The Domain Name System Port (DNS)

Revised for CPX 4.7.0.

Terminology

Configuration of the DNS port
Statistics of the DNS port

The Domain Name System (DNS) protocol of TCP/IP networks identifies network stations through a symbolic name associated to the IP address.

When active, the Abilis CPX DNS port behaves as a DNS Resolver for all the local services and, if activated, as a DNS Relay too. The DNS Relay feature allows the system to appear as a DNS server to other IP stations while it simply forwards the requests to real DNS servers, and their responses are forwarded back to the original requesters.

The DNS port of the Abilis CPX uses the Connection Less transport service, provided by the UDP protocol, to query one or two DNS servers referred as primary and secondary.

Terminology

Acting as resolver

When the Abilis CPX DNS Resolver has to deal with an address, it first makes a query to the primary DNS Server. If, after 500 milliseconds, it doesn't get any response, it forwards the same query to both servers and if, after 1 second, no response is received another request to both servers is sent. This procedure is also repeated if no response is received after 2 seconds. If the DNS Resolver doesn't get any answer, after 4 second it terminates the procedure. If the parameter RTY: is set to a value higher than 1, the procedure will be repeated as many times as its value. The delay (in seconds) between two following blocks of queries can be set through the parameter DELAY:.

Acting as relay

When CPX acts as DNS relay it actually acts as an "intermediate" between the requester and the real DNS servers.
Why it is needed?
This method is absolutely needed when the CPX is used in a LAN as a router with NAT+PAT with a dial-up PPP connection. In this situation the address of DNS servers may not be known in advance because they are discovered at PPP connection establishment, and therefore they cannot be configured in the stations: the address of CPX is configured instead, which in turn will forward the request to the DNS servers addresses obtained by PPP. The method can also be used to simplify the configuration of the lan stations: lans are configured with the same address for both "default gateway" and "DNS server", CPX will forward the requests to the configured DNS which may be easily changed by CPX administrator in any moment, and for all the stations.
DNS relay service "listens" for incoming requests on the local UDP port 53, and behaves as explained below:

listen for requests on local UDP port 53
receives a DNS request from DNS client
validates the request (only formally correct ones are processed)
relays the request to a real DNS server (PRIMARY or SECONDARY)
receives, from the real DNS server, the response for this request
sends the response to the DNS requester (also called DNS client)

In addition DNS relay can:

Check the IP address of a requester (source IP in the request packet) against a list of allowed ones and discard those not allowed.
Process several simultaneous requests from the same or different users.
Load balance between PRIMARY and SECONDARY DNS servers.
Validate incoming packets (requests from clients and responses from servers) against formal errors.

Configuration of the DNS port

The Domain Name System Protocol port is labelled within the Abilis CPX with the acronym "DNS" and it is provided with the parameters described in this section.

Here is an example on how to display the DNS port parameters. Shown values are the default ones.

[11:32:37] ABILIS_CPX: D P PO:DNS

PO:910 - Not Saved (SAVE CONF), Not Refreshed (INIT) --------------------------
DNS    ------------------------------------------------------------------------
       LOG:NO         lowpo:902    ACT:YES   RELAY:NO   
       locport:53     SRCADD:R-ID (192.168.000.060)      
       PRIMARY:#                SECONDARY:#            
       - Resolver -------------------------------------------------------------
       DELAY:5        RTY:1   
       - Relay ----------------------------------------------------------------
       RELAY-TOUT:10  IPSRC:*                IPSRCLIST:#

To activate changes made on the parameters displayed by low case characters, it is needed to restart the system; on the contrary for activating changes made on upper case parameters it is enough to execute the initialization command INIT PO:.
Changes made on LOG: parameter are immediately active.

The "Not Saved (SAVE CONF)" message is displayed every time the port configuration is modified but not saved with the SAVE CONF command.

The "Not Refreshed (INIT)" message is displayed every time the port configuration is modified but not refreshed with the INIT PO: command.

Detail of the DNS port parameters

LOG:	Events logging activation and generation of alarm signals
DS	NO, D, S, A, L, T, ALL, +E

Usually this parameter makes possible to activate/deactivate logging functionalities of meaningful events of the port as well as the detection and signalling of alarms in case of critical events.

The following table shows the available options and the related functionalities usable by the parameter:

Option	Meaning
D	Recording of the driver state changes and/or the meaningful events in Debug Log
S	Recording of the driver state changes and/or the meaningful events in the System Log
A	Periodic detection of possible alarms. The detected alarms can be displayed the command ALARM VIEW or by the analogous command available on the UTILITY of the LCD display on the front panel
L	On alarm detection, acoustic signal generation plus a message on the LCD display. This function depends on activation of alarms detection by the "A" option
T	Generation by the Agent SNMP of Abilis CPX of SNMP traps corresponding to any change of the driver state and/or occurring of meaningful events

Beside the already described options the following values are also allowed:

Option	Meaning
NO	It means that all the logging functionalities, alarms detection and generation, above mentioned, are disabled.
ALL	It means that all the logging functionalities, alarms detection and generation, above mentioned, are enabled.
+E	This option added to one or more of the previous ones, extends its (their) set of meaningful events. The value "ALL+E" activates all the options and extends the set of meaningful events. The value "NO+E" is meaningless so it is ignored.

Options can be combined together.

Some examples:

setting "LOG:DS+E", activates the extended logging functions for Events Log and System Log
setting "LOG:STA", activates the extended logging functions for System Log, SNMP traps generation and periodic detection of alarm states;

By using the characters "+" and "-" as prefix of one or more options is possible to add or delete one or more functionalities without setting from the scratch the value of the parameters.

Some examples:

Suppose the current value of the parameter is "LOG:DSTA", by setting "LOG:-A", the periodic detection of eventual alarm states is removed, leaving unchanged all the remaining options; in such way the final value of the parameter will be "LOG:DST";
Suppose the current value of the parameter is "LOG:ST", by setting "LOG:+DA", the logging function of the events on the Events Log and the periodic alarm detection are added to the already activated options; in such way the final value of the parameter will be "LOG:DSTA".

The changes made on this parameter are immediately activated, without the need of initialization commands.

lowpo:	Lower CPX port number
NONE	NONE, 1 - 999

It sets the lower CPX port number. Only UDP are accepted.

Value "NONE" isolate the DNS port.

ACT:	Runtime activation/deactivation
NO	NO, YES

This parameter allows to run-time activate/deactive DNS functionalities.
When it is set to "NO", DNS port is running but its functionalities are disabled.
When it is set to "YES", DNS port is running and its functionalities are enabled.

RELAY:	Activation/deactivation of DNS relay feature.
NO	NO, YES

This parameter activate/deactivate DNS relay feature for DNS port. DNS relay allows to relay external DNS requests of DNS clients from CPX to DNS server.

locport:	DNS-relay listening UDP port
53	53

This parameter sets the UDP port on which the DNS relay will receive client's requests. As specified in RFC-1700 and RFC-1035, the only possible value is 53.

SRCADD:	Source IP address for outgoing requests
R-ID	R-ID, OUT-IPP, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255

It sets the IP address to be set in every outgoing DNS requests.

The "R-ID" value makes possible to use the Router-ID IP address.

The "OUT-IPP" value makes possible to use the IP address of the IP port through which the request is sent.

The specification of an IP address, in Dotted Decimal Notation, in the range [1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255] is also allowed. D and E class of IP addresses are not supported.

PRIMARY:	IP address of the primary DNS Server
#	#, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255

This parameter sets the IP address of the primary DNS server, which the Abilis CPX port refers to for name resolution.

The allowed values are shown in the following table:

HEX:	01000000 - 7EFFFFFF	80000000 - DFFFFFFF
DDN:	1.0.0.0 - 126.255.255.255	128.0.0.0 - 223.255.255.255

IP addresses of class D and E are not currently supported.

The value "#" means "none primary DNS Server".

SECONDARY:	IP address of the secondary DNS Server
#	#, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255

This parameter sets the IP address of the secondary DNS server, which the Abilis CPX port refers to for name resolution.

The allowed values are shown in the following table:

HEX:	01000000 - 7EFFFFFF	80000000 - DFFFFFFF
DDN:	1.0.0.0 - 126.255.255.255	128.0.0.0 - 223.255.255.255

IP addresses of class D and E are not currently supported.

The value "#" means "none secondary DNS Server".

DELAY:	Time that resolvers waits for server's responses
5	1..15 sec.

This parameter sets the maximum time (in seconds) to wait for receiving a response from the DNS server (Resolver only).

RTY:	Number of attempts to perform DNS request
1	1..10

This parameter sets how many times a request has to be sent to the DNS server if the DNS Resolver doesn't get any response in the expected time interval fixed in the DELAY: parameter (Resolver only).

