rfc1612.DNS Resolver MIB Extensions
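Huawei Switch AAA Configuration and Management
AAA Configuration and Management
I. Basics
1. AAA is short for authentication, authorization and accounting; it is a management mechanism for network security. Authentication is local authentication/authorization, while for authorization and accounting the authentication/authorization is carried out by a remote RADIUS (remote dial-in authentication system) service or an HWTACACS (Huawei Terminal Access Controller Access Control System) server. AAA authenticates, authorizes and accounts on a per-user basis, whereas a NAC scheme authenticates on the basis of the access device's interface.
In practice, one or two of the AAA services can be used.
2. AAA basic architecture: a client/server structure. The AAA client (also called the NAS, network access server) is a network device with the AAA function enabled (there can be one or several, and it is not necessarily an access device).
3. AAA domain-based user management: AAA users are managed through domains. Each domain can apply different authentication, authorization and accounting schemes and different RADIUS or HWTACACS server templates, which amounts to managing users by category. By default the device has two configured domains named default (the global default common domain) and default_admin (the global default administrative domain); neither can be deleted, only modified, and both use local authentication. default is the default domain for access users, and default_admin is the default domain for administrator accounts (such as SSH, Telnet, terminal and FTP users).
The domain a user belongs to is determined by the string after the domain delimiter. The delimiter can be a symbol such as | or %; for example, userhuawei. belongs to the huawei domain, and a user name without one belongs to the system default domain, default.
A user-defined domain can be configured as the global default common domain or the global default administrative domain, but authorization information configured under the domain has lower priority than the authorization information from the AAA server; usually the two are configured identically.
4. The RADIUS protocol: RADIUS provides access service through authentication and authorization, and collects and records users' use of network resources through accounting.
It defines UDP ports 1812 and 1813 as the authentication (authorization) and accounting ports. The RADIUS server maintains three databases:
Users: stores user information (user name, password, protocol in use, IP address and so on)
Clients: stores RADIUS client information (the access device's shared key and IP address)
Dictionary: stores the meaning of the attributes and attribute values in the RADIUS protocol
The RADIUS client and the RADIUS server use a shared key to encrypt the data they exchange, but the shared key itself is not transmitted over the network.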
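Network Congestion Solutions
Introduction: With the spread of the Internet and the breadth of its applications, network congestion has become an increasingly prominent problem.
Congestion not only degrades users' online experience but can also interrupt network services, causing heavy losses to businesses and individuals.
Various solutions have emerged to address network congestion.
This article introduces five common network congestion solutions.
I. Traffic control
1.1 Congestion control algorithms
A congestion control algorithm reduces network congestion by controlling the rate at which packets are sent.
Common congestion control algorithms are TCP congestion control and RED (Random Early Detection).
TCP congestion control manages congestion by dynamically adjusting the sending rate and the receive window size.
RED detects early signs of congestion on the router and drops a portion of the packets in time, thereby easing the network load.
1.2 Quality of service (QoS)
Quality of service guarantees network performance by allocating different network resources to different types of data flows.
QoS can allocate bandwidth, delay, jitter and other network resources to a data flow according to its importance and sensitivity.
A well-configured QoS policy effectively reduces network congestion and improves the reliability and stability of the network.
1.3 Compression
Compression relieves network congestion by reducing the amount of data transmitted.
Common compression techniques are lossless compression and lossy compression.
Lossless compression shrinks the data to a smaller size, reducing the volume of data sent over the network and thereby easing congestion.
Lossy compression can discard some detail according to the importance of the data, reducing its size further.
II. Increasing bandwidth
2.1 Network expansion
Network expansion relieves congestion by increasing network bandwidth.
It can be achieved by increasing link bandwidth, upgrading network equipment or adding servers.
Network expansion effectively raises the transmission capacity of the network and reduces the occurrence of congestion.
2.2 Multipath transmission
Multipath transmission increases network bandwidth by sending data over several paths at the same time.
A router's load-balancing function can spread data flows across multiple paths, raising the transmission capacity of the network.
Multipath transmission effectively raises network throughput and reduces the occurrence of congestion.
2.3 Bandwidth control
Bandwidth control is a method of increasing network bandwidth by limiting the transmission rate of network traffic.
Bandwidth-limiting policies can be set on routers or switches to control the transmission rate of different types of data flows.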
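RFC Document Reading 1-100
RFC975_Autonomous Confederations
RFC976 UUCP Mail Interchange Format Standard
RFC985 Internet Gateway Requirements - Draft
RFC988 Host Extensions for IP Multicasting
RFC Document Reading 1001-1500
RFC1050_RPC: Remote Procedure Call Protocol Specification
RFC1055_A Nonstandard Protocol for Transmitting IP Datagrams over Serial Lines
RFC1134_+PPP: A Proposal for Multi-Protocol Packet Transmission over Point-to-Point Links
RFC1142 OSI IS-IS Intra-Domain Routing Protocol
RFC1144_TCP/IP Header Compression for Low-Speed Serial Links
RFC1145 Administrative Model for SNMPv2
RFC1155_Structure and Identification of Management Information for TCP/IP-based Networks
RFC1166_Internet Numbers
RFC1288_The Finger User Information Protocol
RFC1298_SNMP over IPX
RFC1321_MD5 Message-Digest Algorithm
RFC1332_The PPP Internet Protocol Control Protocol (IPCP)
RFC1333_PPP Link Quality Monitoring
RFC1355_Privacy and Accuracy Issues in Network Information Center Databases
RFC1365 An IP Address Extension Proposal
RFC1690 Introducing the Internet Engineering and Planning Group (IEPG)
RFC1691 The Document Architecture for the Cornell Digital Library
RFC1696 Modem MIB Defined Using SMIv2
RFC1713_Tools for DNS Debugging
RFC1715_The H Ratio for Address Assignment Efficiency
RFC1723_Routing Information Protocol (Version 2)
RFC1724_RIP Version 2 Management Information Base (MIB) Extension
RFC1370_Applicability Statement for OSPF
RFC1387_RIP (Version 2) Protocol Analysis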
openvpn dns resolution error
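Check the network connection: make sure your device is connected to the OpenVPN server and that the network connection is stable.
Change the DNS server: try switching to a public DNS server, such as Google DNS (8.8.8.8) or Cloudflare DNS (1.1.1.1), to see whether that resolves the problem.
Flush the DNS cache: on Windows, press Win+R, enter "cmd", then run "ipconfig /flushdns" to clear the DNS cache.
On other operating systems, look up the corresponding command for clearing the DNS cache.
Check the OpenVPN configuration: make sure the OpenVPN client is configured correctly, including the server address, port number, password and so on.
Also make sure the client has the DNS server configured correctly.
Contact the network administrator: if you are on a corporate or school network, ask the network administrator for help with the DNS resolution problem.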
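RFC Directory and Cross-Reference Table
RFC930_Telnet Terminal Type Option
RFC932_A Subnetwork Addressing Scheme
RFC937_Post Office Protocol (Version 2)
RFC948_Two Methods for the Transmission of IP Datagrams over IEEE 802.3 Networks
RFC949_FTP Unpublished Unique Command
RFC951_Bootstrap Protocol (BOOTP)
RFC955_Towards a Transport Service for Transaction Processing Applications
RFC962_TCP-4 Prime
RFC968 "'Twas the Night Before Start-up"
RFC974_Mail Routing and the Domain System
RFC975_Autonomous Confederations
RFC976 UUCP Mail Interchange Format Standard
RFC985 Internet Gateway Requirements - Draft
RFC988 Host Extensions for IP Multicasting
Chinese RFC Document Reading 101-700
RFC102 Output of the Host-Host Protocol Glitch Cleaning Committee
RFC103 Implementation of Interrupt Keys
RFC104 Link 191
RFC105 Network Specifications for Remote Login and Remote Output Retrieval at UCSB
RFC106 User/Server Site Protocol Network Host Questionnaire
RFC107 Output of the Host-Host Protocol Glitch Cleaning Committee
RFC108 Attendance List at the Urbana NWG Meeting, February 17-19, 1971
RFC124 Typographical Error in RFC107
RFC132 Typographical Error in RFC107
RFC148 Comments on RFC123
RFC149 The Best Laid Plans
RFC154 Exposition Style
RFC156 Status of the Illinois Site: Response to RFC116
RFC179 Link Number Assignments
RFC185 NIC Distribution of Manuals
RFC188 Data Management Meeting Announcement
RFC198 Site Certification - Lincoln Labs 360/67
RFC204_Sockets in Use
RFC218 Changing the IMP Status Reporting Facility
RFC228 Clarification
RFC232 Postponement of Network Graphics Meeting
RFC245 Reservations for Network Working Group Meeting
RFC246 Network Graphics Meeting
RFC256 IMPSYS Change Notification
RFC276 NIC Course
RFC285 Network Graphics
RFC324 RJE Protocol Meeting
RFC335 New Interface - IMP/360
RFC348_Discard Process
RFC404 Comments on the File Migration Protocol
RFC405 Second Letter to TIP Users
RFC456 Data Reset Service at UCSB
RFC457_FTP Server-Server Interaction
RFC496 IMP/TIP Memory Update Schedule (Revision 2)
RFC516 Lost Message Detection
RFC591 Experimental Input Mapping Between NVT ASCII and the UCSB On-Line System
RFC621 "Remember to hang the stockings under the chimney at Christmas"
RFC628 Further Datalanguage Design Concepts
RFC634 Recent Network Maps
RFC637 Change of Network Address for SU-DSL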
rfc3845.DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format
Network Working Group                                   J. Schlyter, Ed.
Request for Comments: 3845                                   August 2004
Updates: 3755, 2535
Category: Standards Track

DNS Security (DNSSEC) NextSECure (NSEC) RDATA Format

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2004).

Abstract

This document redefines the wire format of the "Type Bit Map" field in the DNS NextSECure (NSEC) resource record RDATA format to cover the full resource record (RR) type space.

Table of Contents

1. Introduction
2. The NSEC Resource Record
   2.1. NSEC RDATA Wire Format
        2.1.1. The Next Domain Name Field
        2.1.2. The List of Type Bit Map(s) Field
        2.1.3. Inclusion of Wildcard Names in NSEC RDATA
   2.2. The NSEC RR Presentation Format
   2.3. NSEC RR Example
3. IANA Considerations
4. Security Considerations
5. References
   5.1. Normative References
   5.2. Informative References
6. Acknowledgements
7. Author's Address
8. Full Copyright Statement

1. Introduction

The DNS [6][7] NSEC [5] Resource Record (RR) is used for authenticated proof of the non-existence of DNS owner names and types. The NSEC RR is based on the NXT RR as described in RFC 2535 [2], and is similar except for the name and typecode. The RDATA format for the NXT RR has the limitation in that the RDATA could only carry information about the existence of the first 127 types. RFC 2535 did reserve a bit to specify an extension mechanism, but the mechanism was never actually defined.

In order to avoid needing to develop an extension mechanism into a deployed base of DNSSEC aware servers and resolvers once the first 127 type codes are allocated, this document redefines the wire format of the "Type Bit Map" field in the NSEC RDATA to cover the full RR type space.

This document introduces a new format for the type bit map. The properties of the type bit map format are that it can cover the full possible range of typecodes, that it is relatively economical in the amount of space it uses for the common case of a few types with an owner name, that it can represent owner names with all possible types present in packets of approximately 8.5 kilobytes, and that the representation is simple to implement. Efficient searching of the type bitmap for the presence of certain types is not a requirement.

For convenience and completeness, this document presents the syntax and semantics for the NSEC RR based on the specification in RFC 2535 [2] and as updated by RFC 3755 [5], thereby not introducing changes except for the syntax of the type bit map.

This document updates RFC 2535 [2] and RFC 3755 [5].

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14, RFC 2119 [1].

2. The NSEC Resource Record

The NSEC resource record lists two separate things: the owner name of the next RRset in the canonical ordering of the zone, and the set of RR types present at the NSEC RR's owner name. The complete set of NSEC RRs in a zone indicate which RRsets exist in a zone, and form a chain of owner names in the zone. This information is used to provide authenticated denial of existence for DNS data, as described in RFC 2535 [2].

The type value for the NSEC RR is 47.

The NSEC RR RDATA format is class independent and defined for all classes.

The NSEC RR SHOULD have the same TTL value as the SOA minimum TTL field. This is in the spirit of negative caching [8].

2.1. NSEC RDATA Wire Format

The RDATA of the NSEC RR is as shown below:

                     1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                      Next Domain Name                         /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
/                   List of Type Bit Map(s)                     /
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

2.1.1. The Next Domain Name Field

The Next Domain Name field contains the owner name of the next RR in the canonical ordering of the zone. The value of the Next Domain Name field in the last NSEC record in the zone is the name of the zone apex (the owner name of the zone's SOA RR).

A sender MUST NOT use DNS name compression on the Next Domain Name field when transmitting an NSEC RR.

Owner names of RRsets that are not authoritative for the given zone (such as glue records) MUST NOT be listed in the Next Domain Name unless at least one authoritative RRset exists at the same owner name.

2.1.2. The List of Type Bit Map(s) Field

The RR type space is split into 256 window blocks, each representing the low-order 8 bits of the 16-bit RR type space. Each block that has at least one active RR type is encoded using a single octet window number (from 0 to 255), a single octet bitmap length (from 1 to 32) indicating the number of octets used for the window block's bitmap, and up to 32 octets (256 bits) of bitmap.

Window blocks are present in the NSEC RR RDATA in increasing numerical order.

"|" denotes concatenation

Type Bit Map(s) Field = ( Window Block # | Bitmap Length | Bitmap ) +

Each bitmap encodes the low-order 8 bits of RR types within the window block, in network bit order. The first bit is bit 0. For window block 0, bit 1 corresponds to RR type 1 (A), bit 2 corresponds to RR type 2 (NS), and so forth. For window block 1, bit 1 corresponds to RR type 257, and bit 2 to RR type 258. If a bit is set to 1, it indicates that an RRset of that type is present for the NSEC RR's owner name. If a bit is set to 0, it indicates that no RRset of that type is present for the NSEC RR's owner name.

Since bit 0 in window block 0 refers to the non-existing RR type 0, it MUST be set to 0. After verification, the validator MUST ignore the value of bit 0 in window block 0.

Bits representing Meta-TYPEs or QTYPEs, as specified in RFC 2929 [3] (section 3.1), or within the range reserved for assignment only to QTYPEs and Meta-TYPEs MUST be set to 0, since they do not appear in zone data. If encountered, they must be ignored upon reading.

Blocks with no types present MUST NOT be included. Trailing zero octets in the bitmap MUST be omitted. The length of each block's bitmap is determined by the type code with the largest numerical value within that block, among the set of RR types present at the NSEC RR's owner name. Trailing zero octets not specified MUST be interpreted as zero octets.

2.1.3. Inclusion of Wildcard Names in NSEC RDATA

If a wildcard owner name appears in a zone, the wildcard label ("*") is treated as a literal symbol and is treated the same as any other owner name for purposes of generating NSEC RRs. Wildcard owner names appear in the Next Domain Name field without any wildcard expansion. RFC 2535 [2] describes the impact of wildcards on authenticated denial of existence.

2.2. The NSEC RR Presentation Format

The presentation format of the RDATA portion is as follows:

The Next Domain Name field is represented as a domain name.

The List of Type Bit Map(s) Field is represented as a sequence of RR type mnemonics. When the mnemonic is not known, the TYPE representation as described in RFC 3597 [4] (section 5) MUST be used.

2.3. NSEC RR Example

The following NSEC RR identifies the RRsets associated with. and the next authoritative name after.

. 86400 IN NSEC . A MX RRSIG NSEC TYPE1234

The first four text fields specify the name, TTL, Class, and RR type (NSEC). The entry . is the next authoritative name after . in canonical order. The A, MX, RRSIG, NSEC, and TYPE1234 mnemonics indicate there are A, MX, RRSIG, NSEC, and TYPE1234 RRsets associated with the name .

The RDATA section of the NSEC RR above would be encoded as:

0x04 'h' 'o' 's' 't'
0x07 'e' 'x' 'a' 'm' 'p' 'l' 'e'
0x03 'c' 'o' 'm' 0x00
0x00 0x06 0x40 0x01 0x00 0x00 0x00 0x03
0x04 0x1b 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x00 0x00 0x00 0x00 0x20

Assuming that the resolver can authenticate this NSEC record, it could be used to prove that does not exist, or could be used to prove that there is no AAAA record associated with. Authenticated denial of existence is discussed in RFC 2535 [2].

3. IANA Considerations

This document introduces no new IANA considerations, because all of the protocol parameters used in this document have already been assigned by RFC 3755 [5].

4. Security Considerations

The update of the RDATA format and encoding does not affect the security of the use of NSEC RRs.

5. References

5.1. Normative References

[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[2] Eastlake 3rd, D., "Domain Name System Security Extensions", RFC 2535, March 1999.
[3] Eastlake 3rd, D., Brunner-Williams, E., and B. Manning, "Domain Name System (DNS) IANA Considerations", BCP 42, RFC 2929, September 2000.
[4] Gustafsson, A., "Handling of Unknown DNS Resource Record (RR) Types", RFC 3597, September 2003.
[5] Weiler, S., "Legacy Resolver Compatibility for Delegation Signer (DS)", RFC 3755, May 2004.

5.2. Informative References

[6] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.
[7] Mockapetris, P., "Domain names - implementation and specification", STD 13, RFC 1035, November 1987.
[8] Andrews, M., "Negative Caching of DNS Queries (DNS NCACHE)", RFC 2308, March 1998.

6. Acknowledgements

The encoding described in this document was initially proposed by Mark Andrews. Other encodings were proposed by David Blacka and Michael Graff.

7. Author's Address

Jakob Schlyter (editor)
NIC-SE
Box 5774
Stockholm SE-114 87
Sweden
EMail: jakob@nic.se
URI: http://www.nic.se/

8. Full Copyright Statement

Copyright (C) The Internet Society (2004).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the IETF's procedures with respect to rights in IETF Documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at /ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
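The Type Bit Map(s) layout of section 2.1.2, worked through in Python as an added example (it is not part of RFC 3845). The function names are hypothetical; the decoder is deliberately strict about the sender-side MUSTs (increasing window order, length 1 to 32, no trailing zero octet), and the Meta-TYPE/QTYPE filtering rule is not implemented.

```python
"""Encoder/decoder for the NSEC Type Bit Map(s) field (added example)."""

# Type Bit Map(s) octets from the encoded RDATA in section 2.3
# (A MX RRSIG NSEC TYPE1234): window 0 with 6 octets, window 4 with 27.
RFC_EXAMPLE = bytes.fromhex("0006400100000003" + "041b" + "00" * 26 + "20")


def encode_type_bitmaps(rr_types):
    """Build the Type Bit Map(s) field for an iterable of RR type codes."""
    windows = {}
    for rr_type in set(rr_types):
        # Type 0 does not exist; its bit in window block 0 MUST stay 0.
        if not 0 < rr_type <= 0xFFFF:
            raise ValueError(f"RR type out of range: {rr_type}")
        window, low = divmod(rr_type, 256)       # high octet / low octet
        bitmap = windows.setdefault(window, bytearray(32))
        bitmap[low // 8] |= 0x80 >> (low % 8)    # network bit order
    out = bytearray()
    for window in sorted(windows):               # increasing numerical order
        bitmap = bytes(windows[window]).rstrip(b"\x00")  # drop trailing zeros
        out += bytes([window, len(bitmap)]) + bitmap
    return bytes(out)


def decode_type_bitmaps(data):
    """Parse a Type Bit Map(s) field into a sorted list of RR type codes.

    Raises ValueError on input a conforming sender would never emit.
    """
    types = []
    pos = 0
    last_window = -1
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated window block header")
        window, length = data[pos], data[pos + 1]
        pos += 2
        if window <= last_window:
            raise ValueError("window blocks not in increasing order")
        if not 1 <= length <= 32:
            raise ValueError(f"bitmap length {length} outside 1..32")
        if pos + length > len(data):
            raise ValueError("bitmap runs past end of RDATA")
        bitmap = data[pos:pos + length]
        if bitmap[-1] == 0:
            raise ValueError("trailing zero octet in bitmap")
        pos += length
        last_window = window
        for index, octet in enumerate(bitmap):
            for bit in range(8):
                if octet & (0x80 >> bit):
                    rr_type = window * 256 + index * 8 + bit
                    if rr_type == 0:
                        continue  # bit 0 of window 0 is ignored on reading
                    types.append(rr_type)
    return types


def has_type(data, rr_type):
    """True if the bitmap asserts an RRset of rr_type at the owner name."""
    return rr_type in decode_type_bitmaps(data)


if __name__ == "__main__":
    print(encode_type_bitmaps([1, 15, 46, 47, 1234]).hex())
    print(decode_type_bitmaps(RFC_EXAMPLE))
    print("AAAA present:", has_type(RFC_EXAMPLE, 28))
```

The bitmap says nothing until the NSEC RR's signature has been validated; only then does an absent bit, such as AAAA (type 28) in the RFC's example, count as denial of existence.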
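DNSSec Survey Report
Liu Bingyang, 2008310477@
Department of Computer Science and Technology, Tsinghua University, Beijing, 100084
Abstract: DNS (the Domain Name System) has become a key piece of infrastructure for Internet services, but it has serious security vulnerabilities, and in recent years network attacks against these vulnerabilities have caused heavy losses to DNS and the Internet.
DNSSec provides security extensions for DNS, supporting authentication of the data origin and of transactions and requests, and so curbs the related network attacks to a certain extent.
This paper reviews the history of DNS and the security threats it faces, introduces the basic principles and components of DNSSec, analyzes the problems DNSSec has, surveys its deployment around the world, and looks ahead to its future applications.
Keywords: DNS, DNSSec, DNS security, Internet security.
Abstract: DNS (Domain Name System) is now a very important infrastructure of the Internet. However, it was designed with many vulnerabilities. In recent years, network attacks taking advantage of these vulnerabilities have brought huge damage to the DNS and the Internet. DNSSec, the security extension of DNS, was designed to secure DNS. It supports authentication of the data origin and of transactions and requests, so that it mitigates the relevant attacks. This paper reviews the history of DNS and its vulnerabilities, and introduces the rationale of DNSSec. We analyze the problems in DNSSec, investigate its deployment progress around the world, and also present the future application of DNSSec.
Keywords: DNS, DNSSec, Internet Security.
1 Introduction
1.1 History of DNS
Before DNS (Domain Name System) [1] appeared, network users had to maintain a HOSTS configuration file on their own machine; this file contained the information the machine needed to communicate with other systems on the network.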
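CentOS 6.5 Primary DNS Server Configuration Example
[Exercise] Configure a DNS server that provides forward and reverse resolution for the domain names, with IP address 192.168.1.168; when the server meets a domain name it cannot resolve, it hands the query to the Internet DNS server 8.8.8.8.
[Configuration]
1. Install the DNS server program:
yum install bind -y    # install the DNS package with yum
2. Configure the DNS server's main configuration file:
# vim /etc/named.conf    # edit the main configuration file
Modify the following fields:
listen-on port 53 { any; };    # changed to listen on all addresses
// listen-on-v6 port 53 { ::1; };    # comment out this line
allow-query { any; };    # accept queries from all clients
forwarders { 8.8.8.8; };    # add the forwarder field
3. Configure the forward and reverse zones:
# vi /etc/named.rfc1912.zones    # edit the file and add the following fields
zone "" IN {    # create the forward zone
    type master;
    file ".zone";    # name of the forward zone file
    allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {    # create the reverse zone
    type master;
    file "192.168.1.zone";    # name of the reverse zone file
    allow-update { none; };
};
4. Configure the forward zone file; change to the /var/named directory:
# cp -p named.localhost .zone    # copy the forward zone template for this zone
vim .zone    # edit the forward zone file; add or modify the following fields
@ NS .    ; name of the primary server
  A 192.168.1.168
ftp A 192.168.1.168    ; create an A record; the same applies below
www A 192.168.1.168
5. Configure the reverse zone file, also in the /var/named directory:
cp -p named.loopback 192.168.1.zone    # copy the reverse zone template for this zone
vim 192.168.1.zone    # edit the reverse zone file; add or modify the following fields
@ NS .    ; name of the primary server
  A 192.168.1.168
168 PTR .    ; add PTR records
168 PTR .
6. Start the DNS server:
# service named start    # start the DNS server
# chkconfig named on    # start the DNS server automatically at runlevels 3 and 5
[Test]
# nslookup    # test DNS with the nslookup command
>    # test forward resolution; the same applies below
>
> 192.168.1.168    # test reverse resolution
[Summary]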
Dell EMC Networking N2200-ON Specification Sheet
Dell EMC PowerSwitch N2200-ON Series Switches
Cost-effective open networking Multigigabit Ethernet switches for modernizing and scaling infrastructure

The N2200-ON switch series offers a power-efficient Multigigabit Ethernet network-access switching solution with integrated 25GbE uplinks. With high-performance capabilities and wire-speed performance, utilizing a non-blocking architecture to easily handle unexpected traffic loads, the switches offer simple management and scalability via a 160Gbps (full duplex) high availability stacking architecture that allows management of up to twelve switches from a single IP address. An integrated 80PLUS Platinum certified power supply provides energy efficiency to help decrease power and cooling costs.

Modernize campus network architectures
Modernize campus network architectures with a power-efficient and resilient 1/2.5/25GbE switching solution with 802.3bt Type-3 (60W) Power over Ethernet. PoE ports can deliver clean power to network devices such as wireless access points (APs), Voice-over-IP (VoIP) handsets, video conferencing systems, security cameras, LED luminaries and many more. For greater interoperability in multivendor networks, N2200-ON switches offer the latest open-standard protocols.

Leverage familiar tools and practices
All N-Series switches include Dell EMC Networking OS6, designed for easier deployment, greater interoperability and a lower learning curve for network administrators. One common command line interface (CLI) and graphic user interface (GUI) using a well-known command language gets skilled network administrators productive quickly. With USB auto-configuration, network administrators can rapidly deploy mirrored configurations to numerous devices by simply inserting a USB key. N2200-ON switches also support the Open Network Install Environment (ONIE), enabling installation of alternate network operating systems.

Deploy with confidence at any scale
N2200-ON series switches help create performance assurance with a data rate up to 600Gbps (full duplex) and a forwarding rate up to 833Mpps. Scale easily with built-in rear stacking ports. Switch stacks of up to 624 1/2.5/25GbE ports can be managed from a single screen using the highly-available stacking architecture for high-density aggregation with seamless redundant availability. N-Series switches help provide certainty with a lifetime warranty that covers software upgrades, hardware repair or replacement, and optics and cables purchased with the switch.*

Hardware, performance and efficiency
• 1RU switches with up to 48 line-rate 1/2.5GbE RJ-45 ports and four integrated 25GbE SFP28 ports.
• Up to 48 ports of 30W PoE including 24 ports which can scale up to 60W PoE.
• Up to 624 1/2.5/25GbE ports in a 12-unit stack for high-density, high-availability in IDFs, MDFs and wiring closets.
• Non-stop forwarding and fast failover in stack configurations.
• Dell Fresh Air compliance for operation in environments up to 113°F (45°C) helps reduce cooling costs in temperature constrained deployments.

Deploying, configuring and managing
• USB auto-configuration rapidly deploys the switch without complex TFTP configurations or sending technical staff to remote offices.
• Management via an intuitive and familiar CLI, embedded web server (GUI), SNMP-based management console application (including Dell OpenManage Network Manager), Telnet or serial connection.
• Private VLAN extensions and Private VLAN Edge support.
• AAA authorization, TACACS+ accounting and RADIUS support for comprehensive secure access support.
• Authentication tiering allows network administrators to tier port authentication methods such as 802.1x, MAC Authentication Bypass and Captive Portal in priority order so that a single port can provide flexible access and security.
• Achieve high availability and full bandwidth utilization with MLAG and support firmware upgrades without taking the network offline.
• Layer 3 Standard IPv4 and IPv6 functionality including static routing, RIP, and OSPF support.
• VXLAN-Lite support in hardware only (can be used if enabled by Open Networking (ON) partner network operating system).

* Select Networking products carry a Lifetime Limited Warranty with Basic Hardware Service (repair or replacement) for life. Repair or replacement does not include troubleshooting, configuration, or other advanced service provided by Dell EMC ProSupport. Details at https:///en-us/work/shop/networkingwarranty/cp/networkingwarranty
** Planned in Roadmap
*** Auto-negotiation not supported, using 1G optics require manual configuration and all 4x10G SFP+ or 4x25G SFP28 ports to be set to same speed. 100M speed not supported.
**** Auto-negotiation not supported, using 10G cables or optics require manual configuration and all 4x25G SFP28 ports to be set to same speed. 100M/1G speed not supported.

Hardware specifications

Physical
2 integrated rear 40GbE QSFP+ stacking ports
Out-of-band management port (10/100/1000BASE-T)
USB (Type A) port for configuration via USB flash drive
MicroUSB (Type B) console port (MicroUSB to USB connector cable included)
RJ45 console port with RS232 signaling (RJ-45 to female DB-9 connector cable included)
Auto-negotiation for speed and flow control
Auto MDI/MDIX, port mirroring
Flow-based port mirroring
Broadcast storm control
Redundant variable speed fans (field replaceable)
Air flow: I/O to power supply; Power supply to I/O options available with non-PoE models
Integrated power supply: 550W AC (N2224X-ON, N2248X-ON), 1050W AC (N2224PX-ON), 1600W AC (N2248PX-ON)
Dual firmware images on-board
Switching engine model: Store and forward

Chassis
Size (1RU, H x W x D): 1.71 in x 17.09 in x 15.75 in (power supply/fan tray handle adds additional 1.18 in)
Approximate weight (Switch with 1 PSU installed): 14.3lbs/6.5kg (N2224X-ON), 14.7lbs/6.7kg (N2224PX-ON), 15.1lbs/6.9kg (N2248X-ON), 15.8lbs/7.2kg (N2248PX-ON)
2-Post rack mounting kit

Environmental
Power supply efficiency: 80% or better in all operating modes
Max. thermal output (BTU/hr): 812 (N2224X-ON), 4495 (N2224PX-ON), 1112 (N2248X-ON), 8478 (N2248PX-ON)
Power consumption max (watts): 238W (N2224X-ON), 1318W (N2224PX-ON), 326W (N2248X-ON), 2486W (N2248PX-ON)
Operating temperature: 32° to 113°F (0° to 45°C)
Operating humidity: 95%
Storage temperature: –40° to 149°F (–40° to 65°C)
Storage relative humidity: 85%

Performance
CPU memory: 4GB
SSD: 8GB
Packet buffer memory: 4MB
Switch fabric capacity (full duplex): 480Gbps (N2224X-ON and N2224PX-ON); 600Gbps (N2248X-ON and N2248PX-ON)
Forwarding rate: 667Mpps (N2224X-ON and N2224PX-ON); 833Mpps (N2248X-ON and N2248PX-ON)
Line-rate Layer 2 switching: All (non-blocking)
Line-rate Layer 3 routing: All (non-blocking)

Network Operating System specifications
Software specifications listed below are applicable for OS6. For detailed specifications of the NOS, please contact your Dell Technologies representative.

Scaling performance
MAC addresses: 32K
Static routes: 256 (IPv4)/128 (IPv6)
Dynamic routes: 256 (IPv4)
Link aggregation: 128 LAG groups, 144 dynamic ports per stack, 8 member ports per LAG
Priority queues per port: 8
RIP routing interfaces: 256
VLAN routing interfaces: 128
VLANs supported: 4,094
Protocol-based VLANs: Supported
ARP entries: 4,096
NDP entries: 512
Access control lists (ACL): Supported
MAC and IP-based ACLs: Supported
Time-controlled ACLs: Supported
Max number of ACLs: 100
Max ACL rules system-wide: 3,914
Max rules per ACL: 1,023
Max ACL rules per interface (IPv4): 1,023 (ingress), 1023 (egress)
Max ACL rules per interface (IPv6): 1023 (ingress), 509 (egress)
Max VLAN interfaces with ACLs applied: 24

IEEE compliance
802.1AB LLDP
Dell Voice VLAN
Dell ISDP
802.1D Bridging, Spanning Tree
802.1p Ethernet Priority (User Provisioning and Mapping)
Dell Adjustable WRR and Strict Queue Scheduling
802.1Q VLAN Tagging, Double VLAN Tagging, GVRP
802.1S Multiple Spanning Tree (MSTP)
802.1v Protocol-based VLANs
802.1W Rapid Spanning Tree (RSTP)
Dell RSTP-Per VLAN
Dell Spanning tree optional features: STP root guard, BPDU guard, BPDU filtering
802.1X Network Access Control, Auto VLAN
802.2 Logical Link Control
802.3 10BASE-T
802.3ab Gigabit Ethernet (1000BASE-T)
802.3ac Frame Extensions for VLAN Tagging
802.3ad Link Aggregation with LACP
802.3ae 10 Gigabit Ethernet (10GBASE-X)
802.3at PoE+ (N2024P and N2048P)
802.3AX LAG Load Balancing
Dell Multi-Chassis LAG (MLAG)
Dell Policy Based Forwarding
802.3u Fast Ethernet (100BASE-TX) on Management Ports
802.3x Flow Control
802.3z Gigabit Ethernet (1000BASE-X)
ANSI LLDP-MED (TIA-1057)
MTU 9,216 bytes

General Internet protocols
General Internet protocols are supported. For a detailed list, please contact your Dell Technologies representative.

General IPv4 protocols
General IPv4 protocols are supported. For a detailed list, please contact your Dell Technologies representative.

General IPv6 protocols
General IPv6 protocols are supported. For a detailed list, please contact your Dell Technologies representative.

Layer 3 functionality
1058 RIPv1
1724 RIPv2 MIB Extension
2082 RIP-2 MD5 Auth
2453 RIPv2
1765 OSPF DB overflow
1850 OSPF MIB
2328 OSPFv2
2740 OSPFv3 (from OS6.6.2)
3137 OSPF Stub Router Advert
5187 OSPFv3 Graceful Routing Restart (from OS6.6.2)

Multicast
2365 Admin scoped IP Mcast
2932 IPv4 MIB
4541 IGMP v1/v2/v3 Snooping and Querier
IEEE 802.1ag draft 8.1 – Connectivity Fault Management

Quality of service
2474 DiffServ Field
2475 DiffServ Architecture
2597 Assured Fwd PHB
Dell Port Based QoS (TCP/UDP) Services Mode
Dell Flow Based QoS Services Mode (IPv4/IPv6)
2697 srTCM
4115 trTCM
Dell L4 Trusted Mode
Dell UDLD

Network Management and Security
1155 SMIv1
1157 SNMPv1
1212 Concise MIB Definitions
1213 MIB-II
1215 SNMP Traps
1286 Bridge MIB
1442 SMIv2
1451 Manager-to-Manager MIB
1492 TACACS+
1493 Managed Objects for Bridges MIB
1573 Evolution of Interfaces
1612 DNS Resolver MIB Extensions
1643 Ethernet-like MIB
1757 RMON MIB
1867 HTML/2.0 Forms with File Upload Extensions
1901 Community-based SNMPv2
1907 SNMPv2 MIB
1908 Coexistence Between SNMPv1/v2
2011 IP MIB
2012 TCP MIB
2013 UDP MIB
2068 HTTP/1.1
2096 IP Forwarding Table MIB
2233 Interfaces Group using SMIv2
2246 TLS v1
2271 SNMP Framework MIB
2295 Transport Content Negotiation
2296 Remote Variant Selection
2576 Coexistence Between SNMPv1/v2/v3
2578 SMIv2
2579 Textual Conventions for SMIv2
2580 Conformance Statements for SMIv2
2613 RMON MIB
2618 RADIUS Authentication MIB
2620 RADIUS Accounting MIB
2665 Ethernet-like Interfaces MIB
2666 Identification of Ethernet Chipsets
2674 Extended Bridge MIB
2737 ENTITY MIB
2818 HTTP over TLS
2819 RMON MIB (groups 1, 2, 3, 9)
2856 Text Conv. For High Capacity Data Types
2863 Interfaces MIB
2865 RADIUS
2866 RADIUS Accounting
2868 RADIUS Attributes for Tunnel Prot.
2869 RADIUS Extensions
3410 Internet Standard Mgmt. Framework
3411 SNMP Management Framework
3412 Message Processing and Dispatching
3413 SNMP Applications
3414 User-based security model
3415 View-based control model
3416 SNMPv2
3417 Transport Mappings
3418 SNMP MIB
3577 RMON MIB
3580 802.1X with RADIUS
3737 Registry of RMON MIB
4086 Randomness Requirements
4113 UDP MIB
4251 SSHv2 Protocol
4252 SSHv2 Authentication
4253 SSHv2 Transport
4254 SSHv2 Connection Protocol
4419 SSHv2 Transport Layer Protocol
4521 LDAP Extensions
4716 SECSH Public Key File Format
5246 TLS v1.2
6101 SSL
6398 IP Router Alert
Dell Enterprise MIB supporting routing features
draft-ietf-hubmib-etherif-mib-v3-00.txt (Obsoletes RFC 2665)
Dell LAG MIB Support for 802.3ad Functionality
Dell sflow version 1.3 draft 5
Dell 802.1x Monitor Mode
Dell Custom Login Banners
Dell Dynamic ARP Inspection
Dell IP Address Filtering
Dell Tiered Authentication
Dell RSPAN
Dell Change of Authorization
Dell OpenFlow 1.3
Dell Python Scripting
Dell Support Assist

Other certifications
N-Series products have the necessary features to support a PCI compliant network topology.

Regulatory, environment and other compliance
Safety and emissions
Australia/New Zealand: ACMA RCM Class A
Canada: ICES Class A; cUL
China: CCC Class A; NAL
Europe: CE Class A
Japan: VCCI Class A
USA: FCC Class A; NRTL UL; FDA 21 CFR 1040.10 and 1040.11
Eurasia Customs Union: EAC
Germany: GS mark
Product meets EMC and safety standards in many countries inclusive of USA, Canada, EU, Japan, China. For more country-specific regulatory information and approvals, please see your Dell Technologies representative.
RoHS
Product meets RoHS compliance standards in many countries inclusive of USA, EU, China, and India. For more country-specific RoHS compliance information, please see your Dell Technologies representative.
EU WEEE
EU Battery Directive
REACH
Energy
Japan: JEL

© 2021 Dell Inc. or its subsidiaries. All Rights Reserved. Dell, EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners.

IT Lifecycle Services for Networking
Experts, insights and ease
Our highly trained experts, with innovative tools and proven processes, help you transform your IT investments into strategic advantages.

Plan & Design
Let us analyze your multivendor environment and deliver a comprehensive report and action plan to build upon the existing network and improve performance.

Deploy & Integrate
Get new wired or wireless network technology installed and configured with ProDeploy. Reduce costs, save time, and get up and running fast.

Educate
Ensure your staff builds the right skills for long-term success. Get certified on Dell EMC Networking technology and learn how to increase performance and optimize infrastructure.

Manage & Support
Gain access to technical experts and quickly resolve multivendor networking challenges with ProSupport. Spend less time resolving network issues and more time innovating.

Optimize
Maximize performance for dynamic IT environments with Dell EMC Optimize. Benefit from in-depth predictive analysis, remote monitoring and a dedicated systems analyst for your network.

Retire
We can help you resell or retire excess hardware while meeting local regulatory guidelines and acting in an environmentally responsible way.
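dnsforwarder parameters
DNS forwarding is the process of forwarding DNS requests from one DNS server to another.
The following are some common dnsforwarder parameters:
1. listen-address: sets the address dnsforwarder listens on, given as an IP address or as IP:port.
2. forwarder: sets the address of the DNS server to which dnsforwarder forwards requests; several can be specified, separated by commas.
3. cache-size: sets the dnsforwarder cache size in MB; the default is 10 MB.
4. timeout: sets the timeout, in seconds, for DNS requests that dnsforwarder sends to the forwarder servers; the default is 5 seconds.
5. log-file: sets the path of the dnsforwarder log file; the default is standard output.
6. disable-ipv6: disables IPv6 support.
7. disable-tcp: disables TCP support.
8. disable-udp: disables UDP support.
9. daemonize: runs dnsforwarder in the background.
10. version: shows the dnsforwarder version information.
These parameters can be specified when starting dnsforwarder.
For example:
dnsforwarder listen-address 127.0.0.1:53 forwarder 8.8.8.8,8.8.4.4 cache-size 50 log-file /var/log/dnsforwarder.log daemonize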
Network MIB Agent Network Management
The Ohio State University
Raj Jain 30-6
Global Naming Hierarchy
ccitt (0)
iso (1)
    standard (0)
        iso9314 (9314)
            fddiMIB (1)
    org (3)
        dod (6)
            internet (1)
                directory (1)
                mgmt (2)
                    mib (1)
                        system (1)
                        interfaces (2)
joint-iso-ccitt (2)
OSI Network Management Standards
- Common Management Information Protocol (CMIP)
- Common Management Information Service (CMIS)
- CMIP is the management (application layer) protocol
- CMIS is the service interface to CMIP
- M-GET (read attribute), M-SET (write attribute), M-EVENT-REPORT (report an event), M-ACTION (perform an action), M-CREATE (create an instance), M-DELETE (delete an instance)
Summary
- Management = Initialization, Monitoring, and Control
- SNMP = Only 5 commands
- Standard MIBs defined for each object
- Uses ASN.1 encoding
RFC documents for the TCP/IP network protocol layers

RFC - Request For Comments

Columns: TCP/IP layer, network protocol, RFC documents

Physical Layer, Data Link Layer
  ARP - Address Resolution Protocol: RFC826
  RARP - Reverse Address Resolution Protocol: RFC903

Internet Protocol Layer
  IP - Internet Protocol: RFC791
  IP v6: RFC2460
  ICMP - Internet Control Message Protocol: RFC777, RFC792
  ICMP v6: RFC2463, RFC4443
  IGMP - Internet Group Management Protocol: RFC1112
  IGMP v2: RFC2236
  IGMP v3: RFC3376
  OSPF - Open Shortest Path First: RFC1245, RFC1246
  OSPF v2: RFC1252, RFC1253, RFC1850, RFC2178, RFC2328, RFC2329

Transport Layer
  TCP - Transport Control Protocol: RFC793
  UDP - User Datagram Protocol: RFC768
  FTP - File Transfer Protocol: RFC959
  SMTP - Simple Mail Transfer Protocol: RFC821
  Telnet - Telnet Protocol: RFC698, RFC779, RFC854, RFC855, RFC856, RFC857, RFC858, RFC859, RFC860, RFC861
  HTTP v1.0 - Hypertext Transfer Protocol: RFC1945
  HTTP v1.1: RFC2616, RFC2617
  POP3 - Post Office Protocol - Version 3: RFC1939
  BGP - Border Gateway Protocol: RFC1105, RFC1163
  BGP v3: RFC1267
  BGP v4: RFC1654, RFC1771, RFC4271
  PPTP - Point-to-Point Tunneling Protocol: RFC2637

Application Layer
  HTTP Over TLS: RFC2818
  DNS - Domain Name System: RFC881, RFC882, RFC883, RFC1034, RFC1035
  BOOTP - Bootstrap Protocol: RFC951
  DHCP - Dynamic Host Configuration Protocol: RFC1531, RFC1541, RFC2131
  DHCP v6: RFC3315, RFC4580, RFC4649, RFC4704
  TFTP v2 - Trivial File Transfer Protocol: RFC783, RFC1350
  SNMP - Simple Network Management Protocol: RFC1067, RFC1098, RFC1157
  RIP - Routing Information Protocol: RFC1058, RFC1923
  RIP v2 - Routing Information Protocol: RFC1387, RFC1388, RFC1389, RFC1721, RFC1722, RFC1723, RFC2082, RFC2453, RFC4822
  L2TP - Layer Two Tunneling Protocol: RFC2661
  MIB-II - Management Information Base: RFC1158, RFC1213
  SNMP v2: RFC2011, RFC2012, RFC2013, RFC2452, RFC2465, RFC2466, RFC4022
  PPP - Point-to-Point Protocol: RFC1134, RFC1171, RFC1172, RFC1331, RFC1334 (PAP), RFC1548, RFC1570, RFC1661, RFC1994 (CHAP), RFC2284, RFC2484, RFC3748, RFC5247
  PPP-MP - The PPP Multilink Protocol: RFC1717, RFC1990
  HTML v2.0 - Hypertext Markup Language: RFC1866
  NetBIOS: RFC1001, RFC1002
  MIME - Multipurpose Internet Mail Extensions: RFC1341, RFC1521, RFC1522, RFC2045, RFC2046, RFC2047, RFC2048, RFC2049
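Server configuration: DNS, DHCP, IIS

DNS server configuration:

1. Install the DNS service
Start -> Settings -> Control Panel -> Add/Remove Programs -> Add/Remove Windows Components -> "Networking Services" -> select "Domain Name System (DNS)" -> click OK to install.

2. Create a DNS forward lookup zone
Start -> Programs -> Administrative Tools -> select DNS to open the DNS console -> right-click "Forward Lookup Zones" -> select "New Zone" -> select "Standard primary" (or "Active Directory-integrated" or "Standard secondary") -> enter the domain name "" -> enter the file name under which the zone is saved, ".dns" -> click Finish to complete the creation.
Creating host records and the like: right-click "" -> "New Host" -> enter "www" in the name field and "192.168.0.3" in the "IP address" field -> click "Add Host" to finish.

3. Create a DNS reverse lookup zone
Start -> Programs -> Administrative Tools -> select DNS to open the DNS console -> right-click "Reverse Lookup Zones" -> select "New Zone" -> select "Standard primary" -> enter the "Network ID" that identifies the zone -> enter the file name under which the zone is saved, "0.168.192.in-addr.arpa.dns" -> click Finish to complete the creation.
Creating a PTR pointer: right-click "192.168.1.x.subnet" -> select "New Pointer" -> enter 2 in "Host IP number" -> enter ftp in "Host name" -> click OK to finish adding it.

4. Enable DNS round robin
For instance, when a name corresponds to several IP addresses, the order returned by DNS differs on every resolution.
Right-click the "DNS server" -> Properties -> Advanced -> select "Enable round robin" -> select "Enable netmask ordering" -> click OK to return.
Note: if all the IP addresses and the DNS server are on the same subnet, "Enable netmask ordering" must be cleared for round robin to work. That is, with round robin enabled, a host IP on the same subnet as the DNS server is always placed first, and when all of them are on one subnet no rotation takes place; round robin only works once "Enable netmask ordering" has been cleared. The DNS server gives priority to returning records with the same network ID as its own to the client.

5. Create a standard secondary zone to implement DNS zone replication
On another DNS server, right-click "Forward Lookup Zones" -> select "New Zone" -> select "Standard secondary" -> enter "" -> enter the IP address of the primary DNS server -> select "Finish".
Synchronization can be requested manually: on the secondary DNS server, right-click the "" zone -> select "Transfer from master".
The DNS servers allowed to receive transfers can also be set: on the primary DNS server, right-click the "" zone -> select "Properties" -> select "Zone Transfers" -> tick "Allow zone transfers" and choose the hosts allowed to replicate (to any server; only to servers listed on the "Name Servers" tab; only to the following servers).
Converting the server type: right-click the zone -> select "Properties" -> click the "Change" button next to "Type" -> select the zone type to change to -> click OK.

6. Implement a caching-only DNS server
Create a DNS server without any zones -> right-click the DNS server -> select "Properties" -> select "Enable forwarders" under "Forwarders" -> enter the IP address of the forwarder -> click OK to finish.
Clearing the cache contents of the caching-only server: right-click the "DNS server" -> select "Clear cache"; or select the "DNS server" -> choose "View", Advanced in the menu -> right-click "Cached Lookups" -> select "Clear cache". (Clients clear their DNS cache with ipconfig /flushdns.)

7. DNS delegation (redirecting a subdomain)
On the original DNS server create the host "" -> right-click the zone and select "New Delegation" -> delegate the domain to that host -> on it, create a "standard forward zone" -> add the relevant host records.

8. Set dynamic update for a DNS zone
Right-click the zone on the DNS server -> select "Properties" -> under "General", set "Allow dynamic updates" to Yes -> click OK -> in the DHCP server on this machine -> right-click the DHCP server -> select "Properties" -> select "DNS" -> select "Enable updates for DNS clients that do not support dynamic update" -> on the client, use ipconfig /registerdns to update the registration information of the domain name.
Note that on the client the full computer name needs to be changed to

9. Configure the DNS client
On the client computer, open the TCP/IP properties dialog and enter the IP address of the DNS server in the DNS server address field. Up to 12 DNS servers can be configured manually.

DHCP server configuration
The DHCP service uses port 67; the predecessor of DHCP is the bootps protocol.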
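How DNS over TLS works

DNS over TLS explained

What is DNS over TLS?
DNS over TLS (DoT) is a new protocol for encrypting DNS traffic; it ensures the privacy and security of DNS queries.
By wrapping the packets of DNS queries and responses in the encrypted Transport Layer Security (TLS) protocol, DNS over TLS effectively prevents malicious interception and tampering.

DNS basics refresher
Before looking more closely at how DNS over TLS works, let us first review the basics of DNS.
DNS (Domain Name System) is an important piece of Internet infrastructure that converts easy-to-remember domain names into IP addresses.
When we visit a website in a browser, the browser sends a domain name query to a DNS server to obtain the IP address for that domain name.
The DNS server returns a response containing the IP address, and only then can the browser start its connection to the target server.

Potential threats in the DNS query process
However, the traditional DNS query process has some security and privacy problems:
1. Unencrypted communication: DNS queries and responses are normally carried over plaintext UDP or TCP connections, which leaves them exposed to eavesdropping and tampering.
2. Potential tampering: because DNS queries and responses are in plaintext, a man in the middle can modify these packets, redirecting users to malicious websites or capturing users' sensitive information.
3. Leakage of record privacy: DNS queries contain information about the user's online activity, such as the websites and applications visited, which can threaten the user's privacy.

Transport Layer Security (TLS)
TLS is an encryption protocol used to ensure the security and integrity of data in communication over the Internet.
It uses public-key cryptography and digital certificates to verify the identity of the server, and establishes a secure communication channel between client and server.

How DNS over TLS works
DNS over TLS uses the TLS protocol to encrypt DNS queries and responses.
The working process of DNS over TLS is listed below:
1. Establishing the encrypted channel: the client first performs a TLS handshake with the DNS over TLS server, exchanging encryption keys and certificates to establish the encrypted channel for secure communication.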
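The client side of the exchange described above, as an added example that is not part of the original article: it builds an RFC 1035 query, applies the two-octet length prefix that RFC 7858 requires for DNS over TLS on port 853, and opens the TLS channel with certificate and host name verification enabled. The function names are illustrative, and the server address and name passed to query_dot are supplied by the caller.

```python
import secrets
import socket
import ssl
import struct

DOT_PORT = 853  # port assigned to DNS over TLS (RFC 7858)


def encode_name(name):
    """Encode a domain name as length-prefixed labels (RFC 1035)."""
    if name in ("", "."):
        return b"\x00"
    wire = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("each label must be 1..63 octets")
        wire += bytes([len(raw)]) + raw
    if len(wire) + 1 > 255:
        raise ValueError("name longer than 255 octets")
    return wire + b"\x00"


def build_query(name, qtype=1, txid=None):
    """Build a one-question query with the RD bit set (qtype 1 = A)."""
    if txid is None:
        txid = secrets.randbits(16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame(message):
    """Prefix a DNS message with its two-octet length, as on TCP and DoT."""
    if len(message) > 0xFFFF:
        raise ValueError("DNS message too large to frame")
    return struct.pack("!H", len(message)) + message


def unframe(buffer):
    """Return (message, rest), or (None, buffer) if the frame is incomplete."""
    if len(buffer) < 2:
        return None, buffer
    (length,) = struct.unpack("!H", buffer[:2])
    if len(buffer) < 2 + length:
        return None, buffer
    return buffer[2:2 + length], buffer[2 + length:]


def check_response(query, response):
    """Reject answers that do not match the query; return the RCODE."""
    if len(response) < 12:
        raise ValueError("response shorter than a DNS header")
    rid, flags = struct.unpack("!HH", response[:4])
    if rid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F


def make_context():
    """TLS settings for the client: verify the chain and the host name."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def query_dot(server_ip, server_name, qname, timeout=5.0):
    """Send one query over DoT and return (rcode, raw response)."""
    query = build_query(qname)
    with socket.create_connection((server_ip, DOT_PORT), timeout=timeout) as tcp:
        with make_context().wrap_socket(tcp, server_hostname=server_name) as tls:
            tls.sendall(frame(query))
            buffer = b""
            while True:
                message, buffer = unframe(buffer)
                if message is not None:
                    return check_response(query, message), message
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed before a full reply")
                buffer += chunk
```

A handshake that fails certificate or host name verification raises ssl.SSLCertVerificationError before any query is sent, which is the property that defeats the man-in-the-middle case listed among the threats.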
Configuring DNS on Ruijie S2126 series switches
---
dynamic 218.66.101.146 3596
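To delete entries from the host list, use the no ip host [host-name] command. If the host-name parameter is specified, only the corresponding host is deleted; if no parameter is specified, all hosts are deleted.

Using DNS

Once the configuration above is in place, other application modules can use DNS. The switch currently supports DNS resolution for ping, traceroute and telnet. For example:

Switch#ping
Resolving host []......
Sending 5, 100-byte ICMP Echos to 218.66.101.146, timeout is 2000 milliseconds.
!!!!!
Success rate is 100 percent (5/5)
Minimum = 1ms Maximum = 1ms, Average = 1ms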
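Statically configuring host name to IP address mappings

The switch maintains a table of host names and their corresponding IP addresses, also called the host name to IP address mapping table. The contents of the table come from two sources: manual configuration and dynamic learning. Where dynamic learning is not possible, manual configuration becomes necessary.

To configure a host name to IP address mapping manually, execute the following commands in global configuration mode:

Step     Command                               Meaning
Step 1   configure terminal                    Enter global configuration mode.
Step 2   ip host host-name ip-address          Manually configure a host name to IP address mapping.
Step 3   End                                   Return to privileged mode.
Step 4   show running-config                   Display the current configuration.
Step 5   copy running-config startup-config    Save the configuration.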
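3-2-2 Secondary DNS server configuration (2)

A secondary DNS server is set up to achieve DNS load balancing: if the primary DNS server goes down, the secondary DNS server immediately takes over name resolution, and the name resolution provided by the two servers is identical.

"allow-transfer { 192.168.0.252; };" means that this zone's information may be transferred to the secondary DNS server whose IP address is 192.168.0.252.

Modify the primary server zone files ".zone" and "192.168.0.zone".

After configuring the network parameters and security parameters, installing the BIND software and configuring the secondary server's main configuration file "named.conf" as for a regular server, modify the secondary server's configuration file "named.rfc1912.zones".

After configuring the file "named.rfc1912.zones", check the owner and group of the directory "/var/named" and of its subdirectories and files. If they are not all "named", change them with a command; otherwise the zone files cannot be synchronized.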
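The DNSCL method - reply

DNSCL (Domain Name System over Cryptographic Links) is a domain name system based on encrypted links.
In traditional DNS, name resolution is transmitted in plaintext, which can lead to security problems such as man-in-the-middle attacks and data tampering.
To solve these problems, DNSCL encrypts the name resolution information in transit, improving the security and reliability of data transmission.

DNS (Domain Name System) is the system used on the Internet to resolve the mapping between domain names and IP addresses.
Through DNS, users can reach a website by its domain name without having to remember the corresponding IP address.
Beyond that, DNS is also responsible for functions such as delivering mail to the correct mail server and finding the location of resources.

The traditional DNS resolution process is as follows:
1. The user enters a domain name in the browser, for example
2. The browser sends the domain name to the local DNS server, requesting name resolution.
3. The local DNS server queries its own cache; if it holds the corresponding result, it returns it directly.
4. If the local DNS server has no cached data, it sends a request to a root DNS server.
5. The root DNS server directs the local DNS server to send a request to the top-level domain server in order to obtain the IP address of the domain's name server.
6. The local DNS server sends a request to that name server and obtains the IP address of the corresponding name server.
7. The local DNS server sends a request to the corresponding name server and obtains the IP address for the domain name.
8. The local DNS server caches the result and returns it to the user's browser, which then accesses the corresponding website by IP address.

However, all data in the process above is transmitted in plaintext and is easily eavesdropped on and tampered with by attackers.
To solve these security problems, DNSCL transmits data over encrypted links.

The DNSCL data transfer process is as follows:
1. The user enters a domain name in the browser, for example
2. The browser sends the domain name to the local DNS server over HTTPS.
3. The local DNS server encrypts the user's request with a public key and sends the encrypted data to the remote DNS server.
4. The remote DNS server decrypts the data with a private key and carries out the corresponding name resolution.
5. The remote DNS server encrypts the IP address for the domain name with a public key and sends the encrypted result to the local DNS server.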
VPN operation on H3C routers

Comware V3 Operation Manual (VPN)

Table of Contents

2.3.8 Setting the interval for sending tunnel Hello packets
2.3.9 Forcing local CHAP authentication
2.3.10 Forcing LCP renegotiation
2.3.11 Setting the local address and the address pool to allocate from
2.3.12 Setting the user name and password and configuring user authentication
2.3.13 Forcibly disconnecting an L2TP connection
2.3.14 Enabling or disabling flow control
2.4 Configuring the L2TP-based EAD function
Network Working Group                                         R. Austein
Request for Comments: 1612               Epilogue Technology Corporation
Category: Standards Track                                     J. Saperia
                                           Digital Equipment Corporation
                                                                May 1994

                      DNS Resolver MIB Extensions

Status of this Memo

This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.

Table of Contents

1. Introduction
2. The SNMPv2 Network Management Framework
2.1 Object Definitions
3. Overview
3.1 Resolvers
3.2 Name Servers
3.3 Selected Objects
3.4 Textual Conventions
4. Definitions
5. Acknowledgements
6. References
7. Security Considerations
8. Authors’ Addresses

1. Introduction

This memo defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes a set of extensions which instrument DNS resolver functions. This memo was produced by the DNS working group.

With the adoption of the Internet-standard Network Management Framework [4,5,6,7], and with a large number of vendor implementations of these standards in commercially available products, it became possible to provide a higher level of effective network management in TCP/IP-based internets than was previously available. With the growth in the use of these standards, it has become possible to consider the management of other elements of the infrastructure beyond the basic TCP/IP protocols. A key element of the TCP/IP infrastructure is the DNS.

Up to this point there has been no mechanism to integrate the management of the DNS with SNMP-based managers. This memo provides the mechanisms by which IP-based management stations can effectively manage DNS resolver software in an integrated fashion.

We have defined DNS MIB objects to be used in conjunction with the Internet MIB to allow access to and control of DNS resolver software via SNMP by the Internet community.

2. The SNMPv2 Network Management Framework

The SNMPv2 Network Management Framework consists of four major components. They are:

o RFC 1442 which defines the SMI, the mechanisms used for describing and naming objects for the purpose of management.

o STD 17, RFC 1213 defines MIB-II, the core set of managed objects for the Internet suite of protocols.

o RFC 1445 which defines the administrative and other architectural aspects of the framework.

o RFC 1448 which defines the protocol used for network access to managed objects.

The Framework permits new objects to be defined for the purpose of experimentation and evaluation.

2.1. Object Definitions

Managed objects are accessed via a virtual information store, termed the Management Information Base or MIB. Objects in the MIB are defined using the subset of Abstract Syntax Notation One (ASN.1) defined in the SMI. In particular, each object type is named by an OBJECT IDENTIFIER, an administratively assigned name. The object type together with an object instance serves to uniquely identify a specific instantiation of the object. For human convenience, we often use a textual string, termed the descriptor, to refer to the object type.

3. Overview

In theory, the DNS world is pretty simple. There are two kinds of entities: resolvers and name servers. Resolvers ask questions. Name servers answer them. The real world, however, is not so simple. Implementors have made widely differing choices about how to divide DNS functions between resolvers and servers. They have also constructed various sorts of exotic hybrids. The most difficult task in defining this MIB was to accommodate this wide range of entities without having to come up with a separate MIB for each.

We divided up the various DNS functions into two, non-overlapping classes, called "resolver functions" and "name server functions." A DNS entity that performs what we define as resolver functions contains a resolver, and therefore must implement the MIB groups required of all resolvers which are defined in this module. Some resolvers also implement "optional" functions such as a cache, in which case they must also implement the cache group contained in this MIB. A DNS entity which implements name server functions is considered to be a name server, and must implement the MIB groups required for name servers which are defined in a separate module. If the same piece of software performs both resolver and server functions, we imagine that it contains both a resolver and a server and would thus implement both the DNS Server and DNS Resolver MIBs.

3.1. Resolvers

In our model, a resolver is a program (or piece thereof) which obtains resource records from servers. Normally it does so at the behest of an application, but may also do so as part of its own operation. A resolver sends DNS protocol queries and receives DNS protocol replies. A resolver neither receives queries nor sends replies. A full service resolver is one that knows how to resolve queries: it obtains the needed resource records by contacting a server authoritative for the records desired. A stub resolver does not know how to resolve queries: it sends all queries to a local name server, setting the "recursion desired" flag to indicate that it hopes that the name server will be willing to resolve the query. A resolver may (optionally) have a cache for remembering previously acquired resource records. It may also have a negative cache for remembering names or data that have been determined not to exist.

3.2. Name Servers

A name server is a program (or piece thereof) that provides resource records to resolvers. All references in this document to "a name server" imply "the name server’s role"; in some cases the name server’s role and the resolver’s role might be combined into a single program. A name server receives DNS protocol queries and sends DNS protocol replies. A name server neither sends queries nor receives replies. As a consequence, name servers do not have caches. Normally, a name server would expect to receive only those queries to which it could respond with authoritative information. However, if a name server receives a query that it cannot respond to with purely authoritative information, it may choose to try to obtain the necessary additional information from a resolver which may or may not be a separate process.

3.3. Selected Objects

Many of the objects included in this memo have been created from information contained in the DNS specifications [1,2], as amended and clarified by subsequent host requirements documents [3]. Other objects have been created based on experience with existing DNS management tools, expected operational needs, the statistics generated by existing DNS implementations, and the configuration files used by existing DNS implementations. These objects have been ordered into groups as follows:

o Resolver Configuration Group
o Resolver Counter Group
o Resolver Lame Delegation Group
o Resolver Cache Group
o Resolver Negative Cache Group
o Resolver Optional Counter Group

This information has been converted into a standard form using the SNMPv2 SMI defined in [9]. For the most part, the descriptions are influenced by the DNS related RFCs noted above. For example, the descriptions for counters used for the various types of queries of DNS records are influenced by the definitions used for the various record types found in [2].

3.4. Textual Conventions

Several conceptual data types have been introduced as textual conventions in the DNS Server MIB document and have been imported into this MIB module. These additions will facilitate the common understanding of information used by the DNS. No changes to the SMI or the SNMP are necessary to support these conventions.

Readers familiar with MIBs designed to manage entities in the lower layers of the Internet protocol suite may be surprised at the number of non-enumerated integers used in this MIB to represent values such as DNS RR class and type numbers. The reason for this choice is simple: the DNS itself is designed as an extensible protocol, allowing new classes and types of resource records to be added to the protocol without recoding the core DNS software. Using non-enumerated integers to represent these data types in this MIB allows the MIB to accommodate these changes as well.

4. Definitions

DNS-RESOLVER-MIB DEFINITIONS ::= BEGIN

IMPORTS
    MODULE-IDENTITY, OBJECT-TYPE, IpAddress, Counter32, Integer32
        FROM SNMPv2-SMI
    TEXTUAL-CONVENTION, RowStatus, DisplayString
        FROM SNMPv2-TC
    MODULE-COMPLIANCE, OBJECT-GROUP
        FROM SNMPv2-CONF
    dns, DnsName, DnsNameAsIndex, DnsClass, DnsType, DnsQClass,
    DnsQType, DnsTime, DnsOpCode, DnsRespCode
        FROM DNS-SERVER-MIB;

-- DNS Resolver MIB

dnsResMIB MODULE-IDENTITY
    LAST-UPDATED "9401282250Z"
    ORGANIZATION "IETF DNS Working Group"
    CONTACT-INFO
            "       Rob Austein
            Postal: Epilogue Technology Corporation
                    268 Main Street, Suite 283
                    North Reading, MA 10864
                    US
               Tel: +1 617 245 0804
               Fax: +1 617 245 8122
            E-Mail: sra@

                    Jon Saperia
            Postal: Digital Equipment Corporation
                    110 Spit Brook Road
                    ZKO1-3/H18
                    Nashua, NH 03062-2698
                    US
               Tel: +1 603 881 0480
               Fax: +1 603 881 0120
            E-mail: saperia@"
    DESCRIPTION
            "The MIB module for entities implementing the client
            (resolver) side of the Domain Name System (DNS)
            protocol."
    ::= { dns 2 }

dnsResMIBObjects        OBJECT IDENTIFIER ::= { dnsResMIB 1 }

-- (Old-style) groups in the DNS resolver MIB.

dnsResConfig            OBJECT IDENTIFIER ::= { dnsResMIBObjects 1 }
dnsResCounter           OBJECT IDENTIFIER ::= { dnsResMIBObjects 2 }
dnsResLameDelegation    OBJECT IDENTIFIER ::= { dnsResMIBObjects 3 }
dnsResCache             OBJECT IDENTIFIER ::= { dnsResMIBObjects 4 }
dnsResNCache            OBJECT IDENTIFIER ::= { dnsResMIBObjects 5 }
dnsResOptCounter        OBJECT IDENTIFIER ::= { dnsResMIBObjects 6 }

-- Resolver Configuration Group

dnsResConfigImplementIdent OBJECT-TYPE
    SYNTAX      DisplayString
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "The implementation identification string for the
            resolver software in use on the system, for example;
            ‘RES-2.1’"
    ::= { dnsResConfig 1 }

dnsResConfigService OBJECT-TYPE
    SYNTAX      INTEGER { recursiveOnly(1),
                          iterativeOnly(2),
                          recursiveAndIterative(3) }
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Kind of DNS resolution service provided:

            recursiveOnly(1) indicates a stub resolver.

            iterativeOnly(2) indicates a normal full service
            resolver.

            recursiveAndIterative(3) indicates a full-service
            resolver which performs a mix of recursive and iterative
            queries."
    ::= { dnsResConfig 2 }

dnsResConfigMaxCnames OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "Limit on how many CNAMEs the resolver should allow
            before deciding that there’s a CNAME loop. Zero means
            that resolver has no explicit CNAME limit."
    REFERENCE
            "RFC-1035 section 7.1."
    ::= { dnsResConfig 3 }

-- DNS Resolver Safety Belt Table

dnsResConfigSbeltTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF DnsResConfigSbeltEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Table of safety belt information used by the resolver
            when it hasn’t got any better idea of where to send a
            query, such as when the resolver is booting or is a stub
            resolver."
    ::= { dnsResConfig 4 }

dnsResConfigSbeltEntry OBJECT-TYPE
    SYNTAX      DnsResConfigSbeltEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An entry in the resolver’s Sbelt table.
            Rows may be created or deleted at any time by the DNS
            resolver and by SNMP SET requests. Whether the values
            changed via SNMP are saved in stable storage across
            ‘reset’ operations is implementation-specific."
    INDEX     { dnsResConfigSbeltAddr,
                dnsResConfigSbeltSubTree,
                dnsResConfigSbeltClass }
    ::= { dnsResConfigSbeltTable 1 }

DnsResConfigSbeltEntry ::=
    SEQUENCE {
        dnsResConfigSbeltAddr
            IpAddress,
        dnsResConfigSbeltName
            DnsName,
        dnsResConfigSbeltRecursion
            INTEGER,
        dnsResConfigSbeltPref
            INTEGER,
        dnsResConfigSbeltSubTree
            DnsNameAsIndex,
        dnsResConfigSbeltClass
            DnsClass,
        dnsResConfigSbeltStatus
            RowStatus
    }

dnsResConfigSbeltAddr OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The IP address of the Sbelt name server identified by
            this row of the table."
    ::= { dnsResConfigSbeltEntry 1 }

dnsResConfigSbeltName OBJECT-TYPE
    SYNTAX      DnsName
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "The DNS name of a Sbelt nameserver identified by this
            row of the table. A zero-length string indicates that
            the name is not known by the resolver."
    ::= { dnsResConfigSbeltEntry 2 }

dnsResConfigSbeltRecursion OBJECT-TYPE
    SYNTAX      INTEGER { iterative(1),
                          recursive(2),
                          recursiveAndIterative(3) }
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "Kind of queries resolver will be sending to the name
            server identified in this row of the table:

            iterative(1) indicates that resolver will be directing
            iterative queries to this name server (RD bit turned
            off).

            recursive(2) indicates that resolver will be directing
            recursive queries to this name server (RD bit turned
            on).

            recursiveAndIterative(3) indicates that the resolver
            will be directing both recursive and iterative queries
            to the server identified in this row of the table."
    ::= { dnsResConfigSbeltEntry 3 }

dnsResConfigSbeltPref OBJECT-TYPE
    SYNTAX      INTEGER (0..2147483647)
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "This value identifies the preference for the name server
            identified in this row of the table. The lower the
            value, the more desirable the resolver considers this
            server."
    ::= { dnsResConfigSbeltEntry 4 }

dnsResConfigSbeltSubTree OBJECT-TYPE
    SYNTAX      DnsNameAsIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Queries sent to the name server identified by this row
            of the table are limited to those for names in the name
            subtree identified by this variable. If no such
            limitation applies, the value of this variable is the
            name of the root domain (a DNS name consisting of a
            single zero octet)."
    ::= { dnsResConfigSbeltEntry 5 }

dnsResConfigSbeltClass OBJECT-TYPE
    SYNTAX      DnsClass
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The class of DNS queries that will be sent to the server
            identified by this row of the table."
    ::= { dnsResConfigSbeltEntry 6 }

dnsResConfigSbeltStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-create
    STATUS      current
    DESCRIPTION
            "Row status column for this row of the Sbelt table."
    ::= { dnsResConfigSbeltEntry 7 }

dnsResConfigUpTime OBJECT-TYPE
    SYNTAX      DnsTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "If the resolver has a persistent state (e.g., a
            process), this value will be the time elapsed since it
            started. For software without persistant state, this
            value will be 0."
    ::= { dnsResConfig 5 }

dnsResConfigResetTime OBJECT-TYPE
    SYNTAX      DnsTime
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "If the resolver has a persistent state (e.g., a process)
            and supports a ‘reset’ operation (e.g., can be told to
            re-read configuration files), this value will be the
            time elapsed since the last time the resolver was
            ‘reset.’ For software that does not have persistence or
            does not support a ‘reset’ operation, this value will be
            zero."
    ::= { dnsResConfig 6 }

dnsResConfigReset OBJECT-TYPE
    SYNTAX      INTEGER { other(1),
                          reset(2),
                          initializing(3),
                          running(4) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "Status/action object to reinitialize any persistant
            resolver state. When set to reset(2), any persistant
            resolver state (such as a process) is reinitialized as if
            the resolver had just been started. This value will
            never be returned by a read operation. When read, one of
            the following values will be returned:
                other(1) - resolver in some unknown state;
                initializing(3) - resolver (re)initializing;
                running(4) - resolver currently running."
    ::= { dnsResConfig 7 }

-- Resolver Counters Group

-- Resolver Counter Table

dnsResCounterByOpcodeTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF DnsResCounterByOpcodeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Table of the current count of resolver queries and
            answers."
    ::= { dnsResCounter 3 }

dnsResCounterByOpcodeEntry OBJECT-TYPE
    SYNTAX      DnsResCounterByOpcodeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Entry in the resolver counter table. Entries are
            indexed by DNS OpCode."
    INDEX     { dnsResCounterByOpcodeCode }
    ::= { dnsResCounterByOpcodeTable 1 }

DnsResCounterByOpcodeEntry ::=
    SEQUENCE {
        dnsResCounterByOpcodeCode
            DnsOpCode,
        dnsResCounterByOpcodeQueries
            Counter32,
        dnsResCounterByOpcodeResponses
            Counter32
    }

dnsResCounterByOpcodeCode OBJECT-TYPE
    SYNTAX      DnsOpCode
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The index to this table. The OpCodes that have already
            been defined are found in RFC-1035."
    REFERENCE
            "RFC-1035 section 4.1.1."
    ::= { dnsResCounterByOpcodeEntry 1 }

dnsResCounterByOpcodeQueries OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Total number of queries that have sent out by the
            resolver since initialization for the OpCode which is
            the index to this row of the table."
    ::= { dnsResCounterByOpcodeEntry 2 }

dnsResCounterByOpcodeResponses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Total number of responses that have been received by the
            resolver since initialization for the OpCode which is
            the index to this row of the table."
    ::= { dnsResCounterByOpcodeEntry 3 }

-- Resolver Response Code Counter Table

dnsResCounterByRcodeTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF DnsResCounterByRcodeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Table of the current count of responses to resolver
            queries."
    ::= { dnsResCounter 4 }

dnsResCounterByRcodeEntry OBJECT-TYPE
    SYNTAX      DnsResCounterByRcodeEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Entry in the resolver response table. Entries are
            indexed by DNS response code."
    INDEX     { dnsResCounterByRcodeCode }
    ::= { dnsResCounterByRcodeTable 1 }

DnsResCounterByRcodeEntry ::=
    SEQUENCE {
        dnsResCounterByRcodeCode
            DnsRespCode,
        dnsResCounterByRcodeResponses
            Counter32
    }

dnsResCounterByRcodeCode OBJECT-TYPE
    SYNTAX      DnsRespCode
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "The index to this table. The Response Codes that have
            already been defined are found in RFC-1035."
    REFERENCE
            "RFC-1035 section 4.1.1."
    ::= { dnsResCounterByRcodeEntry 1 }

dnsResCounterByRcodeResponses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of responses the resolver has received for the
            response code value which identifies this row of the
            table."
    ::= { dnsResCounterByRcodeEntry 2 }

-- Additional DNS Resolver Counter Objects

dnsResCounterNonAuthDataResps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of requests made by the resolver for which a
            non-authoritative answer (cached data) was received."
    ::= { dnsResCounter 5 }

dnsResCounterNonAuthNoDataResps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of requests made by the resolver for which a
            non-authoritative answer - no such data response (empty
            answer) was received."
    ::= { dnsResCounter 6 }

dnsResCounterMartians OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of responses received which were received from
            servers that the resolver does not think it asked."
    ::= { dnsResCounter 7 }

dnsResCounterRecdResponses OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of responses received to all queries."
    ::= { dnsResCounter 8 }

dnsResCounterUnparseResps OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of responses received which were unparseable."
    ::= { dnsResCounter 9 }

dnsResCounterFallbacks OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of times the resolver had to fall back to its
            seat belt information."
    ::= { dnsResCounter 10 }

-- Lame Delegation Group

dnsResLameDelegationOverflows OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of times the resolver attempted to add an entry
            to the Lame Delegation table but was unable to for some
            reason such as space constraints."
    ::= { dnsResLameDelegation 1 }

-- Lame Delegation Table

dnsResLameDelegationTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF DnsResLameDelegationEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Table of name servers returning lame delegations.

            A lame delegation has occured when a parent zone
            delegates authority for a child zone to a server that
            appears not to think that it is authoritative for the
            child zone in question."
    ::= { dnsResLameDelegation 2 }

dnsResLameDelegationEntry OBJECT-TYPE
    SYNTAX      DnsResLameDelegationEntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Entry in lame delegation table. Only the resolver may
            create rows in this table. SNMP SET requests may be used
            to delete rows."
    INDEX     { dnsResLameDelegationSource,
                dnsResLameDelegationName,
                dnsResLameDelegationClass }
    ::= { dnsResLameDelegationTable 1 }

DnsResLameDelegationEntry ::=
    SEQUENCE {
        dnsResLameDelegationSource
            IpAddress,
        dnsResLameDelegationName
            DnsNameAsIndex,
        dnsResLameDelegationClass
            DnsClass,
        dnsResLameDelegationCounts
            Counter32,
        dnsResLameDelegationStatus
            RowStatus
    }

dnsResLameDelegationSource OBJECT-TYPE
    SYNTAX      IpAddress
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Source of lame delegation."
    ::= { dnsResLameDelegationEntry 1 }

dnsResLameDelegationName OBJECT-TYPE
    SYNTAX      DnsNameAsIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "DNS name for which lame delegation was received."
    ::= { dnsResLameDelegationEntry 2 }

dnsResLameDelegationClass OBJECT-TYPE
    SYNTAX      DnsClass
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "DNS class of received lame delegation."
    ::= { dnsResLameDelegationEntry 3 }

dnsResLameDelegationCounts OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "How many times this lame delegation has been received."
    ::= { dnsResLameDelegationEntry 4 }

dnsResLameDelegationStatus OBJECT-TYPE
    SYNTAX      RowStatus
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "Status column for the lame delegation table. Since only
            the agent (DNS resolver) creates rows in this table, the
            only values that a manager may write to this variable
            are active(1) and destroy(6)."
    ::= { dnsResLameDelegationEntry 5 }

-- Resolver Cache Group

dnsResCacheStatus OBJECT-TYPE
    SYNTAX      INTEGER { enabled(1), disabled(2), clear(3) }
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "Status/action for the resolver’s cache.

            enabled(1) means that the use of the cache is allowed.
            Query operations can return this state.

            disabled(2) means that the cache is not being used.
            Query operations can return this state.

            Setting this variable to clear(3) deletes the entire
            contents of the resolver’s cache, but does not otherwise
            change the resolver’s state. The status will retain its
            previous value from before the clear operation (i.e.,
            enabled(1) or disabled(2)). The value of clear(3) can
            NOT be returned by a query operation."
    ::= { dnsResCache 1 }

dnsResCacheMaxTTL OBJECT-TYPE
    SYNTAX      DnsTime
    MAX-ACCESS  read-write
    STATUS      current
    DESCRIPTION
            "Maximum Time-To-Live for RRs in this cache. If the
            resolver does not implement a TTL ceiling, the value of
            this field should be zero."
    ::= { dnsResCache 2 }

dnsResCacheGoodCaches OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of RRs the resolver has cached successfully."
    ::= { dnsResCache 3 }

dnsResCacheBadCaches OBJECT-TYPE
    SYNTAX      Counter32
    MAX-ACCESS  read-only
    STATUS      current
    DESCRIPTION
            "Number of RRs the resolver has refused to cache because
            they appear to be dangerous or irrelevant. E.g., RRs
            with suspiciously high TTLs, unsolicited root
            information, or that just don’t appear to be relevant to
            the question the resolver asked."
    ::= { dnsResCache 4 }

-- Resolver Cache Table

dnsResCacheRRTable OBJECT-TYPE
    SYNTAX      SEQUENCE OF DnsResCacheRREntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "This table contains information about all the resource
            records currently in the resolver’s cache."
    ::= { dnsResCache 5 }

dnsResCacheRREntry OBJECT-TYPE
    SYNTAX      DnsResCacheRREntry
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "An entry in the resolvers’s cache. Rows may be created
            only by the resolver. SNMP SET requests may be used to
            delete rows."
    INDEX     { dnsResCacheRRName,
                dnsResCacheRRClass,
                dnsResCacheRRType,
                dnsResCacheRRIndex }
    ::= { dnsResCacheRRTable 1 }

DnsResCacheRREntry ::=
    SEQUENCE {
        dnsResCacheRRName
            DnsNameAsIndex,
        dnsResCacheRRClass
            DnsClass,
        dnsResCacheRRType
            DnsType,
        dnsResCacheRRTTL
            DnsTime,
        dnsResCacheRRElapsedTTL
            DnsTime,
        dnsResCacheRRSource
            IpAddress,
        dnsResCacheRRData
            OCTET STRING,
        dnsResCacheRRStatus
            RowStatus,
        dnsResCacheRRIndex
            Integer32,
        dnsResCacheRRPrettyName
            DnsName
    }

dnsResCacheRRName OBJECT-TYPE
    SYNTAX      DnsNameAsIndex
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "Owner name of the Resource Record in the cache which is
            identified in this row of the table. As described in
            RFC-1034, the owner of the record is the domain name
            were the RR is found."
    REFERENCE
            "RFC-1034 section 3.6."
    ::= { dnsResCacheRREntry 1 }

dnsResCacheRRClass OBJECT-TYPE
    SYNTAX      DnsClass
    MAX-ACCESS  not-accessible
    STATUS      current
    DESCRIPTION
            "DNS class of the Resource Record in the cache which is
            identified in this row of the table."
    ::= { dnsResCacheRREntry 2 }
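An added example, not part of RFC 1612: of the objects defined above, dnsResCounterMartians, dnsResCounterUnparseResps and dnsResCacheBadCaches are the ones whose growth points at spoofed or poisoned answers reaching the resolver. The code compares two polls of those objects, allowing for Counter32 wrap-around and for a resolver restart seen through dnsResConfigUpTime; the sample values, the thresholds and the function names are assumptions, and fetching the values over SNMP is left to the caller.

```python
COUNTER32_MOD = 2 ** 32
UPTIME = "dnsResConfigUpTime"

# watched counter -> (counters forming the denominator, what a rise means)
SIGNALS = {
    "dnsResCounterMartians": (
        ("dnsResCounterRecdResponses",),
        "responses from servers the resolver does not think it asked"),
    "dnsResCounterUnparseResps": (
        ("dnsResCounterRecdResponses",),
        "responses that could not be parsed"),
    "dnsResCacheBadCaches": (
        ("dnsResCacheGoodCaches", "dnsResCacheBadCaches"),
        "RRs the cache refused as dangerous or irrelevant"),
}


def counter_delta(old, new):
    """Increase of a Counter32 between two polls, allowing one wrap."""
    for value in (old, new):
        if not 0 <= value < COUNTER32_MOD:
            raise ValueError("not a Counter32 value: %r" % (value,))
    return (new - old) % COUNTER32_MOD


def evaluate(prev, curr, max_ratio=0.01, min_events=5):
    """Compare two polls and return a list of findings (dicts).

    An uptime that went backwards means the counters restarted from
    zero, so deltas are meaningless and only the restart is reported.
    Resolvers without persistent state report uptime 0 in both polls,
    so a restart of such software is not detectable this way.
    """
    if curr[UPTIME] < prev[UPTIME]:
        return [{"object": UPTIME, "kind": "restart",
                 "detail": "resolver restarted between polls"}]
    findings = []
    for name, (denominators, meaning) in SIGNALS.items():
        events = counter_delta(prev[name], curr[name])
        if events < min_events:
            continue  # too few events to call it a trend
        total = sum(counter_delta(prev[d], curr[d]) for d in denominators)
        ratio = events / total if total else 1.0
        if ratio > max_ratio:
            findings.append({"object": name, "kind": "anomaly",
                             "events": events, "ratio": ratio,
                             "detail": meaning})
    return findings


# Constructed sample polls, five minutes apart; the received-responses
# counter wraps past 2**32 between them.
POLL_1 = {UPTIME: 86400, "dnsResCounterRecdResponses": 4294967000,
          "dnsResCounterMartians": 10, "dnsResCounterUnparseResps": 3,
          "dnsResCacheGoodCaches": 50000, "dnsResCacheBadCaches": 20}
POLL_2 = {UPTIME: 86700, "dnsResCounterRecdResponses": 704,
          "dnsResCounterMartians": 60, "dnsResCounterUnparseResps": 5,
          "dnsResCacheGoodCaches": 50900, "dnsResCacheBadCaches": 23}

if __name__ == "__main__":
    for finding in evaluate(POLL_1, POLL_2):
        print(finding)
```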