dns-redirect response ttl

Function

The dns-redirect response ttl command configures a TTL value for DNS response packets.

The undo dns-redirect response ttl command deletes a TTL value.

The default TTL value for DNS response packets is 60s.

This command is supported only on the NetEngine 8000 F1A.

Format

dns-redirect response ttl ttl-value

undo dns-redirect response ttl ttl-value

Parameters

| Parameter | Description | Value |
|-----------|-------------|-------|
| ttl-value | Specifies a TTL value for DNS response packets. | The value is an integer ranging from 0 to 3600, in seconds. |

Views

System view

Default Level

2: Configuration level

Task Name and Operations

| Task Name | Operations |
|-----------|------------|
| portal | write |

Usage Guidelines

Usage Scenario

When web users access the network using HTTPS and a list of accessible hosts must be configured for the pre-authentication domain, the system filters DNS packets destined for users in the pre-authentication domain based on whitelists. DNS packets that do not match the whitelists are redirected to a specified web server.

To configure a TTL value for DNS response packets, run the dns-redirect response ttl command. After the command is run, the device changes the TTL value of DNS packets that do not match the whitelists to the configured value. The TTL value of DNS packets that match the whitelists is not changed.

After a user terminal receives a DNS response packet, it generates a DNS entry based on the packet and uses the TTL value carried in the packet as the lifetime of the entry. If the user terminal accesses the same domain name again before the DNS entry ages out, it does not send another DNS request. Instead, it directs the user to the web server address recorded in the DNS entry. If the TTL value is too large, the user cannot be directed to the IP address of the URL that the user requests to access. To prevent DNS entries from being cached for too long, run the dns-redirect response ttl ttl-value command to set a lifetime for the DNS entries.
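One way to check this behaviour from a captured DNS response, as an added example that is not Huawei code: the Python below parses the answer section and confirms that A records pointing at the redirect web server carry the configured TTL. The sample packet, the address 192.0.2.10 and the function names are constructed for illustration.

```python
import struct

def skip_name(msg, off):
    """Return the offset just past an (optionally compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:    # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:              # root label ends the name
            return off
        off += length

def answer_ttls(msg):
    """Return [(rtype, ttl, rdata)] for every answer record in a DNS response."""
    _id, flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:
        raise ValueError("not a DNS response (QR bit clear)")
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4    # skip QTYPE and QCLASS
    out = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10                        # TYPE + CLASS + TTL + RDLENGTH
        out.append((rtype, ttl, msg[off:off + rdlen]))
        off += rdlen
    return out

def redirected_ttl_ok(msg, portal_ip, configured_ttl):
    """True if every A record pointing at the portal carries the configured TTL."""
    portal = bytes(int(x) for x in portal_ip.split("."))
    hits = [ttl for rtype, ttl, rdata in answer_ttls(msg)
            if rtype == 1 and rdata == portal]
    return bool(hits) and all(ttl == configured_ttl for ttl in hits)

# Constructed sample: response for example.com, A -> 192.0.2.10 (assumed
# web server address), TTL 500 as in the configuration example on this page.
SAMPLE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 500, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    print(answer_ttls(SAMPLE), redirected_ttl_ok(SAMPLE, "192.0.2.10", 500))
```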

Precautions

In VS mode, this command is supported only by the admin VS.

Example

# Configure the TTL value for DNS response packets as 500s.
<HUAWEI> system-view
[~HUAWEI] dns-redirect response ttl 500
Copyright © Huawei Technologies Co., Ltd.