The following lists the DNS deployment options that can be configured in Address Manager.
| DNS Deployment Option | Description | Parameters |
|---|---|---|
| Allow Dynamic Updates | This option takes an ACL or match list as an argument. Only addresses matched on the list are allowed to send updates to the server for that zone. Use Update Policy for more control over update permissions. Allow Dynamic Updates and Update Policy are mutually exclusive and can't be set at the same level in Address Manager. Note: Dynamic DNS updates in an xHA cluster environment must be configured using the physical IP addresses (not a virtual IP address) of the active and passive nodes. | For DNS Servers: Note: Allowing updates based on IP address is considerably less secure than using a TSIG key. Note: If you select Key, the DHCP server must be configured with a zone declaration signed with the same key. |
| Allow Notify | Limits the servers that are allowed to send notify messages to a secondary zone. This option accepts a list of IPv4 and IPv6 addresses. | |
| Allow Query | BIND 9 servers are able to limit the IP addresses that can access a particular view by means of an ACL. Addresses in the list are allowed to query that view's records. | |
| Allow Query Cache | Provides a list of hosts allowed to query the View's cache. | |
| Allow Recursion | Lets users make recursive queries to the server. A list of clients that can perform recursive queries is associated with the server. For more information, refer to Recursive DNS. | |
| Allow Update Forwarding | Specifies which hosts are allowed to submit dynamic DNS updates to secondary zones for forwarding to the primary. The default is none, which means that no update forwarding is performed. Specifying values other than none or any is counterproductive unless required (as in Active Directory), as the responsibility for update access control must rest with the primary server and not the secondary servers. Enabling this feature on a secondary server could expose primary servers to cache poisoning attacks due to reliance on the IP address based access control of the insecure secondary server. | |
| Allow Zone Transfer | Allows zone transfers only to the IP addresses specified in the option; transfers to any other address are refused. | |
| DNS64 Contact | Used to specify the contact information for the reverse zones created by DNS64 reverse mapping. | In the Email field, specify email for the contact. |
| DNS64 Server | Used to specify the name of the server in which the synthesized IP6.ARPA zone is being created. | In the FQDN field, specify the fully qualified domain name. |
| Deny Clients | Defines ACL lists to match clients against. ACL match lists can be defined below the view level, but are a view-global option upon deployment. Clients matched against an ACL defined by this option are denied access to DNS resolution for the view to which the ACL is attached. This option should only be used for views and not zones. | |
| DNSSEC Accept Expired | When enabled, the server accepts expired DNSSEC signatures. This option can be set at the configuration, view, or server level. Enabling this option leaves the server vulnerable to replay attacks. | Enabled check box. |
| DNSSEC Enable | Enables the server to respond to DNS requests from DNSSEC-aware servers. This option can be set at the configuration, view, or server level. | Enabled check box. |
| DNSSEC Must Be Secure | A list of domains and whether each must be signed for the server to accept answers. When the Secured check box is selected, the domain must be signed; when not selected, the domain doesn't need to be signed. This option can be set at the configuration, view, or server level. | List of fully qualified domain names. Secured check box indicates if the zone must be secure. |
| DNSSEC Trust Anchors | Provides the public key for trusted zones. This option can be set at the server level. | List of fully qualified domain names and their key signing keys. In the FQDN field, type the fully qualified domain name. In the Key field, paste the zone's public key. |
| DNSSEC Validation | Enables the server to validate answers from other DNSSEC-enabled servers. This option can be set at the configuration, view, or server level. | Enabled check box. The DNSSEC Enable and DNSSEC Trust Anchors options must also be set for the server to function properly. |
| ECS Disable Servers | Disables the sending of ECS options when communicating with remote servers at the specified addresses and/or within the specified prefixes. This option can be set at the configuration and view level. | List of IPv4 addresses, IPv6 addresses, and/or IP prefixes (IP ranges in CIDR notation). |
| ECS Enable | Indicates which zones ECS-tagged queries may be sent to. Check Enable ECS to enable ECS-tagged queries for a zone, or leave unchecked to disable ECS-tagged queries for a zone. This option can be configured at the configuration, server, server group, view, and zone level. | Enable ECS check box. |
| ECS Exclude Names | Indicates domains to exclude by specifying a resource record name. This option can be configured at the zone and zone template level. Note: This option is not inherited by sub-zones. | List of names indicating resource records within the zone. For example, if you wish to exclude test.example.com, add this option to the example.com zone and provide a value of test in the Name field of the option. |
| ECS Forward | Specifies an ACL of client addresses from which ECS-tagged queries may be forwarded. By default, when ECS is not enabled for a resolver, ECS headers received from incoming queries are ignored. The server will not send an ECS header upstream to a forwarder or authoritative server, and will not send an ECS header in its response. If ECS is enabled in any way in the resolver and an ECS header is received in an incoming query, the server by default will REFUSE the query unless the requested prefix length is 0, which will disable ECS in processing the query. The ECS Forward ACL allows the resolver to handle an incoming ECS header with prefix length > 0. In this case, the prefix reported in the ECS header will be sent upstream, with the prefix length capped to the configured prefix length derived from ECS IPv4 Prefix and ECS IPv6 Prefix and the built-in defaults. This option can be configured at the configuration, server, server group, and view level. | Note: Check the Exclusion check box to exclude an IP address, range, TSIG key, or ACL. |
| ECS Ignore for Servers | If a remote server returns a response with an unsolicited header, the resolver will normally drop the entire response. This option allows the resolver to ignore unexpected ECS headers and process the remainder of the response for remote servers at the specified addresses and/or within the specified prefixes. This option can be configured at the configuration and view level. | List of IPv4 addresses, IPv6 addresses, and/or IP prefixes (IP ranges in CIDR notation). |
| ECS Bits | Indicates the default source prefix-length to use in ECS queries for IPv4 and IPv6 addresses. The maximum value for IPv4 addresses is 32 bits. The maximum value for IPv6 addresses is 128 bits. This option can be configured at the configuration, server, server group, view, and zone level. Note: Prefix lengths greater than /24 for IPv4 or /56 for IPv6 can reduce resolver cache efficiency and increase privacy risk. For more information, refer to https://kb.isc.org/docs/edns-client-subnet-ecs-for-resolver-operators-getting-started (section 5) and https://datatracker.ietf.org/doc/html/rfc7871#section-11.1 (section 11.1). | ECS Prefix Length IPv4: Specify a value from 0 to 32. ECS Prefix Length IPv6: Specify a value from 0 to 128. |
| ECS Privacy | If this option is enabled, when a query is allowed for ECS processing and no client ECS option is being forwarded, the resolver will include an ECS option with a source prefix-length of zero in all of its upstream queries. This is a request to upstream intermediate resolvers to disable ECS when processing queries sent by this resolver. Allowed forwarded ECS prefix lengths are still passed through, as described in the ECS Forward option. This option can be configured at the configuration, server, server group, and view level. | Enable ECS Privacy Option check box. |
| ECS Types | Specifies resource record types for which ECS-tagged queries may be sent, and for which ECS-tagged replies may be cached. The default is "ANY", which matches all types with the exception of DNS infrastructure types (NS, SOA) and DNSSEC-related types (DS, DNSKEY, NSEC, NSEC3, NSEC3PARAM). DNS infrastructure and DNSSEC-related types are never ECS-tagged even if explicitly included in the ECS Types option. Note: If an answer of type CNAME is found in a reply to an ECS-tagged query, the CNAME data is always cached with ECS, regardless of whether CNAME is included in ECS Types. This option can be configured at the configuration, server, server group, and view level. | Select ANY or Custom: |
| Forwarding | Provides a list of server IP addresses that are designated as forwarders and also includes the option to disable forwarding for child zones. Off-site queries requiring recursion are sent to these forwarders, thereby managing network traffic efficiently. The order in which the server IP addresses are listed here does not determine the order in which they are queried; the server that is likely to respond most quickly, based on its response times to previous queries, is selected. Using this option enables recursion on the server. To prevent the server from performing recursion itself, add the Forwarding Policy deployment option at the same level as the Forwarding option and set it to Only. | Disable Forwarding for Child Zones check box. List of IPv4 or IPv6 addresses. |
| Forwarding Policy | Indicates whether requests are forwarded only to the caching servers (forwarders), or are forwarded there first and, if the forwarders don't answer, resolved by this server itself. | Select an option: first or only. |
| Lame TTL | Specifies the duration for which the server avoids requesting data from a remote server that is listed as authoritative but isn't responding authoritatively. | Specify the duration and unit of time. |
| Match Clients | Defines ACL lists for matching clients. Match lists are defined below the view level, but become a global option upon deployment. Clients matched against an ACL defined by this option are allowed access to DNS resolution for the view to which the ACL is attached. Use this option only for views, not zones. | |
| Maximum Cache TTL | Defines the length of time that a positive response to a DNS query is held in cache. The default is seven days. | Specify the duration and unit of time. |
| Maximum Cache size | The maximum size for the DNS cache in bytes specified as an unsigned 16-bit integer value. | Specify a value from 0 to 4,294,967,295. |
| Maximum Idle Time for Inbound Transfers | For secondary servers, the maximum time, in minutes, that an inbound zone transfer remains idle before timing out. | Specify the duration and unit of time. |
| Maximum Idle Time for Outbound Transfers | For primary servers, the maximum time, in minutes, that an outbound zone transfer remains idle before timing out. | Specify the duration and unit of time. |
| Maximum Negative Cache TTL | Defines the length of time that a negative response to a DNS query is held in cache. The default is three hours with seven days being the maximum. | Specify the duration and unit of time. |
| Maximum Number of Recursive Clients | Restricts the maximum number of simultaneous recursive clients, specified as an unsigned 16-bit integer. | Specify a value from 0 to 4,294,967,295. |
| Maximum Number of TCP Clients | Restricts the number of concurrent TCP connections that the server processes. The default is 100 clients. | Specify a value from 0 to 65,535. |
| Maximum Number of Transfers per Name Server | For secondary servers, limits the total number of inbound zone transfers from any single remote name server that this server requests at any time. The default is 10 transfers. | Specify a value from 0 to 65,535. |
| Maximum Time for Inbound Transfers | The maximum time (in minutes) allowed for a single inbound zone transfer connection to a secondary server. It's specified using an unsigned 16-bit integer value. | Specify the duration and unit of time. |
| Maximum Time for Outbound Transfers | The maximum time (in minutes) allowed for a single outbound zone transfer connection to a secondary server. It is specified using an unsigned 16-bit integer value. | Specify the duration and unit of time. |
| Notify | Used to notify secondary servers of changes made to zones. | Select a radio button for the following: Note: If you select False, the DNS/DHCP Server stops sending DDNS notifications to Address Manager but can still send DHCP notifications successfully. |
| Notify Additional Servers | A primary DNS server ensures that zone changes are rapidly propagated to secondary servers by notifying them of the changes. Use this option to add servers that should be notified of changes. This option isn't required for secondary servers managed by Address Manager as the deployment engine automatically sets up this notification for secondary servers hosting that zone. | List of IPv4 or IPv6 addresses. |
| Notify Source | A DNS server will use the value of this option as the source IPv4 address when sending zone change notifications from a primary server to secondary servers. Note: Available only at the view, zone, and IPv4 block/network levels. | Valid IPv4 address. |
| Notify Source v6 | A DNS server will use the value of this option as the source IPv6 address when sending zone change notifications from a primary server to secondary servers. Note: Available only at the view, zone, and IPv6 block/network levels. | Valid IPv6 address. |
| NXDOMAIN Redirection | When a recursive DNS server queries external servers on behalf of a DNS client and the domain name in the client query does not exist, it returns a Name Error (NXDOMAIN) response. NXDOMAIN redirection provides the ability for a recursive server to replace an NXDOMAIN response to a query with a configured answer of its own, such as a different website. | |
| Reverse Zone Name Format | Allows the user to select a reverse zone name format for sub-class C classless networks that will be created automatically by Address Manager. | Select a reverse zone name format from the Format drop-down menu. Address Manager supports the following formats: |
| Response Policies | This option is required to assign the response policies for a view. User-defined Response Policy objects are available in the Available column. Select the Response Policy object(s) and move them to the Selected column to make the objects deployable. For more information, refer to About Response Policies. | Select a Response Policy object from the Available column and move it to the Selected column. The response policies are by default ordered alphanumerically and the policies apply in order from top to bottom. When deploying an allowlist along with other policy objects, be sure to put the allowlist in front of any other object. |
| RPZ Break DNSSEC | When enabled, policy processing is performed on all DNSSEC queries. If this option is disabled, the response policy zone doesn't process queries that request DNSSEC data or that have RRs in the answer. This option is only available on the view and configuration level. | Enabled check box. |
| RPZ Max Policy TTL | This option is used to specify the length of time that responses will be held in the cache. The default is 5 seconds. This option is only available at the view and configuration level. | Specify a value from 0 to 4,294,967,295. |
| RPZ Min NS Dots | This option is used to define the minimum number of dot separators that must appear in any QNAME to invoke policy processing. This option is only available on the view and configuration level. | Enabled check box. |
| RPZ NSIP Wait Recurse | When enabled, policy processing is invoked only when the results of a query are readily available. When disabled, if the result of a Name Server lookup is in the cache, the NS-IP Trigger will be processed normally. However, if the data isn't available in the cache, the NS-IP will be bypassed but the NS lookup operation will continue, therefore it will subsequently be cached and invoke normal NS-IP Policy Trigger operations. This operation is enabled by default and is only available on the view and configuration level. | Enabled check box. |
| RPZ Qname Wait Recurse | When enabled, policy processing is invoked only when the results of a query are readily available. When disabled, policy processing occurs when the query is received without waiting for a response. This behavior only applies to QNAME Policy Triggers. This option is enabled by default and is only available on the view and configuration level. | Enabled check box. |
| RPZ Recursive Only | When enabled, policy processing is invoked only on recursive queries. When disabled, policy processing is invoked on every query received by the server. This option is enabled by default and is only available on the view and configuration level. | Enabled check box. |
| Secondary Zone Notifications | Enables notifications from a DNS/DHCP Server that's acting as a secondary server to an RFC-compliant non-BlueCat DNS server. | Select a server to be responsible for sending Secondary Zone Notifications to Address Manager. Note: Secondary Zone Notifications can only be configured at the configuration level, view level, and zone level. At each level, only one Secondary Zone Notifications deployment option is permitted. |
| Transfer Format | Controls whether the format of zone transfers from the primary to the secondary servers is one-answer (which carries only one resource record in each DNS message) or many-answers (which carries as many resource records as possible). The default setting is many-answers. | Select an option: many-answers or one-answer. |
| Transfer Source | A secondary DNS server will use the value of this option as the source IP address when sending a request for zone transfer to its primary over IPv4. Note: Available only at the view, zone, and IPv4 block/network levels. | Valid IPv4 address. |
| Transfer Source v6 | A secondary DNS server will use the value of this option as the source IP address when sending a request for zone transfer to its primary over IPv6. Note: Available only at the view, zone, and IPv6 block/network levels. | Valid IPv6 address. |
| Update Policy | Allows clients matching detailed criteria to update specific records on the server. This option provides more control over updates than the Allow Dynamic Updates option. Allow Dynamic Updates and Update Policy are mutually exclusive and can't be set at the same level in Address Manager. | Specify Privilege, Identity, Nametype, Name, and Resource Record parameters. For more information on setting this option, refer to Update Policy DNS deployment option. |
| Use WINS Reverse Lookup | Resolves IP addresses in Windows DNS server reverse zones to NetBIOS names. | Specify the following parameters: |
| Version Information | A custom text string that can provide a version response when the server version is queried. This can help protect against the profiling that tends to precede incidents of hacking. | Text string. |
| Zone Default TTL | The default time to live value for the zone. | Specify the duration and unit of time. |
| Zone Transfers In | Limits the total number of inbound zone transfers from all remote servers that the local name server requests at any one time. The default setting is 10 transfers. Increasing this setting may speed up the convergence of secondary zones, but it may also increase the load on the local system. | Specify a value from 0 to 65,535. |
| Zone Transfers Out | The maximum number of simultaneous outbound zone transfers. It's specified using an unsigned 16-bit integer. The default is 10. | Specify a value from 0 to 65,535. |
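The contrast drawn in the Allow Dynamic Updates and Update Policy rows, as an added example that is not part of the original page or of Address Manager: a small Python model that evaluates an IP-based allow list (Allow Dynamic Updates) beside a key-based update policy built from the Privilege, Identity, Nametype, Name and Resource Record parameters the Update Policy row lists. The nametype values `name`, `subdomain` and `self`, the `*` identity wildcard, first-match-wins rule ordering, and the sample key names, owner names and addresses are assumptions; they follow BIND's update-policy conventions, not anything the page states.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class UpdateRequest:
    """A dynamic update as the server sees it (constructed sample shape)."""
    source_ip: str            # address the update packet arrived from
    signer: Optional[str]     # TSIG key name the update was signed with, or None
    name: str                 # owner name being changed, e.g. "host1.example.com"
    rrtype: str               # record type being added or removed, e.g. "A"


@dataclass(frozen=True)
class PolicyRule:
    """One Update Policy entry: Privilege, Identity, Nametype, Name, Resource Records."""
    privilege: str            # "grant" or "deny"
    identity: str             # key name, or "*" for any signed update (assumed wildcard)
    nametype: str             # "name", "subdomain" or "self" (BIND nametypes, assumed)
    name: str                 # target name; ignored for nametype "self"
    rrtypes: frozenset = frozenset()   # empty means any record type


def _norm(name: str) -> str:
    return name.rstrip(".").lower()


def allow_dynamic_updates(acl, req: UpdateRequest) -> bool:
    """Allow Dynamic Updates: purely address-based. Any packet whose source
    address falls in a listed network may change any record in the zone,
    signed or not, which is why the page calls it less secure than a TSIG key."""
    addr = ipaddress.ip_address(req.source_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in acl)


def _rule_matches(rule: PolicyRule, req: UpdateRequest) -> bool:
    if req.signer is None:
        return False                      # policy rules apply only to signed updates
    if rule.identity != "*" and _norm(rule.identity) != _norm(req.signer):
        return False
    target, name = _norm(rule.name), _norm(req.name)
    if rule.nametype == "name":           # exact owner name
        ok = name == target
    elif rule.nametype == "subdomain":    # the name itself or anything below it
        ok = name == target or name.endswith("." + target)
    elif rule.nametype == "self":         # owner name must equal the signing key's name
        ok = name == _norm(req.signer)
    else:
        raise ValueError(f"unsupported nametype {rule.nametype!r}")
    if not ok:
        return False
    return not rule.rrtypes or req.rrtype in rule.rrtypes


def update_policy(rules, req: UpdateRequest) -> bool:
    """Update Policy: the first matching rule decides (grant or deny);
    an update that matches no rule is rejected."""
    for rule in rules:
        if _rule_matches(rule, req):
            return rule.privilege == "grant"
    return False


# Constructed sample policy: a DHCP server's key may manage host records under
# example.com but never the zone's NS/SOA, and any host may update its own A record.
SAMPLE_RULES = [
    PolicyRule("deny", "dhcp-key", "subdomain", "example.com", frozenset({"NS", "SOA"})),
    PolicyRule("grant", "dhcp-key", "subdomain", "example.com", frozenset({"A", "AAAA", "PTR", "TXT"})),
    PolicyRule("grant", "*", "self", "", frozenset({"A"})),
]
SAMPLE_ACL = ["192.0.2.0/24"]   # constructed Allow Dynamic Updates list
```

Run `update_policy(SAMPLE_RULES, UpdateRequest("192.0.2.10", None, "host1.example.com", "A"))` next to `allow_dynamic_updates(SAMPLE_ACL, ...)` on the same request: the unsigned update from an allowed address passes the IP list but is rejected by the policy, which is the difference the two rows describe.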
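The resolver-side ECS decisions spelled out in the ECS Forward, ECS Bits, ECS Privacy and ECS Types rows, as an added example that is not part of the original page or of Address Manager: a Python model that, for one incoming query, decides whether the query is refused, whether an ECS option is sent upstream, and with what prefix length, and separately whether a reply may be cached with ECS scope. Assumptions not stated on the page: the ECS Forward ACL is evaluated as an address match list where the first matching entry wins and an entry flagged Exclusion denies; when no client ECS option is forwarded, the outgoing option is derived from the querying client's address truncated to ECS Bits; the addresses and prefixes used are constructed samples.

```python
import ipaddress
from dataclasses import dataclass, field

# Types the ECS Types row says are never ECS-tagged, even if listed explicitly.
NEVER_ECS_TAGGED = frozenset({"NS", "SOA", "DS", "DNSKEY", "NSEC", "NSEC3", "NSEC3PARAM"})


@dataclass
class EcsConfig:
    enabled: bool = True                                  # ECS Enable
    forward_acl: list = field(default_factory=list)       # ECS Forward: [(network, exclusion_flag), ...]
    prefix_v4: int = 24                                   # ECS Bits, IPv4 (the page's recommended ceiling)
    prefix_v6: int = 56                                   # ECS Bits, IPv6
    privacy: bool = False                                 # ECS Privacy
    types: object = "ANY"                                 # ECS Types: "ANY" or a set of type names


def acl_allows(acl, client_ip: str) -> bool:
    """Assumed address-match-list semantics: first matching entry wins, an
    entry with the Exclusion flag denies, and no match means not allowed."""
    addr = ipaddress.ip_address(client_ip)
    for network, exclusion in acl:
        if addr in ipaddress.ip_network(network, strict=False):
            return not exclusion
    return False


def is_ecs_tagged_type(cfg: EcsConfig, rrtype: str) -> bool:
    if rrtype in NEVER_ECS_TAGGED:
        return False
    return cfg.types == "ANY" or rrtype in cfg.types


def _cap(cfg: EcsConfig, family: int) -> int:
    return cfg.prefix_v4 if family == 4 else cfg.prefix_v6


def _truncate(address: str, plen: int):
    """Zero the host bits so only the prefix leaves the resolver."""
    net = ipaddress.ip_network(f"{address}/{plen}", strict=False)
    return str(net.network_address)


def decide(cfg: EcsConfig, client_ip: str, rrtype: str, incoming_ecs=None):
    """Return (action, upstream_ecs). action is "refuse" or "resolve";
    upstream_ecs is None (no ECS option sent) or (family, address, prefix_len).
    incoming_ecs, if present, is (family, address, prefix_len) from the client."""
    if not cfg.enabled:
        # ECS not enabled: incoming headers are ignored, nothing goes upstream.
        return ("resolve", None)
    if incoming_ecs is not None:
        family, address, plen = incoming_ecs
        if plen == 0:
            # A zero-length client prefix disables ECS for this query.
            return ("resolve", None)
        if not acl_allows(cfg.forward_acl, client_ip):
            # ECS enabled, client sent a prefix, client not in ECS Forward: REFUSE.
            return ("refuse", None)
        # Forward the client's prefix, capped to the configured ECS Bits.
        capped = min(plen, _cap(cfg, family))
        return ("resolve", (family, _truncate(address, capped), capped))
    if not is_ecs_tagged_type(cfg, rrtype):
        return ("resolve", None)
    family = ipaddress.ip_address(client_ip).version
    if cfg.privacy:
        # ECS Privacy: send a prefix length of zero to ask upstream to disable ECS.
        return ("resolve", (family, "0.0.0.0" if family == 4 else "::", 0))
    plen = _cap(cfg, family)
    return ("resolve", (family, _truncate(client_ip, plen), plen))


def cached_with_ecs(cfg: EcsConfig, answer_type: str, query_was_ecs_tagged: bool) -> bool:
    """CNAME answers to ECS-tagged queries are always cached with ECS scope,
    regardless of ECS Types; every other type follows ECS Types."""
    if not query_was_ecs_tagged:
        return False
    return answer_type == "CNAME" or is_ecs_tagged_type(cfg, answer_type)


# Constructed sample: only 192.0.2.0/24 may forward its own ECS prefixes,
# except the upper half of that network, which is marked as an Exclusion.
SAMPLE_CFG = EcsConfig(forward_acl=[("192.0.2.128/25", True), ("192.0.2.0/24", False)])
```

Calling `decide(SAMPLE_CFG, "192.0.2.10", "A", (4, "203.0.113.77", 32))` shows the forwarding path: the client's /32 is passed upstream but capped to /24, so 203.0.113.0/24 is what the forwarder or authoritative server sees. The same `acl_allows` evaluation is the shape of check the Allow Query, Match Clients and Deny Clients rows describe for view access.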