
Configuring the Device as a DNS Proxy

The Junos operating system (Junos OS) incorporates domain name system (DNS) support, which allows you to use domain names as well as IP addresses for identifying locations. A DNS server keeps a table of the IP addresses associated with domain names. Using DNS enables an SRX300, SRX320, SRX340, SRX345, SRX550M, or SRX1500 device to reference locations by domain name (such as www.example.net) in addition to using the routable IP address.

DNS features include:

  • DNS proxy cache—The device proxies hostname resolution requests on behalf of the clients behind the SRX Series Firewall. DNS proxy improves domain lookup performance by using caching.

  • Split DNS—The device redirects DNS queries over a secure connection to a specified DNS server in the private network. Split DNS prevents malicious users from learning the network configuration, and thus also prevents domain information leaks. Once configured, split DNS operates transparently.

  • Dynamic DNS (DDNS) client—Servers protected by the device remain accessible despite dynamic IP address changes. For example, a protected Web server continues to be accessible with the same hostname, even after the dynamic IP address is changed because of address reassignment by the Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol (PPP) by Internet service provider (ISP).

To configure the device as a DNS proxy, you enable DNS proxy on a logical interface and configure the DNS servers that queries are forwarded to. Configuring a static cache enables branch office and corporate devices to use hostnames to communicate. Configuring dynamic DNS (DDNS) clients keeps protected servers reachable by hostname when their IP addresses change.

Perform the following procedure to configure the device as a DNS proxy server by enabling DNS proxy on a logical interface—for example, ge-2/0/0.0—and configuring a set of name servers that are to be used for resolving the specified domain names. You can specify a default domain name by using an asterisk (*) and then configure a set of name servers for resolution. Use this approach when you need global name servers to resolve domain name entries that do not have a specific name server configured.

  1. DNS proxy with non-split DNS configuration

    • Enable DNS proxy on a logical interface.

    • Set the DNS resolver (forwarder) to which received DNS queries are forwarded.

    • If you are done configuring the device, commit the configuration.

      To verify that the configuration is working properly, execute the show command.

  2. DNS proxy with split DNS configuration

    • Enable DNS proxy on a logical interface.

    • Configure a view for split DNS, specifying the internal IP interface that handles the DNS query and the logical subnet address that the view matches.

    • Set a default internal domain name, and specify the IP address of the server to which DNS queries for that domain are forwarded.

    • Configure a view for split DNS, specifying the external IP interface that handles the DNS query and the logical subnet address that the view matches.

    • Set a default external domain name, and specify the IP address of the server to which DNS queries for that domain are forwarded.

    • If you are done configuring the device, commit the configuration.

      To verify that the configuration is working properly, execute the show command.

  3. DNS proxy cache configuration

    • Configure the DNS proxy static cache entries, specifying each host's IPv4 address.

    • If you are done configuring the device, commit the configuration.

      To verify that the configuration is working properly, execute the show command.

  4. Dynamic DNS proxy configuration

    • Enable the DDNS client.

    • Configure the DDNS server that the client sends its address updates to.

    • If you are done configuring the device, commit the configuration.

      To verify if the configuration is working properly
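The four procedures above combined into one configuration, as an added example that is not part of the original page: split DNS for an internal zone, a default forwarder for everything else, a static cache entry, and a DDNS client. Statement names follow the Junos `system services dns dns-proxy` and `system services dynamic-dns` hierarchies as the editor knows them; interface names, addresses, domain names and the credential are constructed placeholders.

```junos
system {
    services {
        dns {
            dns-proxy {
                /* Listen for client queries on the inside interface (constructed name). */
                interface {
                    ge-0/0/1.0;
                }
                /* Split DNS: clients in 10.10.10.0/24 asking about corp.example.com
                   are answered by the internal resolver only, so the internal
                   namespace is never sent to the public forwarders below. */
                view internal-view {
                    match-clients {
                        10.10.10.0/24;
                    }
                    domain corp.example.com {
                        forwarders {
                            10.10.10.53;
                        }
                    }
                }
                /* Non-split fallback: any name not matched by a view goes here. */
                default-domain * {
                    forwarders {
                        192.0.2.53;
                    }
                }
                /* Static cache entry answered locally without forwarding anything. */
                cache {
                    intranet.corp.example.com inet 10.10.10.80;
                }
            }
        }
        dynamic-dns {
            /* Keeps the public name pointing at the ISP-assigned address of ge-0/0/0.0. */
            client www.example.net {
                server dyndns;
                username ddns-user;
                password "PLACEHOLDER-SECRET"; /* placeholder; Junos stores it encrypted on commit */
                agent junos-srx;
                interface ge-0/0/0.0;
            }
        }
    }
}
```

After `commit`, check behaviour with `show system services dns dns-proxy statistics`, `show system services dns dns-proxy cache` and `show system services dynamic-dns client`; a query for the internal zone from a client outside 10.10.10.0/24 should be answered from the default forwarders, not the internal resolver.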