SRX

We have a domain, gitserver.ourdomain.com, whose DNS points to our WAN IP address. Our Juniper is then configured with NAT to send requests to our reverse proxy (Nginx).  Everything works great externally.  However, internally, we cannot access gitserver.ourdomain.com because of the way the NAT is set up.  I'm fairly new to the Juniper world, so instead of configuring a new NAT entry, I thought I'd just use the static-host-mapping method to point gitserver.ourdomain.com to the IP address:

static-host-mapping {
    gitserver.ourdomain.com inet 192.168.1.22;
}

But this does not work.  When I ping it internally (after flushing DNS), it still resolves to the WAN address.  What am I missing?

static-host-mapping is used to resolve SRX originated traffic. It has no effect on transit traffic which you are generating internally.

You may add static entry in your PC's hosts file for your domain with internal IP address. Refer: https://www.howtogeek.com/howto/27350/beginner-geek-how-to-edit-your-hosts-file/

Or if you are using static nat in SRX for your DNS, you may try dns doctoring:  https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-dns-algs.html

Thank you for the response. I'll look into DNS doctoring.  The goal was to simplify management as much as possible, so I don't really want to use the local hosts file and have to keep it synced on all PCs.  We are currently using DNS Forward Lookup zones, but I was hoping to manage all of this in one or two places (Nginx, Juniper).

I think you are looking for the dns proxy functionality on the SRX: https://www.juniper.net/documentation/en_US/junos/topics/concept/dns-proxy-device-configuration-overview.html

There you can define static "cache" entries besides your forwarders. Look at "DNS proxy cache configuration" on above URL.

Let me know if you need a more specific example.

I saw that you deleted your previous post. You were missing the interface on the dns-proxy configuration where the SRX should listen for DNS requests. Example which is copied directly from a working installation.

This example forwards all requests for somedomain.local to 10.20.30.10 and everything else to 1.1.1.1 or 1.0.0.1.

Also remember to allow dns under host-inbound-services in your zone definition.

user@fw# show system services dns dns-proxy
interface {
    irb.10;
}
view internal {
    match-clients 10.10.0.0/24;
    domain somedomain.local {
        forwarders {
            10.20.30.10;
        }
    }
    domain * {
        forwarders {
            1.1.1.1;
            1.0.0.1;
        }
    }
}


user@fw# show security zones security-zone trust interfaces irb.10
host-inbound-traffic {
    system-services {
        dhcp;
        ping;
        ssh;
        dns;
    }
}

Thank you, I appreciate the extra effort.

Since my original question was about why static-host-mapping doesn't work I accepted the answer from Nellikka.