[SRX] Example - How to configure DNS server access via a custom routing instance

Article ID: KB36150 | Last Updated: 25 May 2021 | Version: 2.0
Summary:

On SRX Series devices, the routing-instance option of the name-server command is not supported in Junos OS 17.3 and later releases.

This article describes how to reach a DNS server that is only routable through a custom routing instance without using the routing-instance option.

Solution:

In Junos OS 17.3 and later releases, the name-server configuration applies only to the default routing instance (inet.0). When the DNS server is reachable only through a custom routing instance, additional routing, policy and NAT configuration is required so that the query leaves through that instance and the reply is routed back to the device.

This article shows an example configuration for the following topology.

Sample Topology

SRX ge-0/0/0 192.168.0.1 (VR1) ----192.168.0.254 GW Router ----- DNS server 192.168.10.1

Interface/Zone/name-server configuration

Specify a source-address for the name-server configuration. This example uses the loopback IP address 192.168.254.1. A static route for this source address is added to the custom routing instance so that the return path for the DNS reply resolves there.

Without source-address, the source IP address of the DNS query is chosen from the addresses configured in the default routing instance. When several L3 interfaces exist in the default routing instance, an unintended IP address might be chosen as the DNS source address.

set system name-server 192.168.10.1 source-address 192.168.254.1 
set interfaces ge-0/0/0 unit 0 family inet address 192.168.0.1/24
set interfaces lo0 unit 0 family inet address 192.168.254.1/32
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone loopback interfaces lo0.0

Routing instance configuration

set routing-instances VR1 routing-options static route 192.168.10.1/32 next-hop 192.168.0.254 <<<< Route for DNS server
set routing-instances VR1 routing-options static route 192.168.254.1/32 next-table inet.0     <<<< Route for DNS reply
set routing-instances VR1 interface ge-0/0/0.0
set routing-instances VR1 instance-type virtual-router

Policy-options configuration to import the DNS server route from the custom routing instance into the default routing instance (the route-filter must match the name-server address exactly; update both if the DNS server changes)

set policy-options policy-statement to-vr1 term t1 from instance VR1
set policy-options policy-statement to-vr1 term t1 from route-filter 192.168.10.1/32 exact
set policy-options policy-statement to-vr1 term t1 then accept
set policy-options policy-statement to-vr1 term t2 then reject
set routing-options instance-import to-vr1

NAT configuration to translate the source IP address of the DNS query (192.168.254.1) to the egress interface IP address in the custom routing instance (192.168.0.1 on ge-0/0/0.0), so the DNS server sees a source address that is routable within VR1

set security nat source rule-set RS1 from routing-instance default
set security nat source rule-set RS1 to routing-instance VR1
set security nat source rule-set RS1 rule R1 match destination-address 192.168.10.1/32
set security nat source rule-set RS1 rule R1 then source-nat interface
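The following operational-mode checks are an added verification example and are not part of the original article. They confirm each piece of the configuration above (route import, return route, NAT binding) and then trigger a query and inspect the resulting session. The hostname www.example.com is a placeholder; exact output formatting varies between Junos releases.

```junos
## Added verification example (not from the original article). Run from
## operational mode after committing the configuration above.

## 1. The DNS server route exists in VR1 and has been imported into inet.0 by
##    the instance-import policy. Both lookups should resolve 192.168.10.1/32
##    with next-hop 192.168.0.254 via ge-0/0/0.0.
show route table VR1.inet.0 192.168.10.1
show route table inet.0 192.168.10.1

## 2. The return route for the name-server source-address is present in VR1
##    and points back to inet.0 (static, next-table inet.0).
show route table VR1.inet.0 192.168.254.1

## 3. Rule-set RS1 is bound from routing-instance default to VR1 and rule R1
##    matches 192.168.10.1/32 with interface source NAT. The "Translation hits"
##    counter should increase after step 4.
show security nat source rule all

## 4. Trigger a DNS query through the configured name-server (hostname is a
##    placeholder), then inspect the session. The In wing should show
##    192.168.254.1 -> 192.168.10.1 port 53; the Out wing should show the
##    reply addressed to 192.168.0.1, i.e. the source was translated to the
##    ge-0/0/0 address.
show host www.example.com
show security flow session destination-port 53
```

If step 1 shows the route in VR1.inet.0 but not in inet.0, re-check the route-filter in policy to-vr1 against the name-server address (the route-filter in the earlier revision of this article was wrong; see Modification History). If step 4 shows a session but no answer, check the NAT hit counter from step 3 before looking at the DNS server itself.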

Modification History:

2021-05-25: Fixed incorrect route-filter IP address. Before: route-filter 10.219.2.101. Fixed: route-filter 192.168.10.1.