Screen OS

  • 1.  SSG-140 block P2P - how to forward all traffic on port 53 to OpenDNS?

    Posted 10-14-2011 05:25

    We have an SSG-140 acting as DHCP server for our local networks. We are using the ISP's DNS settings. We have a request to block all P2P traffic. I know that we need IDP for this, but for now we will try OpenDNS. We want users to stay blocked even if they change the DNS settings on their machines (they all have admin privileges).
    So the question is how to forward all traffic from the LAN on port 53 to OpenDNS on the SSG-140 firewall.
    Does anybody have experience with how many users OpenDNS can serve without slowing down the internet?

    Thanks.



  • 2.  RE: SSG-140 block P2P - how to forward all traffic on port 53 to OpenDNS?
    Best Answer

    Posted 10-14-2011 09:23

    On sites using opendns we create two policies to enforce the use of these servers.

     

    1- from trust to untrust permit dns to the opendns servers

    2- from trust to untrust deny dns to any address

     

    This pair allows the requests to the right servers first and then any other use of dns from the client zone is blocked.
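The two policies described in this answer, written out as ScreenOS CLI for an SSG. This is an added example and is not part of the original reply. It assumes the zones are named Trust and Untrust, the LAN interface is bgroup0, policy IDs 10 and 11 are unused, the existing general Trust-to-Untrust permit is policy id 1, and the OpenDNS resolver addresses are 208.67.222.222 and 208.67.220.220 (check these against OpenDNS's current documentation). Lines beginning with # are annotations, not CLI.

```text
# Address objects for the OpenDNS resolvers, placed in the Untrust zone
set address "Untrust" "OpenDNS-1" 208.67.222.222 255.255.255.255
set address "Untrust" "OpenDNS-2" 208.67.220.220 255.255.255.255
set group address "Untrust" "OpenDNS" add "OpenDNS-1"
set group address "Untrust" "OpenDNS" add "OpenDNS-2"

# 1. Permit DNS (the predefined service covers UDP and TCP 53) only to OpenDNS
set policy id 10 from "Trust" to "Untrust" "Any" "OpenDNS" "DNS" permit log

# 2. Deny DNS to every other destination; logging shows which clients
#    are still pointed at a different resolver
set policy id 11 from "Trust" to "Untrust" "Any" "Any" "DNS" deny log

# ScreenOS evaluates policies top-down, so both DNS rules must sit above
# the general permit (assumed here to be policy id 1); result: 10, 11, 1
set policy move 10 before 1
set policy move 11 before 1

# Hand out the same resolvers from the SSG's DHCP server so clients that
# leave DNS alone keep working (interface name is an assumption)
set interface bgroup0 dhcp server option dns1 208.67.222.222
set interface bgroup0 dhcp server option dns2 208.67.220.220
save
```

The deny rule with `log` is worth keeping: it gives a per-client view of who is trying to bypass the resolvers. Note the scope of the control: it only constrains plain DNS on port 53 from the Trust zone. A user with admin rights can still tunnel name resolution over another port, and many P2P clients reach peers by IP address without DNS at all, which is why the original poster's remark that IDP is the real fix stands.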



  • 3.  RE: SSG-140 block P2P - how to forward all traffic on port 53 to OpenDNS?

    Posted 10-15-2011 06:49

    Thanks. I will try this.



  • 4.  RE: SSG-140 block P2P - how to forward all traffic on port 53 to OpenDNS?

    Posted 06-02-2014 21:53

    Hello Spuluka

     

    Can you tell me in which part of my configuration I should permit dns to the opendns servers in a Junos SRX100?


     

    set security policies from-zone trust to-zone untrust policy Internet match source-address any
    set security policies from-zone trust to-zone untrust policy Internet match destination-address any
    set security policies from-zone trust to-zone untrust policy Internet match application " "
    set security policies from-zone trust to-zone untrust policy Internet then permit

     

    set security policies from-zone trust to-zone untrust policy Block-DNS match source-address any
    set security policies from-zone trust to-zone untrust policy Block-DNS match destination-address any
    set security policies from-zone trust to-zone untrust policy Block-DNS match application any
    set security policies from-zone trust to-zone untrust policy Block-DNS then deny

     

    Regards.



  • 5.  RE: SSG-140 block P2P - how to forward all traffic on port 53 to OpenDNS?

     
    Posted 06-02-2014 21:59

    Hi Aaron,

     

    I would suggest changing the first policy's destination from 'Any' to the IP addresses of OpenDNS and its application to DNS.

     

    Please post the query in SRX (http://forums.juniper.net/t5/SRX-Services-Gateway/bd-p/srx) section for expert comments.



  • 6.  RE: SSG-140 block P2P - how to forward all traffic on port 53 to OpenDNS?

    Posted 06-03-2014 07:45

    In the permit rule you will set the destination address to be the ip addresses of the open dns servers.

     

    In both rules you will set the application to be dns.
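The two changes from this reply applied to the SRX100 configuration posted above, as an added example that is not part of either reply. It assumes the zones are trust and untrust, the existing catch-all policy is named Internet as posted, and the OpenDNS resolvers are 208.67.222.222 and 208.67.220.220; the names Allow-OpenDNS, opendns-1, opendns-2 and opendns are made up for this example. Lines beginning with # are annotations, not CLI.

```text
# Address objects in the untrust zone's address book
set security zones security-zone untrust address-book address opendns-1 208.67.222.222/32
set security zones security-zone untrust address-book address opendns-2 208.67.220.220/32
set security zones security-zone untrust address-book address-set opendns address opendns-1
set security zones security-zone untrust address-book address-set opendns address opendns-2

# 1. Permit DNS only to the OpenDNS set, using the predefined DNS
#    applications (UDP and TCP 53) instead of a blank or "any"
set security policies from-zone trust to-zone untrust policy Allow-OpenDNS match source-address any
set security policies from-zone trust to-zone untrust policy Allow-OpenDNS match destination-address opendns
set security policies from-zone trust to-zone untrust policy Allow-OpenDNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy Allow-OpenDNS match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy Allow-OpenDNS then permit
set security policies from-zone trust to-zone untrust policy Allow-OpenDNS then log session-init

# 2. Deny DNS to any other destination. The posted Block-DNS matches
#    application "any", which would block all traffic, not just DNS, so
#    remove that match before adding the DNS applications
delete security policies from-zone trust to-zone untrust policy Block-DNS match application any
set security policies from-zone trust to-zone untrust policy Block-DNS match source-address any
set security policies from-zone trust to-zone untrust policy Block-DNS match destination-address any
set security policies from-zone trust to-zone untrust policy Block-DNS match application junos-dns-udp
set security policies from-zone trust to-zone untrust policy Block-DNS match application junos-dns-tcp
set security policies from-zone trust to-zone untrust policy Block-DNS then deny
set security policies from-zone trust to-zone untrust policy Block-DNS then log session-init

# Policies are evaluated in order. As posted, Block-DNS sits after the
# permit-any Internet policy and would never match; move both DNS rules
# ahead of it (final order: Allow-OpenDNS, Block-DNS, Internet)
insert security policies from-zone trust to-zone untrust policy Allow-OpenDNS before policy Internet
insert security policies from-zone trust to-zone untrust policy Block-DNS before policy Internet
commit
```

After committing, `show security policies from-zone trust to-zone untrust` should list Allow-OpenDNS first, then Block-DNS, then Internet. The same caveat as for the ScreenOS version applies: this enforces which resolver clients use on port 53, nothing more.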



  • 7.  RE: SSG-140 block P2P - how to forward all traffic on port 53 to OpenDNS?

    Posted 06-03-2014 19:11

    Thank you, guys.