Transparent DNS proxy can load balance the traffic of internal users that access the external DNS servers among multiple links.
As shown in the Figure, the two ISPs provide two public IP addresses. Configure transparent DNS proxy to meet the following requirements:
· DNS servers at 183.xx.xx.190 and 183.xx.xx.191 resolve the DNS requests to mail.qq.com.
· DNS servers at 61.xx.xx.125 and 61.xx.xx.126 resolve the DNS requests to www.baidu.com, with the one that has a higher priority as the primary, and the other as the backup.
#
nqa template icmp icmp-cnc-1
 next-hop ip 61.xx.xx.2
 out interface Route-Aggregation1.100
#
nqa template icmp icmp-cnc-2
 next-hop ip 180.xx.xx.2
 out interface Route-Aggregation1.101
#
nqa template icmp icmp-chinatel-master
 next-hop ip 1.xx.xx.2
 out interface Route-Aggregation1.102
#
nqa template icmp icmp-chinatel-backup
 next-hop ip 203.xx.xx.2
 out interface Route-Aggregation1.103
#
nqa template dns dns114.114.114.114
 destination ip 114.114.114.114
 resolve-target mail.qq.com
 ttl 255
#
nqa template dns dns202.xx.xx.151
 destination ip 202.xx.xx.151
 resolve-target mail.qq.com
 ttl 255
#
nqa template dns dns219.xx.xx.68
 destination ip 219.xx.xx.68
 resolve-target www.baidu.com
 ttl 255
#
nqa template dns dns8.8.8.8
 destination ip 8.8.8.8
 resolve-target www.baidu.com
 ttl 255
#
loadbalance dns-server dns-qq-1
 ip address 114.114.114.114
 link link-cnc-1
#
loadbalance dns-server dns-qq-2
 ip address 202.xx.xx.151
 link link-cnc-2
#
loadbalance dns-server dns-baidu-master
 ip address 219.xx.xx.68
 link link-chinatel-master
#
loadbalance dns-server dns-baidu-backup
 ip address 8.8.8.8
 link link-chinatel-backup
#
loadbalance dns-server-pool dsp-qq
 success-criteria at-least 1
 dns-server dns-qq-1 port 0
  success-criteria at-least 1
  probe dns114.114.114.114
 dns-server dns-qq-2 port 0
  success-criteria at-least 1
  probe dns202.xx.xx.151
#
loadbalance dns-server-pool dsp-baidu
 success-criteria at-least 1
 dns-server dns-baidu-backup port 0
  success-criteria at-least 1
  probe dns8.8.8.8
 dns-server dns-baidu-master port 0
  priority 8
  success-criteria at-least 1
  probe dns219.xx.xx.68
#
loadbalance class damian-baidu.com type dns match-any
 match 1 domain-name www.baidu.com
#
loadbalance class domain-qq.com type dns match-any
 match 1 domain-name mail.qq.com
#
loadbalance action ##defaultactionfordnsproxyipv4##%%autocreatedbyweb%% type dns
 dns-server-pool dsp-qq
#
loadbalance action dp4#action#for#damian-baidu.com type dns
 dns-server-pool dsp-baidu
#
loadbalance action dp4#action#for#domain-qq.com type dns
 dns-server-pool dsp-qq
#
loadbalance policy ##defaultpolicyfordnsproxyipv4##%%autocreatedbyweb%% type dns
 class domain-qq.com action dp4#action#for#domain-qq.com
 class damian-baidu.com action dp4#action#for#damian-baidu.com
 default-class action ##defaultactionfordnsproxyipv4##%%autocreatedbyweb%%
#
loadbalance link link-chinatel-backup
 router ip 203.xx.xx.2
 success-criteria at-least 1
 probe icmp-chinatel-backup
#
loadbalance link link-chinatel-master
 router ip 1.xx.xx.2
 success-criteria at-least 1
 probe icmp-chinatel-master
#
loadbalance link link-cnc-1
 router ip 61.xx.xx.2
 success-criteria at-least 1
 probe icmp-cnc-1
#
loadbalance link link-cnc-2
 router ip 180.xx.xx.2
 success-criteria at-least 1
 probe icmp-cnc-2
#
loadbalance dns-proxy ##defaultdpfordnsproxyipv4##%%autocreatedbyweb%% type udp
 ip address 0.0.0.0 0
 service enable
 lb-policy ##defaultpolicyfordnsproxyipv4##%%autocreatedbyweb%%
#
nat address-group 1 name cnc-1
 address 61.xx.xx.100 61.xx.xx.200
#
nat address-group 2 name cnc-2
 address 180.xx.xx.100 180.xx.xx.200
#
nat address-group 3 name chinatel-master
 address 1.xx.xx.100 1.xx.xx.200
#
nat address-group 4 name chinatel-backup
 address 203.xx.xx.100 203.xx.xx.200
#
interface Route-Aggregation1.100
 ip address 61.xx.xx.1 255.255.255.0
 nat outbound address-group 1
 vlan-type dot1q vid 191
#
interface Route-Aggregation1.101
 ip address 180.xx.xx.1 255.255.255.0
 nat outbound address-group 2
 vlan-type dot1q vid 192
#
interface Route-Aggregation1.102
 ip address 1.xx.xx.1 255.255.255.0
 nat outbound address-group 3
 vlan-type dot1q vid 193
#
interface Route-Aggregation1.103
 ip address 203.xx.xx.1 255.255.255.0
 nat outbound address-group 4
 vlan-type dot1q vid 194
#
1. Configure the default DNS servers. This example uses A record resolution.
2. Make sure the DNS server IP address configured on the client is not an IP address on the device or an IP address in the same network segment, and make sure the DNS request packets from the client can reach the LB device.
3. If outbound link load balancing is also configured, make sure the link settings for transparent DNS proxy are the same as those for outbound link load balancing.
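The following Python check is an added example, not part of the original page or the vendor's tooling. It reads a configuration written in the syntax shown above and reports every probe, link, dns-server, dns-server-pool, class, action or lb-policy name that is referenced but never defined, since a mistyped name can leave a DNS server or link without health monitoring. The keyword list is assumed from the commands on this page, and the sample text and its names are constructed.

```python
import re

# Sub-commands that name another object -> kind(s) of the object(s) named.
REFS = [
    (r"link (\S+)", ["link"]),
    (r"probe (\S+)", ["probe"]),
    (r"dns-server (\S+) port", ["dns-server"]),
    (r"dns-server-pool (\S+)", ["dns-server-pool"]),
    (r"lb-policy (\S+)", ["policy"]),
    (r"class (\S+) action (\S+)", ["class", "action"]),
    (r"default-class action (\S+)", ["action"]),
]

def dangling_refs(config):
    """Return sorted (kind, name) pairs that are referenced but never defined."""
    defined, used = set(), set()
    for line in map(str.strip, config.splitlines()):
        probe = re.match(r"nqa template \S+ (\S+)", line)
        obj = re.match(r"loadbalance (\S+) (\S+)", line)
        if probe:
            defined.add(("probe", probe.group(1)))
        elif obj:
            defined.add(obj.groups())  # (kind, name), e.g. ("link", "link-cnc-1")
        else:
            for pattern, kinds in REFS:
                ref = re.match(pattern, line)
                if ref:
                    used.update(zip(kinds, ref.groups()))
    return sorted(used - defined)

# Constructed excerpt in the page's syntax: dns-qq-2 and dns-b are undefined on purpose.
SAMPLE = """\
nqa template icmp icmp-cnc-1
nqa template dns dns-a
loadbalance dns-server dns-qq-1
 link link-cnc-1
loadbalance dns-server-pool dsp-qq
 dns-server dns-qq-1 port 0
  probe dns-a
 dns-server dns-qq-2 port 0
  probe dns-b
loadbalance action act-qq type dns
 dns-server-pool dsp-qq
loadbalance link link-cnc-1
 probe icmp-cnc-1
"""

if __name__ == "__main__":
    print(dangling_refs(SAMPLE))
```

Lines are matched by keyword rather than by indentation, so the check also works on configuration text whose leading spaces were lost when it was copied.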