Domain Name System (DNS) Cache Resolver and Analytics Engine

The Domain Name System (DNS) cache resolver feature implements a cache of DNS responses on the switch, so that repeated queries for the same name are answered directly by the switch instead of being forwarded to the DNS servers every time, which saves time and network resources.

The DNS analytics engine analyzes the DNS queries (IPv4 and IPv6) from all connected clients and keeps a record of which client issued which query, which domains were accessed, and when (time stamps). Together, the cache and the analytics make it possible to audit the details of the queries coming from clients, which supports threat mitigation.

Supported Platforms

Summit X450-G2, X460-G2, X670-G2, and ExtremeSwitching X440-G2, X465, X590, X620, X690, X870 series switches.

Limitations

  • TCP DNS queries are not cached.
  • The DNS cache feature and the L7 DNS feature in ONEPolicy should not be enabled at the same time.
  • Checkpointing is not supported in a stack or an MLAG setup for DNS caching.

New CLI Commands

enable dns cache {{vlan} vlan_name | {vr} vr_name}

disable dns cache {{vlan} vlan_name | {vr} vr_name}

show dns cache configuration {{vlan} vlan_name | {vr} vr_name}

configure dns cache [add | delete] name-server ip_address {{vr} vr_name}

show dns cache name-server

show dns cache {current} {detail}

clear dns cache

enable dns cache analytics {{vr} vr_name}

disable dns cache analytics {{vr} vr_name}

configure dns cache analytics [{timeout minutes} {max-entries max_entries}]

show dns cache analytics configuration {{vr} vr_name}

show dns cache analytics statistics {client client_ip domain domain_name} {detail} {{vr} vr_name}

clear dns cache analytics entries {{vr} vr_name}

configure dns cache analytics [add | delete] protected-client [client_ip netmask | ipNetmask] {{vr} vr_name}

show dns cache analytics protected-client {{vr} vr_name}
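The following sequence shows how the commands above fit together when bringing up caching and analytics on one VLAN and then auditing the result. It is an added example, not part of the release note; the VLAN name, VR name, server address, client range, timeout and entry cap are all constructed placeholders.

```text
# Added example with constructed values (not from the release note).
# Assumes a VLAN named "Clients" in virtual router "VR-Default".
# Do not enable this together with the L7 DNS feature in ONEPolicy.

# 1. Cache: turn on the resolver for the client VLAN and tell it which
#    upstream name servers it may forward uncached queries to.
enable dns cache vlan Clients
configure dns cache add name-server 203.0.113.53 vr VR-Default

# 2. Analytics: record per-client query history; entries age out after
#    60 minutes and the table is capped at 10000 entries (values constructed).
enable dns cache analytics vr VR-Default
configure dns cache analytics timeout 60 max-entries 10000
configure dns cache analytics add protected-client 192.0.2.0/24 vr VR-Default

# 3. Audit: confirm the configuration, then review what clients asked for.
show dns cache configuration vlan Clients
show dns cache name-server
show dns cache current detail
show dns cache analytics configuration vr VR-Default
show dns cache analytics statistics detail vr VR-Default
show dns cache analytics protected-client vr VR-Default

# Housekeeping when an investigation is done or the cache should be flushed.
clear dns cache analytics entries vr VR-Default
clear dns cache
```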