How do I implement DNS resolution for L2TP users on the AR router


Host resolution is implemented by DNS. The ip host command can be used to configure static DNS entries.

Other related questions:
How to perform DNS resolution for L2TP users on the AR
Host resolution is implemented through DNS. You can run the ip host command on the device to configure static DNS entries.

How do I assign DNS to L2TP dial-up users
You can use either of the following methods:
- Use the DNS server address specified in the address pool.
 1. Create an address pool and specify the DNS server address in the address pool.
    system-view
    [sysname] ip pool l2tp_pool
    [sysname-pool-l2tp_pool] section 0 1.1.1.1 1.1.1.10
    [sysname-pool-l2tp_pool] dns-list 2.2.2.1 //Change the DNS server address to the actual address.
    [sysname-pool-l2tp_pool] quit
 2. Create a service scheme and reference the address pool.
    [sysname] aaa
    [sysname-aaa] service-scheme srvscheme1
    [sysname-aaa-service-srvscheme1] ip-pool l2tp_pool //Reference the address pool created in step 1.
 3. Reference the service scheme in the authentication domain.
    system-view
    [sysname] aaa
    [sysname-aaa] domain domain1 //Change the authentication domain to the one used when you configure L2TP.
    [sysname-aaa-domain-domain1] service-scheme srvscheme1
- Use the DNS server address specified in the service scheme.
 1. Create a service scheme.
    system-view
    [sysname] aaa
    [sysname-aaa] service-scheme srvscheme1
    [sysname-aaa-service-srvscheme1] dns 2.2.2.1 //Change the DNS server address to the actual address.
 2. Reference the service scheme in the authentication domain.
    system-view
    [sysname] aaa
    [sysname-aaa] domain domain1 //Change the authentication domain to the one used when you configure L2TP.
    [sysname-aaa-domain-domain1] service-scheme srvscheme1 //Reference the service scheme in the authentication domain.
If DNS server addresses are specified in both the address pool and the service scheme, the DNS server address specified in the address pool is preferentially used.
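Added example (not Huawei's code and not part of the original answer): a small Python check that reads a configuration and reports which DNS server the L2TP users of an authentication domain actually receive, applying the precedence rule stated above. The saved-configuration layout with one space of indentation per view, the names srvscheme2 and domain2, and the 3.3.3.x addresses are constructed assumptions.

```python
# Constructed sample in saved-configuration style (layout is an assumption);
# it uses only commands shown above. srvscheme1 sets both DNS sources.
SAMPLE = """\
ip pool l2tp_pool
 section 0 1.1.1.1 1.1.1.10
 dns-list 2.2.2.1
aaa
 service-scheme srvscheme1
  dns 3.3.3.1
  ip-pool l2tp_pool
 service-scheme srvscheme2
  dns 3.3.3.2
 domain domain1
  service-scheme srvscheme1
 domain domain2
  service-scheme srvscheme2
"""

def parse(config):
    """Return (pool DNS lists, service schemes, domain -> scheme bindings)."""
    pools, schemes, domains, view = {}, {}, {}, None
    for raw in config.splitlines():
        w, depth = raw.split(), len(raw) - len(raw.lstrip())
        if not w:
            continue
        if depth == 0:  # top-level command: an address pool view or anything else
            view = ("pool", w[2]) if w[:2] == ["ip", "pool"] and len(w) == 3 else None
        elif len(w) < 2:
            continue
        elif depth == 1 and w[0] in ("service-scheme", "domain"):
            view = (w[0], w[1])  # views nested under aaa
        elif view and view[0] == "pool" and w[0] == "dns-list":
            pools.setdefault(view[1], []).extend(w[1:])
        elif view and view[0] == "service-scheme" and w[0] in ("dns", "ip-pool"):
            schemes.setdefault(view[1], {})[w[0]] = w[1]
        elif view and view[0] == "domain" and w[0] == "service-scheme":
            domains[view[1]] = w[1]  # here the command is a reference, not a view
    return pools, schemes, domains

def effective_dns(config, domain):
    """DNS servers assigned to L2TP users of `domain`, and their source."""
    pools, schemes, domains = parse(config)
    scheme = schemes.get(domains.get(domain), {})
    pool_dns = pools.get(scheme.get("ip-pool"), [])
    if pool_dns:  # the address pool is preferred when both are set
        return pool_dns, "address pool"
    if "dns" in scheme:
        return [scheme["dns"]], "service scheme"
    return [], "none"
```

For domain1 the check returns 2.2.2.1 from the address pool even though srvscheme1 also sets dns 3.3.3.1, which is the case to look for when VPN users resolve names through a different server than the one intended.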

How do I disconnect L2TP users on an AR
Use the following methods to disconnect L2TP users:
- Disconnect all users of the L2TP tunnel.
 1. Run the display l2tp tunnel [ tunnel-item <tunnel-id> | tunnel-name <tunnel-name> ] command in any view to check the local tunnel ID or remote tunnel name of the tunnel to be terminated.
 2. Run the reset l2tp tunnel { peer-name <remote-name> | local-id <tunnel-id> } command in the user view to terminate the tunnel connection based on the local tunnel ID or remote tunnel name.
- Disconnect an L2TP user.
 1. Run the display l2tp session [ destination-ip <d-ip-address> | session-item <session-id> | source-ip <s-ip-address> ] command in any view to check the ID of the local session to be terminated based on the remote IP address.
 2. Run the reset l2tp session session-id <session-id> command in the user view to terminate the session based on the local session ID.

How do I view login records of L2TP VPN users on the AR router
You cannot view login records of L2TP VPN users on the AR router.

Method used to configure a DNS resolution policy on AR series routers
In V2R5C90 and V200R006C10, a Huawei AR supports the DNS resolution policy, which performs access control for some sites based on the domain name. The DNS resolution policy is supported only when the AR functions as the DNS proxy or relay agent.
DNS resolution policy rules are configured using the rule rule-id [ if-match name hostname ] { deny | permit | spoofing ip-address } command. For the domain name hostname, the rule allows resolution (permit), refuses resolution (deny), or sends a spoofing response (spoofing ip-address). rule-id specifies the DNS resolution rule ID. A smaller value indicates a higher priority of the rule. If the specified rule ID already exists, the new rule overwrites the existing rule.
The configuration procedure is as follows:
 [Huawei] dns proxy enable //Enable the DNS proxy function, or run the dns relay enable command to enable the DNS relay function.
 [Huawei] dns resolve //Enable dynamic domain name resolution.
 [Huawei] dns server 10.3.1.2 //Configure the IP address of the DNS server.
 [Huawei] dns resolve policy a //Enter the DNS resolution policy view.
 [Huawei-dns-resolve-policy-a] rule 0 if-match name www.huawei.com permit //Configure rule 0: if the domain name is www.huawei.com, resolution is allowed.
 [Huawei-dns-resolve-policy-a] rule 1 spoofing 192.168.1.1 //For other domain names, a spoofing response is sent with the response address of 192.168.1.1.
