Configuring the Device as a DNS Proxy

The Junos operating system (Junos OS) incorporates domain name system (DNS) support, which allows you to use domain names as well as IP addresses for identifying locations. A DNS server keeps a table of the IP addresses associated with domain names. Using DNS enables a device to reference locations by domain name (such as www.juniper.net) in addition to using the routable IP address (207.17.137.68 for www.juniper.net).

DNS features include:

  • DNS proxy—The device proxies hostname resolution requests on behalf of the clients behind the SRX Series device. DNS proxy improves domain lookup performance by using caching.
  • Split DNS—The device redirects DNS queries over a secure connection to a specified DNS server in the private network. Split DNS prevents malicious users from learning the network configuration, and thus also prevents domain information leaks. Once configured, split DNS operates transparently.
  • Dynamic DNS (DDNS) client—Servers protected by the device remain accessible despite dynamic IP address changes. For example, a protected Web server continues to be accessible with the same hostname, even after its dynamic IP address changes because of address reassignment through the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol (PPP) by the Internet service provider (ISP).

To configure the device as a DNS proxy, you enable DNS on a logical interface and configure DNS proxy servers. Configuring a static cache enables branch office and corporate devices to use hostnames to communicate. Configuring dynamic DNS (DDNS) clients keeps protected servers reachable by hostname when their IP addresses change.

Perform the following procedure to configure the device as a DNS proxy server by enabling DNS proxy on a logical interface—for example, ge-0/0/1.0—and configuring a set of name servers that are to be used for resolving the specified domain names. You can specify a default domain name by using an asterisk (*) and then configure a set of name servers for resolution. Use this approach when you need global name servers to resolve domain name entries that do not have a specific name server configured.

  1. DNS proxy configuration
    • Enable DNS proxy on a logical interface.
      [edit system services]
      user@host# set dns dns-proxy interface ge-0/0/1.0
    • Set a default domain name, and specify global name servers according to their IP addresses.
      [edit system services]
      user@host# set dns dns-proxy default-domain * forwarders 172.17.28.100
    • If you are done configuring the device, commit the configuration.
      [edit]
      user@host# commit

      To verify if the configuration is working properly, execute the show command.

      user@host> show system services dns dns-proxy
  2. Dynamic DNS proxy configuration
    • Enable client.
      [edit system services]
      user@host# set dynamic-dns client abc.com agent juniper interface ge-0/0/1.0 username test password test123
    • If you are done configuring the device, commit the configuration.
      [edit]
      user@host# commit

      To verify that the configuration is working properly, execute the show command.

      user@host> show system services dynamic-dns
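
The forwarder selection that step 1 sets up, sketched in Python as an added example (not Juniper code): it parses the page's `set dns dns-proxy` commands as typed at `[edit system services]`, picks the forwarders for a query name with the `*` default domain as fallback, and reports a configuration that leaves names without a forwarder. The longest-suffix matching rule, the `corp.example` entry and all function names are assumptions made for illustration.

```python
import ipaddress

# Constructed sample: the page's two commands plus one hypothetical per-domain entry.
SAMPLE_CONFIG = """\
set dns dns-proxy interface ge-0/0/1.0
set dns dns-proxy default-domain * forwarders 172.17.28.100
set dns dns-proxy default-domain corp.example forwarders 10.0.0.53
"""

def parse_dns_proxy(config_text):
    """Return (interfaces, {domain: [forwarder IPs]}) from 'set' lines."""
    interfaces, forwarders = [], {}
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:3] != ["set", "dns", "dns-proxy"]:
            continue
        if len(tok) == 5 and tok[3] == "interface":
            interfaces.append(tok[4])
        elif len(tok) == 7 and tok[3] == "default-domain" and tok[5] == "forwarders":
            ip = str(ipaddress.ip_address(tok[6]))  # raises ValueError on a bad address
            forwarders.setdefault(tok[4].lower().rstrip("."), []).append(ip)
    return interfaces, forwarders

def select_forwarders(qname, forwarders):
    """Pick forwarders for a query name; '*' is the fallback (assumed rule)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):  # try the longest suffix first
        suffix = ".".join(labels[i:])
        if suffix in forwarders:
            return suffix, forwarders[suffix]
    if "*" in forwarders:
        return "*", forwarders["*"]
    return None, []  # no name server configured for this name

def audit(config_text):
    """Return a list of findings for the parsed DNS proxy configuration."""
    interfaces, forwarders = parse_dns_proxy(config_text)
    findings = []
    if not interfaces:
        findings.append("dns-proxy is not enabled on any logical interface")
    if "*" not in forwarders:
        findings.append("no default domain (*): unmatched names have no forwarder")
    return findings

if __name__ == "__main__":
    _, table = parse_dns_proxy(SAMPLE_CONFIG)
    for name in ("www.juniper.net", "hr.corp.example"):
        print(name, "->", select_forwarders(name, table))
    print(audit(SAMPLE_CONFIG) or "no findings")
```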

Published: 2014-05-08