[ScreenOS] Configure DNS Proxy in the Juniper firewall



Article ID: KB20555   KB Last Updated: 14 Nov 2017   Version: 2.0

This article provides an example on how to configure DNS Proxy on the Juniper firewall.


  • DNS server IP address configured on the ScreenOS firewall
  • Client PCs point their DNS server setting at the firewall
  • Debug the traffic to see how it is being forwarded


  • Configure local PCs to use the ScreenOS firewall as its DNS server
  • Use the ScreenOS firewall as DNS proxy


When the ScreenOS firewall is configured as DNS-Proxy, it redirects the DNS queries to the DNS servers configured on the ScreenOS firewall.

Configuration on Firewall:


DNS Lookup:

The firewall is configured as a DNS proxy. For that, the "DNS proxy" feature needs to be enabled on the trust interface of the firewall.

set interface eth0/0 zone trust
set interface eth0/0 ip
set interface eth0/2 zone untrust
set interface eth0/2 ip
set dns proxy
set dns proxy enable
set dns server-select domain * outgoing-interface ethernet0/2 primary-server secondary-server failover
set interface eth0/0 proxy dns
set policy id 5 from "Trust" to "Untrust" "Any-IPv4" "Any-IPv4" "DNS" permit

Domain * - you can specify, in the firewall, the domain name for which you want the firewall to send the query to a specific DNS server. Here "*" stands for all domains.

Verifying the setup:

Check the policy logs of the firewall to see whether the DNS packets are being sent out. The DNS proxy debug output will also show the firewall proxying the DNS queries:

## 2010-01-26 16:11:02 : Proxy: Processing request from client port 62625
## 2010-01-26 16:11:02 : Proxy: Host name for lookup is type 28
## 2010-01-26 16:11:02 : Proxy: Looking up best match
## 2010-01-26 16:11:02 : Proxy: New best match len id 1
## 2010-01-26 16:11:02 : Proxy: Selecting primary
## 2010-01-26 16:11:02 : Proxy: DNS socket send returned 0 for server
## 2010-01-26 16:11:02 : Proxy: new socket being set 444 to server
## 2010-01-26 16:11:03 : Proxy: DNS socket receive 112 bytes from server

If the DNS queries are not getting resolved, check connectivity from the firewall to the DNS server configured on it. Another possible cause is latency in the reply from the DNS server.
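The debug output above is easier to read when the lines are grouped per client request and each request is classified as answered, slow, or unanswered. The following Python script is an added example, not part of the article or of ScreenOS; it parses the "## timestamp : Proxy: ..." line format shown above and uses a constructed sample made of the article's eight lines plus a second, made-up query that is forwarded to the server but never answered (the "no reply" case the article attributes to connectivity or latency problems). The meaning of "send returned 0" as a successful forward is assumed from the sample.

```python
import re
from datetime import datetime

# One "## <timestamp> : Proxy: <message>" line of ScreenOS DNS proxy debug output.
LINE_RE = re.compile(r"^##\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+:\s+Proxy:\s+(.*)$")
REQ_RE = re.compile(r"Processing request from client port (\d+)")
SEND_RE = re.compile(r"DNS socket send returned (-?\d+) for server")
RECV_RE = re.compile(r"DNS socket receive (\d+) bytes from server")

# Constructed sample: the eight lines from the article (one answered query)
# followed by a made-up second client query that is forwarded but never answered.
SAMPLE_DEBUG = """\
## 2010-01-26 16:11:02 : Proxy: Processing request from client port 62625
## 2010-01-26 16:11:02 : Proxy: Host name for lookup is type 28
## 2010-01-26 16:11:02 : Proxy: Looking up best match
## 2010-01-26 16:11:02 : Proxy: New best match len id 1
## 2010-01-26 16:11:02 : Proxy: Selecting primary
## 2010-01-26 16:11:02 : Proxy: DNS socket send returned 0 for server
## 2010-01-26 16:11:02 : Proxy: new socket being set 444 to server
## 2010-01-26 16:11:03 : Proxy: DNS socket receive 112 bytes from server
## 2010-01-26 16:11:05 : Proxy: Processing request from client port 62626
## 2010-01-26 16:11:05 : Proxy: Host name for lookup is type 1
## 2010-01-26 16:11:05 : Proxy: Selecting primary
## 2010-01-26 16:11:05 : Proxy: DNS socket send returned 0 for server
"""


def parse_events(text):
    """Return (timestamp, message) pairs for every recognised debug line."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def summarize_requests(text, max_latency=2.0):
    """Group debug events by client request and classify each one.

    status is "ok" (reply received within max_latency seconds), "slow"
    (reply received later than that) or "no reply" (no bytes received from
    the server). "no reply" is the case to investigate first: connectivity
    from the firewall to the configured DNS server, or a server that is
    too slow to answer before the client gives up.
    """
    requests = []
    current = None
    for ts, msg in parse_events(text):
        m = REQ_RE.search(msg)
        if m:
            current = {"client_port": int(m.group(1)), "start": ts,
                       "send_rc": None, "reply_bytes": None, "latency": None}
            requests.append(current)
            continue
        if current is None:
            continue  # server-side chatter before any client request; ignore
        m = SEND_RE.search(msg)
        if m:
            # Assumption: 0 means the query was handed to the server socket successfully.
            current["send_rc"] = int(m.group(1))
            continue
        m = RECV_RE.search(msg)
        if m:
            current["reply_bytes"] = int(m.group(1))
            current["latency"] = (ts - current["start"]).total_seconds()
    for r in requests:
        if r["reply_bytes"] is None:
            r["status"] = "no reply"
        elif r["latency"] > max_latency:
            r["status"] = "slow"
        else:
            r["status"] = "ok"
    return requests


if __name__ == "__main__":
    for r in summarize_requests(SAMPLE_DEBUG):
        print(f"client port {r['client_port']}: {r['status']}"
              f" (latency={r['latency']}, reply_bytes={r['reply_bytes']})")
```

Run it against captured debug output instead of SAMPLE_DEBUG to get one line per client query; a run of "no reply" entries with send_rc 0 means the firewall forwarded the queries but the configured server never answered, which is the connectivity check the article recommends. Lower max_latency to flag a server that answers but slowly.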

Reverse DNS Lookup

A reverse DNS lookup converts an IP address to a host name; it is commonly used to identify the domain of the sender of a spam email. Depending on its configuration, the DNS proxy would in turn redirect such DNS queries to the specified DNS servers. A PTR record (sometimes called a "host PTR record", RFC 1035) is what lets someone perform a "reverse" DNS lookup: they have your IP address and want to know what your host or domain is.

Reverse DNS lookup will not happen when the ScreenOS Firewall is acting as a DNS Proxy. It is not supported.

Modification History:
2017-Nov-02: Article reviewed for accuracy. No changes made. Article is correct and complete.

