Cache DNS server in SRX

Starting from 12.1X44-D10, an SRX box can also run as a cache only DNS server or dns proxy
if we are to adhere to what is called in the documentation. It has also view support i.e
you can direct DNS queries to specific DNS servers based on the source address.

 

dns_server_proxy_cache_srx2.ndg

In this topology, I have a web server whose local
address is 192.168.200.2  but externally it has
212.45.65.10 address and I would like to
respond with local address to local clients
in this example to make my life easier
(I am not interested in DNS responses to
Internet in this post)

 

 

 

[edit system services dns]
root@SRX# show

dns-proxy {
    interface {
        ge-0/0/1.0;
    }
    view internal_dns {
        match-clients 212.45.63.0/24;
        domain example.com {
            forwarders {
                192.168.103.20;
            }
        }
    }
}


This config literally means;

  • Enable DNS cache service on interface ge-0/0/1.0
  • if any request comes from 212.45.63.0/24 network for example.com domain name, forward the query to 192.168.103.20 DNS server
  • For any requests other than example.com do a recursive query and provide the answer to the client

As you can see, SRX can return local DNS server’s reply to the internal client. Depending on
your DNS infrastructure, hosts outside of your local LAN can receive public IP addresses to
their queries. (I am not touching this topic here).

For this above config to work you must also allow DNS traffic on the internal zone e.g

set security zones security-zone internal host-inbound-traffic system-services dns

Let’s assume that client has already requested www.example.com from the SRX device. You can see if this entry is saved in SRX’s cache or not;

root@SRX#run show system services dns-proxy cache | match www.example.com 
www.example.com.          10769          A           IN       192.168.200.2

You may be asking how SRX can do hostname to IP resolution like a DNS server. Actually it has all root
dns server addresses  in /var/named/named.root file by which it can send its queries.

If you want to clear all DNS cache in SRX, simply execute the command;

 >clear system services dns-proxy cache

I suppose that from now on, you can discover the rest of the feature yourselves:)

About: rtoodtoo

Worked for more than 10 years as a Network/Support Engineer and also interested in Python, Linux, Security and SD-WAN // JNCIE-SEC #223 / RHCE / PCNSE


6 thoughts on “Cache DNS server in SRX”

  1. That’s good news, I was considering putting this in only to read they had, for at least awhile, removed this feature when they removed bind8 around 9.3 . Thanks for blogging it!

  2. Hi Genco,

    What about the rest of the queries which are entering through ge-0/0/1 interface , which might be from clients
    different from 212.45.63.0/24 or for different domains other than example.com ?

    Would SRX send them to the “name server” defined in the config or the DNS resolvers in “/var/named/named.root” ?

    Can we check what DNS servers(IPs) are there in /var/named/named.root ?

    Thanks,
    San

    1. Hi San,
      Other clients’ queries (i.e other than 212.45.63.0/24) will be processed recursively i.e SRX will do recursive query like a BIND DNS server by consulting root DNS servers configured in /var/named/named.root
      This query has nothing to do with the name-server configuration of SRX. Even if you don’t configure any name-server in SRX “set system name-server 8.8.8.8”, DNS resolution of the queries will be responded as SRX itself is a cache only DNS server in this setup.
      I just wanted to show on this post that as you can do in BIND with view configuration, you can also do the same and add some exception to some network addresses and direct their queries to other DNS servers (i.e split dns)

      I hope it is more clear now.

      cheers
      Genco.

      1. Hi Genco ,

        Thanks for the clarification.

        Since you mentioned that SRX would send DNS queries to DNS servers hardcoded in /var/named/named.root., I would also like to know if we can check what server IP addresses are those ? (probably if there is any shell command for it ) and also can we can tweak those entries ?(to put in a DNS server of our choice)

        I would like to test a packet capture seeing that SRX is sending a recursive query to the same IP
        which is mentioned in /var/named/named.root and not the IP in name server or DNS proxy configuration.

        Thanks,
        San.

  3. Hi San,
    That file is the same as the internic root file at http://www.internic.net/domain/named.root
    you can also see it via
    >start shell
    %cat /var/named/named.root

    You don’t need to change this file but you can for example do a config like below;

    domain * {
    forwarders {
    192.168.103.20;
    }

    and can send every request to specific server as well. There are bunch of tricks. Better to check documentation for more details:)

Leave a Reply to SanCancel reply

Discover more from RtoDto.net

Subscribe now to keep reading and get access to the full archive.

Continue reading