It is often when you come across deployments where branch users need reach an internal resource that is also mapped for external users via DNS however the problem start when user inside the corp is resolving that address over the public DNS he will get response of the public address of that resource and in order for him to reach that address packet will need to go out form the internal trust zone to outside and back in , this is what is called a DNS Split Horizon problem!
to fix that you can either use some static host configuration that is very unscaleable or use a DNS proxy and Internal forwarders, for that there are 2 main methods (with Juniper SRX):
Method 1
Split DNS configuration where all DNS traffic is default to 8.8.8.8 with the exception of sguez.net that is using 198.168.1.200 (Internal DNS)
root@SRXv01# show system services dns | display set set system services dns dns-proxy interface ge-0/0/1.0 set system services dns dns-proxy default-domain * forwarders 8.8.8.8 set system services dns dns-proxy default-domain sguez.net forwarders 198.168.1.200 [edit] root@SRXv01#
Important part when configuring dns-proxy over SRX is to enable the dns system service
root@SRXv01# show security zones security-zone trust host-inbound-traffic | display set set security zones security-zone trust host-inbound-traffic system-services dns [edit] root@SRXv01#
Method 2
Split DNS configuration where all DNS traffic is default to 8.8.8.8 with the exception of sguez.net that is using 198.168.1.200 (Internal DNS) and for external resolve via (external DNS) based on request source (clients IP's):
root@SRXv01# show system services dns dns-proxy | display set set system services dns dns-proxy interface ge-0/0/1.0 set system services dns dns-proxy view internal match-clients 192.168.0.0/16 set system services dns dns-proxy view internal domain sguez.net forwarders 192.168.1.200 set system services dns dns-proxy view external match-clients 172.24.190.114/28 set system services dns dns-proxy view external domain sguez.net forwarders 192.168.1.201 [edit] root@SRXv01# Also with that configuration do not forget the enable for dns system servicesroot@SRXv01# show security zones security-zone trust host-inbound-traffic | display set set security zones security-zone trust host-inbound-traffic system-services dns [edit] root@SRXv01#
Verification for both:
Clear Cache:
root@SRXv01# run clear system services dns-proxy cache
Show Cache:
root@SRXv01# run show system services dns-proxy cache
Clear Statistics:
root@SRXv01# run clear system services dns-proxy statistics
Show Statistics:
root@SRXv01# run show system services dns-proxy statistics
No comments:
Post a Comment