
[SRX] Configuration example - SRX Services Gateway used as a DNS proxy



Article ID: KB27492 KB Last Updated: 07 Dec 2017 Version: 6.0

This article summarizes how an SRX Services Gateway can be used as a DNS proxy, with a configuration example, topology, and confirmation with packet captures.

This feature is supported on SRX devices starting from the following Junos OS versions:
  • SRX100, SRX110, SRX210, SRX220, SRX240, SRX550, SRX650 - From 12.1X44-D10
  • SRX300, SRX320, SRX340, SRX345 - From 15.1X49-D35
  • SRX550HM, SRX1500 - From 15.1X49-D30
  • SRX4100, SRX4200 - From 15.1X49-D65
  • vSRX - From 12.1X46-D10 [Dynamic DNS (DDNS) is not supported]

Note: DNS proxy is supported for Branch and Mid-range SRX devices in a cluster. However, the cache entries are not synced to the backup RE, so during an RG-0 failover the new RE will need to re-learn the cache.


When a DNS query is resolved by a DNS proxy, the result is stored in the device's DNS cache. This cache helps the device resolve subsequent queries from the same domain and avoids network latency.

If a network setup requires that clients use a proxy instead of sending DNS queries directly to a global DNS server, the SRX can be configured as the DNS proxy.


For the DNS Proxy overview and configuration instructions, see the 'Related Links' section of this article.

Below is a configuration example, including the topology, configuration, and lab output:



   PC is connected directly to the SRX interface ge-0/0/0.0

   SRX interface ge-0/0/1.0 connected to modem receives an IP via DHCP


   DNS proxy has been enabled on the interface ge-0/0/0.0.

   SRX is configured to forward these requests to the DNS server

set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders

Below is the complete configuration for the SRX gateway with default policy rules. Stricter implementations can be used per customer requirements.

root@240-poe-4# show | display set
set system root-authentication encrypted-password ""
set system services dns dns-proxy interface ge-0/0/0.0
set system services dns dns-proxy default-domain * forwarders
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces ge-0/0/0 unit 0 family inet address
set interfaces ge-0/0/1 unit 0 family inet dhcp
set security nat source rule-set rset1 from zone z1
set security nat source rule-set rset1 to zone z1
set security nat source rule-set rset1 rule r1 match source-address
set security nat source rule-set rset1 rule r1 then source-nat interface
set security policies default-policy permit-all
set security zones security-zone z1 host-inbound-traffic system-services all
set security zones security-zone z1 host-inbound-traffic protocols all
set security zones security-zone z1 interfaces all
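
The lab configuration above puts every interface in zone z1 with all host-inbound services allowed, so those settings also apply to the modem-facing interface. As an added example (not Juniper's code and not part of the original article), the Python script below flags these permissive statements in `show | display set` output; the function name `audit` and the finding texts are assumptions, and the sample input is a subset of the listing above.

```python
import re

# Subset of the page's "show | display set" listing; statements whose address
# values are elided on the page are left out, the checks do not need them.
PAGE_CONFIG = """\
set system services dns dns-proxy interface ge-0/0/0.0
set system services web-management http
set system services web-management https system-generated-certificate
set interfaces ge-0/0/1 unit 0 family inet dhcp
set security policies default-policy permit-all
set security zones security-zone z1 host-inbound-traffic system-services all
set security zones security-zone z1 host-inbound-traffic protocols all
set security zones security-zone z1 interfaces all
"""

def audit(config):
    """Return findings for permissive statements in set-style Junos config."""
    findings, zones = [], {}
    proxy_ifs, dhcp_ifs = set(), set()
    for line in (raw.strip() for raw in config.splitlines()):
        if line == "set security policies default-policy permit-all":
            findings.append("default-policy permit-all")
        elif line == "set system services web-management http":
            findings.append("web-management http (J-Web without TLS)")
        elif m := re.fullmatch(r"set system services dns dns-proxy interface (\S+)", line):
            proxy_ifs.add(m[1])
        elif m := re.fullmatch(r"set interfaces (\S+) unit (\d+) family inet dhcp", line):
            dhcp_ifs.add(f"{m[1]}.{m[2]}")  # upstream interface addressed by DHCP
        elif m := re.match(r"set security zones security-zone (\S+) (.*)", line):
            zone = zones.setdefault(m[1], {"ifs": set(), "open": set()})
            if i := re.match(r"interfaces (\S+)", m[2]):
                zone["ifs"].add(i[1])
            # Matches zone-level and per-interface "host-inbound-traffic ... all".
            if h := re.search(r"host-inbound-traffic (\S+) all$", m[2]):
                zone["open"].add(h[1])
    for name, zone in sorted(zones.items()):
        for kind in sorted(zone["open"]):
            findings.append(f"zone {name}: host-inbound-traffic {kind} all")
        # "interfaces all" puts every interface, LAN and upstream, in this zone.
        def holds(ifs):
            return "all" in zone["ifs"] or bool(ifs & zone["ifs"])
        if proxy_ifs and dhcp_ifs and holds(proxy_ifs) and holds(dhcp_ifs):
            findings.append(f"zone {name}: DNS-proxy and DHCP-addressed interfaces share a zone")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_CONFIG):
        print("FINDING:", finding)
```

A configuration that splits the two interfaces into separate zones, allows only `dns` host-inbound on the proxy interface, and uses `default-policy deny-all` produces no findings.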

Lab Output

Ethernet Adapter Settings:

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce 10/100/1000 Mbps Networking Controller
Physical Address. . . . . . . . . : 00-1F-16-F5-B9-D9
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . :
Subnet Mask . . . . . . . . . . . :
IP Address. . . . . . . . . . . . : fe80::21f:16ff:fef5:b9d9%4
Default Gateway . . . . . . . . . :
DNS Servers . . . . . . . . . . . :


Query from the PC


Response from SRX to PC:

Modification History:

2017-11-23: Added other SRX platforms that support this feature and the Junos version that support was introduced in.

2017-06-25: Updated the note in Summary section.

Related Links
