DNS Request Filtering for Blacklisted Website Domains

 

Overview of DNS Request Filtering

Starting in Junos OS Release 18.3R1, you can configure DNS filtering to identify DNS requests for blacklisted website domains. Starting in Junos OS Release 19.3R2, you can configure DNS filtering if you are running Next Gen Services with the MX-SPC3 services card. Next Gen Services are supported on MX240, MX480 and MX960 routers. For DNS request types A, AAAA, MX, CNAME, TXT, SRV, and ANY, you configure the action to take for a DNS request for a blacklisted domain. You can either:

  • Block access to the website by sending a DNS response that contains the IP address or fully qualified domain name (FQDN) of a DNS sinkhole server. This ensures that when the client attempts to send traffic to the blacklisted domain, the traffic instead goes to the sinkhole server (see Figure 1).

  • Log the request and allow access.

For other DNS request types for a blacklisted domain, the request is logged and access is allowed.

The actions that the sinkhole server takes are not controlled by the DNS request filtering feature; you are responsible for configuring the sinkhole server actions. For example, the sinkhole server could send a message to the requestor that the domain is not reachable and prevent access to the blacklisted domain.

Figure 1: DNS Request for Blacklisted Domain

Benefits

DNS filtering redirects DNS requests for blacklisted website domains to sinkhole servers, while preventing anyone operating the system from seeing the list of blacklisted domains: the database file stores only an HMAC-SHA2-256 hash of each domain name, not the name itself. The hash key, however, is part of the router configuration, and anyone who can read it can hash a candidate domain and test whether it is on the list, so the configuration containing the key needs the same protection as the list.

Blacklisted Domain Filter Database File

DNS request filtering requires a blacklisted domain filter database .txt file, which identifies each blacklisted domain name, the action to take on a DNS request for the blacklisted domain, and the IP address or fully qualified domain name (FQDN) of a DNS sinkhole server.

DNS Filter Profile

You configure a DNS filter profile to specify which blacklisted domain filter database file to use. You can also specify the interfaces on which DNS request filtering is performed, limit the filtering to requests for specific DNS servers, and limit the filtering to requests from specific source IP address prefixes.

How to Configure DNS Request Filtering

To filter DNS requests for blacklisted website domains, perform the tasks in the following sections: configure a domain filter database, configure a DNS filter profile, and configure a service set for DNS filtering.

How to Configure a Domain Filter Database

Create one or more domain filter database files that include an entry for each blacklisted domain. Each entry specifies what to do with a DNS request for a blacklisted website domain.

To configure a domain filter database file:

  1. Choose a name for the file. The database file name can have a maximum length of 64 characters and must have a .txt extension.
  2. Add a file header with a format such as 20170314_01:domain,sinkhole_ip,v6_sinkhole,sinkhole_fqdn,id,action.
  3. Add an entry in the file for each blacklisted domain. You can include a maximum of 10,000 domain entries. Each entry in the database file has the following items:

    hashed-domain-name,IPv4 sinkhole address, IPv6 sinkhole address, sinkhole FQDN, ID, action

    where:

    • hashed-domain-name is a hashed value of the blacklisted domain name (64 hexadecimal characters). The hash method and hash key that you use to produce the hashed domain value are needed when you configure DNS filtering with the Junos OS CLI.

    • IPv4 sinkhole address is the address of the DNS sinkhole server for IPv4 DNS requests.

    • IPv6 sinkhole address is the address of the DNS sinkhole server for IPv6 DNS requests.

    • sinkhole FQDN is the fully qualified domain name of the DNS sinkhole server.

    • ID is a 32-bit number that uniquely associates the entry with the hashed domain name.

    • action is the action to apply to a DNS request that matches the blacklisted domain name. If you enter replace, the MX Series router sends the client a DNS response with the IP address or FQDN of the DNS sinkhole server. If you enter report, the DNS request is logged and then sent to the DNS server.

  4. In the last line of the file, include the file hash, which you calculate by using the same key and hash method that you used to produce the hashed domain names.
  5. Save the database files on the Routing Engine in the /var/db/url-filterd directory.
  6. Validate the domain filter database file.
  7. If you make any changes to the database file, apply the changes.
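The following script generates and validates a database file with the layout described in the steps above. It is an added example, not Juniper's tooling. The HMAC key, the sinkhole addresses and the domain names are constructed sample data; the canonicalisation of names before hashing (lowercase, no trailing dot) and the exact input to the trailing file hash (every byte that precedes the last line) are assumptions, because the page does not specify them, and they must match whatever the router expects when you validate the file.

```python
"""Generate and validate a blacklisted domain filter database file.

Added example (not Juniper's code): header line, one entry per domain,
trailing file hash, following the layout described on the page.
"""
import hashlib
import hmac
import ipaddress
import re

MAX_ENTRIES = 10_000          # limit stated on the page
MAX_FILENAME_LEN = 64         # limit stated on the page
HEX64 = re.compile(r"^[0-9a-f]{64}$")
ACTIONS = ("replace", "report")

# Constructed sample data, not taken from the page.
KEY = b"example-hmac-key-change-me"
HEADER = "20170314_01:domain,sinkhole_ip,v6_sinkhole,sinkhole_fqdn,id,action"
SAMPLE_ENTRIES = [
    # (domain, IPv4 sinkhole, IPv6 sinkhole, sinkhole FQDN, ID, action)
    ("malware.example", "192.0.2.53", "2001:db8::53", "sinkhole.example.net", 1, "replace"),
    ("phish.example", "192.0.2.53", "2001:db8::53", "sinkhole.example.net", 2, "replace"),
    ("tracker.example", "192.0.2.53", "2001:db8::53", "sinkhole.example.net", 3, "report"),
]


def hash_domain(domain: str, key: bytes) -> str:
    """HMAC-SHA2-256 of the domain name as 64 lowercase hex characters.

    Assumption: names are canonicalised to lowercase without a trailing dot
    before hashing. IDN labels must already be in punycode (ASCII).
    """
    name = domain.rstrip(".").lower().encode("ascii")
    return hmac.new(key, name, hashlib.sha256).hexdigest()


def make_entry(domain, v4, v6, fqdn, entry_id, action, key: bytes) -> str:
    """Format one database line, rejecting values outside the documented ranges."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}: {action!r}")
    if not 0 <= entry_id < 2**32:
        raise ValueError(f"ID must be a 32-bit number: {entry_id}")
    ipaddress.IPv4Address(v4)   # raises ValueError on a malformed address
    ipaddress.IPv6Address(v6)
    return ",".join([hash_domain(domain, key), v4, v6, fqdn, str(entry_id), action])


def build_database(filename: str, header: str, entries, key: bytes) -> str:
    """Return the complete file text: header, entries, then the file hash line.

    Assumption: the file hash is the HMAC-SHA2-256 (same key) over every byte
    of the file that precedes the last line.
    """
    if len(filename) > MAX_FILENAME_LEN or not filename.endswith(".txt"):
        raise ValueError("file name must be at most 64 characters and end in .txt")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries per file")
    ids = [e[4] for e in entries]
    if len(set(ids)) != len(ids):
        raise ValueError("IDs must be unique within the file")
    body = "\n".join([header] + [make_entry(*e, key) for e in entries]) + "\n"
    file_hash = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    return body + file_hash + "\n"


def verify_database(text: str, key: bytes) -> bool:
    """Recompute the trailing file hash and check the shape of every entry line."""
    lines = text.rstrip("\n").split("\n")
    if len(lines) < 2:
        return False
    body = "\n".join(lines[:-1]) + "\n"
    expected = hmac.new(key, body.encode("ascii"), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, lines[-1]):
        return False
    for line in lines[1:-1]:
        fields = line.split(",")
        if (len(fields) != 6 or not HEX64.match(fields[0])
                or not fields[4].isdigit() or fields[5] not in ACTIONS):
            return False
    return True


def build_sample() -> str:
    """Build the sample database file from the constructed entries above."""
    return build_database("dns-blacklist.txt", HEADER, SAMPLE_ENTRIES, KEY)


if __name__ == "__main__":
    text = build_sample()
    print(text, end="")
    print("valid:", verify_database(text, KEY))
```

Run it once to produce the file, copy the output to /var/db/url-filterd on the Routing Engine, and keep `verify_database` as a pre-commit check in whatever pipeline maintains the list: a single edited byte anywhere before the last line changes the file hash, so a tampered or hand-edited file is rejected before the router ever loads it.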

How to Configure a DNS Filter Profile

A DNS filter profile includes general settings for filtering DNS requests for blacklisted website domains, and includes up to 32 templates. The template settings apply to DNS requests on specific uplink and downlink logical interfaces or routing instances, or to DNS requests from specific source IP address prefixes, and override the corresponding settings at the DNS profile level. You can configure up to eight DNS filter profiles.

To configure a DNS filter profile:

  1. Configure the name for a DNS filter profile. The maximum number of profiles is 8.

  2. Configure the interval for logging per-client statistics for DNS filtering. The range is 0 through 60 minutes and the default is 5 minutes.
  3. Configure general DNS filtering settings for the profile. These values are used if a DNS request does not match a specific template.
    1. Specify the name of the domain filter database to use when filtering DNS requests.
    2. (Optional) To limit DNS filtering to DNS requests that are destined for specific DNS servers, specify up to three IP addresses (IPv4 or IPv6).
    3. Specify the format for the hash key.
    4. Specify the hash key that you used to create the hashed domain name in the domain filter database file.
    5. Specify the hash method that was used to create the hashed domain name in the domain filter database file.

      The only supported hash method is hmac-sha2-256.

    6. Configure the interval for logging statistics for DNS requests and for sinkhole actions performed for each customer IP address. The range is 1 through 60 minutes and the default is 5 minutes.
    7. Configure the time to live while sending the DNS response after taking the DNS sinkhole action. The range is 0 through 86,400 seconds and the default is 1800.
    8. Configure the level of subdomains that are searched for a match. The range is 0 through 10. A value of 0 indicates that subdomains are not searched.

      For example, if you set the wildcarding-level to 4 and the database file includes an entry for example.com, the following comparisons are made for a DNS request that arrives with the domain 198.51.100.0.example.com:

      • 198.51.100.0.example.com: no match

      • 51.100.0.example.com: no match for one level down

      • 100.0.example.com: no match for two levels down

      • 0.example.com: no match for three levels down

      • example.com: match for four levels down

  4. Configure a template. You can configure a maximum of 32 templates in a profile. Each template identifies filter settings for DNS requests on specific uplink and downlink logical interfaces or routing instances, or for DNS requests from specific source IP address prefixes.
    1. Configure the name for the template.
    2. (Optional) Specify the client-facing logical interfaces (uplink) to which the DNS filtering is applied.
    3. (Optional) Specify the server-facing logical interfaces (downlink) to which the DNS filtering is applied.
    4. (Optional) Specify the routing instance for the client-facing logical interface to which the DNS filtering is applied.
    5. (Optional) Specify the routing instance for the server-facing logical interface to which DNS filtering is applied.
      Note: If you configure the client and server interfaces or the client and server routing instances, implicit filters are installed on the interfaces or routing instances to direct DNS traffic to the services PIC for DNS filtering. If you configure neither the client and server interfaces nor the routing instances, you must provide a way to direct DNS traffic to the services PIC (for example, via routes).

    6. Specify the name of the domain filter database to use when filtering DNS requests.
    7. (Optional) To limit DNS filtering to DNS requests that are destined for specific DNS servers, specify up to three IP addresses (IPv4 or IPv6).
    8. Specify the hash method that was used to create the hashed domain name in the domain filter database file.

      The only supported hash method is hmac-sha2-256.

    9. Specify the hash key that was used to create the hashed domain name in the domain filter database file.
    10. Configure the interval for logging statistics for DNS requests and for sinkhole actions performed for each customer IP address. The range is 1 through 60 minutes and the default is 5 minutes.
    11. Configure the time to live while sending the DNS response after taking the DNS sinkhole action. The range is 0 through 86,400 seconds and the default is 1800.
    12. Configure the level of subdomains that are searched for a match. The range is 0 through 10, and a value of 0 indicates that subdomains are not searched. The comparison proceeds exactly as in the example for the profile-level setting in step 3: the full requested name is compared first, then the name with one leading label removed, and so on, up to the configured number of levels.

    13. (Optional) Specify the response error code for SRV and TXT query types.
    14. Configure a term for the template. You can configure a maximum of 64 terms in a template.
    15. (Optional) Specify the source IP address prefixes of DNS requests you want to filter. You can configure a maximum of 64 prefixes in a term.
    16. Specify that the sinkhole action identified in the domain filter database is performed on blacklisted DNS requests.
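The wildcarding-level comparison described in steps 3 and 4 above, as an added example that is not Juniper's code: the lookup strips one leading label at a time, up to the configured level, and compares the HMAC-SHA2-256 hash of each candidate against the hashed-domain-name fields of the database. The key and the blacklisted names are constructed sample data, and the canonical form hashed (lowercase, no trailing dot) is an assumption the page does not state.

```python
"""Wildcarding-level lookup against a hashed domain filter database.

Added example (not Juniper's code). It reproduces the label-stripping
comparison the page describes for the wildcarding-level setting.
"""
import hashlib
import hmac

KEY = b"example-hmac-key-change-me"   # constructed; must equal the key used for the database
MAX_WILDCARDING_LEVEL = 10            # documented range is 0 through 10


def hash_domain(domain: str, key: bytes = KEY) -> str:
    """HMAC-SHA2-256 of a lowercased domain without a trailing dot (assumed canonical form)."""
    name = domain.rstrip(".").lower().encode("ascii")
    return hmac.new(key, name, hashlib.sha256).hexdigest()


# Constructed blacklist: the hashed-domain-name fields of a database file.
BLACKLIST = {hash_domain(d) for d in ("example.com", "bad.example.net")}


def comparisons(qname: str, wildcarding_level: int, blacklist=BLACKLIST, key: bytes = KEY):
    """Yield (candidate, matched) for each comparison made, stopping at the first match.

    Level 0 compares only the full name; level n also compares the suffixes
    obtained by dropping 1..n leading labels. The walk stops early when no
    labels remain (an assumption for names shorter than the configured level).
    """
    if not 0 <= wildcarding_level <= MAX_WILDCARDING_LEVEL:
        raise ValueError("wildcarding-level must be 0 through 10")
    labels = qname.rstrip(".").lower().split(".")
    for stripped in range(wildcarding_level + 1):
        if stripped >= len(labels):
            return
        candidate = ".".join(labels[stripped:])
        matched = hash_domain(candidate, key) in blacklist
        yield candidate, matched
        if matched:
            return


def find_match(qname: str, wildcarding_level: int, blacklist=BLACKLIST, key: bytes = KEY):
    """Return (matched_suffix, levels_stripped) or None when nothing matches."""
    for stripped, (candidate, matched) in enumerate(
            comparisons(qname, wildcarding_level, blacklist, key)):
        if matched:
            return candidate, stripped
    return None


if __name__ == "__main__":
    for candidate, matched in comparisons("198.51.100.0.example.com", 4):
        print(f"{candidate}: {'match' if matched else 'no match'}")
    print(find_match("198.51.100.0.example.com", 3))   # None: example.com is four levels down
```

The two calls in the block show the practical consequence of the setting: with wildcarding-level 4 the request for 198.51.100.0.example.com is sinkholed, with level 3 the same request passes untouched, so a list entry for a parent domain only covers as many subdomain levels as you configure.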

How to Configure a Service Set for DNS Filtering

  • Associate the DNS filter profile with a next-hop service set and enable logging for DNS filtering. The service interface can be an ms- interface, a vms- interface (Next Gen Services with the MX-SPC3 services card), or an aggregated multiservices (AMS) interface.

Release History Table

Release: 19.3R2
Description: Starting in Junos OS Release 19.3R2, you can configure DNS filtering if you are running Next Gen Services with the MX-SPC3 services card. Next Gen Services are supported on MX240, MX480 and MX960 routers.