Juniper firewall sends DNS queries for NTP server IP address. Juniper will not qualify the hostname for NTP server even though domain name is configured.
Problem or Goal:
When you force an NTP update with the command "exec ntp update", the clock on the firewall gets updated, but the firewall sends an unnecessary DNS query for the IP address of the NTP server. This can be verified by checking the DNS cache in the firewall. There will be an entry for unresolved addresses with the command:get dns host cache
When you configure the firewall with a Domain name (i.e. test.com) and configure the hostname for NTP server such as "ns01", the firewall doesn't automatically qualify the hostname. It just sends a DNS query for "ns01" instead of "ns01.test.com".
1. Unnecessary DNS query for the NTP server IP address should be stopped. This behavior is fixed in ScreenOS 5.4.0r3a and above.
2. For the NTP server, configure the FQDN instead of just the hostname.