
[SRX] Configuration example - SRX Services Gateway used as a DNS proxy

  [KB27492]


Summary:

This article summarizes how an SRX Services Gateway can be used as a DNS proxy, with a configuration example, topology, and confirmation with packet captures.

This feature is supported on the following SRX platforms, starting from the Junos OS release listed:
  • SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650 - From 12.1X44-D10
  • SRX300, SRX320, SRX340, SRX345 - From 15.1X49-D35
  • SRX550HM, SRX1500 - From 15.1X49-D30
  • SRX4100, SRX4200 - From 15.1X49-D65
  • vSRX - From 12.1X46-D10 [Dynamic DNS (DDNS) is not supported]

Note: DNS proxy is supported on branch and mid-range SRX devices in a chassis cluster. Cache entries are not synchronized to the backup Routing Engine, so after a redundancy group 0 (RG0) failover the new primary starts with an empty cache and has to re-learn it: queries are forwarded to the configured forwarders until the cache is repopulated.

Cause:

When a DNS query is resolved by the DNS proxy, the result is stored in the device's DNS cache. Subsequent queries for the same name are answered from this cache until the record's TTL expires, without a round trip to the forwarder, so clients do not pay the resolution latency again.

If the network design requires that clients send their DNS queries to a local proxy instead of directly to an external DNS server, the SRX can be configured as that proxy.

Solution:

For the DNS Proxy overview and configuration instructions, see the 'Related Links' section of this article.

Below is a configuration example, including the topology, the configuration, and the lab output:

Topology

PC(10.10.10.2)----(10.10.10.1)SRX(192.168.1.12)----modem-----Internet

   The PC is connected directly to SRX interface ge-0/0/0.0 and uses the SRX address 10.10.10.1 as its default gateway and DNS server.

   SRX interface ge-0/0/1.0 is connected to the modem and receives its IP address via DHCP.

Configuration

   DNS proxy is enabled on interface ge-0/0/0.0, so the SRX answers DNS queries that arrive on that interface.

   Queries for any domain (default-domain *) that are not already cached are forwarded to the DNS server 4.2.2.2.

set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 4.2.2.2

Below is the complete lab configuration. It is deliberately permissive so that the DNS proxy behaviour can be reproduced with minimal setup: both interfaces sit in the single zone z1, the default policy permits all traffic, every system service is allowed inbound on all interfaces (including the Internet-facing ge-0/0/1.0, which makes the J-Web HTTP/HTTPS management enabled here reachable from the modem side), and root has an empty encrypted password. Stricter implementations should be used per customer requirements: put ge-0/0/1.0 in a separate untrust zone, allow only the dns system service (and whatever the WAN side genuinely needs, such as dhcp) as host-inbound traffic, set a root password, and replace permit-all with explicit policies. The DNS proxy itself only listens on the interface it is bound to, so binding it to the client-facing interface is what keeps it from acting as an open resolver.

root@240-poe-4# show | display set
set system root-authentication encrypted-password ""
set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 4.2.2.2
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp
set security nat source rule-set rset1 from zone z1
set security nat source rule-set rset1 to zone z1
set security nat source rule-set rset1 rule r1 match source-address 0.0.0.0/0
set security nat source rule-set rset1 rule r1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone z1 host-inbound-traffic system-services all
set security zones security-zone z1 host-inbound-traffic protocols all
set security zones security-zone z1 interfaces all
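The review in the paragraph above, done mechanically: the following script is an added example (not code from the KB article or from Juniper) that parses a `show | display set` dump and reports the DNS-proxy reachability and exposure problems a reviewer would otherwise check by eye. It handles both the zone-wide and the per-interface `host-inbound-traffic` scopes. `LAB_CONFIG` is the article's lab configuration above with the NAT lines left out (the checks ignore them); `HARDENED` is a hypothetical split-zone rewrite of it; the `EXPOSED` service list, the `untrusted` interface set, and all function names are this example's own assumptions.

```python
import shlex

# Constructed sample: the article's lab configuration above, NAT rule-set lines omitted.
LAB_CONFIG = """\
set system root-authentication encrypted-password ""
set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 4.2.2.2
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp
set security policies default-policy permit-all
set security zones security-zone z1 host-inbound-traffic system-services all
set security zones security-zone z1 host-inbound-traffic protocols all
set security zones security-zone z1 interfaces all
"""

# Constructed, hypothetical split-zone version (policies and NAT omitted; the checks ignore them).
HARDENED = """\
set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders 4.2.2.2
set interfaces ge-0/0/0 unit 0 family inet address 10.10.10.1/24
set interfaces ge-0/0/1 unit 0 family inet dhcp
set security zones security-zone trust host-inbound-traffic system-services dns
set security zones security-zone trust interfaces ge-0/0/0.0
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services dhcp
"""

# System services that should not be reachable from an untrusted network (assumption for this example).
EXPOSED = {"all", "dns", "http", "https", "telnet", "ftp"}


def parse_set_config(text):
    """Tokenise each 'set ...' line; shlex keeps a quoted value such as "" as one token."""
    return [shlex.split(ln)[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def _starts(stmt, *prefix):
    return stmt[:len(prefix)] == list(prefix)


def zone_membership(stmts):
    """Map logical interface -> zone; 'interfaces all' claims every configured unit."""
    units = {f"{s[1]}.{s[3]}" for s in stmts if _starts(s, "interfaces") and len(s) > 3 and s[2] == "unit"}
    zones = {}
    for s in stmts:
        if _starts(s, "security", "zones", "security-zone") and len(s) > 5 and s[4] == "interfaces":
            for unit in (units if s[5] == "all" else [s[5]]):
                zones[unit] = s[3]
    return zones


def inbound_services(stmts):
    """Allowed host-inbound system-services, keyed by zone or by (zone, interface)."""
    svc = {}
    for s in stmts:
        if not _starts(s, "security", "zones", "security-zone"):
            continue
        if len(s) > 6 and s[4:6] == ["host-inbound-traffic", "system-services"]:
            svc.setdefault(s[3], set()).add(s[6])  # zone-wide scope
        elif len(s) > 8 and s[4] == "interfaces" and s[6:8] == ["host-inbound-traffic", "system-services"]:
            svc.setdefault((s[3], s[5]), set()).add(s[8])  # per-interface scope
    return svc


def audit(text, untrusted):
    """Return findings (empty list = all checks passed); 'untrusted' names the Internet-facing units."""
    stmts = parse_set_config(text)
    zones, svcs = zone_membership(stmts), inbound_services(stmts)

    def allowed(unit):  # zone-wide and per-interface allowances both apply
        return svcs.get(zones.get(unit), set()) | svcs.get((zones.get(unit), unit), set())

    proxy_units = [s[5] for s in stmts if _starts(s, "system", "services", "dns", "dns-proxy", "interface")]
    forwarders = [s[7] for s in stmts if _starts(s, "system", "services", "dns", "dns-proxy", "default-domain")
                  and len(s) > 7 and s[6] == "forwarders"]
    findings = []
    if not proxy_units:
        findings.append("dns-proxy is not bound to any interface")
    if not forwarders:
        findings.append("dns-proxy has no forwarders for default-domain *")
    for unit in proxy_units:  # the proxy must be reachable from the clients it serves
        if unit not in zones:
            findings.append(f"dns-proxy interface {unit} belongs to no security zone")
        elif not allowed(unit) & {"all", "dns"}:
            findings.append(f"zone {zones[unit]} does not admit dns on {unit}; clients cannot reach the proxy")
    for unit in sorted(untrusted):  # nothing sensitive should face the Internet
        exposed = allowed(unit) & EXPOSED
        if exposed:
            findings.append(f"untrusted interface {unit} (zone {zones.get(unit)}) admits system-services {sorted(exposed)}")
        if unit in proxy_units:
            findings.append(f"dns-proxy listens on untrusted interface {unit}: open resolver")
    if any(_starts(s, "security", "policies", "default-policy", "permit-all") for s in stmts):
        findings.append("default-policy permit-all: inter-zone traffic is not filtered")
    if any(_starts(s, "system", "root-authentication", "encrypted-password", "") for s in stmts):
        findings.append("root-authentication encrypted-password is empty")
    return findings


if __name__ == "__main__":
    for name, cfg in (("lab", LAB_CONFIG), ("hardened", HARDENED)):
        print(name, audit(cfg, {"ge-0/0/1.0"}) or "no findings")
```

Run against the lab configuration with ge-0/0/1.0 declared untrusted it reports three findings (all services admitted on the WAN-side interface, permit-all, empty root password); the split-zone variant reports none, because dns is admitted only on the trust zone and the untrust interface admits nothing but dhcp. Feed it the output of `show configuration | display set` from a real device to review a production box.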

Lab Output

PC network settings (ipconfig /all on the PC; note that the DNS server is the SRX address 10.10.10.1):

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Networking Controller
Physical Address. . . . . . . . . : 00-1F-16-F5-B9-D9
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 10.10.10.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : fe80::21f:16ff:fef5:b9d9%4
Default Gateway . . . . . . . . . : 10.10.10.1
DNS Servers . . . . . . . . . . . : 10.10.10.1


Query from the PC (packet capture; the PC sends the query to 10.10.10.1):

Response from SRX to PC (packet capture; the SRX answers from 10.10.10.1 with the result it obtained from 4.2.2.2):

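What to look for in those two captures, as an added example (not code from the article or from Juniper): the script builds the query a stub resolver on the PC sends, constructs the reply a caching proxy returns (a constructed A record for example.com pointing at the documentation address 192.0.2.1), decodes both, and checks the things the capture pair should show: the reply carries the same transaction ID and echoes the question (that is how the client matches replies, and why a mismatched ID is an unrelated or spoofed packet), the QR and RA bits are set, the rcode is NOERROR, and at least one answer is present. `resolve_via()` sends a real query to a proxy such as the SRX at 10.10.10.1 when the lab network is available; everything else runs offline. All function names are this example's own.

```python
import random
import socket
import struct


def encode_name(name):
    """DNS wire form of a hostname: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name, txid=None, qtype=1):
    """The datagram a stub resolver sends: 12-byte header with RD set, one question, nothing else."""
    txid = random.randrange(0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100: RD only
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def build_response(query, ip, ttl=300):
    """Constructed reply as a caching proxy would send it: same id and question, QR|RD|RA, one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the question name at offset 12
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def read_name(data, off):
    """Decode a possibly compressed name; returns (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # pointer: remember where the field ended, then follow it
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_message(data):
    """Header flags plus question and answer sections (A rdata rendered as a dotted quad)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(data, off)
        qtype, qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        answers.append((name, rtype, ttl, socket.inet_ntoa(rdata) if rtype == 1 and rdlen == 4 else rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "questions": questions, "answers": answers}


def check_exchange(query, response):
    """What the two captures should show; returns the list of discrepancies (empty = consistent)."""
    q, r = parse_message(query), parse_message(response)
    problems = []
    if r["id"] != q["id"]:
        problems.append("transaction id mismatch (unrelated or spoofed reply)")
    if r["questions"] != q["questions"]:
        problems.append("question section not echoed")
    if not r["qr"]:
        problems.append("QR bit clear: not a response")
    if not r["ra"]:
        problems.append("RA bit clear: responder does not offer recursion")
    if r["rcode"] != 0:
        problems.append(f"rcode {r['rcode']} (0 expected)")
    if not r["answers"]:
        problems.append("no answer records")
    return problems


def resolve_via(server, name, timeout=2.0):
    """Live check against a proxy such as the SRX at 10.10.10.1 (needs the lab network)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        response, _ = sock.recvfrom(4096)
    return check_exchange(query, response), parse_message(response)["answers"]


if __name__ == "__main__":
    q = build_query("example.com", txid=0x1234)
    r = build_response(q, "192.0.2.1")  # constructed answer, documentation address
    print(parse_message(r), check_exchange(q, r))
```

On the lab topology, `resolve_via("10.10.10.1", "example.com")` should return an empty problem list and the A record the SRX obtained from 4.2.2.2; a second call for the same name is answered from the SRX cache and the capture on ge-0/0/1.0 shows no forwarded query for it.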
 
Modification History:

2017-11-23: Added the other SRX platforms that support this feature and the Junos OS release in which support was introduced.

2017-06-25: Updated the note in Summary section.

Related Links: