Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?




Hierarchy Level


Configure the settings for filtering DNS requests for disallowed website domains. Filtering can result in either:

  • Blocking access to the site by sending the client a DNS response that includes an IP address or domain name of a sinkhole server instead of the disallowed domain.

  • Logging the DNS request and allowing access.

Settings at the [edit services web-filter profile profile-name dns-filter-template template-name] hierarchy level override the corresponding settings at the [edit services web-filter profile profile-name] hierarchy level.


database-file filename

Name of the domain filter database file to use when filtering DNS requests.

dns-resp-ttl seconds

Number of seconds to live while sending the DNS response after taking the DNS sinkhole action.

  • Default: 1800

  • Range: 0 through 86,400

dns-server [ ip-address ]

(Optional) IP addresses (IPv4 or IPv6) for up to three specific DNS servers. DNS filtering examines only DNS requests that are destined for those DNS servers.

hash-key key-string

Hash key that you used to create the hashed domain name in the domain filter database file.

hash-method hash-method-name

Hash method that you used to create the hashed domain name in the domain filter database file. The only supported hash method is hmac-sha2-256.

statistics-log-timer minutes

Number of minutes in the interval for logging statistics for DNS requests and for sinkhole actions performed for each customer IP address.

  • Default: 5

  • Range: 0 through 60

wildcarding-level level

Level of subdomains that are searched for a match. A value of 0 indicates that subdomains are not searched.

For example, if you set the wildcarding-level to 4 and the database file includes an entry for, the following comparisons are made for a DNS request that arrives with the domain

  • no match

  • no match for one level down

  • no match for two levels down

  • no match for three levels down

  • match for four levels down

  • Range: 0 through 10

Required Privilege Level

system—To view this statement in the configuration.

system-control—To add this statement to the configuration.

Release Information

Statement introduced in Junos OS Release 18.3R1 on MX Series.

Support added for Next Gen Services on MX Series routers MX240, MX480 and MX960 with MX-SPC3 services cards in Junos OS Release 19.3R2.