Device Security
- Override default minimum TTL for DNS caching (cSRX, SRX Series Firewalls, and vSRX 3.0)—Override the default minimum time-to-live (TTL) value for fully qualified domain names (FQDNs) in the address book for DNS caching. This configuration ensures that DNS responses with TTL values lower or higher than 16 seconds are cached for their actual duration, rather than for the default minimum of 16 seconds. The system maintains the default behavior for backward compatibility unless you reconfigure it. This feature offers more accurate DNS resolution and is particularly beneficial in environments where IP addresses change frequently.
- Real-time DNS snooping for dynamic FQDN policy updates (cSRX, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Domain Name System (DNS) snooping inspects and caches DNS responses in real time.
After you enable DNS snooping, the firewall:
  - Captures DNS response packets as traffic traverses the network.
  - Extracts the relevant DNS records.
  - Builds a local cache that maps fully qualified domain names (FQDNs) to IP addresses.
The firewall keeps these mappings accurate and current for IPv4 or IPv6 traffic. Use this feature to implement real-time DNS mapping updates in environments with frequently changing DNS entries.
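As an added example (not Junos code or the page's own), the following Python shows the mechanism the two items above describe: it parses the answers out of a snooped DNS response, maps the FQDN to its A/AAAA addresses, and computes each entry's cache expiry with a minimum-TTL floor applied (16 seconds by default, the value the first item lets you override). The response bytes are constructed inline rather than captured, and the function names and `DEFAULT_MIN_TTL` constant are this example's own, not a product API.

```python
import struct
import ipaddress

DEFAULT_MIN_TTL = 16  # assumed default TTL floor for cached FQDN entries (per the note above)

def _read_name(msg, off):
    """Decode a DNS name, following a compression pointer if one is present."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:           # compression pointer (RFC 1035, 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def snoop_response(msg, min_ttl=DEFAULT_MIN_TTL, now=0):
    """Map FQDN -> [(ip, expiry)] from A/AAAA answers; expiry = now + max(ttl, min_ttl)."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                # the DNS header is 12 bytes
    for _ in range(qdcount):                # skip the question section
        _, off = _read_name(msg, off)
        off += 4                            # QTYPE + QCLASS
    cache = {}
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if (rtype, rdlen) not in ((1, 4), (28, 16)):   # only A / AAAA feed the cache
            continue
        ip = str(ipaddress.ip_address(rdata))
        cache.setdefault(name.lower(), []).append((ip, now + max(ttl, min_ttl)))
    return cache

def build_response(fqdn, answers):
    """Build a minimal DNS response (constructed sample, not captured traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in fqdn.split(".")) + b"\x00"
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(answers), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ip, ttl in answers:
        addr = ipaddress.ip_address(ip)
        rtype = 1 if addr.version == 4 else 28
        msg += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, ttl, len(addr.packed)) + addr.packed
    return msg

# Constructed sample: an A record with a 5-second TTL and an AAAA record with a 300-second TTL.
SAMPLE = build_response("www.example.com", [("192.0.2.10", 5), ("2001:db8::10", 300)])
```

With the default floor the 5-second A record is held for 16 seconds; with `min_ttl=0` it is held for its actual 5 seconds, which is the behavior the override enables.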
- DNS snooping and DNS module integration (cSRX, SRX1600, SRX2300, SRX4100, SRX4200, SRX4300, SRX4600, SRX4700, SRX5400, SRX5600, SRX5800, and vSRX 3.0)—Use the integrated DNS-snooping cache in the Packet Forwarding Engine together with the DNS module on the Routing Engine to unify entries from explicit DNS queries and from DNS snooping in the data plane. The combined DNS cache remains accurate and relevant, helping you apply DNS-based policies and destination network address translation (NAT) configurations effectively. The show security dns-cache command displays entries from both the DNS resolver and DNS snooping.