SRX

Hi there!

Just started using Juniper and I'm currently trying to configure a SRX100 to our needs. But there seems to be a DNS problem with my configuration. The routing seems to work, pinging IP addresses works. The boxes DNS resolution works, but when trying to ping from a laptop within any internal zone, I don't get an IP address back. Did I miss any specific DNS configurations?

• 2 WAN zones (ISP1, ISP2)
• 1 Internal Zone (INT)
• 3 DMZ (WEB, FON, DEV)

Any thoughts appreciated!

Adrian

Attachment(s)

config.txt   14 KB 1 version

Hello,

Is Your laptop getting its IP address via DHCP from SRX?

If yes then You did not specify name-server in DHCP options:

        dhcp {
            pool 192.168.6.0/24 {
                address-range low 192.168.6.100 high 192.168.6.199;
                router {
                    192.168.6.1;
                }
                name-server {
                    8.8.8.8;
                    8.8.4.4;
                }

            }
        }

 HTH

Thanks
Alex

I added the name servers to the DHCP config, thanks, I missed that one. But the the laptop has a static configuration and I set the DNS server accordingly.

Are you getting anything back with an nslookup for example?

Also, can you telnet to to the DNS server on port 53?

If you are not getting to the DNS server with telnet, you should enable a flow trace, it may reveal where the traffic is getting dropped and why:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16108

Hi there,

You are likely to have to valid route in "routing-table-ISP1" instance:

routing-instances {
	routing-table-ISP1 {
		instance-type forwarding;
		routing-options {
			static {
				route 0.0.0.0/0 {
					next-hop 1.1.1.1;
				}
			}
		}
	}

 1.1.1.1 must be a valid ARP-replying nexthop on directly connected interface for the above route to be active/forwarding packets.

Please post the printout:

show route 0/0 exact | no-more

 HTH

Thanks
Alex

Telnet to port 53 does not work. It seems the packets are dropped but I don't see any rule which would be the reason for that. ISP1 is not connected because that is our main connection, I can only work on that on Sundays. Currently everything is routed via ISP2. Ping etc. works fine, except DNS is not willing to answer.

aw@srx100> show route 0/0 exact | no-more

inet.0: 11 destinations, 11 routes (11 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 01:56:02
                    > to 192.168.10.1 via fe-0/0/1.0

routing-table-ISP2.inet.0: 9 destinations, 9 routes (9 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 00:18:56
                    > to 192.168.10.1 via fe-0/0/1.0

aw@srx100> ping www.audi.de
PING a1845.r.akamai.net (193.45.14.153): 56 data bytes
64 bytes from 193.45.14.153: icmp_seq=0 ttl=55 time=13.694 ms
64 bytes from 193.45.14.153: icmp_seq=1 ttl=55 time=12.332 ms
64 bytes from 193.45.14.153: icmp_seq=2 ttl=55 time=13.226 ms
--- a1845.r.akamai.net ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 12.332/13.084/13.694/0.565 ms

Hi there,

---

info@xbdx.de wrote:

Telnet to port 53 does not work. It seems the packets are dropped but I don't see any rule which would be the reason for that. ISP1 is not connected because that is our main connection, 

---

It does not matter if ISP1 is not connected, Your laptop' packets coming i.e. into fe-0/0/3 (which has input filter input routing_filter_WEB) are put into routing_table_ISP1 which has no valid route.

Your other post showing ping to www.audi.de from SRX100 itself is orthogonal to the "DNS from laptop" issue. SRX uses name-server configured under [system name-server] which You have populated with public DNS servers.

You may also want to disable DNS ALG on SRX or disable DNS doctoring:

set security alg dns disable
set security alg dns doctoring none

HTH

Thanks
Alex

Ok, got it working. The problem was me using a too old version of the CLI Reference which didn't have the dns-proxy command.

Added to system:

dns {
  dns-proxy {
    interface {
      fe-0/0/2.0;
      fe-0/0/3.0;
      fe-0/0/4.0;
      fe-0/0/5.0;
    }
    default-domain * {
      forwarders {
        194.25.0.68;
	213.73.91.35;
      }
    }
  }
}

And add dns to each relevant zone in security:

security-zone INT {
  interfaces {
    fe-0/0/2.0 {
      host-inbound-traffic {
        system-services {
          ping;
          https;
	  dns;
        }
      }
    }
  }
}

Hi,

Are you using your SRX for DHCP?  I assume you are,  you have no name-server set in your config so your clients do not know where to look for DNS resolution.

user@host# set system services dhcp pool 192.168.6.0/24 name-server xxx.xxx.xxx.xxx

http://kb.juniper.net/InfoCenter/index?page=content&id=KB15754