SRX Services Gateway
Visitor
kfrankovich@sscinc.com
Posts: 8
Registered: ‎05-23-2011
Accepted Solution

SRX and DNS Name Server

Greetings,

I am trying to set up an SRX 100 to be a DNS name server.

I have enabled it by running set system services dns and then configured the forwarders, max-cache-ttl and max-ncache-ttl options, but it doesn't appear to be working.

Is there something else I need to do? If the SRX cannot do this, is there some way of doing it on an EX4200?

I am running 10.4 on all equipment at the moment.

Thank you in advance for any advice.

Distinguished Expert
firewall72
Posts: 826
Registered: ‎05-04-2008

Re: SRX and DNS Name Server

Hi,

I believe this should work, but I've never tried it. How are you permitting DNS? Have you added the system services to the zone or interface?

set security zones security-zone trust host-inbound-traffic system-services dns

John

John Judge
JNCIS-SEC, JNCIS-ENT,

If this solves your problem, please mark this post as "Accepted Solution". Kudos are appreciated.
Visitor
kfrankovich@sscinc.com
Posts: 8
Registered: ‎05-23-2011

Re: SRX and DNS Name Server

Greetings,

Thank you for your reply. I have set up the inbound host services on the private side. However, when I run a port scan I show TCP 53 closed and UDP 53 filtered, even after enabling the DNS name server and configuring forwarders.

It appears that enabling that command doesn't actually do anything.

Any further thoughts?
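The port scan described in the post above can be made more specific by sending a real DNS query to the trust-side address and checking whether a well-formed answer comes back: a timeout corresponds to the "filtered" result (nothing listening, or traffic dropped), an ICMP port-unreachable to "closed", and a parsed reply to a working resolver. This is an added example written for this page, not code from the thread or from Juniper; the resolver address 192.0.2.1, the probe name and the sample reply bytes are constructed placeholders.

```python
"""Check whether a host actually answers DNS on UDP/53 (added example, not from the thread)."""
import socket
import struct

# Constructed transaction ID used for both the query and the sample reply below.
QUERY_ID = 0x1234


def build_query(name: str, qid: int = QUERY_ID) -> bytes:
    """Build a standard recursive A query in DNS wire format (RFC 1035 section 4.1)."""
    # Header: ID, flags with RD=1, QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero byte.
    question = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    # QTYPE=A (1), QCLASS=IN (1).
    return header + question + struct.pack("!HH", 1, 1)


def _read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (dotted name, offset just after it)."""
    labels = []
    jumped = False
    end = offset
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2  # the name occupies only the pointer in the record
            jumped = True
            offset = pointer
            continue
        if length == 0:
            offset += 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_response(msg: bytes, expected_id: int = QUERY_ID) -> dict:
    """Validate a DNS reply and return its RCODE and any A-record addresses."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is not a response")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:  # A record
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "answers": answers}


def probe_resolver(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one UDP query and classify the outcome.

    'no_response'  -> timeout: nothing listening or traffic filtered (a port scan shows "filtered")
    'unreachable'  -> ICMP port unreachable came back (a port scan shows "closed")
    'answered'     -> a parsed reply with RCODE 0
    'error_rcode'  -> a parsed reply with a non-zero RCODE
    """
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return {"status": "no_response"}
        except ConnectionRefusedError:
            return {"status": "unreachable"}
    result = parse_response(data)
    result["status"] = "answered" if result["rcode"] == 0 else "error_rcode"
    return result


# Constructed sample reply: example.com A 192.0.2.10, answer name given as a
# compression pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", QUERY_ID, 0x8180, 1, 1, 0, 0)
    + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 10])
)

if __name__ == "__main__":
    # Placeholder address: replace with the SRX trust-side interface address.
    print(probe_resolver("192.0.2.1"))
```

Run it from a host in the trust zone against the SRX interface address; a resolver that listens only on 127.0.0.1, as the thread later establishes, produces 'no_response' from every other host.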

Trusted Contributor
mawr
Posts: 236
Registered: ‎06-11-2010

Re: SRX and DNS Name Server

Are you using stateless filters on your loopback interface, by any chance?

mawr

Visitor
kfrankovich@sscinc.com
Posts: 8
Registered: ‎05-23-2011

Re: SRX and DNS Name Server

I do not have anything configured on the loopback address. I am using fe-0/0/2, which is my trust interface.

I have all protocols and services configured on the zone itself, not on the interface.

I am running 10.4R4.5 if that helps any.

I don't see any particular way to bind the DNS service to an interface. Could this be my problem?

Distinguished Expert
pk
Posts: 819
Registered: ‎10-09-2008

Re: SRX and DNS Name Server

Hi

Try to look at these files:

show log /var/tmp/named.run

file show /etc/named.conf

In my case the log says

25-May-2011 03:38:36.856 not listening on any interfaces

and I see no way to fix this via config. It looks like this feature is not working properly, and, by the way, it seems to be almost undocumented. So even if it may be possible to make it work, better not to expect much from it.

As for the EX4200, it does not even have the [system services dns] stanza.

Best Regards,
Petr (PK)

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
[Juniper Authorized Education & Support in Russia]
Visitor
kfrankovich@sscinc.com
Posts: 8
Registered: ‎05-23-2011

Re: SRX and DNS Name Server

pk, thank you very much. I see the same message in my log.

I think you are right that for some reason these config options exist, but whatever feature they are supposed to implement either isn't complete, is broken, or was never intended to work.

For the heck of it, I opened a case with Juniper to see what they have to say, but I am not expecting much.

For anyone else who sees the dns config: pk is right in that it basically doesn't work.

Thank you!

Contributor
cluckduck
Posts: 10
Registered: ‎05-31-2010

Re: SRX and DNS Name Server

kfrankovich@sscinc.com wrote:

> For the heck of it...I opened a case with Juniper to see what they have to say...but I am not expecting much.

Please let us know what JTAC say about this -- an implementation of BIND in JUNOS would be an interesting/useful feature indeed.

Cheers!

Visitor
kfrankovich@sscinc.com
Posts: 8
Registered: ‎05-23-2011

Re: SRX and DNS Name Server

I just got the following from JTAC. Pretty much says it all!!!

Problem: DNS forwarders not working.

A minor problem related to it: DNS traceoptions not being logged.

Solution: DNS forwarders are not supported as of now in SRX. This feature was earlier present but was removed due to various issues.

The DNS internally listens only on 127.0.0.1, which is of no practical use.

DNS forwarding is no longer supported since it was removed along with BIND version 8 back in 9.3. We upgraded BIND to 9 but have no plans to bring back DNS forwarding. The DNS forwarder currently in place is used with DNSSEC and is not intended for proxying, which explains why it's not listening on any interfaces other than localhost. The documentation team has been sensitized about this to remove any confusion on this matter. I'm sorry for the inconvenience this has caused.

If you need to have DNS forwarding (as a proxy) implemented in your network, you should go ahead and contact your Juniper account representative to file an enhancement request. Otherwise, let me know if you have further questions or if you're ready to close the case.

As for the traceoptions, the file is saved under /var/named. If the 'file' option is not specified, the default filename is /var/named/named.run. Though I do not think this would be of any help to you, as the feature itself is not supported.
