I'm back again with another post on leveraging your SRX to provide services. In this installment, I'll be detailing how to enable and configure DNS proxy. See the related posts on FTP/SCP server and NTP Proxy.
We'll continue to leverage the power of Junos to add services t your SRX. If you've got an SRX in a branch office, lab, home or any other place that you might want to provide services, you should consider whether using the SRX as the DNS server may make sense for you. If you've got the SRX as the default gateway, especially if the SRX is providing DHCP services to your clients, I would suggest that would be a great use case for adding DNS services as well.
What are we trying to accomplish? We want to have the SRX answer DHCP queries for inside clients. The SRX will proxy those requests, return locally cached results if available, and query upstream for unknown hosts. We can even configure multiple upstream servers, with logic to decide what is applicable.
Now, this is a newer feature, so you will need to be running at least 12.1X44-D10 or newer to take advantage of this. This is also limited to the branch series SRX. At the time of this writing the current recommended code is still 11.4 for most SRX models, so read the release notes for any version you are considering.
We're using a Juniper SRX 240H running version 12.1X46-D15.3, but this should apply on any branch series with new enough code.
- We want to enable the DNS system service
#set security zone security-zone host-inbound-traffic system-services dns
- Next, we're going to configure the system service on the L3 interface. This could be a L3 vlan interface or a physical interface.
#set system services dns dns-proxy interface vlan.1
- Last, we're going to configure the upstream DNS servers
- Here is our default forwarder, for any unknown domain name
#set system services dns dns-proxy default-domain * forwarders 188.8.131.52
- Optionally, we can configure split dns, to send any domain specific queries somewhere else. In this case, we'll send our lab traffic back into the lab local lookups
#set system services dns dns-proxy default-domain mylab.com forwarders 192.168.1.2
- Verifying your setup. Here you can see an example of caching for a positive and negative response. The caching happens automatically.
# run show system services dns-proxy cache
Hostname Time-to-live Type Class IP address/Hostname
baddomain. 1787 \-ANY IN ;-$NXDOMAIN
juniper.net. 9246 A IN 184.108.40.206
You'll need to configure your clients to use the SRX as the DNS server, or better yet, modify your DHCP parameters to automatically update your clients.
Like most features targeted at the branch, DNS Proxy is easy to configure, convenient, and should be a set-and-forget. As an extra bonus, DNS could potentially be must faster for your clients. My response times dropped from 80ms to 7 ms if the item was in the SRX cache. Depending on your clients, browsing habits, etc, that speedup could be very noticeable.