The following lists the DNS deployment options that can be configured in Address Manager.
DNS Deployment Option | Description | Parameters |
---|---|---|
Allow Dynamic Updates | This option takes an ACL or match list as an argument. Only addresses matched on the list are allowed to send updates to the server for that zone. Use Update Policy for more control over update permissions. Allow Dynamic Updates and Update Policy are mutually exclusive and can't be set at the same level in Address Manager. Note: Dynamic DNS updates in an xHA cluster environment must be configured using the physical IP addresses (not a virtual IP address) of the active and passive nodes. | For DNS Servers: Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. Note: Allowing updates based on IP address is considerably less secure than using a TSIG key, because the source address of a UDP update message can be spoofed, whereas a TSIG signature can only be produced by a holder of the shared secret. Note: If you select Key, the DHCP server must be configured with a zone declaration signed with the same key. |
Allow Notify | Limits the servers that are allowed to send NOTIFY messages for a secondary zone. This option accepts a list of IPv4 and IPv6 addresses. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
Allow Query | BIND 9 servers are able to limit the IP addresses that can access a particular view by means of an ACL. Addresses in the list are allowed to query that view's records. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
Allow Query Cache | Provides a list of hosts allowed to query the view's cache. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
Allow Recursion | Lets clients make recursive queries to the server. A list of clients that can perform recursive queries is associated with the server; clients outside the list receive non-recursive (referral or REFUSED) answers only, which keeps the server from being usable as an open resolver for reflection and amplification. For more information, refer to Recursive DNS. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
Allow Update Forwarding | Specifies which hosts are allowed to submit dynamic DNS updates to secondary zones for forwarding to the primary. The default is none, which means that no update forwarding is performed. Specifying values other than none or any is counterproductive unless required (as in Active Directory), because the responsibility for update access control must rest with the primary server, not the secondaries. Enabling this feature on a secondary server can expose the primary to unauthorized updates: a forwarded update reaches the primary from the secondary's own IP address, so a primary that relies on IP-address-based update access control will accept whatever the secondary forwards. If update forwarding is required, have the primary require TSIG-signed updates (Allow Dynamic Updates with Key, or Update Policy) so the original signature, not the secondary's address, is what's checked. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
Allow Zone Transfer | Restricts zone transfers (AXFR/IXFR) to the IP addresses or TSIG keys specified in the option; transfer requests from any other source are refused. Without this restriction, anyone can pull the complete zone and enumerate every host in it. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
DNS64 Contact | Used to specify the contact information for the reverse zones created by DNS64 reverse mapping. | In the Email field, specify email for the contact. |
DNS64 Server | Used to specify the name of the server in which the synthesized IP6.ARPA zone is being created. | In the FQDN field, specify the fully qualified domain name. |
Deny Clients | Defines ACL lists to match clients against. ACL match lists can be defined below the view level, but are a view-global option upon deployment. Clients matched against an ACL defined by this option are denied access to DNS resolution for the view to which the ACL is attached. Use this option only for views, not zones. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
DNSSEC Accept Expired | When enabled, the server accepts expired DNSSEC signatures. This option can be set at the configuration, view, or server level. Enabling this option leaves the server vulnerable to replay attacks, because an attacker can serve captured copies of old, formerly valid signed records after they have been changed or removed. | Enabled check box. |
DNSSEC Enable | Enables the server to respond to DNS requests from DNSSEC-aware servers. This option can be set at the configuration, view, or server level. | Enabled check box. |
DNSSEC Must Be Secure | A list of domains and whether they must be signed for the server to accept answers. When the Secured check box is selected, the domains must be signed; when not selected, the domains don't need to be signed. This option can be set at the configuration, view, or server level. | List of fully qualified domain names. Secured check box indicates if the zone must be secure. |
DNSSEC Trust Anchors | Provides the public key for trusted zones. This option can be set at the server level. | List of fully qualified domain names and their key signing keys. In the FQDN field, type the fully qualified domain name. In the Key field, paste the zone’s public key. |
DNSSEC Validation | Enables the server to validate answers from other DNSSEC-enabled servers. This option can be set at the configuration, view, or server level. | Enabled check box. The DNSSEC Enable and DNSSEC Trust Anchors options must also be set for validation to function properly. |
Forwarding | Provides a list of server IP addresses that are designated as forwarders and also includes the option to disable forwarding for child zones. Off-site queries requiring recursion are sent to these forwarders, thereby managing network traffic efficiently. The order in which the server IP addresses are listed here does not determine the order in which they are queried; the server that is likely to respond most quickly, based on its response times to previous queries, is selected. Using this option enables recursion on the server. To prevent the server from performing iterative resolution itself when the forwarders don't answer, add the Forwarding Policy deployment option at the same level as the Forwarding option and set it to Only. | Disable Forwarding for Child Zones check box. List of IPv4 or IPv6 addresses. |
Forwarding Policy | Controls whether queries are sent only to the forwarders (only: if the forwarders don't answer, the query fails and this server never resolves it itself) or to the forwarders first (first: if the forwarders don't answer, this server resolves the query itself by recursion). | Select an option: first or only. |
Lame TTL | Specifies how long the server avoids querying a remote server that is listed as authoritative for a zone but doesn't respond authoritatively (a lame delegation). | Specify the duration and unit of time. |
Match Clients | Defines ACL lists for matching clients. Match lists are defined below the view level, but become a view-global option upon deployment. Clients matched against an ACL defined by this option are allowed access to DNS resolution for the view to which the ACL is attached. Use this option only for views, not zones. | Note: When Key or ACL is selected, the Exclusion check box appears. Select the Exclusion check box to add an exclusion to a DNS ACL or TSIG key. |
Maximum Cache TTL | Defines the length of time that a positive response to a DNS query is held in cache. The default is seven days. | Specify the duration and unit of time. |
Maximum Cache Size | The maximum size of the DNS cache in bytes, specified as an unsigned 32-bit integer. | Specify a value from 0 to 4,294,967,295. |
Maximum Idle Time for Inbound Transfers | For secondary servers, the maximum time, in minutes, that an inbound zone transfer remains idle before timing out. | Specify the duration and unit of time. |
Maximum Idle Time for Outbound Transfers | For primary servers, the maximum time, in minutes, that an outbound zone transfer remains idle before timing out. | Specify the duration and unit of time. |
Maximum Negative Cache TTL | Defines the length of time that a negative response to a DNS query is held in cache. The default is three hours with seven days being the maximum. | Specify the duration and unit of time. |
Maximum Number of Recursive Clients | Restricts the maximum number of simultaneous recursive clients, specified as an unsigned 32-bit integer. | Specify a value from 0 to 4,294,967,295. |
Maximum Number of TCP Clients | Restricts the number of concurrent TCP connections that the server processes. The default is 100 clients. | Specify a value from 0 to 65,535. |
Maximum Number of Transfers per Name Server | For secondary servers, limits the total number of inbound zone transfers from any single remote name server that this server requests at any time. The default is 10 transfers. | Specify a value from 0 to 65,535. |
Maximum Time for Inbound Transfers | The maximum time (in minutes) allowed for a single inbound zone transfer connection to a secondary server. It's specified using an unsigned 16-bit integer value. | Specify the duration and unit of time. |
Maximum Time for Outbound Transfers | The maximum time (in minutes) allowed for a single outbound zone transfer connection to a secondary server. It is specified using an unsigned 16-bit integer value. | Specify the duration and unit of time. |
Notify | Used to notify secondary servers of changes made to zones. | Select a radio button. Note: If you select False, BDDS stops sending DDNS notifications to Address Manager but can still send DHCP notifications successfully. |
Notify Additional Servers | A primary DNS server ensures that zone changes are rapidly propagated to secondary servers by notifying them of the changes. Use this option to add servers that should be notified of changes. This option isn't required for secondary servers managed by Address Manager as the deployment engine automatically sets up this notification for secondary servers hosting that zone. | List of IPv4 or IPv6 addresses. |
Notify Source | A DNS server uses the value of this option as the source IPv4 address when sending zone change notifications from a primary server to secondary servers. Note: Available only at the view, zone, and IPv4 block/network levels. | Valid IPv4 address. |
Notify Source v6 | A DNS server uses the value of this option as the source IPv6 address when sending zone change notifications from a primary server to secondary servers. Note: Available only at the view, zone, and IPv6 block/network levels. | Valid IPv6 address. |
NXDOMAIN Redirection | When a recursive DNS server contacts an external server to resolve a client's query and the queried domain name doesn't exist, the response carries the Name Error (NXDOMAIN) return code. NXDOMAIN redirection lets the recursive server replace that NXDOMAIN response with a configured answer of its own, such as the address of a different website. | |
Reverse Zone Name Format | Allows the user to select a reverse zone name format for classless networks smaller than a class C (/24) that Address Manager creates automatically. | Select a reverse zone name format from the Format drop-down menu. Address Manager supports the following formats: |
Response Policies | This option is required to assign the response policies for a view. User-defined Response Policy objects are available in the Available column. Select the Response Policy object(s) and move that to Selected column to make the object deployable. For more information, refer to About Response Policies. | Select a Response Policy object from the Available column and move to Selected column. The response policies are by default ordered alpha-numerically and the policies apply in order from top to bottom. When deploying allowlist along with other policy objects, be sure to put the allowlist in front of any other object. |
RPZ Break DNSSEC | When enabled, policy processing is performed on all queries, including those that request DNSSEC data, so a rewritten answer will fail validation on a DNSSEC-validating client. If this option is disabled, the response policy zone doesn't process queries that request DNSSEC data or whose answers contain DNSSEC RRs. This option is only available at the view and configuration level. | Enabled check box. |
RPZ Max Policy TTL | This option is used to specify the length of time that responses will be held in the cache. The default is 5 seconds. This option is only available at the view and configuration level. | Specify a value from 0 to 4,294,967,295. |
RPZ Min NS Dots | Defines the minimum number of dot separators that must appear in a QNAME for policy processing to be invoked. This option is only available at the view and configuration level. | Specify the minimum number of dots. |
RPZ NSIP Wait Recurse | When enabled (the default), the server waits for the recursive lookup of a zone's name server addresses to complete before applying NSIP policy triggers, so every answer is checked. When disabled, if the name server addresses are already in the cache, the NSIP trigger is processed normally; if they aren't, the NSIP check is bypassed for that query, but the name server lookup still proceeds, so the addresses are cached and later queries invoke normal NSIP policy trigger processing. This option is only available at the view and configuration level. | Enabled check box. |
RPZ Qname Wait Recurse | When enabled (the default), the server completes recursion before applying QNAME policy triggers, so the policy is evaluated with the real answer available and the cache is populated. When disabled, QNAME policy processing happens as soon as the query is received, without waiting for a response, which is faster for names that will be rewritten anyway. This behavior only applies to QNAME policy triggers. This option is only available at the view and configuration level. | Enabled check box. |
RPZ Recursive Only | When enabled, policy processing is invoked only on recursive queries. When disabled, policy processing is invoked on every query received by the server. This option is enabled by default and is only available on the view and configuration level. | Enabled check box. |
Secondary Zone Notifications | Enables notifications from a BDDS that's acting as a secondary server to an RFC-compliant non-BlueCat DNS server. | Select a server to be responsible for sending Secondary Zone Notifications to (BAM). Note: Secondary Zone Notifications can only be configured at the configuration, view, and zone levels. At each level, only one Secondary Zone Notifications deployment option is permitted. |
Transfer Format | Controls whether the format of zone transfers from the primary to the secondary servers is one-answer (which carries only one resource record in each DNS message) or many-answers (which carries as many resource records as possible). The default setting is many-answers. | Select an option: many-answers or one-answer. |
TSIG Key for Server Pair | This option overrides the default behavior where one TSIG key is generated per view. Instead, a unique TSIG key is generated for each server pair. For example, a primary with two secondary servers will have two TSIG keys generated, one for each primary-secondary relationship, so a key recovered from one secondary can't be used to authenticate transfers or notifications for the other pair. Note: All inter-communicating DNS servers enabled with this deployment option must be at the same software level. | Click Auto Generate to create the Salt Key. |
Transfer Source | A secondary DNS server uses the value of this option as the source IP address when sending a request for zone transfer to its primary over IPv4. Note: Available only at the view, zone, and IPv4 block/network levels. | Valid IPv4 address. |
Transfer Source v6 | A secondary DNS server uses the value of this option as the source IP address when sending a request for zone transfer to its primary over IPv6. Note: Available only at the view, zone, and IPv6 block/network levels. | Valid IPv6 address. |
Update Policy | Allows clients matching detailed criteria to update specific records on the server. This option provides more control over updates than the Allow Dynamic Updates option. Allow Dynamic Updates and Update Policy are mutually exclusive and can't be set at the same level in Address Manager. | Specify Privilege, Identity, Nametype, Name, and Resource Record parameters. For more information on setting this option, refer to Update Policy DNS deployment option. |
Use WINS Reverse Lookup | Resolves IP addresses in Windows DNS server reverse zones to NetBIOS names. | Specify the following parameters: |
Version Information | A custom text string returned when the server's version is queried (a CHAOS-class TXT query for version.bind). Reconnaissance tools fingerprint DNS servers this way before choosing an exploit, so returning a custom string instead of the real BIND version denies an attacker that shortcut. It doesn't change the software that's actually running, so keep the server patched regardless. | Text string. |
Zone Default TTL | The default time to live value for the zone. | Specify the duration and unit of time. |
Zone Transfers In | Limits the total number of inbound zone transfers from all remote servers that the local name server requests at any one time. The default setting is 10 transfers. Increasing this setting may speed up the convergence of secondary zones, but it may also increase the load on the local system. | Specify a value from 0 to 65,535. |
Zone Transfers Out | The maximum number of simultaneous outbound zone transfers. It's specified using an unsigned 16-bit integer. The default is 10. | Specify a value from 0 to 65,535. |
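On a BDDS these deployment options end up as BIND 9 named.conf statements. The following is an added example written for this page, not output of Address Manager's deployment engine, showing the weak and the hardened form of the update, transfer, query, recursion, forwarding, notify and RPZ options side by side. All zone names, addresses, file paths and key names are hypothetical; the TSIG secrets are assumed to live in included files produced by tsig-keygen, and the primary/secondary/primaries keywords assume BIND 9.16 or later.

```conf
// Added example, not generated by Address Manager. Zone names, addresses,
// paths and key names are hypothetical. Requires BIND 9.16+ keywords.

// TSIG keys. Generate each one with:  tsig-keygen -a hmac-sha256 <name>
// The output is a key { algorithm ...; secret "..."; }; statement; keep it
// in a root-only file and include it instead of pasting the secret here.
include "/etc/bind/keys/dhcp-ddns-key.conf";   // key "dhcp-ddns-key" (shared with DHCP)
include "/etc/bind/keys/xfer-ns1-ns2.conf";    // key "xfer-ns1-ns2" (one key per server pair)
include "/etc/bind/keys/xfer-ns3-ns1.conf";    // key "xfer-ns3-ns1"

acl "internal"    { 10.0.0.0/8; 192.168.0.0/16; localhost; };
acl "dhcp-subnet" { 10.0.1.0/24; };

options {
    // Version Information: answer version.bind with a custom string.
    version "not disclosed";

    // Allow Query, Allow Recursion, Allow Query Cache: an open resolver is
    // a reflection/amplification source, so limit recursion to internal clients.
    allow-query       { internal; };
    allow-recursion   { internal; };
    allow-query-cache { internal; };

    // Forwarding with Forwarding Policy "only": every off-site query goes to
    // the forwarders; "first" would let this server iterate on its own when
    // the forwarders fail to answer.
    forwarders { 192.0.2.53; 2001:db8::53; };
    forward only;

    // DNSSEC Validation using BIND's built-in root trust anchor.
    dnssec-validation auto;

    // Response Policies with the RPZ options from the table (BIND defaults).
    response-policy { zone "rpz.example"; }
        break-dnssec no qname-wait-recurse yes nsip-wait-recurse yes
        recursive-only yes min-ns-dots 1 max-policy-ttl 5;
};

// WEAK: any host on the DHCP subnet, or anyone spoofing a source address on
// it (updates travel over UDP), can add or delete records, and anyone at all
// can pull the whole zone with AXFR.
zone "weak.example" {
    type primary;
    file "weak.example.db";
    allow-update   { dhcp-subnet; };
    allow-transfer { any; };
};

// HARDENED: updates must carry a valid TSIG signature from the DHCP server's
// key; transfers go only to the known secondary and only when signed with
// that pair's key; NOTIFY is sent from a fixed source address.
zone "example.net" {
    type primary;
    file "example.net.db";
    allow-update   { key "dhcp-ddns-key"; };
    allow-transfer { key "xfer-ns1-ns2"; };
    notify explicit;
    also-notify { 192.0.2.20; };
    notify-source 192.0.2.10;
};

// Update Policy instead of Allow Dynamic Updates (the two are mutually
// exclusive): the DHCP key may only change A, AAAA and PTR records below the
// apex, so a compromised DHCP server can't rewrite the zone's NS or SOA.
zone "clients.example.net" {
    type primary;
    file "clients.example.net.db";
    update-policy {
        grant dhcp-ddns-key subdomain clients.example.net. A AAAA PTR;
    };
};

// This server is also a secondary for partner.example. Transfer Source pins
// the source address, Allow Notify limits who may trigger a refresh, the
// per-pair key authenticates the transfer, and Allow Update Forwarding stays
// at none so update access control is enforced by the primary alone.
zone "partner.example" {
    type secondary;
    file "partner.example.db";
    primaries { 192.0.2.30 key "xfer-ns3-ns1"; };
    transfer-source 192.0.2.10;
    allow-notify { 192.0.2.30; };
    allow-update-forwarding { none; };
};

// The RPZ zone itself: never answer or transfer it to clients.
zone "rpz.example" {
    type primary;
    file "rpz.example.db";
    allow-query    { localhost; };
    allow-transfer { none; };
};
```

Validate the file with `named-checkconf` before deploying. To confirm the result from a client, `dig @192.0.2.10 version.bind txt chaos` should return the custom version string, `dig @192.0.2.10 weak.example axfr` succeeds while `dig @192.0.2.10 example.net axfr` is refused, and an unsigned `nsupdate` against example.net is rejected while one run with `-k` and the dhcp-ddns-key file is accepted.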