RELAY-TOUT:	Timeout waiting server response for relayed requests
5	5..60 sec.

This parameter sets the time of life (in seconds) for a record in DNS relay table (Relay only).
The record in the DNS relay table is used to forward back to the client the response from the PRIMARY: or SECONDARY: server, therefore if the time elapses and record is deleted further "late answers" cannot be passed back to the client.

IPSRC:	Client IP address from which the requests are accepted
*	*, 1.0.0.0-126.255.255.255, 128.0.0.0-223.255.255.255

This parameter selects the IP address of the client from which the requests will be accepted (Relay only).
In conjunction with IPSRCLIST:, it allows to selectively grant/deny the service to stations by looking at their IP address, actually the source IP address of the requests.

If it is equal to "*", requests are accepted from any IP address. This value also makes IPSRCLIST: parameter irrelevant.

If it is equal to a specific IP address, only requests from that address are accepted. However, if an IP list is specified in IPSRCLIST:, those IP addresses will be accepted too.
The allowed IP addresses are shown in the following table:

HEX:	01000000 - 7EFFFFFF	80000000 - DFFFFFFF
DDN:	1.0.0.0 - 126.255.255.255	128.0.0.0 - 223.255.255.255

IP addresses of class D and E are not currently supported.

Requests coming from DNS Client, whose IP address doesn't match neither the value configured in this parameter nor satisfies the list configured in IPSRCLIST: parameter, are discarded.

IPSRCLIST:	List of additional client IP addresses from which the requests are accepted
#	ListName, #

The parameter sets the list of DNS Client systems enabled to use the DNS relay service.

The name of the list must be string of up to 20 characters in the range [0..9, a..z, A..Z, _]. It must correspond to the name of a list of IP addresses or the name of a list of IP addresses ranges or the name of a Rule list or the name of a Master Rule list. The referenced list must already be defined in the Elements Lists service.

The value "#" means "no list".

Requests coming from DNS Clients, whose IP address doesn't satisfy neither the list configured in this parameter nor matches the value configured in IPSRC: parameter, are discarded.

Statistics of the DNS port

The following example shows how to display state and statistics of the DNS port through the command D S:

[11:32:37] ABILIS_CPX: D S PO:DNS
PO:910 ------------------------------------------------------------------------
DNS    RESOLVER-STATE:READY   
       RELAY-STATE:READY     CUR:0        PEAK:0        MAX:0   
       - Resolver -------------------------------------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       PRI-QUERIES|           |          0|SEC-QUERIES|           |          0|
       PRI-RES    |          0|           |SEC-RES    |          0|           |
       PRI-UNK    |          0|           |SEC-UNK    |          0|           |
       PRI-RTY-OVR|          0|           |SEC-RTY-OVR|          0|           |
       PRI-TOUT   |          0|           |SEC-TOUT   |          0|           |
       PRI-ERRORS |          0|           |SEC-ERRORS |          0|           |
       ------------------------------------------------------------------------
       - Relay ----------------------------------------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       REQ-TOTAL  |          0|           |PRI-REQ-RSP|          0|          0|
       REQ-SUCC   |          0|           |SEC-REQ-RSP|          0|          0|
       REQ-BAD    |          0|           |PRI-NOMATCH|          0|           |
       OVERFLOW   |          0|           |SEC-NOMATCH|          0|           |
       DROP-ACCESS|          0|           |RSP-BAD    |          0|           |
       ------------------------------------------------------------------------

The following example shows how to display extended statistics of the DNS port through the command D SE:

[16:14:55] ABILIS_CPX: D SE PO:DNS

PO:910 ------------------------------------------------------------------------
DNS    --- Cleared 000:01:20:58 ago, on 11/05/2004 at 14:56:24 ----------------
       - Resolver -------------------------------------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       PRI-QUERIES|           |          0|SEC-QUERIES|           |          0|
       PRI-RES    |          0|           |SEC-RES    |          0|           |
       PRI-UNK    |          0|           |SEC-UNK    |          0|           |
       PRI-RTY-OVR|          0|           |SEC-RTY-OVR|          0|           |
       PRI-TOUT   |          0|           |SEC-TOUT   |          0|           |
       PRI-ERRORS |          0|           |SEC-ERRORS |          0|           |
       ------------------------------------------------------------------------
       - Relay ----------------------------------------------------------------
       -----------|---INPUT---|--OUTPUT---|-----------|---INPUT---|--OUTPUT---|
       REQ-TOTAL  |          0|           |PRI-REQ-RSP|          0|          0|
       REQ-SUCC   |          0|           |SEC-REQ-RSP|          0|          0|
       REQ-BAD    |          0|           |PRI-NOMATCH|          0|           |
       OVERFLOW   |          0|           |SEC-NOMATCH|          0|           |
       DROP-ACCESS|          0|           |RSP-BAD    |          0|           |
       ------------------------------------------------------------------------

