Help Center User GuideWhat's New
 
X
User Guide
What's New
Help Center
Show Contents
Help CenterPolicies on the SRX Series DeviceConfigure DNS Request Filtering on the SRX Series Device
Contents  
ContentsHide
ContentsHide
DownloadPrint

DNS Request Filtering for Disallowed Domains

Overview

Starting in Junos OS Release 20.4R1, you can configure DNS filtering to identify DNS requests for disallowed domains. You can either:

The sinkhole server actions are not controlled by the DNS request filtering feature; you must configure the sinkhole server actions. For example, the sinkhole server could send a message to the requestor that the domain is not reachable and prevent access to the disallowed domain.

Figure 26: DNS Request for Disallowed Domain

DNS Request for Disallowed Domain

The SRX firewall downloads the DNS domain feeds from ATP Cloud and applies actions such as sinkhole, block (drop/close), permit, or recommended for the matched domains. By default, the SRX firewall responds to the DNS queries for the disallowed domain with the default sinkhole server.

The DNS request for the known bad domains is handled as per the query type (QTYPE). The DNS queries of type – A, AAAA, MX, CNAME, TXT, SRV and ANY will result into sinkhole action and will be counted and reported individually. The DNS queries of other types will only be logged on match to a bad domain (and then allowed to go through) and reported together as type “misc”.

Benefits

Configure DNS Request Filtering

Procedure

To filter DNS requests for disallowed domains:

  1. Configure DNS profile. In this example, the profile name is dns-profile. For dns-feed-1 the DNS request is logged and access is allowed. For custom-dns-feed-1, the DNS request is configured for sinkholing.

    [edit services]

    user@host# set security-intelligence profile dns-profile category DNS

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match feed-name dns-feed-1

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 1

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 2

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 3

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 4

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 5

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 6

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 match threat-level 7

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 then action permit

    user@host# set security-intelligence profile dns-profile rule dns-rule-1 then action log

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match feed-name custom-dns-feed-1

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 8

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 9

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 match threat-level 10

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 then action sinkhole

    user@host# set security-intelligence profile dns-profile rule dns-rule-2 then action log

  2. (Optional) Configure DNS sinkhole server. We will set the domain name for the DNS sinkhole server as sinkhole.junipernetworks.com.

    [edit services]

    user@host# set dns-filtering sinkhole fqdn sinkhole.junipernetworks.com

    Note 

    • The FQDN value sinkhole.junipernetworks.com is provided as an example, do not use it in actual configuration.

    • If you do not configure the DNS sinkhole server, then by default, the sinkhole IP address that is hosted on the SRX firewall acts as the sinkhole server.

  3. Configure DNS policy.

    [edit services]

    user@host# set security-intelligence policy dns-policy category DNS security-intelligence-profile dns-profile

  4. Configure a security policy and assign the DNS policy to the security policy.

    [edit security]

    user@host# set policies from-zone trust to-zone untrust policy security-policy match source-address any

    user@host# set policies from-zone trust to-zone untrust policy security-policy match destination-address any

    user@host# set policies from-zone trust to-zone untrust policy security-policy> match application any

    user@host# set policies from-zone trust to-zone untrust policy security-policy then permit application-services security-intelligence-policy dns-policy

  5. (Optional) To stream the DNS logs, use the following command:

    [edit security]

    user@host# set log stream <dnsf-stream-name> category dnsf

To display DNS statistics for logical systems and tenant systems, use the following commands:

To display DNS profile statistics for logical systems and tenant systems, use the following commands:

To display all DNS statistics for logical systems and tenant systems, use the following commands:

To clear statistics for DNS filtering, use the following commands:

Related Documentation

Help us to improve. Rate this article.
     
Feedback Received. Thank You!
Previous
Integrate AWS GuardDuty with vSRX Firewalls
Next
Modifying My Profile
Related Topics

  • dns-filtering

  • security-intelligence

  • security-metadata-streaming

Need more help?

Ask questions in TechWiki

Contact Customer Support

Check documentation in TechLibrary

© 2021 Juniper Networks, Inc. All rights reserved

Rating by you:      
X

Additional Comments

800 characters remaining

May we contact you if necessary?

Name:
Email:

Need product assistance? Contact Juniper Support

Submit