This article summarizes how an SRX Services Gateway can be used as a DNS proxy, with a configuration example, topology, and confirmation with packet captures. This feature is supported on SRX Branch series devices starting from Junos OS 12.1X44-D10.
NOTE: DNS proxy is currently not supported for SRX devices in a cluster.
Problem or Goal:
When a DNS query is resolved through the DNS proxy, the result is stored in the device's DNS cache. Subsequent queries for the same name are answered from that cache, so the client does not pay the round-trip latency to the upstream DNS server again until the cached record expires.
If a network setup requires that clients use a proxy instead of initiating DNS queries directly to a global DNS server, the SRX can be configured accordingly as the DNS proxy.
For the DNS Proxy overview and configuration instructions, see the 'Related Links' section of this article.
Below is a configuration example, including the topology, configuration, and lab output:
The PC is connected directly to the SRX interface ge-0/0/0.0.
SRX interface ge-0/0/1.0 is connected to the modem and receives its IP address via DHCP.
DNS proxy is enabled on the interface ge-0/0/0.0, so the PC uses the SRX (10.10.10.1) as its resolver.
The SRX is configured to forward these requests to the DNS server 22.214.171.124.
set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 126.96.36.199
Below is the complete lab configuration for the SRX gateway with default policy rules. It is deliberately permissive and is not a production baseline: the default security policy is permit-all, both interfaces sit in a single zone (z1) that allows all host-inbound system services and protocols, web management is enabled over plain HTTP, and the root-authentication hash is omitted from the output. The one host-inbound setting the proxy does depend on is that dns is permitted on the zone or interface where the proxy listens (here covered by system-services all). Stricter implementations can be used per customer requirements.
root@240-poe-4# show | display set
set system root-authentication encrypted-password ""
set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 188.8.131.52
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp
set security nat source rule-set rset1 from zone z1
set security nat source rule-set rset1 to zone z1
set security nat source rule-set rset1 rule r1 match source-address 0.0.0.0/0
set security nat source rule-set rset1 rule r1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone z1 host-inbound-traffic system-services all
set security zones security-zone z1 host-inbound-traffic protocols all
set security zones security-zone z1 interfaces all
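The confirmation step from the PC side, as an added example that is not part of the original article or Juniper's own tooling: it builds the same recursive A query the PC sends to ge-0/0/0.0, then parses the reply and checks that it came from the proxy address (10.10.10.1), carries the matching transaction ID, has the QR and RA bits set (the SRX is answering and offering recursion, which is what distinguishes a proxy reply from a direct upstream reply), and contains an answer. The reply bytes are constructed inline so the checks run offline; the address 198.51.100.10 is a documentation address, not a real lookup result. The query_proxy() helper performs the live exchange against the lab topology and is the only part that needs the network.

```python
import random
import socket
import struct

PROXY_IP = "10.10.10.1"   # SRX ge-0/0/0.0, the resolver address the PC is given
DNS_PORT = 53


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: "www.example.com" -> b"\x03www\x07example\x03com\x00"."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard recursive A/IN query: 12-byte header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def read_name(data: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_response(data: bytes) -> dict:
    """Parse header, question section and answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = read_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((qname, qtype, qclass))
    for _ in range(an):
        rname, off = read_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                  # A record: render as dotted quad
            rdata = socket.inet_ntoa(rdata)
        answers.append({"name": rname, "type": rtype, "ttl": ttl, "data": rdata})
    return {"txid": txid, "is_response": bool(flags & 0x8000),
            "recursion_available": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "questions": questions, "answers": answers}


def check_proxy_reply(query: bytes, reply: bytes, reply_src: str) -> list:
    """Return a list of problems; an empty list means the reply is what a working proxy sends."""
    p, problems = parse_response(reply), []
    if reply_src != PROXY_IP:
        problems.append(f"reply came from {reply_src}, not the proxy {PROXY_IP}")
    if p["txid"] != struct.unpack("!H", query[:2])[0]:
        problems.append("transaction ID mismatch")
    if not p["is_response"]:
        problems.append("QR bit not set")
    if not p["recursion_available"]:
        problems.append("proxy did not offer recursion (RA clear)")
    if p["rcode"] != 0:
        problems.append(f"rcode {p['rcode']}")
    if not p["answers"]:
        problems.append("no answer records")
    return problems


def query_proxy(name: str, proxy_ip: str = PROXY_IP, timeout: float = 3.0):
    """Live exchange with the SRX proxy from the PC; returns (query, reply, reply_source_ip)."""
    q = build_query(name, random.randint(0, 0xFFFF))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (proxy_ip, DNS_PORT))
        data, (src, _port) = s.recvfrom(4096)
    return q, data, src


# Constructed sample reply (not a real capture): txid 0x1234, flags 0x8180 (QR, RD, RA, NOERROR),
# one question, one answer whose name is the pointer 0xC00C, A 198.51.100.10, TTL 300.
SAMPLE_QUERY = build_query("www.example.com", 0x1234)
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
                + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                + socket.inet_aton("198.51.100.10"))

if __name__ == "__main__":
    print(check_proxy_reply(SAMPLE_QUERY, SAMPLE_REPLY, PROXY_IP))
```

Run check_proxy_reply() on the tuple returned by query_proxy("www.example.com") from the PC; a second query for the same name should come back noticeably faster, which is the cache at work. On the SRX itself, show system services dns dns-proxy statistics and show system services dns dns-proxy cache confirm the same thing from the gateway side, and a capture on ge-0/0/1.0 should show the forwarded query leaving with the interface's DHCP-assigned address as source (the interface source NAT rule) and only for names not already cached.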