If DNS relay feature is not active, i.e. RELAY: parameter is set to "NO", the "Relay" section of the statistics will not appear.

The information "Cleared DDD:HH:MM:SS ago, at DD/MM/YYYY HH:MM:SS", referred by the extended statistics, shows the elapsed time from the last reset of the statistics (by the format "days:hours:minutes:seconds") and date/time of its execution (by the format "day/month/year" and "hours:minutes:seconds").

Detail of state fields and statistics of the DNS port

RESOLVER-STATE:	Current state of the resolver service
	INACTIVE, DOWN, READY, ERR

It shows the actual state of the resolver service.

Driver	States	Meaning	Values shown in:
Driver	States	Meaning	System Log	Events Log	Display LCD
DNS	INACTIVE	Driver is not active because ACT: parameter is set to "NO".	IN
	DOWN	Driver is not active because not connected to the lower level UDP port, or the LOWPO: parameter is set to "NONE".	DN
	READY	Driver is successfully connected to the UDP port and properly working	RD
	ERR	Software Error. Contact the Abilis assistance.	NA

RELAY-STATE:	Current state of the relay service
	INACTIVE, DOWN, READY, ERR

It shows the actual state of the relay service.

Driver	States	Meaning	Values shown in:
Driver	States	Meaning	System Log	Events Log	Display LCD
DNS	INACTIVE	State set when the parameter RELAY: is set to "NO" or when the parameter ACT: is set to "NO".	NA
	DOWN	Driver is not active because not connected to the lower level UDP port, or the parameter LOWPO: is set to "NONE"	DN
	READY	Driver is successfully connected to the UDP port and properly working	RD
	ERR	Software Error. Contact the Abilis assistance	NA

CUR:	Number of records currently occupied with pending requests.
0	0 - 20000

It counts all the records that contains a request "waiting for server response", not yet timed out.

PEAK:	Maximum number of simultaneously pending records ever reached.
0	0 - 20000

This value shows the maximal use of the table, that is the maximum number of records that were simultaneously waiting for response, not yet timed out.

MAX:	Maximum number of simultaneously pending requests.
500	0 - 20000

This is actually the number of records that the table can host. The value 500 is the size provided in Abilis CPX and cannot be changed by the user. The value has been determined in excess, however if you exeperience frequent "table full" please contact Abilis helpdesk to get the workaround.

PRI-QUERIES	Number of queries sent to the primary DNS server
	0 - 4.294.967.295

The counter PRI-QUERIES (OUTPUT) shows the overall number of queries sent to the primary DNS Server.

PRI-RES	Number of responses received from the primary DNS server
	0 - 4.294.967.295

The counter PRI-RES (INPUT) shows the overall number of response received from the primary DNS Server.

PRI-UNK	Number of negative responses received from the primary DNS Server
	0 - 4.294.967.295

The counter PRI-UNK (INPUT) shows the overall number of negative responses ("Unknown Host") received from the primary DNS Server.

PRI-RTY-OVR	Number of retransmission to the primary DNS server overruns
	0 - 4.294.967.295

The counter PRI-RTY-OVR (INPUT) shows how many times the maximum number, configured in the parameter RTY:, of retransmission to the primary DNS Server ran over.

PRI-TOUT	Number of times the time-out of response from the primary DNS server ran over
	0 - 4.294.967.295

The counter PRI-TOUT (INPUT) is incremented every time the time-out, configured in the parameter DELAY:, of responses from the primary DNS Server ran over.

PRI-ERRORS	Number of bad frames received from the primary DNS server
	0 - 4.294.967.295

The counter PRI-ERRORS (INPUT) shows the number of invalid frames received from the primary DNS Server.

SEC-QUERIES	Number of queries sent to the secondary DNS server

The counter SEC-QUERIES (OUTPUT) shows the overall number of queries sent to the secondary DNS Server.

