Juniper SRX DNS lookup in Trusted zone is not working

junipersrx

I am new to Juniper products, so this is probably a silly question, but I can't find any answer on the Internet.

Generally, my lab environment is simple: one Trusted zone with DHCP enabled, and an Untrusted zone with dual WAN IPs. My goal is to let the Trusted zone access the Internet.

My PC obtains its IP address from the SRX DHCP server (the full config can be found at the end of this post):

Configuration on my PC

DHCP Enabled: Yes
IPv4 Address: 192.168.1.2
IPv4 Subnet Mask: 255.255.255.0
IPv4 Default Gateway: 192.168.1.1
IPv4 DHCP Server: 192.168.1.1
IPv4 DNS Server: 192.168.1.1

Test result with the above settings

C:\Users\user>nslookup
Default Server:  UnKnown
Address:  192.168.1.1

> google.com
Server:  UnKnown
Address:  192.168.1.1

*** UnKnown can't find google.com: No response from server


C:\Users\user>ping 8.8.4.4

Pinging 8.8.4.4 with 32 bytes of data:
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52
Reply from 8.8.4.4: bytes=32 time=4ms TTL=52

Ping statistics for 8.8.4.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4ms, Maximum = 4ms, Average = 4ms
Control-C
^C

C:\Users\user>ping google.com
Ping request could not find host google.com. Please check the name and try again.

Based on the results observed, my PC has an Internet connection but can't look up DNS records. However, I had configured DNS name servers on the SRX and found that it can look up DNS records from PuTTY:

telnet@SRX-A> traceroute google.com.hk inet
traceroute to google.com.hk (216.58.221.227), 30 hops max, 40 byte packets
 1  123-123-123-254.static.hk.net (123.123.123.254)  8.488 ms  9.140 ms  9.889 ms
 2  yckfb001.netvigator.com (203.198.7.179)  10.088 ms  9.899 ms  9.494 ms
 3  n219076107190.netvigator.com (219.76.107.190)  9.552 ms  9.673 ms  9.445 ms
 4  218.102.21.53 (218.102.21.53)  9.748 ms  9.872 ms  9.520 ms
 5  wtsc3a054.netvigator.com (218.102.40.54)  10.259 ms  10.171 ms  9.045 ms
 6  tenge8-1.br01.hkg15.pccwbtn.net (63.218.211.97)  20.303 ms  19.483 ms  19.979 ms
 7  72.14.219.25 (72.14.219.25)  9.527 ms  20.102 ms  9.284 ms
 8  209.85.241.56 (209.85.241.56)  20.241 ms  19.139 ms  9.785 ms
 9  209.85.240.205 (209.85.240.205)  19.789 ms  9.647 ms  9.777 ms
10  hkg07s21-in-f227.1e100.net (216.58.221.227)  19.827 ms  19.441 ms  9.783 ms

Below is the full config file:

## Last changed: 2015-11-11 15:38:50 UTC
version 12.1X44-D35.5;
groups {
    node0 {
        system {
            host-name SRX-A;
            backup-router 10.3.5.254 destination 192.168.1.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.1/24;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX-B;
            backup-router 10.3.5.254 destination 192.168.1.0/24;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.3.5.1/24;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
system {
    root-authentication {
        encrypted-password "$1$UxtwVlQz$JTySdQwlJvLVmR4KpA64O.";
    }
    name-server {
        8.8.8.8;
        8.8.4.4;
    }
    login {
        user telnet {
            full-name telnet;
            uid 2000;
            class super-user;
            authentication {
                encrypted-password "$1$t5x8eCya$egeoCAw3IsfAfaJT0XdxW0";
            }
        }
    }
    services {
        telnet;
        web-management {
            http {
                interface [ reth0.0 reth1.0 reth2.0 ];
            }
        }
        dhcp {
            router {
                192.168.1.1;
            }
            pool 192.168.1.0/24 {
                address-range low 192.168.1.2 high 192.168.1.254;
                name-server {
                    192.168.1.1;
                }
            }
        }
    }
}
chassis {
    cluster {
        reth-count 3;
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
            interface-monitor {
                ge-0/0/4 weight 255;
                ge-5/0/4 weight 255;
                ge-0/0/5 weight 255;
                ge-5/0/5 weight 255;
                ge-0/0/6 weight 255;
                ge-5/0/6 weight 255;
            }
        }
    }
}
interfaces {
    ge-0/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-0/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-0/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-5/0/4 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-5/0/5 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-5/0/6 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-0/0/2;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-5/0/2;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 192.168.1.1/24;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 123.123.123.74/24;
            }
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 123.123.123.75/24;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 123.123.123.254;
            qualified-next-hop 123.123.123.254 {
                preference 7;
            }
            preference 5;
        }
    }
}
security {
    nat {
        source {
            rule-set rs1 {
                from zone Trusted;
                to zone Untrusted;
                rule r1 {
                    match {
                        source-address 0.0.0.0/0;
                        destination-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone Trusted to-zone Untrusted {
            policy Outside {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
            policy internet-access {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            permit-all;
        }
    }
    zones {
        security-zone Trusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0 {
                    host-inbound-traffic {
                        system-services {
                            all;
                        }
                        protocols {
                            all;
                        }
                    }
                }
            }
        }
        security-zone Untrusted {
            host-inbound-traffic {
                system-services {
                    all;
                }
            }
            interfaces {
                reth1.0;
                reth2.0;
            }
        }
    }
}

Best Answer

I don't see any configuration to make the SRX do the DNS Proxy. It can get out because you gave it name servers, but nothing to pass that on to clients.

Try this page: http://www.juniper.net/documentation/en_US/junos12.1x46/topics/concept/dns-proxy-device-configuration-overview.html

DNS proxy configuration

Enable DNS proxy on a logical interface.

[edit system services]
user@host# set dns dns-proxy interface ge-0/0/1.0

Set a default domain name, and specify global name servers according to their IP addresses.

[edit system services]
user@host# set dns dns-proxy default-domain * forwarders 172.17.28.100

If you are done configuring the device, commit the configuration.

[edit]
user@host# commit

To verify if the configuration is working properly, execute the show command.

user@host> show system services dns dns-proxy
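The documentation steps above applied to this lab's own interface and resolvers, as an added example that is neither the asker's config nor part of the answer: it assumes dns-proxy is accepted on a reth interface on this release, and uses the Trusted-side interface reth0.0 and the 8.8.8.8 / 8.8.4.4 resolvers already present under [system name-server].

```junos
# Added example, not from the question or answer. Assumes dns-proxy is
# supported on reth0.0 in this release (verify on the box before relying on it).

# 1. Answer the DNS queries that DHCP clients send to 192.168.1.1 on reth0.0.
#    The Trusted zone already allows "system-services all" host-inbound on
#    reth0.0, so UDP/53 to the SRX itself is not blocked at the zone.
set system services dns dns-proxy interface reth0.0

# 2. Forward every name ("*" is the catch-all default domain) to the same
#    upstream resolvers the SRX uses for its own lookups.
set system services dns dns-proxy default-domain * forwarders 8.8.8.8
set system services dns dns-proxy default-domain * forwarders 8.8.4.4

# 3. The DHCP pool already hands out 192.168.1.1 as the client name-server,
#    so nothing changes there. Commit, then confirm the proxy is up.
commit
run show system services dns dns-proxy
```

If no proxy on the firewall is wanted, the other option consistent with the answer is to hand the upstream resolvers straight to clients by replacing `192.168.1.1` under `system services dhcp pool 192.168.1.0/24 name-server` with `8.8.8.8` and `8.8.4.4`; either way, re-run `nslookup google.com` on the PC afterwards and expect a real answer instead of "No response from server".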