Previously I wrote about how to configure a Juniper SRX as a DNS proxy. I've now been testing it on our guest network and have some hard numbers and some experience to share about using the feature.
First, the setup: we're using a little ol' SRX100B as the gateway for a cable modem service. Behind it we have 200-300 clients, mostly wireless. This network serves our guest network as well as a dedicated SSID for employee-owned devices (personal phones, computers, tablets, etc.). It is largely unfiltered, with guests and employees having pretty much free rein on the internet. At the moment there are 220 devices active in the ARP table. The cable modem is a standard business-class connection with 50 Mb service. Surprisingly, the cable modem holds up well under this kind of load, with no user complaints, and observed speed is always good. This SRX is running Junos 12.1X44-D25.5.
For the past 3 weeks this SRX has been the DNS proxy for 100% of the DNS requests on this network. Let's take a look at the counters over that time:
> show system services dns-proxy statistics
DNS proxy statistics :
Status : enabled
IPV4 Queries received : 3557611
IPV6 Queries received : 0
Responses sent : 3520092
Queries forwarded : 1699966
Negative responses : 429619
Positive responses : 3090473
Retry requests : 37456
Pending requests : 63
Server failures : 29099
Interfaces : fe-0/0/2.0
In the past 3 weeks we have proxied approximately 3.5 million DNS requests through the SRX.
I've been monitoring the statistics throughout that time and we consistently hit the cache about 50% of the time (in the counters above, that is the share of queries received that were not forwarded upstream). Currently there are about 5600 entries in the cache. 430k requests received a negative response, and the 29k server failures also seem notable.
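As an added example that is not part of the original post, here is a small Python snippet that parses the counter output above and derives the figures discussed in this paragraph: the cache hit ratio (taken here as queries received but not forwarded upstream, which is an assumption about what the counters mean), the negative-response share, and server failures as a fraction of forwarded queries. The alerting threshold and the consistency check (positive plus negative responses should equal responses sent) are my own choices, not anything Juniper documents.

```python
import re
from typing import Dict, Union

# Output of 'show system services dns-proxy statistics' as quoted in the post.
STATS_OUTPUT = """\
DNS proxy statistics :
Status : enabled
IPV4 Queries received : 3557611
IPV6 Queries received : 0
Responses sent : 3520092
Queries forwarded : 1699966
Negative responses : 429619
Positive responses : 3090473
Retry requests : 37456
Pending requests : 63
Server failures : 29099
Interfaces : fe-0/0/2.0
"""

# "<label> : <value>"; the value may be empty, numeric, or a string.
_LINE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")


def parse_stats(text: str) -> Dict[str, Union[int, str]]:
    """Turn the CLI output into a dict; numeric values become ints."""
    stats: Dict[str, Union[int, str]] = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2)
        stats[key] = int(val) if val.isdigit() else val
    return stats


def dns_proxy_health(text: str, max_server_failure_ratio: float = 0.05) -> dict:
    """Derive hit rate, negative share and upstream failure rate from the counters.

    max_server_failure_ratio is a hypothetical alerting threshold chosen for this
    example; tune it to what your upstream resolvers normally produce.
    """
    s = parse_stats(text)
    received = int(s["IPV4 Queries received"]) + int(s["IPV6 Queries received"])
    forwarded = int(s["Queries forwarded"])
    # Assumption: a query that was received but not forwarded was answered
    # from the proxy's cache. Retries are not separated out here.
    cache_hit_ratio = (received - forwarded) / received if received else 0.0
    negative_ratio = int(s["Negative responses"]) / received if received else 0.0
    # Failures only make sense relative to the queries that went upstream.
    server_failure_ratio = int(s["Server failures"]) / forwarded if forwarded else 0.0
    responses_consistent = (
        int(s["Positive responses"]) + int(s["Negative responses"]) == int(s["Responses sent"])
    )
    return {
        "enabled": s.get("Status") == "enabled",
        "cache_hit_ratio": cache_hit_ratio,
        "negative_ratio": negative_ratio,
        "server_failure_ratio": server_failure_ratio,
        "responses_consistent": responses_consistent,
        "upstream_unhealthy": server_failure_ratio > max_server_failure_ratio,
    }


if __name__ == "__main__":
    for k, v in dns_proxy_health(STATS_OUTPUT).items():
        print(f"{k}: {v}")
```

Run against the quoted output this gives a hit ratio of about 52%, which matches the "about 50%" figure, with server failures at under 2% of forwarded queries.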
As a second test, I also wanted to experiment with blocking ad sites through the DNS cache. There is a site that maintains a large list of DNS entries to block for this very purpose; that list is approximately 15k entries long. I took that list and converted it to set commands, i.e.
set system services dns-proxy cache adwords.com x.x.x.x
Using the ever-convenient 'load set terminal', I pasted all 15k entries into my SRX. The SRX was only able to parse the first 6999 entries, so that must be a hard limit. I'll have to try this on another model to test whether it is platform specific. I didn't attempt to commit that many entries; my fear was that if I statically assign 7000 entries I won't have any room left for cached entries.
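As an added example (not code from the original post), here is a Python converter for the procedure above. It assumes the blocklist is in hosts-file format (one "0.0.0.0 hostname" per line, the form most such lists are published in), uses a hypothetical sink address from the RFC 5737 documentation range in place of x.x.x.x, emits the set command in the form shown above, and splits the output into batches no larger than the 6999 lines that 'load set terminal' accepted, so each batch can be pasted and checked with 'show | compare' separately. The optional family keyword is there because some Junos releases document an 'inet' keyword between the hostname and the address; check the syntax for your release. The sample list is constructed for the example.

```python
import re
from typing import List

# Constructed sample in hosts-file format (not the list the post refers to).
SAMPLE_HOSTS = """\
# constructed sample blocklist
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # mixed case, trailing comment
0.0.0.0 ads.example.com       # duplicate
0.0.0.0 bad_host.example      # underscore is not valid in a hostname
0.0.0.0 metrics.example.org
"""

# Observed in the post: 'load set terminal' on the SRX100B stopped after 6999 lines.
PARSE_LIMIT = 6999

# Hypothetical sink address standing in for x.x.x.x (RFC 5737 TEST-NET-1).
SINK_IP = "192.0.2.1"

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

_SKIP = {"localhost", "localhost.localdomain", "broadcasthost"}


def is_hostname(name: str) -> bool:
    """Reject anything the SRX would refuse or that we should never sink."""
    if len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_hosts(text: str) -> List[str]:
    """Extract unique, lower-cased, valid hostnames in first-seen order."""
    seen = set()
    names: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                         # need "<address> <name...>"
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name in _SKIP or name in seen or not is_hostname(name):
                continue
            seen.add(name)
            names.append(name)
    return names


def set_command(name: str, sink_ip: str, family_keyword: str = "") -> str:
    """Build one line in the form used in the post.

    family_keyword="" reproduces the post's form; pass "inet" on releases
    whose syntax documents an address-family keyword before the address.
    """
    middle = f" {family_keyword}" if family_keyword else ""
    return f"set system services dns-proxy cache {name}{middle} {sink_ip}"


def hosts_to_batches(text: str, sink_ip: str = SINK_IP, limit: int = PARSE_LIMIT,
                     family_keyword: str = "") -> List[List[str]]:
    """Convert a hosts-format blocklist into paste-sized batches of set commands."""
    cmds = [set_command(n, sink_ip, family_keyword) for n in parse_hosts(text)]
    return [cmds[i:i + limit] for i in range(0, len(cmds), limit)]


if __name__ == "__main__":
    for idx, batch in enumerate(hosts_to_batches(SAMPLE_HOSTS, limit=2), start=1):
        print(f"# batch {idx}: {len(batch)} entries")
        print("\n".join(batch))
```

Pasting one batch at a time also lets you watch the cache entry count after each commit, which is the practical way to find out whether static entries really crowd out dynamic ones as feared above.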
Finally, how is the performance? As a user on that guest network, the performance seems fine; I didn't notice any change for better or worse, to be honest. Ultimately I need to test against something better known, like a Linux box running dnsmasq, to compare, especially the hit rate. Anything in cache tends to respond in 7-8 ms; things not in cache take the typical 45-90 ms.
As a bonus, out of those 5xxx entries in the cache, here are some stats by domain:
Anything containing Apple, MobileMe or iCloud: 674 entries
Anything containing Google: 422 entries
Anything containing Akamai: 794 entries
Anything containing Amazon: 365 entries
Anything containing Cloudfront: 100 entries
Any response that is a CNAME: 2950 entries
Anything containing Facebook: 24 entries
Anything containing Twitter: 2 entries