Example: Configure DNS Snooping

Read this topic to understand how to configure DNS snooping on SRX Series Firewalls to update DNS cache with mappings of FQDN and IP addresses.

SRX Series Firewalls support the DNS snooping feature. DNS snooping offers a mechanism for dynamically inspecting and caching DNS responses in real time. When you enable DNS snooping, the system captures DNS response packets as traffic traverses the network, extracts the relevant DNS records, and builds a mapping of FQDN to IP address in a local cache. This cache provides accurate and timely DNS mappings by ensuring that the IP addresses associated with Fully Qualified Domain Names (FQDNs) remain current.

Tip: Table 1 gives time estimates for this example.

Table 1: Time Estimates

| Task | Estimate |
| --- | --- |
| Reading Time | 15 minutes |
| Configuration Time | 30 minutes |

Example Prerequisites

Table 2 lists the hardware and software components that support the configuration.

Table 2: Requirements

| Requirement | Details |
| --- | --- |
| Hardware requirements | SRX Series Firewalls and vSRX Virtual Firewalls |
| Software requirements | All SRX Series support this feature from Junos OS Release 25.2R1. We’ve tested this example using vSRX instances. |

Install and configure Application Identification. For details, see Predefined Application Signatures for Application Identification.

Before You Begin

Functional Overview

Table 3 provides a quick summary of the configuration components deployed in this example.

Table 3: Configuration Components

Technologies used:

  • Enable DNS snooping

  • Security zones and policies

  • Interfaces

Primary verification tasks:

  1. Verify DNS snooping cache

  2. Verify DNS snooping counters

Topology Illustration

The following figure shows the topology used in this configuration example.

Figure 1: DNS Snooping Topology

[Figure 1: a client device in the trust zone, the SRX Series Firewall holding the DNS snooping cache, and connections through the untrust zone to the Internet for DNS resolution.]

In this example, interface ge-0/0/0 is in the trust zone and connects to the client device (10.1.1.1). Interface ge-0/0/1 is in the untrust zone and connects to the DNS server through the Internet gateway (10.102.70.245). You configure DNS snooping on the SRX Series Firewall.

In this example, you enable DNS snooping and create an address book entry with an FQDN. You then create a security policy that uses that address book entry (the FQDN) as the destination address. When traffic matches the security policy, the system captures DNS response packets as they traverse the network, extracts the relevant DNS records, and builds a mapping of FQDN to IP address in a local cache. This cache keeps the IP addresses associated with the FQDN current.

Topology Overview

Table 4 shows the details of the configuration used in this example.

Table 4: Interfaces and IP Address Configuration on Security Devices

| Device | Interface | IP Address | Zone | Configured For |
| --- | --- | --- | --- | --- |
| SRX Series Firewall | ge-0/0/0.0 | 10.1.1.122/24 | Trust | Connects to the internal client device (10.1.1.1) |
| SRX Series Firewall | ge-0/0/0.1 | 10.102.70.240/24 | Untrust | Connects to the Internet gateway (10.102.70.254) |

Configure

To configure DNS snooping, use the following steps:

  1. Enable the DNS snooping feature.

    Optionally, you can specify trusted DNS servers so that only traffic from those servers is subject to DNS snooping.

    This configuration minimizes the risk of cache poisoning from untrusted or rogue DNS traffic. You can configure up to 32 DNS servers in a set.

  2. Configure interfaces.
  3. Configure security zones.

    For this example only, we have enabled host-inbound-traffic as all. Ensure you allow host inbound traffic on zones as per your network requirements.

  4. Add the FQDN as an address in the global address book and reference that address in a security policy as a match condition.
  5. Apply DNS snooping to specific policy zones. This configuration restricts snooping for the traffic passing through certain zones only.

    (Optional) Alternatively, you can enable DNS snooping globally.

    You can enable dns-snooping either at the zone level or globally, but configuring both at the same time is not supported.

  6. Configure a default policy to permit all traffic.

    In this example, the default policy allows the initial traffic for the DNS lookup and then the p1 policy allows the traffic to google.com and triggers the dns-snooping.

    For this example only, we have created security policies to allow all traffic. Ensure you configure security policies to restrict the traffic as per your network requirements.
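To make the mechanism concrete, here is an added Python model (not Junos configuration and not code from this page) of what a DNS snooping cache does: it parses DNS response messages, caches a reply only when it comes from a configured trusted server (the cache-poisoning safeguard from step 1), and stores FQDN-to-IP mappings that expire with the record TTL, which is the TTL you later see in the cache verification output. The server addresses, FQDN and response bytes are constructed sample data.

```python
import socket
import struct

def parse_name(msg, off):
    """Decode a DNS name at offset, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer: 14-bit offset
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [parse_name(msg, ptr)[0]]), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_response(msg):
    """Return (fqdn, ip, ttl) for each A record in a DNS response message."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off, records = 12, []
    for _ in range(qdcount):                      # skip the question section
        off = parse_name(msg, off)[1] + 4         # name + QTYPE + QCLASS
    for _ in range(ancount):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:             # A record carrying an IPv4
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return records

def build_response(fqdn, ips, ttl):
    """Constructed sample DNS answer (not a capture); answer names use a pointer."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in fqdn.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(ips), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip) for ip in ips)
    return header + qname + struct.pack("!HH", 1, 1) + rrs

class SnoopCache:
    """FQDN -> {ip: expiry}. `now` is a clock callable (time.time in practice)."""
    def __init__(self, trusted_servers, now):
        self.trusted, self.now, self.entries = set(trusted_servers), now, {}
    def snoop(self, src_ip, msg):
        if self.trusted and src_ip not in self.trusted:
            return                                # untrusted server: never cached
        for name, ip, ttl in parse_response(msg):
            self.entries.setdefault(name, {})[ip] = self.now() + ttl
    def lookup(self, fqdn):
        now = self.now()                          # expired mappings drop out
        return sorted(ip for ip, exp in self.entries.get(fqdn, {}).items() if exp > now)
```

Feed `snoop()` the source address and payload of each DNS reply the firewall forwards; `lookup()` then returns the live addresses for an FQDN, which is what a policy matching an FQDN address book entry relies on.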

Verification

Use the following show commands to verify the feature in this example.

Table 5: Verification Tasks

| Command | Verification Task |
| --- | --- |
| show services dns-snooping cache | Display DNS snooping cache information to view the mapping of IP addresses to Fully Qualified Domain Names (FQDNs). |
| show services dns-snooping counters | Display DNS snooping counter details. |

Check DNS Snooping Cache

Purpose

View and verify the details of the DNS snooping cache.

Action

From operational mode, run the show services dns-snooping cache command.

Meaning

The output displays the mapping of IP address to FQDN. You can also see the time-to-live (TTL) data in the output.

Check DNS Snooping Counters

Purpose

View and verify the details of the DNS snooping counters.

Action

From operational mode, run the show services dns-snooping counters command.

Meaning

The output displays DNS snooping counter details, including the number of sessions processed, allocated and free memory, and AppID errors (if any).

Set Commands on All Devices

Set Commands on SRX Series Firewall

Show Configuration Output

From configuration mode, confirm your configuration by entering the relevant show commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

Global Address Book

Services

Security Policies

Security Zones

Interfaces