[SRX] Configuration example - SRX Services Gateway used as a DNS proxy


Categories:
Knowledge Base ID: KB27492
Last Updated: 15 Nov 2013
Version: 3.0

Summary:

This article summarizes how an SRX Services Gateway can be used as a DNS proxy, with a configuration example, topology, and confirmation with packet captures. This feature is supported on SRX-Branch series devices starting from Junos OS 12.1X44-D10.

NOTE: DNS proxy is currently not supported for SRX devices in a cluster.

Problem or Goal:

Cause:

When a DNS query is resolved by a DNS proxy, the result is stored in the device's DNS cache. Subsequent queries for the same domain are answered from this cache, which avoids the network latency of a repeated upstream lookup.

If a network setup requires that clients use a proxy instead of sending DNS queries directly to a global DNS server, the SRX can be configured as that DNS proxy.



Solution:

For the DNS Proxy overview and configuration instructions, see the 'Related Links' section of this article.

Below is a configuration example, including the topology, configuration, and lab output:

Topology:

PC(10.10.10.2)----(10.10.10.1)SRX(192.168.1.12)----modem-----Internet

   The PC is connected directly to the SRX interface ge-0/0/0.0.

   The SRX interface ge-0/0/1.0, connected to the modem, receives its IP address via DHCP.

Configuration:

   DNS proxy is enabled on the interface ge-0/0/0.0.

   The SRX forwards the DNS requests it receives on that interface to the DNS server 4.2.2.2.

set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 4.2.2.2

Below is the complete configuration of the SRX gateway, using a permit-all default policy and fully open host-inbound traffic for the lab. Stricter policies can be applied per customer requirements.

root@240-poe-4# show | display set
set system root-authentication encrypted-password ""
set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 4.2.2.2
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp
set security nat source rule-set rset1 from zone z1
set security nat source rule-set rset1 to zone z1
set security nat source rule-set rset1 rule r1 match source-address 0.0.0.0/0
set security nat source rule-set rset1 rule r1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone z1 host-inbound-traffic system-services all
set security zones security-zone z1 host-inbound-traffic protocols all
set security zones security-zone z1 interfaces all

Lab Output:

Ethernet Adapter Settings:

Ethernet adapter Local Area Connection:


Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Networking Controller
Physical Address. . . . . . . . . : 00-1F-16-F5-B9-D9
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::21f:16ff:fef5:b9d9%4
Default Gateway . . . . . . . . . : 10.10.10.1
DNS Servers . . . . . . . . . . . : 10.10.10.1

Query from the PC:

Response from SRX to PC:
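As an added example (not part of the KB article), the following Python script reproduces the exchange the packet captures above document: it builds the A query the PC sends to its configured DNS server 10.10.10.1 (the SRX proxy) and decodes the reply the proxy returns. Only the standard library is used. The reply bytes, the transaction id, and the answer address 192.0.2.1 are constructed for the example; `resolve_via_proxy` only works on the lab topology shown above.

```python
"""Added example (not from the Juniper KB): build the DNS query a client
sends to the SRX DNS proxy and decode the proxy's reply, using only the
standard library. The proxy address (10.10.10.1) comes from the article;
the sample reply bytes and answer address are constructed."""
import socket
import struct

PROXY_ADDR = "10.10.10.1"   # SRX ge-0/0/0.0, the client's configured DNS server


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query (QTYPE=1, QCLASS=IN) for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; returns (name, next_offset)."""
    labels, jumped, next_off = [], False, None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # RFC 1035 compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                next_off = offset + 2
            offset, jumped = pointer, True
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (next_off if jumped else offset)


def parse_response(msg: bytes) -> dict:
    """Return txid, rcode and the A-record answers carried in a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response (QR bit clear)")
    offset = 12
    for _ in range(qd):                         # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4                             # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, offset = _read_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1:          # A record, class IN
            answers.append({"name": name, "ttl": ttl,
                            "address": socket.inet_ntoa(rdata)})
    return {"txid": txid, "rcode": flags & 0x000F, "answers": answers}


def resolve_via_proxy(name: str, proxy: str = PROXY_ADDR, timeout: float = 3.0) -> dict:
    """Send the query over UDP/53 to the SRX proxy and decode its reply (lab network only)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (proxy, 53))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    # A reply whose transaction id does not match our query is not ours.
    if result["txid"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: reply does not match our query")
    return result


# Constructed reply, shaped like what the proxy returns for an A query on
# example.com: same txid, flags QR=1 RD=1 RA=1, one answer whose name is a
# compression pointer to offset 12, TTL 300, address 192.0.2.1 (constructed).
SAMPLE_REPLY = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + build_query("example.com")[12:]
    + struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
    + socket.inet_aton("192.0.2.1")
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
```

On the lab PC, `resolve_via_proxy("example.com")` sends the same query the capture shows and returns the proxy's answer; a second call for the same name is served from the SRX cache, which is the behaviour described under Cause above.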

Purpose:
Configuration
Implementation
Troubleshooting

Related Links:

Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.