
[SRX] Example: Configuring DNS proxy for clients in a custom routing instance


Article ID: KB34039 KB Last Updated: 01 Mar 2021Version: 2.0
Summary:

This article discusses how to achieve DNS proxy functionality when clients are behind a custom routing instance.

 

Cause:

Clients behind a custom routing instance need to use the SRX device as their DNS proxy. No interface in the custom routing instance can be used as the DNS proxy interface, because the SRX device cannot source DNS queries from a routing instance of type virtual-router (VR).

Name resolution also does not work for the SRX device if the DNS server is reachable only via a Virtual Router (VR).

 

Solution:

Starting from Junos OS 15.1X49-D130, DNS proxy can be achieved for clients behind a custom routing instance by using a loopback interface in the default routing instance.

The following example setup shows how this can be done:

  • In this setup, user traffic enters the SRX device through a custom routing instance.

  • The SRX device is configured as a DNS proxy that forwards to the DNS server 10.215.194.50, which is reachable via the fxp0 interface.

  • Because the SRX device can only listen on an interface in its default routing instance, a loopback interface (lo0) is configured as the DNS proxy interface.

 

Topology

DNS server (10.215.194.50) ---- fxp0 [SRX-B] ge-0/0/5 (routing instance dns-1) ------------ ge-0/0/5 [SRX-A, which acts as the client]

 

Here, the DNS request originates from 172.20.1.2, the client machine (SRX-A), which is connected to ge-0/0/5 of SRX-B. The destination IP address of the request is the lo0 address of SRX-B (192.168.168.1). When the request reaches SRX-B, it is forwarded over fxp0 to the DNS server (10.215.194.50).

 

Configuring DNS Proxy on SRX-B

SRX-B

DNS proxy is configured on the lo0 interface, which enables the SRX device to forward requests to the DNS server 10.215.194.50. See KB15656 - SRX Getting Started - Configure DNS and KB27492 - [SRX] Configuration example - SRX Services Gateway used as a DNS proxy for additional details. 

set system services dns dns-proxy interface lo0.0
set system services dns dns-proxy default-domain * forwarders 10.215.194.50
 

Complete configuration on SRX-B

set interfaces ge-0/0/5 unit 0 family inet address 172.20.1.1/24
set routing-instances dns-1 interface ge-0/0/5.0
set routing-instances dns-1 instance-type virtual-router
set security zones security-zone dns-p interfaces ge-0/0/5.0 host-inbound-traffic system-services all
set security zones security-zone dns-p interfaces ge-0/0/5.0 host-inbound-traffic protocols all
set interfaces lo0 unit 0 family inet address 192.168.168.1/32
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic protocols all
set security policies default-policy permit-all
set routing-options static route 0.0.0.0/0 next-hop 10.219.17.65
set routing-options static route 172.20.1.0/24 next-table dns-1.inet.0
set policy-options policy-statement dnsproxy term 1 from instance master
set policy-options policy-statement dnsproxy term 1 from route-filter 10.219.17.75/32 exact
set policy-options policy-statement dnsproxy term 1 then accept
set policy-options policy-statement dnsproxy term lo0 from instance master
set policy-options policy-statement dnsproxy term lo0 from route-filter 192.168.168.1/32 exact
set policy-options policy-statement dnsproxy term lo0 then accept
set policy-options policy-statement dnsproxy term 2 then reject
set routing-instances dns-1 routing-options instance-import dnsproxy
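To make the effect of the instance-import policy concrete, here is an added Python model (not from the article or from Juniper) of how the dnsproxy policy above is evaluated against routes in the master instance. It assumes simplified Junos policy semantics (terms in order, a term matches only when all of its from conditions match, the first matching terminating action wins, and only the exact and orlonger route-filter match types are modelled) and uses a constructed list of master routes; the 10.219.17.64/26 prefix in that list is an assumed fxp0 subnet, not something the article states. The point it demonstrates: only the lo0 address 192.168.168.1/32 and the 10.219.17.75/32 host route are leaked into dns-1.inet.0, so clients in the custom routing instance get a path to the DNS proxy listener without inheriting the default route or any other master route.

```python
from ipaddress import ip_network

# Simplified model of the SRX-B instance-import policy "dnsproxy" from this
# article: terms are evaluated in order, a term matches only if all of its
# "from" conditions match, and the first matching accept/reject decides.
# Term 2 has no "from" clause, so it matches every remaining route.
DNSPROXY_POLICY = [
    {"name": "1",   "instance": "master", "route_filter": ("10.219.17.75/32", "exact"),  "action": "accept"},
    {"name": "lo0", "instance": "master", "route_filter": ("192.168.168.1/32", "exact"), "action": "accept"},
    {"name": "2",   "instance": None,     "route_filter": None,                          "action": "reject"},
]

# Constructed candidate routes as (source instance, prefix). The master
# routes follow the SRX-B configuration above; the fxp0 subnet is an assumed
# value for illustration, not something the article states.
MASTER_ROUTES = [
    ("master", "0.0.0.0/0"),          # default route via 10.219.17.65
    ("master", "192.168.168.1/32"),   # lo0.0, the DNS proxy listener
    ("master", "172.20.1.0/24"),      # static route pointing at dns-1.inet.0
    ("master", "10.219.17.75/32"),    # host route accepted by term 1
    ("master", "10.219.17.64/26"),    # assumed fxp0 subnet (illustrative only)
]


def route_filter_matches(prefix, route, match_type):
    """Route-filter semantics for the two match types modelled here
    (assumption: only 'exact' and 'orlonger' are supported by this model)."""
    pfx, rt = ip_network(prefix), ip_network(route)
    if match_type == "exact":
        return rt == pfx
    if match_type == "orlonger":
        return rt.subnet_of(pfx)
    raise ValueError(f"unsupported route-filter match type: {match_type}")


def term_matches(term, source_instance, route):
    """A term matches only when every configured 'from' condition matches."""
    if term["instance"] is not None and term["instance"] != source_instance:
        return False
    if term["route_filter"] is not None:
        prefix, match_type = term["route_filter"]
        if not route_filter_matches(prefix, route, match_type):
            return False
    return True


def import_routes(policy, candidates):
    """Return the prefixes the policy accepts into the importing instance.
    A route that matches no term is rejected, which is also what the explicit
    'term 2 then reject' in the article guarantees."""
    accepted = []
    for source_instance, route in candidates:
        decision = "reject"
        for term in policy:
            if term_matches(term, source_instance, route):
                decision = term["action"]
                break
        if decision == "accept":
            accepted.append(route)
    return accepted


if __name__ == "__main__":
    for route in import_routes(DNSPROXY_POLICY, MASTER_ROUTES):
        print(f"imported into dns-1.inet.0: {route}")
```

Run it directly to print the imported prefixes. Loosening term lo0 to orlonger, or adding a term that accepts 0.0.0.0/0, makes the model show the extra prefixes that would become reachable from the custom routing instance, which is exactly the exposure the exact matches and the final reject keep out.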
 

SRX-A

set system name-server 192.168.168.1
set interfaces ge-0/0/1 unit 0 family inet address 172.20.1.2/24
set routing-options static route 192.168.168.1/32 next-hop 172.20.1.1
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
 

Outputs to verify functionality on SRX-B

root@SRX-B# run show system services dns-proxy statistics
DNS proxy statistics        :
    Status                  : enabled
    IPV4 Queries received   : 9
    IPV6 Queries received   : 0
    Responses sent          : 9
    Queries forwarded       : 6
    Negative responses      : 0
    Positive responses      : 9
    Retry requests          : 0
    Pending requests        : 0
    Server failures         : 0
    Interfaces              : lo0.0

 
[edit]
root@SRX-B# run show system services dns-proxy cache
Hostname                  Time-to-live   Type        Class    IP address/Hostname
google.com.               108            A           IN       172.217.160.142
yahoo.com.                201            A           IN       72.30.35.9
yahoo.com.                201            A           IN       72.30.35.10
yahoo.com.                201            A           IN       98.137.246.7
yahoo.com.                201            A           IN       98.137.246.8
yahoo.com.                201            A           IN       98.138.219.231
yahoo.com.                201            A           IN       98.138.219.232
www.amazon.de.            233            CNAME       IN       www.cdn.amazon.de.
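As an added example (not part of the article), the following Python parses the two SRX-B outputs above and turns them into the checks an operator would want after deploying this: that the proxy is enabled, that it listens only on lo0.0 and not on any interface in the custom routing instance, that received queries are accounted for by responses, and that there are no server failures toward the forwarder. The sample text is embedded from the outputs above so it runs offline; the check_dns_proxy and cache_hits functions and the expected-interface parameter are this example's own assumptions, not Junos features.

```python
# Constructed samples that mirror the two SRX-B outputs in this article
# (the values are the article's; the text is embedded so the parser runs offline).
STATS_OUTPUT = """\
DNS proxy statistics        :
    Status                  : enabled
    IPV4 Queries received   : 9
    IPV6 Queries received   : 0
    Responses sent          : 9
    Queries forwarded       : 6
    Negative responses      : 0
    Positive responses      : 9
    Retry requests          : 0
    Pending requests        : 0
    Server failures         : 0
    Interfaces              : lo0.0
"""

CACHE_OUTPUT = """\
Hostname                  Time-to-live   Type        Class    IP address/Hostname
google.com.               108            A           IN       172.217.160.142
yahoo.com.                201            A           IN       72.30.35.9
www.amazon.de.            233            CNAME       IN       www.cdn.amazon.de.
"""


def parse_stats(text):
    """Turn the 'key : value' lines into a dict. Counters become ints and the
    Interfaces line becomes a list of logical interface names."""
    stats = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if not sep or not value:
            continue  # the "DNS proxy statistics :" header carries no value
        if key == "Interfaces":
            stats[key] = value.split()
        elif value.isdigit():
            stats[key] = int(value)
        else:
            stats[key] = value
    return stats


def parse_cache(text):
    """Parse the cache table into one dict per cached resource record."""
    records = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) != 5:
            continue
        name, ttl, rtype, rclass, rdata = fields
        records.append({"name": name, "ttl": int(ttl), "type": rtype,
                        "class": rclass, "rdata": rdata})
    return records


def cache_hits(stats):
    """Queries answered from the proxy cache: received minus forwarded."""
    received = stats["IPV4 Queries received"] + stats["IPV6 Queries received"]
    return received - stats["Queries forwarded"]


def check_dns_proxy(stats, expected_interfaces=("lo0.0",)):
    """Return a list of findings; an empty list means the proxy is healthy and
    listening only where the design in this article intends (assumed check)."""
    findings = []
    if stats.get("Status") != "enabled":
        findings.append("DNS proxy is not enabled")
    listening = set(stats.get("Interfaces", []))
    unexpected = listening - set(expected_interfaces)
    if unexpected:
        findings.append(f"proxy listening on unexpected interfaces: {sorted(unexpected)}")
    missing = set(expected_interfaces) - listening
    if missing:
        findings.append(f"proxy not listening on expected interfaces: {sorted(missing)}")
    received = stats["IPV4 Queries received"] + stats["IPV6 Queries received"]
    if stats["Responses sent"] + stats["Pending requests"] != received:
        findings.append(f"{received} queries received but only "
                        f"{stats['Responses sent']} responses sent")
    if stats["Server failures"] > 0:
        findings.append(f"{stats['Server failures']} server failures: "
                        "check reachability of the forwarder via fxp0")
    return findings


if __name__ == "__main__":
    stats = parse_stats(STATS_OUTPUT)
    print("cache hits:", cache_hits(stats))
    print("findings:", check_dns_proxy(stats) or "none")
    for rec in parse_cache(CACHE_OUTPUT):
        print(rec)
```

The interface check is the one that matters from a hardening standpoint: if an interface such as ge-0/0/5.0 ever shows up in the Interfaces line, the proxy is answering directly on the client-facing routing instance rather than only on lo0.0, which is not the design this article describes.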
 

Output from Client (SRX-A)

root@SRX-A% dig +short www.amazon.de
www.cdn.amazon.de.
djvbdz1obemzo.cloudfront.net.
13.32.63.59
root@SRX-A% dig +short www.google.com
172.217.163.196
root@SRX-A% dig +short www.yahoo.com
atsv2-fp-shed.wg1.b.yahoo.com.
106.10.250.10
106.10.250.11

 

Modification History:

2021-03-01: Minor corrections in Solution section

 
