[j-nsp] controlling the source IP for the Dns Proxy feature

Ben Dale bdale at comlinx.com.au
Wed Oct 15 18:22:47 EDT 2014

Hi Andy,

I have come across this exact issue using the feature.

There was a good reason why we didn't use default address selection that escapes me just now, but I had a slight advantage in that I was using route-based VPNs, so I was able to number the st0 interface with a /32 from the corporate range and source my queries from there.

Unfortunately policy-based VPNs are extremely limiting when it comes to things like this.  I can't think of too many scenarios where I'd even use them any more.  If you don't have too many sites, I'd seriously consider migrating them across.


On 16 Oct 2014, at 1:28 am, Andy Litzinger <andy.litzinger.lists at gmail.com> wrote:

> Hello,
> is anyone out there using the dns-proxy feature for the branch SRX?  Are
> there any clever tricks for specifying the source address the SRX uses to
> query name servers?  It does not appear to be a config option.
> with the default config it appears to use the IP of the outbound
> interface.  If I add the config statement 'set system default address
> selection' i can influence it to use the lo0.0 address, which can solve my
> issue, but not in a way i prefer.
> my exact problem is the following:
> I have an SRX 220H in a remote office. It has an trust and untrust zone.
> users sit on the trust zone and receive dhcp from the SRX and use the SRX
> as their default gateway and dns server.  There is a policy based vpn that
> connects from the untrust zone to our corp HQ.  I have the dns-proxy config
> set up so that if a dns request is going to an intranet zone, e.g.
> corp.example.com, then it should use DNS servers that live across the
> tunnel in our corp HQ.  If they are looking up anything else, they use
> google dns servers.
> here's the relevant config:
> dns-proxy {
>    interface {
>        <interface facing users>;
>    }
>    default-domain * {
>        forwarders {
>  ;
>  ;
>        }
>    }
>    default-domain corp.example.com {
>        forwarders {
>            <corp hq name server1>;
>            <corp hq name server 2>;
>        }
>    }
> }
> the problem is without the 'default address selection' set the SRX tries to
> use the untrust interface IP as the source IP to query our corp HQ name
> servers, but the traffic doesn't enter the tunnel because it doesn't match
> the vpn policy.  And I can't change the policy to allow it because the
> untrust interface IP is the endpoint of the tunnel.  It looks like the
> source zone of the dns query is junos-host- is it possible maybe to set up
> a junos-host zone to untrust zone NAT when going to corp-hq IP space?
> or is there another clever solution?
> thanks!
> -andy
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp

More information about the juniper-nsp mailing list