SEC-RES	Number of response received from the secondary DNS server
	0 - 4.294.967.295

The counter SEC-RES (INPUT) shows the overall number of responses received from the secondary DNS Server.

SEC-UNK	Number of negative responses received from the secondary DNS Server
	0 - 4.294.967.295

The counter SEC-UNK (INPUT) shows the overall number of negative responses ("Unknown Host") received from the secondary DNS Server.

SEC-RTY-OVR	Number of retransmission to the secondary DNS server overruns
	0 - 4.294.967.295

The counter SEC-RTY-OVR (INPUT) shows how many times the maximum number, configured in the parameter RTY:, of retransmission to the secondary DNS Server ran over.

SEC-TOUT	Number of times the time-out of response from the secondary DNS server ran over
	0 - 4.294.967.295

The counter SEC-TOUT (INPUT) is incremented every time the time-out, configured in the parameter DELAY:, of responses from the secondary DNS Server ran over.

SEC-ERRORS	Number of bad frames received from the secondary DNS server
	0 - 4.294.967.295

The counter SEC-ERRORS (INPUT) shows the number of invalid frames received from the secondary DNS Server.

REQ-TOTAL	Total number of all the client's requests that arrived to DNS relay.
	0 - 4.294.967.295

It counts all the requests arrived from clients, regardless whether they are later processed or discarded.

REQ-SUCC	Total number of client's DNS requests that were processed successfully.
	0 - 4.294.967.295

Incremented for every client's request that actually got an answer. It mean that:

DNS relay received the client's request
DNS relay forwarded the request
DNS relay received the response from the DNS server
The response is sent back to the client

OVERFLOW	Total number of DNS requests received from clients but was not processed because the DNS relay table was overflow.
	0 - 4.294.967.295

This counter is incremented for every client's request that passed all the checks (access validation, formal checks, etc), but could not occupy a record because the table was full, and therefore it had to be discarded.

PRI-NOMATCH	Number of responses from primary DNS for which a matching request was not found in the table.
	0 - 4.294.967.295

A record in the table for a response could not found when:

DNS relay has not received a matching request for this response.
A record for this response was in the table but it became out of date and was used for other request.

The precise distinction between timeout and missing record is not perfomed because it is an imprecise information: timed out records can be left or deleted depending on needs.

SEC-NOMATCH	Number of responses from secondary DNS for which a matching request was not found in the table.
	0 - 4.294.967.295

A record in the table for a response could not found when:

DNS relay has not received a matching request for this response.
A record for this response was in the table but it became out of date and was used for other request.

The precise distinction between timeout and missing record is not perfomed because it is an imprecise information: timed out records can be left or deleted depending on needs.

DROP-ACCESS	Total number of DNS requests received and discarded because not allowed.
	0 - 4.294.967.295

The counter DROP-ACCESS shows the number of DNS requests received from the clients but not processed because requester (the author of this DNS request) is not allowed. The not-allowed requester is a client whose IP address is not present in IPSRC and IPSRCLIST parameters configuration.

REQ-BAD	Number of client's requests that was malformed or contained severe formal errors.
	0 - 4.294.967.295

Incremented for every client's request that, after having passed the "source IP access validation", was detected as malformed, or with error in the content, or any other serious formal error.

RSP-BAD	Number of responses that had to be discarded because they had formal errors that prevented further processing.
	0 - 4.294.967.295

This counter incremented in cases when:

The source port of a response's UDP packet is not equal DNS (53) port.
A matching request for this respons did not find in the table and the IP source address of a response's UDP packet is not equal IP address of primary DNS Server and not equal IP address of secondary DNS Server.
other formal errors.

PRI-REQ-RSP	Number of requests and responses exchanged with primary DNS.
	0 - 4.294.967.295

The counter PRI-REQ-RSP (INPUT) is incremented every time that DNS receives a response from the primary DNS Server.

The counter PRI-REQ-RSP (OUTPUT) is incremented every time that DNS sends a request to the primary DNS Server.

SEC-REQ-RSP	Number of requests and responses exchanged with secondary DNS.
	0 - 4.294.967.295

The counter SEC-REQ-RSP (INPUT) is incremented every time that DNS receives a response from the secondary DNS server.

The counter SEC-REQ-RSP (OUTPUT) is incremented every time that DNS sends a request to the secondary DNS server.

Print this page