Juniper SRX DNS Proxy Issues Over the VPN


Problem:  JUNOS DNS-Proxy resolution does not work over the VPN.

Symptoms:
  • DNS name resolution only resolves external domain names (i.e. Internet).
  • SRX DNS proxy does not resolve internal/local domains from the DNS server on the other side of the VPN.
  • Ping requests fail from the SRX (i.e., DNS-Proxy) to the remote VPN site.
       For example, SRX2 cannot ping any node behind SRX1 via the VPN.
  • All ping requests from the SRX fail without specifying the exit interface.
  • Ping requests from nodes on either side of the VPN are successful.  Routing and VPN work.

Topology:  The DNS proxy and DNS server are on separate sides of the VPN.

  • SRX1 is at the data center.  Its site hosts the primary domain controller (DC) and DNS servers.
  • SRX2 is at the branch office.  
  • The SRX2 site does not have a local DC or DNS server.  It uses a split-tunnel VPN and split-brain DNS proxy for internal and external name resolution.


Solution:  Assume routing, DNS-Proxy and firewall configurations are OK.  The problem is with how the SRX chooses its default address.  Enabling default address selection should fix the problem:

set system default-address-selection

Next, assign the loopback interface a routed IP address:

set interfaces lo0 unit 0 family inet address <routed-IP-address/prefix>

N.B., Planning to use the DNS proxy with a public DNS server (e.g., 8.8.8.8)?  Don't forget to create a corresponding NAT statement:

[edit security nat source]
rule-set self-internet {
    from zone junos-host;
    to zone UNTRUST;
    rule RE-untrust {
        match {
            source-address 0.0.0.0/0;
        }
        then {
            source-nat {
                interface;
            }
        }
    }
}

Reason:  The DNS proxy service uses the SRX loopback interface (lo0) for its source address.  The default lo0 address is 127.0.0.1.  Traffic isn't going to go far with that address!  Everything works if you assign lo0 an IP address from your default VLAN!

N.B., This fixes all other issues with ICMP, FTP, etc., across the SRX to VPN as well.
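
The three conditions above can be checked against a saved configuration. This is an added example, not part of the original post. It assumes the input is `show configuration | display set` output; the function name `audit_srx_self_traffic`, the sample configs, their addresses and the dns-proxy forwarder statements are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample configs (set format); addresses and names are illustrative.
BROKEN = """
set system services dns dns-proxy interface vlan.0
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain corp.example forwarders 10.10.10.5
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
"""
FIXED = BROKEN.replace("127.0.0.1/32", "192.168.1.1/32") + """
set system default-address-selection
set security nat source rule-set self-internet from zone junos-host
set security nat source rule-set self-internet to zone UNTRUST
set security nat source rule-set self-internet rule RE-untrust match source-address 0.0.0.0/0
set security nat source rule-set self-internet rule RE-untrust then source-nat interface
"""

def audit_srx_self_traffic(set_config):
    """Return a list of findings; an empty list means all three checks pass."""
    lines = [l.strip() for l in set_config.splitlines() if l.strip()]
    findings = []

    # 1. default-address-selection makes locally generated packets use the lo0 address.
    if "set system default-address-selection" not in lines:
        findings.append("default-address-selection is not set")

    # 2. lo0.0 needs at least one inet address outside 127.0.0.0/8.
    lo0_re = re.compile(r"set interfaces lo0 unit 0 family inet address (\S+)")
    lo0 = [ipaddress.ip_interface(m.group(1)) for l in lines if (m := lo0_re.match(l))]
    if not any(not a.ip.is_loopback for a in lo0):
        findings.append("lo0.0 has no routed (non-127/8) address")

    # 3. A public forwarder needs source NAT for traffic from zone junos-host.
    fwd_re = re.compile(r"dns-proxy .*forwarders (\S+)")
    fwd = [ipaddress.ip_address(m.group(1)) for l in lines if (m := fwd_re.search(l))]
    nat_re = re.compile(r"set security nat source rule-set \S+ from zone junos-host$")
    if any(a.is_global for a in fwd) and not any(nat_re.match(l) for l in lines):
        findings.append("public DNS forwarder without source NAT from junos-host")
    return findings

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit_srx_self_traffic(cfg) or "OK")
```
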

References:

https://www.juniper.net/documentation/en_US/junos13.1/topics/reference/configuration-statement/default-address-selection-edit-system.html




