Method used to configure a DNS resolution policy on AR series routers

In V2R5C90 and V200R006C10, a Huawei AR supports the DNS resolution policy, which applies access control to specific sites based on their domain names. The DNS resolution policy is supported only when the AR functions as the DNS proxy or relay agent.
DNS resolution policy rules are configured using the rule rule-id [ if-match name hostname ] { deny | permit | spoofing ip-address } command. Depending on the action, the domain name hostname is resolved (permit), is not resolved (deny), or is answered with a spoofing response that carries ip-address (spoofing). rule-id specifies the DNS resolution rule ID. A smaller value indicates a higher priority. If the specified rule ID already exists, the new rule overwrites the existing rule.
The configuration procedure is as follows:
[Huawei] dns proxy enable //Enable the DNS proxy function, or run the dns relay enable command to enable the DNS relay function.
[Huawei] dns resolve //Enable dynamic domain name resolution.
[Huawei] dns server 10.3.1.2 //Configure the IP address of the DNS server.
[Huawei] dns resolve policy a //Enter the DNS resolution policy view.
[Huawei-dns-resolve-policy-a] rule 0 if-match name www.huawei.com permit //Configure rule 0. If the domain name is www.huawei.com, resolution is allowed.
[Huawei-dns-resolve-policy-a] rule 1 spoofing 192.168.1.1 //For other domain names, a spoofing response is sent with the response address of 192.168.1.1.
