Juniper/Netscreen Firewalls: What is Proxy DNS?

The DNS proxy feature on Juniper firewalls allows clients to "split" their DNS queries, for example:

meinezone1.de is to be directed to the name server ns1.domain.de, and

meinezone2.de is to be directed to the name server ns2.domain.de.

To achieve this, the firewall is configured on the clients as their "DNS proxy" (i.e. as their DNS server).


The DNS proxy feature provides a transparent mechanism that allows clients to make split DNS queries.

The proxy redirects the DNS queries selectively to specific DNS servers, according to partial or complete domain specifications. This is useful when VPN tunnels or PPPoE virtual links provide multiple network connectivity, and it is necessary to direct some DNS queries to one network, and other queries to another network.

Initialize Proxy DNS Server: Initiates or deletes the DDNS module. Initiating the module allocates all resources needed for DDNS. Deleting the module frees the resources.

Enable Proxy DNS Server: Enables the DDNS module.

This page also displays the DNS entry table, which lists partially-filled or fully-filled entries for a DNS proxy domain lookup. Such entries allow the NetScreen device to selectively direct DNS queries to different DNS servers. For example, you can direct all DNS queries with FQDNs containing a particular domain name to a corporate server, and direct all other DNS queries to an ISP server. To denote these other, unspecified queries, place an asterisk symbol in the Domain Name field (described below).

To display the DNS entry table, select either the Initialize Proxy DNS Server check box or the Enable Proxy DNS Server check box.

Domain Name: The FQDN (Fully-Qualified Domain Name) contained in each DNS query.

Interface: Specifies the interface through which the NetScreen device transmits the DNS query. (Note: You can make such queries secure by specifying a tunnel interface.)

Primary: The IP address or domain name of the primary DNS server.

Secondary: The IP address or domain name of the secondary DNS server.

Tertiary: The IP address or domain name of the tertiary DNS server.

Failover: The failover switch directs the DNS proxy to fail over to another server if the currently active server fails.

Configure: Allows you to edit or remove a server-select table entry.
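To make the behaviour of the DNS entry table concrete, here is an added example (not ScreenOS code and not from the original page) that models the server-select lookup in Python: the table entries are the ones from the split-DNS scenario at the top of the page (meinezone1.de and meinezone2.de), plus a constructed "*" catch-all pointing at an ISP resolver. The matching rule (longest matching domain suffix wins, "*" catches everything else), the interface names (tunnel.1, tunnel.2, untrust), the sample IP addresses, and the assumption that a non-failover entry only ever uses its primary server are all assumptions made for this illustration; the real device may differ in detail.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ProxyDnsEntry:
    """One row of the DNS proxy server-select table (fields as listed on the page)."""
    domain: str                      # domain suffix, or "*" for all other queries
    interface: str                   # interface the query is sent out of
    primary: str                     # IP or name of the primary DNS server
    secondary: Optional[str] = None  # optional secondary server
    tertiary: Optional[str] = None   # optional tertiary server
    failover: bool = False           # fail over to the next server if one fails

    def servers(self) -> List[str]:
        """Servers in preference order, skipping unset slots."""
        return [s for s in (self.primary, self.secondary, self.tertiary) if s]


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Host.Example.de.' matches 'example.de'."""
    return name.rstrip(".").lower()


def match_entry(table: Iterable[ProxyDnsEntry], qname: str) -> Optional[ProxyDnsEntry]:
    """Pick the table entry for a queried FQDN.

    Assumption: the most specific (longest) matching domain suffix wins, and a
    query matches an entry only if it equals the domain or ends in '.' + domain
    (so 'notmeinezone1.de' does NOT match 'meinezone1.de'). The '*' entry is
    used only when nothing else matches.
    """
    q = _normalize(qname)
    best: Optional[ProxyDnsEntry] = None
    wildcard: Optional[ProxyDnsEntry] = None
    for entry in table:
        d = _normalize(entry.domain)
        if d == "*":
            wildcard = entry
            continue
        if q == d or q.endswith("." + d):
            if best is None or len(d) > len(_normalize(best.domain)):
                best = entry
    return best if best is not None else wildcard


def select_server(table: Iterable[ProxyDnsEntry], qname: str,
                  unreachable: frozenset = frozenset()) -> Optional[Tuple[str, str]]:
    """Return (interface, server) the proxy would forward the query to, or None.

    `unreachable` is a constructed stand-in for "the currently active server
    failed". Assumption: with the failover switch off only the primary is tried.
    """
    entry = match_entry(table, qname)
    if entry is None:
        return None
    candidates = entry.servers() if entry.failover else entry.servers()[:1]
    for server in candidates:
        if server not in unreachable:
            return (entry.interface, server)
    return None


# Constructed sample table: the two zones from the page's split-DNS scenario go
# through VPN tunnel interfaces; a more specific sub-zone goes to an internal
# server on 'trust'; everything else ('*') goes to the ISP resolver on 'untrust'.
SAMPLE_TABLE = [
    ProxyDnsEntry("meinezone1.de", "tunnel.1", "ns1.domain.de"),
    ProxyDnsEntry("meinezone2.de", "tunnel.2", "ns2.domain.de"),
    ProxyDnsEntry("intra.meinezone1.de", "trust", "10.0.0.53", failover=False),
    ProxyDnsEntry("*", "untrust", "198.51.100.53", "198.51.100.54", failover=True),
]

if __name__ == "__main__":
    for name in ("www.meinezone1.de", "db.intra.meinezone1.de",
                 "meinezone2.de.", "notmeinezone1.de", "www.example.com"):
        print(f"{name:28} -> {select_server(SAMPLE_TABLE, name)}")
```

The `unreachable` set is only a way to exercise the failover switch offline; on the device the decision is driven by the actual server health. Note how the suffix check guards against a look-alike domain such as notmeinezone1.de silently being sent down the VPN tunnel instead of to the catch-all server.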


On which Interface should Proxy DNS be set?

[KB9877]

Summary:
On what Interface should Proxy DNS be set?

Problem or Goal:
Juniper firewall is not using DNS servers configured on Proxy DNS configuration.

Solution:

Ensure the Proxy DNS option is selected on the ScreenOS Interface configuration web page (Network > Interfaces) for every interface that receives DNS queries which need to be forwarded to the DNS servers configured on the DNS Proxy Configuration web page (Network > DNS > Proxy).

Example:
Client (192.168.1.5) ----- 192.168.1.1 (Trust) Netscreen (Untrust) 1.1.1.1 ----- Internet

In the sample network, the clients send their DNS queries to the Trust interface, so the firewall must have the following command:
set interface trust proxy dns