
dns-filter


Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 18.3R1 on MX Series.

Support added for Next Gen Services on MX Series routers MX240, MX480 and MX960 with MX-SPC3 services cards in Junos OS Release 19.3R2.

Description

Configure the settings for filtering DNS requests for disallowed website domains. Filtering can result in either:

  • Blocking access to the site by sending the client a DNS response that includes an IP address or domain name of a sinkhole server instead of the disallowed domain.

  • Logging the DNS request and allowing access.

Settings at the [edit services web-filter profile profile-name dns-filter-template template-name] hierarchy level override the corresponding settings at the [edit services web-filter profile profile-name] hierarchy level.

Options

database-file filename

Name of the domain filter database file to use when filtering DNS requests.

dns-resp-ttl seconds

Time to live (TTL), in seconds, that is set on the DNS response sent to the client after the DNS sinkhole action is taken.

Default: 1800

Range: 0 through 86,400

dns-server [ ip-address ]

(Optional) IP addresses (IPv4 or IPv6) of up to three specific DNS servers. DNS filtering examines only DNS requests that are destined for those DNS servers.

hash-key key-string

Hash key that you used to create the hashed domain names in the domain filter database file.

hash-method hash-method-name

Hash method that you used to create the hashed domain names in the domain filter database file. The only supported hash method is hmac-sha2-256.

statistics-log-timer minutes

Number of minutes in the interval for logging statistics for DNS requests and for sinkhole actions performed for each customer IP address.

Default: 5

Range: 0 through 60

wildcarding-level level

Number of subdomain levels that are searched for a match. A value of 0 indicates that subdomains are not searched.

For example, if you set the wildcarding-level to 4 and the database file includes an entry for example.com, the following comparisons are made for a DNS request that arrives with the domain 198.51.100.0.example.com:

  • 198.51.100.0.example.com: no match

  • 51.100.0.example.com: no match for one level down

  • 100.0.example.com: no match for two levels down

  • 0.example.com: no match for three levels down

  • example.com: match for four levels down

Range: 0 through 10
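The following Python model, added here as an illustration and not Juniper code, ties the hash-key, hash-method and wildcarding-level options together: it builds a constructed database of HMAC-SHA2-256 hashed domain names and then walks a query name through the comparisons listed above, stripping one leading label per level up to the configured wildcarding-level. The on-disk database file format, hex encoding of the digest, lower-casing of names and the point at which the walk stops (when no label is left) are assumptions; the page does not specify them.

```python
import hashlib
import hmac

# Constructed key for the example; on a router this is the value given to hash-key.
HASH_KEY = b"example-hash-key"

WILDCARDING_LEVEL_RANGE = range(0, 11)  # 0 through 10, as documented


def validate_wildcarding_level(level: int) -> int:
    """Reject values outside the documented 0 through 10 range."""
    if level not in WILDCARDING_LEVEL_RANGE:
        raise ValueError(f"wildcarding-level {level} outside range 0 through 10")
    return level


def hash_domain(domain: str, key: bytes = HASH_KEY) -> str:
    """HMAC-SHA2-256 of a domain name, hex encoded.

    Normalising to lower case and dropping a trailing dot is an assumption made
    so that the same name always produces the same digest.
    """
    name = domain.lower().rstrip(".").encode("ascii")
    return hmac.new(key, name, hashlib.sha256).hexdigest()


def build_database(domains, key: bytes = HASH_KEY) -> set:
    """Model the domain filter database: a set of hashed domain names (assumed format)."""
    return {hash_domain(d, key) for d in domains}


def walk(qname: str, database: set, wildcarding_level: int, key: bytes = HASH_KEY):
    """Return the comparison sequence as (levels_down, candidate_name, matched).

    Level 0 is the name as received; each further level strips one leading label,
    reproducing the list of comparisons shown on the page. The walk stops early
    once a match is found or once no label remains (assumed stopping point).
    """
    validate_wildcarding_level(wildcarding_level)
    labels = qname.lower().rstrip(".").split(".")
    steps = []
    for level in range(0, wildcarding_level + 1):
        if level >= len(labels):
            break
        candidate = ".".join(labels[level:])
        matched = hash_domain(candidate, key) in database
        steps.append((level, candidate, matched))
        if matched:
            break
    return steps


def match(qname: str, database: set, wildcarding_level: int, key: bytes = HASH_KEY):
    """Return (matched_domain, levels_down) for a disallowed name, or None."""
    for level, candidate, matched in walk(qname, database, wildcarding_level, key):
        if matched:
            return candidate, level
    return None


if __name__ == "__main__":
    # Constructed database holding only example.com, as in the page's example.
    db = build_database(["example.com"])
    for level, candidate, matched in walk("198.51.100.0.example.com", db, 4):
        suffix = "" if level == 0 else f" for {level} level(s) down"
        print(f"{candidate}: {'match' if matched else 'no match'}{suffix}")
```

Two points worth noticing when running it: with wildcarding-level 3 the same query name produces no match, because the walk never reaches example.com, and a database built with a different hash-key never matches anything, which is the failure mode to check first when a filter template that should be sinkholing requests is not.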

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.