosing Ensure.
Step 6: Click the Pull All Forwarders button to view the pull details.
Step 7: Click Ok.
CLI Commands
When connected to a regional cluster, you can use cdns-forwarder <name | all> pull <ensure | replace | exact> cluster-name [-report-only | -report].